November 07, 2024
Simplifying Secure Authentication for the Federal Government
How CDW helped the federal government build a shared authentication platform.
When a large agency in the federal government first dreamed up a shared authentication platform that would allow citizens to log in to dozens of government websites with a single username and password, they planned to tackle the project internally. But as more and more government agencies became interested in the product, the list of required features grew exponentially — as did the security requirements.
To serve more than 30 million potential end-users, this agency knew they would need support from a partner who could build responsive tools and work in an agile, iterative and secure way. They wanted to use Amazon Web Services (AWS) tools to get the job done — and to enhance security and streamline user experience, they called CDW Government.
Enabling Agile Security With AWS Tools
When CDW Government joined the project, our primary role was consulting with this agency on application development and AWS security. Following a consistent and modern DevSecOps approach, CDW Government helped the federal agency scale its new application quickly while keeping users’ private information safe.
First, CDW Government leveraged its close relationship with AWS and deep knowledge of DevSecOps to build a secure platform for the agency. As we built the platform, we also consulted with the agency’s team to share best practices for implementing critical security tools, including Macie, GuardDuty, WAF and rotating KMS keys. Notably, a citizen’s personal information is dual encrypted using KMS and the account password. This means that only citizens have the unique power to unlock their personal information.
“Only a user’s password can unlock their personally identifiable information (PII) — which means as a user, you can rest assured that your information is safe,” explains Aaron Chapman, director of software engineering at CDW Government. “Even Congress couldn’t access the encrypted personal information in this system.”
Next, the CDW Government team built automation tools into the platform to support ongoing security and compliance and to ensure seamless disaster recovery. We leveraged automated alerting to keep user data safe without tasking engineers with mundane and repetitive work. And we worked closely with AWS to ensure the platform could scale and fail over into another AWS region — a critical element of disaster recovery if the platform’s primary region goes down.
Supporting IAL2 Compliance and Readying the Federal Agency for the Future
As part of their security efforts, CDW Government also helped this federal agency team get ready for Identity Assurance Level 2 (IAL2) compliance. “IAL1 compliance asks for only a username and password to log in, while IAL2 requires that users complete an identity proofing process for a higher level of assurance that they are who they say they are,” notes Chapman. “That verification includes a driver’s license and SSN or government ID that can be tied to the user’s address or phone number through financial documents and DMV records.”
The National Institute of Standards and Technology (NIST) recommends that agencies follow IAL2 standards — and because this agency wanted to serve as many government agencies as possible, they needed to incorporate IAL2 compliance into their platform.
To ready the platform for IAL2 compliance, the CDW Government team built a system that enables users to upload a photo of their driver’s license, which is then proofed against DMV and financial records. Once the identity is confirmed, users receive a code via an SMS message to their verified phone number or a letter to their verified address, which they input into the system to log in.
Security wasn’t the only factor at play here, however — the verification also needed to work quickly and seamlessly for the end-users. To speed up verification of government IDs, CDW Government developed a proofing process that cryptographically verifies the user using the digital certificate stored in their ID. This secure form of multi-factor authentication streamlined the login process while protecting user data.
Simplifying Secure Authentication for the Government and its Citizens
The CDW Government team played a crucial role in enhancing security and ensuring compliance for this agency. We helped them achieve Federal Information Security Management Act (FISMA) Moderate compliance and IAL2 authentication, and we helped them prepare for a Federal Risk and Authorization Management Program (FedRAMP) Moderate Authority to Operate (ATO).
But CDW Government’s cybersecurity expertise doesn’t just benefit the agency’s staff. As experts in user experience design, the CDW Government team also provided UX content for the platform. This content includes FAQs and guidance written in plain language that any user can understand. With these tips in hand, the users themselves can take steps to protect their private information from bad actors — on the government site and beyond.
Today, this website is operational at several agencies. The project, which began with only one or two government agencies on board, has expanded to support over 20 agencies and 30 million end users. As the site continues to grow, the GSA can rest assured that its system is secure, scalable and user-friendly — thanks in large part to the strong foundation laid by the CDW Government team.