Steady Approach to Critical Controls
Ex-Air Force CIO John Gilligan on the Consensus Audit Guidelines
The guidelines allow agencies to identify and address the most prominent threats by focusing on subsets of those threats, Gilligan says. "Those principles are now pretty much baked in," he says, "so when you look at the latest FISMA guidance that's coming out of OMB, looking at what's happening on the hill in the legislation proposals, they sort of have those same philosophies. That's really what was the basis of consensus audit guidelines."
"I won't say we were genius, but we created all of this, we perhaps in the consensus audit guidelines were some of the first to really codify and put emphasis on those e-principles."
In the interview, Gilligan also discusses how agencies should take a deliberate approach in implementing CAG and the success the State Department has achieved through the implementation of critical controls.
During his 25 years in government, Gilligan served as CIO at the Energy Department. He now heads his own consulting firm, the Gilligan Group. Gilligan remains a big influence on government IT, not only leading the consortium that developed CAG but also coauthoring the influential Commission on Cybersecurity for the 44th Presidency report. He also serves as chairman of the Center for Internet Security, a not-for-profit with a mission to establish and promote the use of consensus-based standards to raise the level of security and privacy in Internet-connected systems.