NIST 800-53 r5 · Controls catalogue · Family RA
RA-2 Security Categorization
- Categorize the system and the information it processes, stores, and transmits;
- Document the security categorization results, including supporting rationale, in the security plan for the system; and
- Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (8)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 10,204 | Categorization identifies sensitive data so that confidentiality protections commensurate with impact level are selected and documented. |
| CWE-284 | Improper Access Control | 4,832 | Security categorization determines the impact level that drives selection of appropriate access-control baselines. |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,824 | Security category directly informs the required permission settings for critical resources before authorization occurs. |
| CWE-552 | Files or Directories Accessible to External Parties | 540 | Categorization results dictate which files and directories must be restricted, making unauthorized external access less likely. |
| CWE-922 | Insecure Storage of Sensitive Information | 421 | Proper categorization drives selection of storage controls that keep sensitive information from being stored insecurely. |
| CWE-497 | Exposure of Sensitive System Information to an Unauthorized Control Sphere | 314 | Documented categorization of system information reduces the chance that sensitive internals are left exposed to unauthorized spheres. |
| CWE-359 | Exposure of Private Personal Information to an Unauthorized Actor | 174 | Explicit categorization of PII ensures stronger privacy controls are applied and approved before system operation. |
| CWE-538 | Insertion of Sensitive Information into Externally-Accessible File or Directory | 84 | Approved categorization forces identification of externally accessible files that contain sensitive content so they receive proper protection. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | ||||