DEPARTMENT OF DEFENSE 6000 DEFENSE PENTAGON WASHINGTON, DC 20301-6000



Similar documents
Identity, Credential, and Access Management. An information exchange For Information Security and Privacy Advisory Board

NOAA HSPD-12 PIV-II Implementation October 23, Who is responsible for implementation of HSPD-12 PIV-II?

Department of Defense INSTRUCTION. SUBJECT: Public Key Infrastructure (PKI) and Public Key (PK) Enabling

U.S. Department of Energy Washington, D.C.

An Operational Architecture for Federated Identity Management

Federal PKI (FPKI) Community Transition to SHA-256 Frequently Asked Questions (FAQ)

Identity, Credential, and Access Management. Open Solutions for Open Government

Department of Defense INSTRUCTION. Public Key Infrastructure (PKI) and Public Key (PK) Enabling

Department of Defense External Interoperability Plan Version 1.0

DEPARTMENT OF DEFENSE 6000 DEFENSE PENTAGON WASHINGTON, DC

DEPARTMENTAL REGULATION

Commonwealth of Virginia Personal Identity Verification-Interoperable (PIV-I) First Responder Authentication Credential (FRAC) Program

STATEMENT OF WORK. For

Understanding the differences in PIV, PIV-I, PIV-C August 23, 2010

SUBJECT: systems. in DoD. capabilities. d. Aligns identity. (Reference (c)). (1) OSD, the Staff and

For Official Use Only (FOUO)

Department of Defense PKI Use Case/Experiences

2. APPLICABILITY AND SCOPE

Department of Veterans Affairs VA DIRECTIVE 6510 VA IDENTITY AND ACCESS MANAGEMENT

FOUR PILLARS FOR A SUCCESSFUL PIV ECOSYSTEM

NOV q11. DEPARTMENT OF DEFENSE 6000 DEFENSE PENTAGON WASHINGTOr D.C

Test Plan for Department of Defense (DoD) Public Key Infrastructure (PKI) Interagency/Partner Interoperability. Version 1.0.3

Identity & Privacy Protection

Department of Defense SHA-256 Migration Overview

What Does it Mean to be PIVish in PACS ICAM PIV in E-PACS Guidance v2.0.2 the short form. December 3, 2012

Department of Defense INSTRUCTION

Identity, Credential, and Access Management

E X E C U T I V E O F F I CE O F T H E P R E S I D EN T

The DoD Public Key Infrastructure And Public Key-Enabling Frequently Asked Questions

THE UNDER SECRETARY OF DEFENSE 3010 DEFENSE PENTAGON WASHINGTON, DC

SIGNIFICANT CHANGES DOCUMENT

Federal Identity, Credential, and Access Management Trust Framework Solutions. Relying Party Guidance For Accepting Externally-Issued Credentials

Subj: NAVY IMPLEMENTATION OF DEPARTMENT OF DEFENSE INTELLIGENCE INFORMATION SYSTEM (DODIIS) PUBLIC KEY INFRASTRUCTURE (PKI)

Audio: This overview module contains an introduction, five lessons, and a conclusion.

Report No. D June 23, DoD Implementation of Homeland Security Presidential Directive-12

No additional requirements to use the PIV I card for physical facility access have been identified.

GAO PERSONAL ID VERIFICATION. Agencies Should Set a Higher Priority on Using the Capabilities of Standardized Identification Cards

SUBJECT: Directive-Type Memorandum (DTM) , Interim Policy Guidance for DoD Physical Access Control

OFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION

Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Guidance

Department of Defense INSTRUCTION. Reference: (a) DoD Directive , Defense Continuity Programs (DCP), September 8, 2004January 9, 2009

GOALS (2) The goal of this training module is to increase your awareness of HSPD-12 and the corresponding technical standard FIPS 201.

DoD Cloud Computing Strategy Needs Implementation Plan and Detailed Waiver Process

UNDER SECRETARY OF DEFENSE 5000 DEFENSE PENTAGON WASHINGTON, DC

GAO ELECTRONIC GOVERNMENT ACT. Agencies Have Implemented Most Provisions, but Key Areas of Attention Remain

Federal Identity Management Handbook

Deputy Chief Financial Officer Peggy Sherry. And. Chief Information Security Officer Robert West. U.S. Department of Homeland Security.

