Cyber Access Control | MFA Enterprise Password Management | Access Smart

Archive for Data Security Management

Cybersecurity NAICS Codes May Be Coming Soon

Cybersecurity NAICS Codes Lobbying

On February 9, 2016, President Obama announced that $19B should be placed in the 2017 budget for cybersecurity. Being a Cybersecurity SMB, this seemed like a dream come true, but having already been on the GSA Schedule for almost two years, my phone has not been ringing off the hook with Government interest. So I asked around and found out that many agencies did not know how to find cybersecurity products.

That same month, February 2016, I started a grassroots lobbying campaign to help government agencies find and acquire cybersecurity products and services. My idea seemed simple: have NAICS, SIN, and SIC procurement codes assigned specifically to cybersecurity products and services. Well, I might have achieved success. Here is the sequence of recent events.

On Feb. 27, 2016, I wrote the following letter to Senator Tom Carper (DE) as well as many other Senators, Congressmen, Congresswomen, agency leaders, and even President Obama. I also posted articles on LinkedIn, and asked for help from companies like Microsoft through their Voices for Innovations group. Here is a sample of one such letter:

Dear Senator Carper,
As the Ranking Member of Homeland Security and Government Affairs, I want to discuss President Obama’s February 9, 2016 announcement regarding Cybersecurity National Action Plan (CNAP). I appreciate that his vision includes both the immediate need to plug holes in the current infrastructure as well as a long term strategy which moves us away from the Band-Aid approach and toward keeping our nation and its people strong and secure.

As a California Certified Small Business owner who offers a multi-factor authentication (MFA) product already on the GSA Schedule, I have an important concern. Currently, there are no NAICS codes for cybersecurity products on the GSA Schedule. This makes it difficult for government agencies and departments to find, let alone implement, the products he is mandating.

One federal agency, (agency’s name removed per their request for security reasons), has evaluated, purchased and successfully implemented our multi-factor authentication password manager to protect their 700 high value servers. Our product, Power LogOn, saved them both money and implementation time because it works with their existing PIV ID badge, creating both high level MFA cybersecurity and convenience. They put Power LogOn through a rigorous evaluation process during which it acquired a FIPS 140-2 verification from an independent NIST laboratory (InfoGard) and a NIST FIPS 201 waiver.

My problem is that the agency cannot tell any other agency about our product because they will be seen as promoting a vendor. It’s a daunting task for a small company to have to start from scratch with every agency and department when the proper placement of our services on a dedicated NAICS code for Multi-Factor Authentication Cybersecurity would allow agencies and departments to easily find and implement the products and services outlined in the CNAP. This would help all companies to be easily identified for cybersecurity products and services on the GSA Schedule, not just me.

President Obama stated that Multi-Factor Authentication will be central to our new National Cybersecurity Awareness Campaign. As the large corporations in this country now scramble to create products to serve that purpose, my business has a 10-year track record of excellent performance and customer satisfaction with agencies and industries including…Government, hospitals, medical offices, education, insurance companies, law enforcement, county governments, Native American Tribal Nations, and more.

The reason the GSA Schedule is so important to your CNAP plan is that agencies will be able to find and simply purchase what they need. They will not be burdened by the time and cost of a large and cumbersome procurement bidding process. Because Power LogOn is already on the GSA Schedule, agencies can implement multi-factor authentication quickly and easily, immediately plugging any holes in their current infrastructure.

Our product takes only hours to implement because it leverages existing technologies. This means agencies can be secured immediately. Having a multi-factor authentication password manager removes the end user from the position of Network Security Administrator by removing their need (and ability) to generate, remember, type, manage or even know their passwords. This also reduces the burden on IT administrators who no longer have to waste time resetting forgotten passwords because they can now be centrally controlled. And by leveraging the government’s existing infrastructure investments, Power LogOn also saves taxpayers a significant amount of money.

