Authenticating teleworkers for secure federal systems is challenging agencies that rely on Personal Identity Verification and Common Access Cards.
Even as quarantines and self-isolation guidelines are keeping federal workers at home, not everyone has home computers that can read the Personal Identity Verification (PIV) and Common Access Cards (CAC) required to access some government systems.
Jeremy Grant, a coordinator with the Better Identity Coalition, a non-profit advocacy organization made up of companies across the financial, health care, telecommunications, payments and security sectors, said adjusting to secure remote work has been particularly problematic for the federal government.
"On the government side, it's definitely presenting some special challenges, given that while it's a great model and very secure, everything about the PIV is premised on this very robust in-person identity and proofing process," said Grant, a former senior executive advisor at the National Institute of Standards and Technology, in an interview. "The challenge has been that we built this policy assuming you can always have this in-person process. Now that it's not feasible, what are you supposed to do to make things secure?"
Further, new hires normally go through a thorough onboarding process to obtain their cards that often includes in-person interactions to collect biometrics like fingerprints for their PIV credentials. In a March 25 memo, the Office of Personnel Management noted that many of the federal, state and local offices that vet newly hired government employees are "temporarily closed" due to the coronavirus outbreak, making it difficult or impossible to fulfill FBI requirements for fingerprints to process background investigations and criminal history checks.
The memo advises agencies to use a number of alternatives during the crisis, such as deferring the fingerprint collection, delaying the final reporting and adjudication of a new employee's background investigation or conducting temporary identity proofing through remote tools like video link, fax or email. New hires that vetted under the interim guidance will be required to undergo in-person identity-proofing when their agency returns to full capacity.
Just when that will be is the subject of much debate and speculation.
"BYOD is now the reality and will continue to be in the future, because I don't think we're going back to that type of work environment that we used to be in," said Greg Touhill, former federal CISO and current president of AppGate, during an April 15 Billington CyberSecurity webinar.
A longer version of this article was first posted to FCW, a sibling site to GCN.