MFA Access Control Solutions & Protection | Enterprise Password Management | Access Smart

Archive for Government regulations

Cybersecurity Executive Order – Open Letter to President Trump

February 8, 2017

 

President Donald Trump
The White House
1600 Pennsylvania Avenue NW
Washington DC 20500

Re: Small Business Response to President’s Cybersecurity Executive Order

 

Dear Mr. President,

Thank you so much for your initiative with our nation’s Cybersecurity.

As a California Certified Small Business owner who offers a multi-factor authentication (MFA) product on the GSA Schedule, I have an important concern: Currently, there are no NAICS, SIC or SIN procurement codes for cybersecurity products on the GSA Schedule. This makes it difficult for government agencies and departments to find, let alone implement, the products you are mandating.

A year ago, I sent a similar letter to President Obama. NOTHING has changed. I trust that you are the man to fix this ridiculous problem. By simply adding cybersecurity procurement codes on the GSA Schedule as part of your Executive Order implementation, cybersecurity solutions will be implemented much faster.

Without cybersecurity procurement codes, government agencies and departments are unable to find, let alone implement, targeted products and services to help keep our Nation’s electronic data secure. Their current procedure is to do keyword searches on the GSA Schedule and hope they find something. If they don’t put in the appropriate keywords or vendors have not listed those keywords, the agency finds no match. Their only recourse is to generate expensive and time-consuming RFIs, RFPs and RFQs. Cybersecurity NAICS, SIN and SIC codes would streamline the entire process, save money, and ensure fast implementations.

Without updated procurement codes, small businesses like mine (and many others) are at a great disadvantage. We don’t have the ability to lobby all the agencies about our state-of-the-art solutions, so contracts are always awarded to the major primes. Sadly, they often are not up to speed fighting the latest hacking technology or methodology. When we contact the primes to tell them what we offer with hopes to be a supplier, they too don’t know how to classify our products to easily drop into their government bids (no codes to match against). Cybersecurity procurement codes will help to even the playing field for small businesses.

One federal agency’s Cyber Labs has evaluated, purchased and successfully implemented our multi-factor authentication password manager to protect hundreds of their many high value servers. Our product, Power LogOn, saved this agency both money and implementation time because it works with their existing PIV ID badge, creating both high level MFA cybersecurity and convenience. They put Power LogOn through a rigorous evaluation process during which it acquired a FIPS 140-2 verification from an independent NIST laboratory (InfoGard) and a NIST FIPS 201 waiver.

My problem is that this agency cannot tell any other agency about our product because they will be seen as promoting a vendor. It’s a daunting task for an SMB to have to start from scratch with every agency and department when the proper placement of our services on a dedicated NAICS code for Multi-Factor Authentication Cybersecurity would allow agencies and departments to easily find and implement the products and services they need. This would help all companies to be easily identified for cybersecurity products and services on the GSA Schedule, not just mine.

Cybersecurity is one of this nation’s biggest security concerns. With the recent data breaches at the IRS, OPM, DoD, DNC, and even Congress, government agencies should be keen on finding solutions today that can help safeguard their networks.

The reason the GSA Schedule is so important to your Cybersecurity Executive Order is that agencies will be able to find and simply purchase what they need. They will not be burdened by the time and cost of a large and cumbersome procurement bidding process. Because Power LogOn is already on the GSA Schedule, agencies can implement multi-factor authentication quickly and easily, immediately plugging any holes in their current infrastructure.

Our product takes only hours to implement because it leverages existing technologies. It works with the existing PIV, PIV-I, CIV and CAC cards, so no re-badging is needed. The FIPS 140-2 verification means government approved security. The FIPS 201 waiver means no expensive re-certification of government issued cards. Now agencies can add secure computer, network and application logon immediately, while saving taxpayers a significant amount of money.

I have been in this industry for over 25 years. I am the author of Making Passwords Secure, Fixing the Weakest Link in Cybersecurity which outlines how to implement cybersecurity authentication solutions.

