Relieving the Pain Points

of Federal IT Modernization
Securing democracy through democratized security.
Relieving the Pain Points
of Federal IT Modernization
Securing democracy through democratized security.

1.0 WHY MODERNIZE?

REDUCE RISK, PREPARE FOR THE FUTURE 3

2.0 COMPLIANCE CONFUSION 6

3.0 POOR DEVICE VISIBILITY 9

4.0 THE PIV/CAC CARD CONUNDRUM 11

5.0 LINGERING IN LEGACY LIMBO 15

6.0 GET MODERNIZING 17

 A range of traditional crimes
are now being perpetrated
through cyberspace.

35,277
F E D E R A L I N F O R M AT I O N S E C U R I T Y
I N C I D ENTS R EP O RTED TO D H S I N F Y2017

14%
I N C R E A S E I N F E D E R A L I N F O R M AT I O N
SECU RIT Y INCIDENTS

96.6
AT TA C K S P E R D AY

1
Federal and government IT and security professionals
face a unique challenge: they’re charged with
modernizing aging systems to embrace cloud and
mobility, yet they’re expected to do so with shoestring
budgets, burdensome legacy systems and a buying
process rife with fits and starts. It’s an uphill battle,
for sure.
Navigating this shift is complicated further by the
relentless attacks and threats aimed at government
bodies. According to The Washington Business
Journal, federal agencies reported 35,277 information
security incidents to the Department of Homeland
Security’s U.S. Computer Emergency Readiness Team
in fiscal 2017, which is up 14 percent from 30,899
reported the prior fiscal year. That breaks down to
about 96.6 attacks per day.
The DHS sums it up this way:
“Cyberspace and its underlying infrastructure are
vulnerable to a wide range of risk stemming from
both physical and cyber threats and hazards.
Sophisticated cyber actors and nation‑states exploit
vulnerabilities to steal information and money and
are developing capabilities to disrupt, destroy, or
threaten the delivery of essential services. A range of
traditional crimes are now being perpetrated through
cyberspace.”
Summarizing that statement:
there are risks to protect against
and vulnerabilities to shore up.
Hence, the push for IT
modernization in government.
2
1.0

Why Modernize?
Reduce Risk,
Prepare for the
Future

3
Simply put, the push for IT
modernization is fueled by two
key advancements: the cloud
and mobility — both of which are
forcing a pivot on how we think
about protecting government
data, applications and networks.
On top of the need to adopt new technology
to accommodate the shift in how users access
information and applications, the old model has
become a maintenance headache, introduces
vulnerabilities and offers a poor user experience.
Not to mention that it’s costly to run, update and
replace aging legacy gear.
The secure perimeter of
the past has crumbled.
Accessing cloud applications from anywhere on any
device and at any time has pushed that perimeter to
wherever the user is, and it’s up to security teams
to ensure those complex individual mini-perimeters
are all secure, accessible from within, protected and
frictionless.
Federal agencies, which for years had been expected
to adopt a cloud-first mindset, are now making the
move to zero-trust frameworks to accommodate
deperimeterization. Zero trust is a model in which
application access is granted based on trust in the
identity of the user and the device. It verifies trust at
the time of access and assumes no one person or
device is inherently more trustworthy than another, as
opposed to the old perimeter-based mantra of trust
anything that’s inside the corporate walls.
For agencies, modernization starts in earnest with
stronger authentication controls to verify the identity
of users accessing agency assets and then moves to
ensuring the devices accessing those assets meet an
agreed upon set of security requirements.
It sounds like a pretty easy way to modernize, but it’s
not without its challenges. In this ebook, we’ll examine
the pain points government agencies are likely to
encounter during their modernization efforts and how
to relieve them.
4
 FARS-CUI

DFARS-CUI

PIV/CAC

NIST SP 800-171
NIST 800-63-3

FIPS 140-2

5
2.0

Compliance
Confusion

FedRAMP, FISMA,
FIPS 140-2, DFARS/FAR and NIST
SP 800-63-3 AAL/FA.
Phew. That’s a lot of numbers and
letters to navigate. And they’re
all important. For agencies,
compliance is not an option.

6
 FedRAMP, FISMA, FIPS 140-2, DFARS/FAR and NIST
SP 800-63-3 AAL/FA. Phew. That’s a lot of numbers
and letters to navigate. And they’re all important.
For agencies, compliance is not an option.
There are dozens of laws, policies and standards
that government organizations must follow and,
sadly, there’s no map to show you the way. It’s often
so confusing that they hire consultants to help them
wade through the alphabet soup of compliance
regulations to determine which IT initiatives can help
(or hurt). And public sector organizations are regularly
subjected to audits to determine whether they’re in
compliance.
For example, NIST (National Institute of Standards
and Technology) 800-63-3 are digital identity
guidelines that allow commercial, off-the-shelf
IT solutions to stand in place of PIV/CAC cards
for logical authentication; FedRAMP (Federal Risk
and Authorization Management Program) is a
government standard that applies to cloud and SaaS
IT solutions, which must be FedRAMP approved to
be used by public sector organizations; FIPS 140-2
covers end‑to‑end encryption of data. DFARS-CUI
(Defense Federal Acquisition Regulation Supplement
- Controlled Unclassified Information) applies to
federal contractors and other non-government
organizations that store or transmit controlled
unclassified information and mandates multi-factor
authentication (MFA) for local and network access
to privileged accounts.
7
Maintaining the necessary protections to ensure
privacy and security are a lot for a small team or
individual to contend with, and can carry a costly fine
if not followed.
Duo can help you overcome
the compliance confusion by
providing a strong authentication
solution and the ability to set
access policies to ensure
compliance is maintained.
Duo is FedRAMP In-Process,
offers offline MFA functionality to
help comply with DFARS-CUI and
delivers two-factor authentication
to comply with NIST guidelines.
Duo’s trusted access solution features an easy‑to‑use,
combined admin dashboard that shows all policies
that have been configured and offers an audit of all
authentication events to make it easier for admins to
extract compliance-related data, which was once a
piecemeal process from across disparate asolutions.
With Duo, you get a trusted advisor to ensure your
security infrastructure is up to snuff to achieve
regulatory compliance and stay that way.
There are dozens of laws, policies
and standards that government
organizations must follow.
It’s often so confusing that they
hire consultants to help them
wade through the alphabet soup of
compliance regulations to determine
which IT initiatives can help (or hurt).

8
3.0

Poor Device
Visibility

Do you restrict the use of personal

devices or do you install some kind
of agent or client, like mobile device
management (MDM), on users’ personal
devices and deal with the blowback?
Neither sounds like the perfect option.

9
As mobility infiltrates federal agencies and other
government bodies, keeping tabs on those devices,
what they do and what they can access becomes
increasingly difficult. The private sector is currently
living in the era of bring your own device (BYOD),
but federal agencies aren’t quite ready to embrace it
(maybe it’s due to policy, maybe a bit of paranoia?).
But to keep pace with their enterprise counterparts,
agencies must understand that end users want to use
their own devices – smartphones, tablets, laptops,
watches, you name it – to access data and solutions
that were once only accessible via a government
owned and issued device.
For admins this shift will create a dilemma: do you
restrict the use of personal devices or do you install
some kind of agent or client, like mobile device
management (MDM), on users’ personal devices
and deal with the blowback? Neither sounds like the
perfect option.
Visibility without intrusion is key to
identifying at-risk devices before
they gain access to your systems.
But when it comes to IT in the
government, freedom is somewhat
of a foreign concept.
Federal agencies must determine their comfort
level with BYOD and user-owned devices and set
security policies reflective of that. Do you want to
restrict access to certain operating systems? Do you
want to ensure devices have a screen lock in place?
How about ensuring that encryption is turned on?
Or, perhaps most importantly, do you want to ensure
that devices adhere to a Comply to Connect (C2C)
framework that enforces that patches and hardened
configuration are applied to a device before it is
allowed to connect? And that the device is updated
continually? All of these are considerations.
When you enforce device‑level security policies, you
give your users freedom while you remain in control.
You have visibility into which devices are accessing
which applications and the security posture of
those devices.
Duo helps you face BYOD head
on. With Unified Endpoint
Visibility, government IT admins
can have insight into what
devices are accessing which
apps and from where. From
there, admins can set strict
device policies to ensure that
only trusted devices that meet
their security requirements
can access anything.
Duo takes it one step further, with features such as
Self-Remediation, which notifies users directly if their
device software is out of date and helps them update
it immediately before they can gain access.
When you can enforce strict device and application
access policies and have visibility into the security
health of every device authenticating to your
environment, at the time of access, you strengthen
your overall security posture and can support modern
approaches to mobility, like BYOD. Oh, and it keeps
your users happy.
With Duo, federal agencies can get over the
BYOD hump and better embrace modern mobility.
10
4.0
The PIV/CAC
Card Conundrum
Let’s address the elephant in
the room: Common Access Card
(CAC) and Personal Identity
Verification (PIV) deployments.
PIV/CAC requires a very heavy lift in supporting
a full-blown PKI (public key infrastructure), which
is incredibly difficult to set up and maintain. Not
to mention, each workstation requires a card
reader, which pushes the cost and maintenance
headaches even higher.
Admins can’t stand them. Cards are hard to issue,
challenging to replace when they’re lost and the
process of revoking and renewing certifications
and recovering users PINs is thorny.
And for users they’re tedious
for authentication.
11
At the same time, PIV/CAC cards can’t be
used to authenticate to cloud and SaaS
applications or from mobile devices, which
severely limits an agency’s mobility and cloud
options. Attempts have been made to make
this easier with the introduction of the derived
credential (SP-800-157), otherwise known as
PIV-D, but this only solves half of the problem.
Due to its limitations, the derived credentials
approach has not really been widely adopted.
While the physical card requirement goes away,
you still need to stand up, and maintain a very
complex, proprietary PKI. And contactors, which
make up a good portion of the workforce, can’t
always use them for all of their functions.
 PIV/CAC cards are so deeply
ingrained in the federal workflow
(roughly 95 percent of the federal
workforce uses them) that we’re
sort of stuck with them.

But PIV/CAC cards are so deeply ingrained in the

federal workflow (roughly 95 percent of the federal
workforce uses them) that we’re sort of stuck
with them. And for physical access, that’s fine, but
for IT and/or logical application access there is a
better way.

Fast-forward to today: a newer standard –

NIST 800-63-3, Digital Identity Guidelines – aims to
overcome the shortcomings of PIV/CAC and derived
credentials by letting public sector organizations
use selected commercially‑available solutions
for authentication. And while it appears that NIST
has relaxed password guidance, they’ve added
compensating controls, such as MFA, as their
reasoning since they acknowledged that strict
password policies punished users.

