USMC: U.S. Government Family of Protection Profiles for Public Key-Enabled Applications for Basic Robustness Environments v2.74
| Sponsor: | United States Marine Corps |
| Point of Contact: | Lt. Col. Brad Schieferdecker Phone: (703)784-0842 |
| Assurance Level: | Basic Robustness, EAL3+, EAL4+ |
| Status: | Evaluated |
Marine Corps Systems Command (MARCORSYSCOM) is the lead United States Marine Corps (USMC) agency and Program Manager responsible for the lifecycle support of the Public Key-Enabling (PK-E) program. The USMC PK-E Program was established to implement the Department of Defense (DoD) PK-E Policy as promulgated in the Assistant Secretary of Defense, Command, Control, Communications, and Intelligence (C3I), memorandum "Public Key-Enabling of Applications, Web Servers, and Networks for the Department of Defense (DoD)," dated May 17, 2001.
Public Key -Enabling will permit an application to use security services provided by the DoD Public Key Infrastructure (PKI). These security services include: confidentiality; authentication, integrity, technical non-repudiation, and access control. The DoD PKI is more fully described in: Department of Defense (DoD) Class 3 PKI Concept of Operations, dated 10 November 1999 and X.509 Certificate Policy for the Department of Defense, v5.0, dated 13 December 1999.
The manual Department of Defense (DoD) Medium Assurance Public Key Infrastructure (PKI) Public Key-Enabling of Applications, dated 29 September 2000, describes in detail the specific functions that PK-Enabled applications must perform. These functions are grouped into: key management; PKI interface; encryption services; and certificate processing. The DoD manual states that a PK-Enabled application can either provide the required function or operate in an environment where there are other applications or services that provide necessary functions.
An application or server is PK-Enabled if it meets all of the following criteria:
- It can accept and process a DoD PKI X.509 digital certificate to support one or more application, server, or network specific function (digital signature, data encryption support, system or network access) that provide security services (reference: PK-E Policy).
- It includes an interface to a hardware token supported by the DoD PKI (reference: PK-E Policy).
- It collects, stores, and maintains the data required to support the use of signed data in a security service (reference: DoD PKI Certificate Policy, section 2.1.4, bullet 4).
A PK-Enabled application must interoperate "correctly" with the DoD PKI. The Defense Information Systems Agency (DISA), Joint Interoperability Test Command (JITC) has developed the Department of Defense Public Key Infrastructure Interoperability Generic Test Plan Version 1.1, dated May 2001. DISA has determined that a PK-Enabled application that successfully completes this test protocol does interoperate "correctly" with the DoD PKI.
The USMC proposes to use the PK-E PP in its Acquisition Strategy for PK-E. Developers, vendors, and system integrators responding to the Request for Proposal (RFP) for a PK-Enabled USMC application must describe their proposed solutions in terms of an ST. The ST will assist the USMC in evaluating competing proposals for vendor understanding of security requirements. Further, USMC acceptance criteria of completed PK-Enabling will include CCTL testing.
In general, the planning and direction of the PK-E within the USMC will be centralized. The execution of the PK-E will be decentralized to application owners. It is intended that the PP provide a significant metric for application owners and managers as they undertake PK-E.