NIST 800-53 r5 · Controls catalogue · Family CM
CM-12 Information Location
- Identify and document the location of [Assignment: organization-defined information] and the specific system components on which the information is processed and stored;
- Identify and document the users who have access to the system and system components where the information is processed and stored; and
- Document changes to the location (i.e., system or system components) where the information is processed and stored.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (2)
Weaknesses this control addresses (9)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 10,204 | Documenting information locations and authorized users enables better protection against unauthorized exposure of sensitive data. |
| CWE-284 | Improper Access Control | 4,832 | Identifying users with access to specific system components supports enforcement of proper access controls on information. |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,824 | Documenting users and component locations facilitates correct permission assignments for critical resources. |
| CWE-285 | Improper Authorization | 1,230 | Documenting access to processing and storage locations helps ensure correct authorization for information resources. |
| CWE-668 | Exposure of Resource to Wrong Sphere | 779 | Knowing exact processing and storage locations helps avoid exposure of resources to incorrect spheres. |
| CWE-552 | Files or Directories Accessible to External Parties | 540 | Identifying and documenting file and directory locations allows restriction of access to external parties. |
| CWE-922 | Insecure Storage of Sensitive Information | 421 | Tracking information locations and access supports secure storage practices instead of insecure ones. |
| CWE-497 | Exposure of Sensitive System Information to an Unauthorized Control Sphere | 314 | Documenting where system information is processed and stored prevents exposure to unauthorized control spheres. |
| CWE-359 | Exposure of Private Personal Information to an Unauthorized Actor | 174 | Tracking locations of sensitive data and access users reduces risk of private personal information exposure. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2025-24263 | 2.0 | 9.8 | 0.0045 | good |
| CVE-2025-67303 | 1.6 | 7.5 | 0.0132 | good |
| CVE-2024-13600 | 1.5 | 7.5 | 0.0032 | good |
| CVE-2025-12539 | 2.0 | 10.0 | 0.0072 | good |
| CVE-2024-13562 | 1.5 | 7.5 | 0.0059 | good |