For our audit of the Department's multifactor authentication (MFA) for its high value assets (HVA), our objective was to determine whether the Department has implemented MFA for its HVAs in accordance with zero trust architecture (ZTA) principles. To address this objective, we determined the extent to which four selected bureaus had implemented MFA for their HVAs in accordance with Office of Management and Budget (OMB) requirements. The four selected bureaus were the Bureau of Economic Analysis (BEA), the U.S. Census Bureau (Census), the National Institute of Standards and Technology (NIST), and the National Telecommunications and Information Administration (NTIA).

We were able to exploit a weak MFA implementation to gain access to one NTIA system through a simulated phishing attack. We also found that none of the five selected HVAs had fully implemented all three OMB requirements: 1. phishing-resistant MFA, 2. application-layer MFA, and 3. modern password policies.

Specifically, we found:

I. NTIA Did Not Implement Adequate MFA to Protect an HVA Against Phishing Attacks

II. Selected Bureaus Had Not Fully Implemented MFA for Their HVAs in Accordance with ZTA Principles
Open Recommendations
Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details
---|---|---|---|---
4 | Yes | $0 | $0 | We recommend that the Department's CIO direct the NTIA CIO to implement phishing-resistant and application-layer MFA on both NTIA HVAs.
5 | Yes | $0 | $0 | We recommend that the Department's CIO direct the NTIA CIO to update and implement password policies in accordance with OMB requirements.
6 | Yes | $0 | $0 | We recommend that the Department's CIO direct the BEA CIO to implement application-layer MFA on the BEA HVA.
7 | Yes | $0 | $0 | We recommend that the Department's CIO direct the Census CIO to identify a feasible solution to adopt phishing-resistant MFA internally on the Census HVA.