NIST 800-53 r5, Controls catalogue, Family CM
CM-1: Policy and Procedures
- Develop, document, and disseminate to {{ insert: param, cm-1_prm_1 }}:
  - {{ insert: param, cm-01_odp.03 }} configuration management policy that:
    - Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    - Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
  - Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;
- Designate an {{ insert: param, cm-01_odp.04 }} to manage the development, documentation, and dissemination of the configuration management policy and procedures; and
- Review and update the current configuration management:
  - Policy {{ insert: param, cm-01_odp.05 }} and following {{ insert: param, cm-01_odp.06 }}; and
  - Procedures {{ insert: param, cm-01_odp.07 }} and following {{ insert: param, cm-01_odp.08 }}.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (6)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-284 | Improper Access Control | 4,832 | Defines roles, responsibilities, and access rules for configuration management activities, making improper access to configuration resources harder to exploit. |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,824 | Procedures specify correct permission assignments for critical configuration files and resources as part of baseline and change management. |
| CWE-276 | Incorrect Default Permissions | 1,757 | Establishes requirements for appropriate default permissions on system resources as part of configuration management. |
| CWE-1188 | Initialization of a Resource with an Insecure Default | 300 | Requires documented secure initialization practices and avoidance of insecure defaults in configuration baselines. |
| CWE-1392 | Use of Default Credentials | 89 | Mandates replacement of default credentials during secure configuration and provisioning procedures. |
| CWE-15 | External Control of System or Configuration Setting | 59 | The policy and procedures establish internal controls and change management for system configuration settings, reducing the feasibility of external unauthorized modifications. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet; the per-CVE backfill is in progress. | | | | |