Survey: Focus is on applying broader NIST guidance instead of 20 critical IT security controls. Two-thirds of federal technology professionals say they have no plans to adopt the 20 critical controls. Federal law requires agencies to follow the 861 security controls published by the National Institute of Standards and Technology. Security managers “don’t want to make waves” by not doing the same thing the rest of the government is doing, expert says. Lack of money, bureaucratic barriers may also explain why agencies haven’t adopted the controls, he says.
Source: https://www.cuinfosecurity.com/agencies-snub-20-critical-controls-a-6299