Why Agencies Snub 20 Critical ControlsSurvey: Focus Is on Applying Broader NIST Guidance, Instead
The office of Defense Secretary Robert Gates in 2008 asked the National Security Agency to prioritize myriad IT security controls as a way to save money.
See Also: A CISO's Guide to Communicating Risk
A year later, the NSA took its newly found knowledge on prioritizing the controls to a public-private consortium led by the SANS Institute, a cybersecurity training organization, and a think tank, the Center for International and Strategic Studies, which in early 2009 published the critical controls as Consensus Audit Guidelines (see New Guidelines: Top 20 Cybersecurity Controls).
Fast forward nearly five years. That list of 20 critical IT security controls, with its genesis in the federal government, has been generally ignored by most federal agencies, a new survey shows. A simple explanation of why agencies have snubbed the critical controls: federal law.
The Federal Information Security and Management Act, the law that governs federal government IT security, requires government agencies to follow the 861 security controls published by the National Institute of Standards and Technology in its Special Publication 800-53, which is in its fourth revision.
Two-thirds of the 110 federal technology professionals surveyed this fall by Tripwire, a security and compliance management solutions provider, say they have no plans to adopt the 20 critical security controls administered by SANS.
Tripwire Chief Technology Officer Dwayne Melancon says the NIST guidance satisfies most federal security officers' needs for guidance.
Melancon says federal security managers "don't want to make waves ... to look like oddballs by not doing the same thing the rest of the government is doing." That means they're sticking with the NIST guidance.
Lack of Money
But Melancon sees reasons other than conformity to explain why federal IT security managers haven't adopted the 20 critical controls. Employing security controls costs money. Half the respondents say there's not just enough funds in their agencies' budgets to implement the 20 critical controls; another third cite bureaucratic barriers.
Most agencies have invested in NIST documentation and training, so there's no money left to spend on implementing the 20 critical security controls, Melancon says. Plus, many in government bureaucracies resist change.
It's not that all federal IT security managers have ignored the 20 critical security controls. The survey reveals that 23 percent of federal agencies plan to adopt the critical controls and 11 percent have already done so. Of agencies adopting the 20 critical controls, only 12 percent of respondents say they will supersede FISMA; 88 percent say the critical security controls will complement those requirements.
Melancon says agencies that have adopted the 20 critical controls use them to help with implementation of the NIST controls. "They like the way logically the top 20 controls are laid out because they fall out into nice, clean domain of activities," he says.
Ron Ross, a NIST fellow and principal author of SP 800-53, says each of the 20 critical security controls maps to equivalent controls found in NIST guidance.
But he contends the SANS-administered controls, in reality, consist of multiple controls that give an oversimplified view of what needs to be done. "Twenty sounds better than [the hundreds upon hundreds of] controls in the NIST catalogue," says Ross, who leads the NIST FISMA Implementation Project.
Lot of Moving Parts
"It's very dense; there can be a lot of moving parts in that one control," he says, referring to each of the 20 critical security controls. "Our controls do one thing. When you have a SANS's control, it may require the implementation of a half-dozen NIST controls to get that same capability."
Ross, as an example, cites Critical Control 12: Controlled Use of Administrative Privileges. To adopt that one control, he says, an agency would need to implement 25 to 30 controls in the NIST catalogue, such as identification and authentication controls, access controls and personnel security controls to support the access controls.
"Just by saying that you have to limit admin privileges, in order to do that, there's a lot of heavy lifting that goes on under the surface," Ross says. "It doesn't reflect the effort that is actually necessary to provide that capability."
Ross contends that the 20 critical controls would only stop 85 percent of cyber-attacks because they don't include crucial controls found in the NIST catalogue, such a family of controls on contingency planning.
Getting Into the Game
Ross, nevertheless, sees value in the 20 critical security controls.
"It does gives people areas to concentrate on," he says. "If it gets them into the game, and gets them focusing on things that are important, that's a good thing."
With the vast majority of the nation's critical infrastructure controlled by the private sector, Ross says the nation needs more organizations promoting security controls. "We shouldn't limit the number of players or the number useful things we can look at in this space," he says. "There's plenty of work for everybody and there's plenty of opportunity for different control sets to help carry the load."