Army Internet-Based Training: Public Key Infrastructure And Information Security Requirements


Major Alan L. Gunnerson
United States Army Distributed Learning Program (TADLP)
Fort Monroe, Virginia
MBA Information Technology Student, University of Dallas, Irving, Texas

Abstract: The Department of Defense's mandate of a public key infrastructure (PKI) will have an impact on the Army's Distributed Learning Program (TADLP). The Army's Executive Agent for the PKI/Common Access Card (CAC) is the office of the Secure Electronic Transactions-Devices; which has established the program to field the Army's PKI/CAC/digital certificate devices through TADLP is the Army's program to provide standard distributed individual, collective, and self-development training to all Army soldiers anywhere in the world - whether at home using their personal computer, at work using their office computer, on travel, or deployed in the field. Distributed learning in the information age has unleashed the potential to transform Army training, providing the Army with a capability for obtaining the state of readiness necessary to accomplish the Army mission. This paper describes each program and the additional security impacts of the PKI/CAC program on the Army's Distributed Learning Program.

1. References

Army Training Division, National Guard Bureau (NGB) (2002). Army National Guard Distributed Learning Guide, Version 1c.
Department of Defense (DOD) Directive (1988). Security Requirements for Automated Information Systems.
DOD Instruction (1997). DOD Information Technology Security Certification and Accreditation Process (DITSCAP).
DOD Public Key Infrastructure Program Management Office (DOD PKI PMO) (2000). Public Key Infrastructure Roadmap for the Department of Defense Version 5.0.
DOD Public PKI PMO (2002). X.509 Certificate Policy for the Department of Defense Version 6.0.
Mulrine, Anna. USNews.com article. (Special Report: E-Learning October 28, 2002). Online Ed: It's in the Army now: A popular new program allows soldiers to study at home and abroad.
New, William. (2002). Broadband Guardians. GovExec.com.
Office of the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence (OASD C3I) Memorandum (2002, January 30). Subject: Army Knowledge Online (AKO).
OASD C3I Memorandum (2002, May 21). Subject: Public Key Infrastructure (PKI) Policy Update.
OASD C3I Memorandum (1996, January 4). Subject: Uniformed Badge System for the Department of Defense.
OASD C3I Message (291900Z July 2002). SUBJECT: UNCLAS ALARACT 0077/2002, Update for Implementation of Public Key Infrastructure and Common Access Card and the Public Key Enabling of Applications, Web Servers, and Networks in the Department of the Army.
Program Manager, Secure Electronic Transactions-Devices (PM SET-D) website:
United States Army Training and Doctrine Command (USA TRADOC) Deputy Chief of Staff for Training (DCST) Training Development and Analysis Directorate (TDAD). (2001). The Army Distance Learning Program Campaign Plan
USA TRADOC DCST TDAD Memorandum (2001, June 26). Subject: Learning Management System.
United States General Accounting Office (2002). NATIONAL GUARD: Effective Management Processes Needed for Wide-Area Network. Report to Congressional Committees.
United States House of Representatives Report Number , Making Federal Computers Secure: Overseeing Effective Information Security Management, Third Report by the Committee of Government Reform.
Wisher, Robert A.; Champagne, Matthew V.; Pawluk, Jennifer L.; Eaton, Angela; Thornton, David M.; Curnow, Christina K.; & Moses, Franklin L. (1999). Army Research Institute Technical Report Training Through Distance Learning: An Assessment of Research Findings.

2. Overview

In an alarming report released on November 18, , the U.S. Congressional Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations flunked 16 federal agencies on their computer security efforts, while giving barely passing grades to a host of other agencies. In his opening remarks upon presenting the annual computer security report card, Subcommittee Chairman Representative Stephen Horn (R-CA) stated, "It is disappointing to announce that the federal government has received a failing grade on its security efforts." The subcommittee began grading 24 major executive branch departments of the U.S. government last year after the 106th Congress passed the Government Information Security Reform Act of 2000, which requires federal agencies to establish agency wide computer security programs that protect the systems that support their missions. Critical agencies such as the DOD, Department of Transportation, Department of Health and Human Services, and Department of Energy, as well as the Nuclear Regulatory Commission, all received "F's," a failing grade.

