In cybersecurity, not all assets are created equal. Some systems and data are so vital to a government’s mission that their compromise could result in severe disruption, financial loss, or public harm. These are known as high-value assets (HVAs)—the crown jewels of your organization’s digital infrastructure.
According to the Cybersecurity and Infrastructure Security Agency (CISA), HVAs are “information or an information system that is so critical to an organization that the loss or corruption of this information, or loss of access to the system, would have serious impact on the organization’s ability to perform its mission or conduct business.” For state and local governments, protecting HVAs is not optional—it’s foundational.
Step 1: Identifying and Assessing High-Value Assets
Before you can protect HVAs, you must know what they are. This begins with a thorough organizational assessment to identify systems and data that are mission-critical. Once identified, conduct a comprehensive risk assessment to evaluate vulnerabilities, dependencies, and potential impact.
Step 2: Patch Management
Unpatched systems are one of the most common entry points for attackers. While scheduling maintenance windows can be challenging, timely patching is essential to reduce exposure to known vulnerabilities. Prioritize HVAs in your patching schedule and automate where possible.
Step 3: Malware Defense and Anti-Phishing
Deploy automated tools to detect and neutralize malware. Phishing remains a top threat vector—especially for systems that store sensitive data. Implement email filtering, sandboxing, and user training to reduce the risk of infection.
Step 4: Access Control
Limit access to HVAs based on job roles. Avoid shared administrative accounts and enforce logging and monitoring of all key security events. Regular audits help ensure that access privileges remain appropriate and that remote access is tightly controlled.
Step 5: Authentication
Multi-factor authentication (MFA) is a must for all users accessing HVAs. It adds a critical layer of protection against unauthorized access and credential theft. Ensure MFA is enforced across all access points, including remote and mobile connections.
Step 6: Network Segmentation
Segment networks to isolate HVAs from less secure systems. This limits lateral movement in the event of a breach. Define zones with specific rules and restrictions, and monitor traffic between zones to detect anomalies.
Step 7: Employee Education
Human error is a leading cause of cybersecurity incidents. Train staff to recognize phishing attempts, avoid risky behaviors, and follow security protocols. Use awareness campaigns, simulations, and role-specific training to reinforce best practices.
CISA’s Recommended Actions for HVA Protection
CISA outlines five key actions to help organizations secure HVAs:
- Establish an Organization-Wide HVA Governance Program
Make HVA protection a strategic priority across departments. - Identify and Prioritize HVAs
Focus resources on the most critical systems. - Consider Interconnectivity and Dependencies
Understand how systems interact and rely on one another. - Develop a Methodology for Prioritizing HVAs
Use mission impact to guide protection efforts. - Develop an Assessment Approach for HVAs
Determine how often to assess and whether to use internal or external evaluators.
Protecting mission-critical assets requires more than technical controls—it demands strategic oversight, cross-functional collaboration, and continuous improvement. By identifying HVAs, implementing layered defenses, and following CISA’s guidance, state and local governments can reduce risk and ensure continuity of operations.
Local Government Cybersecurity Alliance 