DOD speeds PKI development

In a sweeping move to improve computer security, the military will require all personnel to use public-key infrastructure (PKI) technologies by midsummer to log on to the Non-secure IP Router Network (NIPRNET), the military’s unclassified network.

The Joint Task Force for Global Network Operations (JTF-GNO), the organization that oversees the operation and protection of military networks, issued guidance last month to military services and agencies on configuring systems and providing training for the PKI implementation.

The initiative requires the use of Common Access Cards, digital signatures, e-mail encryption, and Web server soft certificates for desktop and notebook computers and servers that connect to NIPRNET, according to the JTF-GNO Communications Tasking Order 06-02, Tasks for Phase 1 of the Accelerated PKI Implementation.

“Ongoing intrusion activity has focused on exfiltration of valid user names and passwords for use in further exploitation and access. This situation represents a direct and growing danger to the protection of the Global Information Grid,” states an unclassified but for-official-use-only document released Jan. 17. GIG is the military’s name for its networks.

Since 2003, countries such as China, crime gangs and hackers have increasingly tried to penetrate Defense Department networks, sometimes successfully. They attempt to steal and sell U.S. military secrets and slow DOD networks.

JTF-GNO’s guidelines include target dates for implementing PKI and instructions on the use of passwords for those computers and servers that do not make the deadline.

They also require significant awareness and system configuration training for all DOD systems administrators. Federal Computer Week chose not to publish detailed information in the document for security reasons.

“Compliance with this [task order] will enhance the security of DOD information systems and establish deadlines for training, verification, installation and progress reporting,” said Tim Madden, a spokesman for JTF-GNO.

In response to the order, the Army started implementing PKI last month and plans to have 10,000 workers at Army headquarters using it by March.

Spyware or keystroke-tracking software can steal user names, passwords and personal identification numbers, but they cannot steal Common Access Cards that use electronic information and digital PKI certificates to verify users’ identities, said Lt. Gen. Steven Boutelle, the Army’s chief information officer, in a Jan. 25 Army statement.

“One of the greatest vulnerabilities of our networks is posed by weak user names and passwords,” Boutelle said. The Army has borne the brunt of the attacks.

TKC Integration Services (TKCIS) won a contract last summer worth more than $1 million to oversee the installation of PKI throughout the Army.

The Alaska Native Corporation chose Tumbleweed Communications’ Tumbleweed Validation Authority product to verify whether a user’s PKI digital certificate is valid, said Joel Lipkin, senior vice president of TKCIS’ General Services Administration and Systems Integration Division.

Featured

  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.