Implementation of an Alternate Token to Enable Cryptographic Logon (CLO) for System Administrators on the Marine Corps
This MARADMIN directs the implementation of an approved alternate token to enable Cryptographic Logon (CLO) for system administrators on the Marine Corps Enterprise Network (MCEN) and USMC NMCI Community of Interest. The alternate token will reduce the number of accounts still using username and password for NIPRNET access, addressing technical limitations that previously exempted system administrators from CLO enforcement.
Issued: February 2, 2007
1. PURPOSE. THE PURPOSE OF THIS MESSAGE IS TO DIRECT ACTIONS IN ORDER TO IMPLEMENT THE USE OF AN APPROVED ALTERNATE TOKEN FOR SYSTEM ADMINISTRATORS ON THE MCEN THEREBY REDUCING THE NUMBER OF ACCOUNTS STILL USING USERNAME AND PASSWORD FOR ACCESS TO THE NIPRNET.
2. BACKGROUND. REF A DIRECTED THE ACCELERATED IMPLEMENTATION OF DOD PKI ON THE NIPRNET. A MAJOR TASK OF REF A WAS THE IMPLEMENTATION OF CRYPTOGRAPHIC LOGON (CLO). CLO IS DEFINED AS THE USE OF A COMMON ACCESS CARD (CAC) AND PERSONAL IDENTIFICATION NUMBER (PIN) TO LOG ON TO NETWORK COMPUTERS. DUE TO SEVERAL TECHNICAL LIMITATIONS AND DOD POLICIES, AUTHORIZED ACCOUNT TYPES LISTED IN REF B HAVE BEEN IDENTIFIED AS EXCEPTION ACCOUNTS AND ARE CURRENTLY EXEMPT FROM CLO ENFORCEMENT. THROUGH THE APPROVAL FOR THE USE OF THE ALTERNATE TOKEN ON THE NIPRNET, THE DOD ASD NII CIO HAS PROVIDED A MEANS TO OVERCOME THE TECHNICAL AND DOD POLICY ISSUES THAT PREVIOUSLY EXEMPTED AUTHORIZED ACCOUNT TYPES, SUCH AS SYSTEM ADMINISTRATORS, FROM ENFORCEMENT OF CLO.
3. GOAL. THE GOAL OF THIS MESSAGE IS TO PROVIDE DIRECTION AND GUIDANCE FOR REDUCING THE NUMBER OF EXCEPTION ACCOUNTS LISTED UNDER REF B. THIS MESSAGE DIRECTS THE ISSUANCE AND USE OF AN ALTERNATE TOKEN BY SYSTEM ADMINISTRATORS ON THE MCEN AND THE USMC NAVY AND MARINE CORPS INTRANET (NMCI) COMMUNITY OF INTEREST (COI). THE ULTIMATE GOAL IS TO ELIMINATE ALL USE OF USERNAME/PASSWORD ON THE NIPRNET, THROUGH TECHNOLOGICAL ADVANCES AND/OR POLICY CHANGES.
4. POLICY. RECOGNIZING THAT THERE ARE CERTAIN USER GROUPS WITHIN THE MARINE CORPS WHERE DOD PKI CERTIFICATES ON A COMMON ACCESS CARD (CAC) CANNOT BE USED TO ACCESS NETWORK RESOURCES, THIS MARADMIN PERMITS THE USE OF AN ALTERNATE TOKEN AS SPECIFIED BELOW:
A. IN ACCORDANCE WITH THE REFS, AND CONTINGENT UPON THE FULFILLMENT OF RESPONSIBILITIES OUTLINED IN PARAGRAPH 5 OF THIS DIRECTIVE, THE USE OF AN ALTERNATE TOKEN FOR ACCESS TO MARINE CORPS ENTERPRISE NETWORK RESOURCES IS AUTHORIZED FOR SYSTEM ADMINISTRATORS. ADDITIONAL USER COMMUNITIES WILL BE ADDRESSED IN A FUTURE MARADMIN.
B. THE ALTERNATE TOKEN WILL BE ISSUED SPECIFICALLY FOR LOGICAL ACCESS TO THE NIPRNET AND MCEN RESOURCES. IT IS NOT INTENDED TO PROVIDE ANY PHYSICAL SECURITY ACCESS NOR WILL IT BE CONSIDERED A VALID FORM OF IDENTIFICATION.
5. ACTION.
A. MCNOSC.
1). UPDATE THE USMC CERTIFICATE PRACTICE STATEMENT (CPS) FOR REGISTRATION AUTHORITIES (RAS) AND LOCAL REGISTRATION AUTHORITIES (LRAS) TO ALLOW FOR THE ISSUANCE OF AN ALTERNATE TOKEN.
2). PROVIDE A PLAN OF ACTION AND MILESTONES (POA&M) FOR THE OPERATIONAL TESTING AND IMPLEMENTATION OF AN ALTERNATE TOKEN IN ACCORDANCE WITH REF C FOR USE BY SYSTEM ADMINISTRATORS BY 15 DEC 2006. POA&M WILL INCLUDE LIST OF RESOURCES REQUIRED TO IMPLEMENT; DEVELOPMENT OF CONCEPT OF OPERATIONS AND STANDARD OPERATING PROCEDURES FOR ISSUANCE AND REVOCATION; DATE FOR INITIAL OPERATIONAL CAPABILITY; AND DATE FOR FULL OPERATIONAL CAPABILITY.
3). COORDINATE AS NECESSARY WITH NMCI TO ENSURE INTEROPERABILITY ACROSS THE MCEN AND USE ON USMC NMCI COI.
4). COORDINATE AS NECESSARY WITH MARCORSYSCOM TO ENSURE PROPER IMPLEMENTATION OF REQUIREMENTS.
B. C4, IA. UPON APPROVAL OF POA&M AND FULL OPERATIONAL CAPABILITY OF ALTERNATE TOKEN PROCESS, UPDATE REF B TO REFLECT CHANGE IN AUTHORIZED EXCEPTION LIST.
6. TECHNICAL INQUIRIES SHOULD BE DIRECTED TO THE MCNOSC OPERATIONS CENTER AT DSN 278-5300, COMM 703-784-5300, OR UNCLAS E-MAIL: SMB USMC MCNOSC COMMAND CENTER@MCNOSC.USMC.MIL.