Federal agencies have been handed new guidance for protecting their most sensitive systems and data under a new policy issued by the White House.
Revamped guidance for protecting agency’s “high-value assets” retools the definition of such systems and applies the rules, for the first time, across the entire federal government. The new guidance was laid out in a memo to the heads of federal agencies and departments from Mick Mulvaney, the director of the Office of Management and Budget.
The previous iteration of the policy only applied to the two dozen largest federal agencies, known as the CFO Act agencies.
The revamped version is expanding to include all agencies, including non-CFO Act agencies
“With the dynamic adversarial threat to the security and resilience of HVAs, it is essential that the initiative evolve to take a more comprehensive view of the risk to the federal enterprise and the measures available to mitigate those risks,” Mulvaney wrote in the memo to agency chiefs.
The new guidance also broadens the definition of high-value assets, moving away from a single, blanket definition and toward establishing multiple categories under which an agency may designate such a system.
The three broad categories under which an agency may designate a high-value asset include:
- If the information or information system is of a high value either to the government or its adversaries;
- If the agency that owns the information or information system could not accomplish primary mission-essential functions if it went down or was compromised; or
- The information or information system serves a critical function in maintaining the security and resilience of the federal civilian enterprise.
Agencies are also tasked with naming an office, team or other governance structure to carry out the various functions associated with securing high-value assets, including assessing them, remediating any issues and responding to incidents.