RTTUZYUW RUEWMCS0000 0721935-UUUU--RUCRNAD
ZNR UUUUU
R 121935Z MAR 12
FM CNO WASHINGTON DC
TO NAVADMIN
UNCLAS//N05239//
NAVADMIN 084/12
BT
MSGID/GENADMIN/CNO WASHINGTON DC/N2N6BC/-/MAR//
SUBJ/PUBLIC KEY ENABLEMENT OF NAVY SECRET INTERNET PROTOCOL
ROUTER NETWORK//
REF/A/DOC/DOD WASH DC/24MAY2011//
REF/B/DOC/CNSS/MAR2009//
REF/C/DOC/DOD WASH DC/14OCT2011//
REF/D/DOC/DOD WASH DC/13MAY2011//
NARR/REF A IS DOD INSTRUCTION 8520.02, PUBLIC KEY INFRASTRUCTURE
(PKI) AND PUBLIC KEY (PK) ENABLING. REF B IS THE COMMITTEE ON
NATIONAL SECURITY SYSTEMS (CNSS) POLICY NUMBER 25, NATIONAL
POLICY FOR PUBLIC KEY INFRASTRUCTURE IN NATIONAL SECURITY SYSTEMS.
REF C IS DOD CHIEF INFORMATION OFFICER MEMO, DOD SIPRNET PUBLIC
KEY INFRASTRUCTURE CRYPTOGRAPHIC LOGON AND PUBLIC KEY ENABLEMENT
OF SIPRNET APPLICATIONS AND WEB SERVERS. REF D IS DOD INSTRUCTION
8520.03, IDENTITY AUTHENTICATION FOR INFORMATION SYSTEMS. REFS
A THROUGH D ARE LOCATED ON THE PKI PAGE OF THE INFOSEC WEB SITE AT
HTTPS:(SLASH)(SLASH)INFOSEC.NMCI.NAVY.MIL(SLASH)PKI(SLASH)NSS.HTML.
UNIFORM RESOURCE LOCATOR (URL) MUST BE IN ALL LOWERCASE.
POC/CDR JULIANA ROSATI/MIL/OPNAV N2N6BC4/LOC:WASH DC/TEL:
(571)256-8523/TEL:DSN:260-8523/E-MAIL:juliana.rosati@navy.mil/
MS. KRISTEN WAYNE/CTR/OPNAV N2N6BC4/LOC:WASH DC/TEL:(571)256-8522/
TEL:DSN:260-8522/E-MAIL:kristen.wayne.ctr@navy.mil//
RMKS/1. IAW REFS A THROUGH D, THIS MESSAGE DIRECTS ACTION BY NAVY
COMMANDERS TO SUPPORT PUBLIC KEY (PK) ENABLEMENT OF THE SECRET
INTERNET PROTOCOL ROUTER NETWORK (SIPRNET).
2. SCOPE AND APPLICABILITY. THIS MESSAGE APPLIES TO ALL NAVY
OWNED, OPERATED OR CONTROLLED SIPRNET-CONNECTED NETWORKS, WEB
SERVERS, AND APPLICATIONS. THIS MESSAGE DOES NOT APPLY TO NETWORKS
CLASSIFIED HIGHER OR LOWER THAN SECRET.
3. BACKGROUND. PK ENABLING ENHANCES THE SECURITY POSTURE OF THE
GLOBAL INFORMATION GRID. REF A DIRECTS PK ENABLEMENT OF ALL SECRET
AND UNCLASSIFIED DEPARTMENT OF DEFENSE (DOD) NETWORKS. REF B
PROVIDES POLICY REGARDING THE USE OF PUBLIC KEY INFRASTRUCTURE (PKI)
IN CLASSIFIED ENVIRONMENTS. PREVIOUS DOD AND NAVY EFFORTS HAVE
FOCUSED ON PK ENABLING OF UNCLASSIFIED NETWORKS. REF C DIRECTS THE
PK ENABLEMENT OF THE SIPRNET AND INCLUDES A SPECIFIC TIMELINE FOR
IMPLEMENTATION IN DOD. REF D PROVIDES POLICY ON WHEN PKI MUST BE
USED FOR AUTHENTICATION.
4. IMPLEMENTATION. DOD HAS DEVELOPED A PKI HARDWARE TOKEN, SIMILAR
TO THE COMMON ACCESS CARD (CAC), FOR USE ON THE SIPRNET. FULL
DEPLOYMENT OF THIS TOKEN BEGINS IN EARLY CALENDAR YEAR 2012 WITH A
TARGETED COMPLETION DATE OF DECEMBER 2012 FOR ISSUANCE TO ALL SIPRNET
USERS. TO ACCOMPLISH FULL OPERATIONAL CAPABILITY, ALL SIPRNET
ACCOUNTS MUST BE ENABLED FOR CRYPTOGRAPHIC LOGON (CLO) BY 31 MARCH
2013. APPLICATIONS WHICH RELY ON ACTIVE DIRECTORY (AD) FOR
AUTHENTICATION MUST BE PK-ENABLED BEFORE THIS DEADLINE TO ENABLE AD
ACCOUNTS FOR CLO. ADDITIONALLY, ALL WEB SERVERS AND APPLICATIONS
SHALL SUPPORT TWO-WAY PKI AUTHENTICATION WITH ACCESS REQUIRING PKI
CREDENTIALS BY 30 JUNE 2013. USCYBERCOM WILL ESTABLISH A REPORTING
PROCESS TO TRACK COMPLIANCE AND PROGRESS TOWARD MEETING THESE
DEADLINES. SHIPS AND SUBMARINES SHALL IMPLEMENT SIPRNET CLO AS
TECHNOLOGICALLY FEASIBLE. THIS IS DEPENDENT ON SPAWAR SIPRNET
TOKEN BACK-FIT AND CLO BACK-FIT TO INTERNAL SHIPBOARD NETWORKS.
NOTE: IN THE DOD INFORMATION TECHNOLOGY PORTFOLIO REPOSITORY -
DEPARTMENT OF NAVY (DITPR-DON), "APPLICATIONS" DISCUSSED IN THIS
NAVADMIN ARE CALLED "SYSTEMS."
5. DEFINITIONS. THE FOLLOWING DEFINES THE KEY TRUSTED ROLES INVOLVED
IN THE TOKEN DISTRIBUTION PROCESS.
A. REGISTRATION AUTHORITY (RA). AN ENTITY (ORGANIZATION) NOMINATED
BY OPNAV (N2N6BC) AND AUTHORIZED BY THE NATIONAL SECURITY SYSTEMS (NSS)
DOD SUBORDINATE CERTIFICATION AUTHORITY SYSTEM (CAS) TO COLLECT,
VERIFY, AND SUBMIT INFORMATION PROVIDED BY POTENTIAL SIPRNET ACCOUNT
HOLDERS FOR ENTRY INTO PK CERTIFICATES. RA OPERATIONS ARE PERFORMED
IAW THE CAS CERTIFICATION PRACTICE STATEMENT (CPS) AND THE NSS PKI
DOD REGISTRATION PRACTICE STATEMENT (RPS). BOTH DOCUMENTS ARE
AVAILABLE ON THE NAVY INFOSEC WEBSITE AT
HTTPS:(SLASH)(SLASH)INFOSEC.NMCI.NAVY.MIL(SLASH)PKI(SLASH)NSS.HTML.
NAVY RAS ARE LOCATED AT NAVAL COMMUNICATIONS SECURITY MATERIAL SYSTEM
(NCMS) WASHINGTON DC, SPACE AND NAVAL WARFARE SYSTEMS COMMAND SYSTEMS
CENTER ATLANTIC (SSC LANT) CHARLESTON, SC, AND NCMS DETACHMENT HAWAII.
B. REGISTRATION AUTHORITY OFFICER. AN INDIVIDUAL NOMINATED BY OPNAV
(N2N6BC) AND AUTHORIZED BY THE NSS PKI DOD SUBORDINATE CAS TO EXECUTE
THE RA FUNCTIONS OUTLINED IN PARA 5A. THE RA OFFICER IS RESPONSIBLE
FOR CERTIFICATE REGISTRATION, REVOCATION, SUSPENSION, AND RESTORATION
AS WELL AS KEY RECOVERY. THE FOLLOWING PRIVILEGES ARE UNIQUE TO RA
OFFICERS: APPROVING THE REVOCATION OR SUSPENSION OF ANY CERTIFICATE;
RESTORING SUSPENDED CERTIFICATES; REGISTERING AND TERMINATING LOCAL
REGISTRATION AUTHORITIES; AND PERFORMING KEY RECOVERY OPERATIONS.
C. LOCAL REGISTRATION AUTHORITY (LRA). AN RA WITH RESPONSIBILITY FOR
A LOCAL COMMUNITY. LRAS ARE AUTHORIZED BY THE NAVY RA TO PERFORM ONLY
THE CERTIFICATE REGISTRATION FUNCTION WITHIN THEIR LOCALIZED REGION.
THE LRA MAY PROVIDE CERTIFICATE REGISTRATION INSTRUCTIONS (CRI) TO
ACCOUNT HOLDERS FOR CERTIFICATE ISSUANCE. THE NAVY HAS LRAS IN THE
FOLLOWING FLEET CONCENTRATION AREAS: WASHINGTON, DC; SAN DIEGO, CA;
PEARL HARBOR, HI; NORFOLK, VA; AND CHARLESTON, SC.
D. TRUSTED AGENT (TA). THE TA IS A UNIT-LEVEL INDIVIDUAL SPECIFICALLY
ALIGNED TO AN LRA OR RA, BUT WITHOUT LRA PRIVILEGES. THE COMMANDING
OFFICER, RA, OR LRA MAY APPOINT A TA. THE TA ISSUES TOKENS, TOKEN
READERS, AND ASSOCIATED REGISTRATION INSTRUCTIONS AFTER PERFORMING
IN-PERSON IDENTITY AND DOCUMENTATION VERIFICATION.
6. SIPRNET PKI TOKEN ISSUANCE PROCESS. TOKEN DISTRIBUTION WILL BE
EXECUTED IAW THE NAVY IMPLEMENTATION PLAN (IP) WHICH ALIGNS WITH THE
DOD SIPRNET TOKEN MANAGEMENT SYSTEM (TMS) CONCEPT OF OPERATIONS (CONOPS).
BOTH DOCUMENTS ARE AVAILABLE ON THE NAVY INFOSEC WEBSITE AT
HTTPS:(SLASH)(SLASH)INFOSEC.NMCI.NAVY.MIL(SLASH)PKI(SLASH)NSS.HTML.
IN PRACTICE, THE SIPRNET TOKEN DISTRIBUTION WILL BE SIMILAR TO THE
UNCLASSIFIED NAVY ALTERNATE LOGON TOKEN (ALT) PROGRAM. EXPERIENCE WITH
THE ALT PROGRAM WILL BE VALUABLE TO ENSURE ACCURATE, EFFICIENT ISSUANCE
OF THE SIPRNET TOKENS. PERSONNEL ASSIGNED AS ALT TRUSTED AGENTS ARE
FAMILIAR WITH THE IDENTITY VERIFICATION PROCESS AND MAY BE UNIQUELY
SUITED TO PERFORM THE SIPRNET PKI TA ROLE. INITIAL DEPLOYMENT WITHIN
THE NAVY WILL CONCENTRATE ON ISSUING TOKENS TO USERS AND ADMINISTRATOR
ACCOUNTS ON THE NAVY MARINE CORPS INTRANET (NMCI). NAVY RAS WILL
DISTRIBUTE TOKENS TO LRAS IN FLEET CONCENTRATION AREAS. SIPRNET TOKENS
SHALL ONLY BE USED WITH NATIONAL SECURITY AGENCY (NSA)-PROVIDED TOKEN
READERS AND NOT WITH READERS EMBEDDED ON THE MACHINE OR KEYBOARD. SSC
LANT WILL PROVIDE THE READERS; PARA 7B PERTAINS. WITH THE EXCEPTION OF
SYSTEM ADMINISTRATORS, SIPRNET TOKENS ARE NOT CURRENTLY AVAILABLE FOR
FUNCTIONAL (E.G., WATCHSTANDERS, GROUPS, ETC.) ACCOUNTS. FLTCYBERCOM
WILL ISSUE GUIDANCE VIA A NAVY TELECOMMUNICATIONS DIRECTIVE OR
COMMUNICATIONS TASKING ORDER WHEN THE CAPABILITY EXISTS FOR SIPRNET
TOKENS TO SUPPORT GROUP AND ROTATING ROLE-BASED FUNCTIONAL ACCOUNTS,
FUNCTIONAL MAILBOXES, AND SERVICE ACCOUNTS.
A. TO FACILITATE TOKEN ISSUANCE, COMMANDS SHALL ASSIGN A MINIMUM OF
THREE (3) SIPRNET PKI TRUSTED AGENTS (TAS) TO ASSIST THE LRAS TO WHOM
THEY ARE ALIGNED. HOWEVER, COMMANDS ARE ENCOURAGED TO ASSIGN AS MANY AS
POSSIBLE. AT LEAST ONE OF THE COMMAND'S SIPRNET PKI TAS MUST BE
DUAL-HATTED AS THE INFORMATION ASSURANCE MANAGER (IAM), INFORMATION
ASSURANCE OFFICER, OR SECURITY OFFICER. TWO TAS ARE REQUIRED TO ISSUE
A TOKEN. ONE ISSUES THE TOKEN; THE OTHER ISSUES THE ASSOCIATED TEMPORARY
PERSONAL IDENTIFICATION NUMBER (PIN). THE ROLE OF ONE OF THESE TAS CAN
BE EXECUTED BY AN LRA IF THE LRA IS PROVIDING THE ENROLLMENT CRI. PKI
TAS SHALL COMPLETE THE TRAINING AVAILABLE AT
HTTPS:(SLASH)(SLASH)INFOSEC.NMCI.NAVY.MIL(SLASH)PKI(SLASH)NSS.HTML.
PROCEDURES TO ESTABLISH A TA ARE ALSO LOCATED AT THIS UNIFORM RESOURCE
LOCATOR (URL).
B. COMMANDS AND SHIPS MAY NOMINATE LRAS IN ADDITION TO TAS IF DESIRED.
ONLY NCMS WASHINGTON DC CAN AUTHORIZE LRAS. SEE PARA 7D FOR POINT OF
CONTACT INFORMATION TO MAKE LRA REQUESTS. DUE TO THE INCREASED LEVEL OF
AUTHORITY AND RESPONSIBILITY GIVEN TO LRAS, THEY MUST SUCCESSFULLY COMPLETE
A NO-COST DEFENSE INFORMATION SYSTEMS AGENCY (DISA) NATIONAL SECURITY
SYSTEMS TRAINING COURSE IN PERSON. LRA TRAINING IS AVAILABLE AT NCMS
WASHINGTON DC, NORFOLK, AND SAN DIEGO. MOBILE TRAINING TEAMS ARE ALSO
AVAILABLE FOR WORLDWIDE TRAINING ON A LIMITED BASIS AT COST. CONTACT NCMS
WASHINGTON DC POINT OF CONTACT IN PARA 7D TO COORDINATE. THE LRA TRAINING
SCHEDULE IS AVAILABLE AT
HTTPS:(SLASH)(SLASH)INFOSEC.NMCI.NAVY.MIL(SLASH)PKI(SLASH)LRAMAIN.HTML.
THE TRAINING MATERIAL IS AVAILABLE AT
HTTP:(SLASH)(SLASH)IASE.DISA.MIL(SLASH)PKI-PKE(SLASH).
7. ACTION.
A. COMMANDERS MUST BE PREPARED TO SUPPORT THE ISSUANCE OF SIPRNET TOKENS
TO AUTHORIZED PERSONNEL UNDER THEIR COGNIZANCE, INCLUDING ASSOCIATED USER
TRAINING AND FAMILIARIZATION. FAILURE TO DO SO MAY RESULT IN USERS BEING
UNABLE TO ACCESS THEIR SIPRNET ACCOUNTS.
B. BY 31 MARCH 2012, COMMANDS SHALL IDENTIFY AT LEAST THREE (3) PKI
TRUSTED AGENTS TO FACILITATE ISSUING TOKENS WHEN FULL DEPLOYMENT BEGINS.
ONCE ALL TRAINING AND ADMINISTRATIVE REQUIREMENTS ARE MET, SEND THE NAMES
OF AUTHORIZED TAS AND LRAS (AS APPLICABLE) TO
MS. BETTY COLLINS/betty.collins@navy.smil.mil/843-218-4633 AND MS.
MARJORIE DIXSON/marjorie.dixson1@navy.smil.mil/240-857-7709.
ADDITIONALLY, BY 31 MARCH PROVIDE THE TOTAL NUMBERS OF TOKENS AND TOKEN
READERS REQUIRED BY THE COMMAND. WHEN CALCULATING THE NUMBER OF TOKENS,
ACCOUNT FOR ONE TOKEN FOR EACH SIPRNET USER AND ONE FOR EACH SYSTEM
ADMINISTRATOR ACCOUNT. WHEN CALCULATING THE NUMBER OF TOKEN READERS,
ACCOUNT FOR ONE CARD READER FOR EACH SIPRNET MACHINE, AND TWO READERS FOR
EACH WORKSTATION THAT WILL BE USED TO EXECUTE TOKEN ISSUANCE (TA, LRA,
AND KIOSK WORKSTATIONS). FUNDING HAS BEEN ALLOCATED TO PROVIDE TOKEN
READERS DURING THE INITIAL TOKEN ROLLOUT. COMMANDS WILL BE RESPONSIBLE
FOR PROCUREMENT OF TOKEN READERS FOR SUSTAINMENT STARTING IN FY15.
C. ON NMCI, TA, LRA, AND KIOSK WORKSTATIONS WILL REQUIRE SPECIALIZED
SOFTWARE FOR TOKEN ISSUANCE CAPABILITY. TO RECEIVE THE SOFTWARE, SEND
WORKSTATION INFORMATION [MACHINE NAME, SITE (PHYSICAL SITE IDENTIFIER (PSI)
CODE), AND SEAT POC E-MAIL] TO LTJG SHANNON BUCKLEY/SHANNON.R.BUCKLEY(AT)
NAVY.MIL/619-553-3382 BY 31 MARCH.
D. COMMANDS DESIRING TO ESTABLISH THEIR OWN LRA SHOULD CONTACT THE NAVY
RA AT NCMS BY 31 MARCH 2012. THE POC IS MS. MARJORIE DIXSON/
marjorie.dixson1@navy.smil.mil/240-857-7709.
E. PROGRAM OFFICES AND EXCEPTED NETWORK OWNERS SHALL PROVIDE THE
REQUIREMENTS FOR APPROPRIATE ENABLEMENT AND SUSTAINMENT FUNDING TO THEIR
RESOURCE SPONSOR.
F. BY 31 MARCH 2012 COMMANDS SHALL ENSURE THEIR AD PERSONNEL ENTRIES
REFLECT THE MOST ACCURATE AND CURRENT LIST OF USERS. AN INACCURATE AD MAY
RESULT IN UNNECESSARY DELAYS DURING TOKEN ISSUANCE. COMMANDS SHALL
DISABLE ACCOUNTS OF PERMANENTLY DETACHING PERSONNEL TO MAINTAIN SIPRNET
ACCESS INTEGRITY.
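THE FOLLOWING POWERSHELL SCRIPT IS AN ADDED EXAMPLE, NOT PART OF THIS
NAVADMIN AND NOT A NAVY-PROVIDED TOOL, OF THE KIND OF AD SCRUB AN IAM COULD
RUN IN SUPPORT OF PARAS 4 AND 7F: IT REPORTS ENABLED ACCOUNTS NOT SEEN
WITHIN A STALENESS WINDOW, REPORTS ACCOUNTS NOT YET REQUIRING SMART-CARD
(TOKEN) LOGON, AND DISABLES ONLY A COMMAND-SUPPLIED LIST OF PERMANENTLY
DETACHING PERSONNEL. IT ASSUMES THE RSAT ACTIVEDIRECTORY MODULE ON A
DOMAIN-JOINED ADMIN WORKSTATION, A HYPOTHETICAL SEARCH BASE AND LIST FILE
PATH, A 90-DAY THRESHOLD, AND THAT CLO ENFORCEMENT MAPS TO THE AD "SMART
CARD IS REQUIRED FOR INTERACTIVE LOGON" FLAG; NONE OF THESE ARE STATED IN
THE MESSAGE.

```powershell
# Added example (not part of NAVADMIN 084/12): AD scrub and CLO-readiness
# report for a SIPRNet domain. Requires the RSAT ActiveDirectory module.
# The OU, threshold and list path below are assumed placeholders.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$SearchBase       = 'OU=Users,DC=example,DC=smil,DC=mil', # assumed placeholder OU
    [int]$InactiveDays        = 90,                                   # assumed staleness threshold
    [string]$DetachedListPath = '.\detached-personnel.txt',           # one sAMAccountName per line (assumed)
    [string]$ReportPath       = '.\siprnet-ad-scrub.csv'
)

Import-Module ActiveDirectory

# Pull only enabled accounts under the search base, with the attributes the checks need.
$props = 'LastLogonDate', 'SmartcardLogonRequired', 'Enabled', 'whenCreated'
$users = @(Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties $props)

$cutoff = (Get-Date).AddDays(-$InactiveDays)

# 1. Stale accounts: enabled but not seen since the cutoff, or never logged on.
#    These are reported for review only; nothing here disables them automatically.
$stale = @($users | Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff })

# 2. CLO readiness: enabled accounts that do not yet require smart-card (token) logon.
#    Assumption: CLO enforcement corresponds to the AD
#    'Smart card is required for interactive logon' account flag.
$noClo = @($users | Where-Object { -not $_.SmartcardLogonRequired })

# Write a per-account report the IAM can reconcile against the command's personnel roster.
$staleNames = $stale | ForEach-Object { $_.SamAccountName }
$report = foreach ($u in $users) {
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        Created        = $u.whenCreated
        LastLogonDate  = $u.LastLogonDate
        Stale          = ($staleNames -contains $u.SamAccountName)
        CloRequired    = [bool]$u.SmartcardLogonRequired
    }
}
$report | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host ("{0} enabled users; {1} stale (>{2} days); {3} not yet CLO-enforced" -f
    $users.Count, $stale.Count, $InactiveDays, $noClo.Count)

# 3. Disable accounts of permanently detaching personnel. The list is supplied by the
#    command; blank lines and '#' comments are ignored. Honors -WhatIf / -Confirm.
if (Test-Path $DetachedListPath) {
    foreach ($line in Get-Content $DetachedListPath) {
        $sam = $line.Trim()
        if (-not $sam -or $sam.StartsWith('#')) { continue }
        $acct = $users | Where-Object { $_.SamAccountName -eq $sam }
        if (-not $acct) { Write-Warning "Not found under search base or already disabled: $sam"; continue }
        if ($PSCmdlet.ShouldProcess($sam, 'Disable-ADAccount')) {
            Disable-ADAccount -Identity $acct
            # Leave an audit trail on the object itself for the next scrub.
            Set-ADUser -Identity $acct -Description ("Disabled {0:yyyy-MM-dd}: permanently detached" -f (Get-Date))
        }
    }
}
else {
    Write-Warning "No detached-personnel list at $DetachedListPath; report written, no accounts changed."
}
```

RUN IT FIRST WITH -WHATIF TO CONFIRM WHICH ACCOUNTS THE DISABLE STEP WOULD
TOUCH. STALE AND NON-CLO ACCOUNTS ARE ONLY LISTED IN THE CSV; THE SCRIPT
DISABLES NOTHING THAT IS NOT NAMED IN THE COMMAND'S OWN DETACHED-PERSONNEL
LIST, SO A MISSING LOGON TIMESTAMP (E.G., A DEPLOYED UNIT) CANNOT LOCK
ANYONE OUT.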
8. TECHNICAL GUIDANCE AND USEFUL LINKS.
ADDITIONAL RELEVANT INFORMATION IS LOCATED ON THE NAVY INFOSEC WEB SITE
AT HTTPS:(SLASH)(SLASH)INFOSEC.NMCI.NAVY.MIL(SLASH)PKI OR ON THE SIPRNET
AT HTTPS:(SLASH)(SLASH)INFOSEC.NAVY.SMIL.MIL(SLASH)PKI. IAMS, LRAS AND TAS
SHOULD SUBSCRIBE TO THE INFOSEC MAILING LIST AT
HTTPS:(SLASH)(SLASH)INFOSEC.NMCI.NAVY.MIL(SLASH)SUBSCRIBE(SLASH)INDEX.JSP
TO RECEIVE EMAIL UPDATES OF NEW PKI ANNOUNCEMENTS AND TRAINING MATERIALS.
9. TIMELINE SUMMARY.
A. COMMANDS MUST:
(1) ESTABLISH AT LEAST THREE (3) TAS BY 31 MARCH 2012.
(2) SUBMIT TOKEN, TOKEN READER, AND WORKSTATION INFORMATION BY 31 MARCH
2012.
(3) SCRUB ACTIVE DIRECTORY ACCOUNTS BY 31 MARCH 2012.
B. A SIPRNET PKI TOKEN IS REQUIRED FOR ALL SIPRNET USERS BY 31 DECEMBER
2012.
C. ALL SIPRNET ACCOUNTS MUST BE ENABLED TO USE CLO BY 31 MARCH 2013.
D. APPLICATIONS THAT RELY UPON ACTIVE DIRECTORY FOR AUTHENTICATION MUST BE
PK-ENABLED BEFORE 31 MARCH 2013.
E. ALL WEB SERVERS AND APPLICATIONS (SYSTEMS) SHALL SUPPORT CLIENT-SIDE
PKI AUTHENTICATION WITH ACCESS REQUIRING PKI CREDENTIALS BY 30 JUNE 2013.
10. THIS NAVADMIN WILL REMAIN IN EFFECT UNTIL CANCELLED OR SUPERSEDED.
11. REQUEST WIDEST DISSEMINATION.
12. RELEASED BY VADM KENDALL L. CARD, OPNAV N2N6.//
BT
#0000
NNNN