{"id":2446,"date":"2024-01-29T19:53:26","date_gmt":"2024-01-29T19:53:26","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=78938"},"modified":"2024-01-29T19:53:26","modified_gmt":"2024-01-29T19:53:26","slug":"a-tangled-mess-government-rules-for-social-media-security-lack-clarity","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/01\/29\/a-tangled-mess-government-rules-for-social-media-security-lack-clarity\/","title":{"rendered":"A tangled mess: Government rules for social media security lack clarity"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v21.7 (Yoast SEO v21.7) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>A tangled mess: Government rules for social media security lack clarity | CyberScoop<\/title> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/federal-government-agency-social-media-security-multifactor-authentication\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"A tangled mess: Government rules for social media security lack clarity\"> <meta property=\"og:description\" content=\"In wake of SEC breach, federal policymakers, agencies, and experts can't seem to agree on whether agencies must use MFA on social media.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/federal-government-agency-social-media-security-multifactor-authentication\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2024-01-29T19:53:26+00:00\"> <meta property=\"og:image\" 
content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/a-tangled-mess-government-rules-for-social-media-security-lack-clarity-1.jpg\"> <meta property=\"og:image:width\" content=\"4954\"> <meta property=\"og:image:height\" content=\"2826\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"mbracken\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1701905043g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress-next\/dist\/css\/related-posts-block-styles.min.css?m=1706140682g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1705497366g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=b50a7fc68d02387a0cbc\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/78938\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.4.2\">\n<link rel=\"shortlink\" 
href=\"https:\/\/cyberscoop.com\/?p=78938\">\n<link rel=\"alternate\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Ffederal-government-agency-social-media-security-multifactor-authentication%2F\">\n<link rel=\"alternate\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Ffederal-government-agency-social-media-security-multifactor-authentication%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-78938 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/federal-government-agency-social-media-security-multifactor-authentication\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close 
js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.629032258065\">\n<div class=\"single-article__header-content\" readability=\"31.389891696751\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/news\/government\/\"> <span>Government<\/span> <\/a> <\/li>\n<\/ul>\n<p> In wake of SEC breach, federal policymakers, agencies, and experts can&#8217;t seem to agree on whether agencies must use MFA on social media. 
<\/p>\n<\/p><\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"365\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/a-tangled-mess-government-rules-for-social-media-security-lack-clarity.jpg?resize=640%2C365&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/a-tangled-mess-government-rules-for-social-media-security-lack-clarity-1.jpg 4954w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/a-tangled-mess-government-rules-for-social-media-security-lack-clarity-1.jpg?resize=300,171 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/a-tangled-mess-government-rules-for-social-media-security-lack-clarity-1.jpg?resize=768,438 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/a-tangled-mess-government-rules-for-social-media-security-lack-clarity-1.jpg?resize=1024,584 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/a-tangled-mess-government-rules-for-social-media-security-lack-clarity-1.jpg?resize=1536,876 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/a-tangled-mess-government-rules-for-social-media-security-lack-clarity-1.jpg?resize=2048,1168 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/a-tangled-mess-government-rules-for-social-media-security-lack-clarity-1.jpg?resize=600,342 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/a-tangled-mess-government-rules-for-social-media-security-lack-clarity-1.jpg?resize=295,168 295w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/a-tangled-mess-government-rules-for-social-media-security-lack-clarity-1.jpg?resize=591,337 591w, 
https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/a-tangled-mess-government-rules-for-social-media-security-lack-clarity-1.jpg?resize=1183,675 1183w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/a-tangled-mess-government-rules-for-social-media-security-lack-clarity-1.jpg?resize=1478,843 1478w\" sizes=\"(max-width: 1183px) 100vw, 1183px\"><figcaption> An aerial view shows a newly constructed X sign on the roof of the headquarters of the social media platform previously known as Twitter, in San Francisco, on July 29, 2023. (Photo by JOSH EDELSON\/AFP via Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"121.81940221019\"><body readability=\"246.37789338762\"><\/p>\n<p>Earlier this month, the Securities and Exchange Commission posted on the social media network X that it had finally approved a long-awaited bitcoin exchange-traded fund. The price of the cryptocurrency immediately spiked, but there was one problem: The SEC <a href=\"https:\/\/cyberscoop.com\/sec-bitcoin-etf-gensler\/\">hadn\u2019t actually approved the measure<\/a>.&nbsp;&nbsp;<\/p>\n<p>The SEC\u2019s X post was in fact the work of a fraudster, and the agency\u2019s social media account had been hacked, the regulatory body said in a subsequent statement.&nbsp;<\/p>\n<p>The incident has spotlighted the power that comes with controlling a government social media profile, and in the SEC\u2019s case, it was all too easy to hijack an account with the ability to move markets. 
