Agencies have less than two weeks to make sure all their systems administrators and other employees known as privileged users only can log on using their smart identification cards.
Several government sources confirmed that the Office of Management and Budget set hard deadlines for agencies as part of the 30-day Cyber Sprint announced earlier this month. And chief information officers and other senior IT managers said this time they mean it.
Multiple sources confirmed that OMB wants agencies to implement smart identity cards under Homeland Security Presidential Directive-12 (HSPD-12) for all privileged users by mid-July. Privileged users are all systems administrators and others who have access to a large part or all of the network and data.
One source said the deadline could be as early as July 7, while others said it’s later in the month.
OMB also set a deadline of mid-to-late August for agencies to get 75 percent of all employees using smart identity cards to log on to the network.
An OMB official wouldn’t confirm the dates or timeframe.
“The administration has taken a number of aggressive actions to upgrade the federal government’s technology infrastructure and protect government networks and information, implementing tools and policies in order to detect and mitigate evolving threats. And we have seen significant progress,” the official said. “Federal departments and agencies have implemented capabilities to better manage cyber vulnerabilities when they arise, and agencies instituting new methods of conducting business like requiring employees to log-on to networks using privileged credentials, instead of other less secure means of identification and authentication.”
Two-factor authentication was one of the four initiatives outlined in the 30-day Cyber Sprint.
Steve Cooper, the Commerce Department’s CIO, said his agency is making progress around two-factor authentication.
“We actually stand at about 97 percent for privileged users, strong authentication, and we are at about 76 percent, which is 1 percentage point above the target at the moment,” Cooper said. “We need to push both of those by 100 percent for the target deadlines — July 15 for privileged users and by the August timeframe, end of August working for memory, for all users.”
Many are behind the curve
Unlike Commerce, this will be a major lift for most agencies.
According to Performance.gov, as of December, nine agencies didn’t require two-factor authentication for privileged users at all. These included the Veterans Affairs Department, the Department of Housing and Urban Development, the General Services Administration and NASA.
Four agencies — the Small Business Administration, the Department of Labor, the Nuclear Regulatory Commission and HUD — didn’t require any employee to log on to the network with their HSPD-12 cards.
OMB reported in December that only 42 percent of all users required smart identity cards to log-on to the network. That’s up from 1.2 percent in 2010, but still less than half is not a good accomplishment in more than a decade.
Agencies knew the focus on two-factor authentication was coming under the cyber sprint effort. One agency CIO said they were at zero for privileged users and now are up to more than 40 percent in a short period of time.
VA is facing a similar situation. The agency said as of December it’s at 10 percent for all users required to use smart identity cards to log onto the network.
Steph Warren, the VA CIO — at least until Monday when LaVerne Council is sworn in as the new assistant secretary and CIO — said his security team is working on all aspects of the cyber sprint.
“We are marching our way through the things that have been laid out in the cyber sprint. The area that is hardest for many is how do you do two-factor across all of an organization,” he said, during a conference call with reporters Wednesday. “We’ve been working with the medical community to make sure we are not doing harm to patients and patient care while implementing this. There have been a couple of directives that have come out, laying very, very clear guidelines about how the work is going to happen, what are the milestones and deadlines of progress. It clearly is laying it out in an unambiguous way what are the responsibilities of individuals to comply with standards as well as us going in and using the OPM incident as an opportunity to go back and look at the standards and make sure we haven’t missed anything.”
Warren said the security team is looking at areas where they can improve and ask if there is something they can do better or different in order to ensure networks and data are secure.
VA Chief Information Security Officer Stan Lowe signed out three memos over the last week detailing what those requirements for the agency. The guidance stated by July 15, all users not responsible for direct patient care must use two-factor authentication to gain access to VA’s network.
Lowe also wrote that any user with elevated privileges must begin using their HSPD-12 cards to log on to the network immediately.
Fifth time is the charm?
This is the fifth time OMB has required agencies to implement smart identity cards for logical access.
