NIST 800-53 r5 · Controls catalogue · Family IA
IA-3Device Identification and Authentication
Uniquely identify and authenticate {{ insert: param, ia-03_odp.01 }} before establishing a {{ insert: param, ia-03_odp.02 }} connection.
Last updated: 19 May 2026 14:18 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (8)
- T1530 Data from Cloud Storage Collection
- T1537 Transfer Data to Cloud Account Exfiltration
- T1552 Unsecured Credentials Credential Access
- T1552.005 Cloud Instance Metadata API Credential Access
- T1602 Data from Configuration Repository Collection
- T1602.001 SNMP (MIB Dump) Collection
- T1602.002 Network Device Configuration Dump Collection
- T1621 Multi-Factor Authentication Request Generation Credential Access
Weaknesses this control addresses (5)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-287 | Improper Authentication | 4,757 | Enforces unique device identification and authentication before any connection is established, directly mitigating improper authentication weaknesses. |
CWE-306 | Missing Authentication for Critical Function | 2,600 | Requires authentication of devices prior to connection, preventing exploitation of missing authentication for critical network functions. |
CWE-290 | Authentication Bypass by Spoofing | 642 | Unique device authentication makes successful spoofing of device identity substantially more difficult to achieve. |
CWE-300 | Channel Accessible by Non-Endpoint | 53 | Ensures only authenticated endpoints can access the communication channel, blocking unauthorized non-endpoint access. |
CWE-291 | Reliance on IP Address for Authentication | 10 | Mandates proper device-level authentication instead of weaker identifiers such as IP addresses that are easily forged. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
CVE-2026-4370 | 2.0 | 10.0 | 0.0004 | good |
CVE-2025-27671 | 2.0 | 9.8 | 0.0039 | good |
CVE-2025-67791 | 2.0 | 9.8 | 0.0007 | good |
CVE-2026-23518 | 2.0 | 9.8 | 0.0005 | good |
CVE-2026-29796 UPD | 1.9 | 9.4 | 0.0006 | good |
CVE-2026-26288 UPD | 1.9 | 9.4 | 0.0018 | good |
CVE-2026-22552 UPD | 1.9 | 9.4 | 0.0014 | good |
CVE-2026-26051 UPD | 1.9 | 9.4 | 0.0019 | good |
CVE-2026-27772 | 1.9 | 9.4 | 0.0020 | good |
CVE-2026-25851 | 1.9 | 9.4 | 0.0020 | good |
CVE-2026-20781 | 1.9 | 9.4 | 0.0020 | good |
CVE-2026-27028 | 1.9 | 9.4 | 0.0020 | good |
CVE-2026-27767 | 1.9 | 9.4 | 0.0020 | good |
CVE-2026-24731 | 1.9 | 9.4 | 0.0020 | good |
CVE-2026-28536 | 1.9 | 9.6 | 0.0004 | good |
CVE-2026-32042 | 1.8 | 8.8 | 0.0013 | good |
CVE-2025-30114 | 1.8 | 9.1 | 0.0003 | good |
CVE-2025-13914 | 1.7 | 8.7 | 0.0004 | good |
CVE-2026-38651 UPD | 1.6 | 8.2 | 0.0005 | good |
CVE-2026-32014 | 1.6 | 8.0 | 0.0003 | good |
CVE-2025-30142 | 1.6 | 8.1 | 0.0002 | good |
CVE-2026-28472 | 1.6 | 8.1 | 0.0006 | good |
CVE-2025-55292 | 1.6 | 8.2 | 0.0003 | good |
CVE-2025-62235 | 1.6 | 8.1 | 0.0005 | good |
CVE-2025-13455 | 1.6 | 7.8 | 0.0003 | good |