DHS directive doubles down to protect high-value assets
- By Derek B. Johnson
The Department of Homeland Security announced May 25 that it has issued a new Binding Operational Directive designed to further protect high-value assets in the federal government from cyber attacks.
Under the new directive, 18-02, federal agencies must submit to DHS an updated and prioritized list of their own high-value assets within 30 days of the order’s issuance, dated May 7. They must also identify a point of contact within the agency responsible for coordinating with DHS.
Additionally, a select number of agencies designated by the Office of Management and Budget must authorize DHS to conduct deeper assessments around risks and vulnerability and remediate any critical weaknesses identified within 30 days of notification.
“With the issuance of BOD 18-02, DHS introduces a more focused, integrated approach to addressing weaknesses across federal agency [high-value assets], facilitates ongoing collaboration across cybersecurity teams to drive timely remediation, and ensures senior executive involvement to manage risk across an agency enterprise,” wrote Jeanette Manfra, Assistant Secretary for Cybersecurity and Communications in a note accompanying the directive’s release.
The new BOD will supersede a similar directive issued in 2016.
“Based on operational insights and lessons learned, DHS is enhancing its approach to conducting these engagements to provide agencies with improved results and findings by expanding system scope, refining assessment methodologies, and using less-constrained penetration testing approaches to resemble tactics, techniques, and procedures used by advanced threat actors attempting to gain unauthorized access,” the directive read.