Cyber Resilience

NIST 800-53 r5 · Controls catalogue · Family SC

SC-20Secure Name/Address Resolution Service (Authoritative Source)

Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: partial · 1 mapping(s) from 1 framework(s): CSF 2.0 1 (partial)

See the full cumulative-coverage rollup →

Implementations targeting this control (0)

ATT&CK techniques this control mitigates (14)

Weaknesses this control addresses (6)AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE Name CVEs Why this control addresses it
CWE-347Improper Verification of Cryptographic Signature842Requires cryptographic signatures on authoritative data and support for verifying the chain of trust.
CWE-345Insufficient Verification of Data Authenticity699Mandates provision of authenticity and integrity artifacts that enable verification of name/address resolution data.
CWE-290Authentication Bypass by Spoofing698Directly counters DNS response spoofing by requiring cryptographic origin authentication artifacts from the authoritative source.
CWE-346Origin Validation Error661Enforces validation of the true origin of DNS responses via signatures and chain-of-trust mechanisms.
CWE-940Improper Verification of Source of a Communication Channel55Provides the means to verify the source of name-resolution responses instead of relying on unauthenticated channels.
CWE-353Missing Support for Integrity Check40Supplies the integrity-check artifacts (e.g., RRSIG, DNSKEY) that were previously missing for DNS responses.

Top CVEs where this control is the strongest mitigation

CVE Risk CVSS EPSS Match
CVE-2020-1350 KEV10.010.00.9218partial
CVE-2023-503878.07.51.0000partial
CVE-2025-301327.09.10.0034good
CVE-2026-412725.57.10.0023good
CVE-2025-311163.54.40.0045good

Other controls in family SC

SC-1 SC-10 SC-11 SC-12 SC-13 SC-14 SC-15 SC-16 SC-17 SC-18 SC-19 SC-2 SC-21 SC-22 SC-23 SC-24 SC-25 SC-26 SC-27 SC-28 SC-29 SC-3 SC-30 SC-31 SC-32 SC-33 SC-34 SC-35 SC-36 SC-37 SC-38 SC-39 SC-4 SC-40 SC-41 SC-42 SC-43 SC-44 SC-45 SC-46 SC-47 SC-48 SC-49 SC-5 SC-50 SC-51 SC-6 SC-7 SC-8 SC-9