what is necessary to secure systems, but IGs and auditors, too, need specific guidance on how to measure security.
This document is a first step toward providing specific audit guidelines that CISOs, CIOs, IGs, and the US-CERT can adopt to ensure their agency systems have the baseline security controls in place that are most critical. It takes advantage of the knowledge gained in analyzing the myriad attacks that are being actively and successfully launched against federal systems and our nation's industrial base systems, and in identifying the key controls that are most critical for stopping those attacks.
This effort also takes advantage of the success and insights from the development and usage of standardized concepts for identifying, communicating, and documenting security-relevant characteristics and data. These standards include the following: common identification of vulnerabilities (Common Vulnerabilities and Exposures, CVE), definition of secure configurations (Common Configuration Enumeration, CCE), inventory of systems and platforms (Common Platform Enumeration, CPE), vulnerability severity (Common Vulnerability Scoring System, CVSS), and identification of application weaknesses (Common Weakness Enumeration, CWE). These standards have emerged over the last decade through collaborative research and deliberation between government, academia, and industry. While still evolving, several of these standardization efforts have made their way into commercial solutions and into government, industry, and academic usage. Perhaps the most visible of these has been the Federal Desktop Core Configuration (FDCC), which leveraged the Security Content Automation Program (SCAP). SCAP utilizes mature standardization efforts to clearly define common security nomenclature and evaluation criteria for vulnerability, patch, and configuration measurement guidance, and is intended for adoption by automated tools.
It is strongly recommended that automated tools used to implement or verify the security controls identified in this document employ SCAP, or similar standardization efforts that provide clearly defined nomenclature and evaluation criteria for the areas SCAP does not cover. Additional areas of standardization are emerging (e.g., application weaknesses, events, malware attributes, attack patterns, remediation actions) that will in the future benefit some of the controls identified in this document.
The National Institute of Standards and Technology (NIST) has produced excellent security guidelines that provide a very comprehensive set of security controls. This document, by contrast, seeks to identify the subset of security control activities that CISOs, CIOs, and IGs can agree are their top, shared priority for cyber security. Once agreement is reached, these controls would be the basis for future audits and