Cyber Resilience

NIST 800-53 r5 · Controls catalogue · Family IA

IA-5 Authenticator Management

Manage system authenticators by:

- Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;
- Establishing initial authenticator content for any authenticators issued by the organization;
- Ensuring that authenticators have sufficient strength of mechanism for their intended use;
- Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;
- Changing default authenticators prior to first use;
- Changing or refreshing authenticators {{ insert: param, ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;
- Protecting authenticator content from unauthorized disclosure and modification;
- Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and
- Changing authenticators for group or role accounts when membership to those accounts changes.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: mostly · 54 mapping(s) from 3 framework(s): ASVS 5.0 47 (partial) · CSF 2.0 6 (mostly) · OWASP-Web 1 (partial)

Implementations targeting this control (0)

ATT&CK techniques this control mitigates (72)

Weaknesses this control addresses (8) · AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-798 | Use of Hard-coded Credentials | 2,013 | Changing default authenticators prior to first use and protecting content prevents use of hard-coded credentials. |
| CWE-522 | Insufficiently Protected Credentials | 1,559 | Protecting authenticator content from unauthorized disclosure and modification while requiring protective controls addresses insufficiently protected credentials. |
| CWE-640 | Weak Password Recovery Mechanism for Forgotten Password | 317 | Establishing procedures for lost or compromised authenticators addresses weak password recovery mechanisms. |
| CWE-521 | Weak Password Requirements | 308 | Ensuring authenticators have sufficient strength of mechanism for intended use addresses weak password requirements. |
| CWE-259 | Use of Hard-coded Password | 194 | Changing default authenticators prior to first use directly prevents use of hard-coded passwords. |
| CWE-1392 | Use of Default Credentials | 104 | Changing default authenticators prior to first use prevents use of default credentials. |
| CWE-1391 | Use of Weak Credentials | 51 | Ensuring sufficient strength of mechanism for authenticators prevents use of weak credentials. |
| CWE-1393 | Use of Default Password | 40 | Changing default authenticators prior to first use prevents use of default passwords. |

Top CVEs where this control is the strongest mitigation

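| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2026-20128 | KEV 10.0 | 7.5 | 0.0527 | good |
| CVE-2024-28987 | KEV 10.0 | 9.1 | 0.9316 | good |
| CVE-2024-20439 | KEV 10.0 | 9.8 | 0.9201 | good |
| CVE-2023-7028 | KEV 10.0 | 10.0 | 0.9496 | good |
| CVE-2023-6448 | KEV 10.0 | 9.8 | 0.0209 | good |
| CVE-2023-45249 | KEV 10.0 | 9.8 | 0.5353 | good |
| CVE-2022-28810 | KEV 10.0 | 6.8 | 0.7042 | good |
| CVE-2022-26138 | KEV 10.0 | 9.8 | 0.9817 | good |
| CVE-2021-44207 | KEV 10.0 | 8.1 | 0.1758 | good |
| CVE-2020-8657 | KEV 10.0 | 9.8 | 0.9187 | good |
| CVE-2014-1812 | KEV 10.0 | 8.8 | 0.6512 | good |
| CVE-2013-0632 | KEV 10.0 | 9.8 | 0.9369 | good |
| CVE-2025-58434 | 8.0 | 9.8 | 0.5012 | good |
| CVE-2022-1162 | 8.0 | 9.1 | 0.7618 | good |
| CVE-2024-12856 | 8.0 | 7.2 | 0.8219 | good |
| CVE-2023-22463 | 8.0 | 9.8 | 0.6967 | good |
| CVE-2023-5074 | 8.0 | 9.8 | 0.6791 | good |
| CVE-2023-5222 | 8.0 | 6.3 | 0.7470 | good |
| CVE-2023-28503 | 8.0 | 9.8 | 0.6214 | good |
| CVE-2025-67114 | 7.0 | 9.8 | 0.0052 | good |
| CVE-2026-28778 | 7.0 | 9.8 | 0.0085 | good |
| CVE-2026-29119 | 7.0 | 9.8 | 0.0049 | good |
| CVE-2026-22886 | 7.0 | 9.8 | 0.0040 | good |
| CVE-2026-28777 | 7.0 | 9.8 | 0.0049 | good |
| CVE-2026-28776 | 7.0 | 9.8 | 0.0048 | good |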
