NIST 800-53 r5 · Controls catalogue · Family CP
CP-10 System Recovery and Reconstitution
Provide for the recovery and reconstitution of the system to a known state within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] after a disruption, compromise, or failure.
Last updated: 19 May 2026 14:18 UTC
Implementations targeting this control (15)
- aws-config-elasticache-redis-cluster-automatic-backup-check Elasticache Redis Cluster Automatic Backup Check AWS::ElastiCache::CacheCluster partial recover enforce
- aws-config-db-instance-backup-enabled Db Instance Backup Enabled AWS::RDS::DBInstance partial recover enforce
- aws-config-dynamodb-autoscaling-enabled Dynamodb Autoscaling Enabled AWS::DynamoDB::Table partial protect enforce
- aws-config-dynamodb-in-backup-plan Dynamodb In Backup Plan AWS::DynamoDB::Table partial recover enforce
- aws-config-dynamodb-pitr-enabled Dynamodb Pitr Enabled AWS::DynamoDB::Table partial recover enforce
- aws-config-ebs-in-backup-plan Ebs In Backup Plan AWS::EC2::Volume partial recover enforce
- aws-config-ebs-optimized-instance Ebs Optimized Instance AWS::EC2::Volume partial protect enforce
- aws-config-efs-in-backup-plan Efs In Backup Plan AWS::EFS::FileSystem partial recover enforce
- aws-config-elb-cross-zone-load-balancing-enabled Elb Cross Zone Load Balancing Enabled AWS::ElasticLoadBalancing::LoadBalancer partial protect enforce
- aws-config-rds-multi-az-support Rds Multi Az Support AWS::RDS::DBInstance partial protect enforce CIS v5 §2.2.4 Hub RDS.5
- aws-config-redshift-backup-enabled Redshift Backup Enabled AWS::Redshift::Cluster partial recover enforce
- aws-config-s3-bucket-replication-enabled S3 Bucket Replication Enabled AWS::S3::Bucket partial recover enforce
- aws-config-s3-bucket-versioning-enabled S3 Bucket Versioning Enabled AWS::S3::Bucket partial protect enforce
- aws-config-s3-version-lifecycle-policy-check S3 Version Lifecycle Policy Check AWS::S3::Bucket partial protect enforce
- aws-config-vpc-vpn-2-tunnels-up Vpc Vpn 2 Tunnels Up AWS::EC2::VPC partial protect enforce
ATT&CK techniques this control mitigates (12)
- T1485 Data Destruction Impact
- T1485.001 Lifecycle-Triggered Deletion Impact
- T1486 Data Encrypted for Impact Impact
- T1490 Inhibit System Recovery Impact
- T1491 Defacement Impact
- T1491.001 Internal Defacement Impact
- T1491.002 External Defacement Impact
- T1561 Disk Wipe Impact
- T1561.001 Disk Content Wipe Impact
- T1561.002 Disk Structure Wipe Impact
- T1565 Data Manipulation Impact
- T1565.001 Stored Data Manipulation Impact
Weaknesses this control addresses (7) AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-284 | Improper Access Control | 4,905 | Recovery to a known state reverts unauthorized changes to access control mechanisms after compromise. |
| CWE-287 | Improper Authentication | 4,757 | System recovery re-establishes trusted authentication processes following a compromise. |
| CWE-269 | Improper Privilege Management | 2,936 | Recovery ensures return to a state with correctly assigned and managed privileges. |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,837 | Reconstitution corrects improper permission assignments on critical resources. |
| CWE-285 | Improper Authorization | 1,252 | Reconstitution restores proper authorization policies and enforcement that may have been altered. |
| CWE-506 | Embedded Malicious Code | 83 | Reverting to a known state removes any malicious code embedded by an attacker. |
| CWE-912 | Hidden Functionality | 79 | Recovery eliminates hidden functionality or backdoors introduced during compromise. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2026-27843 | 1.8 | 9.1 | 0.0010 | partial |
| CVE-2025-59895 | 1.5 | 7.5 | 0.0003 | partial |