In a memo to agency heads, the Office of Management and Budget extended its High Value Asset (HVA) program to all Federal agencies and broadened the definition of the term, a change aimed at encouraging agencies to establish multiple categories of HVAs.
The memo, sent on Monday by OMB Director Mick Mulvaney, replaces guidance from December 2016 on managing HVAs.
“With the dynamic adversarial threat to the security and resilience of HVAs, it is essential that the initiative evolve to take a more comprehensive view of the risk to the Federal enterprise and the measures available to mitigate those risks. As such, the HVA program is expanding to support all agencies, including both CFO Act and non-CFO Act agencies, in HVA identification, assessment, remediation, and response to incidents,” the memo states.
The new guidance established three new categories for designating systems and information as high value assets.
- “Informational Value – The information or information system that processes, stores, or transmits the information is of high value to the Government or its adversaries.
- Mission Essential – The agency that owns the information or information system cannot accomplish its Primary Mission Essential Functions, as approved in accordance with Presidential Policy Directive 40 (PPD-40) National Continuity Policy, within expected timelines without the information or information system.
- Federal Civilian Enterprise Essential (FCEE) – The information or information system serves a critical function in maintaining the security and resilience of the Federal civilian enterprise.”
Agencies will also need to continue to maintain the trustworthiness of their HVAs by implementing NIST 800-160 guidance on systems security engineering principles, ensuring that privacy and security requirements reflect systems security engineering principles, and ensuring that HVA procurement includes strict security and privacy requirements.
“Increasing the trustworthiness of information systems is a significant undertaking that requires a substantial investment in the requirements, architecture, design, and development of systems, system components, applications, and networks,” the memo notes.
OMB’s memo also requires agencies to adopt the methodology developed by the Department of Homeland Security (DHS) to prioritize HVAs, a task that OMB assigned to DHS for all agencies. The guidance requires agencies to designate an integrated agency-level team or office to handle HVA activities in the context of broader agency planning like enterprise risk management and contract management.
The memo also highlights responsibilities for DHS, requiring the department to establish visibility into the security and privacy of HVAs across government, establish performance measures, provide guidance, and work with agencies to bolster the HVAs at the greatest risk.