OMB authentication tool could be used for interagency collaboration

Feature enables users to enter security credentials once to access multiple applications.

This story was updated at 10:30 a.m. on Oct. 13.

The Office of Management and Budget recently began using a new tool that makes it easier for federal employees to navigate secure websites it administers by requiring them to enter their credentials only once.

The single sign-on feature allows authorized personnel access to almost any agency's content on OMB's MAX service -- an information-sharing gateway that federal managers and White House officials use to produce the annual budget and collaborate on other interagency activities. The vendor that developed the connector to OMB's system, now known as web services firm XaaS, believes that one day cleared federal employees will be able to log in once to be able to access any restricted government application on any network.

The tool was conceived after OMB approached XaaS' developers -- already under a $15,000 contract for OMB work -- wondering if it would be possible to build a central authentication tool that would be compliant with 2004 Homeland Security Presidential Directive 12. The policy, issued by President George W. Bush in response to the Sept. 11 attacks, requires all federal employees and contractors to be assigned credentials for accessing federal buildings and networks.

After XaaS' developers spent six months fulfilling OMB's request, the firm realized it could repackage the technology for other agencies to use in coordinating with each other. "There's no reason to have to reissue passwords" or smart card credentials, said Chris Grady, chief executive officer of XaaS. "The service guarantees that the person getting ready to enter your system is who they say they are."

"While we support agencies using the [MAX service], we do not endorse specific vendors and an agency does not need to use a vendor to connect to us," OMB spokeswoman Moira Mack said Tuesday night.

XaaS officials said any agency can deploy the gadget in about 45 minutes, at a cost of about $5,000 per app for an unlimited number of users.

But the availability of one-stop authentication for feds raises questions about the risk of creating a single point of attack for hackers.

Grady said the system does not tell verified users which websites and applications they are permitted to visit. "When you log in, there's not some roadmap to what applications they have access to," he said. In addition, the centralized setup enables system administrators to quickly block a rogue employee or would-be intruder from all networks by simply voiding the user's account.
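The two properties Grady describes, a central login that does not itself reveal which applications a user may reach and an account revocation that takes effect everywhere at once, can be shown in a small single sign-on model. The code below is an added illustration written for this article, not XaaS' or OMB's software, and every name in it (IdentityProvider, RelyingApp, void_account, the sample user and applications) is a construction for the example. Each application keeps its own authorization list and only asks the identity provider whether the token is genuine, unexpired and not revoked.

```python
import hashlib
import hmac
import secrets
import time


class IdentityProvider:
    """Hypothetical central authentication service (constructed for this example).

    It issues one signed session token that every relying application accepts,
    and it holds the only revocation list. Note the trade-off the article
    raises: whoever controls this service's signing key can mint tokens for
    every application behind it, so the key and the host need the strongest
    protection in the deployment.
    """

    def __init__(self):
        self._key = secrets.token_bytes(32)   # token-signing key, never leaves the IdP
        self._users = {}                      # username -> (salt, password hash)
        self._revoked = set()                 # usernames whose accounts were voided

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[username] = (salt, digest)

    def login(self, username, password, ttl_seconds=3600):
        """Return a signed token on success, None otherwise. The token carries
        only identity and expiry; it says nothing about which apps the user may use."""
        record = self._users.get(username)
        if record is None or username in self._revoked:
            return None
        salt, stored = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, stored):
            return None
        payload = f"{username}:{int(time.time()) + ttl_seconds}"
        signature = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}:{signature}"

    def validate(self, token):
        """Return the username if the token is genuine, unexpired and not revoked."""
        try:
            username, expiry, signature = token.split(":")
        except (ValueError, AttributeError):
            return None
        payload = f"{username}:{expiry}"
        expected = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            return None
        if not expiry.isdigit() or int(expiry) < time.time():
            return None
        if username in self._revoked:          # the single kill switch the article describes
            return None
        return username

    def void_account(self, username):
        """Void the account once; every relying application refuses it from now on."""
        self._revoked.add(username)


class RelyingApp:
    """Hypothetical agency application that trusts the IdP for authentication
    but keeps its own authorization list (constructed for this example)."""

    def __init__(self, name, idp, allowed_users):
        self.name = name
        self.idp = idp
        self.allowed = set(allowed_users)

    def access(self, token):
        user = self.idp.validate(token)
        if user is None:
            return "denied: not authenticated"
        if user not in self.allowed:
            return f"denied: {user} is not authorized for {self.name}"
        return f"{user} granted access to {self.name}"


def demo():
    """Log in once, reach two apps with one token, then void the account."""
    idp = IdentityProvider()
    idp.register("alice", "correct horse battery staple")   # constructed sample user
    budget = RelyingApp("budget-portal", idp, {"alice"})
    grants = RelyingApp("grants-tracker", idp, set())          # alice is not on this list
    token = idp.login("alice", "correct horse battery staple")
    before = (budget.access(token), grants.access(token))
    idp.void_account("alice")
    after = (budget.access(token), grants.access(token))
    return before, after


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running `demo()` shows the token accepted by budget-portal and rejected by grants-tracker on authorization grounds, and then rejected by both once the account is voided, without either application changing anything locally.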

Some cybersecurity experts, however, see a bigger problem if other agencies start relying on a similar mechanism for registered users.

"Aggregating all this identity management within one system brings up some very valid information assurance concerns," said Clarke Caporale, an information assurance manager with the New York Army National Guard. "In addition to sufficient bandwidth, server horsepower, and a distributed architecture to protect against single points of failure, this would create a massive target for cyberwarfare and cybercrime."

He said the method might be suitable for GSA, or smaller agencies that do not have the resources to install their own single sign-on tools. But having "one single, centralized identity management provider forced on all agencies is short-sighted," Caporale said. "At best, it may be unreliable, and at worst may open government information systems up to fraud or compromise at the hands of our enemies."

Grady acknowledged those concerns, noting the system is not a completed work. But he argued the real benefit is the regulatory compliance that the feature provides to agencies that do not have the skill sets or budgets to establish their own verification techniques.

"We simply provide a tool that gives organizations a choice," Grady said. "We have provided a stepping stone tool that will, perhaps, get the government to the point of considering a centralized vs. decentralized approach to authentication. However, our only objective was to help agencies and contractors to be able to check off the HSPD-12 compliance check box and to make our government's systems more secure."
