Cyber Posture

NIST 800-53 r5 · Controls catalogue · Family SR

SR-3 Supply Chain Controls and Processes

a. Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }} in coordination with {{ insert: param, sr-03_odp.02 }};
b. Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: {{ insert: param, sr-03_odp.03 }}; and
c. Document the selected and implemented supply chain processes and controls in {{ insert: param, sr-03_odp.04 }}.

Last updated: 09 May 2026 03:25 UTC

Implementations targeting this control (0)

ATT&CK techniques this control mitigates (0)

Weaknesses this control addresses (4)

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE · Name · CVEs · Why this control addresses it
CWE-829 · Inclusion of Functionality from Untrusted Control Sphere · 254 · Requiring vetted sources and controls for system components prevents inclusion of functionality obtained from untrusted control spheres.
CWE-494 · Download of Code Without Integrity Check · 242 · Supply chain processes require integrity verification of acquired components, directly preventing download or incorporation of unverified code.
CWE-506 · Embedded Malicious Code · 80 · Identifying weaknesses and applying supplier controls reduces the likelihood of embedded malicious code being introduced through procured elements.
CWE-1104 · Use of Unmaintained Third Party Components · 19 · Supply chain risk management processes include evaluation and replacement of unmaintained third-party components that introduce exploitable weaknesses.

Top CVEs where this control is the strongest mitigation

CVE · Risk · CVSS · EPSS · Match
CVE-2026-330751.88.80.0002good
