NIST 800-53 r5 · Controls catalogue · Family IA
IA-8Identification and Authentication (Non-organizational Users)
Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.
Last updated: 19 May 2026 14:18 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (22)
- T1053 Scheduled Task/Job Execution, Persistence, Privilege Escalation
- T1053.007 Container Orchestration Job Execution, Persistence, Privilege Escalation
- T1059 Command and Scripting Interpreter Execution
- T1059.001 PowerShell Execution
- T1059.008 Network Device CLI Execution
- T1087.004 Cloud Account Discovery
- T1190 Exploit Public-Facing Application Initial Access
- T1210 Exploitation of Remote Services Lateral Movement
- T1213 Data from Information Repositories Collection
- T1213.001 Confluence Collection
- T1213.002 Sharepoint Collection
- T1213.004 Customer Relationship Management Software Collection
- T1213.005 Messaging Applications Collection
- T1528 Steal Application Access Token Credential Access
- T1530 Data from Cloud Storage Collection
- T1537 Transfer Data to Cloud Account Exfiltration
- T1538 Cloud Service Dashboard Discovery
- T1542 Pre-OS Boot Stealth, Persistence
- T1542.001 System Firmware Stealth, Persistence
- T1542.003 Bootkit Stealth, Persistence
- T1542.005 TFTP Boot Stealth, Persistence
- T1547.006 Kernel Modules and Extensions Persistence, Privilege Escalation
Weaknesses this control addresses (6)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-287 | Improper Authentication | 4,757 | Mandates unique identification and authentication of non-organizational users, directly mitigating improper authentication. |
CWE-306 | Missing Authentication for Critical Function | 2,600 | Requires authentication for non-organizational users, preventing access to critical functions without proper identification and authentication. |
CWE-290 | Authentication Bypass by Spoofing | 642 | Unique identification of non-organizational users reduces the feasibility of authentication bypass by spoofing. |
CWE-288 | Authentication Bypass Using an Alternate Path or Channel | 534 | Enforces authentication for non-organizational users, making it harder to bypass via alternate paths or channels. |
CWE-302 | Authentication Bypass by Assumed-Immutable Data | 35 | Proper authentication for non-organizational users counters bypasses relying on assumed-immutable data. |
CWE-304 | Missing Critical Step in Authentication | 32 | Ensures the authentication process is followed for non-organizational users, avoiding missing critical steps. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
CVE-2025-69985 | 2.2 | 9.8 | 0.0469 | good |
CVE-2026-4252 | 2.0 | 9.8 | 0.0037 | good |
CVE-2026-22236 | 2.0 | 9.8 | 0.0023 | good |
CVE-2025-1671 | 2.0 | 9.8 | 0.0019 | good |
CVE-2025-1638 | 2.0 | 9.8 | 0.0003 | good |
CVE-2026-3794 | 1.5 | 7.3 | 0.0014 | good |
CVE-2026-27707 | 1.5 | 7.3 | 0.0011 | good |
CVE-2025-57713 | 1.5 | 7.5 | 0.0008 | good |
CVE-2026-3192 | 1.1 | 5.6 | 0.0028 | good |
CVE-2012-10030 | 5.6 | 9.8 | 0.6098 | good |
CVE-2024-53944 | 3.0 | 9.8 | 0.1724 | good |
CVE-2025-40552 | 2.5 | 9.8 | 0.0855 | good |
CVE-2024-57725 | 2.2 | 6.5 | 0.1501 | good |
CVE-2025-21355 | 2.1 | 8.6 | 0.0696 | good |
CVE-2024-54805 | 2.1 | 9.8 | 0.0170 | good |
CVE-2021-47728 | 2.1 | 9.8 | 0.0162 | good |
CVE-2026-30784 | 2.0 | 9.8 | 0.0041 | good |
CVE-2026-1358 | 2.0 | 9.8 | 0.0010 | good |
CVE-2026-2096 | 2.0 | 9.8 | 0.0031 | good |
CVE-2025-0680 | 2.0 | 9.8 | 0.0081 | good |
CVE-2026-7204 | 2.0 | 9.8 | 0.0125 | good |
CVE-2025-58083 | 2.0 | 10.0 | 0.0008 | good |
CVE-2024-12857 | 2.0 | 9.8 | 0.0062 | good |
CVE-2026-22898 | 2.0 | 9.8 | 0.0045 | good |
CVE-2025-12868 | 2.0 | 9.8 | 0.0028 | good |