In August 2005, OMB gave agencies an October 2007 deadline to begin using the HSPD-12 card. In June 2006, OMB issued another memo requiring the use of two-factor authentication for remove access within 45 days of issuing the memo. A year later, in May 2007, OMB reminded agencies again to implement two-factor authentication for remote access, but didn’t give a specific deadline.
The Obama administration then took its turn to push agencies to use HSPD-12 cards. In February 2011, OMB mandated use of smart identity cards by the beginning of fiscal 2012.
So what’s different this time?
Sources said the President’s Management Council, which is made up of agency deputy secretaries, was brought in to this effort and is overseeing progress at each of their agencies.
The OMB official said the PMC is playing a role as is OMB’s E-Gov Cyber Unit, in coordination with DHS and NIST. The cyber unit “is providing agencies with technical assistance where agencies have identified specific barriers to implementation on all cyber sprint immediate actions, to include two-factor [HSPD-12] adoption for privileged users.”
A senior IT official said, at least within their agency, failure to comply will result in the disabling of those accounts. The source, who requested anonymity because they didn’t have permission to speak to the press, said the administrators will no longer be able to perform their duties until such time as they complied with the requirements.
At least for one agency, that’s a much more serious penalty than just public shaming at the PMC meeting.
What the one agency person said about the punishment is something the Defense Department did in 2006 when it mandated network access using only its Common Access Card. A former DoD official said that if you didn’t meet the requirement, you didn’t get on the network, and you knew the Pentagon was serious about it.
At VA, Warren said his office would no longer accept justifications for why two-factor authentication can’t be done, and the agency’s security team is going through its systems one-by-one to bring them into compliance.
“We are making sure, where in the past somebody giving an anecdotal reason why they couldn’t do it, we are at the point, where we are saying it’s not anecdotal anymore and show us why you cannot. We flipped it from, ‘Yeah, it would be good if you did it,’ to ‘Show us why you will not’ and so very hard schedules and outcomes on it,” Warren said. “The deputy secretary is very engaged with us to make sure folks understand the imperative of action and the team has met with him a couple of times already since the [OPM] incident. Basically, as we march our way through, this is what we are doing, where are you on this, what do you need to do on this, how do we need to change this, how do we need to implement this? He’s giving a lot of support to make sure you will do it. There is no more time for excuses, no more time to reason why you don’t need to. We are going to do it. We are going to bring this organization into compliance, and we are going to understand how to do it while we meet our access obligations to veterans.”
Legacy systems remain biggest obstacle
OMB believes the use of HSPD-12 cards for logical access also will be an immediate difference maker. In fact, during the OPM breach, officials said its implementation of two-factor authentication for remote access stopped the hackers from stealing any more data as of January.
But with only 42 percent of all employees using the cards for logical access, several agencies face challenges to meet OMB’s goals. One of the biggest problems is similar to what OPM faced with securing its systems — legacy hardware and software that don’t easily accept smart card authentication.
Cooper said Commerce fits into that category.
“We have some legacy systems that simply don’t lend themselves from a technology standpoint to use our [HSPD-12] cards for logical access, not to the network, but to the actual application themselves,” he said. “We also have some somewhat unique situations that we don’t have the ability to issue [HSPD-12] cards for some non-typical reasons to 100 percent of our workforce. Therefore, we are working with our office of security to try to figure out if there are some back-up ways we could use the equivalent of a [HSPD-12] card, maybe a local Commerce credential or a Commerce credential and a token that would give us the equivalent of strong authentication, two-factor authentication.”
And it’s not just Commerce that is facing challenges.
The senior IT manager also said their agency is unprepared for the move for both privileged and unprivileged accounts.
The source said over the years several issues such as lost cards, employees without cards, Linux servers, Apple Mac computers, tablets and iPads that weren’t part of the smart identity card discussion.
The source said their management was well aware that two-factor authentication was coming, but they never planned for it outside the normal staff login situations. The source said now their agency is scrambling to meet the deadlines.
For many agencies, this will be a heavy lift, but it’s proved to be a valuable cyber tool and something agencies should’ve done years ago. The question is how much teeth OMB will put into its mandate?