High Value Asset Program Management Office
The Federal High Value Asset (HVA) Program Management Office (PMO) plans, prioritizes, and coordinates the delivery of CISA-led HVA assessments to provide an unbiased review of the HVAs' cybersecurity posture across the Federal HVA Enterprise (FHE). Results of these assessments inform risk management decisions at an agency level to enhance the cybersecurity of the FHE across the Federal government. The HVA PMO connects the authorities of the Office of Management and Budget (OMB) and CISA to identify the most valuable systems and harmonize a Federal Civilian Government-wide approach to protect HVA system functions and the information they contain.
To maintain shared situational awareness of the Federal Civilian Executive Branch (FCEB) risk posture, CISA has established an assessment frequency for HVA systems. CISA categorizes HVA systems into Tier 1 and Non-Tier 1 based on criticality and establishes the assessment and frequency requirements listed in Table 1.
- Tier 1 HVAs represent systems of critical impact to both the agency and the nation.
- Non-Tier 1 HVAs represent systems of significant impact to both the agency and the nation.
|Assessment|Applicability|Tier 1 Minimum Requirements|Non-Tier 1 Minimum Requirements|
|---|---|---|---|
|HVA Assessment|Each HVA|CISA-Led once every 3 years|Assessment Evaluation and Standardization (AES) Qualified Assessor once every 3 years|
|Validated Architecture Design Review (VADR)|Optional - Each HVA that includes operational technology components including SCADA systems|CISA-Led available by agency request|CISA-Led available by agency request|
In addition, agencies are encouraged to conduct supplemental assessments of their Tier 1 and Non-Tier 1 HVAs, as listed in Table 2, to further enhance protections of these HVA systems.
|Cyber Resiliency Review (CRR)|All agencies and sub-components that maintain HVAs|
|Red Team Assessment (RTA)|Agency or sub-component level assessment|