NIST 800-53 r5 · Controls catalogue · Family RA
RA-9 Criticality Analysis
Identify critical system components and functions by performing a criticality analysis for {{ insert: param, ra-09_odp.01 }} at {{ insert: param, ra-09_odp.02 }}.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (12)
- T1195.003 Compromise Hardware Supply Chain (Initial Access)
- T1495 Firmware Corruption (Impact)
- T1542 Pre-OS Boot (Stealth, Persistence)
- T1542.001 System Firmware (Stealth, Persistence)
- T1542.003 Bootkit (Stealth, Persistence)
- T1542.004 ROMMONkit (Stealth, Persistence)
- T1542.005 TFTP Boot (Stealth, Persistence)
- T1553 Subvert Trust Controls (Defense Impairment)
- T1553.006 Code Signing Policy Modification (Defense Impairment)
- T1601 Modify System Image (Defense Impairment)
- T1601.001 Patch System Image (Defense Impairment)
- T1601.002 Downgrade System Image (Defense Impairment)
Weaknesses this control addresses (6)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-862 | Missing Authorization | 8,680 | Criticality analysis highlights functions that must be protected by authorization checks, mitigating missing authorization on those paths. |
| CWE-284 | Improper Access Control | 4,832 | Criticality analysis identifies components/functions requiring strict access control enforcement, directly reducing improper access control exposure. |
| CWE-863 | Incorrect Authorization | 3,234 | By surfacing critical resources and functions, the control drives correct authorization logic instead of incorrect authorization decisions. |
| CWE-306 | Missing Authentication for Critical Function | 2,567 | Explicit identification of critical functions enables targeted authentication requirements, preventing missing authentication for those functions. |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,824 | The analysis directly locates critical resources so that permission assignments can be made correctly rather than left incorrect or default. |
| CWE-250 | Execution with Unnecessary Privileges | 305 | Knowing which functions and components are critical supports application of least privilege, reducing execution with unnecessary privileges. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | | | | |