Is CAG the New FISMA?

February 26th, 2009 by

The Obama administration has been floating rumors of a Federal CTO for a while, and the president has stated that cyber-security is a matter of national security. Now there’s talk of the Consensus Audit Guidelines (CAG), a new approach to federal IT security that was introduced for public review and comment on February 23. CAG is a set of 20 security controls proposed by several federal agencies, including DoD. It provides new security audits that encourage automated defensive mechanisms, including an automated inventory of authorized and unauthorized hardware and software, to assess network security. Sounds like a perfect fit for EM7 to me!

The CAG leverages the efforts of the private sector and government to identify and address the 20 biggest cyber holes that can be closed to prevent or lessen the consequences of cyber-attacks. It includes security control activities that CIOs, information security officers and inspectors general can employ to evaluate the security of information systems.

If approved and implemented, CAG could replace FISMA. Critics continue to question the value of the FISMA report card. John Gilligan, former Air Force CIO and head of the Gilligan Group consultancy, who is heading the CAG initiative, has said, “The federal government FISMA legislation that federal agencies comply with has only proven to be partially successful.” Listen to his interview regarding CAG.

The public review and comment period for this draft runs through March 23, 2009; pilots will then be conducted in several federal agencies to test and compare the CAG for value and cost against the practices currently in use. Read about the six-pronged approach to moving the CAG toward broad adoption.



2 Comments

  • 1. rybolov  |  March 2nd, 2009 at 9:03 am

    You’re kidding me, right?

    There is no way that a holistic information security management model based in law can be replaced by a top-20 tactical document written by a handful of SANS instructors. They work in very different niches and actually complement each other very nicely.

    Don’t believe the hype, CAG is good as a top-20 list and might make an OK standard, but it’s not officially endorsed by any Government agency.


  • 2. C&A Pro  |  March 9th, 2009 at 3:21 pm

    I would have to agree with rybolov. The work done by SANS cannot compare to the government regulations. SANS is trying to figure out how to cash in on FISMA Compliance. For years, Alan Paller (owner of SANS) has told everyone that FISMA is a terrible law. Now he is trying to find a way to map his SANS courses to FISMA with the CAG so he can sell more training to U.S. federal agencies. Besides, NIST is not the only government organization that publishes FISMA guidance…which shows that SANS does not really understand FISMA.