My only other question is:
How can I and my business contribute to your vision for our nation’s cybersecurity?

Thank you for your time and consideration.

 

With warmest regards,

Dovell Bonnett
Founder & CEO
Access Smart, LLC
www.Access-Smart.com/gov
(949) 218-8754

Passwords are Protected by the U.S. Constitution!

Did you know: The U.S. Courts have deemed that passwords are protected under the U.S. Constitution?

U.S. Courts have ruled that passwords are considered free speech since they are considered “knowledge”. Therefore, under the Bill of Rights, 5th Amendment, no person is required to disclose information that could incriminate themselves. DNA and biometrics, on the other hand, are not protected by these same rights. What’s more, Private Keys are not protected by the Constitution since they are computer generated and not considered an individual’s “knowledge”.

Cybersecurity NAICS Codes May Be Coming Soon

Cybersecurity NAICS Codes Lobbying

On February 9, 2016, President Obama announced that $19B should be placed in the 2017 budget for cybersecurity. Being a Cybersecurity SMB, this seemed like a dream come true, but having already been on the GSA Schedule for almost two years, my phone has not been ringing off the hook with Government interest. So I asked around and found out that many agencies did not know how to find cybersecurity products.

That same month, February 2016, I started a grassroots lobbying campaign to help government agencies find and acquire cybersecurity products and services. My idea seemed simple: have NAICS, SIN, and SIC procurement codes assigned specifically to cybersecurity products and services. Well, I might have achieved success. Here is the sequence of recent events.

On Feb. 27, 2016, I wrote the following letter to Senator Tom Carper (DE) as well as many other Senators, Congressmen, Congresswomen, agency leaders, and even President Obama. I also posted articles on LinkedIn, and asked for help from companies like Microsoft through their Voices for Innovations group. Here is a sample of one such letter:

Dear Senator Carper,
As the Ranking Member of Homeland Security and Government Affairs, I want to discuss President Obama’s February 9, 2016 announcement regarding Cybersecurity National Action Plan (CNAP). I appreciate that his vision includes both the immediate need to plug holes in the current infrastructure as well as a long term strategy which moves us away from the Band-Aid approach and toward keeping our nation and its people strong and secure.

As a California Certified Small Business owner who offers a multi-factor authentication (MFA) product already on the GSA Schedule, I have an important concern. Currently, there are no NAICS codes for cybersecurity products on the GSA Schedule. This makes it difficult for government agencies and departments to find, let alone implement, the products he is mandating.

One federal agency, (agency’s name removed per their request for security reasons), has evaluated, purchased and successfully implemented our multi-factor authentication password manager to protect their 700 high value servers. Our product, Power LogOn, saved them both money and implementation time because it works with their existing PIV ID badge, creating both high level MFA cybersecurity and convenience. They put Power LogOn through a rigorous evaluation process during which it acquired a FIPS 140-2 verification from an independent NIST laboratory (InfoGard) and a NIST FIPS 201 waiver.

My problem is that the agency cannot tell any other agency about our product because they will be seen as promoting a vendor. It’s a daunting task for a small company to have to start from scratch with every agency and department when the proper placement of our services on a dedicated NAICS code for Multi-Factor Authentication Cybersecurity would allow agencies and departments to easily find and implement the products and services outlined in the CNAP. This would help all companies to be easily identified for cybersecurity products and services on the GSA Schedule, not just me.

President Obama stated that Multi-Factor Authentication will be central to our new National Cybersecurity Awareness Campaign. As the large corporations in this country now scramble to create products to serve that purpose, my business has a 10-year track record of excellent performance and customer satisfaction with agencies and industries including…Government, hospitals, medical offices, education, insurance companies, law enforcement, county governments, Native American Tribal Nations, and more.

