In 2008, the Office of the Secretary of Defense asked the National Security Agency for help in prioritizing the myriad security controls that were available for cybersecurity. The request went to NSA because NSA best understood how cyber attacks worked and which attacks were used most frequently. The request came at a moment when the theme "offense must inform defense" had become a White House mantra for cybersecurity.
The objective was to help DoD prioritize its cybersecurity spending. NSA had been refining a list of security controls that were most effective in stopping known attacks since the early 2000s based on earlier requests from the military services, reinforced by guidance from the White House. The CIA's Tom Donahue, who was assigned to the White House cyber policy team, described the mandate as follows: "first fix the known bads." That meant no control should be made a priority unless it could be shown to stop or mitigate a known attack. That mandate was the key that came to separate the 20 critical controls from most other lists of controls.
The list of key controls that blocked the most frequent attacks was "for official use only" (FOUO) and could not be widely shared. However, NSA had been participating in a public-private partnership involving the Center for Internet Security (CIS) and the SANS Institute for more than a decade. When approached by John Gilligan of CIS and Alan Paller of SANS, NSA agreed to participate in a public-private consortium to share its attack information to provide the same type of control-prioritization knowledge for civilian government agencies and critical infrastructure. NSA reasoned that the military could not protect the nation if the critical communications, power and financial sectors were not also protected.
The consortium members expanded to include others that had formal access to high value threat information, either because they had large teams that developed and used attack techniques or because they had large teams that performed the deep after-attack analysis that disclosed tactics, techniques and method used by attackers, Additions to the coalition included the UK's CESG and CPNI, the DoD chief computer network architect who had previously led the NSA Red Teams, before moving to DoD, the FBI's IC-JTF, as well as a number of companies in the incident response field, such as Mandiant and InGuardians, who did high value analysis of major attacks. Further expansion brought in the Defense Cyber Crime Center, three DOE laboratories, and companies like McAfee and Lockheed that had experience with major breaches.
The group built consensus at each step, surprising many by their willingness to share sensitive attack data. The two overarching factors that enabled active sharing was (1) the agreement that only actual attack information could be used to justify adding any controls, and (2) the membership was so impressive that participants knew that the results would be authoritative and they wanted to be active contributors to something that could make a difference in protecting the nation. Surprisingly, the clear consensus of the consortium was that there were only 20 Critical Controls that addressed the most prevalent attacks found in government and industry. This then became the focus for an initial draft document. The draft of the 20 Critical Controls was circulated in early 2009 to several hundred IT and security organizations for further review and comment. Over 50 organizations commented on the draft. They overwhelmingly endorsed the concept of a focused set of controls and the selection of the 20 Critical Controls. These commenters also provided valuable "fine tuning" to the control descriptions.
The consortium reconnected with current and additional members every 6 to 12 months to ensure new attack information was reflected fully and that new techniques for mitigating old attacks were included. Other improvements to the 20 Critical Controls over time include measures by which organizations could know how well they had implemented the controls and a list of automated tools that have been validated (by thorough reference checks) to be effective in implementing the controls.
In the fall of 2008, the Center for Strategic and International Studies had convened a bipartisan panel, at the request two leading members of Congress, called the Commission on Cybersecurity for the 44th Presidency. The Commission's report made CSIS a respected source of guidance on cyber security. As a continuation of the Commission's work, it was natural for CSIS to become the first publisher of the 20 Critical Controls.
In 2009, the U.S. Department of State validated the consensus controls by determining whether the controls covered the 3,085 attacks it had experienced in FY 2009. In a presentation to the Intelligence Community, the State Department CISO reported remarkable alignment of the consensus controls and the State Department actual attacks. He also launched a program to implement automated capabilities to enforce the key controls and provide daily mitigation status information to every system administrator across 24 time zones in which the State Department operates. With a very rapid achievement of a more than 88% reduction in vulnerability-based risk across 85,000 systems, the State Department's program became a model for large government and private sector organizations. In December of 2011, DHS named the State Dept. CISO as the director of the National Cybersecurity Division, with the mandate to bring about the same type and level of risk reduction across the government and the critical infrastructure as he had led at the State Department.
Also in December 2011, the United Kingdom's Centre for the Protection of National Infrastructure (CPNI) announced to UK government agencies and critical industries that the UK government would adopt the 20 Critical Controls as the framework for securing the critical infrastructure going forward. And in May of 2012, the Commander of the US Cyber Command and Director of NSA announced that he believed adoption of the 20 Critical Controls was a good foundation for effective cybersecurity, and that they are a excellent example of how public and private sector organizations can voluntarily come together to improve security . His endorsement was the result of NSAs investment over the period of a year of some of its top talent vetting the 20 Critical Controls to be certain they reflected the actual risks faced by industrial and government systems.
In June 2012, the Idaho National Laboratory, home of the National SCADA Test Bed, of the U.S. Department of Energy, completed a very favorable analysis of how the 20 Critical Controls applied in the electric sector as a first step in assessing the applicability of the controls to specific industrial sectors.