multi-factor authentication Archives | FedScoop
https://fedscoop.com/tag/multi-factor-authentication/
FedScoop delivers up-to-the-minute breaking government tech news and is the government IT community's platform for education and collaboration through news, events, radio and TV. FedScoop engages top leaders from the White House, federal agencies, academia and the tech industry both online and in person to discuss ways technology can improve government, and to exchange best practices and identify how to achieve common goals.
Mon, 23 Jan 2023 21:56:03 +0000

Interior Department watchdog finds 5% of active credentials at agency use word ‘password’
https://fedscoop.com/interior-password-management-failings/
Tue, 10 Jan 2023 03:23:24 +0000
Interior Department IG staff were able to crack passwords for 16% of agency users within the first 90 minutes of testing.

A watchdog audit of IT security at the Interior Department has identified key password management failings at the agency.

The department’s inspector general found during a recent investigation that out of all active users, 4.75% of them used a password derived from some variation of the word “password.”

Within the first 90 minutes of testing conducted for the report, watchdog staff were able to crack passwords for 16% of the agency’s user accounts.

However, this represents a slight improvement on results from previous oversight projects when the IG was able to crack between 20% and 40% of passwords captured, according to the report.

In addition to concerns over password complexity requirements, the latest watchdog probe found that Interior did not consistently implement multi-factor authentication, including for 89% of its high-value assets. 

High-value assets are defined as assets that could have serious impacts on the department’s ability to conduct business if compromised.

According to the report, the Interior Department’s password complexity requirements were outdated and ineffective. It also failed to disable inactive accounts in a timely manner or to enforce password age limits.

As a result of the findings, the watchdog has made eight recommendations, including that the agency immediately adopt multifactor authentication across its systems and implement a process for tracking its implementation across all departments.

Interior’s IG has also recommended revamping the agency’s security protocols to require more complex passwords and establishing procedures to ensure that inactive accounts are disabled within a defined period of time.

In a response to the report signed by Interior Chief Information Officer Darren Ash and acting Chief Information Security Officer John Clink, the agency agreed with the recommendations and said it was working to ensure full compliance with an August Office of Management and Budget memo requiring federal agency application owners to move to multifactor authentication within a set timeframe.

It said: “This report fundamentally asserts that passwords as lone credentials for authentication are not sufficient for modern information systems. The Department agrees and is committed to implementation of requirements specified in Executive Order (EO) 14028, Improving the Nation’s Cybersecurity and related policies and directives.”

NOAA evaluating multi-factor authentication for apps and devices
https://fedscoop.com/noaa-evaluating-multi-factor-authentication-solutions/
Wed, 17 Aug 2022 17:04:21 +0000
Chief information officer Zach Goldstein tells FedScoop the agency plans to launch a Cloud Program Management Office in fiscal 2023.

Editor’s note: This story has been updated to include additional information about the Open-Architecture Data Repository and NOAA’s supercomputing improvements.

The National Oceanic and Atmospheric Administration is exploring multi-factor authentication beyond its network as it looks to strengthen cybersecurity in accordance with the federal zero trust strategy, according to its chief information officer.

Zach Goldstein told FedScoop his agency already requires Common Access Cards (CACs) and personal identification numbers to authenticate to its network but continues to perform comparative analyses of multi-factor authentication (MFA) solutions for applications and devices.

“We’re looking at things other than CAC cards, things that are intelligent tokens — that know who I am, that can exchange certificates with a certificate server, that can be easily revoked, that can have multiple kinds of privileges,” Goldstein said.

Goldstein added that cybersecurity is his “first priority,” in keeping with the White House’s Cybersecurity Executive Order issued in May 2021, and that he hopes to select a token for app and device authentication by the second quarter of fiscal 2023.

NOAA is also increasing supply chain risk assessments of Software as a Service — looking not only at the firm but what they buy and use for services — under Goldstein, who’s been with the agency 17-and-a-half years and CIO since 2015.

Goldstein wants to expand NOAA’s use of the cloud in a way that further improves the agency’s cyber posture while shedding light on how migration is progressing.

