Cyber Access Control | MFA Enterprise Password Management | Access Smart

Archive for Data Security

Giant Hole in Government’s Cybersecurity Strategy

The government is never going to fix its cybersecurity problem until it fixes its procurement problem!


Shockingly, there are no NAICS, SIC or SIN CODES for cybersecurity products on the GSA Schedule. As a California Certified Small Business owner who offers multi-factor authentication (MFA) products on the GSA Schedule, this is a serious problem.

Without cybersecurity procurement codes, government agencies and departments are unable to find, let alone implement, targeted products and services to keep our nation’s electronic data secure. Current procedure involves a keyword search on the GSA Schedule. If the exact keyword is not typed or listed, no match is found. An agency’s only recourse then becomes generating expensive and time-consuming RFIs, RFPs and RFQs. Cybersecurity NAICS, SIN and SIC codes are designed to streamline the entire process, save money and ensure fast cybersecurity implementations.

Biometric Fanatics Missing the MFA Point When They Kill Passwords

Why do biometric fanatics want to “Kill Passwords?”

Killing passwords won’t solve cyber crime. It will make it worse.

When biometric fanatics evangelize “Kill Passwords!” in favor of biometrics they create a false security narrative. Replacing one form of Single Factor Authentication (SFA) with an alternate form of Single Factor Authentication adds nothing. It simply trades one factor for another. The whole security argument against any Single Factor Authentication is that the hacker only needs one piece of information to break in.

While biometric fanatics like to tout the weaknesses found in knowledge-based authentication (and I readily admit there are some), there are also a number of inherent weaknesses in biometrics. In this series of short blog posts, I will outline those weaknesses. My ultimate goal is for the reader to understand that if we go down the “either/or” cybersecurity path in choosing biometrics over passwords, everyone loses. The smart and secure cybersecurity solution is the “and” path, also known as Multi-Factor Authentication (MFA).

Passwords are Protected by the U.S. Constitution!

Did you know: The U.S. Courts have deemed that passwords are protected under the U.S. Constitution?

U.S. Courts have ruled that passwords are considered free speech since they are considered “knowledge”. Therefore, under the Bill of Rights, 5th Amendment, no person is required to disclose information that could incriminate themselves. DNA and biometrics, on the other hand, are not protected by these same rights. What’s more, Private Keys are not protected by the Constitution since they are computer generated and not considered an individual’s “knowledge”.

Cybersecurity NAICS Codes May Be Coming Soon

Cybersecurity NAICS Codes Lobbying

On February 9, 2016, President Obama announced that $19B should be placed in the 2017 budget for cybersecurity. Being a Cybersecurity SMB, this seemed like a dream come true, but having already been on the GSA Schedule for almost two years, my phone has not been ringing off the hook with Government interest. So I asked around and found out that many agencies did not know how to find cybersecurity products.

That same month, February 2016, I started a grassroots lobbying campaign to help government agencies find and acquire cyber security products and services. My idea seemed simple: have NAICS, SIN, and SIC procurement codes assigned specifically to cybersecurity products and services. Well, I might have achieved success. Here is the sequence of recent events.

On Feb. 27, 2016, I wrote the following letter to Senator Tom Carper (DE) as well as many other Senators, Congressmen, Congresswomen, agency leaders, and even President Obama. I also posted articles in LinkedIn, and asked for help from companies like Microsoft through their Voices for Innovations group. Here is a sample of one such letter:

Dear Senator Carper,
As the Ranking Member of Homeland Security and Government Affairs, I want to discuss President Obama’s February 9, 2016 announcement regarding Cybersecurity National Action Plan (CNAP). I appreciate that his vision includes both the immediate need to plug holes in the current infrastructure as well as a long term strategy which moves us away from the Band-Aid approach and toward keeping our nation and its people strong and secure.

As a California Certified Small Business owner who offers a multi-factor authentication (MFA) product already on the GSA Schedule, I have an important concern. Currently, there are no NAICS codes for cybersecurity products on the GSA Schedule. This makes it difficult for government agencies and departments to find, let alone implement, the products he is mandating.

