NIST 800-53 r5 · Controls catalogue · Family CM
CM-6Configuration Settings
Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using {{ insert: param, cm-06_odp.01 }}; Implement the configuration settings; Identify, document, and approve any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} based on {{ insert: param, cm-06_odp.03 }} ; and Monitor and control changes to the configuration settings in accordance with organizational policies and procedures.
Last updated: 19 May 2026 14:18 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (342)
- T1001 Data Obfuscation Command And Control
- T1001.001 Junk Data Command And Control
- T1001.002 Steganography Command And Control
- T1001.003 Protocol or Service Impersonation Command And Control
- T1003 OS Credential Dumping Credential Access
- T1003.001 LSASS Memory Credential Access
- T1003.002 Security Account Manager Credential Access
- T1003.003 NTDS Credential Access
- T1003.004 LSA Secrets Credential Access
- T1003.005 Cached Domain Credentials Credential Access
- T1003.006 DCSync Credential Access
- T1003.007 Proc Filesystem Credential Access
- T1003.008 /etc/passwd and /etc/shadow Credential Access
- T1008 Fallback Channels Command And Control
- T1011 Exfiltration Over Other Network Medium Exfiltration
- T1011.001 Exfiltration Over Bluetooth Exfiltration
- T1020.001 Traffic Duplication Exfiltration
- T1021 Remote Services Lateral Movement
- T1021.001 Remote Desktop Protocol Lateral Movement
- T1021.002 SMB/Windows Admin Shares Lateral Movement
- T1021.003 Distributed Component Object Model Lateral Movement
- T1021.004 SSH Lateral Movement
- T1021.005 VNC Lateral Movement
- T1021.006 Windows Remote Management Lateral Movement
- T1021.008 Direct Cloud VM Connections Lateral Movement
- T1027 Obfuscated Files or Information Stealth
- T1027.010 Command Obfuscation Stealth
- T1029 Scheduled Transfer Exfiltration
- T1030 Data Transfer Size Limits Exfiltration
- T1036 Masquerading Stealth
- T1036.001 Invalid Code Signature Stealth
- T1036.003 Rename Legitimate Utilities Stealth
- T1036.005 Match Legitimate Resource Name or Location Stealth
- T1036.007 Double File Extension Stealth
- T1036.010 Masquerade Account Name Stealth
- T1037 Boot or Logon Initialization Scripts Persistence, Privilege Escalation
- T1037.002 Login Hook Persistence, Privilege Escalation
- T1037.003 Network Logon Script Persistence, Privilege Escalation
- T1037.004 RC Scripts Persistence, Privilege Escalation
- T1037.005 Startup Items Persistence, Privilege Escalation
- T1046 Network Service Discovery Discovery
- T1047 Windows Management Instrumentation Execution
- T1048 Exfiltration Over Alternative Protocol Exfiltration
- T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol Exfiltration
- T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol Exfiltration
- T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol Exfiltration
- T1052 Exfiltration Over Physical Medium Exfiltration
- T1052.001 Exfiltration over USB Exfiltration
- T1053 Scheduled Task/Job Execution, Persistence, Privilege Escalation
- T1053.002 At Execution, Persistence, Privilege Escalation
Weaknesses this control addresses (10)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-284 | Improper Access Control | 4,905 | Restrictive configuration settings implement and enforce proper access controls on system components. |
CWE-269 | Improper Privilege Management | 2,936 | Managing and monitoring configuration settings supports proper privilege management and avoids improper assignments. |
CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,837 | Documenting and enforcing configuration settings ensures correct permission assignments for critical resources. |
CWE-276 | Incorrect Default Permissions | 1,765 | Requiring the most restrictive settings instead of defaults prevents incorrect default permissions on resources. |
CWE-319 | Cleartext Transmission of Sensitive Information | 1,051 | Settings can enforce secure transmission protocols to prevent cleartext transmission of sensitive data. |
CWE-312 | Cleartext Storage of Sensitive Information | 924 | Configuration policies can mandate secure storage methods to avoid cleartext storage of sensitive information. |
CWE-311 | Missing Encryption of Sensitive Data | 552 | Settings can require encryption of sensitive data, preventing missing encryption weaknesses. |
CWE-250 | Execution with Unnecessary Privileges | 311 | Configuration settings can mandate least-privilege execution, reducing unnecessary privileges. |
CWE-521 | Weak Password Requirements | 303 | Configuration settings can define and enforce strong password requirements to avoid weak policies. |
CWE-15 | External Control of System or Configuration Setting | 60 | Establishing, implementing, approving deviations from, and monitoring configuration settings directly prevents external or unauthorized control of system settings. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
CVE-2025-34291 | 2.3 | 8.8 | 0.0949 | good |
CVE-2026-22869 | 2.0 | 9.8 | 0.0019 | good |
CVE-2025-60262 | 2.0 | 9.8 | 0.0032 | good |
CVE-2024-57061 | 2.0 | 9.8 | 0.0051 | good |
CVE-2025-10294 | 2.0 | 9.8 | 0.0053 | good |
CVE-2022-1736 | 2.0 | 9.8 | 0.0054 | good |
CVE-2025-27154 | 2.0 | 9.8 | 0.0024 | good |
CVE-2026-39920 | 2.0 | 9.8 | 0.0026 | good |
CVE-2024-8487 | 2.0 | 9.8 | 0.0026 | good |
CVE-2026-3207 | 2.0 | 9.8 | 0.0005 | good |
CVE-2026-25894 | 2.0 | 9.8 | 0.0010 | good |
CVE-2026-29128 | 2.0 | 10.0 | 0.0004 | good |
CVE-2026-27941 | 2.0 | 9.9 | 0.0007 | good |
CVE-2026-27002 | 2.0 | 9.8 | 0.0002 | good |
CVE-2026-2577 | 2.0 | 10.0 | 0.0008 | good |
CVE-2026-1699 | 2.0 | 10.0 | 0.0004 | good |
CVE-2022-50935 | 2.0 | 9.8 | 0.0008 | good |
CVE-2025-44658 | 2.0 | 9.8 | 0.0132 | good |
CVE-2025-44655 | 2.0 | 9.8 | 0.0056 | good |
CVE-2025-34207 | 2.0 | 9.8 | 0.0013 | good |
CVE-2025-44654 | 2.0 | 9.8 | 0.0041 | good |
CVE-2026-33334 | 1.9 | 9.6 | 0.0015 | good |
CVE-2025-68669 | 1.9 | 9.6 | 0.0010 | good |
CVE-2024-7760 | 1.9 | 9.6 | 0.0023 | good |
CVE-2026-30924 UPD | 1.9 | 9.6 | 0.0005 | good |