The Challenge
The Virginia Department of Small Business & Supplier Diversity (SBSD) serves as the gateway for small, women-owned, minority-owned, and service-disabled veteran-owned businesses seeking to do business with the Commonwealth of Virginia. With over 65,000 small businesses relying on SBSD's digital platforms, the department faced a complex identity and access challenge that touched every corner of their operations.
Business owners had to manage separate credentials for each SBSD application — a fragmented, frustrating experience that created barriers to access and drove up support costs. At the same time, the Commonwealth of Virginia's SEC 530 cybersecurity standard imposed strict requirements for authentication strength, access controls, and audit readiness that the existing infrastructure could not meet.
The requirements were clear: provide every small business owner with a single, trusted identity that worked seamlessly across all SBSD applications, while delivering the security posture and compliance documentation the Commonwealth demanded.
"The challenge was as much about citizen experience as it was about security. Small business owners shouldn't have to think about identity management — they should just get access to the services they need, securely and without friction." — SPS Implementation Team, SBSD Engagement
The Requirements
SBSD's requirements spanned four distinct dimensions — each critical to the success of the program:
Self-Registration
Small business owners needed to register themselves into the system without IT intervention — a guided, secure, mobile-friendly self-enrollment experience that could scale to tens of thousands of users.
Multifactor Authentication
All users — external small business owners and internal SBSD staff — required MFA enforcement. Risk-based, adaptive controls had to ensure strong authentication without creating barriers to legitimate access.
Single Sign-On Across Applications
One login for all SBSD applications. Business owners needed a seamless experience — authenticate once, access everything. No more per-application passwords or credential fatigue.
Virginia Cybersecurity Standard
Full alignment with the Commonwealth of Virginia's SEC 530 cybersecurity standard — including documented controls, audit artifacts, and continuous compliance evidence for state security officers.
The SPS Solution
SPS designed and implemented a comprehensive identity platform for SBSD using two IBM technologies working in concert: IBM Verify SaaS as the identity and access backbone, and IBM QRadar for security monitoring and compliance evidence generation.
The solution was built to serve three distinct user populations, each with an access experience tailored to it and each governed by IBM Verify's Identity Orchestration capability:
Small Business Owners
Self-registration portal, guided MFA enrollment, adaptive risk-based access, SSO to all SBSD services and certification applications.
SBSD Staff
Directory-integrated authentication, role-based access to internal systems, privileged MFA for administrative functions, SSO across business applications.
State Partners & Auditors
Controlled external access for Commonwealth partners and state security auditors, with automated audit trail generation and evidence packaging.
IBM Verify Identity Orchestration
Central to the solution was IBM Verify's Identity Orchestration capability — a visual workflow designer that allowed SPS architects to build distinct authentication journeys for each user type without custom code. Business owner self-registration, staff provisioning, MFA step-up flows, and password recovery were all designed as governed, auditable orchestration flows.
This approach meant that as SBSD's user population grew — from hundreds to thousands to tens of thousands of small businesses — the identity platform scaled elastically without any infrastructure intervention.
Identity Orchestration Workflows
Custom orchestration flows designed for each user population — self-registration, MFA enrollment, adaptive step-up, and delegated access for business owners representing multiple businesses.
Adaptive Access Controls
AI-driven risk scoring evaluated device, location, and behavioral signals for every authentication attempt — applying additional verification only when risk warranted it, keeping the experience smooth for legitimate users.
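As an added illustration, not IBM Verify's own risk engine or any SPS configuration, the following Python models the adaptive decision described above: score device, location and behavioural signals for an authentication attempt, and require MFA step-up only when the risk score warrants it. The signal weights, thresholds and sample history are assumed values chosen for the example.

```python
"""Illustrative adaptive-access policy (constructed example, not IBM Verify's
risk engine): score each authentication attempt on device, location and
behaviour signals, then allow, step up to MFA, or deny based on the score."""
from dataclasses import dataclass, field

ALLOW, STEP_UP, DENY = "allow", "step_up_mfa", "deny"


@dataclass
class UserHistory:
    """What the identity platform already knows about this user."""
    known_devices: set = field(default_factory=set)
    usual_regions: set = field(default_factory=set)
    recent_failures: int = 0          # failed logins in the current window


@dataclass
class AuthAttempt:
    user: str
    device_id: str
    region: str
    hour_utc: int                     # time-of-day signal, 0-23
    impossible_travel: bool = False   # set upstream by a geo-velocity check


def risk_score(history: UserHistory, attempt: AuthAttempt) -> int:
    """Additive risk score; weights are assumed, not vendor defaults."""
    score = 0
    if attempt.device_id not in history.known_devices:
        score += 30                   # unregistered device
    if attempt.region not in history.usual_regions:
        score += 25                   # unfamiliar location
    if attempt.impossible_travel:
        score += 50                   # two logins too far apart to be genuine
    if history.recent_failures >= 3:
        score += 20                   # guessing or credential-stuffing pattern
    if attempt.hour_utc < 5:
        score += 10                   # outside assumed normal hours
    return score


def decide(history: UserHistory, attempt: AuthAttempt,
           step_up_at: int = 30, deny_at: int = 90) -> tuple:
    """Low risk passes without friction, medium risk gets an MFA step-up,
    high risk is blocked (and would be raised as a SIEM alert)."""
    score = risk_score(history, attempt)
    if score >= deny_at:
        return DENY, score
    if score >= step_up_at:
        return STEP_UP, score
    return ALLOW, score
```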
IBM QRadar Integration
QRadar monitored all authentication and access events from IBM Verify in real time — detecting anomalies, generating compliance alerts, and feeding the automated audit artifact pipeline.
Automated Audit Artifacts
SEC 530 compliance evidence was generated automatically — access logs, MFA enforcement records, policy documentation, and exception reports — ready for state security officer review at any time.
SEC 530 Compliance
The Commonwealth of Virginia's SEC 530 standard establishes cybersecurity requirements for all state agencies — covering identity management, access control, audit and accountability, and incident response. SBSD needed to demonstrate measurable alignment across all control families before go-live.
Key SEC 530 control families addressed by the SPS implementation:
AC — Access Control
Role-based access, least privilege enforcement, session management, and remote access controls — all governed through IBM Verify policy and orchestration workflows.
IA — Identification & Authentication
MFA enforcement for all user types, unique user identification, authenticator management, and cryptographic authentication via IBM Verify's FIDO2 and TOTP capabilities.
AU — Audit & Accountability
Comprehensive audit logging of all authentication and access events through IBM QRadar — with automated report generation and evidence packaging for SEC 530 assessments.
SI — System & Information Integrity
Continuous security monitoring through QRadar, anomaly detection on identity events, and automated alerting for suspicious authentication patterns or access anomalies.
Delivered in Under a Year
From initial architecture design to full production deployment serving tens of thousands of Virginia small business owners — the entire program was completed in under twelve months.
Architecture & Design
SEC 530 gap analysis, IBM Verify tenant design, user population mapping, orchestration flow design, QRadar integration architecture.
Build & Pilot
Tenant configuration, orchestration workflow build, SSO federation, MFA rollout, QRadar deployment, pilot user validation with SBSD staff.
Production & Compliance
Full small business owner onboarding, SEC 530 control validation, audit artifact generation, compliance documentation, and state security officer sign-off.
Outcomes
Small business owners across Virginia authenticated through IBM Verify at SBSD — securely accessing state applications and resources
Of Virginia's SEC 530 cybersecurity controls met through the combined IBM Verify SaaS and QRadar deployment
Single identity for all SBSD applications — one set of credentials, one MFA enrollment, seamless SSO across every service
Complete deployment from initial design to full production — serving thousands of business owners at Virginia-government scale
About the Commonwealth of Virginia SEC 530
Virginia's SEC 530 standard (Information Technology Security Audit) establishes mandatory cybersecurity requirements for all Commonwealth executive branch agencies. It aligns with NIST SP 800-53 and requires agencies to demonstrate continuous compliance through documented controls, audit evidence, and regular security reviews.