12
So where does
that leave us?

13
This method helps admins push
toward IT modernization while
giving users a fresh and frictionless
trusted access method.
While PIV/CAC cards serve several key functions,
most government agencies would consider
an additional technology to complement card
deployments as an alternative for logical access and
authentication. Replacing PIV/CAC altogether would
be too complex, too costly and wasteful of previous
investments, but replacing the authentication and
application access function of PIV/CAC cards is an
attractive compromise for agencies.
That’s where Duo comes in. Duo satisfies the
recent NIST regulations that allow for commercial
alternatives to be used in place of the authentication
function of PIV/CAC cards. And because Duo is
FedRAMP In-Process, federal agencies can buy the
solution. Duo’s MFA is not a replacement for PIV/CAC,
rather it supports them – cards still have other critical
uses, such as physical ID and identity proofing.
Using Duo for the authentication function once
offered by PIV/CAC carries a host of benefits: users
can authenticate into cloud and SaaS apps and
access apps from mobile devices.
Meanwhile, for admins it offers much lower total
cost of ownership (TCO); and it's easy to deploy,
administer, manage and support. Duo’s Device Insight
also gives admins the ability to support BYOD while
ensuring both government-issued and user-owned
devices are trusted, which enables contractors
access to the applications they need when working
with agencies and government bodies.
Duo makes it so users can use
their phones as a second factor
for authentication, instead
of their PIV/CAC cards.
Here’s how it works: through the Duo Mobile app on
a smartphone users can easily and quickly configure,
provision and allow users to self-enroll in Duo’s
service. From there, users log in with their username
and password, which triggers the Duo Mobile app
to send a push notification (Duo Push) to that user’s
phone. They can quickly complete the second factor
authentication by pressing Approve (or Deny if it’s
deemed a fraudulent authentication request).
14
5.0
Lingering in
Legacy Limbo
Much like PIV/CAC cards’ stranglehold on federal
agencies and government organizations, their
infrastructures are often built on legacy systems.
There are a lot of contributors
to agencies being stuck
in legacy limbo.
For example, they operate under a high level of risk
aversion. That, combined with the uncertainties of
funding, unbearably long buying cycles and often tight
budgets, tends to make government organizations
very slow to adopt new technology.
Agencies are also restricted mostly to solutions that
have been formally approved for use in government,
limiting their freedom to source and buy a solution
that fulfills their use case. This results in a higher level
of expectation that new technologies integrate into
their existing IT investments.
Federal agencies often must maintain original legacy
equipment that significantly lags behind the private
sector market in technology usage and updates.
They’re not early adopters, which has made the push
toward IT modernization appear daunting, despite
its necessity.
15
Duo can integrate into federal
infrastructure smoothly and without
the need for agencies to rip and
replace their legacy gear, helping
them meet modernization needs
while protecting their IT investment
and not breaking the budget.
This also helps agencies prepare for the future and
lay the groundwork for zero-trust security, as MFA
is a building block to a zero-trust model. And when
the time comes to replace legacy gear, Duo will
integrate seamlessly with new vendors, as well.
This is especially important as agencies prepare to
move applications to the cloud. Duo protects both
on‑premises applications supported by legacy gear
and cloud applications, which are a key component of
modernization effort.
Duo’s trusted access solution works with what
you have and will work with what you get in the
future, meaning agencies can start fortifying their
security posture now as they embark on their
IT modernization journey.
16
6.0

Get Modernizing
Cloud and mobility are pushing federal agencies
and government organizations to modernize their
IT – think of them as a forcing function for several
necessary updates to accommodate modern
workflows and alleviate the hassles of outdated
infrastructure.
Duo helps you:
• Overcome the compliance confusion
• Gain deep visibility into devices
• Solve the PIV/CAC conundrum
• Escape from legacy limbo

Duo is democratizing security so you can secure

IT modernization marks the our democracy.
perfect time for government
organizations to strengthen
their security and start planning
for the zero-trust future, and Learn more at duo.com/gov
Duo’s trusted access is an
imperative starting point.

Here, we examined the key pain points that can make

that modernization a headache. But none of them
are insurmountable. Duo can be your trusted advisor
as you dive into IT modernization and examine how
to secure access to data and applications. Duo’s
trusted access solution arms you with the protections
necessary to ensure only trusted users and trusted
devices can access your applications and data. And it
helps you defend against potential breaches.

17
Duo is democratizing security
so you can secure our democracy.

18
19
Access
Trusted Users. Trusted Devices. Every Application.
Duo Access takes everything in Duo MFA and
supercharges it. It delivers detailed visibility into the
security hygiene of every device, gives your users
a seamless and secure single sign‑on experience
and lets you quickly conduct phishing vulnerability
assessments and simulations to determine where
phishing risks exist in your organization.
Learn more about Duo and get a
free 30‑day trial at duo.com
Duo Access packs intelligence to check devices
for secure, up‑to‑date software; enabled security
settings on mobile devices; and location and network
data – actionable data that’s available through the
Device Insight dashboard. You can set policies
for groups to allow or restrict access and secure
BYOD environments by encouraging users to update
their software. It’s complete visibility without the
need for agents.
20
21