Federal Register: August 6, 2010 (Volume 75, Number 151)
DOCID: fr06au10-22 FR Doc 2010-19315
DEPARTMENT OF DEFENSE
CFR Citation: 32 CFR Part 161
Docket ID: [Docket ID: DOD-2009-OS-0184]
RIN ID: RIN 0790-AI61
NOTICE: PROPOSED RULES
DOCUMENT ACTION: Proposed rule.
Identification (ID) Cards for Members of the Uniformed Services, Their Dependents, and Other Eligible Individuals
DATES: Comments must be received by October 5, 2010.
The Department of Defense (DoD) proposes to establish policy, assign responsibilities, and provide procedures for the issuing of distinct DoD ID cards. The ID cards shall be issued to uniformed service members, their dependents, and other eligible individuals and will be used as proof of identity and DoD affiliation.
Identification (ID) Cards for Members of Uniformed Services, Their Dependents, and Other Eligible Individuals
Executive Order 12866, ``Regulatory Planning and Review''
It has been certified that 32 CFR part 161 does not:
(1) Have an annual effect on the economy of $100 million or more or
adversely affect in a material way the economy; a section of the
economy; productivity; competition; jobs; the environment; public
health or safety; or State, local, or Tribal governments or communities;
(2) Create a serious inconsistency or otherwise interfere with an action taken or planned by another Agency;
(3) Materially alter the budgetary impact of entitlements, grants, user fees, or loan programs, or the rights and obligations of recipients thereof; or
(4) Raise novel legal or policy issues arising out of legal mandates, the President's priorities, or the principles set forth in this Executive Order.
Sec. 202, Public Law 1044, ``Unfunded Mandates Reform Act''
It has been certified that 32 CFR part 161 does not contain a
Federal mandate that may result in expenditure by State, local and
Tribal governments, in aggregate, or by the private sector, of $100 million or more in any one year.
Public Law 96354, ``Regulatory Flexibility Act'' (5 U.S.C. 601)
It has been certified that 32 CFR part 161 is not subject to the
Regulatory Flexibility Act (5 U.S.C. 601) because it would not, if
promulgated, have a significant economic impact on a substantial number of small entities.
Public Law 96511, ``Paperwork Reduction Act'' (44 U.S.C. Chapter 35)
It has been certified that 32 CFR part 161 does impose reporting or recordkeeping requirements under the Paperwork Reduction Act of 1995. Executive Order 13132, ``Federalism''
It has been certified that 32 CFR part 161 does not have federalism
implications, as set forth in Executive Order 13132. This rule does not have substantial direct effects on:
(1) The States;
(2) The relationship between the National Government and the States; or
(3) The distribution of power and responsibilities among the various levels of Government.
List of Subjects in 32 CFR Part 161
Administrative practice and procedure, Armed forces, Military personnel, National defense, Privacy, Security measures.
Accordingly, 32 CFR part 161 is proposed to be added to subchapter F to read as follows:
PART 161IDENTIFICATION (ID) CARDS FOR MEMBERS OF THE UNIFORMED SERVICES, THEIR DEPENDENTS, AND OTHER ELIGIBLE INDIVIDUALS
Authority: 18 U.S.C. 499, 506, 509, 701, 1001.
PART 161IDENTIFICATION (ID) CARDS FOR MEMBERS OF THE UNIFORMED SERVICES, THEIR DEPENDENTS, AND OTHER ELIGIBLE INDIVIDUALS
Sec. 161.1 Purpose.
This part establishes policy, assigns responsibilities, and
provides procedures for the issuing of distinct DoD ID cards. The ID
cards shall be issued to uniformed service members, their dependents,
and other eligible individuals and will be used as proof of identity and DoD affiliation.
Sec. 161.2 Applicability.
This part applies to:
(a) OSD, the Military Departments (including the Coast Guard at all times, including when it is a Service in the Department of Homeland Security by agreement with that Department), the Office of the Chairman of the Joint Chiefs of Staff and the Joint Staff, the Combatant Commands, the Office of the Inspector General of the Department of Defense, the Defense Agencies, the DoD Field Activities, and all other organizational entities within the Department of Defense (hereafter referred to collectively as the ``DoD Components'').
(b) The Commissioned Corps of the U.S. Public Health Service, under agreement with the Department of Health and Human Services, and the National Oceanic and Atmospheric Administration, under agreement with the Department of Commerce.
