1. LandWarNet 2009  
2. LandWarNet 2009
Purpose: to present the current and future initiatives of the Army’s CAC/PKI program
OBJECTIVES: By the end of this presentation you will be able to:
A.  Know where the Army is headed in CAC/PKI
B.  Discuss logical access ID for volunteers
C.  Know the Army status of JTF-GNO CTO 07-015
D.  Discuss Army TPKI and SIPRNet Pilots 
3. CAC/PKI Division Overview
Alternate Smartcard for System Administrators
Smartcard for “Volunteers”
Italian Foreign Nationals
Certificate Validation
DoD Approved Certificate Authorities
Army HSPD-12
Army Pilots
Tactical 
SIPRNET
JTF-GNO CTO 07-015
Accelerated PKI Implementation Phase 2
Reporting
4. CAC/PKI Policy and Guidance
Army 
DoD
Other Federal Agencies
Test and Evaluation 
Public Key Enabling Technology
Registration Authority
SIPRNET Certificates
Key Recovery
Alternative Smart Card Logon Token
Help Desk - (866) 738-3222
Policy, Guidance, and Programmatic Support
Engineering, Testing, and Technical Support
Army HSPD-12/FIPS 201 Implementation
Represent Army at DoD PKI and OSD Defense Manpower Data Center working groups
Public Key Enabling Desktop Computers
JTF-GNO Accelerated PKI Phase 2
Army Alternative Smart Card Logon Token
CAC Enabling Two-Way Wireless Email Devices
Army CAC PIN Reset (CPR)
Tier 2 CAC PKI Technical Support
5. Alternative Smart Card Logon Token (ASCL)
Originally developed for Systems Administrators 
Extended for Italian Foreign Nationals
Must be Department of Army Civilian or contractor with logical access requirements
Memorandum pending to allow email signing and encryption certificates 
Stats
~729 ASCL Trusted Agents appointed
~17,746 ASCL tokens processed
~16,000 tokens in use
6. Logical Access ID for Volunteers
Three-year pilot to issue logical access credentials to DoD volunteers
Eligible population includes all volunteers as outlined in DoDI 1100.21
Unpaid Red Cross volunteers
Boy & Girl Scout volunteers
Civil Air Patrol (CAP)
YMCA/YWCA volunteers
Volunteers at Military Treatment Facilities
Issued only to U.S. citizens
Not to be used for physical access to military installations
Smartcard holds the 3 standard DoD PKI certificates
Requires submission of NAC paperwork and favorable completion of the automated FBI National Criminal History (fingerprint) check
G2 is responsible for cost
7. Parameters for the Volunteer Smartcard
Volunteers must be registered in DEERS via the Contractor Verification System (CVS)
CVS Trusted Agents must re-verify volunteer sponsorship just as they do for contractors
AHRC will provide Army procedures/controls for issuance and lifecycle management of the Volunteer Smartcard
Volunteers must be sponsored by a DoD military or civilian employee
Sponsor follows the AHRC-designed process
Sponsor collects the card when the volunteer is no longer eligible or associated with the organization
8. VISUAL: Volunteer (Network Access) Card
9. General Outline
In order to meet the operational requirement to provide CAC-like functionality to Local Foreign Nationals, the following process has been adjusted to create and issue ASCL tokens with three certificates.
This ASCL token will have the following certificates installed:
Alternate Logon Certificate
Digital Signing Certificate
Digital Encryption Certificate
The issuance process will be split into two phases.
Phase 1: Standard ASCL token issuance
Phase 2: Generation and installation of signing and encryption certificates
 
10. Phase 1 
11. Phase 2
Phase 2 of the process will be the issuance and installation of the digital signing and encryption certificates to the ASCL token. Phase 2 can begin once the user has received their PIN.
User logs into workstation using ASCL token
User navigates to one of the following links:
https://email-ca-17.c3pki.chamb.disa.mil/ca/emailauth.html
https://email-ca-18.c3pki.den.disa.mil/ca/emailauth.html
User chooses the “Both Signing and Encryption Certificate” option on the first line
User types their AKO email address on the lines requesting their email address
 
12. Certificate Request Page
13. Phase 2 (cont.)
User then clicks “Get Certificate” and the certificates are generated and installed on the ASCL token
User will be prompted for their PIN in order for the process to complete
User now has 3 certificates on their ASCL token
User can now digitally sign and encrypt emails as if the ASCL token were a CAC
Important: The Army RA office has produced a guide covering this process. The guide has been sent to Trusted Agents in Europe requiring this functionality.
 
 
14. Army Certificate Validation
Tumbleweed Desktop Validator (DV) OCSP client
Army end user computers
Distributed through the Army Golden Master
Supports email signatures
Army Domain Controllers
Support CCL throughout the Army’s Enterprise
Private Web Servers
Authentication to private web servers as directed by JTF-GNO (Task 12)
Defense Information Systems Agency (DISA) Robust Certificate Validation Service (RCVS)
4 CONUS Nodes
2 OCONUS (EUCOM, PAC)
Army OCSP Responders
National Guard, Reserve Command, Accessions Command, Corps of Engineers, MEDCOM, USAREUR, USAPAC, 8th Army Korea
7th Signal Command – Enterprise management of OCSP
 
15. DoD Approved PKIs
JTF-GNO CTO 07-015 states that all web servers hosting sensitive information will be configured to trust only DoD PKI-approved certificate authorities (CAs):
DoD PKI
DoD External CA (ECA)
Federal Bridge Certificate Authority (FBCA) and members
https://informationassurance.us.army.mil/cacpki/default.htm 
16. HSPD-12 Purpose 
Enhance security
Reduce identity fraud
Increase Government efficiency
Protect personal privacy
Army HSPD-12 Working Group
Co-led by G-2 and G-6 (NETCOM CAC/PKI)
Formal participation from G-1, G-2, G-3/5/7, G-4, G-6, OPMG, ASA(ALT)
Currently developing Army HSPD-12 Implementation Plan
CAC is the DoD’s HSPD-12 Personal Identity Verification (PIV) credential
HSPD-12 vetting requirements apply to all PIV cardholders
National Agency Check with Written Inquiries (NAC-I)
17. DoD Tactical PKI Process Action Team
Army CAC PKI is the TPKI PAT Lead
Review and Integrate DoD PKI/Service PKI Architecture
Review and Integrate DoD PKI/Service Schedules
Determine Joint and Service operational requirements
Develop Joint Tactical Pilot Test Plan
Develop Service-level Tactical Pilot Test Plans
Prepare for DoD PKI Tactical PKI Pilot
Pre-Pilot Activities Began 1ST QTR FY09
Phase I – JITC Lab Environment 3RD QTR FY09
Phase II – Joint Tactical Testing Facility 2ND QTR FY10
Phase III – Limited / Controlled COCOM Operational Environment 3RD QTR FY10
18. Two Locations
200 Tokens
Fort Meade
Evaluating the issuance process
Centralized
De-centralized
Kiosk
FT Belvoir
Evaluating the issuance process
Login
Web server authentication
Email signing and encrypting
RA training Sept 09
Oct - Dec 09
19. PKI Phase 2 Overview
JTF-GNO CTO 07-015, Public Key Infrastructure (PKI) Implementation, Phase 2
Background:
The 12 tasks in JTF-GNO CTO 07-015 address the common attack vectors used by our adversaries, including socially engineered emails, traditional username and password vulnerabilities, and improper installation of PKI software certificates.
Goals:
Improve overall network defense
Limit phishing attacks
Reduce username and password vulnerability on NIPRNet
 
20. Completed Tasks
Task 1: Implement Digital Signature Policy
Task 3: Implement Increased Password Security Measures
Task 4: Removal of Software Certificate Installation Files
Task 5: Identification of Non-PKI based Authentication Methods
Task 6: Identify Username/Password Accounts
Task 7: Execute Enhanced Security Awareness Training
Task 8: Identify Non-Windows Operating Systems in Usage
Task 11: Activate CRL web caching capabilities at Base/Post/Camp/Station Level
Task 12: Adjust Online Certificate Status Protocol (OCSP) Configurations to Increase Reliability
21. JTF-GNO CTO 07-015 Status
Task 2: UBE of CAC Cryptographic Logon
97% Non-Privileged Accounts
28% System Administrator Accounts
Retina, SMS, Hercules… require usernames and passwords
Tasks 9 and 10: Public Key Enabling Web Servers
Web servers that host sensitive information:
configured to use ONLY certificate-based client authentication
trust ONLY DoD PKI-approved certificates
validate certificates at the time of authentication
74% Complete
Non-CAC Holders
Commercial, Federal, and State partners
Legacy Systems
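As an added illustration that is not part of the briefing, the Task 9/10 web server requirements above (certificate-only client authentication, trust limited to DoD-approved CAs, validation at authentication time) and the OCSP/CRL caching described on the Army Certificate Validation slide, expressed as an Apache httpd mod_ssl virtual host with the weak settings left as comments beside the hardened ones; the file paths and the name of the DoD-approved CA bundle are assumptions.

```apache
# Added example, not from the briefing: mod_ssl settings for a web server that
# hosts sensitive information. Paths and the CA bundle name are placeholders.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/server.crt
    SSLCertificateKeyFile /etc/pki/tls/private/server.key

    # WEAK: client certificate optional, leaving room for a username/password path
    # SSLVerifyClient optional
    # WEAK: trusts the OS default bundle (commercial CAs), not only DoD-approved CAs
    # SSLCACertificatePath /etc/ssl/certs

    # HARDENED (Tasks 9/10): certificate-based client authentication ONLY ...
    SSLVerifyClient require
    SSLVerifyDepth  3
    # ... trusting ONLY the DoD PKI, ECA and FBCA cross-certified CAs in this bundle
    SSLCACertificateFile /etc/pki/tls/certs/dod-approved-cas.pem

    # HARDENED (Task 12): check the presented certificate with OCSP at authentication
    # time; fail closed if the responder does not answer within the timeout
    SSLOCSPEnable on
    SSLOCSPResponderTimeout 10

    # HARDENED (Task 11): also check the locally cached CRLs for the whole chain.
    # The file must hold a CRL for every CA in the chain or verification fails.
    SSLCARevocationFile  /etc/pki/tls/crls/dod-crl-cache.pem
    SSLCARevocationCheck chain

    # Expose the client certificate and its subject DN so the application can map
    # the CAC to an account instead of asking for a username and password
    SSLOptions +StdEnvVars +ExportCertData
</VirtualHost>
```

SSLOCSPEnable and SSLCARevocationCheck require httpd 2.4 (2.3.x development series); on the 2.2 servers in use in 2009 only the CRL file check was available in mod_ssl.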
22. Questions?
Army CAC/PKI
Army.CAC.PKI@us.army.mil
Phone: 866-738-3222
US Army Registration Authority
(703) 602-7527 (Desk)
Email: army.ra@us.army.mil
23. Backup Slides
24.
25. Army Certificate Validation Locations
Theaters
USAREUR operating 2 repeaters
US Eighth Army, Korea 2 responders
USARPAC plans to install 10 responders at strategic locations
SWA has implemented a CRL Web Caching infrastructure
Army Commands
The ARNG plans to operate a repeater in each state and territory and one central responder. 
The USAR is operating 2 responders and 4 repeaters (1 responder and 2 repeaters at 2 locations). 
The US Army Accessions Command is operating OCSP responders in Indianapolis, IN and Fort Knox, KY.  
The US Army Corps of Engineers is operating OCSP responders at Vicksburg, MS and Portland, OR.
The US Medical Command has purchased 13 OCSP responders
Installations
Several CONUS installations have purchased OCSP responders and/or repeaters  
26. Tactical PKI Pilot Testing Plan