SBA rethinks PIV cards, State Dept. eyes zero trust with employees working remotely

Agencies early in the coronavirus pandemic scrambled to scale up their IT infrastructure to handle mandatory telework and enable secure access to networks remotely.

Nearly half a year into this work arrangement, agencies are making the most of it and have overcome the challenges of onboarding new employees who in some cases have yet to set foot in a physical office or meet their coworkers in-person.

While initially creating hurdles from an Identity, Credentialing, and Access Management (ICAM) perspective, this new work environment has challenged some agency officials to rethink security beyond the four walls of an office.

The Small Business Administration, over the course of the pandemic, had to scale its network to handle a workforce of 20,000 personnel, about five times what it was before the coronavirus pandemic.


Meanwhile, this surge of new users accessing the network happened at a time when the agency closed its offices that were issuing Personal Identity Verification cards.

As a workaround, SBA Chief Information Security Officer James Saunders said the agency used its cloud identity infrastructure to launch “conditional access,” which let users on a trusted network and a trusted device log in with only a username and password.

Those not on a trusted network or using a trusted device would have to go through multi-factor authentication, with the type of authentication changing based on the level of risk assessed by the system.

“We were able to put that in place and meet the same level of security requirements and rigor without requiring that PIV card. Now, once the pandemic lifts, and we get back to steady-state, we’re going to take a really good look to see which part of that stays around and which part goes back to PIV cards. But for the most part, it works,” Saunders said Wednesday at AFCEA’s Federal Identity Forum.
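The conditional-access scheme Saunders describes, written out as an added illustration (not SBA's actual configuration or code): a policy function that lets trusted network plus trusted device sign in with a password alone, and otherwise steps up to a second factor chosen from an additive risk score. The network ranges, device IDs, risk signals and thresholds are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class AuthRequirement(Enum):
    PASSWORD = "password"                  # trusted network + trusted device
    MFA_OTP = "mfa_otp"                    # low risk: any registered second factor
    MFA_PHISHING_RESISTANT = "mfa_fido2"   # elevated risk: hardware-bound factor
    BLOCK = "block"                        # risk too high to authenticate at all


# Constructed policy data (placeholders, not a real agency's ranges or devices).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.0.2.0/24")]
MANAGED_DEVICES = {"laptop-0042", "laptop-0043"}


@dataclass(frozen=True)
class SignIn:
    source_ip: str
    device_id: Optional[str]       # None when the device is not enrolled
    device_compliant: bool         # e.g. disk encryption and EDR reported healthy
    new_geolocation: bool          # first sign-in from this country for the user
    failed_attempts_last_hour: int


def on_trusted_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def trusted_device(s: SignIn) -> bool:
    return s.device_id in MANAGED_DEVICES and s.device_compliant


def risk_score(s: SignIn) -> int:
    """Additive risk signals; the thresholds below map the score to a factor type."""
    score = 0
    if not on_trusted_network(s.source_ip):
        score += 1
    if not trusted_device(s):
        score += 2
    if s.new_geolocation:
        score += 2
    if s.failed_attempts_last_hour >= 5:
        score += 3
    return score


def required_auth(s: SignIn) -> AuthRequirement:
    # Conditional access: trusted network AND trusted device -> password suffices.
    if on_trusted_network(s.source_ip) and trusted_device(s):
        return AuthRequirement.PASSWORD
    score = risk_score(s)
    if score >= 6:
        return AuthRequirement.BLOCK
    if score >= 3:
        return AuthRequirement.MFA_PHISHING_RESISTANT
    return AuthRequirement.MFA_OTP
```

A real deployment would also log the score and the signals behind each decision, so that step-up and block events can be reviewed by the security operations team.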

SBA isn’t alone in creating PIV workarounds. The Departments of Homeland Security and Treasury have also issued alternative login credentials to employees who have joined the agency during the pandemic.

SBA’s leading role in the continuous diagnostics and mitigation (CDM) program and the Trusted Internet Connection program, both run by DHS, has also led the agency to consider zero trust as its next goal for identity management.

Saunders said this foundation helped the agency stand up new infrastructure under the coronavirus pandemic.

“When the new systems came up to support the PPP and CARES Act, we already had a game plan of exactly what needed to be in place, how it’s going to connect back to the CDM infrastructure, how can I expect to have different requirements, and it was not much of a discussion, it was already baked into the requirements,” he said.

Kevin Cox, the Cybersecurity and Infrastructure Security Agency’s CDM program manager, said earlier this summer that CISA will establish the information exchange between agency dashboards and the new federal CDM dashboard in the second quarter of fiscal 2021, and will complete the migration by the end of the fourth quarter.

Ross Foard, a senior engineer in CISA’s cybersecurity division, said the agency’s next step is to apply the CDM model to federal mobile infrastructure.

“We’re going to move the ecosystem into mobile next, and we’ll do it the same way we did CDM on-premise. We’ll look into devices first — asset management is your foundation, if you don’t know what devices you have, you can’t manage anything — and then right after that, we’ll start managing users,” Foard said.

Meanwhile, the State Department is moving toward a “zero trust-like solution,” according to Robert Hankinson, the director of the agency’s office of IT infrastructure.

Hankinson said that as an agency that lacked a strong telework culture before the pandemic, State had to rethink security measures. Before the pandemic, he estimated that only about 2% of the agency’s workforce worked remotely on any given day.

“The biggest time you would see anybody teleworking is when there was a big snowstorm or something like that. We just didn’t have the culture, a lot of our systems are classified systems, so you can’t do that off-prem, or you really couldn’t at the time,” he said.

During the pandemic, Hankinson said the agency had to quickly transition more than 100,000 users across the world for remote access. That meant acquiring more licenses, firewalls, laptops and web cameras, as well as standing up classified systems that could support remote access.

“Through this process, we found that we owned already most of the equipment and the technology that we needed to make this reality. The difference was how it was configured, where they were positioned, how they were used, and the culture and the mindset around that,” he said. “Security for the Department of State was largely a castle-and-moat sort of thing — big high walls, that everything sits on the inside.”

State operates 277 embassies and consulates around the world, all with their own infrastructure, a “backbone” that Hankinson said has to go through a Trusted Internet Connection in the U.S., which takes up a lot of bandwidth and comes with tremendous costs.

With employees still working out of the office for the foreseeable future, Hankinson said his office is looking at zero trust in the context of a larger “smart infrastructure effort.”