NIST 800-53 r5 · Controls catalogue · Family SC
SC-42 Sensor Capability and Data
Prohibit {{ insert: param, sc-42_odp.01 }}; and provide an explicit indication of sensor use to {{ insert: param, sc-42_odp.05 }}.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (4)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 10,204 | Requiring explicit sensor-use indication and prohibiting selected capabilities directly reduces covert collection and exposure of sensitive data captured by device sensors. |
| CWE-284 | Improper Access Control | 4,832 | Prohibiting specific sensor capabilities implements an access-control policy on hardware resources that would otherwise be freely usable by unauthorized software. |
| CWE-668 | Exposure of Resource to Wrong Sphere | 779 | By restricting sensor activation and surfacing its use, the control prevents sensor data from being transferred into an unintended sphere (e.g., attacker-controlled processes or remote exfiltration). |
| CWE-359 | Exposure of Private Personal Information to an Unauthorized Actor | 174 | Mandatory user notification of sensor activation makes surreptitious capture of private personal information (camera, microphone, location, etc.) substantially harder to perform without detection. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2025-69515 | 1.8 | 9.1 | 0.0005 | good |