ADMINISTRATIVE MESSAGE
ROUTINE
R 301704Z NOV 00 ZYB MIN PSN 010817J17
FM CNO WASHINGTON DC//N6//
TO NAVADMIN
UNCLAS
NAVADMIN 303/00
MSGID/GENADMIN/CNO WASH DC//
SUBJ/NAVY PUBLIC KEY INFRASTRUCTURE (PKI) IMPLEMENTATION//
REF/A/MEMO/DEPSECDEF/06MAY2000/U07287/NOTAL//
REF/B/MSG/CNO WASHINGTON DC/011504ZMAY1999//
REF/C/MSG/CNO WASHINGTON DC/141404ZJUL2000//
REF/D/MEMO/DEPSECDEF/10NOV1999/U17006/NOTAL//
REF/E/MEMO/ASD(C3I)/12AUG2000/-/NOTAL//
NARR/REF A ESTABLISHED DOD PKI POLICY AND IMPLEMENTATION MILESTONES. REFS B AND C PROVIDED DETAILED GUIDANCE ON THE IMPLEMENTATION OF SERVER CERTIFICATES WITHIN THE NAVY. REF D ESTABLISHED THE DOD-WIDE COMMON ACCESS CARD (CAC) PROGRAM. REF E REISSUED REF A TO ALIGN THE MILESTONES OF REFS A AND D.//
POC/ROBERT WEILMINSTER/CIV/CNO N64322/LOC:WASHINGTON DC/EMAIL:WEILMINSTER.ROBERT@HQ.NAVY.MIL/(703)601-1414 [DSN 329-1414]//
RMKS/1. THIS MESSAGE IS THE THIRD IN A SERIES PROVIDING DETAILS AND GUIDANCE ON THE IMPLEMENTATION OF PKI WITHIN THE NAVY. THIS MESSAGE ALSO DETAILS REPORTING REQUIREMENTS FOR THE FIRST STEP OF NAVY PKI IMPLEMENTATION.

2. ON 12 AUG 2000 ASD(C3I) REISSUED REF A TO ALIGN PKI ACTIVITIES AND MILESTONES WITH THOSE OF THE CAC AS PROMULGATED BY REF D. THE FOLLOWING SUMMARIZES SPECIFIC POLICY AND MILESTONES CONTAINED IN REF E. POLICY IS EFFECTIVE IMMEDIATELY AND APPLIES TO ALL DOD UNCLASSIFIED AND CLASSIFIED INFORMATION SYSTEMS, WITH THE EXCEPTION OF COMPARTMENTED INTELLIGENCE NETWORKS OR SYSTEMS.

A. DOD PKI CERTIFICATE ISSUANCE MILESTONES:
(1) ALL UNCLASSIFIED DOD PRIVATE WEB SERVERS SHALL BE ISSUED A CLASS 3 SERVER CERTIFICATE BY DEC 2000.
(2) ALL DOD USERS SHALL BE ISSUED A CLASS 3 CERTIFICATE BY OCT 2002. DOD USERS ARE DEFINED AS ALL ACTIVE DUTY MILITARY PERSONNEL, MEMBERS OF THE SELECTED RESERVE, DOD CIVILIAN EMPLOYEES AND ELIGIBLE CONTRACTOR PERSONNEL WHO HAVE ACCESS TO A DOD AUTOMATED INFORMATION SYSTEM (AIS).
(3) UNCLASSIFIED MISSION CRITICAL SYSTEMS THAT EMPLOY PK TECHNOLOGY SHALL MIGRATE TO TARGET CLASS 4 CERTIFICATES BY 31 DEC 2003.
(4) ALL DOD SYSTEMS AND APPLICATIONS THAT EMPLOY PK TECHNOLOGY WILL EVOLVE TO TARGET CLASS 4 CERTIFICATES. ISSUANCE OF TARGET CLASS 4 CERTIFICATES WILL BEGIN BY OCT 2002. CLASS 3 CERTIFICATES WILL CONTINUE TO BE SUPPORTED IN PARALLEL WITH TARGET CLASS 4 FOR A LIMITED PERIOD AND MAY BE ISSUED THROUGH DEC 2004.
(5) THE CAC WILL BE THE PRIMARY TOKEN CARRIER FOR BOTH CLASS 3 AND CLASS 4 CERTIFICATES. THE GOAL IS TO ISSUE THE CAC ACROSS THE NAVY TARGET POPULATION BY THE END OF FY2002. IF REQUIRED, CLASS 3 CERTIFICATES MAY BE DISTRIBUTED ON SOFTWARE TOKENS (FLOPPY DISKS) DURING THIS PERIOD TO MEET NEAR-TERM OPERATIONAL REQUIREMENTS.