“We have an initiative to create a Cloud Program Management Office (PMO), one of whose jobs will be to provide me and NOAA leadership with that answer,” he said.

Assuming the funding for the office within the president’s fiscal 2023 budget stands, Goldstein hopes to launch it by the end of that fiscal year.

According to Goldstein, NOAA was the second federal agency to move its email and calendar to a public cloud, Google Apps for Government, in 2011, and since then the agency has migrated websites, help desk ticketing and global device management.

“It became very clear that we needed to have more discipline going to the cloud and more efficiencies because people were duplicating each other by having to learn how to do a security evaluation of going to the cloud, learn how to authenticate to the cloud, figure out how to communicate and get my data to the cloud,” Goldstein said. “And they were also using different contract vehicles.”

The CIO agreed to authorize NOAA offices’ migrations with the expectation that once his team implemented centralized cloud services streamlining and lowering the cost of the process, they’d use those instead.


NOAA now offers a standard way of getting to the cloud; authenticating using its identity, credential and access management (ICAM) service; and contracting with the three large service providers — Google, Amazon and Microsoft — and others. The Office of the CIO’s Cyber Division evaluates cloud offerings once for universal use across NOAA, accelerating offices’ migrations, but the Cloud PMO will make it so they don’t have to consult separate experts for each step in the process.

A Cloud PMO will also help offices take advantage of NOAA Open Data Dissemination (NODD), which allows for “extremely inexpensive” egress to the public, Goldstein said.

The White House proposed a large funding increase for the Office of Space Commerce in its fiscal 2023 budget, which if accepted by Congress would elevate it to a staff office receiving IT support from the OCIO. 

Goldstein expects to indirectly advise on, provide perimeter security for and oversee the cloud-native Open-Architecture Data Repository, which processes tracking data on space objects to predict and assess risk of collision. This information will improve space situational awareness for commercial and civil space operators. A requirements analysis is ongoing, so the operational cost hasn’t been calculated yet.

“Because the cloud is available and they know how to do it, we know how to do it — we’re going to help the Office of Space Commerce with this — they’ll be able to get that capability in the hands of the world faster,” Goldstein said.

The cloud is also freeing up NOAA’s IT professionals — previously stuck patching, scanning and performing domain controller work — to improve weather forecasting model accuracy and speed.

Supercomputing improvements that continue to be made by NOAA have increased capacity for forecasting three times over and should lead to 30% growth in research computing by the end of 2022, but research and development could benefit from even more, Goldstein said. The agency’s objective is to get enough capacity to perform all NOAA research, and enable focusing these applications down to what should be operationalized.

“We’re not there yet,” Goldstein said. “But we’re getting closer.”

Report: Agencies ahead of industry implementing zero-trust security
https://fedscoop.com/agencies-lead-industry-on-zero-trust/
Tue, 16 Aug 2022 13:00:00 +0000
About 86% of agencies increased their zero-trust budgets and 66% implemented multi-factor authentication, according to an Okta-commissioned report.

Government leads industry in adopting zero-trust security architectures with 72% of agencies reporting at least one related initiative underway, according to an Okta-commissioned report released Tuesday.

Pulse Q&A surveyed about 700 security experts across government and industry globally and found 86% of agencies increased their budgets for zero trust programs in the last year.

Budgets have swelled following the issuance of the federal zero trust strategy in January that, while unfunded, mandated agencies submit enhanced implementation plans annually. In addition to adjusting their budgets, some agencies have applied for Technology Modernization Fund money to support zero trust initiatives.

“We’re all dealing with the same problems that we’ve always been dealing with,” Sean Frazier, Okta’s chief security officer, told FedScoop. “But the good news is the budgets are there; the knowledge and understanding are there on what we need to do to shore up and protect those things.”

Most agencies appear to be referring to the Zero Trust Maturity Model’s five pillars — identity, devices, networks, applications and workloads, and data — to guide their implementations and are starting with identity, Frazier said.

