DEPARTMENT OF THE NAVYOFFICE OF THE CHIEF OF NAVAL OPERATIONS

2000 NAVY PENTAGONWASHINGTON, DC 20350-2000

IN REPLY REFER TO

OPNAVINST 5239.3AN218 January 2008

OPNAV INSTRUCTION 5239.3A

From: Chief of Naval Operations

Subj: NAVY IMPLEMENTATION OF DEPARTMENT OF DEFENSE INTELLIGENCEINFORMATION SYSTEM (DODIIS) PUBLIC KEY INFRASTRUCTURE(PKI)

Ref: (a)

(b)

(c)

(d)

(e)(f)

(g)(h)

Director of Central Intelligence Directive (DCID)6/3, 5 Jun 99000 Instruction 8500.2, Information Assurance (IA)Implementation, 6 Feb 03DODI 8520.2, Public Key Infrastructure (PKI) andPublic Key (PK) Enabling, 1 Apr 2004DODIIS Security Certification and Accreditation Guide,Apr 01DODIIS-PKI Concept of Operations, 4 Mar 04000 Sensitive Compartmented Information AdministrativeSecurity Manual 000 5105.21-M-1, Aug 98SECNAV M-5510.36, 30 Jun 06DODIIS-PKI Trusted Agent Handbook, 1 Aug 07

Encl: (1) Obtaining a User's DODIIS PKI Certificate

1. Purpose. This instruction:

a. Supports protection requirements for information systemsused within the Intelligence Community (IC) as directed byreferences (a) and (b).

b. Directs the use of 000 Intelligence Information System(DODIIS) Public Key Infrastructure (PKI) as an InformationAssurance (IA) protection safeguard within the Navy by all NavyCommands with access to the Joint World-Wide IntelligenceCommunications System (JWICS). Reference (c) directs the use ofthe 000 PKI as an IA protection safeguard within the Navy by allNavy Commands accessing the Unclassified but Sensitive InternetProtocol Router Network (NIPRNet) or SECRET Internet ProtocolRouter Network (SIPRNet).

OPNAVINST 5329.3A18 January 2008

c. Assigns responsibilities for implementation of DODIIS PKI.

2. Cancellation. OPNAVINST 5239.3 is cancelled.

3. Applicability. This instruction applies to all Navy Commandswith access to JWICS. Marine Corps personnel assigned to thesecommands will be supported in accordance with this instruction.

4. Background: The Director, Defense Intelligence Agency (DIAlis assigned by reference (a) the responsibility for JWICS IAthrough a Certification and Accreditation (C&A) process. Therequirements of this process are detailed in reference (d). Aspart of the specific JWICS IA effort, DIA mandated DODIIS PKIuse on JWICS in reference (e). All DoD personnel who requireJWICS access must possess and use a DODIIS PKI certificate ontheir command's JWICS terminal in order to securely utilize theJWICS environment. Increasingly, JWICS applications are beingPublic Key Enabled (PKE) , requiring users to hold a valid DODIISPKI certificate to obtain specific information accessed throughthe PKE application. Enclosure (1) provides Department of theNavy (DON) JWICS users a general set of steps required to obtaina DODIIS PKI user certificate.

5. Scope. All Navy Commands with access to JWICS will implementthe use of DODIIS PKI certificates for all users and equipmentas specified in reference (d), and as amplified in thisinstruction.

6. Key Definitions

a. Pubic Key Infrastructure (PKI) - An enabling technologythat enhances information systems security by providing a highdegree of assurance of data confidentiality, integrity,authentication, and user identification among users of publickey enabled information systems, including network login, e­mail, and web-based information services.

b. DODIIS Full Service Directory (FSD) - A directory ofverified JWICS users that permits the issuance of a DODIIS PKIcertificate. It is also the repository of JWICS userinformation, including their public key certificates. Thisdirectory is maintained by DIA. The Navy users are entered intothe DODIIS FSD through the automated service directory,maintained by Ground Intelligence Support Activity (GISA), FortBragg, NC.

