Cyber Resilience

NIST 800-53 r5 · Controls catalogue · Family AC

AC-14Permitted Actions Without Identification or Authentication

Identify {{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: partial · 1 mapping(s) from 1 framework(s): ASVS 5.0 1 (partial)

See the full cumulative-coverage rollup →

Implementations targeting this control (0)

ATT&CK techniques this control mitigates (1)

Weaknesses this control addresses (4)AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE Name CVEs Why this control addresses it
CWE-862Missing Authorization9,346Documenting permitted unauthenticated actions prevents missing authorization by making all exceptions explicit and subject to organizational review.
CWE-284Improper Access Control5,367Explicitly identifying and documenting actions permitted without identification or authentication enforces proper access control boundaries by defining justified exceptions.
CWE-306Missing Authentication for Critical Function2,820Requiring identification and rationale for actions allowed without authentication ensures critical functions are not left unprotected by forcing review of authentication requirements.
CWE-285Improper Authorization1,356The control's documentation requirement reduces improper authorization by ensuring only mission-justified actions bypass authentication.

Top CVEs where this control is the strongest mitigation

CVE Risk CVSS EPSS Match
CVE-2025-405548.09.80.5845good
CVE-2026-251927.09.40.0048good
CVE-2026-35877.010.00.0068good
CVE-2026-3611 UPD7.010.00.0558good
CVE-2026-4312 UPD7.09.80.0045good
CVE-2026-279447.09.80.2216good
CVE-2026-287107.09.80.0041good
CVE-2026-27446 UPD7.09.80.1063good
CVE-2026-248987.010.00.0056good
CVE-2026-236937.010.00.0038good
CVE-2026-22497.09.80.0051good
CVE-2025-701507.09.80.0057good
CVE-2025-701467.09.10.0045good
CVE-2019-253377.09.80.0041good
CVE-2026-250847.09.80.0073good
CVE-2026-22487.09.80.0051good
CVE-2026-247897.09.80.0067good
CVE-2026-20967.09.80.0052good
CVE-2026-14537.09.80.0050good
CVE-2021-478917.09.80.0080good
CVE-2025-235047.09.80.0043good
CVE-2025-371847.09.80.0057good
CVE-2026-239447.09.80.0044good
CVE-2026-240427.09.40.0058good
CVE-2026-10197.09.80.0053good

Other controls in family AC

AC-1 AC-10 AC-11 AC-12 AC-13 AC-15 AC-16 AC-17 AC-18 AC-19 AC-2 AC-20 AC-21 AC-22 AC-23 AC-24 AC-25 AC-3 AC-4 AC-5 AC-6 AC-7 AC-8 AC-9