Energy IG Finds Weaknesses in Protection of Agency Systems

The Energy IG reviewed 18 different federal information systems, including ones operated by contractors, in order to inspect the department’s performance in multifactor authentication. The report uses the NIST definition of multifactor authentication which, “requires the use of two or more factors to achieve authentication, including something you know, something you have, and/or something you are.” The process is one of the most effective methods in securing information systems. Five locations at the agency were observed including, Headquarters, Y-12 National Security Complex (Y-12), Savanah River Site, Pacific Northwest National Laboratory, and the National Renewable Energy Laboratory. Upon completion of the audit, several weaknesses were found related to multifactor authentication including incomplete implementation of requirements at network and remote access levels, lack of security controls over critical applications and inaccurate federal reporting.

Network, Local, and Remote Access

None of the locations the IG reviewed had fully implemented multifactor authentication at network and local access levels. While all users were found to enter the system with a username and password, the use of personal identity verification (PIV) cards was lacking. For example at the Y-12 site, the manufacturing facility that produces nuclear weapons, the IG found that Y-12 users used either usernames and passwords or security tokens but not PIV cards to authenticate network resources. Furthermore, the report found that none of the locations completed a full, five-step e-authentication process, required to allow remote access to federal systems.

Application Access

Recognizing that all applications are not in need of multifactor authentication, the report found that four out of the five locations reviewed had not considered multifactor authentication controls for applications. NIST suggests that applications that support mission and business operations benefit immensely from increased security and recommends authentication at the application level, particularly for those systems containing sensitive information. The IG audit found that three out of the five locations did not have security controls for applications systems with sensitive information. For example, an application that the Y-12 site contained both personally identifiable information and personal health information in which privileged and standard users only needed a username and password to access.

Cybersecurity Sprint Initiative

After the breach at OMB, DHS required a report from all agencies on their respective cybersecurity challenges. Energy submitted in July 2015 that only 13% of privileged users and 11% of standard users were meeting multifactor authentication requirements, the lowest of all the agencies. In June 2016, the agency reported that use of PIV cards, in particular, had increased to 57% for privileged users and 21% for standard users. However, the audit found varying definitions and interpretations of multifactor authentication throughout the agency, resulting in what could be incorrect results in their submitted progress reports. Additionally, the inadequate multifactor authentication implementation is a result of various exceptions to federal policies that the agency has implemented on an enterprise level. For instance, in April 2017, Energy approved 65,000 user account exceptions to multifactor authentication requirements based on OMB and agency exceptions, 30% of which was due to the latter.

Causes

The audit found the reasons for these weaknesses ranged from lack of formal, detailed guidance to inadequate funding. Moreover, a lack of communication was identified by the report, particularly between agency and contractor officials. Many contractors stated that federal requirements for multifactor authentication were not included in their contracts.

The IG provided the following recommendations in which it reported relevant managers generally concurred with:

1. Ensure multifactor plans are fully developed and implemented and full documentation communications made to all programs, sites and contractors.
2. Ensure that multifactor implementation are considered in budget priority developments.
3. Ensure implementation of multifactor authentication program is properly communicated to all stakeholders.
4. Ensure contract requirements are accurate, understood and enforced by all parties.
5. Ensure policies and guidance regarding PIV card implementation are in accordance with federal requirements.