Cyber Resilience

NIST 800-53 r5 · Controls catalogue · Family AC

AC-6 Least Privilege

Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: full · 12 mapping(s) from 2 framework(s): ASVS 5.0 10 (partial) · CSF 2.0 2 (full)


Implementations targeting this control (1)

ATT&CK techniques this control mitigates (268)

Weaknesses this control addresses (8) · AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE · Name · CVEs · Why this control addresses it
CWE-284 · Improper Access Control · 5,367 · Supports proper access control through restriction to only authorized necessary accesses.
CWE-269 · Improper Privilege Management · 3,104 · Implements core proper privilege management by restricting to only required rights.
CWE-732 · Incorrect Permission Assignment for Critical Resource · 1,874 · Prevents overly permissive assignments to critical resources by limiting to task needs.
CWE-276 · Incorrect Default Permissions · 1,789 · Guides setting of default permissions to the minimum required level.
CWE-285 · Improper Authorization · 1,356 · Requires authorization to grant only the minimal privileges needed for tasks.
CWE-266 · Incorrect Privilege Assignment · 969 · Ensures privileges are assigned only as necessary rather than incorrectly over-granted.
CWE-250 · Execution with Unnecessary Privileges · 333 · Directly prevents execution with more privileges than needed for assigned tasks.
CWE-272 · Least Privilege Violation · 33 · Enforces the least privilege principle to avoid violations of minimal necessary access.

Top CVEs where this control is the strongest mitigation

CVE (flags) · Risk · CVSS · EPSS · Match
CVE-2025-21333 (KEV) · 10.0 · 7.8 · 0.0980 · good
CVE-2026-31431 (KEV, UPD) · 10.0 · 7.8 · 0.9627 · good
CVE-2025-1976 (KEV, UPD) · 10.0 · 6.7 · 0.0074 · good
CVE-2024-26169 (KEV, UPD) · 10.0 · 7.8 · 0.0401 · good
CVE-2023-41179 (KEV) · 10.0 · 7.2 · 0.0474 · good
CVE-2023-29360 (KEV) · 10.0 · 8.4 · 0.2213 · good
CVE-2022-22960 (KEV) · 10.0 · 7.8 · 0.3717 · good
CVE-2022-22047 (KEV) · 10.0 · 7.8 · 0.1891 · good
CVE-2022-21919 (KEV) · 10.0 · 7.0 · 0.0295 · good
CVE-2021-43226 (KEV) · 10.0 · 7.8 · 0.0307 · good
CVE-2021-41357 (KEV) · 10.0 · 7.8 · 0.0197 · good
CVE-2021-38163 (KEV) · 10.0 · 9.9 · 0.3715 · good
CVE-2021-34484 (KEV) · 10.0 · 7.8 · 0.1439 · good
CVE-2021-33771 (KEV) · 10.0 · 7.8 · 0.0620 · good
CVE-2021-31979 (KEV) · 10.0 · 7.8 · 0.0261 · good
CVE-2021-31201 (KEV) · 10.0 · 5.2 · 0.0262 · good
CVE-2020-8655 (KEV) · 10.0 · 7.8 · 0.5808 · good
CVE-2020-3950 (KEV) · 10.0 · 7.8 · 0.0725 · good
CVE-2020-0638 (KEV) · 10.0 · 7.8 · 0.0293 · good
CVE-2019-3010 (KEV) · 10.0 · 8.8 · 0.1351 · good
CVE-2019-15949 (KEV) · 10.0 · 8.8 · 0.7774 · good
CVE-2019-1385 (KEV) · 10.0 · 7.8 · 0.0360 · good
CVE-2019-1130 (KEV) · 10.0 · 7.8 · 0.0228 · good
CVE-2019-1129 (KEV) · 10.0 · 7.8 · 0.0178 · good
CVE-2019-0863 (KEV) · 10.0 · 7.8 · 0.0521 · good

Other controls in family AC

AC-1 AC-2 AC-3 AC-4 AC-5 AC-7 AC-8 AC-9 AC-10 AC-11 AC-12 AC-13 AC-14 AC-15 AC-16 AC-17 AC-18 AC-19 AC-20 AC-21 AC-22 AC-23 AC-24 AC-25