The hijacker did so <a href=\"https:\/\/cyberscoop.com\/sec-x-twitter-bitcoin\/\">using a SIM-swapping attack<\/a> and took advantage of the fact that the SEC had <a href=\"https:\/\/cyberscoop.com\/after-hack-x-claims-sec-failed-to-use-two-factor-authentication\/\">disabled multifactor authentication<\/a>.&nbsp;&nbsp;<\/p>\n<p>Multifactor authentication is the kind of basic cybersecurity hygiene that security professionals have been promoting for years. The SEC\u2019s failure to implement this simple but effective security measure raises an equally simple question: Are federal agencies required to use multifactor authentication for their social media accounts?<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>It\u2019s a straightforward question that would seem to lend itself to a straightforward answer, but instead reveals a tangled web of authorities and rules. In the wake of this most recent breach, it\u2019s unclear whether the SEC&nbsp;\u2014&nbsp;or any other federal agency \u2014 is formally required to deploy MFA on their social media.&nbsp;<\/p>\n<p>Scoop News Group asked federal agencies, the Office of Management and Budget, and the Cybersecurity and Infrastructure Security Agency what current rules are in place. Former White House cybersecurity officials, cybersecurity policy lawyers, congressional staffers and federal identity experts were also asked what security measures apply to government social media accounts \u2014 none could offer a definitive answer and some were wary about going on the record due to that uncertainty.<\/p>\n<p>Outside experts emphasized that protections like multifactor authentication and other phishing-resistant security measures are so fundamental to modern cybersecurity that agencies shouldn\u2019t need to have a mandate in place to do it. 
At the same time, according to these experts, the SEC X account hijacking indicates more clarity may be needed from the White House or Congress on baseline security expectations for social media accounts.<\/p>\n<p><strong>Multiple approaches to multifactor<\/strong><\/p>\n<p>A review of how the federal government approaches cybersecurity for social media accounts finds that while many agencies say they are utilizing two-factor or multifactor authentication and other protections, they cite a variety of authorities and reasons for doing so.&nbsp;<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>This review reflects Scoop News Group inquiries to the 24 agencies covered by the Chief Financial Officers Act, as well as agencies like the Office of the Comptroller of the Currency and the Consumer Financial Protection Bureau. Meanwhile, the two agencies responsible for setting security policy for civilian federal agencies \u2014 OMB and CISA \u2014 did not answer questions about whether multifactor authentication for social media is covered by existing mandates, such as the Biden administration\u2019s <a href=\"https:\/\/www.whitehouse.gov\/briefing-room\/presidential-actions\/2021\/05\/12\/executive-order-on-improving-the-nations-cybersecurity\/\">2021 cybersecurity executive order<\/a> or past OMB memos.&nbsp;&nbsp;<\/p>\n<p>It\u2019s important to note that different agencies have vastly different needs for social media. 
