
DoD Instruction 8520.02, May 24, 2011


ENCLOSURE 1. REFERENCES

(a) DoD Instruction 8520.2, “Public Key Infrastructure (PKI) and Public Key (PK) Enabling,”


Transcription of DoD Instruction 8520.02, May 24, 2011

Department of Defense Instruction

NUMBER (omitted in transcription), May 24, 2011

ASD(NII)/DoD CIO

SUBJECT: Public Key Infrastructure (PKI) and Public Key (PK) Enabling

References: See Enclosure 1

1. PURPOSE. This Instruction:

a. Reissues DoD Instruction (DoDI) (Reference (a)) in accordance with the authority in DoD Directive (DoDD) (Reference (b)) to establish and implement policy, assign responsibilities, and prescribe procedures for developing and implementing a DoD-wide PKI and enhancing the security of DoD information systems by enabling these systems to use PKI for authentication, digital signatures, and encryption.

b. Prescribes DoD PKI and PK-enabling activities consistent with the policy established in DoDD (Reference (c)) and DoDI (Reference (d)).

c. Supplements the implementing guidance provided in DoDI (Reference (e)).

d. Prescribes DoD PKI activities on the Secret Internet Protocol Router Network (SIPRNET) consistent with requirements stated in References (c) and (e).

e. Incorporates and cancels DoDD and Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer (ASD(NII)/DoD CIO) memorandums (References (f), (g), and (h), respectively).

2. APPLICABILITY

a. This Instruction applies to:

(1) OSD, the Military Departments, the Office of the Chairman of the Joint Chiefs of Staff and the Joint Staff, the Combatant Commands, the Office of the Inspector General of the Department of Defense, the Defense Agencies, the DoD Field Activities, and all other organizational entities within the DoD (hereinafter referred to collectively as the DoD Components).

(2) All unclassified and classified DoD information systems and networks (e.g., Non-classified Internet Protocol Router Network (NIPRNET), SIPRNET, Defense Research and Engineering Network (DREN), Secret Defense Research and Engineering Network (SDREN)), web servers, and e-mail systems.

(3) All users accessing unclassified and classified DoD information systems (e.g., DoD web-based systems, DoD websites, DoD web servers) and networks (e.g., NIPRNET, SIPRNET, DREN, SDREN).

b. This Instruction does NOT apply to sensitive compartmented information and other information systems operated within the DoD that fall under the authority of the Director of National Intelligence in accordance with Intelligence Community Directive 503 (Reference (i)). This Instruction also does not apply to Top Secret collateral systems, special access programs, and stand-alone networks with no connection to the Global Information Grid (GIG).

3. DEFINITIONS. See Glossary.

4. POLICY. It is DoD policy that:

a. The DoD shall implement a DoD-wide PKI to maintain the certificate lifecycle, including, but not limited to, issuance, suspension, and revocation. The DoD shall issue certificates to DoD PKI Certificate Eligible Users in accordance with United States Department of Defense Certificate Policy (Reference (j)). The DoD PKI also shall support requirements for group, role, information systems, device, and code signing certificates. The DoD PKI shall provide first and third party key recovery for private keys associated with encryption certificates.

b. The DoD shall enable DoD information systems to use PKI for digital signature and encryption as specified in this Instruction. The DoD shall enable DoD information systems to use DoD-approved PKIs for authentication in accordance with DoDI (Reference (k)).

c. The DoD shall only rely on certificates that are issued by the DoD PKI or by a DoD-approved PKI for authentication, digital signature, or encryption. External PKIs are approved for use by the ASD(NII)/DoD CIO. The process for recommending approval for external PKIs is outlined in the DoD External Interoperability Plan (Reference (l)). DoD mission partners shall use certificates issued by the DoD External Certification Authority (ECA) program or a DoD-approved PKI when interacting with the DoD in unclassified domains. DoD ECA PKI and External PKI certificates are not used in the DoD classified domain.

d. The DoD shall establish and maintain a cross certification with the Federal PKI to comply with Federal Information Processing Standards Publication 201-1 (Reference (m)). The DoD shall facilitate the issuance of any new PKI certificates necessary to comply with Federal or Office of Management and Budget issuances or mandates and be consistent with DoD implementation plans. DoD PKI shall comply with Reference (m) for mandatory certificates issued on the Common Access Card (CAC).

e. PKIs operating under the purview of the DoD (e.g., DoD ECA, DoD Coalition PKI) are approved for use for their intended purpose and environment. The types of external PKIs that can be approved for use in the DoD are described in this Instruction. Implementation and use of DoD-approved PKI certificates for identity authentication is described in Reference (k).

f. DoD digital signers of mobile code shall use DoD-issued code-signing certificates to allow validation of both the integrity of the code and the authenticity of its source in accordance with DoDI (Reference (n)).

5. RESPONSIBILITIES. See Enclosure 2.

6. PROCEDURES. See Enclosure 3.

7. RELEASABILITY. UNLIMITED. This Instruction is approved for public release and is available on the Internet from the DoD Issuances Website at

8. EFFECTIVE DATE. This Instruction is effective upon its publication to the DoD Issuances Website.

Teri M. Takai
Principal Deputy Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer

Enclosures
1. References
2. Responsibilities
3. Implementation Procedures
Glossary

TABLE OF CONTENTS

ENCLOSURE 1: REFERENCES
ENCLOSURE 2: RESPONSIBILITIES
  ASD(NII)/DoD CIO
  DIRECTOR, DEFENSE INFORMATION SYSTEMS AGENCY (DISA)
  DIRECTOR, DoD PKI PMO
  DIRECTOR, IDENTITY ASSURANCE AND PKI
  UNDER SECRETARY OF DEFENSE FOR PERSONNEL AND READINESS (USD(P&R))
  CHAIRMAN OF THE JOINT CHIEFS OF STAFF
  HEADS OF THE OSD AND DoD COMPONENTS
ENCLOSURE 3: IMPLEMENTING PROCEDURES
  DOD PKI
    Certificate Issuance
    Certificate Types

