NIST first responder guidance: Balancing mobile security with response time

November 18, 2021 by Howard Poston

In August 2021, the National Institute of Standards and Technology (NIST) published another standard in its Special Publication (SP) 1800 series of documents designed to provide accessible cybersecurity solutions to problems. The new standard NIST SP 1800-13 is Mobile Application Single Sign-On: Improving Authentication for Public Safety First Responders.

The problem

This NIST special publication focuses on providing first responders with the information that they require. During an incident, first responders need prompt access to data, and agencies are increasingly taking advantage of smartphones and other mobile devices to provide access to this information.

The challenge is that the data that first responders require often includes sensitive information such as personally identifiable information (PII), law enforcement data, and protected health information (PHI). This information is protected by law, making it necessary to ensure that only authorized parties have access to it.

At the same time, people’s health, lives and property are at risk during these incidents. Delayed responses caused by a first responder’s inability to gain prompt access to data can amplify the damage incurred during emergency scenarios.

The solutions

The 1800 series of NIST publications focuses on providing cybersecurity solutions to various problems. In this case, NIST demonstrated how three cybersecurity solutions could be applied to the problem of balancing accessibility and security of sensitive data for first responders.

Single sign-on

A major problem that first responders face is that they require access to various tools and databases to do their jobs. Security best practices state that users should have unique, strong passwords for each application and website.

The problem is that individually authenticating to each of these sites can be difficult and time-consuming. As a result, first responders may feel forced to choose between usability and security.

Single sign-on (SSO) provides a solution to this problem. With SSO, a first responder authenticates once to the system at the beginning of their shift. Then, when the first responder attempts to access another tool or system, their authenticated identity can be securely passed to that system as well. By eliminating the need to memorize and enter multiple different passwords on different systems, SSO makes it possible to improve usability and speed access without compromising security.

Identity federation

First responders need to use multiple tools and databases to do their jobs. For example, a law enforcement officer may need to access data managed at the city, county, state, national and international levels. These tools and databases are often also owned by different agencies and organizations.

Each of these tools and databases is maintained by a different organization with its own access rules. SSO on its own does not provide a solution to this problem because SSO is designed to centralize authentication within a particular environment. With many different environments, no central authority exists to approve or deny requests.

Federation allows user identities to be passed between and trusted by different organizations. For example, once a law enforcement officer’s identity has been verified at the local level, this verified identity can be transmitted to other organizations when the officer requests access to their systems. Access can then be permitted or denied based on access controls without revalidating that the officer is who they claim to be. For this reason, NIST recommends the use of an identity federation for first responders.
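As an added illustration of the SSO and federation flow described above (this is not code from NIST SP 1800-13 or from any vendor named on this page), the following Python model has a local identity provider issue one signed assertion at shift start and lets a second agency verify it and apply its own access rules without re-prompting for credentials. The shared HMAC key, issuer names, roles and access policy are constructed assumptions standing in for the SAML/OIDC-style signed assertions a real federation would exchange.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key shared by the local IdP and its federation partners.
# Assumption: a real federation uses asymmetric signatures (SAML/OIDC), not a shared HMAC key.
IDP_KEY = b"constructed-demo-key-not-for-production"

# Relying party's trust list and local access rules (constructed sample data).
TRUSTED_ISSUERS = {"city-pd-idp": IDP_KEY}
ACCESS_POLICY = {"phi_records": {"paramedic"}, "warrants": {"officer"}}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(key, issuer, subject, roles, mfa_factors, ttl=8 * 3600, now=None):
    """IdP side: after a successful MFA login at shift start, mint one signed identity assertion."""
    now = time.time() if now is None else now
    claims = {"iss": issuer, "sub": subject, "roles": roles, "amr": mfa_factors,
              "iat": now, "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def verify_assertion(token, now=None):
    """Relying party side: check issuer trust, signature, expiry and MFA; never re-prompt for a password."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
        claims = json.loads(body)
    except ValueError:
        return None  # malformed token
    key = TRUSTED_ISSUERS.get(claims.get("iss"))
    if key is None:
        return None  # issuer is not a federation partner
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), sig):
        return None  # tampered or forged assertion
    if claims["exp"] <= now or len(claims.get("amr", [])) < 2:
        return None  # expired, or the initial login was not multi-factor
    return claims


def authorize(token, resource, now=None):
    """Local access control decision based on the federated identity's roles."""
    claims = verify_assertion(token, now)
    return claims is not None and bool(ACCESS_POLICY.get(resource, set()) & set(claims["roles"]))
```

The relying party trusts the verified identity but still decides access by its own policy, which is the division of responsibility the federation model relies on.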

Multi-factor authentication

SSO and identity federation are designed to eliminate unnecessary authentication steps for first responders. However, the underlying assumption is that the initial authentication process has accurately verified the user’s identity.

The types of data that first responders access require strong authentication, and password-based authentication is not enough. Poor password security is a common problem, and passwords are commonly leaked or guessed.

By providing recommendations for implementing multi-factor authentication (MFA), NIST provides a solution to this problem. With MFA, first responders must authenticate using multiple factors such as a password and a digital certificate stored on an ID badge. By requiring a user to both know a password and have a physical credential in their possession, MFA increases the strength of the user authentication process.

Providing solutions to first responders’ problems

NIST SP 1800-13 does not only provide recommended solutions; it also offers guidance for implementing them. This publication was drafted with Ping Identity, Motorola Solutions, Yubico, Nok Nok Labs and StrongKey.

Each of these organizations submitted information about their capabilities regarding federation servers, mobile apps, external authenticators, Fast Identity Online (FIDO) Universal Authentication Framework (UAF) servers and FIDO Universal Second Factor (U2F) servers, respectively. The NIST report describes exactly how to use these capabilities to solve the challenge faced by first responders, making strong cybersecurity accessible.

Howard Poston is a cybersecurity researcher with a background in blockchain, cryptography and malware analysis. He has a master's degree in Cyber Operations from the Air Force Institute of Technology and two years of experience in cybersecurity research and development at Sandia National Labs. He currently works as a freelance consultant providing training and content creation for cyber and blockchain security.