New administration and Covid-19 aftermath surges demand for next-gen security in public sector

2021 marks the year that two game-changing events have put onboarding remote employees and strong authentication on the radar for many public sector agency heads. Since March 2020, most government workers, like everyone else, have been forced to work remotely in systems that were not designed for secure work-from-home situations. IT executives scrambled to find ways for workers to continue to be productive at home without “giving away the store” on security.

In January 2021 the problem got stickier: tens of thousands of new employees that were brought on with the new Biden administration had to be onboarded, and the usual federal government onboarding process involves a fairly COVID-unsafe procedure of visiting physical sites for identity-proofing and personal identity verification (PIV) cards or common access cards (CAC). The challenge of this year came into focus: how do you securely onboard many people at once – and make it easy for the new hire to figure out the federal onboarding process – in a remote worker environment?  

The good news is that help is on the way. Authentication protocols and standards are adapting to make this process easier. The bad news is that government agencies are not known for lightning speed when it comes to change and security innovation. So while we should expect to see more products this year that are aimed at making the federal government onboarding process easier and more secure, adoption won’t be instantaneous.

Is this the end of PIV and CAC? Not yet.

Nearly everyone who works for the government has either a PIV card or CAC. PIVs are used for non-military agencies, and CAC is a Department of Defense standard. These physical smart cards are a familiar, robust way to verify that someone who logs into a system is actually who they say they are. But this system is tethered to the physical card readers that are required to read them, both at the point of validation and the workstation. The pandemic has permanently changed the way agency heads think about where PIV/CAC is most useful. It works well for physical work sites, but trusted, next-gen authentication is needed for the remote onboarding process of thousands of workers in the next decade, for non-PIV/CAC-eligible users, for mobile devices, and for non-GFE (government furnished equipment) users.

“The pandemic has raised the urgency levels within the government,” says Fadi Jarrar, Yubico’s Federal Sales Director. “Some agencies need to onboard 500 people immediately to support COVID requirements. They can’t wait for PIV cards to be processed because it often takes two or three months.”

Any PIV or CAC alternative authentication solution has to be compliant with Federal Identity Processing Standards (FIPS). The YubiKey, for example, is FIPS 140-2 validated, and the YubiKey 5 Series, with passwordless authentication support, is slated to achieve FIPS 140-2 validation in 2021. Additionally, YubiKeys were added to the DHS CDM program to support “Secondary Authentication” needs as required by OMB Memo M-19-17. With trusted solutions like this in place, and already approved by the DoD, agency heads have the green light to consider an adoption plan for YubiKeys as an alternate authenticator to augment PIV/CAC cards.

While adoption of next-gen authentication in the public sector will take a while as policies get built out, YubiKeys offer a bridge during the transition period. They work in parallel with PIV/CAC for remote workers, mobile devices, non-GFE users, and non-PIV/CAC-eligible employees by offering high-assurance strong multi-factor authentication. Plus, YubiKeys don’t require peripheral devices for mobile device users, unlike PIV and CAC.

There are legends – and not the good kind – about the difficulties government workers face when they must log on to multiple systems, all with their own authentication protocols.

Jeff Phillips, VP of Public Sector at Yubico, says it’s common that agency employees who work across different government departments juggle many cell phones at once to accommodate separate authentication systems. “I’ve known employees who are carrying five phones just to get through the day,” Phillips said. 

SolarWinds aftermath still being sorted

The SolarWinds security debacle exposed a soft underbelly for all of the federal agencies that use it. It happened so recently that most agencies are still in triage mode, trying to collect more information about what needs to be immediately patched. While SolarWinds was a breach of an on-premises installation, the inevitable reviews that will come this year and next will surface many proposed cloud security upgrades as well. While agencies are moving to secure the supply chain, they might transfer more processes to the cloud, making strong authentication solutions an even higher priority.

2021 marks the convergence of two unforeseen events – COVID and the rush to a remote work environment, plus SolarWinds – and one predictable event: the political transition in Washington D.C. and other government entities after an election. These three trends have lit a fire – or at least added fuel to a fire that was already burning – under many agency leaders to get serious about securing the cloud and providing simple, easy-to-use strong authentication outside of traditional PIV/CAC for remote workers.

Investing in a remote onboarding solution like the YubiKey is a recommended approach for agencies or companies that want to streamline their employee onboarding process, and has the added benefit of keeping you in compliance. 

Join Jeff Phillips, VP Public Sector, Yubico; Alexander Forti, US Department of Treasury; and Danelle Barrett, Retired Rear Admiral, US Navy, on April 8 for a roundtable discussion: Federal government authentication lessons from 2020.
