IMPLEMENTATION OF AN ALTERNATE TOKEN TO ENABLE CRYPTOGRAPHIC LOGON (CLO) FOR SYSTEM ADMINISTRATORS ON THE MARINE CORPS
Date Signed: 2/2/2007 | MARADMINS Number: 073/07

UNCLAS
021346Z FEB 07
CMC WASHINGTON DC(UC)
AL MARADMIN(UC)
MARADMIN
MARADMIN 073/07
MSGID/GENADMIN/R1//
SUBJ/IMPLEMENTATION OF AN ALTERNATE TOKEN TO ENABLE CRYPTOGRAPHIC
/LOGON (CLO) FOR SYSTEM ADMINISTRATORS ON THE MARINE CORPS //
REF/A/DESC:MSG-GLOBAL NETWORK DEFENSE COMMUNICATIONS TASKING ORDER/-
/171100Z0JAN2006//
REF/B/MSGID:GENADMIN/CMC WASHINGTON DC C4/300733Z6MAR2006//
REF/C/DESC:MEMO-ASD NII CIO-APPROVAL OF THE ALTERNATE LOGON TOKEN/-
/14AUG2006//
REF/D/DESC:MEMO-HQMC C4 IA TO MARCORSYSCOM/ALT TOKEN REQUIREMENTS DOC
/05OCT2006//
NARR/REF A MANDATED THE ACCELERATED IMPLEMENTATION OF PUBLIC KEY
INFRASTRUCTURE (PKI) ACROSS THE DOD TO INCLUDE CLO. REF B IS
MARADMIN 155/06 WHICH PROVIDES USMC POLICY FOR IDENTIFICATION AND
AUTHENTICATION TO NETWORK RESOURCES. REF C IS ASD NII CIO
MEMORANDUM APPROVING THE USE OF AN ALTERNATE LOGON TOKEN. REF D
IS HQMC, C4 IA MEMO TO MARCORSYSCOM PROVIDING REQUIREMENTS
GUIDANCE TO IMPLEMENT THE ALTERNATE TOKEN WITHIN THE MCEN.//
POC/J. UCHYTIL/CAPT/HQMC C4 IA/LOC:WASHINGTON DC/TEL:DSN 223-3490
/TEL:703-693-3490/EMAIL:joseph.uchytil@usmc.mil//
POC/COMMAND CENTER/WATCH OFFICER/MCNOSC OPERATIONS/LOC:QUANTICO, VA
/TEL:DSN 278-5300/TEL:COM 703-784-5300/EMAIL:mcnoscwo@mcnosc.usmc.mil
//
GENTEXT/REMARKS/1. PURPOSE. THE PURPOSE OF THIS MESSAGE IS TO
DIRECT ACTIONS IN ORDER TO IMPLEMENT THE USE OF AN APPROVED
ALTERNATE TOKEN FOR SYSTEM ADMINISTRATORS ON THE MCEN THEREBY
REDUCING THE NUMBER OF ACCOUNTS STILL USING USERNAME AND
PASSWORD FOR ACCESS TO THE NIPRNET.
2. BACKGROUND. REF A DIRECTED THE ACCELERATED IMPLEMENTATION OF
DOD PKI ON THE NIPRNET. A MAJOR TASK OF REF A WAS THE
IMPLEMENTATION OF CRYPTOGRAPHIC LOGON (CLO). CLO IS DEFINED AS
THE USE OF A COMMON ACCESS CARD (CAC) AND PERSONAL IDENTIFICATION
NUMBER (PIN) TO LOG ON TO NETWORK COMPUTERS. DUE TO SEVERAL
TECHNICAL LIMITATIONS AND DOD POLICIES, AUTHORIZED ACCOUNT TYPES
LISTED IN REF B HAVE BEEN IDENTIFIED AS EXCEPTION ACCOUNTS AND
ARE CURRENTLY EXEMPT FROM CLO ENFORCEMENT. THROUGH THE APPROVAL
FOR THE USE OF THE ALTERNATE TOKEN ON THE NIPRNET, THE DOD ASD
NII CIO HAS PROVIDED A MEANS TO OVERCOME THE TECHNICAL AND DOD
POLICY ISSUES THAT PREVIOUSLY EXEMPTED AUTHORIZED ACCOUNT TYPES,
SUCH AS SYSTEM ADMINISTRATORS, FROM ENFORCEMENT OF CLO.
