[CONSENSUS AUDIT GUIDELINES V 2.3] November 13, 2009

Twenty Critical Controls for Effective Cyber Defense: Consensus Audit Guidelines

Version 2.3: November 13, 2009

Update: Added NIST SP 800-53 Revision 3 mapping to each control, and updated the appendix to include each area of direct mapping between the 20 Critical Controls and the 800-53 Rev 3 Priority 1 controls. Also added metrics and tests for each of the automatable controls (the first 15). Finally, added an appendix summarizing the attack types that motivated the development of each control.

INTRODUCTION

Securing our nation against cyber attacks has become one of the highest national priorities. To achieve this objective, networks, systems, and the operations teams that support them must vigorously defend against a variety of threats, both internal and external. Furthermore, for those attacks that are successful, defenses must be capable of detecting, thwarting, and responding to follow-on attacks on internal enterprise networks as attackers spread inside a compromised network.

A central tenet of the US Comprehensive National Cybersecurity Initiative (CNCI) is that "offense must inform defense." In other words, knowledge of actual attacks that have compromised systems provides the essential foundation on which to construct effective defenses ...