Cyber Posture

NIST 800-53 r5 · Controls catalogue · Family SC

SC-27 Platform-independent Applications

Include within organizational systems the following platform-independent applications: [Assignment: organization-defined platform-independent applications].

Last updated: 09 May 2026 03:25 UTC

Implementations targeting this control (0)

ATT&CK techniques this control mitigates (0)

Weaknesses this control addresses (7) AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

| CWE | Name | CVEs | Why this control addresses it |
| --- | --- | --- | --- |
| CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 14,126 | Managed runtimes used by platform-independent applications (e.g., JVM, CLR) enforce memory safety, preventing most buffer overflows that require direct memory manipulation. |
| CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | 6,832 | Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection. |
| CWE-120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | 5,064 | Platform-independent managed code eliminates the need for unchecked native buffer copies that are the root cause of classic buffer overflows. |
| CWE-284 | Improper Access Control | 4,832 | Sandboxing and security contexts provided by platform-independent runtimes add an enforceable access-control boundary that is independent of the host OS. |
| CWE-269 | Improper Privilege Management | 2,907 | The abstraction layer of platform-independent applications allows centralized privilege management inside the runtime rather than scattered OS-level calls. |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,824 | Platform-independent applications inherit runtime-enforced resource permissions instead of relying on error-prone native file or process permission assignments. |
| CWE-250 | Execution with Unnecessary Privileges | 305 | Runtimes for platform-independent applications commonly support configurable security managers or sandboxes that enforce least privilege by default. |

Top CVEs where this control is the strongest mitigation

CVE Risk CVSS EPSS Match
No CVEs annotated to this control yet — the per-CVE backfill is in progress.
