NIST 800-53 r5 · Controls catalogue · Family SC
SC-41 Port and I/O Device Access
[Selection: Physically; Logically] disable or remove [Assignment: organization-defined connection ports or input/output devices] on the following systems or system components: [Assignment: organization-defined systems or system components].
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (5)
Weaknesses this control addresses (8)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-284 | Improper Access Control | 4,832 | Disabling or removing ports and I/O devices directly enforces hardware-level access control by eliminating entry points. |
| CWE-923 | Improper Restriction of Communication Channel to Intended Endpoints | 57 | Restricts communication channels to only intended endpoints by eliminating unnecessary ports and devices. |
| CWE-300 | Channel Accessible by Non-Endpoint | 53 | Eliminates channels that could be accessed by non-endpoint actors through disabled ports and devices. |
| CWE-420 | Unprotected Alternate Channel | 37 | Removes or disables unprotected alternate I/O channels that could otherwise be used to bypass primary controls. |
| CWE-1191 | On-Chip Debug and Test Interface With Improper Access Control | 20 | Directly mitigates exposure of on-chip debug and test interfaces by disabling or removing them. |
| CWE-1263 | Improper Physical Access Control | 13 | Reduces physical access attack surface by disabling physical ports and I/O devices. |
| CWE-1244 | Internal Asset Exposed to Unsafe Debug Access Level or State | 11 | Prevents internal assets from being exposed through debug or test access levels by removing those interfaces. |
| CWE-1299 | Missing Protection Mechanism for Alternate Hardware Interface | 11 | Provides protection for alternate hardware interfaces by disabling them when not required. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2026-30704 | 1.8 | 9.1 | 0.0006 | good |
| CVE-2024-48123 | 1.7 | 8.4 | 0.0006 | good |
| CVE-2026-29093 | 1.6 | 8.1 | 0.0004 | good |
| CVE-2024-55407 | 1.6 | 7.8 | 0.0007 | good |
| CVE-2024-55412 | 1.6 | 7.8 | 0.0002 | good |
| CVE-2026-25086 | 1.5 | 7.7 | 0.0002 | good |
| CVE-2025-30113 | 2.0 | 9.8 | 0.0011 | good |
| CVE-2025-54304 | 2.0 | 9.8 | 0.0008 | good |
| CVE-2026-25807 | 1.8 | 8.8 | 0.0014 | good |
| CVE-2026-27182 | 1.7 | 8.4 | 0.0013 | good |
| CVE-2025-55221 | 1.7 | 8.6 | 0.0007 | good |
| CVE-2024-55413 | 1.6 | 7.8 | 0.0002 | good |
| CVE-2025-30141 | 1.5 | 7.5 | 0.0025 | good |
| CVE-2025-59403 | 2.1 | 9.8 | 0.0275 | good |
| CVE-2026-2038 | 2.0 | 9.8 | 0.0036 | good |
| CVE-2026-26333 | 2.0 | 9.8 | 0.0020 | good |
| CVE-2025-30137 | 2.0 | 9.8 | 0.0025 | good |
| CVE-2026-6264 | 2.0 | 9.8 | 0.0010 | good |
| CVE-2025-66602 | 2.0 | 9.8 | 0.0006 | good |
| CVE-2022-50925 | 2.0 | 9.8 | 0.0003 | good |
| CVE-2025-34202 | 1.8 | 8.8 | 0.0050 | good |
| CVE-2024-45561 | 1.6 | 7.8 | 0.0011 | partial |
| CVE-2026-23447 | 1.6 | 7.8 | 0.0001 | partial |
| CVE-2026-22163 | 1.6 | 7.8 | 0.0001 | partial |
| CVE-2022-49291 | 1.6 | 7.8 | 0.0002 | partial |