The critical controls focus on technical aspects of information security with the primary goal of helping organizations prioritize and automate their efforts to defend against the most common and damaging insider and outsider attacks.
Version 3.0 updates the controls based on analysis of actual attacks and defines controls that prevent those attacks from being successful, explained SANS. The update was developed with input the Department of Homeland Security, Department of Defense, US-CERT, the Australian Government Department of Defence, the FBI and other law enforcement agencies, forensics experts, penetration testers, and federal chief information and information security officers.
The first key item in the update is realignment of each of the 20 controls and the associated subcontrols. The realignment of the subcontrols was done based on the current technology and threat environment, including new threat vectors. As zero-day attacks increase and the focus shifts to advanced persistent threats, new subcontrols have been added to facilitate rapid detection and prevention of attacks, SANS noted.
The second item is the controls’ alignment to the National Security Agency's Associated Manageable Network Plan Revision 2.0 Milestones. Close mapping and correlation with these milestones enables the SANS controls to offer a step-by-step approach to transform an insecure network into one able to provide continuous defense.
The third item is establishment of definitions, guidelines, and proposed scoring criteria to evaluate tools for their ability to satisfy the controls’ requirements. These guidelines allow organizations to select tools so that the controls can be automated.
The fourth key item is the inclusion of the Australian government’s Top 35 Key Mitigation Strategies. These strategies, which have been mapped to the 20 controls, provide measures to help reduce the impact of cyber attacks, SANS related.