ACCEPTANCE OF DOD APPROVED EXTERNAL PUBLIC KEY INFRASTRUCTURE (PKI) CERTIFICATES FOR LOGICAL ACCESS TO NAVY INFORMATION RESOURCES

UNCLASSIFIED//

ROUTINE

R 141611Z JUN 10

BT
UNCLAS
PASS TO ALL OFFICE CODES:
FM CNO WASHINGTON DC//N2N6//
TO NAVADMIN
INFO DON CIO WASHINGTON DC
SPAWARSYSCEN ATLANTIC CHARLESTON SC//00//
SPAWARSYSCEN PACIFIC SAN DIEGO CA//00//
UNCLAS //N5500//

NAVADMIN 203/10

MSGID/GENADMIN/CNO WASHINGTON DC//N2N6//

SUBJ/ ACCEPTANCE OF DOD APPROVED EXTERNAL PUBLIC KEY INFRASTRUCTURE (PKI) 
CERTIFICATES FOR LOGICAL ACCESS TO NAVY INFORMATION RESOURCES

REF/A/MSG/DON CIO WASHINGTON DC/291445ZDEC09//

REF/B/DOC/DOD/01APR04//

REF/C/DOC/SECNAV/17JUN09//

REF/D/DOC/JTF-GNO/07APR08//

REF/E/MSG/DON CIO WASHINGTON DC/262302ZSEP09//

REF/F/DOC/DOD/24JAN07//

REF/G/DOC/DOD/22JUL08//

REF/H/DOC/WHITE HOUSE/27AUG04//

REF/I/DOC/NIST/MAR06//

NARR/ REF A PROMULGATED DON POLICY ON PUBLIC KEY ENABLEMENT OF DEPARTMENT OF 
THE NAVY UNCLASSIFIED PRIVATE WEB SERVERS AND APPLICATIONS. REF B IS DODINST 
8520.2, PUBLIC KEY INFRASTRUCTURE (PKI) AND PUBLIC KEY ENABLING (PKE).  REF C 
IS SECNAVINST 5239.3B, DEPARTMENT OF NAVY (DON) INFORMATION ASSURANCE (IA).  
REF D IS JTF-GNO CTO 07-015, REVISION 1, PUBLIC KEY INFRASTRUCTURE (PKI) 
IMPLEMENTATION, PHASE 2.  REF E IDENTIFIES THE DON NIPRNET PKE WAIVER PROCESS.  
REF F IS DOD CIO MEMO, COMPLIANCE AND REVIEW OF LOGICAL ACCESS CONTROL IN 
DEPARTMENT OF DEFENSE PROCESSES.  REF G IS DOD CIO MEMO, APPROVAL OF EXTERNAL 
PUBLIC KEY INFRASTRUCTURES.  REF H IS HSPD-12, WHICH ESTABLISHED THE REQUIREMENT 
FOR A MANDATORY GOVERNMENT-WIDE STANDARD FOR SECURE AND RELIABLE FORMS OF 
IDENTIFICATION.  REF I IS FIPS 201-1 CHANGE 1, WHICH DESCRIBES THE MINIMUM 
REQUIREMENTS FOR A FEDERAL PERSONAL IDENTITY VERIFICATION (PIV) SYSTEM THAT 
MEETS OBJECTIVES OF HSPD-12 AND PROVIDES DETAILED SPECIFICATIONS THAT WILL 
SUPPORT TECHNICAL INTEROPERABILITY AMONG PIV SYSTEMS OF FEDERAL DEPARTMENTS 
AND AGENCIES.

POCS/THERESA EVERETTE/CDR/N2N6F113/LOC:ARLINGTON, VA/TEL: 703-601-1450/E-MAIL: 
THERESA.EVERETTE@NAVY.MIL/
ROBERT WEILMINSTER/CTR/N2N6F1135/LOC:ARLINGTON, VA/TEL: 703-601-1264/E-MAIL: 
ROBERT.WEILMINSTER1.CTR@NAVY.MIL/

PASSING INSTRUCTIONS: PLEASE PASS TO COMMAND INFORMATION OFFICER (IO), N6 AND 
OTHERS DEEMED APPROPRIATE/

RMKS/1.  REF A DIRECTS THAT SERVICE-SPECIFIC GUIDELINES BE PROMULGATED FOR THE 
USE OF CERTIFICATES ISSUED BY DOD AND DOD-APPROVED EXTERNAL PUBLIC KEY 
INFRASTRUCTURES (PKIS).  THIS ALNAV PROMULGATES NAVY POLICY FOR THE PUBLIC KEY 
ENABLING (PKE) OF UNCLASSIFIED WEB SERVERS, NETWORKS, APPLICATIONS AND 
PORTALS.  ADDITIONALLY, PER REFS C, D, AND F, ALL NAVY UNCLASSIFIED PRIVATE 
WEB SERVERS, NETWORKS, APPLICATIONS, AND PORTALS SHALL IMPLEMENT AND CONFIGURE 
ACCESS CONTROLS, AS NECESSARY, TO ENFORCE NEED-TO-KNOW REQUIREMENTS.  PKI 
AUTHENTICATION ALONE DOES NOT PROVIDE THE BASIS FOR AUTHORIZATION DECISIONS. 
IMPROPER USE OF PKI AS AN ACCESS CONTROL MECHANISM MAY INADVERTENTLY ALLOW 
UNINTENDED USERS TO GAIN ACCESS TO SYSTEMS AND INFORMATION FOR WHICH THEY ARE 
NOT AUTHORIZED.  THUS, APPROPRIATE ACCESS CONTROL PROCESSES (E.G., ACCESS 
CONTROL LISTS, CERTIFICATE MAPPING, ETC.) MUST BE IMPLEMENTED.

2.  BACKGROUND.  REFS A THROUGH D REQUIRE ALL NAVY UNCLASSIFIED PRIVATE WEB 
SERVERS, NETWORKS, APPLICATIONS, AND PORTALS TO BE ENABLED TO AUTHENTICATE 
USERS VIA CERTIFICATES ISSUED BY THE DEPARTMENT OF DEFENSE (DOD) PKI OR DOD-
APPROVED EXTERNAL PKIS.  REF B DEFINES A PRIVATE WEB SERVER AS ANY DOD-OWNED, 
OPERATED, OR CONTROLLED WEB SERVER THAT PROVIDES ACCESS TO SENSITIVE 
INFORMATION THAT HAS NOT BEEN REVIEWED AND APPROVED FOR PUBLIC RELEASE.  REF 
D, TASK 10, REQUIRED ALL DOD ORGANIZATIONS OPERATING UNCLASSIFIED PRIVATE WEB 
SERVERS TO EITHER IMPLEMENT PKI CERTIFICATE-BASED CLIENT AUTHENTICATION BY 9 
JUNE 2008, OR APPLY FOR A WAIVER.

3.  REF G AUTHORIZES THE USE OF DOD EXTERNAL CERTIFICATE AUTHORITY (ECA) 
CERTIFICATES ISSUED AS PART OF THE DOD ECA PROGRAM.  REF G ALSO AUTHORIZES THE 
USE OF PKI CERTIFICATES ISSUED BY DOD-APPROVED NON-DOD ORGANIZATIONS INCLUDING 
U.S. FEDERAL AGENCIES, STATE/LOCAL/TRIBAL GOVERNMENT ORGANIZATIONS, AND 
EXTERNAL DOD BUSINESS PARTNERS.

4.  POLICY.
    A.  CERTIFICATE BASED LOGON TO NAVY NETWORKS (I.E., CRYPTOGRAPHIC LOGON 
(CLO)) WILL ONLY BE ACCOMPLISHED VIA EITHER THE USE OF HARDWARE TOKEN BASED 
CERTIFICATES ISSUED BY THE DOD PKI OR PERSONAL IDENTITY VERIFICATION (PIV) 
AUTHENTICATION CERTIFICATES (REFS H AND I GERMANE) ISSUED BY OTHER FEDERAL 
AGENCIES OF THE U.S. GOVERNMENT.
    B.  NAVY ORGANIZATIONS SHALL ACCEPT CERTIFICATES ISSUED BY DOD-APPROVED 
EXTERNAL PKIS WHEN AVAILABLE AND APPROPRIATE TO SUPPORT AUTHENTICATION FOR A 
PORTION OF A SYSTEM'S OR APPLICATION'S USER POPULATION.
    C.  NAVY COMMANDS AND ORGANIZATIONS ARE AUTHORIZED TO USE CERTIFICATES 
ISSUED BY ORGANIZATIONS ON THE LIST OF DOD-APPROVED EXTERNAL PKIS AVAILABLE AT 
HTTP://JITC.FHU.DISA.MIL/PKI/PKE_LAB/PARTNER_PKI_TESTING/PARTNER_PKI_STATUS.HTML 
TO SUPPORT AUTHENTICATION TO NAVY UNCLASSIFIED WEB SERVERS, WEB APPLICATIONS 
AND PORTALS.

5.  IN IMPLEMENTING THE POLICY STATED IN PARA 4.A ABOVE, PIV AUTH CERTIFICATES 
MAY BE ACCEPTED FOR LOGON TO FULLY PROVISIONED ACCOUNTS ON NAVY NETWORKS.  ANY 
SUCH IMPLEMENTATION SHALL INCLUDE:
    A. TRUSTING, VIA DIRECT TRUST, THE ROOT AND SUBORDINATE CA CERTIFICATES IN 
THE ISSUANCE CHAIN FOR THE END USER CERTIFICATE;
    B. ENSURING THAT ALL CERTIFICATES USED FOR NETWORK LOGON CAN BE AND ARE 
VALIDATED;
    C. PROVIDING ACCESS TO NETWORK ASSETS ON A STRICT "NEED-TO-KNOW" BASIS; 
AND,
    D. OBTAINING APPROVAL FROM THE APPROPRIATE NAVY DESIGNATED ACCREDITING 
AUTHORITY (DAA) BEFORE IMPLEMENTATION.

6.  IN IMPLEMENTING THE POLICY STATED IN PARAS 4.B AND 4.C ABOVE, NAVY 
COMMANDS AND ORGANIZATIONS SHALL COMPLETE THE FOLLOWING ACTIONS PRIOR TO 
OPERATIONAL ACCEPTANCE OF CERTIFICATES FROM ANY DOD APPROVED EXTERNAL PKI:
    A.  VERIFY THAT UNCLASSIFIED PRIVATE WEB SERVERS, WEB APPLICATIONS, AND 
PORTALS ARE PROPERLY CONFIGURED BY:
        1.  TRUSTING, VIA DIRECT TRUST, ONLY THE MINIMUM SET OF APPROVED PKI 
ROOT AND SUBORDINATE CA CERTIFICATES REQUIRED FOR PROPER OPERATION AND AS 
INCORPORATED INTO THE UPDATED RISK ASSESSMENT.
        2.  ENSURING THAT ALL EXTERNAL CERTIFICATES USED FOR AUTHENTICATION 
ARE VALIDATED PRIOR TO ACCEPTANCE (E.G., CERTIFICATE REVOCATION LIST (CRL) 
CACHING AND CHECKING, USE OF ON-LINE CERTIFICATE STATUS PROTOCOL (OCSP)).
        3.  IMPLEMENTING ACCESS CONTROL MEASURES (E.G., ACCESS CONTROL LISTS 
(ACLS) OR PKI CERTIFICATE MAPPING) TO ENABLE ENFORCEMENT OF NEED-TO-KNOW 
REQUIREMENTS.
        4.  IMPLEMENTING ONLY FIPS 140-2 OR 140-3 VALIDATED ALGORITHMS AND 
CRYPTOGRAPHIC MODULES FOR SECURE SOCKETS LAYER/TRANSPORT LAYER SECURITY 
(SSL/TLS) SESSIONS.
    B.  UPDATE AND SUBMIT THE NAVY SYSTEM'S RISK ASSESSMENT ASSOCIATED WITH 
THE CURRENT C&A DOCUMENTATION TO ADDRESS THE ACCEPTANCE OF EXTERNAL PKIS FOR 
EVALUATION AND APPROVAL BY THE APPROPRIATE DAA, INCLUDING THE PROCESSES AND 
PROCEDURES USED TO ENSURE COMPLIANCE WITH THE REQUIREMENTS OF PARA 6.A ABOVE. 
SUBMIT A RISK ASSESSMENT MEMORANDUM TO THE APPROPRIATE DAA VIA ECHELON II.
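THE CHECKS REQUIRED BY PARAS 1, 5 AND 6.A ABOVE (DIRECT TRUST OF ONLY THE APPROVED 
ROOT AND SUBORDINATE CA CERTIFICATES, CRL-BASED VALIDATION OF EVERY CERTIFICATE 
BEFORE ACCEPTANCE, AND CERTIFICATE MAPPING TO AN ACCESS CONTROL LIST SO THAT PKI 
AUTHENTICATION ALONE NEVER GRANTS ACCESS) ARE ILLUSTRATED BELOW IN AN ADDED EXAMPLE 
THAT IS NOT PART OF THIS MESSAGE AND IS NOT CODE FROM ANY NAVY SYSTEM. IT ASSUMES THE 
THIRD-PARTY PYTHON PACKAGE `cryptography`; THE CA NAMES, USER NAMES, SERIAL NUMBERS, 
THE FIXED CLOCK `NOW` AND THE `ACL` TABLE ARE ALL CONSTRUCTED FOR THE DEMONSTRATION. 
THE EXAMPLE GOES SLIGHTLY BEYOND THE MESSAGE BY ALSO SHOWING THAT A TECHNICALLY VALID 
CERTIFICATE FROM A PKI OUTSIDE THE APPROVED TRUST STORE IS REJECTED.

```python
"""Added example (not from the NAVADMIN): direct trust of a minimal CA set, CRL
revocation checking, and certificate mapping to a need-to-know ACL.  Requires the
third-party 'cryptography' package; every certificate, serial and ACL entry is constructed."""
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.exceptions import InvalidSignature

NOW = datetime.datetime(2010, 6, 14, tzinfo=datetime.timezone.utc)  # fixed clock (assumption)
DAY = datetime.timedelta(days=1)

class ValidationError(Exception):
    """Any validation failure: the server fails closed and the user is not authenticated."""

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _utc(obj, attr):
    """Validity timestamp as aware UTC, across old and new cryptography versions."""
    val = getattr(obj, attr + "_utc", None)
    return val if val is not None else getattr(obj, attr).replace(tzinfo=datetime.timezone.utc)

def new_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)

def make_cert(cn, key, issuer=None, issuer_key=None, is_ca=False, serial=1):
    """Issue a certificate for cn; with issuer=None it is a self-signed root."""
    return (x509.CertificateBuilder()
            .subject_name(_name(cn))
            .issuer_name(issuer.subject if issuer is not None else _name(cn))
            .public_key(key.public_key()).serial_number(serial)
            .not_valid_before(NOW - DAY).not_valid_after(NOW + 365 * DAY)
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key if issuer_key is not None else key, hashes.SHA256()))

def make_crl(issuer, issuer_key, revoked_serials):
    """Issue a CRL for issuer listing the revoked serials (what the server caches and checks)."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(issuer.subject)
               .last_update(NOW - DAY).next_update(NOW + 7 * DAY))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial)
            .revocation_date(NOW - DAY).build())
    return builder.sign(issuer_key, hashes.SHA256())

def validate(leaf, trust_store, crls):
    """Walk leaf -> self-signed anchor.  Each issuer must be in the deliberately minimal
    trust store (direct trust); each link is signature-, period- and CRL-checked."""
    trusted = {c.subject: c for c in trust_store}
    crl_by_issuer = {c.issuer: c for c in crls}
    cert = leaf
    for _ in range(len(trust_store) + 1):                  # bounded walk, no cycles
        if not _utc(cert, "not_valid_before") <= NOW <= _utc(cert, "not_valid_after"):
            raise ValidationError("certificate outside validity period")
        issuer = trusted.get(cert.issuer)
        if issuer is None:
            raise ValidationError("issuer not in approved trust store: " + cert.issuer.rfc4514_string())
        try:
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       padding.PKCS1v15(), cert.signature_hash_algorithm)
        except InvalidSignature:
            raise ValidationError("bad signature on " + cert.subject.rfc4514_string())
        if issuer is cert:                                 # self-signed anchor reached
            return True
        crl = crl_by_issuer.get(issuer.subject)
        if crl is None or not crl.is_signature_valid(issuer.public_key()):
            raise ValidationError("no issuer-signed CRL for " + issuer.subject.rfc4514_string())
        if _utc(crl, "next_update") < NOW:
            raise ValidationError("stale CRL: refresh the cache before accepting")
        if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
            raise ValidationError("certificate revoked (serial %d)" % cert.serial_number)
        cert = issuer
    raise ValidationError("chain too long")

ACL = {"CN=Alice Example": {"logistics-portal"}}   # constructed need-to-know mapping by subject DN

def authorize(leaf, trust_store, crls, resource):
    """Authentication (chain validation) first, then a separate authorization decision."""
    validate(leaf, trust_store, crls)                     # raises ValidationError
    return resource in ACL.get(leaf.subject.rfc4514_string(), set())

def run_demo():
    """Approved root+sub CA, a non-approved PKI, three users; returns each access decision."""
    root_key, sub_key, other_key = new_key(), new_key(), new_key()
    root = make_cert("Approved Root CA", root_key, is_ca=True, serial=1)
    sub = make_cert("Approved Sub CA", sub_key, root, root_key, is_ca=True, serial=2)
    other = make_cert("Other PKI Root", other_key, is_ca=True, serial=3)
    alice = make_cert("Alice Example", new_key(), sub, sub_key, serial=1001)
    bob = make_cert("Bob Example", new_key(), sub, sub_key, serial=1002)          # revoked below
    carol = make_cert("Carol Example", new_key(), other, other_key, serial=1003)  # valid, not approved
    store = [root, sub]                                   # the minimum approved set
    crls = [make_crl(root, root_key, []), make_crl(sub, sub_key, [1002])]
    results = {"alice_logistics": authorize(alice, store, crls, "logistics-portal"),
               "alice_hr": authorize(alice, store, crls, "hr-portal")}
    for name, cert in (("bob", bob), ("carol", carol)):
        try:
            results[name] = "accepted" if authorize(cert, store, crls, "logistics-portal") else "denied"
        except ValidationError as err:
            results[name] = str(err)
    return results
```

`run_demo()` RETURNS TRUE FOR ALICE ON THE LOGISTICS PORTAL, FALSE FOR ALICE ON THE 
HR PORTAL (AUTHENTICATED BUT NOT AUTHORIZED, THE DISTINCTION PARA 1 DRAWS), A 
REVOCATION FAILURE FOR BOB, AND A TRUST-STORE FAILURE FOR CAROL. THE ORDER OF 
CHECKS IS THE DESIGN POINT: A MISSING OR STALE CRL IS TREATED AS A VALIDATION 
FAILURE RATHER THAN AS "NOT REVOKED", AND THE ACL IS CONSULTED ONLY AFTER THE CHAIN 
HAS BEEN VALIDATED AGAINST THE APPROVED STORE.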

7.  ONCE DAA APPROVAL FOR USE OF EXTERNAL PKI CERTIFICATES HAS BEEN RECEIVED, 
THE REQUESTING ORGANIZATION CAN ACCESS THE EXTERNAL PKI PAGE AT 
HTTPS://INFOSEC.NAVY.MIL, PROVIDE THE REQUIRED INFORMATION, AND THE COMMAND 
POC IDENTIFIED WILL BE SENT THE REQUESTED EXTERNAL PKI ROOT CA CERTIFICATE(S) 
IN A DIGITALLY SIGNED AND ENCRYPTED EMAIL.

8.  WAIVERS. THERE WILL BE NO WAIVERS TO THIS POLICY. ALL USES OF DOD APPROVED 
EXTERNAL PKIS MUST COMPLY WITH THE REQUIREMENTS DETAILED HEREIN BEFORE 
CERTIFICATES ISSUED BY THESE PKIS CAN BE RECOGNIZED FOR AUTHORIZATION 
DECISIONS BY NAVY SYSTEMS.

9.  RELEASED BY VADM DORSETT DCNO INFORMATION DOMINANCE (N2N6).//

BT
#0001
NNNN