High Value Assets Assessments Key to Providing Risk-Based Defense-In-Depth

High Value Assets Assessments Key to Providing Risk-Based Defense-In-Depth


Securing Federal networks, systems, and applications demands a multi-layered approach that provides defense-in-depth to protect valuable data and information. A key step in this process is a High Value Assets (HVA) Assessment, which assesses threats and vulnerabilities including deviations from cybersecurity policy; evaluates the level of risk; and develops/recommends appropriate mitigation strategies and/or remediations in operational and non-operational situations.

The target of the HVAs are those organizational assets, information systems, information, and data for which an unauthorized access, use, disclosure, disruption, modification, or destruction could cause a significant impact to the organization. HVAs can contain sensitive controls, instructions, data used in critical business operations, or unique collections of data (by size or content), or support an organization’s mission essential functions, making them of specific value to criminal, politically motivated, or state sponsored actor for either direct exploitation or to cause a loss of confidence in the organization.

Criterion’s High Value Assets (HVA) Assessment services help organizations to strengthen their Cybersecurity & Privacy Program (CS&P) and optimize their CS&P investments. By improving asset inventories, better identifying security vulnerabilities and noncompliance with standards, and offering justified next steps for correcting, mitigating, and remediating these findings, we help our customers create a stronger, more resilient CS&P program. Furthermore, standardization and completeness of HVA policies, processes, and procedures lead to high confidence in the outcomes and efficiencies of Criterion’s HVA services. With increased context and links between HVA services and the mission/business impact, organizations will be better able to make decisions regarding CS&P investments.

HVA Benefits

There are several benefits to undertaking a High Value Asset Assessment:

  • Ensure that the organization’s most important data and systems are secure, allowing leaders to focus on innovation and choices that will support growth.
  • Improve efficiency and completeness of HVA services.
  • Increase confidence that HVAs are secure.

Criterion’s Approach

Criterion gets started by first conducting a Risk and Vulnerability Assessment (RVA) that assesses threats and vulnerabilities. It then conducts a Security Architecture Review (SAR), which evaluates a subset of the agency’s HVA security posture to determine whether the agency has properly architected its cybersecurity solutions and ensures that agency leadership fully understands the risks inherent in the implemented cybersecurity solution. Then, Systems Security Engineering (SSE) identifies security vulnerabilities and minimizes or contains risks associated with these vulnerabilities spanning the Systems Development Life Cycle (SDLC).

By definition, HVAs are tightly integrated into the enterprise’s business value chain so any assessment of HVAs must take into account the interconnectivity and interdependencies introduced by this position. By considering IT/technical as well as organizational considerations, such as personnel and budgets, Criterion’s process results in higher confidence in the efficiency and completeness of HVA services. By focusing on maturing all aspects of an organization’s cybersecurity and privacy (CS&P) program, not simply applying piecemeal improvements, businesses will have increased confidence that their HVAs are secure. Criterion’s HVA process has seven steps and supporting activities: Plan, Identify, Categorize, Prioritize, Report, Assess, and Remediate.

HVA Process: Plan, Identify, Categorize, Priorities, Report, Assess, Remediate.

Criterion’s HVA service was developed in our Cybersecurity Center of Excellence, a dedicated group of cybersecurity professionals and subject matter experts with a focus on understanding and extending industry best practices. This development and application of practical, innovative, and continuously improving cybersecurity approaches, methodologies, and technologies directly benefits our customers today and into the future, as they tap into Criterion’s specialized expertise. Adding HVA to our customers’ Focused Operations teams enables them to move beyond their current capabilities, keeping ahead of adversaries while they continually mature their systems.

Criterion’s HVA services are already being used by our Federal customers either as a stand-alone solution or combined with Criterion’s Cybersecurity Operations Center (CSOC) services. Customers can access our services via the General Services Administration (GSA) Highly Adaptive Cybersecurity Services (HACS) Special Item Number (SIN) 54151HACS.