A March 22 memo from the White House’s Office of Management and Budget encouraged agencies to consider alternative methods of authentication in case of an extended telework period caused by the new coronavirus.

The guidance comes as federal networks are strained and employees in headquarters reduced as the federal government makes adjustments to ensure its workforce remains safe from exposure to COVID-19.

The guidance works to address the potential that agencies will be unable to issue new personal identity verification (PIV) cards in case of an extended telework period. In the FAQ section of the memo, OMB encouraged agencies to work with it and the General Services Administration to “resolve any issues" with issuing PIV cards.

“If agencies are unable to issue a PIV credential, they should be prepared to issue an alternate credential/authenticator for physical and logical access,” Deputy Director for Management Margaret Weichert wrote in the guidance.

The guidance from OMB was praised by Sean Frazier, federal advisory chief information security officer at Cisco’s Duo Security, a multi-authentication platform.

“Users who are being asked to work from home — some of whom never have — will need the same level of security as if they were working in the office,” Frazier said in a statement. “This means consistent, easy to use security across all applications, across all access methods. If agencies use smart cards (PIV/CAC) with inherent multi-factor authentication on government work systems, they need to be sure federal workers and contractors have comparative controls when they work from home.”

The increase in telework provides great risk for federal networks outside of the authentication. Experts told Fifth Domain that users are more susceptible to spear-phishing attacks and that the difficulty of pushing security patches increases. Experts also warned about people performing official business on personal devices.

“Agency technology leaders also need to anticipate their workforce may be using their own devices and technology,” Frazier said. “If a user is moved to remote status and these basic protections don’t exist, a threat vector will be created.”

Andrew Eversden covered all things defense technology for C4ISRNET. Beforehand, he reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.

More In IT & Networks
NORTHCOM wants millions more for AI and data handling
U.S. Northern Command has asked Congress for almost $30 million to buy information technology equipment and to optimize infrastructure for artificial intelligence and machine learning at its joint operations center with the North American Aerospace Defense Command.
How to put the joint in JADC2
As DoD continues to advance JADC2, it must contend with how to create a truly joint approach while avoiding the pitfalls of past attempts at joint systems.