COMMON ACCESS CARD/SMART CARD PROGRAM

12/11/03

C1. CHAPTER 1

C1.1. PURPOSE. This Regulation establishes policies, responsibilities, and procedures for preparing, issuing, reissuing, surrendering, retrieval, and disposition of the Common Access Card (CAC) for civilian employees, contractors, and military personnel.

C1.2. OBJECTIVES. To provide a uniform approach for the issuance of the CAC/Smart Card and the guidelines for all DFAS employees.

C1.3. CANCELLATION. This Regulation cancels all locally developed procedures on issuance of the CAC, building passes or other ID’s for civilian, contractor and military employees.

C1.4. APPLICABILITY. This Regulation applies to all DFAS civilian employees, DFAS contractors, active duty military, or selected Reserve/National Guard members or personnel.

C1.5. RESPONSIBILITIES. The Director for Administrative Services is responsible for ensuring all DFAS locations have general knowledge in obtaining the CAC.

C1.5.1. The Administrative Services Manager and/or Field Operations Manager is responsible for:

C1.5.1.1. Ensuring the transportation needs of the employees are arranged.

C1.5.1.2. Coordinating times and schedules with the nearest RAPIDS location.

C1.5.1.3. Handling complaints or issues and directing any unresolved problems to the CAC Program Manager for Implementation and notifying the Local Union President (or designee) when bargaining unit employees are involved.

C1.5.2. CAC Program Manager for Implementation is responsible for:

C1.5.2.1. Providing general direction to Administrative Services Managers and/or Field Operations Managers on possible transportation arrangements and coordination with DEERS locations.

C1.5.2.2. Promptly handling all complaints or issues and working with the DoD DEERS/RAPIDS Program Management Office to get these problems resolved.

C1.5.3. The Employee is responsible for:

C1.5.3.1. Following the direction given by the Administrative Services Manager and/or Field Operations Manager.

C1.5.3.2. Promptly bringing any issues or concerns to the Administrative Services Managers and/or Field Operations Managers.

C1.6. POLICY. This Regulation establishes a Common Access Card Program in accordance with the DoD CAC policy.

1-2

C2. CHAPTER 2

C2.1. Common Access Card (CAC). The CAC will be issued at Real-time Automated Personnel Identification System (RAPIDS) sites installed with CAC hardware and software. The CAC is only available as generated by the RAPIDS workstations. The CAC replaces the eligible recipient’s current identification (ID) card whenever that card expires, is lost or stolen, or upon direction of the Site Director. The CAC replaces ID cards and designated access passes. The initial version of the CAC does not accommodate all of the requirements within the Agency. For example, support for classified requirements must be accommodated through other means.

C2.1.1. Cross Servicing. DFAS locations with a RAPIDS location must service not only DFAS employees but also all eligible active duty, selected reserve personnel, DoD civilian employees and DoD contractors.

C2.1.2. Expiration Dates. Cards will be issued for a period of three years, or the individual’s term of service, employment, or association with the DoD, whichever is sooner.

C2.1.3. Reissuance. A CAC will be replaced when lost or stolen, when printed information requires changing, or when any of the media (to include printed data, magnetic stripe, either of the bar codes, or the chip) become illegible or inoperable. Once an employee is entered into DEERS, he/she can obtain a new badge at any RAPIDS location worldwide with appropriate identification.

C2.1.4. Lost/Misplaced Cards. Report the missing card to your supervisor, security advisor, or the nearest DEERS/RAPIDS issuance site as soon as possible. The card is then "cancelled," all private keys, certificates, benefits, and privileges will be revoked, and a new CAC issued at the local DEERS/RAPIDS station. If an employee is traveling, their local DEERS/RAPIDS station refers them to the nearest issuance site. Administrative Services ensures that a method is in place to permit building access to DFAS active duty and civilian personnel until a lost/misplaced card is replaced. In these instances a temporary badge requiring supervisor sign-in and escort is then provided to minimize mission impact.

