Re: 2 sweet FA
The CAC, as far as I know, was universally used in DoD by 2009 or earlier. For PCs. My agency had a number of non-PC machines in locked or otherwise access controlled rooms that were not equipped for 2FA either with smartcard readers or the requisite software. I suspect that in the major DISA data centers that also was true, especially for the likes of zSeries and Unisys mainframes. I certainly wouldn't argue that it was a good thing, but it would have taken more than a minor effort to implement across the number and variety of machines I suspect are present on NSA premises.
One more comment on the finding about reduction in the number of administrators with privileged access: one of the actions taken reportedly was to do administration in pairs. That would have run seriously against an absolute reduction in privileged access personnel since it would increase the labor required for administration by a factor of at least two.
Biting the hand that feeds IT
