The federal
government’s identity
(management) crisis
For years, agencies have relied on card-based credentials
to manage employees’ access to IT resources.The COVID-19 outbreak could change that.
BY DEREK B. JOHNSON
The coronavirus pandemic has shut- tered federal office buildings and sent employees to work from home. Although government facilities will eventually reopen, the shift to tele- work is forcing agencies to change the way they handle identity and access management.
For years, Personal Identity Verifi- cation (PIV) cards for civilian agencies and Common Access Cards (CACs) for Defense Department agencies have been the preferred tools for regulating access to physical and IT resources. That dominance may be coming to an end.
The federal government and its base of contractors use nearly 5 mil- lion PIV cards, according to a National Institute of Standards and Technology estimate released in January. Digital security contractor Gemalto, which makes smart cards, estimates that DOD has approximately 4.5 million CACs in use at any given time.
But as quarantines and self-isola- tion guidelines took hold, the govern- ment discovered that many employees did not have agency-issued comput- ers with card readers at home, which meant some feds and contractors had no easy way to use the government’s primary means of authentication.
Civilian and military agencies are scrambling to purchase new comput-
ers and other equipment, but they are competing with industry and other organizations for limited supplies. In April, the Army cited impending sup- ply chain shortages as justification for its sole-source purchase of 200 ruggedized Dell laptops and docking stations that will “allow government workers to telework to avoid expo- sure to the potential COVID-19 while still completing the mission.” The Inte- rior Department and other agencies have made similar purchases.
“Every day that passes, confirmed COVID-19 cases spike and the death toll increases,” the Army wrote in its justification. “It is imperative that these [notebooks] are obtained as quickly as possible to protect public health.”
The limits of in-person
identity proofing
Shifting to telework has been par- ticularly problematic for the federal government because of its reliance on PIV cards and CACs, said Jeremy Grant, a coordinator at the Better Identity Coalition, a nonprofit orga- nization that works with policymakers to advance cybersecurity initiatives. And that’s not just because employees lack card-reading devices at home.
“On the government side, it’s defi- nitely presenting some special chal-
lenges, given that while it’s a great model and very secure, everything about the PIV is premised on this very robust in-person identity and proof- ing process,” said Grant, former senior executive adviser for identity manage- ment at NIST. “The challenge has been that we built this policy assuming you can always have this in-person pro- cess. Now that it’s not feasible, what are you supposed to do to make things secure?”
Under normal conditions, new hires obtain their PIV cards during an onboarding process that often includes in-person interactions to col- lect biometrics such as fingerprints. In a March 25 memo, the Office of Per- sonnel Management notes that many of the federal, state and local offices that vet newly hired government employees are temporarily closed due to the coronavirus outbreak, making it difficult or impossible for agencies to fulfill FBI requirements to collect fingerprints for background investiga- tions and criminal history checks.
The memo advises agencies to use
a number of
alterna-
tives
30 May/June 2020 FCW.COM