diff --git a/components/sudo.yml b/components/sudo.yml
index c0f7e382c02..752c426ef8e 100644
--- a/components/sudo.yml
+++ b/components/sudo.yml
@@ -32,5 +32,6 @@ rules:
 - sudoers_no_command_negation
 - sudoers_no_root_target
 - sudoers_validate_passwd
+- file_permissions_sudo
 templates:
 - sudo_defaults_option
diff --git a/controls/anssi.yml b/controls/anssi.yml
index ca8128ad36a..63cd826bd8a 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -886,6 +886,7 @@ controls:
   rules:
   - sudo_dedicated_group
   - var_sudo_dedicated_group=sudogrp
+  - file_permissions_sudo
 
 - id: R39
   title: Sudo configuration guidelines
diff --git a/linux_os/guide/system/software/sudo/file_permissions_sudo/rule.yml b/linux_os/guide/system/software/sudo/file_permissions_sudo/rule.yml
new file mode 100644
index 00000000000..b56e6c17aab
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/file_permissions_sudo/rule.yml
@@ -0,0 +1,24 @@
+documentation_complete: true
+
+title: 'Ensure That the sudo Binary Has the Correct Permissions'
+
+description: |-
+    {{{ describe_file_permissions("/usr/bin/sudo", "4111") | indent(4) }}}
+
+rationale: |-
+    The sudoers program should only be usable by people who have the correct permissions.
+
+identifiers:
+    cce@rhel7: CCE-86949-5
+    cce@rhel8: CCE-86950-3
+    cce@rhel9: CCE-86951-1
+
+severity: medium
+
+platform: package[sudo]
+
+template:
+    name: "file_permissions"
+    vars:
+        filepath: "/usr/bin/sudo"
+        filemode: '4111'
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 1659d4bd84a..8b7712fb422 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -400,9 +400,6 @@ CCE-86939-6
 CCE-86940-4
 CCE-86941-2
 CCE-86942-0
-CCE-86949-5
-CCE-86950-3
-CCE-86951-1
 CCE-86952-9
 CCE-86953-7
 CCE-86955-2
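Review bot: Attaching `file_permissions_sudo` to this control looks inconsistent with the control's existing rules: the surrounding `sudo_dedicated_group` and `var_sudo_dedicated_group=sudogrp` entries describe a control that restricts sudo to a dedicated group, while the new rule (see the rule.yml hunk in this same commit) pins the binary's mode to `4111`, which leaves sudo executable by every user. If this control's intent is group-restricted execution, a world-executable mode check reads as contradicting it rather than supporting it; either reference a rule whose mode removes the "other" execute bit (e.g. a group-restricted setuid mode) or add a comment on the added line explaining why `4111` is acceptable for this control, such as `  # mode check only; group restriction is enforced by sudo_dedicated_group`. The enclosing control entry (`- id: R38` and its title) starts above the hunk, so its stated requirement could not be verified from the diff alone.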
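Review bot: The `rationale` in the new rule.yml describes the wrong object and misses the actual risk: the rule checks the permissions of the `/usr/bin/sudo` binary, but the text talks about "the sudoers program" being "usable by people who have the correct permissions", which is neither what mode `4111` expresses (it is world-executable) nor why the mode matters. A more accurate rationale would be `The sudo binary runs setuid root; if its mode allows modification by anyone other than root, the binary can be replaced and the replacement would run with root privileges.`. Note also that the `file_permissions` template checks mode only, so a setuid binary owned by a non-root account would still pass; pairing this rule with the repository's `file_owner` / `file_groupowner` templates for `/usr/bin/sudo` (root/root) would close that gap, and the title could then be adjusted to say "Permissions and Ownership". As a point of style, the template vars mix quoting (`name: "file_permissions"`, `filepath: "/usr/bin/sudo"` double-quoted but `filemode: '4111'` single-quoted); pick one form, keeping the mode quoted so the leading zero-free octal is not retyped.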