NIST 800-53 r5 · Controls catalogue · Family SA
SA-10 Developer Configuration Management
Require the developer of the system, system component, or system service to:
- Perform configuration management during system, component, or service {{ insert: param, sa-10_odp.01 }};
- Document, manage, and control the integrity of changes to {{ insert: param, sa-10_odp.02 }};
- Implement only organization-approved changes to the system, component, or service;
- Document approved changes to the system, component, or service and the potential security and privacy impacts of such changes; and
- Track security flaws and flaw resolution within the system, component, or service and report findings to {{ insert: param, sa-10_odp.03 }}.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (27)
- T1072 Software Deployment Tools · Execution, Lateral Movement
- T1078 Valid Accounts · Stealth, Persistence, Privilege Escalation, Initial Access
- T1078.001 Default Accounts · Stealth, Persistence, Privilege Escalation, Initial Access
- T1078.003 Local Accounts · Stealth, Persistence, Privilege Escalation, Initial Access
- T1078.004 Cloud Accounts · Stealth, Persistence, Privilege Escalation, Initial Access
- T1195.001 Compromise Software Dependencies and Development Tools · Initial Access
- T1195.003 Compromise Hardware Supply Chain · Initial Access
- T1213.003 Code Repositories · Collection
- T1495 Firmware Corruption · Impact
- T1505 Server Software Component · Persistence
- T1505.001 SQL Stored Procedures · Persistence
- T1505.002 Transport Agent · Persistence
- T1505.004 IIS Components · Persistence
- T1542 Pre-OS Boot · Stealth, Persistence
- T1542.001 System Firmware · Stealth, Persistence
- T1542.003 Bootkit · Stealth, Persistence
- T1542.004 ROMMONkit · Stealth, Persistence
- T1542.005 TFTP Boot · Stealth, Persistence
- T1553 Subvert Trust Controls · Defense Impairment
- T1553.006 Code Signing Policy Modification · Defense Impairment
- T1559.003 XPC Services · Execution
- T1564.009 Resource Forking · Stealth
- T1574.001 DLL · Stealth, Execution
- T1601 Modify System Image · Defense Impairment
- T1601.001 Patch System Image · Defense Impairment
- T1601.002 Downgrade System Image · Defense Impairment
- T1647 Plist File Modification · Defense Impairment
Weaknesses this control addresses (5)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-494 | Download of Code Without Integrity Check | 242 | Mandating integrity control and approved-only changes during development prevents incorporation of code or components lacking integrity validation. |
| CWE-506 | Embedded Malicious Code | 80 | Requiring documented, approved changes plus security flaw tracking makes undetected insertion of malicious code substantially harder. |
| CWE-912 | Hidden Functionality | 79 | Change control, approval gates, and flaw tracking force hidden functionality to be either documented or discovered and removed. |
| CWE-353 | Missing Support for Integrity Check | 37 | Requiring control over the integrity of all changes directly compels developers to implement integrity verification mechanisms rather than omitting them. |
| CWE-1104 | Use of Unmaintained Third Party Components | 19 | Configuration management and explicit tracking of security flaws require identification and remediation of unmaintained or vulnerable third-party components. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2025-54594 | 1.8 | 9.1 | 0.0011 | good |
| CVE-2025-15617 | 1.3 | 6.5 | 0.0003 | good |
| CVE-2026-39866 | 1.8 | 8.8 | 0.0018 | partial |
| CVE-2025-54428 | 2.0 | 9.8 | 0.0010 | partial |
| CVE-2026-40313 | 1.8 | 9.1 | 0.0004 | partial |
| CVE-2026-29075 | 1.7 | 8.3 | 0.0013 | good |