Multifactor authentication could be long haul for some federal agencies, CISA official says

Eric Goldstein said agencies are focusing hard on adopting MFA, but some are dealing with older IT.

It could be a lengthy path for some federal agencies to adopt the key security step of multifactor authentication required under an executive order last summer, a top federal cybersecurity official told CyberScoop Wednesday.

While Eric Goldstein, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency, said agencies were applying “extraordinary attention and focus and effort on this issue,” there are difficulties that will take time to overcome for agencies that still haven’t met a November deadline on multifactor authentication (MFA). MFA requires users to access websites and systems by entering a password, then also using another device to verify their identity.

“The challenge is that no insignificant number of federal systems are running on legacy infrastructure, which means that it’s not just as simple as deploying a modern authentication stack on top of your modernized infrastructure,” Goldstein, whose agency is housed within the Department of Homeland Security, said in an interview at the 2022 RSA Conference.

In other words, those old, outdated systems have to be substantially updated or fully replaced to comply with newer security tech.

Asked whether it might take years for some agencies to get up to speed, Goldstein answered, “I don’t think it’s years away. Obviously, every agency and every system is going to be unique.”

Congressional exasperation with the slow pace of agencies deploying MFA emerged at a House hearing last month. The May executive order had “aggressive but achievable” deadlines, a White House official said last year.

MFA, that same official said, could prevent 80 to 90% of all successful cyberattacks.

Goldstein said the solution involves agencies increasingly adjusting their budgets to get their systems to a place where they can adopt MFA, something he’s seeing happen. They are also tapping Technology Modernization Fund (TMF) money.


The Biden administration is seeking $300 million for the fund in fiscal 2023, which dedicates dollars to agencies upgrading aging IT systems and expects recipients to reimburse the TMF from cost savings gained via improved efficiency with the better tech.
