ActivIdentity

ActivCard has changed its name to ActivIdentity. Stockholders approved the name change at the annual meeting in February 2006.

 



ActivIdentity Industry Solutions

Smart Employee ID for Personal Identity Verification (PIV)

For government agencies seeking to comply with the Homeland Security Presidential Directive 12, ActivIdentity provides a Smart Employee ID solution that allows organizations to issue, use and manage Personal Identity Verification (PIV) cards in compliance with the FIPS 201 standard issued by the National Institute of Standards and Technology (NIST).

The solution includes the market-leading ActivIdentity ActivClient® middleware and ActivID™ Card Management System (CMS), and provides out-of-the-box support for multiple Smart Cards, Certificate Authorities, Directories, Digital Signatories, Identity Management Systems (IDMS), Identity Registration and Proofing Systems (IDRPS), Card Production Facilities (CPF) and Physical Access Control Systems (PACS) for a complete end-to-end HSPD-12 solution.

With ActivIdentity Smart Employee ID for PIV, agencies ensure that their compliance investment provides an identity assurance infrastructure that will support the new identity applications they need in the future such as strong authentication as well as secure information and transactions.

What is PIV?

Homeland Security Presidential Directive 12 (HSPD-12) was announced by the White House on August 27, 2004 to address the problem of inconsistent and potentially insecure forms of identification that have been used to access Federal buildings and information systems. The goals are to increase security, reduce identity fraud and increase efficiencies within the government.

The FIPS 201 standard from NIST provides the structure needed for Federal agencies to realize the critical security vision established in HSPD-12, and specifies smart cards as the device that will be used to implement this vision. FIPS 201 consists of two parts:

  • Personal Identity Verification (PIV)-I describes the minimum requirements for a system that meets the control and security objectives including the identity proofing process.
  • Personal Identity Verification (PIV)-II provides detailed technical specifications to support the control and security objectives in PIV-I and the details for technical interoperability of PIV cards with the authentication, access control, and management systems across the Federal Government.

ActivIdentity PIV support

The ActivIdentity Smart Employee ID for PIV solution supports the PIV-II specifications and enables government agencies to comply with the HSPD-12 mandate and use the PIV cards for their current and future security applications, such as:

  • Strong authentication to IT resources for remote access, workstation and network access, and application access.
  • Secure information and transactions via secure e-mails and documents, file and disk encryption, signed transactions, and secure auditing.
  • Secure access to facilities using standardized PIV data structures and contactless smart card technology.

Business benefits

  • Risk mitigation: In today’s world, a security or privacy breach can result in grave consequences, especially for government agencies that handle sensitive information. ActivIdentity Smart Employee ID solutions reduce the risk of such events by enabling the PIV infrastructure to strengthen proof of identity and secure access to information.
  • Accountability: When a security incident occurs, the organization must be able to identify the individuals who broke the rules. Strong proof of identity and tight integration between security audits are the keys to providing legally enforceable proof of any access to facilities, IT systems and information.
  • Cost reduction: Most organizations have separate processes and systems for issuance of facility access badges, identity cards and IT security tokens. This results in high cost and increased security risk. With the ActivIdentity Smart Employee ID solution, PIV cards can be used interoperably for all identity and access control needs throughout the enterprise - increasing security and reducing operating costs.
  • Productivity: In a typical organization, users log in with user names and static passwords multiple times per day. With smart card authentication, login is fast and ATM-like (insert your card and type your PIN).
  • Employee education: Frustrated users tend to work around security policies to make logging into computers easier. With ActivIdentity Smart Employee ID solutions, convenience and security are tied together. For example, the card is required to access facilities, so employees must take their card with them when leaving their office, and removing the card automatically locks the screen and the application.
  • Organizational efficiency: As recent regulations have increased the accountability of executives, many businesses are merging their facility and IT security teams into a single organization. The ActivIdentity Smart Employee ID solution enables alignment of processes and technology to reinforce these efforts.