Of the agencies Pulse Q&A surveyed, 66% of them had already implemented multi-factor authentication (MFA) for employees with an additional 41% planning to do so within 12 to 18 months. Those numbers were lower, 45% and 31% respectively, when implementing MFA for citizens.

Agencies that have been doing identity, credential and access management (ICAM) for a while may be looking to increase funding for secure access solutions, which generally leads them to micro-segmentation, Frazier said.

The agencies helping Okta obtain Federal Risk and Authorization Management Program authorizations are exploring identity-as-a-service, providing it to employees like they do laptops, Frazier said. That’s unlike the last 20 years of software development, where apps have traditionally been deployed with standalone identity systems — leaving agencies to figure out how to make single sign-on work across them all.

Not only does identity-as-a-service allow agencies to manage identities, onboard and offboard users, apply MFA, and secure single sign-on, but it helps them push scarce identity expertise within their organizations down to an app’s endpoints, Frazier said. The National Initiative for Cybersecurity Education (NICE) Workforce Framework, guidance many agencies use to establish their cyber work roles, doesn’t include a distinct ICAM work role — instead prescribing the requisite knowledge, skills, abilities and tasks (KSATs) to other work roles like cyber defense analyst.

“If you can have identity-as-a-service, then that’s where that technical talent lives,” Frazier said. “And you don’t necessarily have to have 100 people that know ICAM.”

One global priority that government doesn’t seem to share currently is passwordless access, which only 3.5% of agencies have implemented and another 3.5% plans to in the next 12 to 18 months. For comparison, within the financial services sector, 1.9% of companies have implemented passwordless access, but 21.7% intend to in 12 to 18 months.

While widespread adoption of smartcards in the early 2000s eliminated the federal workforce’s need for passwords, the growth of citizen-facing services that require login has seen their return because they’re easy, Frazier said.

“We’re still talking about MFA and shoring up protections, when people are using passwords,” Frazier said.

Lack of identity engineers hinders agencies’ MFA adoption
https://fedscoop.com/agencies-lack-identity-engineers/
Mon, 08 Aug 2022 13:00:00 +0000
A new generation of identity talent is needed to usher in factors beyond PIV and CAC cards, cyber experts say.

Some agencies continue to struggle with implementing phishing-resistant multi-factor authentication because there’s a dearth of identity engineers in government, according to cybersecurity experts.

Identity, credential and access management (ICAM) program management offices or other governance bodies aren’t universal yet, despite the Cybersecurity and Infrastructure Security Agency encouraging them, because most federal investments in training produce red and blue teamers — offensive- or defensive-minded professionals.

The first pillar of the federal zero-trust architecture strategy released in January is identity: agencies managing identities to allow staff access to applications while protecting them with multi-factor authentication (MFA). But the National Institute of Standards and Technology’s National Initiative for Cybersecurity Education (NICE) Workforce Framework buries identity “three layers deep” in “nichey” network or software engineering roles, rather than making it a standalone position, said Matt Topper, president and solutions catalyst at Uberether.

“Nobody ever talks about, ‘I want to be an identity engineer,’” Topper said during an ATARC webinar Tuesday. “That makes you the best blue teamer because you actually understand how these things work together.”

In the past cyber professionals typically attended security or identity conferences but rarely both. Agencies’ increasing use of cloud and ICAM technology and attacks like the SolarWinds hack, where Active Directory Federation Services allowed infiltrators to gain administrative privileges, have “blurred the lines” between the two communities, said Grant Dasher, ICAM expert at CISA.

For instance, CISA Director Jen Easterly tweets regularly about phishing-resistant MFA, and red teamers use their knowledge of identity engineering to gain access to networks, Dasher said.

“I think that the number of people in our community who have deep identity expertise is not significant,” Dasher said. “And they sort of move around between the agencies or, in some cases, retire.”

Fostering that expertise means building those skills among a new generation of experts, who understand the parts of identity that are unique to government, industry and how they work together, he added.

That talent will be essential to moving agencies beyond the personal identity verification (PIV) and common access card (CAC) smartcard authentication that prevails across government to other factors, the adoption of which should increase with additional NIST guidance in the next year, Topper said.