I have been in this industry for over 25 years and I have a book coming out next month that outlines how to implement cybersecurity authentication solutions. My only other question is: How can I and my business contribute to CNAP and the vision for our nation’s cybersecurity?

Thank you for your time and consideration.
With warmest regards,

Cybersecurity Procurement Inquiry on OMB by Senator Carper:

An article in e-Commerce Times, “Feds Prep for Cybersecurity Buying Spree,” published on April 18, 2016, included this section:

Pressure on OMB

Sen. Tom Carper, D-Del., has asked the Office of Management and Budget to respond by May 8 to his concerns that federal agencies are not taking advantage of innovative cybersecurity offerings, particularly from small businesses and startups.

“From what I understand, however, flaws in the federal acquisition process can limit the tools agency network defenders can obtain,” he noted in a letter to OMB Director Shaun Donovan.

“Our discussions made it clear that, because the techniques our adversaries use against us online are always evolving, deploying innovative products and services is critical to staying ahead of the threats we face online,” Carper said, referring to a meeting he attended with small businesses.

The companies pointed out that private sector financial institutions, power companies, retailers and others “are able to quickly reap the benefits of the many new and innovative cyberdefense products put on the market each year,” he said.

“It was not clear to them that federal agencies are similarly able to rapidly acquire new and innovative cybersecurity solutions,” Carper added.

“What are agencies doing to acquire innovative cybersolutions developed by startups and other companies that have not traditionally done business with the government? How successful have agencies been in doing so? Are any agencies piloting innovative procurement processes for rapid acquisition of cybersecurity tools? What action has OMB taken, or is planning to take, to guide agencies in the rapid procurement of new and emerging cybersecurity tools?” Carper asked.

 

Cybersecurity RFI from the GSA:

Finally, on April 11, 2016, the GSA posted an RFI (Solicitation Number: QTA00DF16DPI0002) to help GSA identify current offerings available, improve the visibility of those offerings, and determine gaps that need to be filled regarding cybersecurity products and services. We replied to the RFI. Here is our answer to Question 3:

 3. What are the advantages and/or disadvantages of how the government currently purchases cybersecurity products and services?
Currently, there are no Schedule 70, NAICS, SIC or SIN procurement codes for cybersecurity products on the GSA Schedule. Many cybersecurity companies have to list their products under very general codes. For example, while we are listed on the GSA Schedule, the best NAICS matches the GSA office has for our cybersecurity products and services are:

• 511210 – Software Publishers,
• 334119 – Other Computer Peripheral Equipment Manufacturing, and
• 541512 – Computer Systems Design Services.

None of these are obvious cybersecurity categories. The SIC and SIN codes are no better.

Without cybersecurity procurement codes, government agencies and departments are unable to find, let alone implement, targeted products and services to help keep our Nation’s electronic data secure. Their current procedure is to do keyword searches on the GSA Schedule and hope they find something. If they don’t put in the appropriate keywords or vendors have not listed those keywords, the agency finds no match. Their only recourse is to generate expensive and time-consuming RFIs, RFPs and RFQs. Cybersecurity NAICS, SIC and SIN codes would streamline the entire process, save money, and ensure fast implementations.

Without updated procurement codes, small businesses like mine are at a great disadvantage. We don’t have the ability to lobby all the agencies about our state-of-the-art solutions, so contracts are always awarded to the major primes which often are not up to speed fighting the latest hacking technology or methodology. When we contact the primes to tell them what we offer with hopes to be a supplier, they too don’t know how to classify our products to easily drop into their government bids (no codes to match against). Cybersecurity procurement codes would help to even the playing field for small businesses.

Government agencies need cybersecurity NOW. The outrageously expensive and time consuming solutions of the past cannot be implemented fast enough to keep pace with the onslaught from rogue cyber threats. Passwords are still widely used throughout the government and switching over to new authentications would be time consuming and costly. The government needs security today that can be implemented within a few days, and saves money. When passwords are compromised, all the expensive back end security in the world becomes instantly useless. Securing the front end or “virtual front door” is essential.

