RTTUZYUW RUEWMCS0000 0721935-UUUU--RUCRNAD
ZNR UUUUU
R 121935Z MAR 12
FM CNO WASHINGTON DC
TO NAVADMIN
UNCLAS//N05239//
NAVADMIN 084/12
BT
MSGID/GENADMIN/CNO WASHINGTON DC/N2N6BC/-/MAR//
SUBJ/PUBLIC KEY ENABLEMENT OF NAVY SECRET INTERNET PROTOCOL ROUTER NETWORK//
REF/A/DOC/DOD WASH DC/24MAY2011//
REF/B/DOC/CNSS/MAR2009//
REF/C/DOC/DOD WASH DC/14OCT2011//
REF/D/DOC/DOD WASH DC/13MAY2011//
NARR/REF A IS DOD INSTRUCTION 8520.02, PUBLIC KEY INFRASTRUCTURE (PKI) AND PUBLIC KEY (PK) ENABLING. REF B IS THE COMMITTEE ON NATIONAL SECURITY SYSTEMS (CNSS) POLICY NUMBER 25, NATIONAL POLICY FOR PUBLIC KEY INFRASTRUCTURE IN NATIONAL SECURITY SYSTEMS. REF C IS DOD CHIEF INFORMATION OFFICER MEMO, DOD SIPRNET PUBLIC KEY INFRASTRUCTURE CRYPTOGRAPHIC LOGON AND PUBLIC KEY ENABLEMENT OF SIPRNET APPLICATIONS AND WEB SERVERS. REF D IS DOD INSTRUCTION 8520.03, IDENTITY AUTHENTICATION FOR INFORMATION SYSTEMS. REFS A THROUGH D ARE LOCATED ON THE PKI PAGE OF THE INFOSEC WEB SITE AT HTTPS:(SLASH)(SLASH)INFOSEC.NMCI.NAVY.MIL(SLASH)PKI(SLASH)NSS.HTML. UNIFORM RESOURCE LOCATOR (URL) MUST BE IN ALL LOWERCASE.
POC/CDR JULIANA ROSATI/MIL/OPNAV N2N6BC4/LOC:WASH DC/TEL:(571)256-8523/TEL:DSN:260-8523/E-MAIL:JULIANA.ROSATI(AT)NAVY.MIL/
MS. KRISTEN WAYNE/CTR/OPNAV N2N6BC4/LOC:WASH DC/TEL:(571)256-8522/TEL:DSN:260-8522/E-MAIL:KRISTEN.WAYNE.CTR(AT)NAVY.MIL//
RMKS/1. IAW REFS A THROUGH D, THIS MESSAGE DIRECTS ACTION BY NAVY COMMANDERS TO SUPPORT PUBLIC KEY (PK) ENABLEMENT OF THE SECRET INTERNET PROTOCOL ROUTER NETWORK (SIPRNET).

2. SCOPE AND APPLICABILITY. THIS MESSAGE APPLIES TO ALL NAVY OWNED, OPERATED OR CONTROLLED SIPRNET-CONNECTED NETWORKS, WEB SERVERS, AND APPLICATIONS. THIS MESSAGE DOES NOT APPLY TO NETWORKS CLASSIFIED HIGHER OR LOWER THAN SECRET.

3. BACKGROUND. PK ENABLING ENHANCES THE SECURITY POSTURE OF THE GLOBAL INFORMATION GRID. REF A DIRECTS PK ENABLEMENT OF ALL SECRET AND UNCLASSIFIED DEPARTMENT OF DEFENSE (DOD) NETWORKS. REF B PROVIDES POLICY REGARDING THE USE OF PUBLIC KEY INFRASTRUCTURE (PKI) IN CLASSIFIED ENVIRONMENTS. PREVIOUS DOD AND NAVY EFFORTS HAVE FOCUSED ON PK ENABLING OF UNCLASSIFIED NETWORKS. REF C DIRECTS THE PK ENABLEMENT OF THE SIPRNET AND INCLUDES A SPECIFIC TIMELINE FOR IMPLEMENTATION IN DOD. REF D PROVIDES POLICY ON WHEN PKI MUST BE USED FOR AUTHENTICATION.

4. IMPLEMENTATION. DOD HAS DEVELOPED A PKI HARDWARE TOKEN, SIMILAR TO THE COMMON ACCESS CARD (CAC), FOR USE ON THE SIPRNET. FULL DEPLOYMENT OF THIS TOKEN BEGINS IN EARLY CALENDAR YEAR 2012 WITH A TARGETED COMPLETION DATE OF DECEMBER 2012 FOR ISSUANCE TO ALL SIPRNET USERS. TO ACCOMPLISH FULL OPERATIONAL CAPABILITY, ALL SIPRNET ACCOUNTS MUST BE ENABLED FOR CRYPTOGRAPHIC LOGON (CLO) BY 31 MARCH 2013. APPLICATIONS WHICH RELY ON ACTIVE DIRECTORY (AD) FOR AUTHENTICATION MUST BE PK-ENABLED BEFORE THIS DEADLINE TO ENABLE AD ACCOUNTS FOR CLO. ADDITIONALLY, ALL WEB SERVERS AND APPLICATIONS SHALL SUPPORT TWO-WAY PKI AUTHENTICATION WITH ACCESS REQUIRING PKI CREDENTIALS BY 30 JUNE 2013. USCYBERCOM WILL ESTABLISH A REPORTING PROCESS TO TRACK COMPLIANCE AND PROGRESS TOWARD MEETING THESE DEADLINES. SHIPS AND SUBMARINES SHALL IMPLEMENT SIPRNET CLO AS TECHNOLOGICALLY FEASIBLE. THIS IS DEPENDENT ON SPAWAR SIPRNET TOKEN BACK-FIT AND CLO BACK-FIT TO INTERNAL SHIPBOARD NETWORKS. NOTE: IN THE DOD INFORMATION TECHNOLOGY PORTFOLIO REPOSITORY - DEPARTMENT OF NAVY (DITPR-DON), "APPLICATIONS" DISCUSSED IN THIS NAVADMIN ARE CALLED "SYSTEMS."

5. DEFINITIONS. THE FOLLOWING DEFINES THE KEY TRUSTED ROLES INVOLVED IN THE TOKEN DISTRIBUTION PROCESS.
A. REGISTRATION AUTHORITY (RA). AN ENTITY (ORGANIZATION) NOMINATED BY OPNAV (N2N6BC) AND AUTHORIZED BY THE NATIONAL SECURITY SYSTEMS (NSS) DOD SUBORDINATE CERTIFICATION AUTHORITY SYSTEM (CAS) TO COLLECT, VERIFY, AND SUBMIT INFORMATION PROVIDED BY POTENTIAL SIPRNET ACCOUNT HOLDERS FOR ENTRY INTO PK CERTIFICATES. RA OPERATIONS ARE PERFORMED IAW THE CAS CERTIFICATION PRACTICE STATEMENT (CPS) AND THE NSS PKI DOD REGISTRATION PRACTICE STATEMENT (RPS). BOTH DOCUMENTS ARE AVAILABLE ON THE NAVY INFOSEC WEBSITE AT HTTPS:(SLASH)(SLASH)INFOSEC.NMCI.NAVY.MIL(SLASH)PKI(SLASH)NSS.HTML. NAVY RAS ARE LOCATED AT NAVAL COMMUNICATIONS SECURITY MATERIAL SYSTEM (NCMS) WASHINGTON DC; SPACE AND NAVAL WARFARE SYSTEMS COMMAND SYSTEMS CENTER ATLANTIC (SSC LANT) CHARLESTON, SC; AND NCMS DETACHMENT HAWAII.
B. REGISTRATION AUTHORITY OFFICER. AN INDIVIDUAL NOMINATED BY OPNAV (N2N6BC) AND AUTHORIZED BY THE NSS PKI DOD SUBORDINATE CAS TO EXECUTE THE RA FUNCTIONS OUTLINED IN PARA 5A. THE RA OFFICER IS RESPONSIBLE FOR CERTIFICATE REGISTRATION, REVOCATION, SUSPENSION, AND RESTORATION AS WELL AS KEY RECOVERY. THE FOLLOWING PRIVILEGES ARE UNIQUE TO RA OFFICERS: APPROVING THE REVOCATION OR SUSPENSION OF ANY CERTIFICATE; RESTORING SUSPENDED CERTIFICATES; REGISTERING AND TERMINATING LOCAL REGISTRATION AUTHORITIES; AND PERFORMING KEY RECOVERY OPERATIONS.
C. LOCAL REGISTRATION AUTHORITY (LRA). AN RA WITH RESPONSIBILITY FOR A LOCAL COMMUNITY. LRAS ARE AUTHORIZED BY THE NAVY RA TO PERFORM ONLY THE CERTIFICATE REGISTRATION FUNCTION WITHIN THEIR LOCALIZED REGION. THE LRA MAY PROVIDE CERTIFICATE REGISTRATION INSTRUCTIONS (CRI) TO ACCOUNT HOLDERS FOR CERTIFICATE ISSUANCE. THE NAVY HAS LRAS IN THE FOLLOWING FLEET CONCENTRATION AREAS: WASHINGTON, DC; SAN DIEGO, CA; PEARL HARBOR, HI; NORFOLK, VA; AND CHARLESTON, SC.
D. TRUSTED AGENT (TA). THE TA IS A UNIT-LEVEL INDIVIDUAL SPECIFICALLY ALIGNED TO AN LRA OR RA, BUT WITHOUT LRA PRIVILEGES. THE COMMANDING OFFICER, RA, OR LRA MAY APPOINT A TA. THE TA ISSUES TOKENS, TOKEN READERS, AND ASSOCIATED REGISTRATION INSTRUCTIONS AFTER PERFORMING IN-PERSON IDENTITY AND DOCUMENTATION VERIFICATION.

6. SIPRNET PKI TOKEN ISSUANCE PROCESS. TOKEN DISTRIBUTION WILL BE EXECUTED IAW THE NAVY IMPLEMENTATION PLAN (IP), WHICH ALIGNS WITH THE DOD SIPRNET TOKEN MANAGEMENT SYSTEM (TMS) CONCEPT OF OPERATIONS (CONOPS). BOTH DOCUMENTS ARE AVAILABLE ON THE NAVY INFOSEC WEBSITE AT HTTPS:(SLASH)(SLASH)INFOSEC.NMCI.NAVY.MIL(SLASH)PKI(SLASH)NSS.HTML. IN PRACTICE, THE SIPRNET TOKEN DISTRIBUTION WILL BE SIMILAR TO THE UNCLASSIFIED NAVY ALTERNATE LOGON TOKEN (ALT) PROGRAM. EXPERIENCE WITH THE ALT PROGRAM WILL BE VALUABLE TO ENSURE ACCURATE, EFFICIENT ISSUANCE OF THE SIPRNET TOKENS. PERSONNEL ASSIGNED AS ALT TRUSTED AGENTS ARE FAMILIAR WITH THE IDENTITY VERIFICATION PROCESS AND MAY BE UNIQUELY SUITED TO PERFORM THE SIPRNET PKI TA ROLE. INITIAL DEPLOYMENT WITHIN THE NAVY WILL CONCENTRATE ON ISSUING TOKENS TO USER AND ADMINISTRATOR ACCOUNTS ON THE NAVY MARINE CORPS INTRANET (NMCI). NAVY RAS WILL DISTRIBUTE TOKENS TO LRAS IN FLEET CONCENTRATION AREAS. SIPRNET TOKENS SHALL ONLY BE USED WITH NATIONAL SECURITY AGENCY (NSA)-PROVIDED TOKEN READERS AND NOT WITH READERS EMBEDDED IN THE MACHINE OR KEYBOARD. SSC LANT WILL PROVIDE THE READERS; PARA 7B PERTAINS. WITH THE EXCEPTION OF SYSTEM ADMINISTRATORS, SIPRNET TOKENS ARE NOT CURRENTLY AVAILABLE FOR FUNCTIONAL (E.G., WATCHSTANDER, GROUP, ETC.) ACCOUNTS. FLTCYBERCOM WILL ISSUE GUIDANCE VIA A NAVY TELECOMMUNICATIONS DIRECTIVE OR COMMUNICATIONS TASKING ORDER WHEN THE CAPABILITY EXISTS FOR SIPRNET TOKENS TO SUPPORT GROUP AND ROTATING ROLE-BASED FUNCTIONAL ACCOUNTS, FUNCTIONAL MAILBOXES, AND SERVICE ACCOUNTS.
A. TO FACILITATE TOKEN ISSUANCE, COMMANDS SHALL ASSIGN A MINIMUM OF THREE (3) SIPRNET PKI TRUSTED AGENTS (TAS) TO ASSIST THE LRAS TO WHOM THEY ARE ALIGNED. HOWEVER, COMMANDS ARE ENCOURAGED TO ASSIGN AS MANY AS POSSIBLE. AT LEAST ONE OF THE COMMAND'S SIPRNET PKI TAS MUST BE DUAL-HATTED AS THE INFORMATION ASSURANCE MANAGER (IAM), INFORMATION ASSURANCE OFFICER, OR SECURITY OFFICER. TWO TAS ARE REQUIRED TO ISSUE A TOKEN: ONE ISSUES THE TOKEN; THE OTHER ISSUES THE ASSOCIATED TEMPORARY PERSONAL IDENTIFICATION NUMBER (PIN). THE ROLE OF ONE OF THESE TAS CAN BE EXECUTED BY AN LRA IF THE LRA IS PROVIDING THE ENROLLMENT CRI. PKI TAS SHALL COMPLETE THE TRAINING AVAILABLE AT HTTPS:(SLASH)(SLASH)INFOSEC.NMCI.NAVY.MIL(SLASH)PKI(SLASH)NSS.HTML. PROCEDURES TO ESTABLISH A TA ARE ALSO LOCATED AT THIS UNIFORM RESOURCE LOCATOR (URL).
B. COMMANDS AND SHIPS MAY NOMINATE LRAS IN ADDITION TO TAS IF DESIRED. ONLY NCMS WASHINGTON DC CAN AUTHORIZE LRAS. SEE PARA 7D FOR POINT OF CONTACT INFORMATION TO MAKE LRA REQUESTS. DUE TO THE INCREASED LEVEL OF AUTHORITY AND RESPONSIBILITY GIVEN TO LRAS, THEY MUST SUCCESSFULLY COMPLETE A NO-COST DEFENSE INFORMATION SYSTEMS AGENCY (DISA) NATIONAL SECURITY SYSTEMS TRAINING COURSE IN PERSON. LRA TRAINING IS AVAILABLE AT NCMS WASHINGTON DC, NORFOLK, AND SAN DIEGO. MOBILE TRAINING TEAMS ARE ALSO AVAILABLE FOR WORLDWIDE TRAINING ON A LIMITED, COST BASIS. CONTACT THE NCMS WASHINGTON DC POINT OF CONTACT IN PARA 7D TO COORDINATE. THE LRA TRAINING SCHEDULE IS AVAILABLE AT HTTPS:(SLASH)(SLASH)INFOSEC.NMCI.NAVY.MIL(SLASH)PKI(SLASH)LRAMAIN.HTML. THE TRAINING MATERIAL IS AVAILABLE AT HTTP:(SLASH)(SLASH)IASE.DISA.MIL(SLASH)PKI-PKE(SLASH).

7. ACTION.
A. COMMANDERS MUST BE PREPARED TO SUPPORT THE ISSUANCE OF SIPRNET TOKENS TO AUTHORIZED PERSONNEL UNDER THEIR COGNIZANCE, INCLUDING ASSOCIATED USER TRAINING AND FAMILIARIZATION. FAILURE TO DO SO MAY RESULT IN USERS BEING UNABLE TO ACCESS THEIR SIPRNET ACCOUNTS.
B. BY 31 MARCH 2012, COMMANDS SHALL IDENTIFY AT LEAST THREE (3) PKI TRUSTED AGENTS TO FACILITATE ISSUING TOKENS WHEN FULL DEPLOYMENT BEGINS. ONCE ALL TRAINING AND ADMINISTRATIVE REQUIREMENTS ARE MET, SEND THE NAMES OF AUTHORIZED TAS AND LRAS (AS APPLICABLE) TO MS. BETTY COLLINS/BETTY.COLLINS(AT)NAVY.SMIL.MIL/843-218-4633 AND MS. MARJORIE DIXSON/MARJORIE.DIXSON1(AT)NAVY.SMIL.MIL/240-857-7709. ADDITIONALLY, BY 31 MARCH, PROVIDE THE TOTAL NUMBERS OF TOKENS AND TOKEN READERS REQUIRED BY THE COMMAND. WHEN CALCULATING THE NUMBER OF TOKENS, ACCOUNT FOR ONE TOKEN FOR EACH SIPRNET USER AND ONE FOR EACH SYSTEM ADMINISTRATOR ACCOUNT. WHEN CALCULATING THE NUMBER OF TOKEN READERS, ACCOUNT FOR ONE CARD READER FOR EACH SIPRNET MACHINE, AND TWO READERS FOR EACH WORKSTATION THAT WILL BE USED TO EXECUTE TOKEN ISSUANCE (TA, LRA, AND KIOSK WORKSTATIONS). FUNDING HAS BEEN ALLOCATED TO PROVIDE TOKEN READERS DURING THE INITIAL TOKEN ROLLOUT. COMMANDS WILL BE RESPONSIBLE FOR PROCUREMENT OF TOKEN READERS FOR SUSTAINMENT STARTING IN FY15.
C. ON NMCI, TA, LRA, AND KIOSK WORKSTATIONS WILL REQUIRE SPECIALIZED SOFTWARE FOR TOKEN ISSUANCE CAPABILITY. TO RECEIVE THE SOFTWARE, SEND WORKSTATION INFORMATION [MACHINE NAME, SITE (PHYSICAL SITE IDENTIFIER (PSI) CODE), AND SEAT POC E-MAIL] TO LTJG SHANNON BUCKLEY/SHANNON.R.BUCKLEY(AT)NAVY.MIL/619-553-3382 BY 31 MARCH.
D. COMMANDS DESIRING TO ESTABLISH THEIR OWN LRA SHOULD CONTACT THE NAVY RA AT NCMS BY 31 MARCH 2012. THE POC IS MS. MARJORIE DIXSON/MARJORIE.DIXSON1(AT)NAVY.SMIL.MIL/240-857-7709.
E. PROGRAM OFFICES AND EXCEPTED NETWORK OWNERS SHALL PROVIDE THE REQUIREMENTS FOR APPROPRIATE ENABLEMENT AND SUSTAINMENT FUNDING TO THEIR RESOURCE SPONSOR.
F. BY 31 MARCH 2012, COMMANDS SHALL ENSURE THEIR AD PERSONNEL ENTRIES REFLECT THE MOST ACCURATE AND CURRENT LIST OF USERS. AN INACCURATE AD MAY RESULT IN UNNECESSARY DELAYS DURING TOKEN ISSUANCE. COMMANDS SHALL DISABLE ACCOUNTS OF PERMANENTLY DETACHING PERSONNEL TO MAINTAIN SIPRNET ACCESS INTEGRITY.

8. TECHNICAL GUIDANCE AND USEFUL LINKS. ADDITIONAL RELEVANT INFORMATION IS LOCATED ON THE NAVY INFOSEC WEB SITE AT HTTPS:(SLASH)(SLASH)INFOSEC.NMCI.NAVY.MIL(SLASH)PKI OR ON THE SIPRNET AT HTTPS:(SLASH)(SLASH)INFOSEC.NAVY.SMIL.MIL(SLASH)PKI. IAMS, LRAS AND TAS SHOULD SUBSCRIBE TO THE INFOSEC MAILING LIST AT HTTPS:(SLASH)(SLASH)INFOSEC.NMCI.NAVY.MIL(SLASH)SUBSCRIBE(SLASH)INDEX.JSP TO RECEIVE E-MAIL UPDATES OF NEW PKI ANNOUNCEMENTS AND TRAINING MATERIALS.

9. TIMELINE SUMMARY.
A. COMMANDS MUST:
(1) ESTABLISH AT LEAST THREE (3) TAS BY 31 MARCH 2012.
(2) SUBMIT TOKEN, TOKEN READER, AND WORKSTATION INFORMATION BY 31 MARCH 2012.
(3) SCRUB ACTIVE DIRECTORY ACCOUNTS BY 31 MARCH 2012.
B. A SIPRNET PKI TOKEN IS REQUIRED FOR ALL SIPRNET USERS BY 31 DECEMBER 2012.
C. ALL SIPRNET ACCOUNTS MUST BE ENABLED TO USE CLO BY 31 MARCH 2013.
D. APPLICATIONS THAT RELY UPON ACTIVE DIRECTORY FOR AUTHENTICATION MUST BE PK-ENABLED BEFORE 31 MARCH 2013.
E. ALL WEB SERVERS AND APPLICATIONS (SYSTEMS) SHALL SUPPORT CLIENT-SIDE PKI AUTHENTICATION WITH ACCESS REQUIRING PKI CREDENTIALS BY 30 JUNE 2013.

10. THIS NAVADMIN WILL REMAIN IN EFFECT UNTIL CANCELLED OR SUPERSEDED.

11. REQUEST WIDEST DISSEMINATION.

12. RELEASED BY VADM KENDALL L. CARD, OPNAV N2N6.//
BT
#0000
NNNN
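The following is an added editorial illustration and is not part of NAVADMIN 084/12 or any Navy-issued tooling. It shows how a command's IAM could measure the Active Directory side of paragraphs 4, 7F and 9 (accounts not yet enforcing cryptographic logon, and accounts with no recent logon that should be checked against personnel records before being disabled). It assumes the RSAT ActiveDirectory PowerShell module; the OU path and the 90-day review window are placeholders.

```powershell
# Added example, not part of the NAVADMIN. Assumes the ActiveDirectory module and
# a command-specific OU; the OU distinguished name and 90-day window are placeholders.
Import-Module ActiveDirectory

$SearchBase = 'OU=EXAMPLE-COMMAND,DC=example,DC=mil'   # placeholder OU
$StaleDays  = 90                                       # assumed review window

function Get-SiprCloReadiness {
    # One row per enabled user: is smart-card logon enforced, and when did it last log on?
    param([string]$Base = $SearchBase, [int]$Days = $StaleDays)
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ADUser -SearchBase $Base -Filter 'Enabled -eq $true' `
        -Properties SmartcardLogonRequired, LastLogonDate |
    ForEach-Object {
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            CloEnforced    = [bool]$_.SmartcardLogonRequired
            LastLogonDate  = $_.LastLogonDate
            # No logon inside the window: candidate for the para 7F scrub. Confirm
            # against personnel records before disabling; an inactive account is not
            # necessarily a detached member.
            ReviewForScrub = (-not $_.LastLogonDate) -or ($_.LastLogonDate -lt $cutoff)
        }
    }
}

function Enable-SiprClo {
    # Set "smart card is required for interactive logon" on the listed accounts.
    # Enforce only after the holder has a token in hand (para 7A): enforcing first
    # locks the user out. Run with -WhatIf to preview the change.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$Users)
    foreach ($u in $Users) {
        if ($PSCmdlet.ShouldProcess($u, 'Set SmartcardLogonRequired = true')) {
            Set-ADUser -Identity $u -SmartcardLogonRequired $true
        }
    }
}

# Where the command stands against the 31 MAR 2013 CLO deadline (para 9C).
$report = Get-SiprCloReadiness
$report | Where-Object { -not $_.CloEnforced } |
    Format-Table SamAccountName, LastLogonDate, ReviewForScrub -AutoSize
'{0} of {1} enabled accounts already require smart-card logon' -f `
    @($report | Where-Object CloEnforced).Count, @($report).Count
```

Accounts of permanently detaching personnel identified from the ReviewForScrub column are disabled with the standard Disable-ADAccount cmdlet once the detachment is confirmed; the report itself changes nothing.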