Cybersecurity & Infrastructure Security Agency
America's Cyber Defense Agency
Binding Operational Directive 16-01 (Revoked)

June 09, 2016

SECURING HIGH VALUE ASSETS

This directive has been revoked. It is superseded by BOD 18-02.

This page contains a web-friendly version of the Department of Homeland Security’s Binding Operational Directive 16-01, “Securing High Value Assets”.

A binding operational directive is a compulsory direction to federal executive branch departments and agencies for the purpose of safeguarding federal information and information systems.

The Department of Homeland Security (DHS) develops and oversees the implementation of binding operational directives pursuant to the Federal Information Security Modernization Act of 2014.

Federal agencies are required to comply with DHS-developed directives.

DHS binding operational directives do not apply to statutorily defined “National Security Systems” nor to certain systems operated by the Department of Defense or the Intelligence Community. 44 U.S.C. § 3553(d)-(e).

Background

Across the federal government, agencies operate high value assets that contain sensitive information or support critical government services. The President’s Cybersecurity National Action Plan directs all agencies to improve the security of their high value assets. DHS will help agencies identify vulnerabilities in their high value assets and implement targeted security measures to mitigate those vulnerabilities.

Required Actions

Agencies receiving this Binding Operational Directive shall take the following two actions:

  1. Identify and Submit a Lead Point of Contact
    • Identify a lead point of contact who will be responsible for coordinating the agency’s high value asset assessments with DHS.[2]
    • Submit the name, email address(es), and phone number of your agency’s lead point of contact as identified above to FNR.BOD@hq.dhs.gov within seven days from the issuance of this binding operational directive.
    • Submission of the same information for at least one backup point of contact is encouraged.
  2. Participate in Assessments, Mitigation, Remediation Activities
    • Sign a DHS-provided rules of engagement authorizing DHS to conduct risk and vulnerability assessments on agency high value assets.[3]
    • Prior to an assessment authorized by the rules of engagement, begin to implement the mitigation measures listed in Appendix A for agency high value assets.
    • Participate in the high value asset assessments authorized by the rules of engagement.
    • If requested by DHS, participate in a security architecture assessment for select high value assets.
    • Mitigate the high-priority vulnerabilities identified by DHS in the high value asset final assessment report within 30 days of receipt of the report or determine that mitigation is not feasible within that timeframe.
    • Report the status of each high-priority vulnerability to the DHS email address below within 30 days of receiving the high value asset final assessment report. The status report must state that the vulnerability has been mitigated or explain the constraints preventing mitigation within 30 days and the steps that the agency is implementing to progress toward mitigation.
    • Provide additional status updates every 30 days until all high-priority vulnerabilities have been addressed.

Progress Tracking

If an agency does not comply with the requirements of this Binding Operational Directive, DHS will follow up with each Deputy Secretary or equivalent, as appropriate.

High Value Asset Mitigation Measures

Agencies are required to implement the following security activities at each high value asset identified for assessment by DHS. During each high value asset assessment, DHS will validate whether these activities and any related protections have been appropriately implemented and will provide the agency with a report on the extent to which they have been implemented.

  1. Ensure Secure Configuration Management
    • High value assets must adhere to secure configuration settings as defined by the United States Government Configuration Baseline (USGCB).
      • If there is a mission need to deviate from the configuration baseline, that change must be documented and a mitigating control applied.
      • Any such documentation and mitigation must be approved by the Agency CIO or appropriately designated official.
  2. Increase/Enhance Phishing Awareness Training and Testing
    • Agencies must conduct a phishing test on personnel with privileged access to high value assets prior to the DHS assessment.
  3. Implement Strict Access Controls
    Agencies must:
    • limit the number of personnel with privileged access to high value assets.
    • limit user privileges to those necessary for the performance of job duties so that users have role-based access to only the information and resources that are necessary for a legitimate purpose.
    • ensure that all users with privileged access to high value assets are required to use multi-factor authentication for that privileged access.
    • ensure that all privileged-user activities with high value assets are tracked and logged to detect misuse and to help reduce the risk from insider threats or the risk posed by malicious actors using stolen credentials.
  4. Perform Routine Vulnerability Scanning and Remediation
    • Agencies must perform credentialed vulnerability scans of high value assets to identify and rapidly patch security vulnerabilities.
  5. Improve Network Segmentation
    • Agencies must limit network connections to and from high value assets and validate those connections using appropriate boundary defense and access control protections.

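Measures 3 and 5 state what must be enforced for privileged access to a high value asset but not what checking a log for it looks like. The following is an added example, not part of the directive and not DHS or agency code: it audits a constructed set of authentication log lines for successful privileged logins to HVA hosts that lack multi-factor authentication, arrive from outside an approved management network, or use an account that is not on the privileged-user roster, and it counts lines the parser cannot read as a logging gap to investigate. The log line format, host names, account names and management subnet are all assumptions made for the example.

```python
"""
Audit constructed authentication log lines for privileged access to high
value assets (HVAs): privileged logins must use MFA, must come from an
approved management network, and must come from an account on the approved
privileged-user roster. Lines the parser cannot read are counted as a
logging gap rather than silently dropped.

Everything here is constructed for illustration. The log format, host
names, accounts and subnet are assumptions, not a DHS or agency format.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed inventory (constructed for the example).
HVA_HOSTS = {"hva-db-01", "hva-app-01"}
APPROVED_PRIVILEGED_USERS = {"alice.admin", "bob.dba"}
MANAGEMENT_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]

# Assumed syslog-style line, e.g.
# 2016-06-10T14:02:11Z hva-db-01 auth: user=alice.admin src=10.20.0.15 priv=yes mfa=yes result=success
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) src=(?P<src>\S+) "
    r"priv=(?P<priv>yes|no) mfa=(?P<mfa>yes|no) result=(?P<result>success|failure)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    user: str
    src: str
    reason: str


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match the assumed format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def in_management_network(src):
    """True if src is an IP address inside an approved management network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in MANAGEMENT_NETWORKS)


def audit(lines):
    """Return (findings, privileged_accounts_seen, unparsed_line_count).

    Only successful privileged logins to HVA hosts are checked; failures and
    non-HVA hosts are ignored here (a real deployment would also alert on
    repeated failures against an HVA).
    """
    findings, seen, unparsed = [], set(), 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed += 1  # logging gap: an HVA event the format cannot express
            continue
        if ev["host"] not in HVA_HOSTS or ev["priv"] != "yes" or ev["result"] != "success":
            continue
        seen.add(ev["user"])  # supports the "limit the number of privileged users" check
        where = (ev["ts"], ev["host"], ev["user"], ev["src"])
        if ev["mfa"] != "yes":
            findings.append(Finding(*where, "privileged login without MFA"))
        if not in_management_network(ev["src"]):
            findings.append(Finding(*where, "privileged login from outside management network"))
        if ev["user"] not in APPROVED_PRIVILEGED_USERS:
            findings.append(Finding(*where, "privileged account not on approved roster"))
    return findings, seen, unparsed


# Constructed sample log lines exercising each check (not real data).
SAMPLE_LOG = [
    "2016-06-10T14:02:11Z hva-db-01 auth: user=alice.admin src=10.20.0.15 priv=yes mfa=yes result=success",
    "2016-06-10T14:05:40Z hva-db-01 auth: user=bob.dba src=10.20.0.22 priv=yes mfa=no result=success",
    "2016-06-10T14:09:03Z hva-app-01 auth: user=alice.admin src=198.51.100.7 priv=yes mfa=yes result=success",
    "2016-06-10T14:11:58Z hva-app-01 auth: user=svc-backup src=10.20.0.9 priv=yes mfa=yes result=success",
    "2016-06-10T14:15:21Z hva-app-01 auth: user=carol src=10.20.0.30 priv=no mfa=no result=success",
    "2016-06-10T14:17:44Z workstation-77 auth: user=alice.admin src=10.20.0.15 priv=yes mfa=no result=success",
    "2016-06-10T14:20:02Z hva-db-01 auth: user=mallory src=203.0.113.4 priv=yes mfa=no result=failure",
    "2016-06-10T14:21:00Z hva-db-01 sshd: Accepted publickey for root",
]

if __name__ == "__main__":
    findings, seen, unparsed = audit(SAMPLE_LOG)
    for f in findings:
        print(f"{f.ts} {f.host} {f.user} from {f.src}: {f.reason}")
    print(f"privileged accounts observed on HVAs: {sorted(seen)}")
    print(f"unparsed lines (logging gap to investigate): {unparsed}")
```

Run against the sample, the audit reports three findings (a privileged login without MFA, one from outside the management network, and one by an account not on the roster), three distinct privileged accounts seen on HVA hosts, and one unparsed line. The unparsed count matters as much as the findings: a privileged action an HVA logs in a format the collector cannot read is exactly the gap measure 3 is meant to close.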
Footnotes

  1. This Binding Operational Directive aligns with and furthers the execution of the Office of Management and Budget’s Cybersecurity Sprint Implementation Plan (CSIP), as restated in OMB Memorandum 16-03, which required agencies to “[i]mmediately identify agency specific [high value assets] and assess the security protections around those high value assets.”

    NOTE: M-16-03 has been rescinded by M-18-02. 

  2. To ensure that the designated point of contact is able to exchange necessary information with DHS, the individual should have appropriate clearances. 

  3. DHS will identify to each agency the high value assets to be assessed under this Binding Operational Directive. 

  4. When agencies implement these activities, DHS’s assessment can focus on more complex technical issues that will maximize the utility of the assessments. 
