This post was co-authored by Emily Shawgo.

Every organization has mission-critical information and technology assets that require enhanced security. Private organizations may identify these assets informally or rely on community knowledge to decide how to prioritize security resources. Federal government departments and agencies, however, have official guidelines for identifying and securing their high value assets. These guidelines can provide lessons for all organizations protecting their most critical assets. This blog post will outline the background of the federal High Value Asset (HVA) Program, explain the resources available to guide the securing of high value assets, and discuss ways to apply these resources to your own assets.

United States policy establishes security requirements for federal information systems through the entire system development lifecycle. The Office of Management and Budget (OMB) Circular A-130, Managing Information as a Strategic Resource, recognizes federal information as "both a strategic asset and a valuable national resource" essential for transparency and vital functions, such as the economy and public health. This policy defines "adequate security" and directs agencies to implement security controls that satisfy "the minimum information security requirements in FIPS Publication 200."

Some federal information assets and the information they contain are so crucial to the operation of federal agencies--as well as the safety and security of the nation--that they require protections beyond those required in OMB Circular A-130. The federal government has developed a uniform, robust system for identifying, prioritizing, and securing the most important of these assets: the High Value Asset (HVA) Program, operated by the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) in coordination with OMB.

OMB Memorandum M-17-09 defines high value assets as the "assets, Federal information systems, information, and data for which an unauthorized access, use, disclosure, disruption, modification, or destruction could cause a significant impact to the United States' national security interests, foreign relations, economy, or to the public confidence, civil liberties, or public health and safety of the American people." OMB M-17-09 has since been superseded by OMB Memorandum M-19-03, but the former definition still helps frame high value assets. M-19-03 broadens the definition to allow agencies to apply it to assets they deem critical. According to M-19-03, a high value asset can be any information or information system that falls into one of these three categories:

• Informational value -- The information or information system that processes, stores, or transmits the information is of high value to the Government or its adversaries.
• Mission essential -- The agency that owns the information or information system cannot accomplish its primary mission essential functions (PMEF) ... within expected timelines without the information or information system.
• Federal civilian enterprise essential (FCEE) -- The information or information system serves a critical function in maintaining the security and resilience of the federal civilian enterprise.

According to OMB Circular A-130, federal agencies must include security requirements in planning and budgeting activities, categorize information and information systems (following FIPS 199 and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-60), and select and implement security controls that meet the minimum requirements in FIPS 200. Categorization involves designating each asset's level of impact on the D/A or individuals as high, moderate, or low. This categorization determines the control baseline defined in NIST SP 800-53B, the agency should use to protect the high value asset, tailored to meet mission or business needs.

By definition, high value assets must have been designated either moderate impact or high impact. In addition to the baseline security and privacy controls recommended in NIST SP 800-53 for the determined impact level, the organization may add a set of controls that CISA developed as an overlay to NIST SP 800-53. This High Value Asset Overlay addresses weaknesses and threats against high value assets that have been observed by CISA.

DHS Binding Operational Directive (BOD) 18-02 also requires federal agencies to submit details on agency high value assets to DHS. For the most critical assets, known as tier 1 high value assets, agencies must undergo two CISA-led assessments: a Risk and Vulnerability Assessment and a Security Architecture Review. Non-tier 1 high value assets are also subject to these assessments through a third party, independent assessor, or self-assessment. These assessments focus specifically on the high value asset, rather than the entire enterprise, and provide guidance on the potential vulnerabilities and risks associated with the asset.

Organizations in every sector have high value assets that require extra protection. Identifying and prioritizing these assets should be a central activity in securing your organization's environment. Using the federal HVA program as an example can help guide your risk-management decisions about these assets, as discussed below:

1. Define criteria for your high value assets. Just because an asset is important does not necessarily mean it is a high value asset. First, determine criteria that could be applied during system development and operation that could aid in the identification of a high value asset. You could use the three attributes of high value assets defined by OMB M-19-03: (1) mission essential, or those assets whose unavailability, exposure, or modification would significantly disrupt your organization's mission; (2) protective, or assets that provide security or resilience; and (3) informational value, or any asset that has great value to the organization or its competitors. Development of these criteria could be informed by prior risk assessments or threat modeling exercises.
2. Identify and select your highest value assets based on the criteria above. Using the criteria you developed, determine which information systems are your highest value assets. In addition, consider categorizing them in a "low, moderate, and high" impact level scale like that of FIPS 199. Once you have determined a system is a high value asset and categorized it based on your own scale, you should be able to develop a list of systems in rank order. The systems at the top of the list should be the ones that (1) are your highest value assets and (2) would have the greatest impact in the event of a breach. Keep in mind that if everything is a priority, nothing is a priority. Distinguish between systems that are critical to the mission of the organization and those that are simply helpful or convenient.
3. Identify the controls that will protect your high value assets. There are many established sources you can use to select controls for your high value assets. For example, the NIST SP 800-53 control catalog and associated baselines. For additional protection, consider implementing the more advanced controls and enhancements in the CISA High Value Asset Overlay. Tailor these baselines to meet your business requirements.
4. Implement controls and use an established process to assess control effectiveness. Organizations should, as do federal agencies following the NIST Risk Management Framework, formally accept the risk of operating the high value asset and continuously monitor the effectiveness of controls and monitor changes to the operating environment. Automated monitoring of the environment is key to providing the current security status of the system to those tasked with securing it. It is also important to periodically perform manual testing of controls. Federal high value asset systems are subject to assessments such as the DHS Risk and Vulnerability Assessment (RVA) and Security Architecture Review (SAR) to answer questions such as, "Have changes to the surrounding environment or other systems created a weakness in the high value system? Is there a version of a service running in the environment that has a discovered vulnerability that creates a significant risk?" Manual testing can help to answer these types of questions. This testing may include penetration testing and reviewing system planning documentation for alignment with the current state, are important activities for continued secure operation of a system.

Using established guidance such as NIST SP 800-60 and 800-53 could help your organization efficiently categorize your information systems and select security and privacy controls for organizational assets. To ensure mission success, it is important to identify and protect assets, particularly your most valuable assets. They should be mapped and prioritized based on their support to your critical services. Approaching security with a high value asset mindset does not replace a robust enterprise security program. It will, however, allow you to focus your resources on keeping your most important assets safe.