The time has finally come for multifactor authentication in DoD. The DoD has finally put its foot down on securing privileged account access. All devices and products coming into DoD (especially through DoDIN/UC APL testing) will be held to account against the Network Device Management (NDM) Security Requirements Guide (SRG). The NDM SRG contains only a single CAT 1 finding: multifactor authentication for privileged user accounts. Details are here:
Network Device Management Security Requirements Guide :: Release: 7 Benchmark Date: 28 Oct 2016
Rule Title: The network device must use multifactor authentication for network access to privileged accounts.
Multifactor authentication requires using two or more factors to achieve authentication. Factors include:
(i) something a user knows (e.g., password/PIN);
(ii) something a user has (e.g., cryptographic identification device, token); or
(iii) something a user is (e.g., biometric).
Network access is defined as access to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., LAN, WAN, or the Internet).
DoD has mandated the use of the Common Access Card (CAC) token/credential to support identity management and personal authentication for systems covered under HSPD 12. DoD recommended architecture for network devices is for system administrators to authenticate using an authentication server using the DoD CAC credential with DoD-approved PKI.
This requirement also applies to the account of last resort and the root account only if non-local access via the network is enabled for these accounts (not recommended).
Determine if the network device is configured to use an authentication server for authentication of all users, including administrator accounts. Verify the account of last resort and root account are not enabled for network access.
If multifactor authentication is not used for network access to all privileged accounts, this is a finding.
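The check text above asks two things of a device: that network logins go through an authentication server, and that the account of last resort and root are not reachable over the network. The following script is an added example (not part of the original post and not a DISA tool) that applies those two conditions to a Cisco IOS-style running-config. Both configurations are constructed for the example; the server group, method list, and user names are hypothetical placeholders.

```python
"""Added example, not code from the original post or from DISA: a small audit of a
Cisco IOS-style running-config against the SRG check quoted above. The two
configurations below are constructed for this example; the server and list names
are hypothetical. It reports (1) any vty line whose login method list has no
RADIUS/TACACS+ authentication server, and (2) any vty line that lets local
accounts (the account of last resort, root) in over the network."""
import re

COMPLIANT_CONFIG = """\
aaa new-model
tacacs server MFA-APPLIANCE
 address ipv4 192.0.2.10
aaa group server tacacs+ MFA-GROUP
 server name MFA-APPLIANCE
aaa authentication login VTY-AUTH group MFA-GROUP
aaa authentication login CONSOLE-AUTH local
username lastresort privilege 15 secret 9 PLACEHOLDER-HASH
line con 0
 login authentication CONSOLE-AUTH
line vty 0 4
 login authentication VTY-AUTH
 transport input ssh
"""

NONCOMPLIANT_CONFIG = """\
aaa new-model
aaa authentication login default local
username root privilege 15 secret 9 PLACEHOLDER-HASH
line vty 0 4
 login authentication default
 transport input ssh
"""


def parse_login_lists(config):
    """'aaa authentication login <name> <methods...>' -> {name: [(kind, arg)]}."""
    lists = {}
    for line in config.splitlines():
        m = re.match(r"aaa authentication login (\S+) (.+)$", line)
        if not m:
            continue
        tokens, methods = m.group(2).split(), []
        while tokens:
            kind = tokens.pop(0)
            # 'group <name>' names a server group; other methods (local, enable, none) stand alone
            methods.append((kind, tokens.pop(0) if kind == "group" and tokens else None))
        lists[m.group(1)] = methods
    return lists


def parse_vty_lines(config):
    """'line vty a b' -> name of its login list ('default' if none is set)."""
    vty, current = {}, None
    for line in config.splitlines():
        if line.startswith("line vty "):
            current = line.strip()
            vty[current] = "default"
        elif line.startswith("line "):          # console/aux blocks are not network access
            current = None
        elif current and line.strip().startswith("login authentication "):
            vty[current] = line.split()[-1]
    return vty


def audit_aaa(config):
    """Return the list of findings; an empty list means the check passes."""
    findings = []
    if "aaa new-model" not in config.splitlines():
        findings.append("aaa new-model is not enabled, so no AAA method list is in effect")
    lists = parse_login_lists(config)
    for vty, name in parse_vty_lines(config).items():
        methods = lists.get(name, [])
        kinds = [kind for kind, _ in methods]
        if "group" not in kinds:
            findings.append(f"{vty}: list '{name}' uses no RADIUS/TACACS+ authentication server")
        if kinds and all(k == "local" for k in kinds):
            findings.append(f"{vty}: local-only login exposes the account of last resort/root to network access")
        elif "local" in kinds:
            findings.append(f"{vty}: list '{name}' falls back to local accounts; review whether that fallback is permitted")
    return findings


if __name__ == "__main__":
    for label, cfg in (("compliant", COMPLIANT_CONFIG), ("noncompliant", NONCOMPLIANT_CONFIG)):
        print(label, audit_aaa(cfg) or ["no finding"])
```

The compliant sample keeps the local account on the console list only, which is exactly the separation the SRG is after: the account of last resort still exists for out-of-band recovery, but no vty line can reach it. A method list such as `group MFA-GROUP local` is reported separately as a fallback to review rather than a hard finding, since the reviewer has to decide whether server-unreachable fallback is acceptable for that device.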
I’m a Product Vendor – How Does This Affect Me?
You need to provide support for it. DoD prefers that you use PKI smartcard authentication (e.g., Common Access Cards (CACs)). In fact, there is now broad support for it in general-purpose software such as Apache HTTPD and Microsoft IIS. However, if your device/product only really supplies a command-line interface (CLI), CAC authentication isn’t possible for you right now. This leaves you only a few options: bring your own MFA, or integrate with COTS MFA solutions. Entrust, RSA SecurID, and others all have multifactor tokens that enterprises have been using for decades. However, if the organization you are selling your product to does not have that capability, you force them to buy one.
Or you can brew your own. However, the easiest way would be to get in contact with us ASAP! We have a pre-configured solution that will solve all your problems. The only requirements for your device are as follows: you must obtain your own YubiKey tokens, your product must have a RADIUS or TACACS+ client, and the organization must have a connection to an Active Directory environment to use for admin user account authorization. Tachyon Dynamics offers the following solution, a YubiKey and Red Hat Enterprise Linux 6.9 appliance, to all of its former, current, and future clients. Take a look at the details of this offering here.
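For a CLI-only product, "your product must have a RADIUS client" comes down to one exchange: the device wraps what the administrator typed into an Access-Request, the authentication server checks both factors and answers with a signed Access-Accept or Access-Reject, and the device must verify that signature before granting privilege. The code below is an added example with both sides in one file; it is not code from the original post and not the Tachyon Dynamics appliance. Everything in it is constructed: the shared secret, the user table, the NAS identifier, and an RFC 4226 HOTP code standing in for the hardware token's second factor (a YubiKey OTP has a different format, and the Active Directory authorization step the post describes is not modelled).

```python
"""Added example, not code from the original post or from Tachyon Dynamics' appliance.
RFC 2865 Access-Request / Access-Accept with client and server in one file.
Constructed for this example: SECRET, USERS, the NAS identifier, and an RFC 4226
HOTP code standing in for the hardware token's second factor."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3          # RFC 2865 codes
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32
SECRET = b"constructed-shared-secret"                          # constructed, not real

# Constructed user table: static password (something known) + HOTP seed (something held).
USERS = {b"priv-admin": {"password": b"correct horse",
                         "token_key": b"12345678901234567890", "counter": 0}}


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP, the stand-in for the token's one-time code."""
    d = hmac.new(key, struct.pack("!Q", counter), hashlib.sha1).digest()
    off = d[-1] & 0x0F
    code = (struct.unpack("!I", d[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}".encode()


def check_factors(username, credential):
    """Server policy: the credential is the password followed by the 6-digit token code."""
    user = USERS.get(username)
    if user is None:
        return False
    pw_ok = hmac.compare_digest(credential[:-6], user["password"])
    for c in range(user["counter"], user["counter"] + 3):   # small look-ahead window
        if hmac.compare_digest(credential[-6:], hotp(user["token_key"], c)):
            if pw_ok:
                user["counter"] = c + 1                  # burn the code so it cannot be replayed
            return pw_ok
    return False


def _attrs(pairs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def _parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        t, ln = data[i], data[i + 1]
        attrs[t] = data[i + 2:i + ln]
        i += ln
    return attrs


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2 User-Password hiding: XOR with a chained MD5 keystream."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(code, ident, body, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def build_access_request(ident, username, credential, secret):
    """Client side (the product's RADIUS client)."""
    request_auth = os.urandom(16)
    body = _attrs([(ATTR_USER_NAME, username),
                   (ATTR_USER_PASSWORD, hide_password(credential, secret, request_auth)),
                   (ATTR_NAS_IDENTIFIER, b"cli-appliance")])        # constructed name
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + request_auth + body, request_auth


def server_handle(packet, secret, policy=check_factors):
    """Server side: recover the credential, apply policy, sign the answer."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth, attrs = packet[4:20], _parse_attrs(packet[20:length])
    credential = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    resp = ACCESS_ACCEPT if policy(attrs[ATTR_USER_NAME], credential) else ACCESS_REJECT
    resp_auth = response_authenticator(resp, ident, b"", request_auth, secret)
    return struct.pack("!BBH", resp, ident, 20) + resp_auth


def client_verify(response, request_auth, secret):
    """Client side: (authentic, accepted). 'accepted' is only meaningful when authentic."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, ident, response[20:length], request_auth, secret)
    authentic = hmac.compare_digest(expected, response[4:20])
    return authentic, authentic and code == ACCESS_ACCEPT


def authenticate(username, password, otp, secret=SECRET, ident=1):
    """Full round trip; returns (authentic, accepted)."""
    packet, request_auth = build_access_request(ident, username, password + otp, secret)
    return client_verify(server_handle(packet, secret), request_auth, secret)


if __name__ == "__main__":
    print(authenticate(b"priv-admin", b"correct horse", hotp(b"12345678901234567890", 0)))
```

Two points the code makes that the prose does not: the server burns the HOTP counter only on a fully successful login, so a captured code cannot be replayed, and the client treats an Access-Accept whose Response Authenticator does not verify as a failure, not as a pass. The User-Password hiding is MD5 keystream under a shared secret, not encryption, so in a real deployment the RADIUS path between device and appliance still belongs on a protected transport (IPsec, or RadSec per RFC 6614).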
I’m a DoD Enterprise – How Does This Affect Me?
You will need to implement it. All DoD enterprises have known that two-factor and multifactor authentication has been a requirement for them (for over 15 years now) on everything from network devices, routers, switches, and firewalls to host and server operating systems. The difference now is that this SRG could be held as an item reviewed in a Command Cyber Readiness Inspection (CCRI). As with DoD APL testing, a CCRI can highlight CAT 1s as well, meaning the enterprise’s authority to operate (ATO) may be in jeopardy.
The first thing you need to do is find out the multifactor authentication capabilities of your software, applications, and products. As previously stated, if your application sits on a general-purpose operating system like Microsoft Windows Server 2008+ or Red Hat Enterprise Linux 6.9+, then you should work on integrating DoD PKI CAC authentication, as this is the most preferred option in DoD.
However, if CAC authentication is not feasible, get in contact with us and see how we can help.