Changes to CAC Certificates

Published, January 23, 2019

Department of the Navy Common Access Cards (CACs) must align with the Federal Personal Identity-Authentication (PIV-Auth) certificate, which ensures strong authentication. Homeland Security Presidential Directive 12 (HSPD-12) requires Federal departments and agencies to use strong authentication credentials for network and IT system access, and the CAC is DoD's primary mechanism for doing so on the NIPRNet.

DoD has directed that DoD's PIV-Auth certificate become the standard for DoD IT access on the NIPRNet in order to standardize implementations and reduce inefficiencies with mission partners, improve cybersecurity posture and change management, reduce costs associated with maintaining DoD-specific legacy authentication mechanisms, and allow the DoD to use commercial products designed to read HSPD-12-compliant Public Key Infrastructure (PKI) credentials.

To accomplish this, DoD has directed DoD components to begin planning to reconfigure network and web-application user accounts to support PIV-Auth authentication. DoD has also directed the DoD Chief Information Officer (CIO) Cybersecurity Scorecard Team to document and track progress toward achieving the changes necessary for use of the PIV-Auth certificate for authentication. To support this, the Navy issued NAVADMIN 200/18, which requires all personnel to activate their PIV-Auth certificate by Jan. 31, 2019; requires website/web-application owners to post transition plans for shifting to PIV-Auth logon by the same date; and requires websites/web-applications to support only the PIV-Auth certificate for logon by Feb. 29, 2020. The Marine Corps has issued MARADMIN 025/19 directing similar actions.

For most unclassified IT users, the most visible change will be selecting only the PIV-Auth certificate at system logon instead of choosing either the ID or Email certificate. Though the PIV-Auth certificate is on all DoD CACs, it is not activated on CACs issued before Feb. 24, 2018. It is activated on USMC CACs issued since June 2016. DON CAC holders for whom the PIV-Auth certificate is not visible do not need a new CAC, but must visit the milConnect RAPIDS Self-Service portal to activate the certificate. The Navy PKI office has posted a step-by-step guide for doing so (USN PIV Activation Instructions) at https://infosec.navy.mil/PKI/main.html.

TAGS: Cybersecurity, IA, IDManagement, NEN, NNE, PKI
