20 Critical Security Controls

The 20 critical security controls were created to answer a key question: "What needs to be done right now to protect my organization from known attacks?" The critical controls are being implemented by many agencies and organizations that understand the evolving risks of a cyber attack, including the US National Security Agency, the British Centre for the Protection of National Infrastructure, the US Department of Homeland Security, state governments, power generation and distribution companies, defense contractors, and hundreds of other organizations around the world. The critical controls reflect the consensus of organizations with deep knowledge of how cyber attacks occur in the real world, why those attacks succeed, and which specific controls can stop them or mitigate their damage. Failure to implement the controls can put an organization's sensitive information or processes at great risk.

Below is a table of the 20 Critical Controls as the National Security Agency categorized them by attack mitigation impact. The first header row gives the NSA's three groupings; the second gives the attack phase (reconnaissance, getting in, staying in, exploiting) that the controls in each column counter.


Stop Attacks Early                      | Stop Many Attacks                                              | Mitigate Impact of Attacks
Reconnaissance                          | Get In                          | Stay In                      | Exploit
----------------------------------------+---------------------------------+------------------------------+-----------------------------------
Hardware Inventory (CSC 1)              | Secure Configuration (CSC 3)    | Audit Monitoring (CSC 14)    | Security Skills & Training (CSC 9)
Software Inventory (CSC 2)              | Secure Configuration (CSC 10)   | Boundary Defense (CSC 13)    | Data Recovery (CSC 8)
Continuous Vuln Assessment (CSC 4)      | Application SW Security (CSC 6) | Admin Privileges (CSC 12)    | Data Loss Prevention (CSC 17)
Network Engineering (CSC 19)            | Wireless Device Control (CSC 7) | Controlled Access (CSC 15)   | Incident Response (CSC 18)
Penetration Testing (CSC 20)            | Malware Defense (CSC 5)         | Penetration Testing (CSC 20) |
Limit Ports/Protocols/Services (CSC 11) |                                 |                              |

CSC #     Critical Security Control Description

1     Reduce the ability of attackers to find and exploit unauthorized and unprotected systems: Use active monitoring and configuration management to maintain an up-to-date inventory of devices connected to the enterprise network, including servers, workstations, laptops, and remote devices.


2     Identify vulnerable or malicious software to mitigate or root out attacks: Devise a list of authorized software for each type of system, and deploy tools to track software installed (including type, version, and patches) and monitor for unauthorized or unnecessary software.


3     Prevent attackers from exploiting services and settings that allow easy access through networks and browsers: Build a secure image that is used for all new systems deployed to the enterprise, host these standard images on secure storage servers, regularly validate and update these configurations, and track system images in a configuration management system.


4     Proactively identify and repair software vulnerabilities reported by security researchers or vendors: Regularly run automated vulnerability scanning tools against all systems and quickly remediate any vulnerabilities, with critical problems fixed within 48 hours.
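As an added illustration of the 48-hour rule in CSC 4 (example code written for this page, not taken from the Critical Controls or from any scanner vendor), the Python below checks scan findings against per-severity remediation deadlines and lists the open findings that have breached them. The high and medium deadlines, the Finding fields and the sample scan data are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Remediation deadline per severity. The 48-hour deadline for critical findings is the one
# CSC 4 states; the high and medium tiers are assumed values chosen for this example.
SLA = {"critical": timedelta(hours=48), "high": timedelta(days=7), "medium": timedelta(days=30)}

@dataclass
class Finding:
    host: str
    check: str                            # scanner check name
    severity: str                         # "critical" | "high" | "medium"
    first_seen: datetime                  # first scan that reported it
    fixed_at: Optional[datetime] = None   # scan that confirmed remediation, if any

def sla_status(f: Finding, now: datetime) -> str:
    """'fixed', 'fixed_late', 'within_sla' or 'overdue' relative to the finding's deadline."""
    deadline = f.first_seen + SLA[f.severity]
    if f.fixed_at is not None:
        return "fixed" if f.fixed_at <= deadline else "fixed_late"
    return "within_sla" if now <= deadline else "overdue"

def sla_report(findings, now):
    """Count findings per status and list open findings that have breached their deadline."""
    counts = {"fixed": 0, "fixed_late": 0, "within_sla": 0, "overdue": 0}
    overdue = []
    for f in findings:
        status = sla_status(f, now)
        counts[status] += 1
        if status == "overdue":
            hours_late = (now - (f.first_seen + SLA[f.severity])) / timedelta(hours=1)
            overdue.append((f.host, f.check, f.severity, round(hours_late, 1)))
    return counts, overdue

# Constructed sample scan export; hosts and findings are made up for this example.
T0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
NOW = T0 + timedelta(hours=60)
SAMPLE = [
    Finding("web01", "outdated TLS library", "critical", T0, fixed_at=T0 + timedelta(hours=20)),
    Finding("web02", "outdated TLS library", "critical", T0),                            # open, 12h late
    Finding("db01", "default admin credentials", "critical", T0 + timedelta(hours=30)),  # 18h left
    Finding("ws17", "missing OS patch", "high", T0, fixed_at=T0 + timedelta(days=9)),    # fixed late
    Finding("ws18", "weak cipher suite", "medium", T0),
]

def demo_report():
    return sla_report(SAMPLE, NOW)
```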


5     Block malicious code from tampering with system settings or contents, capturing sensitive data, or spreading: Use automated anti-virus and anti-spyware software to continuously monitor and protect workstations, servers, and mobile devices. Automatically update such anti-malware tools on all machines on a daily basis. Prevent network devices from using auto-run programs to access removable media.


6     Neutralize vulnerabilities in web-based and other application software: Carefully test internally developed and third-party application software for security flaws, including coding errors and malware. Deploy web application firewalls that inspect all traffic, and explicitly check for errors in all user input (including by size and data type).


7     Protect the security perimeter against unauthorized wireless access: Allow wireless devices to connect to the network only if they match an authorized configuration and security profile and have a documented owner and defined business need. Ensure that all wireless access points are manageable using enterprise management tools. Configure scanning tools to detect wireless access points.


8     Minimize the damage from an attack: Implement a trustworthy plan for removing all traces of an attack. Automatically back up all information required to fully restore each system, including the operating system, application software, and data. Back up all systems at least weekly; back up sensitive systems more often. Regularly test the restoration process.


9     Find knowledge gaps, and fill them with exercises and training: Develop a security skills assessment program, map training against the skills required for each job, and use the results to allocate resources effectively to improve security practices.


10     Preclude electronic holes from forming at connection points with the Internet, other organizations, and internal network segments: Compare firewall, router, and switch configurations against standards for each type of network device. Ensure that any deviations from the standard configurations are documented and approved and that any temporary deviations are undone when the business need abates.


11     Allow remote access only to legitimate users and services: Apply host-based firewalls and port-filtering and -scanning tools to block traffic that is not explicitly allowed. Properly configure web servers, mail servers, file and print services, and domain name system (DNS) servers to limit remote access. Disable automatic installation of unnecessary software components. Move servers inside the firewall unless remote access is required for business purposes.


12     Protect and validate administrative accounts on desktops, laptops, and servers to prevent two common types of attack: (1) enticing users to open a malicious e-mail, attachment, or file, or to visit a malicious website; and (2) cracking an administrative password and thereby gaining access to a target machine. Use robust passwords that follow Federal Desktop Core Configuration (FDCC) standards.


13     Control the flow of traffic through network borders, and police content by looking for attacks and evidence of compromised machines: Establish multilayered boundary defenses by relying on firewalls, proxies, demilitarized zone (DMZ) perimeter networks, and other network-based tools. Filter inbound and outbound traffic, including through business partner networks ("extranets").


14     Use detailed logs to identify and uncover the details of an attack, including the location, malicious software deployed, and activity on victim machines: Generate standardized logs for each hardware device and the software installed on it, including date, time stamp, source addresses, destination addresses, and other information about each packet and/or transaction. Store logs on dedicated servers, and run biweekly reports to identify and document anomalies.


15     Prevent attackers from gaining access to highly sensitive data: Carefully identify and separate critical data from information that is readily available to internal network users. Establish a multilevel data classification scheme based on the impact of any data exposure, and ensure that only authenticated users have access to non-public data and files.


16     Keep attackers from impersonating legitimate users: Review all system accounts and disable any that are not associated with a business process and owner. Immediately revoke system access for terminated employees or contractors. Disable dormant accounts and encrypt and isolate any files associated with such accounts. Use robust passwords that conform to FDCC standards.
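The three review rules in CSC 16 (owner terminated, no documented owner or business process, dormant) applied to an account list, as an added example written for this page and not drawn from the Critical Controls. The Account fields, the 90-day dormancy threshold and the sample directory and HR data are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# CSC 16 gives no dormancy threshold; 90 days is an assumed value for this example.
DORMANT_AFTER = timedelta(days=90)

@dataclass
class Account:
    name: str
    owner: Optional[str]              # accountable person; None if nobody is recorded
    business_process: Optional[str]   # what the account exists for; None if unknown
    last_login: Optional[date]        # None if the account has never been used
    enabled: bool = True

def review_accounts(accounts: List[Account], terminated: Dict[str, date], today: date) -> Dict[str, str]:
    """Apply CSC 16's review rules and return {account name: action} for accounts to disable.

    terminated maps owner name -> termination date from HR. Rules run in priority order:
    terminated owner (revoke immediately), then missing owner/business process, then dormancy.
    """
    actions: Dict[str, str] = {}
    for a in accounts:
        if not a.enabled:
            continue                      # already disabled; nothing to do
        term = terminated.get(a.owner)
        if term is not None and term <= today:
            actions[a.name] = "revoke now: owner terminated on %s" % term.isoformat()
        elif a.owner is None or a.business_process is None:
            actions[a.name] = "disable: no documented owner or business process"
        elif a.last_login is None or today - a.last_login > DORMANT_AFTER:
            actions[a.name] = "disable as dormant; encrypt and isolate its files"
    return actions

# Constructed sample data, not from a real directory or HR system.
TODAY = date(2024, 6, 1)
TERMINATED = {"bob": date(2024, 5, 28)}
SAMPLE = [
    Account("svc_backup", "alice", "nightly backups", date(2024, 5, 31)),   # healthy
    Account("bob", "bob", "engineering", date(2024, 5, 27)),                # owner left
    Account("svc_legacy", None, None, date(2024, 5, 30)),                   # orphaned
    Account("carol", "carol", "finance", date(2024, 1, 15)),                # dormant (138 days)
    Account("dave", "dave", "support", None, enabled=False),                # already disabled
]

def demo_review():
    return review_accounts(SAMPLE, TERMINATED, TODAY)
```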


17     Stop unauthorized transfer of sensitive data through network attacks and physical theft: Scrutinize the movement of data across network boundaries, both electronically and physically, to minimize the exposure to attackers. Monitor people, processes, and systems, using a centralized management framework.


18     Protect the organization's reputation, as well as its information: Develop an incident response plan with clearly delineated roles and responsibilities for quickly discovering an attack and then effectively containing the damage, eradicating the attacker's presence, and restoring the integrity of the network and systems.


19     Keep poor network design from enabling attackers: Use a robust, secure network engineering process to prevent security controls from being circumvented. Deploy a network architecture with at least three tiers: DMZ, middleware, private network. Allow rapid deployment of new access controls to quickly deflect attacks.


20     Use simulated attacks to improve organizational readiness: Conduct regular internal and external penetration tests that mimic an attack to identify vulnerabilities and gauge the potential damage. Use periodic red team exercises, all-out attempts to gain access to critical data and systems, to test existing defenses and response capabilities.