NIST 800-53 r5 · Controls catalogue · Family CM

CM-5Access Restrictions for Change

Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system.

Last updated: 19 May 2026 14:18 UTC

Implementations targeting this control (0)

No implementations targeting this control yet.

ATT&CK techniques this control mitigates (160)

T1003 OS Credential Dumping Credential Access
T1003.001 LSASS Memory Credential Access
T1003.002 Security Account Manager Credential Access
T1003.003 NTDS Credential Access
T1003.004 LSA Secrets Credential Access
T1003.005 Cached Domain Credentials Credential Access
T1003.006 DCSync Credential Access
T1003.007 Proc Filesystem Credential Access
T1003.008 /etc/passwd and /etc/shadow Credential Access
T1020.001 Traffic Duplication Exfiltration
T1021 Remote Services Lateral Movement
T1021.001 Remote Desktop Protocol Lateral Movement
T1021.002 SMB/Windows Admin Shares Lateral Movement
T1021.003 Distributed Component Object Model Lateral Movement
T1021.004 SSH Lateral Movement
T1021.005 VNC Lateral Movement
T1021.006 Windows Remote Management Lateral Movement
T1021.008 Direct Cloud VM Connections Lateral Movement
T1047 Windows Management Instrumentation Execution
T1053 Scheduled Task/Job Execution, Persistence, Privilege Escalation
T1053.002 At Execution, Persistence, Privilege Escalation
T1053.003 Cron Execution, Persistence, Privilege Escalation
T1053.005 Scheduled Task Execution, Persistence, Privilege Escalation
T1053.006 Systemd Timers Execution, Persistence, Privilege Escalation
T1053.007 Container Orchestration Job Execution, Persistence, Privilege Escalation
T1055 Process Injection Stealth, Privilege Escalation
T1055.008 Ptrace System Calls Stealth, Privilege Escalation
T1056.003 Web Portal Capture Collection, Credential Access
T1059 Command and Scripting Interpreter Execution
T1059.001 PowerShell Execution
T1059.006 Python Execution
T1059.008 Network Device CLI Execution
T1072 Software Deployment Tools Execution, Lateral Movement
T1078 Valid Accounts Stealth, Persistence, Privilege Escalation, Initial Access
T1078.002 Domain Accounts Stealth, Persistence, Privilege Escalation, Initial Access
T1078.003 Local Accounts Stealth, Persistence, Privilege Escalation, Initial Access
T1078.004 Cloud Accounts Stealth, Persistence, Privilege Escalation, Initial Access
T1098 Account Manipulation Persistence, Privilege Escalation
T1098.001 Additional Cloud Credentials Persistence, Privilege Escalation
T1098.002 Additional Email Delegate Permissions Persistence, Privilege Escalation
T1098.003 Additional Cloud Roles Persistence, Privilege Escalation
T1098.004 SSH Authorized Keys Persistence, Privilege Escalation
T1098.005 Device Registration Persistence, Privilege Escalation
T1098.007 Additional Local or Domain Groups Persistence, Privilege Escalation
T1134 Access Token Manipulation Stealth, Privilege Escalation
T1134.001 Token Impersonation/Theft Stealth, Privilege Escalation
T1134.002 Create Process with Token Stealth, Privilege Escalation
T1134.003 Make and Impersonate Token Stealth, Privilege Escalation
T1136 Create Account Persistence
T1136.001 Local Account Persistence

Weaknesses this control addresses (8)AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE	Name	CVEs	Why this control addresses it
`CWE-862`	Missing Authorization	8,796	Mandating authorization for changes prevents missing authorization checks on critical modification functions.
`CWE-284`	Improper Access Control	4,905	Enforcing physical and logical access restrictions for system changes directly prevents unauthorized actors from modifying the system.
`CWE-863`	Incorrect Authorization	3,303	The control requires correct implementation of authorization specifically tied to change operations.
`CWE-269`	Improper Privilege Management	2,936	Restricting who can perform changes helps ensure privileges are managed properly rather than assigned broadly.
`CWE-732`	Incorrect Permission Assignment for Critical Resource	1,837	Defining and enforcing access restrictions ensures correct permission assignments on resources that support changes.
`CWE-285`	Improper Authorization	1,252	Requiring definition, approval, and enforcement of access rules for changes addresses improper authorization of modifications.
`CWE-250`	Execution with Unnecessary Privileges	311	Limiting change access to only approved entities reduces the risk of unnecessary privileges being available for modifications.
`CWE-15`	External Control of System or Configuration Setting	60	Restricting changes to system and configuration settings prevents external entities from controlling those settings without approval.

Top CVEs where this control is the strongest mitigation

CVE	Risk	CVSS	EPSS	Match
`CVE-2024-57520`	2.2	9.8	0.0352	good
`CVE-2024-39273`	1.8	9.0	0.0031	good
`CVE-2016-20025`	1.8	8.8	0.0003	good
`CVE-2021-47852`	1.8	8.8	0.0003	good
`CVE-2025-41666`	1.8	8.8	0.0118	good
`CVE-2026-1995`	1.6	7.8	0.0001	good
`CVE-2026-33509`	1.5	7.5	0.0010	good
`CVE-2026-35464` UPD	1.5	7.5	0.0021	good
`CVE-2023-47179` UPD	2.9	8.8	0.1915	good
`CVE-2026-35029`	2.8	8.8	0.1767	good
`CVE-2026-22869`	2.0	9.8	0.0019	good
`CVE-2024-39608`	2.0	10.0	0.0026	good
`CVE-2025-11007`	2.0	9.8	0.0028	good
`CVE-2026-35546` UPD	2.0	9.8	0.0008	good
`CVE-2019-25568` UPD	2.0	9.8	0.0003	good
`CVE-2026-6235`	2.0	9.8	0.0003	good
`CVE-2026-42812` UPD	2.0	9.9	0.0012	partial
`CVE-2016-20024`	2.0	9.8	0.0003	good
`CVE-2026-3130`	2.0	9.8	0.0002	partial
`CVE-2025-55141`	2.0	8.8	0.0384	good
`CVE-2025-63690`	1.9	9.1	0.0172	good
`CVE-2025-0928`	1.9	8.8	0.0232	good
`CVE-2021-47770`	1.8	8.8	0.0033	good
`CVE-2024-39788`	1.8	9.1	0.0004	good
`CVE-2021-47735`	1.8	8.8	0.0049	good

Other controls in family CM

CM-1 CM-10 CM-11 CM-12 CM-13 CM-14 CM-2 CM-3 CM-4 CM-6 CM-7 CM-8 CM-9