Cyber Resilience

NIST 800-53 r5 · Controls catalogue · Family SR

SR-4Provenance

Document, monitor, and maintain valid provenance of the following systems, system components, and associated data: {{ insert: param, sr-04_odp }}.

Last updated: 04 July 2026 08:17 UTC

Implementations targeting this control (0)

ATT&CK techniques this control mitigates (22)

Weaknesses this control addresses (8)AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE Name CVEs Why this control addresses it
CWE-502Deserialization of Untrusted Data3,448Provenance of associated data allows detection of untrusted sources before deserialization or processing occurs.
CWE-345Insufficient Verification of Data Authenticity699Provenance documentation and monitoring directly enables verification of authenticity for components and data throughout their history.
CWE-829Inclusion of Functionality from Untrusted Control Sphere298Documenting component provenance ensures functionality is only included from verified, trusted control spheres rather than untrusted ones.
CWE-494Download of Code Without Integrity Check252Tracking provenance of components and code necessitates integrity verification, preventing downloads or inclusions without such checks.
CWE-506Embedded Malicious Code85Valid provenance monitoring makes insertion of embedded malicious code during supply chain or development stages detectable.
CWE-912Hidden Functionality79Provenance tracking of components reveals hidden functionality introduced via supply chain or build processes.
CWE-353Missing Support for Integrity Check40Maintaining valid provenance requires supporting integrity checks on the origin and chain of custody for systems and data.
CWE-1104Use of Unmaintained Third Party Components21Provenance records include supplier and lifecycle details, enabling ongoing monitoring to avoid unmaintained third-party components.

Top CVEs where this control is the strongest mitigation

CVE Risk CVSS EPSS Match
CVE-2025-30066 KEV10.08.60.4101good
CVE-2024-3094 UPD8.010.00.8597good
CVE-2026-28500 UPD5.58.60.0032good
CVE-2026-35205 UPD5.57.80.0018good
CVE-2010-201037.09.80.0475good
CVE-2026-319767.09.80.0050good
CVE-2025-276075.58.80.0145partial
CVE-2025-275100.00.00.0058good

Other controls in family SR

SR-1 SR-10 SR-11 SR-12 SR-2 SR-3 SR-5 SR-6 SR-7 SR-8 SR-9