Cyber Resilience

NIST 800-53 r5 · Controls catalogue · Family AC

AC-22 Publicly Accessible Content

a. Designate individuals authorized to make information publicly accessible;
b. Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
c. Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and
d. Review the content on the publicly accessible system for nonpublic information [Assignment: organization-defined frequency] and remove such information, if discovered.

Last updated: 04 July 2026 00:28 UTC

Implementations targeting this control (0)

ATT&CK techniques this control mitigates (0)

Weaknesses this control addresses (8) · AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 10,501 | Review and removal of nonpublic information from publicly accessible systems directly prevents exposure of sensitive data to unauthorized actors. |
| CWE-284 | Improper Access Control | 5,367 | Designating authorized individuals and mandating pre/post-publication reviews enforces access controls on who can publish content publicly. |
| CWE-285 | Improper Authorization | 1,356 | Authorization checks via training and content reviews ensure only approved information is released to public systems. |
| CWE-668 | Exposure of Resource to Wrong Sphere | 797 | The control ensures information resources are not exposed to the incorrect (public) sphere through review and authorization. |
| CWE-552 | Files or Directories Accessible to External Parties | 563 | Controls on authorized publication limit files and directories with nonpublic data from becoming accessible to external parties. |
| CWE-497 | Exposure of Sensitive System Information to an Unauthorized Control Sphere | 342 | Ongoing reviews detect and remove sensitive system information before it reaches publicly accessible systems. |
| CWE-359 | Exposure of Private Personal Information to an Unauthorized Actor | 190 | Preventing nonpublic personal information from public posting reduces unauthorized exposure of private personal data. |
| CWE-538 | Insertion of Sensitive Information into Externally-Accessible File or Directory | 93 | Pre- and post-publication reviews prevent insertion of sensitive information into externally-accessible public locations. |

Top CVEs where this control is the strongest mitigation

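| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2025-70841 | 7.0 | 10.0 | 0.0038 | good |
| CVE-2020-37082 | 7.0 | 9.8 | 0.0054 | good |
| CVE-2026-22237 | 7.0 | 9.8 | 0.0042 | good |
| CVE-2025-11693 | 7.0 | 9.8 | 0.0195 | good |
| CVE-2025-12539 | 7.0 | 10.0 | 0.0095 | good |
| CVE-2025-54863 | 7.0 | 10.0 | 0.0061 | good |
| CVE-2026-2144 | 5.5 | 8.1 | 0.0047 | good |
| CVE-2025-67223 | 5.5 | 7.5 | 0.0063 | good |
| CVE-2024-12330 | 5.5 | 7.5 | 0.0049 | good |
| CVE-2024-12274 | 5.5 | 7.5 | 0.0062 | good |
| CVE-2025-27604 | 5.5 | 7.5 | 0.0035 | good |
| CVE-2024-13562 | 5.5 | 7.5 | 0.0043 | good |
| CVE-2024-13606 | 5.5 | 7.5 | 0.0040 | good |
| CVE-2024-13568 | 5.5 | 7.5 | 0.0040 | good |
| CVE-2024-13611 | 5.5 | 7.5 | 0.0046 | good |
| CVE-2026-41278 | 5.5 | 7.5 | 0.0042 | good |
| CVE-2025-34225 | 5.5 | 8.6 | 0.0076 | good |
| CVE-2026-29779 | 5.5 | 7.5 | 0.0029 | good |
| CVE-2026-27161 | 5.5 | 7.5 | 0.0041 | good |
| CVE-2025-69908 | 5.5 | 7.5 | 0.0038 | good |
| CVE-2023-6750 | 5.5 | 7.5 | 0.0196 | good |
| CVE-2024-11396 | 3.5 | 5.3 | 0.0194 | good |
| CVE-2024-12008 | 3.5 | 5.3 | 0.0217 | good |
| CVE-2026-27877 UPD | 3.5 | 6.5 | 0.0031 | good |
| CVE-2024-13638 | 3.5 | 5.9 | 0.0044 | good |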

Other controls in family AC

AC-1 AC-10 AC-11 AC-12 AC-13 AC-14 AC-15 AC-16 AC-17 AC-18 AC-19 AC-2 AC-20 AC-21 AC-23 AC-24 AC-25 AC-3 AC-4 AC-5 AC-6 AC-7 AC-8 AC-9