NAVY POLICY FOR WAIVERS OF PUBLIC KEY INFRASTRUCTURE (PKI) AND HOST BASED SECURITY SYSTEM (HBSS):

UNCLASSIFIED//
ROUTINE
R 081208Z APR 20 MID110000562556U
FM CNO WASHINGTON DC
TO NAVADMIN
INFO CNO WASHINGTON DC
BT
UNCLAS

NAVADMIN 103/20

PASS TO OFFICE CODES:
FM CNO WASHINGTON DC//N2N6//

MSGID/GENADMIN/CNO WASHINGTON DC/N2N6/APR//

SUBJ/NAVY POLICY FOR WAIVERS OF PUBLIC KEY INFRASTRUCTURE (PKI) AND HOST 
BASED SECURITY SYSTEM (HBSS)//

REF/A/MSG/CNO WASHINGTON DC/N2N6/051443ZFEB16//
REF/B/MSG/CNO WASHINGTON DC/N2N6/291317ZJUL16//
REF/C/MSG/CNO WASHINGTON DC/N2N6/151526ZMAY18//
REF/D/OPORD/ENDPOINT SECURITY DEPLOYMENT AND OPERATIONS/27MAY16/16-0080//
REF/E/OPORD/FRAGO 02 TO OPORD 16-0080/08DEC16/FRAGORD 1//

NARR/REF A IS NAVADMIN 028/16, PUBLIC KEY INFRASTRUCTURE ENFORCEMENT ON NAVY 
NONSECURE INTERNET PROTOCOL ROUTER NETWORK AND SECRET INTERNET PROTOCOL 
ROUTER NETWORK.  
REF B IS NAVADMIN 168/16, PUBLIC KEY INFRASTRUCTURE ENFORCEMENT ON NAVY 
SECRET INTERNET PROTOCOL ROUTER NETWORKS, WEB SERVERS, WEB SITES, AND PORTALS 
UPDATE.  
REF C IS NAVADMIN 125/18, ENFORCEMENT OF PUBLIC KEY INFRASTRUCTURE 
CRYPTOGRAPHIC LOGON ON ALL NAVY AND MARINE CORPS INTRANET (NMCI) AND OCONUS 
NAVY ENTERPRISE NETWORK (ONE-NET) FUNCTIONAL NON-CLASSIFIED INTERNET PROTOCOL 
ROUTER AND SECRET INTERNET PROTOCOL ROUTER ACCOUNTS.  
REF D IS THE USCYBERCOM OPORD ON ENDPOINT SECURITY DEPLOYMENT AND OPERATIONS 
DIRECTING THE IMPLEMENTATION OF HOST BASED SECURITY SYSTEM (HBSS).  
REF E IS THE FRAGO WHICH SPECIFIES THAT THE HBSS EXEMPTION DECISION RESIDES 
WITH THE COMPONENT CHIEF INFORMATION OFFICERS.// 

POC1/PLANKENHORN/CIV/OPNAV N2N6G5/WASHINGTON DC/TEL:  703-692-1896
/E-MAIL:  benjamin.plankenhorn@navy.mil//
POC2/BASS/CIV/NIA/DAO/SUITLAND MD/TEL:  301-669-3213
/EMAIL:  deidra.l.bass@navy.mil//

RMKS/1.  This NAVADMIN supersedes the waiver processes outlined in references
(a) through (c) and eliminates duplicative Public Key Infrastructure (PKI) 
and Host Based Security System (HBSS) waiver efforts by incorporating all 
into the Risk Management Framework (RMF) authorization process.

2.  This NAVADMIN is applicable to all Navy acquisition and non-acquisition 
programs, regardless of designation as Information Technology (IT), Weapon 
System, Platform IT (PIT), or Control System.  It applies to systems 
authorized by the Navy Authorizing Official (NAO), the Functional Authorizing 
Officials (FAO), and the Naval Intelligence Activity (NIA) Authorizing 
Official (AO).

3.  Effective immediately, systems not compliant with PKI and HBSS policy 
requirements established in references (a) through (e) are automatically 
waived upon successful completion of the RMF process.  This is a policy 
waiver only, acknowledging mitigating circumstances.  It does not waive the 
requirement for applicable security controls; they remain non-compliant if 
not implemented as required.  Systems granted an RMF Authorization to Operate 
(ATO) are considered to have sufficient mitigations in place to reduce 
residual risk to the Navy portion of Department of Defense (DoD) Information 
Networks (DoDIN-N) and Joint Worldwide Intelligence Communications System 
(JWICS) and are waived from the PKI and HBSS policy requirements for the 
duration of the system authorization.

4.  For systems that do not have PKI (or an approved alternate form of two 
factor authentication) and/or HBSS implemented, non-compliance must be mapped 
to the applicable security controls.  At a minimum, this will include SI-4(23)
for HBSS and IA-2(1) for PKI.  Mitigation activities will be tracked in 
the system Plan of Action and Milestones (POAM) and System Level Continuous 
Monitoring (SLCM) plan.  Additionally, the cognizant AO must include the 
appropriate RMF stipulation, chosen from below (a, b, or c), in the ATO 
letter/Authorization Decision Document (ADD) for each policy waiver (PKI 
and/or HBSS) to be in compliance with this NAVADMIN.
    a.  The requirement to implement (PKI/HBSS) has been assessed and 
determined to be Not Applicable (NA).  The appropriate security control has 
been marked as NA in (eMASS/Xacta), along with a justification statement 
(e.g., the capability and control is not technically feasible or procedurally 
relevant to the system).
    b.  The requirement to implement (PKI/HBSS) has been assessed and 
determined to be Applicable but Not Compliant.  There is no plan to achieve 
compliance with the policy.  Mitigations, compensating controls, or 
alternative solutions have been implemented to sufficiently reduce residual 
risk to the (DoDIN-N/JWICS) and justify a waiver of the requirement for this 
system.
    c.  The requirement to implement (PKI/HBSS) has been assessed and 
determined to be Applicable but Not Compliant.  There is a POAM to achieve 
compliance with policy requirements and it is documented in the (eMASS/Xacta) 
record.  Further, the Program Manager/Information System Owner (PM/ISO) 
attests that the POAM is properly resourced.  In the interim, residual risk 
to the (DoDIN-N/JWICS) is acceptable.

5.  Echelon II commands will maintain oversight of all authorized systems 
that are not compliant with PKI and HBSS policy requirements and, on an 
annual basis, provide a listing of systems with corresponding waived policies 
(e.g., those where the requirement is still Applicable) to the Department of 
the Navy Deputy Senior Information Security Officer (Navy) (DDSISO(N)), 
copying the cognizant AO and Fleet Cyber Command/Commander, TENTH Fleet 
Battle Watch Captain.  This listing must be provided by 30 September and 
include:
    a.  System name;
    b.  Authorization status (e.g., ATO, ATO with conditions, IATT) and 
authorization termination date (ATD);
    c.  Enterprise Mission Assurance Support Service (eMASS) (for GENSER) or 
Xacta (for TS/SCI) identification number;
    d.  Specific exemption in place (PKI, HBSS, or PKI and HBSS);
    e.  Justification for non-compliance;
    f.  Date by which the current POAM will achieve compliance (if 
applicable).

6.  For questions, contact POC1 (GENSER exceptions) and POC2 (TS/SCI or 
Compartmented Access Programs).  This NAVADMIN will remain in effect until 
canceled or superseded.

7.  Released by VADM Matthew J. Kohler, Deputy Chief of Naval Operations for 
Information Warfare, OPNAV N2N6.//

BT
#0001
NNNN
UNCLASSIFIED//