New CISA, NSA guidance highlights pain points in identity and security management

Federal agencies and the private sector still face significant challenges in adopting and implementing critical security controls like multifactor authentication and single sign-on services, according to new guidance from the Cybersecurity and Infrastructure Security Agency and the National Security Agency. 

The federal zero trust strategy published last year requires agencies to use "strong MFA throughout their enterprise," and CISA has long urged the public—as well as organizations operating in critical infrastructure sectors—to employ MFA and SSO over the years. 

Despite those efforts, such security measures have not become universally adopted by some critical organizations. A public-private working panel led by CISA and the NSA identified a series of developer and vendor issues complicating the adoption of identity and access management best practices, from ambiguous MFA terminology and a lack of clarity around its security properties, to other major technical gaps that prevent MFA and SSO deployment across sectors.

The Enduring Security Framework, a CISA and NSA working panel that includes a public-private cross-sector partnership, published guidance on Wednesday that describes MFA deployment as a "notoriously difficult" challenge for many organizations, due in part to "confusing definitions and unclear policy" around its different variations. 

The report says MFA provides "differing levels of security" and notes that SMS-based MFA is particularly vulnerable to attacks and "considered among the least secure MFA options." It also points out the "significant tradeoff between functionality and complexity" in the deployment of SSO technology, adding that sophisticated measures often require "significant numbers of highly skilled personnel to operate in a secure way."

"There is a need for clarity, interoperability and standardization amongst MFA variations to allow organizations to make value comparisons and to integrate these solutions into their environment," the guidance says.

CISA and the NSA called on the vendor community to provide MFA services with additional investments and greater defenses against sophisticated attacks from threat actors, including phishing-resistant authenticators that can be simplified for adoption and embedded into operating systems. 

The guidance also recommends identity and access management vendors develop more secure enrollment tools and automated methods to detect and remove MFA authenticators that are no longer in use. The goal of the recommendations is to streamline MFA and SSO processes and provide standardization across sectors, according to the Enduring Security Framework.