Baseline Standard of Due Care for Cybersecurity Announced
US Federal Cybersecurity Experts Name Top 20 Critical Controls
NOTE: An updated version of this topic was published on November 13, 2009. For the latest up-to-date information, please visit the updated page.
WASHINGTON, DC (Feb. 23, 2009) - A consortium of federal agencies and private organizations today released Version 1.0 of the Consensus Audit Guidelines that define the most critical security controls to protect federal and contractor information and information systems.
The draft may be found at the following Web sites:
The public review period runs through March 23, 2009.
The CAG initiative is part of a larger effort housed at the Center for Strategic and International Studies in Washington DC to advance key recommendations from the CSIS Commission report on Cybersecurity for the 44th Presidency.
A "No Brainer"
Cyber attack and defense experts from the federal agencies most involved in cybersecurity pooled their knowledge of the attack techniques being used against the government and the defense industrial base to determine the twenty key actions (called security "controls") that organizations must take if they hope to block or mitigate known attacks and attacks that can be reasonably expected in the near term. They tested their proposal for protecting federal systems to determine whether they would also stop or mitigate attacks known to be used against financial institutions and found the top 20 controls are essentially identical across government, the defense industrial base, financial institutions and retailers.
For each of the 20 controls, the experts identified specific (actual) attacks that the control stops or mitigates, illuminated best practices in automating the control (for 15 controls that can be automated) and defined tests that can determine whether each control is effectively implemented. The resulting document is called the Consensus Audit Guidelines and, once fully vetted, is expected to become the standard baseline for measuring computer security in organizations that are likely to be under attack.
The CAG project is led by John Gilligan who served as CIO for both the US Air Force and the US Department of Energy and served on the Obama transition team focusing on IT within the Department of Defense and the Intelligence Community. Of this project, Gilligan says, "It is a no brainer. If you know that attacks are being carried out, you have a responsibility to prioritize your security investments to stop those attacks."
"This is the best example of risk-based security I have ever seen," said Alan Paller, director of research at the SANS Institute. "The team that was brought together represents the nation's most complete understanding of the risk faced by our systems. In the past cybersecurity was driven by people who had no clue of how the attacks are carried out. They created an illusion of security. The CAG will turn that illusion to reality."
Broad adoption of the CAG may lead to agreement on standards for security automation and government-wide procurement of tools that work. The Federal government spends more than $70 billion on information technology each year. Jim Lewis, Director of the CSIS Technology and Public Policy Program says, "Better use of standards and acquisitions authorities are among the most powerful tools the Federal government has to improve cybersecurity and offer a real opportunity for progress."