Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
John W. Milton
Chief, DMS Division
DMS Global Service Manager
Summary of Changes
The following change was made to the Interim Procedure 33-V02, Version 3 X.509
GENSER End User Certificate Request Forms Package: Placed asterisk next to Border
Device in Block 30, Version 3 GENSER Security Policy on the Version 3, X.509
Certificate Request Form.
IP 33-V01
Para 6.7.1 (page 15) was modified to reference Allied Communications Publication
(ACP) 117.
Table of Contents
SUMMARY OF CHANGES.........................................................................................................................1
IP 33-V01........................................................................................................................................................1
TABLE OF CONTENTS...............................................................................................................................I
1. PURPOSE....................................................................................................................................................I
2. APPLICABILITY.......................................................................................................................................I
3. BACKGROUND.........................................................................................................................................I
4. END USER REQUEST FORMS PACKAGE INSTRUCTIONS.........................................................II
5. HOW TO FILL OUT THE X.509 CERTIFICATE REQUEST FORM ELECTRONICALLY.....III
6. INSTRUCTIONS FOR COMPLETING THE X.509 CERTIFICATE REQUEST FORM.............IV
6.1. PAGE NUMBERING (TOP LEFT ENTRY ON EACH PAGE)................................................................................IV
6.2. USER INFORMATION..................................................................................................................................IV
6.3. SUPPORTING INFORMATION........................................................................................................................VII
6.4. ADMINISTRATIVE/SIGNATURE BLOCK ..........................................................................................................X
6.5. VERSION 3 SIGNATURE CERTIFICATE INFORMATION ....................................................................................XIII
6.6. VERSION 3 ENCRYPTION CERTIFICATE INFORMATION...................................................................................XIII
6.7. VERSION 3 GENSER SECURITY POLICY INFORMATION..............................................................................XIV
APPENDIX A - X.509 END USER REQUEST FORMS PACKAGE......................................................1
1. Purpose
This IP provides instructions to complete the X.509 End User Request Forms Package to
obtain a Class 4 Certificate and FORTEZZA® card with the minimum requirements to
facilitate successful DMS GENSER messaging.
2. Applicability
This IP is applicable through the chain of authority from the requesting user to the
approving authority. This includes the user, security officer, registration authority, sub-
registration authority and certification authority. Definitions of these roles are contained
in the current D0D X.509 Certificate Policy.
3. Background
X.509 certificates contains such information as the version number of the certificate, the
certificate’s identifying serial number, the signature algorithm used to sign the certificate,
the issuer’s distinguished name, the validity period of the certificate, the distinguished
name of the subject, and information about the subject’s public key. More detailed
information about X.509 certificates can be found in ITU-T Recommendation X.509,
dated June 1997.
The “End user” includes organizations, organizational roles, and devices that support
organizational messaging. An end user may require one or more certificates depending
on the organization, organizational role, or device needs. If end users work on different
projects or with multiple departments, they may need separate certificates for each role
(i.e., project or department). Similarly, if end users need to communicate between
i
FOR OFFICIAL USE ONLY
IP 33-V02 October 17, 2005
X.509 End User Certificate Request Forms Package
different classified networks, they will require separate certificates with different
classification levels in order to communicate with the other networks.
With the advent of “domain FORTEZZA®” devices, most X.509 certificates are for the
server application that sends/receives the organization’s organizational messages.
Individuals no longer require their own FORTEZZA® X.509 certificates when using a
domain FORTEZZA® server, but use a DoD PKI certificate (or other Identification (ID)
and password on SIPRNet or Top Secret/Collateral (TS/C domain) for authentication to
the server. In this context, the “user” on the X.509 End User Request Form (EURF) is
the server administrator or other individual designated to be responsible for the
FORTEZZA® cards the server uses.
“Classic” DMS users (e.g., users using a DMS Outlook client and DMS Exchange server)
will still require an X.509 certificate and FORTEZZA® card.
