NIST 800-53 r5 · Controls catalogue · Family SA
SA-14 Criticality Analysis
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (9)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-862 | Missing Authorization | 8,680 | Criticality analysis reveals functions that must be protected by authorization checks, making missing-authorization weaknesses far less likely to affect high-value operations. |
| CWE-284 | Improper Access Control | 4,832 | The analysis highlights critical resources that require strong access-control enforcement, thereby reducing the chance that improper access control will be present on those resources. |
| CWE-269 | Improper Privilege Management | 2,907 | By determining which components are critical, the analysis drives proper privilege assignment and management for those components, limiting attacker escalation paths. |
| CWE-306 | Missing Authentication for Critical Function | 2,567 | Explicit identification of critical functions enables organizations to ensure authentication is applied exactly where it is most needed, preventing missing authentication for those functions. |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,824 | The control directly supports correct permission assignment by first determining which resources are critical, thereby lowering the likelihood of insecure permissions on those resources. |
| CWE-285 | Improper Authorization | 1,230 | Criticality analysis identifies functions whose authorization decisions must be correct, making improper authorization flaws less likely to remain exploitable in those areas. |
| CWE-250 | Execution with Unnecessary Privileges | 305 | Criticality analysis identifies high-impact functions so that unnecessary privileges can be removed from them, directly reducing the exploitability of excessive-privilege weaknesses. |
| CWE-653 | Improper Isolation or Compartmentalization | 52 | Criticality analysis informs isolation and compartmentalization decisions for high-value components, reducing the attack surface that an adversary can reach after an initial compromise. |
| CWE-272 | Least Privilege Violation | 25 | Criticality analysis supplies the information needed to enforce least privilege on the most important system elements, making violations of that principle less likely to exist in high-value targets. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | | | | |