• Military Menu                       

• Introduction
• Systems
• Facilities
• Agencies
• Industry
• Operations
• Countries
• Hot Documents
• News
• Reports
• Policy
• Budget
• Congress
• Links

• WMD
• Intelligence
• Homeland Security
• Space

Navy Networks Implement Mandatory CAC Log-On

Navy NewsStand

Story Number: NNS060518-11
Release Date: 5/18/2006 6:00:00 PM

(Captain's Call Kit - Important Navy information prepared in an easy to distribute format.)

From Naval Network Warfare Command Public Affairs

NORFOLK, Va. (NNS) -- The Navy’s three major networks are switching to mandatory log on with a Common Access Card (CAC) and Personal Identification Number (PIN).

NMCI (Navy and Marine Corps Intranet) users will be switched over by July, while ONE-NET (OCONUS Navy Enterprise Network) users will be switched by December. IT-21 (Information Technology for the 21st Century) - afloat users - won’t switch over completely until about 2010, when most Navy ships are expected to have the upgrades necessary to process CAC cards onboard. Presently, only carriers have that capability.

All remaining legacy networks are also affected.

To log on at all, computer users will now need to insert their CAC into a card reader, either on a keyboard or separate device, and type in a personal identification number.

Once the new policy is in place and enforced, users will no longer be able to log on with the traditional user name and password. The changeover is directed by DoD to ensure maximum possible security for all of its networks.

Known as cryptographic log-on (CLO), the “cryptographic” part refers to the “crypto key” information in the CAC’s chip that verifies a user’s identity. The stored information allows users to prove who they are by entering their six-to-eight digit pin after inserting their CAC. The logic is based on two-factor authentication – what you have (CAC), and what you know (password).

According to Cathy Baber, the Information Assurance lead for Naval Network Warfare Command, the transition to mandatory CAC use began this May.

“Currently, users are allowed to choose between their CAC or username and password, but this will be phased to CAC and PIN login only once the enforcement phase begins, which will be on or about May 23. After the enforcement phase is completed sometime in July, all NMCI users will only be able to log in with their CAC and PIN, unless they’ve been specifically identified as an exception.”

ONE-NET will follow a few months later.

“ONE-NET is undergoing a phased implementation and will be fully compliant by December 2006,” said Eric Markland, assistant director for ONE-NET. “We expect to be 100 percent compliant by the end of the year.”

The transition from username/password to CAC/PIN will be phased in based on each user’s last name. Users are strongly encouraged to start logging on with their CAC early to catch any problems or unforeseen issues. Once the log-on is enforced and transitioned for the individual users, there will be no alternate way to access workstations and networks. Remote users will still be required to obtain a user name and password to gain access to email through Outlook Web Access.

“During the enablement (early) phase, a pop-up window will appear, indicating that the cryptographic log-on is beginning,” explained Baber. “From this point on and once the program begins to run, it may take up to three hours before the user is able to log on using their CAC. This time frame will allow the network servers to replicate and store information, which will allow users to use their CAC instead of usernames and passwords.”

Baber explained that not everyone would be subject to mandatory CAC log-on. Some exceptions include functional or role-based accounts (watchstanders), CAC-ineligible accounts (ombudsmen), and server-based computing accounts. Exceptions will be addressed and approved on a case-by-case basis.

Users who still need to update their CAC should contact their local personnel support offices. Users must ensure they know their CAC PIN and verify that it has all three required digital certificates. If a CAC is locked or missing certificates, users can also visit their local RAPIDS (Real-time Automated Personnel Identification System) site or find the nearest site at
www.dmdc.osd.mil/rsl/owa/home.

"NMCI users who know their PIN can also click on and print the Common Access Card Setup Guide,” said Baber. “The file can be found on the desktop of NMCI computers. This will instruct the user how to use the CAC and take them step-by-step through the process.”

NMCI users can also take the computer-based Navy eLearning course “NMCI Information Security: PKI and CAC” at
https://training/mgenimg/library/html/crs_display.htm.

ONE-NET users needing assistance with their CAC should contact their Theater Network Operations Security Center (Yokosuka/Naples/Bahrain), or if at a remote site, their Local Network Support Center.

For more information on Public Key Infrastructure capabilities, policies and procedures, go to the Information Security page at https://infosec.navy.mil/PKI.

For related news, visit the Naval Network Warfare Command Navy NewsStand page at www.news.navy.mil/local/nnwc/.