
PKI and PKE Policies

*PKI = DoD PKI Certificate Required
 

 DISA Guidance

 
 

 DoD Certificate Policies

 
The Committee on National Security Systems Instruction (CNSSI) No. 1300, "Instruction for National Security Systems (NSS) Public Key Infrastructure (PKI) X.509 Certificate Policy, Under CNSS Policy No. 25," states the requirements for issuing and managing certificates that Relying Parties can use in deciding what assurance they can place in a certificate issued by an NSS PKI CA. (LINK to PDF Download)
 
This Certification Practice Statement (CPS) covers the operation of PKI Online Certificate Status Protocol (OCSP) Responders that are operated by the Defense Information Systems Agency (DISA) to provide DoD Enterprise-wide PKI certificate validation services. (PDF Download) Date: 02/11/2017 | Size: 878 KB
DoD PKI Registration Authority/Local Registration Authority Certification Practice Statement *PKI
 
This Certification Practice Statement (CPS) defines the practices, policies and procedures under which the DoD Registration Authorities (RAs) and Local Registration Authorities (LRAs) operate. It also specifies security, nomination and credential issuance procedures for Non-Person Entity (NPE) Verifying Officials (NVOs). (PDF Download) Date: 06/14/2017 | Size: 1.03 MB
 
This document contains the DoD Certification Practice Statement (CPS) for the Second Layer of Certification Authorities (CAs). (PDF Download) Date: 06/14/2017 | Size: 1.46 MB
The purpose of this document is to describe the security and authentication requirements to implement key recovery operation for the External Certificate Authorities (ECAs). (PDF Download) Date: 06/04/2003 | Size: 467 KB
NSS PKI CSP Registration Practice Statement v1.2 *PKI
This Registration Practice Statement (RPS) defines the practices, policies and procedures under which the National Security Systems (NSS) Public Key Infrastructure (PKI) Common Service Provider (CSP) Registration Authorities (RAs) operate. It also specifies security, nomination and credential issuance procedures for Non-Person Entity (NPE) Verifying Officials (NVOs) under the Common Service Providers. (PDF Download) Date: 12/11/2015 | Size: 621 KB
NSS PKI DoD and CSP Subordinate Certification Authority System Certification Practice Statement *PKI
This document defines the practices and procedures under which the United States (US) Department of Defense (DoD) National Security Systems (NSS) Public Key Infrastructure (PKI) Subordinate Certification Authority Systems (CAS) operate. (PDF Download) Date: 06/21/2017 | Size: 1.41 MB
This RPS applies to all Registration Authorities (RA) from the CC/S/A that participate in the issuance process for all certificates issued under the DoD NSS PKI. This RPS also applies to the individuals responsible for these certificates, persons operating an RA System, and Trusted Agents (TAs) appointed by an RA Officer operating under this RPS. (PDF Download) Date: 12/19/2014 | Size: 958 KB
United States Department of Defense External Certification Authority X.509 Certificate Policy
 
This Certificate Policy (CP) governs the operation of the ECA Public Key Infrastructure (PKI), consisting of products and services that provide and manage X.509 certificates for public-key cryptography. The United States (US) DoD has established the External Certification Authority (ECA) program to support the issuance of DoD-approved certificates to industry partners and other external entities and organizations. The ECA program is designed to provide the mechanism for these entities to securely communicate with the DoD and authenticate to DoD Information Systems. (PDF Download) Date: 01/10/2015 | Size: 1,232 KB
The S-Interoperability Certificate Policy outlines the policy for the secret level multi-domain Public Key Infrastructure created by the S-Interop Root CA and defines the procedures for the approval and issuance of cross-certificates to member Certification Authorities. (PDF Download) Date: 01/05/2012 | Size: 449 KB
The United States Department of Defense Certificate Policy (CP) is the unified policy under which a Certification Authority (CA) operated by a DoD component is established and operates. This document defines the creation and management of Version 3 X.509 public key certificates for use in applications requiring communication between networked computer-based systems. (PDF Download) Date: 01/23/2013 | Size: 894 KB
 

 DoD Instructions & Memorandums

 
 
DoDI 8520.02 is a re-release of DoDI 8520.2 that establishes the availability of the Coalition PKI for Combatant Commands (COCOMS), refers to the SIPRNET PKI that will be transitioned to operate under Committee for National Security Systems (CNSS) authority, provides specific guidance on issuance of alternate logon tokens (ALTs) to Flag-level officers or Senior Executives, and incorporates the DoD CIO "Approval of External PKIs" memorandum (circa July 2008) into the instruction. It also contains two other major changes. The first is that all policy related to authentication requirements has been moved to DoDI 8520.03. The second major change impacts pursuing waivers to DoDI 8520.02. Previously, Component CIOs had the authority to approve waivers to the instruction.
 
