NIST 800-53 r5 · Controls catalogue · Family SI
SI-2 Flaw Remediation
- Identify, report, and correct system flaws;
- Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
- Install security-relevant software and firmware updates within the organization-defined time period (parameter si-02_odp) of the release of the updates; and
- Incorporate flaw remediation into the organizational configuration management process.
Last updated: 04 July 2026 00:28 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: mostly · 6 mapping(s) from 2 framework(s): CSF 2.0 3 (mostly) · OWASP-Web 3 (partial)
Implementations targeting this control (10)
- aws-config-rds-automatic-minor-version-upgrade-enabled · RDS instances have minor version auto-upgrade · AWS::RDS::DBInstance · partial · protect · enforce · CIS v5 §2.2.2 · CIS v3 §2.3.2 · Hub RDS.13
- aws-config-cloudwatch-alarm-action-check · Critical CloudWatch alarms have at least one action · AWS::CloudWatch::Alarm · partial · detect · enforce
- aws-config-autoscaling-group-elb-healthcheck-required · Autoscaling Group Elb Healthcheck Required · AWS::AutoScaling::AutoScalingGroup · partial · protect · enforce
- aws-config-beanstalk-enhanced-health-reporting-enabled · Beanstalk Enhanced Health Reporting Enabled · AWS::ElasticBeanstalk::Environment · partial · protect · enforce
- aws-config-dynamodb-throughput-limit-check · Dynamodb Throughput Limit Check · AWS::DynamoDB::Table · partial · protect · enforce
- aws-config-ec2-managedinstance-patch-compliance-status-check · Ec2 Managedinstance Patch Compliance Status Check · AWS::EC2::Instance · partial · protect · enforce
- aws-config-elastic-beanstalk-managed-updates-enabled · Elastic Beanstalk Managed Updates Enabled · AWS::ElasticBeanstalk::Environment · partial · protect · enforce
- aws-config-lambda-dlq-check · Lambda Dlq Check · AWS::Lambda::Function · partial · protect · enforce
- aws-config-rds-enhanced-monitoring-enabled · Rds Enhanced Monitoring Enabled · AWS::RDS::DBInstance · partial · detect · enforce
- aws-config-redshift-cluster-maintenancesettings-check · Redshift Cluster Maintenancesettings Check · AWS::Redshift::Cluster · partial · protect · enforce
ATT&CK techniques this control mitigates (84)
- T1003 · OS Credential Dumping · Credential Access
- T1003.001 · LSASS Memory · Credential Access
- T1027 · Obfuscated Files or Information · Stealth
- T1027.002 · Software Packing · Stealth
- T1027.007 · Dynamic API Resolution · Stealth
- T1027.008 · Stripped Payloads · Stealth
- T1027.009 · Embedded Payloads · Stealth
- T1047 · Windows Management Instrumentation · Execution
- T1055 · Process Injection · Stealth, Privilege Escalation
- T1055.001 · Dynamic-link Library Injection · Stealth, Privilege Escalation
- T1055.002 · Portable Executable Injection · Stealth, Privilege Escalation
- T1055.003 · Thread Execution Hijacking · Stealth, Privilege Escalation
- T1055.004 · Asynchronous Procedure Call · Stealth, Privilege Escalation
- T1055.005 · Thread Local Storage · Stealth, Privilege Escalation
- T1055.008 · Ptrace System Calls · Stealth, Privilege Escalation
- T1055.009 · Proc Memory · Stealth, Privilege Escalation
- T1055.011 · Extra Window Memory Injection · Stealth, Privilege Escalation
- T1055.012 · Process Hollowing · Stealth, Privilege Escalation
- T1055.013 · Process Doppelgänging · Stealth, Privilege Escalation
- T1055.014 · VDSO Hijacking · Stealth, Privilege Escalation
- T1059 · Command and Scripting Interpreter · Execution
- T1059.001 · PowerShell · Execution
- T1059.005 · Visual Basic · Execution
- T1059.006 · Python · Execution
