Massive OPM breach gives OMB the ammo needed to drive PIV use
The goal of HSPD-12 more than a decade ago was simple. Federal agencies were to deploy a secure, interoperable identity document for physical access to facilities and logical access to networks and applications.
The actual rollout has been anything but simple. Eleven years after HSPD-12 was signed and five years after the White House mandated that logical and physical security systems use the PIV, half of all federal agencies still don’t use the credential. They have issued it … they just don’t use it.
The smart cards are in the hands of more than 90% of agency personnel, but agencies are still resisting actual use of the card. A White House Office of Management and Budget (OMB) report released in 2015 showed that just 42% of federal agency employees – outside of the DOD – were using the PIV for access to secure networks and applications. The White House Office of Personnel Management (OPM) – the target of a massive data breach in which more than 25 million current and past government employees had their personal information stolen – was one of the worst offenders. In 2013 no OPM employees were using PIV for logical access, and at the end of 2014 that number had climbed to only 1%.
The records reportedly were stolen in more than one breach. One of those breaches was linked to a contractor’s username and password being compromised, while another was linked to a “zero-day bug” that lived in the system.
In the wake of the OPM breach, federal agencies started a “30-day cyber sprint” to beef up cybersecurity mandated by OMB. A primary goal of the sprint was to accelerate implementation of multi-factor authentication, especially for privileged users.
“Intruders can easily steal or guess usernames and passwords and use them to gain access to Federal networks, systems, and data. Requiring the utilization of a Personal Identity Verification (PIV) card or alternative form of multi-factor authentication can significantly reduce the risk of adversaries penetrating Federal networks and systems,” according to a White House statement.
Privileged users, of whom there are more than 134,000 across the government, possess elevated access to federal systems and are the ones who enable other employees’ access to different systems. For example, if a new employee needs access to a cloud-based app for accounting, a privileged user will be the one to enable that access. At the time of the OPM breach, eighteen agencies did not mandate that privileged users log in using PIV authentication.
The cyber sprint concluded in mid-July and OMB officials reported an increased use of multi-factor authentication for privileged users.
While enabling PIV for privileged users is a key cybersecurity measure, OMB is pushing that more agencies start to use the smart card across the board. “We’re not doing so well with the deployment of PIV and strong authentication,” says Trevor Rudolph, chief of the Cyber and National Security Unit in the Office of E-Government and IT at OMB. “Agencies need a carrot to help get PIV implemented and we’re deploying the resources to the agencies to solve these problems.”
Technically this isn’t anything new. In 2011, OMB issued a memorandum stating that all new purchases dealing with physical or logical access needed to be HSPD-12 compliant. Still, many federal agencies rolled their eyes at the mandate and kept doing what they had been doing.