Cyber Resilience

NIST 800-53 r5 · Controls catalogue · Family CM

CM-6Configuration Settings

Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using {{ insert: param, cm-06_odp.01 }}; Implement the configuration settings; Identify, document, and approve any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} based on {{ insert: param, cm-06_odp.03 }} ; and Monitor and control changes to the configuration settings in accordance with organizational policies and procedures.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: mostly · 24 mapping(s) from 3 framework(s): ASVS 5.0 19 (partial) · CSF 2.0 4 (mostly) · OWASP-Web 1 (mostly)

See the full cumulative-coverage rollup →

Implementations targeting this control (0)

ATT&CK techniques this control mitigates (342)

Weaknesses this control addresses (10)AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE Name CVEs Why this control addresses it
CWE-284Improper Access Control5,367Restrictive configuration settings implement and enforce proper access controls on system components.
CWE-269Improper Privilege Management3,104Managing and monitoring configuration settings supports proper privilege management and avoids improper assignments.
CWE-732Incorrect Permission Assignment for Critical Resource1,874Documenting and enforcing configuration settings ensures correct permission assignments for critical resources.
CWE-276Incorrect Default Permissions1,789Requiring the most restrictive settings instead of defaults prevents incorrect default permissions on resources.
CWE-319Cleartext Transmission of Sensitive Information1,076Settings can enforce secure transmission protocols to prevent cleartext transmission of sensitive data.
CWE-312Cleartext Storage of Sensitive Information935Configuration policies can mandate secure storage methods to avoid cleartext storage of sensitive information.
CWE-311Missing Encryption of Sensitive Data554Settings can require encryption of sensitive data, preventing missing encryption weaknesses.
CWE-250Execution with Unnecessary Privileges333Configuration settings can mandate least-privilege execution, reducing unnecessary privileges.
CWE-521Weak Password Requirements308Configuration settings can define and enforce strong password requirements to avoid weak policies.
CWE-15External Control of System or Configuration Setting69Establishing, implementing, approving deviations from, and monitoring configuration settings directly prevents external or unauthorized control of system settings.

Top CVEs where this control is the strongest mitigation

CVE Risk CVSS EPSS Match
CVE-2025-54253 KEV UPD10.010.00.8982good
CVE-2024-56145 KEV10.09.80.9745good
CVE-2022-0028 KEV10.08.60.0204good
CVE-2013-3900 KEV10.05.50.4465good
CVE-2025-30406 KEV10.09.00.9273good
CVE-2024-546768.09.80.6518good
CVE-2024-384728.07.50.6795good
CVE-2026-333347.09.60.0039good
CVE-2026-228697.09.80.0055good
CVE-2025-602627.09.80.0049good
CVE-2024-559647.09.80.0627good
CVE-2024-570617.09.80.0066good
CVE-2025-102947.09.80.0077good
CVE-2022-17367.09.80.0073good
CVE-2025-271547.09.80.0059good
CVE-2026-399207.09.80.0054good
CVE-2024-84877.09.80.0027good
CVE-2026-32077.09.80.0028good
CVE-2026-258947.09.80.0076good
CVE-2025-686697.09.60.0040good
CVE-2024-77607.09.60.0047good
CVE-2026-309247.09.60.0026good
CVE-2025-677447.09.60.0053good
CVE-2025-563327.09.10.0039good
CVE-2026-403137.09.10.0031good

Other controls in family CM

CM-1 CM-10 CM-11 CM-12 CM-13 CM-14 CM-2 CM-3 CM-4 CM-5 CM-7 CM-8 CM-9