Common Access Card (CAC) Archives | FedScoop
https://fedscoop.com/tag/cac/

GSA failed to monitor PIV access card data effectively says watchdog
https://fedscoop.com/gsa-failing-to-monitor-piv-access-card-data-effectively-says-watchdog/
Tue, 21 Feb 2023 20:50:48 +0000
GSA's inspector general found the agency was lax about using physical access control system data to inform how it identified, assessed and managed physical risks to buildings.

The post GSA failed to monitor PIV access card data effectively says watchdog appeared first on FedScoop.

The General Services Administration could do a better job of monitoring data from personal identity verification access card reader systems at the facilities it manages on behalf of the federal government, the agency’s inspector general found in an audit.

Over the course of a two-year period that ended in February 2022, there were 32,179 failed attempts to access GSA-managed facilities through physical access control systems, the IG found in its audit, the results of which were published Tuesday. But based on its investigation, the inspector general found GSA was lax about using that data to inform how it identified, assessed and managed physical risks to those buildings, as recommended by federal guidance.

It’s not uncommon for PIV cardholders to be denied entry to a physical building, particularly if their card is expired or disabled. Cardholders are often also denied entry after attempting to access an area they don’t have permission to visit or when trying to visit outside of permitted hours.

But once the data was analyzed, some startling patterns appeared: one building had 4,164 failed access attempts over the two years, against an average of 244, and one cardholder had 1,963 failed attempts, against an average of two for nearly all others.

“These failed access attempts may have potential security implications,” the IG wrote in its report. “Eight of the top 10 buildings with the most failed access attempts contain child-care facilities or security-sensitive agencies, such as the Federal Bureau of Investigation, U.S. Social Security Administration, and U.S. Department of Homeland Security. The safety and security of the tenants and children in these buildings are a major concern.”

Based on that, the IG reached out to GSA leadership — which admitted to not reviewing the data — and a sample of federal facilities managers to investigate how often they received data or trends about those failed access attempts. According to the watchdog, of the 15 managers contacted, eight did not receive data regularly, and the rest were only sent data about the previous day.

“The building managers do not receive any kind of trend analysis of the access card data, which could be used to identify suspicious access attempts,” the report explains. “Access card data can be filtered to show records by building, door, region, date, individual, or event type. With this capability, it is possible to highlight higher-risk scenarios and show trends, such as an unauthorized cardholder repeatedly attempting to gain access to secured areas or an unauthorized cardholder who is repeatedly attempting to gain access to a facility outside of regular operating hours.”
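The filtering and trend analysis the IG describes, as an added example that is not from the GSA report or the article: it runs three checks over a handful of constructed PACS denial events, flagging any building or cardholder whose failed-attempt count is far above the average of the others (the IG's own comparison), any denial outside assumed operating hours, and any cardholder repeatedly denied at the same secured door within a short window. The CSV layout, event-type names, 06:00 to 20:00 operating hours and the thresholds are all assumptions.

```python
"""Trend analysis over physical access control system (PACS) denial events.

Added example, not code from the GSA IG report or FedScoop. The log layout,
field names, event types, operating hours and thresholds are assumptions.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: one denied-access event per line (not real data).
SAMPLE_LOG = """\
timestamp,building,door,cardholder,event
2022-01-03T08:02:11,B100,MAIN,C0001,DENIED_EXPIRED
2022-01-03T08:05:40,B100,MAIN,C0002,DENIED_EXPIRED
2022-01-03T22:14:09,B100,SCIF-1,C0042,DENIED_NO_PRIVILEGE
2022-01-03T22:15:30,B100,SCIF-1,C0042,DENIED_NO_PRIVILEGE
2022-01-03T22:16:02,B100,SCIF-1,C0042,DENIED_NO_PRIVILEGE
2022-01-04T02:01:55,B100,MAIN,C0042,DENIED_OUTSIDE_HOURS
2022-01-04T09:11:18,B200,MAIN,C0003,DENIED_EXPIRED
2022-01-04T09:12:00,B200,SCIF-2,C0003,DENIED_NO_PRIVILEGE
2022-01-05T10:30:00,B300,MAIN,C0004,DENIED_DISABLED
"""


def parse_events(text):
    """Parse CSV denial events into dicts, adding a datetime 'ts' field."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["timestamp"])
        events.append(row)
    return events


def outliers(counts, factor=3.0, min_count=3):
    """Keys whose count is at least `factor` times the mean of all the
    other keys (leave-one-out), mirroring the IG's comparison of a single
    building or cardholder against the average of the rest."""
    flagged = {}
    total = sum(counts.values())
    n = len(counts)
    for key, count in counts.items():
        if n < 2 or count < min_count:
            continue
        rest_mean = (total - count) / (n - 1)
        if count >= factor * max(rest_mean, 1.0):
            flagged[key] = count
    return flagged


def after_hours(events, open_hour=6, close_hour=20):
    """Denials outside the assumed operating hours (06:00 to 20:00 local)."""
    return [e for e in events if not open_hour <= e["ts"].hour < close_hour]


def repeated_secured_area_attempts(events, window=timedelta(minutes=10), min_attempts=3):
    """(cardholder, door) pairs with at least `min_attempts` privilege
    denials inside one sliding time window: someone hammering a door
    they are not cleared for."""
    by_pair = defaultdict(list)
    for e in events:
        if e["event"] == "DENIED_NO_PRIVILEGE":
            by_pair[(e["cardholder"], e["door"])].append(e["ts"])
    flagged = {}
    for pair, stamps in by_pair.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= min_attempts:
                flagged[pair] = end - start + 1
                break
    return flagged


def analyze(text):
    """Run all three checks and return the findings a building manager would want."""
    events = parse_events(text)
    return {
        "building_outliers": outliers(Counter(e["building"] for e in events)),
        "cardholder_outliers": outliers(Counter(e["cardholder"] for e in events)),
        "after_hours": [(e["cardholder"], e["building"], e["timestamp"]) for e in after_hours(events)],
        "repeated_secured_area": repeated_secured_area_attempts(events),
    }


if __name__ == "__main__":
    for name, finding in analyze(SAMPLE_LOG).items():
        print(name, finding)
```

On the sample, building B100 and cardholder C0042 are flagged as outliers, all four after-hours denials belong to C0042, and the three back-to-back denials at SCIF-1 trip the repeated-attempt check. Real PACS exports will need the column names and the operating-hours window adjusted per site, and the leave-one-out mean should be computed over a long enough period that a single day does not dominate it.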

GSA agreed to all of the IG’s recommendations to take action to improve its use of physical access control system data. It did, however, note that the rejection rate was expected to be higher during this period because of the COVID-19 pandemic when many PIV cards expired and credentialing stations were closed. But, in the case of individuals or buildings with a high number of failed attempts, GSA said it agreed with the IG to better monitor access card data to identify trends that may need follow-up.

Tuesday’s report comes after the GSA IG in November 2020 issued similarly critical results of an audit that found the agency was unable to account for about 15,000 PIV cards issued to contract employees and failed to recover 445 such cards from those who failed background checks.

NOAA evaluating multi-factor authentication for apps and devices
https://fedscoop.com/noaa-evaluating-multi-factor-authentication-solutions/
Wed, 17 Aug 2022 17:04:21 +0000
Chief information officer Zach Goldstein tells FedScoop the agency plans to launch a Cloud Program Management Office in fiscal 2023.

Editor’s note: This story has been updated to include additional information about the Open-Architecture Data Repository and NOAA’s supercomputing improvements.

The National Oceanic and Atmospheric Administration is exploring multi-factor authentication beyond its network as it looks to strengthen cybersecurity in accordance with the federal zero trust strategy, according to its chief information officer.

Zach Goldstein told FedScoop his agency already requires Common Access Cards (CACs) and personal identification numbers to authenticate to its network but continues to perform comparative analyses of multi-factor authentication (MFA) solutions for applications and devices.

“We’re looking at things other than CAC cards, things that are intelligent tokens — that know who I am, that can exchange certificates with a certificate server, that can be easily revoked, that can have multiple kinds of privileges,” Goldstein said.

Goldstein added that cybersecurity is his “first priority,” in keeping with the White House’s Cybersecurity Executive Order issued in May 2021, and that he hopes to select a token for app and device authentication by the second quarter of fiscal 2023.

NOAA is also increasing supply chain risk assessments of software-as-a-service offerings, looking not only at the vendor but also at what the vendor itself buys and uses to deliver the service, under Goldstein, who has been with the agency 17-and-a-half years and CIO since 2015.

Goldstein wants to expand NOAA’s use of the cloud in a way that further improves the agency’s cyber posture while shedding light on how migration is progressing.

“We have an initiative to create a Cloud Program Management Office (PMO), one of whose jobs will be to provide me and NOAA leadership with that answer,” he said.

Assuming the funding for the office within the president’s fiscal 2023 budget stands, Goldstein hopes to launch it by the end of that fiscal year.

According to Goldstein, NOAA was the second federal agency to move its email and calendar to a public cloud, Google Apps for Government, in 2011, and since then the agency has migrated websites, help desk ticketing and global device management.

“It became very clear that we needed to have more discipline going to the cloud and more efficiencies because people were duplicating each other by having to learn how to do a security evaluation of going to the cloud, learn how to authenticate to the cloud, figure out how to communicate and get my data to the cloud,” Goldstein said. “And they were also using different contract vehicles.”

The CIO agreed to authorize NOAA offices’ migrations with the expectation that once his team implemented centralized cloud services streamlining and lowering the cost of the process, they’d use those instead.

NOAA now offers a standard way of getting to the cloud; authenticating using its identity, credential and access management (ICAM) service; and contracting with the three large service providers — Google, Amazon and Microsoft — and others. The Office of the CIO’s Cyber Division evaluates cloud offerings once for universal use across NOAA, accelerating offices’ migrations, but the Cloud PMO will make it so they don’t have to consult separate experts for each step in the process.

A Cloud PMO will also help offices take advantage of NOAA Open Data Dissemination (NODD), which allows for “extremely inexpensive” egress to the public, Goldstein said.

The White House proposed a large funding increase for the Office of Space Commerce in its fiscal 2023 budget, which if accepted by Congress would elevate it to a staff office receiving IT support from the OCIO. 

Goldstein expects to indirectly advise on, provide perimeter security for and oversee the cloud-native Open-Architecture Data Repository, which processes tracking data on space objects to predict and assess risk of collision. This information will improve space situational awareness for commercial and civil space operators. A requirements analysis is ongoing, so the operational cost hasn’t been calculated yet.

“Because the cloud is available and they know how to do it, we know how to do it — we’re going to help the Office of Space Commerce with this — they’ll be able to get that capability in the hands of the world faster,” Goldstein said.

The cloud is also freeing up NOAA’s IT professionals — previously stuck patching, scanning and performing domain controller work — to improve weather forecasting model accuracy and speed.

Supercomputing improvements that continue to be made by NOAA have increased capacity for forecasting three times over and should lead to 30% growth in research computing by the end of 2022, but research and development could benefit from even more, Goldstein said. The agency’s objective is to get enough capacity to perform all NOAA research, and enable focusing these applications down to what should be operationalized.

“We’re not there yet,” Goldstein said. “But we’re getting closer.”

Lack of identity engineers hinders agencies’ MFA adoption
https://fedscoop.com/agencies-lack-identity-engineers/
Mon, 08 Aug 2022 13:00:00 +0000
A new generation of identity talent is needed to usher in factors beyond PIV and CAC cards, cyber experts say.

Some agencies continue to struggle with implementing phishing-resistant multi-factor authentication because there’s a dearth of identity engineers in government, according to cybersecurity experts.

Identity, credential and access management (ICAM) program management offices or other governance bodies aren’t universal yet, despite the Cybersecurity and Infrastructure Security Agency encouraging them, because most federal investments in training produce red and blue teamers, offensive- or defensive-minded professionals, rather than identity specialists.

The first pillar of the federal zero-trust architecture strategy released in January is identity: agencies managing identities to allow staff access to applications while protecting them with multi-factor authentication (MFA). But the National Institute of Standards and Technology’s National Initiative for Cybersecurity Education (NICE) Workforce Framework buries identity “three layers deep” in “nichey” network or software engineering roles, rather than making it a standalone position, said Matt Topper, president and solutions catalyst at Uberether.

“Nobody ever talks about, ‘I want to be an identity engineer,’” Topper said during an ATARC webinar Tuesday. “That makes you the best blue teamer because you actually understand how these things work together.”

In the past cyber professionals typically attended security conferences or identity conferences, but rarely both. Agencies’ increasing use of cloud and ICAM technology, and attacks like the SolarWinds compromise, in which the intruders abused Active Directory Federation Services by forging SAML tokens to obtain administrative privileges, have “blurred the lines” between the two communities, said Grant Dasher, ICAM expert at CISA.

For instance, CISA Director Jen Easterly tweets regularly about phishing-resistant MFA, and red teamers use their knowledge of identity engineering to gain access to networks, Dasher said.

“I think that the number of people in our community who have deep identity expertise is not significant,” Dasher said. “And they sort of move around between the agencies or, in some cases, retire.”

Fostering that expertise means building those skills among a new generation of experts, who understand the parts of identity that are unique to government, industry and how they work together, he added.

That talent will be essential to moving agencies beyond the personal identity verification (PIV) and common access card (CAC) smartcard authentication that prevails across government to other factors, the adoption of which should increase with additional NIST guidance in the next year, Topper said.

The federal zero-trust architecture strategy emphasized new approaches to cyber and experimentation with authentication and network security.

“The lesson will be whether we can pull it off over the coming years,” Dasher said.

CISA is looking to simplify agencies’ adoption of cloud identity technologies and continues to develop the forthcoming Zero Trust Maturity Model.

The years 2023-25 should prove pivotal for MFA adoption, especially with planned NIST guidance on derived credentials and digital identity guidelines, Topper said. 

NIST Special Publication (SP) 800-63 Revision 4 is expected out this fall. Its SP 800-63C volume, Federation and Assertions, will cover identity federation between agencies, industry partners and citizens; federated authentication transactions; and federation assurance levels.

“Those are super exciting because those are going to set the next decade of identity standards and patterns that we’re going to follow,” Topper said.

ATARC announces 2 labs to spur government adoption of modern credentials
https://fedscoop.com/atarc-announces-2-credentials-labs/
Tue, 19 Jul 2022 19:40:30 +0000
The trade body has set up two public-private labs that will demonstrate six mobile device authentication use cases.

The Advanced Technology Academic Research Center announced two public-private laboratories around identity management Tuesday to hasten government adoption of more easily distributable, modern credentials.

ATARC’s Digital Mobile Credentials Lab will showcase six use cases where devices serve as identifiers to access buildings and workstations, while an Identity Management Working Group lab will have vendors demonstrate the feasibility of a Derived Fast Identity Online 2 (FIDO2) Credential (DFC).

The Common Access Card (CAC) was introduced around 2000 and Personal Identity Verification (PIV) cards followed Homeland Security Presidential Directive 12 in 2004, but such physical credentials proved hard to distribute with the onset of the pandemic and remote work.

“Identity management is one of the five main pillars of zero trust,” Tom Suder, ATARC president, told FedScoop. “But we’ve seen during the pandemic that it’s really a challenge.”

Like its Zero Trust Lab launched in September, ATARC’s new labs are focused on generating more government-specific use cases.

The onboarding of enumerators for the decennial census creates tremendous demand for credentials, as does the Federal Emergency Management Agency scaling its workforce during disasters. Mobile phones the government typically issues to employees present an opportunity for a post-PIV and CAC environment, Suder said.

ATARC established a memorandum of understanding with General Services Administration for the Digital Mobile Credentials Lab, after the agency brought the use case of its USAccess shared service, which provides PIV cards across more than 110 agencies.

Among the technologies the lab will showcase are Public Key Infrastructure (PKI) and FIDO2 credentials; physical access control and logical access control system (PACS/LACS) technical architectures; and identity, credential and access management (ICAM) solutions.

The six use cases are:

  • mobile phone-PKI authentication to PACS providing access to a building,
  • mobile phone authentication to workstations or web applications using an X.509 authentication certificate,
  • mobile phone authentication to workstations or web applications using FIDO2 credentials,
  • mobile phone or tablet authentication for temporary personnel using an X.509 authentication certificate,
  • mobile phone or tablet authentication to PACS with X.509 authentication, and
  • credentials provisioned to a wallet or container on a mobile phone or tablet.

Likely a partly physical, partly virtual lab, it will feature some of the same companies as the Zero Trust Lab, and a “fairly immediate” launch is expected, Suder said.

Meanwhile the DFC Lab came out of a recently published Identity Management Working Group white paper, which requested demos proving the feasibility of agencies issuing and managing FIDO2 hardware tokens tied to existing physical credentials. 

FIDO2 lets users authenticate using mobile devices, so they no longer need their PIV cards or CACs on them at all times. What’s more, the DFC would be transferable if an employee switched agencies.

“These controls are established practices that minimize the risk of impersonation and allow for managing which resources an end user can interact with while leveraging a DFC,” the white paper reads. “Currently, no such guidance exists for the issuance and management of FIDO2 credentials, and enterprise use of these credentials has been limited for this reason.”

CISA instructs federal agencies to address Microsoft bug
https://fedscoop.com/cisa-deadline-microsoft-vulnerability/
Tue, 05 Jul 2022 16:15:03 +0000
Departments must apply a patch for the vulnerability to all Windows endpoints by July 22.

The Cybersecurity and Infrastructure Security Agency gave agencies until July 22 to address a Microsoft security bug hackers could exploit to take over a Windows domain, in guidance issued Friday.

Agencies must apply Microsoft‘s June 2022 patch, which detects anonymous connection attempts and disallows them, to all Windows endpoints.

CISA temporarily removed the Local Security Authority (LSA) spoofing vulnerability from its Known Exploited Vulnerabilities catalog, whose entries Binding Operational Directive 22-01 (released in November) requires agencies to remediate, because the update’s stricter certificate-to-account mapping broke Personal Identity Verification and Common Access Card certificate authentication for many agencies.

“Active Directory now looks for the account’s security identifier (SID) in the certificate or for a strong mapping between the certificate and account,” reads CISA’s follow-up. “This guidance provides information on how the required patches can be applied without breaking certificate authentication.”
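What the stricter mapping means in practice, as an added example that is not Microsoft’s, CISA’s or the article’s code: PIV and CAC certificates are issued by the federal PKI rather than by an agency’s Active Directory Certificate Services, so they will never carry the new SID extension (OID 1.3.6.1.4.1.311.25.2), and the account needs a strong altSecurityIdentities mapping instead. The block classifies existing mappings as strong or weak using the tag formats in Microsoft’s KB5014754 guidance, builds the strong issuer-plus-reversed-serial form from a certificate’s issuer DN and serial number, and reports which accounts would be refused once domain controllers move to full enforcement. The account names, issuer DN and serial numbers are constructed, and the decision assumes each mapping refers to the certificate actually being presented.

```python
"""Audit Active Directory altSecurityIdentities mappings for certificate logon.

Added example, not Microsoft's, CISA's or FedScoop's code. Tag formats follow
Microsoft's KB5014754 (strong: <I><SR>, <SKI>, <SHA1-PUKEY>; weak: <S>,
<I><S>, <RFC822>). Account names, issuer DN and serials are constructed.
"""
import re

# szOID_NTDS_CA_SECURITY_EXT: AD CS adds this to new certificates after the
# May 2022 update; certificates from the federal PKI (PIV/CAC) never have it.
SID_EXTENSION_OID = "1.3.6.1.4.1.311.25.2"

_TAG_RE = re.compile(r"<([A-Z0-9-]+)>")


def classify_mapping(value):
    """Return 'strong', 'weak' or 'invalid' for one altSecurityIdentities value."""
    if not value.startswith("X509:"):
        return "invalid"
    tags = _TAG_RE.findall(value)
    if tags in (["SKI"], ["SHA1-PUKEY"], ["I", "SR"]):
        return "strong"
    if tags in (["S"], ["RFC822"], ["I", "S"]):
        return "weak"
    return "invalid"


def reverse_dn(dn):
    """Put the DN in the order AD expects: 'CN=x,DC=contoso,DC=com' ->
    'DC=com,DC=contoso,CN=x'. Assumes no escaped commas inside a component."""
    return ",".join(reversed([p.strip() for p in dn.split(",")]))


def reverse_serial(serial_hex):
    """Reverse the byte order of a hex serial as shown by certutil
    (spaces and colons are stripped): '2B00...12' -> '1200...2B'."""
    h = re.sub(r"[^0-9A-Fa-f]", "", serial_hex).upper()
    if len(h) % 2:
        h = "0" + h
    return "".join(h[i:i + 2] for i in range(len(h) - 2, -1, -2))


def strong_issuer_serial_mapping(issuer_dn, serial_hex):
    """Build the X509:<I>issuer<SR>reversed-serial strong mapping for a certificate."""
    return f"X509:<I>{reverse_dn(issuer_dn)}<SR>{reverse_serial(serial_hex)}"


def will_authenticate(cert_extension_oids, mappings, enforcement="full"):
    """Mirror the KDC decision described in the CISA guidance: a SID extension
    in the certificate or a strong mapping passes in every mode; a weak mapping
    passes only while the domain controller is still in compatibility mode.
    Assumes the mapping refers to the presented certificate."""
    if SID_EXTENSION_OID in cert_extension_oids:
        return True
    classes = {classify_mapping(m) for m in mappings}
    if "strong" in classes:
        return True
    return enforcement == "compatibility" and "weak" in classes


def audit(accounts, enforcement="full", cert_extension_oids=()):
    """accounts: {sAMAccountName: [altSecurityIdentities values]}.
    Returns the accounts whose certificate logon would be refused."""
    return sorted(
        sam for sam, maps in accounts.items()
        if not will_authenticate(cert_extension_oids, maps, enforcement)
    )


# Constructed directory state (not real accounts or certificates).
ACCOUNTS = {
    "alice": ["X509:<I>DC=com,DC=contoso,CN=CONTOSO-DC-CA<SR>1200000000AC11000000002B"],
    "bob": ["X509:<RFC822>bob@contoso.com"],
    "carol": ["X509:<I>DC=com,DC=contoso,CN=CONTOSO-DC-CA<S>DC=com,DC=contoso,CN=carol"],
    "dave": [],
}

if __name__ == "__main__":
    print("compatibility mode denies:", audit(ACCOUNTS, "compatibility"))
    print("full enforcement denies:", audit(ACCOUNTS, "full"))
    print(strong_issuer_serial_mapping("CN=CONTOSO-DC-CA,DC=contoso,DC=com",
                                       "2B0000000011AC0000000012"))
```

Under compatibility mode only the unmapped account is refused; under full enforcement the two weakly mapped accounts fail as well, which is the breakage the article describes. The remediation for PIV and CAC holders is to replace the weak values with the output of `strong_issuer_serial_mapping` computed from each user’s actual certificate, since re-issuing those certificates with the SID extension is not an option when the issuer is outside the agency’s own Active Directory.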

The vulnerability, CVE-2022-26925, allows an unauthenticated attacker to call a method on the Local Security Authority Remote Protocol (LSARPC) interface and coerce the domain controller into authenticating to the attacker with NTLM (Windows NT LAN Manager), an authentication exchange the attacker can then relay to another service. Microsoft’s patch rejects anonymous connection attempts over LSARPC.

Microsoft considers the man-in-the-middle attack’s complexity to be high, based on the Common Vulnerability Scoring System.

The same update also remediates two other vulnerabilities, CVE-2022-26923 and CVE-2022-26931, both elevation-of-privilege flaws in Active Directory certificate-based authentication; the stricter certificate-to-account mapping that broke PIV and CAC logons is the fix for those two.

Army Futures Command enters battle to replace CAC cards
https://fedscoop.com/cac-login-replacement/
Thu, 08 Aug 2019 18:58:17 +0000
There is a new idea to replace the CAC card — this time, from Army Futures Command.

Army Futures Command has entered the long-fought battle to modernize the Defense Department’s identity and access management system, saying it’s developing a product that would let soldiers log in from the battlefield with wearable tokens replacing the CAC cards currently used.

The tokens, which could be worn like a watch or sewn into a sleeve, would give soldiers a way to connect when plugging a smartcard into a reader to access a network is not an option. In concept, the devices could prompt a login when a soldier approaches a system.

The DOD primarily uses a credit card-sized device called the Common Access Card (CAC), a system that the Pentagon has long wanted to replace. The wearable tokens could integrate beyond just computers and servers, offering credentialed access to weapons systems and handheld devices.

“Soldiers should not have to take out a smartcard, insert it into a card reader and then remember to remove the card from the reader when they are done,” Ogedi Okwudishu, project lead for the Tactical Identity and Access Management program, said in a news release.

This is not the first attempt at changing the common access card. Last year, a New York-based artificial intelligence startup signed an other transaction agreement with the Defense Information Systems Agency to explore new options for identity, credentialing and access management. The company’s “deep learning” tools could be used to develop “continuous multifactor authentication,” according to the company’s limited-info release about the contract.

Before that, top DOD officials had pledged to replace the CAC card on timelines that have long since passed. Last fall, however, DOD CIO Dana Deasy said: “the CAC will remain the department’s principal authenticator for the foreseeable future.”

Improving biometric and personalized credentialing could be a major step in implementing a zero-trust network. The DOD’s Silicon Valley advisory group, the Defense Innovation Board, has been pushing the department to a zero-trust system, which only grants access to what specific users need. With continuous authentication through AI or a wearable login, individualizing a user’s network access could be easier to achieve.

The device Army Futures Command is working on would also be coupled with a second factor of authentication, such as a biometric login or a personal identification number. Okwudishu noted in the release that the technologies the command is working with are developments in public key-based credentials, wireless payments and flexible hybrid electronics.

Army Futures Command, which became fully operational in July, is tasked with developing technology for future warfare, as the name suggests.

Defense agency surmounts ‘big’ security challenge for robotic process automation
https://fedscoop.com/defense-logistics-agency-security-rpa/
Wed, 15 May 2019 12:33:51 +0000
A successful proof of concept should pave the way for widespread government use of unattended bots to perform routine tasks and processes, according to an agency official.

The Defense Logistics Agency has finished a robotic process automation proof of concept that’s the first of its kind in government, allowing unattended bots to operate around the clock.

RPA is software that mimics the keystrokes and mouse actions of workers to automate transactional tasks and processes — like moving name and location information from a spreadsheet to an enterprise resource planning (ERP) system. DLA estimates RPA will save its employees about 50,000 hours in its first year by taking over routine functions.

But until now, most agencies have used attended bots given credentials from the laptop of the person they’re working with — as long as they’re on the clock.

“We want bots to run 24 hours a day,” John Lockwood, RPA program manager at DLA, told FedScoop. “And we need the bots to have access when the individual isn’t there.”

But for the last 10 years, “we’ve been anti-bot,” Lockwood added.

Office of Management and Budget memo M-18-23 and President Trump’s proposed fiscal 2020 budget direct agencies to use RPA, and Federal CIO Suzette Kent has launched reskilling efforts to address the impacts of automation on the workforce.

The Department of Defense relies on public key infrastructure (PKI) to verify the identity of anyone accessing its network, and some sites are common access card (CAC) enabled. Other agencies use personal identity verification (PIV) cards instead.

DLA’s IT environment had to be adjusted so unattended bots could use PKI to reach CAC-enabled sites, a “big challenge” that took nine months to surmount, Lockwood said. Essentially, the bot had to be provisioned as an identity in its own right, with its own persona and its own access, rather than borrowing a person’s.

On May 6, DLA successfully ran an unattended bot on its own certificate: the bot reached out to the agency’s ERP system, where it has an account, to receive its own credentials granting it access. The use case involved UiPath’s RPA platform and SafeNet hardware.

The proof of concept paves the way for full implementation of RPA across agencies, which can choose to use an unattended or attended bot based on the work.

“Not only are we replacing processes with robots, but new processes are coming on board,” Lockwood said.

DLA automated five processes in six weeks to help handle all the data associated with standing up G-Invoicing, the Department of the Treasury’s solution for money transfers between agencies.

The agency also created a bot to clean up spreadsheets so names of employees are standardized during onboarding and computer access can be more easily granted.

RPA will help DLA respond to audit requests because, when a bot grabs information, all the steps are logged with time stamps, Lockwood said.

Lockwood said a lot of agencies have created attended bots using individuals’ CACs. DLA intends to release a white paper in the next couple months allowing those agencies to use its RPA solution to operationalize unattended bots and will be sharing use cases and code, he added.

Long term, DLA is looking at areas where getting information was “just too human intensive” but a bot could do the work cheaper and with faster computing power, Lockwood said.

“Finally, we expect to see bots be a tool to utilize our management system and to utilize future artificial intelligence,” he said.

To help replace the CAC card, Pentagon enlists AI startup
https://fedscoop.com/cac-card-twosenseai-startup-dod-contract/
Thu, 07 Feb 2019 16:08:56 +0000
TWOSENSE.AI announced a $2.42 million OTA contract to work with the Defense Information Systems Agency on "invisible continuous multi-factor authentication" for the military.

A Brooklyn-based artificial intelligence startup is working with the Department of Defense to replace the CAC card.

TWOSENSE.AI, an early-stage company that’s working to build better identity, credentialing and access management (ICAM) through “deep-learning based” AI, won a $2.42 million contract last October to work with the Defense Information Systems Agency on continuous multifactor authentication for the military. The startup announced the contract Thursday with few details about the specific work.

The contract, an other transaction agreement (OTA) awarded through DOD’s Rapid Innovation Fund, will focus on next-generation identity verification by authenticating users “by their behavior, such as how they walk, type, carry their device, or interact with the screen,” TWOSENSE.AI said in a release. OTAs come from a decades-old authority Congress recently expanded in the 2016 National Defense Authorization Act to allow agencies to prototype technologies with the potential to move them into scaled production, if successful, without going through the traditional contracting process.

“Both DISA and TWOSENSE.AI believe that continuous authentication is the cornerstone of securing identity. Behavior-based authentication is invisible to the user, therefore it can be used continuously without creating any extra work,” said Dawud Gordon, CEO of TWOSENSE.AI.

TWOSENSE.AI’s technology uses machine learning to model unique user identities based on behavior, such as “the way they walk, interact with their phone, commute to work, and how and where they spend their time.”

“Through the power of deep learning, algorithms are highly personalized, learning the personal characteristics that make each user unique on an individual level,” the company says. “The product leverages mobile and workstation behavioral biometrics, as well as proximity, to create invisible continuous multi-factor authentication for the workplace.”

The work will be done as part of DISA’s ongoing Assured Identity effort to replace CAC cards with continuous identity management through advanced biometrics. The DOD’s then-CIO Terry Halvorsen said in 2016 to great excitement in the community that the Pentagon had plans to eliminate the CAC for system logins. While that didn’t happen in the two-year timeframe, DISA continues to work on a multi-factor, biometric-based and continuous solution for identity verification.

Despite DISA’s efforts to move on from the CAC, DOD CIO Dana Deasy said recently that the military’s personal identity verification smart card isn’t going anywhere anytime soon.

The CAC card has “been a key component of the DOD security. Something you may have heard, that the CAC is going away,” Deasy said in September 2018. “Well, from my standpoint, the CAC will remain the department’s principal authenticator for the foreseeable future.”

The DOD, he said then, is in the midst of developing a new DOD-wide ICAM strategy that “will revolutionize how we create digital identities and any maintenance of associated attributes, including both people and non-person entities.”

DOD CIO Deasy: The CAC is here to stay ‘for the foreseeable future’
https://fedscoop.com/pentagon-cac-card-dod-cio-dana-deasy/
Thu, 06 Sep 2018 15:35:41 +0000
According to Dana Deasy, the Pentagon's common access card isn't going anywhere anytime soon.

Two years ago, then-Department of Defense CIO Terry Halvorsen announced a plan to replace the common access card within two years. Today, the CAC is still alive and well as the Pentagon’s primary means of identity authentication, and according to new CIO Dana Deasy, the cards aren’t going anywhere anytime soon.

“Now I know what you’re thinking. Most of you hear about identity and credential management at DOD, and what you think about is the common access card, CACs,” he said Thursday at the Billington Cybersecurity Summit. “They have been a key component of the DOD security. Something you may have heard, that the CAC is going away. Well, from my standpoint, the CAC will remain the department’s principal authenticator for the foreseeable future.”

That may come as a surprise to many who’ve followed the substantial discussion about replacing the CAC since Halvorsen’s announcement in 2016. For instance, the Defense Information Systems Agency in late 2017 introduced an elaborate continuous authentication system based on multiple forms of advanced biometrics, such as commercial facial recognition, iris scans and fingerprints, as well as location patterns, gait, speech and keystroke rate. But such a replacement system, at least in widespread use, is more likely further down the road, Deasy said.

“The department must be ready to adapt, as well as accommodate an environment [with] more than 4.5 million users that is rapidly evolving due to current and emerging threats from our adversaries,” he said. “DOD has always been a pioneer when it comes to driving innovation. We must continue to do so and incorporate key storage and biometrics to prepare for a future where we need quantum-resistant cryptography. These innovations will become critical to ensure our warfighters continue to operate in a secure environment.”

The comments came as Deasy described DOD’s work to create a new identity, credential and access management (ICAM) strategy that will replace one it released in 2014 and how the CAC will continue to play a part in that.

The new strategy, he said, “will revolutionize how we create digital identities and any maintenance of associated attributes, including both people and non-person entities. ICAM creates a secure, trusted environment where any of our users can access all of the authorized resources, including applications and of course our valuable data, to have a successful mission. It will also let us know who is on the network at any time.”

ICAM, he said, is just one part of his attempt to take a more holistic, end-to-end view of cybersecurity risk within the Pentagon, to also include system, network and application security, data encryption and proper classification of information all the way out to weapon systems. That also includes contractors providing systems and services to the Pentagon, and the security of the U.S.’s connected critical infrastructure, Deasy said.

“So we have this conversation, but I always tell people you can’t have it at any one point,” he said. “You have to discuss the entire ecosystem of cybersecurity.”

Evolving Government: Moving beyond passwords for seamless identity verification
https://fedscoop.com/evolving-government-moving-beyond-passwords-seamless-identity-verification/
Mon, 16 Jul 2018 18:54:44 +0000

It’s time to move beyond passwords, 2FA, and other vulnerable and outmoded methods for identity verification, explains Averon's Aaron Mahone in this op-ed.

It’s no secret that user authentication is one of the government’s biggest security vulnerabilities. Last year, the Commission on Enhancing National Cybersecurity called on the federal government to end all major breaches by 2021 in which identity—especially in the form of password theft—is the primary vector of attack.

In addition, a report by Thales and 451 Research shows that one of every three federal respondents experienced a data breach in the past year, and 65 percent indicated a breach at some point in the past. Nearly all respondents, 96 percent, consider themselves vulnerable.

Challenges with Passwords and 2FA

Technology leaders have predicted for years that the traditional password will disappear because it is not failsafe. Unsuccessful attempts to improve security with two-factor authentication (2FA), typically via SMS, have repeatedly and richly rewarded attackers. This led the U.S. National Institute of Standards and Technology to withdraw support for SMS-based 2FA.

The sheer inconvenience of 2FA and multi-factor authentication often prevents people from using them. Mark Risher, manager of Google’s identity systems, has said that “users won’t accept more security than they think they need.”

A New Solution: Direct Autonomous Authentication

The search for frictionless identity verification, capable of protecting sensitive government and citizen data while also providing an authentication experience that people will actually use, has led to considering devices rather than user input as the source of trust. Throughout government, users see this every day as they insert their CAC or PIV card into their computers to authenticate their identity. But what about authentication through mobile devices that don’t have a card reader?

One way that smartphones and tablets are being leveraged for secure identity verification is through Direct Autonomous Authentication (DAA), which seamlessly integrates with ultra-secure entities that have already verified users—namely, mobile carriers, which instantly authenticate users every day in order to accurately bill the correct customer.

At Averon, we developed DAA to instantly authenticate users via the real-time mobile-carrier signaling and SIM card technology already found in every smartphone and many other devices. A SIM card can be understood as a smaller PIV or CAC card. DAA, a patented new type of user authentication, is automatic and requires no effort from the user. It relies on data the mobile carriers already have, which is impervious to being hacked, intercepted or otherwise compromised because there is absolutely no transmission of user information.

Bringing DAA to Citizen Services

Averon recently participated in the Dcode accelerator program to help bring DAA technology to government. With this technology, agencies can more seamlessly and securely engage with any citizen who has a mobile phone, thus simplifying citizens’ access to services, helping law enforcement combat crime, assisting in voter identity verification, and so on.

It’s time to move beyond passwords, 2FA, and other vulnerable and outmoded methods for identity verification.

Aaron Mahone is director of finance and operations at Averon. Previously a management consultant with KPMG, he also served as business development director for Greenlight Energy Group and as an auditor with the New York State Department of Health.
