LandWarNet 2011 Army Identity Management (IdM) PKI Initiatives. Tracy Traylor, CIO/G6, Cyber Dir, IdM Div Chief. UNCLASSIFIED


Agenda: SIPRNet Tokens; Tactical PKI; SHA-256; Questions/POCs. (2011-08-23T08:00Z // SIPRNet Token Implementation)

SIPRNet Token Implementation

What it is:
- A token (smart card) for strong authentication and logon to the SIPRNet, for signing and encrypting email, and for connecting to secure websites
- A replacement for the current logon, which relies on user names and 15-character recommended passwords that are lengthy and difficult to remember, must be changed frequently, and are easier for adversaries to exploit
- Initially funded by the DoD PKI PMO
- Certificates are issued by the National Security System (NSS) Certificate Authority rather than the DoD CA

Why it is being implemented:
- Follows Department of Defense (DoD) Instruction 8520.2 procedures to implement PKI on DoD classified networks
- Makes it more difficult for adversaries to compromise the SIPRNet

Tasking and Test Plan
- Army G3/5/7 EXORD 074-11 (14 Jan 11) tasked commands and staffs to participate in IOT&E and FOC
- USCYBERCOM Coordination Alert Message (26 Jan 11) required SIPRNet token implementation for IOT&E and preparation for full implementation
- Army Cyber Command EXORD 2011-018 (4 Mar 11) provided technical information and direction to Signal Commands
- Army Initial Operational Test and Evaluation (IOT&E) Implementation Plan: addresses preparation for and participation in the DoD IOT&E; includes Army issuance of up to 2,000 SIPRNet tokens to various Army organizations and commands; tokens are issued with a three (3) year certificate life span and can remain in use through Full Operational Capability (FOC)

Implementation Steps

Configure the infrastructure:
- Distribute token readers provided by Army CIO/G6
- Install device certificates and Tumbleweed Enterprise on domain controllers and web servers
- Configure SIPRNet workstations with 90Meter middleware (similar in function to ActivClient for DoD CACs) and the Tumbleweed desktop validation application

Establish a chain of trust:
- Identify locations of Local Registration Authorities (LRAs) and Trusted Agents (TAs)
- Establish and train LRAs and TAs with CIO/G6 support

Get SIPRNet tokens into the hands of SIPRNet users:
- Require SIPRNet users to obtain SIPRNet tokens
- Conduct face-to-face identity verification between TAs and users
- TAs forward the completed DoD PKI Certificate of Acceptance and Acknowledgement of Responsibilities (DD Form 2842) to LRAs

Decentralized Token Issuance Process
1. The Army CIO/G6 Cyber CAC/PKI Division Registration Authority (RA) prepositions formatted, inactive tokens with the LRA at decentralized issuance locations.
2. The command or SIPRNet user submits a request for a SIPRNet PKI token to the LRA, or to a remote TA for validation.
3. On a SIPRNet workstation, the LRA accesses TMS to register the user and obtain a temporary PIN, then enrolls the user and places the certificates on the token.
4. The LRA sends the enrolled token to remote TA1 and the temporary PIN to remote TA2 via NSS-encrypted email, so the token and the PIN that unlocks it travel by separate paths to separate people.
5. The TA receives the token, conducts a face-to-face validation of the user's identity, completes DD Form 2842, and issues the token to the user. The user changes the token PIN on a SIPRNet workstation in the presence of the TA and becomes a SIPRNet PKI token subscriber.
6. The TA sends the signed DD Form 2842 to the LRA.

Initial issuance locations, for example: #1 Fort Belvoir (refine the process and expand to include MDW); #2 Fort Gordon (a mix of CONUS, tactical, and MI users). At startup, the Army will attempt to leverage existing TAs distributed across Army installations.

IOT&E Token Issuance by Command/Organization: CIO/G-6; USAREUR; AFRICOM; EUCOM; 106th Signal Brigade; ATEC; ATEC OTC; INSCOM/513th; DA Chief of Engineers; 335th Signal; 52nd ID; NTC; 7th SC; USARPAC; TRADOC.
IOT&E token issuance requirement: 2,000. Tokens issued: 2,403 as of 12 Aug 2011.

IOT&E Observations
- Senior leadership awareness and support are needed
- Network support organizations must take advantage of available accreditation and test documentation and eliminate or reduce local testing
- Users still need to update SIPRNet passwords to prevent account lockout until User Based Enforcement (UBE), which restricts logon to the SIPRNet token only, is implemented; until then the password remains a valid credential alongside the token
- Thin client workstations were generally not included in the IOT&E due to interoperability issues with token readers and middleware

IOT&E Successes
- Army Theater Network Operations and Security Centers (TNOSCs) have already configured most of the domain controllers needed for full implementation in several theaters
- Positive feedback received on use of token and PIN vs. user ID and password
- Weekly teleconferences support knowledge sharing and progress reporting

Post-IOT&E Implementation Strategy
- SIPRNet tokens will continue to be issued to Army organizations that are prepared to accept them
- Revisions are being made to AR 25-2 (Information Assurance) and Standard Operating Procedures, based on the National Security Systems (NSS) Registration Practice Statement (RPS)

Full Fielding Strategy
- The Army will field up to 300,000 tokens from FY12 to FY16
- Draft Implementation plan and EXORD for FOC, suspense 31 Aug 2011
- Initial rollout of tokens, readers, and middleware is funded by the DoD PKI PMO
- The Army has requested LRAs beginning in FY12
- Army organizations must plan and budget for sustainment beginning in FY14

Tactical PKI
- The Army is leading the DoD Tactical Technical Interchange Meeting (TIM) under the direction of the DoD PKI PMO
- The Tactical TIM oversees pilot activities:
  - The pilot approach is to evaluate alternative certificate validation (CV) approaches suited to bandwidth-challenged environments, e.g., delta CRLs (a client that already holds a complete CRL downloads only the changes since that CRL was issued) and mini-CRLs (a compressed form of the revocation list)
  - Develop a notional joint PKI operational architecture to support planning and implementation of the Tactical PKI Pilot
  - Coordinate Service and Agency planning and participation in the DoD PKI Tactical Pilot
  - Coordinate functional requirements, test plans, and policy changes for use in the Tactical Pilot
- Implementation at the tactical level presents unique challenges: PKI integration with Battle Command and Warfighter Information Network-Tactical (WIN-T) programs and systems
- IdM is coordinating and working closely with the Program Executive Office for Command, Control and Communications-Tactical (PEO C3T)
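As an added illustration of the delta CRL approach named above (example code written for this page, not Army, DISA or Tumbleweed software; it works on constructed in-memory CRL records, not real NSS CRLs, and does not model the mini-CRL format), the following Python applies a delta CRL to a cached complete CRL the way RFC 5280 section 5.2.4 describes: delta entries are added to the base, entries carrying the removeFromCRL reason are dropped, and the delta is refused unless the cached base falls inside the CRL-number window the delta was built for. The names Crl, Entry, apply_delta and sample_crls are the example's own.

```python
"""Apply a delta CRL to a cached complete CRL (RFC 5280 section 5.2.4 semantics).

Example code for this page. Crl/Entry are simplified stand-ins for the ASN.1
structures; every CRL below is constructed sample data, not a real NSS CRL.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Optional

# CRLReason codes (RFC 5280 section 5.3.1) that the merge logic cares about
KEY_COMPROMISE = 1
CERTIFICATE_HOLD = 6
REMOVE_FROM_CRL = 8   # valid only in a delta CRL: the certificate came off hold


@dataclass(frozen=True)
class Entry:
    serial: int
    revoked_at: datetime
    reason: int


@dataclass
class Crl:
    issuer: str
    crl_number: int                              # cRLNumber extension
    this_update: datetime
    entries: Dict[int, Entry] = field(default_factory=dict)   # serial -> Entry
    base_crl_number: Optional[int] = None        # BaseCRLNumber from the delta CRL indicator; None on a complete CRL

    @property
    def is_delta(self) -> bool:
        return self.base_crl_number is not None


def apply_delta(base: Crl, delta: Crl) -> Crl:
    """Return a new complete CRL equal to `base` brought up to date by `delta`.

    Raises ValueError when the delta cannot legitimately be applied to this base,
    so a stale or mismatched cache is never silently treated as current.
    """
    if base.is_delta or not delta.is_delta:
        raise ValueError("apply_delta needs a complete base CRL and a delta CRL")
    if base.issuer != delta.issuer:
        raise ValueError("base and delta CRLs come from different issuers")
    # RFC 5280 section 6.3.3: a delta combines with a complete CRL whose number is
    # at least BaseCRLNumber and less than the delta's own cRLNumber.
    if not (delta.base_crl_number <= base.crl_number < delta.crl_number):
        raise ValueError(
            f"base CRL #{base.crl_number} is outside the window "
            f"[{delta.base_crl_number}, {delta.crl_number}) that this delta updates"
        )
    merged = dict(base.entries)
    for serial, entry in delta.entries.items():
        if entry.reason == REMOVE_FROM_CRL:
            merged.pop(serial, None)   # certificate was on hold and has been released
        else:
            merged[serial] = entry     # newly revoked, or reason changed (e.g. hold -> keyCompromise)
    return Crl(base.issuer, delta.crl_number, delta.this_update, merged)


def is_revoked(crl: Crl, serial: int) -> bool:
    return serial in crl.entries


def sample_crls():
    """Constructed sample: a cached complete CRL #10 and a delta #12 built on it."""
    t0 = datetime(2011, 8, 1, tzinfo=timezone.utc)
    t1 = datetime(2011, 8, 23, tzinfo=timezone.utc)
    base = Crl("CN=Example NSS CA", 10, t0, {
        1001: Entry(1001, t0, KEY_COMPROMISE),
        1002: Entry(1002, t0, CERTIFICATE_HOLD),
    })
    delta = Crl("CN=Example NSS CA", 12, t1, {
        1002: Entry(1002, t1, REMOVE_FROM_CRL),   # hold lifted
        1003: Entry(1003, t1, KEY_COMPROMISE),    # new revocation
    }, base_crl_number=10)
    return base, delta


if __name__ == "__main__":
    base, delta = sample_crls()
    current = apply_delta(base, delta)
    print(f"CRL #{current.crl_number}: revoked serials {sorted(current.entries)}")
    print(f"delta carried {len(delta.entries)} entries; a full CRL would carry {len(current.entries)}")
```

The window check is the part worth keeping in mind for a tactical client: a delta is only meaningful relative to the base it was cut from, so a node that has fallen behind (its cached base predates BaseCRLNumber) must fetch a fresh complete CRL rather than apply the delta and believe it is current.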

Tactical PKI Testing
- Army CIO/G6 IdM funded the TRADOC Capability Manager (TCM) Global Network Enterprise (GNE) and CERDEC to conduct testing and validation of Tactical PKI (TPKI)
- Test areas: SIPR token, DEERS/RAPIDS, SHA-256, NPE (non-person entity) certificates, IPv6
- Validating the TPKI CONOPS on tactical systems will provide valuable information to develop Tactics, Techniques, and Procedures (TTPs), identify gaps, and provide a basis for assessing Doctrine, Organization, Training, Materiel, Leadership, Personnel and Facilities (DOTMLPF)
- Potential follow-on operational testing to take place at the Network Integration Rehearsal / Network Integration Exercise (NIR/NIE) at Fort Bliss, TX

SHA-256 Migration

Certificates on the Common Access Card (CAC) are currently signed using the SHA-1 Secure Hash Algorithm; those certificates are used to authenticate and be granted access to networks and web applications and to digitally sign documents, providing authentication and non-repudiation. The hash inside a digital signature is what lets a relying party detect tampering with the signed data, so a signature is only as strong as the hash beneath it. The National Institute of Standards and Technology (NIST) determined that SHA-1 has come to the end of its security lifecycle and that SHA-256 (a stronger algorithm from the SHA-2 family) will be its replacement. The Federal government has mandated the use of SHA-256 as of 01 JAN 11, with an exemption that allows Agencies/Departments/Services to continue using SHA-1 at their own risk until 31 DEC 13. Remaining on SHA-1 impacts the Army's ability to interoperate with other Federal organizations (Department of Homeland Security, Department of State, Department of Justice, Veterans Affairs, Centers for Disease Control, Federal Bureau of Investigation, and others) that use or are migrating to SHA-256. The Army will transition the NIPRNet (infrastructure, servers, web applications, workstations) from SHA-1 to SHA-256 over the next two years, with a proposed completion date of 31 DEC 13. This migration provides a standard hash algorithm across the Federal Government for interoperability.

SHA-256 Transition Plan
- The Army's SHA-256 Working Group is producing FRAGO 1 to the Army Data Center Consolidation Plan (ADCCP) EXORD to implement SHA-256 throughout the Army's NIPRNet
- The Army's plan is to fully support SHA-256 NLT 31 DEC 13
- Transition plan for infrastructure, servers, applications and desktops: 25% by 01 FEB 13, 50% by 01 MAY 13, 75% by 01 AUG 13, and 100% by 01 NOV 13
- The Army will conduct remediation and final verification from 01 NOV 13 to 31 DEC 13
- The Army ceases issuing tokens with SHA-1 certificates on 31 Dec 2013 and starts issuing tokens with SHA-256 certificates on 1 Jan 2014
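As an added example for the SHA-1 to SHA-256 transition described in the two sections above (written for this page, not Army or DISA tooling, and shipped with constructed certificate stand-ins rather than real DoD certificates), the Python below walks the outer DER layers of an X.509 certificate using only the standard library, reads the signatureAlgorithm OID, and reports which certificates still depend on SHA-1. The names classify, needs_migration and load_pem, and the sample_certificate builder, are the example's own; the OID table covers the common RSA and ECDSA signature algorithms and treats anything else as unknown rather than as safe.

```python
"""Inventory certificates whose signature still depends on SHA-1 (example code for this page).

Walks only the outer DER layers of Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm,
signatureValue } with the standard library. Sample certificates are constructed stand-ins.
"""
import base64
import re
import sys
from typing import Dict, List, Tuple

SIGNATURE_OIDS: Dict[str, Tuple[str, bool]] = {     # OID -> (name, uses SHA-1)
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
}

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, int, int]:
    """Decode one DER tag/length at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, pos, pos + length

def _expect(buf: bytes, pos: int, tag: int) -> Tuple[int, int]:
    t, start, end = _read_tlv(buf, pos)
    if t != tag:
        raise ValueError(f"expected DER tag 0x{tag:02x} at offset {pos}, got 0x{t:02x}")
    return start, end

def _decode_oid(content: bytes) -> str:
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:                               # base-128 arcs, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_oid(der: bytes) -> str:
    """Dotted OID from Certificate.signatureAlgorithm.algorithm."""
    pos, _ = _expect(der, 0, 0x30)                      # Certificate
    _, tbs_end = _expect(der, pos, 0x30)                # tbsCertificate, skipped as a whole
    alg_start, _ = _expect(der, tbs_end, 0x30)          # signatureAlgorithm
    oid_start, oid_end = _expect(der, alg_start, 0x06)  # algorithm OBJECT IDENTIFIER
    return _decode_oid(der[oid_start:oid_end])

def classify(der: bytes) -> Dict[str, object]:
    oid = signature_oid(der)
    name, uses_sha1 = SIGNATURE_OIDS.get(oid, (oid, None))   # None = unknown, review by hand
    return {"oid": oid, "algorithm": name, "sha1": uses_sha1}

def load_pem(text: str) -> List[bytes]:
    """All CERTIFICATE blocks in PEM text, as DER."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

def needs_migration(certs: Dict[str, bytes]) -> List[str]:
    """Names whose signature uses SHA-1 or an algorithm the table does not know."""
    return sorted(n for n, der in certs.items() if classify(der)["sha1"] is not False)

# Constructed stand-ins: correct outer shape, dummy TBS and signature, not real DoD certificates.
def _tlv(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def sample_certificate(sig_oid: str) -> bytes:
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                             # TBS holding only a serial
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")   # AlgorithmIdentifier, NULL params
    sig = _tlv(0x03, b"\x00" + bytes(16))                              # BIT STRING, 0 unused bits
    return _tlv(0x30, tbs + alg + sig)

if __name__ == "__main__":
    certs = {f"{p}#{i}": d for p in sys.argv[1:] for i, d in enumerate(load_pem(open(p).read()))}
    if not certs:                                                      # no files given: use the stand-ins
        certs = {"legacy-web": sample_certificate("1.2.840.113549.1.1.5"),
                 "migrated-dc": sample_certificate("1.2.840.113549.1.1.11")}
    for name in needs_migration(certs):
        print(f"{name}: {classify(certs[name])['algorithm']} -> migrate to SHA-256 before 31 DEC 13")
```

Run it with exported PEM files as arguments to inventory a server's or workstation's certificates; with no arguments it classifies the two stand-ins. It reads the algorithm field only and does not verify the signature or the chain, which remains the job of the platform or Tumbleweed validator, and a certificate with an OID outside the table is listed for review rather than silently passed.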

Questions / Points of Contact
- Tracy Traylor, CIO/G6 Cyber Directorate, IdM Division Chief, 703-545-1732, tracy.n.traylor.civ@mail.mil
- Mark Dickson, CIO/G6 Cyber Directorate, PKI SIPR/Tactical Lead, 703-545-1736, mark.a.dickson2civ@mail.mil
- Dennis Nalli, CIO/G6 Cyber Directorate, PKI SIPR/Tactical, 703-545-1746, dennis.p.nalli.ctr@mail.mil
- Phil Juchem, CIO/G6 Cyber Directorate, PKI Tactical/SIPR, 703-545-1740, philip.e.juchem.ctr@mail.mil
- Tim Hiligh, CIO/G6 Cyber Directorate, PKI SHA-256/Wireless, 703-545-1741, timothy.r.hiligh.ctr@mail.mil
- Army SIPRNet PKI Token AKO Site: https://www.us.army.mil/suite/page/636329