Six Reasons PIV-I Has Emerged as the Standard For High-Assurance Identity Management
By Abrar Ahmed, CIO and Senior Vice President, SureID, Inc.
In a world where breaking news about high-profile cyberattacks seems to be a daily occurrence
(the Yahoo September 22, 2016 data breach is a recent example), the federal government has
begun dramatically increasing the level of security surrounding its IT systems and processes.
According to Gartner Research, often the weakest links in a security paradigm are “privileged
accounts” with access to sensitive information. Within the federal government landscape, this
sensitive but frequently unclassified information known as CUI (controlled unclassified
information) is coming under increased scrutiny both inside and outside the federal purview.
As a result, federal contractors with both privileged and non-privileged access – and that handle
CUI – face significant new compliance obligations.
Last year, the National Institute of Standards and Technology (NIST) released a special
publication called SP 800-171 that calls for “the protection of CUI while residing in non-federal
information systems and organizations.” This includes “information that requires safeguarding or
dissemination controls pursuant to and consistent with applicable law, regulations, and
government-wide policies but is not classified,” which was first introduced as a definition in the
DFARS 252.204-7008/7012.
Federal government contractors that handle a type of CUI called “covered defense information”
(CDI) for the Department of Defense (DoD), one of the first agencies to adopt new regulations
that implement NIST SP 800-171, are facing a compliance deadline of December 31, 2017.
Failure to comply could put contractors at risk of losing covered contracts and becoming
ineligible to bid on future ones until the requisite obligations are satisfied.
Multifactor Authentication & PIV-I
NIST SP 800-171 lists 14 “Security Requirement Families” that defense contractors handling
CDI may need to satisfy to win and maintain covered DoD contracts. One Security Requirement
Family in particular requires the most significant attention from such organizations: Identification
and Authentication.
In short, a simple username and password will no longer be sufficient to authenticate an
individual’s identity; rather, an organization must implement a multifactor paradigm, such as a
username and/or PIN (something you know); a biometric marker such as a fingerprint
(something you are); plus a smart card (something you have).
43 Cyber Warnings E-Magazine November 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide