Cyber Resilience

NIST 800-53 r5 · Controls catalogue · Family IA

IA-8Identification and Authentication (Non-organizational Users)

Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: mostly · 4 mapping(s) from 2 framework(s): CSF 2.0 2 (mostly) · ASVS 5.0 2 (partial)

See the full cumulative-coverage rollup →

Implementations targeting this control (0)

ATT&CK techniques this control mitigates (22)

Weaknesses this control addresses (6)AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE Name CVEs Why this control addresses it
CWE-287Improper Authentication4,908Mandates unique identification and authentication of non-organizational users, directly mitigating improper authentication.
CWE-306Missing Authentication for Critical Function2,820Requires authentication for non-organizational users, preventing access to critical functions without proper identification and authentication.
CWE-290Authentication Bypass by Spoofing698Unique identification of non-organizational users reduces the feasibility of authentication bypass by spoofing.
CWE-288Authentication Bypass Using an Alternate Path or Channel592Enforces authentication for non-organizational users, making it harder to bypass via alternate paths or channels.
CWE-302Authentication Bypass by Assumed-Immutable Data38Proper authentication for non-organizational users counters bypasses relying on assumed-immutable data.
CWE-304Missing Critical Step in Authentication34Ensures the authentication process is followed for non-organizational users, avoiding missing critical steps.

Top CVEs where this control is the strongest mitigation

CVE Risk CVSS EPSS Match
CVE-2026-42527.09.80.0126good
CVE-2025-699857.09.80.0563good
CVE-2026-222367.09.80.0047good
CVE-2025-16717.09.80.0052good
CVE-2025-16387.09.80.0059good
CVE-2022-34777.09.80.0355good
CVE-2026-37945.57.30.0065good
CVE-2026-277075.57.30.0051good
CVE-2025-577135.57.50.0051good
CVE-2026-31923.55.60.0056good
CVE-2022-23227 KEV10.09.80.4943good
CVE-2022-21587 KEV10.09.80.9834good
CVE-2021-44077 KEV10.09.80.9351good
CVE-2020-13927 KEV10.09.80.9970good
CVE-2019-7481 KEV10.07.50.9991good
CVE-2017-7921 KEV10.09.81.0000good
CVE-2026-35273 KEV10.09.80.9233good
CVE-2024-39891 KEV10.05.30.0148good
CVE-2023-281218.09.80.8692good
CVE-2023-322438.09.80.7595good
CVE-2023-219318.07.50.8226good
CVE-2024-2862 UPD8.09.10.5100good
CVE-2024-90618.07.30.5132good
CVE-2026-307847.09.80.0065good
CVE-2026-13587.09.80.0121good

Other controls in family IA

IA-1 IA-10 IA-11 IA-12 IA-13 IA-2 IA-3 IA-4 IA-5 IA-6 IA-7 IA-9