- T1068 · Exploitation for Privilege Escalation · Privilege Escalation
- T1072 · Software Deployment Tools · Execution, Lateral Movement
- T1106 · Native API · Execution
- T1137 · Office Application Startup · Persistence
- T1137.003 · Outlook Forms · Persistence
- T1137.004 · Outlook Home Page · Persistence
- T1137.005 · Outlook Rules · Persistence
- T1189 · Drive-by Compromise · Initial Access
- T1190 · Exploit Public-Facing Application · Initial Access
- T1195 · Supply Chain Compromise · Initial Access
- T1195.001 · Compromise Software Dependencies and Development Tools · Initial Access
- T1195.002 · Compromise Software Supply Chain · Initial Access
- T1195.003 · Compromise Hardware Supply Chain · Initial Access
- T1203 · Exploitation for Client Execution · Execution
- T1204 · User Execution · Execution
- T1204.001 · Malicious Link · Execution
- T1204.003 · Malicious Image · Execution
- T1210 · Exploitation of Remote Services · Lateral Movement
- T1211 · Exploitation for Stealth · Stealth
- T1212 · Exploitation for Credential Access · Credential Access
- T1213.003 · Code Repositories · Collection
- T1213.005 · Messaging Applications · Collection
- T1221 · Template Injection · Stealth
- T1495 · Firmware Corruption · Impact
- T1525 · Implant Internal Image · Persistence
- T1542 · Pre-OS Boot · Stealth, Persistence
Weaknesses this control addresses (5) [AI]
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | 777 | Flaw remediation replaces broken or risky cryptographic algorithms once safer implementations are released by vendors. |
| CWE-326 | Inadequate Encryption Strength | 520 | Prompt patching corrects inadequate encryption strength when vendors release updates that increase key sizes or algorithm security. |
| CWE-328 | Use of Weak Hash | 85 | Security updates supplant weak hashing algorithms with stronger alternatives before attackers can exploit the original weakness. |
| CWE-1104 | Use of Unmaintained Third Party Components | 21 | Timely identification and installation of updates directly prevents use of unmaintained third-party components whose known flaws remain exploitable. |
| CWE-477 | Use of Obsolete Function | 16 | Software and firmware updates replace obsolete functions whose retained presence leaves systems exposed to publicly known weaknesses. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2026-3909 KEV | 10.0 | 8.8 | 0.0163 | good |
| CVE-2026-3910 KEV | 10.0 | 8.8 | 0.0200 | good |
| CVE-2026-20131 KEV | 10.0 | 10.0 | 0.2755 | good |
| CVE-2026-21385 KEV | 10.0 | 7.8 | 0.0107 | good |
| CVE-2026-22719 KEV | 10.0 | 8.1 | 0.1742 | good |
| CVE-2026-22769 KEV | 10.0 | 10.0 | 0.1313 | good |
| CVE-2026-2441 KEV | 10.0 | 8.8 | 0.2202 | good |
| CVE-2026-20700 KEV | 10.0 | 7.8 | 0.0132 | good |
| CVE-2026-25108 KEV | 10.0 | 8.8 | 0.0497 | good |
| CVE-2026-21510 KEV | 10.0 | 8.8 | 0.2584 | good |
| CVE-2026-21514 KEV | 10.0 | 7.8 | 0.0152 | good |
| CVE-2026-21525 KEV | 10.0 | 6.2 | 0.0496 | good |
| CVE-2026-21533 KEV | 10.0 | 7.8 | 0.0385 | good |
| CVE-2026-21519 KEV | 10.0 | 7.8 | 0.0242 | good |
| CVE-2026-1603 KEV | 10.0 | 8.6 | 0.8109 | good |
| CVE-2026-21513 KEV | 10.0 | 8.8 | 0.1538 | good |
| CVE-2025-62215 KEV | 10.0 | 7.0 | 0.0610 | good |
| CVE-2026-1731 KEV | 10.0 | 9.8 | 0.8609 | good |
| CVE-2026-1281 KEV | 10.0 | 9.8 | 0.8123 | good |
| CVE-2025-40551 KEV | 10.0 | 9.8 | 0.8413 | good |
| CVE-2025-40536 KEV | 10.0 | 8.1 | 0.8162 | good |
| CVE-2026-23760 KEV | 10.0 | 9.8 | 0.9627 | good |
| CVE-2026-24423 KEV | 10.0 | 9.8 | 0.8769 | good |
| CVE-2026-20963 KEV | 10.0 | 9.8 | 0.3111 | good |
| CVE-2026-24061 KEV | 10.0 | 9.8 | 0.9887 | good |