Cyber Resilience

NIST 800-53 r5 · Controls catalogue · Family AC

AC-25Reference Monitor

Implement a reference monitor for {{ insert: param, ac-25_odp }} that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: partial · 9 mapping(s) from 1 framework(s): ASVS 5.0 9 (partial)

See the full cumulative-coverage rollup →

Implementations targeting this control (0)

ATT&CK techniques this control mitigates (0)

Weaknesses this control addresses (8)AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE Name CVEs Why this control addresses it
CWE-862Missing Authorization9,346Always invoking the reference monitor prevents missing authorization checks for protected resources.
CWE-284Improper Access Control5,367Provides a tamperproof, always-invoked, and verifiable mechanism to enforce access control policies.
CWE-863Incorrect Authorization3,515The small, testable reference monitor reduces the likelihood of incorrect authorization implementations.
CWE-269Improper Privilege Management3,104Enforces proper privilege management by requiring all decisions through the verified reference monitor.
CWE-306Missing Authentication for Critical Function2,820Guarantees critical functions are protected by mandatory invocation of the access control mechanism.
CWE-285Improper Authorization1,356Ensures authorization decisions are always performed by a complete and analyzable reference monitor.
CWE-693Protection Mechanism Failure613Implements a reliable, tamperproof protection mechanism whose completeness can be assured.
CWE-425Direct Request ('Forced Browsing')265Forces all accesses through the reference monitor, preventing direct or forced requests that bypass checks.

Top CVEs where this control is the strongest mitigation

CVE Risk CVSS EPSS Match
CVE-2025-241787.09.80.0148good
CVE-2025-43261 UPD7.09.80.0077good
CVE-2026-336315.58.70.0010good
CVE-2026-242225.58.60.0040good
CVE-2026-356665.58.80.0037good
CVE-2026-296485.58.80.0032good
CVE-2025-03595.58.50.0013good
CVE-2026-412965.58.20.0020good
CVE-2026-355705.58.40.0023good
CVE-2026-288175.58.10.0016good
CVE-2025-255005.57.50.0069good
CVE-2026-336325.57.80.0010good
CVE-2025-697835.57.80.0016good
CVE-2024-538415.57.80.0009good
CVE-2026-375255.57.80.0014good
CVE-2026-329885.57.50.0008good
CVE-2026-00085.58.40.0007good
CVE-2026-239895.58.20.0027good
CVE-2025-35998 UPD5.57.90.0015good
CVE-2026-409683.54.20.0017good
CVE-2022-369808.08.10.8314good
CVE-2026-238307.010.00.0112good
CVE-2025-242387.09.80.0106good
CVE-2025-311827.09.80.0116good
CVE-2026-34444 UPD7.010.00.0061good

Other controls in family AC

AC-1 AC-10 AC-11 AC-12 AC-13 AC-14 AC-15 AC-16 AC-17 AC-18 AC-19 AC-2 AC-20 AC-21 AC-22 AC-23 AC-24 AC-3 AC-4 AC-5 AC-6 AC-7 AC-8 AC-9