6.8 High Value Assets (HVAs)
The HVA initiative was created in 2015 by OMB and DHS and established the capability for CFO Act agencies to assess agency HVAs, identify critical areas of weakness, and develop plans to remediate those weaknesses. HVAs are those assets, Federal information systems, information, and data for which unauthorized access, use, disclosure, disruption, modification, or destruction could cause significant impact to the United States’ national security interests, foreign relations, economy, or to the public confidence, civil liberties, or public health and safety of the American people. Guidance and policies germane to HVAs include: the Cybersecurity Strategy and Implementation Plan (CSIP), which was issued as OMB Memorandum M-16-04 in October 2015 (OMB M-16-04. Cybersecurity Strategy and Implementation Plan (CSIP) for the Federal Civilian Government. 10/30/2015); the initial implementing guidance for management of Federal HVAs, which was issued by OMB as Memorandum M-17-09 in December 2016 (OMB M-17-09. Management of Federal High Value Assets. 12/9/2016); and Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, which was issued in May 2017 (Executive Order 13800. Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. 5/11/2017).
New guidance for the HVA program was issued by OMB as Memorandum M-19-03 in December 2018. (OMB M-19-03. Strengthening the Cybersecurity of Federal Agencies by enhancing the High Value Asset Program. 12/10/2018.) This guidance consolidates and updates the previous requirements and rescinds the prior OMB memoranda, while also expanding the applicability of the HVA program from CFO Act agencies to all agencies. Agencies must take a strategic, enterprise-wide view of cyber risk to unify the protection of HVAs against evolving cyber threats. Specifically, agencies must:
- Designate an integrated agency-level office, team, or other governance structure to enable the incorporation of HVA activities (e.g. assessment, remediation, incident response) into broader agency planning activities for information system security and privacy management, and COOs must regularly coordinate with these governance structures to ensure HVA activities are executed in a timely manner.
- Establish, evaluate, and update HVA information sharing agreements with OMB, DHS, and other agencies to promote cross-agency sharing, coordination, and cooperation.
The M-19-03 guidance also establishes a new categorization system for the designation of HVAs by agencies. Agencies may designate Federal information or a Federal information system as an HVA if it relates to one or more of the following categories: Informational Value, Mission Essential, or Federal Civilian Enterprise Essential. Additionally, while agencies are principally responsible for their HVA designation, OMB and DHS reserve the right to designate HVAs at agencies based on potential impact to national security.