US Government Still Not Clear On MFA Usage
No one in the government seems to know whether agencies must use MFA (Multi-Factor Authentication) on social media.
Even after the SEC “X” account was hacked and the breach was found to be the result of a SIM-swapping attack, made possible because the SEC had disabled multi-factor authentication, “policy makers” still have no clear guidance on MFA.
Scoop News Group asked multiple federal agencies and experts whether the government required the use of MFA for social media, and not one could give a definitive answer:
- Office of Management and Budget
- Cybersecurity and Infrastructure Security Agency
- Former White House cybersecurity officials
- Cybersecurity policy lawyers
- Congressional staffers and federal identity experts
This should not be a hard question, as it’s been almost three years since the White House issued its “Executive Order on Improving the Nation’s Cybersecurity.” A key directive of that Order required the adoption of Zero Trust and, more specifically, allowed just 180 days to implement MFA:
“Within 60 days of the date of this order (5/12/21), the head of each agency shall… develop a plan to implement Zero Trust Architecture”
“Within 180 days of the date of this order, agencies shall adopt multi-factor authentication and encryption for data at rest and in transit”
Apparently, MFA is widely used throughout the government, but with no unified approach: some agencies require it, some use third-party security methods, and others do not.
John Benkert, CEO of Cigent, had this comment:
“I think there is a trust issue that the government has an obligation to uphold by protecting the authenticity of the channels our government uses to communicate with the public, hence the need to better monitor, standardize, and secure the social media accounts – including the use of social media.
“The extension of Multi-Factor Authentication (MFA) policies to media tools used by government agencies is a pertinent although complex issue. The diversity in the missions and operational frameworks of various government entities complicates the implementation of a unified security protocol, such as MFA. For instance, the Department of Defense (DoD) employs Common Access Cards (CAC), which offer a high level of security by tying access to a specific individual with designated permissions. This system is effective in maintaining security within the DoD’s operational scope but for some reason is not universally adopted across all government branches.
“The disparity in security measures across different government organizations highlights the need for a top-down approach to standardize security protocols. The implementation of MFA across all media tools used by government agencies could serve as a robust barrier against the dissemination of fake news and misinformation. MFA, by requiring multiple forms of verification before granting access, significantly reduces the risk of unauthorized or malicious entities infiltrating government communication channels.
“However, the challenge lies in harmonizing these security measures across diverse agencies, each with its own set of tools, sensitivities, and operational requirements. A one-size-fits-all approach might not be feasible given the varied nature of government operations. Therefore, the development of a flexible yet rigorous MFA policy, overseen by a central governing body, could offer a solution. This policy would need to accommodate the specific needs of different agencies while upholding a high standard of security to guard against the risks associated with digital media tools. Such a centralized strategy would not only enhance security across the board but also facilitate a more cohesive and coordinated response to the threats posed by misinformation and fake news within government channels.”
The bigger issue for me is this: where else is MFA not used? By not using MFA or a passwordless solution, you are simply asking to get pwned. Just ask the SEC.
This entry was posted on January 31, 2024 at 8:30 am and is filed under Commentary with tags Security. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.