Identity Assurance for HSPD-12

If you have to comply with HSPD-12, Novell has you covered. The Novell Identity Assurance solution enables federal agencies to comply with the physical and logical access requirements of Homeland Security Presidential Directive 12 (HSPD-12). The Novell solution provides convenient yet controlled access to disparate logical IT systems and physical facilities using combinations of biometrics, passwords, personal identification numbers, smart cards, X.509 digital certificates and other forms of advanced authentication.

The solution is based on Novell Identity Assurance, which combines best-in-class directory services, authentication, credentialing, provisioning, auditing and identity synchronization capabilities to securely deliver information to users based on their roles and relationships with the organization. This solution will protect highly sensitive information while improving end user productivity; provide convenient, single sign-on access to logical systems; and support compliance with myriad government regulations.

The Novell Identity Assurance Solution for HSPD-12 PIV comprises four key sub-systems: 1) Enrollment and Registration, 2) Card Issuance and Maintenance, 3) Physical and Logical Access Control and 4) Event Monitoring and Management:

[Figure: HSPD-12 Architecture]

Enrollment and Registration

The processes a government employee or contractor follows to request and obtain a PIV card are automated through a series of customizable workflows and e-mail notifications. The applicant, sponsor, registrar, enrollment officer and card issuance officer are guided through the steps required to validate the applicant's identity and complete the identity proofing and verification process. The Enrollment sub-system not only manages the workflows and sends e-mail notifications to complete the verification and vetting process, but it also integrates with third-party systems such as Daon, Viisage, Lenel, EDS and others as well as existing HR or contractor management systems.

Card Issuance and Maintenance

The card issuance process automates the creation of a PIV card for federal employees and contractors who have successfully completed the enrollment and identity verification process (based on individual agency guidelines). The applicant's identity information is passed to the Card Management System (CMS), and the CMS automatically sends the information and digital certificate to a card production and badging station for card creation. Once the card is created, the applicant is notified and makes arrangements to obtain his or her PIV card from the issuing officer and to securely receive the PIN. The PIV card's unique identifier is automatically captured in a central repository that holds the identity profile for the federal employee or contractor.

The card issuance and maintenance systems are also designed to support typical lifecycle maintenance processes including:

  • Card issuance
  • Card replacement and temporary card issuance
  • Card termination

The Novell Identity Assurance Solution is designed with extensibility in mind. In addition to meeting PIV solution requirements, this solution can easily be extended to integrate with employee and contractor systems of record (i.e., authoritative data sources) and provision users to the appropriate physical and logical IT systems based on their roles. In addition, this solution can be further extended to support typical employee and contractor lifecycle activities such as the following:

  • Employee or contractor termination
  • Employee role changes (such as transfers between departments and locations)
  • Employee information changes (such as name, address and phone number)

When a federal employee or contractor is terminated or fails the vetting process, their access rights are revoked immediately and the card management system receives instructions to terminate the card. Upon receiving this notification, the CMS disassociates the user from the card and revokes the digital certificate on the PIV card, rendering it invalid. Note that revoking a certificate does not alter the card itself: the certificate authority publishes the revocation (through a CRL or an OCSP responder), and a physical or logical access point will keep accepting the card until it checks that revocation status, so every access-control point must be configured to do so.
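The following is an added example, not Novell's code, showing what "revoking the certificate on the PIV card" means at the PKI level: the CA publishes a signed CRL entry for the certificate's serial number, and the relying party (door controller or logon service) only sees the termination when it validates the CRL against the CA and looks the serial up in it. It assumes the third-party Python `cryptography` package; the CA name, holder name and validity periods are constructed sample values.

```python
# Added example (not Novell's code): revoking a PIV card's certificate via a CRL,
# and the relying-party check that makes the revocation take effect.
# Assumes the third-party `cryptography` package (pip install cryptography).
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def _now():
    return datetime.datetime.now(datetime.timezone.utc)


def make_ca(common_name="Example Agency PIV CA"):
    """Self-signed CA standing in for the agency's PIV certificate authority (sample name)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now() - datetime.timedelta(minutes=1))
        .not_valid_after(_now() + datetime.timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_holder_cert(ca_key, ca_cert, holder_name):
    """Issue an end-entity certificate of the kind a CMS loads onto a PIV card."""
    holder_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, holder_name)]))
        .issuer_name(ca_cert.subject)
        .public_key(holder_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now() - datetime.timedelta(minutes=1))
        .not_valid_after(_now() + datetime.timedelta(days=1095))
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .sign(ca_key, hashes.SHA256())
    )


def build_crl(ca_key, ca_cert, revoked_serials):
    """CA-side step: publish a CRL listing the revoked serial numbers."""
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ca_cert.subject)
        .last_update(_now())
        .next_update(_now() + datetime.timedelta(hours=1))
    )
    for serial in revoked_serials:
        entry = (
            x509.RevokedCertificateBuilder()
            .serial_number(serial)
            .revocation_date(_now())
            .add_extension(x509.CRLReason(x509.ReasonFlags.cessation_of_operation), critical=False)
            .build()
        )
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(private_key=ca_key, algorithm=hashes.SHA256())


def crl_trusted(crl, ca_cert):
    """Relying-party step 1: accept only a CRL issued and signed by the expected CA."""
    return crl.issuer == ca_cert.subject and crl.is_signature_valid(ca_cert.public_key())


def is_revoked(cert, crl, ca_cert):
    """Relying-party step 2: look the presented certificate's serial up in the CRL."""
    if not crl_trusted(crl, ca_cert):
        raise ValueError("CRL is not signed by the expected CA; refuse to rely on it")
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None


def demo():
    """Walk one holder through issuance and termination; returns (before, after)."""
    ca_key, ca_cert = make_ca()
    card_cert = issue_holder_cert(ca_key, ca_cert, "JANE Q DOE (constructed sample)")
    before = is_revoked(card_cert, build_crl(ca_key, ca_cert, []), ca_cert)
    # Termination: the CA adds the serial to the CRL; the card itself is untouched.
    after = is_revoked(card_cert, build_crl(ca_key, ca_cert, [card_cert.serial_number]), ca_cert)
    return before, after


if __name__ == "__main__":
    print(demo())  # (False, True)
```

The point of `crl_trusted` is the failure mode a deployment must guard against: an access point that accepts an unsigned or foreign CRL, or never fetches one before `next_update`, will keep honouring a terminated card. In production the CRL (or an OCSP response) is fetched from the distribution point named in the certificate rather than built locally as here.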

Logical and Physical Access Control

The Logical and Physical Access Control sub-system is responsible for enforcing access control policies at run time when the federal employee or contractor tries to access the logical IT systems or physical facilities. Access control policies are enforced based on the federal employee or contractor identity and authentication credentials stored on the PIV card issued by the card issuance and maintenance sub-system.

Event Monitoring and Management

The Event Monitoring and Management sub-system is an optional component of the Novell Identity Assurance Solution for HSPD-12 PIV. This system provides a flexible and scalable solution to capture events triggered during the PIV card lifecycle activities. This system also provides a set of reports that allows authorized users to see the state of the PIV processes in real time; it can be extended to support enterprise-level security event monitoring and management needs as well as audit and compliance reporting requirements. Administrators can also create custom reports and graphs to monitor a variety of conditions.

[Figure: HSPD-12 Life Cycle]

Preserving Your Investments

The platform-independent nature of the Novell solution enables federal agencies to build on their existing smart card and public key infrastructure (PKI) investments, instead of ripping and replacing systems to install proprietary alternatives. In fact, the solution provides freedom of choice in server hardware and operating system selection. It uses a standards-based authentication overlay that lets users log in to all network resources. It makes the authentication process transparent for users and easily manageable for the IT staff via a Java-based management console. The solution also scales from workgroup-level applications to the largest global enterprise environments, and will interoperate with any internal or external certificate authority. Another benefit of this comprehensive solution is improved business continuity: it supports disconnected users and provides temporary authentication for users who have lost or forgotten their Personal Identity Verification cards.

Identity-driven Computing: Planning Beyond HSPD-12

If you expand your concept of identity, you'll see that its power extends far beyond authentication to encompass every enterprise asset today. A comprehensive identity management solution affects everything from identity proofing and smart card issuance to safeguarding sensitive information from unauthorized access and regulatory compliance. It means that your government agency is able to adapt: to be flexible and to effectively address needs as they arise.

Consider investigating solutions that extend the power of identity to all facets of your organization's computing infrastructure. By embracing identity-driven computing, you gain substantial benefits. You can automate the management and security of your organization beyond the requirements of HSPD-12, improve user productivity, increase service levels and enable secure inter-agency information sharing.

Novell works with many of the integrators that service federal agencies to ensure that the solution meets each agency's unique requirements. For more information contact your Novell Solutions Provider, your Novell representative or call 1-888-321-4272.

© 2009 Novell, Inc. All Rights Reserved.