A new study evaluating whether federal agencies are prepared to respond to Binding Operational Directive 18-01 found that fewer than half of all federal organizations have the tools and automation in place to respond to incidents that impact machine identities, and that many fail to regularly audit their Federal Public Key Infrastructure (FPKI) processes.
In 2017, the Department of Homeland Security issued the directive, which is binding on agencies, as a measure to enhance email and web security. To measure how well federal agencies are adhering to its requirements, Dimensional Research, on behalf of Venafi, surveyed 100 IT security professionals who work in the federal government and found that few are actually prepared to comply with the directive.
BOD 18-01 requires that all US federal agency websites augment their policies for handling machine identities, including TLS keys and certificates used in public key infrastructure (PKI). In order to protect government web services, all federal agencies are mandated to comply with BOD 18-01.
However, “only 69% of all federal sites enable HTTPS, despite BOD 18-01 requiring 100% HTTPS usage,” said Kevin Bocek, chief cybersecurity strategist for Venafi, in a press release. “It’s great that the Department of Homeland Security is driving agencies to improve their use of machine identities, but the federal government should also develop comprehensive machine identity protection strategies to achieve this goal.”
The survey found that only 30% of respondents have a complete certificate inventory and only 29% feel confident that their certificate inventory includes the location of all those that are installed. Because certificates are often installed on multiple devices, knowing the location of each is critical to upgrade efforts. Additionally, those agencies without a complete certificate inventory lack the visibility needed to see each certificate being used, which can potentially cause both security risks and service outages.
“Unfortunately, even the world’s most sophisticated security teams rarely have the visibility, intelligence or automation necessary to effectively scale the use of their machine identities,” said Bocek.
The survey also found that only 37% of respondents said certificate ownership information is included in their certificate inventory, yet updates require administrative access. Without ownership information, updates are delayed.
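The two inventory gaps the survey describes, certificates whose installed locations are unknown and certificates with no recorded owner, are easy to make concrete. The following Go program is an added example, not code from the article, Venafi or the survey: it builds a certificate inventory keyed by SHA-256 fingerprint from a set of installation records, so that one certificate installed on several hosts appears once with every location listed, and then audits the result for missing owners, duplicate installations, and imminent expiry. The installation records, hostnames, owner names and the self-signed certificates under the reserved `.example` domain are all constructed sample data; the standard library `crypto/x509` package is used for parsing and for generating the sample certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// Installation records one certificate observed at one location. Owner is
// empty when the inventory holds no ownership information for that location.
type Installation struct {
	Location string // hostname or device where the certificate is installed
	Owner    string // team or person responsible, if recorded
	CertDER  []byte // the certificate as seen on that device
}

// Entry is one consolidated inventory line: a unique certificate plus every
// location it is installed on and every owner recorded for it.
type Entry struct {
	Fingerprint string
	Subject     string
	NotAfter    time.Time
	Locations   []string
	Owners      []string
}

// Findings lists the subjects that fail each audit check.
type Findings struct {
	NoOwner  []string // no owner recorded at any location
	Multiple []string // installed on more than one device
	Expiring []string // expires within the audit window
}

// Fingerprint returns the hex SHA-256 of the DER encoding, the usual key for
// deciding that two installations carry the same certificate.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// BuildInventory parses every installation and merges records that share a
// fingerprint, so each certificate appears once with all of its locations.
func BuildInventory(installs []Installation) ([]Entry, error) {
	byFP := map[string]*Entry{}
	for _, in := range installs {
		cert, err := x509.ParseCertificate(in.CertDER)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", in.Location, err)
		}
		fp := Fingerprint(in.CertDER)
		e, ok := byFP[fp]
		if !ok {
			e = &Entry{Fingerprint: fp, Subject: cert.Subject.CommonName, NotAfter: cert.NotAfter}
			byFP[fp] = e
		}
		e.Locations = append(e.Locations, in.Location)
		if in.Owner != "" {
			e.Owners = append(e.Owners, in.Owner)
		}
	}
	out := make([]Entry, 0, len(byFP))
	for _, e := range byFP {
		sort.Strings(e.Locations)
		out = append(out, *e)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Subject < out[j].Subject })
	return out, nil
}

// Audit applies the three checks to a built inventory.
func Audit(inv []Entry, now time.Time, window time.Duration) Findings {
	var f Findings
	for _, e := range inv {
		if len(e.Owners) == 0 {
			f.NoOwner = append(f.NoOwner, e.Subject)
		}
		if len(e.Locations) > 1 {
			f.Multiple = append(f.Multiple, e.Subject)
		}
		if e.NotAfter.Before(now.Add(window)) {
			f.Expiring = append(f.Expiring, e.Subject)
		}
	}
	return f
}

// selfSigned mints a throwaway certificate for the constructed sample data.
func selfSigned(cn string, notAfter time.Time) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notAfter.Add(-365 * 24 * time.Hour),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return der
}

// SampleInstallations is constructed data: one certificate copied onto three
// devices with an owner recorded on only one of them, and a second certificate
// with no owner recorded anywhere.
func SampleInstallations(now time.Time) []Installation {
	www := selfSigned("www.agency.example", now.Add(20*24*time.Hour))  // expires in 20 days
	api := selfSigned("api.agency.example", now.Add(300*24*time.Hour)) // expires in 300 days
	return []Installation{
		{Location: "web-01", Owner: "web-team", CertDER: www},
		{Location: "web-02", Owner: "", CertDER: www},
		{Location: "lb-01", Owner: "", CertDER: www},
		{Location: "api-01", Owner: "", CertDER: api},
	}
}

func main() {
	now := time.Now()
	inv, err := BuildInventory(SampleInstallations(now))
	if err != nil {
		panic(err)
	}
	for _, e := range inv {
		fmt.Printf("%s  %s  expires %s  locations=%v owners=%v\n",
			e.Fingerprint[:16], e.Subject, e.NotAfter.Format("2006-01-02"), e.Locations, e.Owners)
	}
	fmt.Printf("findings: %+v\n", Audit(inv, now, 30*24*time.Hour))
}
```

Keying on the fingerprint rather than on the subject name is what makes the location list trustworthy: a renewed certificate for the same hostname gets a new fingerprint and therefore a new entry, so a device still serving the old one stands out immediately, which is exactly the visibility the survey says most agencies lack.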