Cyber Resilience

NIST 800-53 r5 · Controls catalogue · Family AC

AC-17 Remote Access

Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and authorize each type of remote access to the system prior to allowing such connections.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: mostly · 5 mapping(s) from 2 framework(s): ASVS 5.0 3 (partial) · CSF 2.0 2 (mostly)


Implementations targeting this control (0)

ATT&CK techniques this control mitigates (81)

Weaknesses this control addresses (7) AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE | Name | CVEs | Why this control addresses it
CWE-862 | Missing Authorization | 9,346 | Mandating authorization prior to allowing remote connections addresses missing authorization for remote access.
CWE-284 | Improper Access Control | 5,367 | Requiring prior authorization for each remote access type prevents improper access control over remote connections.
CWE-863 | Incorrect Authorization | 3,515 | The authorization process and usage restrictions help prevent incorrect authorization for remote access types.
CWE-285 | Improper Authorization | 1,356 | Explicitly mandates authorizing remote access types before permitting connections, directly mitigating improper authorization.
CWE-288 | Authentication Bypass Using an Alternate Path or Channel | 592 | Authorizing remote access reduces the ability to bypass authentication via unauthorized alternate remote channels.
CWE-420 | Unprotected Alternate Channel | 38 | Usage restrictions and authorization for remote access protect against unprotected alternate channels.
CWE-424 | Improper Protection of Alternate Path | 32 | Documenting requirements and authorizing remote access ensures proper protection of alternate paths.

Top CVEs where this control is the strongest mitigation

CVE | Risk | CVSS | EPSS | Match
CVE-2019-0708 KEV | 10.0 | 9.8 | 1.0000 | good
CVE-2017-3881 KEV | 10.0 | 9.8 | 0.9898 | good
CVE-2025-65294 | 7.0 | 9.8 | 0.0084 | good
CVE-2026-40289 | 7.0 | 9.1 | 0.0036 | good
CVE-2023-31902 | 7.0 | 9.8 | 0.0868 | good
CVE-2024-48063 | 7.0 | 9.8 | 0.0158 | good
CVE-2025-21309 | 6.0 | 8.1 | 0.1498 | good
CVE-2024-53961 | 6.0 | 8.1 | 0.1340 | good
CVE-2026-25807 | 5.5 | 8.8 | 0.0064 | good
CVE-2025-21297 | 5.5 | 8.1 | 0.0138 | good
CVE-2025-30116 | 5.5 | 7.5 | 0.0051 | good
CVE-2026-33892 | 5.5 | 7.1 | 0.0021 | good
CVE-2025-33054 UPD | 5.5 | 8.1 | 0.0083 | good
CVE-2024-43582 | 5.5 | 8.1 | 0.0309 | good
CVE-2024-53704 KEV | 10.0 | 9.8 | 0.9513 | good
CVE-2026-35616 KEV | 10.0 | 9.8 | 0.8851 | partial
CVE-2024-40891 KEV | 10.0 | 8.8 | 0.1973 | good
CVE-2026-0257 KEV UPD | 10.0 | 9.1 | 0.8668 | good
CVE-2024-0012 KEV | 10.0 | 9.8 | 0.9970 | good
CVE-2023-28461 KEV | 10.0 | 9.8 | 0.6764 | good
CVE-2023-24489 KEV | 10.0 | 9.8 | 0.9508 | partial
CVE-2023-20269 KEV | 10.0 | 5.0 | 0.2158 | good
CVE-2022-1388 KEV | 10.0 | 9.8 | 0.9996 | good
CVE-2022-1040 KEV | 10.0 | 9.8 | 0.9980 | good
CVE-2021-32030 KEV | 10.0 | 9.8 | 0.9939 | good

Other controls in family AC

AC-1 AC-10 AC-11 AC-12 AC-13 AC-14 AC-15 AC-16 AC-18 AC-19 AC-2 AC-20 AC-21 AC-22 AC-23 AC-24 AC-25 AC-3 AC-4 AC-5 AC-6 AC-7 AC-8 AC-9