Representative Horn continued, "All of us in Congress are well aware that the nation is in a state of war. It is not anyone's intention to place this great land at further risk of attack. It is, however, very important that the new administration take heed of the sobering assessment the subcommittee is providing and work to expeditiously address this most important need."

The major findings within the report included:
- Agencies are not conducting periodic risk assessments.
- Federal computer systems have significant and pervasive weaknesses in their security controls.
- Federal information technology systems rely on commercial software that is vulnerable to attack.
- Agencies' Capital Planning and Investment Control processes do not include information technology security.
- Congress does not have consistent and timely access to the information it needs to fulfill its oversight responsibilities for Federal information security and related budget deliberations.

2.1 Common Access Card (CAC)/Public Key Infrastructure (PKI)

As part of the GISRA, DOD developed a Key Management Infrastructure (KMI) to provide engineered solutions (consisting of products and services) for security of networked computer-based systems and is part of the Defense-in-Depth strategy to achieve information superiority by protecting vital information. Programs which carry out or support the mission of the US DOD require services such as authentication, confidentiality, technical non-repudiation, and access control. These services are met with an array of network security components such as workstations, guards, firewalls, routers, in-line network encryptors (INE), and trusted database servers. The operation of these components is supported and complemented by use of public key cryptography. [2]

The National Security Agency (NSA) has the responsibility for the management of the DOD PKI Program Management Office (PKI PMO) as designated by the OASD C3I and the DOD CIO. NSA provides the system security assessments in support of the PKI PMO to include the Defense Eligibility Enrollment Reporting System (DEERS) and Real-time Automated Personnel Identification System (RAPIDS) infrastructure used to issue CACs (which will function as PKI tokens). [3]

PKI also provides authentication, confidentiality, integrity, and non-repudiation needed to migrate business operations to a paperless environment. PKI is being implemented in conjunction with CAC, the first Departmentwide implementation of smart cards. [4]

The Army's Executive Agent (AEA) for the CAC/PKI is the office of SET-D; which has established the program to field the Army's CAC/PKI/digital certificate devices through

[1] US House of Representatives, Report Number , Making Federal Computers Secure: Overseeing Effective Information Security Management, Third Report by the Committee of Government Reform.
[2] DOD PKI PMO. (31 May 2002). X.509 Certificate Policy for the United States Department of Defense Version 6.0. Page 1.
[3] The CAC is being issued at only the RAPID-installed sites and is only available as generated by the RAPIDS.
[4] HQDA Message, Office Symbol SAIS-ZA. (291900Z July 2002). SUBJECT: UNCLAS ALARACT 0077/2002, Update for Implementation of Public Key Infrastructure and Common Access Card and the Public Key Enabling of Applications, Web Servers, and Networks in the Department of the Army. The Army CIO/G-6 released this HQDA message to provide immediate guidance to all Army units and activities concerning the implementation of the Army PKI/CAC program.

The CAC will serve as the:
- Standard identification card for active-duty military personnel, members of the Selected Reserve, Army civilian employees, and eligible contractor personnel;
- Principal card used to enable physical access to Army facilities, installations, and controlled spaces [1];
- Principal card used to enable computer network and system access via digital signature and data encryption; and
- Primary PKI token platform for Class 3 certificates.

2.2 The Army Distributed Learning Program (TADLP)

A marked shift in military training is underway. Today, many aspects of training and education are carried out via distributed learning (DL), essentially synonymous with distance learning, and the potential for DL to support soldiers will significantly increase in the future. DL is defined as the delivery of training to soldiers and units through the application of multiple means of technology. The amount and kind of training appropriate for DL application will be determined by the tasks to be trained. DL allows students, leaders, and units centralized access to essential information and training. DL in the information age has unleashed the potential to transform Army training, providing the Army with a capability for obtaining the state of readiness necessary to accomplish the Army mission.

In 1996, General Reimer, the Chief of Staff, Army approved TADLP for implementation and appointed the Commanding General, TRADOC as the AEA. The program was designated an Acquisition Category (ACAT) I-AC and was implemented through the Major Automated Information System Review Council process in accordance with DOD Regulation R and Army Regulation TADLP is funded FY98-FY10 to field Digital Training Facilities (DTFs) and convert TRADOC courses to DL delivery media.

TADLP is the Army's program to provide standard distributed individual, collective, and self-development training to all Army soldiers (Active, Reserve and National Guard) anywhere in the world - whether at home using their personal computer, at work using their office computer, on travel, or deployed in the field. The mission of TADLP is to improve readiness and training and support Army Transformation. TADLP supports this mission by exploiting current and emerging technologies, delivering the right training to the right soldier, at the right time and place. [2]

TADLP is an integral part of the DOD Advanced Distributed Learning (ADL) initiative, which is setting standards for courseware collaboration, development, and content reuse across the DOD. For the purpose of this paper, TADLP consists of the following elements:
- The Army Distributed Learning Program (TADLP) - Redesigned courseware for DL delivery, acquisition and sustainment of DTFs, Classroom XXI upgrade initiative, acquisition and sustainment of the Army Learning Management System (LMS), and Deployable Training Campus.
- The Army National Guard's Distributive Training Technology Project (DTTP) - Redesigned courseware for DL delivery and acquisition and sustainment of Digital Training Facilities (DTFs).
- Reserve Education and Learning (REAL) program
- Homeland Defense ADL
- SmartForce E-Learning

As part of the TADLP Campaign Plan, approximately 525 Army courses are programmed for DL redesign from FY98 through FY10. Course media includes web-based, computer-based training (CBT), simulations, video teletraining (VTT) and audio-conferencing. The Project Manager, Distributed Learning Systems (PM DLS), has the responsibility to field the Army and Army Reserve DTFs and the Army's LMS.

The combined requirements of TADLP and the ARNG include approximately 850 TADLP/DTTP facilities worldwide based on distributed training requirements and soldier demographics. The fielding of the DTFs will put 95% of all soldiers within 50 miles or 90 minutes in driving time of a DTF by 4th Quarter FY06. The ultimate goal is to bring training from the schoolhouse to wherever soldiers are located - in their homes, in their units, and to soldiers anywhere in the world. All of this while decreasing the number of days a soldier has to be away from their unit or family.

[1] In accordance with the OASD C3I memorandum of January 4, 1996, Subject: Uniformed Badge System for the Department of Defense, the magnetic stripe on the CAC is to comply with the Security Equipment Integration Working Group Specification 012 for the ordering of magnetic stripe information for badging and access control systems.
[2] USA TRADOC DCST TDAD. The Army Distance Learning Program Campaign Plan 2001 (21 August 2001). The Army DL Program became The Army Distributed Learning Program in 2002.

The LMS is an outgrowth of the need for an integrated system - automated whenever possible - to perform learning management functions (i.e. registration, enrollment, scheduling, student progress, etc.) for both resident and DL training/education instruction for Army civilian and military personnel. [1] The LMS will enable soldiers to register for self-paced courses, distribute on-line courseware, test and evaluate soldiers, enable Training NCOs to schedule events & resources, enable soldiers to evaluate training courses, facilitate on-line collaboration, provide course management tools for, and provide and maintain product and course catalogs.

The Classroom XXI upgrade initiative will modernize 270 TRADOC schoolhouse resident classrooms with an open architecture, standards compliant, and fully networked multimedia infrastructure. The Classroom XXI classrooms are being used by the proponent school for resident training, as well as acting as the front-end for distributed training in DTFs worldwide.

The Deployable Training Campus, although still a proof of concept, has delivered DL-formatted military training, civilian education, and morale and welfare to soldiers deployed in the Sinai, Bosnia, Kosovo, and Hungary, as well as stationed in Germany.

