EXECUTIVE OFFICE OF THE PRESIDENT
OFFICE OF MANAGEMENT AND BUDGET
WASHINGTON, D.C. 20503

THE DIRECTOR

December 9, 2016

M-17-09

MEMORANDUM FOR HEADS OF EXECUTIVE DEPARTMENTS AND AGENCIES

FROM:

SUBJECT: Management of Federal High Value Assets

PURPOSE
This Memorandum contains general guidance for the planning, identification, categorization, prioritization, reporting, assessment, and remediation of Federal High Value Assets (HVAs), as well as the handling of information related to HVAs by the Federal Government. It also outlines the responsibilities of Executive Branch departments and agencies, including the Office of Management and Budget (OMB), Department of Homeland Security (DHS), and General Services Administration (GSA). The HVA initiative outlined in this memorandum is an ongoing government-wide activity intended to evolve over time.

This memorandum is directed to Federal Executive Branch departments and agencies (hereinafter "agencies") but does not apply to national security systems. Owners of national security systems should follow relevant Department of Defense (DOD) and Intelligence Community (IC) guidance regarding the protection of sensitive information and systems with respect to national security systems.[1]

[1] Recognizing that existing IC and DOD technical controls for sensitive IT assets may not sufficiently address policy and strategic impacts and other enterprise risks, agencies operating national security systems are encouraged to apply the principles of enterprise risk management contained in this memorandum and to familiarize themselves with and, as appropriate, adopt approaches herein to ensure that national security systems are assessed, prioritized, and protected based on a comprehensive assessment of risk that encompasses threat information; system interdependencies; broader impacts to multiple organizations or the whole-of-government; and policy, business, and strategic impacts that go beyond agency-specific IT or operations.

INTRODUCTION
Federal Government HVAs enable the government to conduct essential functions and operations, provide services to citizens, generate and disseminate information, and facilitate greater productivity and economic prosperity. Federal agencies have long taken measures to identify, categorize, and secure Information Technology (IT) assets whose confidentiality, integrity, and availability are essential to their ability to operate and execute their missions. In recent years, continued increases in computing power combined with declining computing and storage costs and increased network connectivity have expanded the government's capacity to store and process data in order to improve service delivery to the public. This rise in technology and interconnectivity also means that the Federal Government's critical networks, systems, and data are more exposed to cyber risks. The Federal Government must continue to evolve its approach to managing risks to these HVAs and instantiating a continuous review of all critical networks, systems, and data.
The Federal Government is committed to identifying and prioritizing HVAs, assessing the HVAs' security posture, and taking needed protective actions. OMB Memorandum M-16-04, Cybersecurity Strategy and Implementation Plan (CSIP) for the Federal Civilian Government, issued on October 30, 2015, and the President's Cybersecurity National Action Plan (CNAP), issued on February 9, 2016, recognized that the heightened threat environment and an increasing number of incidents involving Federal IT assets require such action in order to strengthen our cybersecurity posture.
DEFINITION[2]
"High Value Assets" are those assets, Federal information systems, information, and data for which an unauthorized access, use, disclosure, disruption, modification, or destruction could cause a significant impact to the United States' national security interests, foreign relations, economy, or to the public confidence, civil liberties, or public health and safety of the American people. HVAs may contain sensitive controls, instructions, data used in critical Federal operations, or unique collections of data (by size or content), or support an agency's mission essential functions, making them of specific value to criminal, politically motivated, or state-sponsored actors for either direct exploitation or to cause a loss of confidence in the U.S. Government.
THE CURRENT LANDSCAPE
Existing Federal risk management policies, guidance, and standards that direct agencies to identify IT assets, perform risk assessments, and address risks related to IT assets also apply to HVAs. For example:

• OMB Circular No. A-123, Management's Responsibility for Enterprise Risk Management and Internal Control, directs agencies to look at risk across all functions of the agency and highlights IT as a component of the portfolio view of risk.

• The overarching Federal information management policy, OMB Circular No. A-130, Managing Information as a Strategic Resource, requires agencies to manage Federal information throughout the information life cycle and directs agencies to provide protection for their information commensurate with the risk and potential harm resulting from its compromise. Additionally, OMB Circular A-130 states that agencies must identify IT assets and maintain an inventory of agency information resources, and it specifically directs each agency to maintain an inventory of its respective information systems that create, collect, use, process, store, maintain, disseminate, disclose, or dispose of personally identifiable information (PII).

• OMB Memorandum M-13-13, Open Data Policy - Managing Information as an Asset, requires that agencies create and maintain an inventory of data assets via an enterprise data inventory.

[2] This replaces the definition of HVA in OMB Memorandum M-16-04.
Once an agency identifies its IT assets and creates the appropriate inventories, the agency has additional obligations, for example:

• National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, provides guidelines for applying the Risk Management Framework to Federal information systems, to include conducting the activities of security categorization, security control selection and implementation, security control assessment, information system authorization, and security control monitoring.

• Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems, then directs agencies to categorize their information and information systems based on the potential impact to an organization should events occur which jeopardize the information and information systems of an organization. Initial security categorizations pursuant to such guidance will help determine the baseline security controls that an agency must implement to protect Federal information and information systems at the security impact level determined by the FIPS 199 categorization. The specific controls chosen will be drawn from NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, and guided by NIST SP 800-60 Volume I Revision 1, Guide for Mapping Types of Federal Information and Information Systems to Security Categories, tailored according to an assessment of risk by the owning agency.
While this HVA initiative is compatible with and must leverage existing policies and guidelines regarding IT assets, such as those listed above, agencies must also consider their HVA risks from a strategic enterprise-wide perspective. As such, the agency HVA process described herein requires explicit consideration of the following factors:

• Agencies' assessment of risk should not be limited to IT and other technical considerations. HVA risk assessments should incorporate operational, business, mission, and continuity considerations. All key stakeholders of an agency, to include the Chief Financial Officer (CFO), Chief Acquisition Officer (CAO), Senior Agency Official for Privacy (SAOP), mission, business, and policy owners as well as the Chief Information Officer (CIO) and Chief Information Security Officer (CISO) organizations, should be engaged in evaluating HVA risks.

• Agencies' assessment of risk should consider not just the risk that an HVA poses to the agency itself, but also the risk of interconnectivity and interdependencies leading to significant adverse impact on the functions, operations, and mission of other agencies. Further, agencies' assessment of risk should include the risk of significant adverse impact on national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.

• Agencies' assessment of risk to an HVA should be informed by an up-to-date awareness of threat intelligence regarding agencies' Federal information and information systems; the evolving behaviors and interests of malicious actors; and the likelihood that certain agencies and their HVAs are at risk owing to demonstrated adversary interest in agencies' actual, related, or similar assets.

• All agency-identified HVAs will be reviewed by DHS and OMB in order to prioritize HVAs for assessment and remediation activities across government.

• Based on the DHS and OMB reviews, a select number of HVAs will be subject to a standardized assessment with the potential for additional services as needed.
THE AGENCY HVA PROCESS
Agencies must take a strategic enterprise-wide view of risk that accounts for all critical business and mission functions when identifying HVAs. Agencies must also establish appropriate governance of HVA activities across the enterprise and should integrate HVA remediation activities into agency planning, programming, budgeting, and execution processes. These efforts must align with OMB policy, Federal law and regulations, Federal standards and guidelines, and agency policies, processes, and procedures.

Figure 1: Agency HVA Process Framework

Figure 1 represents the continuous HVA process, including the specific actions that make up the process.[3]
PLAN:
Agencies must develop, maintain, and regularly update their HVA inventory lists, at least annually, to implement this guidance.[4] At a minimum, the planning process must include the following considerations:

• Stakeholder engagement, including identifying and engaging information system and information/data owners, business process experts, IT experts, information security experts, privacy experts, and risk management experts, as necessary;

• Review of business processes and identification of appropriate management controls to protect HVAs and critical business functions over the entire data and information lifecycle;

• Governance and oversight, including identification of a senior accountable official and a lead office to be responsible to agency leaders and OMB for management of the overall HVA initiative;

• Engagement with third parties on behalf of the agency to ensure appropriate contract clauses or legal agreements are in place to assess and remediate system vulnerabilities as necessary;

• Engagement with contracting officers and the agency's general counsel to ensure all necessary agreements for contracted services, such as penetration testing, auditing, and security architecture reviews (SARs), are in place; and

• Incorporation of HVA activities into broader agency IT and information security and privacy management planning activities, including:
  o Enterprise risk management;
  o Budget, procurement, and contract management plans to address potential assessor findings;
  o Change management;
  o Information Security Continuous Monitoring (ISCM) Strategy;
  o IT lifecycle management, including plans to upgrade legacy components, system migration, and disposal;
  o Privacy compliance and Privacy Continuous Monitoring (PCM);[5]
  o Performance measurement and metrics; and
  o Contingency planning.

[3] Plan: Prepare for the HVA process, including stakeholder engagement, governance and oversight, third party engagement, and incorporation of HVA activities into broader agency IT planning.
Identify: Examine systems from the agency's perspective, adversary's perspective, and enterprise-wide perspective to determine those assets which may be considered HVAs.
Categorize: Organize information systems based on (among other things) system function, what kind of and how much information the system contains, the system's importance to the agency's mission, and the scale of impact from system loss or compromise.
Prioritize: Rank HVA systems in terms of risk, considering the categories of threat, vulnerability, and consequence.
Report: Agencies are responsible for keeping their internal HVA lists up-to-date. All CFO Act agencies are required to report their HVAs to DHS on an annual basis.
Assess: The HVA system(s) will be assessed by DHS through a Risk and Vulnerability Assessment (RVA), Security Architecture Review (SAR), and any additional services as deemed necessary.
Remediate: Agencies will receive a detailed report from DHS regarding the HVA system including recommended actions to address the findings.
[4] HVA management processes should take advantage of current security-related processes and artifacts produced by agencies in accordance with their responsibilities under FISMA, thus avoiding duplication and redundancies.
IDENTIFY, CATEGORIZE AND PRIORITIZE:
Agencies should use the following guidelines to identify, categorize, and prioritize HVAs to ensure that information systems performing or enabling mission essential functions have been considered as potential HVAs and that appropriate agency stakeholders have been engaged.

• Start with an agency-specific assessment of risk by using FIPS 199[6] and NIST SP 800-60 to assist with information and information system identification and categorization.

• Next, consider the value of agency systems and data from a potential adversary's perspective. This means agencies should maintain awareness of malicious actor intent, capabilities, targeting, and trends based on government threat intelligence as well as commercial sources of threat intelligence. Such information includes cybersecurity threats to the agency by nation-state and criminal actors as well as current threat actor tactics, techniques, and procedures.

• Throughout the identification process, agencies should also take a Federal enterprise-wide perspective of the risks posed by their HVAs and of their mission responsibilities to both identify their most critical functions, information, and data and to use that information to categorize information systems as critical mission enablers or mission essential functions.

• Once an initial collection of HVAs has been identified, agencies should protect that collection according to the handling directions at the end of this guidance, take measures to determine the physical location of those HVAs, determine key stakeholders (including third parties) involved in the administration of those HVAs, clearly communicate roles and expectations to those stakeholders, and identify information system interdependencies.

• After the agency-level list of HVAs has been assembled, agency CIOs should ensure that the owners and operators of the HVAs are notified of their designation as an HVA.

• Once the agency-level inventory of HVAs has been produced, agencies should develop a risk-based matrix of threats, vulnerabilities, impacts, and likelihood of compromise. The matrix should serve as a basis for prioritizing the agency's HVA assessment activities. This will support the delivery of an annual "Top 10" prioritized list of HVAs to OMB and DHS. For those HVAs that do not qualify as top 10, agencies have the discretion to rank and rate them using either a "1-to-n" or "tiered" approach.

[5] Per A-130, agencies are required to establish and maintain an agency-wide PCM program that implements the agency's PCM strategy.
[6] There is no minimum FIPS categorization for a system to be considered an HVA, as FIPS ratings are only one factor to consider in the identification and prioritization process.
The following criteria should be used by agencies as additional inputs to their own prioritization when categorizing and prioritizing identified HVAs. This is not an exhaustive list, and it does not preclude agencies from considering additional criteria.

• Adversary and criminal interest;
• Nature and sensitivity of Federal information processed, stored, or otherwise utilized by the HVA;
• Whether the HVA contains Controlled Unclassified Information (CUI),[7] particularly one or more of the following:
  o PII on agency employees or customers;
  o CUI used for traveler/cargo vetting or other law enforcement purposes;
  o Proprietary information; and
  o CUI related to Federal or national critical infrastructure or key resources;
• Nature and sensitivity of processes controlled by the system, as in the case of an Industrial Control System (ICS) or Supervisory Control and Data Acquisition (SCADA) system;
• Quantity of information stored or handled by the HVA;
• Uniqueness of the stored or handled information or data and/or the information system function(s) (e.g., if the information system is a single point of failure);
• Degree to which the HVA is essential to supporting the agency's mission essential functions, including whether the HVA is connected with HVAs in other agencies so that a compromise could significantly impact mission essential functions within other agencies;
• Scale of impact (i.e., local, multiagency, Federal enterprise, national-level impact) of the loss or compromise of the information or data and/or information system functionality; and
• Nature of impact (i.e., national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people).

Many of these inputs focus on the potential resulting impact or consequence should the confidentiality, availability, or integrity of a given HVA be compromised. As agencies consider potential inputs for their own individual prioritization approaches, they should also consider privacy risk to individuals, potential threats to the HVA, as well as known vulnerabilities and the overall security posture of the HVA. All three categories of risk (threat, vulnerability, and consequence) should be considered when ranking HVAs.

[7] Per Executive Order (EO) 13556, Controlled Unclassified Information, Controlled Unclassified Information is information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies, excluding information that is classified under EO 13526, Classified National Security Information, of December 29, 2009, or the Atomic Energy Act (P.L. 83-703), as amended.
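The risk-based prioritization matrix described above (threat, vulnerability, and consequence combined into a ranking that yields the Top 10 list, with the remainder tiered), worked as an added example. This is illustrative code written for this page; it is not part of OMB M-17-09 and not any agency's or DHS's tool. The memo fixes only the three risk categories, the annual Top 10 list, and the 1-to-n or tiered treatment of what is left. Everything else is an assumption chosen for illustration: the 1-to-5 scales, the multiplicative score, the tier thresholds, and the sample inventory. The example also goes slightly beyond the text by scoring the interconnection criteria the memo lists but does not quantify: an HVA inherits the consequence of the HVAs that depend on it, and gains one level when any dependent belongs to another agency (the multiagency scale of impact).

```python
"""Risk-based HVA prioritization matrix (added example, not OMB M-17-09 text).

Scores each HVA on the three risk categories the memo names (threat,
vulnerability, consequence), propagates consequence across declared
interdependencies, and emits the prioritized "Top N" list plus a tiered
ranking for the remainder. All scales, weights, thresholds and the
inventory below are assumptions for illustration.
"""
from dataclasses import dataclass, field

# Qualitative 1..5 scales (assumption): 1 = negligible, 5 = severe.
SCALE = range(1, 6)


@dataclass
class HVA:
    name: str
    agency: str
    threat: int          # demonstrated adversary interest, TTP match
    vulnerability: int   # known weaknesses, ATO status, open POA&M items
    consequence: int     # impact of loss of C/I/A on the agency mission
    depends_on: list = field(default_factory=list)  # names of upstream HVAs


def validate(inventory):
    """Reject duplicate names, out-of-range scores and dangling dependencies."""
    names = {h.name for h in inventory}
    if len(names) != len(inventory):
        raise ValueError("duplicate HVA names in inventory")
    for h in inventory:
        for v in (h.threat, h.vulnerability, h.consequence):
            if v not in SCALE:
                raise ValueError(f"{h.name}: score {v} outside 1..5")
        for dep in h.depends_on:
            if dep not in names:
                raise ValueError(f"{h.name}: unknown dependency {dep!r}")


def effective_consequence(inventory):
    """Consequence adjusted for interdependencies (assumed rule).

    An HVA that other HVAs depend on, directly or transitively, takes the
    maximum consequence among its dependents, and gets +1 (capped at 5)
    if any dependent belongs to another agency.
    """
    by_name = {h.name: h for h in inventory}
    dependents = {h.name: set() for h in inventory}
    for h in inventory:
        for dep in h.depends_on:
            dependents[dep].add(h.name)
    result = {}
    for h in inventory:
        seen, frontier = set(), list(dependents[h.name])
        while frontier:                      # transitive closure of dependents
            n = frontier.pop()
            if n not in seen:
                seen.add(n)
                frontier.extend(dependents[n])
        cons = max([h.consequence] + [by_name[n].consequence for n in seen])
        if any(by_name[n].agency != h.agency for n in seen):
            cons = min(5, cons + 1)
        result[h.name] = cons
    return result


def risk_score(h, cons):
    """Likelihood (threat x vulnerability) times consequence: range 1..125."""
    return h.threat * h.vulnerability * cons


def prioritize(inventory, top_n=10):
    """Return the Top N names, the tiered remainder and every score."""
    validate(inventory)
    cons = effective_consequence(inventory)
    scored = sorted(((risk_score(h, cons[h.name]), h.name) for h in inventory),
                    key=lambda t: (-t[0], t[1]))   # highest risk first, then name
    top = [name for _, name in scored[:top_n]]
    tiers = {"Tier 1": [], "Tier 2": [], "Tier 3": []}
    for score, name in scored[top_n:]:          # assumed tier thresholds
        tier = "Tier 1" if score >= 60 else "Tier 2" if score >= 25 else "Tier 3"
        tiers[tier].append(name)
    return {"top": top, "tiers": tiers, "scores": {n: s for s, n in scored}}


# Constructed sample inventory (assumption, not any real agency's data).
SAMPLE = [
    HVA("Benefits Payment System", "AgencyA", threat=4, vulnerability=3, consequence=5),
    HVA("Identity Directory", "AgencyA", threat=5, vulnerability=2, consequence=3),
    HVA("Benefits Portal", "AgencyA", threat=3, vulnerability=4, consequence=3,
        depends_on=["Identity Directory", "Benefits Payment System"]),
    HVA("Interagency Data Exchange", "AgencyB", threat=3, vulnerability=2, consequence=2,
        depends_on=["Identity Directory"]),
    HVA("Facility SCADA", "AgencyA", threat=2, vulnerability=5, consequence=4),
    HVA("Public Web Site", "AgencyA", threat=3, vulnerability=2, consequence=1),
]

if __name__ == "__main__":
    out = prioritize(SAMPLE, top_n=3)   # Top 3 stands in for the memo's Top 10
    print("Top priority:", out["top"])
    print("Remaining, tiered:", out["tiers"])
```

Running the file ranks the six constructed systems with a Top 3 standing in for the memo's Top 10. The Identity Directory has the lowest raw consequence of the three leaders but rises because two systems, one in another agency, depend on it; that is the interconnectivity point the memo makes. The validation step rejects out-of-range scores and dependencies on systems missing from the inventory, so a malformed inventory fails loudly rather than silently ranking low.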
REPORT:
All Federal agencies are responsible for keeping their internal HVA lists up-to-date. All CFO Act agencies[8] are required to report all of their HVAs, including the prioritized top 10 list, to DHS on an annual basis. DHS will coordinate with OMB and other interagency partners to ensure appropriate oversight and governance across the Federal Government. Although HVAs can be either classified or unclassified systems, agencies are only required to report their non-national security HVAs to DHS.

The Fiscal Year 2017 reporting date is January 15, 2017.

CFO Act agencies will be required to submit the following data fields to DHS on an INTELINK platform on either the Joint Worldwide Intelligence Communications System (JWICS) or Secret Internet Protocol Router (SIPR) platforms. Non-CFO Act agencies are encouraged, but not required, to follow the same review and reporting process. Agency HVA points of contact must maintain an active INTELINK account on either JWICS or SIPR. The required data fields are as follows:

• Agency Name;
• Agency Component or Bureau Name (if applicable);
• HVA Name;
• Is the HVA a Top 10 Priority HVA (yes/no);
• Description of HVA Function (maximum of 500 characters);
• Description of Impact of HVA Compromise to the Agency (maximum of 500 characters);
• Valid Authorization to Operate (ATO) (yes/no);
• Is the HVA an ICS or SCADA system (yes/no);
• Date of the Last HVA Assessment;
• Type of Assessor (Agency/DHS/Third-party);
• Current Plan of Action and Milestones (POA&M) to Remediate Assessment Findings (yes/no); and
• If Applicable, How Many Critical/High, Moderate, and Low Impact Actions Remain Incomplete from the Most Recent POA&M.

[8] Per 31 U.S.C. § 901(b), as amended, the current CFO Act agencies include the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, Interior, Justice, Labor, State, Transportation, the Treasury, Veterans Affairs, Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, National Science Foundation, Office of Personnel Management, Small Business Administration, Social Security Administration, U.S. Agency for International Development, and U.S. Nuclear Regulatory Commission.
ASSESS:
Pre-Assessment
In addition to the standard processes agencies must use for all information systems, to include tailoring security and privacy controls following the selection of the appropriate baseline (commensurate with NIST SP 800-53), agencies must prepare the HVA for assessment and ensure appropriate protections are in place by completing the steps listed below:

• Implement and validate security controls - Per the direction of Binding Operational Directive (BOD) 16-01,[9] and using the security engineering principles, concepts, and techniques in NIST SP 800-160, Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems, agencies must implement the following security activities for all HVAs:
  o Secure configuration management;
  o Increased phishing awareness training and testing of personnel with access to HVAs;
  o Continual validation of strict access controls, including multifactor authentication;
  o Routine vulnerability scanning and remediation;
  o Increased monitoring and analysis of relevant audit logs;
  o Network segmentation;
  o Appropriate boundary protections;
  o Verification of data recovery capabilities;
  o Routinely tested incident response procedures; and
  o Maintenance of 100% automated asset visibility and control.

• Identify system dependencies and interdependencies - Agencies must identify the connections between HVAs and other systems, including other HVAs and non-HVAs, to understand critical dependencies.

• Conduct security assessments of HVAs - After validation of security controls and identification of dependencies and interdependencies at the identified HVAs, the agency, in coordination with OMB and DHS, shall create and implement a plan for prioritizing and conducting assessments.

• Ensure appropriate agreements with DHS or independent third-party assessment providers are in place to facilitate timely and comprehensive assessments - All CFO Act agencies are required to participate in the HVA initiative and ensure all required legal agreements are signed and in place with DHS prior to commencement of assessment work.[10] This includes having a valid and signed standing Federal Network Authorization (FNA) and a Rules of Engagement (ROE) in place with DHS consistent with OMB M-16-03.[11] In addition, all Federal Executive Branch agencies are encouraged to follow these procedures.

[9] Published BODs are available to OMB MAX Executive Branch users at community.max.gov/x/RJQ5JQ.
[10] The ROE establish the guidelines and agreement between DHS and the agency, authorizing DHS, typically through DHS's National Cybersecurity Assessment and Technical Services (NCATS), to conduct RVAs on the agency's networks.

All agencies are responsible for the ongoing assessment and authorization of their systems to ensure accuracy of information pertaining to the security posture of their HVAs. Agencies should leverage the results of security audits and voluntary third party assessments to ensure that HVAs are assessed on a regular basis. Following the assessments, DHS or, alternatively, an independent third party assessment organization will provide specific findings and recommendations and will work with agencies to develop a remediation plan to address findings discovered during the assessment. Agencies must ensure that the independent third party assessment findings and recommendations are provided to DHS in a timely manner. In addition to including appropriate confidentiality and data handling requirements in any agreements with independent third party assessors, agencies must ensure that relevant agreements with independent third party assessors specify that the agency is the sole owner of all agency information collected by the third party and such information and any derivative work, including notes and working documents, must be returned to the agency.
Assessment Process
HVA assessments will focus on the agency's assets, systems, information, data, and datasets as prioritized by the agency and will be reviewed by DHS in coordination with OMB. These assessments will not replace existing cybersecurity assessment programs for the agency. Agencies may work with DHS to receive comprehensive assessment services or may, and are encouraged to, procure similar HVA risk management services from commercial providers, so long as such services meet the DHS-established baseline requirements of the newly developed Highly Adaptive Cybersecurity Services (HACS) Special Item Numbers (SINs) on GSA's IT Schedule 70.[12]

[11] OMB M-16-03 directed agencies (not only CFO Act agencies), consistent with applicable law, to provide a signed FNA to DHS by November 13, 2015, to ensure DHS, typically through US-CERT, can rapidly deploy on-site resources to conduct incident response activities, as necessary.
[12] The HACS SINs are comprised of the following cybersecurity services:
132-45A: Penetration Testing - Security testing in which assessors mimic real-world attacks to identify methods for circumventing the security features of an application, system, or network.
132-45B: Incident Response Services - These services help organizations impacted by a cybersecurity compromise determine the extent of the incident, remove the adversary from their systems, and restore their networks to a more secure state.
132-45C: Cyber Hunt Services - These activities are undertaken in response to crises or urgent situations within the pertinent domain to mitigate immediate and potential threats. Cyber hunt activities start with the premise that threat actors that are known to target some organizations in a specific industry, or organizations using specific systems, are likely to also target other organizations in the same industry or with the same systems. The processes use information and threat intelligence specifically focused on the proximate incident to identify undiscovered attacks. Cyber hunt activities also include the investigation and analysis of all relevant response activities.
132-45D: Risk and Vulnerability Assessment - These activities include assessments of threats and vulnerabilities, deviations from acceptable configurations, and enterprise or local policy to assess the current level of risk. The assessor then develops and/or recommends appropriate mitigation countermeasures in operational and non-operational situations.

HVA assessment activities include:
• Risk and Vulnerability Assessment (RVA) - This service, provided by the DHS National Cybersecurity Assessment and Technical Services (NCATS) team, uses a number of techniques to identify weaknesses in the security posture of a given HVA. These can include network mapping, vulnerability scanning, phishing tests, wireless assessments, web application assessments, and database assessments.

• Security Architecture Review (SAR) - As appropriate and as resources are available, DHS will review the architecture of the HVA and develop recommendations for improving the security of the HVA related to the design and interconnections of the system. Once the SAR is complete, DHS will develop a report in collaboration with agency personnel to outline the current state of the agency's architecture and propose recommendations for a target state architecture. If requested by the agency, and if resources are available, DHS will also provide security engineering services to assist the agency with planning and implementation of the recommendations.

• Additional Services, as needed -
  o ICS / SCADA System Assessments - Comprised of tailored assessments based on the type of HVA, this assessment can supplement or replace other assessment activity, as appropriate.
  o Hunting for Potential Malicious Activity - A hunt capability can be deployed to search for malicious activity on any HVA and should be deployed, at a minimum, when the RVA or SAR finds evidence of a potential incident.
  o Federal Incident Response Evaluation - Based on the HVA and its inter-connectedness to other internal or external systems, including other HVAs, it may be appropriate to evaluate incident response readiness specifically tailored around the HVA or related systems.

• Remediation Plans - After the reviews of the HVA have been conducted, DHS, or the agency's independent third party assessment provider, will provide a report on the results, including detailed recommendations on actions that should be taken to address findings. Agencies will then be responsible for the creation of a remediation plan, to include a POA&M detailing specific actions, milestones, and timelines. The remediation plan does not represent the end of the process, as assessments should be completed on a continuous basis, and agencies should always ensure that HVAs receive an appropriate level of attention and resources to enhance their security posture.

REMEDIATE:
The agency must complete its remediation plan expeditiously and should treat it as a priority. The remediation plan must include actions, milestones, and timelines for remediating the weaknesses or deficiencies identified in the assessment's findings. This plan should be validated by the CISO, CIO, CFO, SAOP (if the HVA contains PII), and CAO, and it should conform with DHS reporting requirements, including BOD 16-01 or any successor document for timely status updates.
Agencies should work with their budget offices and governance structures to ensure that
potential remediation strategies are in alignment with the organization's broader cybersecurity
risk-based budgeting plan outlined in the Capital Planning and Investment Control (CPIC)
13
process.
REVIEW
PRIVACY COMPLIANCE AND PRIVACY
RISK
Federal law and policy establish requirements for the proper handling of PII. To both ensure compliance with those requirements and manage privacy risks, SAOPs are required to review agency HVAs and identify those that create, collect, use, process, store, maintain, disseminate, disclose, or dispose of PII. For each HVA identified in the SAOP's review, the SAOP shall ensure that all required privacy documentation and materials are complete, accurate, and up-to-date. This includes the information system's privacy plan, a formal document that details the privacy controls in place or planned for an information system or environment to meet applicable privacy requirements and manage privacy risks, how the controls have been implemented, and the methodologies and metrics used to assess the controls. The plan also includes documentation required by the Privacy Act of 1974 (5 U.S.C. § 552a) (e.g., systems of records notices and Privacy Act Statements), the privacy provisions of the E-Government Act of 2002 (i.e., privacy impact assessments (PIAs)), the Federal Information Security Modernization Act of 2014 (FISMA), and relevant OMB guidance.
In addition, each agency's SAOP shall ensure that when PIAs are required for HVAs, they remain current and accurately reflect the information created, collected, used, processed, stored, maintained, disseminated, disclosed, or disposed of by the HVA. Further, these PIAs should be updated regularly to reflect any changes made to the information technology, agency practices, or HVAs that substantively alter the privacy risks associated with the use of such IT. The PIAs should appropriately document privacy risks and the controls required to mitigate those risks. Finally, SAOPs should ensure they have a reliable process in place to identify and assess on an ongoing basis any changes to the HVAs that may impact privacy risk and/or that may result in the need for additional or modified privacy documentation as part of the agency's PCM program and PCM strategy as required by OMB Circular No. A-130.
HANDLING INSTRUCTIONS
Handling guidance for agencies on information about HVAs can be found on MAX.[14]
As noted throughout the document, the HVA initiative relies on the identification and prioritization of HVAs for testing and assessment based on numerous factors including the type and amount of information, criticality to mission essential functions, and adversary Tactics, Techniques, and Procedures (TTPs). The identification and prioritization of these systems is critical to conducting assessments efficiently, but the results of these efforts are also an attractive target to anyone with malicious intent. To ensure the access needed to perform their appropriate functions while protecting the information about these critical systems, both agencies and independent third party assessors are expected to follow the handling guidance, except for classified national security information, which should follow established guidance.

If a specific process or information is not listed, then it does not have unique handling or protection guidance in terms of being related to an HVA. However, any information submitted by outside agencies that is covered by separate classification guidance should retain the appropriate level of classification.

[13] www.whitehouse.gov/sites/default/files/omb/assets/egov_docs/fy18_it_budget_guidance.pdf
[14] https://community.max.gov/xNg8Rg - This handling guidance will be periodically updated depending on the outcomes of the HVA assessments or changes in TTPs.
CONCLUSION
Risk management remains critical to the way the Federal Government protects its information, systems, and assets and improves its overall security posture. The HVA initiative enhances existing risk management processes by instituting a continuous process of planning, identification, categorization, prioritization, reporting, assessment, and remediation. Implementing this process will enable agencies to better understand the specific security needs of their most critical assets while gaining new insight as to how those assets fit into the larger Federal enterprise. Through a continuous review of all critical assets, systems, information, and data, civilian agencies can achieve a better understanding of what is on their network, what is valuable to their stakeholders, and what is valuable to individuals with malicious intent.

Going forward, agencies, DHS, OMB, and other stakeholders will continue to refine this process as lessons are learned and the threat landscape evolves. Agencies should integrate information gained from HVA efforts into their broader IT modernization work, budget discussions, mission delivery activities, and security initiatives to reduce duplication and ensure that all parts of the agency are aligned in prioritization and remediation activities.
Points of Contact:
Questions for OMB may be directed to ombcyber@omb.eop.gov
Appendix A: OMB, DHS, and GSA Roles and Responsibilities
This Appendix describes third party responsibilities for implementing OMB Memorandum M-17-XX, Management of Federal High Value Assets.
DHS or Independent Third Party Assessor:
- Work with the agency to ensure appropriate ROE documentation and other relevant legal agreements are in place.
- Ensure all access rights and entrance-on-duty requirements have been clearly established and communicated to the agency in order to ensure an efficient assessment.
- Conduct assessment(s) of HVAs in accordance with the signed ROE or other relevant legal agreement(s).
- Provide the assessed agency with a report outlining findings and recommendations.
  o Recommend to the assessed agency a prioritization of activities to appropriately remediate the findings of the assessment.
- In the case of DHS assessments, coordinate with OMB on the tracking of agency progress against the remediation plan.
- Develop future phases of the Continuous Diagnostics and Mitigation Program to address common capability and tool gaps discovered during the HVA assessment process.

OMB:
- Assist DHS with metrics and measurements for the HVA program as a government-wide initiative.
- Coordinate with DHS, the CIO Council, the CISO Council, the Cyber Interagency Policy Committee (Cyber-IPC), and other stakeholders as necessary to develop appropriate assessment tiers to ensure assessment teams are not delayed in focusing on the highest priority assessments.
- Monitor progress against the remediation plan through existing methods such as the CyberStat process and governance bodies such as the President's Management Council.
- Incorporate lessons learned from agency HVA assessments into future policy development.
- Work with agencies on budget formulation and execution related to HVA remediation.

GSA:
- Finalize and ensure the HACS SINs are kept up-to-date with multiple options for agencies to procure assessment services in a timely fashion.
- Provide agencies with options to procure remediation assistance.
Appendix B: HVA Requirements Tracker
This Appendix documents specific action items including deadlines and action item owners. OMB and DHS engagement with agencies will occur as needed to close out the action items.

| Action | Deadline | Who is responsible? |
|---|---|---|
| Identify agency senior accountable officials and lead office to manage HVA processes and report to DHS. | January 15, 2017 | All CFO Act agencies (all agencies encouraged) |
| Provide a "Top 10" prioritized list of HVAs to DHS (ref. "Report" section for required data fields). | January 15, 2017 | All CFO Act agencies (all agencies encouraged) |
| Ensure agency HVA points of contact have active INTELINK accounts (JWICS or SIPR). | Annual, prior to "Top 10" HVA list submission | All CFO Act agencies (all agencies encouraged) |
| SAOP will ensure required privacy documentation, including any PIAs, are complete, accurate, and up-to-date for all HVAs that involve PII. | Immediate | All CFO Act agencies (all agencies encouraged) |

Conduct HVA Pre-Assessments (ref. Assess: Pre-Assessment section for details)

| Action | Deadline | Who is responsible? |
|---|---|---|
| Ensure implementation and validation of appropriate security controls for all HVAs. | Prior to HVA assessments | All CFO Act agencies (all agencies encouraged) |
| Identify system dependencies and interdependencies. Create and implement plan for conducting HVA assessments. Establish required legal agreements, including valid FNAs and ROEs with DHS. | Prior to HVA assessments | All CFO Act agencies (all agencies encouraged); DHS or other assessor |
| Establish and communicate access rights and entrance on duty requirements to agency. | Prior to HVA assessments | DHS or other assessor |

Conduct HVA Assessments (ref. Assess: Assessment Process section for details)

| Action | Deadline | Who is responsible? |
|---|---|---|
| Conduct RVAs through DHS NCATS or commercial provider. Conduct SAR. (As needed) Conduct ICS assessments, hunting for malicious activity, and incident response evaluation. | Ongoing | All CFO Act agencies (all agencies encouraged); DHS or other assessor |
| Provide agencies with detailed reports of assessments and prioritized recommendations and milestones for remediation. | Within 30 days of completion of assessment | DHS or other assessor |

Remediate HVA weaknesses and deficiencies

| Action | Deadline | Who is responsible? |
|---|---|---|
| Create remediation POA&M. | Within 30 days of receipt of assessment findings report | All CFO Act agencies (all agencies encouraged) |
| Mitigate high-priority vulnerabilities (ref. BOD 16-01). Report status of high-priority vulnerabilities to DHS (ref. BOD 16-01). | Within 30 days of receipt of assessment findings report; every 30 days until all high-priority vulnerabilities are mitigated | All CFO Act agencies (all agencies encouraged) |
| Coordinate with OMB for tracking of agency progress in remediation. | Ongoing | DHS or other assessor |
| Provide agencies with government-wide vehicles to procure remediation assistance. | Ongoing | GSA |