NIST 800-53 r5 · Controls catalogue · Family SC
SC-17 Public Key Infrastructure Certificates
Issue public key certificates under an {{ insert: param, sc-17_odp }} or obtain public key certificates from an approved service provider; and include only approved trust anchors in trust stores or certificate stores managed by the organization.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (2)
Weaknesses this control addresses (6)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-295 | Improper Certificate Validation | 1,586 | Mandates approved trust anchors and issuance policies, directly preventing acceptance of unvalidated or untrusted certificates. |
| CWE-347 | Improper Verification of Cryptographic Signature | 778 | PKI certificates under an approved policy require cryptographic signature verification on issuance and validation. |
| CWE-345 | Insufficient Verification of Data Authenticity | 643 | Use of approved PKI certificates provides verifiable data authenticity and origin for communications and artifacts. |
| CWE-321 | Use of Hard-coded Cryptographic Key | 277 | Approved PKI issuance and trust stores replace ad-hoc or hard-coded keys with properly managed, signed certificates. |
| CWE-297 | Improper Validation of Certificate with Host Mismatch | 53 | Approved PKI issuance and trust stores enforce full certificate validation steps, including name/hostname checks. |
| CWE-296 | Improper Following of a Certificate's Chain of Trust | 14 | Requires only approved trust anchors in stores, ensuring proper chain-of-trust validation rather than arbitrary or incomplete paths. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2026-20184 | 2.0 | 9.8 | 0.0007 | good |
| CVE-2025-67229 | 2.0 | 9.8 | 0.0002 | good |
| CVE-2026-1709 | 1.9 | 9.4 | 0.0003 | good |
| CVE-2025-15573 | 1.9 | 9.4 | 0.0001 | good |
| CVE-2024-11621 | 1.8 | 8.8 | 0.0016 | good |
| CVE-2025-70043 | 1.8 | 9.1 | 0.0002 | good |
| CVE-2026-25160 | 1.8 | 9.1 | 0.0001 | good |
| CVE-2025-15557 | 1.8 | 8.8 | 0.0001 | good |
| CVE-2025-30278 | 1.8 | 8.8 | 0.0012 | good |
| CVE-2025-30277 | 1.8 | 8.8 | 0.0012 | good |
| CVE-2024-41724 | 1.7 | 8.7 | 0.0008 | good |
| CVE-2025-67601 | 1.7 | 8.3 | 0.0001 | good |
| CVE-2024-40702 | 1.6 | 8.2 | 0.0009 | good |
| CVE-2023-24011 | 1.6 | 8.2 | 0.0012 | good |
| CVE-2026-4434 | 1.6 | 8.1 | 0.0003 | good |
| CVE-2025-1146 | 1.6 | 8.1 | 0.0015 | good |
| CVE-2025-1193 | 1.6 | 8.1 | 0.0025 | good |
| CVE-2024-47258 | 1.6 | 8.1 | 0.0006 | good |
| CVE-2026-4396 | 1.6 | 8.1 | 0.0004 | good |
| CVE-2026-30794 | 1.6 | 8.1 | 0.0004 | good |
| CVE-2026-27134 | 1.6 | 8.1 | 0.0002 | good |
| CVE-2025-71063 | 1.6 | 8.2 | 0.0002 | good |
| CVE-2026-21228 | 1.6 | 8.1 | 0.0009 | good |
| CVE-2025-9293 | 1.6 | 8.1 | 0.0001 | good |
| CVE-2026-1531 | 1.6 | 8.1 | 0.0001 | good |