Cybersecurity

Time for agencies to tell OMB about high-value assets

Shutterstock image: protected hardware.

After the cyber sprint came the Cybersecurity Strategy and Implementation Plan and the new plans hard deadlines coming due. The first deadline: By Nov. 13, agencies had to identify and report their "high-value assets" to the Office of Management and Budget.

OMB maintained a low profile as the deadline passed, but observers were in agreement that the exercise was a good one, if done thoroughly.

"It's a good step to take on the path to improved resiliency and risk management," said Federal Communications Commission CIO David Bray. (As an independent agency, the FCC doesn't have to follow OMB's directives on the CSIP, but Bray said his agency has already identified high-value assets in its own push.)

"It's a great first step," agreed Ray Rothrock, CEO of security firm RedSeal. "It's a good thing CSIP asks for this."

But what is a high-value asset?

High-value assets

Rothrock noted that high-value assets are not just highly sensitive data, or even data at all.

Social Security numbers on an agency's network are high-value, but less-sensitive information, such as a list of employee names, could also merit high-value classification if that list is exposed to the outside. Routers and switches, too, could be classified as high-value, since they're an appealing target for adversaries seeking to intercept agency traffic.

Faisal Iqbal, CTO of public sector at Citrix, noted that "contextual levels" of security will be key as agencies seek to protect their high-value assets. Some data should be accessible to lower level employees accessing the network remotely; other data should be locked down much more securely.

It's been nearly half a year since the public revelation of the massive Office of Personnel Management breach that accelerated the government's cybersecurity push, and to some, the high-value asset deadline was a long time coming.

"I would have thought people would already know what's important and what's not," Rothrock said.

"The whole data classification challenge, that's not an easy task," Iqbal said, noting that in this case, perhaps it was best that agencies took the time to get things right.

Data center squeeze

As the high-value asset deadline passed, federal CIO Tony Scott told Federal News Radio that he'll soon be putting out guidance on a related subject: data center consolidation.

In the interest of both saving money and getting a better handle on federal data, Scott's guidance won't necessarily focus on cutting down on the government's roughly 12,000 data centers, but it will push shared services, consolidation and cloud.

"Shifting to cloud services is a great way of eliminating data centers and getting to a smaller footprint," Scott said. "I think what you will see is a balanced approach to this that encourages multiple swim lanes, if you will, of getting more effective and efficient IT in that area and not just a focus on numeric achievement, although that could be one of the things."

Of course, some say numerical goals are a must.

"The forthcoming guidance must set far more aggressive goals than are in place now, as the government should be able to run on fewer than 1,000 data centers," said Anthony Robbins, vice president of federal at Brocade. "The challenge is to ensure that those data centers are being fully utilized and operating at peak efficiency."

Citrix' Iqbal noted that, while it's a great opportunity to streamline, not everything needs to go to the cloud.

Scott said the new guidance will come out later this winter.

About the Author

Zach Noble is a former FCW staff writer.

Featured

  • People
    Federal CIO Suzette Kent

    Federal CIO Kent to exit in July

    During her tenure, Suzette Kent pushed on policies including Trusted Internet Connection, identity management and the creation of the Chief Data Officers Council

  • Defense
    Essye Miller, Director at Defense Information Management, speaks during the Breaking the Gender Barrier panel at the Air Space, Cyber Conference in National Harbor, Md., Sept. 19, 2017. (U.S. Air Force photo/Staff Sgt. Chad Trujillo)

    Essye Miller: The exit interview

    Essye Miller, DOD's outgoing principal deputy CIO, talks about COVID, the state of the tech workforce and the hard conversations DOD has to have to prepare personnel for the future.

Stay Connected

FCW INSIDER

Sign up for our newsletter.

I agree to this site's Privacy Policy.