C2.1.5. Locked Cards. When a CAC becomes locked due to three consecutive incorrect PIN entries, employees must return to the nearest RAPIDS location to have their cards unlocked.

C2.1.6. Multiple Cards. Initially, individuals shall be issued a separate CAC or ID card in each category for which they qualify. Each CAC will have a Public Key Infrastructure (PKI) identity certificate. In instances where an individual has been issued more than one CAC, e.g., a Reservist who is also a DoD contractor employee, only the CAC that most accurately depicts the capacity in which the individual will operate with respect to the facility, will be activated for access to that facility.

C2.1.7. Retrieval and Destruction of the CAC. Invalid, inaccurate, inoperative, or expired CACs are returned to a RAPIDS location for disposition. Once retrieved, these CACs are either be in a totally locked state, or the private key must be erased.

C2.1.8. Restrictions. The CAC shall not be amended, modified, or overprinted by any means. No stickers or other adhesive materials are to be placed on either side of the CAC. The CAC must remain in tact with no holes punched in the card.

C2.1.9. Termination of employment. The CAC will be surrendered immediately to the local DFAS Security Officer upon termination of employment with DFAS. Whether termination is due to retirement, transferring to another DoD Agency or Non DoD Agency, the CAC will be immediately surrendered. Military personnel surrender the CAC to the appropriate military personnel. If DFAS employees transfer to a different location but remain a DFAS employee, they retain the CAC.

C2.2. Access. The CAC is used to control access to DFAS facilities and controlled spaces. This does not require DFAS components to immediately dismantle current access systems. Moreover, this policy does not preclude the continued use of supplemental badging systems that are considered necessary to provide an additional level of security not presently afforded by the CAC. However, DFAS activities are to plan for migration to the CAC for general access control using any of the CACs present or future access control capabilities.

C2.3. Security Concept of Operations. RAPIDS operators are not required to hold a security clearance, but must have a need-to-know for operational data handled by the RAPIDS. RAPIDS is not required to institute controls to partition operational data according to need-to-know, since access to RAPIDS operational data is controlled by the identification and authentication mechanisms of the RAPIDS.

C2.3.1. Users and Administrators. There are numerous categories of RAPIDS users. From a security perspective, there are two major classes, users and administrators. Ordinary RAPIDS operators are assigned to the users’ group. The operators in this group are limited to running only the specialized applications developed for the RAPIDS and other non-administrative programs. Ordinary operators have no access to administrative programs, audit data, and critical system files. They are also prevented from administering operator accounts, taking ownership of files and other objects, accessing audit event records, and deleting or modifying any software files within the RAPIDS. Administrators have the capability to access all information on RAPIDS. The Director for Administrative Services determines who is classified as an administrator.

C2.5. System User Description and Clearance Levels. Only authorized users are granted access to RAPIDS. Each user should have an official need-to-know for all information to which they have access.

C3. CHAPTER 3

C3.1. DFAS Pacific Only. DFAS Pacific is the only DFAS site identified to issue the CAC. The local Administrative Services staff of this location issues guidance on when each employee should proceed to the ID area for CAC issuance. Since the time to issue a single card can take upwards of 15 minutes, employees will be scheduled depending on a time schedule.

C3.2. DFAS Non-RAPIDS Sites. DFAS sites without CAC issuance capability are to have a designated RAPIDS location close by. Every RAPIDS location has entered into an agreement to issue cards to eligible personnel within its servicing area. The local Administrative Services staff arranges and coordinates the CAC issuance with the nearest RAPIDS location because Non-DFAS sites may have different CAC issuance procedures.

C3.3. When should you obtain a CAC? RAPIDS locations are being deployed around the world incrementally. You must wait until your local Administrative Services staff has contacted you before you can obtain the CAC. The current DoD deadline for CAC issuance is the end of FY 2003. If a RAPIDS location is near your DFAS location, you must wait until directed by Administrative Services before proceeding to that location. Administrative Services has the lead in coordinating the schedule for DFAS personnel to be issued cards at these non-DFAS locations.