The federal zero-trust architecture strategy emphasized new approaches to cyber and experimentation with authentication and network security.

“The lesson will be whether we can pull it off over the coming years,” Dasher said.

CISA is looking to simplify agencies’ adoption of cloud identity technologies and continues to develop the forthcoming Zero Trust Maturity Model.

The years 2023-25 should prove pivotal for MFA adoption, especially with planned NIST guidance on derived credentials and digital identity guidelines, Topper said. 

NIST Special Publication (SP) 800-63-3 Revision 4 is expected out this fall and will, for the first time, include a dedicated SP 800-63C Federation and Assertions. The document will cover identity federation between agencies, industry partners and citizens; federated authentication transactions and identity federation assurance levels.

“Those are super exciting because those are going to set the next decade of identity standards and patterns that we’re going to follow,” Topper said.

Zero trust begins with smarter password protection
https://fedscoop.com/zero-trust-begins-with-password-protection/
Thu, 17 Mar 2022 19:30:00 +0000
Modern password management remains key to reducing data breaches and cyberthreats, say federal IT executives, in a new video series.

Cybersecurity — and zero-trust security in particular — depends increasingly on establishing granular control over who is on the network, their roles and their privileges. For government agencies, that also means deploying more modern and effective ways to protect users from having their passwords and credentials compromised.

In a new, 12-part video interview series from FedScoop, federal CIOs and CISOs discuss strategies for reducing password-related data breaches and cyberthreats. The series, Zero trust begins with smarter password protection, was underwritten by Keeper Security and filmed between October 2021 and March 2022, and touches on several security issues, including:

How the White House cybersecurity executive order reshaped IT strategies

Several leaders interviewed highlighted how the executive order accelerated their cybersecurity timeline and reinforced existing efforts.

Don Watson, CISO for the U.S. Patent & Trademark Office, says the agency was already implementing zero-trust architecture, cloud security and supply chain risk management — and improving investigative and remediation activities. He stresses that cybersecurity was a top priority before the EO was published, and the agency’s focus was on “efforts to stabilize and secure our legacy products while delivering modernized secure products.”

U.S. Department of Commerce CIO Andre Mendes echoes similar efforts and says the EO gave “additional impetus to pursue zero-trust solutions that were already deployed at some bureaus and that were in consideration at others.”

A key takeaway from leaders was that security strategies need to lay the foundation of cybersecurity with zero trust while adopting policies that will secure technology and shape the behaviors of both IT and non-IT users.

Remote work and identity and multifactor authentication

Although telework policies and the IT systems to support them have been in place for many federal agencies, the pandemic forced nearly all employees to work remotely. That pushed agencies to rethink the future of work and how they could better secure remote networks.

The Cybersecurity and Infrastructure Security Agency realized it would eventually need to adopt a hybrid work model across many locations, says CIO Robert Costello. “CISA is taking a different approach to ensure they’re constantly identifying who’s accessing systems and data, and also tightly integrating identity management and credentialing systems as we roll out some of our new expanded offerings here for our user base,” he says.

Mittal Desai, CIO for the Federal Energy Regulatory Commission, explains that remote work made the agency reevaluate its security governance processes. It also explored more effective ways to use multi-factor authentication and monitor the access privileges of users on its networks.

Leaders agree that integrating identity and multi-factor authentication solutions was a cybersecurity best practice to reduce vulnerabilities.

Moving toward human-centric cybersecurity

Ensuring that security is easy to adopt and user-friendly can help agencies equip employees to deal with the growing threat of phishing attacks.

Robert Roser, Idaho National Laboratory CISO, says that while zero trust and the use of multi-factor authentication are critical to improving security, his organization is also tackling the culture around security with its employees. As part of the Energy Department, the lab regularly organizes spoof phishing campaigns and takes steps to think outside the traditional password approach.

“Cybersecurity is built around people consistently doing the right things. We spend a lot of our time educating and training our workforce to make good decisions concerning security,” says Consumer Financial Protection Bureau CIO Chris Chilbert. He highlights how the agency provides annual awareness training and conducts targeted training based on the employee’s role.

