NIST 800-53 r5 · Controls catalogue · Family SR
SR-11 Component Authenticity
Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and report counterfeit system components to {{ insert: param, sr-11_odp.01 }}.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (15)
- T1059.002 AppleScript (Execution)
- T1195 Supply Chain Compromise (Initial Access)
- T1195.001 Compromise Software Dependencies and Development Tools (Initial Access)
- T1195.002 Compromise Software Supply Chain (Initial Access)
- T1195.003 Compromise Hardware Supply Chain (Initial Access)
- T1204.003 Malicious Image (Execution)
- T1505 Server Software Component (Persistence)
- T1505.001 SQL Stored Procedures (Persistence)
- T1505.002 Transport Agent (Persistence)
- T1505.004 IIS Components (Persistence)
- T1546.006 LC_LOAD_DYLIB Addition (Privilege Escalation, Persistence)
- T1554 Compromise Host Software Binary (Persistence)
- T1601 Modify System Image (Defense Impairment)
- T1601.001 Patch System Image (Defense Impairment)
- T1601.002 Downgrade System Image (Defense Impairment)
Weaknesses this control addresses (6)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-347 | Improper Verification of Cryptographic Signature | 778 | Authenticity validation commonly relies on cryptographic signature or certificate checks that this control enforces. |
| CWE-829 | Inclusion of Functionality from Untrusted Control Sphere | 254 | Anti-counterfeit procedures directly block inclusion of components originating from untrusted supply-chain actors. |
| CWE-494 | Download of Code Without Integrity Check | 242 | Detecting counterfeits requires integrity verification of received components before acceptance. |
| CWE-506 | Embedded Malicious Code | 80 | Counterfeit components are a common vector for embedding malicious code; preventing their entry reduces this exposure. |
| CWE-912 | Hidden Functionality | 79 | Policies that verify component provenance make introduction of hidden or undocumented functionality materially harder. |
| CWE-353 | Missing Support for Integrity Check | 37 | The control mandates support for integrity-checking mechanisms to identify non-genuine components. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2025-30066 (KEV) | 9.2 | 8.6 | 0.9183 | good |
| CVE-2010-20103 | 7.1 | 9.8 | 0.8508 | good |
| CVE-2025-30154 (KEV) | 5.8 | 8.6 | 0.3399 | good |
| CVE-2011-10018 | 5.1 | 9.8 | 0.5300 | good |
| CVE-2026-33634 (KEV) | 4.8 | 8.8 | 0.1683 | good |
| CVE-2025-27607 | 3.1 | 8.8 | 0.2176 | good |
| CVE-2026-34424 | 2.0 | 9.8 | 0.0024 | good |
| CVE-2026-6443 | 2.0 | 9.8 | 0.0006 | good |
| CVE-2026-34841 | 2.0 | 9.8 | 0.0003 | good |
| CVE-2026-31976 | 2.0 | 9.8 | 0.0008 | good |
| CVE-2025-34212 | 2.0 | 9.8 | 0.0067 | good |
| CVE-2026-40154 | 1.9 | 9.3 | 0.0004 | good |
| CVE-2024-41739 | 1.8 | 8.8 | 0.0027 | good |
| CVE-2026-41387 | 1.6 | 7.8 | 0.0002 | good |
| CVE-2026-4269 | 1.5 | 7.5 | 0.0006 | good |
| CVE-2025-27510 | 0.4 | 0.0 | 0.0632 | good |
| CVE-2025-59374 (KEV) | 6.0 | 9.8 | 0.3475 | good |
| CVE-2025-54313 (KEV) | 4.2 | 7.5 | 0.1162 | good |
| CVE-2024-41334 | 1.8 | 8.8 | 0.0014 | good |
| CVE-2026-28500 | 1.7 | 8.6 | 0.0001 | good |
| CVE-2023-24011 | 1.6 | 8.2 | 0.0012 | good |
| CVE-2025-21399 | 1.5 | 7.4 | 0.0019 | good |
| CVE-2025-15556 (KEV) | 3.9 | 7.5 | 0.0609 | good |
| CVE-2025-50472 | 2.0 | 9.8 | 0.0105 | good |
| CVE-2025-27680 | 1.8 | 9.1 | 0.0023 | good |