NIST 800-53 r5 · Controls catalogue · Family SC

SC-13Cryptographic Protection

Determine the {{ insert: param, sc-13_odp.01 }} ; and Implement the following types of cryptography required for each specified cryptographic use: {{ insert: param, sc-13_odp.02 }}.

Last updated: 09 May 2026 03:25 UTC

Implementations targeting this control (0)

No implementations targeting this control yet.

ATT&CK techniques this control mitigates (5)

T1005 Data from Local System Collection
T1025 Data from Removable Media Collection
T1041 Exfiltration Over C2 Channel Exfiltration
T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol Exfiltration
T1557.004 Evil Twin Credential Access, Collection

Weaknesses this control addresses (6)AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE	Name	CVEs	Why this control addresses it
`CWE-319`	Cleartext Transmission of Sensitive Information	1,042	Requires cryptography for transmission uses, eliminating cleartext exposure of sensitive data in transit.
`CWE-327`	Use of a Broken or Risky Cryptographic Algorithm	736	Enforces approved cryptographic algorithms for each use case, blocking use of broken or risky algorithms.
`CWE-311`	Missing Encryption of Sensitive Data	552	Mandates encryption for specified data uses, directly preventing missing encryption of sensitive information.
`CWE-326`	Inadequate Encryption Strength	513	Specifies required cryptography types and parameters, preventing selection of inadequate encryption strength.
`CWE-328`	Use of Weak Hash	58	Requires appropriate hash functions for cryptographic uses, preventing reliance on weak hashes.
`CWE-1240`	Use of a Cryptographic Primitive with a Risky Implementation	16	Requires specific, validated cryptographic primitives, reducing use of risky or improperly implemented primitives.

Top CVEs where this control is the strongest mitigation

CVE	Risk	CVSS	EPSS	Match
`CVE-2024-4282`	2.0	9.8	0.0011	good
`CVE-2026-28252`	2.0	9.8	0.0003	good
`CVE-2026-22585`	2.0	9.8	0.0001	good
`CVE-2025-15385`	2.0	9.8	0.0004	good
`CVE-2024-58041`	1.8	9.1	0.0004	good
`CVE-2026-23687`	1.8	8.8	0.0002	good
`CVE-2019-25651`	1.7	8.3	0.0001	good
`CVE-2023-24012`	1.6	8.2	0.0012	good
`CVE-2026-28678`	1.6	8.1	0.0003	good
`CVE-2026-1529`	1.6	8.1	0.0001	good
`CVE-2024-51346`	1.5	7.7	0.0002	good
`CVE-2024-8603`	1.5	7.5	0.0006	good
`CVE-2024-54089`	1.5	7.5	0.0003	good
`CVE-2026-33488`	1.5	7.4	0.0004	good
`CVE-2024-38320`	1.2	5.9	0.0006	good
`CVE-2024-41763`	1.2	5.9	0.0005	good
`CVE-2024-45643`	1.2	5.9	0.0005	good
`CVE-2024-22347`	1.2	5.9	0.0002	good
`CVE-2025-64647`	1.2	5.9	0.0001	good
`CVE-2024-31896`	1.2	5.9	0.0009	good
`CVE-2025-13916`	1.2	5.9	0.0002	good
`CVE-2024-27256`	1.2	5.9	0.0009	good
`CVE-2025-22475`	0.8	3.7	0.0018	good
`CVE-2025-14611` KEV	7.5	9.8	0.5835	good
`CVE-2025-0477`	2.0	9.8	0.0143	good

Other controls in family SC

SC-1 SC-10 SC-11 SC-12 SC-14 SC-15 SC-16 SC-17 SC-18 SC-19 SC-2 SC-20 SC-21 SC-22 SC-23 SC-24 SC-25 SC-26 SC-27 SC-28 SC-29 SC-3 SC-30 SC-31 SC-32 SC-33 SC-34 SC-35 SC-36 SC-37 SC-38 SC-39 SC-4 SC-40 SC-41 SC-42 SC-43 SC-44 SC-45 SC-46 SC-47 SC-48 SC-49 SC-5 SC-50 SC-51 SC-6 SC-7 SC-8 SC-9