VA moving out on two-factor authentication
Government employees use PIV cards for facility access. (Gray/NIST)
The massive data breach at the Office of Personnel Management has pushed the Department of Veterans Affairs to refocus on deployments of personal identity verification cards and two-factor authentication mechanisms for network security — requirements that have languished throughout the federal government for years without significant progress.
VA Chief Information Security Officer Stan Lowe has issued three memorandums since June 25 calling for mandatory use of PIV cards for IT personnel with privileged user access and two-factor authentication for all employees accessing the VA network.
“Effective immediately, any VA information system user with any type of elevated privileges must use their PIV card and PIN to gain access to any VA information system,” Lowe wrote in a June 30 memorandum to division heads within the Office of Information and Technology.
In separate memorandums, Lowe required all VA information system users “not responsible for direct patient care” to use their PIV cards and PIN to gain access to any agency IT system. Although the policy goes into effect July 15, former VA Secretary Eric Shinseki had mandated the use of PIV card credentials for both physical and network access as far back as April 2011.
VA did not respond to FedScoop’s questions about why it’s taken more than five years to enforce the PIV card policy memorandum issued by Shinseki.
By July 25, all elevated privilege activity — such as IT administrator access — on all VA systems will require two factor authentication, according to a June 25 memorandum. “All local administrative accounts will be disabled unless compliant,” Lowe wrote. The policy also requires all elevated privilege accounts to be inventoried and reviewed for compliance every quarter, and states that they will be subject spot checks by security officials.
The new policy memos come on the heels of a series of meetings in early June between VA cybersecurity officials and the agency’s contractors to discuss raising the threat level and the potential impact that might have on VA programs. Among the topics discussed were improving boundary protections, reconfiguring and reducing access points, and locking down the use of social media from within the VA network, according to VA Chief Information Officer Steph Warren, who spoke to reporters July 1.
But Warren acknowledged that as the agency works through the recent cybersecurity sprint guidance issued in the wake of the OPM breach by U.S. CIO Tony Scott, deploying two factor authentication throughout an enterprise as large as VA remains a challenge.
“We have been working with the medical community to make sure we are not doing harm to patients and patient care while implementing this,” Warren said.
FISMA Annual Report to Congress, February 27, 2015.
OPM Director Katherine Archuleta, under fire for refusing to take responsibility for her agency’s security failures, told the Senate this week that the breach of data on up to 18 million current and former federal employees is believed to have been made possible by a compromised contractor login.
OPM and VA were among 17 agencies reporting minimum progress on PIV deployments and two-factor authentication, according to the latest Federal Information Security Management Act report released in February by the Office of Management and Budget. Those agencies remain far below the cybersecurity cross agency priority goal for strong authentication.
According to Warren, VA’s security team is now going through all VA systems, including medical devices, “one-by-one” to bring them into compliance with authentication requirements. “There’s no more time for excuses,” Warren said. “We are going to bring this organization into compliance…while we continue to meet our access obligations to veterans.”
