Practical security for FEMA in the field
Connecting state and local government leaders
Federal Emergency Management Agency employees can now securely access work email, the intranet and other applications remotely by registering their mobile devices and receiving credentials derived from their FEMA-issued personal identity verification cards.
Federal Emergency Management Agency employees can now securely access work email, the intranet and other applications remotely by registering their mobile devices and receiving credentials derived from their FEMA-issued personal identity verification cards.
“Authenticating mobile devices with PIV-derived credentials ensures that communications from FEMA mobile devices are genuine, and it allows the mobile devices to securely access the full panoply of FEMA IT resources,” said Adrian Gardner, the agency’s CIO. “In addition, using two-factor authentication makes FEMA far less vulnerable to a breach than just using a username and password.”
FEMA is the first civilian agency to implement this type of derived credential at the enterprise level, Gardner added. He cited three main benefits: freeing FEMA mobile users from complex password requirements to access devices and applications, increasing device and access point security, and reducing the risk of unauthorized access to FEMA data, systems and applications.
Under the system, FEMA mobile device users visit a Department of Homeland Security portal where they use a PIV card to authenticate themselves and request their derived credentials. The credentials are sent to FEMA’s mobile device management server. Users register their agency-issued mobile devices with the server, and in so doing, they install the MDM profile, including the derived credentials, on their mobile devices.
The agency began work on the project two years ago, and the technology went into production in April. FEMA has migrated more than 12,000 of nearly 19,000 users and expects to complete the rollout this month. The first to receive the credentials were about 600 employees in the Disaster Survivor Assistance Cadre who have been responding to the aftermaths of hurricanes Harvey, Irma and Maria.
“The cost to implement PIV-D is estimated to be $2.39 million,” Gardner said. “However, PIV-D has yielded cost avoidances by allowing us to standardize on authentication for each of our users.” As a result, he expects to see a 50 percent return on investment over two years.
NEXT STORY: Creating election security alliances