The future of passwords

In the end, organizations need to adopt a more modern approach to authenticating users, using a combination of unique passwords and multi-factor authentication, so that agencies can create greater efficiency, streamline access and carry out missions more effectively, says Darren Guccione, CEO of Keeper Security.

“Today, [organizations] are authenticating [users on up to] 150 applications on average; each one of those applications requires unique strong credentials,” he explains. “The only way to do that effectively is through an enterprise password-management solution. There is no other way to do this effectively because you’re talking about a parameter for an attack that is exponentially larger than it was two years ago.”

Other participants in the video series include:

This video series was produced by Scoop News Group for FedScoop and sponsored by Keeper Security.

CIOs say they need more funding to implement cyber EO
https://fedscoop.com/cios-cybersecurity-executive-order/
Tue, 09 Nov 2021 19:03:22 +0000
The Department of Energy is but one agency in need of a bigger budget or Technology Modernization Fund money to implement zero-trust security.

Additional congressional funds will be critical to agencies’ efforts to comply with the Biden administration’s cybersecurity executive order and implement zero-trust architectures, according to federal chief information officers.

The executive order (EO) has agencies like the Department of Energy implementing zero trust and multi-factor authentication across highly federated environments, and the “elephant in the room” is how they will pay for everything, said CIO Ann Dunkin at ACT-IAC’s Imagine Nation conference in Hershey, Penn.

DOE is employing a risk-based approach to complying with the EO the Biden administration issued in May because compliance will take time and money, either from Congress or else internal cuts.

“I don’t have the money to support the [project management office] that I stood up to run the EO, if I don’t get any more money in 2022,” Dunkin said. “So either I take money away from something else, or I don’t even have that PMO in place.”

DOE has outstanding Technology Modernization Fund proposals that could help with Cyber EO compliance, but Dunkin reiterated her view there’s currently not enough money in the fund appropriated by Congress.

The Department of Labor hasn’t heard back on the TMF proposal it submitted for funds to help bolster its cyber posture. The Cybersecurity and Infrastructure Security Agency could assist departments in Labor’s situation by growing its Continuous Diagnostics and Mitigation program and developing governmentwide playbooks, but in the meantime agencies need to explore all their options, said CIO Gundeep Ahluwalia.

“In my mind, we have to find some resources internally, ask Congress for appropriated resources, look at the Technology Modernization Fund, and maybe some things can be pulled together and done centrally to raise all boats,” Ahluwalia said.

The U.S. Department of Agriculture also prioritized cybersecurity with its early TMF proposals, along with some to improve IT services to rural America and work with the Department of the Interior to modernize a platform for combating wildfires, said CIO Gary Washington. None of USDA’s proposals have received TMF funding yet.

Labor also has two outstanding TMF proposals that would help it finish an IT modernization effort around temporary workspace, as well as collaborate with the General Services Administration to meet accessibility requirements.

The Office of Personnel Management received TMF funding for its zero-trust networking proposal in September, one of three agencies along with GSA and the Department of Education to successfully propose Cyber EO-related projects.

Five other TMF proposals OPM submitted are tied to modernizing legacy systems, and while CIO Guy Cavallo hopes to establish a working capital fund for IT projects, TMF funding has proven critical since the Trump administration attempted to shutter the agency. The move made predicting future modernization costs more difficult, especially since federal background investigation work is still being transferred to the Department of Defense, Cavallo said.

“I inherited budgets that we weren’t sure were going to be there,” Cavallo said. “So I need the TMF funding to put some of our modernization efforts on the table.”

New-era authentication key widens trusted access to federal resources
https://fedscoop.com/new-era-authentication-key-zero-trust-access-federal-resources/
Fri, 11 Jun 2021 19:30:03 +0000
As FIDO2 authentication standards grow in popularity, agencies that still depend on PKI cards need more flexible approaches to authentication, says new report.