Technical benefits

  • Field-proven – ActivIdentity Smart Employee ID solutions are used by many government agencies around the world including the U.S. DoD, Veterans Affairs and Department of the Interior, as well as Singapore Defense (DSTA).
  • Security across IT infrastructures – Enable multi-factor security with PIV cards across the IT infrastructure, including secure remote access, secure workstation and network access, and secure application access (single sign-on), as well as secure information such as signed and encrypted e-mail, documents and files, and secure transactions.
  • Ease of deployment – Most government agencies can deploy the ActivIdentity solution without the need for custom integration work, since it comes pre-integrated with leading vendors of PIV components: Smart Cards, Certificate Authorities (CA), Directories, Digital Signatories, Identity Management Systems (IDMS), Identity Registration and Proofing Systems (IDRPS), Card Production Facilities (CPF) and Physical Access Control Systems (PACS).
  • Extensible and Open – Public APIs and SDKs allow easy integration with more environments such as additional IDMS, IDRPS, CPF and PACS vendors that may not be pre-integrated. The open, standards-based architecture allows integration with virtually any third party system or application.
  • Future proof – ActivID™ Card Management System (CMS) allows organizations to quickly deploy PIV cards for immediate HSPD-12 compliance, and to update the cards post-issuance securely in the field. ActivClient® middleware shields organizations from the headaches of evolving interoperability standards by providing transparent support for multiple generations of specifications, including CAC, GSC-IS 2.1 and PIV, and will continue to evolve to support new standards.
  • A name you can trust – With over a decade of domain expertise, a broad patent portfolio and an extensive investment in ongoing research and development, ActivIdentity develops all its software products internally and ensures that its solutions continue to provide the industry-leading security, usability, and interoperability that government agencies require.

How it works

  • Once the Identity Management System (IDMS) has captured, proofed and vetted the identity of the applicant, it submits a card issuance request to the ActivIdentity Card Management System (CMS) in a secure and digitally signed format containing the basic information required to generate the PIV Card and its credentials.
  • ActivID™ CMS allows real-time encoding and printing of the PIV card by an operator via its own web-based console or via any third party badging application integrated with CMS through its Open APIs. Alternatively, ActivIdentity Batch Management System (BMS) allows interfacing with a Card Production Facility for batch issuance of the PIV cards.
  • During real-time encoding of the PIV card with CMS or the preparation of data with BMS, the ActivIdentity server connects to all appropriate systems such as Certificate Authorities (CA), Hardware Security Modules (HSM), Digital Signatory, Databases and LDAP directories to securely obtain all the credentials to be injected in the PIV Card.
  • If PIV cards are personalized from a Card Production Facility, they are shipped in a deactivated state to prevent any unauthorized use. Upon validation of the rightful applicant identity, the cards are activated by an operator via the CMS web-based console or any third party application integrated with CMS through its Open APIs.
  • Once the PIV card is issued, CMS sends a notification to the IDMS to confirm the issuance and further activates the identity and its access privileges across multiple systems.
  • The PIV card is now ready to be used for access to government facilities, and with ActivClient® it also enables strong authentication to workstations, networks and applications, as well as secure information and transactions.

Certifications

  • ActivClient™ PIV Middleware is validated by NIST for FIPS 201
  • ActivID™ Card Management System is validated by NIST for FIPS 201

Support for Standards

  • PIV / FIPS 201 validated cards and applications
  • FIPS 140-2 certified cards and applications
  • FIPS 140-2 certified Hardware Security Modules
  • Directory interface: LDAP v3.0
  • Web communications: SSL 3.0
  • Accessibility: Section 508
  • PKI: PKCS#7, PKCS#10, PKCS#11, X509, CRMF / CMMF / CRM
  • U.S. DoD GSC-IS and CAC

Copyright © 2008 ActivIdentity, Inc. All Rights Reserved.