The U.S. Defense Department will require contractors to implement multi-factor authentication for access to IT systems by the end of 2017 and other federal agencies likely aren’t far behind the same requirement, according to a white paper from SureID.
The 2015 Office of Professional Management data breach and others have lead the federal government to call for protection of sensitive data. The National Institute of Standards and Technology Special Publication 800-171 calls for “the protection of Controlled Unclassified Information (CUI) while residing in non-federal information systems and organizations.” CUI is defined as “information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified.”
Federal government contractors that handle “covered defense information” under contract with the Defense Department, one of the first agencies to implement NIST SP 800-171, face a compliance deadline of December 31, 2017. One of the important components of the publication is the mandate for multi-factor authentication. “Beginning with DoD, the federal government no longer will allow simply a username and password to authenticate an individual’s identity; rather, an organization must implement a multifactor paradigm, such as a username or PIN (something you know), a biometric marker such as a fingerprint (something you are), plus a smart card (something you have).”
Contractors will be searching for a multi-factor authentication solution in order to comply with these federal mandates. There are many different technologies that could fulfill the mandate but SureID posits that PIV-I is the best possible option.
“The PIV-I credential system supports robust identity proofing through the use of multifactor authentication, protecting against infiltration by even the most sophisticated hacking groups. A PIV-I credential is provisioned with digital certificates, photo and fingerprint and among the most effective ways of addressing security vulnerabilities both online and on-premise,” the white paper states. PIV is already the way of the world for federal employees and PIV-I fills that need for contractors.
For more information on PIV-I and SP 800-171 the SureID white paper can be downloaded here.