NIST 800-53 r5 · Controls catalogue · Family CM

CM-11User-installed Software

Establish {{ insert: param, cm-11_odp.01 }} governing the installation of software by users; Enforce software installation policies through the following methods: {{ insert: param, cm-11_odp.02 }} ; and Monitor policy compliance {{ insert: param, cm-11_odp.03 }}.

Last updated: 09 May 2026 03:25 UTC

Implementations targeting this control (0)

No implementations targeting this control yet.

ATT&CK techniques this control mitigates (33)

T1021.005 VNC Lateral Movement
T1059 Command and Scripting Interpreter Execution
T1059.006 Python Execution
T1072 Software Deployment Tools Execution, Lateral Movement
T1176 Software Extensions Persistence
T1195 Supply Chain Compromise Initial Access
T1195.001 Compromise Software Dependencies and Development Tools Initial Access
T1195.002 Compromise Software Supply Chain Initial Access
T1218 System Binary Proxy Execution Stealth
T1218.001 Compiled HTML File Stealth
T1218.002 Control Panel Stealth
T1218.003 CMSTP Stealth
T1218.004 InstallUtil Stealth
T1218.005 Mshta Stealth
T1218.008 Odbcconf Stealth
T1218.009 Regsvcs/Regasm Stealth
T1218.012 Verclsid Stealth
T1218.013 Mavinject Stealth
T1218.014 MMC Stealth
T1505 Server Software Component Persistence
T1505.001 SQL Stored Procedures Persistence
T1505.002 Transport Agent Persistence
T1505.004 IIS Components Persistence
T1543 Create or Modify System Process Persistence, Privilege Escalation
T1543.001 Launch Agent Persistence, Privilege Escalation
T1543.002 Systemd Service Persistence, Privilege Escalation
T1543.003 Windows Service Persistence, Privilege Escalation
T1543.004 Launch Daemon Persistence, Privilege Escalation
T1547.013 XDG Autostart Entries Persistence, Privilege Escalation
T1550.001 Application Access Token Lateral Movement
T1564.009 Resource Forking Stealth
T1569 System Services Execution
T1569.001 Launchctl Execution

Weaknesses this control addresses (4)AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE	Name	CVEs	Why this control addresses it
`CWE-284`	Improper Access Control	4,832	This control establishes and enforces policies that restrict which users can install software and what software is permitted.
`CWE-829`	Inclusion of Functionality from Untrusted Control Sphere	254	Enforcing installation policies prevents users from including functionality obtained from untrusted control spheres.
`CWE-494`	Download of Code Without Integrity Check	242	Policies can require integrity verification of software prior to installation, reducing risks from unverified downloads.
`CWE-506`	Embedded Malicious Code	80	The control prevents users from installing software that contains embedded malicious code.

Top CVEs where this control is the strongest mitigation

CVE	Risk	CVSS	EPSS	Match
`CVE-2025-50286`	5.6	8.1	0.6651	good
`CVE-2025-1639`	2.4	8.8	0.1110	good
`CVE-2026-43571`	1.8	8.8	0.0004	good
`CVE-2026-3539`	1.8	8.8	0.0001	good
`CVE-2024-9499`	1.7	8.6	0.0001	good
`CVE-2024-9497`	1.7	8.6	0.0001	good
`CVE-2024-9491`	1.7	8.6	0.0008	good
`CVE-2025-1307`	3.7	9.8	0.2843	good
`CVE-2025-7401`	2.1	9.8	0.0188	good
`CVE-2026-2599`	2.0	9.8	0.0020	good
`CVE-2025-24232`	2.0	9.8	0.0070	good
`CVE-2026-26974`	2.0	9.8	0.0003	good
`CVE-2026-1490`	2.0	9.8	0.0005	partial
`CVE-2025-59046`	2.0	9.8	0.0028	good
`CVE-2025-43244`	2.0	9.8	0.0013	partial
`CVE-2024-9920`	1.9	8.8	0.0153	good
`CVE-2025-69264`	1.8	8.8	0.0013	good
`CVE-2025-10706`	1.8	8.8	0.0031	good
`CVE-2024-49644`	1.8	8.8	0.0026	good
`CVE-2025-0762`	1.8	8.8	0.0037	good
`CVE-2026-41651`	1.8	8.8	0.0020	good
`CVE-2025-1916`	1.8	8.8	0.0018	good
`CVE-2026-33507`	1.8	8.8	0.0009	good
`CVE-2026-4326`	1.8	8.8	0.0004	good
`CVE-2026-5914`	1.8	8.8	0.0002	good

Other controls in family CM

CM-1 CM-10 CM-12 CM-13 CM-14 CM-2 CM-3 CM-4 CM-5 CM-6 CM-7 CM-8 CM-9