DFAS and AFGE Council 171
CAC Card Negotiation Session
11 Dec 2003
In Attendance: Kelley Dull, Connie Townes, Frank Rock, Ron Coe, Mark McDonald, Mark Durinski, Teresa Briley, Pablo Rodriguez, Pete Heins, Jackie Riley, Bob McNamara
Telephone conference: Richard Westmark, Bob Goodwin, LTC Marie Regotti, Jim
Teresa: Encryption on the E-Portal. Documents being encrypted. What are some questions?
Frank: Will documents on the E-Portal be encrypted?
Bob G: It would be up to the individual who is putting the document on the E-Portal. There are instances where it may be necessary i.e. BRAC 05. Encryption would ensure that only the people the document is intended for can read it.
Marie: DFAS personnel should only encrypt when the confidentiality or integrity of the information is necessary. The guidance was sent.
Teresa: When we go live will there be any blocks of email.
Bob G: There is no intention to ever block email messages. We have customers who do not have the capability to encrypt or digitally sign.
Teresa: With encrypted email once decrypted can it be save that way?
Bob G: It is one thing that we have to work on because we need to ensure people who have encrypted email will forward the email to people who may be replacing them on the job. Email for the business of DFAS. Otherwise key recovery would need to be used. Bob needed to leave for another meeting.
Teresa: Pin resets. Tell us a little about the process how far we are in the process.
Richard: In many cases there is a DEERS/RAPIDS station on site that will be able to reset.
Teresa: Timeline for this availability
Richard: Iíd like to say we already have the capability but the Army didnít want to give us the equipment. We want to have it by the end of January to roll out to all sites.
Frank: Would you say we will have it by the April 4 deadline?
Richard: Yes. We are just sorry we donít have it already. Soft certificates wonít work with the CAC logon screens. There is not a good solution for when an employee forgets their badge. The card is your access into the system. If the system is CAC enabled you will need your CAC to do your work. Temporary cards are what we are looking at but so far it has not been able to work. As the systems are CAC enabled they will no longer accept passwords. You need your CAC card to access your system to use other programs.
Bob: If you canít get into your PC then you canít get to the applications?
Teresa: Monitoring capabilities? Will that ability remain with the encryption.
Richard: We would have to submit a key recovery if the person would not be willing to decrypt if it is necessary to read the message.
Connie: If a person opens an encrypted email can it be read by the person monitoring?
Richard: There is currently no ability for Ďover the shoulderí access.
Frank: The DFAS 8500.1. You are over the team that is revising it? It covers the infrastructure?
Teresa: can you explain how the 8500 was established?
Mark: DFAS had an 8000-R. It had a lot of guidance that supplemented DoD instructions. DoD has recently revised these instructions for Information Security. They wanted to parallel the DoD regulation. Was the 8000-R chapter G and is now the DFAS 8500. There was no changes except the name.
Teresa: That would be the same for the 8100, 8200? Were previously part of the 8000?
Mark: Yes. The regulation covers roles and responsibilities when it comes to Information Technology.
Teresa: Do you have any information about what is necessary on the card for civilians?
Mark: I donít have anything except it is different for Civilians and Military.
Richard: There is a ten-minute window that you would not have to authenticate again because it does it on your behalf. You many have to choose a certificate but not have to input your Pin. It looks like you didnít have to authenticate again but you actually did. If you bring up a whole bunch of windows then you are set to go with all of them until you sign out of those sites/programs.
Teresa: It doesnít increase the number of times you have to enter you pin?
Richard: Depends on what you are doing.
Teresa: Leaving the card in the Reader?
Richard: There will be people who get up and leave it in there machine. This is the security that DFAS wishes to have.
Marie: It is a policy decision.
Mark: There is not a DoD requirement to leave the card in the machine while using the system?
Marie: No, there isnít.
Mark: Can we get a copy of the memo that states that this policy was made by DFAS?
Kelley: Has anything been addressed on people who will be using multiple computers i.e. TSO?
Richard: It has been determined that a person can only type on one computer at a time.
Kelley: They have told me that this is going to affect their work.
