The Department of Homeland Security is expanding its efforts to protect federal high-value assets in a new binding operational directive, issued earlier this month.
The directive “introduces a more focused, integrated approach to addressing weaknesses across federal agency HVAs, facilitates ongoing collaboration across cybersecurity teams to drive timely remediation, and ensures senior executive involvement to manage risk across an agency enterprise,” Jeanette Manfra, assistant secretary for the Office of Cybersecurity and Communications, wrote in a DHS blog post Friday.
Binding Operational Directive 18-02, “Securing High Value Assets,” is very similar to and now supersedes another directive the department issued in 2016, which required agencies, with DHS’s help, to identify any weaknesses in their high-value assets — systems that “enable the government to conduct essential functions and operations, provide services to citizens, generate and disseminate information, and facilitate greater productivity and economic prosperity.”
This new directive enhances those efforts, based on lessons learned over the past two years, “by expanding system scope, refining assessment methodologies, and using less-constrained penetration testing approaches to resemble tactics, techniques, and procedures used by advanced threat actors attempting to gain unauthorized access,” it explains. The policy ensures that civilian agencies are prepared to work with DHS not only to identify those critical systems but also to conduct risk and vulnerability assessments and security architecture reviews on the systems in question, and then to remediate any found vulnerabilities within 30 days.
“In-depth security assessments and security architecture reviews of prioritized agency HVAs help identify vulnerabilities and weaknesses that may allow an adversary to penetrate a system, move through an agency’s network, and access and exfiltrate sensitive data without detection,” Manfra said.
DHS isn’t limiting its work to only its federal partners. The department’s National Protection and Programs Directorate is also working to identify and protect key areas designated as “national critical functions,” Manfra explained May 22 at the Security Through Innovation Summit presented by McAfee and produced by FedScoop and CyberScoop.
“Those are things like a stable financial system, the ability to have clean water, the ability to have electricity and now, the ability to have communications,” she said. “All of these systems need to be stable, they need to be resilient, they need to be secure.”