MANDATORY ACTIONS TO SECURE CONNECTIONS ACROSS MARINE CORPS WEBSITES AND WEB SERVICES
Date Signed: 6/14/2018 | MARADMINS Number: 335/18
R 141912Z JUN 18
MARADMIN 335/18
MSGID/GENADMIN/CMC WASHINGTON DC C4//
SUBJ/MANDATORY ACTIONS TO SECURE CONNECTIONS ACROSS MARINE CORPS WEBSITES AND WEB SERVICES//
REF/A/MSGID:DOC//OMB MEMORANDUM M-15-13/08 JUN 2015//
REF/B/MSGID:DOC//HQMC C4 CY WRAC/05JUN2018//
NARR/REF A IS OMB MEMORANDUM M-15-13, POLICY TO REQUIRE
SECURE CONNECTIONS ACROSS FEDERAL WEBSITES AND WEB
SERVICES, REF B IS EXPORT OF RESULTS OF HQMC C4 CY WEB
RISK ASSESSMENT CELL (WRAC) AUDIT//
POC/LETTEER, RAY A./GS15/HQMC C4 CY/TEL(COMM):703-693-3490/-//
GENTEXT/REMARKS/
1.  Purpose. In accordance with ref (a), this MARADMIN provides direction to Marine Corps units and web system owners to take actions to secure public facing websites.
2.  Background. Ref (a) directs that all publicly accessible Federal websites and web services only provide services through a secure connection; specifically that “Agencies must make all existing websites and services accessible through a secure connection (HTTPS-only, with HSTS) by December 31, 2016.”  An audit of USMC public facing sites (ref (b)) revealed that a number of sites were not in compliance.
3. Actions and Coordinating Instructions:
3.A. Owning Marine Corps Units / Organizations / System Owners
3.A.1. All Marine Corps units / organizations / system owners who are responsible for the websites or web services identified in ref (b) are hereby directed to take corrective actions to comply with ref (a), within 60 days of issuance of this MARADMIN by:
3.A.1.A.  Ensuring all public-facing websites and web services provide service through a secure connection (HTTPS-only, with HSTS).
3.A.1.B.  Ensuring SSLv2 and SSLv3 are disabled on web servers, and 3DES and RC4 ciphers are disabled on web servers.
3.A.1.C.  Technical instructions and guidelines for implementation of HTTPS-only with HSTS can be found at: https:(slash)(slash)https.cio.gov
3.A.2.  Marine Corps units / organizations / system owners who are unable to comply with this MARADMIN within the established timeline will submit justification via official message correspondence to HQMC DC-I C4 Cybersecurity Division, NLT 45 days from issuance of this MARADMIN.
3.B.  MARFORCYBERCOM
3.B.1.  Within 24 hours issue a task order with the list of non-compliant websites directing the actions listed in paragraph 3A.
3.B.2.  Within 60 days of issuance of this MARADMIN, MARFORCYBER will:
3.B.2.A.  Submit a list of Marine Corps domains / subdomains to HQMC C4 CY, for potential submission to “HSTS preload”.  The intent is to determine which of these domains / subdomains will have HTTP requests automatically redirected to the HTTPS version of the same URL, for any URL on that domain or its subdomains, by web browsers that support HSTS preload.
3.B.2.B.  In coordination with HQMC C4 CY, validate the existing list of USMC websites / web services on the DoD DMZ Whitelist to ascertain which, if any, require removal or update from the list. Intent is to ensure the Whitelist has accurate up-to-date information, and that websites that are no longer in use are removed from the list.
4.  Release authorized by Col L. M. Mahlock, Director, Command, Control, Communications, and Computers, Chief Information Officer of the Marine Corps.//
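
The checks in paragraphs 3.A.1.A and 3.A.1.B can be expressed as a small audit routine. This is an added example, not part of the MARADMIN or of any HQMC tooling. The host names, the observation fields and the finding texts are assumptions constructed for illustration, and the routine evaluates observations already collected by a scanner rather than connecting to any server.

```python
import re

REDIRECTS = {301, 302, 303, 307, 308}
BANNED_PROTOCOLS = {"SSLV2", "SSLV3"}                    # paragraph 3.A.1.B
BANNED_CIPHER = re.compile(r"3DES|DES-CBC3|RC4", re.I)   # OpenSSL and IANA spellings

def hsts_max_age(header):
    """Return max-age (seconds) from a Strict-Transport-Security value, or None."""
    for directive in (header or "").split(";"):
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            value = value.strip().strip('"')
            return int(value) if value.isdigit() else None
    return None

def audit(obs):
    """Return findings for one site; an empty list means nothing was flagged."""
    findings = []
    status, location = obs.get("http_status"), obs.get("http_location") or ""
    # HTTPS-only: port 80 is either closed (status None) or redirects to https://
    redirected = status in REDIRECTS and location.lower().startswith("https://")
    if status is not None and not redirected:
        findings.append("3.A.1.A: plain HTTP served without redirect to HTTPS")
    max_age = hsts_max_age(obs.get("hsts"))
    if max_age is None:
        findings.append("3.A.1.A: HSTS header missing or without valid max-age")
    elif max_age == 0:
        # max-age=0 instructs the browser to forget the HSTS policy
        findings.append("3.A.1.A: HSTS max-age=0 disables the policy")
    for proto in obs.get("protocols", []):
        if proto.upper() in BANNED_PROTOCOLS:
            findings.append(f"3.A.1.B: protocol {proto} enabled")
    for cipher in obs.get("ciphers", []):
        if BANNED_CIPHER.search(cipher):
            findings.append(f"3.A.1.B: cipher {cipher} enabled")
    return findings

# Constructed observations for two hypothetical hosts (not real scan data).
SAMPLES = {
    "site-a.example": {"http_status": 301, "http_location": "https://site-a.example/",
                       "hsts": "max-age=31536000; includeSubDomains; preload",
                       "protocols": ["TLSv1.2"], "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256"]},
    "site-b.example": {"http_status": 200, "http_location": None, "hsts": "max-age=0",
                       "protocols": ["SSLv3", "TLSv1.2"],
                       "ciphers": ["DES-CBC3-SHA", "RC4-SHA", "AES128-SHA"]},
}

if __name__ == "__main__":
    for host, obs in SAMPLES.items():
        print(host, audit(obs) or "no findings")
```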