September 21, 2017
The Department of Energy’s Implementation of Multifactor Authentication Capabilities
The Department of Energy operates many types of information systems supporting mission related activities such as nuclear security, scientific research and development, and environmental management. Strengthening cybersecurity over its information technology environment is a significant challenge facing the Department. Federal requirements and industry best practices indicate that multifactor authentication is one of the most effective methods of safeguarding information systems. In its most basic form, authentication is the process of verifying the identity of a user prior to allowing access to an information system. While the most common method of authentication is username and password, multifactor authentication adds rigor to the authentication process using two or more different authenticators such as hardware security tokens and personal identity verification (PIV) cards.
Federal requirements concerning multifactor authentication on Federal information systems, including those operated by contractors, have existed for many years. For instance, the Office of Management and Budget (OMB) issued M-05-24, Implementation of Homeland Security Presidential Directive (HSPD) 12 – Policy for a Common Identification Standard for Federal Employees and Contractors, in August 2005 which required Federal agencies to implement multifactor authentication, in the form of PIV cards, for logical and physical access to Federal facilities and information systems. More recently, in June 2015, OMB initiated a 30-day Cybersecurity Sprint initiative to further emphasize access controls over Federal information systems by directing that all privileged users and most standard users utilize PIV card credentials to access information systems by September 30, 2016. We initiated this audit to determine whether the Department effectively implemented multifactor authentication when securing its information systems.
The Department made progress towards fully implementing multifactor authentication in accordance with Federal requirements. Specifically, the Department recently invigorated its efforts to meet the demands of the OMB Cybersecurity Sprint; however, we found that additional effort was needed for access to technology resources to ensure that multifactor authentication, including the use of PIV cards, was fully implemented across the Department. In particular, our review of 18 Federal information systems, including those systems operated by contractors, identified weaknesses related to ensuring adequate protections over access to network and application resources, and noted that information reported to OMB related to the Cybersecurity Sprint was not always consistent. Specifically, we found:
• Although requirements existed for more than 10 years, none of the locations reviewed had fully implemented multifactor authentication for secure access to information systems and resources.
• Federal and contractor locations tested had not always considered the applicability of multifactor authentication for software applications, including those that contained sensitive information such as personally identifiable information and personal health information.
• Information reported to OMB by the Department related to progress implementing the Cybersecurity Sprint was not consistent and did not portray an accurate accounting of its use of multifactor authentication.
The weaknesses identified occurred, in part, because officials had not fully planned for implementation of multifactor authentication on information systems. Department guidance and requirements related to multifactor authentication technologies also were not always communicated effectively. Without development and implementation of a Department-wide multifactor authentication process, the Department’s information, including sensitive data, will continue to be at a higher-than-necessary risk of compromise. We have made recommendations that, if fully implemented, should help the Department enhance its cybersecurity posture through effective implementation of multifactor authentication. Management concurred with the report’s recommendations and indicated that corrective actions had been initiated or were planned to address the issues identified in the report.
Topic: National Security & Safety