The guidelines were developed from knowledge of actual attacks that have compromised systems, so that the defences they prescribe are aimed at what attackers really do rather than at theoretical risk.
The CAG is not a replacement for other guidelines (e.g. the NIST security guidelines) but a complement that helps CIOs and CISOs identify their top priorities. It was developed with the support of NSA, US-CERT, DoD, DoE, GAO and many federal CIOs and CISOs, and each control is cross-referenced to the NIST SP 800-53 Rev 3 controls.
Below is a summary of the 20 controls. The Guidelines themselves can be found here.
Critical controls subject to automated measurement and validation:
1. Inventory of Authorized and Unauthorized Hardware
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4. Secure Configurations of Network Devices Such as Firewalls and Routers
5. Boundary Defense
6. Maintenance and Analysis of Complete Security Audit Logs
7. Application Software Security
8. Controlled Use of Administrative Privileges
9. Controlled Access Based On Need to Know
10. Continuous Vulnerability Testing and Remediation
11. Dormant Account Monitoring and Control
12. Anti-Malware Defenses
13. Limitation and Control of Ports, Protocols and Services
14. Wireless Device Control
15. Data Leakage Protection
Additional critical controls (not directly supported by automated measurement and validation):
16. Secure Network Engineering
17. Red Team Exercises
18. Incident Response Capability
19. Data Recovery Capability
20. Security Skills Assessment and Training to Fill Gaps
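The distinction the CAG draws between the first group and the last is that the first group can be measured automatically. As an added illustration of what that means for control 1 (Inventory of Authorized and Unauthorized Hardware), the following script is not part of the CAG or of this post: it parses constructed neighbour-table and DHCP-lease lines, normalises the MAC addresses they contain (real tools disagree on case and separators, which is the usual reason naive inventory diffs miss devices), and reports both devices that are on the network but not in the authorized inventory and authorized devices that were not seen. The inventory, the observed lines and the hostnames are all invented for the example.

```python
"""Automated check for CAG control 1: compare devices observed on the network
against an authorized hardware inventory.

Added example, not CAG or blog-post code. All inventory records and observed
lines below are constructed for illustration.
"""
import re

# Constructed authorized inventory: canonical MAC -> (hostname, owner).
AUTHORIZED_INVENTORY = {
    "00:1a:2b:3c:4d:5e": ("ws-finance-01", "finance"),
    "00:1a:2b:3c:4d:5f": ("ws-finance-02", "finance"),
    "3c:97:0e:aa:bb:cc": ("srv-db-01", "it-ops"),
    "b8:27:eb:11:22:33": ("printer-2f", "facilities"),  # never shows up below
}

# Constructed observations in the mixed formats real tools emit
# ("ip neigh" style and ISC dhcpd lease style). MAC case and separators
# deliberately vary; the FAILED entry carries no MAC at all.
OBSERVED_LINES = """\
10.0.1.10 dev eth0 lladdr 00:1A:2B:3C:4D:5E REACHABLE
10.0.1.11 dev eth0 lladdr 00-1a-2b-3c-4d-5f STALE
10.0.1.77 dev eth0 lladdr 02:42:ac:11:00:02 REACHABLE
lease 10.0.1.90 { hardware ethernet 3C:97:0E:AA:BB:CC; }
lease 10.0.1.91 { hardware ethernet de:ad:be:ef:00:01; }
10.0.1.12 dev eth0  FAILED
"""

# Six hex pairs separated by ':' or '-', any case.
MAC_RE = re.compile(r"(?i)\b([0-9a-f]{2}(?:[:-][0-9a-f]{2}){5})\b")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def normalize_mac(mac):
    """Canonical form: lowercase, colon-separated."""
    return mac.lower().replace("-", ":")


def parse_observations(text):
    """Return {canonical_mac: ip_or_None} for every line carrying a MAC.

    Lines without a MAC (for example FAILED neighbour entries) are skipped,
    since they identify no device.
    """
    seen = {}
    for line in text.splitlines():
        m = MAC_RE.search(line)
        if not m:
            continue
        ip = IP_RE.search(line)
        seen[normalize_mac(m.group(1))] = ip.group(1) if ip else None
    return seen


def audit_hardware(authorized, observed):
    """Split the comparison into the two findings control 1 asks for:
    unauthorized devices seen on the network, and authorized devices missing.
    """
    auth = {normalize_mac(k): v for k, v in authorized.items()}
    unauthorized = {mac: ip for mac, ip in observed.items() if mac not in auth}
    missing = {mac: auth[mac] for mac in auth if mac not in observed}
    return unauthorized, missing


def report(authorized, text):
    """Render the findings as plain text lines (what a scheduled job would log)."""
    unauthorized, missing = audit_hardware(authorized, parse_observations(text))
    lines = []
    for mac, ip in sorted(unauthorized.items()):
        lines.append(f"UNAUTHORIZED device {mac} at {ip or 'unknown ip'}")
    for mac, (host, owner) in sorted(missing.items()):
        lines.append(f"MISSING authorized device {mac} ({host}, owner {owner})")
    return lines


if __name__ == "__main__":
    for line in report(AUTHORIZED_INVENTORY, OBSERVED_LINES):
        print(line)
```

Run against the constructed data it flags the two unknown MACs (the 02:42:... address is a typical container-bridge address, the de:ad:... one is simply unknown) and the printer that was in the inventory but never seen; the two finance workstations are matched despite their different MAC formatting. In a real deployment the authorized inventory would come from the asset database and the observed lines from switches, DHCP servers and scanners, and the MISSING findings are as important as the UNAUTHORIZED ones, since a stale inventory defeats the control.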