NIST 800-53 r5 · Controls catalogue · Family SA
SA-6 Software Usage Restrictions
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (5)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 10,204 | P2P usage restrictions directly reduce unauthorized external exposure of sensitive or copyrighted information. |
| CWE-552 | Files or Directories Accessible to External Parties | 540 | Explicit controls on peer-to-peer file sharing prevent files and directories from being made accessible to external parties without authorization. |
| CWE-829 | Inclusion of Functionality from Untrusted Control Sphere | 254 | Software usage restrictions limit inclusion of code obtained from untrusted or non-contracted control spheres. |
| CWE-506 | Embedded Malicious Code | 80 | Mandating only contract-approved software reduces the chance of introducing binaries that contain embedded malicious code. |
| CWE-1104 | Use of Unmaintained Third Party Components | 19 | License and contract compliance requirements can enforce use of only supported, maintained third-party components. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | | | | |