NIST 800-53 r5 · Controls catalogue · Family SA
SA-13Trustworthiness
Trustworthiness
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (7)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-798 | Use of Hard-coded Credentials | 1,955 | Reduces hard-coded credentials by requiring that trustworthiness evidence includes absence of embedded secrets that bypass normal authentication. |
CWE-829 | Inclusion of Functionality from Untrusted Control Sphere | 254 | Limits inclusion of functionality from untrusted sources through supply-chain and component trustworthiness evaluation before integration. |
CWE-494 | Download of Code Without Integrity Check | 242 | Reduces exposure to code obtained without integrity verification by requiring assurance processes that confirm authenticity and absence of tampering. |
CWE-506 | Embedded Malicious Code | 80 | Directly reduces risk of embedded malicious code by requiring verification that acquired or developed components perform only as specified without hidden malicious behavior. |
CWE-912 | Hidden Functionality | 79 | Addresses hidden functionality by mandating evidence that the system or component contains no undocumented or unauthorized capabilities that could be exploited. |
CWE-1104 | Use of Unmaintained Third Party Components | 19 | Makes use of unmaintained third-party components less likely by requiring ongoing trustworthiness assessment of dependencies and suppliers. |
CWE-1242 | Inclusion of Undocumented Features or Chicken Bits | 14 | Discourages undocumented features or chicken bits by demanding transparency and verification that only intended, documented behavior is present. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | ||||