NIST 800-53 r5 · Controls catalogue · Family RA

RA-7Risk Response

Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance.

Last updated: 09 May 2026 03:25 UTC

Implementations targeting this control (0)

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE	Name	CVEs	Why this control addresses it
`CWE-862`	Missing Authorization	8,680	Missing authorization is frequently identified by security assessments; organizational risk-response procedures drive remediation, directly limiting an attacker's ability to invoke protected functionality.
`CWE-284`	Improper Access Control	4,832	Findings of improper access control are routine outputs of audits and assessments; mandated response ensures the weaknesses are corrected before they can be exploited at scale.
`CWE-732`	Incorrect Permission Assignment for Critical Resource	1,824	Incorrect permission assignments on critical resources are typical audit findings; responding to them per risk tolerance removes the excessive privileges that enable exploitation.
`CWE-693`	Protection Mechanism Failure	476	When assessments or monitoring reveal that protection mechanisms are ineffective or bypassed, the required risk-response action directly restores or strengthens those mechanisms.
`CWE-657`	Violation of Secure Design Principles	19	Audits and assessments commonly surface violations of secure design principles; formal risk-response processes ensure such findings are remediated according to risk tolerance, reducing the window for exploitation.

CVE	Risk	CVSS	EPSS	Match
No CVEs annotated to this control yet — the per-CVE backfill is in progress.