[Federal Register Volume 75, Number 151 (Friday, August 6, 2010)]
[Proposed Rules]
[Pages 47515-47519]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2010-19315]


-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Office of the Secretary

32 CFR Part 161

[Docket ID: DOD-2009-OS-0184]
RIN 0790-AI61


Identification (ID) Cards for Members of the Uniformed Services, 
Their Dependents, and Other Eligible Individuals

AGENCY: Office of the Under Secretary of Defense for Personnel and 
Readiness, DoD.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: The Department of Defense (DoD) proposes to establish policy, 
assign responsibilities, and provide procedures for the issuing of 
distinct DoD ID cards. The ID cards shall be issued to uniformed 
service members, their dependents, and other eligible individuals and 
will be used as proof of identity and DoD affiliation.

DATES: Comments must be received by October 5, 2010.

ADDRESSES: You may submit comments, identified by docket number and/or 
RIN number and title, by any of the following methods:
     Federal Rulemaking Portal: http://www.regulations.gov. 
Follow the instructions for submitting comments.
     Mail: Federal Docket Management System Office, 1160 
Defense Pentagon, Washington, DC 20301-1160.

[[Page 47516]]

    Instructions: All submissions received must include the agency name 
and docket number or Regulatory Information Number (RIN) for this 
Federal Register document. The general policy for comments and other 
submissions from members of the public is to make these submissions 
available for public viewing on the Internet at http://www.regulations.gov as they are received without change, including any 
personal identifiers or contact information.

FOR FURTHER INFORMATION CONTACT: Chris Fagan at 703-696-0848.

SUPPLEMENTARY INFORMATION:

Regulatory Procedures

Executive Order 12866, ``Regulatory Planning and Review''

    It has been certified that 32 CFR part 161 does not:
    (1) Have an annual effect on the economy of $100 million or more or 
adversely affect in a material way the economy; a section of the 
economy; productivity; competition; jobs; the environment; public 
health or safety; or State, local, or Tribal governments or 
communities;
    (2) Create a serious inconsistency or otherwise interfere with an 
action taken or planned by another Agency;
    (3) Materially alter the budgetary impact of entitlements, grants, 
user fees, or loan programs, or the rights and obligations of 
recipients thereof; or
    (4) Raise novel legal or policy issues arising out of legal 
mandates, the President's priorities, or the principles set forth in 
this Executive Order.

Sec. 202, Public Law 104-4, ``Unfunded Mandates Reform Act''

    It has been certified that 32 CFR part 161 does not contain a 
Federal mandate that may result in expenditure by State, local and 
Tribal governments, in aggregate, or by the private sector, of $100 
million or more in any one year.

Public Law 96-354, ``Regulatory Flexibility Act'' (5 U.S.C. 601)

    It has been certified that 32 CFR part 161 is not subject to the 
Regulatory Flexibility Act (5 U.S.C. 601) because it would not, if 
promulgated, have a significant economic impact on a substantial number 
of small entities.

Public Law 96-511, ``Paperwork Reduction Act'' (44 U.S.C. Chapter 35)

    It has been certified that 32 CFR part 161 does impose reporting or 
recordkeeping requirements under the Paperwork Reduction Act of 1995.

Executive Order 13132, ``Federalism''

    It has been certified that 32 CFR part 161 does not have federalism 
implications, as set forth in Executive Order 13132. This rule does not 
have substantial direct effects on:
    (1) The States;
    (2) The relationship between the National Government and the 
States; or
    (3) The distribution of power and responsibilities among the 
various levels of Government.

List of Subjects in 32 CFR Part 161

    Administrative practice and procedure, Armed forces, Military 
personnel, National defense, Privacy, Security measures.

    Accordingly, 32 CFR part 161 is proposed to be added to subchapter 
F to read as follows:

SUBCHAPTER F--SECURITY

PART 161--IDENTIFICATION (ID) CARDS FOR MEMBERS OF THE UNIFORMED 
SERVICES, THEIR DEPENDENTS, AND OTHER ELIGIBLE INDIVIDUALS

Sec.
161.1 Purpose.
161.2 Applicability.
161.3 Policy.
161.4 Responsibilities.
161.5 Procedures.

