NIST 800-53 r5 · Controls catalogue · Family SC

SC-1Policy and Procedures

Develop, document, and disseminate to {{ insert: param, sc-1_prm_1 }}: {{ insert: param, sc-01_odp.03 }} system and communications protection policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and Procedures to facilitate the implementation of the system and communications protection policy and the associated system and communications protection controls; Designate an {{ insert: param, sc-01_odp.04 }} to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and Review and update the current system and communications protection: Policy {{ insert: param, sc-01_odp.05 }} and following {{ insert: param, sc-01_odp.06 }} ; and Procedures {{ insert: param, sc-01_odp.07 }} and following {{ insert: param, sc-01_odp.08 }}.

Last updated: 09 May 2026 03:25 UTC

Implementations targeting this control (0)

No implementations targeting this control yet.

ATT&CK techniques this control mitigates (0)

No ATT&CK techniques mapped to this control yet.

Weaknesses this control addresses (3)AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE	Name	CVEs	Why this control addresses it
`CWE-284`	Improper Access Control	4,832	Establishes organizational policy defining roles, responsibilities, and compliance for system and communications protection, tangibly strengthening access control enforcement.
`CWE-693`	Protection Mechanism Failure	476	Requires procedures that facilitate consistent implementation and periodic review of protection controls, making failure of those mechanisms less likely.
`CWE-657`	Violation of Secure Design Principles	19	Mandates documented policies consistent with secure design principles, standards, and guidelines, directly reducing violations from undefined or ad-hoc protection approaches.

Top CVEs where this control is the strongest mitigation

CVE	Risk	CVSS	EPSS	Match
No CVEs annotated to this control yet — the per-CVE backfill is in progress.

Other controls in family SC

SC-10 SC-11 SC-12 SC-13 SC-14 SC-15 SC-16 SC-17 SC-18 SC-19 SC-2 SC-20 SC-21 SC-22 SC-23 SC-24 SC-25 SC-26 SC-27 SC-28 SC-29 SC-3 SC-30 SC-31 SC-32 SC-33 SC-34 SC-35 SC-36 SC-37 SC-38 SC-39 SC-4 SC-40 SC-41 SC-42 SC-43 SC-44 SC-45 SC-46 SC-47 SC-48 SC-49 SC-5 SC-50 SC-51 SC-6 SC-7 SC-8 SC-9