Cyber Resilience

NIST 800-53 r5 · Controls catalogue · Family SC

SC-46 Cross Domain Policy Enforcement

Implement a policy enforcement mechanism {{ insert: param, sc-46_odp }} between the physical and/or network interfaces for the connecting security domains.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this control. The verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: partial · 2 mappings from 1 framework: ASVS 5.0: 2 (partial)


Implementations targeting this control (0)

ATT&CK techniques this control mitigates (27)

Weaknesses this control addresses (9) AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE | Name | CVEs | Why this control addresses it
CWE-862 | Missing Authorization | 9,346 | Implementing the enforcement point directly addresses missing authorization checks for operations that cross security domains.
CWE-284 | Improper Access Control | 5,367 | Cross-domain policy enforcement implements mandatory access control at domain boundaries, directly preventing unauthorized interactions across security domains.
CWE-863 | Incorrect Authorization | 3,515 | The mechanism applies correct, centrally managed authorization rules at domain boundaries, blocking incorrect authorization logic from being exploited.
CWE-285 | Improper Authorization | 1,356 | The control enforces explicit authorization policies on all traffic and data flows between domains, mitigating improper or missing authorization decisions.
CWE-668 | Exposure of Resource to Wrong Sphere | 797 | The control ensures resources are not exposed outside their intended security domain by filtering transfers at the domain boundary.
CWE-669 | Incorrect Resource Transfer Between Spheres | 105 | It governs all resource transfers between spheres, preventing incorrect or unauthorized movement of data or capabilities across domain interfaces.
CWE-653 | Improper Isolation or Compartmentalization | 66 | Policy enforcement between domains strengthens isolation and compartmentalization, reducing the ability to exploit weak separation of security contexts.
CWE-923 | Improper Restriction of Communication Channel to Intended Endpoints | 61 | Policy enforcement restricts communication channels to only the intended endpoints and protocols between security domains.
CWE-501 | Trust Boundary Violation | 30 | By mediating every interface between security domains, the mechanism upholds trust boundaries and blocks violations that would allow untrusted data or commands to cross.

Top CVEs where this control is the strongest mitigation

CVE | Risk | CVSS | EPSS | Match
CVE-2017-0210 KEV | 10.0 | 8.8 | 0.1952 | good
CVE-2026-34449 | 7.0 | 9.6 | 0.0050 | good
CVE-2026-41056 | 5.5 | 8.1 | 0.0034 | good
CVE-2026-6662 | 5.5 | 7.3 | 0.0018 | good
CVE-2026-5302 | 3.5 | 6.3 | 0.0026 | good
CVE-2024-22348 | 3.5 | 5.3 | 0.0034 | good
CVE-2026-33043 | 5.5 | 8.1 | 0.0034 | good

Other controls in family SC

SC-1 SC-10 SC-11 SC-12 SC-13 SC-14 SC-15 SC-16 SC-17 SC-18 SC-19 SC-2 SC-20 SC-21 SC-22 SC-23 SC-24 SC-25 SC-26 SC-27 SC-28 SC-29 SC-3 SC-30 SC-31 SC-32 SC-33 SC-34 SC-35 SC-36 SC-37 SC-38 SC-39 SC-4 SC-40 SC-41 SC-42 SC-43 SC-44 SC-45 SC-47 SC-48 SC-49 SC-5 SC-50 SC-51 SC-6 SC-7 SC-8 SC-9