Marine Corps Enterprise Network (MCEN) Unclassified Network Identification and Authentication Policy
This MARADMIN updates Marine Corps policy for identification and authentication to unclassified networks, mandating the use of two-factor authentication through DOD Public Key Infrastructure (PKI) and Common Access Card (CAC) cryptographic logon (CLO). User accounts not in compliance will be disabled unless granted exception authority, with specific exception categories defined for functional accounts, CAC-ineligible users, and other limited circumstances.
Issued: March 30, 2006
1. PURPOSE. THE PURPOSE OF THIS MARADMIN IS TO UPDATE MARINE CORPS POLICY FOR IDENTIFICATION AND AUTHENTICATION TO UNCLASSIFIED NETWORKS. THIS MEETS THE REQUIREMENTS OF REF A AND B. REF C IS HEREBY CANCELLED.

2. BACKGROUND. RECENT CYBER ATTACKS HAVE FOCUSED ON OBTAINING VALID USERNAMES AND PASSWORDS FOR USE IN FURTHER EXPLOITATION AND ACCESS. THIS SITUATION REPRESENTS A DIRECT AND GROWING DANGER TO THE PROTECTION OF THE GLOBAL INFORMATION GRID. REF A MANDATES THE USE OF A STRONG, TWO-FACTOR AUTHENTICATION (SOMETHING THE INDIVIDUAL KNOWS, THEIR CAC PIN, AND SOMETHING THE INDIVIDUAL HAS, THEIR CAC) TO UNCLASSIFIED NETWORKS THROUGH THE USE OF THE DEPARTMENT OF DEFENSE (DOD) PKI AND THE COMMON ACCESS CARD (CAC). THE CAC IS MORE THAN JUST AN IDENTITY CARD. IT CONTAINS AN INTEGRATED CIRCUIT CHIP WHICH HAS PUBLIC KEY CERTIFICATES ISSUED TO THE CARD HOLDER. THESE CERTIFICATES CAN BE USED FOR CONFIDENTIALITY, INTEGRITY, NONREPUDIATION AND AUTHENTICATION OF INFORMATION ON THE UNCLASSIFIED NETWORK. AN UNAUTHORIZED USER WISHING TO GAIN ACCESS TO YOUR ACCOUNT WOULD HAVE TO PHYSICALLY POSSESS YOUR CAC AND KNOW YOUR PIN. THESE MEASURES WILL MAKE IT MUCH MORE DIFFICULT FOR OUR ADVERSARIES TO COMPROMISE DOD NETWORKS.

3. SCOPE. THIS POLICY APPLIES TO ALL GOVERNMENT OWNED OR FUNDED AUTOMATED INFORMATION SYSTEMS (AIS) TO INCLUDE COMPUTER HARDWARE, SOFTWARE, PERIPHERALS, AND NETWORK CONNECTIVITY OWNED, OPERATED, OR USED BY USMC PERSONNEL.

4. POLICY. IAW REFS A AND B, IDENTIFICATION AND AUTHENTICATION TO UNCLASSIFIED NETWORKS REQUIRES THE USE OF DOD PKI CERTIFICATES FOR CRYPTOGRAPHIC LOGON (CLO). ANY USER ACCOUNT NOT IN COMPLIANCE WITH THIS POLICY WILL BE DISABLED UNTIL SUCH TIME AS CLO IS ENABLED AND ENFORCED OR AUTHORITY TO OPERATE AS A CLO EXCEPTION IS GRANTED (SEE PARA 4A). DUE TO THE SECURITY RISK ASSOCIATED WITH EXCEPTION ACCOUNTS, THESE ACCOUNTS WILL BE KEPT TO THE MINIMUM NECESSARY FOR THE EFFECTIVE CONDUCT OF OPERATIONS.

4.A. CLO EXCEPTION ACCOUNTS. DUE TO SEVERAL TECHNICAL LIMITATIONS AND DOD POLICIES, SOME ACCOUNTS MUST BE IDENTIFIED AS EXCEPTION ACCOUNTS AND WILL BE EXEMPT FROM CLO ENABLEMENT AND ENFORCEMENT. AUTHORIZED EXCEPTION ACCOUNT TYPES ARE DEFINED BELOW. ADDITIONAL EXCEPTION ACCOUNT TYPES WILL ONLY BE AUTHORIZED AFTER BEING APPROVED BY THE MCEN DESIGNATED APPROVAL AUTHORITY (DAA). AUTHORIZED EXCEPTION ACCOUNT TYPES WILL BE MAINTAINED ON THE C4 IA WEBSITE: HTTPS:/HQDOD.HQMC.USMC.MIL/IA.ASP. AS TECHNOLOGY AND DOD POLICIES CHANGE AND ALLOW EXCEPTION ACCOUNTS TO PERFORM CLO, THOSE ACCOUNTS WILL BE CLO ENABLED AND ENFORCED. THE MARINE CORPS PLANS TO EQUIP ALL FUTURE DEPLOYABLE FORCES WITH THE INFRASTRUCTURE/EQUIPMENT AND TRAINING TO ENABLE CLO.

4.B. DEPLOYING FORCES SHALL ENSURE EACH USER IS CAPABLE OF PERFORMING CLO BEFORE DEPLOYMENT BY VALIDATING ALL PKI CERTIFICATES ARE LOADED ON THE CAC, AND USERS KNOW THEIR CAC PIN. AT THIS TIME, ENABLEMENT AND ENFORCEMENT OF CLO FOR DEPLOYED FORCES IS HIGHLY ENCOURAGED BUT WILL BE EMPLOYED AT THE DISCRETION OF THE UNIT COMMANDER.

4.C. EXCEPTION ACCOUNT POLICY. THE FOLLOWING ACCOUNTS ARE EXEMPT FROM USING CLO FOR IDENTIFICATION AND AUTHENTICATION TO UNCLASSIFIED SEATS.

(1). FUNCTIONAL OR ROLE-BASED ACCOUNTS. ACCOUNTS ALLOWING MULTIPLE USERS ACCESS TO A SINGLE ACCOUNT DURING PERFORMANCE OF OFFICIAL DUTIES. EXAMPLES INCLUDE WATCHSTANDER, DUTY, OR TRAINING ACCOUNTS.

(2). CAC-INELIGIBLE USER ACCOUNTS. ACCOUNTS FOR NMCI USERS NOT ELIGIBLE FOR A CAC. EXAMPLES OF THESE USERS INCLUDE OMBUDSMEN, FLAG SPOUSES, KEY VOLUNTEERS, OR FOREIGN NATIONALS.

(3). SERVER-BASED COMPUTING ACCOUNTS. ACCOUNTS USED BY SERVER-BASED COMPUTING (I.E., NMCI CLIN 0038AC-SCIENCE AND TECHNOLOGY TERMINAL SERVICES) USERS.

(4). SECONDARY ACCOUNTS. THIS CATEGORY INCLUDES THE ACCOUNTS OF USERS THAT REQUIRE MULTIPLE MCEN ACCOUNTS IN THE PERFORMANCE OF THEIR OFFICIAL DUTIES. EXAMPLES OF THESE USERS INCLUDE THOSE WITH RESERVE AND CONTRACTOR ACCOUNTS. EXCEPTIONS ARE AUTHORIZED ONLY FOR THE SECONDARY (LEAST FREQUENTLY USED) ACCOUNT(S). THE PRIMARY (MOST FREQUENTLY USED) ACCOUNT MUST BE CLO-ENABLED.

(5). CAP ACCOUNTS. ACCOUNTS USED BY DISABLED OR SPECIAL NEEDS USERS PARTICIPATING IN THE COMPUTER/ELECTRONIC ACCOMMODATION PROGRAM (CAP).

(6). ADDITIONAL EXCEPTIONS. REQUEST FOR EXEMPTION OF ANY OTHER ACCOUNT TYPES NOT DESCRIBED ABOVE MUST SPECIFICALLY BE APPROVED BY THE MCEN DAA. COMMANDS MAY SEND REQUESTS FOR EXCEPTION ACCOUNTS TO THE MCEN DAA PKI REPRESENTATIVE AT HQMCIA@HQMC.USMC.MIL.

(7). EXCEPTION ACCOUNTS THAT ARE INACTIVE FOR A PERIOD EXCEEDING 30 DAYS WILL BE DISABLED.

4.D. PASSWORD POLICY. BECAUSE THE USE OF USERNAME AND PASSWORD FOR NETWORK ACCESS IS INHERENTLY LESS SECURE THAN CLO, A STRINGENT PASSWORD POLICY MUST BE IMPLEMENTED FOR ALL MCEN EXCEPTION ACCOUNTS. THE FOLLOWING PASSWORD POLICY APPLIES TO NIPRNET ACCOUNTS AUTHORIZED AS CLO EXCEPTIONS. CLO ENABLED AND ENFORCED NIPRNET ACCOUNTS WILL NOT ALLOW USERS TO ACCESS THEIR ACCOUNTS VIA USER NAME AND PASSWORD.

(1). PASSWORDS WILL BE SET TO A MINIMUM OF 9 CHARACTERS. PASSWORDS WILL CONTAIN A MIX OF AT LEAST TWO LOWERCASE LETTERS, TWO UPPERCASE LETTERS, TWO NUMBERS, AND TWO SPECIAL CHARACTERS. PASSWORDS MUST NOT BE COMMON DICTIONARY WORDS OR NAMES, BIRTHDAYS, PHONE NUMBERS, OR THE USER IDENTIFICATION (USERID).

(2). PASSWORDS MUST BE CHANGED OR INVALIDATED AT LEAST EVERY 60 DAYS. USMC ORGANIZATIONS ARE AUTHORIZED TO ELECT SHORTER PERIODS BASED ON AN ELEVATED SECURITY POSTURE OR OPERATIONAL NECESSITY.

(3). INFORMATION TECHNOLOGY SYSTEMS WILL BE CONFIGURED TO NOT ALLOW USERS TO REUSE A PASSWORD FOR 10 CYCLES.

(4). THE MINIMUM PASSWORD AGE WILL BE 7 DAYS. ONCE A PASSWORD IS SET, A USER WILL NOT BE ABLE TO CHANGE THE PASSWORD FOR 7 DAYS. THIS PREVENTS USERS FROM CYCLING THROUGH PASSWORDS TO RESELECT THE ONE THEY HAVE ALWAYS USED.

(5). UNSUCCESSFUL LOGON ATTEMPT COUNTER SHALL BE SET TO 3 WITH A COUNTER RESET OF NO LESS THAN 60 MINUTES. THIS ALLOWS NO MORE THAN TWO UNSUCCESSFUL LOGON ATTEMPTS WITHIN A 60 MINUTE PERIOD. AFTER THE THIRD UNSUCCESSFUL LOGON ATTEMPT, THE ACCOUNT LOCKOUT DURATION IS SET TO "FOREVER", REQUIRING THE ACCOUNT TO BE UNLOCKED BY A SYSTEM ADMINISTRATOR.

(6). PASSWORD SHARING IS PROHIBITED.

(7). VENDOR-SELECTED DEFAULT PASSWORDS MUST BE CHANGED DURING OR IMMEDIATELY AFTER SYSTEM INSTALLATION. NULL OR BLANK PASSWORDS ARE NOT AUTHORIZED UNDER ANY CIRCUMSTANCES.

(8). SYSTEMS WILL BE RECHECKED PERIODICALLY TO CONFIRM UPGRADES/PATCHES HAVE NOT REINSTALLED FACTORY PASSWORD DEFAULTS OR OTHER TYPES OF BACKDOORS.

(9). SEPARATE USER AND NETWORK ADMINISTRATOR ACCOUNTS/PASSWORDS MUST BE USED.

(10). IF AN ACCOUNT OR PASSWORD IS SUSPECTED TO HAVE BEEN COMPROMISED, SUSPEND THE ACCOUNT AND REQUIRE THE PASSWORD TO BE RESET PRIOR TO REACTIVATION. REPORT THE INCIDENT TO THE INFORMATION ASSURANCE OFFICER (IAO) OR INFORMATION ASSURANCE MANAGER (IAM).

(11). SYSTEM MESSAGES WILL DISPLAY A LEGAL WARNING WHICH REQUIRES THE USER TO CONSENT TO ACTIVE MONITORING.

(12). DISABLE THE "DISPLAY THE USERNAME OF THE LAST SUCCESSFUL LOGON" FEATURE.

(13). ENABLE THE LAST SUCCESSFUL LOGON MESSAGE FEATURE THAT TELLS THE USER THE LAST SUCCESSFUL AND UNSUCCESSFUL LOGON TIME AND DATE.

5. ACTION. COMMANDERS WILL ENSURE THE IMPLEMENTATION OF THIS POLICY WITHOUT DELAY AND ENSURE THE INCLUSION OF ITS CONTENT WITHIN RESIDENT INFORMATION ASSURANCE TRAINING. COMMANDERS SHALL ENSURE THIS INFORMATION IS DISSEMINATED THROUGH WIDEST MEANS, INCLUDING POSTING ON ORGANIZATIONAL BULLETIN BOARDS.

6. TECHNICAL INQUIRIES SHOULD BE DIRECTED TO THE MCNOSC OPERATIONS CENTER AT DSN 278-5300, COMM 703-784-5300, OR UNCLAS E-MAIL: SMB USMC MCNOSC COMMAND CENTER@MCNOSC.USMC.MIL.
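As an added illustration, not part of the MARADMIN, the following Python implements two of the exception-account password rules in paragraph 4.D: the complexity check of 4.D(1) and the lockout counter of 4.D(5) (counter of 3, 60-minute reset, lockout "forever" until an administrator unlocks). The word list, userid and timestamps are constructed for the example; a real deployment would check against a full dictionary.

```python
import re
from datetime import datetime, timedelta

# Constructed sample word list; a real check would use a full dictionary.
COMMON_WORDS = {"password", "marine", "welcome", "semperfi"}

def check_complexity(password: str, userid: str) -> list:
    """Return the 4.D(1) rules the password violates (empty list = compliant)."""
    problems = []
    if len(password) < 9:
        problems.append("fewer than 9 characters")
    classes = {"lowercase": r"[a-z]", "uppercase": r"[A-Z]",
               "numbers": r"[0-9]", "special characters": r"[^A-Za-z0-9]"}
    for name, pattern in classes.items():
        if len(re.findall(pattern, password)) < 2:
            problems.append(f"fewer than two {name}")
    lowered = password.lower()
    # Stricter than the letter of 4.D(1): also reject passwords containing the userid.
    if lowered in COMMON_WORDS or userid.lower() in lowered:
        problems.append("dictionary word or contains userid")
    if sum(c.isdigit() for c in password) >= 7:  # birthday/phone-number heuristic
        problems.append("looks like a birthday or phone number")
    return problems

class LockoutTracker:
    """4.D(5): counter 3, counter reset 60 minutes, lockout until admin unlock."""
    THRESHOLD = 3
    RESET_WINDOW = timedelta(minutes=60)

    def __init__(self):
        self.failures = []  # timestamps of failures inside the current window
        self.locked = False

    def record_failure(self, when: datetime) -> bool:
        """Record one failed logon; return True if the account is now locked."""
        if self.locked:
            return True
        # Counter resets once 60 minutes pass without a further failure.
        if self.failures and when - self.failures[-1] >= self.RESET_WINDOW:
            self.failures.clear()
        self.failures.append(when)
        if len(self.failures) >= self.THRESHOLD:
            self.locked = True  # "forever": only admin_unlock() clears it
        return self.locked

    def admin_unlock(self):
        self.failures.clear()
        self.locked = False
```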