At least eight months after the last major agency identified its high-value assets under the 2015 cyber sprint, the Homeland Security Department is making sure they got it right.
Jeh Johnson, the DHS secretary, issued his second Binding Operational Directive (BOD) in late June.
“This directive mandated that agencies participate in DHS-led assessments of their high value assets and implement specific recommendations to secure these important systems from our adversaries,” Johnson told the Senate Judiciary Committee on June 30. “We are working aggressively with the owners of those systems to increase their security.”
The DHS public affairs office didn’t offer anything beyond what the Secretary said late last month.
One government source told me the directive also is helping agencies document, prioritize, remediate and monitor corrective actions for these high-valued assets.
If you do some digging, there are a couple of clues about what the BOD is focused on.
The first place to look is the Office of Management and Budget's M-16-04 memo, which included the Cybersecurity Strategy and Implementation Plan (CSIP) from last November. In the memo and plan, OMB directed agencies not only to identify their high value assets, but also to identify their critical architecture, so they understand the potential impact should those systems and data fall victim to a cyber attack.
OMB defined what a high-valued asset is: systems, facilities, data and datasets that are of particular interest to potential adversaries, and may include “sensitive controls, instructions or data used in critical federal operations, or house unique collections of data (by size or content) making them of particular interest to criminal, politically-motivated, or state-sponsored actors for either direct exploitation of the data or to cause a loss of confidence in the U.S. government.”
OMB told agencies in M-16-04 to ensure “robust physical and cybersecurity protections are in place. The identification of HVAs will be an ongoing activity due to the dynamic nature of cybersecurity risks.”
Additionally, under the fiscal 2016 Federal Information Security Modernization Act (FISMA) guidance, agencies were to submit their high-value assets to DHS, and CIOs are then to work with DHS to assess those assets.
So we can deduce that the BOD formalizes how DHS will ensure agencies identify and protect their high-value assets.
Another clue comes from agencies themselves. In a recent interview, the Commerce Department said it has identified 62 high-value assets and that, of those, 18 became part of the governmentwide inventory. Commerce also identified three or four assets whose protections DHS will review.
This is the second Binding Operational Directive issued by Johnson. He issued the first in May 2015, requiring agencies to mitigate the most critical vulnerabilities on their Internet-facing systems within 30 days.
The question then becomes why Johnson issued the BOD now, and what comes of it if agencies have been reviewing and monitoring these high-value assets since November.
Is Commerce an outlier, with other agencies paying too little attention to these assets, so that Johnson thought a directive would help? Or is the BOD more of a formality that ensures agencies come to the table with DHS?