UPDATED COMMON ACCESS CARD RECONFIGURATION AND PERSONAL IDENTITY VERIFICATION AUTHENTICATION CERTIFICATE GUIDANCE:
R 121659Z DEC 19 MID510000801738U
FM CNO WASHINGTON DC
INFO CNO WASHINGTON DC
MSGID/GENADMIN/CNO WASHINGTON DC/N2N6/DEC// PASS TO OFFICE CODES:
FM CNO WASHINGTON DC//N2N6//
INFO CNO WASHINGTON DC//N2N6//
SUBJ/UPDATED COMMON ACCESS CARD RECONFIGURATION AND PERSONAL IDENTITY
VERIFICATION AUTHENTICATION CERTIFICATE GUIDANCE//
REF/D/GENADMIN/CNO WASHINGTON DC/N2N6/171409ZAUG18//
NARR/REF (A) IS HOMELAND SECURITY PRESIDENTIAL DIRECTIVE 12, POLICY FOR A
COMMON IDENTIFICATION STANDARD FOR FEDERAL EMPLOYEES AND CONTRACTORS.
REF (B) IS NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY FEDERAL INFORMATION
PROCESSING STANDARD (FIPS) 201-2, PERSONAL IDENTITY VERIFICATION OF FEDERAL
EMPLOYEES AND CONTRACTORS.
REF (C) IS DEPARTMENT OF DEFENSE (DOD) MEMO, MODERNIZING THE COMMON ACCESS
CARD STREAMLINING IDENTITY AND IMPROVING OPERATIONAL INTEROPERABILITY.
REF (D) IS NAVADMIN 200/18, ACTIONS FOR ALL NAVY PERSONNEL AND NON-CLASSIFIED
INTERNET PROTOCOL ROUTER NETWORK (NIPRNet) NETWORK, WEB, AND APPLICATION
OWNERS AS DOD CHANGES THE CERTIFICATES ON THE COMMON ACCESS CARD.
REF (E) IS AMPLIFYING GUIDANCE TO NAVADMIN 200/18 ACTIONS FOR ALL NAVY
PERSONNEL AND NON-CLASSIFIED INTERNET PROTOCOL ROUTER NETWORK (NIPRNet)
NETWORK, WEB, AND APPLICATION OWNERS AS DOD CHANGES THE CERTIFICATES ON THE
COMMON ACCESS CARD//
POC/PLANKENHORN/CIV/OPNAV N2N6G5/TEL: (703) 692-1896/
RMKS/1. This NAVADMIN provides updated guidance that supports correct and
consistent implementation of references (a) through (e) which directed Navy
personnel and Non-classified Internet Protocol Router Network (NIPRNet)
network, web, and application owners to transition to the Personal Identity
Verification Authentication (PIV_Auth) certificate for all authentication
2. Action for All Navy Personnel:
a. In accordance with references (d) and (e), beginning in February
2018, new Navy issued Common Access Cards (CAC) had the PIV_Auth certificate
activated and visible. No further action is required.
b. All ashore Navy personnel to include contractors, Foreign Liaisons
/Officers and REL - A NIPRNet users who have not received a new CAC since 24
February 2018 and/or cannot see their PIV_Auth certificate, are overdue and
must follow the procedures located on the Navy Marine Corps Internet
cert), and Information Security Online Services, (https://infosec.navy.mil
/PKI/) to activate the PIV_Auth certificate via the Defense Manpower Data
Center (DMDC) Real-Time Automated Personal Identification Systems (RAPIDS)
Self-Service website, (https://www.dmdc.osd.mil/self_service).
c. All afloat users on Consolidated Afloat Network and Enterprise
Services (CANES) who have not received a new CAC since 24 February 2018
and/or cannot see their PIV_Auth certificate, must activate it no later than
31 January 2020.
3. Actions for all Navy owners of PK-enabled networks, websites, and
applications requiring CAC for authentication (this ONLY applies to the CAC):
a. All Navy owners of NIPRNet networks, websites, and applications must
ensure their systems are capable of supporting the PIV_Auth certificate for
authentication functions no later than 29 February 2020. No waivers will be
considered or granted for this transition.