2.3 eArmyU Program

Although the eArmyU program falls outside of TADLP, it does fall under the oversight of the DL General Officer Steering Committee (DL GOSC) and therefore will be included in this paper. The US Army has created one of the most innovative programs of higher education in the world: Army University Access Online (known as eArmyU). eArmyU provides access to quality education for enlisted soldiers across the globe, helping them further their professional and personal goals and providing the Army with top preparation for its forces. [2]

eArmyU brings together a unique collaboration of colleges and universities offering a broad range of educational opportunities. eArmyU offers approximately 116 programs from 21 different educational institutions. Through eArmyU, soldiers have the opportunity to earn a certificate, associate, bachelor or master's degree from a home institution while taking courses from multiple colleges and universities. It enrolls 31,000 soldier students, more than 5 percent of the Army's ranks, and is on track to expand to additional sites, reaching 80,000 enlistees by eArmyU provides soldiers with the tools they need to succeed in the online environment. Once enrolled, soldiers receive up to $4,500 per year for tuition, books and course fees, as well as a personal laptop, printer, account, an Internet Service Provider (ISP) account (Fiberlink), and a user ID and password. The user ID and password give them access to their classes and additional student services, such as online tutoring assistance, access to an electronic library, software downloads, program mentoring services, and technical support from a 24/7 online help-desk.

3. Scope of Programs

3.1 Common Access Card (CAC)/Public Key Infrastructure (PKI)

[The Army] Public Key encryption (PKE) guidance applies to all DA systems and networks, including network-level applications, automated information systems, web server-level applications, and client software-level applications. It does not apply to the intelligence community sensitive compartmented information (SCI) and information systems operated within the DOD intelligence community that fall under the authority of the Director of Central Intelligence, or to users or applications on encrypted networks or in the tactical environment. Until policy is published for PKI in these environments, Army application requirements for those environments will be handled on a case-by-case basis. The guidance does not apply to any unclassified Army web server providing non-sensitive, publicly releasable information categorized as a private web server solely because it limits access to preserve copyright protection of information sources, facilitate its own development, or limit access to link(s) to limited access site(s).

[1] ATTG-CF Memorandum, dated 26 June 01. SUBJECT: Army Learning Management System Update. This memorandum provides update to the Army concerning the Army's LMS, being developed and fielded by the PM, DLS.
[2] Information on eArmyU. Website located at
[3] Mulrine, Anna. USNews.com article. (Special Report: E-Learning 10/28/02). Online Ed: It's in the Army now: A popular new program allows soldiers to study at home and abroad.

Applications that do not use or require the use of public key cryptography are not required to be enabled for the DOD PKI. However, applications that will benefit from the use of public key cryptography should be considered for inclusion if warranted by business case analysis.

CAC Implementation

The CAC will be issued to eligible recipients by October The CAC will replace the eligible recipient's current Uniformed Services identification card for the same status whenever that card expires, is lost or stolen, or upon direction of the local command. All existing smart card implementations will migrate to the CAC by October Additionally, all applications using the barcode on the personnel identification card will migrate to the CAC by June Current Army guidance concerning the use of the CAC as the principal card to enable physical access does not require Army components to dismantle current access systems and it does not preclude the continued use of supplemental badging systems that are considered necessary to provide levels of security not presently afforded by the CAC. However, Army activities are to plan for migration to the next-generation CAC for general access control using any of the CAC's present or future access control capabilities.

Under the DOD Common Access Card policy dated April 18, 2002, Those DOD Components currently using smart cards and smart card applications related to personnel are directed to migrate those card applications to the CAC no later 30 September, Issuance of the CAC will be conducted using the existing and planned infrastructure provided by DEERS/RAPIDS.

Functions within the CAC include:
- Barcode for Functional Applications. Examples - Army Food Management Information System and US Air Force Military Immunization Tracking System
- Integrated Circuit Chip Location - SET-D Certificates and future space for other functional and service applications
- Magnetic Stripe - Proposed use for building and facility access and ATM access (latter Navy only)
- Medical Data: Shows the blood type and organ donor status
- Barcode for Personnel Data

The certificates contained on the CAC will be issued against the users' Army Knowledge Online (AKO) accounts. All Army personnel, whether military or civilian, are required to have an AKO account with an AKO address. AKO is moving to be the single point of entry into the Army's robust and scalable knowledge management system. Within the next couple of years, Army websites will utilize this single point of entry or the PKI certificates on the individual's CAC or both. [3]

