Cyber Resilience

NIST 800-53 r5 · Controls catalogue · Family AC

AC-5 Separation of Duties

Identify and document {{ insert: param, ac-05_odp }}; and define system access authorizations to support separation of duties.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: full · 1 mapping(s) from 1 framework(s): CSF 2.0 1 (full)


Implementations targeting this control (6)

ATT&CK techniques this control mitigates (165)

Weaknesses this control addresses (6)

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-284 | Improper Access Control | 5,367 | Defining authorizations to support separation of duties strengthens overall access control by preventing unauthorized combinations of actions within a single account. |
| CWE-269 | Improper Privilege Management | 3,104 | By mandating division of duties across roles, the control enforces proper privilege management and prevents a single entity from controlling an entire sensitive process. |
| CWE-285 | Improper Authorization | 1,356 | The control requires authorizations to be structured around separated duties, mitigating improper authorization that would otherwise allow one user to perform conflicting operations. |
| CWE-266 | Incorrect Privilege Assignment | 969 | The control requires explicit definition of separated access authorizations, making incorrect privilege assignments that bundle conflicting duties harder to implement. |
| CWE-250 | Execution with Unnecessary Privileges | 333 | Separation of duties prevents any single user from holding all privileges needed to complete a critical task, directly reducing execution with unnecessary privileges. |
| CWE-272 | Least Privilege Violation | 33 | Separation of duties is a direct mechanism to enforce least privilege by ensuring no individual receives more access than required for their isolated responsibilities. |

Top CVEs where this control is the strongest mitigation

| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2023-20269 (KEV) | 10.0 | 5.0 | 0.2158 | partial |
| CVE-2026-29789 | 7.0 | 9.9 | 0.0037 | partial |
| CVE-2022-20759 | 6.0 | 8.8 | 0.2837 | partial |
| CVE-2026-27668 | 5.5 | 8.8 | 0.0026 | good |
| CVE-2026-34587 | 5.5 | 8.1 | 0.0033 | partial |
| CVE-2026-40591 | 5.5 | 7.1 | 0.0021 | partial |
| CVE-2026-29073 | 5.5 | 8.8 | 0.0032 | partial |
| CVE-2026-30944 | 5.5 | 8.8 | 0.0056 | partial |
| CVE-2026-26416 | 5.5 | 8.8 | 0.0038 | good |
| CVE-2026-25859 | 5.5 | 8.8 | 0.0034 | partial |
| CVE-2026-25741 | 5.5 | 7.1 | 0.0027 | partial |
| CVE-2022-22572 | 5.5 | 8.8 | 0.0200 | partial |
| CVE-2022-38813 | 5.5 | 8.1 | 0.0146 | partial |
| CVE-2025-25616 | 3.5 | 4.3 | 0.0039 | partial |
| CVE-2025-0849 | 3.5 | 6.3 | 0.0043 | partial |
| CVE-2026-32103 | 3.5 | 6.8 | 0.0034 | partial |
| CVE-2026-2077 | 3.5 | 6.3 | 0.0026 | partial |

Other controls in family AC

AC-1 AC-10 AC-11 AC-12 AC-13 AC-14 AC-15 AC-16 AC-17 AC-18 AC-19 AC-2 AC-20 AC-21 AC-22 AC-23 AC-24 AC-25 AC-3 AC-4 AC-6 AC-7 AC-8 AC-9