B. DEPLOYMENT OF PKI REGISTRATION CAPABILITY:
(1) CLASS 3 REGISTRATION CAPABILITY, INCLUDING TRAINED PERSONNEL, SHALL BE IMPLEMENTED IAW REF E BY 31 DEC 2001. THIS CAPABILITY WILL BE UPGRADED FOR TARGET CLASS 4 BY OCT 2002.
(2) DEFENSE ENROLLMENT ELIGIBILITY REPORTING SYSTEM/REAL-TIME AUTOMATED PERSONNEL IDENTIFICATION SYSTEM (DEERS/RAPIDS) WORKSTATIONS INTEGRATED WITH PKI CAPABILITY SHALL BE THE PRIMARY REGISTRATION PLATFORM FOR PERSONNEL (IOC NLT JAN 2001). THIS INFRASTRUCTURE WILL BE REFERRED TO AS THE RAPIDS-LOCAL REGISTRATION AUTHORITY (RAPIDS-LRA).
(3) IN ADDITION TO RAPIDS-LRAS, CONVENTIONAL CLASS 3 PKI LRAS WILL BE FIELDED TO SUPPORT DEVICE/SERVER CERTIFICATE ISSUANCE, CERTIFICATE REVOCATIONS AND INDIVIDUAL CERTIFICATE ISSUANCE NOT SUPPORTED BY THE RAPIDS-LRA. THIS INFRASTRUCTURE, WHICH IS ESTABLISHED UNDER THE NAVY RA (DCMS), CURRENTLY HAS OVER 200 ACTIVE LRAS. MOST ARE WITHIN CONUS, WITH OCONUS LRAS IN NAPLES, YOKOSUKA, AND HAWAII. LOCATIONS OF NAVY LRAS CAN BE OBTAINED AT THE WEB SITE PROVIDED IN PARAGRAPH 7.

C. SPECIFIC IMPLEMENTATION MILESTONES:
(1) IMMEDIATE: BEGIN TRANSITION FROM USE OF ANY NON-DOD PKI TO THE DOD PKI (I.E., CERTIFICATES ISSUED FROM A DISA-OPERATED CA OR A CLASS 4 CAW). ALL SUCH TRANSITIONS SHALL BE COMPLETED BY OCT 2002.
(2) 31 DEC 2000: UNCLASSIFIED PRIVATE WEB SERVERS (SEE DEFINITION IN PARAGRAPH 4) SHALL BE ISSUED A CLASS 3 DOD PKI SERVER CERTIFICATE AND SHALL USE THIS CERTIFICATE TO SUPPORT SERVER AUTHENTICATION VIA THE SECURE SOCKETS LAYER (SSL) PROTOCOL. NAVY-SPECIFIC INSTRUCTIONS FOR SERVER CERTIFICATE IMPLEMENTATION WERE PROVIDED IN PARA 5 OF REF B AND IN REF C.
(3) OCT 2002:
(A) CLIENT (USER) IDENTIFICATION AND AUTHENTICATION USING CLASS 3 USER CERTIFICATES WILL BE REQUIRED FOR ACCESS TO ALL PRIVATE DOD AND DOD-INTEREST WEB SERVERS LOCATED ON UNCLASSIFIED NETWORKS.
(B) ALL E-MAIL SENT WITHIN DOD WILL BE DIGITALLY SIGNED USING DOD PKI ISSUED CERTIFICATES. E-MAIL ENCRYPTION FOR CONFIDENTIALITY/PRIVACY IS NOT REQUIRED. HOWEVER, NAVY POLICY IS TO ENCRYPT E-MAIL WHENEVER POSSIBLE.
(C) DOD UNCLASSIFIED NETWORKS SHALL BE ENABLED FOR HARDWARE TOKEN (CAC) CERTIFICATE-BASED ACCESS CONTROL.
(D) ISSUANCE OF CLASS 3 CERTIFICATES ON SOFTWARE TOKENS ENDS.
(E) TARGET CLASS 4 INFRASTRUCTURE DEPLOYED.
(4) 31 DEC 2003: UNCLASSIFIED NETWORKS HOSTING MISSION CRITICAL SYSTEMS SHALL MIGRATE TO CERTIFICATE-BASED ACCESS CONTROL USING TARGET CLASS 4 TOKENS AND CERTIFICATES.
(5) 31 DEC 2004: ISSUANCE OF CLASS 3 CERTIFICATES ENDS.