While the Nuclear Regulatory Commission maintains just a handful of accounts, agencies like the State Department, which has offices all over the world, and NASA, which produces science content, deploy far more.&nbsp;<\/p>\n<p>But federal agencies appear to have no unified approach in securing their social media accounts:&nbsp;<\/p>\n<ul>\n<li>The Environmental Protection Agency said it uses a third-party social media management tool that\u2019s integrated with a single sign-on system that depends on a personal identity verification card or Login.gov, the government\u2019s new authentication service.<\/li>\n<li>The Department of Energy said that it uses MFA on its account and added that it \u201cencourages its offices and National Laboratories to do the same on the accounts they maintain.\u201d The agency said that before elements of the agency open new social media accounts, they need to \u201cstipulate the security measures they take\u201d and must use two-factor authentication.<\/li>\n<li>The Department of Justice said it communicates with its DOJ social media managers about best practices, including MFA.<\/li>\n<li>The CFPB said it employs multifactor authentication when available.&nbsp;<\/li>\n<\/ul>\n<p>The stakes for securing social media accounts are high and potentially widespread, as there are hundreds of federal agency social media accounts, according to <a href=\"https:\/\/digital.gov\/services\/u-s-digital-registry\/\">the U.S. Digital Registry<\/a>, a government-run platform where agencies register those accounts.&nbsp;<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Yet some agencies appear to have only recently required MFA. The Department of Labor said that it only implemented multifactor authentication last year after a policy change issued by the agency\u2019s assistant secretary for administration and management. 
Tim Gorman, a spokesperson for the Defense Department, said that the agency\u2019s assistant director for public affairs sent guidance in April 2023 that required the use of multifactor authentication on social media accounts and pointed to specific services.<strong>&nbsp;<\/strong><\/p>\n<p>For others, the SEC breach served as a wake-up call. \u201cIn response to the recent SEC breach, NASA reminded communicators of social media security measures,\u201d Jennifer Dooren, the space agency\u2019s deputy news chief, said in an email. The agency requires MFA on its social media, Dooren said, adding: \u201cthe guidance provided to admins of official NASA accounts underscores the importance of this practice.\u201d<\/p>\n<p>Some agencies did point to overarching federal policy when asked about their social media security policies. The Education Department cited the president\u2019s <a href=\"https:\/\/www.whitehouse.gov\/briefing-room\/presidential-actions\/2021\/05\/12\/executive-order-on-improving-the-nations-cybersecurity\/\">executive order on improving the nation\u2019s cybersecurity<\/a> in support of MFA, and, specifically a line \u201cestablishing multifactor, risk-based authentication and conditional access across the enterprise.\u201d&nbsp;<\/p>\n<p>Publicly available social media policies of agencies also reveal divergent approaches. Social media policies at the <a href=\"https:\/\/fam.state.gov\/FAM\/10FAM\/10FAM0180.html\">State Department<\/a> and <a href=\"https:\/\/www.commerce.gov\/about\/policies\/social-media#it-security\">Commerce Department<\/a> mention MFA but cite different documents, or no documents at all, in support of that requirement. 
Policies at other agencies don\u2019t mention multifactor authentication \u2014 including at <a href=\"https:\/\/www.governmentattic.org\/38docs\/SECsocialMediaPgmPolicy_2019.pdf\">the SEC<\/a>, <a href=\"https:\/\/www.gsa.gov\/directives-library\/gsa-social-media-policy-2\">the General Services Administration<\/a> and the <a href=\"https:\/\/www.nsf.gov\/social\/policies.jsp#:~:text=Comments%20published%20on%20NSF%20social,will%20find%20specific%20contact%20information.\">National Science Foundation.<\/a>&nbsp;<\/p>\n<p>Several agencies did not respond to requests for comment or declined to comment on their commitment to MFA on social media accounts, including the Transportation Department, the Department of Agriculture and the Commerce Department.&nbsp;<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>It\u2019s not clear what security practices the SEC \u2014 which is an independent agency often exempt from rules and regulations that govern other civilian agencies \u2014 was employing or required on its account when it was breached.&nbsp;<\/p>\n<p>In its Jan. 22 statement, the SEC said it did have MFA enabled prior to July 2023 but asked X\u2019s support team to disable the feature due to account access issues. A <a href=\"https:\/\/www.governmentattic.org\/38docs\/SECsocialMediaPgmPolicy_2019.pdf\">social media policy<\/a> from 2019 that was obtained by the watchdog group GovernmentAttic states that the SEC\u2019s general counsel and information technology office are supposed to ensure social media accounts comply with security and legal requirements. 
