International Security Journal: Ensuring Your Organization Stays in Compliance

May 7, 2020

By Mark Allen, General Manager, Premises, Identiv Emerging technologies such as artificial intelligence (AI), machine learning, big data analytics, and the Internet of Things (IoT) are creating new ways for government agencies to conduct daily business. We've entered a new era, one that is defined by a world in which machines learn new tasks automatically; autonomous vehicles communicate with intelligent infrastructure; and smart devices anticipate your specific needs at any given moment. There are many examples of how technology can have unintended homeland security consequences — and that is why regulators are focused on ensuring the systems and solutions we employ to optimize daily operations are, in fact, safe (well, that takes security to a whole new level!). Overall, it's really a very fine line between balancing control and innovation, and this may lead to new questions, the formation of new partnerships, and adopting new processes to keep pace with emerging technologies. While security is essential for any business, it may not seem to be considered an emerging or groundbreaking technology. But the market is evolving and there is a desire to move to new technologies at the federal, state, and local level. But government agencies are bound by a host of regulations and must comply with ordinances and guidelines to ensure the proper technology is used to reduce risk. By leveraging the proper strategies, processes, and guidance from regulatory groups, organizations can create a space that is safe and secure, but also accessible to authorized individuals. In areas with highly sensitive information, having security measures in place that are cutting-edge, impenetrable, and trusted are of the utmost importance. Considering that government facilities range from basic office space, often in shared buildings, to law enforcement, intelligence, diplomatic, military, judicial, correctional, and research facilities, physical access control and identity management systems must be flexible, reliable, connected, and secure at all times. In particular, there are a few key requirements to keep in mind when selecting a solutions approved for use in government applications:

CPNI

CPNI is the government authority for protective security advice to the U.K. national infrastructure. The organization's role is to protect national security by helping to reduce the vulnerability of the national infrastructure to terrorism and other threats. CPNI also tests the security of technologies and only recommends physical and cyber security technologies that meet its stringent requirements. According to the Centre of Protection for National Infrastructure, “everyone with senior executive or board-level responsibility needs to have concise strategic information to guide their decision-making, risk management and governance activities. This is particularly important for the effective management of security at an organizational level.”

Federal Identity, Credential, and Access Management (FICAM)

Since its creation in fall 2008, the Identity, Credential, and Access Management (ICAM) program has focused on addressing challenges, pressing issues, and design requirements for digital identity, credential, and access management. It also focuses on defining and promoting consistency across approaches for implementing ICAM programs as reflected in the FICAM Roadmap & Implementation Guidance (FICAM Roadmap). The FICAM Roadmap was developed to outline a common framework for ICAM within the federal government and to provide supporting implementation guidance for federal agencies as they plan and execute a segment architecture for ICAM management programs. FICAM compliance is mandatory in all government buildings, so it is crucial to choose a solution that abides by these protocols. Advanced FICAM solutions will address the typical pain points associated with FICAM compliance through ease-of-use and by planning for future upgrades to PIV reader capabilities as standards evolve. End-users should choose a technology partner that is established and has a portfolio of products dedicated to FICAM compliance; however, they should also select a provider that is well-positioned to develop new solutions as the threat landscape continues to evolve. Trustworthy technology partners will be able to provide a convenient, compliant, and performant solution that is capable of leveraging existing systems while also being future-proof as new security recommendations are made down the road. Of all the considerations to take into account, FICAM compliance is the most necessary, as it is a federal requirement.

Cybersecurity

According to the 2019 Verizon Data Breach Report, almost 80% of all network intrusions detailed in the survey were the result of the exploitation of weak authentication systems (password hacks), the same results of their 2013 study. When you consider that the average cost to U.S. companies of a data breach is over $8 million, clinging to these single-factor authentication systems is anything but inexpensive. Organizations, particularly government agencies, have woken up to the fact that the current cybersecurity situation is broken and are looking for better solutions. Many of those organizations rely on physical security solution providers to deliver secure, reliable physical access control solutions — and many are now turning to those same providers to achieve the same level of security for the virtual world. There are a few essential cybersecurity tools that all government agencies should leverage, many of which are also FICAM requirements.

Multi-Factor Authentication

Multi-factor authentication is essential for government security and is also a central component in achieving FICAM compliance. Every major hacking incident in the past decade — from Target to Ukraine's power grid — has had one thing in common: the lack of multi-factor authentication. Usernames and passwords, even the most secure and frequently changed ones, are still susceptible to being compromised. The very best passwords can, with the right equipment, be cracked in a matter of weeks. With multi-factor authentication, users add an additional element to the log-in process that makes hacking nearly impossible. Multi-factor authentication can include various elements, from the inclusion of biometrics to the use of one-time passwords. The most common form of multi-factor authentication is two-factor authentication. Two-factor authentication requires something you have and something you know. In 2004, President George W. Bush signed HSPD-11, which began the United States government's road toward mandated two-factor authentication. From that directive, the U.S. government settled on using a smart card with encrypted security certificates — something you have — and an eight to 10-digit personal identification number (PIN) — something you know — as a requirement for access to all government systems. Still, it is important to note that not all multi-factor authentication protocols are created equal. Both native and third-party tools for web access and email, the two most common needs of an employee on their mobile device, are either completely absent or else lack the features needed for an enterprise deployment. Luckily, as manufacturers have specialized and become more acquainted with the government space, they have developed a series of applications that meet these challenges and conform to FICAM compliance.

Easing the Complexity

Regulations, guidelines and ordinances. These rules might seem overwhelming but working closely with solutions vendors who are informed about and understand that we live in a world in which regulators guide buying decisions is critical. Also, the public and private sectors working hand in hand to protect the public can help stimulate economic growth and promote innovation. When choosing to invest in security solutions, it is vital to keep these tips in mind to be sure a system meets all compliance regulations and has room to grow as needs evolve. When in doubt, partnering with a trusted technology provider that has established itself as a government-grade supplier is one way to be sure all of these points are considered. Federal security is unlike security for other vertical markets and requires a specialized and focused understanding of current trends and regulations. Originally posted via International Security Journal (pp. 56 - 58).