Title: CAC/PKI Current Initiatives and the Road Ahead (Ms. Tracy Traylor, Chief, IA Programs Directorate/CAC PKI)

Slide 1: Track 1 Session 5, Information Assurance, Army
CAC/PKI Current Initiatives and the Road Ahead
Ms. Tracy Traylor, Chief, IA Programs Directorate/CAC PKI
tracy.traylor@us.army.mil
Slide 2: Purpose
- To provide a brief overview of Army CAC/PKI projects
Slide 3: Agenda
- HSPD-12 / FIPS 201
- CAC Cryptographic Logon (CCL)
- Alternate Smart Card Logon (ASCL)
- JTF-GNO Phases 2 & 3
- Signing & Encrypting
- Contractor Verification System (CVS)
- PK-Enabled Desktops
- Two-way Wireless Email Devices (TWEDs)
- PKI Analysis of Alternatives (AoA)
- PKE Waivers
- Coming Soon
Slide 4: Threat
6,000,000
"CCL implementation across DoD has resulted in a 46% reduction in successful NIPRNet intrusions." - Lt Gen Croom
Slide 5: HSPD-12 / FIPS 201
- Replaces DoDD 8190.3 as CAC governing directive
- Implementation
  - Current CAC: Personal Identity Verification PIV-I card
  - Next generation CAC: PIV-II card
  - Phased issuance 2007-2010
- Issues
  - Pre-hire policy for new employees
  - Review of background investigations for current CAC population for compliance with FIPS 201 requirements
Slide 6: CAC Cryptographic Logon (CCL)
- JTF-GNO CTO 06-02 required Smart Card Logon (SCL)
- Over 95% of Army NIPRNet user accounts CAC-enabled
- Plan of Action and Milestones - deficient organizations
- Issues
  - Remote access solutions
  - Students

Slide 7: https://informationassurance.us.army.mil/
Slide 8: Alternate Smart Card Logon (ASCL)
- ASCL Token augments CCL for System Administrators (SAs)
  - Approximately 15,000 (7-11 mo. minimum)
- Army Registration Authority (RA) office issuing tokens
  - Trusted Agents liaison between the RA and ASCL end user
- ASCL token is valid for 2 years
- SAs will use their CAC to log on to their user account
Slide 9: ASCL (Continued)
- Temporary program (3-4 years)
  - Until Microsoft Vista Client operating system and Longhorn server
- ASCL target population after SA issuance
  - Non-CAC holders
  - Dual roles (Reservist/GS Civilian/contractor)
- Resetting PINs
  - Army RA Office provides unlock code to TA or TASM
- ASCL CONOPS, SOP, TA, and User Guide on AKO
  - https://www.us.army.mil/suite/folder/6250680

Slide 10: https://informationassurance.us.army.mil/
Slide 11: JTF-GNO Phases 2 & 3: What Can We Expect?
- Phase 2 - WARNORD Aug (?), CTO Sep (?)
  - User-Based Enforcement
  - Digital Signing & Encrypting of email
  - Identify accounts still using username/password
  - Enhanced Security Awareness Training
- Phase 3 - TBD 08
  - Address non-CAC holders
  - Applications
  - Multi-function devices
Note: The Phase 2 WARNORD had NOT been released before this briefing was finalized.
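The Phase 2 task "identify accounts still using username/password" is an Active Directory query: enabled user objects whose userAccountControl lacks the SMARTCARD_REQUIRED bit. The script below is an added example, not part of the briefing or any Army tool; it assumes the ActiveDirectory PowerShell module (RSAT) and read access to the domain, and the output file name is a constructed placeholder.

```powershell
# Added example (not from the briefing): list enabled AD user accounts that do not
# have "Smart card is required for interactive logon" set, i.e. the accounts that
# user-based CCL enforcement would still find logging on with username/password.
# Assumes: Import-Module ActiveDirectory has succeeded and the caller can read the domain.

function Get-PasswordLogonAccounts {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,   # OU to audit; default: whole domain
        [string]$ReportPath = ".\ccl-noncompliant.csv"             # constructed output path
    )

    # userAccountControl bit values (documented Microsoft flags)
    $ACCOUNTDISABLE     = 2
    $SMARTCARD_REQUIRED = 262144   # 0x40000
    $bitAnd = '1.2.840.113556.1.4.803'   # LDAP_MATCHING_RULE_BIT_AND

    # Enabled user objects whose SMARTCARD_REQUIRED flag is clear
    $ldap = "(&(objectCategory=person)(objectClass=user)" +
            "(!(userAccountControl:$bitAnd:=$ACCOUNTDISABLE))" +
            "(!(userAccountControl:$bitAnd:=$SMARTCARD_REQUIRED)))"

    $accounts = Get-ADUser -LDAPFilter $ldap -SearchBase $SearchBase `
        -Properties SamAccountName, DistinguishedName, LastLogonDate, PasswordLastSet, userAccountControl |
        Select-Object SamAccountName, DistinguishedName, LastLogonDate, PasswordLastSet,
            @{ n = 'SmartcardRequired'; e = { ($_.userAccountControl -band $SMARTCARD_REQUIRED) -ne 0 } }

    # Persist the list so it can feed the Plan of Action and Milestones for deficient organizations
    $accounts | Export-Csv -Path $ReportPath -NoTypeInformation
    return $accounts
}

# Usage: show the most recently active non-compliant accounts first, then the total
$noncompliant = Get-PasswordLogonAccounts
$noncompliant | Sort-Object LastLogonDate -Descending | Format-Table -AutoSize
"{0} enabled accounts still allow username/password logon" -f @($noncompliant).Count
```

Filtering on the userAccountControl bit with the LDAP bitwise-AND matching rule is done server-side, so the query scales to large domains; pass -SearchBase to scope the audit to one organization's OU.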
Slide 12: Signing & Encrypting
- Best Business Practice (BBP)
  - When and why to sign
  - When and why to encrypt
  - Special rules for GOs/SESs
  - Organizational email accounts
  - Key Recovery procedures
- Includes link to online training module
- Publish certificates to the GAL
- PKI 101
- Signing & Encrypting

Slide 13: https://informationassurance.us.army.mil/

Slide 14: Signing & Encrypting
Slide 15: Contractor Verification System (CVS)
- OUSD(P&R) Initiative, 10 Nov 05
  - Lockdown of DEERS/RAPIDS to all but an authoritative feed
  - Web-based process to automate 1172-2 (Contractor CAC Issuance)
- Army CVS Implementation - Sep 05 thru 31 Jul 07
  - 83% of the Army is CVS ready
- Policy Lock Down occurred 31 Mar 07
  - Contractors only get CAC via CVS process
  - Waivers must be requested
- CVS Lead transferred to HRC DEERS/RAPIDS Project Office
  - Bob Eves 703-325-0378; Daphne Jackson 703-325-TBD
- AKO: https://www.us.army.mil/suite/collaboration/folder_V.do?foid=961032&load=true
Slide 16: PK-Enabled Desktops
- Middleware
  - ActivClient Enterprise License Agreement (ELA)
  - Migrate from ActivCard 3.0 or NetSign 5.5 to ActivClient 6.0
  - Required to meet HSPD-12, FIPS 201, and PIV II standards
  - Unlimited use of ActivClient middleware
  - Middleware for home use is a local decision
  - IT support for home use is a local responsibility
- Online Certificate Status Protocol (OCSP)
  - Preferred solution for Certificate Validation (CV)
  - Army currently using DISA's RCVS OCSP nodes
  - Army OCSP fielding at the APCs this fall
  - Tumbleweed OCSP client on domain controllers and desktops
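To see what an OCSP-based certificate validation client is doing on a PK-enabled desktop, the script below builds the chain for each certificate in the user's personal store with the Windows chain engine set to fetch revocation status online (OCSP from the certificate's AIA extension, with CRL fallback) rather than relying on a local cache. This is an added example, not code from the briefing, Tumbleweed, or DISA; it assumes the CAC is inserted, the middleware has propagated its certificates to Cert:\CurrentUser\My, and the OCSP/CRL URLs are reachable from the workstation.

```powershell
# Added example (not from the briefing): validate each CAC certificate in the user's
# personal store with online revocation checking and report any revocation finding.
# Assumes: CAC inserted, middleware has propagated certs to Cert:\CurrentUser\My,
# and the responder/CRL URLs in the certificates are reachable.

function Test-CacCertificateRevocation {
    param(
        [int]$TimeoutSeconds = 15,
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Online: query the responder/CRL now instead of trusting cached status
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        # Check every certificate in the path, not only the end-entity certificate
        $chain.ChainPolicy.RevocationFlag =
            [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds($TimeoutSeconds)

        $ok = $chain.Build($cert)
        # ChainStatus is empty on success; otherwise it lists each failed check
        # (Revoked, RevocationStatusUnknown, OfflineRevocation, NotTimeValid, ...)
        $problems = $chain.ChainStatus |
            ForEach-Object { '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim() }

        [pscustomobject]@{
            Subject         = $cert.Subject
            Thumbprint      = $cert.Thumbprint
            NotAfter        = $cert.NotAfter
            ChainValid      = $ok
            RevocationIssue = [bool]($chain.ChainStatus | Where-Object { $_.Status -match 'Revo' })
            Details         = ($problems -join '; ')
        }
        $chain.Reset()
    }
}

# Usage: run on a PK-enabled desktop with the CAC inserted
Test-CacCertificateRevocation | Format-List
```

A result of RevocationStatusUnknown or OfflineRevocation means the chain built but the OCSP responder or CRL could not be reached within the timeout; for a logon-critical workstation that is the condition to alarm on, since it is the difference between "this certificate is good" and "nobody could tell".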
Slide 17: Two-way Wireless Email Devices (TWEDs)
- New Approved TWED List, 29 Jun
  - Apriva Sensa V1.9 products
  - Apriva BT100-C Universal Bluetooth Smart Card Reader (SCR) for use with BlackBerry and Sensa
- Revised BlackBerry SOP with DISA BB Security Checklist
- Testing Windows Mobile, Palm, and Good Technology
- DISA Wireless STIG/BlackBerry Security Checklist
  - Implementation required by JTF-GNO
  - Requires BES 4.0 or later
Slide 18: PKI Analysis of Alternatives (AoA)
- AoA Objectives
  - Provide the basis for determining the PKI Way Ahead
    - Status Quo/Enhanced Status Quo
    - HSPD-12/FIPS 201
    - Tactical Austere Environment
    - SIPRNet
  - Select the most viable PKI alternatives to support efficient enterprise business and mission processes
- AoA Timelines
  - AoA conducted Jul 06 - Feb 07
  - PAE Evaluation Mar - Aug 07
  - Begin Increment 2/PKI Capabilities FY 08 (based on availability of funding)

Slide 19: AoA Study Teams

Slide 20: PKI AoA Preferred Alternative
Slide 21: PKE Waivers
- PKE Systems and Business Process Applications
  - PKE Self Assessment Questionnaire
  - PMs and application owners
  - Requirements and PKE prioritization support
- PKE Waiver Process
  - IAW DoDI 8520.2
  - In preliminary planning stage
  - Will build upon existing CCL Waiver process
  - Questionnaires, templates, waiver submission forms, FAQs, planning docs
  - CCL Waivers first
Slide 22: Army CCL Waiver Process
- CCL Waiver Submission process in place
- Waivers are temporary, 1-year timeframe
- Three primary consideration factors for approval
  - Legacy system to be replaced near-term by CCL-enabled system
  - Anticipated cost of enabling
  - Other undue hardships
- First CAC Waiver Review Board Aug 07
Slide 23: Coming Soon
- CACs for Foreign Nationals
  - USD(P&R) Memo signed on 9 Mar
  - Implementing guidance expected soon
- CACs for Volunteers
  - Reduce non-CAC holders on NIPRNet
- CAC PIN Reset (CPR) Version 2.0
  - Pending Networthiness certification
Slide 24: 6 Phases of a Project
- Punishment of the Innocent
- Honors & Awards for the Non-Participants
Slide 26: Contact Information
1. Army CAC/PKI
   - Hours of Operation: M-F 0730-1630 EST
   - Toll Free 1-866-738-3222 (CONUS); Local 703-602-7514 / DSN 332
   - Army CAC/PKI Group Email: army.cac.pki@us.army.mil
2. IA CAC/PKI
   - Website: https://informationassurance.us.army.mil
   - Email: iacacpki.helpdesk@us.army.mil
3. Alternate Smart Card Logon (US Army Registration Authority)
   - Website: https://www.us.army.mil/suite/portal.do?p326196vb1
   - Email: Army.ra@us.army.mil