NIST 800-53 r5 · Controls catalogue · Family SC
SC-29 Heterogeneity
Employ a diverse set of information technologies for the following system components in the implementation of the system: [Assignment: organization-defined system components].
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (5)
Weaknesses this control addresses (5)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-693 | Protection Mechanism Failure | 476 | Diverse technology stacks ensure a single protection mechanism failure (or exploit) does not cascade across all components. |
| CWE-829 | Inclusion of Functionality from Untrusted Control Sphere | 254 | Diversity of sources and implementations limits the blast radius when functionality is drawn from untrusted control spheres. |
| CWE-506 | Embedded Malicious Code | 80 | Embedding malicious code becomes far harder to achieve uniformly when components use heterogeneous languages, runtimes, and hardware. |
| CWE-1104 | Use of Unmaintained Third Party Components | 19 | Using multiple distinct technologies reduces systemic dependence on any single third-party component and its potential unmaintained vulnerabilities. |
| CWE-657 | Violation of Secure Design Principles | 19 | Directly implements the secure design principle of diversity, preventing homogeneous monocultures that share identical weaknesses. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | | | | |