The Public Eye with Eric Chabrow

Are States Intimidated by CAG?

Only 8 Percent of States Employ Consensus Audit Guidelines

A mere 8 percent of chief information security officers and other officials charged with safeguarding state IT systems adhere to the Consensus Audit Guidelines, known as CAG. That's the finding of a recent state IT security survey by the consultancy Deloitte and the National Association of State Chief Information Officers.

The survey doesn't explain why states haven't widely employed CAG, which has proven to be a godsend to some key federal agencies. The State Department, for one, has significantly improved its cybersecurity since it began employing the critical controls.

Perhaps the reason states haven't widely adopted CAG is that they're intimidated by the 20 critical controls the guidelines say organizations should implement. They needn't be, because they don't - or shouldn't - employ them all at once. A slow but deliberate approach is the way to go.

Former Air Force Chief Information Officer John Gilligan is Washington's biggest champion of CAG, and he notes that the State Department's gradual approach to implementing critical controls has made it the envy of other government agencies. That's because State CISO John Streufert didn't take a gung-ho approach. In fact, Gilligan says, most IT organizations can't rush into implementing CAG:

"Organizations struggle to make any progress because it's literally impossible to do all of the controls at once, so you end up doing bits and pieces of controls and you really never get anything firmly established such that you can say, 'We're done with this and we can move onto something else.'"

Gilligan says the initial concept of CAG was to focus on subsets of controls. That's what the State Department did, and as it tackled subsets of the subset, the agency created a foundation on which to build more rigorous sets of controls. Gilligan advises that organizations should:

"Just pick an incremental capability, do that, and sort of evolve and grow from that into something that's more expansive, getting feedback, getting lessons learned, rather than try to take a big-bang approach and not be able to get there."

And, organizations that feel good about taking baby steps by successfully tackling subsets of the controls will feel fantastic when they eventually make those giant leaps to implement the full controls.

About the Author

Eric Chabrow


Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
