Defense Finance and Accounting Service
COMMON ACCESS CARD/SMART CARD PROGRAM
On November 10, 1999, the Deputy Secretary of Defense directed implementation of the Common Access Card (CAC), requiring the use of Smart Card technology throughout the Department of Defense (DoD). CAC is the standard identification (ID) card for active duty and selected reserve military personnel, National Guard, and DoD federal civilian personnel. Additionally, certain designated contractor personnel may be issued a CAC.
This regulation prescribes policies and procedures governing the Defense Finance and Accounting Service (DFAS) CAC/Smart Card Program. It provides standard procedures each DFAS organization will follow.
The Director for Administrative Services is responsible for the program management and administration of the CAC/Smart Card Program. This regulation may not be supplemented, and any recommended changes must be forwarded through appropriate channels to the Director for Administrative Services.
Susan J. Grant
Director, Corporate Resources
TABLE OF CONTENTS
Foreword
Table of Contents
References
Definitions
Abbreviations and Acronyms
Chapter 1 - Introduction
C1.1. Purpose
C1.2. Objectives
C1.3. Cancellation
C1.4. Applicability
C1.5. Responsibilities
Chapter 2 - General Guidance
C2.1. Common Access Card (CAC)
C2.1.1. Cross Servicing
C2.1.2. Expiration Dates
C2.1.3. Reissuance
C2.1.4. Lost/Misplaced Cards
C2.1.5. Locked Cards
C2.1.6. Multiple Cards
C2.1.7. Retrieval and Destruction of the CAC
C2.1.8. Restrictions
C2.1.9. Termination of employment
C2.2. Access
C2.3. Security Concept of Operations
C2.3.1. Users and Administrators
C2.4. Classification and Sensitivity of Data
C2.5. System User Description and Clearance Levels
Chapter 3 - First Time or Initial Implementation of the CAC/Smart Card
C3.1. DFAS Pacific Only
C3.2. DFAS Non-RAPIDS Sites
C3.3. When you should obtain a CAC
C3.4. Transportation
C3.5. General Requirements to obtain CAC
C3.6. Surrender of your current badge
Chapter 4 - Obtaining CAC/Smart Card
C4.1. Current Employees
C4.2. New Employees/Contractors
C4.3. Military Retirees
C4.4. RAPIDS Location
C4.4.1. Walking Distance
C4.4.2. Driving Distance
C4.5. Disability Accommodations
C4.6. Transportation
C4.7. Supervisor Responsibility
C4.8. Local Rules
C4.9. Military Personnel
AP1. Sample DD 1172-2
AP2. Sample SF 1164
1 December 2000.
Common Access Card (CAC). A smart card containing an Integrated Circuit Chip (ICC), bar codes, and a magnetic stripe. The CAC incorporates Public Key Infrastructure (PKI) technology and serves as an ID card for all active duty, selected reserve, DoD civilian and eligible contractor personnel. The CAC is the standard DoD ID card, the principal card to be used to enable physical access to buildings and controlled spaces, and will be used to enable Information Technology (IT) systems and applications that access the Department's computer systems.
Defense Enrollment Eligibility Reporting System (DEERS). DEERS is an automated information system (AIS) designed to provide timely and accurate information on those eligible for DoD benefits and entitlements (such as medical and dental care, commissary and exchange privileges, etc.) and to detect and prevent fraud and abuse in the distribution of these benefits and entitlements. DEERS serves as the centralized personnel data repository of enrollment and eligibility verification data on members of the DoD components, members of the Uniformed Services, and other personnel as designated by the DoD, and their eligible family members.
Information Technology (IT). The hardware, firmware, and software used as part of the information system to perform DoD information functions. This definition includes computers, telecommunications, automated information systems, and automatic data processing equipment. IT includes any assembly of computer hardware, software, and/or firmware configured to collect, create, communicate, compute, disseminate, process, store, and/or control data or information.
Local Registry Authority (LRA). A specifically designated party responsible for verifying the identity of users (via birth certificates, driver's licenses, military ID card, etc.) and for ensuring that each user understands the liabilities and responsibilities associated with the possession of a private key (i.e., CAC) and agrees to abide by the established rules.
Need-to-know. A determination made by an authorized holder of classified information that a prospective recipient requires access to specific classified information in order to perform or assist in a lawful and authorized governmental function.
