PUBLIC KEY ENABLEMENT OF NAVY SECRET INTERNET PROTOCOL ROUTER NETWORK

RTTUZYUW RUEWMCS0000 0721935-UUUU--RUCRNAD
ZNR UUUUU
R 121935Z MAR 12
FM CNO WASHINGTON DC
TO NAVADMIN
UNCLAS//N05239//
NAVADMIN 084/12
BT
MSGID/GENADMIN/CNO WASHINGTON DC/N2N6BC/-/MAR//
SUBJ/PUBLIC KEY ENABLEMENT OF NAVY SECRET INTERNET PROTOCOL 
ROUTER NETWORK//

REF/A/DOC/DOD WASH DC/24MAY2011//
REF/B/DOC/CNSS/MAR2009//
REF/C/DOC/DOD WASH DC/14OCT2011//
REF/D/DOC/DOD WASH DC/13MAY2011//

NARR/REF A IS DOD INSTRUCTION 8520.02, PUBLIC KEY INFRASTRUCTURE 
(PKI) AND PUBLIC KEY (PK) ENABLING.  REF B IS THE COMMITTEE ON 
NATIONAL SECURITY SYSTEMS (CNSS) POLICY NUMBER 25, NATIONAL 
POLICY FOR PUBLIC KEY INFRASTRUCTURE IN NATIONAL SECURITY SYSTEMS.
REF C IS DOD CHIEF INFORMATION OFFICER MEMO, DOD SIPRNET PUBLIC 
KEY INFRASTRUCTURE CRYPTOGRAPHIC LOGON AND PUBLIC KEY ENABLEMENT 
OF SIPRNET APPLICATIONS AND WEB SERVERS.  REF D IS DOD INSTRUCTION
8520.03, IDENTITY AUTHENTICATION FOR INFORMATION SYSTEMS.  REFS 
A THROUGH D ARE LOCATED ON THE PKI PAGE OF THE INFOSEC WEB SITE AT 
HTTPS:(SLASH)(SLASH)INFOSEC.NMCI.NAVY.MIL(SLASH)PKI(SLASH)NSS.HTML.
UNIFORM RESOURCE LOCATOR (URL) MUST BE IN ALL LOWERCASE.  
POC/CDR JULIANA ROSATI/MIL/OPNAV N2N6BC4/LOC:WASH DC/TEL:
(571)256-8523/TEL:DSN:260-8523/E-MAIL:JULIANA.ROSATI(AT)NAVY.MIL/
MS. KRISTEN WAYNE/CTR/OPNAV N2N6BC4/LOC:WASH DC/TEL:(571)256-8522/
TEL:DSN:260-8522/E-MAIL:KRISTEN.WAYNE.CTR(AT)NAVY.MIL// 

RMKS/1.  IAW REFS A THROUGH D, THIS MESSAGE DIRECTS ACTION BY NAVY
COMMANDERS TO SUPPORT PUBLIC KEY (PK) ENABLEMENT OF THE SECRET 
INTERNET PROTOCOL ROUTER NETWORK (SIPRNET).

2.  SCOPE AND APPLICABILITY.  THIS MESSAGE APPLIES TO ALL NAVY 
OWNED, OPERATED OR CONTROLLED SIPRNET-CONNECTED NETWORKS, WEB 
SERVERS, AND APPLICATIONS.  THIS MESSAGE DOES NOT APPLY TO NETWORKS
CLASSIFIED HIGHER OR LOWER THAN SECRET. 

3.  BACKGROUND.  PK ENABLING ENHANCES THE SECURITY POSTURE OF THE 
GLOBAL INFORMATION GRID.  REF A DIRECTS PK ENABLEMENT OF ALL SECRET 
AND UNCLASSIFIED DEPARTMENT OF DEFENSE (DOD) NETWORKS.  REF B 
PROVIDES POLICY REGARDING THE USE OF PUBLIC KEY INFRASTRUCTURE (PKI)
IN CLASSIFIED ENVIRONMENTS.  PREVIOUS DOD AND NAVY EFFORTS HAVE 
FOCUSED ON PK ENABLING OF UNCLASSIFIED NETWORKS.  REF C DIRECTS THE 
PK ENABLEMENT OF THE SIPRNET AND INCLUDES A SPECIFIC TIMELINE FOR 
IMPLEMENTATION IN DOD.  REF D PROVIDES POLICY ON WHEN PKI MUST BE 
USED FOR AUTHENTICATION.

4.  IMPLEMENTATION.  DOD HAS DEVELOPED A PKI HARDWARE TOKEN, SIMILAR
TO THE COMMON ACCESS CARD (CAC), FOR USE ON THE SIPRNET.  FULL 
DEPLOYMENT OF THIS TOKEN BEGINS IN EARLY CALENDAR YEAR 2012 WITH A 
TARGETED COMPLETION DATE OF DECEMBER 2012 FOR ISSUANCE TO ALL SIPRNET
USERS.  TO ACCOMPLISH FULL OPERATIONAL CAPABILITY, ALL SIPRNET 
ACCOUNTS MUST BE ENABLED FOR CRYPTOGRAPHIC LOGON (CLO) BY 31 MARCH 
2013. APPLICATIONS WHICH RELY ON ACTIVE DIRECTORY (AD) FOR 
AUTHENTICATION MUST BE PK-ENABLED BEFORE THIS DEADLINE TO ENABLE AD 
ACCOUNTS FOR CLO.  ADDITIONALLY, ALL WEB SERVERS AND APPLICATIONS 
SHALL SUPPORT TWO-WAY (SERVER AND CLIENT CERTIFICATE) PKI 
AUTHENTICATION, WITH ACCESS REQUIRING PKI CREDENTIALS, BY 30 JUNE 2013.
USCYBERCOM WILL ESTABLISH A REPORTING 
PROCESS TO TRACK COMPLIANCE AND PROGRESS TOWARD MEETING THESE 
DEADLINES.  SHIPS AND SUBMARINES SHALL IMPLEMENT SIPRNET CLO AS
TECHNOLOGICALLY FEASIBLE.  THIS IS DEPENDENT ON SPAWAR SIPRNET 
TOKEN BACK-FIT AND CLO BACK-FIT TO INTERNAL SHIPBOARD NETWORKS.  
NOTE:  IN THE DOD INFORMATION TECHNOLOGY PORTFOLIO REPOSITORY - 
DEPARTMENT OF NAVY (DITPR-DON), "APPLICATIONS" DISCUSSED IN THIS 
NAVADMIN ARE CALLED "SYSTEMS."
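ADDED EXAMPLE (NOT PART OF THIS NAVADMIN OR OF ANY DOD PUBLICATION): THE FOLLOWING POWERSHELL SCRIPT SHOWS WHAT "TWO-WAY PKI AUTHENTICATION WITH ACCESS REQUIRING PKI CREDENTIALS" LOOKS LIKE ON AN IIS WEB SERVER, WITH THE WEAK SETTING (CLIENT CERTIFICATE NEGOTIATED BUT OPTIONAL) BESIDE THE REQUIRED SETTING, AND A READ-BACK CHECK.  IT ASSUMES IIS WITH THE WEBADMINISTRATION MODULE AND THE CLIENT-CERTIFICATE-MAPPING FEATURE INSTALLED; THE SITE NAME IS HYPOTHETICAL.

```powershell
# Added example (not from NAVADMIN 084/12): enforce two-way (mutual) PKI
# authentication on an IIS site so that a client certificate is REQUIRED,
# not merely negotiated.  Assumptions not in the message: IIS with the
# WebAdministration module, the IIS client-certificate-mapping feature
# installed, and a hypothetical site name.  Run elevated on the web server.
param([string]$Site = 'Default Web Site')   # hypothetical site name
Import-Module WebAdministration -ErrorAction Stop

$appHost = 'MACHINE/WEBROOT/APPHOST'
$access  = 'system.webServer/security/access'

# Weak setting: 'Ssl,SslNegotiateCert' asks the browser for a certificate but
# still serves the request when none is presented, so a password or anonymous
# path remains open.  Adding SslRequireCert closes it: no valid client
# certificate, no access.
$weak     = 'Ssl,SslNegotiateCert'
$required = 'Ssl,SslNegotiateCert,SslRequireCert'

# Assumption: the provider returns the flags either as a name string
# ("Ssl, SslNegotiateCert") or as the numeric bitmask (SslRequireCert = 64)
# depending on version, so the check below handles both forms.
function Test-RequiresClientCert {
    param($SslFlagsValue)
    if ($SslFlagsValue -is [string]) { return ($SslFlagsValue -match 'SslRequireCert') }
    return (([int]$SslFlagsValue -band 64) -ne 0)
}

$before = (Get-WebConfigurationProperty -PSPath $appHost -Location $Site -Filter $access -Name sslFlags).Value
Write-Host "Current sslFlags for '$Site': $before (weak baseline would be '$weak')"

Set-WebConfigurationProperty -PSPath $appHost -Location $Site -Filter $access -Name sslFlags -Value $required

# Map the presented certificate to the AD account so the site authorizes the
# certificate holder rather than a password, and close the anonymous path.
Set-WebConfigurationProperty -PSPath $appHost -Location $Site `
    -Filter 'system.webServer/security/authentication/clientCertificateMappingAuthentication' `
    -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $appHost -Location $Site `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name enabled -Value $false

# Read back and fail loudly if the required flag did not stick; a site that
# only negotiates certificates does not meet the 30 June 2013 requirement.
$after = (Get-WebConfigurationProperty -PSPath $appHost -Location $Site -Filter $access -Name sslFlags).Value
if (-not (Test-RequiresClientCert $after)) {
    throw "sslFlags for '$Site' is '$after'; client certificate is still optional"
}
Write-Host "sslFlags for '$Site' now requires a client certificate: $after"
```

CAVEAT: REQUIRING THE CERTIFICATE IS ONLY HALF OF THE CONTROL.  THE SERVER MUST ALSO TRUST ONLY THE NSS PKI ISSUING CHAIN AND PERFORM REVOCATION CHECKING; A SITE THAT ACCEPTS ANY CLIENT CERTIFICATE, OR THAT SKIPS CRL OR OCSP CHECKS, STILL ADMITS A REVOKED TOKEN.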

5.  DEFINITIONS.  THE FOLLOWING DEFINES THE KEY TRUSTED ROLES INVOLVED 
IN THE TOKEN DISTRIBUTION PROCESS.  
A.  REGISTRATION AUTHORITY (RA).  AN ENTITY (ORGANIZATION) NOMINATED 
BY OPNAV (N2N6BC) AND AUTHORIZED BY THE NATIONAL SECURITY SYSTEMS (NSS)
DOD SUBORDINATE CERTIFICATION AUTHORITY SYSTEM (CAS) TO COLLECT, 
VERIFY, AND SUBMIT INFORMATION PROVIDED BY POTENTIAL SIPRNET ACCOUNT
HOLDERS FOR ENTRY INTO PK CERTIFICATES.  RA OPERATIONS ARE PERFORMED
IAW THE CAS CERTIFICATION PRACTICE STATEMENT (CPS) AND THE NSS PKI 
DOD REGISTRATION PRACTICE STATEMENT (RPS).  BOTH DOCUMENTS ARE 
AVAILABLE ON THE NAVY INFOSEC WEBSITE AT 
HTTPS:(SLASH)(SLASH)INFOSEC.NMCI.NAVY.MIL(SLASH)PKI(SLASH)NSS.HTML. 
NAVY RAS ARE LOCATED AT NAVAL COMMUNICATIONS SECURITY MATERIAL SYSTEM
(NCMS) WASHINGTON DC, SPACE AND NAVAL WARFARE SYSTEMS COMMAND SYSTEMS
CENTER ATLANTIC (SSC LANT) CHARLESTON, SC, AND NCMS DETACHMENT HAWAII.  
B.  REGISTRATION AUTHORITY OFFICER. AN INDIVIDUAL NOMINATED BY OPNAV 
(N2N6BC) AND AUTHORIZED BY THE NSS PKI DOD SUBORDINATE CAS TO EXECUTE 
THE RA FUNCTIONS OUTLINED IN PARA 5A. THE RA OFFICER IS RESPONSIBLE 
FOR CERTIFICATE REGISTRATION, REVOCATION, SUSPENSION, AND RESTORATION 
AS WELL AS KEY RECOVERY.  THE FOLLOWING PRIVILEGES ARE UNIQUE TO RA 
OFFICERS: APPROVING THE REVOCATION OR SUSPENSION OF ANY CERTIFICATE; 
RESTORING SUSPENDED CERTIFICATES; REGISTERING AND TERMINATING LOCAL 
REGISTRATION AUTHORITIES; AND PERFORMING KEY RECOVERY OPERATIONS.
C.  LOCAL REGISTRATION AUTHORITY (LRA).  AN RA WITH RESPONSIBILITY FOR
A LOCAL COMMUNITY.  LRAS ARE AUTHORIZED BY THE NAVY RA TO PERFORM ONLY
THE CERTIFICATE REGISTRATION FUNCTION WITHIN THEIR LOCALIZED REGION.  
THE LRA MAY PROVIDE CERTIFICATE REGISTRATION INSTRUCTIONS (CRI) TO 
ACCOUNT HOLDERS FOR CERTIFICATE ISSUANCE.  THE NAVY HAS LRAS IN THE 
FOLLOWING FLEET CONCENTRATION AREAS: WASHINGTON, DC; SAN DIEGO, CA; 
PEARL HARBOR, HI; NORFOLK, VA; AND CHARLESTON, SC.
D.  TRUSTED AGENT (TA).  THE TA IS A UNIT-LEVEL INDIVIDUAL SPECIFICALLY
ALIGNED TO AN LRA OR RA, BUT WITHOUT LRA PRIVILEGES.  THE COMMANDING 
OFFICER, RA, OR LRA MAY APPOINT A TA.  THE TA ISSUES TOKENS, TOKEN 
READERS, AND ASSOCIATED REGISTRATION INSTRUCTIONS AFTER PERFORMING 
IN-PERSON IDENTITY AND DOCUMENTATION VERIFICATION.  

6.  SIPRNET PKI TOKEN ISSUANCE PROCESS.  TOKEN DISTRIBUTION WILL BE 
EXECUTED IAW THE NAVY IMPLEMENTATION PLAN (IP) WHICH ALIGNS WITH THE 
DOD SIPRNET TOKEN MANAGEMENT SYSTEM (TMS) CONCEPT OF OPERATIONS (CONOPS).
BOTH DOCUMENTS ARE AVAILABLE ON THE NAVY INFOSEC WEBSITE AT 
HTTPS:(SLASH)(SLASH)INFOSEC.NMCI.NAVY.MIL(SLASH)PKI(SLASH)NSS.HTML.  
IN PRACTICE, THE SIPRNET TOKEN DISTRIBUTION WILL BE SIMILAR TO THE 
UNCLASSIFIED NAVY ALTERNATE LOGON TOKEN (ALT) PROGRAM.  EXPERIENCE WITH
THE ALT PROGRAM WILL BE VALUABLE TO ENSURE ACCURATE, EFFICIENT ISSUANCE 
OF THE SIPRNET TOKENS.  PERSONNEL ASSIGNED AS ALT TRUSTED AGENTS ARE 
FAMILIAR WITH THE IDENTITY VERIFICATION PROCESS AND MAY BE UNIQUELY 
SUITED TO PERFORM THE SIPRNET PKI TA ROLE.  INITIAL DEPLOYMENT WITHIN 
THE NAVY WILL CONCENTRATE ON ISSUING TOKENS TO USERS AND ADMINISTRATOR
ACCOUNTS ON THE NAVY MARINE CORPS INTRANET (NMCI).  NAVY RAS WILL 
DISTRIBUTE TOKENS TO LRAS IN FLEET CONCENTRATION AREAS.  SIPRNET TOKENS
SHALL ONLY BE USED WITH NATIONAL SECURITY AGENCY (NSA)-PROVIDED TOKEN 
READERS AND NOT WITH READERS EMBEDDED ON THE MACHINE OR KEYBOARD.  SSC 
LANT WILL PROVIDE THE READERS; PARA 7B PERTAINS.  WITH THE EXCEPTION OF 
SYSTEM ADMINISTRATORS, SIPRNET TOKENS ARE NOT CURRENTLY AVAILABLE FOR 
FUNCTIONAL (E.G., WATCHSTANDERS, GROUPS, ETC.) ACCOUNTS.  FLTCYBERCOM 
WILL ISSUE GUIDANCE VIA A NAVY TELECOMMUNICATIONS DIRECTIVE OR 
COMMUNICATIONS TASKING ORDER WHEN THE CAPABILITY EXISTS FOR SIPRNET 
TOKENS TO SUPPORT GROUP AND ROTATING ROLE-BASED FUNCTIONAL ACCOUNTS, 
FUNCTIONAL MAILBOXES, AND SERVICE ACCOUNTS.  
A.  TO FACILITATE TOKEN ISSUANCE, COMMANDS SHALL ASSIGN A MINIMUM OF 
THREE (3) SIPRNET PKI TRUSTED AGENTS (TAS) TO ASSIST THE LRAS TO WHOM 
THEY ARE ALIGNED.  HOWEVER, COMMANDS ARE ENCOURAGED TO ASSIGN AS MANY AS
POSSIBLE.  AT LEAST ONE OF THE COMMAND'S SIPRNET PKI TAS MUST BE 
DUAL-HATTED AS THE INFORMATION ASSURANCE MANAGER (IAM), INFORMATION 
ASSURANCE OFFICER, OR SECURITY OFFICER.  TWO TAS ARE REQUIRED TO ISSUE 
A TOKEN: ONE ISSUES THE TOKEN; THE OTHER ISSUES THE ASSOCIATED TEMPORARY
PERSONAL IDENTIFICATION NUMBER (PIN), SO THAT NO SINGLE INDIVIDUAL 
HANDLES BOTH THE TOKEN AND ITS PIN.  THE ROLE OF ONE OF THESE TAS CAN
BE EXECUTED BY AN LRA IF THE LRA IS PROVIDING THE ENROLLMENT CRI.  PKI 
TAS SHALL COMPLETE THE TRAINING AVAILABLE AT 
HTTPS:(SLASH)(SLASH)INFOSEC.NMCI.NAVY.MIL(SLASH)PKI(SLASH)NSS.HTML. 
PROCEDURES TO ESTABLISH A TA ARE ALSO LOCATED AT THIS UNIFORM RESOURCE 
LOCATOR (URL).
B.  COMMANDS AND SHIPS MAY NOMINATE LRAS IN ADDITION TO TAS IF DESIRED.
ONLY NCMS WASHINGTON DC CAN AUTHORIZE LRAS.  SEE PARA 7D FOR POINT OF 
CONTACT INFORMATION TO MAKE LRA REQUESTS.  DUE TO INCREASED LEVEL OF 
AUTHORITY AND RESPONSIBILITY GIVEN TO LRAS, THEY MUST SUCCESSFULLY COMPLETE
A NO COST DEFENSE INFORMATION SYSTEMS AGENCY (DISA) NATIONAL SECURITY 
SYSTEMS TRAINING COURSE IN PERSON.  LRA TRAINING IS AVAILABLE AT NCMS 
WASHINGTON DC, NORFOLK, AND SAN DIEGO.  MOBILE TRAINING TEAMS ARE ALSO 
AVAILABLE FOR WORLDWIDE TRAINING ON A LIMITED, COST BASIS.  CONTACT NCMS 
WASHINGTON DC POINT OF CONTACT IN PARA 7D TO COORDINATE. THE LRA TRAINING 
SCHEDULE IS AVAILABLE AT 
HTTPS:(SLASH)(SLASH)INFOSEC.NMCI.NAVY.MIL(SLASH)PKI(SLASH)LRAMAIN.HTML. 
THE TRAINING MATERIAL IS AVAILABLE AT 
HTTP:(SLASH)(SLASH)IASE.DISA.MIL(SLASH)PKI-PKE(SLASH). 
 
7.  ACTION. 
A.  COMMANDERS MUST BE PREPARED TO SUPPORT THE ISSUANCE OF SIPRNET TOKENS
TO AUTHORIZED PERSONNEL UNDER THEIR COGNIZANCE, INCLUDING ASSOCIATED USER 
TRAINING AND FAMILIARIZATION.  FAILURE TO DO SO MAY RESULT IN USERS BEING 
UNABLE TO ACCESS THEIR SIPRNET ACCOUNTS.
B.  BY 31 MARCH 2012, COMMANDS SHALL IDENTIFY AT LEAST THREE (3) PKI 
TRUSTED AGENTS TO FACILITATE ISSUING TOKENS WHEN FULL DEPLOYMENT BEGINS. 
ONCE ALL TRAINING AND ADMINISTRATIVE REQUIREMENTS ARE MET, SEND THE NAMES 
OF AUTHORIZED TAS AND LRAS (AS APPLICABLE) TO 
MS. BETTY COLLINS/BETTY.COLLINS(AT)NAVY.SMIL.MIL/843-218-4633 AND MS. 
MARJORIE DIXSON/MARJORIE.DIXSON1(AT)NAVY.SMIL.MIL/240-857-7709.  
ADDITIONALLY, BY 31 MARCH 2012, PROVIDE THE TOTAL NUMBERS OF TOKENS AND TOKEN
READERS REQUIRED BY THE COMMAND.  WHEN CALCULATING THE NUMBER OF TOKENS, 
ACCOUNT FOR ONE TOKEN FOR EACH SIPRNET USER AND ONE FOR EACH SYSTEM 
ADMINISTRATOR ACCOUNT.  WHEN CALCULATING THE NUMBER OF TOKEN READERS, 
ACCOUNT FOR ONE CARD READER FOR EACH SIPRNET MACHINE, AND TWO READERS FOR
EACH WORKSTATION THAT WILL BE USED TO EXECUTE TOKEN ISSUANCE (TA, LRA, 
AND KIOSK WORKSTATIONS).  FUNDING HAS BEEN ALLOCATED TO PROVIDE TOKEN 
READERS DURING THE INITIAL TOKEN ROLLOUT.  COMMANDS WILL BE RESPONSIBLE 
FOR PROCUREMENT OF TOKEN READERS FOR SUSTAINMENT STARTING IN FY15.
C.  ON NMCI, TA, LRA, AND KIOSK WORKSTATIONS WILL REQUIRE SPECIALIZED 
SOFTWARE FOR TOKEN ISSUANCE CAPABILITY.  TO RECEIVE THE SOFTWARE, SEND 
WORKSTATION INFORMATION [MACHINE NAME, SITE (PHYSICAL SITE IDENTIFIER (PSI)
CODE), AND SEAT POC E-MAIL] TO LTJG SHANNON BUCKLEY/SHANNON.R.BUCKLEY(AT)
NAVY.MIL/619-553-3382 BY 31 MARCH 2012. 
D.  COMMANDS DESIRING TO ESTABLISH THEIR OWN LRA SHOULD CONTACT THE NAVY 
RA AT NCMS BY 31 MARCH 2012.  THE POC IS MS. MARJORIE DIXSON/ 
MARJORIE.DIXSON1(AT)NAVY.SMIL.MIL/240-857-7709.
E.  PROGRAM OFFICES AND EXCEPTED NETWORK OWNERS SHALL PROVIDE THE 
REQUIREMENTS FOR APPROPRIATE ENABLEMENT AND SUSTAINMENT FUNDING TO THEIR
RESOURCE SPONSOR.
F.  BY 31 MARCH 2012 COMMANDS SHALL ENSURE THEIR AD PERSONNEL ENTRIES 
REFLECT THE MOST ACCURATE AND CURRENT LIST OF USERS.  AN INACCURATE AD MAY
RESULT IN UNNECESSARY DELAYS DURING TOKEN ISSUANCE.  COMMANDS SHALL 
DISABLE ACCOUNTS OF PERMANENTLY DETACHING PERSONNEL TO MAINTAIN SIPRNET 
ACCESS INTEGRITY.
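ADDED EXAMPLE (NOT PART OF THIS NAVADMIN OR OF ANY DOD PUBLICATION): THE FOLLOWING POWERSHELL SCRIPT COVERS THE TWO ACTIVE DIRECTORY TASKS THIS MESSAGE LEVIES, THE PARA 4 REQUIREMENT TO ENABLE ACCOUNTS FOR CRYPTOGRAPHIC LOGON AND THE PARA 7F REQUIREMENT TO SCRUB AD AND DISABLE ACCOUNTS OF DETACHING PERSONNEL.  IT REPORTS WHICH ENABLED ACCOUNTS STILL ALLOW PASSWORD LOGON, WHICH HAVE GONE INACTIVE, AND DISABLES A (CONSTRUCTED) LIST OF DETACHING USERS.  IT ASSUMES THE ACTIVE DIRECTORY RSAT MODULE AND ACCOUNT-ADMIN RIGHTS ON THE SIPRNET DOMAIN; THE OU AND USER NAMES ARE HYPOTHETICAL.  NOTHING IS CHANGED UNLESS -ENFORCE IS GIVEN.

```powershell
# Added example (not from NAVADMIN 084/12): audit and enforce cryptographic
# logon (CLO) on SIPRNET Active Directory user accounts and scrub stale ones.
# Assumptions (not in the message): the ActiveDirectory RSAT module is present,
# the session runs with account-admin rights on the SIPRNET domain, the user
# accounts live under the hypothetical OU below, and the detachment list is a
# constructed sample.  Without -Enforce every change runs as -WhatIf.
param(
    [string]$SearchBase = 'OU=SIPR Users,DC=sipr,DC=example,DC=mil',  # hypothetical
    [int]$InactiveDays  = 90,
    [switch]$Enforce
)
Import-Module ActiveDirectory -ErrorAction Stop

# 1. Enabled accounts that are not yet CLO-enabled.  In AD, CLO is the
#    "Smart card is required for interactive logon" flag; once set, the DC
#    randomizes the password and the token becomes the only logon path.
$notClo = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
              -Properties SmartcardLogonRequired, LastLogonDate |
          Where-Object { -not $_.SmartcardLogonRequired }

Write-Host ("{0} enabled account(s) still allow password logon:" -f @($notClo).Count)
$notClo | Select-Object SamAccountName, LastLogonDate | Format-Table -AutoSize

# 2. Accounts with no logon in $InactiveDays: scrub candidates under para 7F,
#    and accounts that should not be counted in the token order.
$stale = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) `
             -UsersOnly -SearchBase $SearchBase |
         Where-Object { $_.Enabled }

Write-Host ("{0} account(s) inactive for {1}+ days:" -f @($stale).Count, $InactiveDays)
$stale | Select-Object SamAccountName, LastLogonDate | Format-Table -AutoSize

# 3. Constructed sample of permanently detaching personnel (a real run would
#    take this list from the command's check-out process).
$detaching = @('j.doe', 'r.roe')

foreach ($sam in $detaching) {
    $u = Get-ADUser -Filter "SamAccountName -eq '$sam'" -SearchBase $SearchBase -ErrorAction SilentlyContinue
    if ($null -eq $u) { Write-Warning "Detaching user '$sam' not found under $SearchBase"; continue }
    if ($Enforce) { Disable-ADAccount -Identity $u }
    else          { Disable-ADAccount -Identity $u -WhatIf }
}

# 4. Enforce CLO only on accounts that are in use and have a token issued.
#    The -Enforce gate is the safety check: a user whose token has not yet
#    been issued is locked out the moment this flag is set (para 7A).
$staleNames = @($stale | ForEach-Object { $_.SamAccountName })
foreach ($u in $notClo) {
    if ($staleNames -contains $u.SamAccountName) { continue }   # disable, don't token-enable
    if ($Enforce) { Set-ADUser -Identity $u -SmartcardLogonRequired $true }
    else          { Set-ADUser -Identity $u -SmartcardLogonRequired $true -WhatIf }
}
```

USAGE NOTE: RUN ONCE WITHOUT -ENFORCE AND REVIEW THE TWO REPORTS AGAINST THE TOKEN ISSUANCE RECORDS BEFORE RERUNNING WITH -ENFORCE; THE SAME REPORT GIVES THE PER-USER TOKEN COUNT PARA 7B ASKS FOR.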

8.  TECHNICAL GUIDANCE AND USEFUL LINKS.  
ADDITIONAL RELEVANT INFORMATION IS LOCATED ON THE NAVY INFOSEC WEB SITE 
AT HTTPS:(SLASH)(SLASH)INFOSEC.NMCI.NAVY.MIL(SLASH)PKI OR ON THE SIPRNET
AT HTTPS:(SLASH)(SLASH)INFOSEC.NAVY.SMIL.MIL(SLASH)PKI. IAMS, LRAS AND TAS 
SHOULD SUBSCRIBE TO THE INFOSEC MAILING LIST AT
HTTPS:(SLASH)(SLASH)INFOSEC.NMCI.NAVY.MIL(SLASH)SUBSCRIBE(SLASH)INDEX.JSP 
TO RECEIVE EMAIL UPDATES OF NEW PKI ANNOUNCEMENTS AND TRAINING MATERIALS. 

9.  TIMELINE SUMMARY. 
A.  COMMANDS MUST: 
(1)  ESTABLISH AT LEAST THREE (3) TAS BY 31 MARCH 2012. 
(2)  SUBMIT TOKEN, TOKEN READER, AND WORKSTATION INFORMATION BY 31 MARCH
2012. 
(3)  SCRUB ACTIVE DIRECTORY ACCOUNTS BY 31 MARCH 2012.
B. A SIPRNET PKI TOKEN IS REQUIRED FOR ALL SIPRNET USERS BY 31 DECEMBER 
2012. 
C. ALL SIPRNET ACCOUNTS MUST BE ENABLED TO USE CLO BY 31 MARCH 2013.
D. APPLICATIONS THAT RELY UPON ACTIVE DIRECTORY FOR AUTHENTICATION MUST BE 
PK-ENABLED BEFORE 31 MARCH 2013.
E. ALL WEB SERVERS AND APPLICATIONS (SYSTEMS) SHALL SUPPORT TWO-WAY (CLIENT 
CERTIFICATE) PKI AUTHENTICATION WITH ACCESS REQUIRING PKI CREDENTIALS BY 30 JUNE 2013.

10.  THIS NAVADMIN WILL REMAIN IN EFFECT UNTIL CANCELLED OR SUPERSEDED. 

11.  REQUEST WIDEST DISSEMINATION.

12.  RELEASED BY VADM KENDALL L. CARD, OPNAV N2N6.//
BT
#0000
NNNN