Richard: We havenít seen it as an issue. A person can only work on one computer at a time. I can only attest to our experience with it.
Teresa: Is there some identification of responsibilities and liabilities of the card use?
Marie: There is a user agreement that is signed when they are issued the CAC. Brian Bradleyís memo also describes the information .
Kelley: The agreement is another form?
Richard: A statement that the employee will safeguard. It is a form you sign when you go to get the card.
Teresa: Describe the 3 certificates on the card.
Richard: Identity Certificate: Recognized as a legal signature when used to sign. The private key is how it says that yes you signed it.
Encryption Certificate: You have to use your private key to un-encrypt a document.
Frank: It has been an extended amount of time since many people have received their CAC and they may not remember what it say on the document they signed. Can that information be given to the employees again?
Teresa: That would be admin services.
Ron: Validation stations/capabilities.
Richard: Any machine that has middleware on it, they have the ability to view what is on the card. Employees will be able to view their information on their own computer.
Mark: Work stoppage. What do we have in place now if a person loses, forgets, has stolen their card? How do we get that person productive?
Richard: If lost, stolen, damaged then we need to get them a new card. If left at home, I donít know what the policy will be on it. The process and number of times weekly/monthly that the CAC can be issued needs to be addressed.
Ron: Are any of these questions been asked by Product line managers?
Richard: I havenít been in any of those talks.
Connie: Has anything been addressed about disabled employees?
Richard: I donít recall but I know discussion has taken place.
Teresa: There is currently no technology. Movement of card readers and help from other co-workers right now is the only answer we have.
Marie: The CAC reader can be put anywhere on the desktop. What are the different issues?
Mark: Limited movement, lack of ability to grip.
Marie: It is no different then using a floppy or disc drive.
Mark: They donít use them. Reasonable accommodation does not include another employee put the card in and out for them.
Richard: It is something we still need to address.
Pete: The Agency has the responsibility to provide accommodation. It is something we will have to wrestle with. Want to go back to the work stoppage and lack of ability to create cards.
Kelley: We know about Limestone but do we know if this is an issue for anyone else?
Pete: Two times a month access to create CACís is not acceptable.
Ron: We donít have a problem with the time it will take to get a card if the Agency doesnít have an issue as long as the employee is not penalized.
Marie: A lot of these issues may be Admin Services issues.
Mark: We need to add language: Employees will not be penalized for nonproductive time awaiting issuance/re-issuance of CAC. We have all agree to this in principle.
Pablo: As long as itís understood that it is for lost/stolen/damaged cards that are not deliberate.
Teresa: Would this language take care of number 14? It would cover the employee from adverse action if it does take time to get a card re-issued.
Pablo: A card left at home would not be covered under this.
Mark: Why not? It may actually be lost and that is why the employee came to work without it. They could get home and not be able to find it.
Pete: I think that this would be an exception not the vast majority who will be honest about lost or just forgetting at home. We should be able to give the employees an out especially for those in a high volume work area. The days of a network log-on are gone. They are now tied to this card to do their work.
Pablo: My concern is that Markís statement is all encompassing and covers the employees who just leave the card at home.
Mark: My proposal covers only while waiting to get a CAC, not why they need the CAC. When waiting it is not in the hands of the employee, but in the hands of the Agency.
Jackie: The language does not do it. It needs to have why they donít have the CAC.
Mark: Waiting to get a CAC is not in the control of the employee. The Agency is responsible for setting the time to go get the card.
Teresa: What about the employee who does this on purpose? Malicious.
Bob: We need the clarification. Just like you did yesterday.
Bob: Amended Language proposal: Employees will not be penalized for nonproductive time awaiting issuance/re-issuance of the CAC when the issuance/re-issuance is not the result of the employeeís negligence.
Mark: Then we would have to define negligence.
Pablo: Add caveat: through no fault of their own.
Mark: Can we agree to the language with Ďthrough no fault of the employeeí? Also add ĎPIN resetí after re-issuance.
Revised language: Employees will not be penalized for nonproductive time awaiting issuance/re-issuance or PIN reset of the CAC, through no fault of the their own. Parked language.
