FISMA compliance

CSIS: 20 Critical Security Controls

Government information security has come under scrutiny in the past few years. With this in mind, FISMA requirements have been reviewed to make understanding compliance simpler. The 20 Critical Security Controls focuses on prevention, monitoring and detection; all of which are essential to cyber security.

The 20 requirements will help to ensure organisations know what to prioritise and also what to measure to allow consistent compliance throughout the year. By focusing on whats important, government agencies can utilise their budget effectively.

20 Critical Controls
CSIS: 20 Critical Security Controls
Critical Control Effect on Attack Mitigation

1.

the Inventory of Authorized in Unauthorized 2. past few years. With thisandmind, FISMA requirements Very high haveSoftware been reviewed to make understanding compliance
3. Secure Configurations for Hardware and simpler. Software on Laptops, Workstations, and Servers 4. Very high

Inventory of Authorised and unauthorised Very high Government information security has come under scrutiny in devices

The 20 Critical Security Controls focusesand prevention, high on Continuous Vulnerability Assessment Very monitoring and detection; all of which are essential to cyber Remediation security. 5. Malware Defences High
6. 7.

The 20 requirements will help to ensure organisationsHigh know Wireless Device Control what Data Recovery Capability to measure to allow to prioritise and also what 8. Moderately consistent compliance throughout the year. By focusing on high to high whats important, government agencies can utiliseModerately their 9. Security Skills Assessment and Appropriate Training to Fill high to high budget effectively. Gaps
10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches Moderately high

Application Software Security

High

11. Limitation and Control of Network Ports, Protocols, and Services 12. Controlled Use of Administrative Privileges

Moderately high

Moderate to Moderately CSIS: 20 Critical Security Controls High Moderate Moderate

13. Boundary Defence 14. Maintenance, Monitoring, and Analysis of Security Audit Logs

Government information security has come under scrutiny in 15. Controlled Access Based on the Need to Moderate the past few years. With this in mind, FISMA requirements Know have been reviewed to make understanding compliance 16. Account Monitoring and Control Moderate simpler.
17. Data Loss Prevention

monitoring and detection; all of which are essential to cyber 18. Incident Response Capability Moderately Low to security. Moderate
19. Secure Network Engineering

Moderately Low to The 20 Critical Security Controls focuses on prevention, Moderate

The 20 requirements will help to ensure organisations know 20. Penetration Tests and Red Team Exercises Low what to prioritise and also what to measure to allow consistent compliance throughout the by all threats. Very high actively targeted and exploitedyear. By focusing on High known entry government agencies can utilise their whats important, point for targeted attacks. Moderate reduce attack surface, address known propagation budget effectively.
For more information on applying the 20 Critical Controls, visit Sans.org

Low

techniques, and/or mitigate impact. Low optimising, validating, and/or effectively managing controls.