MARADMINS : 028/12
R 121340Z JAN 12
UNCLASSIFIED//
MARADMIN 028/12
MSGID/GENADMIN/CMC WASHINGTON DC C4//
SUBJ/ISSUANCE AND USE OF MOBILE CODE SIGNING CERTIFICATES WITHIN THE MARINE CORPS//
REF/A/DOC/DOD/23OCT06//
AMPN/DOD INST 8552.01 USE OF MOBILE CODE TECHNOLOGIES IN DOD INFORMATION SYSTEMS.//
POC/RAY LETTEER/CIV/HQMC C4 CY/LOC: ARLINGTON, VA/TEL: 703-693-3490/E-MAIL: RAY.LETTEER(AT)USMC.MIL//
POC/MARK SCHAEFER/LTCOL/HQMC C4 CY/LOC: ARLINGTON, VA/TEL: 703-693-3490/E-MAIL: MARK.R.SCHAEFER(AT)USMC.MIL//
POC/CHRISTINE HESEMANN/CIV/HQMC C4 CY/LOC: ARLINGTON, VA/TEL: 703-693-3490/E-MAIL: CHRISTINE.HESEMANN(AT)USMC.MIL//
GENTEXT/REMARKS/1. PURPOSE. THIS MESSAGE IMPLEMENTS POLICY ON USING MOBILE CODE SIGNING CERTIFICATES IAW REF A.
2. BACKGROUND. REF A DEFINES MOBILE CODE AS "SOFTWARE OBTAINED FROM REMOTE SYSTEMS OUTSIDE THE ENCLAVE BOUNDARY, TRANSFERRED ACROSS A NETWORK, AND THEN DOWNLOADED AND EXECUTED ON A SYSTEM WITHOUT EXPLICIT INSTALLATION OR EXECUTION BY THE RECIPIENT." MOBILE CODE CERTIFICATE IS DEFINED AS "A PUBLIC KEY INFRASTRUCTURE (PKI) CERTIFICATE WHOSE ASSOCIATED PRIVATE KEY CAN BE USED FOR DIGITALLY SIGNING CODE. SUCH A CERTIFICATE HAS A SPECIALLY ASSIGNED ATTRIBUTE, REFERRED TO AS THE CODE-SIGNING OBJECT IDENTIFIER, SET TO 'ENABLED.'"
3. POLICY. THIS POLICY APPLIES TO ALL SYSTEMS OWNED OR OPERATED ON BEHALF OF THE MARINE CORPS USED TO PROCESS, TRANSMIT, STORE OR DISPLAY MARINE CORPS INFORMATION, INCLUDING MOBILE DEVICES CAPABLE OF EXECUTING MOBILE CODE.
A. MOBILE CODE TECHNOLOGY USED IN MARINE CORPS ENTERPRISE NETWORK (MCEN) INFORMATION SYSTEMS WILL MEET THE REQUIREMENTS OF REF A. AUTOMATIC EXECUTION OF ALL CATEGORIES OF MOBILE CODE IN EMAIL BODIES AND ATTACHMENTS SHALL BE DISABLED. MOBILE CODE SIGNING CERTIFICATES SHALL BE REQUESTED BY THE PROGRAM MANAGER.
B. MOBILE CODE SIGNED BY A MARINE CORPS CODE SIGNER WITH A VALID DOD CERTIFICATE PROVIDES ASSURANCE THE MOBILE CODE COMES FROM A TRUSTED SOURCE AND HAS NOT BEEN MODIFIED IN TRANSIT. MOBILE CODE SIGNING CERTIFICATES WITH A THREE-YEAR VALIDITY PERIOD SHALL BE ISSUED FOR A PERIOD OF 12 MONTHS OF CODE SIGNING USE. CODE SIGNERS REQUIRING CONTINUED MOBILE CODE SIGNING CAPABILITY WILL BE ISSUED NEW CERTIFICATES AFTER REAPPOINTMENT.
