
UNCLASSIFIED

UNCLASSIFIED // FOUO

LandWarNet 2009
Track 2

Information Assurance: The Defender's Challenge

Army Identity Protection & Management Initiatives


Session 3, August 19, 2009, 0945-1100

Ms. Tracy Traylor, NETC-ES-IA Director, IA Programs/CAC PKI - Tracy.traylor@us.army.mil, 703-602-7496


UNCLASSIFIED Track #. Session #


Purpose: to present the current and future initiatives of the Army's CAC/PKI program.

Objectives: by the end of this presentation you will be able to:
A. Know where the Army is headed in CAC/PKI
B. Discuss logical access ID for volunteers
C. Know the Army status of JTF-GNO CTO 07-015
D. Discuss Army TPKI and SIPRNet pilots


Agenda
- CAC/PKI Division Overview
- Alternate Smartcard for System Administrators
- Smartcard for Volunteers
- Italian Foreign Nationals
- Certificate Validation
- DoD Approved Certificate Authorities
- Army HSPD-12
- Army Pilots: Tactical, SIPRNET
- JTF-GNO CTO 07-015 Accelerated PKI Implementation Phase 2 Reporting



CAC/PKI Division Overview


- CAC/PKI Policy and Guidance: Army, DoD, other Federal agencies
- Test and Evaluation: Public Key Enabling technology
- Registration Authority: SIPRNET certificates, key recovery, Alternative Smart Card Logon token
- Help Desk: (866) 738-3222


Alternative Smart Card Logon Token


Alternative Smart Card Logon Token (ASCL)
- Originally developed for system administrators
- Extended to Italian foreign nationals
- Holder must be a Department of the Army civilian or contractor with logical access requirements
- Memorandum pending to allow email signing and encryption certificates

Stats
- 729 ASCL Trusted Agents appointed
- 17,746 ASCL tokens processed
- 16,000 tokens in use


Logical Access ID for Volunteers


- Three-year pilot to issue logical access credentials to DoD volunteers
- Eligible population includes all volunteers as outlined in DoDI 1100.21:
  - Unpaid Red Cross volunteers
  - Boy and Girl Scout volunteers
  - Civil Air Patrol (CAP)
  - YMCA/YWCA volunteers
  - Volunteers at military treatment facilities
- Issued only to U.S. citizens
- Not to be used for physical access to military installations
- Smartcard holds the standard three DoD PKI certificates
- Requires submission of NAC paperwork and favorable completion of the automated FBI National Criminal History (fingerprint) check
- G2 is responsible for cost


Parameters for the Volunteer Smartcard


- Volunteers must be registered in DEERS via the Contractor Verification System (CVS)
- CVS Trusted Agents must re-verify volunteer sponsorship, just as for contractors
- AHRC will provide Army procedures and controls for issuance and lifecycle management of the Volunteer Smartcard
- Volunteers must be sponsored by a DoD military or civilian employee
- Sponsors follow the AHRC-designed process
- Sponsor collects the card when the volunteer is no longer eligible or no longer associated with the organization


VISUAL: Volunteer (Network Access) Card


1. Seal of sponsoring agency
2. No photograph or barcodes for physical access
3. Authorized for network access only
4. Volunteer status must be entered and verified by CVS


General Outline

To meet the operational requirement for CAC-like functionality for local foreign nationals, the ASCL process has been adjusted to create and issue ASCL tokens with three certificates. The ASCL token will have the following certificates installed:
1. Alternate Logon Certificate
2. Digital Signing Certificate
3. Digital Encryption Certificate

The issuance process is split into two phases:
- Phase 1: Standard ASCL token issuance
- Phase 2: Generation and installation of signing and encryption certificates


Phase 1
Phase 1 is the current ASCL token issuance process:
1. Nomination of a Trusted Agent (Europe already has Trusted Agents in place)
2. Trusted Agent requests ASCL tokens
3. Army Registration Authority (RA) issues ASCL tokens and ships them to the Trusted Agent
4. Trusted Agent gives ASCL tokens to their users; DD Form 2842s are signed and sent to the Army RA
5. Users request PINs
6. Users begin using the ASCL token with the logon certificate once the PIN is received


Phase 2
Phase 2 of the process is the issuance and installation of the digital signing and encryption certificates onto the ASCL token. Phase 2 can begin once the user has received their PIN.
1. User logs into the workstation using the ASCL token
2. User navigates to one of the following links:
   https://email-ca-17.c3pki.chamb.disa.mil/ca/emailauth.html
   https://email-ca-18.c3pki.den.disa.mil/ca/emailauth.html
3. User chooses the "Both Signing and Encryption Certificate" option on the first line
4. User types their AKO email address on the lines requesting their email address


Certificate Request Page (screenshot)


Phase 2 cont.
5. User clicks "Get Certificate"; the certificates are generated and installed on the ASCL token (the user is prompted for their PIN to complete the process)
6. User now has three certificates on their ASCL token
7. User can now digitally sign and encrypt email as if the ASCL token were a CAC

Important: The Army RA office has produced a guide covering this process. The guide has been sent to the Trusted Agents in Europe that require this functionality.


Army Certificate Validation

Tumbleweed Desktop Validator (DV) OCSP client
- Army end-user computers: distributed through the Army Golden Master; supports email signatures
- Army domain controllers: support CAC Cryptographic Logon (CCL) throughout the Army enterprise
- Private web servers: authentication to private web servers as directed by JTF-GNO (Task 12)

Defense Information Systems Agency (DISA) Robust Certificate Validation Service (RCVS)
- 4 CONUS nodes
- 2 OCONUS nodes (EUCOM, PAC)

Army OCSP responders
- National Guard, Reserve Command, Accessions Command, Corps of Engineers, MEDCOM, USAREUR, USAPAC, 8th Army Korea
- 7th Signal Command: enterprise management of OCSP

DoD Approved PKIs

JTF-GNO CTO 07-015 states that all web servers that host sensitive information will be configured to trust only DoD PKI-approved certificate authorities (CAs):
- DoD PKI
- DoD External CA (ECA)
- Federal Bridge Certificate Authority (FBCA) and members
- https://informationassurance.us.army.mil/cacpki/default.htm


Army HSPD-12 Implementation

HSPD-12 purpose
- Enhance security
- Reduce identity fraud
- Increase Government efficiency
- Protect personal privacy

Army HSPD-12 Working Group
- Co-led by G-2 and G-6 (NETCOM CAC/PKI)
- Formal participation from G-1, G-2, G-3/5/7, G-4, G-6, OPMG, ASA(ALT)
- Currently developing the Army HSPD-12 Implementation Plan

- The CAC is the DoD's HSPD-12 Personal Identity Verification (PIV) credential
- HSPD-12 vetting requirements apply to all PIV cardholders: National Agency Check with Written Inquiries (NACI)


DoD Tactical PKI Process Action Team

Army CAC/PKI is the TPKI PAT lead
- Review and integrate DoD PKI/Service PKI architecture
- Review and integrate DoD PKI/Service schedules
- Determine Joint and Service operational requirements
- Develop Joint Tactical Pilot Test Plan
- Develop Service-level Tactical Pilot Test Plans

Prepare for DoD Tactical PKI Pilot
- Pre-pilot activities began 1st Qtr FY09
- Phase I: JITC lab environment, 3rd Qtr FY09
- Phase II: Joint Tactical Testing Facility, 2nd Qtr FY10
- Phase III: Limited/controlled COCOM operational environment, 3rd Qtr FY10

SIPRNet Card Management Pilot

Two locations, 200 tokens
- Fort Meade: evaluating the issuance process (centralized, de-centralized, kiosk)
- Fort Belvoir: evaluating the issuance process, login, web server authentication, email signing and encrypting
- Schedule: RA training Sept 09; Oct - Dec 09


PKI Phase 2 Overview

JTF-GNO CTO 07-015, Public Key Infrastructure (PKI) Implementation, Phase 2
Background: The 12 tasks in JTF-GNO CTO 07-015 address the common attack vectors used by our adversaries, including socially engineered emails, traditional username and password vulnerabilities, and improper installation of PKI software certificates.

Goals:
- Improve overall network defense
- Limit phishing attacks
- Reduce username and password vulnerability on NIPRNet

Completed Tasks
- Task 1: Implement Digital Signature Policy
- Task 3: Implement Increased Password Security Measures
- Task 4: Removal of Software Certificate Installation Files
- Task 5: Identification of Non-PKI-based Authentication Methods
- Task 6: Identify Username/Password Accounts
- Task 7: Execute Enhanced Security Awareness Training
- Task 8: Identify Non-Windows Operating Systems in Use
- Task 11: Activate CRL Web Caching Capabilities at Base/Post/Camp/Station Level
- Task 12: Adjust Online Certificate Status Protocol (OCSP) Configurations to Increase Reliability

JTF-GNO CTO 07-015 Status

Task 2: UBE of CAC Cryptographic Logon
- 97% of non-privileged accounts
- 28% of system administrator accounts
- Retina, SMS and Hercules still require usernames and passwords

Tasks 9 and 10: Public Key Enabling Web Servers
- Web servers that host sensitive information must be:
  - configured to use ONLY certificate-based client authentication
  - configured to trust ONLY DoD PKI-approved certificates
  - configured to validate certificates at the time of authentication
- 74% complete
- Remaining:
  - Non-CAC holders: commercial, Federal and State partners
  - Legacy systems
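The three web-server rules in the status above, together with the approved-CA list on the DoD Approved PKIs slide, reduce to one relying-party check that a server must run for every presented client certificate. The Go program below is an added example written for this page, not Army, DISA or JTF-GNO code: it constructs a throwaway test hierarchy (one approved root, one foreign root, client certificates under each, and a CRL issued by the approved root) and runs a single AuthenticateClient function that accepts only chains anchored in the approved pool, requires the client-authentication extended key usage, and rejects a certificate that is revoked, whose CRL is not signed by its issuer, or whose CRL is past its NextUpdate at the moment of authentication. All names, serial numbers and lifetimes are constructed for the example; a real deployment would load the DoD-approved trust anchors and fetch current CRLs or OCSP responses rather than building them in-process.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// tmpl returns a certificate template: a CA that signs certs and CRLs, or a client-auth leaf.
func tmpl(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.ExtKeyUsage = true, true, nil
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// issue signs template t with parentKey; with parent == nil it produces a self-signed root.
func issue(t, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// AuthenticateClient applies the CTO 07-015 web-server rules to one presented client
// certificate: chain only to the approved roots, carry the client-auth EKU, and not be
// revoked per a CRL signed by the issuer and still current now. A stale CRL is a failure.
func AuthenticateClient(cert *x509.Certificate, approved *x509.CertPool,
	crl *x509.RevocationList, issuer *x509.Certificate, now time.Time) error {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: approved, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("crl signature: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return errors.New("crl: stale, revocation status cannot be validated at authentication time")
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("revoked: serial %s", cert.SerialNumber)
		}
	}
	return nil
}

// PKI is a constructed test hierarchy (not the DoD PKI), built entirely in memory.
type PKI struct {
	Approved                  *x509.CertPool
	Root                      *x509.Certificate
	CRL                       *x509.RevocationList
	Good, Revoked, Unapproved *x509.Certificate
}

func BuildPKI(now time.Time) *PKI {
	root, rootKey := issue(tmpl("CONSTRUCTED APPROVED ROOT CA", 1, true), nil, nil)
	other, otherKey := issue(tmpl("CONSTRUCTED FOREIGN ROOT CA", 2, true), nil, nil)
	good, _ := issue(tmpl("GOOD.USER.1234567890", 100, false), root, rootKey)
	revoked, _ := issue(tmpl("REVOKED.USER.0987654321", 101, false), root, rootKey)
	outsider, _ := issue(tmpl("OUTSIDER.USER", 200, false), other, otherKey)
	der := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now.Add(-time.Hour),
		NextUpdate: now.Add(6 * time.Hour), // this CRL is current for six hours only
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber,
			RevocationTime: now.Add(-30 * time.Minute)}},
	}, root, rootKey))
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return &PKI{Approved: pool, Root: root, CRL: must(x509.ParseRevocationList(der)),
		Good: good, Revoked: revoked, Unapproved: outsider}
}

func main() {
	now := time.Now()
	p := BuildPKI(now)
	fmt.Println("good:       ", AuthenticateClient(p.Good, p.Approved, p.CRL, p.Root, now))
	fmt.Println("revoked:    ", AuthenticateClient(p.Revoked, p.Approved, p.CRL, p.Root, now))
	fmt.Println("unapproved: ", AuthenticateClient(p.Unapproved, p.Approved, p.CRL, p.Root, now))
	fmt.Println("stale CRL:  ", AuthenticateClient(p.Good, p.Approved, p.CRL, p.Root, now.Add(12*time.Hour)))
}
```

The order of the checks matters: chain building against the restricted root pool runs first, so a certificate from a CA outside the approved set is rejected before any revocation data is consulted, and a CRL whose NextUpdate has passed is treated as "status unknown" and fails closed rather than silently passing the client through.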


Questions?
Army CAC/PKI: Army.CAC.PKI@us.army.mil, phone 866-738-3222
US Army Registration Authority: (703) 602-7527 (desk), army.ra@us.army.mil

Backup Slides


Italian Foreign Nationals

DoD memo, Common Access Card (CAC) Eligibility for Foreign National Personnel, signed by USD(P&R) on 9 MAR 2007:
"expanding CAC eligibility to include foreign national partners who have been properly vetted and who require access to a DoD facility or network to meet a DoD mission, ..."

- Fingerprints must be collected to obtain a CAC. The Italian government will not allow its citizens' biometric information to be hosted outside the EU/Italy, so no CAC for them.
- CIO/G-6 approved use of the Alternative Smart Card Logon token for Italian foreign nationals (FNs)
- The local Army security office is responsible for ensuring that the FN:
  - is not a known or suspected terrorist
  - has had his/her true identity verified
  - has undergone an appropriate background investigation that has been favorably adjudicated
- Token allows logical access only



Army Certificate Validation Locations

Theaters
- USAREUR is operating 2 repeaters
- US Eighth Army, Korea: 2 responders
- USARPAC plans to install 10 responders at strategic locations
- SWA has implemented a CRL web caching infrastructure

Army Commands
- The ARNG plans to operate a repeater in each state and territory and one central responder
- The USAR is operating 2 responders and 4 repeaters (1 responder and 2 repeaters at each of 2 locations)
- The US Army Accessions Command is operating OCSP responders in Indianapolis, IN and Fort Knox, KY
- The US Army Corps of Engineers is operating OCSP responders at Vicksburg, MS and Portland, OR
- The US Army Medical Command has purchased 13 OCSP responders

Installations
- Several CONUS installations have purchased OCSP responders and/or repeaters

Tactical PKI Pilot Testing Plan

Initiate pilot testing: 3rd Qtr FY09 (human element)

Pre-Pilot Activities (began 1st Qtr FY09)
- Develop baseline of business processes and policies
- Develop bandwidth test activities
- Develop test plan for JTRE and COCOM
- Develop Tactical Registration Authority (TRA) interface
- Coordinate with COCOMs in support of tactical pilot testing

Phase I: JITC Lab Environment (3rd Qtr FY09)
- Testing activities using non-operational CAs and certificates
- Test the TRA in various architectural and operational environments
- Evaluate the TRA capabilities and identify any deficiencies and modifications required
- Conduct and evaluate issuance/revocation bandwidth utilization test focusing on miniCRLs, delta CRLs, OCSP, and other potential reach-back solutions

Phase II: Joint Tactical Testing Facility Environment (2nd Qtr FY10)
- Testing at the JITC PKI lab and in a yet-to-be-determined Joint Tactical Testing Facility
- Test proposed tactical enterprise solution over simulated strategic and tactical communication networks
- Test token issuance and perform a revocation bandwidth utilization test focusing on miniCRLs, delta CRLs, OCSP, and other reach-back solutions

Phase III: Limited/Controlled COCOM Operational Environment (3rd Qtr FY10)
- Sub-CAs deployed to COCOMs
- Controlled operational testing, with operational certificates, conducted at a yet-to-be-determined OCONUS COCOM and associated DCSF
- Test tactical enterprise solution over operational strategic and tactical communication networks