Note: These instructions apply only to X.509 certificate and FORTEZZA requests for
GENSER DMS.
The X.509 Certificate Request Form is the vehicle by which an organizational end user
initiates an action for a V3 X.509 certificate and/or a FORTEZZA® card. It documents
the user, certificate, and signature information for the end user and is used to record the
appropriate administrative data. The following steps outline the recommended process to
complete the form:
1. The end user obtains the X.509 Certificate Request Form and determines the name
and location of the Registration Authority (RA) or Certification Authority (CA).
2. The end user (in conjunction with an RA or Sub-Registration Authority (SRA), as
designated by local procedures) fills in the appropriate User Information (Blocks 1-5),
Supporting Information (Blocks 6-8, 10-11), and Certificate Information sections
(Blocks 19-36) of the X.509 Certificate Request Form. Based upon the certificate(s)
being requested, the end user includes the appropriate pages of the form. The end
user numbers each page included and puts the total number of pages included on each
page in the top left of the form. The end user signs block 13 and each page of the
request form.
3. The end user’s supervisor signs Block 14 of the X.509 Certificate Request Form. The
Supervisor should verify the identity of the user by the confirmation of an authorized
government Identification card.
4. The Security Officer signs Block 15 of the X.509 Certificate Request Form and each
page of the request form. This signature provides verification that the requestor (the
organization, device, or end user the certificate is for) already is authorized to use the
requested clearances, privileges, and security categories. The Security Officer is also
responsible for ensuring that the classifications and categories requested are
consistent with the Security Policy Information File (SPIF) (e.g., do not request
SPECAT or NOFORN if the only classification selected is UNCLASSIFIED).
ii
FOR OFFICIAL USE ONLY
IP 33-V02 October 17, 2005
X.509 End User Certificate Request Forms Package
5. The end user sends the X.509 Certificate Request Form to the designated organization
RA.
6. The RA confirms the “face to face” identity of the end user and completes Block 12.
7. The RA coordinates with the SRA for a Distinguish Name (DN) and completes Block
9.
8. The RA signs Block 16, enters the number of approved pages in Block 18, and sends
the X.509 Certificate Request Form to the CA.
9. The CA confirms the completeness of the form including the user identity
verification, corrects DN listing and security officer verification of the organization
user clearance and access privileges, and ensures the required mandatory and optional
security classifications and categories are selected. The CA creates the end user
certificate at the Certification Authority Workstation (CAW) using the information
provided on the X.509 Certificate Request Form. If the end user has requested
multiple certificates, each certificate is created separately.
10. After creating the X.509 certificate, the CA enters the FORTEZZA® Card Serial
Number in Block 7.
11. The CA signs the X.509 Certificate Request Form in Block 17, and enters the number
of approved pages in Block 18 (if the RA has not already filled out this field).
12. If the end user has requested multiple certificates, each certificate is requested
separately (except that a Digital Signature Standard/Key Exchange Algorithm
(DSS/KEA) pair of certificates is requested on a single X.509 form. Also, multiple
certificate (mc) users request both the Secret and Unclassified certificates on a single
form that is sent to the Secret CA). The RA forwards the certificate request to the CA
for each certificate requested. The RA signs the X.509 Certificate Request Form in
Block 16 and enters the number of approved pages in Block 18.
13. The CA/RA distributes the FORTEZZA® card and Personal Identification Number
(PIN) letter in accordance with policy.
14. Upon receipt of the FORTEZZA® card and PIN, the user must sign and return the
User Advisory Statement and Receipt (UAS&R). If the user does not return the
UAS&R to the issuing CA within the appropriate interval set by the CA, the CA will
revoke all the user certificates on the FORTEZZA card. Sixty days is the maximum
time set by policy. Service or Local policy can set this limit to a shorter time (e.g., 30
days).
The End User Request Forms (EURF) Package is a Microsoft Word template. All form
information is locked, meaning that you cannot edit any of the contents, with the
exception of the X.509 Certificate Request Form (CRF). This form can be completed
electronically from within this package, or from the Microsoft Word template CRF,
which contains only the form itself.
To complete the End User X.509 Certificate Request Form electronically, follow these
steps:
iii
FOR OFFICIAL USE ONLY
IP 33-V02 October 17, 2005
X.509 End User Certificate Request Forms Package
2. Press the [TAB] to the first field of the form, and type in the required data. Press
the [TAB] key again to move from field to field within the form.
3. When you have completed the form, follow the local procedures to process it.
Select the type of request being made. Some requests require a justification in Block 11
by the end user or CA. Following each request description below is a list of X.509
Certificate Request Form block numbers. The corresponding blocks should be completed
if that request type is selected. Refer to the instructions relative to each block to
determine what information must be provided for the specific request being made. Types
of valid requests include the following:
• Change PIN. This allows the CA to change the user or System (Site) Security
Officer (SSO) PIN on a FORTEZZA® card that it originally issued. Complete the
following blocks: 1-2, 3-4 (if changed), 7, 11 (SSO or User), and 13-14. Submit
only pages 1 and 2 of the form.
• Copy Certificate. This allows the user to have the same certificate on two
separate FORTEZZA® cards. Complete the following blocks: 1-2, 7 (serial number
of source card), 8, 11 (serial number of destination card), and 13-14. Submit only
pages 1 and 2 of the form.
• New Certificate. Requests a new X.509 certificate for the individual with
organizational role, device, or organization. This includes a request to change the
Distinguished Name (DN) on an existing certificate.
iv
FOR OFFICIAL USE ONLY
IP 33-V02 October 17, 2005
X.509 End User Certificate Request Forms Package
• Rekey. This action replaces a signature and/or an encryption key with a new key.
The attributes for the new certificate are identical to those of the original X.509
certificate that is being rekeyed. Specify if the signature, encryption, or both
signature and encryption keys are to be rekeyed. For rekey of a version 3 certificate,
complete the following blocks: 1-2, 6, 7, 8, 13-14, 22 (if desired) and 24 (if desired).
Submit all necessary pages of the form.
• Report Compromise. When a card contains keys that have been compromised,
complete as much information in the following blocks as is known: 1-7, 8, 9, 11, and
13-14. Attach a detailed report. Block 13 is required for signature of the individual
submitting the request (the requester can be the CA). Submit only pages 1 and 2 of
the form.
• Change POC (Change Card Point of Contact). This allows the point of contact
for a device card or an organizational role card to be changed. Complete the
following blocks: 1, 2-5 (with new point of contact information), 6-7, 11 (with
original point of contact information), and 13-14. Submit only pages 1 and 2 of the
form.
• Reprint PIN. This allows the user PIN letter for a card to be reprinted.
Complete the following blocks: 1-2, 4 (if changed), 7, and 13-14. Submit only pages
1 and 2 of the form.
• Revoke Certificate. This action will result in revocation of a certificate in the
CA’s database, and placement on a Certificate Revocation List (CRL). Complete as
much information in the following blocks as is known: 1-2, 6, 7, 8, 11, and 13-14.
Submit only pages 1 and 2 of the form.
• Delete Certificate. This allows the CA to delete a certificate that the CA loaded
on the FORTEZZA® card. Complete the following blocks: 1-2, 7, 8, 13, and 14.
Submit only pages 1 and 2 of the form.
