Cyber Resilience

NIST 800-53 r5 · Controls catalogue · Family CM

CM-5 Access Restrictions for Change

Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: partial · 2 mapping(s) from 2 framework(s): ASVS 5.0 1 (partial) · CSF 2.0 1 (partial)


Implementations targeting this control (0)

ATT&CK techniques this control mitigates (160)

Weaknesses this control addresses (8) · AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE | Name | CVEs | Why this control addresses it
CWE-862 | Missing Authorization | 9,346 | Mandating authorization for changes prevents missing authorization checks on critical modification functions.
CWE-284 | Improper Access Control | 5,367 | Enforcing physical and logical access restrictions for system changes directly prevents unauthorized actors from modifying the system.
CWE-863 | Incorrect Authorization | 3,515 | The control requires correct implementation of authorization specifically tied to change operations.
CWE-269 | Improper Privilege Management | 3,104 | Restricting who can perform changes helps ensure privileges are managed properly rather than assigned broadly.
CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,874 | Defining and enforcing access restrictions ensures correct permission assignments on resources that support changes.
CWE-285 | Improper Authorization | 1,356 | Requiring definition, approval, and enforcement of access rules for changes addresses improper authorization of modifications.
CWE-250 | Execution with Unnecessary Privileges | 333 | Limiting change access to only approved entities reduces the risk of unnecessary privileges being available for modifications.
CWE-15 | External Control of System or Configuration Setting | 69 | Restricting changes to system and configuration settings prevents external entities from controlling those settings without approval.

Top CVEs where this control is the strongest mitigation

CVE | Risk | CVSS | EPSS | Match
CVE-2021-1675 KEV | 10.0 | 7.8 | 0.8613 | good
CVE-2020-3153 KEV | 10.0 | 6.5 | 0.2831 | good
CVE-2024-57520 | 7.0 | 9.8 | 0.0097 | good
CVE-2024-39273 | 7.0 | 9.0 | 0.0105 | good
CVE-2025-34195 | 7.0 | 9.8 | 0.0091 | good
CVE-2022-30470 | 7.0 | 9.8 | 0.0253 | good
CVE-2022-28590 | 6.0 | 7.2 | 0.2403 | good
CVE-2024-56181 | 5.5 | 8.2 | 0.0020 | good
CVE-2026-1995 | 5.5 | 7.8 | 0.0017 | good
CVE-2026-33509 | 5.5 | 7.5 | 0.0053 | good
CVE-2026-35464 | 5.5 | 7.5 | 0.0053 | good
CVE-2016-20025 UPD | 5.5 | 8.8 | 0.0044 | good
CVE-2021-47852 | 5.5 | 8.8 | 0.0020 | good
CVE-2026-2364 | 5.5 | 7.3 | 0.0008 | good
CVE-2026-28456 | 5.5 | 7.2 | 0.0040 | good
CVE-2022-26149 | 5.5 | 7.2 | 0.0931 | good
CVE-2023-25266 | 5.5 | 8.8 | 0.0163 | good
CVE-2022-23050 | 5.5 | 7.2 | 0.0465 | good
CVE-2024-41651 | 5.5 | 8.1 | 0.0126 | good
CVE-2025-32409 | 5.5 | 8.1 | 0.0100 | good
CVE-2026-6973 KEV UPD | 10.0 | 7.2 | 0.3445 | partial
CVE-2026-34926 KEV UPD | 10.0 | 6.7 | 0.1268 | good
CVE-2025-31324 KEV UPD | 10.0 | 10.0 | 0.9936 | good
CVE-2021-26828 KEV | 10.0 | 8.8 | 0.3910 | good
CVE-2020-8243 KEV | 10.0 | 7.2 | 0.9076 | good

Other controls in family CM

CM-1 CM-10 CM-11 CM-12 CM-13 CM-14 CM-2 CM-3 CM-4 CM-6 CM-7 CM-8 CM-9