Critical Security Controls

The Council’s Technology practice area is built upon the Top 20 Critical Security Controls (the Controls), a recommended set of actions for cyber defense that provide specific and actionable ways to thwart the most pervasive attacks. The Controls have been developed and maintained by an international, grass-roots consortium which includes a broad range of companies, government agencies, institutions, and individuals from every part of the ecosystem (threat responders and analysts, security technologists, vulnerability-finders, tool builders, solution providers, front-line defenders, users, consultants, policy-makers, executives, academia, auditors, etc.) who have banded together to create, adopt, and support the Controls.

 

Critical Controls Version 5.0:

The Council on CyberSecurity is proud to announce the publication of the Top 20 Critical Security Controls Version 5.0 – a reference set of recommendations for tangible methods to address risks to enterprise data and systems. The relevance of the Controls comes from the fact that it is regularly reviewed and updated by a consortium of experts to make it consistently applicable to current environments, as well as the wealth of products, processes and services which align to the Controls. To provide feedback, send an email to This email address is being protected from spambots. You need JavaScript enabled to view it. .

Critical Security Controls v5.0 Final 2014-02-27 (PDF | 1.67mb)

 

Watch the Council's Chief Technologist, Tony Sager, speak about the Critical Controls Version 5.0 during his presentation "The Fog of More" at RSA Conference 2014.

Watch "The Fog of More" at RSA Conference 2014

Previous Critical Controls Documents:

Critical Controls for Effective Cyber Defense v4.1 (PDF | 1.44mb)

Tools for Automating the Critical Controls v4.1 (external link)

The Critical Security Controls: The Foundation for an
Enterprise Risk Management Framework
(PDF | 208kb)


 

Overview of the Critical Controls

The 20 Critical Controls for Effective Cyber Defense (the Controls) are a recommended set of actions for cyber defense that provide specific and actionable ways to stop today’s most pervasive attacks. They were developed and are maintained by a consortium of hundreds of security experts from across the public and private sectors. An underlying theme of the Controls is support for large-scale, standards-based security automation for the management of cyber defenses.

The actions defined by the Controls are demonstrably a subset of the comprehensive catalog defined by NIST SP 800-53. The Controls do not attempt to replace the National Institute of Standards and Technoloy comprehensive Risk Management Framework. The Controls instead prioritize and focus on a smaller number of actionable controls with high-payoff, aiming for a “must do first” philosophy. Since the Controls were derived from the most common attack patterns and were vetted across a very broad community of government and industry, with very strong consensus on the resulting set of controls, they serve as the basis for immediate high-value action.

Significance of the Controls

We are at a fascinating point in the evolution of what we now call cybersecurity. More so now than at any point in the last few decades, defenders have access to an extraordinary array of security tools and technology, security standards, training and classes, certifications, vulnerability databases, configuration guidance, best practices, catalogs of security controls, and countless security checklists, benchmarks, and recommendations. In terms of our understanding of the threat, we’ve seen the growth of numerous threat information feeds, reports, tools, alert services, standards, and threat sharing schemes. And to tie it all together, we are surrounded by security requirements, risk management frameworks, compliance regimes, regulatory mandates, and so forth.

There is a near-infinite list of “good things” for every enterprise to do and to know to improve the security of cyberspace, but not always clarity on what to prioritize. This overload of defensive support is like a “Fog of More”- more options, more tools, more knowledge, more advice, and more requirements… but not always more security.

Despite all of this well-intended information and technology and oversight, our problem seems to be getting worse faster than we are getting better. It is also clear that in our complex, interconnected world, no enterprise can think of its security as a standalone problem.

So how can we as a community – the community at large, as well as within sectors, partnerships, and coalitions - band together to establish priority of action, support each other, and keep our knowledge and technology current in the face of a rapidly evolving problem? What are the most critical problems we need to solve, what should an enterprise do first, which defensive steps have the greatest value? These are the kinds of problems that drive the Top 20 Critical Security Controls.

A key element of the Controls is the community aspect of this movement – how people and institutions voluntarily help each other by:

  • sharing insight into attacks by adversaries, summarizing the classes of attacks seen, finding root causes, and then translating that into classes of defensive action
  • documenting use cases of adoption and the successful application of tools to solve these problems
  • mapping the Controls to existing regulatory and compliance frameworks in order to bring priority and focus to their application
  • sharing tools, working aids, and translations with the community-at-large
  • identifying problems in common (like initial assessment of an enterprise, developing implementation roadmaps, gaining support from management) and solving them as a group instead of individually

The Top 20 Critical Security Controls illustrate of the kind of large-scale, public-private, voluntary cooperation we need as a community if we are going to improve our individual and collective security in cyberspace. It is a sad and unspoken aspect of the state of cybersecurity that by many measures, the “bad guys” are better organized and collaborate more closely than the “good guys.” The Controls provide a means to turn that around.

History & Impact of the Controls

Over the years, many standards for cybersecurity have been developed in order to provide a framework for addressing the risks that can threaten networks and the data within them. Most of these efforts, however, have more or less been exercises in reporting on compliance, effectively diverting necessary program resources. It wasn’t until 2008 that the National Security Agency (NSA) was asked by the Office of the Secretary of Defense (OSD) to help prioritize the many controls available, and began to take action with an “offense must inform defense” approach. While initially a project among government entities led by NSA, the effort expanded through a public-private consortium with the SANS Institute and the Center for Internet Security (CIS). The consortium soon expanded to include government entities from the United States and abroad, law enforcement agencies, security service providers, national laboratories, academic institutions, and others.

In 2008, the Center for Strategic and International Studies (CSIS) published the Controls for the first time, based in part the expertise gained through its convening of the Commission on Cybersecurity for the 44th Presidency. This initial draft of the Controls was shared with over 50 IT and security organizations for additional input in 2009. Since that time, the consortium has grown, and the Controls are refined through active involvement of members.

One of the earliest adopters was the U.S. Department of State, who determined that among the 3,085 cyber attacks it had experienced over fiscal year 2009, the 20 Controls showed remarkable alignment with actual attacks. Subsequently implemented by every system administrator across 24 time zones in which the Department operates, the Controls achieved an 88% reduction in vulnerability-based risks across 85,000 systems.

In December of 2011, the Centre for the Protection of National Infrastructure (CPNI) announced that the government of the United Kingdom would be adopting the 20 Critical Security Controls as the framework for securing their critical infrastructure. And in May of 2012, the NSA Director fully endorsed the adoption of the 20 Controls as a foundation for effective network security.

Today, the Controls are being used widely across the country and among international organizations. Studies conducted by the SANS Institute have found that 73% of surveyed organizations have adopted the Controls or plan to implement them, but only 10% expressed that they’ve done a complete job of adopting all of the controls that apply to them. This indicates both the opportunity and challenges of implementing effective cybersecurity measures.

The Council on CyberSecurity will continue the work of the consortium through stewardship of the Critical Security Controls. This includes the regular convening of experts to refine, update and validate the Controls, as well as collaboration with public and private partners globally to promote their adoption and implementation.

Critical Controls Case Studies

Implement the Critical Controls

Additional Resources

Newsletter Sign-Up

Connect With CCS

Contact CCS

  • Council on CyberSecurity
  • 1700 North Moore Street
  • Suite 2100
  • Arlington, VA 22209