• Change User Info (Change User Information). This results in modifications to
the CA’s user registration database (e.g., name and addresses). These changes do
not affect the certificate. Complete the following blocks: Enter the updated user
name and/or addresses in blocks 1 though 5 (only fill in the blocks that have
changed). Enter the original certificate usage type in block 6 and the original name
and addresses in block 11. If the directory for one of the user's DNs has changed,
enter the DN in block 9 and the new directory in block 10. User and supervisor must
fill out and sign blocks 13-14. Submit only pages 1 and 2 of the form.
v
FOR OFFICIAL USE ONLY
IP 33-V02 October 17, 2005
X.509 End User Certificate Request Forms Package
vi
FOR OFFICIAL USE ONLY
IP 33-V02 October 17, 2005
X.509 End User Certificate Request Forms Package
vii
FOR OFFICIAL USE ONLY
IP 33-V02 October 17, 2005
X.509 End User Certificate Request Forms Package
This is the internal chip serial number for the FORTEZZA® card, which uniquely
identifies the card. The card chip serial number is found on the label. Enter the card chip
serial number of the card on which the action is to be taken. When issuing a new card to
a user, the CA should enter the card chip serial number or attach a label. If multiple cards
are affected by the action all card chip serial numbers should be included.
For an action on an existing certificate(s), the user should enter the DN.
If request type is “Register User” and multiple DNs are required for this user, use block
11 to enter additional DNs and their associated Directory names.
viii
FOR OFFICIAL USE ONLY
IP 33-V02 October 17, 2005
X.509 End User Certificate Request Forms Package
field is filled out only to document the organization, organizational role, or device’s
X.400 O/R address.
If request type is “Register User” and multiple DNs are required for this user, use block
11 to enter the directory name for each of the additional DNs entered in block 11.
• Change Card Point of Contact. Enter the original device or organizational card
user’s name, phone number(s), address, and e-mail address.
• Change PIN. Enter which PIN is to change: SSO or User.
• Change User Information. Enter the original user information.
• Copy Card to Card. Indicate the reason for the copy card request (e.g., traveling
user, card to be used outside of a classified enclave, or device requires multiple
cards). If the same PIN or Ks (i.e., storage key) is required, state so here. If
destination card is an existing card, enter the destination card serial number. If the
destination card is a new card, enter the card clearance and card type.
• Copy Certificate. Indicate the reason for the copy certificate request (i.e., certificate
to be used outside of a classified enclave), and the card chip serial number of the card
that the certificate is to be put on.
• FORTEZZA/X.509 Certificate Locality. Indicate if the organization certificate is
going to be maintained at a DMS Area Control Center/Local Control Center
(ACC/LCC) in accordance with Domain FORTEZZA policy or proxy solution, vice
delivered to the designated organization user.
• New certificate.
a. If multiple cards are needed containing the requested certificate indicate the
quantity of cards and the reason (e.g., traveling user, card to be used outside of a
classified enclave, or device requires multiple cards).
b. For Sibling organizational certificate requests, enter the user name (last name,
first name) of the owner of the organizational firstborn certificate and the
personality name of the firstborn certificate.
c. If the certificate or certification path is needed on floppy disk, state which and
enter the desired filename.
d. If the user needs a certificate from a different CA loaded on an existing card,
indicate the justification for placing the certificate on this card (e.g. temporary
assignment in region different from normal CA).
• Register User. If registering a new user with multiple Distinguished Names (DNs),
enter the additional DNs and their associated directory names.
ix
FOR OFFICIAL USE ONLY
IP 33-V02 October 17, 2005
X.509 End User Certificate Request Forms Package
x
FOR OFFICIAL USE ONLY
IP 33-V02 October 17, 2005
X.509 End User Certificate Request Forms Package
In addition to filling out block 15, the security officer must also sign the bottom of each
page after verifying the selections chosen on that page of the form.
If you check both boxes some information must be the same for both the signature and
encryption certificates. These items are “Subject Alternate Names” (block 20),
“Certificate Policy” (block 21), “Certificate Validity Period” (block 22),
“Communication Privileges” (block 23), and “Issuer Alternate Names” (block 25). If you
xi
FOR OFFICIAL USE ONLY
IP 33-V02 October 17, 2005
X.509 End User Certificate Request Forms Package
want any of these fields to be different between the v3 signature and v3 encryption
certificates, you should fill out a separate sheet for each certificate request.
