DOD nears launch of departmentwide PKI

The Defense Department soon plans to release guidelines that will lead to a departmentwide public-key infrastructure architecture that would ensure the integrity and confidentiality of data throughout the agency.

For months DOD has wanted to move from multiple, small PKI pilots to a single PKI architecture with a common policy, but the department had not developed guidelines on how to make the switch. With the imminent release of the "DOD PKI Road Map," DOD information assurance officials may have the guidance they need to make the PKI architecture a reality.

The guidance will address issues such as merging existing components, outsourcing PKI services and using emerging PKI technologies.

DOD hosts numerous pilots, such as a medium-assurance PKI and a Naval Acquisition PKI, and the Defense Message System has its own PKI.

But the various pilots offer "no set of standards or basis for interoperability," said Richard Schaeffer, director of infrastructure and information assurance within the Office of the Assistant Secretary of Defense for Command, Control, Communications and Intelligence. The road map will focus on "what's the most efficient process, architecture and structure [for PKI services] for the department."

A DOD certificate policy document, which will be released with the updated road map, will address what levels of assurance are applicable and what minimum level the department will accept. "We expect that initially there will be support for two levels of assurance," Schaeffer said.

Officials with the Naval Acquisition PKI pilot welcome the DOD PKI concept. "The plan has always been: When the DOD PKI is robust enough...we'll migrate to it," said Charlene Tallman, the command information systems security program manager for the Naval Supply Systems Command.

"PKI is one of the most critical things that DOD will do but also one of the most complex," Schaeffer said. "Trying to get it right without a vision and structure - without a road map - is fruitless."

The road map will establish a vision for a single type of user registration workstation that can order keying material for any DOD voice or data communications system, classified or unclassified, although delivery mechanisms for the keys will differ - a dramatic move, Schaeffer said. But one must be careful in implementing the concept, one security expert warned. Such workstations would be "an attractive target."

The road map also will address the use of third-party, outsourced PKI services such as those from VeriSign Inc., which already claims 10 DOD PKI pilots. The use of "third-party mechanisms" is doable technically, so the remaining issues are legal ones, Schaeffer said. What would be the liability, for example, of a contracting officer if an external certificate authority passed along as valid an invalid certificate? Accepting external CAs, if they meet DOD specifications, by signing their credentials with the DOD PKI root key might be the answer, he said. The road map will be technology neutral, Schaeffer said.

-- Adams is a free-lance writer based in Alexandria, Va.


  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.