Letter to Hon. Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency - Reps. Clarke and Torres Push for Adoption of Multi-Factor Authentication to Reduce Federal Security Risks

Letter

Date: Jan. 11, 2022
Location: Washington, DC

Dear Director Easterly:

We write to express strong support for the Administration's efforts to reduce security risks to Federal networks by imposing multifactor authentication requirements and to inquire about the implementation status of recent mandates.

As we work to strengthen the security of Federal networks, one of the most critical tools to implement is multifactor authentication. Six years ago, as part of the Federal Cybersecurity Enhancement Act of 2015, Congress required Federal agencies to adopt multifactor authentication for remote access and privileged accounts unless they receive a waiver from the Office of Management and Budget. Unfortunately, it is apparent that not all Federal agencies have complied with this requirement, so a new urgency is needed to address this challenge.

Therefore, we were pleased that President Biden included a mandate that Federal agencies adopt multifactor authentication as part of Executive Order 14028, Improving the Nation's Cybersecurity. Under Section 3(d), Federal agencies were required to implement multifactor authentication by November 8, 2021, or provide a written rationale as to why they were unable to meet this requirement.

It is essential that agencies adopt multifactor authentication that reduces the risk of phishing attacks and provides the greatest level of security. Accordingly, we were glad to see that as part of the Office of Management and Budget's draft zero trust strategy released in September, Federal agencies would be required to adopt phishing-resistant multifactor authentication for agency staff, contractors, and partners. As previous efforts to implement multifactor authentication across the executive branch have clearly not achieved their intended goals, it is important that we work together to ensure that this mandate is implemented effectively in a timely fashion.

As Congress seeks to partner with the executive branch to enhance the security of Federal networks and ensure implementation of multifactor authentication across Federal agencies, we request that you respond to the following questions no later than February 4, 2022:

1. Did all Federal agencies comply with Executive Order 14028's requirement to notify CISA of their adoption of multifactor authentication or provide a written rationale as to why they had not met this mandate? If not, which agencies did not provide the required notice by the deadline stated in the executive order?

2. How many agencies fully adopted multifactor authentication by November 8, 2021, and how many agencies did not?

3. For agencies that were unable to fully implement multifactor authentication by November 8, 2021, what were the most common rationales for why they were unable to do so?

4. What kind of assistance is CISA providing to Federal agencies to assist them in implementing multifactor authentication?

5. What additional resources or authorities are needed to expedite the implementation of multifactor authentication across the Federal government?

6. When do you anticipate Federal agencies will be able to achieve full compliance with multifactor authentication requirements?

Thank you for your attention to this important matter, and we look forward to your responses.

Sincerely,

