NIST 800-53 r5 · Controls catalogue · Family PT
PT-2: Authority to Process Personally Identifiable Information
a. Determine and document the {{ insert: param, pt-02_odp.01 }} that permits the {{ insert: param, pt-02_odp.02 }} of personally identifiable information; and
b. Restrict the {{ insert: param, pt-02_odp.03 }} of personally identifiable information to only that which is authorized.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (7)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 10,204 | Limits PII handling to authorized authority, making unauthorized exposure of sensitive information less likely. |
| CWE-862 | Missing Authorization | 8,680 | Requires explicit determination and documentation of authority before any PII processing occurs, addressing missing authorization. |
| CWE-284 | Improper Access Control | 4,832 | Requires documented authority and explicit restriction of PII processing to only authorized actions, directly mitigating improper access control. |
| CWE-863 | Incorrect Authorization | 3,234 | Restricts processing strictly to documented authorized uses, mitigating incorrect authorization decisions for sensitive data. |
| CWE-285 | Improper Authorization | 1,230 | Mandates determining authority and limiting processing to what is authorized, preventing improper authorization over personal data. |
| CWE-359 | Exposure of Private Personal Information to an Unauthorized Actor | 174 | Enforces restriction of PII processing to authorized purposes, reducing exposure of private personal information to unauthorized actors. |
| CWE-213 | Exposure of Sensitive Information Due to Incompatible Policies | 29 | Demands documented authority and policy alignment for PII processing, reducing exposure due to incompatible or absent policies. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | | | | |