FISMA Report Reveals Federal Agencies Struggle with Strong Authentication
The annual Federal Information Security Management Act (FISMA) report (PDF) for Congress published Feb. 27 reveals a 15 percent increase in information security incidents impacting federal agencies last year, totalling nearly 70,000 events, recognizing that “strong authentication remains a key challenge.”
So what are some of the threats to the federal government? According to the report, in addition to leveraging software weaknesses and bypassing threat detection and prevention tools, there’s the common threat of the human:
Far too often, adversaries are able to employ social engineering techniques designed to trick the unsuspecting user to open a malicious link or attachment thereby giving the attacker direct access to Federal information and information systems.
And without proper security technology in place, it can be difficult to guard against these attacks. The FISMA report points out that only 41 percent of agencies had implemented strong authentication for network access in 2014, with the Department of Defense exempted. The agency that saw the most significant increase in authentication security is the Environmental Protection Agency (EPA), from 0 percent to 69 percent.
What is ‘strong authentication’? The government’s definition involves multiple factors in order to securely authenticate a user, including:
- Something the user has, such as a PIV card
- Something the user is, an approved user
- Something the user knows, such as a password or key code
The second factor listed doesn’t make much sense to me, as I think the something the user is typically refers to biometrics in the industry (retina scan, fingerprint, etc.). Also, what’s a PIV card?
According to VA.gov, a personal identity verification (PIV) card is an ID card issued by a federal agency that contains a computer chip allowing it to transmit, receive and store information securely. The card uses public key infrastructure (PKI) encryption to secure information, and can provide functionality for digital signatures.
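The definition above turns on the factors coming from different categories, which is the part that is easy to get wrong in practice: a password plus a security question is still just one factor. The following is an added example, not code from the report or from any agency: a small Python policy check that classifies credentials into the three categories and then audits constructed login records per agency, reporting the share of privileged and unprivileged users whose weakest observed login still met the two-factor bar. The credential-to-category mapping, the agency names and the sample events are all assumptions constructed for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    """The three factor categories named in the FISMA definition."""
    POSSESSION = "something the user has"
    INHERENCE = "something the user is"
    KNOWLEDGE = "something the user knows"


# Constructed mapping from credential type to factor category (assumption,
# not a taxonomy taken from the report).
CREDENTIAL_FACTOR = {
    "piv_card": Factor.POSSESSION,
    "hardware_otp": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "security_question": Factor.KNOWLEDGE,
}


def distinct_factors(credentials):
    """Return the set of factor categories covered by the presented credentials.
    Unknown credential types are ignored rather than guessed at."""
    return {CREDENTIAL_FACTOR[c] for c in credentials if c in CREDENTIAL_FACTOR}


def is_strong_authentication(credentials):
    """Strong means at least two *different* categories. Two knowledge
    factors (password + security question) still count as single-factor."""
    return len(distinct_factors(credentials)) >= 2


@dataclass(frozen=True)
class LoginEvent:
    agency: str
    user: str
    privileged: bool
    credentials: tuple


def audit_strong_auth(events):
    """Per agency and user class, the share of users whose *weakest* observed
    login was still strong. A user who sometimes uses a PIV card but can still
    log in with only a password is counted as not strongly authenticated.
    Returns {agency: {"privileged": ratio, "unprivileged": ratio}}."""
    weakest = {}  # (agency, user, privileged) -> True only if every login was strong
    for e in events:
        key = (e.agency, e.user, e.privileged)
        weakest[key] = weakest.get(key, True) and is_strong_authentication(e.credentials)

    counts = defaultdict(lambda: {"privileged": [0, 0], "unprivileged": [0, 0]})
    for (agency, _, privileged), strong in weakest.items():
        bucket = counts[agency]["privileged" if privileged else "unprivileged"]
        bucket[0] += int(strong)
        bucket[1] += 1

    return {
        agency: {cls: (s / n if n else None) for cls, (s, n) in classes.items()}
        for agency, classes in counts.items()
    }


# Constructed sample login records (hypothetical agencies and users).
SAMPLE_EVENTS = [
    LoginEvent("AgencyA", "alice", True, ("piv_card", "pin")),
    LoginEvent("AgencyA", "bob", True, ("password",)),
    LoginEvent("AgencyA", "bob", True, ("piv_card", "pin")),  # bob can still fall back to a password
    LoginEvent("AgencyA", "carol", False, ("password", "security_question")),
    LoginEvent("AgencyB", "dave", True, ("piv_card", "pin")),
    LoginEvent("AgencyB", "erin", False, ("fingerprint", "password")),
]

if __name__ == "__main__":
    for agency, classes in audit_strong_auth(SAMPLE_EVENTS).items():
        print(agency, classes)
```

The audit keys on the weakest login per user rather than the most recent one, because the risk the report describes comes from the password-only path still being accepted, not from whether a PIV card is sometimes used.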
The report analyzed the different types of incidents reported and found they fell into the categories of improper use, suspicious network activity, unauthorized access, social engineering, phishing, malicious code, denial of service and equipment-related/other. After analyzing these incidents, the US-CERT incident report found that in 2013, 65 percent of information security incidents could have been prevented with strong authentication.
The report also acknowledges that agencies with the weakest authentication profile allow most of their unprivileged users to log in using only a username and password, which makes unauthorized network access more likely, since passwords are easy to steal via phishing or malware. FISMA named 16 agencies that fall into this category, including Energy, Labor, and the Nuclear Regulatory Commission.
But more troubling is the number of privileged users that are allowed to log in using only single-factor authentication. FISMA identified 18 agencies that don’t require most of their privileged network users to log on using two-factor PIV authentication, including the Dept. of Health and Human Services, Veterans Affairs, Dept. of Human Services and many others.
With such a large number of agencies lacking basic authentication security, the obvious first step they could take toward cutting down on security incidents is implementing two-factor authentication. The report supports that idea, stating that while the federal government promotes telework, remote access to desktops, local area network and wide area network (LAN/WAN) resources must be secured with stronger authentication, e.g., by using two-factor PIV cards.
FISMA also ranked agencies on their cybersecurity score, which relied on ratings on their security programs implemented in different areas, including:
- Continuous monitoring management;
- Configuration management;
- Identity and access management;
- Incident response and reporting;
- Risk management;
- Security training;
- Plans of action and milestones (POA&M);
- Remote access management;
- Contingency planning;
- Contractor systems; and
- Security capital planning
A few agencies were at the bottom of the list, ranking very poorly for information security practices and programs, including the Dept. of Transportation, Small Business Administration, Dept. of Health and Human Services, Dept. of Commerce, and others.
Back in October 2014, the White House signed an executive order to improve the security of consumer transactions, requiring agencies to use two-factor authentication and an effective identity-proofing process whenever using web apps to provide citizens with personal data as part of the BuySecure initiative. Learn more in Executive Order Mandates 2FA to Protect Consumer Financial Transactions.
But two-factor authentication is not only effective at protecting web apps for citizens; it can also effectively protect federal agencies from unauthorized access.