NIST 800-53 r5 · Controls catalogue · Family CM
CM-7Least Functionality
Configure the system to provide only {{ insert: param, cm-07_odp.01 }} ; and Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: {{ insert: param, cm-7_prm_2 }}.
Last updated: 19 May 2026 14:18 UTC
Implementations targeting this control (3)
- aws-config-restricted-common-ports Restricted Common Ports AWS::EC2::SecurityGroup partial protect enforce CIS v5 §5.4CIS v3 §5.3Hub EC2.54
- aws-config-no-unrestricted-route-to-igw No Unrestricted Route To Igw AWS::EC2::RouteTable partial protect enforce
- aws-config-restricted-ssh Restricted Ssh AWS::EC2::SecurityGroup partial protect enforce CIS v5 §5.3CIS v3 §5.2Hub EC2.53
ATT&CK techniques this control mitigates (223)
- T1003 OS Credential Dumping Credential Access
- T1003.001 LSASS Memory Credential Access
- T1003.002 Security Account Manager Credential Access
- T1003.005 Cached Domain Credentials Credential Access
- T1008 Fallback Channels Command And Control
- T1011 Exfiltration Over Other Network Medium Exfiltration
- T1011.001 Exfiltration Over Bluetooth Exfiltration
- T1020.001 Traffic Duplication Exfiltration
- T1021 Remote Services Lateral Movement
- T1021.001 Remote Desktop Protocol Lateral Movement
- T1021.002 SMB/Windows Admin Shares Lateral Movement
- T1021.003 Distributed Component Object Model Lateral Movement
- T1021.005 VNC Lateral Movement
- T1021.006 Windows Remote Management Lateral Movement
- T1021.008 Direct Cloud VM Connections Lateral Movement
- T1027 Obfuscated Files or Information Stealth
- T1036 Masquerading Stealth
- T1036.005 Match Legitimate Resource Name or Location Stealth
- T1036.007 Double File Extension Stealth
- T1036.008 Masquerade File Type Stealth
- T1037 Boot or Logon Initialization Scripts Persistence, Privilege Escalation
- T1037.001 Logon Script (Windows) Persistence, Privilege Escalation
- T1040 Network Sniffing Credential Access, Discovery
- T1046 Network Service Discovery Discovery
- T1047 Windows Management Instrumentation Execution
- T1048 Exfiltration Over Alternative Protocol Exfiltration
- T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol Exfiltration
- T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol Exfiltration
- T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol Exfiltration
- T1052 Exfiltration Over Physical Medium Exfiltration
- T1052.001 Exfiltration over USB Exfiltration
- T1053 Scheduled Task/Job Execution, Persistence, Privilege Escalation
- T1053.002 At Execution, Persistence, Privilege Escalation
- T1053.005 Scheduled Task Execution, Persistence, Privilege Escalation
- T1059 Command and Scripting Interpreter Execution
- T1059.005 Visual Basic Execution
- T1059.007 JavaScript Execution
- T1059.009 Cloud API Execution
- T1059.010 AutoHotKey & AutoIT Execution
- T1068 Exploitation for Privilege Escalation Privilege Escalation
- T1071 Application Layer Protocol Command And Control
- T1071.001 Web Protocols Command And Control
- T1071.002 File Transfer Protocols Command And Control
- T1071.003 Mail Protocols Command And Control
- T1071.004 DNS Command And Control
- T1072 Software Deployment Tools Execution, Lateral Movement
- T1078 Valid Accounts Stealth, Persistence, Privilege Escalation, Initial Access
- T1078.004 Cloud Accounts Stealth, Persistence, Privilege Escalation, Initial Access
- T1080 Taint Shared Content Lateral Movement
- T1087 Account Discovery Discovery
Weaknesses this control addresses (8)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-284 | Improper Access Control | 4,905 | Restricting available functions and services reduces the attack surface and enforces proper access control boundaries. |
CWE-306 | Missing Authentication for Critical Function | 2,600 | Disabling non-essential functions and services eliminates the need to secure them, reducing exposure from missing authentication on unnecessary components. |
CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,837 | Configuring systems to provide only required functionality avoids incorrect permission assignments on unneeded resources, ports, or services. |
CWE-285 | Improper Authorization | 1,252 | By limiting enabled features to only those needed, the control strengthens authorization by removing opportunities for unauthorized use of excess functionality. |
CWE-250 | Execution with Unnecessary Privileges | 311 | Prohibiting unnecessary functions, ports, protocols, software, and services directly prevents execution with privileges beyond what is required for the system's purpose. |
CWE-1188 | Initialization of a Resource with an Insecure Default | 309 | Requiring explicit configuration to minimal functionality overrides insecure defaults that would otherwise enable excess capabilities. |
CWE-749 | Exposed Dangerous Method or Function | 158 | Explicitly prohibiting dangerous or unnecessary functions and services prevents exposure of methods that could be directly exploited. |
CWE-272 | Least Privilege Violation | 26 | Enforcing only the minimal set of functionality implements least privilege by eliminating unneeded capabilities that could be abused. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
CVE-2025-27816 | 2.0 | 9.8 | 0.0031 | good |
CVE-2026-23751 | 2.0 | 9.8 | 0.0025 | good |
CVE-2025-43986 | 2.0 | 9.8 | 0.0012 | good |
CVE-2025-52089 | 2.0 | 8.8 | 0.0320 | good |
CVE-2025-42878 | 1.6 | 8.2 | 0.0010 | good |
CVE-2026-34990 | 1.6 | 7.8 | 0.0001 | good |
CVE-2025-41756 | 1.6 | 8.1 | 0.0005 | good |
CVE-2025-62188 | 1.5 | 7.5 | 0.0003 | good |
CVE-2024-40891 KEV | 7.0 | 8.8 | 0.5324 | good |
CVE-2026-27966 | 4.2 | 9.8 | 0.3739 | good |
CVE-2025-22226 KEV | 3.7 | 7.1 | 0.0432 | partial |
CVE-2025-54782 | 3.7 | 8.8 | 0.3248 | good |
CVE-2026-3844 | 2.8 | 9.8 | 0.1466 | good |
CVE-2026-21877 | 2.6 | 9.9 | 0.1074 | good |
CVE-2025-21307 | 2.6 | 9.8 | 0.1077 | partial |
CVE-2026-33057 | 2.5 | 9.8 | 0.0842 | good |
CVE-2025-41243 | 2.4 | 10.0 | 0.0642 | good |
CVE-2025-53145 | 2.4 | 8.8 | 0.1108 | good |
CVE-2025-53144 | 2.4 | 8.8 | 0.1108 | good |
CVE-2025-1497 | 2.3 | 9.8 | 0.0557 | good |
CVE-2025-54574 | 2.2 | 9.3 | 0.0499 | good |
CVE-2025-66631 | 2.1 | 9.8 | 0.0282 | good |
CVE-2025-7206 | 2.1 | 9.8 | 0.0295 | good |
CVE-2025-6704 | 2.1 | 9.8 | 0.0158 | good |
CVE-2026-3587 | 2.0 | 10.0 | 0.0013 | good |