oneilldon opened this issue 8 years ago
3FA?
In response to 3FA?
Use three-factor authentication to control access to data and information on the Internet:
What you have, i.e., card, token
What you are, i.e., iris, fingerprint
What you know, i.e., password, security question
It seems as if specifying three-factor authentication (or two-factor authentication) should be driven by the referenced standards: SP 800-53 Rev. 4 and SP 800-171. While there might be some value to requiring three-factor authentication for various systems and under various conditions, it doesn't seem appropriate to specify that here and override the referenced supporting standards.
Comments: OMB Improving Cyber Security Protections in Federal Acquisitions
Don O'Neill, Independent Consultant
ONeillDon@aol.com
Responsibility for controlling, securing, and protecting the dissemination of data and information must lie with those who choose to entrust proprietary data and information to the Internet. Organizations have proven that they cannot be depended upon to exercise due diligence with respect to the handling of proprietary data and information entrusted to them. If an organization decides to place its proprietary data and information on the Internet, it must acknowledge acceptance of the risk and take steps to mitigate the risk and its consequences.
The most effective, intelligent, and ethical steps to mitigate Cyber Security risk are an organization policy and assured practice to mitigate Cyber Security risk by taking the following steps: