Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance

Draft: February 23, 2009

NOTICE to readers of this draft document: Criticisms and suggestions are strongly encouraged. If you are actively engaged in cyber forensics, red teams, blue teams, technical incident response, vulnerability research, or cyber attack research or operations, please help make sure this document is as good as it can be. We also request support in identifying users who have implemented scalable methods for measuring compliance with these controls and producing sharable benchmarks and other types of baseline guidance that can be used to drive tool‐based assessment of as many of these controls as possible.