Implementation of DoD Public Key Infrastructure (PKI) and Public Key Enablement
This MARADMIN restates Department of Defense policy requiring implementation of Public Key Infrastructure (PKI) and Public Key Enablement (PKE) across the Marine Corps. All Marines must use Common Access Cards (CAC) with PKI certificates for secure network access, email signing/encryption, and authentication to private web servers and applications. Commanders must ensure CAC readers are deployed on all NIPRNET workstations and that private web servers are PKI-enabled to comply with DOD security requirements.
Issued: May 4, 2005
1. THIS IS A DC C4 AND DC I&L COORDINATED MESSAGE. AS WE MOVE STEADILY INTO THE FUTURE, NET CENTRIC CONCEPTS WILL PROVIDE ACCESS TO INFORMATION RESOURCES NEEDED TO BE SUCCESSFUL WHETHER IN GARRISON OR DEPLOYED. SECURE, TRUSTED ACCESS TO INFORMATION RESOURCES IS VITAL TO THE SUCCESSFUL IMPLEMENTATION OF NET CENTRIC CONCEPTS. FOR EXAMPLE, IN THE PAST A DEPLOYED MARINE USING MERIT (MARINE CORPS EQUIPMENT READINESS INFORMATION TOOL) WOULD ACCESS INFORMATION UTILIZING A USERNAME AND PASSWORD. SIMILARLY, DEPLOYED MARINES NEEDING ACCESS TO MAINTENANCE PUBS WOULD ACCESS THE LOGCOM OR OTHER APPROPRIATE WEB SITE USING USERNAME AND PASSWORD. PRIOR TO THE DEPLOYMENT OF DTS (DEFENSE TRAVEL SYSTEM) A MARINE WOULD USE A PAPER FORM TO REQUEST AND AUTHORIZE OFFICIAL TRAVEL AS WELL AS SETTLE THE TRAVEL CLAIM.

2. SECURE, TRUSTED ACCESS TO INFORMATION RESOURCES DEPENDS ON THE USE OF PERSONAL CERTIFICATES ISSUED BY THE DOD PKI. A PKI CERTIFICATE IS A TRUSTED METHOD OF IDENTIFYING AN INDIVIDUAL DIGITALLY ON A NETWORK, THEREBY REDUCING PASSWORD MANAGEMENT REQUIREMENTS. TODAY A MARINE FORWARD DEPLOYED WILL GAIN ACCESS TO MERIT AND ONLINE MAINTENANCE PUBS VIA A DIGITAL CERTIFICATE LOCATED ON HIS CAC. A MARINE USING DTS WILL USE THE CAC TO ACCESS HIS ACCOUNT AS WELL AS DIGITALLY SIGN TRAVEL REQUESTS AND VOUCHERS, ALLOWING FOR PAPERLESS TRANSACTIONS. BY USING A CAC READER ON THE WORKSTATION THE MARINE IS ASKED TO PROVIDE HIS PERSONAL IDENTIFICATION NUMBER (PIN) TO BOTH UNLOCK AND PROVIDE HIS CERTIFICATE TO A PUBLIC KEY ENABLED SYSTEM. IN THE EVENT THAT A CAC READER IS UNAVAILABLE A "SOFTWARE CERTIFICATE" CAN BE ISSUED. A LOCAL REGISTRATION AUTHORITY (LRA) HAS THE ABILITY TO ISSUE INDIVIDUAL SOFTWARE CERTIFICATES VIA TRANSPORTABLE MEDIA. THESE SOFTWARE CERTIFICATES CAN THEN BE LOADED INTO THE WORKSTATION'S WEB BROWSER AND ACCESSED BY THE USER VIA A PASSWORD. SOFTWARE CERTIFICATES MAY BE USED IN LIEU OF A CAC CERTIFICATE ONLY WHEN OPERATIONALLY REQUIRED.

3. THE PURPOSE OF THIS MARADMIN IS TO RESTATE POLICY FOR IMPLEMENTATION OF DOD PKI AND PKE WITHIN THE MARINE CORPS IAW REF A. PKI IS THE FRAMEWORK ESTABLISHED TO ISSUE, MAINTAIN, AND REVOKE PUBLIC KEY CERTIFICATES. PKE IS THE USE OF CERTIFICATES FOR SECURITY SERVICES SUCH AS AUTHENTICATION, CONFIDENTIALITY, DATA INTEGRITY, AND NONREPUDIATION. PKE INVOLVES REPLACING EXISTING OR CREATING NEW USER AUTHENTICATION SYSTEMS THAT USE CERTIFICATES INSTEAD OF OTHER TECHNOLOGIES SUCH AS USER ID AND PASSWORD. DOD PKI CERTIFICATES ARE ISSUED ON THE CAC IN ACCORDANCE WITH REF A.

4. BACKGROUND.
A. PER REF A, DOD WEBSITES HOSTING LOGISTICAL INFORMATION, PERSONAL INFORMATION, MISSION RELATED DATA OR ANY INFORMATION NOT AUTHORIZED FOR PUBLIC RELEASE ARE NOW REQUIRED BY DOD TO BE PUBLIC KEY ENABLED AND, IN ACCORDANCE WITH REF A, ARE REFERRED TO AS PRIVATE WEB SERVERS. DOD SERVICES AND AGENCIES HAVE ALREADY BEGUN TO PUBLIC KEY ENABLE PRIVATE WEB SERVERS AND APPLICATIONS SUCH AS DEFENSE TRAVEL SYSTEM (DTS), GIG ENTERPRISE SERVICES (GES) PORTAL, GLOBAL DIRECTORY SERVICES, AND OUTLOOK WEB ACCESS (OWA). REF B PROVIDED IMPLEMENTATION MILESTONES TO ENSURE THE MARINE CORPS' COMPLIANCE WITH THIS DOD POLICY. THOSE MILESTONES INCLUDED:
(1). AS OF OCT 2004 USMC USERS SHALL DIGITALLY SIGN E-MAIL MESSAGES REQUIRING MESSAGE INTEGRITY AND/OR NON-REPUDIATION, AND ENCRYPT MESSAGES CONTAINING SENSITIVE INFORMATION AS DETAILED IN REF D.
(2). BY 1 FEB 2005, ALL MARINE CORPS PRIVATE WEB SERVERS, WEB BASED APPLICATIONS AND NETWORKS REQUIRING PUBLIC KEY ENABLING WERE TO BE IDENTIFIED.
(3). AS OF APR 2005 ALL NON-CLASSIFIED WORKSTATIONS WERE TO HAVE CAC READERS DEPLOYED, WHICH WAS AN EXTENSION FROM THE ORIGINAL MANDATE OF OCT 2004.
(4). AFTER APR 2005 THE USE OF PRIVATE WEB SERVERS AND APPLICATIONS THAT HAVE NOT BEEN ENABLED OR WHICH HAVE NOT YET SUBMITTED A POA&M SHOULD BE DISCONTINUED.
B. THERE ARE TWO WAYS TO OBTAIN PERSONAL DOD PKI CERTIFICATES. THE PRIMARY IS ISSUANCE OF DOD PKI CERTIFICATES ON THE CAC, PROVIDING ONE TOKEN AS AN ENABLER FOR LOGICAL ACCESS TO UNCLASSIFIED NETWORKS AND RESOURCES. ALTERNATIVELY, INDIVIDUALS MAY BE ISSUED DOD PKI SOFTWARE CERTIFICATES IN ACCORDANCE WITH REF B DUE TO MISSION NEED.

5. ACTION.
A. COMMANDERS, G-6, AND FUNCTIONAL AREA ADVOCATES:
(1). ENSURE CAC READERS AND MIDDLEWARE ARE DEPLOYED ON ALL NIPRNET WORKSTATIONS. ANY ISSUES REGARDING CAC READERS AND MIDDLEWARE WILL BE DIRECTED TO THE MCNOSC PKI HELPDESK.
(2). PUBLIC KEY ENABLE PRIVATE WEB SERVERS AND APPLICATIONS:
(A). IDENTIFY PRIVATE WEB SERVERS AND WEB BASED APPLICATIONS REQUIRING PKI IN ACCORDANCE WITH REF B.
(B). DEVELOP POA&MS IMMEDIATELY FOR WEB SERVERS AND APPLICATIONS THAT ARE NOT PUBLIC KEY ENABLED. A POA&M SHALL AT A MINIMUM PROVIDE DETAILS AS TO WHY THE WEB SERVER/APPLICATION CANNOT BE PUBLIC KEY ENABLED BY THE DEADLINE AND PROVIDE A TIMELINE AS TO WHEN ENABLEMENT WILL BE COMPLETE. IN ACCORDANCE WITH REF B THE DUE DATE FOR THE SUBMISSION OF IDENTIFICATION OF PRIVATE WEB SERVERS AND APPLICATIONS AND POA&MS WAS 30 APR 2005. HQMC C4 IS SEEKING AN EXTENSION OF THIS DEADLINE TO 1 JUN 2005.
(C). NON-COMPLIANCE PLACES PRIVATE INFORMATION AT RISK, IS NOT IN COMPLIANCE WITH REF A, AND MAY RESULT IN ACTION BEING TAKEN BY THE MCEN DAA TO ISOLATE NON-COMPLIANT APPLICATIONS AND WEB SERVERS FROM THE NETWORK.
(3). CRYPTOGRAPHIC LOGON TO UNCLASSIFIED NETWORKS. REF B REQUIRES THE USE OF THE CAC AND PERSONAL IDENTIFICATION NUMBER (PIN) FOR AUTHENTICATION AND ACCESS TO UNCLASSIFIED NETWORKS. AT THIS TIME THE IMPLEMENTATION OF THIS MILESTONE WILL BE MET IN THE GARRISON ENVIRONMENT BY NMCI. ANY UNCLASSIFIED NETWORK NOT PARTICIPATING IN NMCI THAT HAS NOT STARTED CRYPTOGRAPHIC LOGON WILL CONTACT THE MCNOSC PKI HELPDESK FOR IMPLEMENTATION GUIDANCE.
B. NETWORK USERS.
(1). ENSURE YOUR WORKSTATION HAS A CAC READER.
(2). ENSURE YOU USE YOUR CAC.
(3). WHEN A WORKSTATION DOES NOT HAVE A CAC READER, OBTAIN A SOFTWARE CERTIFICATE FROM AN LRA IF OPERATIONALLY REQUIRED.
(4). DIGITALLY SIGN AND/OR ENCRYPT EMAIL IN ACCORDANCE WITH REF D.

6. ONLY THROUGH A COMBINATION OF NETWORK PROTECTIVE MEASURES FOR PRIVATE INFORMATION, USE OF CAC READERS AND THE USE OF PKI CERTIFICATES CAN THE FULL CAPABILITY OF NET CENTRIC CONCEPTS BE REALIZED AND THE INFORMATION ON OUR NETWORKS ASSURED.
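Paragraph 3 defines PKI as the framework that issues, maintains and revokes certificates, and PKE as replacing user ID/password authentication with certificate-based authentication; paragraph 5.A.(2) then directs that private web servers be public key enabled. The following Go program is an added illustration of what that check looks like inside a relying application; it is not code from the MARADMIN or from any Marine Corps system. It uses only the Go standard library. The root CA, the untrusted CA, the user names and the serials are all constructed stand-ins, the P-256 keys and the one-day CRL are choices made for the example, and the message says nothing about the real DoD PKI's certificate profiles or revocation mechanism, so none of that should be read as describing them. The point it demonstrates is that a PK-enabled application establishes identity from the certificate's subject only after chaining it to a trusted root, checking the client-authentication usage and validity period, and consulting a fresh, issuer-signed revocation list, so that a lost card's certificate, an expired certificate and a certificate from an unknown issuer are all rejected without any password being involved.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// try unwraps (value, error) pairs in setup code, which has no sensible fallback.
func try[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert generates a P-256 key and a certificate for cn: with isCA a self-signed root (a constructed stand-in for a
// DoD PKI root) able to sign certificates and CRLs, otherwise a user's client-authentication certificate signed by parent/parentKey.
func newCert(cn string, isCA bool, notBefore, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := try(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: try(rand.Int(rand.Reader, big.NewInt(1<<62))), // random serial; a real CA guarantees uniqueness
		Subject: pkix.Name{CommonName: cn}, NotBefore: notBefore, NotAfter: notAfter,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
		parent, parentKey = tmpl, key
	}
	der := try(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return try(x509.ParseCertificate(der)), key
}

// newCRL signs a one-day revocation list (DER) naming the given certificates.
func newCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, now time.Time, revoked ...*x509.Certificate) []byte {
	rl := &x509.RevocationList{Number: big.NewInt(now.Unix()), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, r := range revoked {
		rl.RevokedCertificates = append(rl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: r.SerialNumber, RevocationTime: now})
	}
	return try(x509.CreateRevocationList(rand.Reader, rl, ca, caKey))
}

// authenticate is the check a public key enabled application performs in place of a username/password lookup:
// chain the certificate to a trusted root as of now with the client-auth usage, require an issuer-signed, fresh
// CRL that does not list the serial, and return the subject CN as the authenticated identity.
func authenticate(cert *x509.Certificate, roots *x509.CertPool, crlDER []byte, now time.Time) (string, error) {
	chains, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return "", fmt.Errorf("chain validation failed: %w", err)
	}
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return "", fmt.Errorf("bad CRL: %w", err)
	}
	if err := rl.CheckSignatureFrom(chains[0][1]); err != nil { // chains[0][1] is the leaf's issuer
		return "", fmt.Errorf("CRL not signed by issuer: %w", err)
	}
	if now.After(rl.NextUpdate) { // an expired CRL says nothing about current status
		return "", fmt.Errorf("CRL is stale; revocation status unknown")
	}
	for _, r := range rl.RevokedCertificates {
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return "", fmt.Errorf("certificate revoked")
		}
	}
	return cert.Subject.CommonName, nil
}

// demo runs the four cases a relying party must distinguish; all names are constructed.
func demo() map[string]string {
	now, year := time.Now(), 365*24*time.Hour
	dod, dodKey := newCert("Example Root CA (constructed)", true, now.Add(-time.Hour), now.Add(10*year), nil, nil)
	rogue, rogueKey := newCert("Untrusted CA (constructed)", true, now.Add(-time.Hour), now.Add(10*year), nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(dod)
	cases := map[string]*x509.Certificate{} // user private keys would stay on the card, so they are dropped here
	cases["valid"], _ = newCert("DOE.JANE.A.0000000000", false, now.Add(-time.Hour), now.Add(3*year), dod, dodKey)
	cases["revoked"], _ = newCert("DOE.JOHN.B.0000000001", false, now.Add(-time.Hour), now.Add(3*year), dod, dodKey)
	cases["expired"], _ = newCert("SMITH.ALEX.C.0000000002", false, now.Add(-2*year), now.Add(-24*time.Hour), dod, dodKey)
	cases["untrusted-issuer"], _ = newCert("DOE.JANE.A.0000000000", false, now.Add(-time.Hour), now.Add(3*year), rogue, rogueKey)
	crl := newCRL(dod, dodKey, now, cases["revoked"]) // the lost card's certificate is revoked
	out := map[string]string{}
	for name, cert := range cases {
		if id, err := authenticate(cert, roots, crl, now); err != nil {
			out[name] = "rejected: " + err.Error()
		} else {
			out[name] = "authenticated as " + id
		}
	}
	return out
}

func main() {
	fmt.Println(demo())
}
```

Running it prints one verdict per case: only the certificate chained to the trusted root, within its validity period, carrying the client-authentication usage and absent from the current CRL yields an identity; the other three are refused with the reason. The stale-CRL branch is the detail most often skipped in practice: a relying party that keeps honoring an old CRL after its NextUpdate has no current knowledge of revocations and should fail closed.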