DFAS and AFGE Council 171

CAC Card Negotiation Session

9 Dec 2003

In Attendance: Kelley Dull, Connie Townes, Frank Rock, Ron Coe, Mark McDonald, Mark Durinski, Teresa Briley, Pablo Rodriguez, Pete Heins, Peggy Coleman, Jackie Riley, Bob McNamara

Admin Issues: Copier use. The Union didn't have copies because no one had it on their orders. Connie was concerned about her not having her orders before leaving. Her office has problems with her going without orders. From 11-1 tomorrow the room we are using is needed for another meeting. Union needs to be out by 4 tomorrow. We will start at 7:30 in the morning to accommodate.

Received copy of how cards are being used at each site for building access. Also received list of card issuing locations and distance from DFAS site. Faxed yesterday a copy of the codes used on the CAC.

Begin with proposals:

Concern with transportation to get cards. We want the Agency to provide the transportation, no public transportation. Defining that employees will not be made to use their own vehicle.

Teresa: if a person uses their own transportation they can request reimbursement through the correct channels.

It is in two different sections in the policy.

C4 is for a future need to get card not for initial issue (C3).

It doesn't say that and needs to be addressed.

There can be public transportation used without cost to the employee.

When it talks about public transportation it is referring to areas like D.C. where the Metro is available and the employee can be given a card making it no cost to the employee.

Mark: Not all employees can afford to pay for transportation and then wait for reimbursement.

Teresa: Some locations have the ability to give bus/metro passes so there is no cost to the employee. An effort was made to write this so that the transportation would be at no cost to the employee via government transportation or reimbursement.

Pablo: If there is only one person it is not cost effective for the Agency to rent a car or make other arrangements when the employee can be reimbursed for mileage.

Teresa: It would be the employee's responsibility to say if there is a reason why they do not want to drive their own POV.

Pablo: We have employees who do not have a POV and cannot drive. There is a coordinator at each site for the CAC. It should be that person's responsibility to work this out. The employees are all receiving cards at the same time and are going to expire at the same time.

Kelley: We are trying to address the individual ones because of loss, damage, etc.

Ron: We have supervisors that are not employee friendly people.

Pete: Mr. Bradley has said he will get personally involved with complaints and problems that are brought up to him per chapter 1. We do have people that take the bus to work and they need to be considered. If there is a disagreement on the type of transportation then there is a process set up to work it.

Pete: The way the policy is written an employee is never responsible for finding his or her own transportation to get a card.

Teresa: We've covered and provided flexibility for the various scenarios that can be thought of.

Management meeting

Bob: What are we looking for at the end of the week? We will work on the list of concerns and if something we decide affects the regulation we will look at changing it.

Teresa: We need to leave the options open for the means of transportation. We have to at least start out with some level of trust that we are looking for this process to work.

Kelley: We need to rewrite the language.

Pete: When it comes to POV there are limitations.

Ron: Add language saying supervisor and employee will jointly decide the best means of transportation.

Pablo: We cannot make decisions based on a small percentage of Supervisors out there. There needs to be a degree of credibility.

Teresa: C4.7. The supervisor working with the employee and Admin Services will determine the best possible method to get the employee to the location of the nearest DEERS/RAPIDS machine.

Language agreed upon to change the policy.

For the MOA:

The Agency will ensure the transportation need of the employees is arranged per DFAS 5200.9-R.

Kelley: An employee should not be forced to use their POV if they can't really afford it.

Teresa: That is why we rewrote C4.7. so that between the three an acceptable mode of transportation can be decided upon.

Bob: Why not put the changed sentence from the Regulation as the bullet on the MOA?

Kelley: We want it known by the employees that they cannot be forced to use their own POV. One word can make a big difference in language. We want the employees to read the regulation but will they?

Pete: Why can't we do a document that tells how we interpret the Regulation without changing the Regulation?

Kelley: That sounds good but I do see some changes that need to be made to the Regulation. I think it's a good idea to define the intent so that it isn't lost. What language do you think would get us there?

The Agency will provide transportation to and from the DEERS/RAPIDS station. With the supervisor's approval, employees will have the option to use other methods of transportation.

The supervisor working with the employee and Admin Services will determine the best method of transportation.

First bullet on MOA: The Agency is responsible to provide transportation to and from the DEERS/RAPIDS station to obtain a CAC. However, with Supervisory approval, the employee may elect to use their privately owned vehicle for this purpose. Approved.

Second bullet on MOA: CAC issuance will occur during employee's normal duty hours, while in a paid status, and will not result in charge to an employee's leave. Approved.

