(a) The DoD ID card life cycle shall be supported by an infrastructure that is predicated on a systems-based model for credentialing as described in FIPS Publication 201-2. Paragraphs (a)(1) through (7) of this section represent the baseline requirements for the life cycle of all DoD ID cards. The specific procedures and sequence of order for these items will vary based on the applicant's employment status or affiliation with the DoD and the type of ID card issued. Detailed procedures of the ID card life cycle for each category of applicant and type of ID card shall be provided by the responsible agency.
(1) Sponsorship and eligibility. Sponsorship shall incorporate the processes for confirming eligibility for an ID card. The sponsor is the person affiliated with the DoD or other Federal agency who takes responsibility for verifying and authorizing the applicant's need for an ID card. Applicants for a CAC must be sponsored by a DoD government official or employee.
(2) Registration and enrollment. Sponsorship and enrollment information on the ID card applicant shall be registered in DEERS prior to card issuance.
(3) Background investigation. Background investigation is required for those individuals eligible for a CAC. A background investigation is not currently required for those eligible for other forms of DoD ID cards. Sponsored CAC applicants shall not be issued a CAC without a favorably adjudicated background investigation stipulated in FIPS Publication 201-2. Applicants that have been denied a CAC based on an unfavorable adjudication of the background investigation may submit an appeal in accordance with FIPS Publication 201-2 and Office of Personnel Management Memorandum, “Final Credentialing Standards for Issuing Personal Identity Verification Cards under HSPD-12.”
(4) Identity and eligibility verification. Identity and eligibility verification shall be completed at a RAPIDS workstation. Verifying officials (VOs) shall inspect identity and eligibility documentation and RAPIDS shall authenticate individuals to ensure that ID cards are provided only to those sponsored and with a current affiliation with the DoD. RAPIDS shall also capture uniquely identifying characteristics that bind an individual to the information maintained on that individual in DEERS and to the ID card issued by RAPIDS. These characteristics may include, but are not limited to, digital photographs and fingerprints.
(5) Issuance. ID cards shall be issued at the RAPIDS workstation after all sponsorship, enrollment and registration, background investigation (CAC only), and identity and eligibility verification requirements have been satisfied.
(6) Use and maintenance. ID cards shall be used as proof of identity and DoD affiliation to facilitate access to DoD facilities and systems. Additionally, ID cards shall represent authorization for entitled benefits and privileges in accordance with DoD policies.
(7) Retrieval and revocation. ID cards shall be retrieved by the sponsor or sponsoring organization when the ID card has expired, when it is damaged or compromised, or when the card holder is no longer affiliated with the DoD or no longer meets the eligibility requirements for the card. The active status of an ID card shall be revoked within the DEERS and RAPIDS infrastructure and the PKI certificates on the CAC shall be revoked.
(b) The guidelines and restrictions of this paragraph apply to all forms of DoD ID cards.
(1) Any person willfully altering, damaging, lending, counterfeiting, or using these cards in any unauthorized manner is subject to fine or imprisonment or both, as prescribed in 18 U.S.C. 499, 506, 509, 701, and 1001. Section 701 of 18 U.S.C. prohibits photographing or otherwise reproducing or possessing DoD ID cards in an unauthorized manner, under penalty of fine or imprisonment or both. Unauthorized or fraudulent use of ID cards would exist if bearers used the card to obtain benefits and privileges to which they are not entitled. Examples of authorized photocopying include photocopying of DoD ID cards to facilitate medical care processing, check cashing, voting, tax matters, compliance with 50 U.S.C. appendix 501 (also known as “The Service member's Civil Relief Act”), or administering other military-related benefits to eligible beneficiaries. When possible, the ID card will be electronically authenticated in lieu of photographing the card.
(2) International agreements (including status-of-forces agreements) and host-nation law may limit and/or define the types of support available to personnel in overseas areas. Although an ID card may be used to verify eligibility in the United States for access to, for example, commissary or exchange facilities, the use of such facilities overseas may be limited to persons who are stationed or performing temporary duty in a foreign country under official orders in support of a mutual defense mission with the host nation. ID cards shall be issued only for the purposes identified in and in accordance with this Instruction, and the Heads of the DoD Components shall use other means, such as ration cards, to implement provisions in international agreements or to prevent violations of applicable host-nation law. ID cards shall not be issued for the sole purpose of implementing provisions of international agreements or restrictions based on applicable host-nation law.
(3) All ID cards are property of the U.S. Government and shall be returned upon separation, resignation, firing, termination of contract or affiliation with the DoD, or upon any other event in which the individual no longer requires the use of such ID card.
(4) To prevent any unauthorized use, ID cards that are expired, invalidated, stolen, lost, or otherwise suspected of potential or actual unauthorized use shall be revoked in DEERS along with the PKI certificates on the CACs immediately revoked.
