
New International Consortium to Support 11 Developments Shaping the Future of Cybersecurity Practices in Industry and Government

  • Washington, D.C.
  • October 31, 2012

The Consortium for Cybersecurity Action (CCA), a newly-formed international consortium of government agencies and private organizations from around the world, will host a Conference Call to promote the most effective approaches to cybersecurity and support 11 key developments that are shaping events.

The Conference Call is scheduled for Monday, November 5th at 11:00 a.m. EST. Dial-in instructions:

Domestic (Dial-in): 877-268-9432
International (Dial-in): 817-755-8752
Conference Call ID# 63979758

The briefing will feature analysis by the world's top security experts of 11 major "headlines" about efforts to prevent and thwart cyber attacks. The experts will also discuss the most effective ways for organizations to implement the newly updated Critical Controls, a prioritized, risk-based set of information security measures to defend against myriad internal and external threats.

The major cybersecurity headlines for discussion are:

  1. The United States, United Kingdom, Australia and dozens of major agencies and corporations (see list below) agree to cooperate in defining and promoting the most effective controls for computer and network security and the most rapid and cost-effective ways to deploy them.

  2. Tony Sager, most recently Chief Operating Officer of the National Security Agency's Information Assurance Directorate, agrees to lead the CCA. Sager heads the list of experts who will conduct the Conference Call, along with Dr. Eric Cole, Randy Marchany, and Alan Paller.

  3. The CCA releases the updated (Version 4.0) Critical Controls for Effective Cyber Defense document reflecting improved consensus on global risk assessment and the most effective actions enterprises can take to manage risk. The updated Controls will be published November 5th and available online at

  4. The British government's Center for the Protection of National Infrastructure (CPNI) describes the Critical Controls as the "baseline of high-priority information security measures and controls that can be applied across an organisation in order to improve its cyber defence." CPNI is mapping its guidance products against the controls to assist organizations with implementation.

  5. The Australian Defence Signals Directorate revises its "35 Strategies to Mitigate Targeted Cyber Intrusions" and re-ranks the "Top 4 Mitigation Strategies to Protect Your ICT System." Available online at Educational video available at

  6. The U.S. Department of Homeland Security announces a large procurement package to automate the first five of the Critical Controls across .gov networks with buying options for federal cloud initiatives and state and local governments. In its procurement process the DHS has adopted Australia's top priority strategies (whitelisting, configuration and patching) as core elements of its first phase of a large contract implementing the Critical Controls.

  7. The U.S. Federal Communications Commission launches a task force to determine how the Critical Controls can best be applied to protect the telecommunications industry.

  8. The CCA announces it will publish Quarterly Updates to ensure that all consortium members have access to the most current threat information and that the controls are updated annually to address cutting-edge threats and vulnerabilities.

  9. Training programs on the Critical Controls and the Top 4 Mitigation Strategies are planned for the Asia-Pacific region, Europe, and United States over the next seven months.

  10. The states of Ohio and Colorado adopt the Critical Controls as their cybersecurity standard.

  11. Virginia Tech University adopts the Critical Controls as its cybersecurity standard. VT is polling other schools to determine which others have made similar decisions.

The CCA will serve as an ongoing mechanism to bring together community expertise on attacks and threats; identify and prioritize the most effective defensive controls (based on performance in stopping attacks); identify tools and processes to support implementation; encourage and support adoption of the Critical Controls by organizations, standards bodies, and governments; and enable the world community to share cyber defense information and effective practices.

The Critical Controls are specific guidelines that CISOs, CIOs, IGs, systems administrators, and information security personnel can use to both manage and measure the effectiveness of their defenses. They are designed to complement existing standards, frameworks, compliance schemes, etc. by bringing priority and focus to the most critical threat and highest payoff defenses, while providing a common baseline for action against the risks that we all face.

Members of the Consortium of Government Agencies and Private Organizations Working toward Defining the Consensus List of Critical Security Controls

  • American Express
  • Australian Government - Innovations
  • Booz Allen Hamilton
  • Citibank
  • Core Security
  • Centre for the Protection of National Infrastructure
  • Department of Defense Cyber Crime Center
  • Department of Homeland Security
  • Defense Information Systems Agency
  • Department of Defense
  • Goldman Sachs
  • Mandiant
  • nCircle
  • National Security Agency

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals in government and commercial institutions worldwide. Renowned SANS instructors teach more than 60 courses at In-Person and Live Online cyber security training events, and more than 50 courses are available anytime, anywhere with our OnDemand platform. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers a master’s degree, graduate certificates, and an undergraduate certificate in cyber security. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to easily and effectively manage their ‘human’ cybersecurity risk. SANS also delivers a wide variety of free resources to the InfoSec community including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system – the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to support and educate the global information security community.