Public Key. The part of an asymmetric key pair that is revealed by the owner.
Public Key Infrastructure (PKI). PKI is a key and certificate management infrastructure designed to support confidentiality, integrity, availability, authentication, non-repudiation, and access control in computer networks. Using the RAPIDS platform, identity certificates will be issued on the CAC at the time of card issuance. E-mail signature and e-mail encryption certificates may be loaded onto the CAC either upon issuance or at some other time, if the individual does not have an e-mail account when the CAC is issued. Upon loss, destruction, or revocation of the CAC, the certificates thereon will be revoked and placed on the Certificate Revocation List (CRL).
Real-time Automated Personnel Identification System (RAPIDS). A network of microcomputers linking the Uniformed Services Personnel Offices to the DEERS database to provide on-line update of dependent information to the DEERS database.
ABBREVIATIONS AND ACRONYMS
CAC Common Access Card (Smart Card)
CPS Certification Practice Statement
CRL Certificate Revocation List
DEERS Defense Enrollment Eligibility Reporting System
DFAS Defense Finance and Accounting Service
DISA Defense Information Systems Agency
DoD Department of Defense
DSS Defense Security Service
E-mail Electronic Mail
FY Fiscal Year
ICC Integrated Circuit Chip
IT Information Technology
LRA Local Registration Authority
PIN Personal Identification Number
PKI Public Key Infrastructure
RA Registration Authority
RAPIDS Real-time Automated Personnel Identification System
SSN Social Security Number
VO Verification Official
C1. CHAPTER 1
C1.1. PURPOSE. This regulation establishes policies, responsibilities, and procedures for preparing, issuing, reissuing, surrendering, retrieval, and disposition of the Common Access Card for civilian employees, contractors, and military personnel.
C1.2. OBJECTIVES. To provide a uniform approach for the issuance of the Common Access Card (CAC)/Smart Card and the guidelines for all DFAS employees.
C1.3. CANCELLATION. This regulation cancels all locally developed procedures on issuance of the CAC, building passes or other IDs for civilian, contractor and military employees.
C1.4. APPLICABILITY. This regulation applies to all DFAS civilian employees, DFAS contractors, Active duty military, or selected Reserve/National Guard members or personnel.
C1.5. RESPONSIBILITIES. The Director for Administrative Services is responsible for ensuring all DFAS locations have general knowledge in obtaining the CAC.
C2. CHAPTER 2
C2.1. Common Access Card (CAC). The CAC will be issued at Real-time Automated Personnel Identification System (RAPIDS) sites installed with CAC hardware and software. The CAC is only available as generated by the RAPIDS workstations. The CAC will replace the eligible recipient's current identification (ID) card whenever that card expires, is lost or stolen, or upon direction of the Senior Site Representative. The CAC will replace ID cards and designated access passes. The initial version of the CAC will not accommodate all of the requirements within the department. For example, support for classified requirements must be accommodated through other means.
C2.1.1. Cross Servicing. DFAS locations with a RAPIDS location must service not only DFAS employees but also all eligible active duty, selected reserve personnel, DoD civilian employees and DoD contractors.
C2.1.2. Expiration Dates. Cards will be issued for a period of three years, or the individual's term of service, employment, or association with the DoD, whichever is sooner.
C2.1.3. Reissuance. A CAC will be replaced when lost or stolen, when printed information requires changing, or when any of the media (to include printed data, magnetic stripe, either of the bar codes, or the chip) become illegible or inoperable. Once an employee is entered into DEERS, he/she can obtain a new badge at any RAPIDS location worldwide with appropriate identification.
C2.1.4. Lost/Misplaced Cards. Report the missing card to your supervisor, security advisor, or the nearest DEERS/RAPIDS issuance site as soon as possible. Your card will be "cancelled," all private keys, certificates, benefits, and privileges will be revoked, and a new CAC will be issued to you at your local DEERS/RAPIDS station. If you are traveling, your local DEERS/RAPIDS station should be able to refer you to the nearest issuance site. Administrative Services will ensure a method is in place to permit building access to DFAS active duty and civilian personnel until a lost/misplaced card is replaced. In these instances, a temporary badge requiring supervisor sign-in and escort will be provided to minimize mission impact.
C2.1.5. Locked Cards. When a CAC becomes locked due to three consecutive incorrect PIN entries, employees must return to the nearest RAPIDS location to have their cards unlocked.
