Security for Security’s Sake Is Just Going Through the Motions
Every day military personnel log into their computers with a Common Access Card (CAC) to do work, handle benefits, and manage paperwork like payroll or tax documents. But what happens when you don’t have your card? Or if you’ve never been issued a card, but have to get into pay systems, health records, or human resources? Retirees, dependents, and some reservists face this situation all the time.
CACs or “CAC lite” cards can cost more than $100 per card per year of their total life cycle. Cost issues prevent them from being issued to everyone, but a solution to letting people securely get into the systems they need has to be found.
Capt. Joseph A. Grace Jr., USN (Ret.), president and chief executive officer of Grace and Associates LLC and a former chief information officer for Navy Medicine, offers one solution in a recent SIGNAL online post.
For those systems without CAC access—which is many of our networks—to feign security, we have implemented processes that are beyond unreasonable and force members to change their 14-character password every 30 to 60 days. Requests for password changes often occur more frequently than the actual process of accessing the website, which means that the password expires and has to be reset every time. Passwords have so many restrictions that it is no wonder people write them down for that easy access. One site reported that 80 percent of its technical support calls were for password resets, which is a significant use of resources.
To access pay records, TRICARE online, Army Knowledge Online or a host of other sites, one must have a CAC or have presented him/herself in person at a PSD, a military treatment facility or some other government location of a person’s inconvenient choosing. However, with budget cuts and base consolidations, many people are not near one of those facilities and yet still need access.
We now have policies across government that use a commercial best practice allowing for National Institute of Standards and Technology (NIST) level-three remote authentication and identity proofing using approved technologies and systems without a CAC. In some cases, the technology already has been purchased, so why is it not being used? It has been stated that no use case or business owner has requested the implementation. If customer service and taking care of the military family and our veterans is really important, I cannot imagine a better use case or requirement. Why do we make it so difficult for people to access the very sites that are supposed to make their lives easier? It just does not make sense.
Realizing that strict standards were required, NIST issued a special publication that describes the requirements (NIST SP 800-63 for Level 3) for this type of remote identity proofing. The Defense Information Systems Agency (DISA) access control Security Technology Implementation Guide (STIG) provides examples of how a solution, similar to that provided by companies such as Equifax’s Anakam Identity Services, can leverages a combination of something you know—a high-entropy password—with something you have—a one-time password device—to enable access to for official use only (FOUO) information, personally identifiable information and electronic protected health information (ePHI) as contemplated under the Health Insurance Portability and Accountability Act (HIPAA) that conforms to MAC III and II. The Department of Health and Human Services’ Centers for Medicare and Medicaid Services (CMS) and DISA have issued policy statements and managed successful pilots of this technology, and the Department of Veterans Affairs purchased this technology three years ago to allow for this exact process, but to date it has not executed this capability.
Reprinted from SIGNAL Online, August 2011, with permission of Signal Magazine. Copyright 2011. All rights reserved.
Recommended For You
Online consumers can make their purchase with various payment options, like credit card, Apple Pay or PayPal. As a result, […]
As an HR professional, it’s your priority to protect employee data. You may not realize it, but responding to employment […]
The CERCA Spring Conference, held on May 16, capped a broadly successful 2018 filing season that saw tax identity theft reduced by […]
Fraudulent account activity and identity fraud are both significant drains to today’s business resources. In the era of online and mobile commerce, […]