DODD 8520.03 CE-01
Identity Authentication for Information Systems
Publication Date: 27 July 2017
PURPOSE. In accordance with the authority in DoD Directive (DoDD) 5144.1 (Reference (a)), this Instruction:
a. Implements policy in DoD Instruction (DoDI) 8500.01 (Reference (b)), assigns responsibilities, and prescribes procedures for implementing identity authentication of all entities to DoD information systems.
b. Establishes policy directing how all identity authentication processes used in DoD information systems will conform to Reference (b).
c. Implements use of the DoD Common Access Card, which is the DoD personal identity verification credential, into identity authentication processes in DoD information systems where appropriate in accordance with Deputy Secretary of Defense Memorandum (Reference (c)).
d. Aligns identity authentication with DoD identity management capabilities identified in the DoD Identity Management Strategic Plan (Reference (d)).
e. Establishes and defines sensitivity levels for the purpose of determining appropriate authentication methods and mechanisms. Establishes and defines sensitivity levels for sensitive information as defined in Reference (b) and sensitivity levels for classified information as defined in Volume 1 of DoD Manual 5200.01 (Reference (e)).
a. This Instruction applies to:
(1) OSD, the Military Departments, the Office of the Chairman of the Joint Chiefs of Staff and the Joint Staff, the Combatant Commands, the Office of the Inspector General of the DoD, the Defense Agencies, the DoD Field Activities, and all other organizational entities within the DoD (hereinafter referred to collectively as the "DoD Components").
(2) The United States Coast Guard. The United States Coast Guard will adhere to DoD cybersecurity requirements, standards, and policies in this instruction in accordance with the direction in Paragraphs 4a, b, c, and d of the Memorandum of Agreement Between the Department of Defense and the Department of Homeland Security (Reference (q)).
(3) All DoD unclassified and classified information systems including networks (e.g., non-classified Internet Protocol Router Network, Secret Internet Protocol Router Network (SIPRNET), Defense Research and Engineering Network, Secret Defense Research and Engineering Network), web servers, and e-mail systems.
(4) All DoD and non-DoD personnel entering or exiting DoD facilities or installations that authenticate to a physical access control system (PACS).
(5) All DoD and non-DoD entities (human and non-person) logically accessing DoD unclassified and classified information systems including, but not limited to, DoD web-based systems, DoD websites, DoD web servers, and DoD networks. Hereinafter in this Instruction, use of "entities" refers to human and non-person users.
b. This Instruction does NOT apply to:
(1) Unclassified internet-based systems specifically intended to engage DoD mission partners, known and unknown, in nontraditional missions such as humanitarian assistance, disaster response, stability operations, or building partner capacity.
(2) Sensitive Compartmented Information and information systems operated within the DoD that fall under the authority provided in Intelligence Community Directive 503 (Reference (f)). This Instruction also does not apply to Top Secret collateral systems, special access programs, and stand-alone networks with no connection to the Global Information Grid.