DOD speeds PKI development

In a sweeping move to improve computer security, the military will require all personnel to use public-key infrastructure (PKI) technologies by midsummer to log on to the Non-secure IP Router Network (NIPRNET), the military’s unclassified network.

The Joint Task Force for Global Network Operations (JTF-GNO), the organization that oversees the operation and protection of military networks, issued guidance last month to military services and agencies on configuring systems and providing training for the PKI implementation.

The initiative requires the use of Common Access Cards, digital signatures, e-mail encryption, and Web server soft certificates for desktop and notebook computers and servers that connect to NIPRNET, according to the JTF-GNO Communications Tasking Order 06-02, Tasks for Phase 1 of the Accelerated PKI Implementation.

“Ongoing intrusion activity has focused on exfiltration of valid user names and passwords for use in further exploitation and access. This situation represents a direct and growing danger to the protection of the Global Information Grid,” states an unclassified but for-official-use-only document released Jan. 17. GIG is the military’s name for its networks.

Since 2003, countries such as China, crime gangs and hackers have increasingly tried to penetrate Defense Department networks, sometimes successfully. They attempt to steal and sell U.S. military secrets and slow DOD networks.

JTF-GNO’s guidelines include target dates for implementing PKI and instructions on the use of passwords for those computers and servers that do not make the deadline.

They also require significant awareness and system configuration training for all DOD systems administrators. Federal Computer Week chose not to publish detailed information in the document for security reasons.

“Compliance with this [task order] will enhance the security of DOD information systems and establish deadlines for training, verification, installation and progress reporting,” said Tim Madden, a spokesman for JTF-GNO.

In response to the order, the Army started implementing PKI last month and plans to have 10,000 workers at Army headquarters using it by March.

Spyware or keystroke-tracking software can steal user names, passwords and personal identification numbers, but they cannot steal Common Access Cards that use electronic information and digital PKI certificates to verify users’ identities, said Lt. Gen. Steven Boutelle, the Army’s chief information officer, in a Jan. 25 Army statement.

“One of the greatest vulnerabilities of our networks is posed by weak user names and passwords,” Boutelle said. The Army has borne the brunt of the attacks.

TKC Integration Services (TKCIS) won a contract last summer worth more than $1 million to oversee the installation of PKI throughout the Army.

The Alaska Native Corporation chose Tumbleweed Communications’ Tumbleweed Validation Authority product to verify whether a user’s PKI digital certificate is valid, said Joel Lipkin, senior vice president of TKCIS’ General Services Administration and Systems Integration Division.

Featured

  • Management
    people standing on keyboard (Who is Danny/Shutterstock.com)

    OPM-GSA merger plan detailed in legislative proposal

    The White House is proposing legislation for a dramatic overhaul of human resources inside government and wants $50 million to execute the plan.

  • Cloud
    cloud applications (chanpipat/Shutterstock.com)

    GSA plans civilian DEOS counterpart

    GSA is developing a cloud email and enterprise services contract inspired by the single-source vehicle the Department of Defense devised for back-office software.

  • Defense
    software (whiteMocca/Shutterstock.com)

    DOD looks to unify software spending for 2020

    Defense Department acquisition head, Ellen Lord, hopes to simplify software buying and improve business systems following the release of the Defense Innovation Board's final software acquisition study.

Stay Connected

FCW INSIDER

Sign up for our newsletter.

I agree to this site's Privacy Policy.