OMB has updated and consolidated its policies on strengthening cybersecurity of “high-value assets,” a program it operates in coordination with DHS requiring agencies to take a strategic, enterprise-wide view of cyber risk.
“With the dynamic adversarial threat to the security and resilience of HVAs, it is essential that the initiative evolve to take a more comprehensive view of the risk to the federal enterprise and the measures available to mitigate those risks. As such, the HVA program is expanding to support all agencies, including both CFO Act and non-CFO Act agencies, in HVA identification, assessment, remediation, and response to incidents,” says memo M-19-03.
Under the memo, agencies are to designate an integrated agency-level office, team, or other structure to incorporate HVA activities such as assessment, remediation, incident response into broader agency planning activities for information security and privacy management; and are to enter information-sharing arrangements with OMB, DHS and other agencies on cybersecurity related information.
OMB also is providing greater leeway for agencies in the identification of their most critical assets by moving from a single definition of what constitutes an HVA toward the establishment of multiple categories.
Other topics covered include adoption of systems security engineering principles, protection of personally identifying information, reporting and assessment requirements, remediation plans, and more.
