Cyber Resilience

NIST 800-53 r5, controls catalogue, family SI

SI-15 Information Output Filtering

Validate information output from the following software programs and/or applications to ensure that the information is consistent with the expected content: {{ insert: param, si-15_odp }}.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this control. The verdict is the strongest single mapping (overlapping partial mappings are not summed); the breadth figure shows how many mappings corroborate it.

Collective: partial · 21 mappings from 1 framework: ASVS 5.0, 21 mappings (partial)


Implementations targeting this control (0)

ATT&CK techniques this control mitigates (42)

Weaknesses this control addresses (6) · AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE | Name | CVEs | Why this control addresses it
CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 51,662 | Validating generated pages against expected content (plain text where text is expected) and encoding for the HTML context rejects or neutralizes injected script, reducing XSS exploitability.
CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 10,501 | Filtering output down to the permitted fields and values stops unintended disclosure of sensitive information to unauthorized actors.
CWE-532 | Insertion of Sensitive Information into Log File | 1,427 | Checking application output against expected content catches sensitive values (credentials, tokens, keys) before they reach log streams or files.
CWE-209 | Generation of Error Message Containing Sensitive Information | 666 | Validation ensures user-facing error messages contain only expected, non-sensitive text and blocks leakage through verbose errors such as stack traces or connection strings.
CWE-116 | Improper Encoding or Escaping of Output | 498 | Checking that output matches the encoding its destination context expects catches data that was not properly encoded or escaped before release.
CWE-117 | Improper Output Neutralization for Logs | 103 | Requiring log output to conform to expected content (one record per line, no control characters) prevents unneutralized data from forging or corrupting log entries.
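The table above describes the same mechanism in six settings: output is checked against what the destination is expected to receive before it is released. The following is an added example, written for this page and not taken from NIST or from the Cyber Resilience site, of an output filter that applies that check to the four destinations the CWEs cover (HTML text, log records, user-facing error messages and API responses). The secret patterns, the "sk_live_" key prefix, the field allowlist and the sample records are constructed assumptions, not real data.

```python
import html
import re
from dataclasses import dataclass, field

# Constructed patterns for values that must never leave the system in logs,
# errors or responses. Real deployments would tune these; the "sk_live_"
# prefix is a hypothetical internal API-key format, not a real product's.
SENSITIVE_PATTERNS = [
    ("jwt", re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b")),
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("internal_api_key", re.compile(r"\bsk_live_[A-Za-z0-9]{8,}\b")),
]
# Control characters other than tab, LF and CR (those two are handled separately).
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")

EXPECTED_ERRORS = frozenset({"Invalid username or password.", "Item not found."})
EXPECTED_USER_FIELDS = frozenset({"id", "username", "display_name"})


@dataclass
class FilterResult:
    ok: bool                 # True when the output already matched expected content
    output: object           # what may be released (encoded, neutralized, redacted or replaced)
    findings: list = field(default_factory=list)  # why the original was not acceptable


def redact_secrets(text: str):
    """Replace any sensitive value with a labelled placeholder (CWE-200, CWE-532)."""
    hits = []
    for name, pat in SENSITIVE_PATTERNS:
        if pat.search(text):
            hits.append(f"secret:{name}")
            text = pat.sub(f"[REDACTED:{name}]", text)
    return text, hits


def filter_html_text(value: str) -> FilterResult:
    """Plain-text field rendered into an HTML body. Expected content is text with
    no markup, so '<' or '>' is a finding; the value is HTML-encoded for its
    destination context either way (CWE-79, CWE-116)."""
    findings = ["markup_in_text_field"] if re.search(r"[<>]", value) else []
    return FilterResult(not findings, html.escape(value, quote=True), findings)


def filter_log_line(line: str) -> FilterResult:
    """One log record per line: CR/LF are escaped so an attacker-controlled value
    cannot forge a second record (CWE-117), other control characters are
    replaced, and secrets are redacted (CWE-532)."""
    findings = []
    if "\r" in line or "\n" in line or CONTROL_CHARS.search(line):
        findings.append("control_chars_in_log")
    cleaned = line.replace("\r", "\\r").replace("\n", "\\n")
    cleaned = CONTROL_CHARS.sub("?", cleaned)
    cleaned, hits = redact_secrets(cleaned)
    findings.extend(hits)
    return FilterResult(not findings, cleaned, findings)


def filter_error_message(message: str, expected: frozenset) -> FilterResult:
    """User-facing errors must be one of a fixed set of expected strings. A stack
    trace, SQL text or host address is replaced by a generic message and flagged
    so the detail can be logged server-side instead (CWE-209)."""
    if message in expected:
        return FilterResult(True, message, [])
    return FilterResult(False, "An internal error occurred.", ["unexpected_error_text"])


def filter_api_record(record: dict, expected_fields: frozenset) -> FilterResult:
    """Outbound API object: only expected fields may leave. Anything else
    (password hashes, internal flags, debug data) is dropped and flagged (CWE-200)."""
    extra = sorted(set(record) - expected_fields)
    kept = {k: v for k, v in record.items() if k in expected_fields}
    return FilterResult(not extra, kept, [f"unexpected_field:{k}" for k in extra])


def demo() -> dict:
    """Run the filters over constructed sample output (not real application data)."""
    forged_log = ("login user=bob\nINFO login user=admin ok "
                  "token=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJib2IifQ.abcdefghijklmnop")
    leaky_user = {"id": 7, "username": "bob", "display_name": "Bob",
                  "password_hash": "$2b$12$constructed", "is_admin": False}
    return {
        "html": filter_html_text('Bob <img src=x onerror="alert(1)">'),
        "log": filter_log_line(forged_log),
        "error": filter_error_message(
            "OperationalError: could not connect to server at 10.0.0.5", EXPECTED_ERRORS),
        "api": filter_api_record(leaky_user, EXPECTED_USER_FIELDS),
    }


if __name__ == "__main__":
    for dest, result in demo().items():
        print(f"{dest}: ok={result.ok} findings={result.findings}\n  -> {result.output!r}")
```

Each filter returns both the releasable output and a list of findings; in practice the findings go to the SOC as a detection signal, because output that fails validation is either a bug or an attack and both are worth a ticket. Note that encoding (CWE-116) and validation are complementary here: `filter_html_text` still encodes a value that passes, because validation against expected content is the check, not the fix.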

Top CVEs where this control is the strongest mitigation

CVE | Risk | CVSS | EPSS | Match
CVE-2025-27915 KEV | 10.0 | 5.4 | 0.0424 | good
CVE-2024-38475 KEV | 10.0 | 9.1 | 0.9996 | good
CVE-2022-42948 KEV | 10.0 | 9.8 | 0.0271 | good
CVE-2022-36446 | 8.0 | 9.8 | 0.9605 | good
CVE-2023-32071 | 8.0 | 9.0 | 0.7114 | good
CVE-2022-29036 | 8.0 | 5.4 | 0.7855 | good
CVE-2024-4439 | 8.0 | 7.2 | 0.7082 | good
CVE-2023-28651 | 8.0 | 4.8 | 0.6480 | good
CVE-2026-33066 | 7.0 | 9.0 | 0.0058 | good
CVE-2026-32751 | 7.0 | 9.0 | 0.0080 | good
CVE-2026-22792 | 7.0 | 9.6 | 0.0071 | good
CVE-2024-10441 | 7.0 | 9.8 | 0.0115 | good
CVE-2024-57686 | 7.0 | 9.8 | 0.0162 | good
CVE-2026-40470 | 7.0 | 9.9 | 0.0031 | good
CVE-2026-40472 | 7.0 | 9.9 | 0.0030 | good
CVE-2025-14320 UPD | 7.0 | 9.8 | 0.0033 | good
CVE-2025-30223 | 7.0 | 9.3 | 0.0059 | good
CVE-2026-29183 | 7.0 | 9.3 | 0.0063 | good
CVE-2026-34932 | 7.0 | 9.3 | 0.0029 | good
CVE-2026-33136 | 7.0 | 9.3 | 0.0021 | good
CVE-2025-66024 | 7.0 | 9.0 | 0.0035 | good
CVE-2026-32754 | 7.0 | 9.3 | 0.0053 | good
CVE-2026-31845 | 7.0 | 9.3 | 0.0050 | good
CVE-2025-66481 | 7.0 | 9.6 | 0.0048 | good
CVE-2026-32940 | 7.0 | 9.3 | 0.0030 | good

Other controls in family SI

SI-1 SI-2 SI-3 SI-4 SI-5 SI-6 SI-7 SI-8 SI-9 SI-10 SI-11 SI-12 SI-13 SI-14 SI-16 SI-17 SI-18 SI-19 SI-20 SI-21 SI-22 SI-23