OMB Redefines Government's 'Crown Jewels'


A new policy memo expands the government’s guidance for protecting high-value assets to include every agency and office and broadens the definition of “value.”

The federal government has been revamping old information technology policies this fall and just released expanded requirements for protecting the most sensitive, most critical—most valuable—data and assets on government networks.

It is widely understood in cybersecurity circles that you can’t defend all things at all times. In order to make the most of a cybersecurity program, officials should give added focus to what are commonly called the “crown jewels”—the most important information and apps on the network.

In government-speak, crown jewels are known as high-value assets, a designation codified in a 2016 memo from the Office of Management and Budget as “those assets, federal information systems, information and data for which an unauthorized access, use, disclosure, disruption, modification or destruction could cause a significant impact to the United States’ national security interests, foreign relations, economy or to the public confidence, civil liberties or public health and safety of the American people.”

However, the 2016 memo and guidance only applied to the 23 civilian agencies covered under the CFO Act. The new guidance released Monday expands the requirement to all federal agencies—no matter the size or disposition—and updates references to the latest guidance for securing those assets once identified.

The guidance looks to create a unified, strategic approach to managing risk across the federal government by requiring everyone to meet the same standards. The latest release requires all agencies to designate an agency-level office or team to run point on the program, requires agency chief operating officers to coordinate and meet regularly with those teams, and requires information sharing agreements to be established with OMB, the Homeland Security Department and other agencies as needed, such as for shared assets.

The new guidance also opens the aperture for what counts as “high-value” to include assets with informational value, assets that are mission essential, or systems that are critical to the federal enterprise as a whole. While individual agencies determine which of their assets fall into these buckets, OMB and Homeland Security also have the authority to deem specific information or systems as critical to national security.

The new policy officially replaces previous memos issued in 2016 and 2017 concerning the Cybersecurity Strategy and Implementation Plan for the Federal Civilian Government, and Management of Federal High Value Assets, respectively.