Cyber Resilience

NIST 800-53 r5 · Controls catalogue · Family AC

AC-16Security and Privacy Attributes

Provide the means to associate {{ insert: param, ac-16_prm_1 }} with {{ insert: param, ac-16_prm_2 }} for information in storage, in process, and/or in transmission; Ensure that the attribute associations are made and retained with the information; Establish the following permitted security and privacy attributes from the attributes defined in [AC-16a](#ac-16_smt.a) for {{ insert: param, ac-16_prm_3 }}: {{ insert: param, ac-16_prm_4 }}; Determine the following permitted attribute values or ranges for each of the established attributes: {{ insert: param, ac-16_odp.09 }}; Audit changes to attributes; and Review {{ insert: param, ac-16_prm_6 }} for applicability {{ insert: param, ac-16_prm_7 }}.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: partial · 18 mapping(s) from 2 framework(s): ASVS 5.0 17 (partial) · CSF 2.0 1 (partial)

See the full cumulative-coverage rollup →

Implementations targeting this control (0)

ATT&CK techniques this control mitigates (57)

Weaknesses this control addresses (8)AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE Name CVEs Why this control addresses it
CWE-200Exposure of Sensitive Information to an Unauthorized Actor10,501Proper attribute retention and permitted-value enforcement limits unauthorized actors from accessing sensitive information lacking correct labels.
CWE-862Missing Authorization9,346Requiring attribute association with information prevents authorization from being performed without necessary security or privacy context.
CWE-284Improper Access Control5,367Associating and retaining security attributes with data directly supports enforcement of access control decisions across storage, processing, and transmission.
CWE-863Incorrect Authorization3,515Defining permitted attribute values and auditing modifications reduces the chance of incorrect authorization outcomes due to tampered or missing labels.
CWE-732Incorrect Permission Assignment for Critical Resource1,874Attribute management for resources provides a mechanism to assign and maintain correct permissions based on security labels.
CWE-285Improper Authorization1,356Establishing permitted attributes and values, plus auditing changes, ensures authorization decisions are based on correctly managed policy data.
CWE-359Exposure of Private Personal Information to an Unauthorized Actor190Privacy-specific attributes and their controlled association directly reduce exposure of private personal information through missing or incorrect labeling.
CWE-1220Insufficient Granularity of Access Control94Use of granular security and privacy attributes enables finer access control than coarse permission models alone.

Top CVEs where this control is the strongest mitigation

CVE Risk CVSS EPSS Match
CVE-2025-503285.57.30.0033good
CVE-2025-0411 KEV10.07.00.6707good
CVE-2026-329757.09.80.0034good
CVE-2025-653187.09.10.0048good
CVE-2026-284747.09.80.0049good
CVE-2026-45035.57.50.0034partial
CVE-2026-328945.57.10.0028good
CVE-2026-412995.57.10.0020good
CVE-2025-241677.09.80.0086partial
CVE-2026-258767.09.10.0025partial
CVE-2026-258107.09.10.0025good
CVE-2025-45968 UPD7.09.80.0058good
CVE-2025-43232 UPD7.09.80.0073good
CVE-2024-454897.09.80.0124partial
CVE-2023-295077.09.10.0090partial
CVE-2023-292067.09.00.0094partial
CVE-2023-26406.07.80.1578partial
CVE-2026-350455.58.10.0027partial
CVE-2026-340555.58.10.0027partial
CVE-2025-03525.57.50.0033partial
CVE-2026-321235.57.70.0025partial
CVE-2026-257585.57.50.0060partial
CVE-2026-238435.57.10.0020partial
CVE-2025-48063 UPD5.58.80.0078partial
CVE-2024-299763.56.50.0895partial

Other controls in family AC

AC-1 AC-10 AC-11 AC-12 AC-13 AC-14 AC-15 AC-17 AC-18 AC-19 AC-2 AC-20 AC-21 AC-22 AC-23 AC-24 AC-25 AC-3 AC-4 AC-5 AC-6 AC-7 AC-8 AC-9