The outcome of this project was the Top 20 Critical Security Controls (20 CSC): a prioritized list of security best practices shown to help organizations address the most common cybersecurity problems and to eliminate the largest number of exploitable attack vectors.
According to a recent U.S. Government Accountability Office (GAO) study, the number of security incidents reported by federal agencies increased 782 percent from 2006 to 2012. Despite this growth, the survey results indicate that the 20 CSC have not yet been adopted by many federal agencies.
Tripwire surveyed 110 federal information technology professionals from military, intelligence and civilian agencies about their attitudes toward implementing the 20 CSC. The findings:
- Only 11 percent of the respondents have implemented the 20 CSC.
- Only 53 percent consider the 20 CSC to be valuable to their organization’s security strategy.
- 66 percent do not have plans to adopt the 20 CSC at this time.
“Instead, the Controls bring priority and focus to complex cybersecurity problems and make it possible to align the many complex and often conflicting schemes that regulate, oversee or determine security practices. Highly knowledgeable practitioners across every business sector have agreed that these 20 Critical Security Controls stop the vast majority of the attacks seen today.”
Additional Tripwire survey findings include:
- Only 18 percent of the respondents who are implementing the controls are doing so in the order proposed.
- 79 percent use the 20 CSC as general guidelines.
- 88 percent believe the 20 CSC will complement, not replace, existing FISMA efforts.
“In addition, a significant percentage of these controls can be automated, dramatically reducing the time and resources required to implement them. For example, automation of security configuration management and vulnerability management makes implementation of continuous diagnostics and mitigation very achievable. Mission owners at every agency should be asking how their security strategies stack up against the 20 Critical Security Controls.”