Identification and authentication is one of the central pillars of any cybersecurity strategy, and it is essential to achieving compliance with the DFARS 252.204-7012 clause. Based on NIST SP 800 171, compliance requires adherence to all the primary domains of information security. This also includes measures like mandatory security awareness training, encryption of data at rest or in transit, and configuration management.
What are identification and authentication?
Identification and authentication concern the measures put in place to govern how employees access sensitive information. In the case of DFARS 252.204-7012, this involves the protection of controlled unclassified information (CUI). However, every organization should use stringent access controls to protect all of its potentially sensitive assets, regardless of whether or not it is a member of the 200,000-strong Defense Industrial Base.
The most basic and well-established method of digital authentication is logins and passwords. However, reliance on passwords by themselves are not enough to protect sensitive data, due to the fact they are highly susceptible to social engineering attacks. Even a robust password policy that is properly enforced is not sufficient, which is why there should always be an extra layer of security in the form of multifactor authentication (MFA).
While the US DoD itself uses the common access card (CAC) system to verify user identities, the DFARS 252.204-7012 clause states that organizations are free to use any MFA solution they wish, provided it meets the standards laid out by the NIST SP 800 171 framework. That said, the clause does provide some specifics, which must be applied to any local workstation, cloud-based system, server, or any other asset that stores or transmits CUI:
- Authentication mechanisms must be replay-resistant to protect systems from threats like replay and brute-force attacks.
- The reuse of identifiers should only be allowed for a clearly defined period to prevent security holes forming due to poor habits like reusing passwords.
- Identifiers should be disabled after a predefined period of inactivity, such as to protect dormant user accounts or those belonging to previous employees.
Creating a DFARS-compliant password policy
Passwords remain a central component of access control, and DFARS defines strict rules for their use. Most of these are already standard across all industries, but the main requirements are as follows:
- Passwords must have a minimum complexity to make them practically immune to any brute-force hacking attempt or easy guessing. The ideal password should include both letters and numbers, excluding real words and common names. A password length of at least 12 characters is also strongly advised.
- Passwords should not be reused, at least not within a specific number of generations. For example, passwords should be changed on a regular basis, and it should not be allowed to reuse them for at least five changes. However, temporary passwords can be used for first-time system logons before changing to a permanent password.
- Passwords should only be stored and transmitted under AES-256 encryption or better. This is necessary because password databases are often targeted by attackers. That said, if the passwords are encrypted, they will be useless to the attacker. Finally, every password should be obscured during entry to avoid spying.
What are the best DFARS-compliant protocols?
Identification and authentication protocols specify how the interactions between connected entities take place. Single-factor primary authentication was historically the most common of these methods, but it is also the least secure, and it does not adhere to the standards of the NIST SP 800 171 framework. For example, the password authentication protocol (PAP) does not use any encryption, and only validates the username and password combination provided.
Deploying the right identification and authentication protocol depends on the system. Among the most popular protocols are OIDC and OAuth2. These are suitable for use in distributed IT environments where it is often necessary for the sake of productivity and ease of use to have a single sign-on (SSO) for all apps and systems used for work.
It is also important to understand the difference between the types of protocol. Broadly, there are three main types, which overlap in functionality. Identity protocols supply information about the user, while authentication protocols are based on the exchange of anonymous keys and do not carry any personal identifiers. Finally, authorization protocols, such as OAuth2, can do both, making it the industry standard for simplicity and security.
Charles IT helps organizations prepare for their DFARS readiness assessments by evaluating security performance across the 14 domains of the NIST SP 800 171 framework. Contact us today to schedule your preliminary assessment!