Sec. 161.3 Policy.
It is DoD policy that a distinct DoD ID card shall be issued to
uniformed service members, their dependents, and other eligible
individuals and will be used as proof of identity and DoD affiliation. Sec. 161.4 Responsibilities.
(a) The USD(P&R) shall:
(1) Establish minimum acceptable criteria for establishment and confirmation of personal identity, policy for the issuance of the DoD enterprise personnel identity credentials, and approval of additional systems under the Personnel Identity Protection (PIP) Program in accordance with DoDD 1000.25, ``DoD Personnel Identity Protection (PIP) Program'' (see http://www.dtic.mil/whs/directives/corres/pdf/ 100025p.pdf).
(2) Act as the Principal Staff Assistant (PSA) for the Defense Enrollment Eligibility Reporting System (DEERS), the RealTime Automated Personnel Identification System (RAPIDS), and the Personnel Identity Protection (PIP) Program in accordance with DoDD 1000.25. (3) Maintain the DEERS data system in support of the Department of Defense and applicable legislation and directives.
(4) Develop and field the required RAPIDS infrastructure and all elements of field support to issue ID cards including but not limited to software distribution, hardware procurement and installation, on site and depotlevel hardware maintenance, onsite and Webbased user training and central telephone center support, and telecommunications engineering and network control center assistance.
(5) In coordination with the Under Secretary of Defense for Intelligence (USD(I)), Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer (ASD(NII)/DoD CIO), and the Under Secretary of Defense for Acquisition, Technology, and Logistics (USD(AT&L)), establish policy and oversight for common access card (CAC) lifecycle compliance with Federal Information Processing Standards (FIPS) Publication 2011, ``Personal Identity Verification (PIV) of Federal Employees and Contractors'' (http:// csrc.nist.gov/
(b) The Assistant Secretary of Defense for Health Affairs (ASD(HA)), under the authority, direction, and control of the USD(P&R), shall develop overall policy and establish procedures for providing medical care through the Military Health System to authorized beneficiaries and eliminate fraud, waste, and abuse in the provision of medical benefits.
(c) The Assistant Secretary of Defense for Reserve Affairs (ASD(RA)), under the authority, direction, and control of the USD(P&R), shall develop policies and establish guidance for the National Guard and Reserve Component communities that impact benefits, entitlements, identity, and ID cards.
(d) The Deputy Under Secretary of Defense for Military Community and Family Policy (DUSD(MC&FP)), under the authority, direction, and control of the USD(P&R), shall develop policy and procedures to determine eligibility for access to DoD programs for morale, welfare, and recreation; commissaries; exchanges; lodging; children and youth; DoD schools; family support; voluntary and postsecondary education; and other military community and family benefits that impact identity and ID cards.
(e) The Director, Defense Human Resources Activity, under the authority, direction, and control of the USD(P&R), shall, in accordance with DoDD 1000.25:
(1) Develop policies and procedures for the oversight, funding, personnel staffing, direction, and functional management of the PIP Program.
(2) Coordinate with the Principal Deputy Under Secretary of Defense for Personnel and Readiness, the ASD(HA), and the ASD(RA) on changes to enrollment and eligibility policy and procedures pertaining to personnel, medical, and dental issues that impact the PIP Program. (3) Develop policies and procedures to support the functional requirements of the PIP Program, DEERS, and the DEERS client applications.
(4) Secure funding in support of new requirements to support the PIP Program or the enrollment and eligibility functions of DEERS and RAPIDS.
(5) Approve the addition or elimination of population categories eligible for ID cards in accordance with applicable law.
(6) Establish the type and form of ID card issued to eligible population categories and administer pilot programs to determine the suitable form of ID card for newly identified populations.
(f) The USD(AT&L) shall:
(1) Issue regulatory coverage for CAC and Homeland Security Presidential Directive 12, ``Policy for a Common Identification Standard for Federal Employees and Contractors'' (see http:// www.cac.mil/assets/pdfs/HSPD_12.pdf) for contracts.
(2) Communicate Homeland Security Presidential Directive 12 requirements to the DoD acquisition community.
(3) Ensure that the requirement for contractors to return CACs at the completion or termination of each individual's support on a specific contract is included in all applicable contracts.
(g) The USD(I) shall:
(1) Establish policy for the use of ID cards for physical access purposes in accordance with DoD 5200.08R.