Return to #5
Teresa: Language was: The Agency will provide CAC issuance procedures for each site for employees to review prior to issuing/reissuing/resetting of CAC. Local rules that conflict with DFAS 5200.9-R should be brought to the attention of the local Administrative Services Manager or Field Operations Manager for adherence to the DFAS Regulation.
Kelley: As long as you have the hard copies available for those who ask for it.
Teresa: Admin services would have the ability to provide a hard copy upon request of an employee.
Mark: Do we need to add a sentence saying they can get them from Admin services? I have employees who do not have a computer.
Teresa: Do we want to encourage them to go and get a hard copy when itís available on the computer?
Kelley: It wouldnít be encouraging but informing.
Pete: Using e-mail we could send all employees the link.
Kelley: But we have employees without a computer and we want them to know that they can get a copy.
Add to the end of the language: A hardcopy of the procedures will be made available in the Administrative Services/Field Operations office.
The Agency will provide CAC issuance procedures for each site for employees to review prior to issuing/reissuing/resetting of CAC. Local rules that conflict with DFAS 5200.9-R should be brought to the attention of the local Administrative Services Manager or Field Operations Manager for adherence to the DFAS Regulation. A hardcopy of the procedures will be made available in the Administrative Services/Field Operations office. Approved.
Teresa: I have asked Richard about a schedule of who will be turned on for the CAC in the phased implementation. The PIN reset should not be a reissue if we start resetting cards now before the phase implementation begins so that the PIN reset capability would not be an issue.
The intention is that all sites will have the ability to reset, even Arlington who has a DEERS site within walking distance.
Mark: If the implementation word is the problem we could strike it. Changed language would be: The Agency will acquire and maintain the ability to reset the CAC PIN at each DFAS site.
Teresa: If we agree to this and then DoD denies our request, could we just let Kelley know?
Language as amended approved.
Mark: Need equal access to communicate with the bargaining unit employees. It may not have anything to do with the CAC. We are asking for help to be able to distinguish between bargaining and non-bargaining unit employees and to be able to communicate.
Pete: There is a policy about sending mass emails. If it needs to go out to many people, then there are other methods of communication. If you create a group mailing address, it wouldnít keep with the Agency policy on group/distribution list mailings.
Teresa: The ability to send to the entire Agency is restricted. There is not going to be a change to the email program. You have the ability to create a list from Outlook without any extra work to the Agency.
Pete: We could set up a group today, and the bargaining unit could change tomorrow because of promotion.
Mark: There is no difference in setting it up or a person going through and selecting them.
Ron: Would the Agency have a problem with us setting up our own distribution lists?
Teresa: I would need to check to find out how that would affect the system with it being a large group. I donít know what it would do to the system.
Pete: They can set up a group in Outlook. When you press send does that create a problem? Asking us to set it up for you is a different issue.
Bob: can we put the Union in contact with someone to address this issue?
Pete: Corporate Communications.
Pablo: Also the LAN employees at each site.
Mark is going to pursue this with the Agency.
Pete: I think we can also let Claudia know this is a good thing.
Issue # 11
Kelley: propose language: The Agency will publish guidelines on the use of encryption.
Kelley: This issue is on the personal documents.
Mark: Since the CACís can change information such as 52ís should not be encrypted.
Teresa: We could include this with the encryption guidelines saying there are no plans to do this.
Kelley: Itís just basically that the employees wonít get their personal information encrypted.
Teresa: Could the published guidelines we establish cover this if it is included?
Kelley: The guidelines are getting pretty big but when it is complete we will need to see it and make sure that it is within the negotiated agreement.
Bob: Agreement was reached that e-portal document encryption will be included in the guidance.
Teresa: I have asked about JITC and have not received a response yet. When the information on what reports they have we will get them and give them to you.
Teresa: Language proposed: The Agency will respond to requests for information pertaining to the CAC. Agreed to this language.
Pete: If we are collecting this data we will provide it.
Kelley: Richard said that they are pursuing alternate means because it is going to be a problem. Language: The Agency agrees to pursue development of an alternate means of access when CAC is lost, damaged, or otherwise unavailable.
Frank: There is going to be some human error in this process until the employee gets accustomed to the CAC.
Bob: We may not be pursuing an alternate means other than getting them a new card.
Jackie: He said the temporary badge would have limited access.
Ron: They speak about milestones and there are alternatives to the CAC. Milestone one is having two databases: CAC and password access. There seems to be a planned migration.
Teresa: That is for web access not system logon. At first they will establish which way the application can be accessed. Once they establish the system for CAC then their passwords no longer work. If you canít get into the system then you canít access applications.
Bob: You canít get into the ELAN without the CAC once itís enabled.
Teresa: The dual paths are for the web applications as a phased implementation.
Kelley: The concern is that if it is possible to alleviate the impact to the employees and the Agency is pursuing it thatís what we want.
Teresa: Theyíve pursued the temporary card, for example, and it doesnít give us the access we want they will be going back to DoD to work on it. Pursuing it doesnít mean they will come up with another option. The key is the CAC is the way to access your system.
Pete: They are just looking for something to say we will explore it. Not that it will be explored and implemented. You are looking for something to tell the members that the Agency will look at this. Even in the face that the CAC is it. Letís say we got beat up at DoD and we come back to tell you, what happens next.
Kelley: If you explore it and DoD doesnít approve it then you explored it. There is nothing that can then be done.
The Agency agrees to explore alternative means of computer access when CAC is unavailable. Agreed.
Bob: Our position is still that it is Managements right and we cannot agree to it.
Kelley: I guess I donít understand the position because we understand it is your determination of technology, but how it is used doesnít infringe on managements right.
Teresa: We do not use the computer now to track time and attendance so if there were a change in the future we would give it to you because it is a change. It is covered in the other bullet that tells what the CAC is used for.
Kelley: You had said a statement that would work for us. We just want the employees to know that it is not currently intended for use as time and attendance.
Pete: In earlier discussion we told the intended use of the CAC and no where in there does it say time and attendance.
Kelley: But web-based does describe E-Biz.
Teresa: You use the CAC to access web-based applications.
Pete: We could add a sentence that says E-Biz is the current time and attendance program.
Kelley: Currently there are no plans to use CAC for time and attendance purposes.
Bob: The implementation of the CAC is not intended to replace the current time and attendance system. If the Agency decides to do so, the Agency will negotiate the implementation with the Union. Agreed to.
Kelley: Proposed language: Employees will not be penalized for loss, damage, misplacement, or pin reset unless the preponderance of evidence shows the employee at fault.
Frank: Preponderance is the Agencies language on how they decide if the employee is at fault.
Teresa: It is the Agencies responsibility to prove the preponderance of evidence on a disciplinary action but there are other actions that donít require it.
Bob: Why would we even be disciplining employees?
Mark: Employees are already being told that they can be disciplined.
Teresa: When there exists a preponderance of evidence is the only time you are saying a Supervisor can discipline. I donít think the intent here is to find another way to hammer the employees.
Connie: You act like this isnít real. You need to go out and be in the employeesí shoes because it is real. We are trying to build something in to protect the employees who donít do anything wrong.
Bob: How about misuse of the card will be dealt with accordingly.
Pablo: I think we are trying to find a means to identify those caveman supervisors out there. I know you donít think that the grievance procedures work but the process has to work.
Kelley: The employees could be dead before we finish the grievance procedures.
Pablo: Then we need to deal with the caveman supervisors.
Pete: In the rare cases when discipline is imposed, the Agency will adhere to DFAS 1426.1 and the applicable bargaining agreements. Agreed to.
Teresa: We believe the first part is addressed in the first paragraph of the MOA. Keeping the cards in the readers was explained on the conference call. It was the Agencies determination that it is the level of security that DFAS will have.
Kelley: We disagree.
Ron: We are seeking some flexibility on behalf of the employees. We are not trying to impede the DFAS security.
Pete: Impasse means the parties have exchanged proposals and cannot reach agreement. We feel this is not negotiable.
