Cyber Resilience

NIST 800-53 r5 · Controls catalogue · Family SA

SA-24 Design for Cyber Resiliency

Design organizational systems, system components, or system services to achieve cyber resiliency by:

a. Defining the following cyber resiliency goals: {{ insert: param, sa-24_odp.01 }};
b. Defining the following cyber resiliency objectives: {{ insert: param, sa-24_odp.02 }};
c. Defining the following cyber resiliency techniques: {{ insert: param, sa-24_odp.03 }};
d. Defining the following cyber resiliency implementation approaches: {{ insert: param, sa-24_odp.04 }};
e. Defining the following cyber resiliency design principles: {{ insert: param, sa-24_odp.05 }}; and
f. Implementing the selected cyber resiliency goals, objectives, techniques, implementation approaches, and design principles as part of an organizational risk management process or systems security engineering process.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: partial · 6 mapping(s) from 3 framework(s): ASVS 5.0 3 (partial) · CSF 2.0 2 (partial) · OWASP-Web 1 (partial)


Implementations targeting this control (0)

ATT&CK techniques this control mitigates (0)

Weaknesses this control addresses (8) · AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE · Name · CVEs · Why this control addresses it

CWE-284 · Improper Access Control · 5,367 · Resiliency goals and objectives routinely incorporate least-privilege and access-control maintenance under adverse conditions, reducing improper access control.
CWE-400 · Uncontrolled Resource Consumption · 3,572 · Resiliency techniques such as redundancy, throttling, and adaptive response limit uncontrolled resource consumption and denial-of-service effects.
CWE-693 · Protection Mechanism Failure · 613 · Mandates selection and application of resiliency techniques and implementation approaches that strengthen protection mechanisms against failure or bypass.
CWE-703 · Improper Check or Handling of Exceptional Conditions · 150 · Cyber resiliency objectives explicitly include graceful handling of adverse conditions and exceptional states, reducing improper exception handling.
CWE-653 · Improper Isolation or Compartmentalization · 66 · Common cyber resiliency techniques include compartmentalization and isolation to limit blast radius, directly addressing improper isolation.
CWE-664 · Improper Control of a Resource Through its Lifetime · 42 · Requires designing resource lifetime controls that anticipate, withstand, and recover from stresses or attacks, mitigating improper resource control.
CWE-691 · Insufficient Control Flow Management · 32 · Design principles and implementation approaches enforce robust control-flow management to maintain function and enable recovery after disruption.
CWE-657 · Violation of Secure Design Principles · 19 · Explicitly requires defining and implementing cyber resiliency design principles as part of systems engineering, directly preventing violations of secure design principles.

Top CVEs where this control is the strongest mitigation

CVE · Risk · CVSS · EPSS · Match
No CVEs annotated to this control yet — the per-CVE backfill is in progress.

Other controls in family SA

SA-1 SA-2 SA-3 SA-4 SA-5 SA-6 SA-7 SA-8 SA-9 SA-10 SA-11 SA-12 SA-13 SA-14 SA-15 SA-16 SA-17 SA-18 SA-19 SA-20 SA-21 SA-22 SA-23