One federal agency, (agency’s name removed per their request for security reasons), has evaluated, purchased and successfully implemented our multi-factor authentication password manager to protect their 700 high value servers. Our product, Power LogOn, saved them both money and implementation time because it works with their existing PIV ID badge, creating both high level MFA cybersecurity and convenience. They put Power LogOn through a rigorous evaluation process during which it acquired a FIPS 140-2 verification from an independent NIST laboratory (InfoGard) and a NIST FIPS 201 waiver.

My problem is that the agency cannot tell any other agency about our product because they will be seen as promoting a vendor. It’s a daunting task for a small company to have to start from scratch with every agency and department when the proper placement of our services on a dedicated NAICS code for Multi-Factor Authentication Cybersecurity would allow agencies and departments to easily find and implement the products and services outlined in the CNAP. This would help all companies to be easily identified for cybersecurity products and services on the GSA Schedule, not just me.

President Obama stated that Multi-Factor Authentication will be central to our new National Cybersecurity Awareness Campaign. As the large corporations in this country now scramble to create products to serve that purpose, my business has a 10-year track record of excellent performance and customer satisfaction with agencies and industries including…Government, hospitals, medical offices, education, insurance companies, law enforcement, county governments, Native American Tribal Nations, and more.

The reason the GSA Schedule is so important to your CNAP plan is that agencies will be able to find and simply purchase what they need. They will not be burdened by the time and cost of a large and cumbersome procurement bidding process. Because Power LogOn is already on the GSA Schedule, agencies can implement multi-factor authentication quickly and easily, immediately plugging any holes in their current infrastructure.

Our product takes only hours to implement because it leverages existing technologies. This means agencies can be secured immediately. Having a multi-factor authentication password manager removes the end user from the position of Network Security Administrator by removing their need (and ability) to generate, remember, type, manage or even know their passwords. This also reduces the burden on IT administrators who no longer have to waste time resetting forgotten passwords because they can now be centrally controlled. And by leveraging the government’s existing infrastructure investments, Power LogOn also saves taxpayers a significant amount of money.

I have been in this industry for over 25 years and I have a book coming out next month that outlines how to implement cybersecurity authentication solutions. My only other question is: How can I and my business contribute to CNAP and the vision for our nation’s cybersecurity?

Thank you for your time and consideration.
With warmest regards,

Cybersecurity Procurement Inquiry on OMB by Senator Carper:

An article in e-Commerce Times, “Feds Prep for Cybersecurity Buying Spree,” on April 18, 2016 included this section:

Pressure on OMB

Sen. Tom Carper, D-Del., has asked the Office of Management and Budget to respond by May 8 to his concerns that federal agencies are not taking advantage of innovative cybersecurity offerings, particularly from small businesses and startups.

“From what I understand, however, flaws in the federal acquisition process can limit the tools agency network defenders can obtain,” he noted in a letter to OMB Director Shaun Donovan.

“Our discussions made it clear that, because the techniques our adversaries use against us online are always evolving, deploying innovative products and services is critical to staying ahead of the threats we face online,” Carper said, referring to a meeting he attended with small businesses.

The companies pointed out that private sector financial institutions, power companies, retailers and others “are able to quickly reap the benefits of the many new and innovative cyberdefense products put on the market each year,” he said.

“It was not clear to them that federal agencies are similarly able to rapidly acquire new and innovative cybersecurity solutions,” Carper added.

“What are agencies doing to acquire innovative cybersolutions developed by startups and other companies that have not traditionally done business with the government? How successful have agencies been in doing so? Are any agencies piloting innovative procurement processes for rapid acquisition of cybersecurity tools? What action has OMB taken, or is planning to take, to guide agencies in the rapid procurement of new and emerging cybersecurity tools?” Carper asked.

