This is a reminder that the enforcement for TFA exceptions will go into effect tomorrow. Any exception that has been in the list for longer than 7 days will be removed per previously communicated DOI policy (OCIO Directive 2016-006: Strong Authentication Exception Policy). Please reference email from Paul Exter sent 11/22/2016, copied below:
Information Technology Specialists,
The purpose of this communication is to make USGS Science Center and Offices aware of a new Department of the Interior (DOI) requirement on establishing limited sets of Personal Identity Verification (PIV), Two Factor Authentication (TFA) exceptions. Please see the attached DOI Policy Directive and the use case examples of time limited exceptions.
Currently, all DOI/USGS employees are required to use their PIV smart card to access DOI/USGS desktop, laptop, e-mail and remote access systems (USGS Apple and Microsoft). At times, when it is not possible to meet this requirement (lost/stolen card, malfunctioning device, forgotten card), DOI/USGS employees require an exception.
Effective January 9, 2017, exceptions to the TFA requirement will be limited to the attachment: Strong Authentication Exceptions for unprivileged employees, contractors and associates. In this new requirement, exceptions will not exceed 7 calendar days, at the maximum.
Private sector employees, non-DOI personnel, and other members of the public who require access to DOI/USGS training, kiosks, or other scenarios will be allowed to only authenticate to local accounts or resources specifically created for such, exercising limited use. These systems must be physically or logically isolated from the DOI network.
DOI Policy now prohibits TFA exceptions for privileged accounts or any forms of remote access.
Action Required
Information Technology Specialists need to review the attachment: TFA Exceptions 11-21 and then take corrective action on all associated impacts for USGS employees, contractors, etc. listed under your administration, to meet this new requirement.
Effective January 9, 2017, 12:00 pm ET, Active Directory will remove USGS exceptions that are older than 7 calendar days (at present 340 exceptions), requiring the employee to use TFA. Employees, contractors, etc. that have an approved waiver to the mandatory TFA requirement are not included in this action. Certified Organization Unit Administrators will still have delegated access to add and remove employees from the exceptions group; however, now with the understanding all exceptions are time limited.
Please further communicate this new requirement to your Science Center or Office. Please direct questions to your Information Technology Liaison (gs-d-oei_liaisons@usgs.gov) or Sam Martinez (scmartinez@usgs.gov).
Thank You,
Paul E. Exter
Chief Technology Officer, U.S. Geological Survey
Work: 443 498 5534
Cell: 410 375 0120