Best Practices for Managing Workstations NOT Smart Card Enabled

[djpackham]

Description of Issue:

What are the best practices for local admins managing workstations that an agency "won't" smart card enable?

Details of Issue:

For some reason or another, an agency "won't" smart card enable a system. In that case, how should the local admins manage those workstations?

References (Docs, Links, Files):

If a New Page or Content is Needed, Expected Outcomes:

Link to the Content Page for Contributors:

[lachellel]

@djpackham did this come from the playbooks session?

In general, my thought is that management of workstations is a configuration management/vulnerability management/asset management set of activities that is very broad and we have best practices elsewhere in govt.

Do you have more info to share on the following:

• are these workstations joined to a govt network domain
• is it just workstations or servers (different use scenarios)
• what is the driver for "won't"? physically unable to, not joined to a network, OS challenges, hardware challenges etc?

I'm asking the above questions to focus the scenario and the questions related to 2FA, AuthN/AuthZ, and perhaps privileged users!

[djpackham]

I captured this question from Ross. I believe it was due to an agency in a mixed environment of PIV enabled systems and then a group of systems that for some reason or another would not be PIV enabled. I'll follow-up with Ross.

[maxwellfunk]

Closing due to lack of scope; local policy will dictate what authentication and authorization mechanisms are needed for certain devices on a given network.