Ms. Tracy Traylor, Chief, IA Programs Directorate/CAC PKI, tracy.traylor_at_us.army.mil - PowerPoint PPT Presentation

Description:

Track 1: Session 5. Information Assurance. Army CAC/PKI. Current ... Apriva Sensa V1.9 products. Apriva BT100-C Universal Bluetooth Smart Card Reader (SCR) for ... – PowerPoint PPT presentation

Slides: 27
Provided by: silvanawa

Transcript and Presenter's Notes

1
Track 1: Session 5. Information Assurance
Army CAC/PKI: Current Initiatives and the Road Ahead
Ms. Tracy Traylor, Chief, IA Programs Directorate/CAC PKI
tracy.traylor_at_us.army.mil
2
Purpose
  • To provide a brief overview of Army CAC/PKI
    projects

3
Agenda
  • HSPD-12 / FIPS 201
  • CAC Cryptographic Logon (CCL)
  • Alternate Smart Card Logon (ASCL)
  • JTF-GNO Phases 2 & 3
  • Signing & Encrypting
  • Contractor Verification System (CVS)
  • PK-Enabled Desktops
  • Two-way Wireless Email Devices (TWEDs)
  • PKI Analysis of Alternatives (AoA)
  • PKE Waivers
  • Coming Soon

4
Threat
6,000,000
CCL implementation across DoD has resulted in a
46% reduction in successful NIPRNet intrusions.
Lt Gen Croom
5
HSPD-12 / FIPS 201
  • Replaces DoDD 8190.3 as CAC governing directive
  • Implementation
  • Current CAC Personal Identity Verification
    PIV-I card
  • Next generation CAC PIV-II card
  • Phased issuance 2007-2010
  • Issues
  • Pre-hire policy for new employees
  • Review of background investigations for current
    CAC population for compliance with FIPS 201
    requirements

6
CAC Cryptographic Logon (CCL)
  • JTF-GNO CTO 06-02 required Smart Card Logon (SCL)
  • Over 95% of Army NIPRNet user accounts
    CAC-enabled
  • Plan of Action and Milestones - deficient
    organizations
  • Issues
  • Remote access solutions
  • Students

7
https://informationassurance.us.army.mil/
8
Alternate Smart Card Logon (ASCL)
  • ASCL Token augments CCL for System Administrators
    (SAs)
  • Approximately 15,000 (7 - 11 mo. minimum)
  • Army Registration Authority (RA) office issuing
    tokens
  • Trusted Agents liaison between the RA and ASCL
    end user
  • ASCL token is valid for 2 years
  • SAs will use their CAC to log on to their user
    account

9
ASCL (Continued)
  • Temporary program (3-4 years)
  • Until Microsoft Vista Client operating system and
    Longhorn server
  • ASCL target population after SA issuance
  • Non-CAC holders
  • Dual roles (Reservist/GS Civilian/contractor)
  • Resetting PINs
  • Army RA Office provides unlock code to TA or TASM
  • ASCL CONOPS, SOP, TA, and User Guide on AKO
  • https://www.us.army.mil/suite/folder/6250680

10
https://informationassurance.us.army.mil/
11
JTF-GNO Phases 2 & 3: What Can We Expect?
  • Phase 2 - WARNORD Aug (?) CTO Sep (?)
  • User-Based Enforcement
  • Digital Signing & Encrypting of email
  • Identify accounts still using username/password
  • Enhanced Security Awareness Training
  • Phase 3 - TBD 08
  • Address non-CAC holders
  • Applications
  • Multi-function devices

Note: The Phase 2 WARNORD had NOT been released before this briefing was finalized.
12
Signing & Encrypting
  • Best Business Practice (BBP)
  • When and why to sign
  • When and why to encrypt
  • Special rules for GOs/SESs
  • Organizational email accounts
  • Key Recovery procedures
  • Includes link to online training module
  • Publish certificates to the GAL
  • PKI 101
  • Signing & Encrypting

