Binding Operational Directive 16-01

June 9, 2016

Securing High Value Assets

This directive has been revoked. It is superseded by BOD 18-02.

This page contains a web-friendly version of the Department of Homeland Security’s Binding Operational Directive 16-01, “Securing High Value Assets”.

A binding operational directive is a compulsory direction to federal, executive branch, departments and agencies for purposes of safeguarding federal information and information systems.

The Department of Homeland Security (DHS) develops and oversees the implementation of binding operational directives pursuant to the Federal Information Security Modernization Act of 2014.

Federal agencies are required to comply with DHS-developed directives.

DHS binding operational directives do not apply to statutorily defined “National Security Systems” nor to certain systems operated by the Department of Defense or the Intelligence Community. Id. § 3553(d)-(e).

Background

Across the federal government, agencies operate high value assets that contain sensitive information or support critical government services. The President’s Cybersecurity National Action Plan directs all agencies to improve the security of their high value assets. DHS will help agencies identify vulnerabilities in their high value assets and implement targeted security measures to mitigate those vulnerabilities.[1]

Required Actions

Agencies receiving this Binding Operational Directive shall take the following two actions:

1. Identify and Submit a Lead Point of Contact

2. Participate in Assessments, Mitigation, Remediation Activities

Progress Tracking

Appendix A: High Value Asset Mitigation Measures

Agencies are required to implement the following security activities at each high value asset identified for assessment by DHS.[4] DHS will validate whether these activities and any related protections have been appropriately implemented during each high value asset assessment and will provide the agency with a report on the extent of sufficient implementation.

1) Ensure Secure Configuration Management

2) Increase/Enhance Phishing Awareness Training and Testing

3) Implement Strict Access Controls Agencies must:

4) Perform Routine Vulnerability Scanning and Remediation

5) Improve Network Segmentation

Footnotes

  1. This Binding Operational Directive aligns with and furthers the execution of the Office of Management and Budget’s Cybersecurity Sprint Implementation Plan (CSIP), as restated in OMB Memorandum 16-03, which required agencies to “[i]mmediately identify agency specific [high value assets] and assess the security protections around those high value assets.”

    NOTE: M-16-03 has been rescinded by M-18-02

  2. To ensure that the designated point of contact is able to exchange necessary information with DHS, the individual should have appropriate clearances. 

  3. DHS will identify to each agency the high value assets to be assessed under this Binding Operational Directive. 

  4. When agencies implement these activities, DHS’s assessment can focus on more complex technical issues that will maximize the utility of the assessments.