Figure 1: Types of Computer Attacker Activities these Controls Are Designed to Help Thwart
Relationship to Other Federal Guidelines, Recommendations, and Requirements
These Consensus Audit Guidelines are meant to reinforce and prioritize some of the most important elements of the guidelines, standards, and requirements put forth in other US Government documentation, such as NIST Special Publication 800-53 (Recommended Security Controls for Federal Information Systems), SCAP, FDCC, FISMA, and Department of Homeland Security Software Assurance documents. These guidelines do not conflict with those recommendations. In fact, the guidelines set forth herein are a proper subset of the recommendations of 800-53, selected so that organizations can focus on a specific set of actions that address the current threats and computer attacks they face every day. A draft mapping of the individual guidelines in this document to specific recommendations of 800-53 is included in Appendix A.
Additionally, the Consensus Audit Guidelines are not intended to be comprehensive in addressing everything that a CIO or CISO must address in an effective security program. For example, in addition to implementing controls identified in this document, organizations must develop appropriate security policies, security architectures, and