A March 22 memo from the White House’s Office of Management and Budget encouraged agencies to consider alternative methods of authentication in case of an extended telework period caused by the new coronavirus.
The guidance comes as federal networks are strained and the number of employees at headquarters is reduced while the federal government makes adjustments to ensure its workforce remains safe from exposure to COVID-19.
The guidance addresses the possibility that agencies will be unable to issue new personal identity verification (PIV) cards during an extended telework period. In the FAQ section of the memo, OMB encouraged agencies to work with it and the General Services Administration to “resolve any issues” with issuing PIV cards.
“If agencies are unable to issue a PIV credential, they should be prepared to issue an alternate credential/authenticator for physical and logical access,” Deputy Director for Management Margaret Weichert wrote in the guidance.
The guidance from OMB was praised by Sean Frazier, federal advisory chief information security officer at Cisco’s Duo Security, a multi-factor authentication platform.
“Users who are being asked to work from home — some of whom never have — will need the same level of security as if they were working in the office,” Frazier said in a statement. “This means consistent, easy to use security across all applications, across all access methods. If agencies use smart cards (PIV/CAC) with inherent multi-factor authentication on government work systems, they need to be sure federal workers and contractors have comparative controls when they work from home.”
The increase in telework also poses great risk to federal networks beyond authentication. Experts told Fifth Domain that users are more susceptible to spear-phishing attacks and that pushing security patches becomes more difficult. Experts also warned about people performing official business on personal devices.
“Agency technology leaders also need to anticipate their workforce may be using their own devices and technology,” Frazier said. “If a user is moved to remote status and these basic protections don’t exist, a threat vector will be created.”