C2.1.6. Multiple Cards. Initially, individuals shall be issued a separate CAC or ID card in each category for which they qualify. Each CAC will have a Public Key Infrastructure (PKI) identity certificate. In instances where an individual has been issued more than one CAC, e.g., a Reservist who is also a DoD contractor employee, only the CAC that most accurately depicts the capacity in which the individual will operate with respect to the facility, will be activated for access to that facility.
C2.1.7. Retrieval and Destruction of the CAC. Invalid, inaccurate, inoperative, or expired CACs shall be returned to a RAPIDS location for disposition. Once retrieved, these CACs shall either be in a totally locked state, or the private key must be erased.
C2.1.8. Restrictions. The CAC shall not be amended, modified, or overprinted by any means. No stickers or other adhesive materials are to be placed on either side of the CAC. The CAC must remain intact with no holes punched in the card.
C2.1.9. Termination of employment. The CAC will be surrendered immediately to the local DFAS Security Officer upon termination of employment with DFAS. Whether termination is due to retirement or to transferring to another DoD Agency or non-DoD Agency, the CAC will be immediately surrendered. Military personnel will surrender the CAC to the appropriate military personnel. If DFAS employees transfer to a different location but remain DFAS employees, they will retain the CAC.
C2.2. Access. The CAC shall be used to control access to DFAS facilities and controlled spaces. This does not require DFAS components to immediately dismantle current access systems. Moreover, this policy does not preclude the continued use of supplemental badging systems that are considered necessary to provide an additional level of security not presently afforded by the CAC. However, DFAS activities are to plan for migration to the CAC for general access control using any of the CAC's present or future access control capabilities.
C2.3. Security Concept of Operations. RAPIDS operators are not required to hold a security clearance, but must have a need-to-know for operational data handled by the RAPIDS. RAPIDS is not required to institute controls to partition operational data according to need-to-know, since access to RAPIDS operational data is controlled by the identification and authentication mechanisms of the RAPIDS.
C2.3.1. Users and Administrators. There are numerous categories of RAPIDS users. From a security perspective, there are two major classes, Users and Administrators. Ordinary RAPIDS operators are assigned to the Users group. The operators in this group are limited to running only the specialized applications developed for the RAPIDS and other non-administrative programs. Ordinary operators have no access to administrative programs, audit data, and critical system files. They are also prevented from administering operator accounts, taking ownership of files and other objects, accessing audit event records, and deleting or modifying any software files within the RAPIDS. Administrators have the capability to access all information on RAPIDS. The Director for Administrative Services will determine who will be classified as administrators.
C2.4. Classification and Sensitivity of Data Processed. Classification is a measure of how important the protection of specific data is to national security. The term sensitivity refers to a caveat of information that may require unique or additional countermeasures beyond its classification level. Thus many of the implemented security requirements depend on the security policy associated with the various classifications and sensitivity levels of information processed on the system. RAPIDS is utilized to process sensitive unclassified data and information that is protected under the Privacy Act of 1974.
C2.5. System User Description and Clearance Levels. Only authorized users will be granted access to RAPIDS. Each user should have an official need-to-know for all information to which they have access.
C3. CHAPTER 3
FIRST TIME OR INITIAL IMPLEMENTATION OF THE CAC/SMART CARD
C3.1. DFAS Pacific Only. DFAS Pacific is the only DFAS site identified to issue the CAC. The local Administrative Services staff of this location will issue guidance on when each employee should proceed to the ID area for CAC issuance. Since the time to issue a single card can take upwards of 15 minutes, employees will be scheduled according to a time schedule.
C3.2. DFAS Non-RAPIDS Sites. DFAS sites without CAC issuance capability will have a designated RAPIDS location close by. Every RAPIDS location has entered into an agreement to issue cards to eligible personnel within its servicing area. Your local Administrative Services staff will arrange and coordinate CAC issuance with the nearest RAPIDS location because Non-DFAS sites may have different CAC issuance procedures.
C3.3. When should you obtain a CAC? RAPIDS locations are being deployed around the world incrementally. You must wait until your local Administrative Services staff has contacted you before you can obtain the CAC. The current DoD deadline for CAC issuance is the end of FY 2003. If a RAPIDS location is near your DFAS location, you must wait until directed by Administrative Services before proceeding to that location. Administrative Services has the lead in coordinating the schedule for DFAS personnel to be issued cards at these non-DFAS locations.
