- SANS Site Network
- Current Site
- Training
- Choose a different site Help
- Certification
- Cyber Security Graduate School
- Internet Storm Center
- Security Awareness Training
- Computer Forensics
- Penetration Testing
- IT Audit
- Software Security
- Secure Access / Login
- Find Training
- Search For Training
- Upcoming Events
- Course List
- NetWars
- Ways To Train
- Training Curricula »
- Security
- Management
- Forensics
- Secure Software Development
- Penetration Testing
- System Administration
- Incident Handling
- Intrusion Analysis
- Audit
- Legal
- Cyber Guardian
- Group Discounts
- Calendars
- Live Training
- Search For Training
- Upcoming Events
- Summits
- Community Events
- Mentor
- OnSite
- Work Study
- COINS
- Online Training
- Search For Training
- vLive
- OnDemand
- Simulcast »
- Event
- Custom
- Security Awareness
- SelfStudy
- Programs
- Voucher Credit
- Cyber Guardian
- Cyber Ranges
- Hacker Guard
- Cybersecurity Innovation Awards
- Enterprise Solutions
- DoD 8570
- Resources
- Reading Room
- Webcasts
- Newsletters
- Blogs
- Top 25 Programming Errors
- Top 20 Critical Controls
- Security Policy Project
- From Vendors
- Additional Resources
- Vendor
- Overview
- Sponsorship
- Demographics
- Events
- Contact
- About
- About SANS
- Why SANS?
- Instructors
- Contact SANS
- SANS FAQ
- Link to SANS
- Press Room
- PGP Key
- PGP Key - Local Copy
CSIS: 20 Critical Security Controls Version 4.0
Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines
The Twenty Critical Security Controls have already begun to transform security in government agencies and other large enterprises by focusing their spending on the key controls that block known attacks and find the ones that get through. With the change in FISMA reporting implemented on June 1, the 20 Critical Controls become the centerpiece of effective security programs across government These controls allow those responsible for compliance and those responsible for security to agree, for the first time, on what needs to be done to make systems safer. No development in security is having a more profound and far reaching impact.
These Top 20 Controls were agreed upon by a powerful consortium brought together by John Gilligan (previously CIO of the US Department of Energy and the US Air Force) under the auspices of the Center for Strategic and International Studies. Members of the Consortium include NSA, US Cert, DoD JTF-GNO, the Department of Energy Nuclear Laboratories, Department of State, DoD Cyber Crime Center plus the top commercial forensics experts and pen testers that serve the banking and critical infrastructure communities.
The automation of these Top 20 Controls will radically lower the cost of security while improving its effectiveness. The US State Department, under CISO John Streufert, has already demonstrated more than 94% reduction in "measured" security risk through the rigorous automation and measurement of the Top 20 Controls.
A Brief History Of The 20 Critical Security Controls >>
20 Critical Security Controls - Version 4.0
- Critical Control 1: Inventory of Authorized and Unauthorized Devices
- Critical Control 2: Inventory of Authorized and Unauthorized Software
- Critical Control 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- Critical Control 4: Continuous Vulnerability Assessment and Remediation
- Critical Control 5: Malware Defenses
- Critical Control 6: Application Software Security
- Critical Control 7: Wireless Device Control
- Critical Control 8: Data Recovery Capability
- Critical Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps
- Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
- Critical Control 11: Limitation and Control of Network Ports, Protocols, and Services
- Critical Control 12: Controlled Use of Administrative Privileges
- Critical Control 13: Boundary Defense
- Critical Control 14: Maintenance, Monitoring, and Analysis of Audit Logs
- Critical Control 15: Controlled Access Based on the Need to Know
- Critical Control 16: Account Monitoring and Control
- Critical Control 17: Data Loss Prevention
- Critical Control 18: Incident Response and Management
- Critical Control 19: Secure Network Engineering
- Critical Control 20: Penetration Tests and Red Team Exercises
Download PDF Version (English)
Download Winter 2012 Poster
This work is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.
To further clarify the Creative Commons license related to the 20 Critical Controls content, (i) All persons are authorized to use the content as a framework in their organization or to sell professional services related to the content (e.g. a consulting engagement to implement the 20 Critical Controls), and (ii) sale of the contents as a framework model is not authorized. Users of the 20 Critical Controls framework are also required to refer to www.sans.org/critical-security-controls/ when referring to the 20 Critical Controls in order to ensure that users are employing the most up to date guidance.
You may use the following code to embed the 20 Critical Controls on your site:
<br src="/img/spacer.gif">
A Brief History Of The 20 Critical Security Controls
View the 2011 US Government CIO Security Reporting Requirements (FISMA Metrics)
(PDF 184 KB)
Submit Comments and Feedback