NIST 800-53 r5 · Controls catalogue · Family CM
CM-2 Baseline Configuration

a. Develop, document, and maintain under configuration control, a current baseline configuration of the system; and
b. Review and update the baseline configuration of the system:
   1. {{ insert: param, cm-02_odp.01 }} (organization-defined frequency);
   2. When required due to {{ insert: param, cm-02_odp.02 }} (organization-defined circumstances); and
   3. When system components are installed or upgraded.
Last updated: 04 July 2026 00:28 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this control. The verdict is the strongest single mapping (overlapping partials are not summed); the breadth figure shows how many mappings corroborate it.
Collective verdict: mostly. 7 mappings from 2 frameworks: ASVS 5.0, 6 mappings (partial); CSF 2.0, 1 mapping (mostly).
Implementations targeting this control (10)

AWS Config managed rules. Coverage is how much of the control the rule addresses; Function and Mode are the site's classification of what the rule does.

| Rule | Name | Resource type | Coverage | Function | Mode | Related benchmarks |
|---|---|---|---|---|---|---|
| aws-config-restricted-common-ports | Restricted Common Ports | AWS::EC2::SecurityGroup | partial | protect | enforce | CIS v5 §5.4 · CIS v3 §5.3 · Hub EC2.54 |
| aws-config-account-part-of-organizations | Account Part Of Organizations | AWS::Organizations::Account | partial | protect | enforce | |
| aws-config-ec2-instance-managed-by-systems-manager | EC2 Instance Managed By Systems Manager | AWS::EC2::Instance | partial | protect | enforce | |
| aws-config-ec2-managedinstance-association-compliance-status-check | EC2 Managed Instance Association Compliance Status Check | AWS::EC2::Instance | partial | protect | enforce | |
| aws-config-ec2-stopped-instance | EC2 Stopped Instance | AWS::EC2::Instance | partial | protect | enforce | |
| aws-config-ec2-volume-inuse-check | EC2 Volume In-Use Check | AWS::EC2::Volume | partial | protect | enforce | |
| aws-config-elb-deletion-protection-enabled | ELB Deletion Protection Enabled | AWS::ElasticLoadBalancingV2::LoadBalancer | partial | protect | enforce | |
| aws-config-rds-instance-default-admin-check | RDS Instance Default Admin Check | AWS::RDS::DBInstance | partial | protect | enforce | |
| aws-config-redshift-cluster-maintenancesettings-check | Redshift Cluster Maintenance Settings Check | AWS::Redshift::Cluster | partial | protect | enforce | |
| aws-config-redshift-default-admin-check | Redshift Default Admin Check | AWS::Redshift::Cluster | partial | protect | enforce | |
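A worked illustration of what the control text asks for and what detective rules like the ones above report against. This is an added example, not code from this catalogue or from AWS Config: it keeps a baseline whose digest can be recorded with the approved version (CM-2a), a set of approved change records from the configuration-control process, and an observed inventory snapshot. Each difference is classified as authorized (matched by a change record), unauthorized, or a newly installed component that triggers the review CM-2b.3 requires. The resource model, the change-record format and all sample data are constructed for the example.

```python
"""Baseline drift review for CM-2.

Added example, not code from the catalogue page or from AWS Config. The
resource model, the change-record format and all sample data below are
constructed for illustration.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass

# --- Constructed sample data -------------------------------------------------
# The approved baseline, as it would be committed to a repository (CM-2a).
BASELINE = {
    "sg-web": {"type": "SecurityGroup",
               "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    "web-1": {"type": "Instance", "ami": "ami-baseline-2026", "ssm_managed": True},
    "db-1": {"type": "DBInstance", "master_username": "appadmin"},
}

# Approved change records from the configuration-control process (hypothetical format).
CHANGE_RECORDS = [
    {"id": "CR-0042", "resource": "web-1", "field": "ami", "new": "ami-patched-2026"},
]

# What an inventory scan observes today (constructed).
OBSERVED = {
    "sg-web": {"type": "SecurityGroup",
               "ingress": [{"port": 443, "cidr": "0.0.0.0/0"},
                           {"port": 22, "cidr": "0.0.0.0/0"}]},
    "web-1": {"type": "Instance", "ami": "ami-patched-2026", "ssm_managed": True},
    "web-2": {"type": "Instance", "ami": "ami-unknown", "ssm_managed": False},
    "db-1": {"type": "DBInstance", "master_username": "admin"},
}


@dataclass(frozen=True)
class Deviation:
    resource: str
    kind: str            # "modified" | "added" | "removed"
    field: str | None    # None for whole-resource deviations
    expected: object
    actual: object
    authorized: bool


def baseline_digest(baseline: dict) -> str:
    """SHA-256 over canonical JSON; record this alongside the approved baseline version."""
    canonical = json.dumps(baseline, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def _is_authorized(resource: str, field: str, actual: object, records: list[dict]) -> bool:
    """A modification is authorized only if a change record approved that exact value."""
    return any(r["resource"] == resource and r["field"] == field and r["new"] == actual
               for r in records)


def check_drift(baseline: dict, observed: dict, records: list[dict]) -> list[Deviation]:
    """Compare observed state against the baseline and classify every difference."""
    deviations: list[Deviation] = []
    for name in sorted(set(baseline) | set(observed)):
        if name not in observed:
            deviations.append(Deviation(name, "removed", None, baseline[name], None, False))
            continue
        if name not in baseline:
            # A component installed since the baseline was approved: CM-2b.3 review required.
            deviations.append(Deviation(name, "added", None, None, observed[name], False))
            continue
        for field in sorted(set(baseline[name]) | set(observed[name])):
            expected = baseline[name].get(field)
            actual = observed[name].get(field)
            if expected != actual:
                deviations.append(Deviation(name, "modified", field, expected, actual,
                                            _is_authorized(name, field, actual, records)))
    return deviations


def unauthorized(deviations: list[Deviation]) -> list[Deviation]:
    """Everything that is not covered by an approved change record."""
    return [d for d in deviations if not d.authorized]


if __name__ == "__main__":
    print("baseline digest:", baseline_digest(BASELINE))
    for d in check_drift(BASELINE, OBSERVED, CHANGE_RECORDS):
        flag = "OK " if d.authorized else "!! "
        print(f"{flag}{d.resource:8} {d.kind:8} {d.field or '-':16} {d.expected!r} -> {d.actual!r}")
```

Run on the sample data this reports the patched AMI on web-1 as authorized (CR-0042 approved that exact value), and flags the added port-22 ingress rule, the changed RDS master username and the unbaselined web-2 instance as deviations to review. In practice the observed snapshot would come from the inventory source the rules above consume, and the digest would be committed or signed with the approved baseline so that review compares against a known version rather than whatever happens to be on disk.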
ATT&CK techniques this control mitigates (285 mapped; partial list)

| Technique | Name | Tactic(s) |
|---|---|---|
| T1001 | Data Obfuscation | Command and Control |
| T1001.001 | Junk Data | Command and Control |
| T1001.002 | Steganography | Command and Control |
| T1001.003 | Protocol or Service Impersonation | Command and Control |
| T1003 | OS Credential Dumping | Credential Access |
| T1003.001 | LSASS Memory | Credential Access |
| T1003.002 | Security Account Manager | Credential Access |
| T1003.003 | NTDS | Credential Access |
| T1003.004 | LSA Secrets | Credential Access |
| T1003.005 | Cached Domain Credentials | Credential Access |
| T1003.006 | DCSync | Credential Access |
| T1003.007 | Proc Filesystem | Credential Access |
| T1003.008 | /etc/passwd and /etc/shadow | Credential Access |
| T1008 | Fallback Channels | Command and Control |
| T1011.001 | Exfiltration Over Bluetooth | Exfiltration |
| T1020.001 | Traffic Duplication | Exfiltration |
| T1021 | Remote Services | Lateral Movement |
| T1021.001 | Remote Desktop Protocol | Lateral Movement |
| T1021.002 | SMB/Windows Admin Shares | Lateral Movement |
| T1021.003 | Distributed Component Object Model | Lateral Movement |
| T1021.004 | SSH | Lateral Movement |
| T1021.005 | VNC | Lateral Movement |
| T1021.006 | Windows Remote Management | Lateral Movement |
| T1027 | Obfuscated Files or Information | Defense Evasion |
| T1029 | Scheduled Transfer | Exfiltration |
| T1030 | Data Transfer Size Limits | Exfiltration |
| T1036 | Masquerading | Defense Evasion |
| T1036.001 | Invalid Code Signature | Defense Evasion |
| T1036.003 | Rename Legitimate Utilities | Defense Evasion |
| T1036.005 | Match Legitimate Resource Name or Location | Defense Evasion |
| T1036.007 | Double File Extension | Defense Evasion |
| T1037 | Boot or Logon Initialization Scripts | Persistence, Privilege Escalation |
| T1037.002 | Login Hook | Persistence, Privilege Escalation |
| T1037.003 | Network Logon Script | Persistence, Privilege Escalation |
| T1037.004 | RC Scripts | Persistence, Privilege Escalation |
| T1037.005 | Startup Items | Persistence, Privilege Escalation |
| T1046 | Network Service Discovery | Discovery |
| T1047 | Windows Management Instrumentation | Execution |
| T1048 | Exfiltration Over Alternative Protocol | Exfiltration |
| T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Exfiltration |
| T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Exfiltration |
| T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | Exfiltration |
| T1052 | Exfiltration Over Physical Medium | Exfiltration |
| T1052.001 | Exfiltration over USB | Exfiltration |
| T1053 | Scheduled Task/Job | Execution, Persistence, Privilege Escalation |
| T1053.002 | At | Execution, Persistence, Privilege Escalation |
| T1053.003 | Cron | Execution, Persistence, Privilege Escalation |
| T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation |
| T1059 | Command and Scripting Interpreter | Execution |
| T1059.001 | PowerShell | Execution |
Weaknesses this control addresses (7; AI-generated rationale)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces the exploitability of each weakness class. Note that CM-2 is a documentation and review control: it makes deviations visible against an approved baseline, and the actual prevention comes from the configuration-control process and the enforcement tooling built around it.

| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-284 | Improper Access Control | 5,367 | A documented baseline records the intended access-control settings; periodic review against it exposes settings that have drifted to something more permissive. |
| CWE-269 | Improper Privilege Management | 3,104 | Privilege assignments are part of the baseline, so grants that were never approved stand out at review instead of accumulating silently. |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,874 | Permissions on critical resources are fixed in the baseline, and comparing live state against it detects unauthorized changes. |
| CWE-276 | Incorrect Default Permissions | 1,789 | Because the baseline is reviewed and updated whenever components are installed or upgraded, insecure vendor defaults are caught at that point rather than inherited. |
| CWE-1188 | Initialization of a Resource with an Insecure Default | 335 | The install/upgrade review catches components that initialise with insecure defaults before they go into service. |
| CWE-250 | Execution with Unnecessary Privileges | 333 | Baseline review checks that services run under the documented, least-privilege identity and flags any that have been elevated beyond it. |
| CWE-15 | External Control of System or Configuration Setting | 69 | With the baseline under configuration control, a setting changed from outside the approved process is a detectable deviation rather than an invisible one. |
Top CVEs where this control is the strongest mitigation

Flags: KEV marks entries in the CISA Known Exploited Vulnerabilities catalogue; UPD is the site's recently-updated marker. Match is how strongly this control mitigates the CVE.

| CVE | Flags | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|---|
| CVE-2024-1086 | KEV UPD | 10.0 | 7.8 | 0.2806 | partial |
| CVE-2022-2274 | | 7.0 | 9.8 | 0.4488 | partial |
| CVE-2022-31629 | | 6.0 | 6.5 | 0.4934 | partial |
| CVE-2025-71156 | | 5.5 | 7.8 | 0.0012 | good |
| CVE-2025-27821 | | 5.5 | 7.3 | 0.0086 | good |
| CVE-2026-40175 | UPD | 3.5 | 4.8 | 0.0181 | partial |
| CVE-2026-22770 | | 3.5 | 6.5 | 0.0034 | partial |
| CVE-2025-52627 | | 3.5 | 5.5 | 0.0015 | good |
| CVE-2025-54253 | KEV UPD | 10.0 | 10.0 | 0.8982 | partial |
| CVE-2024-9537 | KEV | 10.0 | 9.8 | 0.0385 | partial |
| CVE-2022-0609 | KEV | 10.0 | 8.8 | 0.2355 | partial |
| CVE-2022-3654 | | 6.0 | 8.8 | 0.2380 | partial |
| CVE-2026-33037 | | 5.5 | 8.1 | 0.0067 | partial |
| CVE-2025-21729 | | 5.5 | 7.8 | 0.0019 | partial |
| CVE-2025-24915 | | 5.5 | 7.8 | 0.0018 | partial |
| CVE-2022-49737 | | 5.5 | 7.7 | 0.0031 | partial |
| CVE-2025-66236 | | 5.5 | 7.5 | 0.0044 | good |
| CVE-2026-32965 | | 5.5 | 7.5 | 0.0035 | good |
| CVE-2026-2836 | | 5.5 | 8.1 | 0.0039 | partial |
| CVE-2025-12985 | | 5.5 | 8.4 | 0.0012 | good |
| CVE-2022-50913 | | 5.5 | 8.4 | 0.0013 | good |
| CVE-2019-25310 | | 5.5 | 7.8 | 0.0012 | good |
| CVE-2019-25266 | | 5.5 | 7.8 | 0.0013 | partial |
| CVE-2020-37016 | | 5.5 | 7.8 | 0.0012 | good |
| CVE-2021-47874 | | 5.5 | 7.8 | 0.0013 | good |