The FIDO Alliance is speaking out in support of Joe Biden’s recent Executive Order concerning cybersecurity. The Executive Order was signed on May 12, and was issued in response to several high-profile cyberattacks that affected the US government and the national infrastructure. That includes the SolarWinds hack and the more recent ransomware attack against Colonial Pipeline that limited the availability of gasoline.
The Executive Order attempts to shore up some of the security gaps that were exposed in those attacks. To that end, it mandates that government agencies adopt strong multi-factor authentication (MFA) protocols, and encrypt sensitive information to the best of their abilities. That applies both to information stored in databases and to data in transit.
Federal Civilian Agencies have 180 days to comply with the Order, and are expected to file a progress update every 60 days. Those that cannot meet the deadline will have to send an explanation to the Secretary of Homeland Security.
For its part, the FIDO Alliance praised the order for emphasizing the importance of MFA, and for making it a priority across the entire federal infrastructure (and not just on the government’s existing PIV/PKI platform). The organization also celebrated the fact that Biden did not specify any one type of MFA, which gives agencies more freedom to implement their preferred authentication system. In that regard, the Order overrides the previous rule that prevented agencies from using any non-PIV authenticator.
The new Order, on the other hand, will allow agencies to use FIDO Authentication as an alternative to PIV technology. FIDO noted that products built to its standards offer full protection against phishing, which is still responsible for the majority of the cyberattacks targeting the government.
The organization has previously worked with the government to bring FIDO authentication protocols to the login.gov web portal. With that in mind, FIDO argued that public and private organizations will need to work together to raise the level of security for essential systems.
May 17, 2021 – by Eric Weiss