Overview[]
The goal of the Critical Controls is to protect critical assets, infrastructure, and information by strengthening your organization's defensive posture through continuous, automated protection and monitoring of your sensitive information technology infrastructure to reduce compromises, minimize the need for recovery efforts, and lower associated costs.
The Critical Controls encompass and amplify efforts over the last decade to develop security standards, including the Security Content Automation Protocol (SCAP) sponsored by the National Institute of Standards and Technology (NIST) and the Associated Manageable Network Plan Milestones and Network Security Tasks developed by the National Security Agency (NSA).
In particular, NSA's work allowed for prioritizing the controls based on whether they address operational conditions being actively targeted and exploited, combat a large number of attacks, block attacks early in the compromise cycle, and deal with an expected high impact of successful exploitation. The Controls focus on automation to provide cost efficiency, measurable results, scalability, and reliability.
The five critical tenets of an effective cyber defense system as reflected in the Critical Controls are:
- Offense informs defense: Use knowledge of actual attacks that have compromised systems to provide the foundation to build effective, practical defenses. Include only those controls that can be shown to stop known real-world attacks.
- Prioritization: Invest first in controls that will provide the greatest risk reduction and protection against the most dangerous threat actors, and that can be feasibly implemented in your computing environment.
- Metrics: Establish common metrics to provide a shared language for executives, IT specialists, auditors, and security officials to measure the effectiveness of security measures within an organization so that required adjustments can be identified and implemented quickly.
- Continuous monitoring: Carry out continuous monitoring to test and validate the effectiveness of current security measures.
- Automation: Automate defenses so that organizations can achieve reliable, scalable, and continuous measurements of their adherence to the controls and related metrics.