2

OPNAVINST 5329.3AIB January 200B

c. Special Security Officer (SSO) - An active duty servicemember or DoD civilian at Navy commands handling SCI material,designated in writing by the Commanding Officer who isresponsible for the security management, operation,implementation, use and dissemination of all CommunicationsIntelligence and other types of SCI material within the command.Specific grade requirements for the SSO are detailed inreference (d).

d. Special Security Representative (SSR) - An active dutyservice member or DoD civilian at Navy commands handlingSensitive Compartmented Information (SCI) material, designatedin writing by the Commanding Officer to assist the command's SSOin the security management, operation, implementation, use anddissemination of all Communications Intelligence and other typesof SCI material within the command. Specific grade requirementsfor the SSR are detailed in reference (f).

e. Information Assurance Manager (lAM) - An active dutyservice member or DoD civilian at Navy commands, designated inwriting by the Commanding Officer to be the point of contact forthe command for all command IA matters and implements thecommand's IA program. Appointment of an lAM is required byreference (g).

f. Information Assurance Officer (lAO) - An active dutyservice member or DoD civilian at Navy commands, designated inwriting by the Commanding Officer to be responsible forimplementing and maintaining the command's informationtechnology systems and network security requirements. An lAO isappointed for each information system and network in the commandand is required by reference (g). The lAO supports the lAM.

g. Trusted Agent (TA) - An individual with JWICS accessassigned in writing within a Navy command and locally trained toaccomplish the task of verifying the identity (face-to-face) ofa user requesting a DODIIS PKI certificate. After identityverification the TA can then provide the user with the one-timepersonal identification number (PIN) required for completion ofthe certificate application process. The duties andresponsibilities of the TA are specified in reference (g). Thecommand's SSO or SSR may also accomplish the user identificationverification and issue the PIN.

h. User - A person assigned to a Navy command that has arequirement to access JWICS in the execution of duties andrequires the issuance of a DODIIS PKI certificate.

3

OPNAVINST 5329.3A18 January 2008

7. Responsibilities

a. Office of the Chief of Naval Operations (OPNAV) N2, as theNavy's Senior Official of the Intelligence Community (SOIC):

(1) Coordinate the DON IA requirements for the DON SCIIntelligence program, and the DON portion of the DODIIS with DIAper reference (g).

(2) Promulgate DODIIS PKI policies within the Navy tosupport DIA IA policy and management of JWICS.

(3) Make recommendations to DIA and the Director ofNational Intelligence Chief Information Officer (DNI CIO) asnecessary to incorporate Navy requirements for JWICS use.

(4) Maintain this instruction

b. Office of Naval Intelligence (ONI)

(1) Assist OPNAV N2 through the administration andmanagement of the IA requirements for the DON SCI IntelligenceProgram, and the DON portion of DODIIS and providerecommendations for changes to SCI IA policy for discussion withDIA and ODNI CIO.

(2) Initiate and maintain appropriate service levelagreements with the Army's GISA to host the Navy's FSD entriesand all necessary support to access the DODIIS FSD.

(3) Incorporate DODIIS PKI certificate requirements inexisting ONI training courses for SSO/SSRs and JWICS users toinclude procedures for obtaining a DODIIS PKI certificate andhow to export a certificate for personnel being sent ontemporary duty to another command.

(4) Provide DODIIS PKI training to the Office of the Chiefof Naval Operations, COMUSFLTFORCOM/COMPACFLT, Numbered Fleetsand regional Naval Commanders' staffs.

(5) Provide on-site DODIIS PKI training to other Navycommands in conjunction with other scheduled ONI visits or whenrequested.

4

OPNAVINST 5329.3A18 January 2008

(6) Publish and maintain on JWICS a Navy DODIIS websitewhere DON SSOs and SSRs and users may obtain DODIIS PKIinformation.

(7) Publish and maintain a list of all Navy SSO/SSRs bycommand on the Navy DODIIS website.

(8) Task Regional Special Security Offices (SSO) andInformation Systems Security Managers (ISSM) to:

(a) Review individual command implementation of DODIISPKI certificates and use within their geographic area ofresponsibility and make available DODIIS PKI training materialsdeveloped by ONI as part of normal command visits.

(b) Identify DODIIS PKI certificate trainingdiscrepancies and refer them to the appropriate ONI points ofcontact for additional training. Regional SSO/ISSMs must ensureimmediate corrective actions are taken against any issues thatthreaten the security of JWICS in accordance with thisinstruction and references (a), (b) and (d) through (h).

