The guidance released this week from a CISA and NSA-led panel of government and industry experts highlighted confusion over MFA terminology and vague policy instructions as primary challenges that have so far prevented seamless application of the user authentication process. 

While one seemingly simple proposed fix from the panel is to settle on a more standardized MFA vocabulary, a thornier problem identified is the “lack of clarity regarding the security properties that certain implementations provide.” Additional steps to standardize and simplify the benefits provided by MFA were recommended by the panel, including greater investments by vendors into “phishing-resistant authenticators to more use cases to provide greater defense against sophisticated attacks.”

Other MFA-related challenges raised by the panel centered on sustainability and governance of user sign-ups, noting that a reliance on self-enrollment and “one time enrollment code[s]” leaves systems vulnerable to cyber threats.

On the single sign-on front, experts highlighted the “significant tradeoff” between functionality and complexity, adding that R&D efforts should prioritize a “secure-by-default, easy to use, SSO system to address these gaps in the market.”

Additionally, the panel suggested that SSO accessibility could be improved by bundling those capabilities in all high-enterprise product features, ensuring that small- and medium-sized organizations aren’t priced out.  

The concepts called out in the CISA-NSA guidance fall under the broader framework of identity and access management, a critical component of zero-trust security and a pillar of the government’s efforts in that space. The White House’s 2021 executive order on improving the nation’s cybersecurity called for advancements in zero-trust architecture within the federal government, while the 2022 OMB memorandum doubled down on the strategy, calling for stronger enterprise identity and access controls, including MFA.

The post Stumbling blocks abound in federal push to stronger identity and access management, CISA and NSA panel finds appeared first on FedScoop.

In a three-part document issued Thursday, the administration also said it would work to ensure the Department of Labor’s Inspector General can easily access multi-state data to detect instances of multi-state fraud where the same identity is inappropriately used to apply for benefits in multiple states.

Addressing public benefits fraud has been a top priority for the Biden administration, which last March announced a range of measures to crack down on pandemic funding fraud.

At the time, the administration said it was working on an executive order that would address specific elements of identity theft but has yet to be issued.

The proposals also included a range of state-level funding, including $380 million in anti-fraud grants and identity theft prevention, of which about $40 million is intended to make equitable innovations in identity verification available to states through Login.gov and the U.S. Postal Service.

The White House also in the document said it plans to make a further $600 million available for state government agencies to help modernize vulnerable IT systems and improve program integrity, which it said has led to significant fraud and payment errors.

The addition funds for state IT will come from $1.6 billion in American Rescue Plan Act funds that will be made available by June, according to the administration.

The post Biden administration allocates $300M to help federal agencies modernize ID verification technology appeared first on FedScoop.

NIH issued a request for information this week in search of identity, credential and access management (ICAM) vendors who can help transition the agency’s existing on-premise identity capabilities to a software-as-a-service in support of its move to a zero-trust security architecture.

Specifically, NIH wants a SaaS solution that provides web authentication, directory services and secure access service edge (SASE) services in the cloud.

“NIH is undergoing important transformations in when, where, and how the workforce operates.
The ICAM Modernization project will facilitate NIH staff members’ and biomedical research partners’ access to their NIH-managed systems and data securely, anytime, from almost anywhere in the world,” reads the RFI, adding that “NIH anticipates future ICAM solutions delivering faster, more secure and cost-effective services from the cloud.”

According to NIH, its Center for Information Technology serves “50,000 users daily in more than 400 buildings and facilities and hosts a 225,000-user grantee population. NIH also provides services to 1.2 million federated users domestically and internationally.”

The COVID-19 pandemic introduced new challenges and exacerbated existing ones, which led NIH to pursue a new cloud-based ICAM solution. It hopes a vendor can help with speeding up integration of applications via automation, lower operation costs with a more streamlined identity environment, enhance real-time visibility into active users and platform availability, and improve performance for end users.

Importantly, the envisioned solution would also provide key pillars of NIH’s zero trust roadmap in that it “eliminates implicit trust by continuously authenticating and validating digital identities based on a content and context-aware logical access boundary.”

“In the target state, anyone who attempts to access NIH managed resources will do so through enterprise-level SASE and Identity as a Services (IDaaS) platforms,” the RFI explains.

It continues: “The SASE and IDaaS solutions will provide a diverse set of security and networking capabilities to grant access to NIH’s applications and infrastructure which are both on cloud and on-premises. These capabilities will enable limited access, allow/block access, require MFA, block legacy authentication and force password reset. NIH will also utilize Continuous Monitoring and Diagnostics tools to ensure the services offered by the future solutions are operational and secure.”