Teleworkers will require CAC readers on their telework computers if they access PK-enabled DOD networks and systems or send encrypted or digitally signed e-mails from their telework location. Teleworkers qualify for PM SET-D centrally procured readers if they are regular and recurring teleworkers. Installations should submit any additional CAC reader requirements through their Major Commands to the PM SET-D. Major Commands are responsible for the cost of installing the reader/middleware for teleworkers. Ad hoc teleworkers will not qualify for PM SET-D-procured readers, but local installations may choose to purchase CAC readers for them if there is a need for CAC functionality from an alternate worksite. [4] Current prices of CAC readers and middleware are included later in this paper. Teleworkers within this definition do not include personnel on travel or temporary duty. Further definition of telework is provided within DOD Directive , dated September 9, Eligible contractors who work at onsite DA facilities qualify for PM SET-D-procured CAC readers. Eligible contractors who work at offsite contractor facilities do not qualify for PM SET-D-procured readers. Army organizations may reimburse contractors for the purchase of CAC readers if there are provisions in their contract for reimbursable expenses.

[1] HQDA Message, Office Symbol SAIS-ZA. (291900Z July 2002), op. cit., Section 1 of 5.
[2] OSD Memorandum. (April 18, 2002). Subject: Common Access Card Changes. Page 3, paragraph 1.
[3] SAIS-EIT Memorandum, dated January 30, Subject: Army Knowledge Online (AKO).
[4] HQDA Message, Office Symbol SAIS-ZA. (291900Z July 2002), op. cit. section 2 of 5.

3.1.2 PKI Implementation

The CAC is the official, standard implementation of class 3 PKI within the Department of the Army (DA), and all eligible Army users shall be issued Class 3 certificates on the CAC by October 2003 in compliance with the X.509 Certificate Policy. By October 2003, the DOD Class 3 PKI signing certificates will be used to digitally sign messages that are created and sent from any DA electronic mail system other than the Defense Message System (DMS). All messages created and sent from any DA system (other than DMS) will require encryption using the CAC encryption certificates.

All new procurement actions that require public key cryptography will include in the solicitation process the requirement to use the DOD Class 3 PKI certificates no later than October Similarly, all Army initiatives that currently use public key cryptography must migrate to use DOD Class 3 PKI certificates by October Legacy systems targeted for replacement within 5 years that currently use non-DOD Class 3 PKI will not migrate to the DOD Class 3 PKI infrastructure unless the migration is required to maintain current system interfaces.

Army unclassified networks that authenticate users will be PK-enabled for client authentication by October 2003, conditional with (1) the availability of commercial certificate-based access control applications compatible with the network operating system and (2) the issuance of access control application-compatible certificates to all network users.

3.2 TADLP

The DL program currently includes DA military and civilian training/education: Military Occupational Specialty (MOS) qualification courses; Additional Skill Identifier (ASI) and Skill Qualification Identifier (SQI) courses; reclassification courses; officer functional area and branch qualification courses; warrant officer technical certification; professional military education courses for officer (OES), warrant officer (WOES) and Noncommissioned Officer (NCOES); and functional training education courses which can be delivered via DL.

The Enterprise Management Center (EMC), located at Fort Eustis, Virginia, manages this DTF information network. The EMC provides network connectivity and systems management for DTFs throughout the world via a 24/7 technical help desk. The EMC also ensures total information security. At each Active Army and USAR DTF is located a NetFortress network security device. The NetFortress provides high speed point to point encryption securing all communications within a single network and creation of Virtual Private Networks and utilizes the highest levels of encryption technology to secure the integrity and confidentiality of your communications.

The overall TADLP DTF system architecture is accredited in accordance with DOD and Army information security policies. [1] Each DTF is accredited to the Sensitive but Unclassified (SBU) level. Each DTF has security policies and procedures and is maintained by a DTF Manager that has the responsibility for overall security of the information and facility.

3.3 Distributive Training Technology Project (DTTP)

Per the DTTP website [2], DTTP is a state-of-the-art communications and learning-delivery system designed to support the National Guard's traditional and expanding missions at home and abroad. Using DTTP resources, soldiers can now study foreign languages and improve skills in reading, writing, critical thinking, and information technology. There are more than 300 specially designed multimedia classrooms throughout the country, linked by a terrestrial network and emerging satellite technologies.

