Cyber sprint forces two-factor auth into fed government
Massive OPM breach gives OMB the ammo needed to drive PIV use
14 September, 2015
category: Digital ID, Government, Smart Cards
Cultural issues remain primary obstacle
The three biggest issues when it comes to using the credentials have been funding, technical issues and cultural challenges, Rudolph says. “With the cultural problems, people just don’t want to do it,” he explains. “They have the cards but don’t want to use them because they think it’s a burden.”
OMB is working on ways to solve all three of these issues. “We’re documenting all the challenges on why agencies can’t use PIV, and we’re deploying resources to solve these problems,” Rudolph says. “Some of the problems are technical but most of the time it’s cultural.”
Some agency and IT leadership have stubbornly refused to take any real steps to strengthen user authentication, insiders say. That is likely the attitude that OMB folks are gently referring to as cultural issues.
Such cultural issues are getting more attention, says Grant Schneider, federal cybersecurity advisor at OMB. At the highest levels, agencies are meeting regularly with OMB on identity and access management. Schneider and Rudolph both made the comments at the Smart Card Alliance’s Smart Cards in Government conference.
Often, if the cultural issues become too much of a problem, phone calls can be placed. “We make a phone call to the secretary or deputy secretary and they make the changes overnight,” Rudolph adds.
Rudolph and Schneider both say PIV can also make life easier for employees. Agencies that deploy PIV-enabled single sign-on systems eliminate the need to remember usernames and passwords for different applications. “I just have the PIV and a six digit PIN,” Schneider says.
On the budget side of things, agencies have had years to procure PIV-enabled systems. “I don’t think it has been an unfunded mandate,” Schneider says. “Over the years the funding has been pretty good for agencies to make the changes and get these things done. Agencies could have done more.”
OMB is also working on ways to help agencies solve the technical issues. There is a 500-page Federal Identity and Access Management Roadmap that can guide agencies but that document isn’t without its issues. OMB is creating “playbooks” that look at some of the problems agencies experience with PIV and how to solve them, Schneider explains.
Beyond increasing usage of the PIV, Schneider says OMB wants to see attributes shared across agencies. If a Defense Department employee goes to Homeland Security, the PIV should be electronically verified before the employee is allowed entry. Today, a visual inspection of the badge is still all that generally takes place.
Too little, too late
While OMB has publicly pushed agencies to use the PIV for years, some vendors are saying that it’s beyond time. “The penetration is tragically low,” says Neville Pattinson, senior vice president for government sales at Gemalto North America. “The government needs to do this, the writing is on the wall, there are so many vulnerabilities and they just lost the personnel records of the entire federal government.”
The cyber sprint was a reaction to the OPM breach, but there still aren’t any penalties if an agency fails to comply. “It’s something that should take a higher priority,” Pattinson says. “The agencies need some motivation.”
Dinging their budget might work, says Rick Patrick, senior vice president of the Identity Group-North America at Oberthur Technologies. He suggests annual audits, and if the agency doesn’t pass they get less money in subsequent budget cycles until they comply. “The problem is impacting national security,” he adds.
Greater accountability for how agencies are using the PIV would also be welcome, Patrick says. The FISMA report released earlier this year gave some insight into PIV usage but not a lot of other details. “How many of the agencies are maximizing the full use of the PIV as intended in HSPD-12?” he asks.
Another issue around the PIV has been the FIPS 201 standard. FIPS 201-2 was released in 2013, yet the special publications that define the specific parts of the standard have not all been updated, nor have test tools been developed, says Christophe Goyet, director of Technical Marketing, ID and Government Programs at Oberthur Technologies.
The latest special publication draft was released in May for the PIV card interface (SP 800-73-4). This is only a draft, and comments are expected to go back and forth before a final spec is released. From there, test tools will need to be created, and only then can products be tested, Goyet says.
It will likely be 2016 before cards that are compliant with all the specifications can be approved and agencies can roll them out.
Change finally on the horizon?
It’s been more than a decade since the order mandating a standard identity card for federal employees was issued. Some delays are understandable, but it seems inexcusable for agencies to outright refuse use of the credentials.
Perhaps for the first time, however, there is an agency with overarching reach stepping up to push foot-draggers to get on board. OMB seems positioned to make things happen, if they can sustain the momentum provided by the unfortunate OPM breach.