NIST 800-53 r5 · Controls catalogue · Family SC
SC-35External Malicious Code Identification
Include system components that proactively seek to identify network-based malicious code or malicious websites.
Last updated: 04 July 2026 08:17 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: mostly · 3 mapping(s) from 2 framework(s): ASVS 5.0 2 (partial) · CSF 2.0 1 (mostly)
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (3)
Weaknesses this control addresses (3)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-829 | Inclusion of Functionality from Untrusted Control Sphere | 298 | External identification of malicious code makes inclusion of functionality from untrusted network sources substantially harder to perform undetected. |
CWE-494 | Download of Code Without Integrity Check | 252 | Proactive network scanning for malicious code directly detects and blocks downloads that lack integrity verification. |
CWE-830 | Inclusion of Web Functionality from an Untrusted Source | 12 | Components that flag malicious websites reduce the ability to pull and render web functionality from untrusted external sources. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
CVE-2023-32049 KEV | 10.0 | 8.8 | 0.0440 | good |
CVE-2026-1342 | 5.5 | 8.5 | 0.0018 | good |
CVE-2026-43003 UPD | 5.5 | 8.0 | 0.0084 | good |
CVE-2025-65319 | 7.0 | 9.1 | 0.0048 | partial |
CVE-2026-26056 | 5.5 | 8.8 | 0.0040 | good |