eGovernment Forschung seit 2001 | eGovernment Research since 2001

Massive OPM breach gives OMB the ammo needed to drive PIV use

The goal of HSPD-12 more than a decade ago was simple. Federal agencies were to deploy a secure, interoperable identity document for physical access to facilities and logical access to networks and applications.

The actual rollout has been anything but simple. Eleven years after HSPD-12 was signed and five years after the White House mandated that logical and physical access control systems use the PIV, half of all federal agencies still don’t use the credential. They have issued it … they just don’t use it.

The smart cards are in the hands of more than 90% of agency personnel, but agencies are still resisting actual use of the card. A White House Office of Management and Budget (OMB) report released in 2015 showed that just 42% of federal agency employees – outside of the DOD – were using the PIV for access to secure networks and applications. The Office of Personnel Management (OPM) – the target of a massive data breach in which the personal information of more than 25 million current and former government employees was stolen – was one of the worst offenders. In 2013 no OPM employees were using the PIV for logical access, and at the end of 2014 that number had climbed to only 1%.

The records reportedly were stolen in more than one breach. One of those breaches was linked to a contractor’s username and password being compromised, while another was linked to a “zero-day bug” in the system.

In the wake of the OPM breach, OMB mandated a “30-day cyber sprint” in which federal agencies were to shore up their cybersecurity. A primary goal of the sprint was to accelerate implementation of multi-factor authentication, especially for privileged users.

“Intruders can easily steal or guess usernames and passwords and use them to gain access to Federal networks, systems, and data. Requiring the utilization of a Personal Identity Verification (PIV) card or alternative form of multi-factor authentication can significantly reduce the risk of adversaries penetrating Federal networks and systems,” according to a White House statement.

Privileged users, of whom there are more than 134,000 across the government, possess elevated access to federal systems and are the ones who grant other employees access to different systems. For example, if a new employee needs access to a cloud-based accounting app, a privileged user will be the one to enable that access. At the time of the OPM breach, eighteen agencies did not require privileged users to log in using PIV authentication.

The cyber sprint concluded in mid-July and OMB officials reported an increased use of multi-factor authentication for privileged users.

While requiring PIV for privileged users is a key cybersecurity measure, OMB is pushing more agencies to use the smart card across the board. “We’re not doing so well with the deployment of PIV and strong authentication,” says Trevor Rudolph, chief of the Cyber and National Security Unit in the Office of E-Government and IT at OMB. “Agencies need a carrot to help get PIV implemented and we’re deploying the resources to the agencies to solve these problems.”

Technically this isn’t anything new. In 2011, OMB issued a memorandum (M-11-11) stating that all new purchases dealing with physical or logical access had to be HSPD-12 compliant. Still, many federal agencies rolled their eyes at the mandate and kept doing what they had been doing.

Cultural issues remain primary obstacle

The three biggest issues when it comes to using the credentials have been funding, technical issues and cultural challenges, Rudolph says. “With the cultural problems, people just don’t want to do it,” he explains. “They have the cards but don’t want to use them because they think it’s a burden.”

OMB is working on ways to solve all three of these issues. “We’re documenting all the challenges on why agencies can’t use PIV, and we’re deploying resources to solve these problems,” Rudolph says. “Some of the problems are technical but most of the time it’s cultural.”

Some agency and IT leaders have stubbornly refused to take any real steps to strengthen user authentication, insiders say. That is likely the attitude OMB officials are gently referring to as cultural issues.

Such cultural issues are getting more attention, says Grant Schneider, federal cybersecurity advisor at OMB. At the highest levels, agencies are meeting regularly with OMB on identity and access management. Schneider and Rudolph both made their comments at the Smart Card Alliance’s Smart Cards in Government conference.

When the cultural issues become too much of a problem, OMB can escalate. “We make a phone call to the secretary or deputy secretary and they make the changes overnight,” Rudolph adds.

Rudolph and Schneider both say PIV can also make life easier for employees. Agencies that deploy PIV-enabled single sign-on systems eliminate the need to remember separate usernames and passwords for different applications. “I just have the PIV and a six-digit PIN,” Schneider says.

On the budget side, agencies have had years to procure PIV-enabled systems. “I don’t think it has been an unfunded mandate,” Schneider says. “Over the years the funding has been pretty good for agencies to make the changes and get these things done. Agencies could have done more.”

OMB is also working on ways to help agencies solve the technical issues. There is a 500-page Federal Identity, Credential and Access Management (FICAM) Roadmap that can guide agencies, but that document isn’t without its issues. OMB is creating “playbooks” that look at some of the problems agencies experience with PIV and how to solve them, Schneider explains.

Beyond increasing usage of the PIV, Schneider says OMB wants to see identity attributes shared across agencies. If a Defense Department employee visits Homeland Security, the PIV should be electronically verified before the employee is allowed entry. Today, a visual inspection of the badge is still generally all that takes place.

Too little, too late

Although OMB has been publicly talking about pushing agencies to use the PIV for years, some vendors say the time for talk is long past. “The penetration is tragically low,” says Neville Pattinson, senior vice president for government sales at Gemalto North America. “The government needs to do this, the writing is on the wall, there are so many vulnerabilities and they just lost the personnel records of the entire federal government.”

The cyber sprint was a reaction to the OPM breach, but there still aren’t any penalties if an agency fails to comply. “It’s something that should take a higher priority,” Pattinson says. “The agencies need some motivation.”

Dinging their budget might work, says Rick Patrick, senior vice president of the Identity Group-North America at Oberthur Technologies. He suggests annual audits: if an agency doesn’t pass, it gets less money in subsequent budget cycles until it complies. “The problem is impacting national security,” he adds.

Greater accountability for how agencies are using the PIV would also be welcome, Patrick says. The FISMA report released earlier this year gave some insight into PIV usage but not many other details. “How many of the agencies are maximizing the full use of the PIV as intended in HSPD-12?” he asks.

Another issue around the PIV has been the FIPS 201 standard itself. FIPS 201-2 was released in 2013, yet not all of the NIST special publications that define specific parts of the standard have been updated, nor have the corresponding test tools been developed, says Christophe Goyet, director of Technical Marketing, ID and Government Programs at Oberthur Technologies.

The latest special publication draft, covering the PIV card interfaces (SP 800-73-4), was released in May. It is only a draft, and comments are expected to go back and forth before a final spec is released. From there, test tools will need to be created, and only then can products be tested, Goyet says.

It will likely be 2016 before cards compliant with all of the specifications can be approved and agencies can roll them out.

Change finally on the horizon?

It’s been more than a decade since the order mandating a standard identity card for federal employees was issued. Some delays are understandable, but it seems inexcusable for agencies to outright refuse use of the credentials.

Perhaps for the first time, however, an agency with overarching reach is stepping up to push the foot-draggers to get on board. OMB seems positioned to make things happen, if it can sustain the momentum provided by the unfortunate OPM breach.

---

Autor(en)/Author(s): Zack Martin

Quelle/Source: SecureIDNews, 14.09.2015
