Facing challenges in passing a comprehensive cybersecurity bill, the 112th Congress provided DHS with a preliminary budget to begin work: $183 million to bolster implementation of a federal Continuous Diagnostics and Mitigation (CDM) program that would provide tested continuous monitoring, diagnosis, and mitigation activities designed to strengthen the security posture of civilian agencies. But how best to proceed? While substantial, this new funding was a mere down payment on a comprehensive FISMA compliance effort that—according to at least one DHS budget analyst—could cost $7.5 billion over the next five years.

Choices would have to be made to optimize resources: Which were the higher-priority actions? Which actions could best mitigate known attacks? Which would address the widest variety of attacks? Which could identify and stop attacks earliest in the compromise cycle?

Fortunately, DHS had at its disposal a series of consensus audit guidelines—The 20 Critical Security Controls for Effective Cyber Defense—conceived by an impressive consortium of public- and private-sector cybersecurity experts, and published by the Center for Strategic and International Studies (CSIS) and the SANS Institute. More specifically, DHS decided to focus on the first five controls, deemed the most crucial of all because they provide the highest level of protection: hardware asset management, software asset management, configuration control, vulnerability management, and malware defense, as shown in the image below.