Department of Defense INSTRUCTION

Practical Challenges in Adopting PIV/PIV-I

Small Business Administration Privacy Impact Assessment

NIST s FIPS 201: Personal Identity Verification (PIV) of Federal Employees and Contractors Masaryk University in Brno Faculty of Informatics

Announcing Approval of Federal Information Processing Standard (FIPS) Publication 201-2,

ort Office of the Inspector General Department of Defense YEAR 2000 COMPLIANCE OF THE STANDARD ARMY MAINTENANCE SYSTEM-REHOST Report Number

Department of Defense DIRECTIVE

Agenda. DoD PKI Operational Status DoD PKI SIPRNET Token. Interoperability Public Key Enablement. Dynamic Access

5 FAM 140 ACCEPTABILITY AND USE OF ELECTRONIC SIGNATURES

Department of Defense INSTRUCTION

Information Technology Policy

Department of Defense MANUAL

Frequently Asked Questions (FAQs) SIPRNet Hardware Token

Implementing Federal Personal Identity Verification for VMware View. By Bryan Salek, Federal Desktop Systems Engineer, VMware

FEDERAL IDENTITY, CREDENTIAL, AND ACCESS MANAGEMENT AND PERSONAL IDENTITY VERIFICATION (PIV) SOLUTIONS

Identity and Access Management Initiatives in the United States Government

Department of Defense INSTRUCTION

Department of Defense INSTRUCTION

DEPARTMENT OF DEFENSE Defense Commissary Agency Fort Lee, VA DIRECTIVE. Social Media

Department of Defense INSTRUCTION

Federal PKI. Trust Infrastructure. Overview V1.0. September 21, 2015 FINAL

Enrolling with PIV and PIV-I Velocity Enrollment Manager

FAST FILE TRANSFER INFORMATION ASSURANCE ASSESSMENT REPORT

HSPD-12 Homeland Security Presidential Directive #12 Overview

Cloud Security. A Sales Guy Talks About DoD s Cautious Journey to the Public Cloud. Sean Curry Sales Executive, Aquilent

NATIONAL DIRECTIVE FOR IDENTITY, CREDENTIAL, AND ACCESS MANAGEMENT CAPABILITIES (ICAM) ON THE UNITED STATES (US) FEDERAL SECRET FABRIC

NATIONAL INCIDENT MANAGEMENT SYSTEM

Interagency Advisory Board Meeting Agenda, May 27, 2010

DoD Root Certificate Chaining Problem

Navy s Contract/Vendor Pay Process Was Not Auditable

Office of the Chief Information Officer Department of Energy Identity, Credential, and Access Management (ICAM)

Information Technology

Evaluation Report. Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review. April 30, 2014 Report Number 14-12

Federal Identity, Credentialing, and Access Management. Identity Scheme Adoption Process

Federal Identity, Credentialing, and Access Management. Personal Identity Verification Interoperable (PIV-I) Test Plan. Version 1.1.

DISTRIBUTION: ASSISTANT G-1 FOR CIVILIAN PERSONNEL POLICY, DEPARTMENT OF THE ARMY DIRECTOR, PLANS, PROGRAMS, AND DIVERSITY, DEPARTMENT OF THE NAVY

Department of Defense INSTRUCTION. SUBJECT: Fellowships, Scholarships, Training With Industry (TWI), and Grants for DoD Personnel

Department of Defense INSTRUCTION

Department of Defense INSTRUCTION

2. Each server or domain controller requires its own server certificate, DoD Root Certificates and enterprise validator installed.

Department of Defense INSTRUCTION. SUBJECT: Communications Security (COMSEC) Monitoring and Information Assurance (IA) Readiness Testing

Recommendations for the PIA. Process for Enterprise Services Bus. Development

Funding Invoices to Expedite the Closure of Contracts Before Transitioning to a New DoD Payment System (D )

Department of Defense DIRECTIVE

THE UNDER SECRETARY OF DEFENSE 3010 DEFENSE PENTAGON WASHINGTON, DC

Transcription:

DEPARTMENT OF DEFENSE 6000 DEFENSE PENTAGON WASHINGTON, DC 20301-6000 CHIEF INFORMATION OFFICER OCT 05 2010 MEMORANDUM FOR SECRETARIES OF THE MILITARY DEPARTMENTS CHAIRMAN OF THE JOrNT CHIEFS OF STAFF UNDER SECRETARIES OF DEFENSE DEPUTY CHIEF MANAGEMENT OFFICER ASSISTANT SECRETARIES OF DEFENSE GENERAL COUNSEL OF THE DEPARTME T OF DEFENSE DIRECTOR, OPERATIONAL TEST AND EVALUATIO DIRECTOR, COST ASSESSMENT AND PROGRAM EVALUATION INSPECTOR GENERAL OF THE DEPARTMENT OF DEFENSE ASSISTANTS TO THE SECRETARY OF DEFENSE DIRECTOR, NET ASSESSMENT DIRECTORS OF THE DEFENSE AGENCIES DIRECTORS OF THE DOD FIELD ACTIVITIES SUBJECT: Department ofdefense Acceptance and Use ofpersonal Identity Verification -Interoperable (piv-1) Credentials The Federal CIO Council issued guidance to assist non-federal issuers of identity cards in achieving interoperability with Federal government PIV systems. In May 2010 the credentialing standards for PIV-1 non-federal credential providers were formalized and included in the X509 Certificate Palicy For The Federal Bridge Certification Authority. The policy's documented requirements for PIV-I non-federal issuers meets minimum 000 concerns regarding establishing trust relationships, trust paths, identity proofing, topology, issuer certification and auditing. The Department is aggressively moving to accept qualified PIV-I credentials for access to physical and logical resources, A PIV-I credential, when electronically validated and where accepted by the relying party (DoD installation commander or information system owner), provides a fraud resistant, federally interoperable identity solution for populations of000 mission partners and commercial vendors that interact with the Department of Defense on a recurring basis. Generally, use of PIV-I credentials, wherever possible, reduces overhead costs of issuing additional credentials, while still ensuring appropriate security, risk management, and identity proofing and vetting. The

process for qualifying PIV-I credentials for use in the Department of Defense is outlined in the attachment to this memorandum. DoD relying parties granting access to DoD infonnation resources or facilities must continue to be in compliance with applicable federal laws, regulations and current 000 physical security or infonnation security and infonnation assurance policies. Acceptance ofpiv-i credentials is expected to be contingent on a risk management approach and comply with identification and authentication requirements, where applicable. In those cases where DoD relying parties, installation commanders, and facility coordinators detennine that granting access is appropriate and that appropriate vetting requirements are met, they should begin accepting DoD-approved PIV-I credentials for authentication and access. There are two exceptions. The first is authentication directly to DoD networks (e.g., NIPR, SIPR) as opposed to authenticating to web portals, applications, and websites. The second exception is physical access control systems where electronic identification systems are not in place. In either ofthese cases, a PIV-I credential cannot be used. This memo should be given the widest dissemination throughout the Department and to the public. My points ofcontact are Mr. Tim Fong, timothy.fong@osd.mil, 703 604-5522 ext 109, or Mr. Keith Minard, Attachments: As stated avid M. Wennergren DoD Deputy Chief Information Officer

Attachment: Department ofdefense Acceptance and Use ofpersonal Identity Verification-Interoperable (PIV-I) Credentials After the establishment ofthe Homeland Security Presidential Directive (HSPD) 12 mandate and the release ofthe federal credentialing standard, Federal Information Processing Standard (FIPS) 201, "Personal Identity Verification (PIV) for Federal Employees and Contractors"), there was a great deal of interest from parties external to the Federal government to develop high quality identity credentials for use by "non-piv eligible" persons that interacted with federal information systems or accessed federal facilities regularly. These non-federal organizations desired identity credentials that are (a) technically interoperable with Federal public key-enabled information systems and (b) issued in a manner that allows Federal government relying parties to place trust in the identity asserted by the credentials. A credentialing standard was needed that was applicable to non-federal issuers of identity credentials and assisted credential holders in achieving interoperability with Federal government systems that have been public key enabled to perform authentication using PIV credentials and PKI certificates. The Federal PKI Policy Authority, in coordination with the Federal Identity, Credentialing and Access Management Subcommittee (ICAM SC), defined the requirements for the issuance ofsmart cards with PKI certificates (commonly known as PIV-Interoperable (PIV-I) credentials) that are designed to be interoperable with federal agency Personal Identity Verification (PIV) infrastructures. The credentialing requirements for nonfederal identity credential issuers to produce federally interoperable credentials were incorporated in the latest version ofthe X509 Certificate Policy For The Federal Bridge Certification Authority (FBCA)2, making it the credentialing standard for PIV-I credential providers. DoD participated actively in the revision ofthe FBCA certificate policy to ensure that documented requirements for PIV-I non-federal issuers met minimum DoD concerns regarding establishing trust relationships, trust paths, identity proofing, topology, issuer certification and auditing. Identity credential providers are certified to issue PIV-Interoperable credentials following an approved cross-certification with the FBCA and mapping ofthe PIV-I 1 Documents available at: http://www.idmanagement.gov/drilldown.cfm?action=library 2 Document download available at: http://www.idmanagement.gov/fpkipa/ Points of contact are Tim Fong, timothy.fong@osd.mil, 703-604-5522 ext 109, or Keith Minard, Page 1

object identifier. Federal guidance for achieving PIV-I cross certification with the FBCA is available at the idmanagement.gov website. PIV-I credential providers are issuers ofpublic key infrastructure (PKI) based credentials. DoD policy authorizes DoD relying parties to accept for use all DoDapproved external PKI certificates. PIV-I providers are considered external PKls. It is highly recommended that PIV-I providers apply to become "DoD-approved" to ensure interoperability of credentials with DoD. PIV-I credential issuers can initiate the DoD approval process by contacting the External Interoperability Working Group (EIWG) at: ExternaIPKI.lnteroperability@osd.mil. In order to use PIV-I credentials to access DoD information systems or facilities, DoD mission partners or commercial vendors should procure qualified PIV-I credentials from credential providers that have been approved in accordance with the DoD External Interoperability Plan 3. That plan outlines the steps to be accomplished to have a non DoD issued PKI credential design ted as "approved for use" within the Department of Defense. The authoritative list 0 DoD-approved PKIs and PIV-I credential issuers is at htl s://www.us.arm.mil/suite/ e/571419. DoD Instruction 8520.0 authorizes DoD relying parties to accept for use all DoDapproved identity credentials fi r authentication and access to web portals, applications, and websites. At this time, PIV- quality credentials shall NOT be used for authentication directly to DoD networks (e.g., on-secure Internet Protocol Router Network (NIPRNet), Secret Internet Protoc I Router Network (SIPRNet)). Relying party systems accepting PIV-I quality credentials part ofrole-based access control procedures must ensure that the system threat assessm t and risks inherent in PKI-based credential usage meet the requirements stated in DoD In truction 8510.01. 4 DoD 5200.08R, DoD Physical sec~'ty Program, is under revision to incorporate Directive Type Memorandum (DTM) 09-0 2. The revision will include policy addressing the use ofdod-approved PIV-I redentials for physical access control. Use Points ofcontact are Tim Fong, timothy.fong@osd.mil, 7q3-604-5522 ext 109, or Keith Minard, Pa~e 2

ofpiv-i credentials for physical access must include the following: acceptance by the installation commander, a deployed and operational electronic physical access control system, all PIV-I credentials electronically authenticated and a basic name check conducted through the National Crime Information Center (NCIC). DoD relying parties granting access to DoD information resources or installations/facilities based on presentation ofa validated non-federally issued identity credential is strongly encouraged. Current budget constraints and strong leadership initiatives to reduce overhead should be seriously considered prior to incurring direct/indirect costs of issuing DoD credentials to PIV-I credential holders. DoD applications, installations and facilities should begin planning for and implementing the ability to authenticate and grant access based on the presentation ofa valid PIV-I credential listed on the authoritative list mentioned above. PIV-I credentials will be an additional authorized form of identity to those already issued by the Department of Defense or Federal authorities. Technical support and guidance for enabling DoD websites and NIPRNET-based applications to accept the use ofdod-approved PKI credentials are available from the DoD Public Key Enabling team (pke support@disa.mil) or at the DoD PKE web site: (https://www.us.army.millsuite/grouppage/58452 ) Points ofcontact are Tim Fong, timothy.fong@osd.mil, 703-604-5522 ext 109, or Keith Minard, Page 3

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information