NIST 800-53 r5 · Controls catalogue · Family SA
SA-2 Allocation of Resources
- Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning;
- Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and
- Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (3) AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-693 | Protection Mechanism Failure | 476 | Mandates documented allocation of resources to protection requirements, reducing the likelihood that protection mechanisms are underfunded, omitted, or inadequately maintained. |
| CWE-1104 | Use of Unmaintained Third Party Components | 19 | Dedicated security line items in budgets enable ongoing maintenance, patching, and replacement of third-party components that would otherwise be left unmaintained due to lack of allocated resources. |
| CWE-657 | Violation of Secure Design Principles | 19 | Explicitly requires security/privacy to be incorporated into mission/business process planning and capital budgeting, directly countering violations of secure design principles that occur when security is treated as an afterthought. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | | | | |