UNCLASSIFIED // FOUO
LandWarNet 2009
Track 2
Purpose: to present the current and future initiatives of the Army's CAC/PKI program
OBJECTIVES: By the end of this presentation you will be able to:
A. Know where the Army is headed in CAC/PKI
B. Discuss logical access ID for volunteers
C. Know the Army status of JTF-GNO CTO 07-015
D. Discuss Army TPKI and SIPRNet pilots
Track #. Session #
Agenda
CAC/PKI Division Overview
Alternate Smartcard for System Administrators
Smartcard for Volunteers
Italian Foreign Nationals
Certificate Validation
DoD Approved Certificate Authorities
Army HSPD-12
Army Pilots
Tactical SIPRNET
Stats
729 ASCL Trusted Agents appointed
17,746 ASCL tokens processed
16,000 tokens in use
Eligible population includes all volunteers as outlined in DoDI 1100.21:
Unpaid Red Cross volunteers
Boy & Girl Scout volunteers
Civil Air Patrol (CAP)
YMCA/YWCA volunteers
Volunteers at Military Treatment Facilities
Issued only to U.S. citizens
Not to be used for physical access to military installations
AHRC will provide Army procedures/controls for issuance and lifecycle management of the Volunteer Smartcard
Volunteers must be sponsored by a DoD military or civilian employee
Sponsors follow the AHRC-designed process
Sponsor collects the card when the volunteer is no longer eligible or no longer associated with the organization
1. Seal of sponsoring agency
2. No photograph or barcodes for physical access
3. Authorized for network access only
4. Volunteer status must be entered and verified by CVS
General Outline
To meet the operational requirement for CAC-like functionality for Local Foreign Nationals, the ASCL token issuance process has been adjusted to create and issue ASCL tokens with three certificates. This ASCL token will have the following certificates installed:
1. Alternate Logon Certificate
2. Digital Signing Certificate
3. Digital Encryption Certificate
Phase 1
Phase 1 will be the current ASCL token issuance process:
1. Nomination of a Trusted Agent (Europe already has Trusted Agents in place)
2. Trusted Agent requests ASCL tokens
3. Army Registration Authority (RA) issues ASCL tokens and ships them to the Trusted Agent
4. Trusted Agent gives ASCL tokens to their users; DD 2842s are signed and sent to the Army RA
5. Users request PINs
6. Users begin using the ASCL token with the logon certificate once the PIN is received
Phase 2
Phase 2 of the process will be the issuance and installation of the digital signing and encryption certificates on the ASCL token. Phase 2 can begin once the user has received their PIN.
1. User logs into the workstation using the ASCL token
2. User navigates to one of the following links:
https://email-ca-17.c3pki.chamb.disa.mil/ca/emailauth.html
https://email-ca-18.c3pki.den.disa.mil/ca/emailauth.html
3. User chooses the "Both Signing and Encryption Certificate" option on the first line
4. User types their AKO email address on the lines requesting their email address
Phase 2 cont.
5. User then clicks "Get Certificate" and the certificates are generated and installed on the ASCL token (the user will be prompted for their PIN for the process to complete)
6. User now has three certificates on their ASCL token
7. User can now digitally sign and encrypt email as if the ASCL token were a CAC
Important: The Army RA office has produced a guide covering this process. The guide has been sent to Trusted Agents in Europe requiring this functionality.
Defense Information Systems Agency (DISA) Robust Certificate Validation Service (RCVS)
4 CONUS nodes
2 OCONUS nodes (EUCOM, PAC)
CAC is the DoD's HSPD-12 Personal Identity Verification (PIV) credential
HSPD-12 vetting requirements apply to all PIV cardholders: National Agency Check with Written Inquiries (NACI)
Centralized
De-centralized
Kiosk
FT Belvoir
Evaluating the issuance process
Login
Web server authentication
Email signing and encrypting
RA training
Sept 09
Oct - Dec 09
Goals:
Improve overall network defense
Limit phishing attacks
Reduce username and password vulnerability on NIPRNet
Completed Tasks
Task 1: Implement Digital Signature Policy
Task 3: Implement Increased Password Security Measures
Task 4: Removal of Software Certificate Installation Files
Task 5: Identification of Non-PKI based Authentication Methods
Task 6: Identify Username/Password Accounts
Task 7: Execute Enhanced Security Awareness Training
Task 8: Identify Non-Windows Operating Systems in Usage
Task 11: Activate CRL web caching capabilities at Base/Post/Camp/Station Level
Task 12: Adjust Online Certificate Status Protocol (OCSP) Configurations to Increase Reliability
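The inventory behind Task 6 is a directory query, not a policy statement: an account can still authenticate with a password unless the domain controller enforces smart card logon on it, regardless of whether the user has been issued a CAC. The following is an added example, not part of the presentation and not an Army tool. It assumes a user export in LDIF form containing sAMAccountName and userAccountControl (as ldapsearch or csvde would produce); the bit values are Microsoft's documented userAccountControl flags, and the four sample entries are constructed.

```python
"""Flag Active Directory accounts that can still log on with a password.

Added example for CTO 07-015 Task 6 (identify username/password accounts).
Standard library only. SAMPLE_LDIF is a constructed export, not real data.
"""
from typing import Dict, List

# Documented userAccountControl bit flags (Microsoft AD schema).
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "SMARTCARD_REQUIRED": 0x40000,
}

# Constructed sample, shaped like:
#   ldapsearch ... "(objectClass=user)" sAMAccountName userAccountControl
SAMPLE_LDIF = """\
dn: CN=Jane Doe,OU=Users,DC=example,DC=mil
sAMAccountName: jdoe
userAccountControl: 262656

dn: CN=Svc Backup,OU=Service,DC=example,DC=mil
sAMAccountName: svc_backup
userAccountControl: 66048

dn: CN=Old Contractor,OU=Users,DC=example,DC=mil
sAMAccountName: contractor1
userAccountControl: 514

dn: CN=Kiosk,OU=Users,DC=example,DC=mil
sAMAccountName: kiosk
userAccountControl: 544
"""


def parse_ldif(text: str) -> List[Dict[str, str]]:
    """Parse a minimal LDIF export into one dict per entry.

    Handles the single-line "attr: value" form these attributes use;
    base64 ("::") values and folded continuation lines are out of scope.
    """
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line terminates an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def describe_uac(uac: int) -> List[str]:
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for name, bit in sorted(UAC_FLAGS.items(), key=lambda kv: kv[1])
            if uac & bit]


def audit(entries: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return enabled accounts on which the DC does not enforce smart card logon."""
    findings: List[Dict[str, object]] = []
    for entry in entries:
        if "userAccountControl" not in entry:
            continue
        uac = int(entry["userAccountControl"])
        if uac & UAC_FLAGS["ACCOUNTDISABLE"]:
            continue                      # disabled: cannot log on at all
        if uac & UAC_FLAGS["SMARTCARD_REQUIRED"]:
            continue                      # CAC/ASCL enforced by the DC
        reasons = ["password logon allowed"]
        if uac & UAC_FLAGS["PASSWD_NOTREQD"]:
            reasons.append("password not required")
        if uac & UAC_FLAGS["DONT_EXPIRE_PASSWORD"]:
            reasons.append("password never expires")
        findings.append({
            "account": entry.get("sAMAccountName", entry.get("dn", "?")),
            "uac": uac,
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in audit(parse_ldif(SAMPLE_LDIF)):
        flags = ", ".join(describe_uac(int(f["uac"])))
        print(f"{f['account']:<14} uac=0x{int(f['uac']):05x} [{flags}]: "
              f"{'; '.join(f['reasons'])}")
```

The check keys on the SMARTCARD_REQUIRED bit rather than on card issuance because that bit is what makes the domain controller reject a password for the account; the same query can be run live with Get-ADUser -Filter {SmartcardLogonRequired -eq $false} on a Windows host with the AD module. Accounts that are disabled are skipped since they cannot be used by either method.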
74% Complete
Non-CAC Holders
Commercial, Federal, and State partners
Legacy Systems
LandWarNet 2009
Questions??
Army CAC/PKI: Army.CAC.PKI@us.army.mil, Phone: 866-738-3222
US Army Registration Authority: (703) 602-7527 (Desk), Email: army.ra@us.army.mil
Backup Slides
DoD memo, Common Access Card (CAC) Eligibility for Foreign National Personnel, signed by USD(P&R) on 9 MAR 2007:
expanding CAC eligibility to include foreign national partners who have been properly vetted and who require access to a DoD facility or network to meet a DoD mission, ...
Fingerprints must be collected to obtain a CAC. The Italian government will not allow its citizens' biometric information to be hosted outside the EU/Italy, so no CAC for them.
CIO/G-6 approved use of the Alternative Smart Card Logon token for Italian Foreign Nationals (FNs). The local Army security office is responsible for ensuring that the FN:
Is not a known or suspected terrorist
Has had his/her true identity verified
Has undergone an appropriate background investigation that has been favorably adjudicated
TACTICAL PKI