DFAS and AFGE Council 171

CAC Card Negotiation Session

10 Dec 2003

In Attendance: Kelley Dull, Connie Townes, Frank Rock, Ron Coe, Mark McDonald, Mark Durinski, Teresa Briley, Pablo Rodriguez, Pete Heins, Peggy Coleman, Jackie Riley, Bob McNamara

Alternate means of site and computer access:

Teresa: There is no other way to access the computers because the CAC will be the only acceptable way to access the computers.

Ron: The Agency is going to have to have another way for employees to access the building and/or computers when they don’t have their cards. Limited access.

Teresa: I’ve asked a lot of questions about this because I knew it was an issue. A second card would cause you to have to have two certificates.

Pablo: It does present a problem across the network. If the machine at the DEERS station is down, there will be a problem getting the employee a card.

Teresa: We’re going to have to look at what we can do in this situation.

Connie: These employees want to be able to do their jobs.

Teresa: It is the responsibility of the employee to maintain the card and ensure that it is not lost or damaged. I don’t think there are a lot of cards currently that are being lost or stolen.

Ron: It would defy logic that an alternative means would not be set up. The soft certificate is being currently used for DTS.

Teresa: I’ve sent out some inquiries and haven’t received any response back.

Parked.

Data Collection to discipline employees.

Teresa: This interferes with Management’s right to discipline.

Kelley: What data would be collected?

Teresa: The information available today when you sign on will be available with the CAC.

Ron: Our intent is that the data that the CAC generates would not be used to discipline employees. Info such as an employee is or isn’t working because they are not signed on with their CAC.

Teresa: You can’t tell the Agency that they can’t use data to discipline employees. You access the computer today by logging on; you will just be using a different method to sign on.

Frank: This card will have the ability to do a lot of things.

Pablo: We have the responsibility as a Manager to ensure the employees are doing their work.

Kelley: Our concern is those Managers who will use this to go after employees.

Teresa: We have not said that we are implementing this card so that we can track employees. The information already exists today. The purpose is not to implement CAC so that we can discipline employees.

Ron: The CAC itself should not alter how we currently monitor workflow. Every keystroke can be monitored because it is a government computer. What you say here and what happens elsewhere is not necessarily the same. We feel it is important to let the employees know that this is not for management to be ‘big brother’.

Teresa: We can say what the intent of the card is but not what the intent is not. Go back to why we are doing this.

Ron: Issuance of the CAC is not intended to negatively impact the employee.

Bob: What we can offer is defining the purpose of the CAC.

Mark: Could we pull out the last sentence in Appendix 1 Paragraph 1? The CAC is the standard DoD ID card, the principal card to be used to enable physical access to buildings and controlled spaces, and will be used to enable Information Technology (IT) systems and applications that access DFAS computer systems. Use as beginning sentence of MOA. Agreed.

Time & Attendance Data Collection

Kelley: I have a problem with the time keeping possibility. It is not a time-keeping system.

Pete: You are present for duty when you are at your workstation, not when you swipe in the door.

Kelley: This is a big concern for the employees.

Bob: Tell them to read the purpose of the CAC. It’s not in there that it is for time keeping.

Connie: What is the problem with this?

Pete: At some point in the future the CAC may be used for time keeping for some unknown reason.

Kelley: But we would come back and negotiate that.

Pete: You’re right. But it is not in the definition of the CAC that it will be used for time keeping.

Mark: Managers are telling employees that this will eventually be used for time and attendance. We have a hard time changing what these Managers are saying.

Bob: Our problem is putting language down on something that is Management’s right.

Pete: The use of CAC for time keeping would be negotiable.

Teresa: We’ve stated very clearly what the purpose of the CAC is.

Bob: It is a management right and we can’t agree to it.

Pete: You’re telling us we cannot use it for time and attendance and we cannot agree that we will never use it for time and attendance. Time and attendance is in no way related to security and it would be negotiable.

Pablo: I think we need to concentrate on what the CAC is for and not look for problems.

Bob: The communication put out should address what the CAC is for.

Break

Kelley: We still have concerns and problems but will park it for now.

Discipline employee for CAC loss, damage, or PIN reset actions.

Mark: We have employees being told they will be disciplined for these types of actions.

Teresa: This is the same as above: we can’t agree because of Management’s right to discipline.

Kelley: The Agency has said there isn’t a policy on this but you’re going to have to come up with something.

Teresa: We already have policies for discipline.

Kelley: So if an employee loses their card you will go to the table of penalties and charge them with loss or damage of government property?

Teresa: If it is appropriate. Don’t look at it as different from now.

Mark: But my entire work life is now dependent upon a piece of plastic. If I don’t have my card, I can’t work.

Jackie: But you have to have your password.

Mark: But it can be reset in a matter of minutes.

Kelley: The CAC is becoming a condition of employment. We are negotiating based on the policy that was given to us and the regulations are being published and changed.

