Cyber Resilience

NIST 800-53 r5 · Controls catalogue · Family CM

CM-9Configuration Management Plan

Develop, document, and implement a configuration management plan for the system that: Addresses roles, responsibilities, and configuration management processes and procedures; Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; Defines the configuration items for the system and places the configuration items under configuration management; Is reviewed and approved by {{ insert: param, cm-09_odp }} ; and Protects the configuration management plan from unauthorized disclosure and modification.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: mostly · 16 mapping(s) from 2 framework(s): ASVS 5.0 14 (partial) · CSF 2.0 2 (mostly)

See the full cumulative-coverage rollup →

Implementations targeting this control (0)

ATT&CK techniques this control mitigates (0)

Weaknesses this control addresses (7)AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE Name CVEs Why this control addresses it
CWE-200Exposure of Sensitive Information to an Unauthorized Actor10,501Protects the configuration management plan from unauthorized disclosure, reducing exposure of sensitive system details.
CWE-284Improper Access Control5,367Explicitly requires protecting the configuration management plan from unauthorized disclosure and modification.
CWE-269Improper Privilege Management3,104Defines roles and responsibilities to ensure proper privilege management during configuration changes.
CWE-732Incorrect Permission Assignment for Critical Resource1,874Places configuration items under formal management, enforcing correct permission assignments on critical resources.
CWE-276Incorrect Default Permissions1,789Requires documented processes that include setting and maintaining correct default permissions for configuration items.
CWE-285Improper Authorization1,356Establishes roles, responsibilities, and authorization processes for all configuration management activities.
CWE-15External Control of System or Configuration Setting69The plan defines processes for identifying and managing configuration items, preventing external unauthorized control of system settings.

Top CVEs where this control is the strongest mitigation

CVE Risk CVSS EPSS Match
No CVEs annotated to this control yet — the per-CVE backfill is in progress.

Other controls in family CM

CM-1 CM-10 CM-11 CM-12 CM-13 CM-14 CM-2 CM-3 CM-4 CM-5 CM-6 CM-7 CM-8