The Department of Homeland Security is issuing alternative credentials to its employees and contractors who need access to the agency’s networks but can’t physically visit a DHS facility to replace or get a new personal identity verification (PIV) card during the coronavirus pandemic.
In collaboration with the department’s chief information officer and agency subcomponents, the DHS Office of the Chief Security Officer has created a new, derived alternative credential over the last month, the department told Federal News Network.
The new credential allows existing employees and contractors to continue to receive remote access to DHS networks — and new employees to gain the logical access they need to begin work during the pandemic.
DHS has issued 76 credentials as of May 8, the department said. Most have gone to employees at DHS headquarters so far, but employees and contractors who work for any of the department’s components can seek approval for a derived alternative credential.
The derived alternative credentials technically expire after one year, but DHS security professionals expect they will eventually ask employees and contractors who have been issued temporary credentials to exchange them for a PIV card at some point before that.
There’s no specific timeline for when DHS will reopen shuttered credentialing facilities and ask employees and contractors to return to their physical office spaces.
“DHS is in the process of developing a plan concerning when teleworking employees will be returning to their workplaces, but no final decisions have been made yet as to when it will be considered safer for DHS personnel to work in and visit a credentialing facility,” the department said in an email to Federal News Network.
DHS’ derived alternative credential was in the works well before the start of the pandemic, though the project initially was geared only to employees with PIV cards who were on temporary assignments at other department components. DHS couldn’t issue these alternative credentials virtually, and employees still had to pick them up at one of the department’s credentialing facilities.
But when the pandemic hit in March, the department realized it needed to find a new approach. Some DHS credentialing offices take fingerprints and require managers to to verify an employee’s identity in person before issuing a PIV card, and some of those facilities were forced to close, the department said.
DHS’ Office of the Chief Security Officer then led an effort to re-purpose the original derived credential and began searching for ways it could grant access to new and existing employees remotely.
Testing for the new, virtually-issued alternative credentials began April 6, the department said. The derived alternative credential was ready three weeks later on April 21.
Today, DHS can get its employees and contractors up and working with the proper access within 24 hours of gaining approval for a new alternative credential, the department said.
First, DHS hiring managers must decide whether their employees or contractors can temporarily defer the issuance of a new PIV card. If they can, a DHS security professional will confirm the employee’s identity with them over video conference.
Once the employee or contractor is cleared for an alternative credential, the department can issue the access card and other equipment needed to work remotely by mail the next day.
The alternative credentials themselves contain logical access tokens and allow employees and contractors to gain access to DHS networks only, the department said. They’re similar to a PIV card, but the alternative credentials don’t have the employee or contractor’s ID photo and don’t allow physical access to a DHS building.
Industry has long bemoaned the suitability and credentialing process at DHS, which, depending on the subcomponent, can be long, confusing and sometimes redundant. Standards for determining an employee or contractor’s suitability have often varied by subcomponent.
Recognizing the limitations the current pandemic had placed on the typical suitability and credentialing procedures, the Office of Personnel Management told agencies in March they could forego the collection of fingerprints and onboard new employees and contractors anyway.
OPM also began allowing agencies to remotely verify an employee’s identity — again as a temporary method so organizations could continue to onboard new staff during the pandemic.
To start virtually issuing its own alternative credentials, DHS had to find a way to work within OPM’s suitability and credentialing standards and then settle on common procedures for all of its subcomponents, the department said.
“Several teams from throughout DHS had to collectively agree upon a virtual proofing process that leveraged available services and technologies and remained in compliance with federal policies,” the department told Federal News Network. “Once approval authorities for deferring PIV issuance to eligible employees and contractors were identified, new procedures were documented and tested for issuing the new credential during the pandemic and then provided to all of the 480 credential facilities that DHS operates across the globe.”
It’s unclear exactly how many other agencies may be using a similar approach as DHS to issue temporary credentials during the pandemic. The Department of Veterans Affairs, which has been on its own hiring spree in recent weeks, is issuing temporary credentials during the pandemic.