NIST 800-53 r5 · Controls catalogue · Family CM
CM-3 Configuration Change Control
a. Determine and document the types of changes to the system that are configuration-controlled;
b. Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses;
c. Document configuration change decisions associated with the system;
d. Implement approved configuration-controlled changes to the system;
e. Retain records of configuration-controlled changes to the system for {{ insert: param, cm-03_odp.01 }};
f. Monitor and review activities associated with configuration-controlled changes to the system; and
g. Coordinate and provide oversight for configuration change control activities through {{ insert: param, cm-03_odp.02 }} that convenes {{ insert: param, cm-03_odp.03 }}.
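A worked illustration of the determine, review/approve, document, implement, retain and monitor steps of CM-3 (items a through f as lettered in the NIST catalogue), added here as an example and not drawn from NIST, this catalogue, or any listed implementation: a small Python change-control gate that keeps a SHA-256 baseline of configuration-controlled files, records every approve/disapprove decision together with its impact analysis, and reports drift between the observed files and the approved baseline. The file paths, file contents, requester and approver names, and the rule that a requester may not approve their own change are constructed assumptions, not requirements of the control.

```python
"""Configuration change-control gate (added example, not NIST's or the page's code).

Models CM-3 a-f: a fixed set of configuration-controlled files, a ledger of
change decisions with security impact analysis, and a drift check that flags
any controlled file whose content has no approved decision behind it.
All paths, contents and people below are constructed sample data.
"""
import hashlib
import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class ChangeRecord:
    """One change decision (CM-3 c), kept for retention (CM-3 e)."""
    path: str
    old_hash: str
    new_hash: str
    requester: str
    approver: str
    impact_analysis: str   # CM-3 b: security/privacy impact considered before deciding
    decision: str          # "approved" or "disapproved"
    recorded_at: str = field(
        default_factory=lambda: datetime.now(timezone.utc).isoformat())


class ChangeControl:
    """Baseline hashes of configuration-controlled files plus a decision ledger."""

    def __init__(self, controlled_paths, contents):
        # CM-3 a: only these paths are configuration-controlled items.
        self.controlled = set(controlled_paths)
        self.expected = {p: sha256_hex(contents[p]) for p in self.controlled}
        self.records = []

    def propose(self, path, new_content, requester, approver, impact_analysis, approve):
        if path not in self.controlled:
            raise ValueError(f"{path} is not a configuration-controlled item")
        if approver == requester:
            # Assumed local separation-of-duties rule, not a CM-3 requirement.
            raise ValueError("requester may not approve their own change")
        rec = ChangeRecord(path, self.expected[path], sha256_hex(new_content),
                           requester, approver, impact_analysis,
                           "approved" if approve else "disapproved")
        self.records.append(rec)
        if approve:
            # CM-3 d: the approved content becomes the new expected baseline.
            self.expected[path] = rec.new_hash
        return rec

    def drift(self, observed):
        """CM-3 f: compare observed file contents against the approved baseline."""
        findings = []
        disapproved = {(r.path, r.new_hash) for r in self.records
                       if r.decision == "disapproved"}
        for path in sorted(self.controlled):
            if path not in observed:
                findings.append((path, "controlled file missing"))
                continue
            h = sha256_hex(observed[path])
            if h == self.expected[path]:
                continue
            if (path, h) in disapproved:
                findings.append((path, "disapproved change was applied anyway"))
            else:
                findings.append((path, "no approved record for observed content"))
        return findings

    def export_records(self):
        """CM-3 e: serialize the decision ledger, one JSON object per line."""
        return "\n".join(json.dumps(asdict(r), sort_keys=True) for r in self.records)


# Constructed sample baseline (not real hosts or files).
INITIAL = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/systemd/system/app.service": b"[Service]\nExecStart=/opt/app/run\n",
}


def demo():
    cc = ChangeControl(INITIAL.keys(), INITIAL)
    hardened = b"PermitRootLogin no\nPasswordAuthentication no\nMaxAuthTries 3\n"
    cc.propose("/etc/ssh/sshd_config", hardened, "alice", "bob",
               "Limits brute-force attempts; no privacy impact", approve=True)
    rogue_unit = b"[Service]\nExecStart=/tmp/.x/payload\n"
    cc.propose("/etc/systemd/system/app.service", rogue_unit, "carol", "bob",
               "ExecStart from /tmp runs unreviewed code; rejected", approve=False)
    observed = {
        "/etc/ssh/sshd_config": hardened,               # matches the approved change
        "/etc/systemd/system/app.service": rogue_unit,  # disapproved change applied
    }
    return cc, cc.drift(observed)


if __name__ == "__main__":
    cc, findings = demo()
    for path, why in findings:
        print(f"{path}: {why}")
    print(cc.export_records())
```

The drift check only reports controlled files whose observed hash is not the approved one; a file that matches a disapproved proposal is called out separately, because a rejected change turning up on the host is a stronger signal of process bypass than an unexplained edit. In a real deployment the ledger would be written to append-only storage for the retention period the organisation sets in cm-03_odp.01.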
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (35)
- T1021.005 VNC (Lateral Movement)
- T1059.006 Python (Execution)
- T1176 Software Extensions (Persistence)
- T1195 Supply Chain Compromise (Initial Access)
- T1195.003 Compromise Hardware Supply Chain (Initial Access)
- T1213 Data from Information Repositories (Collection)
- T1213.001 Confluence (Collection)
- T1213.002 Sharepoint (Collection)
- T1213.005 Messaging Applications (Collection)
- T1495 Firmware Corruption (Impact)
- T1542 Pre-OS Boot (Stealth, Persistence)
- T1542.001 System Firmware (Stealth, Persistence)
- T1542.003 Bootkit (Stealth, Persistence)
- T1542.004 ROMMONkit (Stealth, Persistence)
- T1542.005 TFTP Boot (Stealth, Persistence)
- T1543 Create or Modify System Process (Persistence, Privilege Escalation)
- T1543.002 Systemd Service (Persistence, Privilege Escalation)
- T1546 Event Triggered Execution (Privilege Escalation, Persistence)
- T1547.007 Re-opened Applications (Persistence, Privilege Escalation)
- T1547.013 XDG Autostart Entries (Persistence, Privilege Escalation)
- T1548 Abuse Elevation Control Mechanism (Privilege Escalation)
- T1553 Subvert Trust Controls (Defense Impairment)
- T1553.006 Code Signing Policy Modification (Defense Impairment)
- T1555 Credentials from Password Stores (Credential Access)
- T1556.008 Network Provider DLL (Defense Impairment, Persistence, Credential Access)
- T1564.008 Email Hiding Rules (Stealth)
- T1578.005 Modify Cloud Compute Configurations (Defense Impairment)
- T1601 Modify System Image (Defense Impairment)
- T1601.001 Patch System Image (Defense Impairment)
- T1601.002 Downgrade System Image (Defense Impairment)
- T1647 Plist File Modification (Defense Impairment)
- T1653 Power Settings (Persistence)
- T1666 Modify Cloud Resource Hierarchy (Defense Impairment)
- T1685.002 Disable or Modify Cloud Log (Defense Impairment)
- T1685.004 Disable or Modify Linux Audit System Log (Defense Impairment)
Weaknesses this control addresses (6)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-284 | Improper Access Control | 4,832 | Restricts who may propose, approve, and implement configuration changes and records each decision, so any change to access-control settings has an accountable approver. |
| CWE-269 | Improper Privilege Management | 2,907 | Puts privilege-affecting configuration changes through review and oversight, so privilege grants are not widened without a documented decision. |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,824 | Treats permission settings on critical resources as configuration-controlled items, so an insecure permission change must pass review rather than slip in unnoticed. |
| CWE-285 | Improper Authorization | 1,230 | Requires explicit, documented approval, with security and privacy impact analysis, before a configuration-controlled change is implemented. |
| CWE-15 | External Control of System or Configuration Setting | 59 | Review, approval, and monitoring of configuration changes make an externally driven settings change detectable as drift from the approved baseline; the control is procedural and does not by itself stop an application from accepting attacker-supplied settings. |
| CWE-642 | External Control of Critical State Data | 18 | Monitors, approves, and documents changes to critical configuration state, so unapproved modification of that state is caught in review. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2026-40313 | 1.8 | 9.1 | 0.0004 | partial |
| CVE-2025-54594 | 1.8 | 9.1 | 0.0011 | good |
| CVE-2024-46881 | 1.4 | 7.1 | 0.0003 | good |
| CVE-2026-22869 | 2.0 | 9.8 | 0.0015 | good |
| CVE-2025-25270 | 2.0 | 9.8 | 0.0113 | good |
| CVE-2026-39958 | 1.8 | 9.1 | 0.0006 | partial |
| CVE-2026-30898 | 1.8 | 8.8 | 0.0008 | partial |
| CVE-2025-41717 | 1.8 | 8.8 | 0.0005 | partial |
| CVE-2026-23391 | 1.6 | 7.8 | 0.0002 | partial |
| CVE-2026-31548 | 1.6 | 7.8 | 0.0001 | partial |
| CVE-2026-32303 | 1.5 | 7.6 | 0.0002 | partial |
| CVE-2024-50696 | 1.5 | 7.5 | 0.0016 | partial |
| CVE-2025-1341 | 0.7 | 3.7 | 0.0006 | partial |