Cyber Resilience

NIST 800-53 r5 · Controls catalogue · Family SR

SR-8Notification Agreements

Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the {{ insert: param, sr-08_odp.01 }}.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: mostly · 6 mapping(s) from 1 framework(s): CSF 2.0 6 (mostly)

See the full cumulative-coverage rollup →

Implementations targeting this control (0)

ATT&CK techniques this control mitigates (0)

Weaknesses this control addresses (4)AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE Name CVEs Why this control addresses it
CWE-829Inclusion of Functionality from Untrusted Control Sphere298Agreements establish channels for suppliers to report integrity or compromise issues in included third-party functionality, shrinking the window for exploitation.
CWE-494Download of Code Without Integrity Check252Suppliers can be contractually required to notify of integrity failures or required updates for delivered code, improving detection of tampering.
CWE-506Embedded Malicious Code85Notification agreements enable suppliers to alert acquirers to discovered or suspected embedded malicious code, directly supporting detection and response.
CWE-1104Use of Unmaintained Third Party Components21Notification procedures can mandate alerts when third-party components reach end-of-life or lose support, reducing prolonged use of vulnerable components.

Top CVEs where this control is the strongest mitigation

CVE Risk CVSS EPSS Match
No CVEs annotated to this control yet — the per-CVE backfill is in progress.

Other controls in family SR

SR-1 SR-10 SR-11 SR-12 SR-2 SR-3 SR-4 SR-5 SR-6 SR-7 SR-9