ENFORCEMENT OF PUBLIC KEY INFRASTRUCTURE CRYPTOGRAPHIC LOGON ON ALL NMCI AND ONE-NET FUNCTIONAL NON-CLASSIFIED INTERNET PROTOCOL ROUTER AND SECRET INTERNET PROTOCOL ROUTER ACCOUNTS:
R 151526Z MAY 18
FM CNO WASHINGTON DC
INFO CNO WASHINGTON DC
PASS TO OFFICE CODES:
FM CNO WASHINGTON DC//N2N6//
INFO CNO WASHINGTON DC//N2N6//
MSGID/GENADMIN/CNO WASHINGTON DC/N2N6/MAY//
SUBJ/ENFORCEMENT OF PUBLIC KEY INFRASTRUCTURE CRYPTOGRAPHIC LOGON ON ALL NMCI
AND ONE-NET FUNCTIONAL NON-CLASSIFIED INTERNET PROTOCOL ROUTER AND SECRET
INTERNET PROTOCOL ROUTER ACCOUNTS//
REF/A/GENADMIN/CNO WASHINGTON DC/N2N6/051443ZFEB16//
REF/C/MSG/CNO WASHINGTON DC/N2N6/291317ZJUL16//
REF/E/GENADMIN/NCMS WASHINGTON DC/291300ZMAR17//
NARR/REF A IS NAVADMIN 028/16, PUBLIC KEY INFRASTRUCTURE ENFORCEMENT ON NAVY
NONSECURE INTERNET PROTOCOL ROUTER NETWORK AND SECRET INTERNET PROTOCOL
REF B IS DDCIO(N) AMPLIFYING GUIDANCE TO NAVADMIN 028/16.
REF C IS NAVADMIN 168/16, PUBLIC KEY INFRASTRUCTURE ENFORCEMENT ON NAVY
SECRET INTERNET PROTOCOL ROUTER NETWORKS, WEB SERVERS, WEB SITES, AND PORTALS
REF D IS DOD MEMO, PUBLIC KEY INFRASTRUCTURE INCREMENT 2, SPIRAL 3, RELEASE
4, TOKEN MANAGEMENT SYSTEM ACQUISITION DECISION MEMORANDUM.
REF E IS ALCOM 056/17 PUBLIC KEY INFRASTRUCTURE FLEET SUPPORT.
REF F IS DOD MEMO, APPROVAL OF IDENTITY FEDERATION SERVICE PROVIDERS CENTRIFY
SERVER SUITE AND CENTRIFY PRIVILEGED SERVICE.
REF G IS DOD MEMO, APPROVAL OF MULTI-FACTOR AUTHENTICATION ALTERNATIVES
RIVEST SHAMIR AND ADLEMAN AND YUBIKEY.
REF H IS DOD MEMO, APPROVAL OF MULTI-FACTOR AUTHENTICATION ALTERNATIVES
GEMALTO SAFENET ETOKEN PASS MODEL 3000//
POC/MR. BEN PLANKENHORN/CIV/OPNAV N2N6G51/WASHINGTON DC/TEL: (703) 692-1896/
RMKS/1. This NAVADMIN provides updated guidance to Public Key Infrastructure
(PKI) Cryptographic Log-on (CLO) enforcement deadlines on Navy Marine Corps
Internet (NMCI) and outside continental United States Navy Enterprise Network
(ONE-Net) promulgated in references (a) through (c).
2. Immediate action. Secret Internet Protocol Router (SIPR) tokens are now
available for functional (or group) accounts (i.e., Tactical Actions Officer,
Battle Watch Captain, Assistant Battle Watch Captain, Staff Duty Officer,
watch accounts) and the use of a PKI token is mandatory. All NMCI and ONE-
Net Non-classified Internet Protocol Router (NIPR) and SIPR functional
accounts using username and password must transition to PKI CLO or other
Department of Defense Chief Information Officer (DoD CIO) approved forms of
Multi-Factor Authentication (MFA) by 29 June 2018. PKI CLO is a mandatory
3. Functional Account owners need to submit the required paperwork to their
Information Systems Security Manager to transition their functional accounts
from username and password to PKI CLO. Commands must request functional (or
group) account tokens through the Regional registration authority. Reference
(e) provides guidance related to PKI support. To assist with token
acquisition, a standard operating procedure is posted at:
4. Non-Windows system accounts that are unable to utilize PKI must use
another DoD CIO approved form of MFA. Per references (f) through (h), the
current approved MFAs that may be used are Centrify Server Suite and Centrify
Privileged Service; Rivest-Shamir-Adleman (RSA) SecurID tokens; YubiKey
Universal Two Factor tokens; and Gemalto SafeNet eToken PASS model 3000. DoD
CIO is the approval authority for any other alternative means of
authentication. Requests for approval of any other MFA products must be sent
to the DoD CIO via the Deputy Chief of Naval Operations for Information
Warfare (OPNAV N2N6). Contact the message point of contact for format and
5. Any NMCI and ONE-Net functional accounts that are not using PKI logon by
29 June 2018 will be disabled.
6. Exception request guidance.
a. Request for exceptions to this NAVADMIN must be staffed via the chain
of command through each respective Echelon II N6/Chief Information Officers
Office for the Deputy Chief of Naval Operations for Information Warfare
(OPNAV N2N6) approval.
b. Exception requests must be endorsed by the first Flag Officer or
Senior Executive Service in the chain of command and will only be accepted
from Echelon II commands for approval or disapproval by OPNAV N2N6.
c. The account exception request form is posted at:
7. This NAVADMIN will remain in effect until cancelled or superseded.
8. Released by VADM Jan E. Tighe, Deputy Chief of Naval Operations for
Information Warfare, OPNAV N2N6.//