Anyone who’s attended a cybersecurity conference over the past five years has heard numerous government speakers proclaim that this is the year in which we’re going to get rid of usernames and passwords for federal IT purposes. Passwords, after all, are relatively easy to steal, and human nature being what it is, some system administrator somewhere uses the same password to order pizza and to log into a national security system.
But the Navy appears to be extremely serious this time. A message to the fleet dated Feb. 5 says administrators of all unclassified systems have only one week left to implement two-factor authentication using Common Access Cards, DoD’s implementation of the personal identity verification (PIV) credentials that President George W. Bush first ordered agencies to roll out with Homeland Security Presidential Directive 12 back in 2004.
Although DoD has required CAC cards leveraging public key infrastructure (PKI) in order to log into most of its workstations for years now, thousands of purpose-built databases inside DoD’s firewall have been operating under waivers that allowed them to be accessed with just usernames and passwords. In the Navy’s case, most of those waivers are going away.
“All approved PKI exceptions are rescinded, except for accounts on networks, systems, or applications that are technically unable to implement a solution to provide two-factor authentication,” per the new policy, which also sets a fairly high bar for which systems are “technically unable” to handle PKI. System owners will have to convince an admiral within their chain of command that their application delivers capabilities the Navy can’t live without and explain why that system hasn’t yet managed to move to two-factor authentication.
Classified systems operating on DoD’s SIPRNet will get a bit more time to come into compliance with the new policy, since the Pentagon didn’t begin to roll out a system of PKI smart cards for its Secret Internet Protocol Network until several years after it had done so for its unclassified systems. But administrators of classified systems will have to meet the same restrictions by the end of July.