Defense Department broadens PKI policy
Supports secure communications with those outside DoD, including foreign allies
By Ellen Messmer, Network World, 07/31/2008
The U.S. Department of Defense has taken the step of broadening its public-key-infrastructure policy to recognize hardware-based
digital credentials from civilian agencies, foreign allies and some corporations associated with the DoD.
"The policy is open now," says Paul Grant, the Defense Department's special assistant for identity management and external
partnering, about the military's new perspective on PKI. The policy change is embodied officially in a memorandum issued July
22 by DoD CIO John Grimes, he notes.
By expanding its PKI policy, the DoD anticipates being able to digitally sign and encrypt e-mail more extensively with non-DoD
individuals in the U.S. government, allies in foreign governments and partners in industry, and grant them access to some
DoD Web portals.
Today there are about 3.4 million Common Access Cards (CAC) that hold the digital certificates used by DoD personnel and some
contractors working on DoD projects inside military agencies, Grant says. The military has its own process for verifying a
user's identity before issuing the digital certificates on these cards, which are used for computer access, securing messages
and often building access.
The DoD today uses the CAC for security in unclassified and sensitive messages, as well as for authentication at some Web
portals. The July 22 memo from Grimes details how the DoD will expand their use by cross-certifying with the so-called "federal
bridge" providing PKI interoperability among federal civilian agencies, which today use the Personal Identity Verification card required under presidential mandate.
Grant says the expanded PKI policy also will lead DoD toward the greater use of secure communications with foreign citizens
of allied nations, as well as with such defense-oriented corporations as Boeing, Lockheed-Martin and Raytheon that are members
of the Transglobal Secure Collaboration Program.
The transition to greater PKI interaction won't happen overnight for DoD because specific interoperability testing still needs
to be done, but the path forward is toward greater openness with PKI systems outside of DoD's direct control.
Why is the DoD taking this step now? It has had a long history pioneering the use of hardware-based digital certificates,
Grant says, but "a lot of our peers have been working on the same problem, too." Opening up the DoD's PKI policy for greater
inclusion in PKI-secure communications supports the military's "net-centric" concept of military readiness, he adds.
Comments (1)
You have lost a reader
By Anonymous on August 5, 2008, 9:04 am
For some time now, I have noticed with increasing disdain that information websites, such as Network World, are falling into the trap of incorporating flashier,...