Appendix B - HVA Requirements Tracker

This Appendix documents specific action items including deadlines and action item owners. OMB and DHS engagement with agencies will occur as needed to close out the action items.

| Action | Deadline | Who is responsible? |
| --- | --- | --- |
| Identify agency senior accountable officials and lead office to manage HVA processes and report to DHS. | January 15, 2017 | All CFO Act agencies (all agencies encouraged) |
| Provide a "Top 10" prioritized list of HVAs to DHS (ref. "Report" section for required data fields). | January 15, 2017 | All CFO Act agencies (all agencies encouraged) |
| Ensure agency HVA points of contact have active INTELINK accounts (JWICS or SIPR). | Annual, prior to "Top 10" HVA list submission | All CFO Act agencies (all agencies encouraged) |
| SAOP will ensure required privacy documentation, including any PIAs, are complete, accurate, and up-to-date for all HVAs that involve PII. | Immediate | All CFO Act agencies (all agencies encouraged) |
| Conduct HVA Pre-Assessments (ref. Assess: Pre-Assessment section for details) | | |
| Ensure implementation and validation of appropriate security controls for all HVAs.<br>Identify system dependencies and interdependencies.<br>Create and implement plan for conducting HVA assessments.<br>Establish required legal agreements, including valid FNAs and ROEs with DHS. | Prior to HVA assessments | All CFO Act agencies (all agencies encouraged)<br>All CFO Act agencies (all agencies encouraged); DHS or other assessor |
| Establish and communicate access rights and entrance on duty requirements to agency. | Prior to HVA assessments | DHS or other assessor |
| Conduct HVA Assessments (ref. Assess: Assessment Process section for details) | | |
| Conduct RVAs through DHS NCATS or commercial provider.<br>Conduct SAR.<br>(As needed) Conduct ICS assessments, hunting for malicious activity, and incident response evaluation.<br>Create remediation POA&M. | Ongoing | All CFO Act agencies (all agencies encouraged); DHS or other assessor |
| Remediate HVA weaknesses and deficiencies | | |
| Provide agencies with detailed reports of assessments and prioritized recommendations and milestones for remediation. | Within 30 days of completion of assessment | DHS or other assessor |
| Mitigate high-priority vulnerabilities (ref. BOD 16-01). | Within 30 days of receipt of assessment findings report | All CFO Act agencies (all agencies encouraged) |
| Report status of high-priority vulnerabilities to DHS (ref. BOD 16-01). | Within 30 days of receipt of assessment findings report; every 30 days until all high-priority vulnerabilities are mitigated | All CFO Act agencies (all agencies encouraged) |
| Coordinate with OMB for tracking of agency progress in remediation. | Ongoing | DHS or other assessor |
| Provide agencies with government-wide vehicles to procure remediation assistance. | Ongoing | GSA |