C3.4. Transportation. During the initial implementation phase, methods of transportation will be determined by Administrative Services. Depending on the location and feasibility, Administrative Services will coordinate the transport of employees by use of government vehicles, rental vans, or other available means.
C3.5. General Requirements to obtain CAC. Requirements are outlined in Chapter 4, but for the first time issuance, you must also abide by the items outlined in Chapter 3.
C3.6. Surrender of your current badge. Upon receipt of the new CAC, an employee must immediately surrender his/her current DFAS badge to the local Administrative Services Security Manager or designee. If the current ID is used for other purposes, approval from the current Security Manager must be granted to keep this card. Military members will be required to surrender the current military identification card to the RAPIDS location where the new CAC is obtained.
C4. CHAPTER 4
OBTAINING CAC/SMART CARD
C4.1. Current Employees. Current employees are loaded into the DEERS machine by way of payroll records. Current employees are defined as DoD civilians, Active Duty military and selected reserves who have been working for a minimum of 30 consecutive days. Current employees must have the below items to obtain the CAC.
C4.1.1. A Picture ID.
C4.1.2. Government e-mail address if using a government computer.
C4.1.2.1. If the e-mail address is invalid and/or it is entered incorrectly, the employee will have to return at a later date to correct the mistake.
C4.1.2.2. Personal e-mail addresses (e.g., AOL accounts) will not be accepted.
C4.1.3. A six to eight digit number to use as a Personal Identification Number (PIN). It should not be a number derived from something easily known about you such as a portion of a Social Security Number (SSN), birthday or anniversary date, telephone number, address, etc.
C4.1.4. If an employee has any problems obtaining a CAC, the local Administrative Services representative should be contacted by the employee(s) with all the details of why the CAC could not be issued.
C4.2. New Employees/Contractors. New employees and contractors will be loaded into the DEERS machine upon completion of a DD Form 1172-2. DD Form 1172-2 can ONLY be approved by the Security Manager or designated official. Appendix A shows a sample DD Form 1172-2 form. The items below will be required to obtain a CAC.
C4.2.1. Two picture IDs.
C4.2.2. Government e-mail address.
C4.2.3. A six to eight digit number to use as PIN.
C4.2.4. Completed and signed DD 1172-2.
C4.3. Military Retirees. Military retirees are not entitled to a CAC, but personnel information is already loaded into DEERS because of the retired status. If the retiree is a new DFAS employee (less than 30 days) or contractor, he/she is required to complete DD Form 1172-2 to receive a CAC.
C4.4. RAPIDS Location. RAPIDS sites have been placed in general areas to accommodate all DoD employees. Depending on the location of the nearest RAPIDS workstation, (after the first issuance), employees will either need to drive to or walk to the nearest location. The local Administrative Services office will provide guidance on obtaining a CAC and the nearest location.
C4.4.1. Walking Distance. If a DEERS/RAPIDS machine is located within walking distance, the employee should obtain a CAC/Smart Card during normal duty hours.
C4.4.2. Driving Distance. If a DEERS/RAPIDS machine is not available within walking distance, DFAS employees may drive to the nearest DEERS/RAPIDS machine after obtaining supervisor's approval. Employees may request travel reimbursement by completing a SF 1164 and submitting it to their supervisor. Each organization will be responsible for providing a fund cite on the SF 1164 for reimbursement. An example of a SF 1164 can be found in Appendix B.
C4.5. Disability Accommodations. If an employee is unable to easily get to the nearest RAPIDS location, the employee's supervisor should make alternate means of transportation available.
C4.6. Transportation. When an employee does not have transportation to reach the nearest RAPIDS location, the employee should notify his/her supervisor to verify if government owned or leased transportation is available.
C4.7. Supervisor Responsibility. The supervisor will determine the best possible method to get the employee to the location of the nearest DEERS/RAPIDS machine. The best possible methods may include use of government vehicles and/or public transportation.
C4.8. Local Rules. Each RAPIDS location will service not only DFAS employees, but all eligible members. Therefore, each location will have rules to follow in obtaining a CAC. DFAS employees will follow the rules established by each agency or office when obtaining the CAC.
C4.9. Military Personnel. All military personnel will follow previous guidelines to obtain the CAC. The CAC is similar in nature to the previously issued military ID card.
Sample DD 1172-2
Sample SF 1164