Some agencies continue to struggle with implementing phishing-resistant multi-factor authentication because there’s a dearth of identity engineers in government, according to cybersecurity experts.
Identity, credential and access management (ICAM) program management offices or other governance bodies aren’t universal yet, despite the Cybersecurity and Infrastructure Security Agency encouraging them, because most federal investments in training produce red and blue teamers — offensive- of defensive-minded professionals.
The first pillar of the federal zero-trust architecture strategy released in January is identity: agencies managing identities to allow staff access to applications while protecting them with multi-factor authentication (MFA). But the National Institute of Standards and Technology’s National Initiative for Cybersecurity Education (NICE) Workforce Framework buries identity “three layers deep” in “nichey” network or software engineering roles, rather than making it a standalone position, said Matt Topper, president and solutions catalyst, at Uberether.
“Nobody ever talks about, ‘I want to be an identity engineer.’” Topper said, during an ATARC webinar Tuesday. “That makes you the best blue teamer because you actually understand how these things work together.”
In the past cyber professionals typically attended security or identity conferences but rarely both. Agencies’ increasing use of cloud and ICAM technology and attacks like the SolarWinds hack, where Active Directory Federation Services allowed infiltrators to gain administrative privileges, have “blurred the lines” between the two communities, said Grant Dasher, ICAM expert at CISA.
For instance, CISA Director Jen Easterly tweets regularly about phishing-resistant MFA, and red teamers use their knowledge of identity engineering to gain access to networks, Dasher said.
“I think that the number of people in our community who have deep identity expertise is not significant,” Dasher said. “And they sort of move around between the agencies or, in some cases, retire.”
Fostering that expertise means building those skills among a new generation of experts, who understand the parts of identity that are unique to government, industry and how they work together, he added.
That talent will be essential to moving agencies beyond the personal identity verification (PIV) and common access card (CAC) smartcard authentication that prevails across government to other factors, the adoption of which should increase with additional NIST guidance in the next year, Topper said.
The federal zero-trust architecture strategy emphasized new approaches to cyber and experimentation with authentication and network security.
“The lesson will be whether we can pull it off over the coming years,” Dasher said.
CISA is looking to simplify agencies’ adoption of cloud identity technologies and continues to develop the forthcoming Zero Trust Maturity Model.
The years 2023-25 should prove pivotal for MFA adoption, especially with planned NIST guidance on derived credentials and digital identity guidelines, Topper said.
NIST Special Publication (SP) 800-63-3 Revision 4 is expected out this fall and will, for the first time, include a dedicated SP 800-63C Federation and Assertions. The document will cover identity federation between agencies, industry partners and citizens; federated authentication transactions and identity federation assurance levels.
“Those are super exciting because those are going to set the next decade of identity standards and patterns that we’re going to follow,” Topper said.