Cyber Resilience

NIST 800-53 r5 · Controls catalogue · Family CM

CM-7 Least Functionality

a. Configure the system to provide only [Assignment: organization-defined mission-essential capabilities]; and
b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined functions, ports, protocols, software, and/or services].

The two bracketed assignments are the control's organization-defined parameters: part (a) names what the system must offer, part (b) names what it must not.
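The check a practitioner wants for this control is a comparison of what a host actually exposes against the two assignment lists. The script below is an added example, not code from the original page or from NIST; it parses the output of `ss -tulnp` and `systemctl list-unit-files --state=enabled` and reports every listening port and enabled unit that is not in the organization-defined lists. The allow-list, the prohibited list and both command outputs are constructed for illustration; the allow-list stands in for the values an organization would assign to the CM-7 parameters.

```python
"""
Added example (not from the page or the NIST catalogue): a least-functionality
audit in the spirit of CM-7. It compares what a host exposes (listening sockets
from `ss -tulnp`, enabled units from `systemctl list-unit-files --state=enabled`)
against an organization-defined allow-list and an explicit prohibited list.
All inputs below are constructed, not captured from a real host.
"""
import re
from dataclasses import dataclass

# Constructed stand-ins for the CM-7 assignment parameters.
ALLOWED_PORTS = {("tcp", 22), ("tcp", 443)}            # part (b): permitted ports/protocols
ALLOWED_SERVICES = {"sshd.service", "nginx.service"}   # part (a): mission-essential capabilities
PROHIBITED_SERVICES = {"telnet.socket", "vsftpd.service", "rpcbind.service"}  # part (b): explicit deny

# Constructed sample of `ss -tulnp` output.
SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511          0.0.0.0:443        0.0.0.0:*     users:(("nginx",pid=1201,fd=6))
tcp   LISTEN 0      5          127.0.0.1:25         0.0.0.0:*     users:(("master",pid=950,fd=13))
tcp   LISTEN 0      128             [::]:21            [::]:*     users:(("vsftpd",pid=1333,fd=4))
udp   UNCONN 0      0            0.0.0.0:111        0.0.0.0:*     users:(("rpcbind",pid=600,fd=5))
"""

# Constructed sample of `systemctl list-unit-files --state=enabled` output.
SYSTEMCTL_OUTPUT = """\
UNIT FILE                STATE   PRESET
sshd.service             enabled enabled
nginx.service            enabled enabled
vsftpd.service           enabled disabled
rpcbind.service          enabled enabled
telnet.socket            enabled disabled

5 unit files listed.
"""


@dataclass
class Finding:
    kind: str     # "port" or "service"
    subject: str  # "tcp/25" or "vsftpd.service"
    detail: str


def parse_ss(output):
    """Return (proto, port, process) for each socket line of `ss -tulnp` output."""
    sockets = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("tcp", "udp"):
            continue                      # header or unrelated line
        port = int(parts[4].rsplit(":", 1)[1])   # works for 0.0.0.0:22 and [::]:21
        match = re.search(r'\("([^"]+)"', line)  # first process name in users:(...)
        sockets.append((parts[0], port, match.group(1) if match else "?"))
    return sockets


def parse_enabled_units(output):
    """Return the set of unit names whose STATE column reads 'enabled'."""
    units = set()
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1] == "enabled":
            units.add(parts[0])
    return units


def audit(ss_output, systemctl_output, allowed_ports, allowed_services, prohibited):
    """Report every listening port and enabled unit outside the organization-defined lists."""
    findings = []
    for proto, port, proc in parse_ss(ss_output):
        if (proto, port) not in allowed_ports:
            findings.append(Finding("port", f"{proto}/{port}",
                                    f"listening ({proc}) but not in the allowed port list (CM-7 b)"))
    for unit in sorted(parse_enabled_units(systemctl_output)):
        if unit in prohibited:
            findings.append(Finding("service", unit, "enabled but explicitly prohibited (CM-7 b)"))
        elif unit not in allowed_services:
            findings.append(Finding("service", unit, "enabled but not a mission-essential capability (CM-7 a)"))
    return findings


if __name__ == "__main__":
    for f in audit(SS_OUTPUT, SYSTEMCTL_OUTPUT, ALLOWED_PORTS, ALLOWED_SERVICES, PROHIBITED_SERVICES):
        print(f"{f.kind:7} {f.subject:16} {f.detail}")
```

On the constructed input the audit reports three sockets (tcp/25, tcp/21, udp/111) and three units (rpcbind.service, telnet.socket, vsftpd.service). The remediation is outside the script: `systemctl disable --now <unit>` for the units, a host firewall for anything that must stay running but not be reachable, and an update to the allow-list when a service is genuinely essential. Note that port and unit checks only see the network and process layers; part (b) also covers application-level functions (unused modules, debug endpoints, scripting interfaces), which need their own configuration review.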

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this control. The verdict is the strongest single mapping (overlapping partial mappings are not summed); breadth shows how many mappings corroborate it.

Collective verdict: full. 4 mappings from 2 frameworks: CSF 2.0: 2 (full); ASVS 5.0: 2 (partial).


Implementations targeting this control (3)

ATT&CK techniques this control mitigates (223)

Weaknesses this control addresses (8) [AI]

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE | Name | CVEs | Why this control addresses it
CWE-284 | Improper Access Control | 5,367 | Restricting the functions and services a system offers shrinks the attack surface and removes interfaces on which access-control boundaries would otherwise have to be enforced.
CWE-306 | Missing Authentication for Critical Function | 2,820 | A function that is disabled cannot be reached without authentication; removing non-essential functions and services eliminates that exposure instead of relying on each one to authenticate correctly.
CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,874 | Providing only required functionality leaves fewer resources, ports and services on which permissions can be assigned wrongly.
CWE-285 | Improper Authorization | 1,356 | Limiting enabled features to those needed removes opportunities for unauthorized use of surplus functionality that may lack proper authorization checks.
CWE-1188 | Initialization of a Resource with an Insecure Default | 335 | Requiring explicit configuration to minimal functionality overrides insecure defaults that would otherwise enable capabilities nobody asked for.
CWE-250 | Execution with Unnecessary Privileges | 333 | Indirectly: prohibiting unnecessary functions, software and services removes components that would otherwise run, often with more privilege than the system's purpose requires. The privilege level of what remains is the concern of AC-6 (Least Privilege).
CWE-749 | Exposed Dangerous Method or Function | 174 | Explicitly prohibiting dangerous or unnecessary functions and services keeps methods an attacker could invoke directly from being exposed in the first place.
CWE-272 | Least Privilege Violation | 33 | Reducing a system to its minimal set of functionality is the capability-level counterpart of least privilege: it eliminates unneeded capabilities that could be abused. Dropping privileges correctly inside a component remains an AC-6 matter.

Top CVEs where this control is the strongest mitigation

Flags: KEV = listed in the CISA Known Exploited Vulnerabilities catalogue.

CVE | Flags | Risk | CVSS | EPSS | Match
CVE-2022-30190 | KEV | 10.0 | 7.8 | 0.9937 | good
CVE-2021-43890 | KEV | 10.0 | 7.1 | 0.1029 | good
CVE-2021-27877 | KEV | 10.0 | 8.2 | 0.6491 | good
CVE-2020-1631 | KEV | 10.0 | 8.8 | 0.0473 | good
CVE-2020-11978 | KEV | 10.0 | 8.8 | 0.9912 | good
CVE-2019-11580 | KEV | 10.0 | 9.8 | 0.9536 | good
CVE-2019-0193 | KEV | 10.0 | 7.2 | 0.8355 | good
CVE-2018-6961 | KEV | 10.0 | 8.1 | 0.8643 | good
CVE-2017-6736 | KEV | 10.0 | 8.8 | 0.7056 | good
CVE-2017-12617 | KEV | 10.0 | 8.1 | 0.9999 | good
CVE-2017-12615 | KEV | 10.0 | 8.1 | 0.9961 | good
CVE-2017-0147 | KEV | 10.0 | 7.5 | 0.9969 | good
CVE-2017-0146 | KEV | 10.0 | 8.8 | 0.8986 | good
CVE-2017-0145 | KEV | 10.0 | 8.8 | 0.8985 | good
CVE-2017-0144 | KEV | 10.0 | 8.8 | 0.9923 | good
CVE-2017-0143 | KEV | 10.0 | 8.8 | 0.9331 | good
CVE-2016-3718 | KEV | 10.0 | 5.5 | 0.7690 | good
CVE-2023-38124 | | 8.0 | 8.8 | 0.5582 | good
CVE-2026-22208 | | 7.0 | 9.6 | 0.0092 | good
CVE-2025-27816 | | 7.0 | 9.8 | 0.0063 | good
CVE-2026-23751 | | 7.0 | 9.8 | 0.0088 | good
CVE-2025-43986 | UPD | 7.0 | 9.8 | 0.0046 | good
CVE-2023-36812 | | 7.0 | 9.8 | 0.1650 | good
CVE-2023-37895 | | 7.0 | 9.8 | 0.0266 | good
CVE-2023-50643 | | 7.0 | 9.8 | 0.0221 | good

Other controls in family CM

CM-1 CM-2 CM-3 CM-4 CM-5 CM-6 CM-8 CM-9 CM-10 CM-11 CM-12 CM-13 CM-14