Recent cyber attacks on government computer systems have prompted the Marine Corps to speed up its plans to transition from a Corps-centric security credentialing system to a Defense Department-wide system spelled out in April.
In a July 1 message, Brig. Gen. Kevin Nally, C4 director with Marine Forces Cyberspace Command at Fort Meade, Maryland, said all system administrator and privileged user accounts on Corps systems, networks and enclaves must be changed to use DoD public key infrastructure credentials or smart cards.
Public key infrastructure, or PKI, is the security architecture for validating the identities of individuals or systems accessing information stored on and moving through a network.
“It is incumbent on all Marine Corps organizations to understand that this is a mandatory requirement and must comply within the [stated] timelines,” Nally said in the message.
Last month, the Office of Personnel Management’s system was breached — reportedly by China — and the personnel records of some 4 million current or former employees may have been compromised. Previous attacks on OPM may have exposed the personal information of 14 million people.
Also in June, the U.S. Army’s website, army.mil, was defaced and temporarily brought down by a group calling itself the Syrian Electronic Army, and two Air Force subdomains were hit by a pro-Palestinian group going by the name AnonGhost.
The Pentagon released its second cyber strategy document three months ago. The first, released in 2011, is cited in the Marine Corps’ July 1 message.
Defense Secretary Ashton Carter called the latest document a guide to developing DoD’s cyber forces and strengthening its defenses against attacks.
“It focuses on building cyber capabilities and organization for DoD’s three cyber missions,” Carter said in announcing the strategy. “To defend DoD networks, systems and information, defend the U.S. homeland and U.S. national interests against cyberattacks of significant consequence and support operational and contingency plans.”
As part of the strategy, the Pentagon is building a Joint Information Environment security architecture that, among other measures, will “shift the focus from protecting service-specific networks and systems to securing the DoD enterprise in a unified manner,” the document states.
The Corps has directed that by July 8 all operating system/root domain-level individual user system administrator passwords that have not already been PKI-enabled must be changed.
By July 15, the password of every individual system administrator and privileged user for every DoD computer, system, applications software, network device and every other form of information technology must be changed.
Marine Forces Cyberspace personnel will also conduct in-person validation with system admins and privileged users’ accounts to make sure the accounts are associated with an individual requiring access to them. Any accounts not validated will be deleted.
According to the timeline detailed by Nally, the cyber command will make sure that multi-factor authentication is in place and enabled for admins and users on systems that can remotely access other devices by the end of August.
Ray Letteer, chief of the command’s Cyber Security Division, said he does not expect the Corps to have any difficulty meeting the timeline. About 90 percent of personnel who use the Corps networks and system already use the kind of access codes required under the strategy, he said.
“The Marine Corps has been doing pretty well on this,” he said.
– Bryant Jordan can be reached at firstname.lastname@example.org.