Case Study

Managing a federal agency's high-value asset cybersecurity risks

Successful risk assessment and management enhance data protection, OMB compliance, and continuity of mission-critical operations.

Challenge

A U.S. federal agency lacked complete visibility of the cyber risk landscape threatening its high-value assets (HVAs). Asset ownership and associated funding were distributed across the agency, making consistent risk identification, remediation prioritization, and reporting complex.

The agency needed support with creating and managing a comprehensive cybersecurity risk management strategy and program. Both would have to comply with the Office of Management and Budget’s (OMB) HVA Initiative—designed to help agencies protect their most critical assets and avoid breaches that could compromise data security and disrupt mission-essential functions.

Agency leaders turned to Guidehouse for our proven expertise in developing successful cyber strategies, serving as HVA assessors qualified by the Cybersecurity and Infrastructure Security Agency (CISA), and operationalizing compliant programs.

 

Approach

As experts on those compliance requirements—including categorical definitions, prioritization schema, and methodologies for identifying, prioritizing, and assessing HVAs—we provided cybersecurity and programmatic assistance. Our approach for developing the new program included two main elements: HVA identification and assessment. 

Identifying HVAs: Following CISA’s methodology, we helped rapidly identify and categorize agency HVAs. Our recommendations enabled the agency to streamline stakeholder engagements, reduce steps, and shorten HVA identification time while improving accuracy in future efforts.

Assessing HVAs: To identify specific cybersecurity risks and vulnerabilities for each non-tier 1 HVA, we provided information collection support. We then recommended remediation strategies and created an agency-wide dashboard that enabled:

  • Better understanding of risks to make more informed decisions
  • Access to asset ownership, information about dependencies, and other remediation-related details
  • Adoption and prioritization of remediation efforts
  • Progress tracking and assessment

 

Impact

Through this process, we helped the agency:

  • Meet OMB compliance requirements and better manage HVA cybersecurity risks
  • Address and remediate multiple critical cybersecurity risks discovered during our assessments—some within the first 20 days
  • Gain the visibility needed to streamline HVA cyber risk remediation and accelerate security improvements using our dashboard and scorecard
  • Clear its backlog and implement a continuous improvement program to boost efficiency
  • Complete all planned assessments for the fiscal year
  • Create HVA system profiles to better track and analyze risks, vulnerabilities, and cybersecurity risk trends
  • Develop common solutions that could be implemented where needed across the agency

 

