Acting under the Director of NSA's authority as the National Manager responsible for securing the U.S. Government's national security telecommunications and information systems, a team of NSA experts worked with the community to develop CGS guidance through focus groups, surveys, and collaborative Web 2.0 technologies. The development is being conducted in phases, and the next phase will focus more on implementation.
How You Can Help!
Provide feedback, comments, best practices, and lessons learned to: CGS@nsa.gov
For additional Information Assurance resources, please visit us at IAD.gov
National Manager's Guidance
2014 National Manager's Guidance
- For 2014, the National Manager has established credential management and access control as the baseline requirements to harden and defend National Security Systems (NSS). The intent of the 2014 baseline is to strengthen and protect credentials used to authenticate and access NSS. Efforts should be focused on employing effective authentication mechanisms and on protecting privileged credentials and accounts linked to mission critical capabilities. All Departments and Agencies shall implement these baseline requirements by 31 December 2014.
- A Supplemental Guide to the National Manager's Letter can be found in the General Documents section of the Community Gold Standard page.
2013 National Manager's Guidance
- For 2013, the National Manager has established secure configuration for hardware and software on laptops, workstations and servers as the baseline requirements to harden and defend NSS infrastructures. All Departments and Agencies shall implement these baseline requirements by 31 December 2013.
- NSA guidance on implementing secure configuration can be found at: http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/index.shtml.
Furthermore, the Community Gold Standard (CGS) for Information Assurance, documented at http://www.iad.gov/iad/cgs/cgs.cfm, provides a comprehensive understanding of the information assurance capabilities that should be implemented in the NSS environment, including the Configuration Management Capability.
- CGS Configuration Management Capability can be found by following this path: IAD.gov > Community Gold Standard > Documents and Products > Community Gold Standard > Protect the Enterprise > Configuration management
2012 National Manager's Guidance
For 2012, the National Manager has established the following minimum baseline requirements:
- Implement automated capabilities to maintain an inventory of authorized and unauthorized devices and software; and
- Implement a process to eliminate unauthorized devices and software on NSS.
- All Departments and Agencies shall implement these baseline requirements by 31 December 2012.
Each of the above requirements was drawn from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, "Security Controls" and the SANS Institute Top 20 Critical Controls. The SANS "20 Critical Controls for Effective Cyber Defense: Consensus Audit Guidelines" were developed by a government/industry consortium. Detailed information on the SANS Critical Controls and their mapping to the NIST SP 800-53 "Security Controls" can be found at: http://www.sans.org/critical-security-controls/.