A rare piece of good news for federal cybersecurity

At a time when government networks are increasingly under attack -- and government itself is being criticized for not doing enough to respond -- the recent award of the Credentials and Authentication Management task order of the Department of Homeland Security’s  Continuous Diagnostics and Mitigation program is a welcome piece of good news.

CRED, like other components of phase 2 of the CDM program, focuses on identity and access management, which has been a sore point for most government systems. Consider: every major U.S. government breach of the last five years -- whether by insiders such as Chelsea Manning and Edward Snowden, or by foreign adversaries as we saw in the attack on the Office of Personnel Management -- has taken advantage of inadequate identity solutions and used them as the vector of attack. In some cases, it was a compromised password, but in other cases, it was someone who had a legitimate credential and was able to use it in ways that should have never been permitted.

Last year's report from the White House Commission on Enhancing National Cybersecurity highlighted our cyber identity problems, stating, "Identity, especially the use of passwords, has been the primary vector for cyber breaches -- and the trend is not improving despite our increased knowledge and awareness of this risk."  The report went on to say that "an ambitious but important goal for the next Administration should be to see no major breaches by 2021 in which identity -- especially the use of passwords -- is the primary vector of attack."

As my firm noted in a white paper we published last year, securing identity does not stop with strong authentication -- it requires a holistic approach to identity and access management that is rooted in governance and delivers not just strong authentication, but also authorization, administration, analytics and audit capabilities.  Together, an IAM approach that delivers the "Five As" ensures that every aspect of the identity lifecycle in an enterprise is secured.

There are two areas of good news here with regard to CRED:

First, the newly awarded CRED solution is delivering capabilities to agencies that will serve as the cornerstone of a "Five As" approach.  CRED is focused on managing credentials and authentication. At its core, that means establishing a "master user record" governing what data and applications all employees and contractors are able to access -- and then using that record to ensure they only have access to applications and resources based on their unique identities, roles and responsibilities within their organization.

With this solution, the benefits of strong, multifactor authentication -- enabled by the PIV card -- can more easily be extended to a wider array of agency applications. And agencies have the ability to more easily manage and update access privileges as roles change. 

Second, DHS and the General Services Administration somewhat craftily negotiated the award of the CRED solution -- choosing a solution that does not just "check the box" on meeting the CRED requirements, but that also gives agencies the option of applying some "bonus" features.

In simple terms, that means that government structured the license agreements with best-in-class IAM software providers SailPoint and Centrify to include a broad set of each firm's capabilities, while only paying for the elements required for CRED. (Disclosure: Chertoff Group has an advisory relationship with SailPoint and Centrify.)  Agencies thus have a great opportunity here to leverage the tools provided by CDM CRED to not just achieve compliance, but also to drive new efficiencies in the ways their organization works.

When an agency gets identity right, it doesn’t just improve security -- it also uses identity to drive greater efficiencies and business transformation.  Identity becomes the great enabler.

It's a lofty goal to meet the Commission's objective of eliminating identity-related breaches by 2021, but it's not impossible.  On the contrary, I'm quite bullish that the government can do this -- if it decides to make it a priority.

Congress has already put ample funding behind the CRED solution, covering the costs for all civilian agencies to deploy it. Agency executives should now look to take advantage of that funding, both to upgrade their IAM systems to guard against the full range of identity-centered cyber attacks and to enable new efficiencies in the way they do business.