Note: If both Signature and Encryption certificate types are selected in block 19, both
certificates will contain this same value for subject alternate names. If you want this field
to be different between the v3 signature and v3 encryption certificates, you should fill out
a separate sheet for each requested certificate.
• a start date and time only that uses the normal period to determine the end date and
time
• an end date and time only with the time of certificate creation assumed as the start
date and time
• a start and end date and time
• a start date and time and the period after that date
• a period only with the time of certificate creation assumed as the start date and time.
Enter dates in the following format: MM/DD/YYYY HH:MM. Specify days, weeks,
months, or years when entering a period. The validity period can be no greater than 3
years for end users, organizations, devices, and RAs.
Note: If both Signature and Encryption certificate types are selected in block 19, both
certificates will contain this same value for certificate validity period. If you want this
field to be different between the v3 signature and v3 encryption certificates, you should
fill out a separate sheet for each certificate request.
xii
FOR OFFICIAL USE ONLY
IP 33-V02 October 17, 2005
X.509 End User Certificate Request Forms Package
Note: If both Signature and Encryption certificate types are selected in block 19, both
certificates will contain this same value for communication privileges. If you want this
field to be different between the v3 signature and v3 encryption certificates, you should
fill out a separate sheet for each certificate request.
Note: If both Signature (DSS) and Encryption (KEA) certificate types are selected in
block 19, enter both a DSS and a KEA personality.
The CA uses the KEA Key PQG Source field at the CAW to enter this data.
xiii
FOR OFFICIAL USE ONLY
IP 33-V02 October 17, 2005
X.509 End User Certificate Request Forms Package
The X.509 Certificate Request Form is not a process to request clearances or access.
You must already have the proper clearance and have been granted access to the
categories before you request a certificate reflecting your authorizations. If you
don’t recognize the categories on this form, you most likely have not been granted access
to that type of information.
The supervisor of the organizational role user requesting the certificate decides what
information the individual will need access to on behalf of the organization. The unit
security officer confirms whether the individual has the security clearances required to
have access to the information. For requests for an organization or device, the SSO
determines what classifications and categories the organization or device is required to
support (and that for each requested category at least one member of the organization has
the required clearance and access). The superior organization in the chain of command
verifies that the requested classifications and categories are required by the organization.
After verifying the signature of both these individuals is present on the form, the CA can
process the request.
6.7.1. Classifications (Block 29 on the X.509 Certificate Request Form) (Block 29)
If you are requesting a new version 3 encryption KEA certificate, this block must be
filled in. Select all classification levels to be supported by the requested X.509
certificate. Note that, unlike Automated Digital Network (AUTODIN) where Secret
meant Secret and below, each classification must be checked if the user desires access to
that level of information. For example, a Secret user would normally check the Secret,
Confidential, and Unclassified blocks. If the user also has access to North Atlantic
Treaty Organization (NATO) information, then the user would also check the NATO
Unclassified, NATO Restricted, NATO Confidential, and NATO Secret blocks, likewise
for Foreign Government classifications. Mandatory and optional classification levels
applicable to each network are provided in Table 6-1, below.
xiv
FOR OFFICIAL USE ONLY
IP 33-V02 October 17, 2005
X.509 End User Certificate Request Forms Package
Strike through the names of the classifications not supported by this certificate (this
guarantees that additional boxes cannot be checked after the security officer has signed
for the selected classifications). The requested classifications cannot exceed the
clearance level of the user role or organization, device or network. The level requested
depends on the classification of the networks this end user communicates with
electronically. If the user needs to communicate between different classified levels (e.g.
SIPRNET and NIPRNET), separate certificates will have to be ordered for each security
domain. Each certificate must be requested on a separate X.509 Certificate Request
Form. For the special case of (mc) users, both the Secret and Unclassified certificate
must be on the same X.509 request form and sent to the Secret CA. The additional KEA
for (mc) users requires a second page of blocks 19 – 31.
