NIST 800-53 r5 · Controls catalogue · Family SR
SR-6 Supplier Assessments and Reviews
Assess and review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide {{ insert: param, sr-06_odp }}.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (7)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-798 | Use of Hard-coded Credentials | 1,955 | Supplier risk reviews identify and discourage hard-coded credentials in delivered products or services. |
| CWE-321 | Use of Hard-coded Cryptographic Key | 277 | Assessments can uncover and prevent suppliers from shipping components that contain hard-coded cryptographic keys. |
| CWE-829 | Inclusion of Functionality from Untrusted Control Sphere | 254 | Supplier assessments directly reduce the likelihood of incorporating functionality from untrusted third-party control spheres. |
| CWE-494 | Download of Code Without Integrity Check | 242 | Supply-chain reviews verify that suppliers implement integrity checks before code or components are accepted. |
| CWE-259 | Use of Hard-coded Password | 187 | Reviews of supplier deliverables reduce the chance that hard-coded passwords are introduced into the system. |
| CWE-506 | Embedded Malicious Code | 80 | Reviews of suppliers and their deliverables can detect or deter introduction of embedded malicious code. |
| CWE-1104 | Use of Unmaintained Third Party Components | 19 | Assessments evaluate supplier maintenance practices, lowering exposure to unmaintained third-party components. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | | | | |