NAVY POLICY ON USE OF NIPRNET PUBLIC KEY INFRASTRUCTURE (PKI) SOFTWARE CERTIFICATES:

RTTUZYUW RUEWMCS0000 1041827-UUUU--RUCRNAD
ZNR UUUUU
R 141827Z APR 09
FM CNO WASHINGTON DC
TO NAVADMIN
BT
UNCLAS//N5500//
NAVADMIN 110/09
MSGID/GENADMIN/CNO WASHINGTON DC/N6//
SUBJ/NAVY POLICY ON USE OF NIPRNET PUBLIC KEY INFRASTRUCTURE (PKI) 
SOFTWARE CERTIFICATES// 
REF/A/MSG/DON CIO WASHINGTON DC/031859Z DEC 08// 
REF/B/MSG/DON CIO WASHINGTON DC/122213Z MAY 08// 
NARR/REF A PROVIDED UPDATE TO DON PKI SOFTWARE CERTIFICATE POLICY. 
REF B ANNOUNCED THE DON CIO SOFTWARE CERTIFICATE MINIMIZATION EFFORT//
POC/JOHN ROSS/CIV/OPNAV N61/LOC: WASHINGTON DC/ EMAIL: 
john.r.ross@navy.mil/TEL:703-604-7736//
PASSING INSTRUCTIONS: NCMS: PLEASE PASS TO ALL NAVY NIPRNET LOCAL 
REGISTRATION AUTHORITIES (LRAS). 
 
RMKS/1.  LAST YEAR, DON CIO RELEASED REFS A AND B ADDRESSING THE ISSUE 
OF ACCEPTABLE SOFTWARE CERTIFICATE USE.  THIS MESSAGE PROVIDES 
AMPLIFYING NAVY POLICY ON THE USE OF PKI SOFT CERTIFICATES. THE LACK OF 
APPROPRIATE HARDWARE (CARD READER) AND SOFTWARE (E.G. ACTIVCLIENT 
MIDDLEWARE) FOR USE OF THE CAC IS NO LONGER A VALID REASON FOR ISSUANCE 
OF PKI SOFTWARE CERTIFICATES FOR PERSONAL USE.  
 
2.  ACCEPTABLE SOFTWARE CERTIFICATE USE CASES ARE IDENTIFIED IN REFS A 
AND B.  SPECIFIC NAVY GUIDANCE IS AS FOLLOWS: 
A.  EXTERNAL CERTIFICATION AUTHORITY (ECA) CERTIFICATES - IF NAVY 
WEB SITES HAVE BEEN CAC ENABLED, USERS OF ECA CERTIFICATES SHOULD BE 
ADVISED TO OBTAIN MEDIUM ASSURANCE TOKEN CERTIFICATES.  THESE ARE 
SOFTWARE CERTIFICATES ON A HARDWARE TOKEN AND HAVE A UNIQUE POLICY 
OBJECT IDENTIFIER (OID) WHICH ENABLES THEIR IDENTIFICATION BY RELYING 
PARTIES. APPROPRIATE ACCESS CONTROL MEASURES MUST ALSO BE IMPLEMENTED 
TO LIMIT ACCESS TO ONLY INDIVIDUALS WITH A "NEED TO KNOW". 
B.  COALITION PARTNERS - APPROPRIATE ACCESS CONTROL MEASURES MUST BE 
IMPLEMENTED TO LIMIT ACCESS TO ONLY INDIVIDUALS WITH A "NEED TO KNOW".  
C.  AFLOAT CONTINGENCY PLAN - ALL AFLOAT USERS HAVE BEEN PROVIDED WITH 
THE REQUISITE CARD READERS AND MIDDLEWARE TO ENABLE THE USE OF PKI 
CERTIFICATES ON THE CAC.  ON SHIPS THAT DO NOT HAVE THE ABILITY TO 
ISSUE THE CAC, SOFTWARE CERTIFICATES MAY BE ISSUED AS A CONTINGENCY 
SHOULD A USER'S CAC BECOME LOST, STOLEN, LOCKED, DAMAGED OR OTHERWISE 
INOPERABLE. SOFTWARE CERTIFICATES ISSUED FOR THIS PURPOSE MUST BE 
TRACKED AND REVOKED UPON COMPLETION OF CAC MAINTENANCE OR CAC 
REPLACEMENT, AND SHALL BE ISSUED TO EXPIRE NO LATER THAN 30 DAYS AFTER 
THE END OF THE DEPLOYMENT.  SOFTWARE CERTIFICATES ISSUED AND REVOKED AS 
A RESULT OF AFLOAT CONTINGENCY OPERATIONS SHALL BE REPORTED USING THE 
SAME PROCESS IDENTIFIED IN PARAGRAPH 5.
D.  INDIVIDUALS WHO ARE AUTHORIZED A COMMON ACCESS CARD MAY NO LONGER 
BE ISSUED NIPRNET SOFTWARE CERTIFICATES UNLESS DEEMED A MISSION 
ESSENTIAL REQUIREMENT AND AUTHORIZED BY THE NAVAL COMMUNICATIONS 
SECURITY MATERIAL SYSTEM (NCMS).  AT THIS TIME THE ONLY VALID 
POPULATION AUTHORIZED FOR ISSUANCE OF SOFTWARE CERTIFICATES ARE THOSE 
FOREIGN NATIONALS WHO ARE AUTHORIZED TO RECEIVE A CAC BUT CANNOT BE 
ISSUED ONE DUE TO UNRESOLVED LOCAL OR NATIONAL ISSUES RELATED TO THE 
COLLECTION AND/OR STORAGE OF BIOMETRIC OR OTHER REQUIRED PERSONAL DATA.
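Paragraph 2.A relies on the policy OID carried in a certificate's certificatePolicies extension (RFC 5280 section 4.2.1.4) to let a relying party distinguish medium assurance token certificates from other ECA certificates. The following is an added example, not part of NAVADMIN 110/09 or any Navy system: it DER-encodes and decodes a certificatePolicies value and applies an allowlist of policy OIDs the way a relying party's access-control check would. The OIDs 2.999.1 and 2.999.2 are constructed placeholders from the ITU-T example arc; the real ECA policy OIDs are not listed in this message and would be supplied by the relying party's configuration.

```python
# Added example (not from NAVADMIN 110/09): relying-party check of the policy
# OIDs asserted in a certificate's certificatePolicies extension.
# 2.999.* values are constructed placeholders, not real ECA policy OIDs.
from __future__ import annotations

TAG_SEQUENCE = 0x30
TAG_OID = 0x06
ANY_POLICY = "2.5.29.32.0"  # RFC 5280 anyPolicy; never treated as a specific assurance level

PLACEHOLDER_MEDIUM_TOKEN_OID = "2.999.1"     # constructed placeholder
PLACEHOLDER_MEDIUM_SOFTWARE_OID = "2.999.2"  # constructed placeholder


def _encode_length(n: int) -> bytes:
    """DER length: short form below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _encode_base128(value: int) -> bytes:
    """Base-128 groups, most significant first, continuation bit on all but the last."""
    groups = [value & 0x7F]
    value >>= 7
    while value:
        groups.append(0x80 | (value & 0x7F))
        value >>= 7
    return bytes(reversed(groups))


def _sequence(content: bytes) -> bytes:
    return bytes([TAG_SEQUENCE]) + _encode_length(len(content)) + content


def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID {dotted!r}")
    content = _encode_base128(arcs[0] * 40 + arcs[1])
    for arc in arcs[2:]:
        content += _encode_base128(arc)
    return bytes([TAG_OID]) + _encode_length(len(content)) + content


def encode_certificate_policies(oids: list[str]) -> bytes:
    """certificatePolicies ::= SEQUENCE OF PolicyInformation { policyIdentifier, qualifiers OPTIONAL }."""
    return _sequence(b"".join(_sequence(encode_oid(o)) for o in oids))


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, content, position after the element) for the DER element at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        count = first & 0x7F  # 0 would be indefinite length, which DER forbids
        if not 1 <= count <= 4 or pos + count > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    end = pos + length
    if end > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:end], end


def decode_oid(content: bytes) -> str:
    arcs: list[int] = []
    value = 0
    for byte in content:
        value = (value << 7) | (byte & 0x7F)
        if byte & 0x80:
            continue
        if not arcs:
            first = 2 if value >= 80 else value // 40
            arcs += [first, value - 40 * first]
        else:
            arcs.append(value)
        value = 0
    if not arcs or content[-1] & 0x80:
        raise ValueError("malformed OID content")
    return ".".join(map(str, arcs))


def decode_certificate_policies(der: bytes) -> list[str]:
    tag, outer, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("certificatePolicies must be exactly one SEQUENCE")
    oids, pos = [], 0
    while pos < len(outer):
        tag, info, pos = _read_tlv(outer, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        oid_tag, oid_content, _ = _read_tlv(info, 0)  # qualifiers after the OID are ignored
        if oid_tag != TAG_OID:
            raise ValueError("policyIdentifier must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(oid_content))
    return oids


def asserts_accepted_policy(der: bytes, accepted: set[str]) -> bool:
    """Relying-party decision: accept only if a specific allowlisted policy OID is asserted."""
    return any(oid != ANY_POLICY and oid in accepted for oid in decode_certificate_policies(der))
```

In a deployment the allowlist holds only the OIDs of the assurance levels the site accepts (for 2.A, the medium assurance token policy); a certificate asserting only anyPolicy or a lower-assurance software policy is rejected even if it chains to a trusted ECA root, which is the "need to know" access control the paragraph requires on top of plain certificate validation.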
 
3.  NAVY REGISTRATION AUTHORITIES (RAS)/LOCAL REGISTRATION AUTHORITIES 
(LRAS) WILL NOT ISSUE SOFTWARE CERTIFICATES TO INDIVIDUALS WHO DO NOT 
QUALIFY UNDER PARAS 2.C OR 2.D ABOVE WITHOUT APPROVAL FROM THE NAVAL 
COMMUNICATIONS SECURITY MATERIAL SYSTEM (NCMS).
   
4.  INSTALLATION PROCEDURES FOR SOFTWARE CERTIFICATES ARE AVAILABLE 
AT HTTPS:(SLASH)(SLASH)INFOSEC.NAVY.MIL(SLASH)PKI(SLASH)TRAINING.HTML 
SOFTWARE CERTIFICATE INSTALLATION FILES (.P12 AND .PFX) MUST BE REMOVED 
FROM WORKSTATIONS IMMEDIATELY AFTER THE CERTIFICATES HAVE BEEN INSTALLED 
IN WEB BROWSERS.  
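A .P12/.PFX file is a PKCS#12 container holding the certificate together with its private key, so a copy left on disk after browser import is an unprotected credential. The following is an added example, not part of NAVADMIN 110/09 or of any Navy tooling: a small hygiene check that finds and removes leftover keystore files under a directory tree. The directory layout and file names in demo() are constructed for illustration; on a real workstation the scan would be pointed at the user profile and download folders.

```python
# Added example (not from NAVADMIN 110/09): find and remove .p12/.pfx files
# left behind after a software certificate has been imported into a browser.
# The tree built in demo() is constructed for the example only.
from __future__ import annotations

import tempfile
from pathlib import Path

KEYSTORE_SUFFIXES = {".p12", ".pfx"}


def scan_for_keystores(root: Path) -> list[Path]:
    """Return every .p12/.pfx file under root, matched case-insensitively, sorted for stable reports."""
    return sorted(
        p for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in KEYSTORE_SUFFIXES
    )


def remove_keystores(root: Path) -> list[Path]:
    """Delete leftover keystore files under root and return the paths removed."""
    removed: list[Path] = []
    for path in scan_for_keystores(root):
        path.unlink()
        removed.append(path)
    return removed


def demo() -> tuple[list[str], list[str]]:
    """Build a constructed profile tree, scan it, clean it, and return (found, remaining) as relative POSIX paths."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Downloads").mkdir()
        (root / "Desktop").mkdir()
        # constructed sample files; contents are not real keystores
        (root / "Downloads" / "nipr_cert.p12").write_bytes(b"constructed placeholder")
        (root / "Desktop" / "Old_Cert.PFX").write_bytes(b"constructed placeholder")
        (root / "Desktop" / "notes.txt").write_text("not a keystore")
        found = [p.relative_to(root).as_posix() for p in scan_for_keystores(root)]
        remove_keystores(root)
        remaining = [p.relative_to(root).as_posix() for p in scan_for_keystores(root)]
        return found, remaining


if __name__ == "__main__":
    found, remaining = demo()
    print("leftover keystores found:", found)
    print("remaining after cleanup:", remaining)
```

The suffix match is case-insensitive because Windows file names are, and the report step is kept separate from deletion so an LRA can record what was found before removing it.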
 
5.  ALL INDIVIDUAL SOFTWARE CERTIFICATES MUST BE ISSUED BY AN 
AUTHORIZED NAVY REGISTRATION AUTHORITY (RA)/LOCAL REGISTRATION AUTHORITY 
(LRA).  LRAS WILL PROVIDE A MONTHLY REPORT TO THE NAVY RA AT NCMS WHICH 
WILL CONTAIN, AS A MINIMUM, THE FOLLOWING INFORMATION FOR EACH SOFTWARE 
CERTIFICATE ISSUED:  NAME OF INDIVIDUAL CERTIFICATE(S) ISSUED TO, TYPES 
OF CERTIFICATE(S) ISSUED, VALIDITY PERIOD OF CERTIFICATE(S), 
JUSTIFICATION INCLUDING WHETHER THEY WERE ISSUED UNDER PARA 2.C OR 2.D 
ABOVE OR IF THEY WERE ISSUED BASED ON APPROVAL FROM THE NCMS, AND 
WHETHER OR NOT THE CERTIFICATE(S) HAVE BEEN REVOKED.  IN ADDITION, THE 
MONTHLY REPORT WILL PROVIDE INFORMATION ON ALL GROUP/ROLE SOFTWARE 
CERTIFICATES ISSUED.
 
6.  EFFECTIVE IMMEDIATELY, NCMS WILL PROVIDE QUARTERLY REPORTS TO 
CNO (N61 AND N6F52) WHICH WILL SUMMARIZE THE NUMBER OF SOFTWARE 
CERTIFICATES ISSUED, THE ASSOCIATED MISSION REQUIREMENT TYPES, AND 
THEIR STATUS.
 
7.  REQUEST WIDEST DISSEMINATION OF THIS MESSAGE. 
 
8.  RELEASED BY MR. KEVIN COOLEY, DIRECTOR OF INFORMATION TECHNOLOGY 
AND INFORMATION RESOURCE MANAGEMENT.// 
 
BT
#0000
NNNN