Cyber Resilience

NIST 800-53 r5 · Controls catalogue · Family AC

AC-2Account Management

Define and document the types of accounts allowed and specifically prohibited for use within the system; Assign account managers; Require {{ insert: param, ac-02_odp.01 }} for group and role membership; Specify: Authorized users of the system; Group and role membership; and Access authorizations (i.e., privileges) and {{ insert: param, ac-02_odp.02 }} for each account; Require approvals by {{ insert: param, ac-02_odp.03 }} for requests to create accounts; Create, enable, modify, disable, and remove accounts in accordance with {{ insert: param, ac-02_odp.04 }}; Monitor the use of accounts; Notify account managers and {{ insert: param, ac-02_odp.05 }} within: {{ insert: param, ac-02_odp.06 }} when accounts are no longer required; {{ insert: param, ac-02_odp.07 }} when users are terminated or transferred; and {{ insert: param, ac-02_odp.08 }} when system usage or need-to-know changes for an individual; Authorize access to the system based on: A valid access authorization; Intended system usage; and {{ insert: param, ac-02_odp.09 }}; Review accounts for compliance with account management requirements {{ insert: param, ac-02_odp.10 }}; Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and Align account management processes with personnel termination and transfer processes.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: mostly · 24 mapping(s) from 2 framework(s): ASVS 5.0 18 (partial) · CSF 2.0 6 (mostly)

See the full cumulative-coverage rollup →

Implementations targeting this control (8)

ATT&CK techniques this control mitigates (218)

Weaknesses this control addresses (8)AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE Name CVEs Why this control addresses it
CWE-862Missing Authorization9,346Requiring approvals for account creation and specifying authorizations ensures authorization is not missing for system access.
CWE-284Improper Access Control5,367Defining account types, requiring approvals for creation, specifying authorizations, monitoring usage, and reviewing accounts directly prevents improper access control by ensuring only authorized accounts exist and are used.
CWE-863Incorrect Authorization3,515Monitoring account use, notifying on changes, and reviewing accounts for compliance corrects incorrect authorization assignments.
CWE-269Improper Privilege Management3,104Assigning group/role memberships and access authorizations (privileges) while reviewing accounts addresses improper privilege management.
CWE-285Improper Authorization1,356Specifying access authorizations for each account and requiring approvals for account requests enforces proper authorization decisions.
CWE-266Incorrect Privilege Assignment969Explicitly specifying privileges and group/role memberships for accounts reduces the risk of incorrect privilege assignments.
CWE-250Execution with Unnecessary Privileges333Reviewing accounts for compliance, disabling/removing unneeded accounts, and aligning with termination processes prevents execution with unnecessary privileges.
CWE-272Least Privilege Violation33Requiring specification of intended system usage and access authorizations, plus periodic reviews, supports enforcement of least privilege.

Top CVEs where this control is the strongest mitigation

CVE Risk CVSS EPSS Match
CVE-2020-29583 KEV10.09.80.9005good
CVE-2026-318747.09.80.0064good
CVE-2025-128827.09.80.0041good
CVE-2025-114577.09.80.0036good
CVE-2025-145337.09.80.0098good
CVE-2024-96367.09.80.0077good
CVE-2025-01777.09.80.0042good
CVE-2024-134217.09.80.0072good
CVE-2025-136757.09.80.0031good
CVE-2024-122817.09.80.0040good
CVE-2024-119517.09.80.0040good
CVE-2025-137647.09.80.0030good
CVE-2025-135597.09.80.0031good
CVE-2025-22327.09.80.0051good
CVE-2025-13618 UPD7.09.80.0034good
CVE-2026-09207.09.80.0108good
CVE-2025-6758 UPD7.09.80.0035good
CVE-2025-6994 UPD7.09.80.0037good
CVE-2025-342177.09.80.0070good
CVE-2025-354527.09.80.0079good
CVE-2024-464335.58.80.0051good
CVE-2024-574345.58.80.0044good
CVE-2024-464295.58.80.0055good
CVE-2026-356075.58.10.0038good
CVE-2026-333165.58.10.0036good

Other controls in family AC

AC-1 AC-10 AC-11 AC-12 AC-13 AC-14 AC-15 AC-16 AC-17 AC-18 AC-19 AC-20 AC-21 AC-22 AC-23 AC-24 AC-25 AC-3 AC-4 AC-5 AC-6 AC-7 AC-8 AC-9