The recent wave of highly public cyberattacks has cast a spotlight on last month’s White House executive order on cybersecurity, and the need for agencies to modernize their cybersecurity and authentication systems.

The executive order’s call for implementing zero-trust architecture, and new requirements to focus on more modern authentication strategies, signals an important turning point for government, say cybersecurity experts.


“This executive order will affect many organizations, both in the public and private sector, that work with the government [including] financial services, healthcare, the public sector, critical infrastructures, high tech, and education,” commented David Treece, director of solutions architecture at Yubico, in a new report on modernized multifactor authentication (MFA) strategies.

The new directives lay out the need for agencies to implement a more multifaceted and modernized approach to authentication that can support today’s widely distributed and dynamically configured networks, according to a new report, produced by FedScoop and underwritten by Yubico.

The limits of CAC/PIV cards

The report highlights the rapidly evolving nature of authentication tools and the need for agencies to expand upon traditional public key infrastructure (PKI) methods. While the government’s long-established PKI-based Common Access Card (CAC) and Personal Identity Verification (PIV) credentials remain foundational to controlling access to defense and civilian systems respectively, they still have their limits.

Those working in command centers requiring simultaneous access to multiple systems, for instance, can generally only use their CACs to access one system at a time. CAC and PIV cards also require specialized contact-based card readers — to prevent someone from eavesdropping on the traffic that goes between the card and the card reader — making them difficult to use with modern devices such as mobile smartphones and tablets.

Those and other limitations led a small group of engineers from Yubico in 2008 to develop the YubiKey, a hardware security key that utilizes DoD-approved PKI cryptography and Identity Federation Service (IFS) solutions to authenticate users as an alternative to CACs.

YubiKeys provide “a form factor that is as strong as the CAC or the PIV and can be used across multiple devices without a smart card reader,” explains Jeff Frederick in the report. Frederick is lead technical resource for the public sector team at Yubico. The YubiKey has since become a DOD-approved alternative authenticator.

Fast forward to the advent of cloud computing, the ubiquitous reliance on multiple mobile computing devices, and most recently, the massive redistribution of the government’s workforce during the pandemic, and the need for more modern and adaptable alternatives to multi-factor authentication has grown exponentially.

That led Yubico to work with various certificate authority (CA) vendors as well as with Google, Microsoft and other leading technology suppliers to advance the capabilities of remote authentication, says Frederick.

Most notably, Yubico became a founding member of the non-profit FIDO (Fast Identity Online) Alliance, formed to address the lack of interoperability among authentication devices. Yubico engineers have also teamed up with organizations to develop open, scalable and interoperable mechanisms which work effectively in the cloud and ultimately, are aimed at supplanting the reliance on passwords.

That has spawned a comprehensive lineup of YubiKeys, capable of supporting multiple authentication protocols, allowing users to access accounts four times faster than other two-factor authentication (2FA) and cutting support calls by 92%, according to the report. And unlike other 2FA, YubiKeys store no data, require no network connection and don’t run on software — which is why users have experienced zero account takeovers.

The report highlights Yubico’s latest all-in-one multi-protocol YubiKey 5 FIPS Series, which is designed to meet the highest authenticator assurance level (AAL3) requirements from NIST for government and regulated industries.

“YubiKeys provide six, multi-factor authentication protocols all on one physical piece of hardware,” says Frederick, including the ability to support both legacy and modern security protocols, using static passwords, one-time passwords (OTP), PIV (smart card), OpenPGP, FIDO U2F and FIDO2. Additionally, Yubico designed the hardware so that the authentication secret is stored on a separate secure chip built into the YubiKey, so that it cannot be copied or stolen.

“Government agencies can use the YubiKey to bridge the gap to the future,” adds Rob Konosky, director for Yubico’s federal defense business. “There’s no reason to wait to start issuing hardware security keys such as the YubiKey to every single soldier, sailor, airman and marine that has strong authentication needs.”

Download the full report and learn how Yubico can help accelerate your agency’s journey to zero trust.

This report was produced by FedScoop and underwritten by Yubico.

The post New-era authentication key widens trusted access to federal resources appeared first on FedScoop.

