Skip Main Navigation
Official Nebraska Government Website
Skip Side Navigation
Standards and Guidelines Icon

NITC 8-302: Identity and Access Management Standard for State Government Agencies

Category: Security Architecture
Applicability: Applies to all state agencies, boards, and commissions, excluding higher education
History: Adopted on March 15, 2005. Amended on March 4, 2008 (by NITC 1-103).

1. Standard

All state government web applications that require authentication and authorization of users will utilize the enterprise directory, known as Nebraska Directory Services.

2. Purpose and Objectives

The purpose of this standard is to provide an enterprise solution for identity and access management capabilities to reduce security administration costs, ensure regulatory compliance, and increase operation efficiency and effectiveness. This standard focuses on web applications, because most if not all new applications will utilize web technology. To incorporate non-web applications into the Nebraska Directory Services would require additional cost and different policies to implement.

Objectives include:

  • Build an identity-based portal that can integrate disparate applications, enable secure web access to applications and data, and enable users to access applications from their offices or remote locations.
  • Implement a standardized, secure identify and access management architecture that provides c entralized management with local administration of users, centralized user identity information, synchronized user identity information across multiple applications (where appropriate), and application-level authentication and authorization based on the unique identity of the user (as opposed to a shared logon ID).
  • Use standards-based technology to ease application integration, provide for reuse of components and remain adaptable in the face of changing technology products.
  • Ensure a solution that is scalable to meet the current and future needs of state agencies, their employees, clients and customers, and business partners.
  • Meet federal security requirements for identity and access management, including HIPAA and NCIC security regulations.
  • Provide a high level of security including the option of two-factor identification.

3. Definitions

Authentication: The process of uniquely identifying an individual. Authentication ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual.

Authorization: The process of giving individuals access to system objects based on their identity which allows them to add, update, delete or view information for a web application.

Identify and Access Management: Enterprise Identity Management is a system of technologies, business practices, laws and policies that manages common identification of user objects; reduce the costs while enhancing the quality of government services; protects the integrity of state resources; and safeguards the privacy of the individual.

LDAP: LDAP (Lightweight Directory Access Protocol) is an Internet protocol that applications use to look up user information from a server, such as Novell's eDirectory.

Web Applications: Web server based applications that are accessed using a web browser. This definition includes custom developed systems and third party software systems.

4. Applicability

4.1 State Government Agencies

This standard applies to all state government agencies, boards, and commissions, except Higher Education.

4.1.1 State Agencies, Boards, and Commissions

All new web applications requiring authentication and authorization of individuals must comply with the standard listed in Section 1. All existing web applications requiring authentication and authorization must convert to the standard listed in Section 1 as soon as fiscally prudent or upon an upgrade to the web application, whichever comes first, unless the application is exempt.

5. Responsibility

5.1 IMServices

IMServices will incorporate the needed hardware and software into their infrastructure to provide the following:

  • LDAP directory for user /entity objects.
  • Role-based authentication and authorization to the enterprise LDAP directory and applicable applications for registered users.
  • Business/disaster recovery.
  • Authentication methods available:
  • User ID and password
  • Two-factor authentication
  • X.509 certificates

5.2 State Agencies, Boards and Commissions

Agencies, Boards and Commissions will carry out the following responsibilities:

  • Web applications requiring authentication and authorization must comply with the standard listed in Section 1.
  • Require this standard be referenced in all RFPs (Requests for Purchase) for web applications covered by this standard.

5.3 State Government Council Directory Services Workgroup

The State Government Council's Directory Services Workgroup will provide ongoing advice and direction, including but not limited to:

  • Policies for implementation;
  • Benchmarks and service level agreements;
  • Funding options.