Skip to content ↓ | Skip to navigation ↓

Tripwire has announced the results of a survey on security technology trends in the federal government which finds that only 11% of Federal IT professionals have implemented the Top 20 Critical Security Controls.

The National Security Agency (NSA) originally created the best security practices list, which was later expanded through a large-scale community project initiated by the SANS Institute and sponsored by the Center for Strategic and International Studies (CSIS).

The outcome of this project was the Top 20 Critical Security Controls (20 CSC) – a prioritized list of security best practices that were proven to help organizations combat the most common cybersecurity issues as well as reduce the greatest number of exploitable cyberattack vectors.

According to a recent U.S. Government Accountability Office (GAO) study, the number of security incidents reported by federal agencies has increased 782 percent from 2006-2012. Despite this growing number, survey results indicate that the 20 CSC have not yet been adopted by many federal agencies.

Key Tripwire survey findings:

  • Only 11 percent of the respondents have implemented the 20 CSC.
  • Only 53 percent consider the 20 CSC to be valuable to their organization’s security strategy.
  • 66 percent do not have plans to adopt the 20 CSC at this time.

“The Top 20 Critical Security Controls were not designed to be a replacement or alternative for comprehensive risk management frameworks like FISMA,” said Tony Sager, director of programs for the Council on Cyber Security.

“Instead, the Controls bring priority and focus to complex cybersecurity problems and make it possible to align the many complex and often conflicting schemes that regulate, oversee or determine security practices. Highly knowledgeable practitioners across every business sector have agreed that these 20 Critical Security Controls stop the vast majority of the attacks seen today.”

Additional Tripwire survey finding include:

  • Only 18 percent of respondents implementing controls are doing so in the order proposed.
  • 79 percent use the 20 CSC as general guidelines.
  • 88 percent believe the 20 CSC will complement, not replace, existing FISMA efforts.

“The 20 Critical Security Controls are easily understood by nontechnical mission owners and have been proven time and again by agencies around the world to be effective against the greatest number of targeted cyberattacks,” said Rekha Shenoy, vice president of marketing and corporate development for Tripwire.

“In addition, a significant percentage of these controls can be automated, dramatically reducing the time and resources required to implement them. For example, automation of security configuration management and vulnerability management makes implementation of continuous diagnostics and mitigation very achievable. Mission owners at every agency should be asking how their security strategies stack up against the 20 Critical Security Controls.”

The survey was conducted by Dimensional Research from September 26 through October 4, 2013, and evaluated the attitudes of 110 federal information technology professionals from military, intelligence and civilian agencies.

For more information about this survey, please visit:

picTripwire has also compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].

This publication is designed to assist executives by providing guidance for implementing broad baseline technical controls that are required to ensure a robust network security posture.

The author, a security and compliance architect, examined each of the Controls and has distilled key takeaways and areas of improvement. At the end of each section in the e-book, you’ll find a link to the fully annotated complete text of the Control.

Download your free copy of The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities today.



Also: Pre-register today for a complimentary hardcopy or e-copy of the forthcoming Definitive Guide™ to Attack Surface Analytics. You will also gain access to exclusive, unpublished content as it becomes available.

* Show how security activities are enabling the business

* Balance security risk with business needs

* Continuously improve your extended enterprise security posture