OMB expands definition of high-value assets

The Office of Management and Budget is making sure all agencies develop plans to protect their most sensitive and valuable cybersecurity assets and designate an agency-level office or team to secure them.

A new memo from OMB builds on the government's concerted, continued effort to shift its cybersecurity resources to focus to the most sensitive and mission-critical systems that agencies need to carry out their missions.

It builds on recent Department of Homeland Security guidance for agencies to update their lists of high-value assets, and it comes as watchdogs continue to report on agencies that need stronger protections around those assets.

The new guidance from OMB covers all agencies -- not just the Chief Financial Officers Act agencies covered in the 2016 memo -- and expands the criteria for what constitutes a "high-value asset." It replaces previous OMB directives.

The guidance considers information or a system a "high-value asset" if the system holds or transmits high-value information relating to the government or adversaries, if information or a system is necessary to an agency's mission or if the information or system has a critical security function. If one of these applies, agencies -- as well as OMB or DHS -- can label the information or system a "high-value asset."

OMB emphasizes the necessity of CIOs, CISOs, CFOs and senior officials -- along with OMB and DHS -- working together to distribute resources, making sure data and systems are adequately protected and ensuring the executive branch stays up to date on their status.

The reporting requirements issued by OMB are consistent with those from the DHS memo, and assessments of high-value assets -- whether conducted by the agency, DHS or a third party -- must be reported to DHS for review.

Within a year of sending findings to DHS, agencies must come up with plans to update their technology or architecture where needed to protect their assets, as well as addressing any obstacles in policy, resources, workforce or operations.

OMB directed DHS to work with agencies and continue providing help and guidance in protecting critical agency information and systems, determining reporting frequency and boosting protections for the assets with the greatest risk. It also directed DHS to help agencies with procuring technology or assessment services.

OMB also directed GSA to coordinate with DHS and OMB in procuring security services, gaining feedback on acquisition improvements and standardizing language agencies can reference when writing or modifying contracts for high-value asset assessments.