NIST 800-53 r5 · Controls catalogue · Family SC
SC-38 Operations Security
Employ the following operations security controls to protect key organizational information throughout the system development life cycle: [Assignment: organization-defined operations security controls].
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (2)
Weaknesses this control addresses (6)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 10,204 | Directly prevents exposure of critical organizational information by applying OPSEC processes across the SDLC. |
| CWE-798 | Use of Hard-coded Credentials | 1,955 | Makes hard-coded credentials less likely by requiring OPSEC treatment of authentication material as protected information throughout development. |
| CWE-532 | Insertion of Sensitive Information into Log File | 1,378 | Limits insertion of sensitive operational details into logs by treating such data as key information requiring protection. |
| CWE-312 | Cleartext Storage of Sensitive Information | 915 | Reduces cleartext storage of sensitive data when OPSEC identifies and mandates protection of key information artifacts. |
| CWE-548 | Exposure of Information Through Directory Listing | 54 | Reduces exposure via directory listings or accessible files when OPSEC restricts visibility of key organizational resources. |
| CWE-540 | Inclusion of Sensitive Information in Source Code | 29 | Prevents inclusion of sensitive information in source code and development artifacts through SDLC-wide OPSEC controls. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | | | | |