New White House ID security directive for federal agencies comes as audits find access controls lacking
All US federal agencies must be able to identify, credential, monitor, and manage user access to information and information systems across their entire enterprise to ensure secure and efficient operations pursuant to the proposed new White House directive, Strengthening the Cybersecurity of Federal Agencies through Improved Identity, Credential, and Access Management.
Published in the Federal Register by the Office of Management and Budget (OMB), the proposed directive broadly delineates agency responsibilities, but doesn’t set forth specific deadlines. Comments can be submitted on the GitHub website for the draft policy, or by emailing the Office of the Federal Chief Information Officer.
The directive orders “federal agencies to strengthen and update their identity verification policies in order to try to prevent criminal or nation-state-backed hackers from gaining access to networks using information found online.”
But it is also designed to strengthen access controls against insider threats.
The OMB issued the new policy to address federal agencies’ implementation of Identity, Credential, and Access Management (ICAM) – “the security disciplines that enable the right individual to access the right resource, at the right time, for the right reason.”
The new order comes on the heels of federal audits which discovered a multitude of access control security weaknesses at federal agencies.
The new White House policy directive emphasized that “it is increasingly important that all agencies adopt identity validation solutions that enhance privacy and mitigate negative impacts to delivery of digital services and maintenance of online trust,” and it “is also essential that agencies’ Identity, Credential, and Access Management (ICAM) strategies and solutions are informed by risk perspectives and driven by targeted outcomes.”
The directive “sets forth the ICAM policy, providing agencies with guidance to strengthen the security of information and information systems,” specifically for the following three areas:
• Implementation of effective ICAM governance;
• Modernization of agency ICAM capabilities; and
• Agency adoption of ICAM shared solutions and services
The directive further outlined government-wide ICAM responsibilities, and updated previous requirements in areas such as multi-factor authentication, encryption, digital signatures, acquisition, and interoperability.
Establishing effective ICAM governance “is an important part of the federal government’s continual efforts to promote robust cybersecurity” to “ensure effective governance.” All federal agencies must “leverage the approaches and principles of National Institute of Standards and Technology (NIST)” special publication, Digital Identity Guidelines, and also to “continue to follow Homeland Security Presidential Directive 12 [HSPD-12] requirements pertaining to the identity verification and credentialing of federal employees and contractors.”
With regard to credentialing, federal employees and contractors who require long-term access to federally-controlled facilities or federal information systems fall under the scope of HSPD-12, and shall be issued a PIV credential in accordance with relevant policy, standards, and guidelines. Agencies should refer to OMB M-05-24 for additional HSPD-12 applicability requirements.
The directive said, “Agencies should support the use of Derived PIV Credentials for federal employees, contractors and other users, and enable applications on mobile devices to accept them. As Derived PIV Credential service offerings are approved in accordance with the established Federal Information Processing Standard Publication 201 requirements, the General Services Administration’s Approved Products List shall include these solutions for agency use.”
For non-US national employees and contractors who require long-term access to federally-controlled facilities or federal information systems, “but are unable to complete the standard background investigation requirements, agencies shall follow the alternative credentialing standards outlined in Office of Personnel Management (OPM) policy 22. In addition, persons shall meet eligibility requirements based upon the background checks and other requirements specified in OPM Credentialing Standards. Before the alternative identity credential may be issued, the agency must adhere to the vetting requirements outlined in OPM policy.”
Further, “Applicability of HSPD-12 requirements to other agency specific categories of individuals (e.g., short-term (i.e., less than 6 months) guest researchers; volunteers; or intermittent, temporary or seasonal employees) is an agency risk-based decision. Background investigations and identity proofing of these individuals shall follow OPM and NIST standards. To ensure interoperability and reduce costs, it is recommended that credentials issued to these individuals leverage the PIV infrastructure.”
As for interoperability, reciprocity, and revocation of credentials, “Agencies shall implement processes to determine if an employee or contractor already possesses a valid PIV credential and leverage the existing, valid PIV credential rather than issuing a separate one, where feasible. Agency processes shall accept and electronically verify PIV credentials issued by other agencies. This is equally applicable for local and physical access where another agency’s employee has been provisioned access. Agencies shall also implement processes to revoke or destroy credentials in a timely manner to prevent instances of unauthorized access when the credential has been compromised, the employee or contractor has been terminated, or the credential is lost.”
