ACTIONS FOR ALL NAVY PERSONNEL AND NON-CLASSIFIED INTERNET PROTOCOL ROUTER NETWORK (NIPRNet) NETWORK, WEB, AND APPLICATION OWNERS AS DEPARTMENT OF DEFENSE CHANGES THE CERTIFICATES ON THE COMMON ACCESS CARD

UNCLASSIFIED

ROUTINE

R 171409Z AUG 18

FM CNO WASHINGTON DC

TO NAVADMIN

BT
UNCLAS

NAVADMIN 200/18

PASS TO OFFICE CODES:
FM CNO WASHINGTON DC//N2N6//
INFO CNO WASHINGTON DC//N2N6//


SUBJ/ACTIONS FOR ALL NAVY PERSONNEL AND NON-CLASSIFIED INTERNET PROTOCOL 
ROUTER NETWORK (NIPRNet) NETWORK, WEB, AND APPLICATION OWNERS AS DEPARTMENT 
OF DEFENSE CHANGES THE CERTIFICATES ON THE COMMON ACCESS CARD//


REF/A/HSPD-12/POTUS/27AUG04//

REF/B/FIPS201-2/NIST/28FEB17//


NARR/REF (A) IS HOMELAND SECURITY PRESIDENTIAL DIRECTIVE 12, POLICY FOR A 
COMMON IDENTIFICATION STANDARD FOR FEDERAL EMPLOYEES AND CONTRACTORS.  REF 
(B) IS NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGYS FEDERAL INFORMATION 
PROCESSING STANDARD (FIPS) 201-2, PERSONAL IDENTITY VERIFICATION OF FEDERAL 
EMPLOYEES AND CONTRACTORS//

POC/MR. BEN PLANKENHORN/CIV/OPNAV N2N6G51/WASHINGTON DC/
TEL:  (703) 692-1896/EMAIL:  benjamin.plankenhorn@navy.mil//

RMKS/1.  This NAVADMIN provides guidance for all Navy personnel and to Navy 
Non-classified Internet Protocol Router Network (NIPRNet) network, web, and 
application owners as Department of Defense (DoD) changes the certificates on 
Common Access Card (CAC) certificate.


2.  Background
    a.  Per references (a) and (b), DoD is transitioning to one common 
authentication (logon) certificate on CACs called the Personal Identity 
Verification (PIV) Authentication.  The PIV_Auth certificate is mandated as 
the new standard for NIPRNET network, web, and application login.  Users will 
no longer have to choose between e-mail and identity certificates when 
logging in.  This modification will establish continuity across federal and 
mission partner organizations with regard to the use of DoD Public Key 
Infrastructure (PKI) certificates.
    b.  The planned DoD CAC end-state will reduce the CAC user certificate 
profile to three certificates:  PIV_Auth for authentication, signature for e-
mail/document signing, and E-mail Encryption for e-mail encryption.  The 
Identity certificate will be removed.
    c.  The PIV_Auth certificate is on all CACs but is not activated for Navy 
users at issuance, thus the PIV_Auth certificate is not visible.  You do not 
have to replace your CAC to activate this new certificate.


3.  Action for All Navy Personnel
    a.  As of 24 February 2018, new Navy personnel issued a CAC will have the 
PIV_Auth certificate activated and visible.  No further action is required.
    b.  All Navy personnel to include contractors, Foreign Liaisons/Officers 
and REL - A NIPRNet users who have not received a new CAC since 24 February 
2018 and/or cannot see their PIV_Auth certificate, must follow the procedures 
on the Navy Marine Corps Internet 
Homeport,(https://www.homeport.navy.mil/cms/preview
/21094),
and Information Security Online Services, (https://infosec.navy.mil /PKI/).
These procedures will instruct users on how to activate the PIV_Auth 
certificate via the Defense Manpower Data Center (DMDC) Real-Time Automated 
Personal Identification Systems (RAPIDS) Self-Service website, 
https://www.dmdc.osd.mil/self_service.
    c.  All personnel must activate their PIV_Auth certificate no later than 
31 January 2019.


4.  Action for All Navy NIPRNet Network, Web, and Applications Owners.
Owners should work to quickly shift to supporting the PIV_Auth certificate 
and maintain their PKI login/validation mechanism.
Owners should announce a date/time that they will transition from accepting 
the E-mail or Identity certificates to accepting only the PIV_Auth 
certificate.  Owners must post a transition plan on their website/application 
by 31 January 2019 to inform users of the pending transition from supporting 
PIV_Auth, Identity, and E-Mail Signing/Encryption certificates to PIV_Auth 
certificate only.
The PMW-130, SSC Pacific, and SSC Atlantic PKI teams are available to assist 
owners in their transition away from the use of E-mail Signing and/or 
Identity certificates, to the PIV_Auth certificate.


5.  By 29 February 2020, All Navy NIPRNet Network, Web, and Applications must 
only support the PIV_Auth certificate for network Cryptographic Logon (CLO) 
and web/application CLO and/or authentication.  No waivers will be considered 
or granted for this transition.


6.  This NAVADMIN will remain in effect until canceled or superseded.


7.  Released by VADM Matthew J. Kohler, Deputy Chief of Naval Operations for 
Information Warfare, OPNAV N2N6.//


BT
#0001
NNNN
UNCLASSIFIED//
ACTIONS FOR ALL NAVY PERSONNEL AND NON-CLASSIFIED INTERNET PROTOCOL ROUTER NETWORK (NIPRNet) NETWORK, WEB, AND APPLICATION OWNERS AS DEPARTMENT OF DEFENSE CHANGES THE CERTIFICATES ON THE COMMON ACCESS CARD:
