Cyber Resilience

NIST 800-53 r5 · Controls catalogue · Family SI

SI-2 Flaw Remediation

a. Identify, report, and correct system flaws;
b. Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
c. Install security-relevant software and firmware updates within {{ insert: param, si-02_odp }} of the release of the updates; and
d. Incorporate flaw remediation into the organizational configuration management process.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: mostly · 6 mapping(s) from 2 framework(s): CSF 2.0 3 (mostly) · OWASP-Web 3 (partial)


Implementations targeting this control (10)

ATT&CK techniques this control mitigates (84)

Weaknesses this control addresses (5)

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE      | Name                                         | CVEs | Why this control addresses it
CWE-327  | Use of a Broken or Risky Cryptographic Algorithm | 777 | Flaw remediation replaces broken or risky cryptographic algorithms once safer implementations are released by vendors.
CWE-326  | Inadequate Encryption Strength               | 520  | Prompt patching corrects inadequate encryption strength when vendors release updates that increase key sizes or algorithm security.
CWE-328  | Use of Weak Hash                             | 85   | Security updates supplant weak hashing algorithms with stronger alternatives before attackers can exploit the original weakness.
CWE-1104 | Use of Unmaintained Third Party Components   | 21   | Timely identification and installation of updates directly prevents use of unmaintained third-party components whose known flaws remain exploitable.
CWE-477  | Use of Obsolete Function                     | 16   | Software and firmware updates replace obsolete functions whose retained presence leaves systems exposed to publicly known weaknesses.

Top CVEs where this control is the strongest mitigation

CVE             | Risk     | CVSS | EPSS   | Match
CVE-2026-3909   | KEV 10.0 | 8.8  | 0.0163 | good
CVE-2026-3910   | KEV 10.0 | 8.8  | 0.0200 | good
CVE-2026-20131  | KEV 10.0 | 10.0 | 0.2755 | good
CVE-2026-21385  | KEV 10.0 | 7.8  | 0.0107 | good
CVE-2026-22719  | KEV 10.0 | 8.1  | 0.1742 | good
CVE-2026-22769  | KEV 10.0 | 10.0 | 0.1313 | good
CVE-2026-2441   | KEV 10.0 | 8.8  | 0.2202 | good
CVE-2026-20700  | KEV 10.0 | 7.8  | 0.0132 | good
CVE-2026-25108  | KEV 10.0 | 8.8  | 0.0497 | good
CVE-2026-21510  | KEV 10.0 | 8.8  | 0.2584 | good
CVE-2026-21514  | KEV 10.0 | 7.8  | 0.0152 | good
CVE-2026-21525  | KEV 10.0 | 6.2  | 0.0496 | good
CVE-2026-21533  | KEV 10.0 | 7.8  | 0.0385 | good
CVE-2026-21519  | KEV 10.0 | 7.8  | 0.0242 | good
CVE-2026-1603   | KEV 10.0 | 8.6  | 0.8109 | good
CVE-2026-21513  | KEV 10.0 | 8.8  | 0.1538 | good
CVE-2025-62215  | KEV 10.0 | 7.0  | 0.0610 | good
CVE-2026-1731   | KEV 10.0 | 9.8  | 0.8609 | good
CVE-2026-1281   | KEV 10.0 | 9.8  | 0.8123 | good
CVE-2025-40551  | KEV 10.0 | 9.8  | 0.8413 | good
CVE-2025-40536  | KEV 10.0 | 8.1  | 0.8162 | good
CVE-2026-23760  | KEV 10.0 | 9.8  | 0.9627 | good
CVE-2026-24423  | KEV 10.0 | 9.8  | 0.8769 | good
CVE-2026-20963  | KEV 10.0 | 9.8  | 0.3111 | good
CVE-2026-24061  | KEV 10.0 | 9.8  | 0.9887 | good
