evaluations. While aimed at government organizations, the principles and measures addressed in this document are also highly applicable to commercial and academic enterprises and should be usable within the commercial marketplace.
What makes this document effective is that it reflects knowledge of actual attacks and defines controls that would have stopped those attacks from being successful. To construct the document, we have called upon the people who have first-hand knowledge about how the attacks are being carried out:
Red team members in NSA tasked with finding ways of circumventing military cyber defenses
Blue team members at NSA who are often called in when military commanders find their systems have been compromised
US-CERT and other non-military incident response employees and consultants who are called upon by civilian agencies and companies to identify the most likely method by which the penetrations were accomplished
Military investigators who fight cyber crime
Cybersecurity experts at US Department of Energy laboratories and Federally Funded Research and Development Centers (FFRDCs)
DoD and private forensics experts who analyze computers that have been infected
Civilian penetration testers who test civilian government and commercial systems to find how they can be penetrated
Federal CIOs and CISOs who have intimate knowledge of cyber attacks
The Government Accountability Office (GAO)
Consensus Audit Guideline Controls
Twenty critical security controls were agreed upon by knowledgeable individuals from the groups listed above. Of these, fifteen can be validated automatically and five must be validated manually.
Critical Controls Subject to Automated Measurement and Validation:
1: Inventory of Authorized and Unauthorized Hardware.
2: Inventory of Authorized and Unauthorized Software.