                The 20 Critical Security Controls

                By: Dell SecureWorks

                The 20 Critical Security Controls for Effective Cyber Defense (commonly called the Consensus Audit Guidelines or CAG) is a publication of best practice guidelines for IT security. The project was initiated in 2008 in response to data losses experienced by organizations in the U.S. defense industrial base.

                The Consensus Audit Guidelines consist of 20 key actions, called security controls, that organizations should take to block or mitigate known cyber attacks. The controls are designed so that primarily automated means can be used to implement, enforce and monitor them. The security controls give practical, actionable recommendations for cyber security, written in language that's easily understood.

                The goals of the 20 controls are to:

                • Leverage cyber offense to inform cyber defense, focusing on high payoff areas,
                • Ensure that security investments are focused to counter the highest risk threats,
                • Maximize use of automation to enforce security controls, thereby negating human errors, and
                • Use a consensus process to collect the best ideas.

                The 20 Critical Controls are being prioritized for implementation by organizations that understand the evolving risk of cyber attack. Leading adopters include the U.S. National Security Agency, the British Centre for the Protection of National Infrastructure, and the U.S. Department of Homeland Security Federal Network Security Program. Ten state governments as well as power generation and distribution companies and defense contractors are among the hundreds of organizations that have shifted from a compliance focus to a security focus by adopting the Critical Controls.

                All of these entities have adopted the Critical Controls in answer to the question: "What needs to be done right now to protect my organization from known attacks?" Adopting and operationalizing the Critical Controls allows organizations to easily document those security processes to demonstrate compliance.

                Notable results

                Starting in 2009, the U.S. Department of State began supplementing its risk scoring program in part using the Critical Controls. According to the Department's measurements, in the first year of site scoring using this approach the Department reduced overall risk on its key unclassified network by nearly 90 percent in overseas sites, and 89 percent in domestic sites.

                The Critical Controls are regularly updated by The Consortium for Cybersecurity Action (CCA), a virtual community of more than 100 agencies, companies, and individuals.  More info on the CCA and the Controls, including the complete list, can be found at

                The following table lists 10 of the 20 Critical Controls that can be addressed with Dell SecureWorks services:

                | Control # | Critical Control | Relevant Services from Dell SecureWorks |
                |---|---|---|
                | | Continuous Vulnerability Assessment and Remediation | Vulnerability Management Services |
                | | Malware Defense | Managed Advanced Malware Protection, Managed Next Gen Firewall, Managed IDS/IPS, Managed Host IPS |
                | | Application software security | Managed Web App Firewall, Web Application Testing |
                | | Secure configurations for firewalls, routers and switches | Firewall Management, Managed Next Gen Firewall |
                | | Limitation & Control of Network ports, protocols and services | Firewall Management, Managed Next Gen Firewall, Managed IDS/IPS |
                | | Boundary Defense | Firewall Management, Managed Next Gen Firewall, Managed IDS/IPS, Managed UTM, Security Monitoring |
                | | Maintenance, Monitoring & Analysis of Audit Logs | Security Monitoring, Log Management |
                | | Account Monitoring & Control | Log Management |
                | | Incident Response & Management | Incident Response Services, Security Monitoring |
                | | Penetration Testing, Incident Response Capabilities Testing | Penetration Testing, Incident Response Testing & Capability Analysis |
