How Two Agencies Handled Expired Credentials After Historic Shutdown

Many furloughed federal employees returning from the 35-day shutdown came back to a mess—in some cases literally. And for many feds, being on hiatus due to a lapse in appropriations resulted in a lapse in their security credentials, including personal identity verification, or PIV, cards and log-in passwords.

The longest federal government shutdown in history began on Dec. 22 and lasted through Jan. 25, for a total of 35 days. During the shutdown, furloughed federal employees were not allowed to log in to their work accounts—for some triggering a reset due to inactivity—and many saw the security credentials linked to their PIV cards expire—locking them out of systems.

Some agencies were prepared. The day before employees returned to work at the Food and Drug Administration, Commissioner Scott Gottlieb posted a thread on Twitter noting that IT and security issues were expected.

In his thread, Gottlieb said FDA would have tables set up in one of the cafeterias to help with re-entry issues, including “IT issues, badging and other shutdown-related matters.” The FDA set up IT kiosks to let employees self-serve and established mobile device reset stations for people having issues logging into their agency phones.

The agency also made the decision to extend certification of PIV cards that expired during the shutdown to Feb. 1, giving employees one week to get reauthorized.

That should have been plenty of time so long as the number of employees affected wasn’t too large, according to Jeremy Grant, managing director of technology business strategy at Venable and former senior executive adviser on identity issues at the National Institute of Standards and Technology. Grant recalled needing to reauthorize his credentials while at NIST, which entailed a trip to the badging office and a few minutes at a computer console.

“Normally this is not a big deal—you schedule it well in advance of the cert’s expiring,” he told Nextgov. “But a 30-plus-day shutdown is going to create a backlog.”

In most instances, agencies renew PIV credentials on a rolling basis, based on the time of hire, rather than doing an entire program, office or agency at the same time every year.

“The good news is that certs are good for a few years—and are tied to time of issuance—so it should be a small portion of an agency’s employees,” Grant said. “But the backlog is no doubt going to take a day or two to clear, and cause some disruptions.”

Security and IT officials at the Interior Department experienced just such a backlog but knew it would be coming, according to meeting notes reviewed by Nextgov. The designated IT furlough team met daily by video conference throughout the shutdown to compare notes on ongoing issues and plan for problems they knew were coming, including expired PIV cards and passwords.

In total, 1,032 Interior employees’ PIV cards expired during the shutdown, with an additional 807 impacted by not being able to complete some part of the process, such as enrollment, pickup or activation, for a total of 1,839 employees affected of the department's nearly 70,000 staff, the logs show.

The security team initially extended credentials for all cards set to expire between Dec. 22—when the shutdown began—and Jan. 31—several days after the shutdown had ended. However, anticipating a backlog, officials decided to open the aperture further to Feb. 15. Any employee whose credentials expired or will expire within that window received a waiver to log on to the network without a PIV card until their credentials are reauthorized.

The furlough team also compiled a list of those who would be affected by expiring PIV cards, sent them emails with instructions for when they returned and distributed that list to managers, who could then be prepared to work with impacted employees.

Interior IT officials had to make similar adjustments for user accounts on the agency’s network. Under their current rules, accounts expire and become locked if inactive for 30 days. After 35 days of shutdown, all furloughed employees would have had to reactivate their accounts and reset their passwords. Interior avoided this problem altogether by temporarily disabling this security measure so everyone’s accounts remained active when they returned to work.

Interior and FDA represent two case examples for how agencies can think about these issues as they update internal contingency plans ahead of the next appropriations deadline on Feb. 15. A senior administration official from the Office of Management and Budget said the agency will not be issuing special guidance on this, as it is on departments to develop these plans ahead of time.

“Each agency has various protocols for physical and information security, therefore they are responsible for addressing their individual orderly restart planning,” the official told Nextgov.