What might turn out to be one of the most important documents in the realm of government compliance was released today. The SANS Institute, cooperating with a consortium of federal agencies and private organizations, published the first public version of the Consensus Audit Guidelines.
This document and its supporting information are designed to boil FISMA down to just the twenty most critical controls for protecting contractor and federal information. I was at one of the very first meetings when this consortium began being assembled, and I can tell you that one of the primary objectives of this project was not only to identify the most critical controls but also to determine which of those controls can be effectively measured, and how to do it!
What this means is that this document provides real risk-based guidance that can be implemented and tested in the real world by anyone, rather than just another 50,000-foot-view, “You must have strong passwords” style of guidance.
Now that I’m back from an engagement in Japan we’ll be back on track with our postings and checklists. I’ll be in Orlando at the SANS conference next week, so if you’re in town please stop by and say “Hi” during one of my classes!