New version of 20 top security controls is available

Consensus Audit Guidelines can help agencies manage their security efforts

Version 2.3 of the Consensus Audit Guidelines, the top 20 critical security controls agreed on by a consortium of private and government security experts, has been released and is available on the Web site of the SANS Institute.

The consortium includes the National Security Agency, the U.S. Computer Emergency Readiness Team, and agencies from the departments of Defense, State and Energy, in addition to commercial forensics experts and white hat hackers. The controls are intended to help large enterprises prioritize and automate efforts to block known attacks and identify intrusions. They include 15 automated controls and five additional controls that cannot be automated to the same degree.

The automated controls include: complete inventories of hardware devices and software; secure configurations of networking and endpoint equipment; boundary defenses; maintenance, monitoring and analysis of audit logs; application software security; controls of administrative privileges and user access; vulnerability assessment and remediation; account monitoring and control; malware defenses; control of network ports, protocols and services; wireless controls; and data loss prevention.

The additional controls include secure network engineering, penetration testing, incident response, data recovery, and security skills assessment and training.

About the Author

William Jackson is a Maryland-based freelance writer.

