NIST 800-53 r5 · Controls catalogue · Family SC
SC-51Hardware-based Protection
Employ hardware-based, write-protect for {{ insert: param, sc-51_odp.01 }} ; and Implement specific procedures for {{ insert: param, sc-51_odp.02 }} to manually disable hardware write-protect for firmware modifications and re-enable the write-protect prior to returning to operational mode.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (6)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-862 | Missing Authorization | 8,680 | Eliminates missing authorization for writes by requiring physical/hardware action under controlled procedures. |
CWE-434 | Unrestricted Upload of File with Dangerous Type | 4,869 | Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures. |
CWE-284 | Improper Access Control | 4,832 | Hardware write-protect enforces access control on critical resources (e.g., firmware) independent of software state. |
CWE-863 | Incorrect Authorization | 3,234 | Ensures authorization decisions for firmware changes cannot be bypassed by software and must follow explicit re-enable steps. |
CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,824 | Directly implements hardware-enforced write protection on critical resources instead of relying on potentially incorrect software permissions. |
CWE-285 | Improper Authorization | 1,230 | Requires explicit authorization (via manual hardware procedures) before any write is possible, preventing unauthorized modifications. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
CVE-2026-31649 | 2.0 | 9.8 | 0.0007 | good |