(2) Establish policy for military, civilian, and contractor employee background investigation, submission, and adjudication across the Department of Defense, in compliance with Homeland Security Presidential Directive 12 and in accordance with DoD 5200.2R. (h) The ASD(NII)/DoD CIO shall:
(1) In coordination with the USD(I), USD(P&R), and USD(AT&L), establish policy and oversight for CAC lifecycle compliance with FIPS Publication 2011.
(2) Provide guidance to DoD information systems administrators regarding use of nonDoD identification credentials, including the Federal PIV cards, for authenticating to DoD network accounts and DoD private Web sites.
(3) Ensure that the DoD public key infrastructure conforms to all applicable FIPS to the greatest extent possible.
(i) The Assistant Secretary of Defense for Homeland Defense and Americas' Security Affairs (ASD(HD&ASA)), under the authority, direction, and control of the Under Secretary for Policy (USD(P)), shall facilitate force protection activities with the law enforcement community.
(j) The Heads of the DoD Components, the Director, USPHS, and the Director, NOAA shall:
(1) Develop and implement Componentlevel procedures for DoD directed policies or legislative requirements to support benefits eligibility through DEERS.
(2) Develop and implement Componentlevel ID card lifecycle procedures to comply with the provisions of this part.
(3) Ensure all DoD employees, Military Service members, and all other eligible CAC applicants, to include contract support and other affiliate CAC applicants, have met the background investigation requirements in paragraph (b)(3) of this section prior to approving CAC sponsorship and registration. Background investigation status must be verified and documented by the sponsor or sponsoring organization in conjunction with application for CAC issuance.
(4) Establish processes and procedures as part of the normal check in and checkout process for collection of the CAC for all categories of DoD personnel when there is a separation, retirement, termination, contract termination or expiration, or CAC revocation. Since CACs contain personally identifiable information (PII), they shall be treated and controlled in accordance with DoD 5400.11R, ``Department of Defense Privacy Program'' (see http://www.dtic.mil/whs/directives/ corres/pdf/540011r.pdf) and DoD 5200.1R, ``Information Security Program'' (see http://www.dtic.mil/whs/directives/corres/pdf/ 520001r.pdf). These cards shall be returned to any RAPIDS issuance location for proper disposal in a timely manner once surrendered by the CAC holder.
(5) Provide appropriate space and staffing for ID card issuing operations, as well as reliable telecommunications to and from the Defense Information Systems Agency managed NonSecure Internet Protocol Router Network.
(6) Provide funding for CAC cardstock, printer consumables, and electromagnetically opaque sleeves to Defense Manpower Data Center (DMDC).
(7) Protect cardstock and consumables in accordance with the guidelines and standards maintained by DMDC.
(8) In accordance with FIPS Publication 2011, provide
electromagnetic opaque sleeves or other comparable technologies to protect against any unauthorized contactless access to the cardholder unique identification number stored on the CAC.
(9) Manage the distribution and locations of DoD Componentspecific CAC personal identification number (PIN) reset workstations. (10) To the maximum extent possible, and in accordance with DoD Components' designated approving authority guidelines, ensure networked workstations are properly configured and available for CAC holders to use the User Maintenance PortalPost Issuance Portal service. (11) Oversee supervision of Contractor Verification System trusted agents (TAs) and trusted agent security managers and ensure the number of contractors overseen by any TA is manageable.
Sec. 161.5 Procedures.
(a) ID cards. (1) DoD ID cards shall serve as the Geneva Convention Card for eligible personnel in accordance with DoDI 1000.1, ``Identity Cards Required by the Geneva Conventions'' (http://www.dtic.mil/whs/ directives/corres/pdf/100001p.pdf).
(2) DoD ID cards shall be issued through a secure and authoritative process to ensure that access to DoD physical and logical assets is granted based on authenticated and secure identity information in accordance with DoDD 1000.25.
(3) The CAC, a form of DoD ID card, shall serve as the Federal PIV card for DoD implementation of Homeland Security Presidential Directive 12.
(4) ID cards, in a form distinct from the CAC, shall be issued and will serve as proof of identity and DoD affiliation for eligible communities that do not require the Federal PIV card that complies with FIPS Publication 2011 and Homeland Security Presidential Directive 12. (b) ID card life cycle. The ID card life cycle shall be supported by an infrastructure that is predicated on a systemsbased model for credentialing as described in FIPS Publication 2011. Paragraphs (b)(1) through (7) of this section represent the baseline requirements for the ID card life cycle. The specific procedures and sequence of order for these items will vary based on the applicant's employment status or affiliation with the Department of Defense and the type of ID card issued. Detailed procedures of the ID card life cycle for each category of applicant and type of ID card shall be provided by the responsible agency.
