Department of Homeland Security Secretary Kirstjen Nielsen issued Binding Operational Directive (BOD) 18-02, Securing High Value Assets, earlier this month, to enhance the Department’s coordinated approach to securing the federal government’s High Value Assets (HVAs) from cybersecurity threats.
For the past several years, DHS has worked with federal agencies to identify, prioritize, and assess the cybersecurity posture of some of the federal government’s most critical, high impact information systems. These systems are referred to as high value assets (HVAs) and, in 2016, DHS issued a cybersecurity directive requiring federal agencies to take specific actions to protect their most critical systems.
With the issuance of BOD 18-02, DHS introduces a more focused, integrated approach to addressing weaknesses across federal agency HVAs, facilitates ongoing collaboration across cybersecurity teams to drive timely remediation, and ensures senior executive involvement to manage risk across an agency enterprise.
The National Protection and Programs Directorate (NPPD) also works with federal civilian agencies to conduct customized security assessments of HVAs and assist with remediation of identified vulnerabilities. In-depth security assessments and security architecture reviews of prioritized agency HVAs help identify vulnerabilities and weaknesses that may allow an adversary to penetrate a system, move through an agency’s network, and access and exfiltrate sensitive data without detection.
Since 2016, DHS has identified close to 200 high priority vulnerabilities through HVA assessments and worked closely with agencies to mitigate all critical findings as quickly as possible. DHS also coordinated with the National Institute of Standards and Technology (NIST) to develop a guidance document called the HVA Control Overlay, to provide further technical guidance for federal agencies to secure HVAs based on additional specifications for protections applied to high impact systems like HVAs.
Although federal agencies have a primary responsibility for their own cybersecurity, DHS provides operational assessment services, technical assistance, and a common set of security tools like the HVA Control Overlay to federal civilian executive branch agencies to help them manage their cyber risk. BOD 18-02 supports the Department’s efforts to safeguard and secure the Federal IT Enterprise by requiring all federal agencies to prioritize the security of their most critical and high impact systems.
For more information on DHS BOD 18-02, Securing High Value Assets, please visit https://cyber.DHS.gov.