DOD INSTRUCTION 8520.03
I
DENTITY AUTHENTICATION FOR INFORMATION SYSTEMS
Originating Component: Office of the DoD Chief Information Officer
Effective: May 19, 2023
Releasability: Cleared for public release. Available on the Directives Division Website
at https://www.esd.whs.mil/DD/.
Reissues and Cancels: DoD Instruction 8520.03, “Identity Authentication for Information
Systems,” May 13, 2011, as amended
Incorporates and Cancels: See Paragraph 1.3.
Approved by: John B. Sherman, DoD Chief Information Officer
Purpose: In accordance with the authority in DoD Directive 5144.02, this issuance:
• Establishes policy, assigns responsibilities, and provides procedures for authenticating person and
non-person entities (NPEs) to DoD information systems, including credential management.
• Establishes policy and prescribes procedures for establishing credentials and performing identity
authentication of all entities accessing DoD information systems that authenticate themselves to DoD or
external entities in accordance with DoD Instruction (DoDI) 8500.01.
• Establishes sensitivity levels to align with risk management requirements as specified in
DoDI 8510.01, and establishes credential strengths to better align with identity proofing, credential
management, and authentication requirements as specified in the National Institute of Standards and
Technology (NIST) Special Publication (SP) 800-63-3.
• Implements use of hardware public key infrastructure (PKI) certificates such as the personal identity
verification (PIV) authentication public key certificate, as defined in the NIST Federal Information
Processing Standard (FIPS) 201-2, on the DoD common access card (CAC), as the preferred
authenticator for person entities to use when accessing DoD information systems on unclassified
networks.
• Provides guidance on using authenticators including hardware and software PKI based, username
and password, multi-factor authentication (MFA), and assertions.
