The Office of Management and Budget (OMB) recently released updated guidance on Federal Information Security and Privacy Management Requirements M-19-02. Of particular interest and importance is Section I-IV: High Value Assets List Updates. In simple terms, it requires agencies to review and report their information crown jewels to help ensure that risk management resources are being applied to the things that matter most. This is a crucial aspect of good cybersecurity risk management that is often done poorly, when it’s done at all.
A rabbit warren of mixed guidance
If you’ve worked for the government for any length of time, you know that one of the facts of life is the seemingly endless documentation resources – most of which only cover part of what you might need to know on any given topic. Almost invariably, these documents reference one or more additional documents, which eventually, and hopefully, enable you to put together a complete picture of your area of interest.
With regard to crown jewel identification, carefully navigating the path of references takes you from M-19-02 to BOD18-02 to M-17-09 to FIPS 199 to NIST 800-60v1 and NIST 800-60v2 appendices C and D. Fortunately, these Federal Information Processing Standards (FIPS) and National Institute of Standards and Technology (NIST) documents have some remarkably useful information.
If your navigation isn’t careful enough, which was true in my initial research on this topic, you could end up at NIST SP 800-61, the NCCIC Federal Incident Notification Requirements, and other resources. Although these provide some very good information regarding other aspects of risk management, their guidance regarding crown jewels is inconsistent with FIPS 199 and NIST 800-60, and is fundamentally flawed. The severity and nature of those flaws could be an entire article of its own, so I’m not going to get into the details here.
Suffice to say that government personnel trying to identify their agency’s crown jewels may or may not end up referencing the same resources. As a result, one agency’s “crown jewels” may not be comparable with another’s. Perhaps worse yet, an agency may misidentify their own crown jewels.
It’s a good first step
Assuming that personnel avoid referencing the wrong resources, what are the odds they’ll accurately identify their agency’s crown jewels? The good news is that FIPS 199 and NIST 800-60v1 & v2 appear to be well-designed to help agencies determine at a high level whether the information they handle is likely to have low, moderate, or high loss implications for confidentiality, integrity, and availability cybersecurity scenarios. That said, a few concerns come to mind:
- Low, moderate, and high are defined only qualitatively (a “limited,” “serious,” or “severe or catastrophic” adverse effect). As is usually the case with qualitative scales, a lot is left to the imagination and biases of whoever is using the scale.
- The suggested assignments of low, moderate, and high to most information categories (e.g., information related to Foreign Affairs) generally pass an intuitive litmus test of reasonableness, but some left me wondering (e.g., information related to Intellectual Property Protection was rated low for confidentiality, integrity, and availability). There may be good reasons for those ratings, but the rationale isn’t fully fleshed out for many categories.
- They don’t distinguish between the value and liability of one record versus many records. In other words, a system containing a single sensitive record of a certain impact category isn’t explicitly recognized as different in importance from a system with many such records. Certainly, a cybersecurity professional might intuitively recognize that a difference exists, but without guidance on where or how to draw the line there will undoubtedly be significant inconsistencies in how crown jewels are identified. Given the risk-averse nature of most cybersecurity professionals, it’s easy to imagine that many low-volume systems would be rated equal to high-volume systems, “just to be safe.”
- Significant latitude appears to be given to agency management to vary from the suggested impact levels. For example, the NIST reference might say that, given an agency’s mission type, sensitivity to integrity loss is low, but an executive can choose to categorize their information at a higher level. Why would an executive do this? Well, if resource allocations are tied to information sensitivity categories, and if they don’t want their cybersecurity budget cut… Yes, there is supposedly a review stage in the process, but the question is how closely exceptions are scrutinized given limited review resources.
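To make the first three concerns concrete, here is an added example (mine, not code from the post, OMB, or NIST) of the FIPS 199 categorization mechanics as SP 800-60 lays them out: each information type a system handles gets a provisional low/moderate/high level for confidentiality, integrity, and availability; the system’s level for each objective is the high-water mark across its information types; and management may adjust a level with a documented rationale. The information types, their provisional levels, and the record counts are constructed for illustration and are not taken from the SP 800-60 tables. Note that the record counts are carried along but never consulted by the categorization, which is exactly the gap the third bullet describes.

```python
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so max() gives the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed sample: information types handled by a hypothetical system.
# Tuples are (C, I, A) provisional levels; counts are illustrative record volumes.
# These values are made up for the example, not copied from SP 800-60 Vol. 2.
SAMPLE_INFO_TYPES = {
    "Case management records": {"levels": (Impact.MODERATE, Impact.MODERATE, Impact.LOW), "records": 250_000},
    "Public web content":      {"levels": (Impact.LOW, Impact.MODERATE, Impact.LOW), "records": 1_200},
    "Investigation files":     {"levels": (Impact.HIGH, Impact.MODERATE, Impact.MODERATE), "records": 1},
}


def categorize_system(info_types):
    """FIPS 199 high-water mark: for each objective, take the maximum provisional
    level across all information types. Record volume is deliberately not a factor,
    because the standard gives it none."""
    return {
        objective: max(entry["levels"][i] for entry in info_types.values())
        for i, objective in enumerate(OBJECTIVES)
    }


def apply_adjustments(category, adjustments):
    """SP 800-60 lets the agency raise or lower a provisional level, but each change
    must carry a documented rationale. An undocumented change is rejected rather
    than silently applied. `adjustments` maps objective -> (Impact, rationale)."""
    adjusted = dict(category)
    for objective, (level, rationale) in adjustments.items():
        if objective not in OBJECTIVES:
            raise ValueError(f"unknown objective: {objective}")
        if not rationale or not rationale.strip():
            raise ValueError(f"adjustment to {objective} has no documented rationale")
        adjusted[objective] = Impact(level)
    return adjusted


def overall_impact(category):
    """The system's overall level is the highest level across the three objectives."""
    return max(category.values())


def format_sc(category):
    """Render in the FIPS 199 'SC = {...}' notation used in system security plans."""
    parts = ", ".join(f"({obj}, {category[obj].name})" for obj in OBJECTIVES)
    return "SC = {" + parts + "}"


def total_records(info_types):
    """Volume is visible to the analyst even though the categorization ignores it."""
    return sum(entry["records"] for entry in info_types.values())


if __name__ == "__main__":
    provisional = categorize_system(SAMPLE_INFO_TYPES)
    print("Provisional:", format_sc(provisional), "overall", overall_impact(provisional).name)
    print("Records in scope:", total_records(SAMPLE_INFO_TYPES))
    # Management raises availability with a rationale; the high-water mark absorbs it.
    final = apply_adjustments(
        provisional,
        {"availability": (Impact.HIGH, "Case management outage halts statutory deadlines")},
    )
    print("Adjusted:   ", format_sc(final), "overall", overall_impact(final).name)
```

Running it shows the single "Investigation files" record driving confidentiality to HIGH for the whole system, which is the page’s point: the method is sound for a first pass, but it cannot tell a one-record system from a quarter-million-record one, and an adjustment with any non-empty rationale is accepted as written.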
The bottom line…
If the government wants to succeed at cost-effectively allocating attention and resources to protecting our most critical information assets, a couple of things need to happen:
- It needs to provide clear guidance on how to identify crown jewels, and
- Once the crown jewels are identified, it needs to leverage an effective risk analysis model to understand the true significance of any control shortfalls and their remediation options.
Despite the concerns I outlined, the current resources (the right ones) represent a decent starting point for identifying crown jewels. The second step can be fulfilled by having qualified personnel use a well-established, non-proprietary risk analysis model like Factor Analysis of Information Risk (FAIR). The question of what makes someone “qualified” to do risk analysis will be the topic of a future article.