Building on the May 2021 Executive Order on Improving the Nation's Cybersecurity (EO 14028), Office of Management and Budget (OMB) memorandum M-22-09, the Federal zero trust strategy, sets out ambitious timelines for Federal agencies to improve cybersecurity. However, many agencies may be closer than they realize to the mandates laid out in M-22-09, particularly regarding multifactor authentication (MFA).
Because cyber attackers are always getting more creative and technologically advanced, the methods that agencies use to verify identity and authorize use of agency systems must constantly evolve. M-22-09 directs agencies to move away from password-based authentication, which leaves systems open to credential guessing, theft and replay. Password spraying, for example, may have been the method that allowed attackers to access some government agencies during the SolarWinds campaign. The memo outlines stronger authentication methods, including phishing-resistant MFA: authenticators such as PIV certificates or FIDO2/WebAuthn keys that are cryptographically bound to the site being logged into, so a credential captured on a look-alike login page cannot be replayed. One-time codes delivered by SMS or an authenticator app do not meet that bar…
The universal Federal government standard is certificate-based authentication using X.509, an International Telecommunication Union (ITU-T) standard, profiled for the Internet in RFC 5280, that defines the format of certificates binding an identity to a public key by means of a certificate authority's digital signature. In the Federal government, those certificates and their corresponding private keys live on a personal identity verification (PIV) card or common access card (CAC): a smart card whose chip performs the signature operations itself, so the private key never leaves the card.
“PIV and CAC and derived credentials are special versions of X.509 that incorporate lots of controls and processes,” Rosensteel notes. Those controls and processes are laid out in National Institute of Standards and Technology (NIST) Special Publications 800-157 (derived PIV credentials) and 800-79-2 (authorization of PIV card and derived credential issuers), and in Federal Information Processing Standard (FIPS) 201-3, the PIV standard itself…