NIST 800-53 r5 · Controls catalogue · Family CM
CM-9Configuration Management Plan
Develop, document, and implement a configuration management plan for the system that: Addresses roles, responsibilities, and configuration management processes and procedures; Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; Defines the configuration items for the system and places the configuration items under configuration management; Is reviewed and approved by {{ insert: param, cm-09_odp }} ; and Protects the configuration management plan from unauthorized disclosure and modification.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (7)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 10,204 | Protects the configuration management plan from unauthorized disclosure, reducing exposure of sensitive system details. |
CWE-284 | Improper Access Control | 4,832 | Explicitly requires protecting the configuration management plan from unauthorized disclosure and modification. |
CWE-269 | Improper Privilege Management | 2,907 | Defines roles and responsibilities to ensure proper privilege management during configuration changes. |
CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,824 | Places configuration items under formal management, enforcing correct permission assignments on critical resources. |
CWE-276 | Incorrect Default Permissions | 1,757 | Requires documented processes that include setting and maintaining correct default permissions for configuration items. |
CWE-285 | Improper Authorization | 1,230 | Establishes roles, responsibilities, and authorization processes for all configuration management activities. |
CWE-15 | External Control of System or Configuration Setting | 59 | The plan defines processes for identifying and managing configuration items, preventing external unauthorized control of system settings. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | ||||