Recent government audits found a number of serious insider breaches at the Federal Deposit Insurance Corporation (FDIC), as earlier reported by Biometric Update. One included a former “employee” who “copied highly confidential components of three sensitive resolution plans onto an unencrypted Universal Serial Bus storage device and took the information upon abruptly resigning.”
A recent Government Accountability Office (GAO) audit of Federal Reserve Banks’ (FRBs) Information System Controls “identified new deficiencies in information system controls that, along with unresolved control deficiencies from prior audits collectively represent a significant deficiency.”
“These new and continuing information system control deficiencies increase the risk of unauthorized access to, modification of, or disclosure of sensitive data and programs,” GAO reported.
GAO said it also “identified deficiencies in information system controls over key financial systems maintained and operated by Federal Reserve Banks on behalf of [the Department of] Treasury that are relevant to the Schedule of Federal Debt … these control deficiencies increase the risk of unauthorized access to, modification of, or disclosure of sensitive data and programs, and therefore warrant the attention and action of management.”
“Significant deficiencies” in internal control means “the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis,” GAO explained.
GAO said the “new access control deficiency we identified during fiscal year 2017 related to logical access controls,” explaining that, “Effectively designed and implemented logical access controls require users to authenticate themselves through the use of passwords or other identifiers, and limit the files and other resources that authenticated users can access and the actions that they can execute based on a valid need that is determined by assigned official duties.”
In commenting on a draft of GAO’s separately issued, “Limited Official Use Only,” report, the Board of Governors of the Federal Reserve System “stated that the agency takes control deficiencies seriously and that FRB management is currently in the process of addressing the new and continuing information system general control deficiencies” GAO first identified during its fiscal year 2017 audit.
GAO said an effective information system “limits access or detects inappropriate access to computer resources, such as data, programs, equipment, and facilities, thereby protecting them from unauthorized modification, loss, or disclosure (access controls); provides reasonable assurance that systems are securely configured and operated as intended (configuration management); includes policies, procedures, and an organizational structure to manage who can control key aspects of computer-related operations (segregation of duties); and protects critical and sensitive data, and provides for critical operations to continue without disruption or be promptly resumed when unexpected events occur (contingency planning).”
Meanwhile, another recent GAO audit report stated that the Centers for Medicare and Medicaid Services (CMS), which shares Medicare beneficiary data with Medicare Administrative Contractors (MACs) that perform processing and distribution functions supporting payment of Medicare benefits, as well as with research organizations that use Medicare beneficiary data to study how health care services are provided to beneficiaries, “has developed guidance for MACs and qualified entities,” but “has not developed equivalent guidance for researchers.”
“Researchers must [also] adhere to broad government-wide standards, but are not given guidance on which specific controls to implement,” GAO found. “According to CMS, the lack of specific guidance gives the researchers more flexibility to independently assess their security risks and determine which controls are appropriate to implement; however, without providing comprehensive, risk-based security guidance to researchers, CMS increases the risk that external entities possessing agency data may not have applied security controls that meet CMS standards.”
GAO noted that data breaches at hospitals, insurance companies, and other entities in the health care industry have highlighted the importance of ensuring the security of health information, including personally identifiable information (PII) about Medicare beneficiaries.
Consequently, GAO told Congress, “Without effective oversight measures in place for researchers and qualified entities, CMS cannot fully ensure that the security of Medicare beneficiary data is being adequately protected.”
And, “Regarding MACs,” GAO said, “although they are subject to two types of independent annual assessments, which have regularly identified weaknesses in their implementation of security controls, the weaknesses that have been assessed as low-risk have not been consistently tracked in the CMS finding tracking system. Without more consistent tracking of these low-risk weaknesses, it may be difficult for CMS to determine if all weaknesses are being addressed in a timely manner.”
GAO concluded that “the distributed nature of Medicare systems and networks, along with the fact that so many entities external to CMS are connected to them, increases the potential that unauthorized individuals could gain access to these systems and the extensive amount of Medicare beneficiary data they contain.”