Cybersecurity audit guidelines recommended

A group of cybersecurity experts today recommended twenty specific security controls that the government and industry should deploy to block or lessen the consequences of cyberattacks that come from inside and outside threats. The recommended controls are meant to provide a standard baseline for measuring computer security.

The recommendations, the Consensus Audit Guidelines, were agreed to by federal and private-industry cybersecurity officials and are based on specific experiences in dealing with particular attacks directed at the information systems of the government and the defense industrial base. For each recommended control, the group also detailed the types of cyberattacks it could thwart, how it could be implemented and how to evaluate its effectiveness.

Alan Paller, the director of research at the SANS Institute who worked on the guidelines, said the strategy is significant because it has specific actions for agencies to take and a way to measure their effectiveness, something he said the Government Accountability Office has been requesting. He said the project, started in early 2008, was inspired by the realization that the defense industrial base’s systems had been deeply penetrated.

“The fundamental error that was made in federal cybersecurity was asking people who had never understood the offense to tell us how to defend our systems,” he added.

The group of officials said the guidelines are meant to provide a set of security control activities that chief information security officers, chief information officers and inspectors general can agree on for evaluating the security of information systems. Although the guidelines are directed at federal agencies, the group said the guidelines are also relevant for systems run by academia and the private sector.

The team that crafted the guidelines was composed of officials from the Defense and Homeland Security departments, the National Security Agency, the SANS Institute, GAO and the Energy Department's national laboratories.

The guidelines are part of an ongoing effort through the Center for Strategic and International Studies to implement the recommendations of CSIS’ Commission on Cyber Security for the 44th Presidency that were released in December. The recommendations also come during the Obama administration’s ongoing 60-day review of the government’s overall cybersecurity efforts.

Fifteen of the recommended baseline security controls can be monitored automatically and five of the controls would need to be implemented manually. The controls are categorized as steps that can produce “quick wins” to improve cybersecurity, those that would specifically improve visibility and attribution, controls meant to improve an organization’s information security posture, as well as more advanced controls.

The public is being asked to review the guidelines and provide suggestions over the next thirty days, and the recommended audit guidelines will also be compared with other existing audit standards. In addition, several federal agencies will conduct pilots to test the value of using the guidelines, and the CIO Council and the Federal Audit Executive Council will also review the recommended controls, the group said.

Additions will be made to the guidelines as needed, and the National Institute of Standards and Technology is providing an explanation of how the recommended guidelines fit with its existing high-level information security control guidance.

The controls that make up the guidelines include:

  • Inventories of the authorized and unauthorized hardware and software in use.
  • Secure configurations for hardware, software and network security devices.
  • Wireless device control and data leakage protection.
  • Defenses against malware.
  • Controlled access and administrative privileges.
  • Incident response and data recovery capabilities.
  • Training and security skill assessments for employees.

About the Author

Ben Bain is a reporter for Federal Computer Week.


Reader comments

Tue, Feb 24, 2009 Editor

Now added.

Tue, Feb 24, 2009

No link...

Tue, Feb 24, 2009 Editor

The link to the guidelines has been added to the document title in the second paragraph.

Tue, Feb 24, 2009

I have rarely looked at your articles because they are too general to be of value. Whatever happened to the day when publishers demanded detail for their readers?

Tue, Feb 24, 2009

Where can the specific guidelines be located? How do these guidelines sync, or not, with the latest NIST revision of 800-53?
