NIST 800-53 r5 · Controls catalogue · Family SI
SI-20Tainting
Embed data or capabilities in the following systems or system components to determine if organizational data has been exfiltrated or improperly removed from the organization: {{ insert: param, si-20_odp }}.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (6)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 10,204 | Tainting directly detects exfiltration resulting from exposure of sensitive information to unauthorized actors. |
CWE-552 | Files or Directories Accessible to External Parties | 540 | Detects improper removal of data from files or directories that are accessible to external parties. |
CWE-497 | Exposure of Sensitive System Information to an Unauthorized Control Sphere | 314 | The control detects removal of sensitive system information into an unauthorized control sphere. |
CWE-201 | Insertion of Sensitive Information Into Sent Data | 295 | Embedding taints allows detection when sensitive data is inserted into outbound or sent data streams. |
CWE-359 | Exposure of Private Personal Information to an Unauthorized Actor | 174 | Tainting enables identification of exfiltration of private personal information to unauthorized parties. |
CWE-538 | Insertion of Sensitive Information into Externally-Accessible File or Directory | 84 | Tainting makes it possible to determine when sensitive data has been removed from externally accessible files or directories. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
CVE-2026-33873 | 2.0 | 9.9 | 0.0005 | good |
CVE-2026-25881 | 1.8 | 9.0 | 0.0006 | good |
CVE-2025-21622 | 1.6 | 7.5 | 0.0127 | good |
CVE-2026-34041 | 2.0 | 9.8 | 0.0002 | good |