Are you Properly Managing Federal High Value Assets?
Dissecting OMB Memorandum 17-09 to Meet DHS Directives
Department of Homeland Security (DHS) Binding Operational Directive 16-01, Securing High Value Assets, is an immediate and compulsory directive for federal agencies requiring the identification of high value assets and assessment of their risk and security status.
Issued in December 2016, Office of Management & Budget (OMB) Memorandum 17-09, Management of Federal High Value Assets, contains guidance for handling systems the federal government deems High Value Assets (HVAs), including the handling of information related to HVAs, which is a requirement of Department of Homeland Security Binding Operational Directive 16-01. The memo defines such assets as those that “enable the government to conduct essential functions and operations, provide services to citizens, generate and disseminate information, and facilitate greater productivity and economic prosperity.”
The goal of the HVA initiative is to enhance risk management by instituting a framework for the continuous process of planning, identifying, categorizing, prioritizing, reporting, assessing, and remediating HVAs. This enables agencies to clearly understand the risks facing their most critical assets. Information gained using this framework can be integrated into IT modernization efforts to focus scarce budget dollars where they can be most effectively used to improve security posture and enhance mission delivery.
To be successful with this initiative, agencies must take a strategic, enterprise-wide view of risk that accounts for all critical business and mission functions when identifying HVAs. They must then establish appropriate governance of HVA activities across the enterprise, integrating HVA remediation activities into agency planning, programming, budgeting, and execution processes. Implementing the HVA process enables agencies to better understand the specific security needs of their most critical assets. In addition to identifying their HVA inventory, agencies must update this list at least annually and report it to OMB and DHS. Senior Agency Officials for Privacy must ensure that required privacy documentation, including any Privacy Impact Assessments, is complete, accurate, and up-to-date for all HVAs that involve PII.
The HVA Process Framework includes specific actions that make up the continuous HVA process:
- Plan: Prepare for the HVA process, including stakeholder engagement, governance and oversight, third party engagement, and incorporation of HVA activities into broader agency IT planning.
- Identify: Examine systems from the agency’s perspective, adversary’s perspective, and enterprise-wide perspective to determine those assets which may be considered HVAs.
- Categorize: Organize information systems based on (among other things) system function, what kind of and how much information the system contains, the system’s importance to the agency’s mission, and the scale of impact from system loss or compromise.
- Prioritize: Rank HVA systems in terms of risk, considering the categories of threat, vulnerability, and consequence.
- Report: Agencies are responsible for keeping their internal HVA lists up-to-date. All CFO Act agencies are required to report their HVAs to DHS on an annual basis.
- Assess: The HVA system(s) will be assessed by DHS through a Risk and Vulnerability Assessment (RVA), Security Architecture Review (SAR), and any additional services as deemed necessary.
- Remediate: Agencies will receive a detailed report from DHS regarding the HVA system including recommended actions to address the findings.
Contact us to discuss your needs today.
Contribution from Maureen Aubrey, TalaTek Senior Information Security Consultant