BOD 18-02: Securing High Value Assets

A binding operational directive is a compulsory direction to federal, executive branch, departments and agencies for purposes of safeguarding federal information and information systems.

The Department of Homeland Security (DHS) develops and oversees the implementation of binding operational directives pursuant to the Federal Information Security Modernization Act of 2014.

Federal agencies are required to comply with DHS-developed directives.

DHS binding operational directives do not apply to statutorily defined “National Security Systems” nor to certain systems operated by the Department of Defense or the Intelligence Community. Id. § 3553(d)-(e).

Background

Since 2015, the Federal Government’s High Value Asset (HVA) initiative has ensured focus on the protection of the Federal Government’s most critical and high impact information and information systems. The broader government effort and related policy statements address the identification, categorization, and prioritization of HVAs across the Federal Government. These HVA activities focus on the identification of major and critical weaknesses to HVA systems through tailored assessments provided directly by DHS, the Agency, or an independent third-party assessor based on government-wide requirements. Through focused engagement with participating agencies, these weaknesses are prioritized for timely mitigation and architectural enhancements based on the assessment findings.

Consistent with that focus and Binding Operational Directive 16-01, DHS has been performing HVA assessments, which include Risk and Vulnerability Assessments (RVAs) and Security Architecture Reviews (SARs) on Agency HVA systems across the Federal Government’s High Value Asset enterprise. As required by BOD 16-01, agencies developed remediation plans specifying the timelines and mitigation actions necessary to address certain vulnerabilities. Based on operational insights and lessons learned, DHS is enhancing its approach to conducting these engagements to provide agencies with improved results and findings by expanding system scope, refining assessment methodologies, and using less-constrained penetration testing approaches to resemble tactics, techniques, and procedures used by advanced threat actors attempting to gain unauthorized access.

Revocation

This directive supersedes BOD 16-01, Securing High Value Assets (June 9, 2016), which is hereby revoked.

Required Actions

To ensure effective identification and timely remediation of major and critical weaknesses to HVA systems based on DHS HVA assessments, all Federal agencies shall complete Actions One and Two; and Federal agencies selected by the Office of Management and Budget (OMB) and DHS for HVA assessments shall complete all of the following actions:

Action One - Identify and Submit Coordination Points of Contact (POCs) for HVA Assessments

(Applies to All Agencies)

1. Identify a lead, federal employee POC and at least one backup federal employee POC responsible for coordinating the Agency’s HVA assessments with DHS.¹
2. Within 7 days of the issuance of this directive, submit the following contact information to the DHS email address below for the Agency’s lead POC and backup POC:
   1. Name
   2. Position/Title
   3. Email addresses: Unclassified and, if available, classified accounts
   4. Phone number
3. At least annually, review Agency POC information, and re-certify or submit updates as changes are made.

Action Two - Submit Agency HVAs

(Applies to All Agencies)

1. Submit a current and prioritized HVA list inclusive of the Agency enterprise (i.e. all departmental components) within 30 days of issuance of this directive through the identified HVA POC’s Homeland Security Information Network (HSIN) account.²
2. Once submitted, review the Agency HVA list on a quarterly basis and provide updates and modifications via HSIN.
3. Participate in an annual meeting, coordinated by DHS, to validate the Agency HVA list.

Action Three - Participate in DHS-led Assessments

1. If selected to participate in DHS-led HVA assessment³, complete and submit to DHS:

   1. A single Rules of Engagement (ROE)⁴; as well as,

   2. For each HVA and related system(s) to be assessed, one ROE Appendix A titled “RVA Services for High Value Assets and Related Systems,” authorizing DHS to conduct HVA RVAs on that Agency HVA and related systems.⁵⁶

2. Fully participate in the HVA assessments authorized by the ROE and one or more Appendix A submissions for “RVA Services for High Value Assets and Related Systems.”
3. Fully participate in a SAR of each HVA to be assessed.⁷
4. Agencies shall impose no restrictions on the timing and/or frequency of the assessments, the services to be provided by DHS, or the scope of systems that are part of or related to the HVA being assessed.

