ACCEPTANCE OF DOD APPROVED EXTERNAL PUBLIC KEY INFRASTRUCTURE (PKI) CERTIFICATES FOR LOGICAL ACCESS TO NAVY INFORMATION RESOURCES REF/A/MSG/DON CIO WASHINGTON DC/291445ZDEC09:
UNCLASSIFIED//
ROUTINE
R 141611Z JUN 10
BT
UNCLAS
PASS TO ALL OFFICE CODES:
FM CNO WASHINGTON DC//N2N6//
TO NAVADMIN
INFO DON CIO WASHINGTON DC
SPAWARSYSCEN ATLANTIC CHARLESTON SC//00//
SPAWARSYSCEN PACIFIC SAN DIEGO CA//00//
UNCLAS //N5500//
NAVADMIN 203/10
MSGID/GENADMIN/CNO WASHINGTON DC//N2N6//
SUBJ/ACCEPTANCE OF DOD APPROVED EXTERNAL PUBLIC KEY INFRASTRUCTURE (PKI) CERTIFICATES FOR LOGICAL ACCESS TO NAVY INFORMATION RESOURCES//
REF/A/MSG/DON CIO WASHINGTON DC/291445ZDEC09//
REF/B/DOC/DOD/01APR04//
REF/C/DOC/SECNAV/17JUN09//
REF/D/DOC/JTF-GNO/07APR08//
REF/E/MSG/DON CIO WASHINGTON DC/262302ZSEP09//
REF/F/DOC/DOD/24JAN07//
REF/G/DOC/DOD/22JUL08//
REF/H/DOC/WHITE HOUSE/27AUG04//
REF/I/DOC/NIST/MAR06//
NARR/REF A PROMULGATED DON POLICY ON PUBLIC KEY ENABLEMENT OF DEPARTMENT OF THE NAVY UNCLASSIFIED PRIVATE WEB SERVERS AND APPLICATIONS. REF B IS DODINST 8520.2, PUBLIC KEY INFRASTRUCTURE (PKI) AND PUBLIC KEY ENABLING (PKE). REF C IS SECNAVINST 5239.3B, DEPARTMENT OF NAVY (DON) INFORMATION ASSURANCE (IA). REF D IS JTF-GNO CTO 07-015, REVISION 1, PUBLIC KEY INFRASTRUCTURE (PKI) IMPLEMENTATION, PHASE 2. REF E IDENTIFIES THE DON NIPRNET PKE WAIVER PROCESS. REF F IS DOD CIO MEMO, COMPLIANCE AND REVIEW OF LOGICAL ACCESS CONTROL IN DEPARTMENT OF DEFENSE PROCESSES. REF G IS DOD CIO MEMO, APPROVAL OF EXTERNAL PUBLIC KEY INFRASTRUCTURES. REF H IS HSPD-12, WHICH ESTABLISHED THE REQUIREMENT FOR A MANDATORY GOVERNMENT-WIDE STANDARD FOR SECURE AND RELIABLE FORMS OF IDENTIFICATION. REF I IS FIPS-201-1 CHANGE 1, WHICH DESCRIBES THE MINIMUM REQUIREMENTS FOR A FEDERAL PERSONAL IDENTITY VERIFICATION (PIV) SYSTEM THAT MEETS THE OBJECTIVES OF HSPD-12 AND PROVIDES DETAILED SPECIFICATIONS THAT WILL SUPPORT TECHNICAL INTEROPERABILITY AMONG PIV SYSTEMS OF FEDERAL DEPARTMENTS AND AGENCIES.//
POCS/THERESA EVERETTE/CDR/N2N6F113/LOC:ARLINGTON, VA/TEL: 703-601-1450/E-MAIL: THERESA.EVERETTE@NAVY.MIL/
ROBERT WEILMINSTER/CTR/N2N6F1135/LOC:ARLINGTON, VA/TEL: 703-601-1264/E-MAIL: ROBERT.WEILMINSTER1.CTR@NAVY.MIL//
PASSING INSTRUCTIONS: PLEASE PASS TO COMMAND INFORMATION OFFICER (IO), N6 AND OTHERS DEEMED APPROPRIATE//
RMKS/1. REF A DIRECTS THAT SERVICE-SPECIFIC GUIDELINES BE PROMULGATED FOR THE USE OF CERTIFICATES ISSUED BY DOD AND DOD-APPROVED EXTERNAL PUBLIC KEY INFRASTRUCTURES (PKIS). THIS ALNAV PROMULGATES NAVY POLICY FOR THE PUBLIC KEY ENABLING (PKE) OF UNCLASSIFIED WEB SERVERS, NETWORKS, APPLICATIONS AND PORTALS. ADDITIONALLY, PER REFS C, D, AND F, ALL NAVY UNCLASSIFIED PRIVATE WEB SERVERS, NETWORKS, APPLICATIONS, AND PORTALS SHALL IMPLEMENT AND CONFIGURE ACCESS CONTROLS, AS NECESSARY, TO ENFORCE NEED-TO-KNOW REQUIREMENTS. PKI AUTHENTICATION ALONE DOES NOT PROVIDE THE BASIS FOR AUTHORIZATION DECISIONS. IMPROPER USE OF PKI AS AN ACCESS CONTROL MECHANISM MAY INADVERTENTLY ALLOW UNINTENDED USERS TO GAIN ACCESS TO SYSTEMS AND INFORMATION FOR WHICH THEY ARE NOT AUTHORIZED. THUS, APPROPRIATE ACCESS CONTROL PROCESSES (E.G., ACCESS CONTROL LISTS, CERTIFICATE MAPPING, ETC.) MUST BE IMPLEMENTED.
2. BACKGROUND. REFS A THROUGH D REQUIRE ALL NAVY UNCLASSIFIED PRIVATE WEB SERVERS, NETWORKS, APPLICATIONS, AND PORTALS TO BE ENABLED TO AUTHENTICATE USERS VIA CERTIFICATES ISSUED BY THE DEPARTMENT OF DEFENSE (DOD) PKI OR DOD-APPROVED EXTERNAL PKIS. REF B DEFINES A PRIVATE WEB SERVER AS ANY DOD-OWNED, OPERATED, OR CONTROLLED WEB SERVER THAT PROVIDES ACCESS TO SENSITIVE INFORMATION THAT HAS NOT BEEN REVIEWED AND APPROVED FOR PUBLIC RELEASE. REF D, TASK 10, REQUIRED ALL DOD ORGANIZATIONS OPERATING UNCLASSIFIED PRIVATE WEB SERVERS TO EITHER IMPLEMENT PKI CERTIFICATE-BASED CLIENT AUTHENTICATION BY 9 JUNE 2008, OR APPLY FOR A WAIVER.
3. REF G AUTHORIZES THE USE OF DOD EXTERNAL CERTIFICATE AUTHORITY (ECA) CERTIFICATES ISSUED AS PART OF THE DOD ECA PROGRAM. REF G ALSO AUTHORIZES THE USE OF PKI CERTIFICATES ISSUED BY DOD-APPROVED NON-DOD ORGANIZATIONS INCLUDING U.S. FEDERAL AGENCIES, STATE/LOCAL/TRIBAL GOVERNMENT ORGANIZATIONS, AND EXTERNAL DOD BUSINESS PARTNERS.
4. POLICY.
A. CERTIFICATE-BASED LOGON TO NAVY NETWORKS (I.E., CRYPTOGRAPHIC LOGON (CLO)) WILL ONLY BE ACCOMPLISHED VIA EITHER THE USE OF HARDWARE TOKEN BASED CERTIFICATES ISSUED BY THE DOD PKI OR PERSONAL IDENTITY VERIFICATION (PIV) AUTHENTICATION CERTIFICATES (REFS H AND I GERMANE) ISSUED BY OTHER FEDERAL AGENCIES OF THE U.S. GOVERNMENT.
B. NAVY ORGANIZATIONS SHALL ACCEPT CERTIFICATES ISSUED BY DOD-APPROVED EXTERNAL PKIS WHEN AVAILABLE AND APPROPRIATE TO SUPPORT AUTHENTICATION FOR A PORTION OF A SYSTEM'S OR APPLICATION'S USER POPULATION.
C. NAVY COMMANDS AND ORGANIZATIONS ARE AUTHORIZED TO USE CERTIFICATES ISSUED BY ORGANIZATIONS ON THE LIST OF DOD-APPROVED EXTERNAL PKIS AVAILABLE AT HTTP://JITC.FHU.DISA.MIL/PKI/PKE_LAB/PARTNER_PKI_TESTING/PARTNER_PKI_STATUS.HTML TO SUPPORT AUTHENTICATION TO NAVY UNCLASSIFIED WEB SERVERS, WEB APPLICATIONS AND PORTALS.
5. IN IMPLEMENTING THE POLICY STATED IN PARA 4.A ABOVE, PIV AUTH CERTIFICATES MAY BE ACCEPTED FOR LOGON TO FULLY PROVISIONED ACCOUNTS ON NAVY NETWORKS. ANY SUCH IMPLEMENTATION SHALL INCLUDE:
A. TRUSTING, VIA DIRECT TRUST, THE ROOT AND SUBORDINATE CA CERTIFICATES IN THE ISSUANCE CHAIN FOR THE END USER CERTIFICATE;
B. ENSURING THAT ALL CERTIFICATES USED FOR NETWORK LOGON CAN BE AND ARE VALIDATED;
C. PROVIDING ACCESS TO NETWORK ASSETS ON A STRICT "NEED-TO-KNOW" BASIS; AND,
D. OBTAINING APPROVAL FROM THE APPROPRIATE NAVY DESIGNATED ACCREDITING AUTHORITY (DAA) BEFORE IMPLEMENTATION.
6. IN IMPLEMENTING THE POLICY STATED IN PARAS 4.B AND 4.C ABOVE, NAVY COMMANDS AND ORGANIZATIONS SHALL COMPLETE THE FOLLOWING ACTIONS PRIOR TO OPERATIONAL ACCEPTANCE OF CERTIFICATES FROM ANY DOD APPROVED EXTERNAL PKI:
A. VERIFY THAT UNCLASSIFIED PRIVATE WEB SERVERS, WEB APPLICATIONS, AND PORTALS ARE PROPERLY CONFIGURED BY:
1. TRUSTING, VIA DIRECT TRUST, ONLY THE MINIMUM SET OF APPROVED PKI ROOT AND SUBORDINATE CA CERTIFICATES REQUIRED FOR PROPER OPERATION AND AS INCORPORATED INTO THE UPDATED RISK ASSESSMENT.
2. ENSURING THAT ALL EXTERNAL CERTIFICATES USED FOR AUTHENTICATION ARE VALIDATED PRIOR TO ACCEPTANCE (E.G., CERTIFICATE REVOCATION LIST (CRL) CACHING AND CHECKING, USE OF ON-LINE CERTIFICATE STATUS PROTOCOL (OCSP)).
3. IMPLEMENTING ACCESS CONTROL MEASURES (E.G., ACCESS CONTROL LISTS (ACLS) OR PKI CERTIFICATE MAPPING) TO ENABLE ENFORCEMENT OF NEED-TO-KNOW REQUIREMENTS.
4. IMPLEMENTING ONLY FIPS 140-2 OR 140-3 VALIDATED ALGORITHMS AND CRYPTOGRAPHIC MODULES FOR SECURE SOCKET LAYER/TRANSPORT LAYER SECURITY (SSL/TLS) SESSIONS.
B. UPDATE AND SUBMIT THE NAVY SYSTEM'S RISK ASSESSMENT ASSOCIATED WITH THE CURRENT C&A DOCUMENTATION TO ADDRESS THE ACCEPTANCE OF EXTERNAL PKIS FOR EVALUATION AND APPROVAL BY THE APPROPRIATE DAA, INCLUDING THE PROCESSES AND PROCEDURES USED TO ENSURE COMPLIANCE WITH THE REQUIREMENTS OF PARA 7.A ABOVE. SUBMIT A RISK ASSESSMENT MEMORANDUM TO THE APPROPRIATE DAA VIA ECHELON II.
7. ONCE DAA APPROVAL FOR USE OF EXTERNAL PKI CERTIFICATES HAS BEEN RECEIVED, THE REQUESTING ORGANIZATION CAN ACCESS THE EXTERNAL PKI PAGE AT HTTPS://INFOSEC.NAVY.MIL, PROVIDE THE REQUIRED INFORMATION, AND THE COMMAND POC IDENTIFIED WILL BE SENT THE REQUESTED EXTERNAL PKI ROOT CA CERTIFICATE(S) IN A DIGITALLY SIGNED AND ENCRYPTED EMAIL.
8. WAIVERS. THERE WILL BE NO WAIVERS TO THIS POLICY. ALL USES OF DOD APPROVED EXTERNAL PKIS MUST COMPLY WITH THE REQUIREMENTS DETAILED HEREIN BEFORE CERTIFICATES ISSUED BY THESE PKIS CAN BE RECOGNIZED FOR AUTHORIZATION DECISIONS BY NAVY SYSTEMS.
9. RELEASED BY VADM DORSETT DCNO INFORMATION DOMINANCE (N2N6).//
BT
#0001
NNNN
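The configuration checks in para 6.A.1 and 6.A.3 (a minimum-set trust store, then need-to-know enforcement via certificate mapping) and the para 1 point that PKI authentication alone is not an authorization decision, shown as an added example that is not part of the NAVADMIN. It assumes the openssl command-line tool is available; the two CAs, the user names and the ACL entry are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the NAVADMIN: an explicit, minimal trust store
# plus certificate-to-ACL mapping, i.e. the split between PKI authentication
# (para 6.A.1) and need-to-know authorization (para 6.A.3). Every CA, user
# and ACL entry below is constructed for the demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

mkca() {  # mkca <name> <subject CN>: self-signed throwaway CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
mkuser() {  # mkuser <ca-name> <user-name> <subject CN>: CA-signed leaf cert
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.pem" 2>/dev/null
}
mkca   approved "Constructed Approved External CA"
mkca   unlisted "Constructed Unlisted CA"
mkuser approved alice   "ALICE.PARTNER.1001"
mkuser approved bob     "BOB.PARTNER.1002"
mkuser unlisted mallory "ALICE.PARTNER.1001"   # same CN, issuer not trusted

# Trust store: only the approved CA (the minimum set), never the unlisted one.
cp "$WORK/approved.pem" "$WORK/trust.pem"
# Need-to-know ACL: validated subjects that may reach this resource.
printf 'CN=ALICE.PARTNER.1001\n' > "$WORK/acl.txt"

# authorize <cert.pem>: 0 = granted; 1 = chain valid but subject not on ACL;
# 2 = chain does not validate against the trust store (never reaches the ACL).
authorize() {
  openssl verify -CAfile "$WORK/trust.pem" "$1" >/dev/null 2>&1 || return 2
  subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
         | sed 's/^subject= *//')
  grep -qxF "$subj" "$WORK/acl.txt" || return 1
  return 0
}

for u in alice bob mallory; do
  authorize "$WORK/$u.pem" && echo "$u: granted" || echo "$u: denied (rc=$?)"
done
```

Bob authenticates (his chain validates) but is denied because he is not on the ACL, while the certificate from the unlisted CA is rejected before its subject is ever consulted, which is why a matching CN alone buys nothing. Revocation checking (para 6.A.2) and FIPS-validated TLS modules (para 6.A.4) are outside what this script shows.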