A <a href=\"https:\/\/www.sec.gov\/about\/privacy\/pia\/pia-twitter.pdf\">2017 SEC privacy impact assessment<\/a> notes that a primary account manager within the SEC\u2019s public affairs office is supposed to provide \u201ctechnical guidance to individual account holders\u201d and ensure \u201cthat the account is regularly monitored for security issues.\u201d&nbsp;<\/p>\n<p>Neither document explicitly cites MFA \u2014&nbsp;and the SEC did not respond to questions about whether the documents have been updated since they were issued.&nbsp;<\/p>\n<p><strong>A tangled policy landscape<\/strong><\/p>\n<p>In theory, requiring federal agencies to secure their social media accounts should be a simple matter. Existing cybersecurity regulations might already address this issue, but both experts and policymakers can\u2019t seem to agree on whether that\u2019s actually the case.&nbsp;<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>An OMB<a href=\"https:\/\/www.whitehouse.gov\/wp-content\/uploads\/2022\/01\/M-22-09.pdf\"> memo<\/a> issued in 2022 requires agencies to implement a \u201czero trust\u201d security architecture mandated by a 2021 Biden administration executive order on cybersecurity. The memo states that federal agencies \u201cmust use strong MFA throughout their enterprise,\u201d implement phishing-resistant authentication for staff, contractors and partners and enforce MFA \u201cat the application layer, instead of the network layer.\u201d<\/p>\n<p>Some experts argue that the executive order and the OMB\u2019s guidance should require federal agencies to use multifactor authentication. 
Jeremy Grant, who served as program lead for the White House National Strategy for Trusted Identities in Cyberspace in the Obama administration, said that while he is not aware of any specific mandates around the implementation of multifactor authentication for social media accounts, the OMB memo\u2019s security requirements should capture third-party applications such as X.<\/p>\n<p>\u201cIt\u2019s pretty clear you should be securing all your enterprise systems with not just MFA but phishing-resistant authentication,\u201d said Grant, now a managing director of technology business strategy at Venable. \u201cI think where there\u2019s confusion or ambiguity is the question of, where do your enterprise systems stop?\u201d<\/p>\n<p>The wide range of authorities cited by federal agencies regarding security measures for social media platforms points toward a lack of clarity about what rules apply. And at least one former White House cybersecurity official believes OMB and CISA may ultimately lack the authority to regulate how civilian agencies secure their social media accounts.&nbsp;<\/p>\n<p>Grant Schneider, the federal chief information security officer and senior director of cybersecurity on the National Security Council during the Trump administration, said that much of the authority those agencies have over civilian federal cybersecurity policy derives from FISMA, a law originally passed in 2002 and updated in 2014.&nbsp;<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Because that law is focused on \u201cfederal information and federal information systems,\u201d when an agency is using a social media platform that is not housing or processing federal data, \u201cI\u2019m not convinced that OMB or CISA, at least under FISMA, has the authority to direct how agencies secure those accounts,\u201d Schneider said.&nbsp;<\/p>\n<p>Confusion about whether the OMB\u2019s zero 
trust rules require multifactor authentication is shared across government. In a<a href=\"https:\/\/www.wyden.senate.gov\/imo\/media\/doc\/wyden_lummis_letter_to_sec_oig_about_social_media_hack.pdf\"> letter<\/a> to the SEC following the breach, Sens. Ron Wyden, D-Ore., and Cynthia Lummis, R-Wyo., expressed the view that \u201cthe OMB policy only applies to agency-hosted systems, and not social media websites.\u201d<\/p>\n<p>Alex Howard, a long-time digital government transparency advocate, told Scoop News Group that federal policy for social media accounts should be crystal clear to both the public and agencies. Government accounts, as well as personal accounts for high-level officials, \u201cshould have the level of security that is commensurate with the impact they would have if compromised.\u201d<\/p>\n<p>Meanwhile, the two agencies with the broadest view and authority over federal civilian security policy have not provided clear answers regarding what power they have to mandate multifactor authentication.<\/p>\n<p>Scoop News Group submitted questions to CISA\u2019s public affairs office asking if the cybersecurity executive order or any other federal mandates compelled agencies to use multifactor authentication for social media accounts. CISA spokesperson Antonio Soliz responded with a two-sentence statement that it described as \u201cgeneral policy\u201d and not related to the SEC X account incident.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cMultifactor authentication is one of the most effective cybersecurity measures to prevent intrusions. 
As directed by Executive Order 14028, CISA works with federal agencies to drive adoption of strong MFA methods wherever feasible,\u201d\u202fthe agency said in response.<\/p>\n<p>The agency did provide <a href=\"https:\/\/www.cisa.gov\/sites\/default\/files\/publications\/CISA_CEG_Social_Media_Account_Protection_508.pdf\">detailed steps<\/a> to federal agencies in 2021 on how to secure their social media accounts. However, the document is described as recommended guidance and does not cite any federal rules or regulations.&nbsp;<\/p>\n<p>And the breach of the SEC\u2019s X account does not appear to have prompted any updated guidance.&nbsp;<\/p>\n<p>\u201cFollowing the recent SEC breach, we have not received any new guidance from the Cybersecurity and Infrastructure Security Agency (CISA) but continue to follow the best practice security protocols previously established,\u201d said Ryan Honick, a public affairs specialist at the Department of Labor. NASA also said it has not received any specific guidance from CISA.<\/p>\n<p>Meanwhile, OMB did not respond to inquiries about its authority over security for agency social media accounts. At an event in Washington last week, federal CISO Chris DeRusha declined to answer whether agencies are required to use MFA for their agency accounts, telling Scoop News Group he would need to check with staff and follow up.&nbsp;<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>At time of publication, OMB had not provided an answer to the simple question that began this investigation: What power does the federal government have to require multifactor authentication on government social media accounts?<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"0.30593607305936\">\n<div class=\"author-card\" readability=\"7\">\n<p><h4 class=\"author-card__name\">Written by Rebecca Heilweil and Derek B. 
Johnson<\/h4>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- 
Start of HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/federal-government-agency-social-media-security-multifactor-authentication\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A tangled mess: Government rules for social media security lack<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[452,117,1396,522,1324,1460],"tags":[454,119,1397,525,1326,1461],"class_list":["post-2446","post","type-post","status-publish","format-standard","hentry","category-cybersecurity-and-infrastructure-security-agency-cisa","category-government","category-multi-factor-authentication-mfa","category-omb","category-securities-and-exchange-commission-sec","category-social-media-security","tag-cybersecurity-and-infrastructure-security-agency-cisa","tag-government","tag-multi-factor-authentication-mfa","tag-omb","tag-securities-and-exchange-commission-sec","tag-social-media-security"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity-and-infrastructure-security-agency-cisa\/\" rel=\"category tag\">Cybersecurity and Infrastructure Security Agency (CISA)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/government\/\" rel=\"category tag\">Government<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/multi-factor-authentication-mfa\/\" rel=\"category tag\">multi-factor authentication (MFA)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/omb\/\" 
rel=\"category tag\">OMB<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/securities-and-exchange-commission-sec\/\" rel=\"category tag\">Securities and Exchange Commission (SEC)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/social-media-security\/\" rel=\"category tag\">social media security<\/a>","tag_info":"social media security","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2446","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=2446"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2446\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=2446"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=2446"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=2446"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}