DTTP classrooms consist of various hardware and software components that support the delivery of training and the exchange of knowledge across the country. Components are included from GuardNet XXI and the Integrated Information System. GuardNet XXI is the NGB's Asynchronous Transfer Mode (ATM) telecommunications network that supports DTTP as well as a number of Army National Guard enterprise management programs.

[1] DOD Instruction : DOD Information Technology Security Certification and Accreditation Process (DITSCAP), (Dec. 30, 1997); DOD Directive (DODD): Security Requirements for Automated Information Systems (DODD , Mar. 21, 1988); Army Regulation : Information Systems Security (Feb. 27, 1998); and Army Regulation
[2] DTTP website is located at tp.ngb.army.mil/

According to William New of the National Journal in his article Broadband Guardians, GuardNet XXI operates on a broadband network that was developed by a not-for-profit entity called the Community Learning and Information Network, or CLIN. Launched under a slightly different name in 1991 as a $500,000 project of the U.S. Chamber of Commerce, CLIN initially received funding from the Defense Advanced Research Projects Agency. Today, the National Guard is the primary user of CLIN's technology. [1]

The existing GuardNet XXI infrastructure consists of seven regional hubs, 54 State Area Commands (STARCs), and classroom servers. Each GuardNet XXI regional hub serves a predefined geographical region of the United States. In each state, a STARC level node functions as an ATM switching center between that state's classroom server(s) and the corresponding regional hub. [2]

DTTP is administered through the Integrated Information System (IIS), a system of hardware and software that provides classroom capabilities to support readiness training and shared use. The IIS is centrally managed yet allows sites to operate independently at the classroom level. It provides users with access to all network content and services and maintains a repository of content (i.e., courses and information) at the national level. When users request content, the IIS downloads the specific content to their local servers.

4. CAC/PKI/PKE Impact on DL Programs

The largest impact to the DL programs is with the PKI requirement. All four major DL programs will have systems that must be PK-enabled to use identity certificates for user authentication and logon. Every workstation used to access DL programs will be required to have a functional smart card reader.

4.1 TADLP

In coordination with TRADOC, the Army Training Support Center (ATSC) requested a study be conducted by the Army Research Institute to identify various forms of training compromise, such as obtaining questions beforehand or enlisting a proxy for test taking in non-proctored, web-based learning environments. The request stated that there is no definitive evidence that such training compromise is currently a problem in the Army, but greater use of distributed learning in the future coupled with reported trends of high levels of cheating among high school students, the Army's prime enlistment pool, is reason for concern. The study examined potential solutions, such as proctored test environments and biometric measures, recommended by a group of experts during a workshop hosted by Carnegie Mellon University. [3]

The method of the study looked at solutions to training compromise from experts in the areas of test security practices, training design considerations, PKI, biometrics, and legal perspectives. Experts presented potential solutions to training compromise at a one-day workshop. The workshop was followed by a brainstorming session during which the 31 invited participants from government, academia, and industry generated 40 potential solutions. An Army advisory panel assessed the solutions based on cost, feasibility of implementation, ease of use, reliability and accuracy, then developed a final list of recommended solutions.

The panel stated in their findings and recommendations, using affirmative obligations; live and virtual proctoring; multimodal biometrics and/or biographical information integrated into course design; implementing PKI to limit inappropriate access to courseware and tests; and considering test designs such as randomizing items, performance testing, time limits, limiting testing attempts, using no print/capture options, and tracking where test takers have been online. The recommendations are meant to function as general guidelines for solutions to training compromise. The usefulness of implementing any particular set of solutions is in large part dependent on the criticality of the training and testing under consideration. [4]

Specifically speaking to PKI recommendations, the panel stated, PKI could be adopted in Army training as it is adopted Army-wide. Implementing PKI in training could provide the added benefit of creating ready access to a career management account that could be used as a transcript to document a soldier's education. This recommendation is not likely to be implemented in the short term, as it does rely on a change to the current infrastructure. [5]

