NIST 800-53 r5 · Controls catalogue · Family SI
SI-1Policy and Procedures
Develop, document, and disseminate to {{ insert: param, si-1_prm_1 }}: {{ insert: param, si-01_odp.03 }} system and information integrity policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls; Designate an {{ insert: param, si-01_odp.04 }} to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and Review and update the current system and information integrity: Policy {{ insert: param, si-01_odp.05 }} and following {{ insert: param, si-01_odp.06 }} ; and Procedures {{ insert: param, si-01_odp.07 }} and following {{ insert: param, si-01_odp.08 }}.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (6)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-284 | Improper Access Control | 4,832 | Integrity policy and procedures explicitly define and assign responsibilities for access control enforcement, directly reducing unauthorized modification risks. |
CWE-269 | Improper Privilege Management | 2,907 | Policy mandates proper privilege assignment and review processes, making improper privilege management harder to overlook or sustain. |
CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,824 | Procedures require correct default and assigned permissions on critical resources, tangibly lowering the chance of overly permissive settings. |
CWE-285 | Improper Authorization | 1,230 | Documented authorization procedures ensure consistent checks before allowing changes to system state or data, limiting exploitation of missing or incorrect authorization. |
CWE-693 | Protection Mechanism Failure | 476 | Regular policy review and procedure updates reduce the likelihood that integrity protection mechanisms are omitted, misconfigured, or allowed to degrade. |
CWE-657 | Violation of Secure Design Principles | 19 | Requiring a formal integrity policy enforces secure design principles such as least privilege and separation of duties across the organization. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | ||||