Security News > 2023 > October > CISA and NSA Issues New Identity and Access Management Guidance for Vendors

In an email interview with TechRepublic, Jake Williams, faculty member at IANS Research and former NSA offensive hacker, said, "The publication highlights the challenges with comparing the features provided by vendors. CISA seems to be putting vendors on notice that they want vendors to be clear about what standards they do and don't support in their products, especially when a vendor only supports portions of a given standard."

According to CISA and the NSA, the definitions and policies of the different variations of MFAs are unclear and confusing.

The CISA-NSA report notes that vendors are not offering clear definitions when it comes to the level of security that different types of MFAs provide, as not all MFAs offer the same security.

McDonald said the industry would welcome standard MFA terminology to allow equitable comparison of products, the prioritization of user-friendly MFA solutions for both mobile and desktop platforms to drive wider adoption and the implementation of broader support for and development of identity standards in the enterprise ecosystem.

Create phishing-resistant authenticators and then standardize their adoption In response to the lack of clarity on the security properties that certain MFA implementations provide, CISA and NSA recommended additional investment by the vendor community to create phishing-resistant authenticators to provide greater defense against sophisticated attacks.

The report also concludes that simplifying and standardizing the security properties of MFA and phishing-resistant authenticators, including their form factors embedded into operating systems, "Would greatly enhance the market." CISA and NSA called for more investment to support high-assurance MFA implementations for enterprise use.

News URL

https://www.techrepublic.com/article/new-nsa-cisa-iam-guidance/