A report led by the National Security Agency and the Cybersecurity and Infrastructure Security Agency suggested that multifactor authentication, or MFA, in organizations must have clearer definitions and security properties in order to protect enterprise systems.

The public-private technical report highlights key challenges and corresponding actions for developers and vendors of MFA and single sign-on, or SSO technologies, NSA said Wednesday.

The study, which was developed through the cross-sector group Enduring Security Framework, tied the increasing multiple use of computers in organizations to identity verification and access management vulnerabilities. Furthermore, lower levels of MFA have become susceptible to phishing attacks and other malicious activity.

The experts urged developers to create secure-by-default SSO and MFA tools for organizations. Identity standards and terminology must also be refined when it comes to enterprise IT systems, they recommended.

James Shappell, director of the DOD Insider Threat Management and Analysis Center at the Defense Counterintelligence and Security Agency, discussed at a recent symposium how DITMAC works to mitigate and prevent insider threats at the installation level through the Prevention, Assistance and Response program, DVIDS reported Wednesday.

Under the PAR program, DITMAC hires, trains and assigns PAR coordinators to Department of Defense joint bases in an effort to help civilian leaders and commanders understand and counter insider risks.

“Our PAR program is designed to give commanders the right amount of detail and information so they can make informed, risk-based decisions on how they should best move forward to support their personnel,” Shappell said at the event.

He went on to explicate DCSA’s efforts to mitigate risks from trusted insiders across the enterprise, including initiatives to meet its personnel security mission.

“We run 95% of the background investigations for the federal government and we adjudicate the security clearances for the Department of Defense,” Shappell said. “Then we run Continuous Vetting for the Department of Defense and a large population of non-DOD entities. So, from a personal security perspective, the gatekeepers at DCSA have a great opportunity to lead the charge on stopping people from getting in the front door.”

The DSCA official also raised the agency’s Center for Development of Security Excellence and how it helps promote security education training and awareness.

Data-centric cybersecurity and automated classification can help the U.S. military achieve battlespace dominance due to their ability to protect information regardless of its location or users, Shannon Vaughn, general manager of Virtru Federal and U.S. Army Reserve officer, wrote in an article in C4ISRNET.

In his opinion piece, Vaughn talks about the emergence of data dominance as one of the most critical elements of military missions, and how non-conventional cyber defense is the ideal approach moving forward.

To implement a data-centric approach, the military must classify and tag their information according to level of sensitivity. Effective tagging and classification can be leveraged by mission teams to control the access and use of their information, giving them built-in security controls instead of device-based protection, according to Vaughn.

Mission teams should utilize a combination of attribute-based access control, or ABAC, and automated classification and tagging to streamline and expedite the process. Vaughn recommended ABAC that is enabled by the Trust Data Format standard, which features military-grade encryption and is approved by the Office of the Director of National Intelligence.

The General Services Administration, NASA and the Department of Defense are seeking feedback on a proposed rule that intends to standardize cybersecurity contractual requirements for unclassified federal information systems as part of the implementation of a section within the 2021 cybersecurity executive order.

The proposed rule outlines cybersecurity procedures, policies and requirements for contractor services to build, implement, maintain or operate a FIS, including policies for using cloud and non-cloud computing services, according to a Federal Register notice published Tuesday.

“This rule underscores that compliance with these requirements is material to eligibility and payment under Government contracts,” the notice reads.

The proposed policy, which was introduced as an amendment to the Federal Acquisition Regulation, will apply to the acquisition of commercial products and services.

For FIS using non-cloud computing services, the proposed regulation details requirements for records management and government access, assessments, specification of additional security and privacy controls and cyber supply chain risk management, among others.

Comments on the proposed rule are due Dec. 4.