US-CCU Check List

US-CCU has just finished the final release version of their cyber-security check list. A bookmarked PDF copy of it is temporarily available for download from

Here’s the press release:

This final version takes account of the large number of suggestions that were received after circulating the draft versions. There were a few additional suggestions that seemed excellent, but that weren’t able to be included at this point, because they were either too detailed or too much ahead of current defender and attacker practices. US-CCU intends to do an annual update of the check list, however, so some of the suggestions that were omitted this time will probably be included in the future.

US-CCU is now ready for this checklist to be posted on any responsible and well-run website that would be interested in posting it. In fact, since our own website still isn’t back up, we are currently relying on other websites to get this checklist to cyber-security professionals around the world as soon as possible.

We are exploring the possibilities for developing additional versions of this checklist tailored to specific critical infrastructure industries and also the possibility of providing an interactive version in collaboration with another organization.

We are very interested in hearing from people who might want to translate this check list into other languages and who have the technical understanding necessary to do so. So far, we have arrangements for translations into German, Greek, and Japanese.

Recent developments in the hacker world are making some of the newer counter-measures described in this check list increasingly urgent. We have not yet heard what status this check list will be accorded by the relevant government departments, but the earlier drafts were extremely well received by leading cyber-security professionals, both inside and outside government, so we expect this check list will be put into widespread use fairly rapidly.

As far as we know, this is now the most comprehensive and most up-to-date cyber-security check list available. We hope to maintain this status for the check list by continuing to revise it annually in the light of our own ongoing work and in the light of the further suggestions we receive from other cyber-security practitioners.

We hope this final version of the check list is useful to you and would greatly welcome your comments.

Best wishes,


Scott Borg
Director and Chief Economist
U.S. Cyber Consequences Unit
