The High Value Asset (HVA) Assessment Requirement for the HACS SIN
We live in the digital era, and as the pandemic has shown, more and more aspects of life are becoming digitized. Federal entities are no exception, so it’s imperative that our federal government is protected from the threats that come with the digital age. As a result, GSA created the HACS (Highly Adaptive Cybersecurity Services) SIN, which is dedicated to preventing leaks and cyberattacks. Before an entity can obtain a HACS SIN, it must show that it is qualified to provide thorough and extensive cybersecurity services. A major part of the qualification for the HACS SIN is determined by an Assessment Evaluation and Standardization (AES) High Value Asset (HVA) assessment. Let’s dive into the HVA assessment and what it entails.
What is the High Value Asset (HVA) Assessment?
A High Value Asset (HVA) is information or an information system that is so important to your organization that its loss would impact your ability to conduct business. High Value Assets (HVAs) often contain sensitive controls or data, making them a target for cyber criminals. This is where the High Value Asset (HVA) assessment comes in.
The High Value Asset (HVA) assessment is defined and managed by the Cybersecurity and Infrastructure Security Agency (CISA), with the purpose of assessing the HVA security architecture to identify technical concerns that could put an organization at risk. The HVA assessment is run by an assessment lead, who is the primary Point of Contact for the assessment; a technical lead, who leads the technical exchange meeting and writes most of the assessment report; and finally, the operator, who leads the penetration test. The penetration test is an important part of the assessment because it includes a simulated cyber attack against your system to check for vulnerabilities.
How Does the High Value Asset (HVA) Assessment Work?
First, prospective entities must attend an orientation to ensure mutual understanding of the process. CISA presents an overview of the Assessment Evaluation and Standardization (AES) program, including the AES process, roles, and requirements for qualification. Once the orientation is completed, entities register for the courses via an email request to CISA. Registered candidates are evaluated, typically 3-4 weeks before the course begins. This helps confirm that all applicants have the baseline cybersecurity knowledge needed to be successful in the course.
The evaluation consists of an individual online test with machine-scorable questions. You must score 70% or above to pass. Preparatory materials are sent prior to the exam, and candidates are given three attempts to pass. Remember: this is just an evaluation to see if you qualify for the course. If your entity includes assessors who will be operators under the HACS SIN, they will be required to take an Operator Skills assessment in addition to the candidate evaluation, in order to test their penetration testing skills. Next, you’ll move on to the course.
The HVA Assessment Course
Once you have made it to the actual course section of the assessment, there is a little more variability. Course durations vary depending on the type of assessment, and exercises are provided based on the practice assessment. These courses are instructor-led and delivered via a collaborative platform and learning management system. CISA is hoping to have online on-demand courses available in Q2 of Fiscal Year (FY) 2022, so keep an eye out for that update.
The information you learn in the courses is tested in the capstone portion of the HVA process. The capstone is a comprehensive exam that covers all phases of the assessment and is administered at the end of the course. The format of the capstone may vary depending on the assessment. Most activities typically occur over a consecutive three-day period. Penetration tests must happen within a three-day period, but if you need more time, choose accuracy over speed. The total elapsed time may be 5-6 weeks, depending on the report review turnaround.
What Happens After You Pass the HVA Exam?
After successfully completing the capstone exam, candidates are required to perform an initial assessment. Depending on the assessment type, some assessments must be completed as part of a team. The candidate must submit an accurate and comprehensive report that meets CISA standards and methodologies.
CISA then qualifies the assessor by performing a quality check of the completed assessment report. If the report is approved, the candidate is qualified as an assessor upon its acceptance. If the report is not accepted, the candidate is required to perform remedial activities for qualification. These activities vary depending on the nature and severity of the report’s issues. The candidate must then complete another assessment and submit a successful report. The key deliverable from the HVA assessment is the final HVA Assessment Report. Once it is accepted, you have your qualification.
Responsibilities After Completing the HVA Assessment
The assessor must maintain their qualification. Because the cyber world is constantly changing and evolving, the HVA assessment must be updated to reflect the most recent technical advancements. Assessors are qualified for 3 years before they have to renew their qualification. If the methodology and guidance change significantly during the 3-year period, CISA will inform qualified assessors of these changes, and refresh activities may be necessary.
However, it is up to your company to inform AES that your three-year period is coming to an end and that you need to renew your qualification. Renewal takes the form of remedial activities that reflect current cybersecurity concerns. During this three-year period, each entity is required to conduct 3 assessments in order to renew its qualification. For small organizations where it is not possible to conduct 3 assessments, a waiver must be granted by CISA 3 months prior to the end of the qualification period. These situations are reviewed on a case-by-case basis, so make sure you are closely tracking the dates for your qualification renewal.
Do You Need Help with Your HACS SIN?
It’s crucial that you stay on top of the requirements and updates for your GSA Schedule contract, and if your contract has a HACS SIN, that means staying on top of your HVA assessment. With the world of cybersecurity ever changing and evolving, it can be difficult to keep up. To get updates and information on HVA assessments and other GSA-related news, subscribe to our weekly newsletter and blog. If you have any questions about the HACS SIN or your GSA Schedule, you can reach out to one of our consultants.