Cyber Resilience

NIST 800-53 r5 · Controls catalogue · Family AC

AC-3 Access Enforcement

Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: mostly · 9 mapping(s) from 2 framework(s): ASVS 5.0 6 (partial) · CSF 2.0 3 (mostly)


Implementations targeting this control (32)

ATT&CK techniques this control mitigates (279)

Weaknesses this control addresses (6) · AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-862 | Missing Authorization | 9,346 | Requiring enforcement of authorizations ensures checks are performed rather than omitted for resources. |
| CWE-284 | Improper Access Control | 5,367 | Enforcing approved authorizations directly implements access control policies to block unauthorized access. |
| CWE-863 | Incorrect Authorization | 3,515 | Mandating policy-based enforcement reduces the chance of incorrect authorization logic being used. |
| CWE-639 | Authorization Bypass Through User-Controlled Key | 2,141 | Consistent enforcement of approved authorizations makes bypassing via user-controlled keys ineffective. |
| CWE-285 | Improper Authorization | 1,356 | The control requires checking and applying authorization decisions per policy, preventing improper authorization. |
| CWE-425 | Direct Request ('Forced Browsing') | 265 | Enforcing access for all logical requests prevents unauthorized direct access to protected resources. |

Top CVEs where this control is the strongest mitigation

| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2026-20127 KEV UPD | 10.0 | 10.0 | 0.5779 | good |
| CVE-2026-24858 KEV UPD | 10.0 | 9.8 | 0.8584 | good |
| CVE-2024-55591 KEV | 10.0 | 9.8 | 0.9826 | good |
| CVE-2024-53704 KEV | 10.0 | 9.8 | 0.9513 | good |
| CVE-2025-24813 KEV | 10.0 | 9.8 | 0.9994 | good |
| CVE-2025-2746 KEV | 10.0 | 9.8 | 0.5843 | good |
| CVE-2024-57726 KEV | 10.0 | 9.9 | 0.0933 | good |
| CVE-2025-31125 KEV | 10.0 | 5.3 | 0.5877 | good |
| CVE-2026-39987 KEV | 10.0 | 9.8 | 0.9565 | good |
| CVE-2023-52163 KEV | 10.0 | 8.8 | 0.9643 | good |
| CVE-2025-2747 KEV | 10.0 | 9.8 | 0.9216 | good |
| CVE-2024-57968 KEV | 10.0 | 9.9 | 0.3048 | good |
| CVE-2026-35616 KEV | 10.0 | 9.8 | 0.8851 | good |
| CVE-2025-12480 KEV | 10.0 | 9.1 | 0.9035 | good |
| CVE-2024-54085 KEV | 10.0 | 9.8 | 0.6120 | good |
| CVE-2025-24989 KEV | 10.0 | 8.2 | 0.0166 | good |
| CVE-2026-41940 KEV | 10.0 | 9.8 | 0.9810 | good |
| CVE-2025-59718 KEV UPD | 10.0 | 9.8 | 0.6583 | good |
| CVE-2025-24472 KEV | 10.0 | 8.1 | 0.0299 | good |
| CVE-2026-33825 KEV | 10.0 | 7.8 | 0.0675 | good |
| CVE-2025-48572 KEV | 10.0 | 7.8 | 0.0023 | good |
| CVE-2026-20133 KEV | 10.0 | 6.5 | 0.1024 | good |
| CVE-2025-40602 KEV | 10.0 | 6.6 | 0.0191 | good |
| CVE-2025-57819 KEV UPD | 10.0 | 9.8 | 0.9329 | good |
| CVE-2025-6205 KEV UPD | 10.0 | 9.1 | 0.6917 | good |