If your organization is listed in Allied Communications Publication (ACP) 117, then you
must also select the appropriate NATO classifications so that messages from the allies do
not cause a non delivery notice (NDN).
For CAs and RAs: If the user requests Foreign Government (FG) classifications, the
certificate must also contain the equivalent FG classification and BORDERDEVICE
categories since these are required by the SPIF (e.g., if the user requests Foreign
Government Secret, then you should enable the SECRET and BORDERDEVICE
categories from the GENSER Non-US Classification tag set in the user’s certificate as
well).
Important:
• If the end user is a US citizen (block 31) with only “unclassified” classifications
selected (block 29), DO NOT select the “NOFORN”, “Release to None”, “DOD
Eyes Only”, or “REL TO” categories.
• If the end user is a US citizen and the certificate has a classification (block 29) higher
than Unclassified, always select the “NOFORN”, “Release to None”, “DOD Eyes
Only”, and “REL TO” categories.
xv
FOR OFFICIAL USE ONLY
IP 33-V02 October 17, 2005
X.509 End User Certificate Request Forms Package
• If the end user is NOT a US citizen, do not select “NOFORN” or “Release to None”
and do not use country code USA for “DOD Eyes Only” and “REL TO” categories, if
selected.
Table 6-2 shows which classification must be selected for each category requested, based
on the GENSER v2.4 SPIF.
xvi
FOR OFFICIAL USE ONLY
IP 33-V02 October 17, 2005
X.509 End User Certificate Request Forms Package
For CAs and RAs: The Citizenship field is used to determine the country code category
to use when the user’s X.509 Certificate Request Form includes enumerated categories
SOSUS Eyes Only, DOD Eyes Only, IC Eyes Only, or REL TO. Only the category for
the country of citizenship should be selected for these categories ( e.g., if Rel To is
selected and Citizenship = USA, then select only category USA (LACV=840) in the Rel
To tag set).
xvii
FOR OFFICIAL USE ONLY
IP 33-V02 October 17, 2005
X.509 End User Certificate Request Forms Package
Appendix A
X.509 End User Request Forms Package
1
FOR OFFICIAL USE ONLY
IP 33-V02 (Appendix A) October 17, 2005
X.509 End User Certificate Request Forms Package
X.509 Certificate Request Form
Page _____ of _____
User Information
1. Request Type (Select only one)
Change PIN Report Compromise Delete Certificate Send Certificate
Copy Certificate Change POC Change User Info Copy Card to Card
New Certificate Reprint PIN Restore Certificate Register User
Rekey Certificate Revoke Certificate Renew Certificate Update Certificate
3. Card Address (See instructions if card is to be mailed) 4. PIN Address (See instructions if card is to be mailed)
Org. Org.
Street Street
City City
State/AA, AE, AP Postal Code State/AA, AE, AP Postal Code
Country Country
Remarks: Remarks:
5. E-mail Address(es) (Use SMTP and or X.400 for contact information)
A-2
FOR OFFICIAL USE ONLY
IP 33-V02 (Appendix A) October 17, 2005
X.509 End User Certificate Request Forms Package
Page ____ of ____
Supporting Information
6. Certificate Usage (See instructions for additional 7a. Card Serial Number
information required) (Select only one)
Individual Registration Authority
7b. Card Clearance (Select highest level on card)
Organizational: Firstborn Sibling
Top Secret Secret Confidential Unclassified
Org Name
7c. Card Type
Device: Type
8. Certificate Identifier (For existing certificate only, enter certificate serial number or see instructions)
9a. Distinguished Name (See instructions for inclusion of blank spaces)
9b. X.400 O/R Address
10. Directory Name (to which certificate is to be posted)
11. Explanatory Information (See instructions; continue on separate sheet if necessary)
Administrative/Signature Block
12. Type of Identification (e.g. drivers license, military ID, government ID, passport.)
DSN
15. Security Officer Name (Print) Phone Signature (see instructions) Date
Comm.
