Cyber Resilience

NIST 800-53 r5 · Controls catalogue · Family CM

CM-2 Baseline Configuration

a. Develop, document, and maintain under configuration control, a current baseline configuration of the system; and
b. Review and update the baseline configuration of the system:
   1. {{ insert: param, cm-02_odp.01 }};
   2. When required due to {{ insert: param, cm-02_odp.02 }}; and
   3. When system components are installed or upgraded.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: mostly · 7 mapping(s) from 2 framework(s): ASVS 5.0: 6 (partial) · CSF 2.0: 1 (mostly)


Implementations targeting this control (10)

ATT&CK techniques this control mitigates (285)

Weaknesses this control addresses (7) · AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE | Name | CVEs | Why this control addresses it
CWE-284 | Improper Access Control | 5,367 | Baseline includes documented access control settings that are reviewed and maintained, reducing the ability to exploit improper access control.
CWE-269 | Improper Privilege Management | 3,104 | Baseline configuration documents and controls privilege assignments, making improper privilege management harder to introduce or sustain.
CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,874 | Maintaining the baseline configuration controls permission assignments for critical resources and detects unauthorized changes.
CWE-276 | Incorrect Default Permissions | 1,789 | Baseline establishment and updates on install/upgrade ensure correct default permissions rather than insecure ones.
CWE-1188 | Initialization of a Resource with an Insecure Default | 335 | Reviewing and updating the baseline when components are installed or upgraded prevents initialization with insecure defaults.
CWE-250 | Execution with Unnecessary Privileges | 333 | Baseline review prevents systems from running with unnecessary privileges by enforcing least-privilege settings.
CWE-15 | External Control of System or Configuration Setting | 69 | Baseline configuration under change control directly prevents unauthorized external modification of system or configuration settings.

Top CVEs where this control is the strongest mitigation

CVE | Flags | Risk | CVSS | EPSS | Match
CVE-2024-1086 | KEV, UPD | 10.0 | 7.8 | 0.2806 | partial
CVE-2022-2274 | | 7.0 | 9.8 | 0.4488 | partial
CVE-2022-31629 | | 6.0 | 6.5 | 0.4934 | partial
CVE-2025-71156 | | 5.5 | 7.8 | 0.0012 | good
CVE-2025-27821 | | 5.5 | 7.3 | 0.0086 | good
CVE-2026-40175 | UPD | 3.5 | 4.8 | 0.0181 | partial
CVE-2026-22770 | | 3.5 | 6.5 | 0.0034 | partial
CVE-2025-52627 | | 3.5 | 5.5 | 0.0015 | good
CVE-2025-54253 | KEV, UPD | 10.0 | 10.0 | 0.8982 | partial
CVE-2024-9537 | KEV | 10.0 | 9.8 | 0.0385 | partial
CVE-2022-0609 | KEV | 10.0 | 8.8 | 0.2355 | partial
CVE-2022-3654 | | 6.0 | 8.8 | 0.2380 | partial
CVE-2026-33037 | | 5.5 | 8.1 | 0.0067 | partial
CVE-2025-21729 | | 5.5 | 7.8 | 0.0019 | partial
CVE-2025-24915 | | 5.5 | 7.8 | 0.0018 | partial
CVE-2022-49737 | | 5.5 | 7.7 | 0.0031 | partial
CVE-2025-66236 | | 5.5 | 7.5 | 0.0044 | good
CVE-2026-32965 | | 5.5 | 7.5 | 0.0035 | good
CVE-2026-2836 | | 5.5 | 8.1 | 0.0039 | partial
CVE-2025-12985 | | 5.5 | 8.4 | 0.0012 | good
CVE-2022-50913 | | 5.5 | 8.4 | 0.0013 | good
CVE-2019-25310 | | 5.5 | 7.8 | 0.0012 | good
CVE-2019-25266 | | 5.5 | 7.8 | 0.0013 | partial
CVE-2020-37016 | | 5.5 | 7.8 | 0.0012 | good
CVE-2021-47874 | | 5.5 | 7.8 | 0.0013 | good

Other controls in family CM

CM-1 CM-10 CM-11 CM-12 CM-13 CM-14 CM-3 CM-4 CM-5 CM-6 CM-7 CM-8 CM-9