NIST 800-53 r5 · Controls catalogue · Family SC

SC-15Collaborative Computing Devices and Applications

Prohibit remote activation of collaborative computing devices and applications with the following exceptions: {{ insert: param, sc-15_odp }} ; and Provide an explicit indication of use to users physically present at the devices.

Last updated: 09 May 2026 03:25 UTC

Implementations targeting this control (0)

No implementations targeting this control yet.

ATT&CK techniques this control mitigates (0)

No ATT&CK techniques mapped to this control yet.

Weaknesses this control addresses (8)AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE	Name	CVEs	Why this control addresses it
`CWE-200`	Exposure of Sensitive Information to an Unauthorized Actor	10,204	Prevents covert remote capture and exposure of audio/video streams to unauthorized actors.
`CWE-862`	Missing Authorization	8,680	Eliminates missing authorization checks for activating devices that can capture sensitive information.
`CWE-284`	Improper Access Control	4,832	Directly enforces access control by prohibiting unauthorized remote activation of cameras, mics, and similar devices.
`CWE-306`	Missing Authentication for Critical Function	2,567	Treats remote activation of surveillance-capable devices as a critical function that must be disabled or authenticated.
`CWE-732`	Incorrect Permission Assignment for Critical Resource	1,824	Forces correct permission settings on device resources so remote parties cannot activate them.
`CWE-285`	Improper Authorization	1,230	Requires explicit authorization decisions before any remote activation of collaborative hardware or apps.
`CWE-359`	Exposure of Private Personal Information to an Unauthorized Actor	174	Blocks unauthorized remote access that would expose private personal information via collaborative devices.
`CWE-356`	Product UI does not Warn User of Unsafe Actions	32	Mandates explicit user-visible indication, directly countering absence of warnings for device activation.

Top CVEs where this control is the strongest mitigation

CVE	Risk	CVSS	EPSS	Match
`CVE-2022-50925`	2.0	9.8	0.0003	good
`CVE-2025-23025`	1.9	9.0	0.0219	good

Other controls in family SC

SC-1 SC-10 SC-11 SC-12 SC-13 SC-14 SC-16 SC-17 SC-18 SC-19 SC-2 SC-20 SC-21 SC-22 SC-23 SC-24 SC-25 SC-26 SC-27 SC-28 SC-29 SC-3 SC-30 SC-31 SC-32 SC-33 SC-34 SC-35 SC-36 SC-37 SC-38 SC-39 SC-4 SC-40 SC-41 SC-42 SC-43 SC-44 SC-45 SC-46 SC-47 SC-48 SC-49 SC-5 SC-50 SC-51 SC-6 SC-7 SC-8 SC-9