NIST 800-53 r5 · Controls catalogue · Family SA
SA-20 Customized Development of Critical Components
Reimplement or custom develop the following critical system components: {{ insert: param, sa-20_odp }}.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (5)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-829 | Inclusion of Functionality from Untrusted Control Sphere | 254 | Reimplementing critical components avoids pulling in functionality from untrusted external control spheres. |
| CWE-506 | Embedded Malicious Code | 80 | In-house development of critical components eliminates the attack surface of vendor-embedded malicious code. |
| CWE-912 | Hidden Functionality | 79 | Custom reimplementation prevents hidden functionality or backdoors that may exist in commercial or open-source components. |
| CWE-1104 | Use of Unmaintained Third Party Components | 19 | Custom development replaces unmaintained third-party components with internally controlled code for critical functions. |
| CWE-1242 | Inclusion of Undocumented Features or Chicken Bits | 14 | Developing critical components internally avoids undocumented features and chicken bits present in vendor hardware or software. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | | | | |