Federal agencies slow to adopt two factor authentication, says White House annual report
The majority of Federal employees are able to access Federal computer systems with nothing more than a username and password, despite President George W. Bush ordering Federal agencies to secure their information systems with strong authentication technologies more than a decade ago, according to a report by Govtech Works.
Only half of the largest Federal agencies — including General Services Administration (GSA), the Labor and Treasury departments, the Small Business Administration (SBA), National Science Foundation (NSF), and the Nuclear Regulatory Commission (NRC) — have deployed strong authentication methods across 95 percent of privileged users, according to the White House annual report to Congress on the Federal Information Security Management Act (FISMA).
President George W. Bush initially signed the Homeland Security Presidential Directive 12 in 2004, which mandated a national standard for secure government identification cards.
In 2006, the National Institute for Standards and Technology (NIST) published Federal Information Processing Standard 201, “Personal Identity Verification of Federal Employees and Contractors,” and has since revised the standards on two separate occasions.
There are currently more than 5.3 million Federal government Personal Identity Verification (PIV) cards in circulation, while the Defense Department offers a similar smart card program called Common Access Cards (CAC).
Both cards are integrated with a computer chip which stores identifying data that is fully encrypted.
The Pentagon has already achieved universal CAC compliance. Meanwhile, most Federal agencies are using the PIV card as an ID and card key for building access, but not yet as a network control device.
Hildegard Ferraiolo, PIV program lead and a computer scientist at NIST, said that while she is disappointed that agencies are not using the cards as a network control device, the Office of Personnel Management’s massive security breach last spring has encouraged many agencies to actively use the cards.
“Due to the recent cybersecurity attacks and threats, there really is a push to get the departments and agencies to use the PIV card to do user authentication,” said Ferraiolo.
OPM aims to secure its systems via two-factor authentication, with a goal to ensure that 100 percent of its PIV-enabled users are using multifactor authentication by the end of 2017.
Agency officials are also looking into other two-step authentication solutions for part-time users and subcontractors.
There are three main reasons why Federal agencies have been slow to adopt two factor authentication systems, including a need to update outdated infrastructure, the use of mobile devices, and a high job turnover and part-time workers, resulting in many employees not being eligible for a PIV card.
Increasing the adoption rate could be a matter of instilling in non-IT managers the importance of two-factor authentication to improve security, according to the White House annual report to Congress on FISMA.
Previously reported, a Department of Homeland Security official said federal personnel will soon be required to use a three-factor authentication method that includes a smartcard, a password and their fingerprints before logging onto computers.