Cyber Resilience

NIST 800-53 r5 · Controls catalogue · Family SI

SI-3 Malicious Code Protection

a. Implement {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;
b. Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;
c. Configure malicious code protection mechanisms to:
   1. Perform periodic scans of the system {{ insert: param, si-03_odp.02 }} and real-time scans of files from external sources at {{ insert: param, si-03_odp.03 }} as the files are downloaded, opened, or executed in accordance with organizational policy; and
   2. {{ insert: param, si-03_odp.04 }}; and send alert to {{ insert: param, si-03_odp.06 }} in response to malicious code detection; and
d. Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: partial · 5 mapping(s) from 3 framework(s): ASVS 5.0 3 (partial) · OWASP-Web 1 (partial) · CSF 2.0 1 (partial)


Implementations targeting this control (0)

ATT&CK techniques this control mitigates (224)

Weaknesses this control addresses (5) AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-434 | Unrestricted Upload of File with Dangerous Type | 4,993 | Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types. |
| CWE-502 | Deserialization of Untrusted Data | 3,432 | Identifies and blocks malicious code introduced through deserialization of untrusted data at system boundaries. |
| CWE-829 | Inclusion of Functionality from Untrusted Control Sphere | 298 | Detects and prevents inclusion of malicious functionality downloaded from untrusted control spheres. |
| CWE-494 | Download of Code Without Integrity Check | 252 | Performs real-time scans of downloaded code, mitigating risks from downloads lacking integrity checks. |
| CWE-506 | Embedded Malicious Code | 85 | Directly detects and eradicates embedded malicious code at entry/exit points via periodic and real-time scans. |

Top CVEs where this control is the strongest mitigation

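| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2025-3928 KEV UPD | 10.0 | 8.8 | 0.0193 | good |
| CVE-2024-38213 KEV | 10.0 | 6.5 | 0.1337 | good |
| CVE-2024-29988 KEV UPD | 10.0 | 8.8 | 0.4515 | good |
| CVE-2023-36025 KEV | 10.0 | 8.8 | 0.8820 | good |
| CVE-2023-32049 KEV | 10.0 | 8.8 | 0.0440 | good |
| CVE-2021-42292 KEV | 10.0 | 7.8 | 0.3195 | good |
| CVE-2021-40444 KEV | 10.0 | 8.8 | 0.9684 | good |
| CVE-2017-0199 KEV | 10.0 | 7.8 | 0.9993 | good |
| CVE-2014-6352 KEV | 10.0 | 7.8 | 0.7755 | good |
| CVE-2009-0556 KEV | 10.0 | 8.8 | 0.6754 | good |
| CVE-2009-0238 KEV | 10.0 | 8.8 | 0.4306 | good |
| CVE-2007-0671 KEV | 10.0 | 8.8 | 0.4214 | good |
| CVE-2025-1716 | 7.0 | 9.8 | 0.0159 | good |
| CVE-2025-27665 | 7.0 | 9.8 | 0.0062 | good |
| CVE-2023-22524 | 7.0 | 9.8 | 0.2472 | good |
| CVE-2024-3568 | 7.0 | 9.6 | 0.0207 | good |
| CVE-2023-38146 | 6.0 | 8.8 | 0.3949 | good |
| CVE-2024-39929 | 6.0 | 5.4 | 0.4123 | good |
| CVE-2025-2450 | 5.5 | 8.8 | 0.0048 | good |
| CVE-2025-21363 | 5.5 | 7.8 | 0.0076 | good |
| CVE-2025-21356 | 5.5 | 7.8 | 0.0071 | good |
| CVE-2026-43003 UPD | 5.5 | 8.0 | 0.0084 | good |
| CVE-2025-49740 UPD | 5.5 | 8.8 | 0.0075 | good |
| CVE-2022-2334 | 5.5 | 7.2 | 0.0950 | good |
| CVE-2024-43504 | 5.5 | 7.8 | 0.0610 | good |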

Other controls in family SI

SI-1 SI-10 SI-11 SI-12 SI-13 SI-14 SI-15 SI-16 SI-17 SI-18 SI-19 SI-2 SI-20 SI-21 SI-22 SI-23 SI-4 SI-5 SI-6 SI-7 SI-8 SI-9