Cyber Resilience

NIST 800-53 r5 · Controls catalogue · Family AC

AC-4Information Flow Enforcement

Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on {{ insert: param, ac-04_odp }}.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: mostly · 3 mapping(s) from 1 framework(s): CSF 2.0 3 (mostly)

See the full cumulative-coverage rollup →

Implementations targeting this control (5)

ATT&CK techniques this control mitigates (158)

Weaknesses this control addresses (8)AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE Name CVEs Why this control addresses it
CWE-862Missing Authorization9,346Mandates authorization checks and enforcement for all information flows, addressing missing authorization.
CWE-284Improper Access Control5,367Enforcing approved authorizations for information flows directly implements access control over data movements within and between systems.
CWE-863Incorrect Authorization3,515Applies only approved authorizations to information flows, mitigating incorrect authorization decisions.
CWE-285Improper Authorization1,356Requires and applies authorization decisions specifically to control information flows based on policy.
CWE-668Exposure of Resource to Wrong Sphere797Restricts information flows to ensure resources are not exposed to incorrect or unauthorized spheres.
CWE-669Incorrect Resource Transfer Between Spheres105Enforces proper authorization rules for any resource or data transfer between different spheres.
CWE-653Improper Isolation or Compartmentalization66Maintains isolation and compartmentalization by restricting flows between security domains or levels.
CWE-501Trust Boundary Violation30Prevents information from crossing trust boundaries without explicit approved authorizations.

Top CVEs where this control is the strongest mitigation

CVE Risk CVSS EPSS Match
CVE-2024-21893 KEV UPD10.08.21.0000good
CVE-2022-2586 KEV10.05.30.1275good
CVE-2021-36942 KEV10.07.50.6602good
CVE-2021-27103 KEV10.09.80.1141good
CVE-2021-21311 KEV10.07.20.9046good
CVE-2019-9621 KEV10.07.50.8091good
CVE-2019-16256 KEV10.09.80.0495good
CVE-2023-462628.07.50.8285good
CVE-2024-420108.07.50.5281good
CVE-2024-300438.06.50.5466good
CVE-2026-327377.010.00.0039good
CVE-2026-327687.09.90.0028good
CVE-2026-327697.09.80.0050good
CVE-2026-318187.09.60.0038good
CVE-2025-700467.09.80.0036good
CVE-2026-11817.09.00.0031good
CVE-2022-355837.09.80.1128good
CVE-2022-385807.09.80.1100good
CVE-2022-264997.09.10.0768good
CVE-2024-454107.09.80.0151good
CVE-2023-308467.09.10.0222good
CVE-2025-47733 UPD7.09.10.0151good
CVE-2024-366757.09.10.0143good
CVE-2025-213856.08.80.2444good
CVE-2024-470086.07.50.4659good

Other controls in family AC

AC-1 AC-10 AC-11 AC-12 AC-13 AC-14 AC-15 AC-16 AC-17 AC-18 AC-19 AC-2 AC-20 AC-21 AC-22 AC-23 AC-24 AC-25 AC-3 AC-5 AC-6 AC-7 AC-8 AC-9