[1] New, William. (July 23, 2002). Broadband Guardians. GovExec.com.
[2] GAO. (September 2002). NATIONAL GUARD: Effective Management Processes Needed for Wide-Area Network.
[3] Army Research Institute. (June 2002). Study Report : Training on the Web: Identifying and Authenticating Learners.
[4] Ibid, p. vii.
[5] Ibid., p. 24

The PM, DLS Security Officer, Tim Donahue, stated that the impact for the DTFs was negligible: [1] PM, DLS coordinated with PM SET-D to preposition current and future requirements for the CAC reader and required middleware for every seat within TADLP DTFs worldwide, a total of 5,405 available seats. Concerning the digital signature requirement, the impact is also negligible since the DTFs do not allow exchange on the DTF computers. The DTF manager does have a computer that will be required to be PK-enabled.

Current DTF security policy requires students to receive a local user ID and a password that is at least 8 alpha-numeric characters. The students use this local user ID and password while they are attending a DL course within the DTF. With the future PKE requirements, local domains and local user IDs and passwords will not be supported. PK-enabling will include replacing an existing user authentication system, or creating a new one, so that it uses personal digital certificates instead of other technologies such as username/password or IP filtering. The Army is currently developing a PKE Waiver Policy that will establish the process by which a Command can submit an application for a waiver from the PKE requirement. This waiver may be issued for varying lengths of time, and will require the application owners to develop a plan for how they will PK-enable their application in the future.

TADLP is most impacted by personnel taking training courses from their home. Home computers will not come equipped with smart card readers or middleware, and there is no plan to provide these items to users for their home computers. Part of the TADLP mission includes providing military training to the soldier wherever he or she is located, which includes attending DL courses from home. A soldier is not expected to purchase their own CAC reader and middleware to attend a military DL course or an affiliated civilian education course. A policy must be developed to accommodate home computers used for DL training.

4.2 DTTP

DTTP is impacted since its envisioned future includes shared use by industry, academia, and the general public. These external groups are not eligible to receive the CAC or its associated PKI certificates and will not be able to log on to networks or web servers. In addition, the Fiscal Year 2002 Defense Authorization Act required the Government Accounting Office (GAO) to review GuardNet, which is used to support various Defense applications and was used to support homeland security activities after 9/11. GAO was asked to determine the current and potential requirements for GuardNet and the effectiveness of the processes for managing the network's requirements, configuration, and security. The GAO found deficiencies in requirements (requirements management plan not established), configuration (documentation of actual network configuration), and security (insufficient security controls to protect GuardNet). [2] The PKI requirement will compound the difficulty of correcting these deficiencies.

5. Conclusion

The Army's implementation of DOD's PKI will impact information technology procedures throughout the Army, not just in DL programs. The PKI/CAC concept will change how the Army works on the internet and how it exchanges information. SET-D was established to field the Army's portion of the PKI/CAC/digital certificate devices, but it falls short of the amount needed for the entire Army, which includes soldiers and civilians taking DL training/education courses while at home or on temporary duty. Commands are required to program funding for additional CAC readers and middleware, as well as the needed digital certificates, for these situations. The PKI/CAC infrastructure will help with some of the deficiencies noted in the Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations report on the US government's computer security vulnerabilities. PKI/CAC/digital certificates are only part of the DOD's computer security defense-in-depth. The level of impact to Distributed Learning programs is dependent on each agency's security policies and procedures.

[1] Personal communication between Tim Donahue and author, December 20, 2002, via personal interview.
[2] GAO. (September 2002), op. cit.


Public Law 113 283 113th Congress An Act PUBLIC LAW 113 283 DEC. 18, 2014 128 STAT. 3073 Public Law 113 283 113th Congress An Act To amend chapter 35 of title 44, United States Code, to provide for reform to Federal information security. Be it

More information

Office of Inspector General

Office of Inspector General DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Improved Security Required for DHS Networks (Redacted) Notice: The Department of Homeland Security, Office of Inspector General, has redacted

More information

GAO MAJOR AUTOMATED INFORMATION SYSTEMS. Selected Defense Programs Need to Implement Key Acquisition Practices

