GSA / idmanagement.gov

IDManagement.gov is a collaboration between GSA and the Federal CIO Council. It is managed by the Identity Assurance and Trusted Access Division in the GSA Office of Government-wide Policy.

Phishing Resistance Issues in IA Control Mapping Comments #969

Closed TheInfinityBeyonder closed 4 months ago

TheInfinityBeyonder commented 6 months ago

https://github.com/GSA/idmanagement.gov/blob/b9c94ee011fdcb18c64b06463dfb0628d298d28f/security-controls-mapping3.md?plain=1#L5365

Depending on other decisions, some Out Of Band products are not phishing-resistant, so they would not be approved.

https://github.com/GSA/idmanagement.gov/blob/b9c94ee011fdcb18c64b06463dfb0628d298d28f/security-controls-mapping3.md?plain=1#L5654

Single-factor OTP has been deprecated as non-phishing resistant.

https://github.com/GSA/idmanagement.gov/blob/b9c94ee011fdcb18c64b06463dfb0628d298d28f/security-controls-mapping3.md?plain=1#L5884

OTP is not phishing-resistant

https://github.com/GSA/idmanagement.gov/blob/b9c94ee011fdcb18c64b06463dfb0628d298d28f/security-controls-mapping3.md?plain=1#L5781

If OTPs are not phishing resistant, and in light of OMB 22-09, should we not direct agencies to sections that are not compliant based on other Executive Memos?

https://github.com/GSA/idmanagement.gov/blob/b9c94ee011fdcb18c64b06463dfb0628d298d28f/security-controls-mapping3.md?plain=1#L5718

Non-Phishing Resistant

https://github.com/GSA/idmanagement.gov/blob/b9c94ee011fdcb18c64b06463dfb0628d298d28f/security-controls-mapping3.md?plain=1#L6504

Non-Phishing Resistant

JBPayne007 commented 4 months ago

Didn't receive stakeholder feedback on items.