NIST 800-53 r5 · Controls catalogue · Family SR
SR-4Provenance
Document, monitor, and maintain valid provenance of the following systems, system components, and associated data: {{ insert: param, sr-04_odp }}.
Last updated: 19 May 2026 14:18 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (22)
- T1041 Exfiltration Over C2 Channel Exfiltration
- T1048 Exfiltration Over Alternative Protocol Exfiltration
- T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol Exfiltration
- T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol Exfiltration
- T1052 Exfiltration Over Physical Medium Exfiltration
- T1052.001 Exfiltration over USB Exfiltration
- T1059.002 AppleScript Execution
- T1195 Supply Chain Compromise Initial Access
- T1195.001 Compromise Software Dependencies and Development Tools Initial Access
- T1195.002 Compromise Software Supply Chain Initial Access
- T1195.003 Compromise Hardware Supply Chain Initial Access
- T1204.003 Malicious Image Execution
- T1505 Server Software Component Persistence
- T1505.001 SQL Stored Procedures Persistence
- T1505.002 Transport Agent Persistence
- T1505.004 IIS Components Persistence
- T1546.006 LC_LOAD_DYLIB Addition Privilege Escalation, Persistence
- T1554 Compromise Host Software Binary Persistence
- T1567 Exfiltration Over Web Service Exfiltration
- T1601 Modify System Image Defense Impairment
- T1601.001 Patch System Image Defense Impairment
- T1601.002 Downgrade System Image Defense Impairment
Weaknesses this control addresses (8)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-502 | Deserialization of Untrusted Data | 3,170 | Provenance of associated data allows detection of untrusted sources before deserialization or processing occurs. |
CWE-345 | Insufficient Verification of Data Authenticity | 654 | Provenance documentation and monitoring directly enables verification of authenticity for components and data throughout their history. |
CWE-829 | Inclusion of Functionality from Untrusted Control Sphere | 259 | Documenting component provenance ensures functionality is only included from verified, trusted control spheres rather than untrusted ones. |
CWE-494 | Download of Code Without Integrity Check | 243 | Tracking provenance of components and code necessitates integrity verification, preventing downloads or inclusions without such checks. |
CWE-506 | Embedded Malicious Code | 83 | Valid provenance monitoring makes insertion of embedded malicious code during supply chain or development stages detectable. |
CWE-912 | Hidden Functionality | 79 | Provenance tracking of components reveals hidden functionality introduced via supply chain or build processes. |
CWE-353 | Missing Support for Integrity Check | 37 | Maintaining valid provenance requires supporting integrity checks on the origin and chain of custody for systems and data. |
CWE-1104 | Use of Unmaintained Third Party Components | 20 | Provenance records include supplier and lifecycle details, enabling ongoing monitoring to avoid unmaintained third-party components. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
CVE-2026-28500 | 1.7 | 8.6 | 0.0001 | good |
CVE-2026-35205 | 1.6 | 7.8 | 0.0002 | good |
CVE-2025-30066 KEV | 9.2 | 8.6 | 0.9178 | good |
CVE-2010-20103 | 7.1 | 9.8 | 0.8508 | good |
CVE-2026-31976 | 2.0 | 9.8 | 0.0009 | good |
CVE-2025-27510 | 0.4 | 0.0 | 0.0632 | good |