NIST 800-53 r5 · Controls catalogue · Family PM
PM-5System Inventory
Develop and update {{ insert: param, pm-05_odp }} an inventory of organizational systems.
Last updated: 19 May 2026 20:20 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (6)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 10,260 | Inventory identifies all systems holding or processing data, enabling detection of unauthorized exposure paths before exploitation. |
CWE-862 | Missing Authorization | 8,799 | An authoritative inventory ensures no organizational system is omitted from authorization enforcement checks. |
CWE-284 | Improper Access Control | 4,907 | Complete system listing is a prerequisite for applying and verifying access controls across the entire organizational boundary. |
CWE-306 | Missing Authentication for Critical Function | 2,602 | Knowing every system allows confirmation that critical functions are not left without required authentication mechanisms. |
CWE-668 | Exposure of Resource to Wrong Sphere | 789 | Asset tracking reveals resources that have inadvertently entered an unintended security sphere, permitting corrective isolation. |
CWE-552 | Files or Directories Accessible to External Parties | 551 | Enumerating systems surfaces externally reachable resources that would otherwise remain unmonitored and accessible. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | ||||