NIST 800-53 r5 · Controls catalogue · Family SA
SA-24Design For Cyber Resiliency
Design organizational systems, system components, or system services to achieve cyber resiliency by: Defining the following cyber resiliency goals: {{ insert: param, sa-24_odp.01 }}. Defining the following cyber resiliency objectives: {{ insert: param, sa-24_odp.02 }}. Defining the following cyber resiliency techniques: {{ insert: param, sa-24_odp.03 }}. Defining the following cyber resiliency implementation approaches: {{ insert: param, sa-24_odp.04 }}. Defining the following cyber resiliency design principles: {{ insert: param, sa-24_odp.05 }}. Implement the selected cyber resiliency goals, objectives, techniques, implementation approaches, and design principles as part of an organizational risk management process or systems security engineering process.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (8)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-284 | Improper Access Control | 4,832 | Resiliency goals and objectives routinely incorporate least-privilege and access-control maintenance under adverse conditions, reducing improper access control. |
CWE-400 | Uncontrolled Resource Consumption | 3,324 | Resiliency techniques such as redundancy, throttling, and adaptive response limit uncontrolled resource consumption and denial-of-service effects. |
CWE-693 | Protection Mechanism Failure | 476 | Mandates selection and application of resiliency techniques and implementation approaches that strengthen protection mechanisms against failure or bypass. |
CWE-703 | Improper Check or Handling of Exceptional Conditions | 146 | Cyber resiliency objectives explicitly include graceful handling of adverse conditions and exceptional states, reducing improper exception handling. |
CWE-653 | Improper Isolation or Compartmentalization | 52 | Common cyber resiliency techniques include compartmentalization and isolation to limit blast radius, directly addressing improper isolation. |
CWE-664 | Improper Control of a Resource Through its Lifetime | 39 | Requires designing resource lifetime controls that anticipate, withstand, and recover from stresses or attacks, mitigating improper resource control. |
CWE-691 | Insufficient Control Flow Management | 32 | Design principles and implementation approaches enforce robust control-flow management to maintain function and enable recovery after disruption. |
CWE-657 | Violation of Secure Design Principles | 19 | Explicitly requires defining and implementing cyber resiliency design principles as part of systems engineering, directly preventing violations of secure design principles. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | ||||