In late February, the OMB E-Gov Cyber unit released the Federal Information Security Management Act (FISMA) report to Congress for the fiscal year 2014. The FISMA report details metrics on the implementation of cybersecurity initiatives across the federal government. Fiscal year 2014 showed modest improvements across many initiatives but illuminated some startling statistics, particularly around strong authentication.
Most startling is that nearly half of the almost 70,000 documented cybersecurity incidents were related to strong authentication, or, better stated, to the lack of strong authentication. The report states, “E-Gov Cyber found during its analysis that the majority of federal cybersecurity incidents are related to or could potentially have been mitigated by strong authentication implementation.” FISMA classifies incidents of this type as unauthorized access, suspicious network activity and improper usage. For fiscal year 2014, 52% of incidents fell into this classification. The number did decrease 13% from fiscal year 2013, but it still represents an astonishingly high percentage of total incidents.
Implementation of strong authentication among CFO Act agencies has slowed. The average reached 72% of total users in fiscal year 2014. This represents a modest 5% growth and a further step back from the preceding year’s 10% growth. The report also indicates that when the Department of Defense is not factored into the equation, less than half of the CFO Act agencies are implementing strong authentication that complies with NIST standards. While the Department of Commerce and the Environmental Protection Agency made significant gains in implementation in fiscal year 2014, there are still agencies that have not implemented any form of strong authentication at all. The goal for overall agency compliance with strong authentication standards for fiscal year 2014 was 75%.
The reason for the slowing implementation is unclear. Ever-tightening budgets and difficulty staffing highly skilled information security positions have always been raised as concerns by federal IT administrators. Notwithstanding, the federal government cannot afford to fall behind in implementing this very fundamental element of security. Attackers are showing increasing skill in compromising legitimate credentials and then using them to pivot around an environment once they are in. This tactic makes employing the latest innovations in two-factor and adaptive authentication vital to defending federal systems, as users will need to be continuously verified to detect malicious behavior.
At the same time, users are demanding higher levels of convenience when accessing their data, bringing their own devices into the mix. This precedent is being set by the highest-level officials in government. The FISMA report briefly mentions the use of derived credentials to address this need, allowing PIV-based strong authentication to be bridged to personal mobile devices. Derived credentials will become a fundamental part of federal identity management, and the federal government must adapt quickly.
President Obama and his administration have been hailed by strong authentication experts for their attention to cybersecurity matters, most recently by FIDO Alliance Vice President Ramesh Kesanupalli. Kesanupalli praised President Obama’s understanding of the issue of strong authentication, stating, “President Obama was aware. Strong authentication was one of five foundational topics of the [Cybersecurity] Summit where the President poked fun at himself and his previous weak passwords.” It is comforting to know that the President is cognizant of the stakes, but he must continue to push on this critical issue.
Significant progress has been made in federal cybersecurity. However, there are some inexcusable gaps that must be addressed, and quickly. Strong authentication should be made the top priority in the coming year. Recent years have seen vast improvements in the affordability, deployability and maintainability of NIST-compliant two-factor implementations. Many implementations offer additional security on top of PIV/CAC by adding adaptive techniques. These will become an absolute necessity to counter the ever-evolving tactics of the adversary.