Update to DoD CIO Memorandum on Commercial Public Key Infrastructure Certificates on Public-Facing DoD Websites
DoD CIO Memo - Publish Date: 10/04/18
This memorandum updates and replaces DoD Chief Information Officer (CIO)
Memorandum, "Commercial Public Key Infrastructure Certificates on Public-Facing DoD
Websites," January 5, 2018. It provides clarification on where commercial certificates may be
purchased and expands the policy for use of commercial certificates on DoD Mobile Device
Management (MDM) systems.
Most commercial web browsers and operating systems do not explicitly trust DoD Public
Key Infrastructure (PKI) certificates. This results in external users receiving an untrusted
certificate message when trying to access DoD public-facing websites. DoD and the Federal PKI
program office are working together to implement a joint PKI which will be trusted by most
widely-used commercial web browsers and operating systems. This should be available within
the next 18 months. Until this capability is fully implemented, DoD Components may use
commercial Secure Socket Layer device certificates in accordance with the attached criteria.
Commercial device certificates may be installed on unclassified public-facing DoD websites and
unclassified DoD MDM systems. DoD Components may also use commercial code-signing
certificates to certify code on their websites.
This memorandum will remain in effect for two years from the date it is signed. The
DoD CIO retains the discretion to modify the memorandum's terms and conditions, as well as its
effective term. The point of contact for this matter is Mr. Andy Seymour at: (571) 372-6990,
charles.a.seymour.civ@mail.mil.