NIST 800-53 r5 · Controls catalogue · Family SA
SA-19 Component Authenticity
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (7)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-295 | Improper Certificate Validation | 1,586 | When certificates are used to establish component provenance, the control requires correct certificate validation procedures. |
| CWE-347 | Improper Verification of Cryptographic Signature | 778 | Component authenticity commonly depends on cryptographic signatures; the control enforces proper verification of those signatures. |
| CWE-829 | Inclusion of Functionality from Untrusted Control Sphere | 254 | Mandates acquisition only from trusted suppliers and verified authentic sources, reducing inclusion of functionality from untrusted control spheres. |
| CWE-494 | Download of Code Without Integrity Check | 242 | Component authenticity requires verifying origin/integrity of acquired firmware or software, directly preventing inclusion of code without integrity checks. |
| CWE-506 | Embedded Malicious Code | 80 | Authenticity verification and anti-counterfeit procedures detect and block components that may contain embedded malicious code or backdoors. |
| CWE-353 | Missing Support for Integrity Check | 37 | Explicitly requires support for integrity and authenticity checks on components before acceptance into the system. |
| CWE-1104 | Use of Unmaintained Third Party Components | 19 | Requires use of trusted, maintained suppliers and configuration control, making use of unmaintained third-party components far less likely. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2026-24062 | 1.6 | 7.8 | 0.0001 | good |
| CVE-2025-27607 | 3.1 | 8.8 | 0.2176 | good |
| CVE-2010-20103 | 7.1 | 9.8 | 0.8508 | good |
| CVE-2025-0928 | 1.9 | 8.8 | 0.0232 | good |
| CVE-2024-7344 | 1.7 | 8.2 | 0.0039 | good |