Interested parties have until March 7 to issue responses for the RFI.

The post With shift to increased remote work and zero trust, NIH eyes cloud solution for identity appeared first on FedScoop.

Speaking at FedTalks presented by FedScoop on Wednesday, George Chambers said the department continues to work on making information on who’s accessing its network, using what equipment, from what location actionable across apps to enable continuous monitoring.

HHS spent the last 15 to 20 years building walls between its various infrastructures it must now dissolve, all while responding to a global pandemic. The department requires zero-trust technologies from multiple vendors to meet its needs.

“I don’t believe that any agency, especially as federated as we are at HHS, is going to create a scenario where we go, ‘Here is your standard, we’re going to choose this and everyone is going to apply,’” Chambers said.

Instead leadership must provide some standards for managing multiple technologies departmentwide. Requiring a single standard for, say, identity management would be “naive,” Chambers said.

Different missions require different platforms, so HHS is investing in low-code and no-code solutions. But that creates other complications Chambers is trying to address by simultaneously buying application programming interface and access management tools, as well as standing up multiple cloud environments.

“All of those things allow us to get the flexibility to hit the endgame but still allow vendors and everybody to operate in that ecosystem,” Chambers said. “And it’s challenging as heck.”

The post HHS IT leader says agency still working to implement zero trust for all applications appeared first on FedScoop.

The recent zero-trust mandate is challenging federal IT teams to understand their security posture and maintain continuous visibility into their assets and users. This is compounded by a changing workplace landscape, the increased need for user access to software-as-a-services technologies, and the modification or addition of different end-user devices. 

Joe Bermudez, Senior Engineer, Axonius Federal Systems

Initiatives like the Department of Homeland Security’s (DHS) Continuous Diagnostics and Mitigation (CDM) Program and Defense Information Systems Agency’s (DISA) Continuous Monitoring and Risk Scoring (CMRS) program aim to be beneficial frameworks for implementing zero-trust practices. However, federal IT teams are still struggling under the weight of the many security and operations tools they use to protect their assets. 

What agencies need is a turnkey approach to aggregate all the valuable data housed by the different systems they’ve already invested in and correlate it into actionable intelligence. 

Using asset management to build a zero-trust foundation

The Biden administration’s new mandate on zero trust calls for agencies to move swiftly to improve prevention, detection, assessment and remediation of cyber incidents. But as long as all system data remains siloed, agencies will never achieve the visibility required to stay ahead of threats — let alone move toward a zero-trust posture.

When starting the zero-trust journey, I recommend agencies first get a firm grasp on the security baseline and compliance level of their assets. 

Long-standing programs like CDM and CMRS are crucial to helping agencies establish a risk-based security approach to threats in their environment. These programs attempt to provide a dynamic approach to security by deriving a quantified, always up-to-date level of risk to articulate and track security compliance.

Adding a modern cyber asset attack surface management (CAASM) platform like Axonius drastically simplifies the task of aggregating and correlating all the necessary data for these programs, and greatly increases the accuracy and modernity of the programs. It also provides deeper visibility into assets and user actions. This puts agencies in a proactive posture to mitigate risks on the network. The combination slingshots agencies toward meeting their zero-trust mandates.

The second area I recommend agencies invest in is greater visibility into users and account access policies. While it remains to be seen how government agencies will navigate hybrid work in the long-term, trends suggest the demand for flexible work capabilities is on the rise. In this age, when agencies are scrutinizing their least-privileged access policies through the lens of zero-trust, they should be absolutely sure that devices are secured — but also that user accounts are adhering to security policies.

Tracking service accounts and administrator accounts can also be a big challenge for agencies. Axonius provides the ability to map out all devices to associated users quickly and easily. It allows agencies to easily monitor the frequency which passwords are modified for accounts, track the last time the account was used and show what devices the account is logged into.

Implementing multi-factor authentication (MFA) and single sign-on technology with an identity and access management solution is critical for agencies. While rolling out MFA to every facet of the agency is a challenge in itself, how well that policy is monitored is just as important. Axonius can constantly verify that the MFA security policy is being followed and flag or take action when it’s not.  

How to adopt a stronger zero-trust mindset

There’s no shortage of security threats and vulnerabilities, but the key to building a zero-trust mindset is to close those visibility gaps. Data plays a key role in how those security decisions will be made.

