The Defense Department has long used the Common Access Card to verify identity. However, civilian agency adoption was nearly nonexistent before 2011, according to federal documents. (DoD)
Another day, another massive security breach: The online theft of usernames, passwords and personally identifiable information is now so common many people barely think twice about it. But when it’s the federal government that’s been hacked, the situation takes on a different urgency.
Central to the debate over how to better secure federal networks is the use of passwords, often cited as the weakest link in the chain. Most experts agree it is time to move to tighter security, but questions surround what the best option is and how to implement changes at the enterprise level.
Plenty of directives now mandate improved identity management measures, including the use of multifactor authentication to ensure user identities. Feds can expect to see more of that in the near future amid increasing focus on the intersection between people and technology.
Homeland Security Presidential Directive-12, the National Strategy for Trusted Identities in Cyberspace, the Federal Risk and Authorization Management Program, the Homeland Security Department’s continuous diagnostic monitoring program and guidance from the National Institute of Standards and Technology (NIST) are among several government initiatives that contain some element addressing authentication and identity management. The introduction of Performance.gov’s cross-agency priority goals — and subsequent close eye on adoption and implementation — are further cementing federal efforts to move beyond the password.
Much of the latest focus is on further development of personal identity verification, or PIV, cards. PIV cards aren’t new to federal agencies, but their emergence as a prime candidate in implementing multifactor authentication is heightening emphasis on greater use. For one, many agencies already have them, so it’s not a huge stretch — financially, culturally or otherwise — to combine PIV cards with another form factor.
Beyond ease of use, Office of Management and Budget requirements for agencies to reach 95-percent implementation of White House cybersecurity priorities by the end of this fiscal year mean the heat is on for federal agencies. Strong authentication, as one of the three OMB cybersecurity-focused cross-agency priorities, now faces more scrutiny than ever; according to federal documents, civilian government adoption of PIV was nearly nonexistent before 2011, despite being mandated under HSPD-12 since 2004. That attention will increase by fiscal 2015, when OMB rolls out PIV-specific metrics for performance, implementation and maturity.
“With programs like HSPD-12, FedRAMP, continuous diagnostic monitoring — these are in fact all connected around the identity access management issue, and they’re all connected through the PIV issue,” said Ken Ammon, chief strategy officer at Xceedium. “If you look at each program office individually, you often see some absence of a specific mention of PIV and [the Common Access Card, widely used by the Defense Department]. But those dots are starting to be connected now.”
Further guidance will come when NIST releases an update to Federal Information Processing Standard Publication 201, or FIPS 201, which mandates PIV usage in the federal government. NIST officials say an update is expected next month.
“What we’ve done is taken some of the technologies referenced in some of the associated special publications, and now that they’ve been implemented and commercial technologies have become more mature, we’ve moved them into the PIV-specific area,” said Matt Scholl, NIST acting computer security division chief. “Some other changes include looking at use of that [PIV token] hard credential and how we integrate that with technologies we use today — how does it integrate with mobile devices and those types of things? So those are the two big changes.”
Other technologies the FIPS 201 update will look at include uses that don’t involve the traditional practice of inserting PIV tokens into machines, such as near-field communications that only require brief contact, Scholl added.
But as NIST looks to new technologies for integrating PIV, many federal agencies are dealing with the old technologies that may be holding them back. The costs and other barriers associated with integrating new authentication technology into legacy systems and infrastructure are a real concern for agencies as they struggle with shrinking budgets and regulatory pressures.
“Ensuring a smooth and usable transition for the experience of the users is an extraordinarily important issue,” Scholl said. “The U.S. government is not just legacy systems, but many custom-built systems, because we have a lot of very specific and unique missions that commercial industry might not have. So all of those things are issues that have to be considered when people look at transitioning to newer technologies and how to integrate them into the extraordinarily large enterprise.”
With mandates bearing down on agencies at the same time that they’re wrestling with budgets and older existing technology, decision-makers face tough choices in avoiding the next major security breach at their own organization.
“They’re dealing with massive existing infrastructure relying on specific methodology, and changing that is not easy, not cheap and not trivial,” said Kayvan Alikhani, senior director of technology at RSA. “I advocate biting the bullet, making the change, eating the cost and going forward. This is a more aggressive view, but as we deal with compromises, it becomes clearer how much these vulnerabilities are hurting us. Accelerating directives and putting more emphasis makes more sense … but, unfortunately, this problem is one where people care more when the compromise occurs. Too often, it’s a reactive response.”
But there’s hope yet for the federal government, Alikhani pointed out, noting that in the past it’s been government, rather than industry, leading these types of changes.
“A lot of innovation has come from the military and federal government with regard to credentials. I think we will see efforts, in some cases led by the federal government, showing that users can switch to an alternative method at a large scale much earlier than other large sectors, because you’re dealing with a controlled environment,” Alikhani said. “Once people see the convenience and the opportunity to protect large quantities of [personally identifiable information] data using alternative techniques, I think it’ll become less controversial and less of a behavioral change for users.”