(1) Sponsorship and eligibility. Sponsorship shall incorporate the processes for confirming eligibility for an ID card. The sponsor is the person affiliated with the Department of Defense or other Federal agency who takes responsibility for verifying and authorizing the applicant's need for an ID card. Applicants for a CAC must be sponsored by a government official or employee.
(2) Registration and enrollment. Sponsorship and enrollment information on the ID card applicant shall be registered in DEERS prior to card issuance.
(3) Background investigation. A background investigation is required for those individuals eligible for a CAC. A background investigation is not currently required for those eligible for other forms of DoD ID cards. Sponsored CAC applicants shall not be issued a CAC without the required background investigation stipulated in Federal Information Processing Standards Publication 2011. Applicants that have been denied a CAC based on an unfavorable adjudication of the background investigation may submit an appeal in accordance with DoD 5200.2R.
(4) Identity and eligibility verification. Identity and eligibility verification shall be completed at a RAPIDS workstation. Verifying Officials (VOs) shall inspect identity and eligibility documentation and RAPIDS shall authenticate individuals to ensure that ID cards are provided only to those sponsored and with a current affiliation with the Department of Defense. RAPIDS shall also capture uniquely identifying characteristics that bind an individual to the information maintained on that individual in DEERS and to the ID card issued by RAPIDS. These characteristics may include, but are not limited to, digital photographs and fingerprints.
(5) Issuance. ID cards shall be issued at the RAPIDS workstation after all sponsorship, enrollment and registration, background investigation (CAC only), and identity and eligibility verification requirements have been satisfied.
(6) Use and maintenance. ID cards shall be used as proof of identity and DoD affiliation to facilitate access to DoD facilities and systems. Additionally, ID cards shall represent authorization for entitled benefits and privileges in accordance with DoD policies. (7) Retrieval and revocation. ID cards shall be retrieved by the sponsor or sponsoring organization when the ID card has expired, when it is damaged or compromised, or when the card holder is no longer affiliated with the Department of Defense or no longer meets the eligibility requirements for the card. The active status of an ID card shall be revoked within the DEERS and RAPIDS infrastructure and, for CAC, the PKI certificates on the CAC shall be revoked.
(c) Guidelines and restrictions. The guidelines and restrictions in this paragraph (c) apply to all forms of DoD ID cards.
(1) Any person willfully altering, damaging, lending,
counterfeiting, or using these cards in any unauthorized manner is subject to fine or imprisonment or both, as prescribed in 18 U.S.C. 499, 506, 509, 701, and 1001. Section 701 prohibits photographing or otherwise reproducing or possessing DoD ID cards in an unauthorized manner, under penalty of fine or imprisonment or both. Unauthorized or fraudulent use of ID cards would exist if bearers used the card to obtain benefits and privileges to which they are not entitled. Photocopying of DoD ID cards to facilitate medical care processing, check cashing, voting, tax matters, the Servicemember's Civil Relief Act, or administering other militaryrelated benefits to eligible beneficiaries are examples of authorized photocopying. When possible, the ID card will be electronically authenticated in lieu of photographing the card.
(2) Treaties, statusofforces agreements (SOFAs), or military base agreements in overseas areas may place limitations on the logistical support that otherwise might be available to eligible personnel. SOFAs with foreign countries may limit the use of commissary or exchange facilities to persons who are stationed or performing temporary duty with the host nation under official orders in support of the mutual defense mission. ID cards shall not be issued for the sole purpose of implementing restrictions under SOFAs. ID cards shall be issued in accordance with this part and the uniformed services shall use other means, such as ration cards, to implement restrictions under SOFAs as required.
(3) All ID cards are property of the U.S. Government and shall be returned upon separation, resignation, firing, termination of contract or affiliation with the Department of Defense, or upon any other event in which the individual no longer requires the use of such ID card. (4) ID cards that are expired, invalidated, stolen, lost, or otherwise suspected of potential or actual unauthorized use shall have the status of the cards revoked in DEERS and, for CACs, have the PKI certificates immediately revoked to prevent any unauthorized use. (5) There are instances where graphical representations of ID cards are necessary to facilitate the DoD mission. When used and/or distributed, the replicas must not be the same size as the ID card, must have the word ``SAMPLE'' written on them, and shall not contain an individual's PII. All sample ID cards must be maintained in a controlled environment and shall not serve as a valid ID.
