Cyber Resilience

NIST 800-53 r5 · Controls catalogue · Family AC

AC-19Access Control for Mobile Devices

Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and Authorize the connection of mobile devices to organizational systems.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: mostly · 2 mapping(s) from 2 framework(s): CSF 2.0 1 (mostly) · ASVS 5.0 1 (partial)

See the full cumulative-coverage rollup →

Implementations targeting this control (0)

ATT&CK techniques this control mitigates (27)

Weaknesses this control addresses (5)AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE Name CVEs Why this control addresses it
CWE-862Missing Authorization9,346The control requires authorization before allowing mobile device connections, directly mitigating missing authorization for system access.
CWE-284Improper Access Control5,367Requiring authorization and configuration controls for mobile device connections directly enforces access control and prevents unauthorized devices from reaching organizational systems.
CWE-863Incorrect Authorization3,515Establishing connection authorization processes for mobile devices helps ensure authorization decisions are correctly implemented rather than incorrect.
CWE-306Missing Authentication for Critical Function2,820Authorizing mobile device connections to organizational systems ensures authentication is performed for this critical access function.
CWE-285Improper Authorization1,356Mandating explicit authorization of mobile device connections reduces the risk of improper authorization decisions for system access.

Top CVEs where this control is the strongest mitigation

CVE Risk CVSS EPSS Match
CVE-2025-05905.57.50.0034good
CVE-2025-154645.57.50.0047good
CVE-2025-12987.09.80.0043partial
CVE-2024-116245.57.80.0008good
CVE-2026-206065.57.10.0014good
CVE-2025-24200 KEV10.06.10.0491good
CVE-2024-539317.09.10.0034partial
CVE-2025-43192 UPD7.09.80.0064partial
CVE-2025-257585.57.50.0028good
CVE-2025-200605.57.50.0037good
CVE-2025-211945.57.10.0082partial
CVE-2025-01505.57.10.0046partial
CVE-2025-581075.57.50.0025partial
CVE-2024-441363.54.60.0042partial

Other controls in family AC

AC-1 AC-10 AC-11 AC-12 AC-13 AC-14 AC-15 AC-16 AC-17 AC-18 AC-2 AC-20 AC-21 AC-22 AC-23 AC-24 AC-25 AC-3 AC-4 AC-5 AC-6 AC-7 AC-8 AC-9