CAG - Consensus Audit Guidelines

CAG — the acronym for Consensus Audit Guidelines — is a collection of critical controls for effective cyber defense. CAG establishes a prioritized baseline of information security measures that can be continuously monitored with automated mechanisms. It aims to help federal Chief Information Security Officers (CISOs) and Chief Information Officers (CIOs) quickly deploy the top controls focused on securing systems exposed to the most critical risks. Controls in CAG are drawn from National Institute of Standards and Technology (NIST) Special Publication 800-53, which is the foundation for compliance with FISMA, the Federal Information Security Act of 2002.

RELATED LINKS
From U.S. Government

Consensus Audit Guidelines from SANS

FISMA Implementation Portal by NIST

NIST SP 800-53 v3

NIST Technical Specification for Security Content Automation Protocol (SCAP)

NIST Validation of QualysGuard

RELATED LINKS
From Qualys

Achieving Continuous Compliance of SANS CAG Top 20 Controls Using QualysGuard

FISMA Compliance: Making the Grade

Qualys FDCC Module

About CAG

CAG is all about simplifying the planning and deployment of the most urgent defenses for federal civilian agencies and the military. It's related to FISMA in that CAG controls are subsets of what NIST prescribes for FISMA compliance. Compliance with CAG does not equal compliance with FISMA, but it does present a roadmap for quickly reducing security risks for three common attack strategies with four related defenses, shown in the Figure 1.

Figure 1 — How CAG helps fight attacks (source: SANS)

To implement stronger security, CAG provides fifteen critical controls (and related sub-controls) subject to automated collection, measurement and validation. Five additional controls are not directly supported by automated measurement and testing. CAG critical controls were created by consensus of many federal and civilian cyber forensics experts, security experts, researchers, military experts, and federal CIOs and CISOs with intimate knowledge of cyber attacks. CAG has broad federal support and is managed by the SANS Institute.

Why CAG Matters to Your Organization

Threats to federal systems and critical cyber infrastructure come from sovereign states, terrorists, criminals, lone hackers, and mistakes committed by staff and contractors. A successful exploit would be disastrous if it stopped vital functions of government and critical services. CAG simplifies the most urgent requirements of the NIST SP800-53 framework, which includes 17 areas of security covering 205 technical and program management controls. Implementation of CAG's critical controls focuses risk reduction efforts and can lower exposure 80 percent or more. The use of CAG can put a federal agency well on the path to compliance with FISMA. If an agency fails to comply with FISMA, it may be sanctioned via a budget cut. Contractors that exchange data with federal information systems must comply with FISMA or risk termination from a contract. Non-compliance may preclude contractors from bidding on future federal contracts.

How Qualys Solutions Help Fulfill CAG Requirements

Qualys solutions in the QualysGuard IT Security and Compliance Suite enable immediate compliance with many CAG critical controls. These are enumerated in the table below.

CAG Requirements QualysGuard Capabilities

Critical Control 1

Inventory of authorized and unauthorized hardware
  • Maps all devices on the network perimeter
  • Maps all devices on internal networks (requires Scanner Appliance)
  • Provides details about mapped devices such as machine names, host attributes, and IP services

Critical Control 2

Inventory of authorized and unauthorized software
  • Authenticated scans discover and inventory all software installed on systems in the perimeter and internal networks

Critical Control 3

Secure configurations for hardware and software on laptops, workstations, and servers
  • Enables definition of secure configuration policy
  • Evaluates installed IT assets against configuration policy
  • QualysGuard Policy Compliance supports NIST SP800-53 framework
  • Identifies all deviations from policy, including unauthorized services and ports, patch levels, and vulnerability trends over time
  • Validated for SCAP with FDCC scanning, Authenticated Configuration Scanner, Authenticated Vulnerability and Patch Scanner, Unauthenticated Vulnerability Scanner and Vulnerability Database

Critical Control 5

Boundary defense
  • Integrates vulnerability data for perimeter and internal scans
  • Allows for testing all DMZ and Internet-facing firewall policies

Critical Control 6

Maintenance, monitoring, and analysis of security audit logs
  • Interrogates systems for compliance with logging policy
  • Integrates with third party SIM solutions such as ArcSight

Critical Control 7

Application software security
  • QualysGuard WAS automates web application scanning for most web vulnerabilities, including SQL Injection and Cross-Site Scripting
  • Automates repeatable testing processes
  • Identifies vulnerabilities of syntax and semantics in custom web applications
  • Performs authenticated scanning
  • Profiles the target application
  • Ensures accuracy by effective reduction of false positives and false negatives

Critical Control 8

Controlled use of administrative privileges
  • Assesses and validates password requirements on many types of systems
  • Tests systems before deployment for compliance with policy
  • File system privilege checking for Windows systems
  • Evaluates systems for remote access policy
  • Tests for configurations and settings related to administrative privileges on systems

Critical Control 9

Controlled access based on need to know
  • Tests file permission and custom Windows registry checks against policy to identify unauthenticated file and share access
  • Identifies and enumerates user group and system accounts and associated privilege levels

Critical Control 10

Continuous vulnerability testing and remediation
  • Provides persistent and ongoing network vulnerability scanning and assessments
  • Supports authenticated and unauthenticated scanning
  • No agents required
  • Scans may be executed manually or automatically
  • Tracks inventory and categorizes assets
  • Scans all networked systems for vulnerabilities
  • Verifies vulnerabilities against inventory to limit false positives and false negatives
  • Classifies and ranks risks
  • Provides guidance for pre-testing patches, fixes, and workarounds
  • Guides remediation process of applying patches, fixes, and workarounds
  • Automates re-scanning to verify results of patching
  • Automated reporting provides documentation for security team and auditors

Critical Control 11

Account monitoring and control
  • Provides visibility into configuration of all systems
  • Compares deployed configurations against policy and identifies systems that are non-compliant

Critical Control 12

Malware defenses
  • Verifies deployment of third party anti-virus, spam, and anti-malware software and configurations against policy
  • Identifies systems requiring software and / or signature file updates
  • Integrates with third party NAC solutions to enforce updates of most recent security software prior to admittance to a network

Critical Control 13

Limitation and control of network ports, protocols, and services
  • With authenticated and unauthenticated scans, QualysGuard verifies all open TCP and UDP ports on any system
  • Identifies all systems running DNS, file, mail, web, and database services

Critical Control 14

Wireless device control
  • Identifies all authorized and rogue wireless access devices on the network
  • Evaluates all access configurations of wireless devices against policy

Critical Control 15

Data loss prevention
  • Evaluates configuration settings for all Windows-based systems on the network, including removable media such as USB, CD ROM and floppy drives
  • With QualysGuard WAS, evaluates all web pages for presence of inappropriate or sensitive data

Learn More About CAG

Links in the sidebar will lead you to more information about CAG and its cousin, FISMA. They include official federal resources and educational material from Qualys.

Please contact us if you would like more in-depth information on specific CAG capabilities.