Loren Data Corp.


COMMERCE BUSINESS DAILY ISSUE OF MAY 17, 1999 PSA#2347

Defense Information Systems Agency, DITCO-NCR, 701 South Court House Road, Arlington, VA 22204-2199

D -- INTERIM EXTERNAL CERTIFICATE AUTHORITY (IECA) REQUEST FOR IECA CANDIDATES
DUE 052899
POC IECA Customer Support Center, (703) 848-2898

INTERIM EXTERNAL CERTIFICATE AUTHORITY (IECA) REQUEST FOR IECA CANDIDATES, MAY 10, 1999

STATEMENT OF INTENT

The Paperless Contracting Wide-Area Work Flow (WAWF), Electronic Document Access (EDA), and Defense Travel System (DTS) applications and other DOD Public Key Infrastructure (PKI) External Certificate Authority (ECA) programs must issue PKI client certificates to their non-Department of Defense (DOD) users by June 1999. Therefore, the DOD is releasing a "Request for IECA Candidates" to support the DOD PKI IECA. Interested U.S. companies are encouraged to serve as IECAs. DOD will begin accepting IECA Candidate Packages on the published date of this announcement until the tenth working day thereafter. Mandatory IECA testing, application interoperability testing and IECA Candidate Package review will begin when the DOD receives its first IECA candidate's package. The IECA duration will be one year from the date a Memorandum of Agreement (MOA) is signed by DOD. This release supersedes the July 13th, 1998, "Request For Information" "External Certification Authorities" (ECAs).

INTRODUCTION

The Defense Information Systems Agency (DISA) and the National Security Agency (NSA) are taking steps to establish a DOD PKI. The DOD PKI will be used for certificate and key management and to provide directory services for the storage and archiving of certificates and certificate revocation lists (CRLs). The DOD PKI is intended to be sufficient to support internal DOD business practices. As public key cryptography continues to be adopted as part of the overall security solution for a variety of applications, both inside and outside of the DOD, there exists an increased need for interoperable PKIs.
Recognizing the need to interoperate with Certificate Authorities (CAs) outside of the DOD domain, DOD plans to establish trust relationships with CAs that achieve a satisfactory assurance level. These ECAs will provide non-DOD personnel with certificate services that interoperate with the DOD PKI. Contractors, vendors and other interested parties may use certificates obtained from an accredited ECA to transact electronic business with DOD entities. The DOD will require that all accredited ECAs achieve an assurance level equivalent to or greater than the DOD PKI class 3 policy (Certificate Policy).

THE INTERIM EXTERNAL CERTIFICATE AUTHORITY (IECA)

In an effort to more quickly establish the ECA capability, IECAs will not operate under the DOD Root CA. The IECA will follow the same submission process as the ECA, support the same or equivalent certificate policy, provide the same level of assurance in their operations, and assign subject distinguished names. However, IECAs may only issue client certificates to identified non-DOD users of the EDA, WAWF, DTS applications and other DOD PKI/ECA programs as identified. IECAs will provide certification services to a limited number of DOD contractors that support specified programs requiring PKI support in the near term. These programs include, but are not limited to, EDA, WAWF and DTS. IECAs may have the opportunity to transition to an ECA.

SUPPORTING DOCUMENTATION

The DOD PKI ECA Web Page (www.disa.mil/infosec/pkieca) contains the DOD PKI supporting documentation.
This documentation includes: DOD Medium Assurance Public Key Infrastructure Functional Specification (Draft), (Version 0.3, October 20, 1998); IECA Candidate Pass/Fail Criteria, (Version 1.0, May 5, 1999); X.509 Certificate Policy, Modified for IECAs, (Draft) (May 4, 1999); Guidelines for External Certification Authority Interoperability with the Department of Defense Public Key Infrastructure (Draft) (ECA Guidelines), (Version 0.7, April 29, 1999); Interim External Certificate Authority X.509 Certificate Compliance Test Plan, (May 5, 1999); and Memorandum Of Agreement (MOA) between the DOD and the Interim External Certificate Authority. In addition, two illustrations are provided: Diagram 1: Interim and Objective ECA, and Diagram 2: IECA Candidate Process. Both the ECA Guidelines and the IECA Pass/Fail criteria were written for the Objective ECA under the DOD Root but identify the streamlined requirements for IECA Candidates. Combining the Interim and the Objective ECA documentation was intended to allow the IECA providers to recognize where their operations will need to change when transitioning to the fully developed ECA under the DOD Root. [Note: The ECA Guidelines take precedence over the DOD PKI Functional Specification Document.]

