Cybersecurity Controls

Amid increasing scrutiny over U.S. cybersecurity, experts from the private and public sectors are pushing a set of recommendations they say are sorely needed to help shore up the nation’s defenses against data breaches. The resulting Consensus Audit Guidelines (CAG) map out requirements for security controls needed to protect IT installations in government and the private sector.

Their creators include the U.S. Department of Homeland Security’s US-CERT unit, the National Security Agency, and the Department of Defense. Commercial penetration testing and forensics experts from security vendors InGuardians and Mandiant also joined the effort.

The release comes on the heels of an earlier report by the Center for Strategic and International Studies (CSIS), a Washington think tank, which found U.S. cybersecurity policy lacking in the wake of high-profile breaches in both government and industry.

Aiming to shut the door on such attacks, the new CAG recommendations (available here) call for organizations to adopt 20 key security controls to safeguard themselves against current and future threats.

Recommendations include inventorying hardware and software, maintaining and analyzing security audit logs, setting up boundary defense measures, and implementing secure configurations for hardware, software, and network devices.
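The controls above are stated at the level of policy. As an added illustration (not code from the article, from the CAG authors, or from any organization named here), the following Python script shows what the inventory and secure-configuration controls look like once they are automated: an observed inventory is compared against an approved baseline, unknown hosts and unauthorized software are flagged, and each host's settings are checked against a required configuration. Every host name, package and setting value is constructed sample data, and the two SSH-style setting names are assumptions chosen for illustration.

```python
"""Inventory and secure-configuration drift check (added example, constructed data)."""

# Constructed approved baseline: hostname -> set of authorized packages.
APPROVED_BASELINE = {
    "web-01": {"nginx", "openssl", "openssh-server"},
    "db-01": {"postgresql", "openssh-server"},
    "bastion-01": {"openssh-server"},
}

# Constructed secure-configuration expectations (setting names are assumptions).
REQUIRED_CONFIG = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
}

# Constructed observations from a hypothetical scan run.
OBSERVED_INVENTORY = {
    "web-01": {"nginx", "openssl", "openssh-server", "telnetd"},
    "db-01": {"postgresql", "openssh-server"},
    "lab-07": {"python3"},  # host not present in the baseline at all
}

OBSERVED_CONFIG = {
    "web-01": {"PermitRootLogin": "no", "PasswordAuthentication": "yes"},
    "db-01": {"PermitRootLogin": "no", "PasswordAuthentication": "no"},
    "lab-07": {"PermitRootLogin": "yes"},  # second setting absent entirely
}


def check_inventory(baseline, observed):
    """Compare an observed inventory against the approved baseline.

    Returns a dict with:
      unknown_hosts         - hosts seen but not in the baseline (likely unmanaged)
      missing_hosts         - baseline hosts the scan did not reach (a silent host is a finding)
      unauthorized_software - host -> sorted packages not approved for that host
      missing_software      - host -> sorted approved packages that were not seen
    """
    result = {"unknown_hosts": [], "missing_hosts": [],
              "unauthorized_software": {}, "missing_software": {}}
    for host, packages in observed.items():
        if host not in baseline:
            result["unknown_hosts"].append(host)
            continue
        extra = sorted(packages - baseline[host])
        missing = sorted(baseline[host] - packages)
        if extra:
            result["unauthorized_software"][host] = extra
        if missing:
            result["missing_software"][host] = missing
    result["unknown_hosts"].sort()
    result["missing_hosts"] = sorted(set(baseline) - set(observed))
    return result


def check_config(required, observed):
    """Return host -> list of (setting, expected, actual) for every deviation.

    A setting that is absent from the host counts as a deviation (actual=None),
    because an unset value cannot be assumed to equal the required one.
    """
    findings = {}
    for host, settings in observed.items():
        for key, expected in required.items():
            actual = settings.get(key)
            if actual != expected:
                findings.setdefault(host, []).append((key, expected, actual))
    return findings


def total_findings(inventory_result, config_findings):
    """Count every individual finding across both checks."""
    count = len(inventory_result["unknown_hosts"]) + len(inventory_result["missing_hosts"])
    count += sum(len(v) for v in inventory_result["unauthorized_software"].values())
    count += sum(len(v) for v in inventory_result["missing_software"].values())
    count += sum(len(v) for v in config_findings.values())
    return count


if __name__ == "__main__":
    inv = check_inventory(APPROVED_BASELINE, OBSERVED_INVENTORY)
    cfg = check_config(REQUIRED_CONFIG, OBSERVED_CONFIG)
    for host in inv["unknown_hosts"]:
        print(f"[inventory] unknown host: {host}")
    for host in inv["missing_hosts"]:
        print(f"[inventory] baseline host not seen: {host}")
    for host, pkgs in inv["unauthorized_software"].items():
        print(f"[inventory] {host}: unauthorized software {pkgs}")
    for host, items in cfg.items():
        for key, expected, actual in items:
            print(f"[config] {host}: {key} expected {expected!r}, found {actual!r}")
    print(f"{total_findings(inv, cfg)} finding(s)")
```

In practice the baseline would be maintained as a versioned file and the observed data would come from an agent or scanner export, with the script run on a schedule so that drift is caught as it appears rather than at the next audit.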

The effort marks the latest moves by security experts to fight back against an onslaught of major data breaches in both industry and government. The proposed CAG controls are also organized so that they can be implemented in stages, which their creators said is more practical than urging organizations to implement them all at once.