Third bullet on MOA: CAC will be issued/reissued/reset at no expense to the employee. Approved.

Handicapped employees. Ability to put the card in and out of the reader is an issue.

Teresa: It's our responsibility to provide accommodation. I have sent this to the people in IT to see if anything has been looked at to take care of this.

Pablo: Is the intent to delay implementation until the appropriate equipment has been purchased or created?

Mark M.: We want no employees left behind in the change. No implementation until all are able to use.

Jackie: Why would we even put a reader on the desk of an employee who can't use it?

Mark M.: Because it's been mandated that this will be the way to log into the system.

Bob: We don't want this to affect the implementation of the entire CAC.

Kelley: We need to identify where the need is to address how to implement for these employees.

Frank: So we don't know yet if anything has even been looked at as to how many employees and how to correct. It should have been addressed in the process of beginning implementation. There should have been a pro-active approach to this issue.

Kelley: We have a plan or a process that when it comes down to implementing they are not sitting there waiting on someone to figure out how to accommodate.

Ron: Work with the DoD Caps program for this issue.

Kelley: We want these issues to be worked upfront and not after the fact. Park the issue until more information can be received. Completed.

Agency will provide a copy of CAC issuance rules for each site…

Kelley: This is because of the different procedures at the sites for issuance of the card.

Teresa: The process at the various sites is different.

Kelley: If employees don't know the rules, they may inadvertently break one of the rules.

Ron: We don't want these rules to be in excess of the DFAS Regulation.

Teresa: There is a variety of individuals issuing the cards. It is recognized that training needs to be done for these individuals.

Kelley: Why even have the paragraph C4.8?

Pete: I think getting the employees a copy of the local rules is workable. Admin Services is responsible for telling the local DEERS site the DFAS needs.

Bob: The Agency will provide issuance rules for each site.

Kelley: Instead of the employees having to go search for it, have it emailed to them.

Teresa: The Agency will provide CAC issuance rules for each site for employees to review prior to issuing/reissuing/resetting of CAC. Local rules that conflict with the DFAS 5200.9-R should be brought to the attention of the local Administrative Services representative or Field Operations Manager for adherence to the DFAS Regulation. Parked.

At the time of issuance/re-issuance, Agency will provide a statement to the employee defining the liabilities and responsibilities associated with the possession of a private key.

Kelley: PKI/Encryption can be used in court.

Pablo: There is an annual requirement for a security briefing.

Kelley: That briefing doesn't tell anything about the PKI or my responsibility with it.

Frank: If someone enters a system with a card that is not theirs, a security breach has occurred.

Teresa: The level of security has increased with the card. Possession of the card and the pin is now required to access a system.

Bob: If the Agency put out a communication that describes the security would that suffice?

Kelley: There are differences between using the old ID cards and the CAC. Stickers, pins, holes cannot be put on/in card. Employees currently do this.

Bob: A do's and don'ts message is what you are wanting?

Teresa: There was some conversation that not a lot of information would be going out to the employees until this session took place. Information is planned to go out to let them know these things.

Parked until Brian Bradley can be contacted.

Agency shall ensure that employee data is safeguarded in accordance with Privacy Act, as amended. Approved.

Mark: This is a feel good thing. We know the Agency will safeguard but just want to assure the employees.

Teresa: We are in the process of obtaining the ability to reset pins at the sites. Don't have the timeline yet, but it's just a matter of purchasing software.

Mark: We have a problem because there are sites that can only reset or reissue on certain days.

Teresa will find out where we are in the process before deciding Management's position.

Parked.

Agency shall not block non-encrypted or non-digitally signed email.

Kelley: Originally it was said everything will be digitally encrypted but they backed off of that.

Teresa: Digital signature is when you want to and employees will be encouraged to not encrypt everything because it's not necessary. It's not going to change anything of what we have today in the flow of email.

Kelley: I tried to send an email to another DoD entity and it would not accept unless there was a PKI certificate on file.

Pablo: The only thing changing is the way you will sign in to the ELAN and e-mail.

Break

Teresa: Got in touch with Bob Goodwin and they are looking at the accommodation issue. If we could identify which people are affected we could hold off putting them under CAC use. Need to find what is needed and look at it once we know what is needed. I was going to talk to the DoD representative because this should be an issue for others.

The Agency will provide all necessary accommodations for usage of the CAC by disabled employees. The Agency and Union will identify special needs of employees and the Agency will provide accommodation as appropriate prior to use of the CAC for these individual employees. Approved.

