Securing the United States against cyber-attacks has become one of the nation’s highest priorities. To achieve this objective, networks, systems, and the operations teams that support them must vigorously defend against external attacks. Furthermore, for those external attacks that are successful, defenses must be capable of thwarting, detecting, and responding to follow-on attacks on internal networks as attackers spread inside a compromised network.

This group of 20 crucial controls is designed to begin the process of establishing that prioritized baseline of information security measures and controls that can be applied across enterprise environments. Fifteen of these controls can be monitored, at least in part, automatically and continuously. This course has also identified a set of five controls that are essential but that do not appear to be able to be monitored continuously or automatically with current technology and practices.

The guiding principles used in devising these control areas and their associated subcontrols include:

• Defenses should focus on addressing the most common and damaging attack activities occurring today.
• Enterprise environments must ensure consistent controls across an enterprise to effectively negate attacks.
• Defenses should be automated where possible, and periodically or continuously measured using automated measurement techniques where feasible.
• To address current attacks occurring on a frequent basis against numerous organizations, a variety of specific technical activities should be undertaken to produce a more consistent defense.

The control areas and individual subcontrols described focus on various technical aspects of information security, with a primary goal of supporting organizations in prioritizing their efforts in defending against today’s most common and damaging computer and network attacks. Outside of the technical realm, a comprehensive security program should also take into account numerous additional areas of security, including overall policy, organizational structure, personnel issues (e.g., background checks, etc.), and physical security.

To help maintain focus, the controls in this document do not deal with these important, but non-technical, aspects of information security. Organizations should build a comprehensive approach in these other aspects of security as well, but overall policy, organization, personnel, and physical security are outside of the scope of this document.