GUIDANCE FOR THE ACCEPTANCE OF DOD APPROVED PKI CERTIFICATES FOR MCEN USER AUTHENTICATION
Date Signed: 8/20/2020 | MARADMINS Number: 475/20

R 192131Z AUG 20
MARADMIN 475/20
MSGID/GENADMIN/CMC DCI IC4 WASHINGTON DC//
SUBJ/GUIDANCE FOR THE ACCEPTANCE OF DOD APPROVED PKI CERTIFICATES FOR MCEN USER AUTHENTICATION//
REF/A/ECSM 013/DTD 08 AUG 2018//
REF/B/MARADMIN 225/20/DTD 08 APR 2020//
REF/C/MARADMIN 152/19/DTD 12 MAR 2019//
POC/DR. R. A. LETTEER/CIV/DC I IC4/TEL: 703-693-3490/EMAIL: RAY.LETTEER@USMC.MIL//
POC/C. A. HESEMANN/CIV/DC I IC4/TEL: 703-693-3490/EMAIL: CHRISTINE.HESEMANN@USMC.MIL//
NARR/REF A IS ENTERPRISE CYBERSECURITY MANUAL (ECSM) 013 PUBLIC KEY INFRASTRUCTURE (PKI). REF B MARADMIN 225/20 “UPDATED GUIDANCE AND TIMELINE FOR MODERNIZING THE COMMON ACCESS CARD (CAC) – STREAMLINING IDENTITY AND IMPROVING OPERATIONAL INTEROPERABILITY.”  REF C IS MARADMIN 152/19 “ACCEPTANCE OF NON-DOD FEDERAL PERSONNEL PERSONAL IDENTIFICATION VERIFICATION (PIV) CARDS FOR LOGICAL AND PHYSICAL ACCESS.”//
GENTEXT/REMARKS/1.  Background.  Ref (a) aligns the Marine Corps’ activities with DoD-directed requirements to leverage all DoD approved PKI certificate types for network and other resource user authentication based upon user population type and credential eligibility.  Ref (b) provides updated guidance and deadlines for network resources to transition to the Federal PIV Authentication (Auth) certificate for authentication of users presenting CAC-based PKI certificates.  Ref (c) provides policy for the acceptance of non-DoD Other Federal PKI certificates when users present a non-DoD Federal PIV-based PKI certificate for authentication to Marine Corps Enterprise Network resources for logical access.
2.  Guidance.  In accordance with refs (a) and (c), the Marine Corps has approved PKI use of different types of certificates, including identity, authentication, signature, encryption, group/role, device, and code signing to satisfy operational requirements for user authentication.  System, application, and web resource owners and administrators shall:
2.a.  NLT 1 Sep 2020 ensure compliance with ref (b) for users authenticating with DoD-issued PIVAuth PKI certificates encoded to a CAC per SECDEF direction.
2.b.  Review user base roles and ensure users presenting other DoD-approved PKI certificates as outlined in refs (a) and (c) can authenticate based upon role and credential eligibility.
3.  External Certificate Authority (ECA) certificates are specifically authorized for applying digital signatures, encrypting email, and accessing web-based systems, applications and sites.  Effective immediately, ECA certificates will be implemented for use in the Marine Corps for web-based systems and applications.  ECA certificates are not authorized for authentication to network accounts.  Systems relying on Active Directory for authentication are not authorized to accept ECA certificates due to the network account restriction.
4.  Foreign Military Affiliates (FMA), to include International Military Students (IMS), are transitioning from CAC to Alternate Login Tokens (AltTokens).  Organizations hosting FMA and IMS will request and issue AltTokens through the local Marine Corps PKI Trusted Agents at the organizational level.
5.  Failure to accept DoD-approved PKI certificates for non-DoD issued PKI will create a denial of service to the impacted user base until the system, application, or web-based resource is updated.
6.  Release authorized by BGen Lorna M. Mahlock, Director, Information, Command, Control, Communications and Computers (IC4) Deputy Commandant for Information (DCI).//