Teresa: Bob Goodwin is checking on a timeline for getting reset capabilities at each site. There is currently a process to verify your pin. If you have forgotten your pin we can go ahead and have the pins reset so that they are ready upon implementation. We can identify sites like Limestone who have limited access to reset/issue capabilities and deal with them separately.

This validation process you put your card in and type your pin. If your pin is correct then your information is shown but if you don't have the pin correct it won't work and you know you need to get your pin reset.

Bob: There isn't going to be any change to email send and receive because of the CAC. We don't want to put anything that binds us forever and ever. We don't know what will be necessary later.

Mark: What would we do if there were a change? We would negotiate and implement.

Pete: If for security reason we would need to block unencrypted mail it would not be negotiated. Only adverse impact would be addressed.

Kelley: I'm not trying to say it's forever or to tie management's hands. We just want that understanding that we agree it isn't going to change.

Pablo: Current procedures for receiving and sending e-mail will remain unchanged upon implementation of the CAC.

Bob: The point is we don't know what could change.

Peggy: We can't say that at any time the Agency cannot block it.

Kelley: Put something in that any future changes will be subject to bargaining.

Bob: Could this go back to the communication that will be going out?

Kelley: On this paper we just want employees to understand that it's not going to change. On the surface they will see that it won't be blocked because they didn't encrypt or digitally sign. Some employees may work on things at home and email it to themselves at work. They want to know that their email will go through.

Jackie: When is it appropriate to send encrypted emails?

Kelley: We need to inform employees of when and how to encrypt or digitally sign. This language is to ensure the employees that their emails will go through. If you send a message and there's a program out there that kicks the message back saying it's undeliverable because of lack of encryption.

Mark: It tells the employee that it wasn't DFAS that caused an email to not be delivered.

Kelley: We have a lot of customers out there that may not have a CAC and their emails may not be allowed to go to the employee because of the lack of a CAC. Blocks are done on a case-by-case basis now.

Pablo: Each Agency can define their own processes.

Teresa: The only thing that will change is that if you encrypt a message then the person receiving will have to have the ability to un-encrypt. There shouldn't be any change for any other email.

Pete: The software for outlook is already set up. Unless there is a requirement to send encrypted messages, other messages will still flow as they do now.

Bob: Implementation of the CAC will not result in the block of non-encrypted or non-digitally signed email.

Kelley: I have a problem with the language of 'because of implementation'. We don't want it to be limited to actual implementation.

Implementation of the CAC will not change the current procedures for sending/receiving non-encrypted/non-digitally signed email. Agreed.

Teresa: How does this address adverse impact as a result of the implementation of the CAC?

Kelley: Goes with sending and receiving non-encrypted emails.

Pete: There is no plan for ordinary communications to be interrupted. It is only designed to encrypt and un-encrypt web-based email.

Kelley: How do we ensure that we will be able to send and receive emails within the bargaining unit?

Pete: Only those communications that need to be encrypted should be encrypted. If it ever became necessary to encrypt everything, then we would then be back here.

Parked.

Kelley: We have a great concern with having the ability to communicate with the employees. The exchange of information.

Pete: If you open it and un-encrypt the email then it is open. If it is in your in-box and is encrypted and you switch your card you would not be able to read it. When you un-encrypt it and read it that is the end of it being secure.

Mark: We were briefed that an encrypted email is always encrypted. You cannot forward an email that has been encrypted.

Kelley: The average employee would never have the need to send a message encrypted. What happens if an employee does send an email encrypted (i.e. grievance with personal information to the Union President)?

Pete: There will be a policy that tells what type of emails will be encrypted. The employee who sends emails that are not on this list could be subject to disciplinary actions.

Kelley: I want to see that policy and you have a demand to bargain.

Pablo: Encryption is only for email. It is not capable on the E-portal.

Teresa: If it was encrypted or not wouldn't matter because you have to have your CAC to sign on to your computer. I'll ask if the capability is there but I don't think it. Can you transmit an encrypted document to the e-portal?

Reports:

JITC:

Kelley: They are doing evaluation of problems. We want to see these so that we can see what problems are being addressed. The report didn't have the name, just that they would be evaluating problems and concerns.

Pablo: The testing phase is complete and we are in the implementation phase. They would not still be evaluating the program.

Kelley: It makes us aware of problems, concerns, and issues with the CAC.

Number of CAC issued during quarter:

Teresa: May not be appropriate because many have reached 100%.

Connie: After reaching 100% how many re-issues, new issues, and resets.

Teresa: I will check to see if there is a plan to get and keep this information.

Ron: To some degree the Agency should want to know how the CAC implementation is working. We want to help alleviate the problems and concerns with the CAC.