The National Institute of Standards and Technology has expanded the list of credentials that federal employees and contractors can use as digital identities to enter secure government sites and access information technology resources.

A new update to Federal Information Processing Standard 201 provides more options such as Fast ID Online tokens and one-time passwords aside from personal identity verification cards currently used as the primary authentication medium, NIST said Monday.

Hildegard Ferraiolo, a computer scientist with the institute, explained that the update keeps the previous FIPS standard on par with existing technological capabilities and needs and recent federal policies on identity, credential and access management.

He added that the new options would help address the need for credentials by personnel who owns computers without built-in PIV card slots and cloud applications that do not accept PIV card’s public-key infrastructure.

According to Ferraiolo, the institute is currently working on new guidelines for the expanded list and a new concept for credential interoperability across different agencies.

The National Security Agency provided a set of recommendations to help organizations protect very small aperture terminals and understand associated risks.

The cybersecurity advisory titled “Protecting VSAT Communications” recommends enabling all available capabilities that secure transmissions across VSAT networks, NSA said Tuesday.

These capabilities include encryption, which the agency advises to use on communications prior to transmissions.

NSA also urges organizations to keep information technology hardware up to date; change default, vendor-specific credentials that come in VSAT systems; and isolate the network’s management plane via firewalls.

Isolating the management plane or system would make it inaccessible to remote modems, which could be openings to threats. The agency noted that VSAT technology was not made with a strict security focus, and thus recommends precautionary steps to mitigate risks.

Bob Kolasky, assistant director of the Cybersecurity and Infrastructure Security Agency’s National Risk Management Center, said cyber risk management not only requires agencies to perform information sharing but also demands an evolved approach that includes the analysis of existing and potential risks.

“It means using existing efforts around vulnerability management, threat detection and network defense as a springboard for connecting the relationship between threat, vulnerability and consequence with actionable metrics that drive decision-making,” Kolasky wrote in an article published Tuesday on FedTech Magazine.

He highlighted the need to establish the architecture to analyze cyber risks for critical infrastructure and noted that NRMC is working with the Environmental Protection Agency and other sector-specific agencies to create a “National Critical Functions risk architecture” to serve as an engine that will combine all data layers into a single analytics tool.

“Supporting efforts to better grasp the impact of cyber risk across the critical infrastructure community will involve developing usable metrics to quantify cyber risk in terms of functional loss,” Kolasky wrote.

“The goal is to more precisely understand the relationship between threat, vulnerability and consequence on critical functions, and to bring that thinking into cost-benefit analysis for mitigating risks,” he added.

He also discussed how security ratings have helped organizations measure exposure to cyber risks and the need to better understand and reduce systemic cyber risk.

Rep. Carolyn Maloney, D-N.Y., chairwoman of the House Oversight and Reform Committee, and ranking member James Comer, R-Ky., have proposed a bipartisan bill to improve the federal government’s defenses against cyberattacks.

“The Federal Information Security Modernization Act of 2022 elevates our federal cyber defenses to the next level, taking a cutting-edge and strategic approach to ensure federal IT systems can better prepare for and respond to today’s cyber challenges,” Maloney said in a statement published Tuesday.

FISMA 2022 would promote shared services; push for a risk-based cybersecurity posture through adoption of zero trust, automation, cloud migration and other principles; streamline and modernize reporting requirements through the use of automation; and require agencies to maintain inventories of internet-accessible information systems and advance information sharing.

The proposed legislation would also clarify the roles of the Office of Management and Budget, National Cyber Director, Cybersecurity and Infrastructure Security Agency, Federal Chief Information Security Officer and other federal offices to facilitate cooperation on cyber incidents.