Over 170 agencies are now seeing a new login system to access federal employees’ payroll data, and other types of information for human resources management.
The National Finance Center, an agency housed under the Agriculture Department, has launched a multi-factor authentication system for its federal customers to access the payroll and personnel website.
“Our decision to implement multi-factor authentication is a best practice that allows NFC to secure systems by providing a multi-layered approach to securing user accounts, thereby making the account less likely to allow unauthorized access,” a USDA spokesperson said in an email to Federal News Network.
The NFC is one of the four major federal payroll providers for agencies. NFC partners with more than 170 agencies, and provides payroll services to more than 600,000 federal employees — making it especially important to protect feds’ financial information with enhanced cybersecurity practices. Multi-factor authentication requires users to verify their identity through multiple steps, intending block any users who shouldn’t have access to personal information.
With the website update, the NFC has also become one of many agencies trying to take steps to comply with the White House’s federal cybersecurity and zero trust standards.
“USDA will continue to adhere to and implement all federal mandates, executive orders and National Institute of Standards and Technology (NIST) guidance to ensure the safety of all employee and customers’ accounts, data and information,” the spokesperson said.
Implementing multi-factor authentication is just one part of governmentwide cybersecurity requirements for federal agencies. It’s included, for instance, in the Federal Information Security Modernization Act (FISMA), which requires agencies to establish a risk management framework and ensure certain security controls. It’s also part of cybersecurity guidance from NIST, as well as the Biden administration’s executive order on improving the nation’s security. Multi-factor authentication is additionally a requirement under the White House’s zero trust strategy, which the Biden administration released in January of this year.
But there’s still a long way to go to reach governmentwide compliance with the White House’s security requirements. Though the White House released its zero trust strategy back in January, many agencies have since then made only limited progress on implementing multi-factor authentication. As of now, most agencies have not adopted multi-factor authentication across all of their systems, even if they are using it in some areas. Just 13 agencies have fully adopted the practice across all of their enterprises.
Some concerns over cybersecurity have also arisen alongside the increase of remote work and telework for federal employees, which may open the door to higher potential for cybersecurity risks.
“The increasing reliance on remote work has organizations grappling with the challenge of unmanaged personal devices of employees being used for work. They often don’t have the same degree of protection that company-owned devices do, nor can these devices be monitored for abnormal or anomalous behavior,” the spokesperson said.
But multi-factor authentication on NFC’s website can help mitigate that type of risk, according to the spokesperson. It’s part of the reason that the agency implemented the change in October.
And the update to NFC’s website is not the only upcoming change for the agency when it comes to cybersecurity. Along with implementing a multi-factor authentication system, the agency also plans to soon add endpoint detection and response, software supply chain inventory, and asset visibility and vulnerability detection. USDA will also continue to hold trainings for employees on the importance of protecting personal information. All of those plans are also requirements under the White House’s zero trust guidance, as well as the cybersecurity executive order.
Some of these requirements from the zero trust guidance are starting to get hard deadlines, too. According to a recent Office of Management and Budget memo, agencies have a 90-day deadline, starting from Sept. 14, to inventory all of their third-party software.
In general, not all types of multi-factor authentication are equally secure. Eric Mill, senior advisor to the federal chief information officer, has said that SMS text messages and push notifications, for instance, are still susceptible to phishing attacks. Mill has also said that the changes under the White House zero trust strategy have a more meaningful goal — and broader implications — than just implementing a multi-factor authentication system for federal agencies.
“We’re looking at a major architectural shift for the federal government. And we know that’s a multi-year process,” Mill said in January, when the White House initially released the zero trust strategy. “We’re trying to both design an oversight and timing process that reflects the urgency with which we need to move and the reality of the size of the work that is happening.”