NIST 800-53 r5 · Controls catalogue · Family AC
AC-16Security and Privacy Attributes
Provide the means to associate {{ insert: param, ac-16_prm_1 }} with {{ insert: param, ac-16_prm_2 }} for information in storage, in process, and/or in transmission; Ensure that the attribute associations are made and retained with the information; Establish the following permitted security and privacy attributes from the attributes defined in [AC-16a](#ac-16_smt.a) for {{ insert: param, ac-16_prm_3 }}: {{ insert: param, ac-16_prm_4 }}; Determine the following permitted attribute values or ranges for each of the established attributes: {{ insert: param, ac-16_odp.09 }}; Audit changes to attributes; and Review {{ insert: param, ac-16_prm_6 }} for applicability {{ insert: param, ac-16_prm_7 }}.
Last updated: 19 May 2026 20:20 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (57)
- T1003 OS Credential Dumping Credential Access
- T1003.003 NTDS Credential Access
- T1005 Data from Local System Collection
- T1020.001 Traffic Duplication Exfiltration
- T1025 Data from Removable Media Collection
- T1040 Network Sniffing Credential Access, Discovery
- T1041 Exfiltration Over C2 Channel Exfiltration
- T1048 Exfiltration Over Alternative Protocol Exfiltration
- T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol Exfiltration
- T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol Exfiltration
- T1052 Exfiltration Over Physical Medium Exfiltration
- T1052.001 Exfiltration over USB Exfiltration
- T1070 Indicator Removal Stealth
- T1070.008 Clear Mailbox Data Stealth
- T1114 Email Collection Collection
- T1114.001 Local Email Collection Collection
- T1114.002 Remote Email Collection Collection
- T1114.003 Email Forwarding Rule Collection
- T1119 Automated Collection Collection
- T1213 Data from Information Repositories Collection
- T1213.001 Confluence Collection
- T1213.002 Sharepoint Collection
- T1213.004 Customer Relationship Management Software Collection
- T1213.005 Messaging Applications Collection
- T1222 File and Directory Permissions Modification Defense Impairment
- T1222.001 Windows Permissions Defense Impairment
- T1222.002 Linux and Mac Permissions Defense Impairment
- T1505 Server Software Component Persistence
- T1505.002 Transport Agent Persistence
- T1530 Data from Cloud Storage Collection
- T1537 Transfer Data to Cloud Account Exfiltration
- T1547.007 Re-opened Applications Persistence, Privilege Escalation
- T1548 Abuse Elevation Control Mechanism Privilege Escalation
- T1548.003 Sudo and Sudo Caching Privilege Escalation
- T1548.006 TCC Manipulation Privilege Escalation
- T1550.001 Application Access Token Lateral Movement
- T1552 Unsecured Credentials Credential Access
- T1552.004 Private Keys Credential Access
- T1552.005 Cloud Instance Metadata API Credential Access
- T1556.009 Conditional Access Policies Defense Impairment, Persistence, Credential Access
- T1557 Adversary-in-the-Middle Credential Access, Collection
- T1557.002 ARP Cache Poisoning Credential Access, Collection
- T1558 Steal or Forge Kerberos Tickets Credential Access
- T1558.002 Silver Ticket Credential Access
- T1558.003 Kerberoasting Credential Access
- T1558.004 AS-REP Roasting Credential Access
- T1564.004 NTFS File Attributes Stealth
- T1565 Data Manipulation Impact
- T1565.001 Stored Data Manipulation Impact
- T1565.002 Transmitted Data Manipulation Impact
Weaknesses this control addresses (8)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 10,260 | Proper attribute retention and permitted-value enforcement limits unauthorized actors from accessing sensitive information lacking correct labels. |
CWE-862 | Missing Authorization | 8,799 | Requiring attribute association with information prevents authorization from being performed without necessary security or privacy context. |
CWE-284 | Improper Access Control | 4,907 | Associating and retaining security attributes with data directly supports enforcement of access control decisions across storage, processing, and transmission. |
CWE-863 | Incorrect Authorization | 3,305 | Defining permitted attribute values and auditing modifications reduces the chance of incorrect authorization outcomes due to tampered or missing labels. |
CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,837 | Attribute management for resources provides a mechanism to assign and maintain correct permissions based on security labels. |
CWE-285 | Improper Authorization | 1,252 | Establishing permitted attributes and values, plus auditing changes, ensures authorization decisions are based on correctly managed policy data. |
CWE-359 | Exposure of Private Personal Information to an Unauthorized Actor | 178 | Privacy-specific attributes and their controlled association directly reduce exposure of private personal information through missing or incorrect labeling. |
CWE-1220 | Insufficient Granularity of Access Control | 83 | Use of granular security and privacy attributes enables finer access control than coarse permission models alone. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
CVE-2025-50328 | 1.5 | 7.3 | 0.0003 | good |
CVE-2025-0411 KEV | 6.2 | 7.0 | 0.4672 | good |
CVE-2026-32975 | 2.0 | 9.8 | 0.0008 | good |
CVE-2026-28474 UPD | 2.0 | 9.8 | 0.0007 | good |
CVE-2025-65318 | 1.8 | 9.1 | 0.0010 | good |
CVE-2026-4503 UPD | 1.5 | 7.5 | 0.0007 | partial |
CVE-2026-32894 | 1.4 | 7.1 | 0.0004 | good |
CVE-2026-41299 | 1.4 | 7.1 | 0.0006 | good |
CVE-2025-24167 | 2.0 | 9.8 | 0.0034 | partial |
CVE-2025-45968 | 2.0 | 9.8 | 0.0041 | good |
CVE-2025-43232 | 2.0 | 9.8 | 0.0012 | good |
CVE-2026-25876 | 1.8 | 9.1 | 0.0008 | partial |
CVE-2026-25810 | 1.8 | 9.1 | 0.0008 | good |
CVE-2026-35045 | 1.6 | 8.1 | 0.0004 | partial |
CVE-2026-34055 | 1.6 | 8.1 | 0.0001 | partial |
CVE-2025-0352 | 1.5 | 7.5 | 0.0010 | partial |
CVE-2026-32123 | 1.5 | 7.7 | 0.0013 | partial |
CVE-2026-25758 | 1.5 | 7.5 | 0.0003 | partial |