NIST 800-53 r5 · Controls catalogue · Family SA

SA-8Security and Privacy Engineering Principles

Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: {{ insert: param, sa-8_prm_1 }}.

Last updated: 09 May 2026 03:25 UTC

Implementations targeting this control (0)

No implementations targeting this control yet.

ATT&CK techniques this control mitigates (20)

T1005 Data from Local System Collection
T1025 Data from Removable Media Collection
T1041 Exfiltration Over C2 Channel Exfiltration
T1048 Exfiltration Over Alternative Protocol Exfiltration
T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol Exfiltration
T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol Exfiltration
T1052 Exfiltration Over Physical Medium Exfiltration
T1052.001 Exfiltration over USB Exfiltration
T1078 Valid Accounts Stealth, Persistence, Privilege Escalation, Initial Access
T1078.001 Default Accounts Stealth, Persistence, Privilege Escalation, Initial Access
T1078.003 Local Accounts Stealth, Persistence, Privilege Escalation, Initial Access
T1078.004 Cloud Accounts Stealth, Persistence, Privilege Escalation, Initial Access
T1134.005 SID-History Injection Stealth, Privilege Escalation
T1190 Exploit Public-Facing Application Initial Access
T1213.003 Code Repositories Collection
T1482 Domain Trust Discovery Discovery
T1559.003 XPC Services Execution
T1567 Exfiltration Over Web Service Exfiltration
T1574.001 DLL Stealth, Execution
T1647 Plist File Modification Defense Impairment

Weaknesses this control addresses (9)AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE	Name	CVEs	Why this control addresses it
`CWE-284`	Improper Access Control	4,832	Complete-mediation and least-privilege principles ensure proper access-control design and enforcement.
`CWE-269`	Improper Privilege Management	2,907	Least-privilege and separation-of-duties principles prevent improper privilege management.
`CWE-306`	Missing Authentication for Critical Function	2,567	Complete-mediation principle requires authentication for critical functions.
`CWE-732`	Incorrect Permission Assignment for Critical Resource	1,824	Permission-assignment and least-privilege principles prevent incorrect critical-resource permissions.
`CWE-693`	Protection Mechanism Failure	476	Engineering principles ensure protection mechanisms are correctly specified and implemented.
`CWE-250`	Execution with Unnecessary Privileges	305	Least-privilege engineering principle directly reduces execution with unnecessary privileges.
`CWE-653`	Improper Isolation or Compartmentalization	52	Separation-of-privilege and least-common-mechanism principles enforce proper isolation.
`CWE-636`	Not Failing Securely ('Failing Open')	27	Fail-safe-defaults principle prevents systems from failing open.
`CWE-657`	Violation of Secure Design Principles	19	Control explicitly requires application of secure design principles throughout the lifecycle.

Top CVEs where this control is the strongest mitigation

CVE	Risk	CVSS	EPSS	Match
`CVE-2025-30123`	2.0	9.8	0.0011	good
`CVE-2025-8857`	2.0	9.8	0.0015	good
`CVE-2025-1242`	1.8	9.1	0.0004	good
`CVE-2025-54550`	1.6	8.1	0.0006	good
`CVE-2026-1221`	2.0	9.8	0.0013	good
`CVE-2025-27674`	2.0	9.8	0.0051	good
`CVE-2025-59407`	2.0	9.8	0.0012	partial
`CVE-2026-40315`	2.0	9.8	0.0004	good
`CVE-2026-34934`	2.0	9.8	0.0002	good
`CVE-2025-10681`	1.7	8.6	0.0006	good
`CVE-2026-26742`	1.6	8.1	0.0005	good

Other controls in family SA

SA-1 SA-10 SA-11 SA-12 SA-13 SA-14 SA-15 SA-16 SA-17 SA-18 SA-19 SA-2 SA-20 SA-21 SA-22 SA-23 SA-24 SA-3 SA-4 SA-5 SA-6 SA-7 SA-9