(6) Individuals within the Department of Defense who have multiple personnel category codes (e.g., an individual who is both a reservist and a contractor) shall be issued a separate ID card in each personnel category for which they are eligible. Multiple current ID cards of the same form (e.g., CAC) shall not be issued or exist for an individual under a single personnel category code.
(7) ID cards shall not be amended, modified, or overprinted by any means.
No stickers or other adhesive materials are to be placed on either side of an ID card. Holes shall not be punched into ID cards, except when a CAC has been requested by the next of kin for an individual who has perished in the line of duty. A CAC provided to next of kin shall have the status of the card revoked in DEERS, have the certificates revoked, and have a hole punched through the integrated circuit chip prior to release of the CAC to the next of kin.
(8) An ID card shall be in the personal custody of the individual to whom it was issued at all times. If required by military authority, it shall be surrendered for ID or investigation.
(d) CAC migration to Federal PIV requirements. The Department of Defense is currently migrating the CAC to meet the Federal requirements for credentialing contained within FIPS Publication 2011 and Homeland Security Presidential Directive 12. Migration will take place over multiple years as the card issuance hardware, software, and supporting systems and processes are upgraded. Successful migration will require coordination and collaboration within and among all CAC communities (e.g., personnel security, operational security, industrial security, information security, physical security, and information technology). The following organizations will support the migration in conjunction with the responsibilities listed in Sec. 161.3:
(1) The DMDC shall:
(i) Procure and distribute CAC consumables, including card stock, electromagnetically opaque sleeves, and printer supplies, commensurate with funding received from the DoD Components.
(ii) In coordination with the Office of the Under Secretary of Defense for Policy (OUSD(P)), establish an electronic process for securing CAC eligibility information on foreign government military, employee, or contract support personnel whose visit status and background investigation has been confirmed, documented, and processed by OUSD(P) according to DoDD 5230.20 (see http://www.dtic.mil/whs/ directives/corres/pdf/523020p.pdf).
(iii) In accordance with DoD Directive 5400.11, electronically capture and store source documents in the identity proofing process at the accession points for eligible ID card holders
(iv) Implement modifications to the CAC applets and interfaces, add contactless capability to the CAC platform, and, in accordance with DoD 5400.11R, implement modifications to the CAC topology to support compliance with FIPS Publication 2011.
(v) Establish and implement procedures for capturing biometrics required to support CAC issuance, which includes fingerprints and facial images specified in FIPS Publication 2011 and National Institute of Standards and Technology Special Publication 800761, ``Biometric Data Specification for Personal Identity Verification'' (see http://csrc.nist.gov/publications/nistpubs/800761/SP800761_ 012407.pdf).
(vi) In coordination with the Executive Manager for DoD Biometrics and the Office of the USD(AT&L), implement the capability to obtain two segmented images (primary and secondary) fingerprint minutia from the full 10print fingerprints captured as part of the initial background investigation process for CAC issuance.
(vii) Maintain a capability for a CAC holder to reset or unlock PINs from a system outside of the CAC issuance infrastructure. (2) The Executive Manager for DoD Biometrics shall:
(i) Establish biometric standards for the collection, storage, capture, and subsequent transmittal of biometric information in accordance with DoDD 8521.01E, ``Department of Defense Biometrics'' (see http://www.dtic.mil/whs/directives/corres/pdf/852101p.pdf). (ii) In coordination with the Offices of the USD(P&R) and USD(I) and the DoD Components, establish capability for biometric capture and enrollment operations to support CAC issuance in accordance with DoD 5400.11R and National Institute of Standards and Technology Special Publication 800761.
(3) The Identity Protection and Management Senior Coordinating Group shall:
(i) Monitor the CAC and identity management related activities outlined within this part in accordance with DoDD 1000.25.
(ii) Maintain a configuration management process for the CAC and its related components to monitor DoD compliance with FIPS Publication 2011.
Dated: July 26, 2010.
Patricia L. Toppings,
OSD Federal Register Liaison Officer, Department of Defense. [FR Doc. 201019315 Filed 8510; 8:45 am]
BILLING CODE 500106P
FOR FURTHER INFORMATION CONTACT
Chris Fagan at 703-696-0848.