by imwillofficial 825 days ago
Having a long, storied history in DoD contracting, this is not the case.

CAC login is for web only in most cases.

2 comments

I started out as a federal civil servant in the late 90s working for the Navy and switched to contracting shortly thereafter, working at mostly US DOD customers (Navy, Army, USSOCOMHQ), but also DHS (HQ and all components minus SS and CG).

In my experience, at every place we had a different approach but all satisfied HSPD-12 and did not use passwords shortly after the various directives were promulgated through the various channels, except on classified systems since there wasn't a procedure at the time to declassify the CAC/PIV after periods processing -- though there were plans for changing that, and it may be resolved by now.

I won’t go into detail, but my experience was not the same, not even close.

PuTTY-CAC was an interesting, although imperfect, solution to using PIV/CAC cards together with SSH. I remember piloting it from 2013-2014 at an agency. Back then, it was maintained by Dan Risacher[0]. Nowadays it is maintained on GitHub[1] and has adopted some interesting features like FIDO.

[0] https://risacher.org/putty-cac/

[1] https://github.com/NoMoreFood/putty-cac