DoDI 8520.03 is a new instruction that requires that all authentications of users be conducted with an appropriate credential that is approved for use by a DoD authority and has been verified as active (not revoked) and not expired by the credential issuing authority. It defines four levels of data sensitivity granularity for sensitive but unclassified information, and three levels of data sensitivity granularity for Secret or Confidential information. It then provides specific requirements for authentication credentials based on these levels of sensitivity. Policy related to authentication requirements was previously found in DoDI 8520.2, which has been obsoleted by DoDI 8520.02.
DoD Instruction 8520.03, Identity Authentication for Information Systems (Web Link)
DoD Memorandum - Department of Defense Acceptance and Use of Personal Identity Verification-Interoperable (PIV-I) Credentials
This DoD Memorandum permits acceptance of PIV-I credentials for authentication and access when DoD relying parties, installation commanders, and facility coordinators determine that granting access is appropriate and the appropriate vetting requirements are met. (PDF Download) Date: 06/28/2012 | Size: 663 KB
DoD Memorandum - Department of Defense Requirements for Accepting Non-Federally Issued Identity Credentials
This DoD Memorandum provides Federal Government Guidance on acceptance and use of Non-Federal Issuer (NFI) identity credentials and specific DoD policies and practices for accepting credentials for logical access to DoD applications and websites. (PDF Download) Date: 03/04/2013 | Size: 2,465 KB
This DoD Memorandum provides instructions for the issuance and use of Non-Person Entity (NPE) PKI certificates for devices both within and outside of key terrain. (PDF Download) Date: 05/10/2013 | Size: 461 KB
 

 Federal PKI Certificate Policies

 
X.509 Certificate Policy for the Federal Bridge Certification Authority (FBCA)
This Certificate Policy (CP) defines ten certificate policies for use by the Federal Bridge Certification Authority (FBCA) to facilitate interoperability between the FBCA and other Entity PKI domains. The FBCA enables interoperability among Entity PKI domains in a peer-to-peer fashion. The FBCA issues certificates only to those CAs designated by the Entity operating that PKI (called Principal CAs). The DoD Interoperability Root Certificate Authority (IRCA) is one such Principal CA.
 

 Federal Policy & Guidance

 
FIPS PUB 140-2 specifies the security requirements that will be satisfied by a cryptographic module utilized within a security system protecting sensitive but unclassified information in computer and telecommunication systems.
FIPS PUB 140-2, Security Requirements for Cryptographic Modules (Download Link)
 
FIPS PUB 201 specifies Personal Identity Verification (PIV) requirements for Federal employees and contractors. This standard specifies a PIV system within which a common identity credential can be created and later used to verify a claimed identity.
FIPS PUB 201, Personal Identity Verification (PIV) of Federal Employees and Contractors (Download Link)
HSPD 12 is a presidential directive requiring all Federal Executive Departments and Agencies to implement a government-wide standard for secure and reliable forms of identification for employees and contractors, for access to Federal facilities and information systems.
HSPD-12, Policy for a Common Identification Standard for Federal Employees and Contractors (Download Link)
NIST SP 800-63 provides technical guidelines to federal agencies implementing digital identity services on topics related to identity proofing and authentication of users.
NIST SP 800-63, Digital Identity Guidelines (Download Link)
NIST SP 800-78-4 specifies the cryptographic algorithms and key sizes for PIV systems and is a companion document to FIPS 201.
NIST SP 800-78-4, Cryptographic Algorithms and Key Sizes for PIV (Download Link)
OMB M-04-04 requires agencies to review new and existing electronic transactions to ensure that authentication processes provide the appropriate level of assurance. It establishes and describes four levels of identity assurance for electronic transactions requiring authentication.
OMB Memorandum 04-04, E-Authentication Guidance for Federal Agencies (Download Link)
OMB Memorandum 11-11, Continued Implementation of HSPD-12
OMB M-11-11 requires that all federal agencies continue implementing the requirements outlined in Homeland Security Presidential Directive (HSPD) 12 to enable agency-wide use of the Personal Identity Verification (PIV) card. This includes enabling agency IT systems, applications, and facilities to be capable of using the PIV card as the mechanism for granting user access.
OMB M-11-11, Continued Implementation of HSPD-12 (Download Link)
This OMB Memorandum requires agencies to begin leveraging externally-issued credentials, in addition to continuing to offer federally-issued credentials. The use of externally-issued credentials (i.e., those that have been issued by an entity other than the federal government) will decrease the burden on users of government information systems and reduce costs associated with managing credentials.
OMB's Requirements for Accepting Externally-Issued Identity Credentials (Download Link)
 

 Relevant Links

 
The official DoD web site for DoD Issuances including Directives, Instructions and Memos.
DOD Issuances (Link)
 

 US Cyber Command Orders & Directives

 
US Cyber Command Orders and Directives links page.
US Cyber Command Orders and Directives (Web Link)