I don't mean to be an alarmist or whatever. But that's how newspapers get sold and stations get ratings. What is this mystical issue? The answer is Control Implementation Prioritization.
Way back in February 2009 we were greeted with the Consensus Audit Guidelines (CAG). I personally do not care for CAG. Some people will get their controls implemented faster, better, cheaper. At a minimum, the guidelines are misleading, since they had little to do with actual auditing or system security testing.
At the beginning of May, they revised CAG into the 20 Critical Security Controls (CSC). Well, at least now there is some truth in the title. They are sold to us as controls that every system should implement. Well ... thanks. Let's take a quick look then.
Ahhh. Ok. So where is the part about laying down a strategy or developing an initial policy that needs to be followed? It's not there. Where is the part about the strength and cost of the control implementation as measured against the risk? I couldn't find that either.
Apparently, that doesn't matter anymore. It is clear from the beginning that the focus of CSC is not about system-specific risk analysis anymore. So that is that. But then, in Appendix D of the 800-53 Rev 3 Final Public Draft, what do my eyes find? CONTROL PRIORITIZATION, on a scale of 1 to 3, with 0 for unspecified.
Now for the meat: why is this bad? It's bad because management types will focus on the number 1. "I have to do these controls first, because NIST told me so." Or "I have money for the top 20, then I will deal with the rest."
It has been proven time and time again that security comes from determining risk and implementing controls commensurate with that risk, then reassessing that risk and control effectiveness over time using adequate metrics. Plan for the worst with contingency and incident handling plans. Et cetera.
Implementation of the CSC will not make you safer; it will make the vendor richer. A total soup-to-nuts program is still the only way, in my opinion. This would include selecting the controls that you deem necessary.