Appendix A- OMB, DHS, and GSA Roles and Responsibilities

This Appendix describes third party responsibilities for implementing OMB Memorandum M­ 17-XX, Management of Federal High Value Assets.

DHS or Independent Third Party Assessor:

  • Work with the agency to ensure appropriate ROE documentation and other relevant legal agreements are in place.
  • Ensure all access rights and entrance-on-duty requirements have been clearly established and communicated to the agency in order to ensure an efficient assessment.
  • Conduct assessment(s) of HV As in accordance with the signed ROE or other relevant legal agreement(s).
  • Provide the assessed agency with a report outlining findings and recommendations.
    • Recommend to the assessed agency a prioritization of activities to appropriately remediate the findings o f the assessment.
  • In the case of DHS assessments, coordinate with OMB on the tracking of agency progress against the remediation plan.
  • Develop future phases of the Continuous Diagnostics and Mitigation Program to address common capability and tool gaps discovered during the HVA assessment process.


  • Assist DHS with metrics and measurements for the HVA program as a government-wide initiative.
  • Coordinate with DHS, the CIO Council, the CISO Council, the Cyber Interagency Policy Committee (Cyber-IPC), and other stakeholders as necessary to develop appropriate assessment tiers to ensure assessment teams are not delayed in focusing on the highest priority assessments.
  • Monitor progress against the remediation plan through existing methods such as the CyberStat process and governance bodies such as the President’s Management Council.
  • Incorporate lessons learned from agency HVA assessments into future policy development.
  • Work with agencies on budget formulation and execution related to HVA remediation.


  • Finalize and ensure the HACS SINs are kept up-to-date with multiple options for agencies to procure assessment services in a timely fashion.
  • Provide agencies with options to procure remediation assistance.