Conclusion

Risk management remains critical to the way the Federal Government protects its information, systems, and assets and improves its overall security posture. The HVA initiative enhances existing risk management processes by instituting a continuous process of planning, identification, categorization, prioritization, reporting, assessment, and remediation. Implementing this process will enable agencies to better understand the specific security needs of their most critical assets while gaining new insight as to how those assets fit into the larger Federal enterprise. Through a continuous review of all critical assets, systems, information, and data, civilian agencies can achieve a better understanding of what is on their network, what is valuable to their stakeholders, and what is valuable to individuals with malicious intent.

Going forward, agencies, DHS, OMB, and other stakeholders will continue to refine this process as lessons are learned and the threat landscape evolves. Agencies should integrate information gained from HVA efforts into their broader IT modernization work, budget discussions, mission delivery activities, and security initiatives to reduce duplication and ensure that all parts of the agency are aligned in prioritization and remediation activities.