What is the Manage Credentials and Authentication (CRED) security capability?
The CRED security capability helps agencies ensure that credentials for physical and logical access to facilities and systems are only assigned to and used by authorized people or services who need specific access to information, systems, and networks to perform their job duties. The security capability also gives agencies insight into risks and weaknesses associated with the management of these credentials.
What security results should we be able to achieve by implementing CRED?
Poor credential management and authentication practices increase the likelihood of unauthorized individuals gaining access to buildings, networks, and information. For instance, attackers can use the following methods to gain access to networks and the systems operating on them:
- Take advantage of weak credential reissuance processes, such as by mimicking a legitimate authorized person and going unchallenged when requesting new credentials;
- Use readily available tools to “guess” weak passwords and use that same password to access additional systems;
- Conduct Internet searches to discover default passwords, and use those to gain access;
- Steal or copy valid credentials or physical tokens used to restrict access, falsely use the credentials of legitimate users, and go undetected; and
- Target remote administrative access that does not require multi-factor authentication or the use of an out-of-band, one-time access credential.
Unauthorized access gained through mismanaged credentials and weak authentication mechanisms has the potential to cause a great deal of harm to agencies. An attacker could use this access to modify accounts, devices, or systems to enable continued remote access and/or prevent detection.
What type of security issues are addressed by the CRED security capability?
Agencies improve their security when they use strong authentication through agency-issued Personal Identity Verification (PIV) cards. The CRED security capability ensures privileged and non-privileged users on the network use strong, authorized, PIV credentials to access information, systems, and networks. This allows agencies to effectively control and monitor their systems and to ensure that only authorized users have access to the information they need to perform their jobs. Additionally, agencies can manage the number of authorized users accessing systems and ensure credentials are valid.
The following characteristics of the PIV card and its use (as specified in Federal Information Processing Standards Publication 201-2 (FIPS 201-2)) make it the preferred credential within federal civilian agencies for privileged and other network users:
- Card Attributes: These smart cards are strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation, and can be rapidly authenticated electronically.
- Credential Management: PIV cards are only issued based on sound criteria. FIPS 201-2 specifies processes for verifying an individual employee or contractor’s identity and ensuring that PIV cards are only issued by providers whose reliability has been established by an official accreditation process.
- Issuance Policy: Credentials are only issued to individuals whose identity has been verified and after a proper authority has authorized issuance. The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-79-2, Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI), contains an assessment and authorization methodology for verifying that issuers are adhering to standards and implementation directives developed under Homeland Security Presidential Directive 12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors.
- Revocation Policy: Certificates on the PIV card shall be revoked within 18 hours after the card is reported as being lost, stolen, or compromised, if not sooner.
- Reissuance Policy: PIV card reissuance is the same as issuance, with the following exceptions:
  - If a PIV cardholder who has lost his or her card and has biometric enrollment records can perform a one-to-one biometric match to reconnect to the same chain-of-trust as that of initial issuance, he or she does not need to perform the identity proofing and registration processes.
  - If a PIV cardholder needs to have a name change and has an official document stating the name change, he or she may receive a new card if the expiration date of the new card is no later than the expiration date of the old PIV card and no data about the cardholder, other than the cardholder’s name, is being changed.
  - If a federal employee who is transferred from one agency to another follows this process, the interaction does not need to include identity proofing and registration processes: when the employee leaves the old agency, he or she surrenders the PIV card and it is destroyed; when the employee arrives at the new agency and is processed, the new agency requests and receives the employee’s chain-of-trust from the old agency; and the employee performs a one-to-one biometric match against the chain-of-trust.
Further implementation guidance on how to PIV-enable federal facilities and information systems, in accordance with Office of Management and Budget Memorandum 11-11 (OMB M-11-11), Continued Implementation of Homeland Security Presidential Directive (HSPD) 12—Policy for a Common Identification Standard for Federal Employees and Contractors, is outlined in the Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Guidance.
For PIV cards, and many other credential types, there are also local policies that each agency must specify and enforce. For instance, while standard issuance policy for PIV specifies the maximum period prior to expiration is six years, local agency policy for this and other credentials may be less.
What can I do to reduce my exposure to attacks exploiting poor credential management and authentication practices?
Agencies should address privileged user credentials first, since these credentials have the highest risk of harm to systems and networks if compromised. However, all users should use agency-issued PIV cards to access their agency’s network, since this is also important to security.
OMB M-16-04, Cybersecurity Strategy and Implementation Plan (CSIP), states that agencies are encouraged to focus on their highest-risk areas first and to leverage the investment that the government has made in strong authentication, as directed through HSPD-12 and FIPS 201-2.
How does the CRED security capability define a credential?
The capability defines a credential as information a person knows, a physical token a person possesses, or a physical characteristic a person has, that is used for authentication to an account or a physical location. Depending on the security level of a system or location, credentials may require one or more of these factors.
How does the CRED security capability support ongoing automated assessments as defined by NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations?
The CRED security capability helps to fulfill the Access Control (AC) and Identification and Authentication (IA) control families in NIST SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations.
What data should we collect to better prepare to implement the CRED security capability?
Agencies should collect data associated with the credentials issued to a user, including the credential type required for a user’s role, actual accounts the user is assigned to or authorized to use, and the locally defined policies for authentication. This will provide measurable data elements for automated security checks. These security checks provide the basis for automating the monitoring, reporting, and prioritization of credential and authentication deficiencies in an agency’s cyber environment. Continuous Diagnostics and Mitigation (CDM) will display deficiencies for review and action.
How can I assign managers for the CRED security capability?
Agencies should collaborate with their designated CDM program point of contact (POC); Identity, Credential, and Access Management (ICAM) program management office; and information security managers to identify individuals responsible for managing credentials and authentication controls on the network.
How can we prevent unauthorized users from getting on the network in the first place?
Requiring PIV card credentials for access to privileged accounts and user network accounts will drastically reduce the use of unauthorized credentials and unauthorized authentication methods on a network. Ensuring that proper credential and authentication procedures are also in place further reduces the opportunity for malicious behavior.
The following actions can help reduce the number of unauthorized credentials or authentication procedures on systems throughout an organization:
- Ensure PIV cards are required to gain access to privileged accounts,
- Ensure PIV cards are required to gain access to a network logon with Active Directory, and
- Continuously monitor the use of credentials and look for anomalies that could indicate other weaknesses within an agency’s privileged account and credential management.
While such actions will not eliminate all unauthorized credentials and authentication procedures, these actions can lower incidence rates, which is a positive step toward credential security.
How does the CRED security capability support other CDM security capabilities?
The CRED security capability supports other CDM security capabilities by providing actual state and desired state conditions related to credential and authentication management within an agency. CDM can compare these conditions to determine risk areas that agencies need to address.
What is the Master User Record (MUR)?
Each CDM Phase 2 security capability requires data on user attributes (e.g., a user’s roles, security privileges, accounts) to enforce policy and identify defects regarding who is on the network. The MUR serves as a repository for user-related data collected from CDM tools and sensors, and contains a set of attributes or assertions about each user. The MUR stores information for each user that requests access to information, information systems, and facilities. It consolidates a user’s comprehensive set of job functions and system roles and their associated accesses and privileges in one place.
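The answers above on collecting credential data, comparing actual state with desired state, and the MUR describe an automated check without showing one. The following Python block is an added illustration, not CDM or DHS code: it assumes MUR-style records with constructed field names (`required_credential`, `credential_used`, `issued`, `reported_lost`, `revoked`), applies the six-year validity maximum and 18-hour revocation deadline quoted on this page together with an assumed stricter local policy, and reports deficiencies for privileged users first.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

PIV_MAX_VALIDITY = timedelta(days=6 * 365)   # maximum period before expiration quoted on this page (FIPS 201-2)
REVOCATION_DEADLINE = timedelta(hours=18)    # revocation deadline for lost/stolen cards quoted on this page
LOCAL_MAX_VALIDITY = timedelta(days=3 * 365)  # constructed, stricter local agency policy for the sample

@dataclass
class MurRecord:
    """Constructed MUR-style attributes for one user; the field names are assumptions."""
    user: str
    privileged: bool
    required_credential: str   # desired state: credential type the role requires
    credential_used: str       # actual state: credential presented at last logon
    issued: datetime
    reported_lost: Optional[datetime] = None
    revoked: Optional[datetime] = None

def cred_defects(rec, now, local_max_validity=PIV_MAX_VALIDITY):
    """Compare one user's actual state with the desired state and list deficiencies."""
    max_validity = min(local_max_validity, PIV_MAX_VALIDITY)  # local policy can only shorten
    found = []
    if rec.credential_used != rec.required_credential:
        found.append(f"{rec.user}: role requires {rec.required_credential}, logon used {rec.credential_used}")
    if now - rec.issued > max_validity:
        found.append(f"{rec.user}: credential older than the {max_validity.days}-day validity limit")
    if rec.reported_lost is not None:
        revoked_at = rec.revoked or now  # still unrevoked: measure the time elapsed so far
        if revoked_at - rec.reported_lost > REVOCATION_DEADLINE:
            state = "still unrevoked" if rec.revoked is None else "revoked late"
            found.append(f"{rec.user}: lost credential {state}, past the 18-hour deadline")
    return found

def prioritized_report(records, now, local_max_validity=PIV_MAX_VALIDITY):
    """Privileged users first (highest risk if compromised), then all other users."""
    ordered = sorted(records, key=lambda r: not r.privileged)
    return [d for r in ordered for d in cred_defects(r, now, local_max_validity)]

# Constructed sample data; not real users or credentials.
NOW = datetime(2024, 3, 1, 12, 0)
SAMPLE = [
    MurRecord("jdoe", False, "PIV", "password", NOW - timedelta(days=400)),
    MurRecord("admin1", True, "PIV", "PIV", NOW - timedelta(days=7 * 365)),
    MurRecord("mlee", False, "PIV", "PIV", NOW - timedelta(days=30), reported_lost=NOW - timedelta(hours=30)),
    MurRecord("ok_user", False, "PIV", "PIV", NOW - timedelta(days=100)),
]

for line in prioritized_report(SAMPLE, NOW, LOCAL_MAX_VALIDITY):
    print(line)
```

Each reported line is one measurable defect of the kind CDM would display for review; the privileged account surfaces first even though it appears second in the input.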