Examining the Executive Order’s MFA Requirement
Posted by: Jean-Paul Bergeaux
In past Executive Orders and Presidential Cyber Security Sprints, agencies were required to use MFA to secure privileged / administrative accounts. However, it was left to each agency to determine which non-administrative user and system accounts would also require MFA.
With this recent Executive Order, that appears to change.
Now ALL accounts will require MFA, and that may mean some changes in how agencies answer the MFA requirement. In the past, because the number of accounts in scope was a smaller subset, many agencies relied on hard token MFA, mostly through PIV cards. This just will not scale to all accounts and users, especially contractors, who outnumber government administrators by significant multiples. Agencies can use a mix of hard token MFA for administrative privileged accounts and soft tokens for other accounts, which brings down the cost of meeting the EO requirements and accommodates the ephemeral nature of some users.
The best soft token solution for agencies is an authenticator phone app that allows for “push notifications” while also providing rotating number codes in case the user does not get the push quickly. These types of solutions are fairly ubiquitous, well understood, and require less troubleshooting during installation and in ongoing administration.
Something for agencies to consider is deploying MFA along with a centralized SSO solution, which allows directory services for contractors to be separated from those for permanent users such as government employees. By segmenting these users, agencies can add a further layer of security on top of the MFA rollout.
Jean-Paul Bergeaux
Chief Technology Officer - Federal,
GuidePoint Security
With more than 18 years of experience in the federal technology industry, Jean-Paul is currently the Federal CTO for GuidePoint Security. JP’s career has been marked by success in technical leadership roles with ADIC (now Quantum), NetApp, Commvault and SwishData.
Jean-Paul focuses on identifying customers’ challenges and architecting innovative solutions to solve their complex problems. He is also a thought leader on topics that are top of mind for federal IT managers, such as cyber security, VDI, big data, and backup and recovery.