Access Smart allows government agencies to quickly add a new application to their existing PIV/CIV/CAC without re-calling, re-issuing, or re-programming the credential. That is why our product won a FIPS 201 waiver. And because security is of high importance to Access Smart, Power LogOn was tested and received a FIPS 140-2 verification from the NIST independent test lab InfoGard.

Our Power LogOn product authenticates the user when the computer is first turned on, before the operating system fully boots up. Power LogOn continues to authenticate the user during computer usage: when requesting logon onto a website, application, network, or cloud. This extra layer of security protects data while enhancing the user’s convenience. Making passwords convenient for the user ensures they will not (or cannot) circumvent security for convenience.

Cybersecurity Scores One for the Little Guys!

How much I and my lobbying actually played into these events is anyone’s guess. Granted, I like to think I had a part. While I could not have been successful in my lobbying campaign without the assistance of a lot of people both known and unknown, I feel like I chalked one up for us little guys in helping the U.S. Government.

Finally, the real winners are the many businesses whose products will now be visible to the Government and Government Primes because cybersecurity products and services will become easier for agencies to identify and procure off the GSA Schedule.

 

You Need Password Authentication Infrastructure

Every day I read another post, hear another news story, or have another conversation that passwords are insecure and that PKI and digital certificates must replace passwords. Comparing passwords to certificates, or PKI, is not correct because:

  1. A password is a single component within multifactor authentication.
  2. Certificates and PKI are a complete infrastructure made up of many different components.
  3. What keeps certificates secure is how their keys are safeguarded, generated, protected, and managed.


When is a Password like a Private Key?

My stance on passwords is well known – “Passwords are secure, people managing them aren’t.” Whenever I make this claim, some computer security pundits vehemently disagree with me. They bring up technologies like PKI, digital certificates, and all the advanced hardware technology, encryption algorithms and infrastructure. Their arguments are true, but why is all this advanced security technology needed? Answer: to protect the cryptographic keys.

Power LogOn is available on Amazon

I’m excited to announce that Power LogOn Administrator Starter Kit is available on Amazon. After placing Power LogOn on Amazon, I asked a number of our users if they wouldn’t mind adding a comment and a rating. We received great testimonials and more are coming in daily. While I write about how passwords are secure – but the way they are managed isn’t – it is important to hear from actual users about the problems they were facing and how Power LogOn helped them.

 

IT Professionals love Power LogOn because it’s fast, easy and customizable.

From Mr. Cervantez, IT Installer Professional: I’m an IT pro and have installed it on my client’s Windows Server 2008 along with 6 Windows 7 Pro workstations. It’s been about 1 yr and both doctors love it; they go from exam room to exam room, insert their smart card into a slot on the Dell keyboard/smart card reader and it securely logs them in, and when they’re finished with their patient they remove the card and the computer securely locks. Everything is customizable and the company has excellent support if you ever need it. Highly recommend it.

ACCESS SMART® AWARDED GSA SCHEDULE CONTRACT

GSA Schedule Contract Awarded to Access Smart® for the purchase of multifactor cybersecurity IT products.

Ladera Ranch, CA – June 2, 2014 – Access Smart, LLC, a leading supplier of logical access control solutions (LACS), wins a General Services Administration (GSA) schedule contract. As the US Government announces new cybersecurity regulations, Access Smart is proud that our Power LogOn® enterprise password management solution is now available to government sectors to address these regulations.

 

This contract will give government agencies and Department of Defense (DoD) procurement officials streamlined access to purchase a multi-factor authentication password manager that quickly integrates with existing CAC, PIV and CIV credentials. Power LogOn is FIPS 140-2 validated, uses AES-256 and SHA-256 encryption and password “salting,” and builds upon an agency’s existing cyber infrastructure.