DOD CYBERSECURITY SCORECARD: UPDATED POLICY FOR PUBLIC KEY ENABLEMENT (PKE) OF ALL MARINE CORPS ENTERPRISE NETWORK (MCEN) AUTHORIZED USERS, SYSTEM ADMINISTRATORS, PRIVILEGED USERS, AND NON-PERSON ENTITIES
Date Signed: 2/2/2016 | MARADMINS Number: 051/16
R 021916Z FEB 16
MARADMIN 051/16
MSGID/GENADMIN,USMTF,2007/CMC WASHINGTON DC C4//
SUBJ/DOD CYBERSECURITY SCORECARD: UPDATED POLICY FOR PUBLIC KEY ENABLEMENT (PKE) OF ALL MARINE CORPS ENTERPRISE NETWORK (MCEN) AUTHORIZED USERS, SYSTEM ADMINISTRATORS, PRIVILEGED USERS, AND NON-PERSON ENTITIES//
REF/A/MSGID:MARADMIN/CMC/DTG:012133ZDEC10//
REF/B/MSGID:MARADMIN/CMC/DTG:151650ZOCT12//
REF/C/MSGID:DOC/CMC/YMD:29SEP2015//
REF/D/MSGID:MARADMIN/CMC/DTG:080001ZSEP06//
REF/E/MSGID:MARADMIN/CMC/DTG:101724ZAPR13//
REF/F/MSGID:MARADMIN/CMC/DTG:261825ZSEP22//
REF/G/MSGID:DOC/NIST/YMD:20150122//
REF/H/MSGID:DOC/CNSSI/YMD:20100426//
NARR/REF A IS MARADMIN 672/10, POLICY FOR THE IDENTIFICATION, AUTHENTICATION, AND AUTHORIZATION OF INDIVIDUALS TO ACCESS UNCLASSIFIED PRIVATE WEBSITES, PORTALS, AND WEB-BASED APPLICATIONS. REF B IS MARADMIN 591/12, DOD SECRET INTERNET PROTOCOL ROUTER NETWORK (SIPRNET) PUBLIC KEY INFRASTRUCTURE (PKI), CRYPTOGRAPHIC LOGON (CLO), AND PUBLIC KEY ENABLEMENT (PKE) OF SIPRNET APPLICATIONS AND WEB SERVERS. REF C IS ECSM-007, ENTERPRISE CYBERSECURITY MANUAL RESOURCE ACCESS GUIDE. REF D IS MARADMIN 425-06, CRYPTOGRAPHIC LOGON (CLO) EXCEPTION ACCOUNT MANAGEMENT RESPONSIBILITIES TO COMMAND INFORMATION ASSURANCE MANAGERS (IAMS). REF E IS MARADMIN 197/13, USMC ENFORCEMENT OF CLO FOR USER ACCOUNTS ON SIPRNET. REF F IS MARADMIN 557/11, MARINE CORPS PUBLIC KEY ENABLEMENT WAIVER REQUEST PROCESS. REF G IS NIST SPECIAL PUBLICATION (SP) 800-53 REVISION 4. REF H IS COMMITTEE ON NATIONAL SECURITY SYSTEMS INSTRUCTION NO. (CNSSI) 4009.//
POC/DR. R. A. LETTEER/GS-15/UNIT:HQMC C4 CYBERSECURITY/ WASHINGTON DC/ TEL:703-693-3490/EMAIL: RAY.LETTEER(AT)USMC.MIL//
POC/CHRISTINE HESEMANN/GS-14/UNIT:HQMC C4 CYBERSECURITY/ WASHINGTON DC/ TEL:703-693-3490/EMAIL: CHRISTINE.HESEMANN(AT)USMC.MIL//
POC/VALORIE AGUILAR/GS-13/UNIT:HQMC C4 CYBERSECURITY/ WASHINGTON DC/ TEL:703-693-3490/EMAIL: VALORIE.J.AGUILAR(AT)USMC.MIL//
GENTEXT/REMARKS/1.  This message provides policy for the documentation and compliance reporting of requirements of refs A through D.  This is a mandatory requirement and applies to SIPRNET and NIPRNET, garrison and tactical, and all authorized users, system administrators (sysadmins), privileged users, and non-person entities (NPE).  The intent of this enforcement is to harden the Marine Corps Enterprise Network (MCEN) infrastructure and eliminate usernames and passwords.
2.  IAW refs A and B, all Marine Corps networks and network resources are required to use DoD approved PKI certificates for identification and authentication of all authorized users, system administrators, privileged users, and non-person entities.  Concurrently, all users are to authenticate to all MCEN network resources with the DoD approved PKI certificates assigned to their user role.  Presently, each user role will have separate PKI credentials reserved for sole use by that user role.
3.  Definitions.
3.A.  IAW refs G and H, a privileged account is defined as an information system account with the approved authorizations of a privileged user.  For purposes of the Scorecard this definition includes but is not limited to:
3.A.1.  Microsoft operating system privileged accounts, oftentimes referred to as “administrator accounts.”  (The count of this type of account can be derived through use of the DISA script, after subtracting out "service accounts.")
3.A.2.  Linux, Unix, or other operating system privileged accounts, oftentimes referred to as “root accounts.”
3.A.3.  Application privileged accounts, such as database privileged accounts, web server privileged accounts, etc. (Sometimes referred to as “sa” on SQL Server, “Systemaccounts” on Oracle databases, etc.)
3.A.4.  Developer privileged accounts.
3.A.5.  For purposes of the DoD Cybersecurity Scorecard, this definition DOES NOT include Service accounts.
3.B.  IAW ref H, a privileged user is defined as a user who is authorized (and therefore trusted) to perform security-relevant functions that ordinary users are not authorized to perform.
3.C.  "Emergency" and "backup" privileged accounts required by Security Technical Implementation Guides (STIGs) or other policy to be password only are to be dealt with as follows:
3.C.1.  Include them in the total number of privileged accounts.
3.C.2.  Do NOT include them as accounts technically requiring login via PKI.
3.C.3.  Do NOT count them as using an alternate 2-factor technology.
3.C.4.  In the comment field of the Cyberscope tool section 1.1.1o, identify how many of the non-PKI accounts are emergency or backup accounts and cite the STIGs or other authority requiring such accounts.  This will bring proper cognizance of the situation to senior leadership.
3.D.  Individuals with authorized user accounts, privileged user accounts, and/or privileged user accounts at the Domain or Enterprise level (for Microsoft, or the comparable level for other operating systems) will be addressed as follows:
3.D.1.  Authorized user account PKI certificates must be on a smartcard that is separate from privileged user account PKI certificates.
3.D.2.  Domain and Enterprise level account PKI certificates must be on a smartcard that is separate from lower level privileged account PKI certificates.
3.D.3.  For individuals with all three types of user accounts, three separate smartcards are required to accommodate the PKI certificates.
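The following is an added example, not part of this message, showing how the privileged account tallies in paragraphs 3.A and 3.C can be produced from Active Directory with the ActiveDirectory PowerShell module.  The privileged group list, the service-account naming convention ('svc-' prefix, excluded per 3.A.5) and the emergency/backup naming convention ('brk-' prefix, handled per 3.C) are assumed placeholders to be replaced with local standards.

```powershell
# Added example, not part of MARADMIN 051/16: tallies privileged accounts the way
# paragraphs 3.A and 3.C direct, using the ActiveDirectory module. Assumptions
# (placeholders, not from the message): the privileged group list, the service-account
# naming convention ('svc-' prefix, excluded per 3.A.5) and the emergency/backup
# naming convention ('brk-' prefix, treated per 3.C).
Import-Module ActiveDirectory

function Get-PkeScorecardCount {
    param(
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators'),
        [string]$ServiceAccountPattern = '^svc-',
        [string]$EmergencyAccountPattern = '^brk-'
    )
    # Unique enabled user members of the privileged groups, nested membership resolved
    $members = foreach ($g in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $g -Recursive | Where-Object { $_.objectClass -eq 'user' }
    }
    $users = $members | Sort-Object -Property distinguishedName -Unique | ForEach-Object {
        # SmartcardLogonRequired is the userAccountControl flag that actually enforces
        # CLO on the account; holding a PKI certificate alone is not enforcement.
        Get-ADUser -Identity $_.distinguishedName -Properties SmartcardLogonRequired
    } | Where-Object { $_.Enabled -and $_.SamAccountName -notmatch $ServiceAccountPattern }

    $emergency   = @($users | Where-Object { $_.SamAccountName -match $EmergencyAccountPattern })
    $pkiRequired = @($users | Where-Object { $_.SamAccountName -notmatch $EmergencyAccountPattern })
    $enforced    = @($pkiRequired | Where-Object { $_.SmartcardLogonRequired })

    [pscustomobject]@{
        TotalPrivileged   = @($users).Count          # 3.C.1: emergency/backup accounts included
        EmergencyOrBackup = $emergency.Count         # goes in the 1.1.1o comment field (3.C.4)
        RequiredToUsePki  = $pkiRequired.Count       # 3.C.2: emergency/backup accounts excluded
        PkiEnforced       = $enforced.Count
        NotEnforced       = @($pkiRequired | Where-Object { -not $_.SmartcardLogonRequired } |
                              Select-Object -ExpandProperty SamAccountName)
    }
}

Get-PkeScorecardCount | Format-List
```

The NotEnforced list is the set of accounts that still need the smart card requirement set before the 10 Mar 2016 deadline in paragraph 4.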
4.  Policy.  NLT 10 Mar 2016, all MCEN sysadmin and privileged user accounts will enforce PK-enabled, 2-factor log-in for all MCEN-N/S/L systems.
4.A.  DoD CIO no longer authorizes User ID/Password combinations.
4.B.  Waivers will only be considered for MCEN-S systems.  The G/S-6 via the MAGTF Information Technology Support Center (MITSC) Director may submit a funded POA&M, with a timeline not to exceed 180 days IAW procedures in ref G, through raoperations(at)usmc.mil to the AO for approval and signature.
5.  Policy.  Effective 10 Mar 2016 MARFORCYBER will direct the immediate account disablement for users who are PK-enabled, but are not enforced or compliant due to convenience.
5.A.  SIPRNET authorized users will cease to be CLO-exempt for access to Marine Corps SIPRNET systems.
5.B.  Units that have less than 95% issuance of SIPRNET Tokens will have the non-compliant authorized user accounts suspended until tokens are issued and enforced.
6.  Immediate Action.  MARFORCYBER will direct MCNOSC to remove CLO Exceptions for “.s accounts”.
6.A.  Ensure forest certificates are installed on the Marine Corps Enterprise Desktop Standardization (MCEDS) image and current workstations.
6.B.  Ensure the Local Policy is set to enable "Allow User Name Hint".
6.C.  Update MCEDS image and current workstations with new forest certificates as released.
6.D.  An acceptable alternative would be to issue Alt Tokens with the domain certs pre-loaded.  This would eliminate the need to load the cert package on every workstation.
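The following is an added example, not part of this message, that checks a workstation against paragraphs 6.A and 6.B: the forest certificates are present and unexpired in the machine Root or intermediate CA store, and the "Allow User Name Hint" policy is enabled.  It assumes the expected certificate thumbprints are supplied by the caller from the released certificate package, and that the registry value X509HintsNeeded under the SmartCardCredentialProvider policy key is the value that policy controls.

```powershell
# Added example, not part of MARADMIN 051/16: workstation readiness check for
# paragraphs 6.A and 6.B. Assumptions (not from the message): expected forest
# certificate thumbprints are passed in from the released cert package, and
# X509HintsNeeded is the registry value behind the "Allow User Name Hint" policy.
function Test-CloWorkstationReadiness {
    param(
        [Parameter(Mandatory)][string[]]$ExpectedThumbprints,  # from the released cert package
        [switch]$Remediate                                      # set the hint policy if missing
    )
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider'
    $hint = (Get-ItemProperty -Path $policyKey -Name X509HintsNeeded -ErrorAction SilentlyContinue).X509HintsNeeded
    $hintEnabled = ($hint -eq 1)
    if (-not $hintEnabled -and $Remediate) {
        New-Item -Path $policyKey -Force | Out-Null
        Set-ItemProperty -Path $policyKey -Name X509HintsNeeded -Value 1 -Type DWord
        $hintEnabled = $true
    }

    # Forest certificates must be present and unexpired; stale or missing copies
    # are a common cause of CLO failures against accounts in another forest.
    $installed = Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\LocalMachine\CA
    $now = Get-Date
    $status = foreach ($tp in $ExpectedThumbprints) {
        $cert = $installed | Where-Object { $_.Thumbprint -eq $tp } | Select-Object -First 1
        [pscustomobject]@{
            Thumbprint = $tp
            Installed  = [bool]$cert
            Expired    = if ($cert) { $cert.NotAfter -lt $now } else { $null }
            Subject    = if ($cert) { $cert.Subject } else { '' }
        }
    }
    $missing = @($status | Where-Object { -not $_.Installed -or $_.Expired })

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        UserNameHintSet   = $hintEnabled
        ForestCertsOk     = ($missing.Count -eq 0)
        CertificateStatus = $status
        Compliant         = ($hintEnabled -and $missing.Count -eq 0)
    }
}

# Placeholder thumbprint; replace with the values from the released forest cert package.
Test-CloWorkstationReadiness -ExpectedThumbprints @('0000000000000000000000000000000000000000') | Format-List
```

Run it against the MCEDS image build and again after each forest certificate release (6.C) so the Compliant field can be reported per workstation.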
7.  Immediate Action.  MARFORCYBER will direct MCNOSC to remove the CLO Exceptions for “.w accounts” by the use of one-time passwords.
7.A.  Implement the Local Admin Password Solution (LAPS) in Windows.
7.B.  Administrators would obtain the local admin password from LAPS through a Privileged Access Workstation accessed through the use of CAC, Alt Token, or SIPR Token.
7.C.  Administrators would then remote into the user's computer using the local admin account to provide the support.
7.D.  Once the Administrator logs off, the local admin password is then reset automatically to another random password, essentially making the local admin password a one-time use.
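The following is an added example, not part of this message, of a support-session wrapper for the paragraph 7 workflow built on the Microsoft LAPS cmdlets (AdmPwd.PS module) and Invoke-GPUpdate from the GroupPolicy module.  It assumes both modules are installed on the Privileged Access Workstation, that LAPS manages the built-in Administrator account, that the remote support step is modelled as a scriptblock run over PowerShell remoting, and that the audit log path is a placeholder.

```powershell
# Added example, not part of MARADMIN 051/16: wraps the paragraph 7 workflow so the
# retrieved LAPS password is expired as soon as the support session ends.
# Assumptions (not from the message): AdmPwd.PS and GroupPolicy modules are present
# on the PAW, the managed local account is the built-in Administrator, the support
# step is a scriptblock run over PowerShell remoting, and the audit log path is a placeholder.
Import-Module AdmPwd.PS
Import-Module GroupPolicy

function Invoke-LapsSupportSession {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][scriptblock]$SupportAction,     # the work done on the user's computer
        [string]$AdminAccountName = 'Administrator',            # account LAPS manages (assumption)
        [string]$AuditLog = 'C:\PAW\laps-support-audit.log'     # placeholder path
    )
    # 7.B: read the current password from the ms-Mcs-AdmPwd attribute; only the
    # delegated admin group holds read rights on it.
    $entry = Get-AdmPwdPassword -ComputerName $ComputerName
    if (-not $entry.Password) { throw "No LAPS password stored for $ComputerName" }
    $secret = ConvertTo-SecureString -String $entry.Password -AsPlainText -Force
    $cred = New-Object System.Management.Automation.PSCredential("$ComputerName\$AdminAccountName", $secret)
    "$(Get-Date -Format o) $env:USERNAME retrieved LAPS password for $ComputerName" | Add-Content -Path $AuditLog

    try {
        # 7.C: perform the support task as the local admin account
        Invoke-Command -ComputerName $ComputerName -Credential $cred -ScriptBlock $SupportAction
    }
    finally {
        # 7.D: expire the password now and trigger a policy refresh so the LAPS
        # client-side extension rotates it immediately instead of at the scheduled
        # expiry; this is what makes the retrieved password one-time use.
        Reset-AdmPwdPassword -ComputerName $ComputerName
        Invoke-GPUpdate -Computer $ComputerName -Target Computer -RandomDelayInMinutes 0 -Force -ErrorAction SilentlyContinue
        "$(Get-Date -Format o) LAPS password for $ComputerName expired after support" | Add-Content -Path $AuditLog
    }
}

# Usage with a placeholder computer name:
# Invoke-LapsSupportSession -ComputerName WS-PLACEHOLDER -SupportAction { Get-Service -Name Spooler }
```

The finally block runs even if the support step fails, so the password is expired on every path; the audit log gives the MITSC a record of which CAC/Alt Token holder retrieved which machine's password and when.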
8.  Long Term Action.  The Marine Corps plans to acquire a trusted proxy gateway solution that would allow PK-enabled, 2-factor access to all devices, regardless of operating system.
9.  This message supersedes and cancels refs D and E.
10.  Release authorized by BGen D. A. Crall, Director, Command, Control, Communications, and Computers (C4) Department/Deputy Department of the Navy Chief Information Officer of the Marine Corps.//