NIST 800-53 r5 · Controls catalogue · Family SA
SA-16Developer-provided Training
Require the developer of the system, system component, or system service to provide the following training on the correct use and operation of the implemented security and privacy functions, controls, and/or mechanisms: {{ insert: param, sa-16_odp }}.
Last updated: 19 May 2026 14:18 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (3)
Weaknesses this control addresses (9)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-284 | Improper Access Control | 4,905 | Explicit training on access control mechanisms and their operation makes improper access control harder to introduce via misconfiguration. |
CWE-287 | Improper Authentication | 4,757 | Developer-provided instruction on authentication controls improves correct implementation and ongoing operation of authentication. |
CWE-269 | Improper Privilege Management | 2,936 | Developer training on implemented privilege management controls prevents improper assignment or escalation through correct configuration and operation. |
CWE-306 | Missing Authentication for Critical Function | 2,600 | Training emphasizes enabling and properly using authentication for critical functions, reducing missing authentication exposures. |
CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,837 | Training on security functions includes correct permission assignment for critical resources, lowering misconfiguration risk. |
CWE-276 | Incorrect Default Permissions | 1,765 | Training covers proper setting of permissions on resources, reducing incorrect default or inherited permissions after deployment. |
CWE-285 | Improper Authorization | 1,252 | Training on authorization functions and controls reduces authorization bypasses stemming from incorrect setup or use. |
CWE-250 | Execution with Unnecessary Privileges | 311 | Training on correct operation of privilege-related security functions directly reduces unnecessary privilege execution by teaching least-privilege usage. |
CWE-1188 | Initialization of a Resource with an Insecure Default | 309 | Instruction on secure initialization of security controls prevents leaving resources with insecure defaults after installation. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | ||||