NIST 800-53 r5 · Controls catalogue · Family SC

SC-51Hardware-based Protection

Employ hardware-based, write-protect for {{ insert: param, sc-51_odp.01 }} ; and Implement specific procedures for {{ insert: param, sc-51_odp.02 }} to manually disable hardware write-protect for firmware modifications and re-enable the write-protect prior to returning to operational mode.

Last updated: 19 May 2026 14:18 UTC

Implementations targeting this control (0)

No implementations targeting this control yet.

ATT&CK techniques this control mitigates (0)

No ATT&CK techniques mapped to this control yet.

Weaknesses this control addresses (6)AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE	Name	CVEs	Why this control addresses it
`CWE-862`	Missing Authorization	8,796	Eliminates missing authorization for writes by requiring physical/hardware action under controlled procedures.
`CWE-284`	Improper Access Control	4,905	Hardware write-protect enforces access control on critical resources (e.g., firmware) independent of software state.
`CWE-434`	Unrestricted Upload of File with Dangerous Type	4,889	Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.
`CWE-863`	Incorrect Authorization	3,303	Ensures authorization decisions for firmware changes cannot be bypassed by software and must follow explicit re-enable steps.
`CWE-732`	Incorrect Permission Assignment for Critical Resource	1,837	Directly implements hardware-enforced write protection on critical resources instead of relying on potentially incorrect software permissions.
`CWE-285`	Improper Authorization	1,252	Requires explicit authorization (via manual hardware procedures) before any write is possible, preventing unauthorized modifications.

Top CVEs where this control is the strongest mitigation

CVE	Risk	CVSS	EPSS	Match
`CVE-2026-31649`	2.0	9.8	0.0007	good
`CVE-2025-47375`	1.6	7.8	0.0002	good
`CVE-2025-47398`	1.6	7.8	0.0001	good

Other controls in family SC

SC-1 SC-10 SC-11 SC-12 SC-13 SC-14 SC-15 SC-16 SC-17 SC-18 SC-19 SC-2 SC-20 SC-21 SC-22 SC-23 SC-24 SC-25 SC-26 SC-27 SC-28 SC-29 SC-3 SC-30 SC-31 SC-32 SC-33 SC-34 SC-35 SC-36 SC-37 SC-38 SC-39 SC-4 SC-40 SC-41 SC-42 SC-43 SC-44 SC-45 SC-46 SC-47 SC-48 SC-49 SC-5 SC-50 SC-6 SC-7 SC-8 SC-9