Rash of data breaches forcing agencies to rethink how they verify employees’ identities


Now that agencies have figured out how to use smart identity cards to better secure their computers, it’s time for them to take the next step.

Identity proofing will become the focus for many agencies in 2018. The first sign of this came from the General Services Administration’s 18F organization in the form of a solicitation for these services.

“Login.gov is a growing platform and needs a variety of proofing methods and data sources in order to move towards the goal of universal coverage for the U.S. population. As Login.gov grows, there is the need to have the mix of methods/data sources that can most effectively proof Login.gov’s partner agencies’ populations,” 18F wrote in the solicitation posted on Dec. 21. “The intent with a multi-award contract is to provide a broad base of contractors who the government can work with to have the highest proofing rate for an agency population. Each order may help support different population subsets including traditionally underserved populations and the data from those orders will inform our planned proofing rate vs. actual and allow for iterating.”

Under the one-year contract with four one-year options, 18F hopes to bring on vendors who can provide services around five identity proofing areas: resolution, address verification, account verification, behavior analytics and government identity verification.

Responses to the request for proposals are due Jan. 18.

Joe Stuntz, vice president for cybersecurity at One World Identity and a former policy lead for the Office of Management and Budget’s cyber and national security unit, said Login.gov and other agencies are moving toward this advanced concept of identity proofing because of the progress agencies made during the 2015 cyber sprint.


OMB said governmentwide use of two-factor authentication with smart identity cards issued under Homeland Security Presidential Directive-12 (HSPD-12) to log on to the network rose from around 40 percent to more than 85 percent.

“The Equifax issue introduced a lot of new urgency around identity proofing,” Stuntz said on Ask the CIO. “That was touched in the Cybersecurity National Action Plan (CNAP) that we knew had to be done. But it’s a big, hard problem and I’m quite happy the administration is going to tackle it. Also, citizen facing services is something that has been on the government’s list for quite a while and it’s getting a lot more attention now than it used to. There are a lot of different opinions on how to do that and the best way to do that, but at least it’s getting in the right conversation. The PIV card is a nice foundation and we are building around that better citizen facing services and mobile authentication is an area of focus to make sure as we have a more distributed workforce, the same level of security is being reached.”

Equifax, one of the three major credit reporting companies, announced last spring it was the victim of a cyber attack in which hackers stole the data of more than 143 million customers.

Identity proofing is the process by which an organization verifies that a customer or employee is who they claim to be, using a series of related data points that together establish the person’s identity.

“With the advent of a lot of new authentication technologies, authentication is actually getting easier. With the number of breaches that we’ve had, and the amount of previously secret information no longer being secret, identity proofing is getting harder,” Stuntz said. “Equifax highlighted this, but I don’t think the vast majority of people who do this for a living would say Social Security numbers are already a bad way to do this because they aren’t secret because of all the previous breaches. So the real key now is if we can’t use ‘secret information’ to do identity proofing, what is that next step? Is it working with the departments of motor vehicles? Is it working with passport offices to do better document verification?”

He added that the services must reach a wide variety of people so one solution can’t be the answer.

“This is something that will not be fast or easy, but when I was [at OMB] and preparing to leave, [White House Cyber Coordinator] Rob Joyce said we will tackle this. Grant Schneider [the acting federal chief information security officer and senior director for cybersecurity], my former boss, said they will tackle this. So it’s good to see,” Stuntz said. “I think it will help set the requirements where government should be in moving away from SSNs, and then industry and research groups can give them ideas to figure out the best way to move forward from SSNs.”

OMB told agencies to stop using Social Security numbers in May 2007 and has since reiterated the need for a new way to authenticate and verify users through third-party credentials.

The Government Accountability Office in June found these efforts have had little success.

“All 24 CFO Act agencies developed SSN reduction plans and reported taking actions to curtail the use and display of SSNs. For example, the Department of Defense replaced SSNs, which previously appeared on its identification cards, with new identification numbers. Nevertheless, the agencies cited impediments to further reductions, including (1) statutes and regulations mandating SSN collection, (2) use of SSNs in necessary interactions with other federal entities, and (3) technological constraints of agency systems and processes,” GAO states. “Further, poor planning by agencies and ineffective monitoring by OMB have also limited efforts to reduce SSN use. Lacking direction from OMB, many agencies’ SSN reduction plans did not include key elements, such as time frames and performance indicators, calling into question their utility. In addition, OMB has not required agencies to maintain up-to-date inventories of their SSN holdings or provided criteria for determining ‘unnecessary use and display,’ limiting agencies’ ability to gauge progress. OMB also has not ensured that agencies update their progress in annual reports or established performance metrics to monitor agency efforts. Until OMB requires agencies to adopt better practices for managing their SSN reduction processes, overall governmentwide reduction efforts will likely remain limited and difficult to measure.”

Stuntz said SSNs have been very valuable over the last 75 years, but because of the string of major data breaches, they are no longer usable for real secure identity verification.

He said the solution will include multiple factors because a one-for-one replacement isn’t possible anymore.

“What the government has an advantage in is they have in-person methods that most businesses don’t. There are SSA sites. There are IRS in-person sites. So how can we use those locations that already exist to do real identity proofing?” he said. “The Postal Service already is looking at some of this and where they could use their large footprint and infrastructure to add additional value to customers. There are a lot of different options, and as long as people understand that there isn’t one way that will solve this, but they can put pieces together depending on their needs and the business processes, they can get there.”