MARADMINS : 672/10
R 012133Z DEC 10
UNCLASSIFIED//
MARADMIN 672/10
MSGID/GENADMIN,USMTF,2007/CMC WASHINGTON DC C4(UC)/F002//
SUBJ/POLICY FOR THE IDENTIFICATION, AUTHENTICATION AND AUTHORIZATION OF INDIVIDUALS TO ACCESS UNCLASSIFIED PRIVATE WEBSITES, PORTALS AND WEB BASED APPLICATIONS//
REF/A/MSGID:MSG/DON CIO WASHINGTON DC/YMD:20091229//
REF/B/MSGID:DOC/ASD (NII) WASHINGTON DC/YMD:20040401//
REF/C/MSGID:DOC/JTF-GNO CTO/YMD:20071211/07-015//
REF/D/MSGID:MSG/MCNOSC QUANTICO VA/YMD:20080523//
NARR/REFERENCE A IS DON CIO MESSAGE ON PUBLIC KEY ENABLEMENT OF DON UNCLASSIFIED PRIVATE WEB SERVERS AND APPLICATIONS, AND DIRECTS THE MARINE CORPS TO PROMULGATE SERVICE SPECIFIC POLICY FOR THE USE OF CERTIFICATES ISSUED BY DOD AND DOD APPROVED EXTERNAL PUBLIC KEY INFRASTRUCTURES (PKI) AND TO VERIFY THAT ALL UNCLASSIFIED PRIVATE WEB SERVERS, NETWORKS, APPLICATIONS, AND PORTALS ARE PROPERLY CONFIGURED. REFERENCE B IS DODI 8520.2, PUBLIC KEY INFRASTRUCTURE (PKI) AND PUBLIC KEY ENABLING (PKE). REFERENCE C IS JOINT TASK FORCE GLOBAL NETWORK OPERATIONS COMMUNICATIONS TASKING ORDER 07-015 REGARDING PKI IMPLEMENTATION. REFERENCE D IS MARINE CORPS ENTERPRISE NETWORK OPERATIONAL DIRECTIVE 118-08 WHICH DIRECTS ENABLEMENT OF PRIVATE WEB SERVERS IN ACCORDANCE WITH REFERENCE C.//
POC/CHRISTINE HESEMAN/CIV/UNIT:HQMC C4 IA/NAME:WASHINGTON DC /TEL:7036933490//
POC/PRASSERTH YANG/MAJ/UNIT:HQMC C4 IA/NAME:WASHINGTON DC /TEL:7036933490//
GENTEXT/REMARKS/1. PER REFERENCE A, THIS MARADMIN PROVIDES POLICY FOR THE IDENTIFICATION, AUTHENTICATION AND ACCESS CONTROL FOR MARINE CORPS PRIVATE WEBSITES, PORTALS AND WEB BASED APPLICATIONS.
2. DEFINITIONS. THE FOLLOWING DEFINITIONS APPLY.
A. "PRIVATE FACING WEBSITE" IS ANY MARINE CORPS OWNED, OPERATED, CONTROLLED OR CONTRACTED SITE THAT PROVIDES ACCESS TO SENSITIVE INFORMATION THAT HAS NOT BEEN REVIEWED AND APPROVED FOR PUBLIC RELEASE.
B. "DOD APPROVED PKI CERTIFICATES" ARE DEFINED AS THOSE CERTIFICATES ISSUED UNDER THE CURRENT DOD PKI ROOT, DOD PKI EXTERNAL CERTIFICATE AUTHORITY (CA) ROOT, AND THOSE CERTIFICATES ISSUED FROM PKI'S LISTED ON THE DOD APPROVED EXTERNAL PKI LIST. THIS INCLUDES APPROVED NON-DOD ORGANIZATIONS INCLUDING U.S. FEDERAL AGENCIES, STATE/LOCAL/TRIBAL GOVERNMENT ORGANIZATIONS, AND EXTERNAL DOD INDUSTRY PARTNERS.