Teresa: This one, just like the other, interferes with Management’s right to discipline.

Kelley: Right now if employees forget their ID they can call someone, sign in, and be able to go to work. In the future it won’t happen this way. If people continuously forgot their card, it’s been said discipline action could be taken.

Teresa: Whenever you have an employee who comes to work but not ready to perform work it is a problem. Just like today.

Kelley: But there is no consistency.

Teresa: You have to look at each individual case. Circumstances will be different for each instance.

Ron: There is a common interest for the employee to be able to do their work.

Pablo: So your issue isn’t discipline but an employee having an ability to do their work.

Parked.

CAC usage:

Agency agrees that CAC usage (computer) will only be required for computer/application logon access, encryption etc.

Pablo: The first sentence would be solved by the earlier agreement.

Kelley: To us the three issues are combined.

Bob: The problem we have is with the word ‘only’.

Frank: We don’t know what programs the CAC will be used for.

Bob: Neither do we.

Teresa: There are other applications that are not web based that will still have passwords.

Kelley: What web-based programs will the CAC be used for?

Pablo: If you were using a laptop to sign in to DISP you would have to have your CAC.

Employees shall not be required to keep CAC in the reader to use the computer.

Teresa: It is part of the security.

Mark: DISA uses it by signing in at the beginning of the day and then taking it out. They use their computer all day and only have to put the CAC back in after locking the system. You won’t forget your card in the reader.

Teresa: It is how DFAS has determined to ensure security.

Pete: Pulling the card will replace the ‘control/alt/delete’ lock.

Kelley: What’s going to happen when the employees walk away from their computer and leave the card in?

Teresa: It is what it is and it’s tied to security.

Kelley: It can be argued that it is more of a security risk for an employee to leave the card in the computer, leaving the ability for someone to access all systems.

Mark: The card is for authentication. If you don’t need to authenticate then the password will put you in the system. The key here is the human factor. If the system says that we can’t work until the card is put in, then the employee will put their card in and out and put it back on. Physical security violations at the sites would be an issue. It would also solve the possible future problem of employees pulling each other’s card to get them in trouble.

Teresa: DISA may have decided to have a different level of security than we have.

Mark: In theory, if you leave a card in a reader and walk away from it, then the certificate has been compromised.

Teresa: The card itself would not be compromised unless you give your PIN to someone.

Kelley: When an employee accidentally leaves it in the reader and walks away we don’t want them to be concerned about being disciplined.

Teresa: If you are digitally signing then you must retype your password.

Ron: Has the IT community been asked?

Kelley: If you send an email and you want to digitally sign you have to re-authenticate. So what about the PKI certificate? If you are going out to use another system it automatically authenticates that you are you?

Teresa: To get into any (web based) system, you will have to retype your PIN.

Frank: We’re concerned about the employee’s production. They have work requirements. The CAC is slowing down the employee production.

Teresa: You have to sign on today.

Mark: But you have a timeout on the CAC. You will be required to re-authenticate more often.

Ron: We may have to do it and let the Agency see that it is causing slowdowns in work.

Bob: We can say thanks for the notice.

Agency shall provide employee with the ability to read data on their CAC.

Kelley: There are three different areas.

Mark: The chip can be read using a CAC reader with appropriate software.

Pete: I don’t think there is any problem with employees being able to look at the information.

Kelley: To alleviate concerns with the card.

Pete: I think we have the capability now and that we can agree that the employees can do it.

The Agency shall provide employees with the ability to read data on their CAC at each DFAS site. Approved.

Pablo: I don’t think that all have the ability to read the data but can verify email address.

Pete: The Agency wants employees to verify their PIN.

Pablo: Everything was stopped after the last session until negotiation could take place.

Pete: If the purpose is for employees to be able to read the information on their card, then we should be able to do that.

Pete: Make it available at every site where the capability exists to read the card. The LAN software should be available at all sites.

Info on card.

Mark: We went through the DoD regulation and pulled out what was required on the card and that’s what is in the proposal. If we left something out it was unintentional.

Pete: Is the purpose of the proposal to limit us on the number of compartments being used? I don’t know if we can do this.

Frank: Because there is a field doesn’t mean that the information is required.

Bob: It doesn’t have photo, pay grade, blood type etc…

Pete: So you want the photo to come off?

Kelley: Are they something that is required or can be picked/chosen?

Mark: The employees are asking if the information on the chart that was handed out to the employees is the only information on the card.

Pete: There is a band of data required for civilian employees dependent upon what category they are in. If you have privileges or are deployable the number of fields could be changed. For the majority of our employees there are 46 fields.

Teresa: The code on the chart has a list of which data is on which field.

Mark: So we can let the employees know which data is not required on a DFAS CAC for a civilian employee.

Teresa: The list shows the items that must be on the CAC.

Kelley: I need something that says which information the Agency has to put on the card.

Teresa: The data elements that are in the card are listed on the element codes list.

