For fiscal year 2020, the Trump administration is requesting more than $17.4 billion for cybersecurity efforts across federal agencies, which would represent a $790 million (5 percent) increase above the FY 2019 estimate. While that is a large sum of money, the government’s cybersecurity resources (including its personnel) are not unlimited. That is why agencies have been hunting for their high-value assets to defend.
In December, the Office of Management and Budget issued updated guidance on how to define high-value assets, or HVAs, which are the data and information whose unauthorized disclosure would hurt the government.
Speaking April 29 at the 2019 GITEC Emerging Technology Conference in Annapolis, Md., a panel of federal IT security leaders discussed how the Department of Homeland Security is working with agencies to identify and protect HVAs. The shift is important, they say, because agencies cannot protect all of their assets equally and must focus on putting the most significant data protection defenses toward those assets that truly matter to agencies’ missions.
How Federal Agencies Define High-Value Assets
As FedScoop reports, the OMB memo reclassified HVAs “from a single definition into three categories that provide agencies more flexibility in designating the protections needed and spells out the steps for reporting, assessing and remediating those assets against the threat of a cyberattack.”
The three categories in which information systems can fall under the heading of an HVA include:
- Informational Value: The information or information system that processes, stores or transmits the information is of high value to the government or its adversaries.
- Mission Essential: The agency that owns the information or information system cannot accomplish its Primary Mission Essential Functions, as approved in accordance with Presidential Policy Directive 40 (PPD-40) National Continuity Policy, within expected timelines without the information or information system.
- Federal Civilian Enterprise Essential: The information or information system serves a critical function in maintaining the security and resilience of the federal civilian enterprise.
Kevin Cox, the program manager of the Continuous Diagnostics and Mitigation program at DHS, notes that the fourth phase of CDM is focused on data protection and HVAs. Within the Cybersecurity and Infrastructure Security Agency at DHS, the federal network resilience branch works with agencies to identify HVAs, Cox notes.
Under the older definition of HVAs, there were fewer than 100 across the government. The more expansive definition has pushed that figure into the hundreds. They include systems with personally identifiable information, personal health information and sensitive national security data, Cox notes.
How to Best Offer Cybersecurity for HVAs
DHS is working with agencies down to the system level to understand the architecture of these HVAs, Cox said, and then identifies the proper technology solution to secure the data. That can mean rearchitecting a legacy system, or using microsegmentation, data rights management or data loss prevention tools.
Scott Davis, the Labor Department’s deputy CISO, said that the old definition of HVAs led agencies to overprotect certain assets. Now, DOL and other agencies are working to “provide adequate security, not underprotecting or overprotecting.”
Reclassifying what counts as an HVA will allow agencies to “refocus our resources on the right things,” he said. Agencies will need to alter contracts to reflect this new reality and that will take time, Davis acknowledged. However, he said, it is a “great thing” for agencies to be laser-focused on protecting HVAs.
Darren Death, vice president of information security and CISO at ASRC Federal, said for CIO offices to fully understand what counts as an HVA, they need to work closely with mission partners at their agencies. “While IT may have some insight, your mission really understands what HVAs are and what is important to the organization,” he said. CIOs can deploy lots of great cybersecurity tools to provide microsegmentation, he said, but without a good working relationship with the mission areas, all of the technology won’t have as much of an impact.
Davis agreed, noting that before he joined the Labor Department in 2018, he did not know that the agency had 27 different components, including the Bureau of International Labor Affairs. That division has employees who travel all over the world. Without understanding that mission, network segmentation might unnecessarily hamper the communications of workers abroad, Davis noted.
“We need to have balance,” he said. “DOL is a very public-facing agency, like lots of other agencies. We need to be careful about how we protect and how we segment, otherwise we’re going to cripple our customers.”