Background
In May of 2021, President Biden issued Executive Order 14028 “Improving the Nation’s Cybersecurity,” initiating a sweeping effort to ensure that baseline cybersecurity practices are in place across the federal government, the risks of cloud-based infrastructure are mitigated, and the zero trust architecture (ZTA) principles of NIST SP 800-207 “Zero Trust Architecture” are adopted.
In February of 2022, Acting Director Young of the Office of Management and Budget (OMB) issued Memorandum M-22-09 “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles.” This set forth a federal ZTA strategy, requiring all agencies to meet specific cybersecurity standards and objectives by the end of federal FY 2024.
Significantly, M-22-09 recognizes that certain forms of multi-factor authentication (MFA), such as one-time codes and push approvals that a user can be tricked into relaying to a fake site, do not provide adequate protection against the increasing scale and sophistication of phishing attacks. Thus, it mandates the adoption of “phishing-resistant” MFA for the populations in scope, summarized below.
Scope of M-22-09
Category | In Scope? |
---|---|
Government Civilian Employees | YES |
Government Civilian Contractors | YES |
Government Civilian Partners | YES |
Department of Defense | YES |
U.S. Defense Industrial Base | YES |
U.S. Intelligence Community | YES |
Other Critical Infrastructure Sectors | NO |
Other Regulated Industries | NO |
State and Local Governments | NO |
If your organization falls within the scope of M-22-09, SurePassID urges you to consult with your federal regulator(s) and auditor regarding impacts on users, business functions, and overall compliance.
Phishing-Resistant MFA Defined
Phishing-resistant MFA must keep an attacker from obtaining a usable authenticator output, whether by intercepting it in transit or by tricking the user into entering it on a site masquerading as a legitimate one. That covers spear phishing, smishing and vishing as well as adversary-in-the-middle proxies that relay a live login and replay of captured codes. Brute-force attacks and credential stuffing target the password rather than the MFA step; any second factor blunts them, so they are not what the phishing-resistance requirement specifically addresses.
Phishing resistance within an MFA mechanism is achieved in four ways:
FIDO2-Based Phishing-Resistant MFA – The Challenges
FIDO2 is a set of open industry standards that provide phishing-resistant MFA and which are ultimately intended to support Derived PIV. FIDO2 consists of two components: the WebAuthn specification, which was developed by W3C, and the Client to Authenticator Protocol (CTAP) specification, which was developed by FIDO Alliance. Together these components create public-key credentials that are unique to each relying party (the site's registered domain, or RP ID). The private key never leaves the user's authenticator; the server stores only the public key. Phishing resistance follows from origin binding: the browser, not the web page, records the page origin in the signed client data, and the authenticator signs the hash of the RP ID, so a credential registered for the real site cannot be exercised from a lookalike domain, and a captured assertion cannot be replayed against a fresh challenge.
To implement FIDO2-based phishing-resistant MFA, an MFA solution such as SurePassID must first be deployed. Then FIDO2 security keys (hardware or software “tokens”) must be bought, distributed, and managed, which significantly increases costs and operational complexities. If the FIDO2 security keys are physical, users may lose or forget their authenticators, generating additional operational complexities and support load on the IT help desk. Furthermore, since FIDO2 is not PIV Derived, additional overhead is required to centralize management of tokens, identity verification, and credential lifecycle.
Problematically, support for FIDO2 is not yet robust. For example, many VPN clients do not natively support FIDO2 (or legacy U2F) in their embedded browsers, instead forcing the adoption of painful workarounds that rely on reconfiguring portals, gateways, and clients to use the local browser, assuming that is even an option. If Android or iOS support is needed, then a Mobile Device Management (MDM) solution must be incorporated for non-BYOD devices, or a separate portal must be used for BYOD. Similarly, many Linux/UNIX distributions still have limited or no support for FIDO2.
SurePassID Guidance to Customers
Implementing phishing-resistant MFA presents a matrix of considerations, such as regulatory requirements, use cases, site limitations, complexity, and cost. Every customer’s matrix will look different, but SurePassID provides the Authentication Server platform, unmatched domain expertise, and outstanding technical support needed to deliver the best solution set. We already support the widest range of open-standard protocols and authenticators, including FIDO2/WebAuthn authenticators – a continuation of the FIDO support we have trailblazed since co-founding the FIDO Alliance.
If your organization is facing a mandate to adopt phishing-resistant MFA, or if you simply want to upgrade the user access security of your enterprise, call SurePassID. We will develop a tailored solution that best addresses your matrix of considerations.