Cyber Resilience

NIST 800-53 r5 · Controls catalogue · Family SA

SA-22Unsupported System Components

Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or Provide the following options for alternative sources for continued support for unsupported components {{ insert: param, sa-22_odp.01 }}.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: mostly · 4 mapping(s) from 3 framework(s): ASVS 5.0 2 (partial) · CSF 2.0 1 (mostly) · OWASP-Web 1 (partial)

See the full cumulative-coverage rollup →

Implementations targeting this control (0)

ATT&CK techniques this control mitigates (6)

Weaknesses this control addresses (2)AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE Name CVEs Why this control addresses it
CWE-1104Use of Unmaintained Third Party Components21Directly prevents continued use of components that receive no further security updates or patches from the vendor.
CWE-477Use of Obsolete Function16Eliminates reliance on functions or components explicitly declared obsolete and unsupported by their maintainers.

Top CVEs where this control is the strongest mitigation

CVE Risk CVSS EPSS Match
CVE-2025-59374 KEV10.09.80.0108good
CVE-2024-3273 KEV UPD10.07.31.0000good
CVE-2024-3272 KEV UPD10.09.80.9804good
CVE-2024-23692 KEV10.09.80.9949good
CVE-2024-11120 KEV10.09.80.2855good
CVE-2024-0769 KEV10.05.30.8271good
CVE-2021-45382 KEV10.09.80.9784good
CVE-2020-9377 KEV10.08.80.2134good
CVE-2023-320078.08.80.7579good
CVE-2022-233028.08.80.6179good
CVE-2026-34857.09.80.0466good
CVE-2025-154717.09.80.1211good
CVE-2016-150577.09.90.0373good
CVE-2025-09827.010.00.0024good
CVE-2025-26197.09.80.0185good
CVE-2026-41847.09.80.0118good
CVE-2026-41837.09.80.0118good
CVE-2025-131887.09.80.0224good
CVE-2025-26187.09.80.0185good
CVE-2026-41827.09.80.0108good
CVE-2026-41817.09.80.0118good
CVE-2025-26217.09.80.0191good
CVE-2025-151947.09.80.0104good
CVE-2026-418737.09.80.0044good
CVE-2026-42374 UPD7.09.80.0047good

Other controls in family SA

SA-1 SA-10 SA-11 SA-12 SA-13 SA-14 SA-15 SA-16 SA-17 SA-18 SA-19 SA-2 SA-20 SA-21 SA-23 SA-24 SA-3 SA-4 SA-5 SA-6 SA-7 SA-8 SA-9