The 20 CSC provide an excellent bridge between the high level security framework requirements and the operational commands needed to implement them. Implementation is a 3-7 year process depending on a wide variety of factors and constraints. This talk discusses our experiences in implementing the 20 CSC. For example, Control #1 has proved to be the most challenging one because it depends on how your IP addresses are generated by your networking group. We'll also discuss various tools and internal policies and standards that support a particular control's implementation. Finally, we'll show examples of how we measure progress. '