As a federal government watcher, I get exposed to some happenings in Washington that few outsiders know about. One such initiative is the Consensus Audit Guidelines (CAG). Simply stated, CAG applies the old 80%\/20% rule to cybersecurity best practices by focusing on 20 high priority security controls. Since these controls are specifically designed as countermeasures for the most likely types of real-world attacks. There are two primary knocks against CAG. First, many people believe that it completely redundant with other security requirements and IT frameworks like ITIL and COBIT. Second, CAG is viewed as incomplete. The thought here is that stealthy or innovative security attacks could circumvent the 20 controls.In my opinion, each of these criticisms is accurate. That said, I think these points are non-issues. Yes, CAG is redundant with other security and IT efforts but most large organizations already face this redundancy issues as they are forced to comply with HIPAA, SOX, PCI DSS, FISMA, etc. Sure, CAG has gaps -- no one ever claimed it was exhaustive.CAG ain't perfect but it does have several key strengths:1. CAG has focus. I see organizations get overwhelmed by the scope of information security policies and controls all the time. CAG takes away this "boil the ocean" mentality and concentrates on the highest risks. This makes it easier to implement -- and afford -- than other security models.2. CAG is based upon real-time data analysis. As the old saying goes, "you can't manage what you can't measure." CAG takes this expression to heart as the 20 controls are anchored by data collection, measurement, and validation -- in real time.In the future, it is likely that the list of 20 CAG controls will grow to accommodate new threats thus keeping CAG up to date. CAG may not be as comprehensive as other security models and it is certainly no panacea, but given its focus, it is a great way for overwhelmed CISOs to rationalize their security efforts and concentrate on high priority risks.