The twenty controls were agreed upon by by cyber security experts from various Federal Government agencies.
Note: The list of controls includes fifteen that are able to be validated in an automated manner and five that must be validated manually.
Consensus Audit Guideline Controls
Critical Controls Subject to Automated Measurement and Validation:
1: Inventory of Authorized and Unauthorized Hardware.
2: Inventory of Authorized and Unauthorized Software.
3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers.
4: Secure Configurations of Network Devices Such as Firewalls and Routers.
5: Boundary Defense 5
6: Maintenance and Analysis of Complete Security Audit Logs
7: Application Software Security
8: Controlled Use of Administrative Privileges
9: Controlled Access Based On Need to Know
10: Continuous Vulnerability Testing and Remediation
11: Dormant Account Monitoring and Control
12: Anti‐Malware Defenses
13: Limitation and Control of Ports, Protocols and Services
14: Wireless Device Control
15: Data Leakage Protection
Additional Critical Controls (not directly supported by automated measurement and validation):
16. Secure Network Engineering
17. Red Team Exercises
18. Incident Response Capability
19. Data Recovery Capability
20. Security Skills Assessment and Training to Fill Gaps
The controls above were agreed upon by knowledgeable individuals from the Federal Government entities listed below.
Contributing Federal Groups:
- Red team members in NSA tasked with finding ways of circumventing military cyber defenses
- Blue team members at NSA who are often called in when military commanders find their systems have been compromised
- US‐CERT and other non‐military incident response employees and consultants who are called upon by civilian agencies and companies to identify the most likely method by which the penetrations were accomplished
- Military investigators who fight cyber crime
- Cybersecurity experts at US Department of Energy laboratories and Federally Funded Research and Development Centers (FFRDCs).
- DoD and private forensics experts who analyze computers that have been infected
- Civilian penetration testers who test civilian government and commercial systems to find how they can be penetrated
- Federal CIOs and CISOs who have intimate knowledge of cyber attacks
- The Government Accountability Office (GAO)
Reference:
http://csis.org/files/media/csis/pubs/090223_cag_1_0_draft4.1.pdf