    Authority: 18 U.S.C. 499, 506, 509, 701, 1001.

PART 161--IDENTIFICATION (ID) CARDS FOR MEMBERS OF THE UNIFORMED 
SERVICES, THEIR DEPENDENTS, AND OTHER ELIGIBLE INDIVIDUALS


Sec.  161.1  Purpose.

    This part establishes policy, assigns responsibilities, and 
provides procedures for the issuing of distinct DoD ID cards. The ID 
cards shall be issued to uniformed service members, their dependents, 
and other eligible individuals and will be used as proof of identity 
and DoD affiliation.


Sec.  161.2  Applicability.

    This part applies to:
    (a) OSD, the Military Departments (including the Coast Guard at all 
times, including when it is a Service in the Department of Homeland 
Security by agreement with that Department), the Office of the Chairman 
of the Joint Chiefs of Staff and the Joint Staff, the Combatant 
Commands, the Office of the Inspector General of the Department of 
Defense, the Defense Agencies, the DoD Field Activities, and all other 
organizational entities within the Department of Defense (hereafter 
referred to collectively as the ``DoD Components'').
    (b) The Commissioned Corps of the U.S. Public Health Service, under 
agreement with the Department of Health and Human Services, and the 
National Oceanic and Atmospheric Administration, under agreement with 
the Department of Commerce.


Sec.  161.3  Policy.

    It is DoD policy that a distinct DoD ID card shall be issued to 
uniformed service members, their dependents, and other eligible 
individuals and will be used as proof of identity and DoD affiliation.


Sec.  161.4  Responsibilities.

    (a) The USD(P&R) shall:
    (1) Establish minimum acceptable criteria for establishment and 
confirmation of personal identity, policy for the issuance of the DoD 
enterprise personnel identity credentials, and approval of additional 
systems under the Personnel Identity Protection (PIP) Program in 
accordance with DoDD 1000.25, ``DoD Personnel Identity Protection (PIP) 
Program'' (see http://www.dtic.mil/whs/directives/corres/pdf/100025p.pdf).
    (2) Act as the Principal Staff Assistant (PSA) for the Defense 
Enrollment Eligibility Reporting System (DEERS), the Real-Time 
Automated Personnel Identification System (RAPIDS), and the Personnel 
Identity Protection (PIP) Program in accordance with DoDD 1000.25.
    (3) Maintain the DEERS data system in support of the Department of 
Defense and applicable legislation and directives.
    (4) Develop and field the required RAPIDS infrastructure and all 
elements of field support to issue ID cards including but not limited 
to software distribution, hardware procurement and installation, on-
site and depot-level hardware maintenance, on-site and Web-based user 
training and central telephone center support, and telecommunications 
engineering and network control center assistance.
    (5) In coordination with the Under Secretary of Defense for 
Intelligence (USD(I)), Assistant Secretary of Defense for Networks and 
Information Integration/DoD Chief Information Officer (ASD(NII)/DoD 
CIO), and the Under Secretary of Defense for Acquisition, Technology, 
and Logistics (USD(AT&L)), establish policy and oversight for common 
access card (CAC) life-cycle compliance with Federal Information 
Processing Standards (FIPS) Publication 201-1, ``Personal Identity 
Verification (PIV) of Federal Employees and Contractors'' (http://
csrc.nist.gov/

[[Page 47517]]

