Cyber Resilience

NIST 800-53 r5 · Controls catalogue · Family SA

SA-10Developer Configuration Management

Require the developer of the system, system component, or system service to: Perform configuration management during system, component, or service {{ insert: param, sa-10_odp.01 }}; Document, manage, and control the integrity of changes to {{ insert: param, sa-10_odp.02 }}; Implement only organization-approved changes to the system, component, or service; Document approved changes to the system, component, or service and the potential security and privacy impacts of such changes; and Track security flaws and flaw resolution within the system, component, or service and report findings to {{ insert: param, sa-10_odp.03 }}.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: mostly · 4 mapping(s) from 2 framework(s): ASVS 5.0 3 (partial) · CSF 2.0 1 (mostly)

See the full cumulative-coverage rollup →

Implementations targeting this control (0)

ATT&CK techniques this control mitigates (27)

Weaknesses this control addresses (5)AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE Name CVEs Why this control addresses it
CWE-494Download of Code Without Integrity Check252Mandating integrity control and approved-only changes during development prevents incorporation of code or components lacking integrity validation.
CWE-506Embedded Malicious Code85Requiring documented, approved changes plus security flaw tracking makes undetected insertion of malicious code substantially harder.
CWE-912Hidden Functionality79Change control, approval gates, and flaw tracking force hidden functionality to be either documented or discovered and removed.
CWE-353Missing Support for Integrity Check40Requiring control over the integrity of all changes directly compels developers to implement integrity verification mechanisms rather than omitting them.
CWE-1104Use of Unmaintained Third Party Components21Configuration management and explicit tracking of security flaws require identification and remediation of unmaintained or vulnerable third-party components.

Top CVEs where this control is the strongest mitigation

CVE Risk CVSS EPSS Match
CVE-2025-54594 UPD7.09.10.0043good
CVE-2025-156173.56.50.0039good
CVE-2026-398665.58.80.0235partial
CVE-2026-403137.09.10.0031partial
CVE-2025-54428 UPD7.09.80.0046partial
CVE-2026-290755.58.30.0037good
CVE-2026-279385.57.70.0079partial

Other controls in family SA

SA-1 SA-11 SA-12 SA-13 SA-14 SA-15 SA-16 SA-17 SA-18 SA-19 SA-2 SA-20 SA-21 SA-22 SA-23 SA-24 SA-3 SA-4 SA-5 SA-6 SA-7 SA-8 SA-9