system security approvals. Furthermore, CIOs and CISOs must balance business needs and security risks, recognizing that there are sometimes trade-offs between them that must be carefully analyzed and measured.
Periodic and Continual Testing of Controls
Each control in this document includes a series of tests that organizations can conduct on a periodic or, in some cases, continual basis to verify that the appropriate defenses are in place. One goal of these tests is to automate as much of the testing as possible. By building on standardization efforts and content repositories such as SCAP, automated test suites and scripts can be shared across organizations, applied consistently, and readily used by auditors for validation. At various stages, however, human testers are still needed to set up tests or evaluate results in ways that cannot be automated. Because these tests may require access to sensitive systems or data, the testers who measure such controls must be trusted individuals; without appropriate authorization, background checks, and possibly a security clearance, the tests may not be possible at all. Such tests should also be supervised or reviewed by appropriate agency officials who are well versed in the legal limits on monitoring and analysis of information technology systems.
A Work in Progress
The consensus effort to define critical security controls is a work in progress. Changing technology and changing attack patterns will necessitate future revisions even after the controls have been adopted. In that sense this will be a living document, but the controls described in this version are a solid start toward making fundamental computer security hygiene a well-understood, repeatable, measurable, scalable, and reliable process throughout the federal government.