publications/fips/fips201-1/FIPS-201-1-chng1.pdf).
    (b) The Assistant Secretary of Defense for Health Affairs 
(ASD(HA)), under the authority, direction, and control of the USD(P&R), 
shall develop overall policy and establish procedures for providing 
medical care through the Military Health System to authorized 
beneficiaries and eliminate fraud, waste, and abuse in the provision of 
medical benefits.
    (c) The Assistant Secretary of Defense for Reserve Affairs 
(ASD(RA)), under the authority, direction, and control of the USD(P&R), 
shall develop policies and establish guidance for the National Guard 
and Reserve Component communities that impact benefits, entitlements, 
identity, and ID cards.
    (d) The Deputy Under Secretary of Defense for Military Community 
and Family Policy (DUSD(MC&FP)), under the authority, direction, and 
control of the USD(P&R), shall develop policy and procedures to 
determine eligibility for access to DoD programs for morale, welfare, 
and recreation; commissaries; exchanges; lodging; children and youth; 
DoD schools; family support; voluntary and post-secondary education; 
and other military community and family benefits that impact identity 
and ID cards.
    (e) The Director, Defense Human Resources Activity, under the 
authority, direction, and control of the USD(P&R), shall, in accordance 
with DoDD 1000.25:
    (1) Develop policies and procedures for the oversight, funding, 
personnel staffing, direction, and functional management of the PIP 
Program.
    (2) Coordinate with the Principal Deputy Under Secretary of Defense 
for Personnel and Readiness, the ASD(HA), and the ASD(RA) on changes to 
enrollment and eligibility policy and procedures pertaining to 
personnel, medical, and dental issues that impact the PIP Program.
    (3) Develop policies and procedures to support the functional 
requirements of the PIP Program, DEERS, and the DEERS client 
applications.
    (4) Secure funding in support of new requirements to support the 
PIP Program or the enrollment and eligibility functions of DEERS and 
RAPIDS.
    (5) Approve the addition or elimination of population categories 
eligible for ID cards in accordance with applicable law.
    (6) Establish the type and form of ID card issued to eligible 
population categories and administer pilot programs to determine the 
suitable form of ID card for newly identified populations.
    (f) The USD(AT&L) shall:
    (1) Issue regulatory coverage for CAC and Homeland Security 
Presidential Directive 12, ``Policy for a Common Identification 
Standard for Federal Employees and Contractors'' (see http://www.cac.mil/assets/pdfs/HSPD_12.pdf) for contracts.
    (2) Communicate Homeland Security Presidential Directive 12 
requirements to the DoD acquisition community.
    (3) Ensure that the requirement for contractors to return CACs at 
the completion or termination of each individual's support on a 
specific contract is included in all applicable contracts.
    (g) The USD(I) shall:
    (1) Establish policy for the use of ID cards for physical access 
purposes in accordance with DoD 5200.08-R.
    (2) Establish policy for military, civilian, and contractor 
employee background investigation, submission, and adjudication across 
the Department of Defense, in compliance with Homeland Security 
Presidential Directive 12 and in accordance with DoD 5200.2-R.
    (h) The ASD(NII)/DoD CIO shall:
    (1) In coordination with the USD(I), USD(P&R), and USD(AT&L), 
establish policy and oversight for CAC life-cycle compliance with FIPS 
Publication 201-1.
    (2) Provide guidance to DoD information systems administrators 
regarding use of non-DoD identification credentials, including the 
Federal PIV cards, for authenticating to DoD network accounts and DoD 
private Web sites.
    (3) Ensure that the DoD public key infrastructure conforms to all 
applicable FIPS to the greatest extent possible.
    (i) The Assistant Secretary of Defense for Homeland Defense and 
Americas' Security Affairs (ASD(HD&ASA)), under the authority, 
direction, and control of the Under Secretary for Policy (USD(P)), 
shall facilitate force protection activities with the law enforcement 
community.
    (j) The Heads of the DoD Components, the Director, USPHS, and the 
Director, NOAA shall:
    (1) Develop and implement Component-level procedures for DoD 
directed policies or legislative requirements to support benefits 
eligibility through DEERS.
    (2) Develop and implement Component-level ID card life-cycle 
procedures to comply with the provisions of this part.
    (3) Ensure all DoD employees, Military Service members, and all 
other eligible CAC applicants, to include contract support and other 
affiliate CAC applicants, have met the background investigation 
requirements in paragraph (b)(3) of this section prior to approving CAC 
sponsorship and registration. Background investigation status must be 
verified and documented by the sponsor or sponsoring organization in 
conjunction with application for CAC issuance.
    (4) Establish processes and procedures as part of the normal check-
in and check-out process for collection of the CAC for all categories 
of DoD personnel when there is a separation, retirement, termination, 
contract termination or expiration, or CAC revocation. Since CACs 
contain personally identifiable information (PII), they shall be 
treated and controlled in accordance with DoD 5400.11-R, ``Department 
of Defense Privacy Program'' (see http://www.dtic.mil/whs/directives/corres/pdf/540011r.pdf) and DoD 5200.1-R, ``Information Security 
Program'' (see http://www.dtic.mil/whs/directives/corres/pdf/520001r.pdf). These cards shall be returned to any RAPIDS issuance 
location for proper disposal in a timely manner once surrendered by the 
CAC holder.
    (5) Provide appropriate space and staffing for ID card issuing 
operations, as well as reliable telecommunications to and from the 
Defense Information Systems Agency managed Non-Secure Internet Protocol 
Router Network.
    (6) Provide funding for CAC cardstock, printer consumables, and 
electromagnetically opaque sleeves to Defense Manpower Data Center 
(DMDC).
    (7) Protect cardstock and consumables in accordance with the 
guidelines and standards maintained by DMDC.
    (8) In accordance with FIPS Publication 201-1, provide 
electromagnetic opaque sleeves or other comparable technologies to 
protect against any unauthorized contactless access to the cardholder 
unique identification number stored on the CAC.
    (9) Manage the distribution and locations of DoD Component-specific 
CAC personal identification number (PIN) reset workstations.
    (10) To the maximum extent possible, and in accordance with DoD 
Components' designated approving authority guidelines, ensure networked 
workstations are properly configured and available for CAC holders to 
use the User Maintenance Portal-Post Issuance Portal service.
    (11) Oversee supervision of Contractor Verification System trusted 
agents (TAs) and trusted agent security managers and ensure the number 
of contractors overseen by any TA is manageable.

