A Federal Government Agency
A federal government agency with 8,000 employees and 200+ contractor personnel remediated over 14,000 orphaned SSH keys, closed persistent FISMA IA-5 audit findings, and implemented just-in-time SSH access controls — achieving its first clean SSH key management audit in five years.
SSH Key Governance Challenges in a Federal Environment
Persistent FISMA IA-5 findings from unmanaged SSH keys
The agency's annual FISMA assessment had flagged SSH key management deficiencies under NIST SP 800-53 control IA-5 (Authenticator Management) for three consecutive years. Auditors identified that SSH keys were created without expiration policies, never rotated, and lacked centralized inventory. The agency had no authoritative record of which keys granted access to which systems, making it impossible to demonstrate compliance with IA-5 requirements for authenticator lifecycle management. The Plan of Action and Milestones (POA&M) for this finding had been extended twice, and the agency CISO faced escalation to the Inspector General.
Over 14,000 orphaned SSH keys across production systems
A preliminary scan revealed approximately 14,000 SSH public keys deployed across 1,200 Linux and Unix servers in the agency's data centers and FedRAMP-authorized cloud environments. Of these, an estimated 40% were orphaned — associated with personnel who had separated from the agency or contractors whose engagements had ended. Many keys had been in place for over 4 years without rotation. The orphaned keys represented persistent unauthorized access paths that violated both FISMA requirements and the agency's own access control policies.
Contractor SSH access without lifecycle controls
The agency relied on approximately 200 contractor personnel for system administration and application support. Contractors were provisioned SSH key pairs during onboarding, but no automated process existed to revoke or rotate keys when contracts ended, personnel changed, or access requirements shifted. Exit interviews and manual key removal were inconsistent — a spot audit found active SSH keys for 23 contractors whose engagements had ended 6 to 18 months prior. This gap directly contradicted NIST SP 800-53 AC-2 (Account Management) and PS-4 (Personnel Termination) controls.
SSH Key Lifecycle Management with QCecuring
Comprehensive SSH key discovery and orphaned key identification
QCecuring SSH KLM scanned all 1,200 servers across the agency's on-premises data centers and FedRAMP cloud environments, building a complete inventory of every SSH public key, its associated user identity, trust relationships, and last-used timestamp. The platform cross-referenced discovered keys against the agency's identity provider and HR system, flagging 5,600 keys as orphaned — associated with separated employees or terminated contractors. Each orphaned key was tagged with risk severity based on the sensitivity of the systems it could access.
Automated key rotation and policy-driven lifecycle governance
QCecuring enforced SSH key policies aligned with NIST SP 800-53 IA-5 requirements — mandatory 90-day key rotation, minimum 3072-bit RSA or Ed25519 key algorithms, prohibition of shared keys, and automated expiration for keys not used within 60 days. The platform orchestrated key rotation across all managed servers without disrupting active sessions, replacing legacy keys with policy-compliant keys on a rolling schedule. Orphaned keys were quarantined and removed after a 30-day review period with system owner approval.
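The discovery and policy checks described in the two sections above, as an added illustration rather than QCecuring's own code: it parses authorized_keys lines, reads the RSA modulus length out of the key blob, cross-references the key comment's owner against an assumed identity-provider feed, and applies the 3072-bit and 60-day rules. The sample keys use synthetic moduli and constructed user names and dates.

```python
import base64
import struct
from datetime import date

# Policy values from the case study: RSA of at least 3072 bits or Ed25519 only; keys unused for 60 days expire.
MIN_RSA_BITS, UNUSED_DAYS = 3072, 60
ALLOWED_TYPES = {"ssh-rsa", "ssh-ed25519"}

def _ssh_string(b):  # SSH wire-format string: uint32 length + bytes
    return struct.pack(">I", len(b)) + b

def _read_string(blob, off):  # decode one wire-format string at offset off
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def key_bits(key_type, blob):  # RSA: modulus bit length; Ed25519: fixed 256
    if key_type != "ssh-rsa":
        return 256 if key_type == "ssh-ed25519" else 0
    _, off = _read_string(blob, 0)    # algorithm name
    _, off = _read_string(blob, off)  # public exponent e
    n, _ = _read_string(blob, off)    # modulus n as an mpint
    return int.from_bytes(n, "big").bit_length()

def classify(line, active_users, last_used, today):  # returns (key comment, policy findings)
    key_type, b64, comment = (line.split() + [""])[:3]
    bits = key_bits(key_type, base64.b64decode(b64))
    findings = []
    if key_type not in ALLOWED_TYPES:
        findings.append(f"disallowed algorithm {key_type}")
    elif key_type == "ssh-rsa" and bits < MIN_RSA_BITS:
        findings.append(f"rsa {bits} bits below {MIN_RSA_BITS}")
    if comment.split("@")[0] not in active_users:  # owner has separated: orphaned key
        findings.append("orphaned owner")
    last = last_used.get(comment)
    if last is None or (today - last).days > UNUSED_DAYS:
        findings.append(f"unused over {UNUSED_DAYS} days")
    return comment, findings

def audit(lines, active_users, last_used, today):  # comment -> findings; [] means compliant
    return dict(classify(l, active_users, last_used, today) for l in lines if l.strip())

def fake_rsa_line(bits, comment):  # constructed sample line with a synthetic modulus, not a real key
    n = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")  # mpint leading zero
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

# Constructed inputs: identity-provider feed, last-used dates, authorized_keys lines.
ACTIVE_USERS, TODAY = {"alice", "bob"}, date(2024, 6, 1)
LAST_USED = {"alice@ws1": date(2024, 5, 20), "bob@ws2": date(2024, 5, 30), "carol@ws3": date(2023, 11, 1)}
AUTHORIZED_KEYS = [fake_rsa_line(4096, "alice@ws1"), fake_rsa_line(2048, "bob@ws2"),
                   fake_rsa_line(4096, "carol@ws3")]  # carol has separated: orphaned
```

Running audit over the three constructed lines flags bob's key for size and carol's key as orphaned and stale, while alice's 4096-bit key is compliant.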
Just-in-time SSH access for contractor personnel
QCecuring replaced persistent contractor SSH keys with just-in-time (JIT) access provisioning. Contractors requested SSH access through an approval workflow integrated with the agency's ticketing system. Approved access generated short-lived SSH certificates valid for the duration of the maintenance window — typically 4 to 8 hours. When the certificate expired, access was automatically revoked without manual intervention. This eliminated the persistent key problem entirely for contractor access and provided a complete audit trail of every contractor SSH session.
Measurable Impact on Security Posture and Compliance
100% FISMA IA-5 findings closed
The agency closed all SSH key management findings under NIST SP 800-53 IA-5 and related controls (AC-2, PS-4) in the next annual FISMA assessment — the first clean audit for SSH key management in five years. The POA&M was formally closed and the Inspector General escalation was withdrawn.
5,600 orphaned keys removed
QCecuring identified and remediated 5,600 orphaned SSH keys across the agency's infrastructure, eliminating persistent unauthorized access paths that had accumulated over years of manual key management. Each remediation was documented with system owner approval for audit evidence.
Key exposure: months to hours
Just-in-time SSH access reduced contractor key exposure from an average of 14 months (the time between provisioning and eventual manual removal) to a maximum of 8 hours per access session. The agency achieved zero persistent contractor SSH keys across its entire infrastructure.
SSH key sprawl was our most persistent FISMA finding and our biggest blind spot. We had thousands of keys we could not account for and no way to prove who had access to what. QCecuring gave us complete visibility, automated the remediation of orphaned keys, and replaced persistent contractor access with short-lived certificates. For the first time in five years, we passed our SSH key management audit with no findings.
Frequently Asked Questions
How long did it take to discover and inventory all SSH keys across the agency?
The initial discovery scan completed within 72 hours, covering all 1,200 servers across on-premises data centers and FedRAMP cloud environments. The platform identified every SSH public key, mapped trust relationships, and cross-referenced keys against the agency's identity provider within the first week. Orphaned key remediation was completed over the following 8 weeks with a phased approach prioritizing high-sensitivity systems.
Does QCecuring SSH KLM support FedRAMP-authorized cloud environments?
Yes. QCecuring SSH KLM discovers and manages SSH keys across both on-premises and cloud environments, including FedRAMP-authorized IaaS platforms. The platform uses agentless scanning for cloud instances and integrates with cloud provider APIs for key inventory. All data remains within the agency's authorization boundary.
How does just-in-time SSH access work for contractors?
Contractors request SSH access through an approval workflow integrated with the agency's ticketing system. Once approved, QCecuring generates a short-lived SSH certificate — typically valid for 4 to 8 hours — scoped to the specific servers and commands authorized for the maintenance task. When the certificate expires, access is automatically revoked. Every session is logged with the contractor identity, target systems, approval chain, and session duration for audit purposes.
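The certificate scoping described in the just-in-time access section and in this answer, as an added illustration that is not the product's code: it lays out a user certificate in OpenSSH's wire format with the JIT fields (contractor principal, 8-hour validity window, force-command) and shows the checks a host applies before granting the session. The ticket id, principal name, command path and timestamps are constructed, and CA signing and signature verification are left out.

```python
import struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"

def _s(b):  # SSH wire-format string: uint32 length + bytes
    return struct.pack(">I", len(b)) + b

def _rd(blob, off=0):  # read one wire-format string, return (bytes, next offset)
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def _rd_list(blob):  # decode a string that packs a sequence of strings
    items, off = [], 0
    while off < len(blob):
        item, off = _rd(blob, off)
        items.append(item)
    return items

def build_jit_cert(key_id, principals, valid_after, valid_before, force_command):
    # constructed, unsigned body in OpenSSH cert layout (placeholder nonce, key, CA key, signature)
    opts = _s(b"force-command") + _s(_s(force_command.encode()))
    return (_s(CERT_TYPE) + _s(bytes(32)) + _s(bytes(32)) + struct.pack(">QI", 1, 1)  # serial, user type
            + _s(key_id.encode()) + _s(b"".join(_s(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before) + _s(opts)
            + _s(b"") + _s(b"") + _s(b"") + _s(b""))  # extensions, reserved, CA key, signature

def parse_cert(blob):  # pull out the fields a host evaluates before granting the login
    off = 0
    for _ in range(3):  # skip cert type, nonce, public key
        _, off = _rd(blob, off)
    key_id, off = _rd(blob, off + 12)  # skip serial (uint64) and cert type (uint32)
    princ, off = _rd(blob, off)
    after, before = struct.unpack(">QQ", blob[off:off + 16])
    pairs = _rd_list(_rd(blob, off + 16)[0])  # critical options: alternating name, data
    options = {n.decode(): (_rd(d)[0].decode() if d else "") for n, d in zip(pairs[::2], pairs[1::2])}
    return {"key_id": key_id.decode(), "principals": [p.decode() for p in _rd_list(princ)],
            "valid_after": after, "valid_before": before, "options": options}

def authorize(blob, login_user, now):  # host-side checks; CA signature verification omitted here
    c = parse_cert(blob)
    if not c["valid_after"] <= now < c["valid_before"]:
        return False, "outside validity window"
    if login_user not in c["principals"]:
        return False, "principal not authorized"
    return True, c["options"].get("force-command", "")

# Constructed 8-hour maintenance-window certificate for contractor principal "ctr-jdoe".
WINDOW_START = 1_717_200_000  # epoch seconds, chosen for the example
CERT = build_jit_cert("ticket-12345", ["ctr-jdoe"], WINDOW_START, WINDOW_START + 8 * 3600,
                      "/usr/local/bin/patch-apply.sh")
```

Once the window has elapsed the same certificate is refused with no revocation step, which is the property the case study relies on for contractor access.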