Kelley: It doesn’t say that all of those elements are required on the card. The DoD regulation doesn’t say all of this.

Teresa: Can we not see that the chart does that?

Kelley: I think it tells which fields are on there and can be used. I don’t see anything that says these items are required.

Parked while Pete goes to get information.

Agency agrees to negotiate implementation of changes to CAC usage, issuance, policy, regulations or employee obligation/responsibility with Council 171 prior to implementation.

Teresa: Why do you feel this is necessary?

Kelley: Because the intent is that this will continue to expand and grow.

Teresa: We would need to put as applicable or to fullest extent allowable by law. Why is this necessary because it is already known with or without the language?

Kelley: It brings it to the front for the employees.

Frank: It’s not only a feel good thing, but also an assurance that it will happen.

Kelley: We are talking about other functional changes.

Mark: What we were trying with the word ‘issuance’ was that if different requirements would be set up for the employee to get the card.

Kelley: We talked about how we are going to do these things. If there were changes to what we have already agreed to we would want to renegotiate.

Pete: We say this is for the employees, but.

Ron: It’s more to memorialize it for us the exclusive representatives.

Kelley: The employees are constantly being forced to do things without us getting the chance to negotiate. E-biz is an example. We have not negotiated but the employees are being forced to use it without the chance to bring out problems or concerns.

Proposal: The Agency agrees to negotiate future implementation or changes to the CAC usage, issuance, policy, regulations or employee obligations/responsibility with the Union prior to implementation, to the extent allowable by law. Approved.

Bob: The ‘or’ is a problem because there are policies that may not be necessary to be negotiated.

Mark: That is why we have to the extent allowable by law.

Bob: I guess that’s true. Do we have any problems? Can you reread it?

Read above language. Agreed to by all.

Upgrade of Union computers:

Bob: Why does this need to be done? Is it Union computers?

Pete: The union computers would need to be able to use the CAC to get into web-based email etc.

Mark: The Agency shall upgrade/replace all Agency provided computers/laptops of Union officials to ensure CAC compatibility prior to implementation of CAC.

Kelley: For those computers that are not compatible they cannot be implemented on those computers until they are compatible.

Pablo: Would this impede implementation for the Agency on 1 April?

Kelley: We want to have ours replaced at the same time as the rest of the office so that we can continue our operations.

Jackie: You would think that if they are Agency computers then they are already scheduled for upgrade.

Kelley: I go back to if the computer is not compatible then they will not be implemented. Some may already have been upgraded. It may not have a large impact.

Mark: Is DFAS worried that they will not be able to come up with the resources before 1 April?

Bob: We are mandated to be done by 1 April.

Kelley: We know that by 1 April everyone has to be CAC compatible and that this includes us.

Teresa: It won’t be a switch turned on and everyone will be using CAC. It will be a phase approach. The way this reads, we may have a problem with that.

Kelley: Part of implementation would be when they go around and upgrade those computers. We just want to make sure we are included.

Pete: Leave off ‘prior to implementation’ so that someone coming after us would know what we wanted. We know that by April 1st all computers must be compatible.

Kelley: We know how the scheme of things works and we could be upgraded last.

Teresa: Concurrent with Agency Site deployment schedule the Agency shall upgrade/replace all Agency provided computers/laptops of Union officials to ensure CAC compatibility. Agreed to language.

Mark: As long as it is understood that it means equipment is replaced/upgraded prior to implementation at that site.

Teresa: I have an answer on the encryption. If you receive an email that is encrypted once you open it, you can move to archives unencrypted and forward with the decision to re-encrypt it.

Documents posted on the web can be encrypted but the person putting it there would need to know who they want to be able to read it.

Mark: But if your card is changed you cannot open it. You would need to understand it is going to the card.

 

Currently parked items: 5,6,8,10,11,12,13,14,16,17,18,21

Kelley: Some additional concerns/questions:

  1. Applications that will be used with CAC. What web-based applications? All with HTTPS. Can we get a list or example of the applications? The original briefing gave an example of what applications. Outlook, E-biz, DTS, EDA/EDM, DDRS.
  2. DoD guidelines on encryption. They are on E-portal under infrastructure support. Takes you to the DoD CAC information/guidelines. There is an Executive that has been designated to say what will or won’t be encrypted.
  3. Can encrypted messages be monitored by TSO? If the message is encrypted, when I open it and my machine is being monitored, can they read that encrypted message as I read it? The Agency is pushing it for security purposes. So we are going to send secure messages and someone other than that person may be able to read it. Messages sent on Agency computers are subject to monitoring. The sender encrypting the message is doing so to ensure only the person it is sent to can read it. Is there someone in TSO that can access encrypted messages?
  4. Guidelines on what must be on the CAC.
  5. RAPIDS administrators: who has access to the information and what levels of access do they have? Who employs the DEERS/RAPIDS employees? Varies by site.