 

Cybersecurity RFI from the GSA:

Finally, on April 11, 2016, the GSA posted an RFI (Solicitation Number: QTA00DF16DPI0002) to help GSA identify current offerings available, improve the visibility of those offerings, and determine gaps that need to be filled regarding Cybersecurity products and services. We replied to the RFI. Here is one of our answers to Question 3:

 3. What are the advantages and/or disadvantages of how the government currently purchases cybersecurity products and services?
Currently, there are no Schedule 70, NAICS, SIC or SIN procurement codes for cybersecurity products on the GSA Schedule. Many cybersecurity companies have to list their products under very general codes. For example, while we are listed on the GSA Schedule, the best NAICS matches the GSA office has for our cybersecurity products and services are:

• 511210 – Software Publishers,
• 334119 – Other Computer Peripheral Equipment Manufacturing, and
• 541512 – Computer Systems Design Services.

None of these are obvious cybersecurity categories. The SIC and SIN codes are no better.

Without cybersecurity procurement codes, government agencies and departments are unable to find, let alone implement, targeted products and services to help keep our Nation’s electronic data secure. Their current procedure is to do keyword searches on the GSA Schedule and hope they find something. If they don’t put in the appropriate keywords or vendors have not listed those keywords, the agency finds no match. Their only recourse is to generate expensive and time-consuming RFIs, RFPs and RFQs. Cybersecurity NAICS, SIC and SIN codes would streamline the entire process, save money, and ensure fast implementations.

Without updated procurement codes, small businesses like mine are at a great disadvantage. We don’t have the ability to lobby all the agencies about our state-of-the-art solutions, so contracts are always awarded to the major primes which often are not up to speed fighting the latest hacking technology or methodology. When we contact the primes to tell them what we offer with hopes to be a supplier, they too don’t know how to classify our products to easily drop into their government bids (no codes to match against). Cybersecurity procurement codes would help to even the playing field for small businesses.

Government agencies need cybersecurity NOW. The outrageously expensive and time-consuming solutions of the past cannot be implemented fast enough to keep pace with the onslaught from rogue cyber threats. Passwords are still widely used throughout the government and switching over to new authentications would be time-consuming and costly. The government needs security today that can be implemented within a few days, and saves money. When passwords are compromised, all the expensive back end security in the world becomes instantly useless. Securing the front end or “virtual front door” is essential.

Access Smart allows government agencies to quickly add a new application to their existing PIV/CIV/CAC without re-calling, re-issuing, or re-programming the credential. That is why our product won a FIPS 201 waiver. And because security is of high importance to Access Smart, Power LogOn was tested and received a FIPS 140-2 verification from the NIST independent test lab InfoGard.

Our Power LogOn product authenticates the user when the computer is first turned on, before the operating system fully boots up. Power LogOn continues to authenticate the user during computer usage: when requesting logon to a website, application, network, or cloud. This extra layer of security protects data while enhancing the user’s convenience. Making passwords convenient for the user ensures they will not (or cannot) circumvent security for convenience.

Cybersecurity Scores One for the Little Guys!

How much I and my lobbying actually played into these events is anyone’s guess. Granted, I like to think I had a part. While I could not have been successful in my lobbying campaign without the assistance of a lot of people both known and unknown, I feel like I chalked one up for us little guys in helping the U.S. Government.

Finally, the real winners are the many businesses whose products will now be visible to the Government and Government Primes because cybersecurity products and services will become easier for agencies to identify and procure off the GSA Schedule.

 

Power LogOn® now supports Windows 10

Access Smart® Improves Cybersecurity with Power LogOn – Multifactor Password Manager for Business.

Ladera Ranch, CA – Nov 10, 2015 – Access Smart, LLC today announced that the Power LogOn software now supports all versions of Windows 10 and Internet Explorer 11. Power LogOn – multifactor password manager for business, adds an extra layer of cybersecurity during the initial logon process to Windows 10/IE11 with an efficient authentication solution. Now IT can keep passwords secure, and employees don’t have to manage passwords.

A cyber-attack can cost a company about $248 per record stolen. That’s why cybersecurity must start before the firewall. Power LogOn complements computer logon by adding on a security-enhanced password manager. The greatest cyber threat to any company is employee managed user names and passwords. To access the power of Windows 10/IE11, employees don’t need to type in their user name and password. By removing this cybersecurity vulnerability, Power LogOn puts the control of sensitive data back in the hands of IT professionals where it belongs.