PR.AA-05
Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties
Implementation examples
- Ex1: Review logical and physical access privileges periodically and whenever someone changes roles or leaves the organization, and promptly rescind privileges that are no longer needed
- Ex2: Take attributes of the requester and the requested resource into account for authorization decisions (e.g., geolocation, day/time, requester endpoint's cyber health)
- Ex3: Restrict access and privileges to the minimum necessary (e.g., zero trust architecture)
- Ex4: Periodically review the privileges associated with critical business functions to confirm proper separation of duties
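The four implementation examples above describe a model, not a product: a deny-by-default decision that weighs requester and resource attributes (Ex2, Ex3), plus a periodic review that rescinds leavers' privileges, flags entitlements nobody has exercised, and detects separation-of-duties conflicts (Ex1, Ex4). The Python below is added here as an illustration and is not text from NIST CSF 2.0, the CPRT, or this page. Every role, permission, resource, user, the separation-of-duties pairs, the 15-minute MFA freshness window and the 90-day staleness threshold are constructed assumptions chosen for the example.

```python
"""Added illustration for PR.AA-05 (not NIST text or any product's code):
a deny-by-default, attribute-aware authorization decision and an
entitlement review that flags leavers, stale privileges and
separation-of-duties conflicts. Every user, role, resource and
threshold below is constructed for the example."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Role -> permissions. Roles are kept narrow (least privilege). Constructed names.
ROLE_PERMS = {
    "ap_clerk": {"invoice:create"},
    "ap_approver": {"invoice:approve"},
    "treasury": {"payment:release"},
}

# Permission pairs a single identity must never hold together (separation of duties).
SOD_CONFLICTS = {
    frozenset({"invoice:create", "invoice:approve"}),
    frozenset({"invoice:approve", "payment:release"}),
}

STEP_UP_PERMS = {"payment:release"}  # assumed: high-impact actions need fresh MFA
MAX_MFA_AGE_MIN = 15                 # assumed freshness window
STALE_DAYS = 90                      # assumed review threshold for unused privileges


@dataclass
class Subject:
    user: str
    roles: set
    active: bool = True
    last_used: dict = field(default_factory=dict)  # permission -> last exercised


@dataclass
class Resource:
    name: str
    allowed_countries: frozenset
    business_hours_only: bool


@dataclass
class Context:
    now: datetime           # time of the request (UTC)
    country: str            # requester geolocation
    device_compliant: bool  # endpoint health signal from the device manager
    mfa_age_min: int        # minutes since the requester last passed MFA


def effective_perms(subj):
    return set().union(*(ROLE_PERMS.get(r, set()) for r in subj.roles))


def authorize(subj, perm, res, ctx):
    """Return (allowed, reason). Deny by default; the first failing check wins."""
    if not subj.active:
        return False, "subject disabled"
    if perm not in effective_perms(subj):
        return False, "no entitlement"
    if ctx.country not in res.allowed_countries:
        return False, "geolocation not permitted for resource"
    in_hours = ctx.now.weekday() < 5 and 9 <= ctx.now.hour < 18
    if res.business_hours_only and not in_hours:
        return False, "outside business hours"
    if not ctx.device_compliant:
        return False, "endpoint not compliant"
    if perm in STEP_UP_PERMS and ctx.mfa_age_min > MAX_MFA_AGE_MIN:
        return False, "step-up MFA required"
    return True, "allow"


def sod_violations(subj):
    """Conflicting permission pairs the subject currently holds, as 'a+b' strings."""
    perms = effective_perms(subj)
    return sorted("+".join(sorted(c)) for c in SOD_CONFLICTS if c <= perms)


def review_entitlements(subjects, now):
    """Periodic access review: sorted (user, finding, detail) tuples."""
    findings = []
    for s in subjects:
        if not s.active:
            if s.roles:  # leaver still holds roles: rescind immediately
                findings.append((s.user, "revoke", ",".join(sorted(s.roles))))
            continue
        for conflict in sod_violations(s):
            findings.append((s.user, "sod", conflict))
        for perm in sorted(effective_perms(s)):
            last = s.last_used.get(perm)
            if last is None or (now - last).days > STALE_DAYS:
                findings.append((s.user, "stale", perm))
    return sorted(findings)


NOW = datetime(2025, 3, 12, 14, 0, tzinfo=timezone.utc)  # a Wednesday, 14:00 UTC
INVOICES = Resource("ap-invoices", frozenset({"US", "CA"}), business_hours_only=True)
PAYMENTS = Resource("treasury-payments", frozenset({"US"}), business_hours_only=True)

SUBJECTS = [  # constructed sample identities
    Subject("alice", {"ap_clerk"}, last_used={"invoice:create": NOW - timedelta(days=3)}),
    Subject("bob", {"ap_clerk", "ap_approver"},
            last_used={"invoice:create": NOW - timedelta(days=10),
                       "invoice:approve": NOW - timedelta(days=120)}),
    Subject("carol", {"treasury"}, active=False),  # has left the organisation
    Subject("dave", {"treasury"}, last_used={"payment:release": NOW - timedelta(days=1)}),
]
ALICE, BOB, CAROL, DAVE = SUBJECTS

if __name__ == "__main__":
    print(authorize(ALICE, "invoice:create", INVOICES, Context(NOW, "US", True, 5)))
    print(authorize(DAVE, "payment:release", PAYMENTS, Context(NOW, "US", True, 40)))
    for finding in review_entitlements(SUBJECTS, NOW):
        print(finding)
```

Two design points worth noting. The decision function never grants on the strength of a role alone: the role only establishes the entitlement, and the contextual attributes (geolocation, time window, endpoint health, MFA freshness) can still turn a valid entitlement into a deny, which is what Ex2 and the zero trust reference in Ex3 call for. The review treats a disabled account that still holds roles as an immediate revoke finding rather than a staleness finding, because a leaver's lingering entitlements are the case Ex1 singles out for prompt action.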
Mapped NIST 800-53 r5 controls (12)
Mapped CWE weaknesses (8)
All informative references (132)
- BXAIOS: Chapter 6 - Install the Router
- CCMv4.0: CCC-04
- CCMv4.0: CEK-10
- CCMv4.0: CEK-11
- CCMv4.0: CEK-12
- CCMv4.0: CEK-13
- CCMv4.0: CEK-14
- CCMv4.0: CEK-15
- CCMv4.0: CEK-16
- CCMv4.0: CEK-17
- CCMv4.0: CEK-18
- CCMv4.0: CEK-19
- CCMv4.0: CEK-20
- CCMv4.0: CEK-21
- CCMv4.0: IAM-01
- CCMv4.0: IAM-03
- CCMv4.0: IAM-04
- CCMv4.0: IAM-05
- CCMv4.0: IAM-06
- CCMv4.0: IAM-07
- CCMv4.0: IAM-08
- CCMv4.0: IAM-09
- CCMv4.0: IAM-10
- CCMv4.0: IAM-11
- CCMv4.0: IAM-12
- CCMv4.0: IAM-16
- CCMv4.0: IVS-03
- CCMv4.0: IVS-06
- CCMv4.0: LOG-02
- CCMv4.0: LOG-04
- CCMv4.0: LOG-09
- CCMv4.0: UEM-05
- CCMv4.0: UEM-14
- CIS Controls v8.0: 3.3
- CIS Controls v8.0: 6.8
- CIS Controls v8.1: 3.3
- CIS Controls v8.1: 5.1
- CIS Controls v8.1: 6.8
- CRI Profile v2.0: PR.AA-05
- CRI Profile v2.0: PR.AA-05.01
- CRI Profile v2.0: PR.AA-05.02
- CRI Profile v2.0: PR.AA-05.03
- CRI Profile v2.0: PR.AA-05.04
- CSF v1.1: PR.AC-1
- CSF v1.1: PR.AC-3
- CSF v1.1: PR.AC-4
- ISO/IEC 27001:2022: Mandatory Clause: None
- ISO/IEC 27001:2022: Annex A Controls: 5.1
- ISO/IEC 27001:2022: Annex A Controls: 5.3
- ISO/IEC 27001:2022: Annex A Controls: 5.14
- ISO/IEC 27001:2022: Annex A Controls: 5.15
- ISO/IEC 27001:2022: Annex A Controls: 5.16
- ISO/IEC 27001:2022: Annex A Controls: 5.17
- ISO/IEC 27001:2022: Annex A Controls: 5.18
- ISO/IEC 27001:2022: Annex A Controls: 8.2
- ISO/IEC 27001:2022: Annex A Controls: 8.3
- ISO/IEC 27001:2022: Annex A Controls: 8.5
- ISO/IEC 27001:2022: Annex A Controls: 8.18
- NICE Framework: DD-WRL-001
- NICE Framework: DD-WRL-004
- NICE Framework: IO-WRL-003
- NICE Framework: IO-WRL-005
- NICE Framework: OG-WRL-002
- NICE Framework: OG-WRL-013
- NICE Framework: OG-WRL-014
- NICE Framework: PD-WRL-004
- OWASP Top 10 LLM Applications: LLM01-2025
- OWASP Top 10 LLM Applications: LLM02-2025
- OWASP Top 10 LLM Applications: LLM06-2025
- OWASP Top 10 LLM Applications: LLM07-2025
- OWASP Top 10 LLM Applications: LLM08-2025
- OWASP Top 10 LLM Applications: LLM10-2025
- PCI DSS: 7.1.1
- PCI DSS: 7.2.1
- PCI DSS: 7.2.2
- PCI DSS: 7.2.4
- PCI DSS: 7.2.5.1
- PCI DSS: 8.1.1
- PCI DSS: 8.2.6
- PCI DSS: 12.1.3
- SCF: HRS-02
- SCF: HRS-11
- SCF: IAC-01
- SCF: IAC-01.2
- SCF: IAC-02
- SCF: IAC-03
- SCF: IAC-04
- SCF: IAC-05
- SCF: IAC-08
- SCF: IAC-21
- SDOS: SDOS-AD-01
- SDOS: SDOS-EN-02
- SDOS: SDOS-GV-01
- SDOS: SDOS-GV-05
- SP 800-171 Rev 3: 03.01.01
- SP 800-171 Rev 3: 03.01.02
- SP 800-171 Rev 3: 03.01.04
- SP 800-171 Rev 3: 03.01.05
- SP 800-171 Rev 3: 03.01.06
- SP 800-171 Rev 3: 03.01.07
- SP 800-171 Rev 3: 03.01.12
- SP 800-171 Rev 3: 03.01.16
- SP 800-171 Rev 3: 03.01.18
- SP 800-171 Rev 3: 03.13.08
- SP 800-171 Rev 3: 03.15.01
- SP 800-53 Rev 5.1.1: AC-01
- SP 800-53 Rev 5.1.1: AC-02
- SP 800-53 Rev 5.1.1: AC-03
- SP 800-53 Rev 5.1.1: AC-05
- SP 800-53 Rev 5.1.1: AC-06
- SP 800-53 Rev 5.1.1: AC-10
- SP 800-53 Rev 5.1.1: AC-16
- SP 800-53 Rev 5.1.1: AC-17
- SP 800-53 Rev 5.1.1: AC-18
- SP 800-53 Rev 5.1.1: AC-19
- SP 800-53 Rev 5.1.1: AC-24
- SP 800-53 Rev 5.1.1: IA-13
- SP 800-53 Rev 5.2.0: AC-01
- SP 800-53 Rev 5.2.0: AC-02
- SP 800-53 Rev 5.2.0: AC-03
- SP 800-53 Rev 5.2.0: AC-05
- SP 800-53 Rev 5.2.0: AC-06
- SP 800-53 Rev 5.2.0: AC-10
- SP 800-53 Rev 5.2.0: AC-16
- SP 800-53 Rev 5.2.0: AC-17
- SP 800-53 Rev 5.2.0: AC-18
- SP 800-53 Rev 5.2.0: AC-19
- SP 800-53 Rev 5.2.0: AC-24
- SP 800-53 Rev 5.2.0: IA-13
- SP 800-81r3: 3.1.1
- SSDF: PO.5.2
- SSDF: PS.1.1
Source: NIST Cybersecurity Framework 2.0 · CSF 2.0 → 800-53 mappings sourced from NIST Cybersecurity & Privacy Reference Tool (CPRT) · US government work — attribution requested per NIST Open License Terms.