[[Page 47518]]

Sec.  161.5  Procedures.

    (a) ID cards. (1) DoD ID cards shall serve as the Geneva Convention 
Card for eligible personnel in accordance with DoDI 1000.1, ``Identity 
Cards Required by the Geneva Conventions'' (http://www.dtic.mil/whs/directives/corres/pdf/100001p.pdf).
    (2) DoD ID cards shall be issued through a secure and authoritative 
process to ensure that access to DoD physical and logical assets is 
granted based on authenticated and secure identity information in 
accordance with DoDD 1000.25.
    (3) The CAC, a form of DoD ID card, shall serve as the Federal PIV 
card for DoD implementation of Homeland Security Presidential Directive 
12.
    (4) ID cards, in a form distinct from the CAC, shall be issued and 
will serve as proof of identity and DoD affiliation for eligible 
communities that do not require the Federal PIV card that complies with 
FIPS Publication 201-1 and Homeland Security Presidential Directive 12.
    (b) ID card life cycle. The ID card life cycle shall be supported 
by an infrastructure that is predicated on a systems-based model for 
credentialing as described in FIPS Publication 201-1. Paragraphs (b)(1) 
through (7) of this section represent the baseline requirements for the 
ID card life cycle. The specific procedures and sequence of order for 
these items will vary based on the applicant's employment status or 
affiliation with the Department of Defense and the type of ID card 
issued. Detailed procedures of the ID card life cycle for each category 
of applicant and type of ID card shall be provided by the responsible 
agency.
    (1) Sponsorship and eligibility. Sponsorship shall incorporate the 
processes for confirming eligibility for an ID card. The sponsor is the 
person affiliated with the Department of Defense or other Federal 
agency who takes responsibility for verifying and authorizing the 
applicant's need for an ID card. Applicants for a CAC must be sponsored 
by a government official or employee.
    (2) Registration and enrollment. Sponsorship and enrollment 
information on the ID card applicant shall be registered in DEERS prior 
to card issuance.
    (3) Background investigation. A background investigation is 
required for those individuals eligible for a CAC. A background 
investigation is not currently required for those eligible for other 
forms of DoD ID cards. Sponsored CAC applicants shall not be issued a 
CAC without the required background investigation stipulated in Federal 
Information Processing Standards Publication 201-1. Applicants that 
have been denied a CAC based on an unfavorable adjudication of the 
background investigation may submit an appeal in accordance with DoD 
5200.2-R.
    (4) Identity and eligibility verification. Identity and eligibility 
verification shall be completed at a RAPIDS workstation. Verifying 
Officials (VOs) shall inspect identity and eligibility documentation 
and RAPIDS shall authenticate individuals to ensure that ID cards are 
provided only to those sponsored and with a current affiliation with 
the Department of Defense. RAPIDS shall also capture uniquely 
identifying characteristics that bind an individual to the information 
maintained on that individual in DEERS and to the ID card issued by 
RAPIDS. These characteristics may include, but are not limited to, 
digital photographs and fingerprints.
    (5) Issuance. ID cards shall be issued at the RAPIDS workstation 
after all sponsorship, enrollment and registration, background 
investigation (CAC only), and identity and eligibility verification 
requirements have been satisfied.
    (6) Use and maintenance. ID cards shall be used as proof of 
identity and DoD affiliation to facilitate access to DoD facilities and 