I recommend leaders ask themselves some of these key questions to determine if they have enough visibility into their assets and users. Can you easily and constantly verify: 

• That your endpoint agents are deployed and working properly on all your assets?
• How many unmanaged devices are connected to your network, and if they should or shouldn’t be managed?
• That privileged user accounts are following MFA security policies?
• That service accounts are properly used?
• That all your users and devices are adhering to your security policies?

If the answer to any of the questions is no, or I don’t know, you need to take a step back and think about how to increase their level of asset intelligence and move forward on zero trust.

Modernizing the asset inventory approach

The CAASM approach delivers agencies enhanced visibility into assets, users and issues.

Axonius is the cybersecurity asset management platform that gives organizations a comprehensive asset inventory, uncovers gaps and automatically validates and enforces policies. Deployed in minutes, the Axonius solution integrates with hundreds of data sources to give customers the confidence to control complexity by mitigating threats, navigating risk, decreasing incidents, automating response actions and informing business-level strategy. 

The Axonius platform has more than 350 pre-built integrations into all the management, infrastructure and security tools that agencies already have deployed — and this number is still growing. 

These integrations provide the out-of-the-box capability to deliver and maintain an up-to-date credible asset inventory. The Axonius Query Wizard also allows users to build complex queries so they can interrogate their asset inventory from all data sources in one place. From there, agencies can easily analyze their security posture, take automated action via the Axonius Security Policy Enforcement Center and feed this curated and accurate information to risk management systems. 

Request a demo to learn more about how Axonius can help your organization address security risks with modern asset management solutions.

The post Using asset management to build a foundation for zero trust appeared first on FedScoop.

As agency leaders begin to look at a more permanent remote or hybrid-work future for some of their employees, they also need to consider both infrastructure and security modernization they will need to support the mission.

Read the full report

“Agencies will need to modernize access…but also security, because attackers never standstill,” says Sean Frazier, federal CSO at Okta in the report.

The report, “The 3 Tenets of Enabling a Remote Government Workforce,” produced by Okta, outlines strategies for agency leaders to consider that will support a more permanent remote workforce built on the principals of zero trust.

As agencies continue down the road to modernizations, says Frazier in the report, they need to change both their infrastructure and their mindset to evolve with changing workforce needs. That includes modernizing the identity stack, focusing on usability and putting security first.

Learn more about how ICAM platforms help agencies stay secure and productive in the age of telework.

This article was produced by FedScoop for, and sponsored by, Okta.

The post Three principles to ensure a secure remote workforce appeared first on FedScoop.

A new report, produced by ID.me, details how states partnered with private sector organizations to analyze millions of claims received and implement modern identity authentication tools to reduce fraud payouts. 

Read the full report.

“As early as May 2020, a Nigerian fraud ring dubbed ‘Scattered Canary’ reportedly siphoned hundreds of millions of dollars from the state of Washington before the coordinated attack was identified,” said the report.

“As fraudsters began to target new states, the Arizona Department of Economic Security (DES) saw a massive rise in claimants. There were 77,063 initial [pandemic unemployment assistance (PUA)] applications filed during the week ending May 16, 2020. That weekly number had risen to 266,674 by July 25. Initial applications for PUA peaked at 570,409 for the week ending October 10.”

By September 2020, a number of states partnered with ID.me — including Florida, Georgia and Nevada — to successfully verified tens of thousands of legitimate claimants and diminish fraud instances. About this time is when Arizona’s DES reached out to ID.me to initiate a pilot program that they hoped would help them determine fraud instances for the state.

“By October, the results of the pilot program in Arizona showed great success. ID.me contributed to a dramatic reduction in the number of claims, from a record high of nearly 570,400 claims filed in the week ending October 10, to just 6,700 the week ending November 14 — representing a 98.8% decrease in new claims filed,” shared the report.

By implementing ID.me’s identity verification tool, DES estimates savings from payouts on fraudulent PUA claims for the State of Arizona upwards of $40 billion.

Read more about how states are improving citizen benefits programs and reducing fraud through modern identity verification tools. 

This article was produced by Scoop News Group for, and sponsored by, ID.me.

The post How Arizona saved $40 billion in payouts on fraudulent unemployment claims appeared first on FedScoop.

“So, O’Neill, have you ever heard of something called Hanssen’s law?” the man asked. O’Neill responded that he did not recall studying such a law at the FBI Academy in Quantico.

The man sitting across the table looked back at O’Neill and began to explain Hanssen’s law. “The spy,” he said, “is always in the worst possible place.”

O’Neill could neither believe what he was hearing nor where the conversation was taking place. He was sitting across from Robert Philip Hanssen, one of the most damaging FBI cyber insiders in history, and they were talking as colleagues in the information assurance division within FBI headquarters. O’Neill maintained his poker face and asked Hanssen what he meant.