CUSTOMER SUPPORT

The DOD PKI ECA Web site contains the IECA Candidate Package, DOD PKI ECA Customer Support email address and a phone number for potential IECAs who have questions or issues with the IECA Candidate Package or process. The DOD PKI ECA Web address is www.disa.mil/infosec/pkieca. As they become available, the Joint Electronic Commerce Program Office Web Site, www.acq.osd.mil/ec, DTS Web Site, www.dtic.mil/travelink/industry, the Electronic Commerce Resource Centers (ECRC) Web Site, www.ecrc.ctc.com, and other program sites requiring IECA support will be linked to the DOD PKI ECA Web page to provide the widest dissemination of information to DOD IECAs and their users.
In addition, this site will list accepted IECAs, lessons learned, and frequently asked questions (FAQs) from users and vendors with their responses.

IECA CANDIDATE PACKAGE

Each IECA Candidate is required to submit an IECA Candidate Package consisting of the IECA Candidate's Certificate Practice Statement, System documentation and architecture, sample certificates and CRLs, X.509 Version 3 Standard Profile, and a signed MOA. Supporting documentation and details can be found on the DISA PKI ECA Web Site. All IECA Candidate Packages shall be sent by courier (e.g., FedEx, UPS, etc.) in hardcopy and, where applicable, in magnetic form (3 inch floppy) to DOD PKI IECA Candidate Processing Office, Suite 100 West, 7927 Jones Branch Drive, McLean, VA 22102-3305.

IECA CANDIDATE PROCESS

All IECA Candidate Packages will be accepted by the DOD; however, the DOD will permit only the first three IECA Candidates who submit a complete IECA candidate package, pass all the required criteria to operate as an IECA, and who can efficiently service at competitive rates the WAWF, EDA, DTS and other DOD programs. Any IECA Candidate who does not meet all required qualifications may be removed from processing.

DOD PKI REVIEW PROCESS

The DOD will review IECA Candidate Packages submitted by candidate ECAs. The review committee, composed of members from DISA, NSA and PKI and legal experts, will ensure that the IECA Candidate's Certificate Practice Statement complies with the DOD Certificate Policy, and the system documentation and architecture support DOD policy and documentation. If the IECA Candidate's package is compliant, and includes a properly signed DOD IECA MOA, the committee will recommend that the DOD Chief Information Officer (CIO) sign the IECA Candidate's MOA and allow the IECA to operate.
The IECAs must be capable of providing certificates within five days of notification of acceptance from the DOD.

COMPLIANCE AND INTEROPERABILITY TESTING

The IECA Candidate's X.509 certificate will be tested by the DOD Joint Interoperability Test Command (JITC) for compliance to the DOD X.509 Version 3 Standard profile. The IECA Candidate will be permitted to test two times with the JITC before they are removed from the candidate list. A report of findings with recommendations will be provided to the failed IECA Candidate. The DOD will provide a list of IECAs to vendors requesting the same and post the list on the DOD PKI ECA Internet Web Page. Each IECA Candidate is required to test with the EDA, WAWF, DTS applications and any other identified DOD PKI/ECA application for interoperability.

TRANSITION OF IECA TO OBJECTIVE ECA UNDER DOD ROOT

The DOD plans to transition IECAs to the objective ECA. Objective ECAs will be under the DOD Root. DOD intends to provide a transition plan to all IECAs by December 30, 1999.

LEGAL LIABILITY

DOD assumes no liability for the operations of the IECA or their subscribers.

YEAR 2K COMPLIANCE

All information technology provided under, or in support of, this IECA package by the IECA Candidate or its subcontractors shall be Year 2000 compliant. "Year 2000 compliant" means, with respect to information technology, that the information technology accurately processes date/time data (including, but not limited to, calculating, comparing and sequencing) from, into and between the twentieth and twenty-first centuries, and the years 1999 and 2000 and leap year calculations, to the extent that other information technology, used in combination with the information technology being acquired, properly exchanges date/time data with it.

MEMORANDUM OF AGREEMENT

All IECA Candidates must submit a signed DOD IECA MOA with their IECA candidate package.
Submitting a signed MOA signifies that the IECA Candidate has read and complies with all of the DOD PKI ECA Documentation that is referenced or contained herein. The candidate package may be returned if the MOA is not signed. After processing, the DOD CIO will sign the MOA. DOD CIO signature authorizes the IECA to issue certificates to the EDA, WAWF, DTS and other DOD initiatives' customers identified by the DOD.

Posted 05/13/99 (W-SN331253). (0133)

Loren Data Corp. http://www.ld.com (SYN# 0043 19990517\D-0015.SOL)

