A small independent federal agency chartered with responsibility for select commerce activities sought to comply with Executive Order (EO) 14028, which requires agencies to implement specific actions to improve the nation’s cybersecurity. In particular, this agency wanted to protect its sensitive data by implementing identity, authentication, and access management practices that incorporate Personal Identity Verification (PIV)-based multifactor authentication (MFA).
The agency’s information technology comprised standalone devices. The absence of a domain environment meant that Active Directory, a prerequisite to smart card–based logon operations, was not in use. Further, the agency was not open to moving to an Active Directory environment.
Thus, the Electrosoft team needed to devise a creative solution responsive to the existing operating environment as well as to six separate use cases. The proposed solution had to allow logon:
1. With a PIV card
2. Without a PIV card (for new employees)
3. Without internet access
4. When a PIV card is broken, lost, or is not functioning properly
5. When a PIV card is forgotten at home, especially when on travel
6. When individuals share a personal computer
Electrosoft applied its deep technology expertise and recommended a middleware solution specifically designed to protect the security of standalone computers while being user-friendly and compatible with Windows’ existing security features. The software offered the capability to eliminate password usage and employ two-factor authentication via smart card use.
To address use cases where a PIV card was unavailable or not in working order, Electrosoft recommended installation of a zero trust security platform. Electrosoft set up each user in the platform’s portal and had staff register their mobile device number. However, all accounts were kept in a disabled state. If users encountered logon issues, they had to contact the Help Desk for assistance. The Help Desk would enable the account and have the user enter the appropriate user name. This action generated a push notification on the laptop and a popup on the mobile device requiring the user to accept or deny the access request. The response to the popup, combined with entry of the correct user name, offered an alternative form of MFA.
Electrosoft configured each individual laptop remotely, working with executives and staff to schedule installation and configuration in the least disruptive manner possible. Electrosoft trained each user on the new logon procedures and tested proper solution functioning for each use case.
The solution allowed the agency to comply with EO 14028’s requirement to adopt MFA and secure its information and data in a timely manner. Moreover, Electrosoft’s creative solution enabled the agency to achieve compliance while maintaining its preferred IT operating environment.
The devised solution was responsive to all six use cases, which spoke not only to Electrosoft’s practice of fully understanding and complying with customer needs but also to our knowledge and expertise regarding product advances in an ever-changing IT landscape. Whether employees had a functioning PIV card or not, had access to the internet or not, used a laptop exclusive to them or shared with another, or did not possess a PIV card or had left it behind inadvertently, their ability to do agency work and accomplish its mission was unimpeded.
The solution had the added benefit of preventing users from attempting to circumvent MFA by inserting a PIV card and entering a password rather than the PIN associated with the PIV card. Doing so immediately launched the alternative logon process described above, incorporating another form of MFA.