NIST 800-53 r5 · Controls catalogue · Family SI
SI-7Software, Firmware, and Information Integrity
Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: {{ insert: param, si-7_prm_1 }} ; and Take the following actions when unauthorized changes to the software, firmware, and information are detected: {{ insert: param, si-7_prm_2 }}.
Last updated: 19 May 2026 14:18 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (207)
- T1003 OS Credential Dumping Credential Access
- T1003.003 NTDS Credential Access
- T1020.001 Traffic Duplication Exfiltration
- T1027 Obfuscated Files or Information Stealth
- T1027.002 Software Packing Stealth
- T1027.007 Dynamic API Resolution Stealth
- T1027.008 Stripped Payloads Stealth
- T1027.009 Embedded Payloads Stealth
- T1036 Masquerading Stealth
- T1036.001 Invalid Code Signature Stealth
- T1036.005 Match Legitimate Resource Name or Location Stealth
- T1037 Boot or Logon Initialization Scripts Persistence, Privilege Escalation
- T1037.002 Login Hook Persistence, Privilege Escalation
- T1037.003 Network Logon Script Persistence, Privilege Escalation
- T1037.004 RC Scripts Persistence, Privilege Escalation
- T1037.005 Startup Items Persistence, Privilege Escalation
- T1040 Network Sniffing Credential Access, Discovery
- T1047 Windows Management Instrumentation Execution
- T1053.006 Systemd Timers Execution, Persistence, Privilege Escalation
- T1056.002 GUI Input Capture Collection, Credential Access
- T1059 Command and Scripting Interpreter Execution
- T1059.001 PowerShell Execution
- T1059.002 AppleScript Execution
- T1059.003 Windows Command Shell Execution
- T1059.004 Unix Shell Execution
- T1059.005 Visual Basic Execution
- T1059.006 Python Execution
- T1059.007 JavaScript Execution
- T1059.008 Network Device CLI Execution
- T1059.010 AutoHotKey & AutoIT Execution
- T1059.011 Lua Execution
- T1068 Exploitation for Privilege Escalation Privilege Escalation
- T1070 Indicator Removal Stealth
- T1070.003 Clear Command History Stealth
- T1070.007 Clear Network Connection History and Configurations Stealth
- T1070.008 Clear Mailbox Data Stealth
- T1070.009 Clear Persistence Stealth
- T1070.010 Relocate Malware Stealth
- T1072 Software Deployment Tools Execution, Lateral Movement
- T1080 Taint Shared Content Lateral Movement
- T1098.001 Additional Cloud Credentials Persistence, Privilege Escalation
- T1098.002 Additional Email Delegate Permissions Persistence, Privilege Escalation
- T1098.003 Additional Cloud Roles Persistence, Privilege Escalation
- T1112 Modify Registry Defense Impairment, Persistence
- T1114 Email Collection Collection
- T1114.001 Local Email Collection Collection
- T1114.002 Remote Email Collection Collection
- T1114.003 Email Forwarding Rule Collection
- T1119 Automated Collection Collection
- T1127 Trusted Developer Utilities Proxy Execution Stealth, Execution
Weaknesses this control addresses (7)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-502 | Deserialization of Untrusted Data | 3,170 | Integrity verification of serialized information can detect tampering before deserialization occurs. |
CWE-347 | Improper Verification of Cryptographic Signature | 789 | Integrity tools commonly rely on cryptographic signatures whose improper validation this weakness covers. |
CWE-345 | Insufficient Verification of Data Authenticity | 654 | Mandates verification of data authenticity for software, firmware, and information. |
CWE-494 | Download of Code Without Integrity Check | 243 | Explicitly detects code or firmware that was obtained or altered without an integrity check. |
CWE-354 | Improper Validation of Integrity Check Value | 185 | Requires use of proper integrity verification tools, reducing the chance an incorrect check value is accepted. |
CWE-506 | Embedded Malicious Code | 83 | Unauthorized insertion of malicious code into software or firmware is revealed by integrity monitoring. |
CWE-353 | Missing Support for Integrity Check | 37 | Directly supplies the missing integrity verification mechanism the weakness describes. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
CVE-2025-15556 KEV | 3.9 | 7.5 | 0.0609 | good |
CVE-2026-3502 KEV | 3.7 | 7.8 | 0.0258 | good |
CVE-2024-56336 | 2.0 | 9.8 | 0.0024 | good |
CVE-2025-59695 | 2.0 | 9.8 | 0.0014 | good |
CVE-2026-20997 | 2.0 | 9.8 | 0.0008 | good |
CVE-2019-25268 | 2.0 | 9.8 | 0.0009 | good |
CVE-2025-56513 UPD | 2.0 | 9.8 | 0.0053 | good |
CVE-2026-27510 | 1.9 | 9.6 | 0.0014 | good |
CVE-2025-27593 | 1.9 | 9.3 | 0.0019 | good |
CVE-2025-59334 | 1.9 | 9.6 | 0.0017 | good |
CVE-2026-33026 | 1.8 | 9.1 | 0.0002 | good |
CVE-2026-40372 | 1.8 | 9.1 | 0.0003 | good |
CVE-2025-0592 | 1.8 | 8.8 | 0.0010 | good |
CVE-2026-25922 | 1.8 | 8.8 | 0.0001 | good |
CVE-2025-58756 | 1.8 | 8.8 | 0.0138 | good |
CVE-2025-57431 | 1.8 | 8.8 | 0.0014 | good |
CVE-2025-12007 | 1.7 | 8.4 | 0.0001 | good |
CVE-2026-4478 UPD | 1.6 | 8.1 | 0.0001 | good |
CVE-2025-1058 | 1.6 | 8.1 | 0.0012 | good |
CVE-2026-40070 UPD | 1.6 | 8.1 | 0.0001 | good |
CVE-2026-31839 | 1.6 | 8.2 | 0.0002 | good |
CVE-2026-20658 | 1.6 | 7.8 | 0.0002 | good |
CVE-2026-1442 | 1.6 | 7.8 | 0.0001 | good |
CVE-2026-32303 | 1.5 | 7.6 | 0.0002 | good |
CVE-2024-52331 | 1.5 | 7.5 | 0.0008 | good |