“A Complete Revolution in Federal Cybersecurity”

This blog has previously discussed the CSIS Commission report on cybersecurity, and one of the next steps toward federal cybersecurity was announced yesterday. A consortium of US federal agencies has drawn up a list of critical security controls that they hope will serve as a gold standard for cybersecurity. The Consensus Audit Guidelines (CAG) list is part of a larger plan to apply the CSIS Commission report as a blueprint for making federal information systems more secure.

The CAG project began last year in response to data losses in the US defense industry. Participants include the National Security Agency, the Department of Homeland Security, US-CERT, the Department of Defense, the Department of Energy's Los Alamos National Lab, and many others. The Mitre Corporation and the SANS Institute are also involved.

“I do not know of anything going on in security that will have the impact this one can have,” Alan Paller, director of research at the SANS Institute, told El Reg. “It’s a complete revolution in federal cybersecurity, and business security as well. In the past cybersecurity was driven by people who had no clue of how the attacks are carried out. They created an illusion of security. The CAG will turn that illusion to reality.”

The CAG’s Critical Security Controls:

1. Hardware audit (inventory of authorized and unauthorized devices)
2. Inventory of authorized and unauthorized software
3. Secure configurations for computers and servers
4. Secure configurations of network devices such as firewalls and routers
5. Boundary defense
6. Maintenance of audit logs
7. Application software security
8. Controlled use of administrative privileges
9. Access controls based on need to know
10. Continuous vulnerability testing and remediation
11. Dormant account monitoring and control
12. Anti-malware defenses
13. Limitation and control of ports, protocols and services
14. Wireless device control
15. Data leak protection
16. Secure network engineering
17. Red team exercises
18. Incident response capability
19. Data recovery
20. Security skills assessment and training

To read more about this huge announcement, including the full control descriptions and the public comment process, see http://www.sans.org/cag/