(c) Inspect DODIIS PKI certificate implementation andcompliance for all commands within their geographic area ofresponsibility during normal security inspections or as directedby higher authorities.

c. COMUSFLTFORCOM/COMPACFLT

(1) Provide direction and assistance to the typecommander's designated SSO/SSR as required to support fleetunits DODIIS PKI requirements.

(2) Assist shore installations SSO/SSRs in the registrationof users for DODIIS PKI certificates.

(3) Collect feedback and recommendations from fleet andshore commands regarding the DODIIS PKI requirements and provideto ONI for discussion with DIA by OPNAV N2.

(4) Issue written guidance to tailor procedures for use andissuance of DODIIS PKI, if necessary.

5

OPNAVINST 5329.3A18 January 2008

d. Type Commander

(I) Provide support to fleet units in registering new usersfor OOOIIS PKI certificates when requested.

(2) Modify fleet unit pre-deployment checklists to includeOOOIIS PKI policy implementation in the training certificationprocess and verify unit compliance with this instruction.

(3) Inspect fleet unit OOOIIS PKI certification proceduresas part of command inspections.

(4) Assist fleet units in obtaining OOOIIS PKIcertification training from ONI, if required.

e. Numbered Fleets/Regional Naval Commanders

(I) Support OCONUS shore installations within their AOR anddeployed fleet unit requirements to register new users forOOOIIS PKI certificates, if required.

(2) Assist OCONUS shore installations in obtaining OOOIISPKI certification training from ONI, if required.

f. All Afloat/Shore JWICS-Capable Commands

(1) Appoint a command SSO and SSR in writing, providing acopy of their appointment letters to GISA, Fort Bragg, NC,(Facsimile OSN: 239-2962, Commercial: 910-432-2962) and ONI(ONI­5, OSN: 659-4146, Commercial: 301-669-4146).

(2) Appoint command TAs in writing and ensure each TAcompletes all necessary training as specified in references (e)and (h).

(3) Ensure that the SSO/SSR/TAs fully comply with allrequirements to authenticate an individual's identity prior toissuing the one-time PIN as required by reference (h) and developsite specific documentation and process to include anauthentication checklist. Site specific documentationrequirements for the authentication process may be accessed onJWICS at http://www.dia.ic.gov/proj/dodiis/documentation.

(4) Ensure that all assigned JWICS users and appropriateequipment are issued OOOIIS PKI certificates, and ensure thesecertificates are maintained.

6

OPNAVINST 5329.3A18 January 2008

(5) Ensure the command lAM and JWICS lAO have incorporatedthe requirements for JWICS DODIIS PKI certificates into theirdocumentation and assist the SSO/SSR in maintaining DODIIS PKIproficiency by all JWICS users.

(6) Maintain a command listing of all user and equipmentDODIIS PKI certificates issued to include expiration date.

(7) Conduct annual DODIIS PKI training to all assignedusers.

(8) Request DODIIS PKI training assistance from ONI orother sources as necessary to ensure user awareness andproficiency.

(9) Develop command procedures to address acceptance andinstallation of user certificates from other commands in theevent of short-duration augmentation of personnel.

(10) Develop command procedures to ensure user certificatesfor command personnel are forwarded to other commands whenpersonnel are being sent as short-duration augmentationassignments.

(11) Demonstrate DODIIS PKI certificate compliance as partof the type commander's training certification process, allsecurity inspections and during command inspections.

(12) Execute pre-deployment checklists to minimizerequirements for registering new users during deployment.

!~-Director of Naval Intelligence

Distribution:Electronic only, via Department of the Navy Issuances websitehttp://doni.daps.dla.mil

7

OPNAVINST 5329.3A18 January 2008

Obtaining a User's OOOIlS PKI Certificate

Afloat/Shore Command User

lInitiates certificate registration on

JWICS(htto:/IFSO.Armv.IC.GOV\

+I Command SSO/SSR validates JWICS User's certificate application' I

•I OIA issues one-time use PIN for User to complete PKI certification issue I+

Command SSO/SSRlTA receives PIN via email from OIA. Issues PIN to Userafter conducting face-to-face verification of user's identity.'

+User goes to JWICS (https:/Inediacweb0005.dodiis.ic.gov), enters

PIN and downloads PKI certificate.

lSS0/SSR may also reject or cancel the registration. This diagram assumes neither of these actions is taken.2Command may appoint in writing one or more Trusted Agents, if desired.

ENCL (1)

8