In 2015, the federal government’s Office of Personnel Management discovered two cybersecurity incidents that compromised the records of employees and contractors. Sensitive data for millions of personnel were stolen, including Social Security Numbers and information from background checks. The breach was investigated by the Federal Bureau of Investigation and the Department of Homeland Security and led to new mandates designed to strengthen data protection and prevent future incidents. The Office of Management and Budget (OMB) mandated that all Department of Energy (DOE) sites, including Lawrence Livermore, implement multifactor authentication (MFA) using the DOE-issued HSPD-12 badge for 100 percent of their user populations; at Livermore, that meant the entire Laboratory population.
Based on the DOE’s Multifactor Implementation Plan, Livermore Information Technology (LivIT) began the design and implementation of MFA across all onsite desktop computers, laptops, and servers. The OMB mandate required the highest level of identity validation and authentication strength, Level of Assurance 4 as defined in NIST Special Publication 800-63 at the time. At this level, the user’s identity is verified in person and an electronic certificate, together with the private key it corresponds to, is issued to and stored on a hardware cryptographic token. The private key never leaves the token, so a successful logon proves both possession of the token and knowledge of the PIN that unlocks it. In this case, the token is the chip on the HSPD-12 badge itself, and the badge becomes a “smartcard.” Robyne Teslich led the implementation team of more than 30 personnel from LivIT, Computer Systems Support, Cyber Security, and the Security Organization.
The Laboratory defined a three-phase implementation approach: Readiness, Opt-in, and Mandatory. The Readiness phase included developing tools and software, procuring readers, and assessing the current environment. The team reviewed and categorized account types across Livermore computers as standard users, standard users with local administrative access, system administrators, and developers (who require privileged access to develop code because of the nature of their systems). The Opt-in phase gave early adopters time to test the tools, the automated processes for bypassing MFA in certain situations, and the automated exemption request system. Finally, the Mandatory phase pushed new configurations to computers that enforced the use of smartcard authentication.
“The Laboratory has 11,000 computers,” notes Teslich, citing additional challenges such as the requirement to support MFA on multiple operating systems. “The fact that all users would still need to use their username/password for application authentication meant we couldn’t enforce MFA on the accounts, but had to enforce it on the device. So implementation became more complex because we needed to determine which devices were associated with a particular user,” she explains. Furthermore, uncleared employees and foreign nationals are not issued the same type of badge as cleared employees, so those populations had to be exempted from initial deployment.
Figure 1. The Secure Shell (SSH) protocol uses cryptography to protect data transmitted over an unsecured network. The Kerberos authentication protocol uses “tickets” to authenticate users and services across a nonsecure network, for example when a system is accessed with the Remote Desktop Protocol.
After nine months of development, the initial MFA rollout began in July 2016 and concluded in September. “The timeline was very aggressive,” says Teslich. “To meet the deadline, we had to redirect resources and reprioritize other work. We had to negotiate with DOE headquarters and our local site office on technical exclusions.” In addition to requiring all users to know or reset the personal identification numbers (PINs) that unlock their badges, smartcard readers were installed on each desktop and laptop computer. The reader communicates with the certificate-bearing chip on the user’s Laboratory badge; once the chip is unlocked with the PIN, it signs a challenge from the computer, and that signature proves the badge is present and authenticates the user to that specific computer.
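The certificate-on-a-token logon described in the two passages above (the Level of Assurance 4 requirement and the badge-reader step) reduces to a challenge-response exchange: the workstation issues a fresh nonce, the card signs it with a private key that never leaves the chip, and the workstation verifies the signature against the public key bound to the user’s certificate. The following Go program is an added illustration of that exchange, not code from the Laboratory or from any PIV middleware. It assumes a single enrolled P-256 key standing in for the certificate chain, a three-try PIN retry counter like the one on a PIV card, and in-memory objects (`Token`, `RelyingParty`) that are this example’s own names; a real deployment talks to the card over PC/SC and validates the full certificate path, which is omitted here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// maxPINRetries mirrors the retry counter on a PIV card: after this many
// wrong PINs the card refuses to use its private key until it is unblocked.
const maxPINRetries = 3

var (
	ErrLocked   = errors.New("token locked: PIN retry counter exhausted")
	ErrWrongPIN = errors.New("wrong PIN")
)

// Token models the chip on the badge (hypothetical type for this example).
// The private key is generated inside the token and is never exported; the
// only operation the host can request is a signature, and only with the PIN.
type Token struct {
	priv      *ecdsa.PrivateKey
	pin       []byte
	remaining int
}

// NewToken personalizes a token with a fresh P-256 key and the holder's PIN.
func NewToken(pin string) (*Token, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Token{priv: priv, pin: []byte(pin), remaining: maxPINRetries}, nil
}

// PublicKey is the value the issuing CA binds to the holder's identity in the
// authentication certificate; the relying party learns it at enrollment.
func (t *Token) PublicKey() *ecdsa.PublicKey { return &t.priv.PublicKey }

// Sign succeeds only if the caller holds the token (possession factor) and
// knows the PIN (knowledge factor). Each wrong PIN decrements the counter;
// when it reaches zero the key is unusable until the card is unblocked.
func (t *Token) Sign(pin string, challenge []byte) ([]byte, error) {
	if t.remaining == 0 {
		return nil, ErrLocked
	}
	if subtle.ConstantTimeCompare([]byte(pin), t.pin) != 1 {
		t.remaining--
		if t.remaining == 0 {
			return nil, ErrLocked
		}
		return nil, ErrWrongPIN
	}
	t.remaining = maxPINRetries
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, t.priv, digest[:])
}

// RelyingParty models the workstation side (hypothetical type): it holds the
// enrolled public key and issues one random challenge per logon attempt.
type RelyingParty struct {
	enrolled    *ecdsa.PublicKey
	outstanding []byte
}

func NewRelyingParty(pub *ecdsa.PublicKey) *RelyingParty {
	return &RelyingParty{enrolled: pub}
}

// Challenge returns a fresh 32-byte nonce. A new nonce per attempt is what
// stops a captured signature from being replayed at a later logon.
func (rp *RelyingParty) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	rp.outstanding = nonce
	return nonce, nil
}

// Verify accepts the logon only if sig is a valid signature by the enrolled
// key over the currently outstanding challenge. The challenge is consumed
// whether or not verification succeeds.
func (rp *RelyingParty) Verify(sig []byte) bool {
	if rp.outstanding == nil {
		return false
	}
	digest := sha256.Sum256(rp.outstanding)
	rp.outstanding = nil
	return ecdsa.VerifyASN1(rp.enrolled, digest[:], sig)
}

func main() {
	tok, _ := NewToken("123456")
	rp := NewRelyingParty(tok.PublicKey())

	ch, _ := rp.Challenge()
	sig, _ := tok.Sign("123456", ch)
	fmt.Println("correct PIN, fresh challenge:", rp.Verify(sig))

	rp.Challenge() // new nonce: the old signature no longer matches
	fmt.Println("replayed signature:", rp.Verify(sig))

	for i := 0; i < maxPINRetries; i++ {
		_, err := tok.Sign("000000", ch)
		fmt.Println("wrong PIN:", err)
	}
	_, err := tok.Sign("123456", ch)
	fmt.Println("correct PIN after lockout:", err)
}
```

Two properties of the real scheme are visible here: stealing the PIN alone buys nothing without the chip (the `Token` is the only thing that can sign), and recording one logon buys nothing later because each `Challenge` is fresh and consumed on `Verify`. What the example does not model is the Laboratory’s observation that the card stays in the reader: the mechanism proves presence at logon, not that the badge is still with its holder afterward.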
The implementation plan also included bypass capabilities and an exception-handling process. According to Teslich, exceptions were granted when equivalent or better security measures were already in place. “Specialized, segregated networks like the National Ignition Facility’s control network and those used for high performance computing systems already have authentication methods in place that sufficiently secured access while still enabling the function of those networks,” she says. Additional exceptions were warranted when implementation was technically infeasible, such as for laptops used during foreign travel or home systems used for remote access. An automated exception management system was developed to streamline the approval, implementation, and tracking of system exceptions.
The MFA team also rolled out an end-user communication strategy working with LivIT Customer Service, Operations, and Support. “The use of smartcards, especially when the smartcard is also a badge used for physical access to the site, presents a significant challenge for employees,” explains Teslich. “They forget to take the card out of the reader.” She emphasizes the importance of using multiple channels to encourage compliance: video announcements, newsletters, e-mail, bulletin boards, managers’ communications to direct reports, mailers, and signage around offices and at the point of smartcard use.
Figure 2. The Laboratory-wide communication campaign for multifactor authentication includes posters reminding users to keep their badges, which double as smartcards, with them when away from their computers.
Livermore is required to report compliance metrics to DOE headquarters monthly. Compliance measures are updated in a cybersecurity reporting system that is reviewed by the DOE, the OMB, and the National Nuclear Security Administration. Accountability is ongoing, as the team investigates alternatives to using badges as smartcards. Teslich notes, “Our goal is to continue to improve and simplify our authentication requirements for all information technology systems at the Laboratory.”