Cyber Resilience

NIST 800-53 r5 · Controls catalogue · Family SC

SC-2 Separation of System and User Functionality

Separate user functionality, including user interface services, from system management functionality.

Last updated: 04 July 2026 00:28 UTC

Implementations targeting this control (0)

ATT&CK techniques this control mitigates (8)

Weaknesses this control addresses (7)

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-284 | Improper Access Control | 5,367 | Explicit separation implements access control boundaries between user interfaces and system management functionality. |
| CWE-269 | Improper Privilege Management | 3,104 | The control enforces proper privilege boundaries by ensuring user functionality cannot invoke or manage system-level privileges. |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,874 | Ensures critical system resources and functions receive permission assignments distinct from ordinary user resources. |
| CWE-668 | Exposure of Resource to Wrong Sphere | 797 | Prevents exposure of system management resources and functions into the user functionality sphere. |
| CWE-250 | Execution with Unnecessary Privileges | 333 | Separating user-facing code from system management functions directly prevents execution of privileged operations from untrusted user contexts. |
| CWE-1220 | Insufficient Granularity of Access Control | 94 | Provides the necessary granularity by placing system management functions outside the reach of user-level access controls. |
| CWE-653 | Improper Isolation or Compartmentalization | 66 | Directly requires isolation/compartmentalization of user services from system management functions. |

Top CVEs where this control is the strongest mitigation

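| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2026-33334 | 7.0 | 9.6 | 0.0039 | good |
| CVE-2026-39911 | 5.5 | 8.8 | 0.0054 | good |
| CVE-2026-27952 | 5.5 | 8.8 | 0.0050 | good |
| CVE-2026-7064 | 5.5 | 7.3 | 0.0171 | good |
| CVE-2026-40317 | 7.0 | 9.3 | 0.0022 | good |
| CVE-2025-59252 | 7.0 | 9.3 | 0.0052 | good |
| CVE-2026-33336 | 5.5 | 8.8 | 0.0112 | good |
| CVE-2025-56098 | 5.5 | 8.8 | 0.0224 | partial |
| CVE-2025-24228 | 5.5 | 7.8 | 0.0032 | good |
| CVE-2025-0478 | 5.5 | 7.8 | 0.0014 | good |
| CVE-2024-44303 | 5.5 | 7.5 | 0.0027 | good |
| CVE-2025-24130 | 3.5 | 5.5 | 0.0063 | good |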