C3.4. Transportation. During the initial implementation phase, methods of transportation will be determined by Administrative Services. Depending on the location and feasibility, Administrative Services coordinates the transport of employees by use of government vehicles, rental vans, or other available means.

C3.5. General Requirements to obtain CAC. Requirements are outlined in Chapter 4, but for the first time issuance, you must also abide by the items outlined in Chapter 3.

C3.6. Surrender of your current badge. Upon receipt of the new CAC, an employee must immediately surrender his/her current DFAS badge to the local Administrative Services Security Manager or designee. If the current ID is used for other purposes, approval from the current Security Manager must be granted to keep this card. Military members will be required to surrender the current military identification card to the RAPIDS location when obtaining the new CAC.

C4. CHAPTER 4

C4.1. Current Employees. Current employees are loaded into the DEERS machine by way of payroll records. Current employees are defined as DoD civilians, Active Duty military and selected reserves who have been working for a minimum of 30 consecutive days. Current employees must have the below items to obtain the CAC.

C4.1.1. A Picture ID.

C4.1.2. Government e-mail address if using a government computer.

C4.1.2.1. If e-mail address is invalid and/or it is entered incorrectly, the employee will have to return at a later date to correct the mistake.

C4.1.2.2. Personal e-mail addresses (e.g., AOL accounts) ARE NOT accepted.

C4.1.3. A six to eight digit number to use as a Personal Identification Number (PIN). It should not be a number derived from something easily known, such as a portion of a Social Security Number (SSN), birthday or anniversary date, telephone number, address, etc.

C4.1.4. If an employee has any problems obtaining a CAC, the local Administrative Services representative should be contacted by the employee(s) with all the details of why the CAC could not be issued.

C4.2. New Employees/Contractors. New employees and contractors will be loaded into the DEERS machine upon completion of a DD Form 1172-2, Application for Department of Defense Common Access Card-DEERS Enrollment. DD Form 1172-2 can ONLY be approved by the Security Manager or designated official. The items below will be required to obtain a CAC.

C4.2.1. Two picture IDs.

C4.2.2. Government e-mail address.

C4.2.3. A six to eight digit number to use as PIN.

C4.2.4. Completed and signed DD 1172-2.

C4.3. Military Retirees. Military retirees are not entitled to a CAC, but personnel information is already loaded into DEERS because of the retired status. If the retiree is a new DFAS employee (less than 30 days) or contractor, he/she is required to complete DD Form 1172-2 to receive a CAC.

C4.4. RAPIDS Location. RAPIDS sites have been placed in general areas to accommodate all DoD employees. Depending on the location of the nearest RAPIDS workstation, (after the first issuance), employees need to either drive or walk to the nearest location. The local Administrative Services office provides guidance on obtaining a CAC and the nearest location.

C4.4.1. Walking Distance. If a DEERS/RAPIDS machine is located within walking distance, the employee should obtain a CAC/Smart Card during normal duty hours.

C4.4.2. Driving Distance. If a DEERS/RAPIDS machine is not available within walking distance, DFAS employees may drive to the nearest DEERS/RAPIDS machine after obtaining supervisor’s approval. Employees may request travel reimbursement by completing a SF 1164, Claim for Reimbursement for Expenditures on Official Business, and submitting it to their supervisor. Each organization is responsible for providing a fund cite on the SF 1164 for reimbursement.

C4.5. Disability Accommodations. If an employee is unable to easily get to the nearest RAPIDS location, the employee's supervisor should make alternate means of transportation available.

C4.6. Transportation. When an employee does not have transportation to reach the nearest RAPIDS location, the employee should notify his/her supervisor to verify if government owned or leased transportation is available.

C4.8. Local Rules. Each RAPIDS location services not only DFAS employees, but all eligible members. Therefore, each location will have rules to follow in obtaining a CAC. DFAS employees will follow the rules established by each agency or office when obtaining the CAC.

C4.9. Military Personnel. All military personnel will follow previous guidelines to obtain the CAC. The CAC is similar in nature to the previously issued military ID card.