Biden cyber executive order reignites push to cloud, zero trust
https://fedscoop.com/biden-cyber-executive-order-reignites-push-to-cloud-zero-trust/
Wed, 12 May 2021 23:40:36 +0000

Zero trust security is no longer just an option for federal agencies.

The Biden administration issued a long-awaited cybersecurity executive order Wednesday that, among other things, requires federal agencies to develop an implementation plan for a zero-trust architecture for security.

This mandate falls under a larger push to modernize federal cybersecurity in the wake of the recent cyberattacks that have compromised federal agencies through the exploitation of software made by contractor SolarWinds and flaws in Microsoft’s Exchange software.

“The Executive Order helps move the Federal government to secure cloud services and a zero-trust architecture, and mandates deployment of multifactor authentication and encryption within a specific time period,” reads a fact sheet about the order. “Outdated security models and unencrypted data have led to compromises of systems in the public and private sectors. The Federal government must lead the way and increase its adoption of security best practices, including by employing a zero-trust security model, accelerating movement to secure cloud services, and consistently deploying foundational security tools such as multifactor authentication and encryption.”

Within 60 days, agency heads must update their existing plans “to prioritize resources for the adoption and use of cloud technology” and issue a new plan on moving to zero trust, in line with National Institute of Standards and Technology (NIST) guidance.

On top of that, the Office of Management and Budget will work over the next 90 days with the Department of Homeland Security and General Services Administration to develop and issue a federal cloud-security strategy and guidance.

And, within 180 days, civilian agencies will need to “adopt multi-factor authentication and encryption for data at rest and in transit, to the maximum extent consistent with Federal records laws and other applicable laws.”

Modernizing federal cybersecurity is just one element of the larger EO. It also calls for increased sharing of threat information between the government and private sector, and for the development of baseline software supply chain security standards for any software sold to the federal government.

“The current market development of build, sell and maybe patch later means we routinely install software with significant vulnerabilities into some of our most critical systems and infrastructure,” a senior Biden administration official told reporters. “The cost of the continuing status quo is simply unacceptable.”

Additionally, the order calls for the creation of a national Cybersecurity Safety Review Board, akin to the National Transportation Safety Board, and the creation of a playbook for responding to cybersecurity incidents. With that, the administration orders agencies to “employ all appropriate resources and authorities to maximize the early detection of cybersecurity vulnerabilities and incidents on its networks” through improved endpoint detection and response measures.

Democrats on the House Homeland Security Committee applauded Biden’s executive order.

“Cybersecurity is a national security issue, and we commend the Administration for prioritizing it that way. From the SolarWinds supply chain attack that gave Russian actors access to Federal networks to the Colonial Pipeline ransomware attack that temporarily shut down 5,500 miles of gas pipeline, cyber attacks jeopardize our national and economic security,” said Reps. Bennie G. Thompson, D-Miss., and Yvette D. Clarke, D-N.Y. “If nothing else, the cyber incidents that have occurred over the past six months have demonstrated that bold action is required to defend our networks today and in the future. The Executive Order signed by the President today is just that.”

GSA extends login.gov access to states and localities
https://fedscoop.com/gsa-login-gov-states-localities/
Thu, 18 Feb 2021 19:56:18 +0000

A caveat: Authentication and identity proofing services must be used to access federally funded programs.

The General Services Administration wants a limited number of state and local governments to try login.gov with their federally funded programs.

The COVID-19 pandemic and other crises have GSA’s Technology Transformation Services looking to expand login.gov’s authentication and identity proofing services, so people can more easily access their benefits.

Federal agencies have used login.gov with their websites since 2017, and GSA’s announcement Thursday brings users closer than ever to single sign-on for services at all levels of government.

“TTS will limit engagements with state and local entities to work that is linked to federal programs in which TTS is uniquely positioned to provide assistance,” reads a blog post announcing the news. “TTS will partner with applicable federal agencies to ensure proper coordination.”

Login.gov allows agencies to choose between forms of multi-factor authentication for securing accounts and is based on human-centered design.

