Introduction
Today, government agencies rely heavily on cloud services to store sensitive data and deliver critical services. However, ensuring the security of these cloud environments is crucial, demanding robust measures to safeguard sensitive information. This is where the Federal Risk and Authorization Management Program (FedRAMP), comes into play.
FedRAMP establishes a standardized approach to evaluate the security of cloud service providers (CSPs) seeking to provide service to the federal government. Multi-factor authentication (MFA) emerges as a crucial security control as part of this rigorous process, ensuring a higher level of security for cloud services used by government agencies.
Introduction to MFA and Its Importance in FedRAMP
MFA is an authentication method that requires users to present two or more verification factors to gain access to a resource, such as an application, online account, or virtual private network (VPN). The factors must be independent and come from different categories: something the user knows (a password), something the user has (a security token), and something the user is (a biometric). Because a single stolen password is no longer enough, this layered defense substantially raises the cost for an attacker trying to reach sensitive systems, devices, or data.
Technical Underpinnings of MFA
At the core of MFA’s efficacy are the distinct categories of authentication factors it utilizes, comprising:
- Knowledge factors: Information known to the user, such as passwords or PINs.
- Possession factors: Items physically held by the user, such as smart cards, hardware security keys, or mobile apps that generate time-based one-time passwords (TOTPs). Note that geographic location is not a possession factor: NIST SP 800-63B treats location and device data as risk signals that may inform an authentication decision, not as authentication factors in their own right.
- Inherence factors: Biometric characteristics unique to the user, including fingerprints or facial recognition.
These factors, especially when combined, create a robust barrier against unauthorized access, aligning with FedRAMP's stringent security requirements.
How MFA Works: A Technical Breakdown
The process begins when a user attempts to access an MFA-protected resource and submits their primary authentication factor, usually a password. After verifying the password, the server requests a second factor. If the second factor is a TOTP generated by an authenticator app, the server, which holds the same shared secret the app was enrolled with, derives the current time step from the clock and computes the expected TOTP value; most servers also accept the adjacent time steps to tolerate clock drift. The user enters the TOTP displayed by their app, and the server compares it against the expected value using a constant-time comparison. Access is granted only if both factors verify. Because a valid TOTP remains valid for the whole time step, a careful server also records the last time step it accepted for that user and rejects any later submission for that step, so an intercepted code cannot be replayed.
MFA Standards
The security and efficacy of MFA are bolstered by adherence to key standards and protocols designed to ensure a uniform and secure authentication experience, including:
- The Initiative for Open Authentication (OATH) algorithms HOTP (HMAC-based one-time password, RFC 4226) and TOTP (time-based one-time password, RFC 6238), which define how one-time passwords are derived from a shared secret.
- Fast Identity Online 2 (FIDO2), the combination of the W3C WebAuthn API and the FIDO Client to Authenticator Protocol (CTAP), which supports hardware security keys and platform authenticators with biometric or PIN activation for phishing-resistant, optionally passwordless authentication.
- WebAuthn, the browser-facing half of FIDO2, which lets a web application register and challenge public-key credentials bound to the site's origin.
These standards ensure MFA systems are both secure against attacks and interoperable across different platforms and devices.
MFA Requirements for CSPs Pursuing FedRAMP Authorization
FedRAMP's MFA mandates are firmly rooted in the control catalog of NIST Special Publication 800-53. To achieve FedRAMP authorization, CSPs must comply with stringent identification and authentication (IA) and cryptography requirements, which are the cornerstone of a secure cloud service environment.
IA-2: Identification and Authentication (Organizational Users)
- Requirement: Uniquely identify and authenticate organizational users, and associate that unique identification with processes acting on behalf of those users.
- Implementation Guidance: CSPs must ensure that user authentication processes are robust, compliant with FedRAMP standards, and tailored to the risk level of the user's role within the organization; shared or generic identities do not satisfy this control on their own.
IA-2 (1): Multi-factor Authentication to Privileged Accounts
- Requirement: Requires MFA to gain access to systems for privileged accounts.
- Implementation Guidance: CSPs are required to implement phishing-resistant MFA for privileged access, such as PIV cards or FIDO2/WebAuthn authenticators, in accordance with NIST SP 800-63B. Note that a biometric is not a phishing-resistant method on its own; under SP 800-63B it is used only to activate a physical authenticator the user possesses.
IA-2 (2): Multi-factor Authentication to Non-privileged Accounts
- Requirement: Extends the requirement of MFA to non-privileged accounts to secure system access.
- Implementation Guidance: CSPs must apply MFA consistently to all user accounts, choosing methods that balance security with usability, in line with CISA's Zero Trust principles.
IA-2 (5): Individual Authentication with Group Authentication
- Requirement: When shared accounts or authenticators are employed, users must be individually authenticated before they are granted access to the shared account or resource.
- Implementation Guidance: CSPs must enforce individual authentication for every user before granting access to a shared account, so that each use of the shared account remains attributable to a person. Since IA-2(1) and IA-2(2) already require MFA for privileged and non-privileged accounts, that individual authentication must itself be multi-factor.
IA-2 (6): Access to Accounts — Separate Device
- Requirement: One of the MFA factors must be provided by a device separate from the system gaining access, and that device must meet the organization's strength-of-mechanism requirements.
- Implementation Guidance: CSPs are required to deliver at least one factor from a separate physical device, such as a hardware token or a mobile authenticator, so that malware on the endpoint being used for access cannot capture both factors at once.
IA-2 (8): Access to Accounts — Replay Resistant
- Requirement: Demands authentication mechanisms that are resistant to replay attacks.
- Implementation Guidance: CSPs should employ authentication mechanisms in which a captured credential cannot be presented again, such as challenge-response or time-synchronous one-time authenticators whose output is accepted only once, or cryptographic authenticators that sign a server-supplied nonce.
IA-2 (12): Acceptance of PIV Credentials
- Requirement: Obliges the system to accept Personal Identity Verification (PIV) credentials from users for access to information systems.
- Implementation Guidance: CSPs should integrate systems to accept and validate PIV credentials, allowing for a standardized authentication process across federal entities.
Aligning IA Controls with Assurance Levels
FedRAMP emphasizes robust authentication practices, mandating compliance with the levels defined in NIST Special Publication 800-63B (Authenticator Assurance Level, AAL) and its companion volumes, SP 800-63A for Identity Assurance Level (IAL) and SP 800-63C for Federation Assurance Level (FAL).
Assurance Levels:
Within the IA framework, it is essential to understand the graded assurance levels that span from IALs, which ensure the identity proofing of users, to Authenticator Assurance Levels (AALs) and FALs, which secure authentication and federation processes, respectively.
Identity Assurance Levels:
- IAL1: does not require evidence that the applicant is linked to