systems. Additionally, ID cards shall represent authorization for 
entitled benefits and privileges in accordance with DoD policies.
    (7) Retrieval and revocation. ID cards shall be retrieved by the 
sponsor or sponsoring organization when the ID card has expired, when 
it is damaged or compromised, or when the card holder is no longer 
affiliated with the Department of Defense or no longer meets the 
eligibility requirements for the card. The active status of an ID card 
shall be revoked within the DEERS and RAPIDS infrastructure and, for 
CAC, the PKI certificates on the CAC shall be revoked.
    (c) Guidelines and restrictions. The guidelines and restrictions in 
this paragraph (c) apply to all forms of DoD ID cards.
    (1) Any person willfully altering, damaging, lending, 
counterfeiting, or using these cards in any unauthorized manner is 
subject to fine or imprisonment or both, as prescribed in 18 U.S.C. 
499, 506, 509, 701, and 1001. Section 701 prohibits photographing or 
otherwise reproducing or possessing DoD ID cards in an unauthorized 
manner, under penalty of fine or imprisonment or both. Unauthorized or 
fraudulent use of ID cards would exist if bearers used the card to 
obtain benefits and privileges to which they are not entitled. 
Photocopying of DoD ID cards to facilitate medical care processing, 
check cashing, voting, tax matters, the Servicemember's Civil Relief 
Act, or administering other military-related benefits to eligible 
beneficiaries are examples of authorized photocopying. When possible, 
the ID card will be electronically authenticated in lieu of 
photographing the card.
    (2) Treaties, status-of-forces agreements (SOFAs), or military base 
agreements in overseas areas may place limitations on the logistical 
support that otherwise might be available to eligible personnel. SOFAs 
with foreign countries may limit the use of commissary or exchange 
facilities to persons who are stationed or performing temporary duty 
with the host nation under official orders in support of the mutual 
defense mission. ID cards shall not be issued for the sole purpose of 
implementing restrictions under SOFAs. ID cards shall be issued in 
accordance with this part and the uniformed services shall use other 
means, such as ration cards, to implement restrictions under SOFAs as 
required.
    (3) All ID cards are property of the U.S. Government and shall be 
returned upon separation, resignation, firing, termination of contract 
or affiliation with the Department of Defense, or upon any other event 
in which the individual no longer requires the use of such ID card.
    (4) ID cards that are expired, invalidated, stolen, lost, or 
otherwise suspected of potential or actual unauthorized use shall have 
the status of the cards revoked in DEERS and, for CACs, have the PKI 
certificates immediately revoked to prevent any unauthorized use.
    (5) There are instances where graphical representations of ID cards 
are necessary to facilitate the DoD mission. When used and/or 
distributed, the replicas must not be the same size as the ID card, 
must have the word ``SAMPLE'' written on them, and shall not contain an 
individual's PII. All sample ID cards must be maintained in a 
controlled environment and shall not serve as a valid ID.
    (6) Individuals within the Department of Defense who have multiple 
personnel category codes (e.g., an individual who is both a reservist 
and a contractor) shall be issued a separate ID card in each personnel 
category for which they are eligible. Multiple current ID cards of the 
same form (e.g., CAC) shall not be issued or exist for an individual 
under a single personnel category code.
    (7) ID cards shall not be amended, modified, or overprinted by any 
means.

