NIST 800-53 r5 · Controls catalogue · Family SA
SA-12 Supply Chain Protection
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (8)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-798 | Use of Hard-coded Credentials | 1,955 | Supplier evaluation and secure acquisition practices make it harder for hard-coded credentials to be introduced via procured products. |
| CWE-321 | Use of Hard-coded Cryptographic Key | 277 | Supply chain protection includes scrutiny of cryptographic implementations, reducing hard-coded keys planted by untrusted vendors. |
| CWE-829 | Inclusion of Functionality from Untrusted Control Sphere | 254 | Requires use of trusted sources and provenance tracking, tangibly limiting inclusion of functionality from untrusted control spheres. |
| CWE-494 | Download of Code Without Integrity Check | 242 | Supply chain protection requires integrity verification of acquired components, directly reducing insertion or tampering of malicious code during delivery. |
| CWE-506 | Embedded Malicious Code | 80 | The control mandates vetting suppliers and tamper detection, making it harder for malicious code to be embedded by upstream providers. |
| CWE-912 | Hidden Functionality | 79 | Vetting and integrity controls during acquisition reduce the likelihood of hidden backdoors or malicious functionality introduced by suppliers. |
| CWE-1104 | Use of Unmaintained Third Party Components | 19 | Supply chain risk management includes supplier assessments that favor maintained and supported third-party components. |
| CWE-1242 | Inclusion of Undocumented Features or Chicken Bits | 14 | Requires transparency and verification of delivered components, limiting undocumented features or debug hooks introduced upstream. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2025-54313 (KEV) | 4.2 | 7.5 | 0.1162 | good |
| CVE-2026-26974 | 2.0 | 9.8 | 0.0003 | good |
| CVE-2026-34841 | 2.0 | 9.8 | 0.0003 | good |
| CVE-2026-33075 | 1.8 | 8.8 | 0.0002 | good |