Here's some background on the CAG (Consensus Audit Guidelines). The Red Teams have consistently proved that poor configuration and patching practices have made it easy for them to defeat network defenses. This determination lead to the Air Force approaching Microsoft and insisting that new desktop software application come with a standard secure configuration. This was the genesis of what is now known as the Federal Desktop Core Configuration (FDCC.) FDCC uses Red Team knowledge about attacker techniques to protect systems and network vulnerabilities used by attackers to break into systems. This in turn, has led to the Twenty Critical Security Controls (the “CAG” not to be confused with the older abbreviation for Carrier, Air Group used by the Navy.) In the IA context, CAG is the follow-on to the FDCC. It extends the mandate that “offense must teach defense” to identify all 20 critical controls that ensure systems are protected against most known attack vectors and that the systems are configured adequately so that attack software that does get through can be found and eliminated quickly. The demonstrated collateral benefits of these efforts include saving costs in terms of configuration management and patching plus reducing help desk calls.