Top 20 Critical Security Controls not popular with federal IT pros

The National Security Agency created a best security practices list for their customers, which was later expanded through a large-scale community project initiated by the SANS Institute and sponsored by the Center for Strategic and International Studies (CSIS).

The outcome of this project was the Top 20 Critical Security Controls (20 CSC) – a prioritized list of security best practices that were proven to help organizations combat the most common cybersecurity issues as well as reduce the greatest number of exploitable cyberattack vectors.

According to a recent U.S. Government Accountability Office (GAO) study, the number of security incidents reported by federal agencies has increased 782 percent from 2006-2012. Despite this growing number, survey results indicate that the 20 CSC have not yet been adopted by many federal agencies.

Tripwire has surveyed the attitudes of 110 federal information technology professionals from military, intelligence and civilian agencies regarding the implementation of 20 CSC, and these are the findings:

• Only 11 percent of the respondents have implemented the 20 CSC.
• Only 53 percent consider the 20 CSC to be valuable to their organization’s security strategy.
• 66 percent do not have plans to adopt the 20 CSC at this time.

“The Top 20 Critical Security Controls were not designed to be a replacement or alternative for comprehensive risk management frameworks like FISMA,” said Tony Sager, director of programs for the Council on CyberSecurity.

“Instead, the Controls bring priority and focus to complex cybersecurity problems and make it possible to align the many complex and often conflicting schemes that regulate, oversee or determine security practices. Highly knowledgeable practitioners across every business sector have agreed that these 20 Critical Security Controls stop the vast majority of the attacks seen today.”

Additional Tripwire survey findings include:

• Only 18 percent of respondents implementing controls are doing so in the order proposed.
• 79 percent use the 20 CSC as general guidelines.
• 88 percent believe the 20 CSC will complement, not replace, existing FISMA efforts.

“The 20 Critical Security Controls are easily understood by nontechnical mission owners and have been proven time and again by agencies around the world to be effective against the greatest number of targeted cyberattacks,” said Rekha Shenoy, vice president of marketing and corporate development for Tripwire.

“In addition, a significant percentage of these controls can be automated, dramatically reducing the time and resources required to implement them. For example, automation of security configuration management and vulnerability management makes implementation of continuous diagnostics and mitigation very achievable. Mission owners at every agency should be asking how their security strategies stack up against the 20 Critical Security Controls.”