NIST 800-53 r5 · Controls catalogue · Family CM
CM-2Baseline Configuration
Develop, document, and maintain under configuration control, a current baseline configuration of the system; and Review and update the baseline configuration of the system: {{ insert: param, cm-02_odp.01 }}; When required due to {{ insert: param, cm-02_odp.02 }} ; and When system components are installed or upgraded.
Last updated: 19 May 2026 14:18 UTC
Implementations targeting this control (10)
- aws-config-restricted-common-ports Restricted Common Ports AWS::EC2::SecurityGroup partial protect enforce CIS v5 §5.4CIS v3 §5.3Hub EC2.54
- aws-config-account-part-of-organizations Account Part Of Organizations AWS::Organizations::Account partial protect enforce
- aws-config-ec2-instance-managed-by-systems-manager Ec2 Instance Managed By Systems Manager AWS::EC2::Instance partial protect enforce
- aws-config-ec2-managedinstance-association-compliance-status-check Ec2 Managedinstance Association Compliance Status Check AWS::EC2::Instance partial protect enforce
- aws-config-ec2-stopped-instance Ec2 Stopped Instance AWS::EC2::Instance partial protect enforce
- aws-config-ec2-volume-inuse-check Ec2 Volume Inuse Check AWS::EC2::Instance partial protect enforce
- aws-config-elb-deletion-protection-enabled Elb Deletion Protection Enabled AWS::ElasticLoadBalancing::LoadBalancer partial protect enforce
- aws-config-rds-instance-default-admin-check Rds Instance Default Admin Check AWS::RDS::DBInstance partial protect enforce
- aws-config-redshift-cluster-maintenancesettings-check Redshift Cluster Maintenancesettings Check AWS::Redshift::Cluster partial protect enforce
- aws-config-redshift-default-admin-check Redshift Default Admin Check AWS::Redshift::Cluster partial protect enforce
ATT&CK techniques this control mitigates (285)
- T1001 Data Obfuscation Command And Control
- T1001.001 Junk Data Command And Control
- T1001.002 Steganography Command And Control
- T1001.003 Protocol or Service Impersonation Command And Control
- T1003 OS Credential Dumping Credential Access
- T1003.001 LSASS Memory Credential Access
- T1003.002 Security Account Manager Credential Access
- T1003.003 NTDS Credential Access
- T1003.004 LSA Secrets Credential Access
- T1003.005 Cached Domain Credentials Credential Access
- T1003.006 DCSync Credential Access
- T1003.007 Proc Filesystem Credential Access
- T1003.008 /etc/passwd and /etc/shadow Credential Access
- T1008 Fallback Channels Command And Control
- T1011.001 Exfiltration Over Bluetooth Exfiltration
- T1020.001 Traffic Duplication Exfiltration
- T1021 Remote Services Lateral Movement
- T1021.001 Remote Desktop Protocol Lateral Movement
- T1021.002 SMB/Windows Admin Shares Lateral Movement
- T1021.003 Distributed Component Object Model Lateral Movement
- T1021.004 SSH Lateral Movement
- T1021.005 VNC Lateral Movement
- T1021.006 Windows Remote Management Lateral Movement
- T1027 Obfuscated Files or Information Stealth
- T1029 Scheduled Transfer Exfiltration
- T1030 Data Transfer Size Limits Exfiltration
- T1036 Masquerading Stealth
- T1036.001 Invalid Code Signature Stealth
- T1036.003 Rename Legitimate Utilities Stealth
- T1036.005 Match Legitimate Resource Name or Location Stealth
- T1036.007 Double File Extension Stealth
- T1037 Boot or Logon Initialization Scripts Persistence, Privilege Escalation
- T1037.002 Login Hook Persistence, Privilege Escalation
- T1037.003 Network Logon Script Persistence, Privilege Escalation
- T1037.004 RC Scripts Persistence, Privilege Escalation
- T1037.005 Startup Items Persistence, Privilege Escalation
- T1046 Network Service Discovery Discovery
- T1047 Windows Management Instrumentation Execution
- T1048 Exfiltration Over Alternative Protocol Exfiltration
- T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol Exfiltration
- T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol Exfiltration
- T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol Exfiltration
- T1052 Exfiltration Over Physical Medium Exfiltration
- T1052.001 Exfiltration over USB Exfiltration
- T1053 Scheduled Task/Job Execution, Persistence, Privilege Escalation
- T1053.002 At Execution, Persistence, Privilege Escalation
- T1053.003 Cron Execution, Persistence, Privilege Escalation
- T1053.005 Scheduled Task Execution, Persistence, Privilege Escalation
- T1059 Command and Scripting Interpreter Execution
- T1059.001 PowerShell Execution
Weaknesses this control addresses (7)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-284 | Improper Access Control | 4,905 | Baseline includes documented access control settings that are reviewed and maintained, reducing the ability to exploit improper access control. |
CWE-269 | Improper Privilege Management | 2,936 | Baseline configuration documents and controls privilege assignments, making improper privilege management harder to introduce or sustain. |
CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,837 | Maintaining baseline configuration controls permission assignments for critical resources and detects unauthorized changes. |
CWE-276 | Incorrect Default Permissions | 1,765 | Baseline establishment and updates on install/upgrade ensure correct default permissions rather than insecure ones. |
CWE-250 | Execution with Unnecessary Privileges | 311 | Baseline review prevents systems from running with unnecessary privileges by enforcing least-privilege settings. |
CWE-1188 | Initialization of a Resource with an Insecure Default | 309 | Reviewing and updating baseline when components are installed or upgraded prevents initialization with insecure defaults. |
CWE-15 | External Control of System or Configuration Setting | 60 | Baseline configuration under change control directly prevents unauthorized external modification of system or configuration settings. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
CVE-2025-71156 | 1.6 | 7.8 | 0.0002 | good |
CVE-2025-54253 KEV | 5.2 | 10.0 | 0.1971 | good |
CVE-2025-12985 | 1.7 | 8.4 | 0.0002 | good |
CVE-2022-50913 | 1.7 | 8.4 | 0.0002 | good |
CVE-2026-33037 | 1.6 | 8.1 | 0.0048 | partial |
CVE-2025-21729 | 1.6 | 7.8 | 0.0003 | partial |
CVE-2025-24915 | 1.6 | 7.8 | 0.0007 | partial |
CVE-2026-2836 | 1.6 | 8.1 | 0.0001 | partial |
CVE-2019-25310 | 1.6 | 7.8 | 0.0002 | good |
CVE-2019-25266 | 1.6 | 7.8 | 0.0002 | partial |
CVE-2020-37016 | 1.6 | 7.8 | 0.0002 | good |
CVE-2021-47874 | 1.6 | 7.8 | 0.0002 | good |
CVE-2020-36980 | 1.6 | 7.8 | 0.0002 | good |
CVE-2019-25308 | 1.6 | 7.8 | 0.0001 | good |
CVE-2019-25292 | 1.6 | 7.8 | 0.0001 | good |
CVE-2019-25272 | 1.6 | 7.8 | 0.0001 | good |
CVE-2020-36976 | 1.6 | 7.8 | 0.0001 | good |
CVE-2021-47847 | 1.6 | 7.8 | 0.0001 | partial |
CVE-2021-47809 | 1.6 | 7.8 | 0.0001 | partial |
CVE-2022-49737 | 1.5 | 7.7 | 0.0009 | partial |
CVE-2025-66236 | 1.5 | 7.5 | 0.0012 | good |
CVE-2026-32965 | 1.5 | 7.5 | 0.0004 | good |