C. THE USMC APPROVING AUTHORITY (AO) IS THE CODE SIGNING ATTRIBUTE AUTHORITY (CSAA) WHO APPROVES NOMINATIONS BY COMMANDING OFFICERS (CO)/OFFICERS IN CHARGE (OIC) OF CODE SIGNERS AND APPROVES PROGRAM MANAGER'S (PM) REQUESTS FOR MOBILE CODE SIGNING CERTIFICATES.
D. CO/OIC WILL NOMINATE CODE SIGNERS ON AN ANNUAL BASIS. NOMINATIONS WILL BE ON COMMAND LETTERHEAD AND SUBMITTED FOR AO AUTHORIZATION BY EMAILING TO HQMC(UNDERSCORE)C4CY(UNDERSCORE)IDMGT(AT)USMC.MIL. CODE SIGNERS WILL BE EITHER SYSTEM DEVELOPERS OR SYSTEM ADMINISTRATORS WHO:
1. ARE MARINE CORPS MILITARY, CIVILIAN EMPLOYEE OR CONTRACTOR;
2. HAVE NOT BEEN CONVICTED OF A FELONY;
3. HAVE NOT BEEN DENIED A SECURITY CLEARANCE OR HAD A SECURITY CLEARANCE REVOKED FOR CAUSE;
4. HAVE NOT BEEN RELIEVED OF CERTIFICATE AUTHORITY (CA), REGISTRATION AUTHORITY (RA) OR LOCAL REGISTRATION AUTHORITY (LRA) DUTIES OR DUTIES RELATED TO A POSITION OF TRUST FOR NEGLIGENCE OR NON-PERFORMANCE OF DUTIES.
E. CODE SIGNERS ARE AUTHORIZED TO SIGN CODE GENERATED IN AN APPLICATION USING A FEATURE ORGANIC TO THE APPLICATION AND/OR CODE DEVELOPED AND SIGNED BY A STAND-ALONE CODE SIGNING APPLICATION.
F. PM WILL SUBMIT REQUESTS FOR INITIAL ISSUANCE OR REISSUANCE OF MOBILE CODE SIGNING CERTIFICATES VIA COMMAND LETTERHEAD FOR AO AUTHORIZATION BY EMAILING TO HQMC(UNDERSCORE)C4CY(UNDERSCORE)IDMGT(AT)USMC.MIL. REQUEST DECISIONS WILL BE PROVIDED TO THE PM WITH A COPY TO THE MCNOSC PKI TEAM.
G. MOBILE CODE CERTIFICATES ISSUED TO A CODE SIGNER WHO DOES NOT MEET THE ANNUAL REQUIREMENT WILL BE REVOKED AT THE END OF A 30-DAY GRACE PERIOD.
4. MOBILE CODE CERTIFICATES WILL BE REVOKED BY MCNOSC RA OPERATIONS WHEN:
A. THE CERTIFICATE TOKEN IS LOST, STOLEN OR SUSPECTED OF BEING COMPROMISED;
B. THE CODE SIGNER LEAVES THE SPONSORING ORGANIZATION WITHOUT RETURNING THE CERTIFICATE TOKEN; VIOLATES THE SUBSCRIBER AGREEMENT; OR IS SUSPECTED OF FRAUD OR OTHER ADVERSE BEHAVIOR;
C. UNDER CONDITIONS AS DETERMINED BY THE AO, PM, OR MCNOSC RA OPERATIONS. THE MARINE CORPS REGISTRATION AUTHORITY WILL PUBLISH TO THE MCNOSC WEBSITE AT HTTPS:(SLASH SLASH) WWW.MCNOSC.USMC.MIL A STANDARD OPERATING PROCEDURE WITHIN 30 DAYS OF THE DATE OF THIS POLICY WHICH WILL PROVIDE PROCEDURES, ISSUANCE, MAINTENANCE AND REVOCATION OF MOBILE CODE SIGNING CERTIFICATES.
5. RELEASE AUTHORIZED BY BGEN K. J. NALLY, DIRECTOR, COMMAND, CONTROL, COMMUNICATIONS, AND COMPUTERS.//