Cyber Resilience

NIST 800-53 r5 · Controls catalogue · Family AC

AC-13 Supervision and Review — Access Control

Last updated: 04 July 2026 08:17 UTC

Implementations targeting this control (0)

ATT&CK techniques this control mitigates (0)

Weaknesses this control addresses (8)

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-862 | Missing Authorization | 9,350 | Reviews of access controls detect missing authorization checks on critical functions or resources. |
| CWE-284 | Improper Access Control | 5,385 | Supervision and review of access control activities directly detects and remediates improper access configurations or usages. |
| CWE-863 | Incorrect Authorization | 3,523 | Supervision identifies cases where authorization logic incorrectly permits unauthorized actions. |
| CWE-269 | Improper Privilege Management | 3,104 | Access supervision ensures privileges are assigned and managed without improper escalation or retention. |
| CWE-285 | Improper Authorization | 1,360 | Periodic reviews identify and correct flaws in authorization decisions or enforcement. |
| CWE-266 | Incorrect Privilege Assignment | 969 | Regular reviews catch incorrect privilege assignments to users, roles, or processes. |
| CWE-250 | Execution with Unnecessary Privileges | 333 | Supervision detects and allows removal of unnecessary privileges that enable execution with excess rights. |
| CWE-272 | Least Privilege Violation | 33 | Access reviews verify and enforce adherence to least privilege by identifying excess permissions. |

Top CVEs where this control is the strongest mitigation

| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|

No CVEs annotated to this control yet — the per-CVE backfill is in progress.

Other controls in family AC

AC-1 AC-10 AC-11 AC-12 AC-14 AC-15 AC-16 AC-17 AC-18 AC-19 AC-2 AC-20 AC-21 AC-22 AC-23 AC-24 AC-25 AC-3 AC-4 AC-5 AC-6 AC-7 AC-8 AC-9