NIST 800-53 r5 · Controls catalogue · Family CM
CM-5 Access Restrictions for Change
Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (160)
- T1003 OS Credential Dumping Credential Access
- T1003.001 LSASS Memory Credential Access
- T1003.002 Security Account Manager Credential Access
- T1003.003 NTDS Credential Access
- T1003.004 LSA Secrets Credential Access
- T1003.005 Cached Domain Credentials Credential Access
- T1003.006 DCSync Credential Access
- T1003.007 Proc Filesystem Credential Access
- T1003.008 /etc/passwd and /etc/shadow Credential Access
- T1020.001 Traffic Duplication Exfiltration
- T1021 Remote Services Lateral Movement
- T1021.001 Remote Desktop Protocol Lateral Movement
- T1021.002 SMB/Windows Admin Shares Lateral Movement
- T1021.003 Distributed Component Object Model Lateral Movement
- T1021.004 SSH Lateral Movement
- T1021.005 VNC Lateral Movement
- T1021.006 Windows Remote Management Lateral Movement
- T1021.008 Direct Cloud VM Connections Lateral Movement
- T1047 Windows Management Instrumentation Execution
- T1053 Scheduled Task/Job Execution, Persistence, Privilege Escalation
- T1053.002 At Execution, Persistence, Privilege Escalation
- T1053.003 Cron Execution, Persistence, Privilege Escalation
- T1053.005 Scheduled Task Execution, Persistence, Privilege Escalation
- T1053.006 Systemd Timers Execution, Persistence, Privilege Escalation
- T1053.007 Container Orchestration Job Execution, Persistence, Privilege Escalation
- T1055 Process Injection Defense Evasion, Privilege Escalation
- T1055.008 Ptrace System Calls Defense Evasion, Privilege Escalation
- T1056.003 Web Portal Capture Collection, Credential Access
- T1059 Command and Scripting Interpreter Execution
- T1059.001 PowerShell Execution
- T1059.006 Python Execution
- T1059.008 Network Device CLI Execution
- T1072 Software Deployment Tools Execution, Lateral Movement
- T1078 Valid Accounts Defense Evasion, Persistence, Privilege Escalation, Initial Access
- T1078.002 Domain Accounts Defense Evasion, Persistence, Privilege Escalation, Initial Access
- T1078.003 Local Accounts Defense Evasion, Persistence, Privilege Escalation, Initial Access
- T1078.004 Cloud Accounts Defense Evasion, Persistence, Privilege Escalation, Initial Access
- T1098 Account Manipulation Persistence, Privilege Escalation
- T1098.001 Additional Cloud Credentials Persistence, Privilege Escalation
- T1098.002 Additional Email Delegate Permissions Persistence, Privilege Escalation
- T1098.003 Additional Cloud Roles Persistence, Privilege Escalation
- T1098.004 SSH Authorized Keys Persistence, Privilege Escalation
- T1098.005 Device Registration Persistence, Privilege Escalation
- T1098.007 Additional Local or Domain Groups Persistence, Privilege Escalation
- T1134 Access Token Manipulation Defense Evasion, Privilege Escalation
- T1134.001 Token Impersonation/Theft Defense Evasion, Privilege Escalation
- T1134.002 Create Process with Token Defense Evasion, Privilege Escalation
- T1134.003 Make and Impersonate Token Defense Evasion, Privilege Escalation
- T1136 Create Account Persistence
- T1136.001 Local Account Persistence
Weaknesses this control addresses (8) AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-862 | Missing Authorization | 8,680 | Mandating authorization for changes prevents missing authorization checks on critical modification functions. |
| CWE-284 | Improper Access Control | 4,832 | Enforcing physical and logical access restrictions for system changes directly prevents unauthorized actors from modifying the system. |
| CWE-863 | Incorrect Authorization | 3,234 | The control requires correct implementation of authorization specifically tied to change operations. |
| CWE-269 | Improper Privilege Management | 2,907 | Restricting who can perform changes helps ensure privileges are managed properly rather than assigned broadly. |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,824 | Defining and enforcing access restrictions ensures correct permission assignments on resources that support changes. |
| CWE-285 | Improper Authorization | 1,230 | Requiring definition, approval, and enforcement of access rules for changes addresses improper authorization of modifications. |
| CWE-250 | Execution with Unnecessary Privileges | 305 | Limiting change access to only approved entities reduces the risk of unnecessary privileges being available for modifications. |
| CWE-15 | External Control of System or Configuration Setting | 59 | Restricting changes to system and configuration settings prevents external entities from controlling those settings without approval. |
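The rows above state the weakness classes in the abstract. The following added example (it is not part of the catalogue, of NIST's text, or of any listed project) puts the two shapes side by side: a configuration store that lets any caller flip a setting (CWE-862 and CWE-15), and one that applies the four verbs of CM-5, with the restricted keys defined and documented in one table, approval recorded on a ticket by a second person, and enforcement at the point of change. The role names, setting keys and ticket format are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Set


# Weak form (CWE-862 Missing Authorization, CWE-15 External Control of a
# Configuration Setting): neither the caller nor any approval is checked.
class UnrestrictedConfig:
    def __init__(self) -> None:
        self.settings: Dict[str, Any] = {"auth.mfa_required": True, "log.forward": True}

    def set(self, key: str, value: Any) -> bool:
        self.settings[key] = value  # anyone who reaches this code can change anything
        return True


# Enforced form. The restriction is DEFINED and DOCUMENTED by the tables below,
# APPROVED via a ticket signed off by a different person holding an approver
# role, and ENFORCED by apply(), which refuses and records anything else.
# Key and role names are assumptions for the example, not a standard.
PROTECTED_KEYS: Set[str] = {"auth.mfa_required", "log.forward", "admin.allowlist"}
REQUESTER_ROLES: Set[str] = {"operator", "change-manager"}
APPROVER_ROLES: Set[str] = {"change-manager"}


@dataclass
class ChangeTicket:
    ticket_id: str
    key: str
    value: Any
    requested_by: str
    approved_by: Optional[str] = None


@dataclass
class AuditEntry:
    actor: str
    key: str
    outcome: str  # "applied" or a denial reason


class RestrictedConfig:
    def __init__(self, roles: Dict[str, Set[str]]) -> None:
        self.settings: Dict[str, Any] = {"auth.mfa_required": True, "log.forward": True}
        self.roles = roles  # user -> roles; stands in for a directory/IdP lookup
        self.audit: List[AuditEntry] = []

    def _has_role(self, user: str, allowed: Set[str]) -> bool:
        return bool(self.roles.get(user, set()) & allowed)

    def approve(self, ticket: ChangeTicket, approver: str) -> bool:
        # Separation of duties: a requester may never approve their own change.
        if approver == ticket.requested_by or not self._has_role(approver, APPROVER_ROLES):
            return False
        ticket.approved_by = approver
        return True

    def _check(self, ticket: ChangeTicket, actor: str) -> str:
        if not self._has_role(actor, REQUESTER_ROLES):
            return "denied: actor holds no change role"
        if actor != ticket.requested_by:
            return "denied: actor is not the ticket requester"
        if ticket.key in PROTECTED_KEYS:
            if ticket.approved_by is None:
                return "denied: protected setting requires approval"
            if ticket.approved_by == ticket.requested_by:
                return "denied: self-approval"
            # Re-check at apply time: the approver's role may have been revoked
            # between approval and application.
            if not self._has_role(ticket.approved_by, APPROVER_ROLES):
                return "denied: approver no longer holds approver role"
        return "applied"

    def apply(self, ticket: ChangeTicket, actor: str) -> bool:
        outcome = self._check(ticket, actor)
        self.audit.append(AuditEntry(actor, ticket.key, outcome))  # denials are logged too
        if outcome != "applied":
            return False
        self.settings[ticket.key] = ticket.value
        return True


if __name__ == "__main__":
    # Constructed sample principals for a stand-alone run.
    cfg = RestrictedConfig({"alice": {"operator"}, "bob": {"change-manager"}, "mallory": set()})
    t = ChangeTicket("CHG-1", "auth.mfa_required", False, requested_by="alice")
    print(cfg.apply(t, "alice"))     # False: no approval yet
    print(cfg.approve(t, "alice"))   # False: self-approval
    print(cfg.approve(t, "bob"))     # True
    print(cfg.apply(t, "mallory"))   # False: no change role
    print(cfg.apply(t, "alice"))     # True
    for e in cfg.audit:
        print(e)
```

The audit list is what the control's "enforce" verb produces as evidence: every attempt, including denials, is recorded with the actor and the reason, which is the record an assessor asks for and the signal a detection rule can key on.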
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2024-57520 | 2.2 | 9.8 | 0.0352 | good |
| CVE-2024-39273 | 1.8 | 9.0 | 0.0031 | good |
| CVE-2016-20025 | 1.8 | 8.8 | 0.0003 | good |
| CVE-2021-47852 | 1.8 | 8.8 | 0.0003 | good |
| CVE-2025-41666 | 1.8 | 8.8 | 0.0118 | good |
| CVE-2026-1995 | 1.6 | 7.8 | 0.0001 | good |
| CVE-2026-33509 | 1.5 | 7.5 | 0.0010 | good |
| CVE-2026-35464 | 1.5 | 7.5 | 0.0018 | good |
| CVE-2023-47179 | 2.9 | 8.8 | 0.1915 | good |
| CVE-2026-35029 | 2.7 | 8.8 | 0.1494 | good |
| CVE-2026-22869 | 2.0 | 9.8 | 0.0015 | good |
| CVE-2024-39608 | 2.0 | 10.0 | 0.0026 | good |
| CVE-2025-11007 | 2.0 | 9.8 | 0.0028 | good |
| CVE-2026-35546 | 2.0 | 9.8 | 0.0007 | good |
| CVE-2019-25568 | 2.0 | 9.8 | 0.0003 | good |
| CVE-2026-6235 | 2.0 | 9.8 | 0.0003 | good |
| CVE-2026-42812 | 2.0 | 9.9 | 0.0006 | partial |
| CVE-2016-20024 | 2.0 | 9.8 | 0.0003 | good |
| CVE-2026-3130 | 2.0 | 9.8 | 0.0002 | partial |
| CVE-2025-63690 | 1.9 | 9.1 | 0.0172 | good |
| CVE-2025-55141 | 1.9 | 8.8 | 0.0288 | good |
| CVE-2025-0928 | 1.9 | 8.8 | 0.0232 | good |
| CVE-2021-47770 | 1.8 | 8.8 | 0.0033 | good |
| CVE-2024-39788 | 1.8 | 9.1 | 0.0004 | good |
| CVE-2021-47735 | 1.8 | 8.8 | 0.0049 | good |