MARADMINS : 185/16
R 011555Z APR 16
MARADMIN 185/16
MSGID/GENADMIN/CMC WASHINGTON DC C4//
SUBJ/UPDATED POLICY FOR PUBLIC KEY ENABLEMENT (PKE) OF ALL MARINE CORPS ENTERPRISE NETWORK (MCEN) AUTHORIZED USER AND PRIVILEGED ACCOUNTS //
REF/A/DEP SEC DEF/OSD010602-15/CMD013989-15/20151026//
REF/B/HQMC C4 CY/021916Z FEB 16//
REF/C/HQMC C4 CY/29SEP2015//
REF/D/NIST SP 800-53R4/20150122//
REF/E/CNSSI 4009/20100426//
NARR/REF A IS DOD CYBERSECURITY CAMPAIGN-CYBERSECURITY IMPLEMENTATION PLAN. REF B IS MARADMIN 051/16, DOD CYBERSECURITY SCORECARD: UPDATED POLICY FOR PUBLIC KEY ENABLEMENT (PKE) OF ALL MARINE CORPS ENTERPRISE NETWORK (MCEN) AUTHORIZED USERS, SYSTEM ADMINISTRATORS, PRIVILEGED USERS, AND NON-PERSON ENTITIES. REF C IS ECSM-007, ENTERPRISE CYBERSECURITY MANUAL RESOURCE ACCESS GUIDE. REF D IS NIST SPECIAL PUBLICATION (SP) 800-53 REVISION 4. REF E IS COMMITTEE ON NATIONAL SECURITY SYSTEMS INSTRUCTION NO. (CNSSI) 4009.//
POC/DR. R. A. LETTEER/GS-15/UNIT:HQMC C4 CYBERSECURITY/WASHINGTON DC/TEL:703-693-3490/EMAIL: RAY.LETTEER(AT)USMC.MIL//
POC/CHRISTINE HESEMANN/GS-14/UNIT:HQMC C4 CYBERSECURITY/ WASHINGTON DC/TEL:703-693-3490/EMAIL: CHRISTINE.HESEMANN(AT) USMC.MIL//
POC/VALORIE AGUILAR/GS-13/UNIT:HQMC C4 CYBERSECURITY/WASHINGTON DC/ TEL:703-693-3490/EMAIL: VALORIE.J.AGUILAR(AT)USMC.MIL//
GENTEXT/REMARKS/1. Adversaries are becoming increasingly aggressive, as evidenced by the growing number of cyber-attacks on Federal and DoD computer systems and networks. IAW Ref A, the Marine Corps is degrading the adversaries' ability to maneuver on Marine Corps networks by enforcing strong authentication. This message provides policy for the documentation and compliance reporting of the requirements of Refs A, B, and C. This is a MANDATORY requirement and applies to SIPRNET and NIPRNET, garrison and tactical, and to all authorized users, system administrators (sysadmins), and privileged users. The intent of this enforcement is to harden the Marine Corps Enterprise Network (MCEN) infrastructure and eliminate username and password authentication.
2. Marine Corps networks and network resources are required to use DoD-approved PKI certificates for identification and authentication of all authorized users, system administrators, privileged users, and non-person entities. All users shall authenticate to all MCEN network resources with the DoD-approved PKI certificate assigned to the role in which they are acting. Each user role (e.g., authorized user versus privileged user) will have its own PKI credential, used solely for that role.
3. Privileged Accounts. Refs B, D, and E provide the definition of privileged accounts.
4. Policy. NLT 01 May 2016, the Marine Corps requires smart card authentication for interactive logon to authorized user and privileged accounts on all MCEN-N, MCEN-L, and MCEN-S systems. The following items have exclusions, exemptions, and conditions for this direction. All such systems shall still be counted, but reported as compliant, in the monthly DoD Cybersecurity Scorecard to C4/CY.
4.a. Systems that have no connection to the DoDIN/MCEN, such as specialized tactical hand-held devices, radar devices, modeling and simulation systems, measurement systems used for vehicles or aircraft, and other stand-alone information technology equipment not integrated with Microsoft Active Directory, are exempted.
4.b. Operational technology (OT) systems, such as supervisory control and data acquisition (SCADA) and industrial control systems (ICS), are exempted; however, the human interface systems for SCADA and ICS shall comply with this directive.
4.c. Network infrastructure devices (e.g., routers and switches) are exempted.
4.d. Information technology equipment using the Linux/Unix operating system is exempted unless integrated with Microsoft Active Directory (AD).
4.e. Assured Compliance Assessment Solution (ACAS) Scanners are exempted.
4.f. Non-Person Entity (NPE) accounts or NPE service accounts are exempted.
4.g. Tactical networks supporting exercises outside of the garrison environment may be waived for the duration of the exercise. Units needing to temporarily implement user ID and password combinations for short-term tactical deployments and exercises shall include, in any request for waiver or exemption submitted prior to the exercise or deployment, the process for managing the implementation and change actions, the timelines, and the specific systems affected.
4.h. Any systems appropriately entered into the Department of Defense Information Technology Portfolio Repository Department of the Navy (DITPR-DON) that have waivers or exemptions on file are exempted. Upon expiration or revocation of any waivers or exemptions, such systems must immediately comply with this directive. C4/CY will provide a current waiver/exemption list upon request.
4.i. Systems and applications accessed with a username and password after the user has first authenticated to Active Directory with a smart card are exempted, provided the Active Directory account is Cryptographic Log-On (CLO) enforced. Any application that cannot be accessed by CLO-enforced users must be approved by C4/CY.
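The following PowerShell script is an added example and is not part of this message or of any Marine Corps tool. It shows how an organization could audit, and optionally apply, the CLO enforcement required by paragraphs 4 and 4.i: in Active Directory, CLO enforcement is the "Smart card is required for interactive logon" flag (userAccountControl bit 0x40000, UF_SMARTCARD_REQUIRED) on the account. The script assumes the ActiveDirectory RSAT module is installed and run with rights to read and modify user accounts; the privileged group list and the service-account OU used to skip NPE accounts (exempt under paragraph 4.f) are assumptions that must be adjusted to the local domain.

```powershell
# Added example (not from MARADMIN 185/16): report, and optionally enforce,
# Cryptographic Log-On (CLO) on Active Directory user accounts.
# CLO enforced == "Smart card is required for interactive logon" flag set,
# i.e. userAccountControl bit 0x40000 (UF_SMARTCARD_REQUIRED).
# Assumptions (not from the message): ActiveDirectory RSAT module present;
# $PrivilegedGroups lists the groups that define privileged accounts locally;
# NPE/service accounts live under $ServiceAccountOU and are exempt (para 4.f).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase = (Get-ADDomain).DistinguishedName,
    [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators'),
    [string]$ServiceAccountOU = 'OU=Service Accounts,DC=example,DC=mil',   # assumed OU
    [switch]$Enforce,
    [string]$ReportPath = ".\clo-report-$(Get-Date -Format yyyyMMdd).csv"
)

Import-Module ActiveDirectory -ErrorAction Stop

$UF_SMARTCARD_REQUIRED = 0x40000

# Resolve privileged account names recursively through nested group membership.
$privileged = @{}
foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $privileged[$_.SamAccountName] = $true }
}

# Only enabled accounts count; disabled ones cannot log on interactively anyway.
$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
            -Properties userAccountControl, DistinguishedName

$report = foreach ($u in $users) {
    # Skip NPE/service accounts (exempt under para 4.f) instead of flagging them.
    if ($u.DistinguishedName -like "*,$ServiceAccountOU") { continue }

    $cloEnforced = ($u.userAccountControl -band $UF_SMARTCARD_REQUIRED) -ne 0
    $role = if ($privileged.ContainsKey($u.SamAccountName)) { 'Privileged' } else { 'AuthorizedUser' }

    # With -Enforce, set the flag; -WhatIf shows what would change without touching AD.
    if (-not $cloEnforced -and $Enforce -and
        $PSCmdlet.ShouldProcess($u.SamAccountName, 'Set SmartcardLogonRequired')) {
        Set-ADUser -Identity $u -SmartcardLogonRequired $true
        $cloEnforced = $true
    }

    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        Role           = $role
        CLOEnforced    = $cloEnforced
        DN             = $u.DistinguishedName
    }
}

$report | Export-Csv -Path $ReportPath -NoTypeInformation

# Scorecard-style summary per role, then the accounts still lacking CLO.
$report | Group-Object Role | ForEach-Object {
    $ok = @($_.Group | Where-Object CLOEnforced).Count
    '{0}: {1}/{2} CLO enforced' -f $_.Name, $ok, $_.Count
}
$report | Where-Object { -not $_.CLOEnforced } | Select-Object SamAccountName, Role, DN
```

Run it without -Enforce first to get the inventory the monthly scorecard needs, then with -Enforce -WhatIf to preview changes. Two practitioner caveats: when the smart card flag is set, Windows replaces the account's password with a random value, so an account that has no smart card certificate mapped to it is locked out the moment the flag is applied; and an account whose smart card flag is set by this script still needs the CLO-only application check in paragraph 4.i, which this script does not perform.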
5. NLT 15 April 2016, all organizations in possession of systems and items within the categories listed in paragraphs 4.a through 4.i shall submit or confirm waivers and requests for exemption, with justification, a Plan of Action and Milestones (POA&M) for estimated full compliance, and a timeline for CLO enforcement, to the Authorizing Official (AO) for approval and signature via MARFORCYBER.
6. NLT 25 April 2016, MARFORCYBER will begin to enforce smart card authentication for interactive CLO for authorized user and privileged accounts on networks across the MCEN-N, MCEN-L, and MCEN-S. MARFORCYBER will issue appropriate directives with additional information on these processes. MARFORCYBER and C4 inspections or readiness visits (e.g., Pre-Command Cyber Readiness Inspections, monthly White Team reviews, and Cyber Readiness Visits) will assess CLO enforcement.
7. NLT 01 May 2016, Marine Corps Systems Command (MCSC) will ensure forest certificates are installed on the Marine Corps Enterprise Desktop Standardization (MCEDS) images in order to enable implementation of an Alternate Token Domain Join solution as described in Ref B.
8. NLT 01 June 2016, MCSC will publish direction for implementing the Local Admin Password Solution (LAPS) in Windows as described in Ref B.
9. This message updates and clarifies Ref B.
10. Release authorized by BGen D. A. Crall, Director, Command, Control, Communications, and Computers (C4) Department/ Deputy Department of the Navy Chief Information Officer Marine Corps.//