“That spy is that person with the access to information and the wherewithal to use that information to sell it to those who will do the most damage with it. And that Eric,” Hanssen said to O’Neill, “is what we in the FBI as counterintelligence agents, are tasked to do. Find that spy. Hunt them wherever they are.”

Speaking at the 2021 Public Sector Innovation Summit sponsored by VMware, O’Neill — now National Security Strategist at VMware and author of Gray Day: My Undercover Mission to Expose America’s First Cyber Spy — acknowledged that Hanssen’s words were very prescient. 

(Watch O’Neill’s full presentation here.) 

The FBI’s most sobering discovery had to do with Hanssen’s use of the Bureau’s own IT infrastructure. To their dismay, the FBI found that Hanssen had used his authorized access to the Bureau’s Automated Case Support system and his knowledge of computers to monitor the FBI investigation that was trying to find him.

At the heart of the ACS system, which first came online in 1995, is the Electronic Case File (ECF). The ECF contains all of the Bureau’s internal communications relating to ongoing investigations and programs. Subsequent investigation of Hanssen’s use of the ECF system showed that he routinely searched the system using search terms directly related to the investigation that was aimed at uncovering his identity.

Hanssen compromised thousands of pages of classified documents detailing the most sensitive intelligence collection programs in the U.S. intelligence community. Among the most damaging disclosures concerned the details of a tunnel that had been dug beneath the Soviet embassy in Washington and outfitted with high-tech listening devices that were monitored by the FBI and the National Security Agency. 

It was the exchange with Hanssen and the lessons learned from the investigation that would begin the evolution of O’Neill’s own thinking about cybersecurity and insider threats, which he now shares with government agencies and companies on behalf of VMware.

“As I thought about whether the spy is always in the worst possible place, I realized that the spy is always in the worst possible place for anyone who is breached,” O’Neill said. 

Cyberspies are changing the world, according to O’Neill. “There are no hackers, there are only spies,” he said. “The true cyberattackers, cyberspies, and cybercriminals are well-resourced, are very knowledgeable and they’re using sophisticated computer equipment…to get at the data that is the currency of our lives. And as the world gets smaller, cyberattacks are simply growing.”

Pandemic 3.0 – Reopening Our World

O’Neill refers to the massive shift in how people work — from pre-pandemic to pandemic-era remote work and now the post-pandemic reopening — as Pandemic 3.0. Cyberspace has become more hostile, said O’Neill. Destructive attacks have increased 118%, he said.

“Cyberattacks have quadrupled during the pandemic and foreign spies have been targeting everything, in particular COVID-19 research in the healthcare sector,” O’Neill said. 

These trends pose a significant challenge for the Pandemic 3.0 world, in which we must find a way for employees to work from any place, on any device, and through any cloud. “Zero trust and endpoint [detection] is critical for remote work,” O’Neill said. “Zero trust is the only way to ensure that everyone accessing your data is authorized.”

The pandemic also forced a massive expansion in cloud investments but when you move to a public cloud “you’re moving to a tough neighborhood,” according to O’Neill. “You may be able to secure your own resources, but you have no control over who’s sharing that environment with you. So you have to prioritize security cloud workloads at every point in the security lifecycle,” he said. “That means security that extends across workloads, containers, and Kubernetes.”

Learn more about “Zero Trust” strategies and how VMware is helping to accelerate public sector innovation.

The post Cybersecurity in a shrinking world appeared first on FedScoop.

Read the full report.

According to a recent Okta report, the Air Force is one of several agencies using modern identity and access management tools to assist with security and user experience.

It is working to “centralize IAM across 33 systems and 200 applications,” the report says. Additionally, among other capabilities, the IAM platform allows them to streamline auditing and reporting tools and user behavior analytics to uncover anomalies.

The report describes how Okta’s zero trust architecture is being used as a foundation to secure DOD resource across on-premise and cloud environments to help defense organizations manage their extended enterprise, and by making it possible for them to:

• Embrace the secure cloud, at scale — while also extending the same strong authentication to on-prem apps, such as WAM.
• Reduce the complexity of managing separate password and authentication policies across on-premise and cloud resources.
• Provide a consistent and seamless access experience for end users, eliminating password fatigue and improving onboarding time.

Learn more about how zero trust and identity management are proving to be a game-changer for DOD network security.

This article was produced by FedScoop for, and sponsored by, Okta.

The post Zero trust, identity management and DOD network security strategies appeared first on FedScoop.