The majority of individuals with high-level control over Interior data and networks needed only a password to log in.
The Interior Department last week mandated that offices block individuals from logging into the agency's network unless they enter both a password and government-issued smart card, according to Interior IT officials.
The decision was made after hackers stole an Office of Personnel Management contractor’s credential to pull out records on 4.2 million current and former employees across the government. The intruders, believed to be Chinese-sponsored attackers, also pierced the defenses of an Interior data center warehousing the OPM files.
Interior and OPM are among 18 major agencies that did not previously require users with broad system access to sign in with so-called two-factor authentication, according to the most recent governmentwide cyber compliance report.
About 50,000 "privileged users" at Interior needed only a password to sign on. Among regular and wide-access Interior users who work remotely, 42 percent could do so without a smart card, officially known as a personal identity verification, or PIV, card.
"The department mandated that the PIV card implementation must occur sooner than expected, therefore beginning tomorrow you will need to log into your computers using your PIV cards," reads a June 23 internal email from an Interior Office of the Solicitor senior IT specialist to an administrative assistant in a Bloomington, Minnesota, field office, which was obtained by Nextgov.
Prompted by several U.S. government hacks, culminating in the massive OPM incursions, White House officials told all federal agencies they have until Sunday to complete a "30-day Cybersecurity Sprint," which, among other things, calls for speeding the activation of multistep ID verification.
The June 12 sprint instructions stop short of mandating that agencies deploy the login protections.
Interior officials said in a statement the department "initiated a major remediation effort in the context of other cybersecurity improvements already underway,” and “in accordance with the Cyber Sprint directive, we are working to dramatically accelerate implementation of multifactor authentication, especially for privileged users.”
The gargantuan breaches of federal employee data were discovered in April. The actual removal of OPM records from the Interior data center traces back to October 2014, federal officials told Congress last month.
There are 134,287 privileged user accounts across the government, according to this year's Federal Information Security Management Act compliance report. Such users have elevated levels of control over federal information, "significantly increasing the risk to government resources if their credentials are compromised," the report states.
OPM, for its part, has now rolled out two-factor verification for all privileged users and for half of regular users, agency officials said last month. All OPM users are expected to be using smart cards in conjunction with passwords by Aug. 1.
A White House Office of Management and Budget spokesman referenced an online fact-sheet outlining the Cyber Sprint when asked about expectations that agencies will make headway instituting two-step login processes. Agencies must “dramatically accelerate implementation of multifactor authentication, especially for privileged users” and “report to OMB and DHS on progress and challenges within 30 days," the directions state.
(Image via Orhan Cam/ Shutterstock.com)