3. BACKGROUND. IN ACCORDANCE WITH REFERENCES B, C, AND D, ALL MARINE CORPS NETWORKS AND NETWORK RESOURCES ARE REQUIRED TO USE DOD APPROVED PKI CERTIFICATES FOR IDENTIFICATION AND AUTHENTICATION. CERTAIN WEBSITES, PORTALS AND WEB-BASED APPLICATIONS CONTAIN SENSITIVE INFORMATION NOT APPROVED FOR PUBLIC RELEASE AND REQUIRE MORE STRINGENT ACCESS BASED UPON NEED-TO-KNOW RESTRICTIONS. THESE PRIVATE WEBSITES, PORTALS AND WEB BASED APPLICATIONS SHOULD ONLY GRANT ACCESS TO THE INFORMATION BASED UPON THE INDIVIDUAL'S AUTHORIZATION TO VIEW THAT INFORMATION. PKI AUTHENTICATION ALONE DOES NOT PROVIDE THE BASIS FOR AUTHORIZATION DECISIONS. IMPROPER USE OF PKI AS AN ACCESS CONTROL MECHANISM MAY INADVERTENTLY ALLOW UNINTENDED USERS TO GAIN ACCESS TO SYSTEMS AND INFORMATION FOR WHICH THEY ARE NOT AUTHORIZED. CONVERSELY, ONLY ACCEPTING DOD ISSUED PKI CERTIFICATES RESTRICTS ACCESS TO INFORMATION NEEDED BY NON-DOD INDIVIDUALS, WHICH POSES OPERATIONAL DIFFICULTIES IN INFORMATION SHARING. IN AN EFFORT TO USE OTHER PKI'S, THE DOD PKI PROGRAM MANAGEMENT OFFICE HAS APPROVED THE USE OF EXTERNAL PKI'S THAT ARE CROSS CERTIFIED WITH THE FEDERAL BRIDGE. A LIST OF THE DOD APPROVED EXTERNAL CERTIFICATES IS AVAILABLE ON THE ARMY KNOWLEDGE ONLINE (AKO) PUBLIC KEY ENABLEMENT (PKE) WEBSITE LOCATED AT HTTPS:(SLASH SLASH) WWW.US.ARMY.MIL/SUITE/PAGE/571419.
4. POLICY. ALL MARINE CORPS OWNED, OPERATED, AND CONTROLLED UNCLASSIFIED PRIVATE WEBSITES, PORTALS AND WEB BASED APPLICATIONS ARE REQUIRED TO LIMIT INFORMATION ACCESS TO ONLY AUTHORIZED INDIVIDUALS ON A NEED-TO-KNOW BASIS USING DOD APPROVED PKI'S AND ESTABLISHED USER ACCOUNTS.
A. IN ACCORDANCE WITH REFERENCE A, ALL OWNERS OF UNCLASSIFIED PRIVATE WEBSITES, WEB APPLICATIONS, AND PORTALS SHALL VERIFY PROPER CONFIGURATION NO LATER THAN 365 DAYS FROM THE RELEASE OF THIS MARADMIN.
B. THE MARINE CORPS NETWORK OPERATIONS AND SECURITY COMMAND (MCNOSC) WILL ISSUE AN OPERATIONAL DIRECTIVE (OPDIR) DETAILING IMPLEMENTATION, SCHEDULE, AND REQUIRED REPORTING GUIDANCE.
C. ALL OWNERS SHALL UPDATE AND SUBMIT THE CURRENT CERTIFICATION AND ACCREDITATION TO DOCUMENT THE ACCEPTANCE OF PKI CERTIFICATES AND USER AUTHORIZATION METHODOLOGY FOR EVALUATION AND APPROVAL BY THE USMC DESIGNATED ACCREDITING AUTHORITY (DAA).
5. CANCELLATION CONTINGENCY. THIS MARADMIN, UNLESS SUPERSEDED, IS CANCELLED 30 NOVEMBER 2011.
6. RELEASE AUTHORIZED BY BGEN K. J. NALLY, DIRECTOR, COMMAND, CONTROL, COMMUNICATIONS, AND COMPUTERS.//