b. CAC Reconfiguration: For CACs issued starting 1 May 2020, reference
(c) outlines the CAC modernization changes and mandates that all CACs be
configured with the Department of Defense (DoD) Public Key Infrastructure
(PKI) certificate profile:
(1) PIV_Auth Certificate: Per references (a) and (b), the PIV_Auth
certificate will be the only technically capable PKI certificate on the CAC
to support network, web, or application authentication. The PIV_Auth
certificate will be the only certificate capable of NIPRNet authentication.
(2) Identity Certificate: This PKI certificate will no longer be
included on the CAC.
(3) Email Signing Certificate: This PKI certificate will no longer
be technically capable of supporting network, web, or application
authentication. The Extended Key Usage (EKU) is being removed and will no
longer support authentication capabilities. This PKI certificate will be
used for the intended purpose of signing emails and documents. Additionally,
this certificate will be renamed the Signature certificate beginning 1 May
(4) Email Encryption Certificate: No change to this PKI
c. Legacy CAC Attrition and Certificate Usage: Reference (c) mandates
that DoD component NIPRNet network, web, and application owners configure CAC
user accounts to support the PIV_Auth certificate. DoD recognizes that CACs
issued with the legacy configuration (CACs issued prior to 1 May 2020) and
any PKI certificates capable of supporting authentication functions are still
considered valid DoD PKI certificates. These legacy PKI certificates can
still be used for authentication if the NIPRNet network, web, or application
owner allows. The legacy configuration of authentication capable
(1) PIV_Auth Certificate.
(2) Identity Certificate.
(3) Email Signing Certificate: Includes the EKU.
(4) Legacy CAC configurations will be removed from DoD and Navy
environments via attrition as legacy CACs expire.
4. NIPRNet Alternate Logon Token (ALT) or NIPRNet Enterprise Alternate Token
System (NEATS) Use-Case Impacts.
a. NIPRNet ALT or NEATS Token users are not impacted, as the PIV_Auth
certificate implementation is only applicable to the CAC.
b. The PIV_Auth certificate is defined in reference (b) as a mandatory
certificate to be included on federally issued PIV cards, to include the DoD
CAC. Certificates issued on other DoD-approved form factors (i.e., ALT or
NEATS tokens) cannot have PIV_Auth certificates.
c. ALT and NEATS tokens have certificates which are approved for use in
authentication. These non-CAC authentication certificates may continue to be
used in accordance with DoD policy, but are not referred to as PIV_Auth
d. Role-based user accounts (i.e., System Administrators, Foreign
Nationals, Code Signers, and other NIPRNet use-cases) can continue
utilization of their tokens and certificates without loss of access. Navy
NIPRNet network, web, and application owners must ensure their systems
support the ALT and/or NEATS token users.
5. Impacts to DoD approved External Certificate Authorities (ECA). ECAs may
continue to be used for authentication to unclassified DoD websites and
applications; however, ECAs are not and have not been approved for
cryptographic logon/authentication to DoD networks.
6. For additional detail regarding CAC PKI certificate mapping options for
PIV _Auth and/or legacy CAC certificate options, a Frequently Asked Questions
document is available at https://intelshare.intelink.gov/sites/disa-pki-pke/
_layouts/15/start.aspx#/SitePages/Home.aspx. Owners or technical teams can
contact PMW 130 and NIWC PKI if technical assistance is required:
a. PMW 130: Mr. Cody Persinger, firstname.lastname@example.org
b. NIWC Atlantic: Ms. Noni Jenkins, email@example.com
c. NIWC Pacific: Mr. Gary Delgado, firstname.lastname@example.org
7. This NAVADMIN will remain in effect until canceled or superseded.
8. Released by VADM Matthew J. Kohler, Deputy Chief of Naval Operations for
Information Warfare, OPNAV N2N6.//