NAVY POLICY FOR WAIVERS OF PUBLIC KEY INFRASTRUCTURE (PKI) AND HOST BASED SECURITY SYSTEM (HBSS):
UNCLASSIFIED//
ROUTINE
R 081208Z APR 20 MID110000562556U
FM CNO WASHINGTON DC
TO NAVADMIN
INFO CNO WASHINGTON DC
BT
UNCLAS
NAVADMIN 103/20
PASS TO OFFICE CODES:
FM CNO WASHINGTON DC//N2N6//
MSGID/GENADMIN/CNO WASHINGTON DC/N2N6/APR//
SUBJ/NAVY POLICY FOR WAIVERS OF PUBLIC KEY INFRASTRUCTURE (PKI) AND HOST
BASED SECURITY SYSTEM (HBSS)//
REF/A/MSG/CNO WASHINGTON DC/N2N6/051443ZFEB16//
REF/B/MSG/CNO WASHINGTON DC/N2N6/291317ZJUL16//
REF/C/MSG/CNO WASHINGTON DC/N2N6/151526ZMAY18//
REF/D/OPORD/ENDPOINT SECURITY DEPLOYMENT AND OPERATIONS/27MAY16/16-0080//
REF/E/OPORD/FRAGO 02 TO OPORD 16-0080/08DEC16/FRAGORD 1//
NARR/REF A IS NAVADMIN 028/16, PUBLIC KEY INFRASTRUCTURE ENFORCEMENT ON NAVY
NONSECURE INTERNET PROTOCOL ROUTER NETWORK AND SECRET INTERNET PROTOCOL
ROUTER NETWORK.
REF B IS NAVADMIN 168/16, PUBLIC KEY INFRASTRUCTURE ENFORCEMENT ON NAVY
SECRET INTERNET PROTOCOL ROUTER NETWORKS, WEB SERVERS, WEB SITES, AND PORTALS
UPDATE.
REF C IS NAVADMIN 125/18, ENFORCEMENT OF PUBLIC KEY INFRASTRUCTURE
CRYPTOGRAPHIC LOGON ON ALL NAVY AND MARINE CORPS INTRANET (NMCI) AND OCONUS
NAVY ENTERPRISE NETWORK (ONE-NET) FUNCTIONAL NON-CLASSIFIED INTERNET PROTOCOL
ROUTER AND SECRET INTERNET PROTOCOL ROUTER ACCOUNTS.
REF D IS THE USCYBERCOM OPORD ON ENDPOINT SECURITY DEPLOYMENT AND OPERATIONS
DIRECTING THE IMPLEMENTATION OF HOST BASED SECURITY SYSTEM (HBSS).
REF E IS THE FRAGO WHICH SPECIFIES THAT THE HBSS EXEMPTION DECISION RESIDES
WITH THE COMPONENT CHIEF INFORMATION OFFICERS.//
POC1/PLANKENHORN/CIV/OPNAV N2N6G5/WASHINGTON DC/TEL: 703-692-1896
/E-MAIL: benjamin.plankenhorn@navy.mil//
POC2/BASS/CIV/NIA/DAO/SUITLAND MD/TEL: 301-669-3213
/E-MAIL: deidra.l.bass@navy.mil//
RMKS/1. This NAVADMIN supersedes the waiver processes outlined in references
(a) through (c) and eliminates duplicative Public Key Infrastructure (PKI)
and Host Based Security System (HBSS) waiver efforts by incorporating all
into the Risk Management Framework (RMF) authorization process.
2. This NAVADMIN is applicable to all Navy acquisition and non-acquisition
programs, regardless of designation as Information Technology (IT), Weapon
System, Platform IT (PIT), or Control System. It applies to systems
authorized by the Navy Authorizing Official (NAO), the Functional Authorizing
Officials (FAO), and the Naval Intelligence Activity (NIA) Authorizing
Official (AO).
3. Effective immediately, systems not compliant with PKI and HBSS policy
requirements established in references (a) through (e) are automatically
waived upon successful completion of the RMF process. This is a policy
waiver only, acknowledging mitigating circumstances. It does not waive the
requirement for applicable security controls; they remain non-compliant if
not implemented as required. Systems granted an RMF Authorization to Operate
(ATO) are considered to have sufficient mitigations in place to reduce
residual risk to the Navy portion of Department of Defense (DoD) Information
Networks (DoDIN-N) and Joint Worldwide Intelligence Communications System
(JWICS) and are waived from the PKI and HBSS policy requirements for the
duration of the system authorization.
4. For systems that do not have PKI (or an approved alternate form of two
factor authentication) and/or HBSS implemented, non-compliance must be mapped
to the applicable security controls. At a minimum, this will include
SI-4(23) for HBSS and IA-2(1) for PKI. Mitigation activities will be tracked in
the system Plan of Action and Milestones (POAM) and System Level Continuous
Monitoring (SLCM) plan. Additionally, the cognizant AO must include the
appropriate RMF stipulation, chosen from below (a, b, or c), in the ATO
letter/Authorization Decision Document (ADD) for each policy waiver (PKI
and/or HBSS) to be in compliance with this NAVADMIN.
a. The requirement to implement (PKI/HBSS) has been assessed and
determined to be Not Applicable (NA). The appropriate security control has
been marked as NA in (eMASS/Xacta), along with a justification statement
(e.g., the capability and control is not technically feasible or procedurally
relevant to the system).
b. The requirement to implement (PKI/HBSS) has been assessed and
determined to be Applicable but Not Compliant. There is no plan to achieve
compliance with the policy. Mitigations, compensating controls, or
alternative solutions have been implemented to sufficiently reduce residual
risk to the (DoDIN-N/JWICS) and justify a waiver of the requirement for this
system.
c. The requirement to implement (PKI/HBSS) has been assessed and
determined to be Applicable but Not Compliant. There is a POAM to achieve
compliance with policy requirements and it is documented in the (eMASS/Xacta)
record. Further, the Program Manager/Information System Owner (PM/ISO)
attests that the POAM is properly resourced. In the interim, residual risk
to the (DoDIN-N/JWICS) is acceptable.
5. Echelon II commands will maintain oversight of all authorized systems
that are not compliant with PKI and HBSS policy requirements and, on an
annual basis, provide a listing of systems with corresponding waived policies
(e.g., those where the requirement is still Applicable) to the Department of
the Navy Deputy Senior Information Security Officer (Navy) (DDSISO(N)),
copying the cognizant AO and Fleet Cyber Command/Commander, TENTH Fleet
Battle Watch Captain. This listing must be provided by 30 September and
include:
a. System name;
b. Authorization status (e.g., ATO, ATO with conditions, IATT) and
authorization termination date (ATD);
c. Enterprise Mission Assurance Support Service (eMASS) (for GENSER) or
Xacta (for TS/SCI) identification number;
d. Specific exemption in place (PKI, HBSS, or PKI and HBSS);
e. Justification for non-compliance;
f. Date by which the current POAM will achieve compliance (if
applicable).
6. For questions, contact POC1 (GENSER exceptions) and POC2 (TS/SCI or
Compartmented Access Programs). This NAVADMIN will remain in effect until
canceled or superseded.
7. Released by VADM Matthew J. Kohler, Deputy Chief of Naval Operations for
Information Warfare, OPNAV N2N6.//
BT
#0001
NNNN
UNCLASSIFIED//