20 Controls for Effective Cyber Security and Defense

Securing our nation against cyber attacks has become one of the nation’s highest priorities. To achieve this objective, the US Comprehensive National Cybersecurity Initiative (CNCI) has purposed that “offense must inform defense.” In other words, knowledge of actual attacks that have compromised systems provides the essential foundation on which to construct effective defenses.

The US Senate Homeland Security and Government Affairs Committee moved to make this same tenet central to the Federal Information Security Management Act in drafting the U.S. ICE Act of 2009 (the new FISMA). That new proposed legislation calls upon Federal agencies to (and on the White House to ensure that they):

“monitor, detect, analyze, protect, report, and respond against known vulnerabilities, attacks, and exploitations” and “continuously test and evaluate information security controls and techniques to ensure that they are effectively implemented.”

Because federal agencies do not have unlimited funds, current and past federal CIOs and CISOs have agreed that the only rational way they can hope to meet these requirements is to jointly establish a prioritized baseline of information security measures and controls that can be continuously monitored through automated mechanisms.

Consequently, a consensus document of 20 crucial controls was designed to begin the process of establishing the prioritized baseline of information security measures and controls that can be applied across Federal enterprise environments. The 20 specific technical security controls, which include both hardware and software solutions, are viewed as effective in blocking currently known high-priority attacks, as well as those attack types expected in the near future.

Fifteen of these controls can be monitored, at least in part, automatically and continuously. The consensus effort has also identified a second set of five controls that are essential but that do not appear to be able to be monitored continuously or automatically with current technology and practices.

Each of the 20 control areas includes multiple individual subcontrols, each specifying actions an organization can take to help improve its defenses. Here are the 20:


Critical Controls Subject to Automated Collection, Measurement, and Validation:

  1. Inventory of Authorized and Unauthorized Devices
  2. Inventory of Authorized and Unauthorized Software
  3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
  4. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
  5. Boundary Defense
  6. Maintenance, Monitoring, and Analysis of Security Audit Logs
  7. Application Software Security
  8. Controlled Use of Administrative Privileges
  9. Controlled Access Based on Need to Know
  10. Continuous Vulnerability Assessment and Remediation
  11. Account Monitoring and Control
  12. Malware Defenses
  13. Limitation and Control of Network Ports, Protocols, and Services
  14. Wireless Device Control
  15. Data Loss Prevention

Additional Critical Controls (not directly supported by automated measurement and validation):

  1. Secure Network Engineering
  2. Penetration Tests and Red Team Exercises
  3. Incident Response Capability
  4. Data Recovery Capability
  5. Security Skills Assessment and Appropriate Training to Fill Gaps