The reason the GSA Schedule is so important to your CNAP plan is that agencies will be able to find and simply purchase what they need. They will not be burdened by the time and cost of a large and cumbersome procurement bidding process. Because Power LogOn is already on the GSA Schedule, agencies can implement multi-factor authentication quickly and easily, immediately plugging any holes in their current infrastructure.

Our product takes only hours to implement because it leverages existing technologies. This means agencies can be secured immediately. Having a multi-factor authentication password manager removes the end user from the position of Network Security Administrator by removing their need (and ability) to generate, remember, type, manage or even know their passwords. This also reduces the burden on IT administrators who no longer have to waste time resetting forgotten passwords because they can now be centrally controlled. And by leveraging the government’s existing infrastructure investments, Power LogOn also saves taxpayers a significant amount of money.

I have been in this industry for over 25 years and I have a book coming out next month that outlines how to implement cybersecurity authentication solutions. My only other question is: How can I and my business contribute to CNAP and the vision for our nation’s cybersecurity?

Thank you for your time and consideration.
With warmest regards,

Cybersecurity Procurement Inquiry on OMB by Senator Carper:

An article in e-Commerce Times, “Feds Prep for Cybersecurity Buying Spree,” on April 18, 2016 included this section:

Pressure on OMB

Sen. Tom Carper, D-Del., has asked the Office of Management and Budget to respond by May 8 to his concerns that federal agencies are not taking advantage of innovative cybersecurity offerings, particularly from small businesses and startups.

“From what I understand, however, flaws in the federal acquisition process can limit the tools agency network defenders can obtain,” he noted in a letter to OMB Director Shaun Donovan.

“Our discussions made it clear that, because the techniques our adversaries use against us online are always evolving, deploying innovative products and services is critical to staying ahead of the threats we face online,” Carper said, referring to a meeting he attended with small businesses.

The companies pointed out that private sector financial institutions, power companies, retailers and others “are able to quickly reap the benefits of the many new and innovative cyberdefense products put on the market each year,” he said.

“It was not clear to them that federal agencies are similarly able to rapidly acquire new and innovative cybersecurity solutions,” Carper added.

“What are agencies doing to acquire innovative cybersolutions developed by startups and other companies that have not traditionally done business with the government? How successful have agencies been in doing so? Are any agencies piloting innovative procurement processes for rapid acquisition of cybersecurity tools? What action has OMB taken, or is planning to take, to guide agencies in the rapid procurement of new and emerging cybersecurity tools?” Carper asked.

 

Cybersecurity RFI from the GSA:

Finally, on April 11, 2016, the GSA posted an RFI (Solicitation Number: QTA00DF16DPI0002) to help GSA identify current offerings available, improve the visibility of those offerings, and determine gaps that need to be filled regarding Cybersecurity products and services. We replied to the RFI. Here is one of our answers to Question 3:

 3. What are the advantages and/or disadvantages of how the government currently purchases cybersecurity products and services?
Currently, there are no Schedule 70, NAICS, SIC or SIN procurement codes for cybersecurity products on the GSA Schedule. Many cybersecurity companies have to list their products under very general codes. For example, while we are listed on the GSA Schedule, the best NAICS matches the GSA office has for our cybersecurity products and services are:

• 511210 – Software Publishers,
• 334119 – Other Computer Peripheral Equipment Manufacturing, and
• 541512 – Computer Systems Design Services.

None of these are obvious cybersecurity categories. The SIC and SIN codes are no better.

Without cybersecurity procurement codes, government agencies and departments are unable to find, let alone implement, targeted products and services to help keep our Nation’s electronic data secure. Their current procedure is to do keyword searches on the GSA Schedule and hope they find something. If they don’t put in the appropriate keywords or vendors have not listed those keywords, the agency finds no match. Their only recourse is to generate expensive and time-consuming RFIs, RFPs and RFQs. Cybersecurity NAICS, SIC and SIN codes would streamline the entire process, save money, and ensure fast implementations.

