The Current Landscape
Existing Federal risk management policies, guidance, and standards that direct agencies to identify IT assets, perform risk assessments, and address risks related to IT assets also apply to HVAs. For example:
- OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control, directs agencies to look at risk across all functions of the agency and highlights IT as a component of the portfolio view of risk.
- The overarching Federal information management policy, OMB Circular No. A-130, Managing Information as a Strategic Resource, requires agencies to manage Federal information throughout the information life cycle and directs agencies to provide protection for their information commensurate with the risk and potential harm resulting from its compromise. Additionally, OMB Circular A-130 states that agencies must identify IT assets and maintain an inventory of agency information resources, and it specifically directs each agency to maintain an inventory of its respective information systems that create, collect, use, process, store, maintain, disseminate, disclose, or dispose of personally identifiable information (PII).
- OMB Memorandum M-13-13, Open Data Policy - Managing Information as an Asset, requires that agencies create and maintain an inventory of data assets via an enterprise data inventory.

Once an agency identifies its IT assets and creates the appropriate inventories, the agency has additional obligations, for example:
- National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, provides guidelines for applying the Risk Management Framework to Federal information systems, to include conducting the activities of security categorization, security control selection and implementation, security control assessment, information system authorization, and security control monitoring.
Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems then directs agencies to categorize their information and information systems based on the potential impact to an organization should events occur which jeopardize the information and information systems of an organization. Initial security categorizations pursuant to such guidance will help determine the baseline security controls that an agency must implement to protect Federal information and information systems at the security impact level determined by the FIPS 199 categorization. The specific controls chosen will be drawn from NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations and guided by NIST SP 800-60 Volume I Revision 1, Guide for Mapping Types of Federal Information and Information Systems to Security Categories, tailored according to an assessment of risk by the owning agency.
While this HVA initiative is compatible with and must leverage existing policies and guidelines regarding IT assets, such as those listed above, agencies must also consider their HVA risks from a strategic, enterprise-wide perspective. As such, the agency HVA process described herein requires explicit consideration of the following factors:
- Agencies’ assessment of risk should not be limited to IT and other technical considerations. HVA risk assessments should incorporate operational, business, mission, and continuity considerations. All key stakeholders of an agency, to include the Chief Financial Officer (CFO), Chief Acquisition Officer (CAO), Senior Agency Official for Privacy (SAOP), mission, business, and policy owners as well as the Chief Information Officer (CIO) and Chief Information Security Officer (CISO) organizations, should be engaged in evaluating HVA risks.
- Agencies’ assessment of risk should consider not just the risk that an HVA poses to the agency itself, but also the risk of interconnectivity and interdependencies leading to significant adverse impact on the functions, operations, and mission of other agencies.
- Further, agencies’ assessment of risk should include the risk of significant adverse impact on the national security interests, foreign relations, or economy of the United States, or on the public confidence, civil liberties, or public health and safety of the American people.
- Agencies’ assessment of risk to an HVA should be informed by an up-to-date awareness of threat intelligence regarding agencies’ Federal information and information systems; the evolving behaviors and interests of malicious actors; and the likelihood that certain agencies and their HVAs are at risk owing to demonstrated adversary interest in agencies’ actual, related, or similar assets.
- All agency-identified HVAs will be reviewed by DHS and OMB in order to prioritize HVAs for assessment and remediation activities across government.
- Based on the DHS and OMB reviews, a select number of HVAs will be subject to a standardized assessment with the potential for additional services as needed.