NIST 800-53 r5 · Controls catalogue · Family CM

CM-7Least Functionality

Configure the system to provide only {{ insert: param, cm-07_odp.01 }} ; and Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: {{ insert: param, cm-7_prm_2 }}.

Last updated: 09 May 2026 03:25 UTC

Implementations targeting this control (0)

No implementations targeting this control yet.

ATT&CK techniques this control mitigates (223)

T1003 OS Credential Dumping Credential Access
T1003.001 LSASS Memory Credential Access
T1003.002 Security Account Manager Credential Access
T1003.005 Cached Domain Credentials Credential Access
T1008 Fallback Channels Command And Control
T1011 Exfiltration Over Other Network Medium Exfiltration
T1011.001 Exfiltration Over Bluetooth Exfiltration
T1020.001 Traffic Duplication Exfiltration
T1021 Remote Services Lateral Movement
T1021.001 Remote Desktop Protocol Lateral Movement
T1021.002 SMB/Windows Admin Shares Lateral Movement
T1021.003 Distributed Component Object Model Lateral Movement
T1021.005 VNC Lateral Movement
T1021.006 Windows Remote Management Lateral Movement
T1021.008 Direct Cloud VM Connections Lateral Movement
T1027 Obfuscated Files or Information Stealth
T1036 Masquerading Stealth
T1036.005 Match Legitimate Resource Name or Location Stealth
T1036.007 Double File Extension Stealth
T1036.008 Masquerade File Type Stealth
T1037 Boot or Logon Initialization Scripts Persistence, Privilege Escalation
T1037.001 Logon Script (Windows) Persistence, Privilege Escalation
T1040 Network Sniffing Credential Access, Discovery
T1046 Network Service Discovery Discovery
T1047 Windows Management Instrumentation Execution
T1048 Exfiltration Over Alternative Protocol Exfiltration
T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol Exfiltration
T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol Exfiltration
T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol Exfiltration
T1052 Exfiltration Over Physical Medium Exfiltration
T1052.001 Exfiltration over USB Exfiltration
T1053 Scheduled Task/Job Execution, Persistence, Privilege Escalation
T1053.002 At Execution, Persistence, Privilege Escalation
T1053.005 Scheduled Task Execution, Persistence, Privilege Escalation
T1059 Command and Scripting Interpreter Execution
T1059.005 Visual Basic Execution
T1059.007 JavaScript Execution
T1059.009 Cloud API Execution
T1059.010 AutoHotKey & AutoIT Execution
T1068 Exploitation for Privilege Escalation Privilege Escalation
T1071 Application Layer Protocol Command And Control
T1071.001 Web Protocols Command And Control
T1071.002 File Transfer Protocols Command And Control
T1071.003 Mail Protocols Command And Control
T1071.004 DNS Command And Control
T1072 Software Deployment Tools Execution, Lateral Movement
T1078 Valid Accounts Stealth, Persistence, Privilege Escalation, Initial Access
T1078.004 Cloud Accounts Stealth, Persistence, Privilege Escalation, Initial Access
T1080 Taint Shared Content Lateral Movement
T1087 Account Discovery Discovery

Weaknesses this control addresses (8)AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE	Name	CVEs	Why this control addresses it
`CWE-284`	Improper Access Control	4,832	Restricting available functions and services reduces the attack surface and enforces proper access control boundaries.
`CWE-306`	Missing Authentication for Critical Function	2,567	Disabling non-essential functions and services eliminates the need to secure them, reducing exposure from missing authentication on unnecessary components.
`CWE-732`	Incorrect Permission Assignment for Critical Resource	1,824	Configuring systems to provide only required functionality avoids incorrect permission assignments on unneeded resources, ports, or services.
`CWE-285`	Improper Authorization	1,230	By limiting enabled features to only those needed, the control strengthens authorization by removing opportunities for unauthorized use of excess functionality.
`CWE-250`	Execution with Unnecessary Privileges	305	Prohibiting unnecessary functions, ports, protocols, software, and services directly prevents execution with privileges beyond what is required for the system's purpose.
`CWE-1188`	Initialization of a Resource with an Insecure Default	300	Requiring explicit configuration to minimal functionality overrides insecure defaults that would otherwise enable excess capabilities.
`CWE-749`	Exposed Dangerous Method or Function	153	Explicitly prohibiting dangerous or unnecessary functions and services prevents exposure of methods that could be directly exploited.
`CWE-272`	Least Privilege Violation	25	Enforcing only the minimal set of functionality implements least privilege by eliminating unneeded capabilities that could be abused.

Top CVEs where this control is the strongest mitigation

CVE	Risk	CVSS	EPSS	Match
`CVE-2025-27816`	2.0	9.8	0.0031	good
`CVE-2026-23751`	2.0	9.8	0.0019	good
`CVE-2025-43986`	2.0	9.8	0.0011	good
`CVE-2025-52089`	2.0	8.8	0.0320	good
`CVE-2025-42878`	1.6	8.2	0.0008	good
`CVE-2026-34990`	1.6	7.8	0.0001	good
`CVE-2025-41756`	1.6	8.1	0.0004	good
`CVE-2025-62188`	1.5	7.5	0.0002	good
`CVE-2024-40891` KEV	7.0	8.8	0.5324	good
`CVE-2026-27966`	4.2	9.8	0.3658	good
`CVE-2025-22226` KEV	3.7	7.1	0.0432	partial
`CVE-2025-54782`	3.7	8.8	0.3248	good
`CVE-2026-21877`	2.8	9.9	0.1414	good
`CVE-2026-3844`	2.7	9.8	0.1313	good
`CVE-2025-21307`	2.6	9.8	0.1077	partial
`CVE-2026-33057`	2.5	9.8	0.0842	good
`CVE-2025-41243`	2.4	10.0	0.0726	good
`CVE-2025-1497`	2.3	9.8	0.0557	good
`CVE-2025-53145`	2.3	8.8	0.0867	good
`CVE-2025-53144`	2.3	8.8	0.0867	good
`CVE-2025-46817`	2.2	7.0	0.1320	good
`CVE-2025-66631`	2.1	9.8	0.0192	good
`CVE-2025-7206`	2.1	9.8	0.0295	good
`CVE-2025-54574`	2.1	9.3	0.0390	good
`CVE-2026-3587`	2.0	10.0	0.0013	good

Other controls in family CM

CM-1 CM-10 CM-11 CM-12 CM-13 CM-14 CM-2 CM-3 CM-4 CM-5 CM-6 CM-8 CM-9