UPDATED COMMON ACCESS CARD RECONFIGURATION AND PERSONAL IDENTITY VERIFICATION AUTHENTICATION CERTIFICATE GUIDANCE:
UNCLASSIFIED//
ROUTINE
R 121659Z DEC 19 MID510000801738U
FM CNO WASHINGTON DC
TO NAVADMIN
INFO CNO WASHINGTON DC
BT
UNCLAS
NAVADMIN 291/19
MSGID/GENADMIN/CNO WASHINGTON DC/N2N6/DEC// PASS TO OFFICE CODES:
FM CNO WASHINGTON DC//N2N6//
INFO CNO WASHINGTON DC//N2N6//
SUBJ/UPDATED COMMON ACCESS CARD RECONFIGURATION AND PERSONAL IDENTITY
VERIFICATION AUTHENTICATION CERTIFICATE GUIDANCE//
REF/A/HSPD-12/POTUS/27AUG04//
REF/B/FIPS201-2/NIST/28FEB17//
REF/C/LTR/DOD/7DEC18//
REF/D/GENADMIN/CNO WASHINGTON DC/N2N6/171409ZAUG18//
REF/E/LTR/DDCIO(N)/10APR19//
NARR/REF (A) IS HOMELAND SECURITY PRESIDENTIAL DIRECTIVE 12, POLICY FOR A
COMMON IDENTIFICATION STANDARD FOR FEDERAL EMPLOYEES AND CONTRACTORS.
REF (B) IS NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY FEDERAL INFORMATION
PROCESSING STANDARD (FIPS) 201-2, PERSONAL IDENTITY VERIFICATION OF FEDERAL
EMPLOYEES AND CONTRACTORS.
REF (C) IS DEPARTMENT OF DEFENSE (DOD) MEMO, MODERNIZING THE COMMON ACCESS
CARD STREAMLINING IDENTITY AND IMPROVING OPERATIONAL INTEROPERABILITY.
REF (D) IS NAVADMIN 200/18, ACTIONS FOR ALL NAVY PERSONNEL AND NON-CLASSIFIED
INTERNET PROTOCOL ROUTER NETWORK (NIPRNet) NETWORK, WEB, AND APPLICATION
OWNERS AS DOD CHANGES THE CERTIFICATES ON THE COMMON ACCESS CARD.
REF (E) IS AMPLIFYING GUIDANCE TO NAVADMIN 200/18 ACTIONS FOR ALL NAVY
PERSONNEL AND NON-CLASSIFIED INTERNET PROTOCOL ROUTER NETWORK (NIPRNet)
NETWORK, WEB, AND APPLICATION OWNERS AS DOD CHANGES THE CERTIFICATES ON THE
COMMON ACCESS CARD//
POC/PLANKENHORN/CIV/OPNAV N2N6G5/TEL: (703) 692-1896/
EMAIL: benjamin.plankenhorn@navy.mil//
RMKS/1. This NAVADMIN provides updated guidance that supports correct and
consistent implementation of references (a) through (e) which directed Navy
personnel and Non-classified Internet Protocol Router Network (NIPRNet)
network, web, and application owners to transition to the Personal Identity
Verification Authentication (PIV_Auth) certificate for all authentication
functions.
2. Action for All Navy Personnel:
a. In accordance with references (d) and (e), beginning in February
2018, new Navy issued Common Access Cards (CAC) had the PIV_Auth certificate
activated and visible. No further action is required.
b. All ashore Navy personnel, to include contractors, Foreign Liaison
Officers and REL-A NIPRNet users, who have not received a new CAC since 24
February 2018 and/or cannot see their PIV_Auth certificate are overdue and
must follow the procedures located on the Navy Marine Corps Internet Homeport
(https://www.homeport.navy.mil/support/articles/activate-piv_auth-cert) and
Information Security Online Services (https://infosec.navy.mil/PKI/) to
activate the PIV_Auth certificate via the Defense Manpower Data Center (DMDC)
Real-Time Automated Personal Identification Systems (RAPIDS) Self-Service
website (https://www.dmdc.osd.mil/self_service).
c. All afloat users on Consolidated Afloat Network and Enterprise
Services (CANES) who have not received a new CAC since 24 February 2018
and/or cannot see their PIV_Auth certificate, must activate it no later than
31 January 2020.
3. Actions for all Navy owners of PK-enabled networks, websites, and
applications requiring CAC for authentication (this ONLY applies to the CAC):
a. All Navy owners of NIPRNet networks, websites, and applications must
ensure their systems are capable of supporting the PIV_Auth certificate for
authentication functions no later than 29 February 2020. No waivers will be
considered or granted for this transition.
b. CAC Reconfiguration: For CACs issued starting 1 May 2020, reference
(c) outlines the CAC modernization changes and mandates that all CACs be
configured with the Department of Defense (DoD) Public Key Infrastructure
(PKI) certificate profile:
(1) PIV_Auth Certificate: Per references (a) and (b), the PIV_Auth
certificate will be the only technically capable PKI certificate on the CAC
to support network, web, or application authentication. The PIV_Auth
certificate will be the only certificate capable of NIPRNet authentication.
(2) Identity Certificate: This PKI certificate will no longer be
included on the CAC.
(3) Email Signing Certificate: This PKI certificate will no longer
be technically capable of supporting network, web, or application
authentication. The Extended Key Usage (EKU) is being removed and will no
longer support authentication capabilities. This PKI certificate will be
used for the intended purpose of signing emails and documents. Additionally,
this certificate will be renamed the Signature certificate beginning 1 May
2020.
(4) Email Encryption Certificate: No change to this PKI
certificate.
c. Legacy CAC Attrition and Certificate Usage: Reference (c) mandates
that DoD component NIPRNet network, web, and application owners configure CAC
user accounts to support the PIV_Auth certificate. DoD recognizes that CACs
issued with the legacy configuration (CACs issued prior to 1 May 2020) and
any PKI certificates capable of supporting authentication functions are still
considered valid DoD PKI certificates. These legacy PKI certificates can
still be used for authentication if the NIPRNet network, web, or application
owner allows. The legacy configuration of authentication capable certificates
includes:
(1) PIV_Auth Certificate.
(2) Identity Certificate.
(3) Email Signing Certificate: Includes the EKU.
(4) Legacy CAC configurations will be removed from DoD and Navy
environments via attrition as legacy CACs expire.
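The profile change in paragraphs 3.b and 3.c comes down to one certificate
extension: the Signature (formerly Email Signing) certificate loses its
authentication Extended Key Usage, so a relying party that inspects the EKU can
tell a legacy authentication-capable certificate from a post-1 May 2020 one.
The following added example (not part of this NAVADMIN or any DoD tool) encodes
and decodes a DER EKU extension value and classifies it; the sample EKU contents
are constructed for illustration, and the assumption that the DoD PIV_Auth
profile carries the clientAuth and Smart Card Logon EKUs is ours, not the
message's.

```python
"""Classify a CAC certificate's Extended Key Usage (EKU) as authentication-capable.

Added example, not part of NAVADMIN 291/19. It reads the DER value of the EKU
extension (RFC 5280 id-ce-extKeyUsage, a SEQUENCE OF OBJECT IDENTIFIER) without
any third-party library so it runs offline.
"""

# Well-known EKU OIDs (RFC 5280 and the Microsoft Smart Card Logon EKU).
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
OID_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"
OID_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"

# EKUs a relying party treats as permitting network/web/application logon.
AUTH_EKUS = {OID_CLIENT_AUTH, OID_SMARTCARD_LOGON}


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share one octet
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]  # base-128, high bit set on all but the last octet
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06]) + _der_length(len(body)) + bytes(body)


def encode_eku(oids) -> bytes:
    """Build the EKU extension value: DER SEQUENCE (0x30) OF OBJECT IDENTIFIER."""
    body = b"".join(encode_oid(o) for o in oids)
    return bytes([0x30]) + _der_length(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    """Decode OBJECT IDENTIFIER content octets (first arc 0, 1 or 2 below 2.40)."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last octet of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def decode_eku(der: bytes):
    """Return the list of dotted OIDs inside an EKU extension value."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("EKU value must be a DER SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("EKU SEQUENCE may only contain OBJECT IDENTIFIERs")
        oids.append(decode_oid(value))
    return oids


def authentication_capable(eku_der) -> bool:
    """True if the EKU names an authentication purpose.

    Policy choice for this example: a certificate with no EKU extension at all
    (eku_der is None) is NOT accepted for logon, even though RFC 5280 treats an
    absent EKU as unrestricted.
    """
    if eku_der is None:
        return False
    return bool(AUTH_EKUS & set(decode_eku(eku_der)))


# Constructed sample EKU contents for the three profiles the message contrasts.
# Assumption: the real DoD certificate profiles may carry additional OIDs.
SAMPLE_PROFILES = {
    "piv_auth": encode_eku([OID_CLIENT_AUTH, OID_SMARTCARD_LOGON]),
    "legacy_email_signing": encode_eku([OID_EMAIL_PROTECTION, OID_CLIENT_AUTH]),
    "signature_post_1_may_2020": encode_eku([OID_EMAIL_PROTECTION]),
}


def classify(profiles=SAMPLE_PROFILES) -> dict:
    """Map each profile name to whether its EKU permits authentication."""
    return {name: authentication_capable(der) for name, der in profiles.items()}


if __name__ == "__main__":
    for name, capable in classify().items():
        print(f"{name:28s} authentication-capable: {capable}")
```

In a real relying party the EKU bytes would come from the parsed certificate's
extension with OID 2.5.29.37; the point of the check is that after the
reconfiguration only the PIV_Auth certificate still yields True, while a legacy
Email Signing certificate yields True only until it attrites as described in
paragraph 3.c.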
4. NIPRNet Alternate Logon Token (ALT) or NIPRNet Enterprise Alternate Token
System (NEATS) Use-Case Impacts.
a. NIPRNet ALT or NEATS Token users are not impacted, as the PIV_Auth
certificate implementation is only applicable to the CAC.
b. The PIV_Auth certificate is defined in reference (b) as a mandatory
certificate to be included on federally issued PIV cards, to include the DoD
CAC. Certificates issued on other DoD-approved form factors (i.e., ALT or
NEATS tokens) cannot have PIV_Auth certificates.
c. ALT and NEATS tokens have certificates which are approved for use in
authentication. These non-CAC authentication certificates may continue to be
used in accordance with DoD policy, but are not referred to as PIV_Auth
certificates.
d. Role-based user accounts (i.e., System Administrators, Foreign
Nationals, Code Signers, and other NIPRNet use-cases) can continue
utilization of their tokens and certificates without loss of access. Navy
NIPRNet network, web, and application owners must ensure their systems
support the ALT and/or NEATS token users.
5. Impacts to DoD approved External Certificate Authorities (ECA). ECAs may
continue to be used for authentication to unclassified DoD websites and
applications; however, ECAs are not and have not been approved for
cryptographic logon/authentication to DoD networks.
6. For additional detail regarding CAC PKI certificate mapping options for
PIV_Auth and/or legacy CAC certificate options, a Frequently Asked Questions
document is available at
https://intelshare.intelink.gov/sites/disa-pki-pke/_layouts/15/start.aspx#/SitePages/Home.aspx.
Owners or technical teams can
contact PMW 130 and NIWC PKI if technical assistance is required:
a. PMW 130: Mr. Cody Persinger, cody.persinger.ctr@navy.mil
b. NIWC Atlantic: Ms. Noni Jenkins, noni.jenkins@navy.mil
c. NIWC Pacific: Mr. Gary Delgado, gary.delgado@navy.mil
7. This NAVADMIN will remain in effect until canceled or superseded.
8. Released by VADM Matthew J. Kohler, Deputy Chief of Naval Operations for
Information Warfare, OPNAV N2N6.//
BT
#0001
NNNN
UNCLASSIFIED//