A lot of rules, regulations, directives, policies and procedures are coming from the federal government these days relating to cybersecurity. Another popped up when the Department of Homeland Security (DHS) on May 25 issued what’s called a Binding Operational Directive (BOD) aimed at girding the federal government’s “high impact information systems” from cyber attackers.
A BOD is an enforceable command to federal, executive branch, departments and agencies for purposes of safeguarding federal information and information systems. It's not optional -- federal agencies have to comply with DHS-developed directives. But national security systems as defined by statute, Defense Department systems or those belonging to the Intelligence community are exempt.
The feds refer to the government’s most critical, high impact information systems as “high value assets” (HVAs). Federal agencies are required to provide their own cybersecurity (that’s part of the problem, if you haven’t noticed) but DHS helps out with operational assessment services, technical assistance and a uniform set of security tools.
DHS Cybersecurity Guidance: Recent History
In 2016, DHS issued a cybersecurity directive BOD 16-01 requiring federal agencies to take specific actions to protect their HVAs. Under the updated directive, BOD 18-02, federal agencies must supply DHS with an updated and prioritized list of their own HVAs by June 7. In addition, they must designate a point of contact to liaise with DHS.
“With the issuance of BOD 18-02, DHS introduces a more focused, integrated approach to addressing weaknesses across federal agency HVAs, facilitates ongoing collaboration across cybersecurity teams to drive timely remediation, and ensures senior executive involvement to manage risk across an agency enterprise,” said Jeanette Manfra, the chief cybersecurity official for the DHS, in a blog post.
Since the 2016 BOD, the DHS said it has identified roughly 200 “high priority vulnerabilities” through HVA assessments, including risk and vulnerability and security architecture reviews. The earlier directive required agencies to develop remediation plans specifying the timelines and mitigation actions to address certain vulnerabilities. BOD 18-02 enhances DHS’s approach by taking a wider system view, refining assessment methodologies, and using testing that better replicates the tactics, techniques, and procedures used by advanced threat actors, the directive said.
Rules and Regulations
A select number of agencies designated by the Office of Management and Budget (OMB) must authorize DHS to conduct deeper assessments around risks and vulnerability and remediate any critical weaknesses identified within 30 days of notification.
According to BOD 18-02, all federal agencies must identify and submit a point of contact responsible for coordinating the agency’s HVA assessments with DHS, and submit a current and prioritized list of HVAs. The OMB selected agencies must also participate in DHS-led assessments, commit to remediate all identified vulnerabilities and report back to DHS.