Cyber Resilience

NIST 800-53 r5 · Controls catalogue · Family SC

SC-17Public Key Infrastructure Certificates

Issue public key certificates under an {{ insert: param, sc-17_odp }} or obtain public key certificates from an approved service provider; and Include only approved trust anchors in trust stores or certificate stores managed by the organization.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: mostly · 7 mapping(s) from 1 framework(s): ASVS 5.0 7 (mostly)

See the full cumulative-coverage rollup →

Implementations targeting this control (0)

ATT&CK techniques this control mitigates (2)

Weaknesses this control addresses (6)AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE Name CVEs Why this control addresses it
CWE-295Improper Certificate Validation1,683Mandates approved trust anchors and issuance policies, directly preventing acceptance of unvalidated or untrusted certificates.
CWE-347Improper Verification of Cryptographic Signature842PKI certificates under an approved policy require cryptographic signature verification on issuance and validation.
CWE-345Insufficient Verification of Data Authenticity699Use of approved PKI certificates provides verifiable data authenticity and origin for communications and artifacts.
CWE-321Use of Hard-coded Cryptographic Key302Approved PKI issuance and trust stores replace ad-hoc or hard-coded keys with properly managed, signed certificates.
CWE-297Improper Validation of Certificate with Host Mismatch59Approved PKI issuance and trust stores enforce full certificate validation steps including name/hostname checks.
CWE-296Improper Following of a Certificate's Chain of Trust17Requires only approved trust anchors in stores, ensuring proper chain-of-trust validation rather than arbitrary or incomplete paths.

Top CVEs where this control is the strongest mitigation

CVE Risk CVSS EPSS Match
CVE-2020-0601 KEV10.08.10.8944good
CVE-2026-201847.09.80.0052good
CVE-2025-700437.09.10.0018good
CVE-2025-672297.09.80.0026good
CVE-2026-1709 UPD7.09.40.0575good
CVE-2025-155737.09.40.0022good
CVE-2026-251607.09.10.0023good
CVE-2024-329627.010.00.0083good
CVE-2022-346896.07.50.3793good
CVE-2024-116215.58.80.0022good
CVE-2024-417245.58.70.0018good
CVE-2024-407025.58.20.0025good
CVE-2023-240115.58.20.0033good
CVE-2026-44345.58.10.0014good
CVE-2025-11465.58.10.0027good
CVE-2025-11935.58.10.0036good
CVE-2024-472585.58.10.0013good
CVE-2026-43965.58.10.0014good
CVE-2025-05015.57.50.0044good
CVE-2024-523295.57.40.0037good
CVE-2024-523305.57.40.0033good
CVE-2024-104445.57.50.0024good
CVE-2019-256525.57.50.0011good
CVE-2024-548485.57.40.0030good
CVE-2026-33896 UPD5.57.40.0035good

Other controls in family SC

SC-1 SC-10 SC-11 SC-12 SC-13 SC-14 SC-15 SC-16 SC-18 SC-19 SC-2 SC-20 SC-21 SC-22 SC-23 SC-24 SC-25 SC-26 SC-27 SC-28 SC-29 SC-3 SC-30 SC-31 SC-32 SC-33 SC-34 SC-35 SC-36 SC-37 SC-38 SC-39 SC-4 SC-40 SC-41 SC-42 SC-43 SC-44 SC-45 SC-46 SC-47 SC-48 SC-49 SC-5 SC-50 SC-51 SC-6 SC-7 SC-8 SC-9