Weak user authentication permitted testers to penetrate the Transportation Department-wide network undetected, says a new departmental office of inspector general report.
The Postal Service awarded Aug. 20 a $15 million contract to stand up a Federal Cloud Credential Exchange. The one-year pilot will create an authentication infrastructure that enables individuals to securely access online services at multiple federal agencies.
Two memos released by the Navy Department chief information officer in short succession show the department edging away from the dedicated machine model that's dominated computing for the past 4 decades. In a July 29 memo (.pdf), DON CIO Terry Halvorsen says all Navy and Marine Corps servers should be virtualized by the end of fiscal 2017.
The registry isn't encrypted, and doesn't require multifactor authentication for registry users to log on to the system. FAA officials told auditors that they use digital signatures to authenticate users, but auditors say they found that not to be the case. There are more than 38,000 registry users who aren't FAA employees, but the agency "only sporadically validates" user accounts and doesn't routinely monitor who's accessing sensitive registry data.
The vulnerability of medical devices to network attacks--increasingly a concern as devices add network capabilities, although no known fatality has yet been caused by a cyber attack--would have to be addressed by manufacturers under draft guidance issued June 14 by the Food and Drug Administration.
Rather than, for example, build a new system to capture photographs of possible improvised explosive devices for analysis with dedicated hardware and software, "they can leverage a mobile device that will take that picture and send it back to the server, and all [the Marines on patrol] are focused on is the application," said Capt. Josh Dixon, project officer for technology transition within the Marine Corps Systems Command.
Given the array of digital credential providers and agencies' unique business requirements, there are no uniform methods for revoking credentials or their associated attributes, finds a recently published National Institute of Standards and Technology interagency report (.pdf).
The Internal Revenue Service's efforts to upgrade its systems to use SmartID cards are 22 months behind schedule, according to a Treasury Inspector General for Tax Administration report (.pdf) dated Sept. 28 but only released publicly Nov. 15. The delays have also been costly. The IRS-acquired products are compliant with technical specifications; however, two acquired software licenses went unused.
The National Institute of Standards and Technology awarded Sept. 20 five pilot projects worth more than $9 million in grant funding to demonstrate identity solutions under the National Strategy for Trusted Identities in Cyberspace, or NSTIC. "The awardees actually came in with specific proposals to take that product and work with a number of partners to actually deploy it," said Jeremy Grant, head of the NSTIC National Program Office.
Federal cybersecurity czar Howard Schmidt says the Obama administration will now focus on three priority areas needing improvement. In a blog post dated March 23, Schmidt says the Trusted Internet