[[Page 47519]]

No stickers or other adhesive materials are to be placed on either side 
of an ID card. Holes shall not be punched into ID cards, except when a 
CAC has been requested by the next of kin for an individual who has 
perished in the line of duty. A CAC provided to next of kin shall have 
the status of the card revoked in DEERS, have the certificates revoked, 
and have a hole punched through the integrated circuit chip prior to 
release of the CAC to the next of kin.
    (8) An ID card shall be in the personal custody of the individual 
to whom it was issued at all times. If required by military authority, 
it shall be surrendered for ID or investigation.
    (d) CAC migration to Federal PIV requirements. The Department of 
Defense is currently migrating the CAC to meet the Federal requirements 
for credentialing contained within FIPS Publication 201-1 and Homeland 
Security Presidential Directive 12. Migration will take place over 
multiple years as the card issuance hardware, software, and supporting 
systems and processes are upgraded. Successful migration will require 
coordination and collaboration within and among all CAC communities 
(e.g., personnel security, operational security, industrial security, 
information security, physical security, and information technology). 
The following organizations will support the migration in conjunction 
with the responsibilities listed in Sec.  161.3:
    (1) The DMDC shall:
    (i) Procure and distribute CAC consumables, including card stock, 
electromagnetically opaque sleeves, and printer supplies, commensurate 
with funding received from the DoD Components.
    (ii) In coordination with the Office of the Under Secretary of 
Defense for Policy (OUSD(P)), establish an electronic process for 
securing CAC eligibility information on foreign government military, 
employee, or contract support personnel whose visit status and 
background investigation has been confirmed, documented, and processed 
by OUSD(P) according to DoDD 5230.20 (see http://www.dtic.mil/whs/directives/corres/pdf/523020p.pdf).
    (iii) In accordance with DoD Directive 5400.11, electronically 
capture and store source documents in the identity proofing process at 
the accession points for eligible ID card holders
    (iv) Implement modifications to the CAC applets and interfaces, add 
contactless capability to the CAC platform, and, in accordance with DoD 
5400.11-R, implement modifications to the CAC topology to support 
compliance with FIPS Publication 201-1.
    (v) Establish and implement procedures for capturing biometrics 
required to support CAC issuance, which includes fingerprints and 
facial images specified in FIPS Publication 201-1 and National 
Institute of Standards and Technology Special Publication 800-76-1, 
``Biometric Data Specification for Personal Identity Verification'' 
(see http://csrc.nist.gov/publications/nistpubs/800-76-1/SP800-76-1_012407.pdf).
    (vi) In coordination with the Executive Manager for DoD Biometrics 
and the Office of the USD(AT&L), implement the capability to obtain two 
segmented images (primary and secondary) fingerprint minutia from the 
full 10-print fingerprints captured as part of the initial background 
investigation process for CAC issuance.
    (vii) Maintain a capability for a CAC holder to reset or unlock 
PINs from a system outside of the CAC issuance infrastructure.
    (2) The Executive Manager for DoD Biometrics shall:
    (i) Establish biometric standards for the collection, storage, 
capture, and subsequent transmittal of biometric information in 
accordance with DoDD 8521.01E, ``Department of Defense Biometrics'' 
(see http://www.dtic.mil/whs/directives/corres/pdf/852101p.pdf).
    (ii) In coordination with the Offices of the USD(P&R) and USD(I) 
and the DoD Components, establish capability for biometric capture and 
enrollment operations to support CAC issuance in accordance with DoD 
5400.11-R and National Institute of Standards and Technology Special 
Publication 800-76-1.
    (3) The Identity Protection and Management Senior Coordinating 
Group shall:
    (i) Monitor the CAC and identity management related activities 
outlined within this part in accordance with DoDD 1000.25.
    (ii) Maintain a configuration management process for the CAC and 
its related components to monitor DoD compliance with FIPS Publication 
201-1.

    Dated: July 26, 2010.
Patricia L. Toppings,
OSD Federal Register Liaison Officer, Department of Defense.
[FR Doc. 2010-19315 Filed 8-5-10; 8:45 am]
BILLING CODE 5001-06-P