Cybersecurity Sprint Results Show Rapid Growth of Multifactor User Authentication

In a blog post, federal CIO Tony Scott reported on the outcome of the Cybersecurity Sprint and provided thoughts on ongoing efforts as well as other actions the White House would like to see in areas that impact federal cybersecurity.

One of the major thrusts of the Sprint was to reduce the risk of adversaries penetrating networks and systems through the required use of strong authentication, especially for privileged users. According to the description on the Cybersecurity Cross-Agency Priority (CAP) Goal page on performance.gov, OMB defines strong authentication under Identity, Credential, and Access Management (ICAM) as “the implement a set of capabilities that ensure users must authenticate to information technology resources and have access to only those resources that are required for their job function.” Essentially, this is implemented through multifactor authentication, primarily via a hardware-based Personal Identity Verification (PIV) card.

Some of the results from the Sprint report that Scott highlighted include:

• A 30% increase by civilian agencies – from 42% to 72% – in their use of strong authentication for privileged and unprivileged users, since agencies last reported on the metric at the beginning of June.
  
  
• An increase from 33% to nearly 75% by civilian agencies in the use of strong authentication for privileged users – a 40% increase overall.
  
  
• Thirteen agencies have implemented strong authentication for nearly 95% of their privileged users. This includes more than half of the largest agencies, including the Departments of Transportation, Veterans Affairs, and the Interior.
   

DoD reported in the Sprint results that 82% of their total user base were using strong authentication, which was a 5% decrease from the 87% they reported in Q2 of FY 2015. However, this is still above the Q2 FY 2015 CAP Goal of 75%. Further, DoD’s privileged user percentage increased from 38% to 58% – a 20-point gain. The overall decline came in the area of unprivileged users, the population of which presumably far outnumbers the DoD privileged user population. It is unclear from the available data whether the number of privileged users significantly declined at DoD or other agency, but reducing the number of privileged users is an overall goal for OMB.

Scott stressed that these efforts must and will continue until federal networks and data are on a more secure footing. The next progress update will be the FY 2015 Q3 Cybersecurity CAP Goal report scheduled for September.