Without updated procurement codes, small businesses like mine are at a great disadvantage. We don’t have the ability to lobby all the agencies about our state-of-the-art solutions, so contracts are always awarded to the major primes which often are not up to speed fighting the latest hacking technology or methodology. When we contact the primes to tell them what we offer with hopes to be a supplier, they too don’t know how to classify our products to easily drop into their government bids (no codes to match against). Cybersecurity procurement codes would help to even the playing field for small businesses.

Government agencies need cybersecurity NOW. The outrageously expensive and time consuming solutions of the past cannot be implemented fast enough to keep pace with the onslaught from rogue cyber threats. Passwords are still widely used throughout the government and switching over to new authentications would be time consuming and costly. The government needs security today that can be implemented within a few days, and saves money. When passwords are compromised, all the expensive back end security in the world becomes instantly useless. Securing the front end or “virtual front door” is essential.

Access Smart allows government agencies to quickly add a new application to their existing PIV/CIV/CAC without re-calling, re-issuing, or re-programming the credential. That is why our product won a FIPS 201 waiver. And because security is of high importance to Access Smart, Power LogOn was tested and received a FIPS 140-2 verification from the NIST independent test lab InfoGard.

Our Power LogOn product authenticates the user when the computer is first turned on, before the operating system fully boots up. Power LogOn continues to authenticate the user during computer usage: when requesting logon to a website, application, network, or cloud. This extra layer of security protects data while enhancing the user’s convenience. Making passwords convenient for the user ensures they will not (or cannot) circumvent security for convenience.

Cybersecurity Scores One for the Little Guys!

How much I and my lobbying actually played into these events is anyone’s guess. Granted, I like to think I had a part. While I could not have been successful in my lobbying campaign without the assistance of a lot of people both known and unknown, I feel like I chalked one up for us little guys in helping the U.S. Government.

Finally, the real winners are the many businesses whose products will now be visible to the Government and Government Primes because cybersecurity products and services will become easier for agencies to identify and procure off the GSA Schedule.

 

Access Smart is taking an active role in Data Privacy

Data Security first starts with Data Privacy

Last week I had meetings with aides of Senator Boxer (D-CA), Senator Feinstein (D-CA), Congressman Becerra (34th Dist., CA), Deputy Secretary Bruce Andrews (U.S. Dept. of Commerce), and finally the leadership for the U.S. House Small Business to discuss my concerns about data privacy and why I support the LEADS (Law Enforcement Access to Data Stored Abroad) Act of 2015.

Power LogOn Passes HHS/CDC Cyber Lab’s Security Evaluation

I’d like to tell you about a new secure password management and authentication solution that passed HHS/CDC cyber lab’s security evaluation to eliminate their employee managed password burdens. It’s called Power LogOn® Government Edition. The cyber lab now has a multi-factor, IT centralized password manager for their existing PIV, CAC, or CIV credentials.

Here are a few of the specifications Power LogOn delivers:

  • Independent FIPS 140-2 verification
  • Secure, IT centralized password management and authentication
  • Every account can have up to a 500-character long unique password that can be changed as frequently as required without user involvement
  • Convenient for employees to log into multiple server, web and application accounts without them having to know or type the passwords
  • Scalable to fit any size department or agency, without a high cost of ownership
  • Complements existing PIV credentials without re-badging or FIPS 201 re-certification
  • And a whole lot more

With Power LogOn Government Edition, the HHS IT team now implements very long complex passwords that are changed very frequently. All password changes are automatically pushed down to all users without their involvement or knowledge. Employees no longer have to generate, remember, type or even know any network, application or computer logon passwords. Power LogOn instantly integrates with existing PIV credentials without having to program or modify any file structures, thus avoiding any FIPS 201 re-certification issues.

Power LogOn is now ready and available on GSA Advantage for other government agencies and departments who struggle with the insecurity of employee generated and managed passwords.

To learn more about Power LogOn Government Edition and download our Capabilities Line Card please visit our webpage www.access-smart.com/gov.