GAO MAJOR AUTOMATED INFORMATION SYSTEMS. Selected Defense Programs Need to Implement Key Acquisition Practices GAO United States Government Accountability Office Report to Congressional Addressees March 2013 MAJOR AUTOMATED INFORMATION SYSTEMS Selected Defense Programs Need to Implement Key Acquisition Practices

More information

Department of Defense DIRECTIVE

Department of Defense DIRECTIVE Department of Defense DIRECTIVE NUMBER 5205.16 September 30, 2014 USD(I) SUBJECT: The DoD Insider Threat Program References: See Enclosure 1 1. PURPOSE. In accordance with sections 113 and 131 through

More information

Department of Defense DIRECTIVE. SUBJECT: Management of the Department of Defense Information Enterprise

Department of Defense DIRECTIVE. SUBJECT: Management of the Department of Defense Information Enterprise Department of Defense DIRECTIVE SUBJECT: Management of the Department of Defense Information Enterprise References: See Enclosure 1 NUMBER 8000.01 February 10, 2009 ASD(NII)/DoD CIO 1. PURPOSE. This Directive:

More information

PRIME IDENTITY MANAGEMENT CORE

PRIME IDENTITY MANAGEMENT CORE PRIME IDENTITY MANAGEMENT CORE For secure enrollment applications processing and workflow management. PRIME Identity Management Core provides the foundation for any biometric identification platform. It

More information

The Army Learning Management System Product Lead, Distributed Learning System

The Army Learning Management System Product Lead, Distributed Learning System The Army Learning Management System Product Lead, Distributed Learning System 1. General. The Army Learning Management System (ALMS) is the third component of the Army s evolutionary acquisition strategy

More information

Access Control BUSINESS REQUIREMENTS FOR ACCESS CONTROL

Access Control BUSINESS REQUIREMENTS FOR ACCESS CONTROL AU7087_C013.fm Page 173 Friday, April 28, 2006 9:45 AM 13 Access Control The Access Control clause is the second largest clause, containing 25 controls and 7 control objectives. This clause contains critical

More information

Defense Security Service

Defense Security Service Defense Security Service Electronic Fingerprint Capture Options for Industry Version 2.0 January 2013 Issuing Office: Defense Security Service Russell Knox Building 27130 Telegraph Rd Quantico VA 22134

More information

Department of Defense INSTRUCTION

Department of Defense INSTRUCTION Department of Defense INSTRUCTION NUMBER 5015.02 February 24, 2015 DoD CIO SUBJECT: DoD Records Management Program References: See Enclosure 1 1. PURPOSE. This instruction reissues DoD Directive (DoDD)

More information

Multi-Factor Authentication Protecting Applications and Critical Data against Unauthorized Access

Multi-Factor Authentication Protecting Applications and Critical Data against Unauthorized Access Multi-Factor Authentication Protecting Applications and Critical Data against Unauthorized Access CONTENTS What is Authentication? Implementing Multi-Factor Authentication Token and Smart Card Technologies

More information

Office of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget

Office of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget Office of the Auditor General Performance Audit Report Statewide Oracle Database Controls Department of Technology, Management, and Budget March 2015 071-0565-14 State of Michigan Auditor General Doug

More information

Department of Defense DIRECTIVE

Department of Defense DIRECTIVE Department of Defense DIRECTIVE NUMBER 8140.01 August 11, 2015 DoD CIO SUBJECT: Cyberspace Workforce Management References: See Enclosure 1 1. PURPOSE. This directive: a. Reissues and renumbers DoD Directive

More information

Department of Defense INSTRUCTION

Department of Defense INSTRUCTION Department of Defense INSTRUCTION NUMBER 8910.01 May 19, 2014 DoD CIO SUBJECT: Information Collection and Reporting References: See Enclosure 1 1. PURPOSE. This instruction: a. Reissues DoD Instruction

More information

Report No. D-2008-047 February 5, 2008. Contingency Planning for DoD Mission-Critical Information Systems

Report No. D-2008-047 February 5, 2008. Contingency Planning for DoD Mission-Critical Information Systems Report No. D-2008-047 February 5, 2008 Contingency Planning for DoD Mission-Critical Information Systems Additional Copies To obtain additional copies of this report, visit the Web site of the Department

More information