IMPLEMENTATION OF DIGITAL SIGNATURE SIGNING FOR MICROSOFT VISUAL BASIC FOR APPLICATIONS (VBA) MACROS REQUIREMENT
Date Signed: 5/29/2024 | MARADMINS Number: 250/24

R 291756Z MAY 24
MARADMIN 250/24
MSGID/GENADMIN/CMC DCI WASHINGTON DC//
SUBJ/SUBJECT// IMPLEMENTATION OF DIGITAL SIGNATURE SIGNING FOR MICROSOFT VISUAL BASIC FOR APPLICATIONS (VBA) MACROS REQUIREMENT//
REF A/ STIG O365 - STIG RULE V-223311//
REF B/ECSM 013 PUBLIC KEY INFRASTRUCTURE (PKI)//
NARR/REF A IS NIST RULE ON VBA SIGNING REQUIREMENT. REF B IS PUBLIC KEY INFRASTRUCTURE (PKI) POLICY INCLUDING THE NOMINATION AND USE OF MOBILE CODE SIGNING CERTIFICATES IN THE MARINE CORPS.//
POC-DC I IC4/WILLIAM BUSH/AODR, DC I IC4/703-693-3490/[email protected]//
POC-DC I IC4/DANIEL NORTON/ANALYST, DC I IC4/703-693-3490/[email protected]//
POC-DC I IC4/CHRISTINE HESEMANN/ANALYST, DC I IC4/703-693-3490/[email protected]//
GENTEXT/REMARKS/1. (U) Purpose.  The purpose of this message is to enforce digital signature signing for Microsoft Office Macros.
2. (U) Background. This message implements the STIG rules for digitally signing Microsoft Office Macros on both NIPR and SIPR networks using currently established Department of Defense (DoD) and National Security System code signing policies and is applicable to the Marine Corps Total Force.
2.A. (U) Macros not digitally signed using DoD approved PKI certificates (DoDI 8520.02) must be blocked in Microsoft Office applications per the following phased enforcement approach in compliance with STIG rules.
2.A.1. (U) Phase One Microsoft Publisher 1 July 2024
2.A.2. (U) Phase Two Microsoft PowerPoint 1 August 2024
2.A.3. (U) Phase Three Microsoft Visio 1 September 2024
2.A.4. (U) Phase Four Microsoft Project 1 October 2024
2.A.5. (U) Phase Five Microsoft Word 1 November 2024
2.A.6. (U) Phase Six Microsoft Access 1 December 2024
2.A.7. (U) Phase Seven Microsoft Excel 1 January 2025
3. (U) Execution.
3.A. (U) The Macro Code creator/owner is responsible for ensuring the macro is reviewed and validated and will coordinate with the Command, Unit, or Program's approved Mobile Code signer to have the code signed prior to the deadline.
3.A.1. (U) The Mobile Code signer will support the Command, Unit, or Program by validated macros being used in Microsoft Office applications when presented.  The Mobile Code signer will not exceed written authorities by signing code outside the Command, Unit, or Programs nor unvalidated macros.
3.A.2. (U) Command nominator will be an Officer in Charge (OIC), Program Manager or Resource Sponsor for the Command, Unit or Programs and will ensure nominees comply with the requirements of ECSM 013.
3.A.3. (U) Group Policy Object (GPO) implementation and management will be under the operational control of the Marine Corps Cyberspace Operations Group (MCCOG).
3.A.4. (U) DC I IC4 ICC CY shall process all nominations and maintain the approval documentation.
3.A.5. (U) USMC PKI team shall issue Mobile Code certificates to the approved nominee.
3.B. (U) Supporting Information.
3.B.1. (U) Mobile Code is software programs or parts of programs obtained from remote information systems, transmitted across a network, and executed on a local information system without explicit installation or execution by the recipient. Mobile Code technologies are software technologies that provide the mechanisms for the production and use of Mobile Code such as Java, JavaScript, ActiveX, and VBScript.
3.B.2. (U) Commands, Division, and Activities shall identify VBA macros used within operations and identify the VBA code owner.  
3.B.3. (U) All VBA macros shall be reviewed and validated for security compliance and submitted to the Command, Division, Activity VBA Macro Mobile Code signer for action.
3.B.4. (U) Commands, Division, and Activities shall identify up to two (2) persons to be nominated as VBA Macro Mobile Code signer. Commands are responsible for ensuring that VBA code creators and code signers are appropriately trained and follow all applicable policy and operational directives for Mobile Code in general and VBA macros specifically.
3.B.5. (U) Nominations shall be made on Command Letter Head, digitally signed by the Command nominator, and follow the Mobile Code signer eligibility and nomination process outlined in ECSM 013.  Nominations must specify requirement for VBA macros in Microsoft Applications, Major Command, Command, Division/Office being supported.  Nomination template may be found on https:(slash)(slash)usmc.sharepoint-mil.us/sites/mcen_usmc_pki/codesign/forms/allitems.aspx.
3.B.6. (U) Commands are responsible for logging all VBA macros signed, including by whom and when they were signed, for management and audit by the Command Information System Security Manager (ISSM).  Audit logs will be reported to the code signing attribute authority on a quarterly basis through the Cyber Scorecard reporting chain.
3.B.7. (U) MCEN users are not authorized to use the Microsoft self-signing certificate capability or any other signing capability outside approved DoD PKI certificates.
3.B.8. (U) Code owned by other Commands is the responsibility of the code owner.  Commands, Units, and Programs using VBA macros owned and maintained by Non-Marine Corps organizations will need to coordinate with the code owner prior to the deadline to continue use on the MCEN.
3.B.9. (U) MCEN users are not authorized to copy and paste VBA code without review and validation prior to signing and use.
4. (U) Direct all questions to message POCs.
5. (U) Release authorized by LtGen M. G. Glavy, Headquarters Marine Corps, Deputy Commandant For Information.//