13
https://informationassurance.us.army.mil/
14
Signing & Encrypting
15
Contractor Verification System (CVS)
  • OUSD(P&R) Initiative, 10 Nov 05
  • Lockdown of DEERS/RAPIDS to all but an
    authoritative feed
  • Web-based process to automate 1172-2 (Contractor
    CAC Issuance)
  • Army CVS Implementation - Sep 05 thru 31 Jul 07
  • 83% of the Army is CVS ready
  • Policy Lock Down occurred 31 Mar 07
  • Contractors only get CAC via CVS process
  • Waivers must be requested
  • CVS Lead transferred to HRC DEERS/RAPIDS Project
    Office
  • Bob Eves 703-325-0378 Daphne Jackson 703-325-TBD
  • AKO - https://www.us.army.mil/suite/collaboration/folder_V.do?foid961032loadtrue

16
PK-Enabled Desktops
  • Middleware
  • ActivClient Enterprise License Agreement (ELA)
  • Migrate from ActivCard 3.0 or NetSign 5.5 to
    ActivClient 6.0
  • Required to meet HSPD-12, FIPS 201, and PIV II
    standards
  • Unlimited use of ActivClient middleware
  • Middleware for home use is local decision
  • IT support for home use - local responsibility
  • Online Certificate Status Protocol (OCSP)
  • Preferred solution for Certificate Validation
    (CV)
  • Army currently using DISA's RCVS OCSP nodes
  • Army OCSP fielding at the APCs this fall
  • Tumbleweed OCSP client: domain controllers and
    desktops

17
Two-way Wireless Email Devices (TWEDs)
  • New Approved TWED List 29 Jun
  • Apriva Sensa V1.9 products
  • Apriva BT100-C Universal Bluetooth Smart Card
    Reader (SCR) for use with BlackBerry and Sensa
  • Revised BlackBerry SOP with DISA BB Security
    Checklist
  • Testing Windows Mobile, Palm, and Good Technology
  • DISA Wireless STIG/BlackBerry Security Checklist
  • Implementation required by JTF-GNO
  • Requires BES 4.0 or later

18
PKI Analysis of Alternatives (AoA)
  • AoA Objectives
  • Provide the basis for determining the PKI Way
    Ahead
  • Status Quo/Enhanced Status Quo
  • HSPD-12/FIPS 201
  • Tactical Austere Environment
  • SIPRNet
  • Select the most viable PKI alternatives to
    support efficient enterprise business and mission
    processes
  • AoA Timelines
  • AoA conducted Jul 06 - Feb 07
  • PAE Evaluation Mar - Aug 07
  • Begin Increment 2/PKI Capabilities FY 08 (based
    on availability of funding)

19
AoA Study Teams
20
PKI AoA Preferred Alternative
21
PKE Waivers
  • PKE Systems and Business Process Applications
  • PKE Self Assessment Questionnaire
  • PMs and application owners
  • Requirements and PKE prioritization support
  • PKE Waiver Process
  • IAW DoDI 8520.2
  • In preliminary planning stage
  • Will build upon existing CCL Waiver process
  • Questionnaires, templates, waiver submission
    forms, FAQs, planning docs
  • CCL Waivers first

22
Army CCL Waiver Process
  • CCL Waiver Submission process in place
  • Waivers are temporary - 1-year timeframe
  • Three primary consideration factors for approval
  • Legacy system to be replaced near-term by CCL
    enabled system
  • Anticipated cost of enabling
  • Other undue hardships
  • First CAC Waiver Review Board Aug 07

23
Coming Soon
  • CACs for Foreign Nationals
  • USD(P&R) Memo signed on 9 Mar
  • Implementing guidance expected soon
  • CACs for Volunteers
  • Reduce non-CAC holders on NIPRNet
  • CAC PIN Reset (CPR) Version 2.0
  • Pending Networthiness certification

24
6 Phases of a Project
  • Enthusiasm
  • Disillusionment
  • Panic
  • Search for the Guilty
  • Punishment of the Innocent
  • Honors & Awards for the Non-Participants

25
  • Questions?

26
Contact Information
  • Army CAC/PKI Hours of Operation: M-F
    0730-1630 EST
  • Toll Free: 1-866-738-3222 (CONUS), Local:
    703-602-7514/DSN 332
  • Army CAC/PKI Group Email: army.cac.pki_at_us.army.mil

2. IA CAC/PKI
   Website: https://informationassurance.us.army.mil
   Email: iacacpki.helpdesk_at_us.army.mil
3. Alternate Smart Card Logon (US Army Registration Authority)
   Website: https://www.us.army.mil/suite/portal.do?p326196 vb1
   Email: Army.ra_at_us.army.mil