by codeslave13 825 days ago
That's blatantly false. I just left an agency with passwords on all their unix boxes. With zero rotation policies. It's a shitshow.
3 comments

You can both be right: the US Gov will write well-intentioned policy that none of their live teams can keep up with, even after 20 years, and I haven't yet seen a practical enterprise authentication architecture that doesn't fall back on passwords somewhere.
Within the DOD the most common solutions are SSH keys using the CAC, Kerberos with PKINIT, or using some type of intermediate systems to handle the auth like CA PAM.

There can still be a root password for emergencies, but it wouldn't be available for remote access -- ILOM or some other BMC (or even a serial port concentrator) would be configured for HSPD-12-compliant auth for remote console access, then you would use the root password for system access (though you could also just reboot into a separate operating system, since disk encryption isn't required except for mobile devices).

I'm not sure what the above poster's command or organization was doing to comply with HSPD-12, but they were most likely doing something. The compliant reports are generally public, also.
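As an added example (not any poster's code or configuration), the following Python check audits an sshd_config for exactly the fall-back discussed above: password and keyboard-interactive logins, or a remotely usable root password, that would undercut PIV/CAC-backed public-key access. It assumes OpenSSH's first-value-wins semantics and skips Match blocks; the sample configs are constructed.

```python
import re

# OpenSSH defaults from sshd_config(5); the first value set in the file wins.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
}
# Deprecated alias still seen in older configs.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def parse_sshd_config(text):
    """Return the effective global directives (lowercased keys).
    Match blocks are skipped because their settings apply only conditionally."""
    effective = dict(DEFAULTS)
    seen = set()
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match or key in seen:
            continue
        seen.add(key)
        effective[key] = value
    return effective

def password_fallback_findings(text):
    """List the ways this config still lets a password stand in for smart-card auth."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication yes: passwords accepted over SSH")
    if cfg["kbdinteractiveauthentication"] == "yes":
        findings.append("KbdInteractiveAuthentication yes: PAM password prompts possible")
    if cfg["permitrootlogin"] not in ("no", "prohibit-password", "without-password"):
        findings.append("PermitRootLogin %s: root password usable remotely" % cfg["permitrootlogin"])
    if cfg["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication off: PIV/CAC-derived keys cannot be used")
    return findings

# Constructed samples: an out-of-the-box config and a key-only one (root password
# kept for console/break-glass use, but not accepted over the network).
WEAK_CONFIG = "PermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED_CONFIG = """PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""
```

Running `password_fallback_findings(WEAK_CONFIG)` reports three findings (password, keyboard-interactive, and remote root), while the hardened sample reports none; the Match-scoped exception is deliberately out of scope for the global verdict.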

Yes, but PIV/CAC identity is not related to break-glass passwords. They both serve different purposes and it's safe to assume that the typical government worker will only ever need to use their smart card to authenticate into systems.
Having a long and storied history in DoD contracting, this is not the case.

CAC login is for web only in most cases.

I started out as a federal civil servant in the late 90s working for the Navy and switched to contracting shortly thereafter, working at mostly US DOD customers (Navy, Army, USSOCOMHQ), but also DHS (HQ and all components minus SS and CG).

In my experience, at every place we had a different approach but all satisfied HSPD-12 and did not use passwords shortly after the various directives were promulgated through the various channels, except on classified systems since there wasn't a procedure at the time to declassify the CAC/PIV after periods processing -- though there were plans for changing that, and it may be resolved by now.

I won’t go into detail, but my experience was not the same, not even close.
PuTTY-CAC was an interesting, although imperfect, solution to using PIV/CAC cards together with SSH. I remember piloting it from 2013-2014 at an agency. Back then, it was maintained by Dan Risacher[0]. Nowadays it is maintained on GitHub[1] and has adopted some interesting features like FIDO.

[0] https://risacher.org/putty-cac/

[1] https://github.com/NoMoreFood/putty-cac

But could you get into the network to access the UNIX boxes without a PIV card? That's how the NIH works -- the UNIX boxes do have passwords, but unless you are on campus you have to connect to the VPN with your PIV card first.
NIST has a similar setup. There's an exemption for e.g. summer students who are issued temporary non-PIV badges, but they're issued a YubiKey that's required to access the network from off campus.
Recent-ish YubiKeys have PIV functionality too (I have used that to log in to a work MacBook in place of passwords).
Maybe, just maybe, it's possible the US Government is an enormous entity and there could be some inconsistencies.
There is a lot of variety in how different places implement Homeland Security Presidential Directive 12 (HSPD-12), but the reports on compliance are public and since it's an initiative that's been going on since 2004, compliance is high.