DSN
16. Registration Authority Name Phone
(Print) Comm. Signature Date
DSN
17. Certification Authority Name Phone
(Print) Comm. Signature Date
DSN
A-3
FOR OFFICIAL USE ONLY
IP 33-V02 (Appendix A) October 17, 2005
X.509 End User Certificate Request Forms Package
18. Number of pages approved (CA or RA use only)
Each signer of this form certifies that the statements or signatures made on this form are true, complete, and correct to the best of my knowledge. I understand
that false statements are subject to civil and criminal penalties, including but not limited to penalties under 18 U.S.C. Section 1001.
A-4
FOR OFFICIAL USE ONLY
Page ____ of ____
Version 3 Certificate General Information
19. Certificate 20. Subject Alternate Names (Optional)
Type (check all Directory Name
that apply) DNS Name
Signature (DSS) Uniform Resource Name.
Encryption (KEA)
E-mail Address
21 Certificate 22. Certificate Validity Period 23. Communication Privileges (Select
Policy Use default period Routine through the highest level
Specify period authorized)
US DoD Class 4 Start Routine Override (not used)
End Priority ECP
or Period Immediate Critic
Flash Deferred (not used)
24. Personality (maximum length of 16 characters for OrgName 25. KEA Universals (aka p,q,g’s) (Optional)
without suffix) KEA-U (NIPRNet)
DSS e.g., OrgName(sc) KEA-S (SIPRNet)
KEA e.g., OrgName(sc)-S KEA-T (TS Collateral)
KEA-Y (JWICS)
Version 3 Signature Certificate Information
26. Signature Privileges (Select all that apply)
Roles: Devices:
Organizational Releaser (Org Release) Network Guard (Guard)
(for users who can send organizational messages) Multifunction Interpreter (MFI)
Domain Manager Mail List Agent (MLA)
Security Officer
Sub-Registration Authority (SRA)
Organizational Registration Authority (ORA)
Version 3 Encryption Certificate Information
27. Encryption Privileges (Select all that apply) 28. Security Policy
Network Guard (Guard) GENSER
Read Only (for users who can read messages but cannot send messages) Other
Mail List Agent (MLA)
Multifunction Interpreter [(MFI) for MFI device only]
Facility Remote Access Server
Version 3 GENSER Security Policy Information
29. Classifications 30. Security Policy Categories for GENSER (Select all authorizations to
(Select all clearances to be supported. Strike through categories not supported. Bolded selections 31.
be supported. Strike are required for classified US citizens. All classifications, except asterisked Citizenship
through clearances not ones, are restricted to classified networks.)
supported. All GENSER Categories
classifications except Citizenship:
asterisked ones are
* DOD CNI Restricted Data - RD
restricted to classified * DOE CNI SIOP-ESI
networks ) Exclusive Distribution-EXDIS SOSUS USA/GBR Eyes Only
Formerly Restricted Data-FRD SPECAT
* Unclassified No Distribution-NODIS USA/GBR Eyes Only Enter the user’s
Confidential & Secret NOFORN (US citizens only, not valid on NIPRNet) country of
Top Secret Release to None (US citizens only, not valid on NIPRNet) citizenship. For
* NATO Unclassified devices, enter
NATO Restricted GENSER NATO Categories GENSER Non-US Classification the country(s)
NATO Confidential ATOMAL * Unclassified - FU this device
NATO Secret Cryptosecurity Restricted - FR sends on behalf
COSMIC Top Secret EXCLUSIVE Confidential - FC of.
* Foreign Unclassified Secret - FS
Foreign Restricted (Enumerated) Top Secret - FT
Foreign Confidential GENSER SOSUS Eyes Only * Border Device
Foreign Secret GENSER DOD Eyes Only
Foreign Top Secret GENSER Intelligence Community Eyes Only
GENSER REL TO Categories