Dyson College of Arts and Sciences
Issue link: http://dysoncollege.uberflip.com/i/633753
Table I Critical Infrastructure Sectors and Associated Federal Agencies

The Top 20 Critical Security Controls

The Critical Controls for Effective Cyber Defense (the Controls) are a recommended set of actions for cyber defense that provide specific and actionable ways to stop today's most pervasive attacks. They were developed and are maintained by a consortium of hundreds of security experts from across the public and private sectors. An underlying theme of the Controls is support for large-scale, standards-based security automation for the management of cyber defenses.

The body that created and administers the unified set of the 20 most frequently occurring vulnerabilities that permeate the entire information and communication technology industry is known as the Council on CyberSecurity. In July 2014, it released its first annual report, concluding its first year as the organization that would serve as the home of the 20 Critical Security Controls. In the report, the Council stated that it was established "to accelerate the widespread availability and adoption of effective cybersecurity measures, practice, and policy".[4] To accomplish this objective, the Council mobilized an extensive community of practitioner stakeholders willing to bring knowledge, experience and commitment to a common goal: identify, validate, promote and sustain the adoption of cybersecurity best practice. The various agencies that either participated, or whose previous work on cyber-security was leveraged to help create the report generated by the Council, are listed below, in Table II.

Document Contributors for the Top 20 Critical Security Controls

1. Blue team members inside the Dept. of Defense
2. Blue team members who provide services for non-DoD government agencies
3. Red and blue teams at the US National Security Agency
4. US-CERT and other non-military incident response teams
5. DoD Cyber Crime Center (DC3)
6. Military investigators who fight cyber crime
7. The FBI and other police organizations
8. Civilian penetration testers
9. US Department of Energy laboratories
10. US Department of State
11. Army Research Laboratory
12. US Department of Homeland Security
13. DoD and private forensics experts
14. Red team members in DoD
15. The SANS Institute
16. Federal CIOs and CISOs
17. Plus over 100 other collaborators