Taking Steps Toward DFARS Compliance: Multi-Factor Authentication

As previously discussed in the CyberSheath blog, government contractors who process, store or transmit Covered Defense Information (CDI) are required by DFARS 252.204-7008 to comply with the 14 control families of the NIST SP 800-171 by December 2017. The clause dictates the security requirements specified by DFARS 252.204-7012 for Safeguarding Covered Defense Information and Cyber Incident Reporting. The intention of the directive is to ensure the safeguards implemented to protect CDI are consistent across nonfederal information systems as they relate to work contracted by the US government.

The regulation anticipates the addition of these controls is not intended to impose a burden by requiring additional systems or incurring additional expenses in order to acquire government contracts. Although the 800-171 is derived from FIPS 200 and NIST 800-53; the new control set is intended to remove the overhead of the controls specifically geared toward federal agencies. It was expected the majority of contractors would only need to implement and update policies in order to comply. While this may be valid for contractors who have a security baseline implemented that includes many components of the recommendations of FIPS 200 or NIST 800-53, it may not be true for all. Unfortunately for those that do not, this regulation may prove to be a challenging and expensive endeavor.

One of the direct requirements imposed by the 800-171 is the need for Multi-Factor Authentication (MFA). This necessity applies to all privileged account access and users who access network resources where Controlled Unclassified Information (CUI) exists, or CDI as defined by the DFARS clause. Additionally, this applies to any users who access the network remotely by means of remote access connections. These are described in the following ‘derived security requirements’ from both the ‘Identification and Authentication’ and ‘Maintenance’ control families of the NIST 800-171:

3.5.3   Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts

3.7.5   Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete

This requirement should not come as a surprise to many. A significant and common attack vector exists when a user’s account is compromised and leveraged by a hacker who has successfully acquired that user’s password. This is even more detrimental when an account with enhanced privileges is compromised. Accounts which have been protected with multiple factors of authentication make hacking much more difficult. Research demonstrates amongst the majority of cyber-attacks, the weakest elements are users and their credentials. This was validated by Verizon’s’ 2016 Data Breach Investigations Report (DBIR). The most recent DBIR states ‘63% of confirmed data breaches involved weak, default or stolen passwords’.

So you may ask, what exactly is Multi-Factor Authentication?

The NIST 800-171 describes MFA as:

The requirement of two or more different factors to achieve authentication. Factors include:

(i) something you know (e.g., password/PIN);

(ii) something you have (e.g., cryptographic identification device, token); or

(iii) something you are (e.g., biometric).

In layman’s terms, Multi-Factor Authentication is combining more than one method or factor of authentication to verify your identity. It is critical to understand the NIST 800-171 requires a minimum of two factors of authentication to meet the requirements the MFA controls. This is commonly referred to as Two-Factor Authentication (2FA). Therefore, the use of two different passwords does not constitute multiple factors since they are both ‘something you know’ and do not include a second-factor type.

The most common factor, albeit the weakest is ‘something you know’. This is generally the password or PIN that most associate with their user account when logging into their computer systems. Passwords are commonly weak, used across many systems and also reused often by users. It is important to note, once a password is compromised by an attacker it is often unknown to the user.

‘Something you have’ is the most commonly implemented second factor and is often in the form of a uniquely generated One-Time Passcode (OTP). These OTP’s can be provided by several different methods including hardware tokens or fobs, software applications such as on a smartphone, or even provided by a USB hardware device such as a Yubikey. While this factor is more secure than the first, it is still open to compromise by loss or theft of the medium which provides the OTP. It is imperative for users to safeguard these devices in order to maintain system integrity.

The third factor described is, ‘something you are’. This factor is considered by many to be most secure, but also the most difficult to manage on a large scale. This can be satisfied by several different biometric identifiers but most commonly with the user’s fingerprints. While this authentication method is the least open to compromise, ensuring the hardware being used is hardened against common biometric vulnerabilities such as the ‘Gummi-Bear Hack’ is critical.

As mentioned above, while adherence to the 800-171 was not intended to impose an additional financial burden to contractors who seek government contracts; the implementation of an MFA solution can prove to be costly. The major expenses incurred involve the cost of third party software to manage the additional authentication factor and also hardware if choosing to utilize a biometric factor or hardware tokens (hard tokens).  If supported by the solution, software tokens (soft tokens) can be a less expensive method of providing OTP’s by leveraging users existing mobile devices. This can prove to be a large scale project depending on the size of the organization and the availability of the current IT staff. Many organizations may need to seek third party consultants who are experts in the deployment in order to streamline the process which can incur additional costs over the investment of the initial solution.

Based on the investment required, it is imperative to perform due diligence when choosing an MFA solution. The products currently available on the market vary widely with their offerings so it is important to consider the following to determine what solution is the best fit for your organization:

  • What is the ease of use for the end-users?
  • What is the additional burden to support the solution for IT staff?
  • Does the solution offer any administrative bypass to allow logins for users who have lost their hardware token or smartphone?
  • Is the solution cloud-based or internally hosted on your network? If internal, is additional hardware needed?
  • What operating systems are supported?
    • Server and Desktops
      • Windows, Linux, Mac?
    • What deployment options does it support for client installation?
    • Does it integrate with your current firewall VPN solution?
    • What happens when your machine is not able to contact the authentication server?
      • Is the client software capable of validating locally or does it deny access?
      • Does it bypass the MFA altogether?
    • What types of authentication mechanisms are supported?
      • One-Time Passcodes
        • Hard Tokens
        • Soft Tokens – what mobile operating systems are supported? (Apple, Android, Microsoft)
      • Push verification to a smartphone app
      • Biometric
    • What is the cost of ownership?
      • One-time purchase
      • Monthly based on user count

It soon becomes obvious that there is a lot to consider when choosing the best Multi-Factor Authentication solution for your business. It is important to realize the ‘true cost’ of implementation. This value factors in the cost of the system and of the resources required to successfully implement and support the solution across your firm. Following the saying, ‘Do it once and do it right’ it is a good idea with the deployment of this nature and could save you profusely in cost and resources invested.

Does your organization need assistance choosing and implementing the right solutions to become compliant before the December 2017 DFARS compliance deadline? CyberSheath has the expertise to provide you with leading solutions and give you the guidance you need. We have a specialized team of Cybersecurity Professionals who have proven industry experience to guide and assist your business in achieving compliance.