3. GOAL. THE GOAL OF THIS MESSAGE IS TO PROVIDE DIRECTION AND
GUIDANCE FOR REDUCING THE NUMBER OF EXCEPTION ACCOUNTS LISTED
UNDER REF B. THIS MESSAGE DIRECTS THE ISSUANCE AND USE OF AN
ALTERNATE TOKEN BY SYSTEM ADMINISTRATORS ON THE MCEN AND THE
USMC NAVY AND MARINE CORPS INTRANET (NMCI) COMMUNITY OF INTEREST
(COI). THE ULTIMATE GOAL IS TO ELIMINATE ALL USE OF
USERNAME/PASSWORD ON THE NIPRNET, THROUGH TECHNOLOGICAL ADVANCES
AND/OR POLICY CHANGES.
4. POLICY. RECOGNIZING THAT THERE ARE CERTAIN USER GROUPS WITHIN
THE MARINE CORPS WHERE DOD PKI CERTIFICATES ON A COMMON ACCESS
CARD (CAC) CANNOT BE USED TO ACCESS NETWORK RESOURCES, THIS
MARADMIN PERMITS THE USE OF AN ALTERNATE TOKEN AS SPECIFIED
BELOW:
A. IN ACCORDANCE WITH THE REFS, AND CONTINGENT UPON THE
FULFILLMENT OF RESPONSIBILITIES OUTLINED IN PARAGRAPH 5 OF THIS
DIRECTIVE, THE USE OF AN ALTERNATE TOKEN FOR ACCESS TO MARINE
CORPS ENTERPRISE NETWORK RESOURCES IS AUTHORIZED FOR SYSTEM
ADMINISTRATORS. ADDITIONAL USER COMMUNITIES WILL BE ADDRESSED IN
A FUTURE MARADMIN.
B. THE ALTERNATE TOKEN WILL BE ISSUED SPECIFICALLY FOR
LOGICAL ACCESS TO THE NIPRNET AND MCEN RESOURCES. IT IS NOT
INTENDED TO PROVIDE ANY PHYSICAL SECURITY ACCESS NOR WILL IT BE
CONSIDERED A VALID FORM OF IDENTIFICATION.
5. ACTION.
A. MCNOSC.
1). UPDATE THE USMC CERTIFICATE PRACTICE STATEMENT (CPS)
FOR REGISTRATION AUTHORITIES (RAS) AND LOCAL REGISTRATION
AUTHORITIES (LRAS) TO ALLOW FOR THE ISSUANCE OF AN ALTERNATE
TOKEN.
2). PROVIDE A PLAN OF ACTION AND MILESTONES (POA&M) FOR
THE OPERATIONAL TESTING AND IMPLEMENTATION OF AN ALTERNATE TOKEN
IN ACCORDANCE WITH REF C FOR USE BY SYSTEM ADMINISTRATORS BY
15 DEC 2006. POA&M WILL INCLUDE LIST OF RESOURCES REQUIRED TO
IMPLEMENT; DEVELOPMENT OF CONCEPT OF OPERATIONS AND STANDARD
OPERATING PROCEDURES FOR ISSUANCE AND REVOCATION; DATE FOR
INITIAL OPERATIONAL CAPABILITY; AND DATE FOR FULL OPERATIONAL
CAPABILITY.
3). COORDINATE AS NECESSARY WITH NMCI TO ENSURE
INTEROPERABILITY ACROSS THE MCEN AND USE ON USMC NMCI COI.
4). COORDINATE AS NECESSARY WITH MARCORSYSCOM TO
ENSURE PROPER IMPLEMENTATION OF REQUIREMENTS.
B. C4, IA. UPON APPROVAL OF POA&M AND FULL OPERATIONAL
CAPABILITY OF ALTERNATE TOKEN PROCESS, UPDATE REF B TO REFLECT
CHANGE IN AUTHORIZED EXCEPTION LIST.
6. TECHNICAL INQUIRIES SHOULD BE DIRECTED TO THE MCNOSC
OPERATIONS CENTER AT DSN 278-5300, COMM 703-784-5300, OR UNCLAS
E-MAIL: SMB USMC MCNOSC COMMAND CENTER@MCNOSC.USMC.MIL.//