Users in the participating states and localities will only need one account and password to access federal services and can rest easy knowing their privacy is protected in accordance with guidance from the National Institute of Standards and Technology, as well as the Cybersecurity National Action Plan.

Interested states and localities can apply to participate in the login.gov pilot.

Those selected will have access to a developer sandbox that lets them freely experiment with login.gov integrations and guides them through the integration process. Participants will also be able to interact with each other, federal agencies and the login.gov team for support.

Industry urges agencies to accelerate zero trust adoption after SolarWinds hack
https://fedscoop.com/agencies-zero-trust-solarwinds/
Sun, 10 Jan 2021 00:54:50 +0000

Zero-trust security couldn't stop the SolarWinds hack, but it could, and did, mitigate the damage, according to cyber experts.

The SolarWinds hack could prove the spark that gets agency holdouts to adopt zero-trust security and hastens additional guidance from government, cybersecurity experts say.

Pandemic considerations delayed the National Institute of Standards and Technology’s work on zero-trust reference architectures that will help agencies know what security tools to deploy.

Cyber experts hope that work will accelerate in the wake of one of the most serious incidents of digital espionage in U.S. history and that agencies will consult the special publication on zero trust that NIST finalized in August for the time being.

“We can’t see federal agencies kick this thing down the road anymore,” Stephen Kovac, vice president of global government and compliance at Zscaler, told FedScoop.

Zero trust could not have stopped the SolarWinds hack, which occurred when Russian hacking group APT29, or Cozy Bear, added source code to the tech company’s Orion software build process in a supply-chain attack. SolarWinds’ update mechanism was then used to push out malware that compromised at least eight agencies.

But zero trust could, and did, mitigate that malware’s ability to spread across networks, cyber experts say.

“If SolarWinds would have happened a year ago or two years ago, I think agencies would have had a lot more consternation about it,” said Sean Frazier, federal chief security officer at Okta, in an interview.

Many agencies have started work improving their identity and access management, a component of zero trust, Frazier said.

But zero trust is a collection of solutions including cloud workload protection, micro-segmentation and secure access service edge (SASE) capabilities that provide agencies with full visibility and allow them to enforce consistent security policies across their networks.

Agencies with a zero-trust capability like SASE could’ve prevented malware from sending information out via the internet, but many agencies stop at one or two such capabilities. About 18,000 organizations were infected, though not all of them have seen malicious activity since.

“They’re kind of operating on the fly,” Kovac said. “They’re buying one solution and thinking they’ve got zero trust now.”

Agencies that haven’t already done so need to inventory the things on their network they care about, establish privileged accounts and multi-factor authentication for those things, and move identity and access management technologies to the cloud, Frazier said.

“I always think of the Star Wars movie, when they’re in the channel getting ready to blow up the Death Star, and they’re saying, ‘Stay on target. Stay on target,'” Frazier said. “That’s exactly what the situation is for zero trust: Don’t distract yourself; work on the basics.”

Other steps compromised agencies could have taken that would have mitigated the SolarWinds hack include preventing third-party vendor tools from having unnecessary privileges. SolarWinds “unfortunately” needs visibility across all the servers its software monitors, but compromised agencies could have restricted its access to the internet and limited it to only talking to its update infrastructure, said Deepen Desai, chief information security officer at Zscaler.

Agencies still would have been compromised by the SolarWinds update in that scenario, but the malware would have been cut off from its command-and-control infrastructure.

Cloud workload protection, another zero-trust capability, could have identified anomalous activity faster when a SolarWinds server in a data center began connecting to unknown destinations, Desai said.

The concern now for agencies whose zero-trust architectures remain in their infancy is that the SolarWinds hack could have a ripple effect if another software vendor serving thousands of its own customers, including agencies, was compromised.

“If the nation-state actor has established persistence in their environment — and they’re able to do a similar supply chain attack using their supply chain infrastructure — then the possibilities are endless,” Desai said. “You will discover more and more similar types of scenarios in the coming months, as things get investigated in this Orion case.”
