NIST 800-53 r5 · Controls catalogue · Family SR
SR-5 Acquisition Strategies, Tools, and Methods
Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: {{ insert: param, sr-05_odp }}.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (15)
- T1059.002 AppleScript (Execution)
- T1195 Supply Chain Compromise (Initial Access)
- T1195.001 Compromise Software Dependencies and Development Tools (Initial Access)
- T1195.002 Compromise Software Supply Chain (Initial Access)
- T1195.003 Compromise Hardware Supply Chain (Initial Access)
- T1204.003 Malicious Image (Execution)
- T1505 Server Software Component (Persistence)
- T1505.001 SQL Stored Procedures (Persistence)
- T1505.002 Transport Agent (Persistence)
- T1505.004 IIS Components (Persistence)
- T1546.006 LC_LOAD_DYLIB Addition (Privilege Escalation, Persistence)
- T1554 Compromise Host Software Binary (Persistence)
- T1601 Modify System Image (Defense Impairment)
- T1601.001 Patch System Image (Defense Impairment)
- T1601.002 Downgrade System Image (Defense Impairment)
Weaknesses this control addresses (5)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-829 | Inclusion of Functionality from Untrusted Control Sphere | 254 | Procurement methods and contract requirements can mandate use of vetted, controlled sources instead of arbitrary third-party or untrusted control spheres. |
| CWE-494 | Download of Code Without Integrity Check | 242 | Acquisition strategies can stipulate that delivered code or firmware must be signed and integrity-checked, making downloads without verification contractually non-compliant. |
| CWE-506 | Embedded Malicious Code | 80 | Acquisition strategies can require trusted suppliers, code reviews, and integrity attestations that directly reduce the likelihood of receiving components with embedded malicious code. |
| CWE-912 | Hidden Functionality | 79 | Supply-chain controls such as supplier audits and functional verification requirements make insertion of hidden or undocumented functionality harder to achieve undetected. |
| CWE-1104 | Use of Unmaintained Third Party Components | 19 | Contract tools and acquisition criteria can explicitly require ongoing vendor support, patching commitments, and avoidance of unmaintained third-party components. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | ||||