NIST 800-53 r5 · Controls catalogue · Family SC
SC-2 Separation of System and User Functionality
Separate user functionality, including user interface services, from system management functionality.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (8)
- T1068 Exploitation for Privilege Escalation (Privilege Escalation)
- T1189 Drive-by Compromise (Initial Access)
- T1190 Exploit Public-Facing Application (Initial Access)
- T1203 Exploitation for Client Execution (Execution)
- T1210 Exploitation of Remote Services (Lateral Movement)
- T1211 Exploitation for Stealth (Stealth)
- T1212 Exploitation for Credential Access (Credential Access)
- T1611 Escape to Host (Privilege Escalation)
Weaknesses this control addresses (7) · AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-284 | Improper Access Control | 4,832 | Explicit separation implements access control boundaries between user interfaces and system management functionality. |
| CWE-269 | Improper Privilege Management | 2,907 | The control enforces proper privilege boundaries by ensuring user functionality cannot invoke or manage system-level privileges. |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,824 | Ensures critical system resources and functions receive permission assignments distinct from ordinary user resources. |
| CWE-668 | Exposure of Resource to Wrong Sphere | 779 | Prevents exposure of system management resources and functions into the user functionality sphere. |
| CWE-250 | Execution with Unnecessary Privileges | 305 | Separating user-facing code from system management functions directly prevents execution of privileged operations from untrusted user contexts. |
| CWE-1220 | Insufficient Granularity of Access Control | 79 | Provides the necessary granularity by placing system management functions outside the reach of user-level access controls. |
| CWE-653 | Improper Isolation or Compartmentalization | 52 | Directly requires isolation/compartmentalization of user services from system management functions. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2026-33334 | 1.9 | 9.6 | 0.0015 | good |
| CVE-2026-39911 | 1.8 | 8.8 | 0.0012 | good |
| CVE-2026-27952 | 1.8 | 8.8 | 0.0012 | good |
| CVE-2026-7064 | 1.5 | 7.3 | 0.0050 | good |
| CVE-2025-64127 | 2.5 | 10.0 | 0.0832 | good |
| CVE-2026-5853 | 2.0 | 9.8 | 0.0125 | good |
| CVE-2026-40317 | 1.9 | 9.3 | 0.0003 | good |
| CVE-2025-59252 | 1.9 | 9.3 | 0.0011 | good |
| CVE-2026-33336 | 1.8 | 8.8 | 0.0034 | good |
| CVE-2025-56098 | 1.8 | 8.8 | 0.0105 | partial |
| CVE-2025-24228 | 1.6 | 7.8 | 0.0011 | good |
| CVE-2025-0478 | 1.6 | 7.8 | 0.0006 | good |
| CVE-2024-44303 | 1.5 | 7.5 | 0.0009 | good |
| CVE-2025-24130 | 1.1 | 5.5 | 0.0005 | good |