Bob: We have declared it non-negotiable.
Kelley: We will file a negotiability appeal for requiring the CAC card to be kept in the reader.
Ron: I want to say this will cause additional time for the employees to keep putting in your pin.
It is clear the Agencies position negates the Unions position that leaving the CAC card in the machine will cause additional security violations from people forgetting it.
Teresa: If you have no time-outs, then it poses an additional security concern. With a 10-minute window it doesnít mean you will have to resign in, but only if you need to re-authenticate in a new system or with a signature/encryption. It is a safeguard for the employee and the system.
Kelley: It is a negotiability appeal as well because you are saying it is a security issue.
Teresa: 18 b & c will be a negotiability issue.
Kelley: Do you have the information yet?
Teresa: I have the information that was provided in the chart.
Kelley: Weíve looked at it and we donít believe that all of the information is required.
Teresa: It is information is from the DEERS/RAPIDS program and is already there. The fields are being populated from that system.
Kelley: We are taking it out of a secured system to making them carry it around with them.
Pete: The one on the back links you to DEERS it is not the actual information that is in DEERS. It identifies your file and pulls it up.
Mark: I suggest we go through the chart and see if there is anything objectionable.
Teresa: I donít know if as DFAS we can say we want or donít want fields.
Ron: I believe having your gender on it would be in conflict with the EEO law.
Teresa: By being on the chip, itís not printed; otherwise it would be a violation.
Mark: After looking at them, is there anything we have a problem with any of it?
Kelley: We still have a problem with it. SSN is a problem. The reason I have the card is that Iím me and that is has been verified.
Mark: 3 and 4 are just 2 different types of barcodes. It is on there because they use it to pull you up on DEERS. The mag stripe identifies you instead of someone with the same or similar name.
Connie: I donít see why all of the fields are necessary. You have not shown me anything that tells me why they are all needed.
Kelley: Other concerns than the SSN.
Ron: Do we need to ask if they are required fields?
Teresa: The information is populated from DEERS. Your pay grade is public record.
Pablo: The information is already available.
Kelley: But I wasnít made to carry it around.
Teresa: There has to be a number on it that identifies it as yours.
Kelley: You can tell me how secure it is but there are hackers out there getting into things everyday.
Returned to language: Employees will not be penalized for nonproductive time awaiting issuance/re-issuance or PIN reset of the CAC, through no fault of the their own. Agreed to.
Pete: The purpose of this is so that if an employee is waiting on getting a new card and missing production time?
Pete: What type of training are you talking about?
Connie: Maybe an all hands session with slides.
The Agency will ensure that all employees are provided training on the proper use of the CAC. Approved.
Kelley: There are things like the DD Form 2842 that employees are signing that they need to understand what they are signing and who is referenced on it. Concern that employees were not made to sign form or donít remember what was signed.
Pete: The information on the card data requested is being researched and we will get back with you.
Reviewing MOA and word-smithing.
Kelley: Agreed to make the change of taking out future implementation and leave in allowable. Concern that we are redoing what weíve already done.
Pete: If we have a new policy that the Agency wants to implement that would change this agreement, we would negotiate those changes.
Mark: Just the changes? We donít want to have to redo this agreement over and over.
Pete: Just the things changed.
Kelley: What about if itís something that we didnít address here?
Pete: Then we would come back here.
Kelley: All of the things that people are working on but we donít have, we want to be able to come back if necessary.
Pete: If we issue Management guidance that implements this, would you want to come back and negotiate it? It would have to create a substantive change to return for negotiation.
Add language to Regulation:
C18.104.22.168. Handling complaints or issues and directing any unresolved problems to the CAC Program Manager for Implementation and notifying the Local Union President (or designee) when bargaining unit employees are involved.
Teresa: The fields identified are resident on the card for specific purposes even if it is just a code.
Mark: I think this is not something that DFAS can negotiate.
Let the Record Reflect that Bob stated that the data fields is non-negotiable.
Kelley: Then we can file a negotiability appeal on this as well.
Final changes to 5200.9-R are approved by all.
MOA completed and signed.