NIST 800-53 r5 · Controls catalogue · Family PT
PT-4 Consent
Implement [Assignment: organization-defined tools or mechanisms] for individuals to consent to the processing of their personally identifiable information prior to its collection that facilitate individuals' informed decision-making.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (5)
CWEs ranked by how often they appear in real CVEs (the counts cover the weakness class as a whole, not only consent-related instances). The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-862 | Missing Authorization | 8,680 | The control supplies the missing authorization check that would otherwise allow processing without user approval. |
| CWE-284 | Improper Access Control | 4,832 | Consent enforcement adds an explicit access-control gate before any PII processing can occur. |
| CWE-863 | Incorrect Authorization | 3,234 | Consent logic ensures authorization decisions governing PII are both present and correctly applied. |
| CWE-285 | Improper Authorization | 1,230 | Requiring affirmative consent implements an authorization decision for each instance of PII collection or use. |
| CWE-359 | Exposure of Private Personal Information to an Unauthorized Actor | 174 | Mandating consent prior to collection directly prevents unauthorized exposure of private personal information. |
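The table above treats consent as an authorization gate that must exist (CWE-862) and must be scoped correctly (CWE-863) before any PII is stored. The following is an added illustration, not code from NIST or from this catalogue page: a small, deny-by-default consent registry with purpose-scoped records, shown beside the two faulty collection paths the table describes. All names (`ConsentRegistry`, `PiiStore`, `collect_with_consent`, the sample subject and purposes) are hypothetical.

```python
"""Consent gate for PII collection (hypothetical example, not NIST or catalogue code)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


class ConsentError(PermissionError):
    """Raised when PII processing is attempted without valid consent."""


@dataclass
class ConsentRecord:
    purpose: str
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentRegistry:
    """Stores affirmative, purpose-scoped consent per data subject (hypothetical)."""

    def __init__(self) -> None:
        self._records: dict[str, list[ConsentRecord]] = {}

    def grant(self, subject_id: str, purpose: str) -> None:
        now = datetime.now(timezone.utc)
        self._records.setdefault(subject_id, []).append(ConsentRecord(purpose, now))

    def withdraw(self, subject_id: str, purpose: str) -> None:
        now = datetime.now(timezone.utc)
        for rec in self._records.get(subject_id, []):
            if rec.purpose == purpose and rec.active():
                rec.withdrawn_at = now

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        # Deny by default: no record, or only withdrawn records, means no consent.
        return any(rec.purpose == purpose and rec.active()
                   for rec in self._records.get(subject_id, []))

    def has_any_consent(self, subject_id: str) -> bool:
        # Only here to show the CWE-863 mistake below; do not use as a gate.
        return any(rec.active() for rec in self._records.get(subject_id, []))


class PiiStore:
    """Stand-in for whatever actually persists the collected PII."""

    def __init__(self) -> None:
        self.rows: list[tuple[str, str, dict]] = []

    def save(self, subject_id: str, purpose: str, pii: dict) -> None:
        self.rows.append((subject_id, purpose, dict(pii)))


# CWE-862 shape: the authorization (consent) check is simply absent.
def collect_unchecked(store: PiiStore, subject_id: str, purpose: str, pii: dict) -> bool:
    store.save(subject_id, purpose, pii)
    return True


# CWE-863 shape: a check exists but is wrong; consent for *any* purpose is
# accepted as consent for *this* purpose.
def collect_any_purpose(store: PiiStore, registry: ConsentRegistry,
                        subject_id: str, purpose: str, pii: dict) -> bool:
    if not registry.has_any_consent(subject_id):
        raise ConsentError(f"no consent on file for {subject_id!r}")
    store.save(subject_id, purpose, pii)
    return True


# Hardened gate: purpose-scoped, deny-by-default, evaluated before anything is stored,
# which is the "prior to its collection" requirement of PT-4.
def collect_with_consent(store: PiiStore, registry: ConsentRegistry,
                         subject_id: str, purpose: str, pii: dict) -> bool:
    if not registry.has_consent(subject_id, purpose):
        raise ConsentError(f"no active consent from {subject_id!r} for {purpose!r}")
    store.save(subject_id, purpose, pii)
    return True


if __name__ == "__main__":
    # Constructed sample data, not real PII.
    reg, store = ConsentRegistry(), PiiStore()
    reg.grant("alice", "marketing")
    try:
        collect_with_consent(store, reg, "alice", "analytics", {"email": "alice@example.test"})
    except ConsentError as exc:
        print("blocked:", exc)
    collect_with_consent(store, reg, "alice", "marketing", {"email": "alice@example.test"})
    print("stored rows:", len(store.rows))
```

The gate keys consent on the specific purpose and treats absence of a record the same as a withdrawn one; checking `has_any_consent` instead would pass the CWE-862 row of the table while still failing the CWE-863 row.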
Top CVEs where this control is the strongest mitigation
- No CVEs annotated to this control yet; the per-CVE backfill is in progress.