Action Four - Ensure Timely Remediation of Identified Vulnerabilities and Report Mitigation Plans and Progress

1. Within 30 days of receipt of the RVA and/or SAR reports identifying major or critical weakness to an assessed HVA, remediate all major or critical weaknesses and provide notification to DHS that each identified weakness was addressed.⁸.

2. If it is determined by the designated Senior Accountable Official for Risk Management (SAORM) that full remediation cannot be completed within the initial 30 day timeframe, develop and submit to the DHS email address below a remediation plan for each HVA with remaining major or critical weaknesses within 30 days of the receipt of the RVA and/or SAR reports.

   1. This remediation plan shall include justification for the extended timeline, the proposed timeline and associated milestones to remediation (not to exceed one year), interim mitigation actions planned to address immediate vulnerabilities, and, if relevant, the identification of constraints related to policy, budget, workforce, and operations.

   2. This remediation plan must be signed by the designated SAORM prior to submission to DHS.

3. Report the status of each remaining major or critical weakness to the DHS email address below every 30 days until full remediation is achieved for all assessed HVAs. Status reports must address RVA and SAR results through combined reporting and must be submitted every 30 days starting 30 days after the submission of the remediation plan described above.
4. Notify DHS at the email address listed below and through the monthly status reports of any modifications to remediation plan timelines and when full remediation has been achieved. The notifications for modifications and full remediation must be certified under signature of the designated SAORM.

Progress Tracking

• DHS will centrally manage Agency progress and report submissions, and will engage each Agency Head in all cases where the Agency has not met the deadlines outlined in Required Actions defined above.

DHS Actions

• DHS collects, maintains, and prioritizes Agency-submitted HVAs, and will notify enterprise Chief Information Officers, Chief Information Security Officers, and HVA POCs of specific HVAs selected for DHS-led assessments based on OMB-led determinations.
• DHS maintains all Agency HVA submissions on HSIN. DHS provisions HSIN accounts for designated Agency HVA POCs and provides instruction on HSIN use, as needed.
• DHS provides standard templates for identifying and submitting Agency HVAs and for remediation plans and progress reports.
• DHS plans and conducts RVAs and SARs for OMB-selected Agency HVAs, and provides formal reports containing assessment findings and recommendations to the designated Agency HVA POCs.

Footnotes

1. To ensure that the designated POC is able to exchange necessary information with DHS, the individual must have an active HSIN account and should have an active PKI certificate and reliable access to either JWICS or SIPR/HSDN. Some agencies may have already submitted a POC to DHS. In such cases, agencies will confirm their POCs with DHS. 

2. Agency HVA lists shall be compiled pursuant to OMB M-17-09, its successor, or other selection criteria defined by OMB. (NOTE: M-17-09 has been rescinded and replaced by M-19-03.) 

3. DHS will determine the frequency of HVA assessments on specific HVAs and coordinate with the Agency, as appropriate. 

4. Most agencies have an appropriate Rules of Engagement on file with DHS and do not need to sign another. 

5. DHS will notify agencies which Agency HVAs and related systems will have RVAs performed under this directive. Even if agencies have an ROE on file with DHS, agencies will need to complete and sign a new “Appendix A - RVA Services for High Value Assets and Related Systems.” For each HVA and related systems to be assessed, DHS will provide the required information, including that appendix, and identify the Agency HVAs to be assessed under this BOD using the contact information obtained from Action One. 

6. For the purposes of this Directive, ‘related systems’ refers to the network infrastructure resources of an Agency’s entire network that enable network connectivity, communication, operations and management of the Agency enterprise network which are interconnected or otherwise required for operations of the identified HVA. DHS will determine whether specific infrastructure is part of a related system. 

7. DHS will notify agencies which HVAs and related systems will have SARs performed under this directive. 

8. Current un-remediated findings identified as high priority vulnerabilities pursuant to are deemed ‘major or critical weaknesses’ pursuant to this directive and must be mitigated consistent with Action 4 from BOD 18-02. Reportable findings after the issuance of BOD 18-02 will be identified as ‘major and critical weaknesses’ in SAR reports and identified as ‘critical’ and ‘high’ severity vulnerabilities in the RVA reports.