Our on-demand knowledge webcast series, addressing the directives Federal CIO Tony Scott gave to agencies for the 30-day Cybersecurity Sprint concludes with a discussion of the fourth and final directive:
“Dramatically accelerate implementation of multi-factor authentication, especially for privileged users. Intruders can easily steal or guess usernames/passwords and use them to gain access to Federal networks, systems, and data. Requiring the utilization of a Personal Identity Verification (PIV) card or alternative form of multi-factor authentication can significantly reduce the risk of adversaries penetrating Federal networks and systems. Agencies must report to OMB and DHS on progress and challenges within 30 days.”
Federal Cybersecurity for the 21st Century
Of all four directives, this is the one for which federal CIO Tony Scott reported the most significant amount of progress after the Sprint was completed. From his August 3 blog post on cio.gov:
“Federal Civilian agencies increased their use of strong authentication for privileged and unprivileged users from 42 percent to 72 percent… their use of strong authentication for privileged users from 33 percent to nearly 75 percent…Thirteen agencies, or more than half of the largest agencies – including the Departments of Transportation, Veterans Affairs, and the Interior – have implemented the same level of strong authentication for nearly 95 percent of their privileged users.”
The graph below, from Sprint results posted on performance.gov, visualizes these increases against the overall context of Cross Agency Priority (CAP) goals:
That’s an impressive-looking curve. And a lot of progress was made against the fourth directive. It is worth noting that per HSPD-12, PIV/CAC card distribution was supposed to be at 100% by the end of 2014, and all indications from publicly available sources are that that was the case, or was as close to 100% as can be possible given ongoing changes in the federal employee and contractor workforce.
PIV cards are used for both physical access to federal facilities and logical access to federal information systems. What’s apparent from the above results is that during the Sprint, agencies stepped up the actual use of the cards for system access. That’s all to the good, but many agencies still have a ways to go to make sure that the cards are used for system access by everyone who has one.
Multi-factor authentication, whether by PIV card or another solution, throws up another wall in front of those with the aim of invading federal information.