3. ACTION: TO ENABLE SERVER IMPLEMENTATION REPORTING, INPUT FROM SECOND ECHELONS TO DCMS IS DUE ON 12 DEC 2000. THIS INPUT WILL IDENTIFY THE TOTAL NUMBER OF PRIVATE WEB SERVERS WITHIN THE CLAIMANCY WHICH REQUIRE CERTIFICATES AND THE NUMBER IMPLEMENTED. SUBSEQUENT REPORTS INDICATING PROGRESS TOWARD COMPLETION BY 31 DEC 00 ARE DUE ON 22 DEC AND 29 DEC.

4. PRIVATE WEB SERVER DEFINITION: "A WEB SERVER THAT IS DESIGNED FOR AND/OR PROVIDES INFORMATION RESOURCES THAT ARE LIMITED TO A PARTICULAR AUDIENCE (I.E., DOD) OR A SUBSET THEREOF. (THIS INCLUDES WEB SERVERS THAT PROVIDE INTERFACES TO E-MAIL SYSTEMS.) A PRIVATE WEB SERVER RESTRICTS OR ATTEMPTS TO RESTRICT GENERAL PUBLIC ACCESS TO IT. THE COMMON MEANS OF RESTRICTION ARE BY THE USE OF DOMAIN RESTRICTION (E.G., .MIL AND/OR .GOV), FILTERING OF SPECIFIC INTERNET PROTOCOL (IP) ADDRESSES, USERID AND/OR PASSWORD AUTHENTICATION, ENCRYPTION (I.E., DOD CERTIFICATES), AND PHYSICAL ISOLATION. ANY DOD OPERATED WEB SERVER THAT PROVIDES ANY INFORMATION RESOURCES THAT ARE NOT INTENDED FOR THE GENERAL PUBLIC SHALL BE CONSIDERED A PRIVATE WEB SERVER AND IS SUBJECT TO THIS POLICY. PERSONAL WEB SERVERS (I.E., THOSE THAT ONLY ALLOW ONE USER AND ARE ONLY ACCESSIBLE FROM THE MACHINE ON WHICH THEY ARE INSTALLED) ARE NOT SUBJECT TO THIS MEMORANDUM." THE REQUIREMENT FOR PKI SERVER CERTIFICATES APPLIES TO ALL NAVY SERVERS, EVEN THOSE BEHIND A FIREWALL, WHICH CONTAIN INFORMATION NOT INTENDED FOR GENERAL PUBLIC ACCESS.

5. THE NAVY PKI IMPLEMENTATION PLAN IS CURRENTLY BEING DRAFTED AND IS ANTICIPATED TO BE ISSUED BY THE END OF 1QTR FY01.

6. THE DIRECTOR, INFORMATION WARFARE (N64) IS THE NAVY FUNCTIONAL SPONSOR FOR PKI RELATED ISSUES, WITH THE EXCEPTION OF COMPARTMENTED INTELLIGENCE NETWORKS AND SYSTEMS, WHICH ARE UNDER THE PURVIEW OF SSO NAVY-521. DIR IW PROVIDES OVERALL LEADERSHIP TO PKI IMPLEMENTATION ACTIVITIES WITHIN THE NAVY. SPAWARSYSCOM (PMW 161) WILL PROVIDE PROGRAM MANAGEMENT SUPPORT FOR THE PKI PROGRAM.

7. SPAWARSYSCOM (PMW 161) HAS ESTABLISHED A PKI WEB PAGE ON THE NAVY INFOSEC WEB SITE. THE PKI URL IS: INFOSEC.NAVY.MIL/PKI. REFS A THROUGH E ARE AVAILABLE AT THIS SITE.

8. NAVY PKI POINTS OF CONTACT ARE:
ROBERT WEILMINSTER, CNO (N64322), PKI AO, (703)601-1414, DSN 329-1414, EMAIL: WEILMINSTER.ROBERT@HQ.NAVY.MIL
SAMIR OTHMAN, SPAWARSYSCOM (PMW 161-1G), TECHNICAL IMPLEMENTATION, (619)524-7369, DSN 524-7369, EMAIL: OTHMANS@SPAWAR.NAVY.MIL
RON BURNSIDE, DCMS (D30), NAVY RA, (202)764-0259, DSN 764-0259, EMAIL: DONPKIRA@NCTC.NAVY.MIL
TIM SIGNOR, SSO NAVY-521, INTEL PKI POC, (301)669-2018, DSN 659-2018.

9. RELEASED BY VADM R. W. MAYO, USN.//
BT