Cyber Resilience

NIST 800-53 r5 · Controls catalogue · Family SA

SA-12 Supply Chain Protection

Last updated: 04 July 2026 08:17 UTC

Implementations targeting this control (0)

ATT&CK techniques this control mitigates (0)

Weaknesses this control addresses (8)

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE | Name | CVEs | Why this control addresses it
CWE-798 | Use of Hard-coded Credentials | 2,013 | Supplier evaluation and secure acquisition practices make it harder for hard-coded credentials to enter the environment through procured products.
CWE-321 | Use of Hard-coded Cryptographic Key | 302 | Supply chain protection includes scrutiny of cryptographic implementations, reducing the chance that an untrusted vendor ships a hard-coded key.
CWE-829 | Inclusion of Functionality from Untrusted Control Sphere | 298 | Requires use of trusted sources and provenance tracking, directly limiting the inclusion of functionality from untrusted control spheres.
CWE-494 | Download of Code Without Integrity Check | 252 | Supply chain protection requires integrity verification of acquired components, directly reducing the chance that code is substituted or tampered with during delivery.
CWE-506 | Embedded Malicious Code | 85 | The control mandates supplier vetting and tamper detection, making it harder for upstream providers to embed malicious code.
CWE-912 | Hidden Functionality | 79 | Vetting and integrity controls during acquisition reduce the likelihood of hidden backdoors or malicious functionality introduced by suppliers.
CWE-1104 | Use of Unmaintained Third Party Components | 21 | Supply chain risk management includes supplier assessments that favour maintained and supported third-party components.
CWE-1242 | Inclusion of Undocumented Features or Chicken Bits | 14 | Requires transparency and verification of delivered components, limiting undocumented features or debug hooks introduced upstream.
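The integrity-verification step that the CWE-494, CWE-506 and CWE-829 rows describe, shown as an added example that is not part of this catalogue page or of NIST's text: a small verifier that accepts a fetched component only if it is pinned in a trusted manifest and its bytes hash to the pinned SHA-256 digest. Unpinned artifacts, digest mismatches and pinned components that never arrived are all rejected. The manifest format, artifact names and artifact bytes are constructed for illustration and do not correspond to any real package.

```python
"""Pinned-digest verification of acquired components (added example).

Before a downloaded component is installed, every artifact must appear in a
trusted manifest with an expected SHA-256 digest, and the bytes actually
received must hash to that digest. Anything unpinned or mismatched is
rejected rather than installed.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed manifest: what the acquirer recorded at review time. The
# digests are computed here from the sample "clean build" bytes below so the
# example runs offline; in practice they come from the supplier's signed
# release notes or a reviewed lockfile, never from the download itself.
TRUSTED_MANIFEST = {
    "libparse-1.4.2.tar.gz": hashlib.sha256(b"libparse-1.4.2 clean build").hexdigest(),
    "netutil-0.9.0.whl": hashlib.sha256(b"netutil-0.9.0 clean build").hexdigest(),
}


@dataclass(frozen=True)
class Verdict:
    name: str
    accepted: bool
    reason: str


def verify_artifact(name: str, data: bytes, manifest: dict[str, str]) -> Verdict:
    """Accept only artifacts pinned in the manifest whose bytes match the pin."""
    expected = manifest.get(name)
    if expected is None:
        # CWE-829: a component nobody reviewed has no place in the build.
        return Verdict(name, False, "not pinned in trusted manifest")
    actual = hashlib.sha256(data).hexdigest()
    # Any byte-level change in transit or upstream (CWE-494, CWE-506, CWE-912)
    # changes the digest; compare_digest keeps the comparison constant-time.
    if not hmac.compare_digest(actual, expected):
        return Verdict(
            name, False,
            f"digest mismatch: expected {expected[:12]}..., got {actual[:12]}...",
        )
    return Verdict(name, True, "digest matches pinned value")


def verify_download_set(downloads: dict[str, bytes], manifest: dict[str, str]) -> list[Verdict]:
    """Verify a whole fetch, and flag pinned components that were not delivered."""
    verdicts = [verify_artifact(n, d, manifest) for n, d in downloads.items()]
    for missing in sorted(set(manifest) - set(downloads)):
        verdicts.append(Verdict(missing, False, "pinned but not delivered"))
    return verdicts


def all_accepted(verdicts: list[Verdict]) -> bool:
    """True only if every verdict accepted; a single rejection blocks install."""
    return all(v.accepted for v in verdicts)


# Constructed delivery: one clean artifact, one tampered in transit, one unpinned.
SAMPLE_DOWNLOADS = {
    "libparse-1.4.2.tar.gz": b"libparse-1.4.2 clean build",
    "netutil-0.9.0.whl": b"netutil-0.9.0 clean build" + b"\x00injected",  # tampered
    "helper-2.0.0.tar.gz": b"never reviewed",                                # unpinned
}

if __name__ == "__main__":
    for v in verify_download_set(SAMPLE_DOWNLOADS, TRUSTED_MANIFEST):
        print(f"{'ACCEPT' if v.accepted else 'REJECT':6} {v.name}: {v.reason}")
```

The manifest is the trust anchor here: the check is only as good as how the pinned digests were obtained, so they must be recorded from an out-of-band source (signed release metadata, a reviewed lockfile) rather than read from the same server that serves the artifact.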

Top CVEs where this control is the strongest mitigation

Badges: KEV marks a CVE listed in CISA's Known Exploited Vulnerabilities catalogue; UPD is the page's own marker and is reproduced as shown.

CVE | Badges | Risk | CVSS | EPSS | Match
CVE-2025-30154 | KEV | 10.0 | 8.6 | 0.0230 | good
CVE-2026-8398 | KEV UPD | 10.0 | 9.8 | 0.0146 | good
CVE-2026-26974 | | 7.0 | 9.8 | 0.0054 | good
CVE-2025-27607 | | 5.5 | 8.8 | 0.0145 | good
CVE-2026-22865 | | 5.5 | 7.4 | 0.0014 | good
CVE-2026-22816 | | 5.5 | 7.4 | 0.0015 | good
CVE-2024-38526 | | 5.5 | 7.2 | 0.0383 | good
CVE-2026-45321 | KEV UPD | 10.0 | 9.6 | 0.0234 | good
CVE-2026-34841 | | 7.0 | 9.8 | 0.0023 | good
CVE-2026-33075 | | 5.5 | 8.8 | 0.0030 | good
CVE-2025-69263 | UPD | 5.5 | 7.5 | 0.0031 | good
CVE-2025-30066 | KEV | 10.0 | 8.6 | 0.4101 | partial
CVE-2024-3094 | UPD | 8.0 | 10.0 | 0.8597 | partial

Other controls in family SA

SA-1 SA-2 SA-3 SA-4 SA-5 SA-6 SA-7 SA-8 SA-9 SA-10 SA-11 SA-13 SA-14 SA-15 SA-16 SA-17 SA-18 SA-19 SA-20 SA-21 SA-22 SA-23 SA-24