(5) There are instances where graphical representations of ID cards are necessary to facilitate the DoD mission. When used and distributed, the replicas must not be the same size as the ID card, must have the word “SAMPLE” written on them, and shall not contain an individual's PII. All SAMPLE ID cards must be maintained in a controlled environment and shall not serve as a valid ID.
(6) Individuals within the DoD who have multiple personnel category codes (e.g., an individual who is both a reservist and a contractor) shall be issued a separate ID card in each personnel category for which they are eligible. Multiple current ID cards of the same form (e.g., CAC) shall not be issued or exist for an individual under a single personnel category code.
(7) ID cards shall not be amended, modified, or overprinted by any means. No stickers or other adhesive materials are to be placed on either side of an ID card. Holes shall not be punched into ID cards, except when a CAC has been requested by the next of kin for an individual who has perished in the line of duty. A CAC provided to next of kin shall have the status of the card revoked in DEERS, have the certificates revoked, and have a hole punched through the integrated circuit chip before it is released to the next of kin.
(8) An ID card shall be in the personal custody of the individual to whom it was issued at all times. If required by military authority, it shall be surrendered for ID or investigation.
(c) CAC migration to Federal PIV requirements. The DoD is migrating the CAC to meet the Federal requirements for credentialing contained within Homeland Security Presidential Directive 12 and FIPS Publication 201-2. Migration will take place over multiple years as the card issuance hardware, software, and supporting systems and processes are upgraded. Successful migration will require coordination and collaboration within and among all CAC communities (e.g., personnel security, operational security, industrial security, information security, physical security, and information technology). The organizations listed in this section will support the migration in conjunction with the responsibilities listed in § 161.5:
(1) The Director, DMDC shall:
(i) Procure and distribute CAC consumables, including card stock, electromagnetically opaque sleeves, and printer supplies, commensurate with funding received from the DoD Components.
(ii) In coordination with the Office of the Under Secretary of Defense for Policy, establish an electronic process for securing CAC eligibility information on foreign government military, employee, or contract support personnel whose visit status and background investigation has been confirmed, documented, and processed in accordance with DoD Directive 5230.20, “Visits and Assignments of Foreign Nationals” (available at http://www.dtic.mil/whs/directives/corres/pdf/523020p.pdf).
(iii) In accordance with FIPS Publication 201-2, electronically capture and store source documents in the identity-proofing process at the accession points for eligible ID card holders.
(iv) Implement modifications to the CAC applets and interfaces, add contactless capability to the CAC platform and implement modifications to the CAC topology to support compliance with FIPS Publication 201-2.
(v) Establish and implement procedures for capturing biometrics required to support CAC issuance, which includes fingerprints and facial images specified in FIPS Publication 201-2 and National Institute of Standards and Technology Special Publication 800-76-1, “Biometric Data Specification for Personal Identity Verification” (available at http://csrc.nist.gov/publications/nistpubs/800-76-1/SP800-76-1_012407.pdf).
(vi) In coordination with the Executive Manager for DoD Biometrics and the Office of the USD(AT&L), implement the capability to obtain two segmented images (primary and secondary) fingerprint minutiae from the full 10-print fingerprints captured as part of the initial background investigation process for CAC issuance.
(vii) Maintain a capability for a CAC holder to reset or unlock PINs from a system outside of the CAC issuance infrastructure.
(2) The Executive Manager for DoD Biometrics, as appointed by the Secretary of the Army as DoD Executive Agent for DoD Biometrics in accordance with DoD Directive 8521.01E, “Department of Defense Biometrics” (available at http://www.dtic.mil/whs/directives/corres/pdf/852101p.pdf), shall:
(i) Establish biometric standards for collection, storage, and subsequent transmittal of biometric information in accordance with DoD Directive 8521.01E (available at http://www.dtic.mil/whs/directives/corres/pdf/852101p.pdf).
(ii) In coordination with the USD(P&R), the USD(I), and the Heads of the DoD Components, establish capability for biometric collection and enrollment operations to support CAC issuance in accordance with 32 CFR part 310 and National Institute of Standards and Technology Special Publication 800-76-1 (available at http://csrc.nist.gov/publications/nistpubs/800-76-1/SP800-76-1_012407.pdf).
(3) The Identity Protection and Management Senior Coordinating Group shall:
(i) Monitor the CAC and identity management related activities outlined within this Instruction in accordance with DoD Instruction 1000.25 (available at http://www.dtic.mil/whs/directives/corres/pdf/100025p.pdf).
(ii) Maintain a configuration management process for the CAC and its related components to monitor DoD compliance with FIPS Publication 201-2.
[79 FR 709, Jan. 6, 2014, as amended at 81 FR 74878, Oct. 27, 2016]