NASA Handbook
NHB 1600.6
Effective Date: May 1, 1993
Expiration Date:
Responsible Office: JL / Security, Logistics, & Industrial Relations Division
NASA COMMUNICATIONS SECURITY (COMSEC) MANUAL
PREFACE
The NASA Communications Security (COMSEC) Manual provides basic
information for assignment of individual communications security
responsibilities within NASA. It sets forth minimum standards,
procedures, specifications, and guidelines for safeguarding and
control of COMSEC material in NASA's possession. It expands upon
and further specifies NASA security policy in NMI 1600.2, "NASA
Security Program."
This Manual implements the provisions concerning the National
Policy for the Security of National Security Telecommunications
and Information Systems, dated July 5, 1990, and National
Communications Security Instruction 4005, "Safeguarding and
Control of COMSEC Material," dated October 12, 1979. This Manual
will be used by NASA COMSEC Custodians in place of the National
Security Agency Manual 90-2, "COMSEC Material Control Manual,"
dated October 1989, and will provide core guidance for NASA's
COMSEC operations.
Comments or suggestions concerning this Manual should be
addressed to the Chief, NASA Security Office, Code JIS, NASA
Headquarters, Washington, DC 20546.
This Manual is issued in loose-leaf form and will be revised by
page changes.
Jeffrey E. Sutton
Director, Security, Logistics
and Industrial Relations Division
DISTRIBUTION:
SDL 1 (SIQ)
TABLE OF CONTENTS
CHAPTER 1: INTRODUCTION
100 General
101 Purpose
102 Applicability and Scope
103 References
104 Objectives
105 Definitions
106 Revisions
CHAPTER 2: COMMUNICATIONS SECURITY (COMSEC) MATERIAL CONTROL
200 General
1. Channels of Communication
2. Responsibilities and Organization
201 The COMSEC Account
1. Requirement for a COMSEC Account
2. Request to Establish a COMSEC Account
3. COMSEC Account Approval
4. COMSEC Custodian and Alternate COMSEC Custodian Training
5. Selecting a COMSEC Custodian and Alternate Custodian
6. Duties of the COMSEC Custodian and Alternate Custodian
7. Witness
8. Temporary Absence of the COMSEC Custodian
9. Return of the COMSEC Custodian from Temporary Absence
10. Change of COMSEC Custodian
11. Change of Alternate Custodian
12. Sudden, Indefinite, or Permanent Departure of the COMSEC Custodian
13. Sudden, Indefinite, or Permanent Departure of the Alternate COMSEC Custodian
14. COMSEC Officer, COMSEC/TEMPEST Point of Contact
202 COMSEC Material
1. Short Titles
2. Accounting Numbers
3. Edition
4. CRYPTO Marking
5. Subdivisions of Equipment
203 COMSEC Material Accountability
1. COMSEC Material in the National Security Agency (NSA) COMSEC Material Control System
2. Accounting Legend Code (ALC)
204 COMSEC Material Control
1. Forms, Reports, and Files
2. COMSEC Register File
3. Preparing COMSEC Accounting Reports
4. Receipt of COMSEC Material
5. Procedures for Handling Keying Material
6. Transferring COMSEC Material
7. Military Department Accounting Headquarters
8. Packaging COMSEC Material
9. Authorized Modes of Transportation
10. Shipping Unclassified COMSEC Material
11. Authorized Modes of Transportation for Controlled Cryptographic Item (CCI) Equipment and Components Within CONUS, U.S. Territories and Possessions
12. Hand Receipts
13. Possession Reports
14. Converted COMSEC Material
15. Inventory Report
16. Destruction
17. Accounting for and Entering Amendments to COMSEC Publications
18. Accounting for COMSEC Material Launched into Space
205 Audit of COMSEC Accounts
1. Basis
2. Notification
3. Auditor Access
4. Scope of the Audit
5. Audit Report
206 Closing a COMSEC Account
CHAPTER 3: CONTROLLING AUTHORITIES
300 General
301 Keying Material Source
302 Establishing the Cryptonet and Designating the Controlling Authority
303 NASA Contractors Currently Designated as Controlling Authorities
304 Controlling Authority Responsibilities
1. Cryptonet Management
2. Evaluating COMSEC Incidents
3. Reacting to Incidents
305 Considerations When Establishing a Cryptonet
306 Keying Material Support Plan (KMSP)
307 Contents of the KMSP
308 Annual Reviews of the KMSP
309 Defective Keying Material
CHAPTER 4: COMSEC INFORMATION ACCESS REQUIREMENTS
400 Criteria for Access to COMSEC Information
401 COMSEC Briefing Requirements
CHAPTER 5: TWO-PERSON INTEGRITY/NO-LONE ZONE CONTROLS
500 General
501 Procedures for Handling and Safeguarding TOP SECRET Keying Material
1. Transportation
2. TPI Handling of Packages Received
3. Wrapping TOP SECRET Material
4. Storage
5. Use
6. Record of Combinations
CHAPTER 6: COMSEC INCIDENT REPORTING REQUIREMENTS
600 General
601 Types of COMSEC Incidents
602 Types of Written Reports
603 Reporting Incidents
604 Report Addressing
605 Format and Content of Written COMSEC Incident Reports
CHAPTER 7: ROUTINE DESTRUCTION OF COMSEC MATERIAL
700 General
701 Training Destruction Personnel
702 Routine Destruction Procedures for COMSEC Material
703 Routine Destruction Methods and Standards
704 Approved Routine Destruction Devices
705 Reporting Routine Destruction
CHAPTER 8: SECURE TELECOMMUNICATIONS FACILITIES
800 Physical Security Requirements for Classified and Unattended Keyed CCI Equipment
801 CCI Access Controls
802 Storage Requirements
803 Record of Individuals Having Knowledge of Combinations to Containers Storing Classified COMSEC Material
CHAPTER 9: SECURE TELEPHONE UNIT (STU) III's
900 General
901 Responsibilities
902 STU-III Security Education
903 Protecting CIK's
904 Incidents
905 STU-III Terminal Keying and Rekeying
906 Secure Data Mode
907 Sensitive Compartmented Information Facilities (SCIF's)
908 Installations in Residences, Hotels, or Commercial Conference Facilities
909 Vehicle Installations
910 Acoustic Security
CHAPTER 10: COMSEC EMERGENCY ACTION PROCEDURES
1000 Requirements
1001 Preparedness
1002 Preparing the Emergency Plan
1003 Emergency Action Procedures Review
APPENDIXES
APPENDIX A Definitions
APPENDIX B Sample Communications Security (COMSEC) Briefing
APPENDIX C Sample Cryptographic Access Certification
Cryptographic Access Termination
Privacy Act Statement
Attachment to Appendix C
Pertinent Provisions of Title 18 of the United States Codes
APPENDIX D Sample Emergency Action Plan
APPENDIX E Figures
1 Sample Change of COMSEC Custodian Inventory (SF 153)
2 Table of TSEC Nomenclature System Designators
3 COMSEC Material Record (L6061)
4 DCS Station Addresses
5 Sample Report of COMSEC Material Transferred to a Military Account (SF 153)
6 Sample Report of COMSEC Material Transferred to an Account Other than Military (SF 153)
7 Sample COMSEC Material Identification Markings
8 Sample COMSEC Material Hand Receipt (SF 153)
9 Sample Possession Report Prepared When COMSEC Material is Received Without Transfer Paperwork (SF 153)
10 Sample Preprinted Inventory with Supplement
10a Supplement to Preprinted Inventory (SF 153)
11 Sample Destruction Report (SF 153)
12 COMSEC Material Destruction Standards
APPENDIX F Classification Guide
CHAPTER 1: INTRODUCTION
100 GENERAL
The United States Communications Security (COMSEC) effort is
controlled and managed under a separate set of security
standards and procedures from those that apply to other
classified information. The reasons for this are that
COMSEC techniques and materials are used to protect other
information and that the loss of U.S. COMSEC information
and materials can seriously damage the national interest.
Also, a significant body of information indicates that TOP
SECRET keying material is a high-priority target for
exploitation by hostile intelligence services and,
therefore, must be afforded special attention.
101 PURPOSE
This Manual contains COMSEC information and guidance
necessary for the successful day-to-day operations of NASA's
COMSEC Program.
102 APPLICABILITY AND SCOPE
The provisions of this Manual apply to NASA Headquarters and
Field Installations. It specifically applies to all NASA
COMSEC Custodians, security organizations, and other
personnel using or otherwise having access to COMSEC
materials at NASA Field Installations and NASA Headquarters.
This Manual also supports contractors, as appropriate, under
law and/or contract as implemented by the appropriate
contracting officer. Contractor COMSEC Custodians and
Alternates of NASA COMSEC accounts come under the purview of
this document, and their responsibilities are identical to
those of civil service COMSEC Custodians and Alternates. This Manual
will be used in lieu of National Security Agency (NSA)
Manual 90-2 and supersedes the NASA COMSEC Accounting Guide,
dated January 1978. Whenever system doctrine requirements
conflict with procedures in this Manual, the system doctrine
requirements take precedence.
1. This Manual is not site specific; it outlines minimum
standards and is intended to be used as guidance by
COMSEC Custodians and Chiefs of Security in formulating
and implementing effective COMSEC operations. Each
site is encouraged to supplement this Manual with
procedures, duties, and titles to tailor this guidance
to their unique environments.
2. This Manual specifically addresses COMSEC Custodians
and Alternate COMSEC Custodians of COMSEC accounts
designated and established by NASA, and those
custodians who fall under the purview of the NASA
COMSEC Central Office of Record (COR).
103 REFERENCES
1. NCSC-1, "National Policy for Safeguard and Control of
COMSEC Material," January 16, 1981.
2. NACSI 4005, "Safeguarding and Control of COMSEC
Material," October 12, 1979.
3. NACSI 4007, "Management of Manual Crypto Systems."
4. NACSI 4008, "Safeguarding COMSEC Facilities," March 4,
1983.
5. NCSC-9, "National COMSEC Glossary," September 1, 1982.
6. NTISSI 3013, "Operational Security Doctrine for the
Secure Telephone Unit III (STU-III) Type 1 Terminal,"
February 8, 1990.
7. NTISSI 4001, "Controlled Cryptographic Items (CCIs),"
March 25, 1985.
8. NTISSI 4002, "Classification Guide for COMSEC
Information," June 5, 1986.
9. NTISSI 4003, "Reporting and Evaluating COMSEC
Incidents," December 2, 1991.
10. NTISSI 4004, "Routine Destruction and Emergency
Protection of COMSEC Material," March 11, 1987.
11. NTISSI 4005, "Control of TOP SECRET Keying Material,"
July 17, 1987.
12. NTISSI 4006, "Controlling Authorities for COMSEC
Material," December 2, 1991.
13. National Policy for the Security of National Security
Telecommunications and Information Systems,
July 5, 1990.
14. NMI 1600.2, "NASA Security Program."
15. DoD 5200.28M, "Department of Defense Automatic Data
Processing Security Manual."
16. DoD 5220.22M, "Industrial Security Manual for
Safeguarding Classified Information."
17. NTISSP No. 3, "National Policy for Granting
Access to U.S. Classified Cryptographic
Information," December 19, 1988.
104 OBJECTIVES
This Manual is intended to help attain objectives essential
to maintaining the integrity of COMSEC material used to
protect sensitive or classified Government communications,
as follows:
1. To provide instructions for controlling accountable
COMSEC material furnished to, or generated by, an
activity, in order to deny access to unauthorized
persons or organizations.
2. To ensure timely disposition of Government-furnished
and contractor-generated accountable COMSEC material no
longer required for performing a contract.
105 DEFINITIONS
See definitions of terms used in this Manual in Appendix A.
106 REVISIONS
This Manual will be revised as required by Executive orders,
statutes, direction from the National Security Agency (NSA),
and the development of new and improved security concepts.
Changes to this Manual are specifically prohibited unless
officially promulgated by the NASA COMSEC Manager. NASA
Field Installations, NASA Headquarters security organizations,
and NASA COMSEC Custodians may request copies of the
National Communications Security Instruction and National
Telecommunications Information System Security Instruction
containing policies and procedures governing cryptographic
operations and the physical security of COMSEC material from
the NASA COMSEC Manager.
CHAPTER 2: COMMUNICATIONS SECURITY (COMSEC) MATERIAL CONTROL
200 GENERAL
This Chapter establishes minimum COMSEC accounting
procedures to be followed by NASA COMSEC Custodians and all
other personnel using or otherwise having access to
accountable COMSEC material.
1. Channels of Communication
a. Because timely and accurate COMSEC accounting and
reporting are so necessary, direct communications
between the NASA Central Office of Record (COR)
and NASA COMSEC accounts are authorized on all
routine COMSEC accounting matters (e.g., inability
to resolve inventory discrepancies, COMSEC
incident reports, tracer actions, etc.). Send
direct communications to the NASA COR at the
following address:
NASA Headquarters
Code JIS/NASA COMSEC Manager
Washington, DC 20546
Telephone: STU-III 202/358-2455
FAX: secure 202/358-3237
nonsecure 202/358-3238
Message address: RUEANAT/NASA HQ WASHINGTON
DC//JACK SYMANEK/CODE JIS//
b. Direct communications between NASA COMSEC accounts
and the National Security Agency (NSA) Central
Office of Record (COR), Y131; NSA Central
Accounting Office (CAO), Y18 (STU III key only);
and the Insecurities, Evaluation, and Reporting
Branch, X71A, are authorized for COMSEC accounting
matters involving the direct shipment of COMSEC
material. Send direct communications to the NSA
at the following address:
Director, National Security Agency
ATTN: (appropriate office designator)
Fort George G. Meade, MD 20755-6000
Message address: RUETIAA/DIRNSA FT. GEORGE G
MEADE, MD//appropriate office
designator//
c. Direct communications are authorized between NASA
COMSEC accounts and any other COMSEC accounts
involving direct shipment of COMSEC material.
2. Responsibilities and Organization. COMSEC material
control within the U.S. Government is based on a system
of centralized accounting and decentralized custody and
protection. Timely and accurate data is essential to
continuous, effective control of COMSEC material
entrusted to or produced for NASA.
a. The NSA is responsible for the operations of the
NSA COR; for specifying control criteria for all
COMSEC material; for distributing and accounting
for all accountable COMSEC material produced by or
entrusted to the NSA until transferred; for
receiving and processing requirements for
accountable COMSEC material; for excluding the
procurement of COMSEC equipment and spare parts;
for establishing and maintaining lead-time
schedules for distributing accountable COMSEC
material; for providing disposition instructions
for COMSEC material held but no longer required,
exclusive of material for which disposition is
provided by a superseding edition or Service
status publication (e.g., Air Force General COMSEC
Publication (AFKAG)); for receiving accountable
COMSEC material; and for providing assistance to
COMSEC Custodians regarding shipping methods and
schedules. The main NSA COMSEC Account is 880099,
and its address follows:
Middle River Facility
Building A-W Dock 2
2800 Eastern Boulevard
Middle River, MD 21220
b. NASA/Code JIS is responsible for the following
tasks:
(1) Performing as COR for NASA.
(2) Establishing and closing COMSEC accounts.
(3) Maintaining a record of NASA COMSEC accounts,
COMSEC Custodians, and Alternate Custodians.
(4) Processing requests to appoint or terminate
the appointments of COMSEC Custodians and
Alternates, and verifying their clearances.
(5) Verifying the inventory of each NASA
controlled COMSEC account semiannually.
(6) Maintaining master records of all NASA COMSEC
material entered into the NASA COMSEC
Material Control System.
(7) Maintaining the financial and property
accountability records for all accountable
COMSEC equipment owned by or entrusted to
NASA.
(8) Facilitating attendance at the formal NSA
COMSEC Custodian training course (CS-140) for
all newly appointed NASA COMSEC Custodians
and Alternates. If time does not permit
formal training, Code JIS will provide
informal briefings to prospective Custodians
and Alternates until attendance at the NSA
hosted COMSEC Custodian's Training Course
(CS-140) can be arranged.
(9) Establishing procedures for accounting for
COMSEC material held within NASA.
(10) Maintaining liaison with the NSA COR, civil
agencies, NASA contractor COMSEC accounts and
the Military Services on all matters
pertaining to controlling accountable COMSEC
material.
(11) Auditing NASA COMSEC accounts established at
NASA Installations at least every 24 months
or as deemed necessary.
(12) Providing guidance and assistance on all
procedural matters pertaining to controlling
accountable COMSEC material.
(13) Preparing and distributing COMSEC Procedural
and Material Control Bulletins.
c. The Chief of each organizational element has the
ultimate responsibility for controlling all COMSEC
material held within the organizational element.
This responsibility is, by the appointment of a
COMSEC Custodian and Alternate(s), delegated to
individuals by name. However, delegating this
authority in no way relieves any individual (e.g.,
the user, the Custodian's supervisor, and other
organizational chiefs, etc.) from the inherent
responsibility for controlling COMSEC material
held within the element. The Chief of the NASA
element is also responsible for ensuring that
Custodians and Alternates receive required
training.
d. The COMSEC Custodian is, through organizational
and supervisory channels, responsible to the Chief
of the element for controlling all accountable
COMSEC material charged to the element's account.
e. The individual user or holder of COMSEC material
is personally responsible for controlling and
safeguarding COMSEC material while it is entrusted
to his or her care, and is not authorized to lend
the material to another individual without a new
hand receipt issued from the COMSEC Custodian.
See Chapter 4 for access requirements to COMSEC
information.
201 THE COMSEC ACCOUNT
1. Requirement for a COMSEC Account. Any element
requiring accountable COMSEC material must obtain such
material through a COMSEC account. If an existing
COMSEC account cannot adequately support the
requirement for COMSEC material within an organization,
a new COMSEC account will be established.
2. Request to Establish a COMSEC Account. When a new
COMSEC account must be established, submit a written
request from the Chief of the NASA organization
requiring the account.
a. Submit the request through the local security
office to NASA/Code JIS, ATTN: NASA COR. Include
the title and complete address of the element in
which the account will be located; the purpose
(justification) for establishing the COMSEC
account; the specific items of COMSEC material
required, and the desired in-place date. The
request must also include a statement that the
minimum physical security standards for
safeguarding COMSEC material can be met, and the
names, grades, and social security numbers with
Privacy Act Notice of the individuals to be
appointed as the COMSEC Custodian and Alternate
COMSEC Custodians. Normally, a single Alternate
Custodian is sufficient at each account.
Appointments of more than two Alternate Custodians
should be coordinated with the NASA COR.
Subparagraphs 5a and b contain COMSEC Custodian
selection criteria. The request must also contain
certified clearance information on the individuals
nominated as the COMSEC Custodian and Alternate
COMSEC Custodian(s). When signature cards (Form
N2942B) are used for clearance information
certification, forward these cards with the
written request. The NASA COR will initiate
clearance verification.
b. Allow a minimum of 30 days for an account to be
established and appointments confirmed.
3. COMSEC Account Approval. The NASA COR will advise the
requesting element in writing (sending an
information copy to the Installation Security Office)
when the account is established and the COMSEC
Custodian and Alternate COMSEC Custodian(s)
appointments are approved, and will assign an account
number. Reference the account number in all subsequent
correspondence or transactions relating to the COMSEC
account. The NASA COR provides accounting forms and,
when not submitted previously, signature cards (Form
N2942B) to be completed and returned to the COR.
4. COMSEC Custodian and Alternate COMSEC Custodian
Training. A newly appointed or changed COMSEC
Custodian or Alternate will attend the NSA COMSEC
Custodian training course (CS-140) as soon as possible.
This training is mandatory for all NASA COMSEC
Custodial appointees, with the exception of those
appointed to accounts established solely for STU-III,
or those who have attended equivalent training within 2
years.
5. Selecting a COMSEC Custodian and Alternate Custodian
a. Because of the sensitivity of COMSEC material and
the rigid controls required, individuals selected
as Custodians must:
(1) Be a responsible civil servant or contractor
qualified to assume the duties and
responsibilities of a COMSEC Custodian.
(2) Not have been previously relieved of COMSEC
Custodian duties for reasons of negligence or
nonperformance of duties.
(3) Be in a position that will permit maximum
tenure (not less than 1 year) as a COMSEC
Custodian or Alternate COMSEC Custodian,
thereby reducing the possibility of frequent
replacement.
(4) Not be assigned duties that will interfere
with their duties as COMSEC Custodian and
Alternate Custodian.
(5) Be actually performing the custodial
functions on a day-to-day basis. The COMSEC
Custodian position will not be assumed solely
to maintain administrative or management
control of the account functions.
b. Personnel nominated as COMSEC Custodian or
Alternate will be in grade GS-7 or above, or a
contractor at an equivalent level. Where
personnel at the appropriate grade level are not
available, include full justification to support
the appointment in the appointment request.
6. Duties of the COMSEC Custodian and Alternate Custodian
a. The COMSEC Custodian. The COMSEC Custodian is
responsible for ensuring that all COMSEC material
issued to, or generated and held by, the COMSEC
account is safeguarded in accordance with national
requirements. This includes but is not limited to
the receipt, custody, issuance, safeguarding,
accounting and, when necessary, destruction of
COMSEC material. The COMSEC Custodian is further
responsible for maintaining up-to-date records and
submitting all required accounting reports. The
Custodian will be thoroughly familiar with the
procedures for handling COMSEC material outlined
in this Manual. The COMSEC Custodian is
authorized and encouraged to inspect user areas on
a regular basis (at least semiannually). The
COMSEC Custodian must have access to all
accountable material held by users. In cases
where the material is used within a Sensitive
Compartmented Information Facility (SCIF), and the
COMSEC Custodian is not indoctrinated for special
access (SI), the area must be sanitized or the
Custodian escorted to allow the Custodian to
fulfill his or her responsibilities. In
fulfilling his or her responsibilities, the
Custodian will perform the following duties:
(1) Protect COMSEC material and limit access to
individuals with the appropriate need-to-know
and clearance.
(2) Receive, give a receipt for, and ensure the
safeguarding and accounting of all COMSEC
material issued to the COMSEC account.
(3) Maintain COMSEC accounting and related
records as outlined in paragraph 204.
(4) With a witness, conduct an inventory,
semiannually and when a new COMSEC Custodian
is appointed, by physically sighting all
COMSEC material charged to the account, and
reconciling this inventory with the COR. The
COR or other competent authority may also
direct the conduct of an inventory.
(5) Perform routine destruction of COMSEC
material when required, or otherwise dispose
of material as directed by the COR or
controlling authority.
(6) Submit transfer, inventory, destruction, and
possession reports when required.
(7) Inspect the implemented protective
technologies upon initial receipt, during
each inventory, and prior to each use to
ensure the integrity of COMSEC material (key
or equipment).
(8) Ensure prompt and accurate entry of all
amendments to COMSEC publications held by the
account.
(9) Ensure that all accountable COMSEC material
shipped outside of the account's organization
is packaged and shipped as specified in
paragraph 204.6 of this Chapter. Ensure that
all material received is inspected for
evidence of tampering and, if any is found,
immediately submit a report of suspected
physical incident according to Chapter 6 of
this Manual.
(10) Be aware at all times of the location of
every item of accountable COMSEC material
held by the account and the general purpose
for which it is being used.
(11) Establish procedures to ensure strict control
of each item of keying material whenever
operational requirements necessitate that
material be turned over from one shift to
another or from one individual to another.
(12) Ensure that appropriate COMSEC material is
readily available to properly cleared and
authorized individuals whose duties require
its use. If the material is classified,
verify that the individuals are cleared to
the level of the material. Brief recipients
on the required protection and procedures for
safeguarding the material until it is
returned to the Custodian.
(13) Report immediately to the Installation
Security Officer any known or suspected
COMSEC incident as defined in Chapter 6, and
submit a report according to Chapter 6 of
this Manual.
(14) Verify the identification, clearance and
need-to-know of any individual requesting
access to the records and/or material
associated with the COMSEC account.
(15) Prepare for safeguarding COMSEC material
during emergency situations according to
Chapter 10.
(16) When COMSEC material is properly issued to
users, according to paragraph 204.11, the
COMSEC Custodian is relieved of personal
responsibility for the security of the
material.
b. The Alternate Custodian. Individuals appointed as
Alternate COMSEC Custodians are responsible for
assisting the COMSEC Custodian in performing his
or her duties and for providing continuity of
operations in the absence of the COMSEC Custodian.
Specific duties are as follows:
(1) Keeping aware of the day-to-day activity of
the COMSEC account in order to assume the
duties of the COMSEC Custodian, whenever
necessary, without undue interruption of
operations.
(2) Performing those duties outlined in subparagraph
201.6a during the temporary or
permanent absence of the COMSEC Custodian.
7. Witness
a. Inventory and Destruction by the COMSEC Custodian:
Physical inventory or destruction of COMSEC
material must be witnessed by an appropriately
cleared individual. The witness should normally
be the Alternate Custodian, but another
appropriately cleared and briefed individual may
act as a witness when the Alternate Custodian is
not available. When an inventory or destruction
is completed, the witness will sign the inventory
report, keying material usage/disposition record,
or destruction report, as appropriate, attesting
that the COMSEC material listed has been
inventoried or destroyed. The witness will sign
an inventory only after having personally sighted
the material being inventoried. A destruction
report can only be signed after having personally
witnessed the destruction of the material (refer
to paragraph 703 for an exception to witnessing a
material destruction by a user).
b. Destroying keying material that has been hand
receipted to a user requires a witness to the
destruction of individual key settings. The
witness will initial the keying material usage
record attesting that the material has been
destroyed. Under no circumstances will the
witness initial a usage record without having
personally sighted the material being destroyed.
8. Temporary Absence of the COMSEC Custodian. When the
COMSEC Custodian is to be absent for a period not to
exceed 60 days, the Alternate Custodian will assume the
responsibilities and duties of the COMSEC Custodian.
An absence in excess of 60 days that has not been
coordinated with the NASA COR must be treated as a
permanent absence, and a new Custodian must be
nominated.
9. Return of the COMSEC Custodian from Temporary Absence.
The COMSEC Custodian will be informed of all changes to
the COMSEC account upon his or her return from a
temporary absence. If COMSEC material was transferred
to the account and accepted by the Alternate Custodian
during the absence, the COMSEC Custodian will inventory
the COMSEC material, and sign, date, and include the
remark "received from Alternate Custodian" on the front
side of the COMSEC account's copy of the transfer
report, thus relieving the Alternate Custodian of
accountability for the material. In those cases where
material was transferred from the account or destroyed,
the COMSEC Custodian should verify such actions by
comparing the transfer and destruction reports with his
or her Register File to assure the accuracy of the
actions affecting the material for which he or she is
held accountable.
10. Change of COMSEC Custodian. When it becomes necessary
to terminate the COMSEC Custodian's appointment, NASA
elements must submit a written request through the
local security office to the NASA COR and include
information and clearance certification about the
replacement nominee as prescribed in subparagraph
201.5. The training requirements specified in
subparagraph 201.4 also apply.
a. When written confirmation is received from the
NASA COR, the newly appointed COMSEC Custodian and
his or her predecessor will perform the following
duties:
(1) Conduct a physical (sight) inventory of all
COMSEC material held by the COMSEC account.
(The change of Custodian will be effective
the date the inventory is signed.)
(2) Prepare an SF 153 (see Figure 1 in Appendix
E) listing all COMSEC material to be
transferred to the new Custodian. Identify
the report in block 1 as a "change of
Custodian" and check both "received" and
"inventoried" in block 14. Address the
report from the COMSEC account (block 2) to
the NASA COR (block 3). The new Custodian
will sign in block 15 and the departing
Custodian will sign as the witness in block
17. Forward the signed original copy to the
NASA COR and retain a signed duplicate copy
in the COMSEC account's file. When an
account holds over 100 line items, a
Custodian may request a preprinted
inventory/transfer from the NASA COR. The
request for a preprinted inventory/transfer
should normally be included with the
nomination information.
b. Normally, the new COMSEC Custodian will have
received written confirmation of appointment
before action is initiated to transfer the COMSEC
account. However, if the confirmation is delayed
and the departure of his or her predecessor is
imminent, the transfer will be accomplished prior
to the receipt of written confirmation.
c. When the transfer is complete, the new Custodian
assumes full responsibility for the material
charged to the COMSEC account and for its
operation. The former COMSEC Custodian is
relieved of responsibility for only that COMSEC
material included on the transfer/inventory
report. He or she is not relieved of
responsibility for COMSEC material that is
involved in any unresolved discrepancy until a
clear COMSEC Inventory Reconciliation Report has
been received from the NASA COR.
d. Changes of COMSEC Custodian should be scheduled at
least 40 days before the former COMSEC Custodian
departs to allow for the receipt of a clear COMSEC
Inventory Reconciliation Report. However, the
former COMSEC Custodian may depart prior to the
return of the COMSEC Inventory Reconciliation
Report provided no discrepancies or irregularities
were evident when the inventory and transfer were
made. Responsibility for resolving discrepancies
discovered after a COMSEC Custodian has departed
rests with the Chief of the element.
11. Change of Alternate Custodian. When a change in
Alternate Custodian is necessary, NASA elements will
submit a written request through the local security
office to the NASA COR and will include information and
clearance certification about the replacement nominee
as prescribed in subparagraph 201.5. The training
requirements specified in subparagraph 201.4 also
apply. A change of Alternate Custodian should be made
before the departure of the present Alternate Custodian
unless impossible.
12. Sudden, Indefinite, or Permanent Departure of the
COMSEC Custodian
a. Under emergency circumstances such as the sudden,
indefinite or permanent departure of the COMSEC
Custodian, the Chief of the element will nominate
a new COMSEC Custodian (preferably the Alternate
Custodian) in compliance with the provisions of
subparagraph 201.5 and paragraph 200.2. The new
COMSEC Custodian and an appropriately cleared
witness will immediately conduct a complete
physical inventory of all COMSEC material held by
the COMSEC account. When the absence of the
COMSEC Custodian is unauthorized, the Chief of the
element will immediately report the circumstances
in accordance with Chapter 6.
b. Upon completion of the inventory, prepare an SF
153 Possession Report. Annotate the Possession
Report with the remark "Sudden, indefinite or
permanent departure of the COMSEC Custodian" or
"Unauthorized absence of the COMSEC Custodian," as
appropriate. The new COMSEC Custodian will sign
block 15 and the witness will sign block 17.
Forward the signed original copy of the report to
the NASA COR and retain a signed duplicate copy in
the COMSEC account's file.
13. Sudden, Indefinite, or Permanent Departure of the
Alternate COMSEC Custodian. The NASA COR should be
notified as soon as possible when an Alternate COMSEC
Custodian must be replaced due to a sudden, indefinite,
or permanent departure. An unauthorized absence must
be immediately reported in accordance with Chapter 6.
14. COMSEC Officer, COMSEC/TEMPEST Point of Contact.
Several Centers have designated a COMSEC Officer to
address policy issues and programmatic COMSEC
responsibilities beyond those specified for the COMSEC
Custodian. Although national policy does not require
the designation of a COMSEC Officer, it has been NASA
policy to designate a civil servant to act as the
COMSEC and TEMPEST point of contact responsible for
ensuring oversight and implementation of NASA's COMSEC
and TEMPEST policy. It is important to emphasize,
however, that the responsibilities identified for the
COMSEC Custodian constitute minimum requirements and,
depending on the experience level of the COMSEC
Custodian, are balanced against each Center's
particular needs. These additional COMSEC/TEMPEST
duties can be performed by the same individual.
Regardless of whether the COMSEC Custodian, COMSEC
Officer, or COMSEC/TEMPEST point of contact is
designated to perform these additional functions, it
must be stressed that NASA Installations must not construe
this requirement as justification for establishing a
separate billet. The duties of the COMSEC Officer, or
COMSEC/TEMPEST point of contact, include the following:
a. Acting as the Installation's single focal point
for COMSEC and TEMPEST policy issues.
b. Administering one-time COMSEC briefings and/or
cryptographic access certification to civil
servants whose duties require access to COMSEC
material.
c. Ensuring that COMSEC awareness training is
integrated as part of the Installation's security
education program.
d. Providing technical assistance to Controlling
Authorities for cryptographic keying material
controlled by NASA and exercising oversight in
those instances where NASA contractor COMSEC
accounts have been established solely for the
purpose of supporting NASA.
e. Assisting project offices in the acquisition of
COMSEC material through coordination with the
supporting COMSEC Custodian and/or the NASA COMSEC
Manager.
f. Assisting the Installation's Security Office to
establish selection criteria to screen, interview,
and nominate candidates for the COMSEC Custodian.
g. Providing technical advice and assistance
concerning the use, installation, maintenance, and
procurement of STU-III's.
h. Conducting TEMPEST countermeasure determination
and coordinating with the NASA Security Office,
Code JIS, as required. NOTE: Formal training is
not required to perform countermeasure
determination using the NTISSI 7000, "TEMPEST
Countermeasures for Facilities."
202 COMSEC MATERIAL
1. Short Titles. For accounting purposes, COMSEC material
may be identified by short titles derived from the
Telecommunications Security (TSEC) nomenclature system
(see Figure 2); or bear a designator derived from the
Joint Electronics Type Designation System (JETDS); or a
Federal part number; or by short titles assigned by a
Military Department. In many cases, the Controlled
Cryptographic Item (CCI) category may not be assigned
any short title, instead bearing the manufacturer's
commercial designator. This equipment will, however,
be marked "Controlled Cryptographic Item" or "CCI" and
will bear a Government Serial Number (GSN) label. The
GSN has been developed for accounting purposes and will
be the designator by which the COMSEC Custodian will
identify and control the CCI. The GSN is composed of
three fields; for example, the label may read "GSN:
PES-B4 192." The first field "PES" identifies the
manufacturer; the second field "B4" identifies the type
of product; and the third field "192" identifies the
serial number of the unit. For purposes of the SF 153
(using the above example), list the designator "PES-B4"
in the short title block and "192" in the accounting
number block. NOTE: The GSN for STU-III terminals
will vary from the above format.
2. Accounting Numbers. Most COMSEC material is assigned
an accounting (register or serial) number at its point
of origin to facilitate accounting. However, COMSEC
material may be received that does not bear an
accounting number or for which accounting by number is
impractical, and therefore not required. An example of
this type of material is a printed circuit board with a
TSEC nomenclature, which may bear a manufacturer's
serial number, but which is only accounted for by
quantity and is listed in "accounting numbers" on
accounting reports as an "N/N" (no number) item.
3. Edition. COMSEC material may be further identified by
alphabetic or numeric edition. COMSEC material is
superseded when the new COMSEC material becomes
effective (effective edition). NOTE: Identification
of the currently effective edition of operational
keying material is considered "CONFIDENTIAL." The
general rule is that this information should not be
disclosed over a mode of communications that is not
secure. However, per NTISSI 4002, A-12, under certain
circumstances the effective edition may be transmitted
in the clear when necessary to ensure that all holders
are using the same key or when confusion exists about
the effective key.
4. CRYPTO Marking. COMSEC keying material that is used to
protect or authenticate telecommunications carrying
national security and Government-sensitive information
is identified by the bold marking CRYPTO. This marking
makes such material readily identifiable from other
material so that its dissemination can be restricted to
personnel whose duties require access and, if the
material is classified, to those who have been granted
a final security clearance equal to or higher than the
classification of the keying material involved.
5. Subdivisions of Equipment. Operational COMSEC
equipment is identified and accounted for by one short
title rather than by individual components and/or
subassemblies. Classified and CCI subassemblies,
elements, and microcircuits when not incorporated in an
equipment will, however, be accounted for by type and
quantity.
203 COMSEC MATERIAL ACCOUNTABILITY
1. COMSEC Material in the National Security Agency (NSA)
COMSEC Material Control System
a. Accountable COMSEC material enters the NASA COMSEC
Material Control System at the times indicated and
remains in the system until destruction or other
authorized disposition as follows:
(1) When material is received by a COMSEC
Custodian from another department, agency,
foreign government, international
organization, or other COMSEC account.
(2) When a possession report is completed for
COMSEC material that is in the possession of
a COMSEC Custodian but which is not charged
to his or her account.
b. Refer questions regarding whether material is
qualified for entry into the COMSEC Material
Control System and the method of accounting (i.e.,
by which accounting legend code) to the NASA COR.
2. Accounting Legend Code (ALC)
a. For accounting purposes, all COMSEC material is
identified by one of the following accounting
legends:
(1) ALC-1: Continuous accountability by
accounting (register or serial) number within
the COMSEC Material Control System.
(2) ALC-2: Continuous accountability by quantity
within the COMSEC Material Control System.
(3) ALC-3: COR notification of initial receipt
required. Maintain local accountability by
accounting (register or serial) number
thereafter.
(4) ALC-4: Initial receipt required; the
custodian will maintain local accountability;
issue to authorized users on hand receipt;
maintain COMSEC register cards until material
is disposed of; and if destroyed, a local
unnumbered (no transaction number assigned)
destruction report will be filed.
b. The ALC is assigned by the originating Government
department or agency and represents the minimum
accounting standard to be applied.
c. The ALC will appear on all accounting reports but
not necessarily on the material. Holders will not
apply accounting procedures less restrictive than
those specified by the ALC assigned unless
specifically authorized by the COR.
d. Nonaccountable COMSEC material. Material such as
correspondence, logs, reports, etc., is excluded
from the COMSEC Material Control System.
204 COMSEC MATERIAL CONTROL
This section outlines the procedures for COMSEC Custodians
during day-to-day account operations.
1. Forms, Reports, and Files
a. Forms. The forms used in the COMSEC Material
Control System are limited to the multipurpose
SF 153 ("COMSEC Material Report," rev. 9-88,
NSN 7540-00-935-5861), L6061 ("COMSEC Material
Record Card"), and equivalent NASA forms.
b. Accounting Reports. Prepare accounting reports on
an SF 153 to record transfer, possession,
inventory, and destruction of COMSEC material.
The required copies and distribution of accounting
reports are covered in the paragraphs of this
Manual that outline the detailed preparation of
particular reports. The various reports and a
brief description of their use are as follows:
(1) Transfer Report: Records COMSEC material
transferred from one COMSEC account to
another.
(2) Destruction Report: Reports the physical
destruction or other authorized expenditure
of COMSEC material.
(3) Inventory Report: Reports the physical
(sight) inventory of COMSEC material.
(4) Possession Report: Reports the possession of
COMSEC material. Specific circumstances
requiring possession reports are prescribed
in subparagraph 204.12.
c. Hand Receipt. A hand receipt records the
acceptance of and responsibility for COMSEC
material issued to a user. An SF 153, or the
reverse side of Form L6061 or a NASA equivalent
may be used to hand receipt COMSEC material.
d. Sample Forms and Reports. Samples of the forms
and reports annotated with preparation
instructions are contained in Appendix E.
e. Files. Establish and maintain COMSEC accounting
and related files listed as follows:
(1) Accounting Files:
(a) Incoming transfer reports, possession
reports.
(b) Destruction and outgoing transfer
reports.
(c) Annual or semiannual, as appropriate,
inventory reports, and change of
custodian reports.
(d) Hand receipts.
(e) COMSEC Register File (L6061) or
comparable system approved by the
NASA COR.
(f) Transaction number log. If an approved
automatic system is used, a transaction
log is not required.
(2) Related files:
(a) Courier, mail, and package receipts.
(b) Correspondence including such records as
COMSEC Custodian and Alternate Custodian
appointment confirmation letters,
memoranda, messages, and other
documentation related to COMSEC
accounting.
f. Classification of COMSEC Account Inventory and
COMSEC Account Reports/Files.
(1) Prior to 1 May 1992, NSA classification
policy required the NSA COR to classify many
COMSEC account inventories CONFIDENTIAL. NSA
classification authorities recently
determined that only certain inventories need
to be classified. However, even unclassified
inventories reflect sensitive information
which is exempt from mandatory disclosure
under the Freedom of Information Act and must
be marked FOR OFFICIAL USE ONLY. Therefore,
effective 1 May 1992, all unclassified
account inventories provided by the NSA COR,
as well as those provided by the Key
Management System (KMS), will be marked FOR
OFFICIAL USE ONLY and will be transmitted via
U.S. first-class mail or equivalent parcel
service.
(2) All NSA COR printed COMSEC account
inventories that are presently marked
CONFIDENTIAL should be declassified and
marked FOR OFFICIAL USE ONLY. The following
statement should also be placed on the
inventory: "This document has been
declassified and marked For Official Use Only
by Authority of the Deputy Director for
Information Systems Security (DDI), Central
Accounting Office (CAO), (IAW NSA COR
Accounting Bulletin 2-92)."
(3) If it is determined that a compilation of
records can be declassified, the combined
file should be marked FOR OFFICIAL USE ONLY
and "This file has been declassified and
marked For Official Use Only by Authority of
the DDI CAO (IAW NSA COR Accounting Bulletin
2-92)."
(4) All files/reports marked FOR OFFICIAL USE
ONLY should also be marked "This document
contains information EXEMPT FROM MANDATORY
DISCLOSURE UNDER THE FOIA. Exemption 3
applies." (Note: This marking is not
required on the Government printed and
supplied SF-153 form with For Official Use
Only preprinted at the bottom. It is,
however, required for the front cover of a
file containing SF-153's that are FOR
OFFICIAL USE ONLY.)
(5) When in doubt about whether or not a
record/file may be declassified and marked
FOR OFFICIAL USE ONLY, please telephone the
NASA COR via a STU-III (if available), or
request NASA COR assistance by another secure
means of communication.
(6) The guidance in previous subparagraphs will
be implemented in handling NASA COR account
inventories, reports and files. In addition,
exemption "High Two" of FOIA may be used for
COMSEC account reports and files that are
sensitive but not classified. This exemption
protects from disclosure material that would
significantly risk circumvention of an Agency
regulation, statute, or mission.
(7) Appendix F is provided as a classification
guide.
2. COMSEC Register File. All COMSEC material held by an
account is controlled internally using a COMSEC
Register File. This file consists of an active section
and an inactive section, both of which should be
maintained in alphanumeric order. Normally this file
consists of L6061's (see Figure 3 in Appendix E); it
may be maintained on a personal computer with prior
NASA COR approval. If the file is automated, take
extreme care to control the data base as much as
possible, since unauthorized persons could alter/erase
information without the immediate knowledge of the
Custodian. Follow good computer security practices,
and maintain current backups of data.
a. The active section of the Register File consists
of one Form L6061 (manual file), or one line item
(automated file), for each accountable item
currently held in the account and must include the
following information:
(1) Short title, edition, quantity, and
accounting number (if any).
(2) Classification and ALC.
(3) Date of receipt, from whom received (account
number), and incoming transaction number.
(4) Hand receipt information (optional).
b. The inactive section of the register file consists
of one Form L6061 or one line item for each item
that has been removed from the account, and the
specific disposition data for the item, as
follows:
(1) The type of disposition (e.g., transfer,
destruction, etc.) (if transferred, also
include receiving account number).
(2) Date of action.
(3) Outgoing transaction number.
c. Give special attention to keeping the Register
File current and accurate; it is a convenient
reference and important tool for maintaining
strict control over all COMSEC material in the
account.
3. Preparing COMSEC Accounting Reports
a. Include in each report the official titles and
addresses of the elements involved; account,
transaction, contract (if applicable) numbers;
date of report (entered: year, month, day, e.g.,
880107 indicates January 7, 1988); typed or
stamped names of individuals signing reports; and
signatures in ink.
b. List all short titles in alphanumeric order,
omitting the prefix or suffix "TSEC." For
equipment controlled by Government Serial Number,
omit the prefix "GSN."
c. Single space all line item entries on a report.
Follow the last line item with the remark "NOTHING
FOLLOWS" in capital letters on the next line.
d. For items having accounting numbers running
consecutively, the inclusive accounting numbers
may be entered as a single line entry (e.g.,
1-10) in block 11.
e. Enter "N/N" in block 11 for items not having an
accounting number or for which accounting by
number is not required (i.e., ALC-2 material).
f. Ensure that consecutive accounting numbers agree
with the entries made in the "quantity" column.
g. Include any clarifying remarks deemed appropriate
for the receiving COMSEC Custodian or the COR in
Block 13 or below the "NOTHING FOLLOWS" line.
h. Initial all deletions or corrections in ink.
i. Assign each accounting report (i.e., incoming and
outgoing transfers, possession, inventory, and
destruction reports) a transaction number,
starting over with "1" each calendar year. When
using a manual system, maintain a log to ensure
that transaction numbers do not get duplicated.
NOTE: Do not assign transaction numbers to hand
receipts, accounting bulletins, reconciliation
statements or inventories.
j. Return preprinted inventories to the COR within 10
working days after receipt. Submit all other
reports within 48 hours after receipt or
preparation, or as otherwise directed.
k. Review all reports for completeness and accuracy,
and ensure each copy is legible.
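The block 11, report date, ordering, and transaction number rules in paragraph 204.3, together with the GSN split described in paragraph 202.1, can be checked mechanically where an account keeps its records in an automated file. The following Python code is an added example, not part of this Manual or of any NASA system; the LineItem fields, the function names, the "TSEC/" separator, plain string ordering as "alphanumeric order," the reading of ALC-1 and ALC-2 applied in check_report, and the sample titles and ALC values are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime


@dataclass
class LineItem:
    short_title: str  # as typed in the short title block
    quantity: int
    accounting: str   # block 11: "192", "1-10" or "N/N"
    alc: int          # accounting legend code (1 to 4)


def split_gsn(label):
    """Split a three-field GSN label into (short title, accounting number)."""
    m = re.fullmatch(r"(?:GSN:?\s+)?([A-Z0-9]+)-([A-Z0-9]+)\s+(\d+)",
                     label.strip().upper())
    if not m:  # STU-III labels use another layout and are rejected here
        raise ValueError(f"not a three-field GSN label: {label!r}")
    return f"{m.group(1)}-{m.group(2)}", m.group(3)


def normalize_short_title(title):
    """Drop a 'TSEC' prefix or suffix and a 'GSN' prefix (204.3b)."""
    t = re.sub(r"^GSN:?\s+", "", title.strip().upper())
    return re.sub(r"^TSEC[/\s]+|[/\s]+TSEC$", "", t)


def parse_report_date(text):
    """Parse a YYMMDD report date (204.3a); '880107' is January 7, 1988."""
    if not re.fullmatch(r"\d{6}", text):
        raise ValueError(f"report date must be six digits, YYMMDD: {text!r}")
    # strptime's %y maps 69-99 to 19xx and 00-68 to 20xx.
    return datetime.strptime(text, "%y%m%d").date()


def accounting_count(entry):
    """Items implied by a block 11 entry; None for an 'N/N' entry."""
    e = entry.strip().upper()
    if e == "N/N":
        return None
    m = re.fullmatch(r"(\d+)(?:-(\d+))?", e)
    if not m:
        raise ValueError(f"block 11 must be a number, a range or N/N: {entry!r}")
    first, last = int(m.group(1)), int(m.group(2) or m.group(1))
    if last < first:
        raise ValueError(f"descending accounting range: {entry!r}")
    return last - first + 1


def check_report(report_date, items):
    """Return a list of problems found; an empty list means none."""
    problems = []
    try:
        parse_report_date(report_date)
    except ValueError as exc:
        problems.append(str(exc))
    titles = [normalize_short_title(i.short_title) for i in items]
    if titles != sorted(titles):
        problems.append("short titles are not in alphanumeric order")
    for item, title in zip(items, titles):
        if item.short_title.strip().upper() != title:
            problems.append(f"{item.short_title}: omit the TSEC/GSN affix")
        try:
            count = accounting_count(item.accounting)
        except ValueError as exc:
            problems.append(f"{title}: {exc}")
            continue
        if count is None:
            if item.alc == 1:  # ALC-1 is accounted for by number (203.2a)
                problems.append(f"{title}: ALC-1 item entered as N/N")
        elif item.alc == 2:    # ALC-2 is accounted for by quantity (204.3e)
            problems.append(f"{title}: ALC-2 item should be entered as N/N")
        elif count != item.quantity:  # 204.3f
            problems.append(f"{title}: block 11 covers {count} item(s), "
                            f"quantity column says {item.quantity}")
    return problems


def next_transaction_number(log, year):
    """Next unused number for `year`; numbering restarts at 1 (204.3i)."""
    return max((n for y, n in log if y == year), default=0) + 1


# Constructed sample reports; titles other than PES-B4 and all ALC
# values are made up for illustration.
GOOD = [LineItem("EXAMPLE-A1", 10, "1-10", 1),
        LineItem("EXAMPLE-B2", 4, "N/N", 2),
        LineItem("PES-B4", 1, "192", 1)]
BAD = [LineItem("TSEC/EXAMPLE-B2", 9, "1-10", 1),
       LineItem("EXAMPLE-A1", 3, "N/N", 1)]

if __name__ == "__main__":
    print(check_report("880107", GOOD))
    for problem in check_report("19880107", BAD):
        print("-", problem)
```

Hand receipts, accounting bulletins, reconciliation statements and inventories are not assigned transaction numbers, so they should not be entered in the log passed to next_transaction_number.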
4. Receipt of COMSEC Material
a. Sources. Accountable COMSEC material may be
received from the NSA, military departments, other
Government agencies, allied governments,
international organizations, and contractors.
b. DCS Form 10-R. The Defense Courier Service (DCS)
regulations require personnel who may be required
to accept DCS material to complete a DCS
Authorization Record (Form 10-R) before receipting
for material. DCS Form 10-R may be obtained from
the serving DCS station. Figure 4 lists DCS
addresses. Contact the NASA COR if necessary for
proper instructions to complete DCS Form 10-R.
c. Receiving Packages and Examining Containers (refer
to subparagraph g for equipment). Packages
receipted for by individuals other than the COMSEC
Custodian will be delivered to the Custodian
unopened. When COMSEC material is delivered,
examine the packages carefully for evidence of
tampering or exposure of the contents. If either
is evident and the contents are classified, CCI,
or marked CRYPTO, submit a COMSEC incident report
as required by Chapter 6 of this Manual. Do not
open packages showing evidence of tampering until
approval is received from the NASA COR.
(1) Report any discrepancy in short title,
accounting number, or quantity between the
contents of the package and the transfer
report to the sender and the COR. Correct
the transfer report to agree with the
material actually received. If the material
is classified, CCI, or marked CRYPTO, and the
discrepancy cannot be resolved with the
sender, submit a report of possible
compromise.
(2) When the incoming check has been completed,
sign and distribute the transfer report as
follows:
(a) One copy to the NASA COR.
(b) One copy to the shipment originator.
(c) One copy for file.
(d) Additional copies as directed by the
shipment originator.
NOTE: It may be necessary to reproduce additional
copies of the SF 153.
(3) When a package is received and the package
inner wrap is stamped TOP SECRET CRYPTO or
contains TOP SECRET keying material,
immediately initiate two-person integrity
(TPI) controls, and inspect the package for
evidence of damage or tampering. Both
individuals will then open the package and
compare the contents with the enclosed
"COMSEC Material Report" (SF 153). If
classification cannot be determined before
opening, and when material received is
routinely TOP SECRET, assume that the
material is TOP SECRET. If the contents are
TOP SECRET operational keying material, both
TPI participants will sign the SF 153 (Blocks
15 and 16) and immediately place the material
into TPI storage. Submit the SF 153 to the
NASA COR. If it is found that the contents
do not include TOP SECRET operational keying
material, follow standard receipting
procedures.
d. Receipting for keying material in protective
packaging. Certain items of COMSEC material are
protectively packaged at production time and will
not, in most cases, be opened until they are to be
employed by the actual user. To ensure the
integrity of key, inspect all protective
packaging. If no special handling instructions
are provided, though, open the keying material and
page check as outlined in subparagraph h.
Protective packaging applied to individual items
of TOP SECRET key must not be removed except under
TPI conditions. Inventory key tapes in canisters
by noting the short title and accounting number on
the leading edge of the tape segment, which
appears through the window of the plastic
canister. Do not remove tape or lists from key
tapes or key lists in protective canisters. Do
not open test keying material until it is to be
used. Report shipping discrepancies to the COR.
e. Receipting for Tapes (Magnetic/Paper). Upon
receipt of a shipment of tapes, inventory each
reel by short title, edition, and accounting
number. Report discrepancies to the COR.
f. Receipting for Hardware/Firmware Keying Material.
Upon receipt, inventory each item by short title,
edition, and accounting number. Report
discrepancies to the COR.
g. Receipting for Equipment
(1) Equipment received in sealed shipping cartons
that have not been opened or do not exhibit
signs of tampering may be receipted for
without physically sighting the material
inside as long as the label on the carton
agrees with the transfer report; if it does
not, the contents must be physically
inventoried. Inspect any implemented
protective technologies on the equipment.
Although certain types of material do not
need to be opened before actual use, allow
time between opening and use to obtain
replacements for incomplete or defective
items. Report shipping discrepancies to
the COR.
(2) Since the CCI category of COMSEC equipment
was introduced, much existing/new stand-alone
cryptographic equipment, telecommunications
and information handling equipment with
embedded cryptography, and associated
ancillary equipment, may now be controlled
outside of traditional COMSEC control
channels. When CCI equipment is received via
other than traditional COMSEC control
channels, sign the accompanying paperwork,
and return a copy to the shipper. Initiate
an SF 153 possession report for the receipted
material as prescribed in paragraph 204.12
and submit a copy to the COR.
h. Page Checking. Conduct page checks of unsealed
material to ensure the presence of all required
pages. Where the COMSEC account is so large that
the COMSEC Custodian cannot personally perform
page checks or post amendments, other
appropriately cleared individuals who have been
properly instructed by the COMSEC Custodian may
perform these actions. To conduct the page check,
verify the presence of each page against the "List
of Effective Pages" or the "Handling Instructions,"
as appropriate. Sign and date the "Record
of Page Checks" page; or, if the publication has
no "Record of Page Checks" page, place the
notation on the "Record of Amendment" page or the
cover.
(1) Key cards and/or key lists in sealed
transparent plastic wrap, and authenticators
shipped in envelopes, should not be opened
until 72 hours before the effective date;
therefore, do not page check until ready to
use. Do not open test keying material until
it is to be used. When preparing for actual
use, open and page check keying material
according to the handling instructions
provided with the material. If no special
handling instructions are provided, open and
page check the keying material. Do not
remove key tapes or key lists from
protective canisters for inventory or check
purposes.
(2) Other Material. Classified COMSEC
publications must be page checked according
to the handling instructions provided with
the material. If no special handling
instructions are provided, page check upon
initial receipt, when entering an amendment
that requires removing and/or inserting
pages, before destroying, before shipping to
another COMSEC account, and upon return from
an authorized hand receipt user.
(3) If any pages are missing upon initial
receipt, Y13 should be notified of a possible
production error. When page checking before
destroying, before shipping to another COMSEC
account, upon return from an authorized hand
receipt user or when entering an amendment,
annotate the "Record of Page Checks" page.
If the publication is classified, submit a
COMSEC incident report as outlined in
Chapter 6 of this Manual. Submit requests
for disposition instructions and a
replacement publication to the NASA COR.
(4) In the case of duplicate pages, remove and
destroy the duplicate page(s). Prepare one
copy of a destruction report citing the page
number and the accounting number of the basic
publication (e.g., duplicate page number 72
removed from KAM-130A, Number 813). No
notification to the NASA COR is required;
do not assign a COMSEC account transaction
number to this locally retained destruction
report. In addition, note the duplicate page
and the resultant destruction on the "Record
of Page Checks" page.
(5) When a change of COMSEC Custodian has
occurred, the incoming COMSEC Custodian must
perform a page check of all unsealed material
after the change of Custodian takes place.
Where the COMSEC account has a prohibitive
number of documents requiring page checks,
the incoming COMSEC Custodian must submit a
request for an extension to the NASA COR to
allow more time to complete all page checks.
It is recommended that the outgoing COMSEC
Custodian complete page checks before
transferring control of the COMSEC account to
the incoming COMSEC Custodian.
5. Procedures for Handling Keying Material. All keying
material must be stored in GSA-approved security
containers. Restrict access to the container storing
future editions of classified keying material marked
CRYPTO to the COMSEC Custodian and Alternate
Custodian(s). Where this restriction cannot be applied
because others must have access to the container for
either current editions of keying material or other
material in the container, store future editions of
keying material separately in a locked strongbox that
can be opened only by the COMSEC Custodian and
Alternate Custodian(s). Keep the strongbox in the
security container. Exceptions may be made in
operational areas to allow shift supervisors access to
the next edition of keying material, but not to later
editions. Routine destruction of keying material is
addressed in Chapter 7.
a. Key Lists/Key Tapes
(1) When it is necessary to relinquish physical
control of operational key lists to a user,
do so on a hand receipt. If issuing
individual settings is warranted, the hand
receipt user's signature or initials and the
date in the "ISSUED TO" column on the
"DISPOSITION RECORD" on the inside front
cover serve in lieu of a hand receipt.
(2) Key lists/key tapes packaged in protective
canisters will not be page checked. Annotate
the record of use card with the short title,
edition, and register number of the material.
Issue the entire canister to a user on a hand
receipt. The hand receipt user, however,
must not remove more tape segments from the
canister than are required for current use.
As each segment is removed, have the hand
receipt user sign or initial and date the
"USED" column of the "USAGE RECORD" card
applicable to the material.
NOTE: Do not affix labels to keying material
canisters or any other implemented protective
technology since it may hamper laboratory
inspections. Should additional identification of
the classification be necessary beyond that
visible through the window of the canister itself,
the preferred means is to mark or affix a label or
tag to a zip-lock bag, if available, or mark the
classification on the plastic canister using a
grease pencil. Zip-lock containers are available
through the Federal Stock System - Stock Number
8105-00-837-7754 (1000 per box).
6. Transferring COMSEC Material
a. General. COMSEC material may be transferred from
one COMSEC account to another only as prescribed
by the procedures in this Manual. Before
transferring accountable COMSEC material, verify
the receiving activity's official address, COMSEC
account number, and authorization to hold the
material being shipped. When the validity of a
shipping address or authority for shipment is in
question, contact the NASA COR before making the
shipment. Ensure that shipping is only by one of
the authorized modes of transportation prescribed
in this Manual.
(1) Do not ship accountable COMSEC material,
regardless of the accounting legend code
(ALC) assigned, unless a COMSEC account
number is provided with the shipping address.
CCI equipment may, however, be transferred to
a Military Department standard logistics
system account. Verify account numbers and
shipping addresses by contacting the
appropriate Military Department's Accounting
Headquarters. Use an SF 153 for such
transfers, just as with any other outgoing
transaction of COMSEC material. Ensure that
equipment and page checking provisions
outlined in subparagraphs g and h are
accomplished before packing COMSEC material
for transfer, and that shipping is only by
authorized modes. Conduct page and equipment
checks no earlier than 48 hours before
packing.
(2) When transferring Government-furnished
equipment (GFE) to a contractor COMSEC
account, annotate the SF 153 in block 13 to
identify those items as GFE, and identify the
contract number on the form.
NOTE: Transfer of material to external
organizations (e.g., civil agencies, contractors,
etc.) is authorized to expedite delivery of
material and eliminate unnecessary handling of the
material between locations. The shipping COMSEC
Custodian assumes full responsibility for all
aspects of the shipment. When transfers are made
to an organization external to NASA, include the
following information in the "Remarks" portion of
the transfer report: ownership of the equipment,
purpose of the transfer, contract numbers, project
name, and instructions for the receiving
Custodian. Prepare and forward copies of the SF
153 as outlined below, as appropriate:
(a) Transferring COMSEC Material to the U.S.
Military Departments. Prepare five
copies of the SF 153 and enclose the
original and one copy with the shipment
(see Figure 5 in Appendix E). Put the
notation "ADVANCE COPY" on two copies,
and immediately forward one to the NASA
COR and one to the appropriate Military
Department Accounting Headquarters.
Retain the final copy for file. Include
the following notations, as appropriate,
on all copies of transfer reports going
to the U.S. military departments:
equipment owner (NASA, Air Force, etc.);
purpose of the transfer/loan; length of
loan; repayment of loan; transfer of
ownership and authority for the
transfer; and the contract
number/project name (if appropriate).
Place the following statement on all
SF 153s reporting the transfer of COMSEC
material:
"Custodian:
Sign all copies and distribute as prescribed by
the accounting instructions of your service. This
shipment consists of ________ containers."
(b) Transferring of COMSEC Material to All
Other Activities. Prepare four copies
of the SF 153 (see Figure 6) and enclose
the original and one copy with the
shipment. Note "ADVANCE COPY" on the
third copy and forward it to the NASA
COR. Retain the fourth copy for file.
Put the following notation on all copies
of transfer reports going to activities
other than the U.S. Military
Departments:
"Custodian:
Sign all copies. Return original copy to:
National Aeronautics and Space Administration
NASA Security Office
Code: JIS/COMSEC Manager
Washington, DC 20546
Dispose of remaining copies as prescribed by the
accounting instructions of your organization. This
shipment consists of ________ containers."
(c) Transfer of Material Between NASA
Accounts. Prepare four copies of the
SF 153 and enclose the original and one
copy with the shipment. Note "ADVANCE
COPY" on the third copy and forward it
immediately to the NASA COR. Retain the
fourth copy for file. The material may
be transferred through internal mail
channels provided it is properly
packaged, handled as controlled mail,
and the package is covered by a
transmittal receipt.
b. Receipt/Transfer Responsibility. When COMSEC
material is shipped to a military activity, the
NASA COR and the Military Department Accounting
Headquarters, when appropriate, are responsible
for ensuring that the material is received by the
intended recipient on a timely basis. When an
"ADVANCE COPY" of an SF 153 is received, a receipt
suspense date is established by the NASA COR and
the Military Department Accounting Headquarters,
who take any subsequent tracer action required.
Tracer actions for shipments to military
department standard logistics accounts are handled
solely with the appropriate Military Service
Accounting Headquarters. The shipping Custodian
is not responsible for ensuring that the material
reaches the intended recipient, provided
packaging, addressing, and shipping instructions
are correct. This procedure in no way relieves
the shipping Custodian of responsibility for
errors that normally can be detected only when the
recipient opens the package (e.g., shipping the
wrong item, incorrect nameplate, etc.). In lieu
of a signed copy of the transfer report, recorded
proof of shipment is the file copy of the transfer
report combined with a signed transmittal form,
Government Bill of Lading (SF 1103), U.S.
Registered Mail receipt, or other shipping
document. The NASA COR will not initiate tracer
actions for material shipped from other
agencies/departments unless requested to do so.
NOTE: In order to avoid tracer action, COMSEC
Custodians of NASA COMSEC accounts will, upon
receipt of COMSEC material shipped from a
contractor COMSEC account, send a copy of the
SF 153 to NSA (Y-131) as well as to the NASA COR.
c. Nonroutine Disposition of COMSEC Material. Remove
accountable COMSEC material that is lost,
compromised, or inadvertently destroyed, from a
COMSEC account only with the specific written
approval of the NASA COR.
7. Military Department Accounting Headquarters
a. Army Accounting Headquarters:
Commander
U.S. Army Communications Electronics Command
Communications Security Logistics Activity
ATTN: SELCL-NICP-OR
Fort Huachuca, AZ 85613
b. Navy, Marine, and Coast Guard Accounting
Headquarters:
Director
COMSEC Material System
3801 Nebraska Avenue, NW
Washington, DC 20390
c. Air Force Accounting Headquarters:
Headquarters
U.S. Air Force Cryptologic Support Center
ATTN: MMIA
San Antonio, TX 78243
Verify Air Force standard logistics system account
numbers and shipping addresses by calling
(512) 925-2771.
8. Packaging COMSEC Material
a. Securely package classified COMSEC material for
shipping in two opaque wrappers with no indication
of the classification on the outside wrapper. Use
packaging material strong and durable enough to
provide secure protection while in transit,
prevent items from breaking through the container,
and facilitate detecting tampering with the
container. Mark each wrapper with the "TO" and
"FROM" addresses. The outer wrapper must never
carry identification of the contents that directly
discloses a cryptographic or COMSEC association
(e.g., a system indicator, the acronym "TSEC,"
etc.). Instead, label the crate or outer wrapper
with the short title of the equipment, less the
"TSEC" designation, followed by the accounting
number (e.g., KW-59/101) to identify the contents.
Identify assemblies, ancillary devices, elements,
and subassemblies shipped individually by short
titles, accounting numbers, and the short titles
of the equipment in which the items are to be
used. Identify items not accountable by
accounting number by short title and quantity.
Figure 7 provides examples of COMSEC material
identification markings. Ensure that the markings
on the crate or outer wrapper identifying the
COMSEC material within agree with the accompanying
"COMSEC Material Report" (SF 153). When material
is to be hand-carried, a briefcase, pouch, or box
is an appropriate outer wrapper. Specialized
shipping containers for COMSEC equipment, such as
locked and twice-banded repair kits, may be
considered the outer wrapper.
b. Mark the inside wrapper of classified
cryptographic material with the designator
"CRYPTO" and the classification. If the shipment
contains keying material designated for "U.S. Use
Only," mark the inner wrapper with the remark
"SPECIAL HANDLING REQUIRED, NOT RELEASABLE TO
FOREIGN NATIONALS." If the shipment contains
keying material that is releasable, mark the inner
wrapper with the remark "SPECIAL HANDLING
REQUIRED, FOR U.S. AND SPECIFIED ALLIES ONLY."
Mark the inside wrapper of all accountable COMSEC
material with the notation "TO BE OPENED ONLY BY
THE COMSEC CUSTODIAN." If the classified material
is an internal component of an unclassified
packable equipment, the outside equipment shell
may be considered as the component's inner
wrapper; that is, only one additional wrapper is
required.
c. Mark all transfer reports and other forms covering
an individual DCS shipment with the individual
shipment control number; affix the reports to the
inner wrapper of the package. NOTE: Do not place
the transfer report inside the sealed container
with the COMSEC material because this defeats the
purpose of marking the short title and accounting
numbers on the outside of the container. For
multiple package shipments, number each container
beginning with package Number 1, followed by a
slash and the total number of packages making up
the shipment (e.g., for a shipment consisting of
three packages, the first box would be marked 1/3;
the second one marked 2/3; and the third (last)
one marked 3/3). Affix the shipping document (SF
153) to the inner wrapper of the first package of
multiple package shipments. Do not annotate the
serial package number(s) and transaction number in
the immediate vicinity of DCS control numbers.
d. Package keying material separately from its
associated cryptographic equipment, unless the
application or design of the equipment is such
that the corresponding keying material cannot be
physically separated from it.
e. Securely package CCI equipment in a way that
reveals tampering and guards against damage in
transit. Annotate the equipment designator on the
package. The "CCI" marking may be placed on the
exterior of the package if so requested. Place
the accompanying paperwork in an envelope securely
fastened to the outside of the package and mark
the envelope with the "TO" and "FROM" addresses,
including the account number, without the word
"COMSEC."
f. Wrap unclassified COMSEC material, except keying
material marked CRYPTO, as any other unclassified
material according to packaging requirements of
the agency or activity.
9. Authorized Modes of Transportation. An appropriately
cleared individual may move COMSEC material locally
(e.g., within an Installation). Various modes of
transportation are authorized for COMSEC material. The
authorized mode for each specific type of COMSEC
material is as follows:
a. Shipping Classified Keying Material and Classified
COMSEC Equipment. In time-critical situations, on
a case-by-case basis, the NASA COR, in conjunction
with the appropriate NASA Installation Security
Officer, may approve using commercial passenger
aircraft within the United States to transport
current or superseded keying material as long as
the material is hand-carried by an appropriately
cleared individual and provided that departmental
and Federal Aviation Authority procedures are
followed. This policy does not apply to the use
of NASA-owned and -operated aircraft, which may be
used to transport material within the continental
United States with approval from the Installation
Security Officer. When commercial passenger
aircraft must be used, written courier
authorization is required.
(1) Classified Keying Material. When practical,
limit individual shipments to not more than
three editions or 3 months' supply of a
particular item of keying material (whichever
is the greater amount). This restriction
does not apply to packaged irregularly
superseded materials. The NASA COR may waive
this restriction when material is issued to a
newly established account or in cases where
supply is difficult and the number of
shipments is limited. The NASA COR may
authorize using U.S. Registered Mail to ship
individual editions of CONFIDENTIAL keying
material, provided the material does not at
any time pass out of U.S. citizen control,
and does not pass through a foreign postal
system or any foreign inspection. Do not
send keying material classified SECRET or
higher through the mail without prior
approval of the NASA COR. Except when using
systems specifically designed for electronic
rekeying, transmit operational keying
variables electrically only under emergency
conditions and only when the communications
system provides end-to-end encryption equal
to the classification of the transmitted key
setting, and the key setting does not appear
in plain text anywhere in the communications
path. Under normal conditions, ship
classified keying material only by one of the
following means:
(a) Defense Courier Service (DCS).
(b) Appropriately cleared Government
personnel who have been designated in
writing to act as couriers for
cryptographic material.
(c) U.S. Diplomatic Courier Service.
(d) Appropriately cleared and briefed
contractor personnel who have been
designated in writing by competent
authority to act as couriers, provided
the material is classified no higher
than SECRET. For TOP SECRET keying
material, courier authorization must be
obtained from the appropriate NASA
Installation Security Officer on a
case-by-case basis.
NOTE: Two-person integrity (TPI) controls
must be applied whenever local couriers
transport TOP SECRET keying material from one
location to another. See Chapter 5.
(2) Classified COMSEC Equipment and Components.
Do not ship classified COMSEC equipment and
components in a keyed condition unless the
physical configuration of the equipment makes
segregating the keying material impossible.
For equipment using a Crypto-Ignition Key
(CIK), removing the CIK permits the equipment
to be treated as unkeyed. Ship the CIK
separately from the equipment. Transport
COMSEC equipment and components classified
higher than CONFIDENTIAL by any of the means
identified for keying material, or by a
cleared commercial carrier under Protective
Security Service (PSS). Transport COMSEC
equipment and components classified
CONFIDENTIAL by any of the means specified
above, or any of the following:
(a) U.S. Registered Mail, provided it does
not at any time pass out of U.S. control
and does not pass through a foreign
postal system or any foreign inspection.
(b) Commercial carriers (or U.S. military or
military contractor air service)
provided a continuous chain of
accountability and custody for the
material is maintained while it is in
transit.
(c) U.S. military or military-contractor air
service (e.g., MAC, LOGAIR, QUICKTRANS),
provided the requirements for DoD CSS
are observed.
b. Other Classified COMSEC Material. Transport
classified material, other than keying material
and COMSEC equipment, as follows:
(1) Use one of the methods below to transport
media that embodies, describes, or implements
a classified cryptographic logic, such as
full maintenance manuals, cryptographic logic
descriptions, drawings of cryptographic
logics, specifications describing a
cryptographic logic, cryptographic computer
software, and operating manuals. These items
may not be transported through any postal
system.
(a) Defense Courier Service (DCS).
(b) Appropriately cleared and briefed U.S.
Government, contractor or military
personnel who have been designated in
writing by proper authority to act as
courier for the material.
(2) Use any of the means below to transport media
that does not embody, describe, implement, or
contain a classified cryptographic logic.
NOTE: Using Standard First Class Mail service
is not acceptable for transporting any
classified COMSEC material.
(a) Any of the means authorized in
subparagraph 9a.
(b) U.S. Registered Mail or by a cleared
commercial carrier using PSS for media
classified SECRET.
(c) U.S. Registered Mail or U.S. Postal
Service Certified Mail for media
classified CONFIDENTIAL.
10. Shipping Unclassified COMSEC Material
a. Unclassified Keying Material Marked CRYPTO.
Within CONUS, transport unclassified material
marked CRYPTO by U.S. Registered Mail or
authorized U.S. Government, contractor, or
military personnel. Outside CONUS, use authorized
department, agency, or contractor couriers; U.S.
Diplomatic Courier Service; or the Defense Courier
Service. Where practical, limit shipments of
unclassified keying material marked CRYPTO
transported by courier to no more than three
editions; when shipped by U.S. Registered Mail, no
more than one edition.
b. Shipping Controlled Cryptographic Item (CCI)
Material. Do not transport CCI material in a
keyed condition, unless the equipment is designed
to operate with a permanently installed hard-wired
key. Ship CCI material by the following means:
(1) Within CONUS:
(a) Authorized department, agency, or
contractor courier.
(b) U.S. Registered Mail.
(c) Authorized U.S. Government courier
service (e.g., Diplomatic Courier
Service).
(d) Commercial carrier providing DoD
Constant Surveillance Service (CSS).
Coordinate the shipment with the
Transportation Officer.
(2) Outside CONUS. CCI equipment may be sent by
U.S. Registered Mail if the package will
remain in U.S. mail channels (e.g., mailed to
an APO or FPO address) or be carried by an
individual who has been briefed as a courier.
The courier must be briefed on proper
security procedures and be aware of all
requirements for access and the physical
security of the equipment or materials.
Transportation may be by any means that
permits the courier to maintain continuous
accountability and provide protection against
loss and unauthorized access while in
transit. Where transportation is by
commercial aircraft, the CCI equipment should
be stowed in the cabin where the courier can
maintain constant surveillance. If equipment
bulk will not permit cabin storage or creates
an excessive burden for the courier, CCI
circuit boards may be removed for cabin
storage, and the remainder of the equipment
may be checked as hold baggage. CCI
equipment must not be transported through
countries other than those authorized to
receive the equipment. All incidents of
impoundment, seizure, or loss of CCI
equipment while it is being couriered must be
reported in accordance with Chapter 6 of this
Manual.
c. All other unclassified COMSEC material may be
shipped by any means that will reasonably assure
safe and undamaged arrival at the destination.
Ship unclassified COMSEC items as classified
COMSEC material when an operational need exists to
provide both types of material together.
11. Authorized Modes of Transportation for Controlled
Cryptographic Item (CCI) Equipment and Components
Within CONUS, U.S. Territories and Possessions
a. NSA has noticed an increasing number of reported
incidents (within the COMSEC community) involving
CCI equipment and components being shipped by
improper means. The majority of these incidents
involve either material improperly shipped through
the United States Postal Service (USPS), or
material improperly transported via commercial
carrier within CONUS. They believe this has been
caused by a general lack of understanding of the
proper procedures to be followed. Although
unkeyed CCI equipment and components are not
classified, they do require controls while in
transit. These controls must ensure continuous
accountability of the material.
b. When CCI equipment and components are shipped by
the USPS, Registered Mail must be used. Items
shipped by USPS Registered Mail must not at any
time pass out of U.S. control nor pass through any
foreign postal system. There are, however,
certain restrictions governing the size and weight
of packages that can be shipped via USPS
Registered Mail. These restrictions may preclude
using this service. It is suggested that the
responsible individual check with USPS authorities
to determine whether the package material
qualifies. USPS First Class Mail, Fourth Class
Mail, Parcel Post, Certified Mail, Insured Mail,
and Express Mail are not authorized for shipping
CCI equipment/components.
c. When using commercial carriers to transport CCI
equipment and components, an adequate degree of
physical control and accountability for the
material must be maintained while it is in
transit. However, the small number of commercial
carriers that provide an approved constant
surveillance service (CSS) has greatly restricted
the ability of shipping activities to move CCI
material. Therefore, the existing requirement
that commercial carriers must provide approved CSS
is being modified to allow shipping activities to
use commercial carriers that can satisfy the
requirements set forth below. This change only
applies to shipments within CONUS, U.S.
territories and possessions.
(1) CCI equipment and components may be
transported by any commercial carrier that
warrants in writing to the shipping activity
that it can satisfy all of the following
requirements. The carrier must:
(a) Be a firm incorporated in the United
States that provides door-to-door
service;
(b) Guarantee delivery within a reasonable
number of days based on the distance to
be traveled;
(c) Have a means of tracking individual
packages within its system to the extent
that should a package become lost, the
carrier can, within 24 hours following
notification, provide information
regarding the package's last known
location;
(d) Guarantee the integrity of the vehicle's
contents at all times (e.g., while a
driver is making pickup/delivery stops,
the vehicle must be locked); and
(e) Guarantee that the package will be
stored in a security cage should it
become necessary for the carrier to make
a prolonged stop at a carrier terminal.
(2) In addition to satisfying the above
requirements, the carrier must either:
(a) Use a signature/tally record that
accurately reflects a continuous chain
of accountability and custody by each
individual who assumes responsibility
for the package/shipment while it is in
transit (the carrier may either provide
its own signature/tally record form or
agree to use the DD Form 1907 or Form
AC-10); or
(b) Use an electronic tracking system that
reflects a chain of accountability and
custody similar to that provided by a
manually prepared signature/tally
record. Positive identification of the
actual recipient of the material at the
final destination must be indicated. A
hard-copy printout shall be provided as
proof of service and the printout must
reflect those points, during transit,
where electronic tracking of the
package/shipment occurred.
d. Regardless of the method of transportation
selected, the NASA activity shipping CCI
equipment/components shall provide the receiving
custodian with timely notification of a scheduled
shipment. Preferably, notification should be
provided at least 24 hours prior to the estimated
delivery date. This procedure will help to
readily identify any shipment that might be unduly
delayed or lost en route. It is emphasized that
CCI equipment/components may only be shipped to
authorized activities/contractors and shall be
labeled in a way that will ensure delivery to an
individual who is designated to accept custody of
the material at the contractor facility/activity.
Do not use the individual's name on the delivery
label; rather, use functional designators such as
office symbols or mail station codes. If using a
commercial carrier, the accompanying shipping
documents will provide an emergency telephone
number(s) of an individual(s) authorized to
receipt for the material in the event the carrier
attempts to make delivery during other than normal
duty/work hours.
e. If a shipment of CCI equipment/components has not
been received by the intended recipient within
five working days following the expected delivery
date, the originating shipper's custodian will be
contacted immediately. Unless there is a valid
explanation for the delay, tracer action shall be
initiated on the shipment by the shipping
custodian. If its location cannot be determined,
the CCI equipment/components shall be assumed to
be lost in transit and reported in accordance with
the guidelines provided below.
f. The following types of incidents involving CCI
shipments shall be reported to NSA, ATTN: X71
(COMSEC Incidents), for evaluation. An
information copy shall be forwarded to NASA
Headquarters, Code JIS.
(1) When tracer actions have determined that
CCI equipment/components are lost in transit;
and
(2) Shipments that are received that show
evidence of possible tampering, or
unauthorized access to the CCI
equipment/components.
g. All other incidents involving improper shipment or
handling of CCI equipment/components (e.g., CCI
shipped via certified mail; shipping activity
failed to request signature/tally service; etc.)
shall be considered administrative in nature and
reported in accordance with the guidelines set
forth below. If a commercial carrier is involved,
the name(s) of the carrier(s) shall be included in
the report.
(1) NASA Installations shall report such
incidents to the originator of the shipment
who shall be responsible for any corrective
action. A copy of the report shall also be
provided to NASA Headquarters, Code JIS and
NSA, ATTN: X722, for information purposes
only.
(2) If a NASA contract/memorandum of
understanding is involved, such incidents
will be reported to the originator of the
shipment who shall be responsible for any
corrective action. A copy of the report
shall also be provided to NASA Headquarters,
Code JIS and NSA, ATTN: X722 for information
purposes.
12. Hand Receipts. Formal SF 153 transfers are required
for issuing COMSEC material between COMSEC accounts
unless other special arrangements have been approved by
the NASA COR. Issue material for internal temporary
use via a hand receipt to only properly cleared
personnel.
a. An SF 153 (see Figure 8), the reverse side of Form
L6061 (Figure 3), or equivalent NASA form may
serve as a hand receipt. Before issuing material,
determine that the proposed recipient:
(1) Has the need-to-know, has a COMSEC briefing
as applicable, and has the appropriate
clearance. Clearance or rank does not, in
itself, entitle any individual to have access
to keying material. Each person having
access to keying material must need the
material in the performance of duties and be
familiar with his or her responsibilities for
its protection, use, and disposition.
(2) Will be the actual user of the material
(clerical or other personnel who are not the
user may not sign hand receipts).
(3) Knows the physical security measures
necessary to protect the material, and the
possible consequences of compromise.
(4) Has the physical means to secure and use the
material, commensurate with the
classification of the item. The file safe
should be located in the user's immediate
work area.
b. Advise the proposed recipient:
(1) That COMSEC material issued on hand receipt
shall be signed for and controlled by the
actual user, and he or she is accountable
until the material is returned to the issuing
COMSEC account. Under no circumstances will
the recipient reissue the material to another
individual without the consent of the COMSEC
Custodian/Manager. If the material is needed
by another individual outside the immediate
office of the original recipient, the
material must be returned to the issuing
COMSEC account for reissuance.
(2) Of the physical security measures necessary
to protect the material, and the possible
consequences of compromise.
(3) That the file safe must be located in the
recipient's immediate work area.
(4) That pages are not to be removed from basic
documents. Reproduction authorization of a
document in whole or in part is contained in
the handling instructions (usually the front
cover) of each document produced.
(5) That a user is relieved of responsibility for
material received on a hand receipt when the
material has been returned to the issuing
COMSEC Custodian and the original copy of the
hand receipt (SF 153) is given to the user,
or when the Custodian initials and dates the
reverse side of Form L6061 or an equivalent
form, as appropriate.
(6) That any accountable COMSEC item issued on a
hand receipt must be returned to the issuing
COMSEC Custodian before the individual is
transferred, reassigned, or absent for more
than 30 days.
(7) That any possible compromise, access by
unauthorized persons, or violation of
security regulations affecting the material
(user cannot locate or suspects document was
borrowed) must be reported to the issuing
COMSEC Custodian immediately.
(8) That the recipient's signature on the hand
receipt certifies his or her understanding of
the above handling requirements.
c. Semiannually review hand receipts for accuracy and
update as necessary.
13. Possession Reports
a. Prepare possession reports under the following
circumstances:
(1) When COMSEC material is received without
accompanying transfer reports.
(2) When reporting conversion of COMSEC material.
(See subparagraph 204.14.)
(3) When COMSEC material was previously lost or
removed from accountability, but subsequently
recovered.
(4) When a new COMSEC Custodian is appointed
because of the sudden permanent departure or
unauthorized absence of the COMSEC Custodian.
When the holdings of the COMSEC account are
large, a preprinted inventory may be
requested from the NASA COR for this purpose,
and the properly completed inventory with a
notation explaining the circumstances may
serve as the possession report.
(5) When a document with a TSEC nomenclature that
requires control in the COMSEC Material
Control System is originated or reproduced.
b. To submit a possession report, prepare an SF 153
(see Figure 9) and enter appropriate remarks below
the "NOTHING FOLLOWS" line, citing the reason for
the report. Forward the signed original copy to
the NASA COR and retain a signed duplicate copy
for file. When COMSEC material is received
without an accompanying transfer report, forward a
signed copy of the possession report to the
shipping COMSEC account, if known, and to the
Military Department Accounting Headquarters, if
applicable.
14. Converted COMSEC Material. When it is necessary to
convert the short title and/or accounting number of an
item of COMSEC material, report the conversion to the
NASA COR so that accounting records may be properly
adjusted. A conversion can result from major
modification of an equipment requiring the equipment to
be redesignated (e.g., TSEC/KL-60, redesignated as
TSEC/KL-60A). Report a conversion by simultaneously
submitting a possession report and a destruction report
prepared on SF 153's. On the possession report, list
the item by its new short title and accounting number,
and include a remark referencing the associated
destruction report. On the destruction report, list
the previous short title and accounting number, and
include a remark that the destruction is for record
purposes only and reference the associated possession
report. Forward one signed copy of each report to the
NASA COR, and retain one signed copy of each report for
file.
15. Inventory Report
a. Preprinted inventories are issued semiannually by
the NASA COR and reflect all accountable COMSEC
material charged to the account as of the date the
report was printed. Conduct 100 percent physical
(sight) inventories and return inventory reports
to the NASA COR no later than 10 days after
receipt. Hold inventories forwarded in
preparation for an audit at the account until the
auditor arrives. Upon arrival, the auditor and
COMSEC Custodian will jointly conduct the
inventory.
b. Conducting the Physical Inventory. Conduct a
physical (sight) inventory of all accountable
COMSEC material held by the account, and all
material issued on hand receipts, with the
Alternate Custodian or another properly cleared
witness. The following additional procedures
apply when conducting the semiannual physical
inventory:
(1) Assume COMSEC equipment in use to contain all
the required subassemblies and elements, so
it need not be opened for semiannual
inventory purposes.
(2) Check implemented protective technology for
possible signs of tampering before the
equipment will be used operationally.
Inventory equipment that remains in sealed
shipping cartons against the marking on the
outer wrapper or crate identifying the
contents, and inspect each carton for
evidence of tampering.
(3) Inventory COMSEC material that is unit packed
by the label affixed to the exterior of the
package. Inspect each unit package for
evidence of tampering.
(4) COMSEC publications need not be page checked
at the time of the semiannual inventory.
(5) Do not use the preprinted inventory as a
checklist when conducting the inventory.
c. Completing the Inventory. Compare the results of
the physical (sight) inventory against the
preprinted inventory. Resolve any discrepancies
that exist by comparing the preprinted inventory
against the COMSEC Register File. Give particular
attention to additions to, or deletions from, the
account made close to the date of the report,
since these transactions may not be reflected in
the inventory. Update the report by deleting an
item or supplementing the report with an SF 153.
(1) Line out in ink each item to be deleted from
the inventory (erasures are not authorized).
Provide complete details to support the
deletion in the "remarks" column opposite the
item. If the item was transferred, include
the receiving account number, the outgoing
transfer number, the transfer report date and
the Custodian's initials. If the item was
destroyed, provide the date, transaction
number, and initial the entry. Attach a copy
of the referenced SF 153 reports to the
inventory report.
(2) Items listed on the preprinted inventory, but
not physically sighted will be lined out and
the appropriate paperwork attached (i.e.,
Transfer or Destruction Reports).
(3) When material held is not listed on the
inventory, list the material on an SF 153,
appropriately classified, signed by the same
individuals signing the inventory, and attach
as a supplement to the preprinted report.
Annotate the SF 153 below the "NOTHING
FOLLOWS" line to indicate for each item the
name and account number of the sender; the
incoming transaction number and date; and/or
details, as appropriate, to support the
supplement. Assign the same transaction
number to the supplement to the preprinted
inventory as that given to the inventory
report (see Figure 10a in Appendix E). When
all the material to be put on the supplement
is from a complete shipment received on an
individual SF 153, do not list the material
on the supplemental SF 153. Instead, enclose
the supporting SF 153 with the report,
annotate the supplemental SF 153 report "See
attached SF 153," and list the transaction
number and date of receipt.
(4) During the course of updating the preprinted
inventory, review each item on the inventory
to determine if the material is still
required. If any material is found to be no
longer needed, place a remark to that effect
in the "Remarks" column opposite each item.
(5) When the preprinted inventory has been
reconciled to agree with the account's actual
holdings, the Custodian and witness will sign
and date the certification on the preprinted
inventory and any supplemental SF 153s.
Indicate the number of supplemental forms in
the space provided in the Custodian's
certification block; if no supplement was
created, mark "NONE." Then make a final
review of the inventory, ensuring that any
deletions or additions are fully documented
and that the certification blocks are signed
and dated. Forward the original preprinted
inventory, along with any supplemental SF
153's, to the NASA COR, and retain a copy of
these, along with all working papers used in
performing the physical inventory, for file.
d. When the certified inventory is received by the
NASA COR, it will be reconciled with the COR
records. The COR will respond only if
discrepancies are noted. If the account is cited
with any discrepancy, take corrective action
within 48 hours of being notified, advise the NASA
COR of the action taken, and submit to the COR any
substantiating reports required.
e. Change of COMSEC Custodian Inventory. Accomplish
the inventory required upon change of COMSEC
Custodian as prescribed in paragraph 201.10.
Complete this inventory before the outgoing
Custodian departs, and account for all
transactions so that the completed inventory
reflects that material actually held by the
account on the date of the changeover.
f. Special Inventories. Conduct a special inventory
when directed by the NASA COR or other competent
authority, or if loss of COMSEC material is
suspected or frequent deviations from accounting
procedures are found. Record special inventories
on an SF 153. Do not forward the report to the
NASA COR unless requested by the NASA COR or
unless the authority directing the special
inventory desires that the NASA COR verify its
accuracy.
g. Negative Inventories. When a COMSEC account does
not hold accountable COMSEC material, the COMSEC
Custodian and a witness (usually the Alternate
COMSEC Custodian) should sign the negative
inventory, certifying that the account does not
hold accountable COMSEC material. COMSEC accounts
will continue to receive semiannual inventories
until a requirement for the COMSEC account no
longer exists, and the COMSEC account is formally
closed. If the COMSEC account has received or
still holds accountable COMSEC material when a
negative preprinted inventory is received,
supplement the inventory to reflect the
accountable COMSEC material held by the COMSEC
account.
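The comparison in subparagraph 15c, worked through as an added Python example (not part of NHB 1600.6): listed items that were not sighted are lined out only when the COMSEC Register File holds a transfer or destruction entry, and held items that are not listed go on a supplemental SF 153 or, when no incoming transfer report exists, a possession report under subparagraph 13a(1). The record layout, function names, and sample items are constructed for illustration.

```python
"""Reconcile a sight inventory with a preprinted inventory (added example)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Item:
    short_title: str
    edition: str
    acct_no: str  # accounting number of the individual item


@dataclass(frozen=True)
class Txn:
    """One COMSEC Register File entry (hypothetical record layout)."""
    kind: str                # "transfer_out", "destruction" or "receipt"
    item: Item
    txn_no: str
    txn_date: date
    other_account: str = ""  # receiving account (transfer) or sender (receipt)


def _latest(register, kinds):
    """Map each item to its most recent register entry of the given kinds."""
    found = {}
    for txn in sorted(register, key=lambda t: t.txn_date):
        if txn.kind in kinds:
            found[txn.item] = txn
    return found


def _key(item):
    return (item.short_title, item.edition, item.acct_no)


def reconcile(preprinted, sighted, register):
    """Return the actions needed to make the preprinted inventory match holdings.

    `sighted` must come from an independent count; the preprinted list is
    compared afterwards and never used as the checklist.
    """
    preprinted, sighted = set(preprinted), set(sighted)
    removed = _latest(register, {"transfer_out", "destruction"})
    received = _latest(register, {"receipt"})
    result = {"line_out": [], "supplement": [],
              "possession_report": [], "unresolved": []}

    # Listed but not sighted: line out only with supporting paperwork.
    for item in sorted(preprinted - sighted, key=_key):
        txn = removed.get(item)
        if txn is None:
            # No transfer or destruction report on file, so the item cannot
            # be lined out; it stays open for the Custodian to investigate.
            result["unresolved"].append(item)
        elif txn.kind == "transfer_out":
            remark = (f"Transferred to {txn.other_account}, "
                      f"transfer {txn.txn_no}, {txn.txn_date}")
            result["line_out"].append((item, remark))
        else:
            remark = f"Destroyed {txn.txn_date}, transaction {txn.txn_no}"
            result["line_out"].append((item, remark))

    # Held but not listed: supplemental SF 153, or a possession report when
    # the material arrived without a transfer report.
    for item in sorted(sighted - preprinted, key=_key):
        txn = received.get(item)
        if txn is None:
            result["possession_report"].append(item)
        else:
            remark = (f"From {txn.other_account}, "
                      f"transaction {txn.txn_no}, {txn.txn_date}")
            result["supplement"].append((item, remark))
    return result


# Constructed sample data: short titles, numbers and accounts are invented.
A = Item("SAMPLE-KEY-1", "A", "101")   # listed and sighted
B = Item("SAMPLE-KEY-1", "B", "102")   # transferred after the print date
C = Item("SAMPLE-PUB-7", "C", "55")    # destroyed after the print date
D = Item("SAMPLE-KEY-2", "A", "301")   # listed, not sighted, no paperwork
E = Item("SAMPLE-KEY-2", "B", "302")   # received after the print date
F = Item("SAMPLE-EQP-9", "-", "7")     # held, no transfer report on file

PREPRINTED = [A, B, C, D]
SIGHTED = [A, E, F]
REGISTER = [
    Txn("transfer_out", B, "T-0012", date(1993, 4, 28), "ACCT-0002"),
    Txn("destruction", C, "D-0004", date(1993, 4, 29)),
    Txn("receipt", E, "R-0031", date(1993, 4, 30), "ACCT-0003"),
]

if __name__ == "__main__":
    for action, entries in reconcile(PREPRINTED, SIGHTED, REGISTER).items():
        print(action, entries)
```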
16. Destruction. Chapter 7 contains routine destruction
procedures and requirements, as well as destruction
methods and minimum standards that ensure that COMSEC
material is adequately destroyed.
a. Except as authorized by Chapter 7, COMSEC material
is routinely destroyed by the COMSEC Custodian and
witnessed by the Alternate COMSEC Custodian.
Verify the short title, edition designation, and
accounting number, if any, of each item
immediately before destruction. Verify equipment
and complete page checks according to paragraph
204.4h, no earlier than 48 hours prior to
scheduled destruction.
b. Because destroying the wrong item can result in a
possible compromise, take extreme care to ensure
that the correct COMSEC material is destroyed and
that the destruction report is completely accurate
(preparing the destruction report SF 153 before
destruction and using it as a check list will
help).
c. Prepare a destruction report (see Figure 11 in
Appendix E) for both classified and unclassified
accountable COMSEC material. Review completed
use/disposition records to ensure that all
settings were used and properly recorded. Then
prepare the destruction report and forward one
copy to the NASA COR. Enter the authority for
destruction in the "Remarks" column or below the
"NOTHING FOLLOWS" line (e.g., Superseded by
KAM-220B; residue of Amend 2 of KAM-212; letter from
controlling authority, dated January 1, 1982).
Place the following remark below the "NOTHING
FOLLOWS" line on the SF 153 only when the material
was actually destroyed by an individual other than
the COMSEC Custodian (or in his or her absence,
the Alternate): "The official records in my
possession indicate that the above listed item(s)
have been properly destroyed by duly authorized
individuals." Forward the signed and properly
witnessed original copy of the destruction report
to the NASA COR no later than the 16th of each
month (no exceptions are authorized) and retain
the signed duplicate copy for file (see Chapter
7). However, if used or superseded material is
not held, negative reports are not required.
17. Accounting for and Entering Amendments to COMSEC
Publications
a. Message Amendments. A message amendment is used
to announce information that must be immediately
entered in a COMSEC publication. After posting
the amendment and noting the entry on the "Record
of Amendments" page, destroy classified message
amendments. Do not report the destruction of
message amendments to the NASA COR.
b. Printed Amendments. Account for printed
amendments as COMSEC publications until they have
been posted, the residue destroyed, and the
destruction reported to the NASA COR. Since
printed amendments (ALC-1 through ALC-3) are
accountable, and will reflect on inventories,
provide an SF 153 Destruction Report to the NASA
COR to remove them from the account after they
have been posted to the basic documents. Take
care when preparing the SF 153 to report the short
title, edition, and accounting number of the
amendment, and not that of the basic document.
c. Posting the Amendment. Post amendments as soon as
possible after receipt or effective date to keep
the basic publication current. The following
guidance is to help avoid errors that commonly
occur when posting amendments:
(1) Untrained personnel will not post amendments.
(2) Read and understand the specific instructions
contained in the letter of promulgation or
handling instructions before posting. Post
the entire amendment at one time; do not
extend over a period of time.
(3) If replacement pages are included in the
amendment, page check both the basic
publication and the residue of the amendment
before destroying the residue. Inadvertently
destroying effective portions of documents
together with residue from amendments is a
major cause of COMSEC material security
violations.
(4) Note the amendment was posted on the "Record
of Amendments" page, and, if pages were added
to or removed from the publication, date and
sign the "Record of Page Checks" page.
(5) If the amendment is posted by an individual
other than the COMSEC Custodian, return all
residue of the amendment, including any pages
removed from the basic publication, to the
COMSEC Custodian for destruction.
(6) To preclude loss, place any residue of an
amendment that is being held pending
destruction in a sealed envelope marked with
the short title, accounting number, and
classification of the amendment. Destroy the
residue within 5 days after entering the
amendment.
18. Accounting for COMSEC Material Launched into Space.
Accountable COMSEC material launched into space aboard
expendable vehicles or in shuttle deployed payloads is
normally considered unrecoverable. COMSEC equipment
installed aboard shuttle vehicles does not fall into
this category. Take the following steps to remove
unrecoverable COMSEC material from accountability
records at the NASA COR:
a. Prior to launch: Strip TSEC nomenclature
nameplates and any other markings from
cryptographic equipment and keying elements at the
time equipment is installed in a payload.
Unclassified photographs that show COMSEC
equipment installation in the payload will be
made. Keep nomenclature nameplates and
photographs with COMSEC accounting paperwork until
after launch or certain destruction of the space
vehicle.
b. Following the launch: Complete a destruction
report as described in subparagraph 204.15c.
Below the "NOTHING FOLLOWS" line include the date
of launch, identify the launch vehicle, briefly
explain events, and request that COR
accountability be dropped because of launch. Attach
equipment nomenclature nameplates and forward the
report to the NASA COR. The COMSEC Custodian will
retain a copy of nomenclature nameplates and
photographs with COMSEC accounting paperwork as
part of official records. Classify any
correspondence associating COMSEC equipment use
aboard space vehicles, except shuttle vehicles, at
the minimum level of CONFIDENTIAL.
c. With today's technology, recovery from space is
possible. When COMSEC materials are recovered
from space, the receiving COMSEC Custodian will
file a Possession Report in accordance with
subparagraph 204.12. Because nomenclature
nameplates will not be attached to recovered
cryptographic equipment, the Possession Report
must identify the spacecraft from which the
equipment was recovered and must reference the
Destruction Report that removed the material from
accountability following launch. The receiving
COMSEC Custodian may be required to coordinate
this action with the losing Custodian if the
spacecraft was launched from a location other than
the receiving Custodian's. This information will
allow the NASA COR to positively identify and
properly track recovered COMSEC materials.
205 AUDIT OF COMSEC ACCOUNTS
1. Basis. NASA COMSEC accounts will be audited by the
NASA COR at least every 24 months on an announced basis
and/or as deemed necessary based on the following
factors:
a. Size of the COMSEC account and volume of
transactions.
b. Frequency of COMSEC Custodian changes.
c. Classification and sensitivity of the COMSEC
material held.
d. Frequency of deviation from COMSEC accounting
procedures.
2. Notification. Prior notice may or may not be provided
when a COMSEC account has been selected for an audit
other than the regularly scheduled audit.
3. Auditor Access. The auditor will have access to all
accountable COMSEC material held by the NASA COMSEC
Account. The auditor will present proper
identification prior to gaining access to the COMSEC
account.
4. Scope of the Audit. The audit of a COMSEC account will
include the following actions:
a. Verifying the completeness and accuracy of COMSEC
accounting reports and files.
b. Determining the COMSEC Custodian and Alternate
COMSEC Custodian's knowledge of and adherence to
the provisions of this Manual.
c. A review of all procedures related to the control
and safeguarding of COMSEC material.
d. Physically sighting all accountable COMSEC
material.
e. Verifying compliance with packaging, marking, and
shipping procedures.
f. Soliciting any problems encountered by the COMSEC
Custodian in maintaining the account.
g. Recommendations for improving local COMSEC
accounting and control procedures.
h. A cursory inspection of implemented protective
technologies.
i. Verification of current COMSEC briefings for
contractor personnel who have access to COMSEC
material.
5. Audit Report. After completing the audit, the auditor
will notify the COMSEC Custodian and consult with the
Installation Security Officer regarding any situation
requiring immediate action and will conduct an exit
interview with the Custodian's supervisor. A formal
report of audit outlining any discrepancies noted
during the audit, the condition of the COMSEC account,
and any recommendations for improvement will be
included as an appendix to the Functional Management
Review Report. When serious deficiencies are found, a
Certificate of Action Statement will be submitted
independently to the COMSEC Custodian. All actions
required in the report must be completed within 10
working days after the report is received.
206 CLOSING A COMSEC ACCOUNT
When it has been determined that a COMSEC Account should
be closed because it no longer is required and all COMSEC
material has been properly disposed of and no discrepancies
exist, submit a formal written request to the NASA COR. The
NASA COR will notify the element/activity in writing that
the COMSEC account has been closed and the appointments of
the COMSEC Custodian and Alternate(s) have been terminated.
Dispose of COMSEC accounting records and files according to
paragraph 204.15.
CHAPTER 3: CONTROLLING AUTHORITIES
300 GENERAL
This Chapter applies to organizations within NASA that own,
hold, or use classified or CCI equipment, and it only
addresses "hard copy" keys (i.e., physical keying material
such as printed key lists, punched key tapes, etc.). "Soft
keys" in electronic form are often employed in newer
cryptographic equipment for key updating and similar
functions, and are addressed in the operating instructions
for the particular equipment.
301 KEYING MATERIAL SOURCE
Keying material is produced and provided by the NSA.
Equipment operating in a cryptonet must have compatible
keying material to be able to correctly encrypt and decrypt
communications. To manage establishing a cryptonet, and to
ensure the correct keying materials are provided to each
member of the cryptonet, a controlling authority is
designated to manage the operation of the cryptonet and the
associated keying material.
302 ESTABLISHING THE CRYPTONET AND DESIGNATING THE CONTROLLING
AUTHORITY
Whenever a new cryptonet is established, a controlling
authority must be designated to oversee and manage the
operational use and control of keying material.
1. The lead NASA Government element (e.g., project office
or circuit demander) is responsible for initiating the
request to establish a cryptonet and performing
controlling authority functions, and coordinates with
the local security office and COMSEC Custodian to
submit a brief written proposal to the NASA COR.
2. When no lead Government office is identified, contact
your Installation Security Office or the NASA COR for
technical advice. For electronically generated key,
the element that directed the key generation performs
the controlling authority functions unless those
functions are specifically delegated to another
organization.
3. Include controlling authority designation by name in
the proposal.
4. A controlling authority must be a member of the
cryptonet and as controlling authority have authority
over the other members; i.e., all net members,
including net members from other agencies or
departments, must abide by any direction given to the
net by the controlling authority. The controlling
authority must have the expertise to perform essential
management functions described in this Chapter, and
must have the means to communicate securely with
cryptonet members (preferably redundant means) and must
be in a position to monitor the status of the
cryptonet; i.e., to identify problems or receive
adequate information about net problems.
5. Controlling authority designation must be made early in
the process of establishing a cryptonet, since this is
the first step in obtaining the keying material
necessary for net operations.
6. All cryptonet proposals and controlling authority
designations are subject to review and validation by
the NASA COR.
7. All cryptonet members, appropriate distribution
authorities, the NASA COR, and the NSA must be notified
of all controlling authority designations and changes.
303 NASA CONTRACTORS CURRENTLY DESIGNATED AS CONTROLLING
AUTHORITIES
Where contractors currently perform this function, the
lead Government office in coordination with the local
security office will designate a U.S. Government Civil
Servant to ensure that controlling authority functions
of the contractor are being performed adequately.
304 CONTROLLING AUTHORITY RESPONSIBILITIES
The controlling authority for a cryptonet has
responsibilities in three broad categories: cryptonet
management, evaluating COMSEC incidents, and reacting to
keying material compromises or suspected compromises.
1. Cryptonet Management. To manage the cryptonet
effectively, maintain accurate records in sufficient
detail to assess the impact of, and to recover from, a
compromise. Direct communication with cryptonet
members is authorized. Cryptonet management includes:
a. Designating and maintaining a record of cryptonet
members and the quantity of key each is authorized
to hold. Know the identity of all cryptonet
members, the problems users may be experiencing
with the keying material, the distribution
authorities that support the holders of the
material, and the most expeditious ways of
promulgating supersession and other emergency
information to all holders of the keying material.
b. Coordinating the establishment of a cryptonet and
the logistic support for the net, by advising
appropriate distribution authorities, the NASA
COR, and the NSA, Y13, of the COMSEC accounts that
will be issued keying material and the number of
copies to be issued.
c. Coordinating with distribution authorities to
ensure timely resupply of keying material.
(1) When user accounts have only a 2-month supply
of key remaining, promptly ascertain the
status of follow-on material; and
(2) If user accounts cannot be ensured of
resupply before the remaining key is
expended, direct users to implement the
longest authorized cryptoperiod extension for
each remaining key setting (see subparagraph
e, immediately following). If the extension
is insufficient, report by initiating a
message at the IMMEDIATE precedence to the
NASA COR and the NSA, X72 and Y13, so that
contingent arrangements can be made. Include
in the message the short title and number of
net members; describe the type of operations
(i.e., full- or part-time, etc.); and explain
the necessity for the cryptoperiod extension.
NOTE: When time is of the essence, controlling
authorities may verbally request emergency cryptoperiod
extensions from the NSA, X72. When authorization is
given verbally, take immediate action; do not wait for
message documentation. Net members must abide by all
verbal instructions relayed by the controlling
authority.
d. Whenever necessary, authorizing cryptoperiod
extensions of manual crypto systems up to 72 hours
and auto-manual and machine crypto systems up to 1
week, unless the specific crypto system doctrine
prohibits such extension or authorizes a longer
cryptoperiod extension. In cases of conflict,
crypto system doctrine takes precedence.
Controlling authorities must inform the NASA COR,
but are not required to report these extensions to
the NSA.
e. Net members can extend cryptoperiods up to 2
hours to complete a transmission or conversation
in progress at key change (HJ) time. Controlling
authority approval is not required and net members
are not required to report these extensions.
f. Specifying the date the first edition of keying
material becomes effective and the effective dates
of remaining material, designating contingency
editions, and informing cryptonet members,
appropriate distribution authorities, the NASA
COR, and the NSA, Y13. The controlling authority
sends an activation message when material is in
place throughout the new cryptonet. NOTE: For
classified keying material, the effective dates
are classified CONFIDENTIAL.
NOTE: Supersession rates are established by the NSA,
based on security, operational need, and
production/resupply constraints. Except in
emergencies, controlling authorities cannot change
supersession rates.
g. Knowing the operations and operational
requirements supported by the cryptonet, proper
use of the key, and being familiar with the
operation and capabilities of the associated
equipment.
h. Specifying key change time for the cryptonet when
the time is not prescribed in the keying material.
The time selected for key change must be
consistent throughout the cryptonet and be chosen
to have the least operational impact.
i. Notifying all net members, appropriate
distribution authorities, the NASA COR, and the
NSA, Y13, of any changes in net configuration, or
keying material status.
j. Authorizing electronic generation and distribution
of key (except that key encryption key (KEK) must
be physically distributed), physical transfer of
key in a common fill device, or local reproduction
of key in situations where established channels
cannot supply the material in time to meet urgent,
unprogrammed, operational requirements. Ensure
that reproduced material is kept to the minimum
amount essential, and is properly classified,
controlled, and destroyed in the same manner as
the original keying material. If reproduction of
the same material is authorized routinely,
increase the copy count of that material instead.
k. Approving the number of extracts of keying
material that may be issued to a user at any one
time, except where specified in the material.
NOTE: Issuing extracts of protectively packaged keying
material defeats the purpose of protective packaging,
and increases the vulnerability of the key. Always
issue protectively packaged keying material as entire
editions, except where operational necessity precludes
such issue.
l. Reporting COMSEC incidents according to Chapter 6
of this Manual.
m. Ensuring that COMSEC incident reporting
instructions (Chapter 6) are disseminated to all
cryptonet members (with special emphasis on how
and where to send incident reports).
n. Establishing procedures to ensure that all holders
of the cryptonet key can be contacted with minimum
delay in an emergency (i.e., maintain a current
list of all holders with up-to-date telephone
numbers and correct message addresses).
o. Reporting defective keying material according to
paragraph 309.
p. Ensuring that COMSEC accounts supporting cryptonet
members have enough material on hand for regular
and emergency supersession, but not too much
material, which negatively affects security,
storage, bookkeeping, etc.
(1) User COMSEC account inventories should
generally not exceed 4 months' supply of
monthly superseded material, including
effective material.
(2) A minimum of one backup edition of keying
material must be held at the user COMSEC
account regardless of the normal cryptoperiod
length.
q. Conducting annual reviews to confirm that the
requirement for the cryptonet keying material
continues, and verifying the quantity, quality,
and operational effectiveness of that material.
This review will normally be conducted as an
annual update of the Keying Material Support Plan
(see paragraph 305).
2. Evaluating COMSEC Incidents. Controlling authorities
must ensure that COMSEC incidents involving the keying
material under their control are reported properly and
evaluated rapidly. As stated in Chapter 6 of this
Manual, the controlling authority must sometimes
determine if a COMSEC incident has resulted in an
insecurity, and the appropriate recovery measures to
take. Each incident is different, so each case must be
evaluated independently. COMSEC incident evaluation is
often a subjective process, even when all pertinent
facts are available. While it is not possible to
discuss all types of COMSEC incidents that controlling
authorities may be called upon to assess, the following
guidance will enable controlling authorities to
effectively evaluate the most commonly encountered
incidents. Controlling authorities may contact the
NASA COMSEC Manager for assistance with evaluating
incidents.
a. The following steps are involved in making an
evaluation:
(1) Be familiar with requirements of Chapter 6.
(2) Gather the facts.
(3) Determine the probability of compromise or
loss of the cryptographic system, keying
material, etc.
(4) Determine the type and amount of information
that may have been compromised because of the
incident, and ensure that appropriate
officials are notified so they can take
action to limit the damage caused by actual
or potential loss of the information.
(5) Consider the various options for actions to
avoid or reduce damage caused by the COMSEC
incident (e.g., superseding key).
(6) Direct corrective action implementation.
b. When an incident report is received for
evaluation, if the facts reported are not
adequate, request additional information from the
reporting organization. Specify as much as
possible the additional information required.
c. Keying material discovered to be lost or
temporarily out of prescribed control, or found in
an unauthorized location, is considered
compromised. For instance, keying material that
was lost and later recovered, but for which
continuous secure handling cannot be verified, is
considered compromised.
d. Unauthorized access to keying material is
considered a compromise.
(1) Keying material exposed to casual view by
unauthorized U.S. personnel under
circumstances where copying, photographing,
or memorizing would be difficult is
considered compromise improbable.
(2) Keying material accessed by unauthorized U.S.
personnel under circumstances where a
reasonable opportunity existed to copy,
photograph, or memorize key is considered a
compromise.
(3) Keying material exposed to view by
unauthorized foreign personnel is considered
a compromise unless substantial evidence
suggests no compromise occurred (i.e., the
circumstances effectively precluded the
possibility the keying material was copied,
photographed, or memorized).
e. Unauthorized absence of personnel who have access
to keying material is considered compromise
improbable unless evidence suggests defection,
theft, or loss of keying material. When someone
who has had access to keying material is
officially reported as absent without
authorization, all cryptographic equipment, key
and other materials to which the person could have
had access must be inventoried. If evidence
suggests theft or loss of keying material, or
defection of personnel, consider the material
compromised and initiate emergency supersession at
the earliest practical time.
f. Controlling authorities should be conservative
when evaluating incident reports involving keying
material. Key may be stolen, copied,
photographed, changed, or substituted in a very
short period if material is not under proper
control.
g. Time Limits for Evaluating COMSEC Incidents.
COMSEC incident reports must be evaluated within
the time limits specified below. Time limits
begin when the initial report, or amplifying
report if the initial report does not contain
sufficient information to permit an evaluation, is
received. Solicit any additional information
required to make an evaluation.
(1) If the initial report is sent at IMMEDIATE
precedence, the action official must provide
a response/evaluation within 24 hours.
Report and evaluate the following types of
COMSEC incidents at IMMEDIATE precedence:
(a) Currently effective keying material or
keying material scheduled to become
effective within 15 days.
(b) Defection, espionage, hostile cognizant
agent activity, clandestine
exploitation, tampering, sabotage, or
unauthorized copying, reproduction, or
photography.
(2) If the initial report is sent at PRIORITY
precedence, the action official must provide
a response/evaluation within 48 hours.
Report and evaluate the following types of
COMSEC incidents at PRIORITY precedence:
(a) Future keying material scheduled to
become effective beyond the next 15
days.
(b) Superseded, reserve, or contingency
keying material.
(3) If the initial report is sent at ROUTINE
precedence, the action official must provide
a response/evaluation within 72 hours.
Assign ROUTINE precedence to an initial
report of any COMSEC incident not covered
above.
3. Reacting to Incidents. Cryptographic equipment is
designed so that security depends primarily on the
changing keys used to encrypt and decrypt information.
When evaluating incidents, then, corrective actions fall
into different categories: one for equipment and other
materials that do not change, and another for keying
materials.
a. Incidents involving cryptographic equipment and
related materials other than keying material
require corrective followup actions focused on
preventing a recurrence of the incident, although
certain cases, such as suspected tampering with a
cryptographic device, may merit special actions
(e.g., notifying the NSA so that a technical
evaluation may be made). The evaluation response
should center on informing appropriate
organizations (e.g., for lost CCI equipment,
ensure that the accountability requirements to a
COR are addressed), and correcting the problems
that allowed or caused the incident to happen.
b. Where substantial evidence suggests that keying
material has been compromised, take immediate
action. Ideally, announce precautionary
supersession and direct early implementation of
uncompromised future material. Report
supersession immediately to the appropriate
distribution authorities and the NASA COR so that
resupply action may be taken, replacement material
produced, and status documents corrected.
(1) If superseded or effective keying material
has been compromised, then by extension,
assume that all information encrypted using
that keying material has been compromised.
Direct reviews of record traffic encrypted
with the compromised keying material when
warranted. Notify appropriate officials so
they may take action to minimize damage
caused by actual or possible disclosure of
information.
(2) If future keying material (not yet used) has
been compromised, then take steps to avoid
its use and replace it with keying material
that has not been compromised.
(3) The decision to supersede a current or future
edition of keying material in an emergency
must take into account the time required to
notify all cryptonet members, the number of
editions held at cryptonet member COMSEC
accounts, the ability to acquire replacement
editions, and the time required for members
to implement the new key. Coordinate all
emergency supersession actions with the NSA,
Y1, so replacement materials may be produced
and shipped.
c. Direct the net to implement emergency or spare key
settings when keying materials provide such spare
settings.
d. Direct early implementation of uncompromised
future editions of keying material.
e. The following options are available to controlling
authorities when supersession is warranted, but
not all net members hold replacement key. In
order of preference:
(1) Key may be electronically generated and
transmitted to net members via an
uncompromised crypto system approved for
over-the-air key transfer.
(2) Printed key settings may be transmitted by a
crypto system that provides end-to-end
encryption equal to the classification of the
transmitted key (e.g., the Automatic Digital
Network (AUTODIN) system, secure facsimile,
or secure telephone). Printed key settings
can also be encrypted by auto-manual or one-
time pad system and transmitted over a system
that is secured at a lower level than the
encrypted key.
(3) Printed key settings may be reproduced and
physically transferred to net members.
Punched tape will not be reproduced without
the authorization of NSA, X72. Converting
hard copy keying material to electronic form
for equipment fill is not considered
reproduction.
(4) Key may be physically transferred to net
members in a common fill device or other
approved transfer device. When keyed, the
common fill device must be protected at the
same level as the key it contains.
f. When supersession is warranted but not feasible,
the following options are available in order of
preference:
(1) Extend the cryptoperiod of uncompromised
keying material in accordance with doctrinal
constraints.
(2) Exclude from net operations those members who
do not hold or cannot be furnished
replacement material.
(3) Suspend cryptonet operations until key can be
resupplied.
(4) As a last resort, continue to use the
compromised key when:
(a) Normal supersession of the compromised
material will take place before
emergency supersession can be
accomplished;
(b) Keying material changes would have a
serious detrimental effect on essential
operations; or,
(c) No replacement keying material is
available by any means.
(d) In such a case, the controlling
authority must alert all cryptonet
members (by some secure means other than
the compromised system) that a
compromise has occurred and that
transmissions with the compromised key
may also be compromised and so should be
minimized. (Use this option only when
continued cryptonet operation is
absolutely essential to the mission.)
305 CONSIDERATIONS WHEN ESTABLISHING A CRYPTONET
A controlling authority requires accurate information on all
aspects of the cryptonet in order to properly manage the
net. In particular, the controlling authority should be
familiar with all aspects of handling keying material in the
net, and with the most expeditious ways to promulgate
supersession and other emergency information to all holders
of the keying material. Some specific items to consider
include the following:
1. Effective key change times should be as convenient as
possible for all members of the net. Knowing the net
operations at members' locations, across different time
zones, is helpful when picking an optimum key change
time. Key change should occur during a period of low
traffic volume. For systems that are superseded more
than once a day, the time for key change should bisect
the period of maximum use as nearly as is practical.
2. The date and time of key changes must be uniform
throughout the cryptonet.
3. Cryptonets should be kept as small as operationally
feasible. Generally, small cryptonets narrow the
exposure of individual editions of keying material,
limit the consequences of keying material compromises
in terms of vulnerable communications, and lessen the
problems associated with resupply.
4. Crypto logistics need to be considered carefully, i.e.,
how keying material will get to each member of the
cryptonet, if new COMSEC accounts or subaccounts should
be established, or if existing accounts can be closed.
5. To perform responsibilities properly, the controlling
authority must know the current status of the
cryptonet. Determine what net operations information
is available and how it will reach the controlling
authority.
6. Operational interoperability requirements may dictate
certain cryptographic netting and subnetting schemes.
7. The classification of the keying material for the net
is determined by the quantity, sensitivity, and
classification of the information to be transmitted
over the cryptonet.
306 KEYING MATERIAL SUPPORT PLAN (KMSP)
The controlling authority must prepare a KMSP, which
establishes how keying material will be provided to the
cryptonet during its operational lifetime. Prepare the KMSP
as outlined in paragraph 308, and submit to the NASA COR,
who will review and forward the KMSP to the NSA. Allow
sufficient time when filing the KMSP with the NSA for
producing and distributing the keying material. For
planning purposes, a minimum of 120 days is required by the
NSA from the time an order is received until it is produced
and shipped.
307 CONTENTS OF THE KMSP
The KMSP must contain adequately detailed information about
the cryptonet so that the NSA can produce and provide the
correct types and amounts of keying materials to the right
places at the right times. Enough information must be
included so that the NSA can be satisfied that security
concerns are addressed (e.g., ensuring that no SECRET keying
material is sent to an account authorized to hold only
CONFIDENTIAL material). Address each of the following
specifically in the KMSP:
1. Operational Need. Briefly state the need for the
cryptonet (i.e., the Government contracts and types of
information involved). Specify the classification
and/or sensitivity of the information to be
transmitted.
2. Operational Concept. State the operational structure
of the net; days/times of operation; identification of
net control and alternates, and subnetting.
3. Controlling Authority. Identify the cryptonet
controlling authority, including names of points of
contact, complete address information, and telephone
numbers.
4. Contracting Office(s). Identify the Government
contracting office or offices served by or associated
with the cryptonet; include names, addresses, and
telephone numbers of contracting officers.
5. Keying Material Specification
a. Identify the cryptographic equipment and fill
devices that will use the keying material;
b. Specify the use of the keying material:
operational, maintenance, training;
c. Identify the quantity required (copy counts).
Also identify editions if circumstances warrant;
d. Specify the date initial operational capability is
required;
e. List classification (or specify UNCLASSIFIED).
6. Distribution Plan. Describe shipping of the keying
materials, identifying the originator (normally the
NSA) and the receivers. Include a block diagram of the
shipping paths from the originator to the final
destinations of the material (only the major points of
accounting transfers need be shown). Provide complete
COMSEC account information for each of the major modes
in the distribution plan. Identify any primary COMSEC
accounts that will receive materials in bulk shipments,
and any subaccounts that will be serviced by other than
their primary accounts. Address how the keying
materials will be distributed from the COMSEC accounts
to the actual users.
7. Other Information. Include any additional information
that is significant or unique to the particular
cryptonet or keying material.
308 ANNUAL REVIEWS OF THE KMSP
Review the adequacy and currency of the KMSP annually, and
provide any changes in writing to the NASA COR and the NSA,
Y1, no later than July 1 of each year. Written negative
reports (indicating no changes are necessary to the current
KMSP) are required when applicable.
1. Confirm cryptonet structure, quantities, and adequacy
of key to meet operational requirements and continuing
requirement for the key. Deactivate the cryptonet if
it is no longer needed. During the review, identify
any crypto systems that should be put into contingency
status (see subparagraph 4e.)
2. Review manual crypto system keying material and
participate in surveys and reviews according to
NACSI 4007.
3. Recommend changes in keying material content, format,
or classification to the NSA, Y13, and in the case of
manual crypto systems, V27.
4. Include the following particular points to be addressed
in the report:
a. Changes in cryptonet membership;
b. Changes in addresses, names of contacts, and
telephone numbers;
c. Changes in the classification or sensitivity of
the information being communicated on the net;
d. Any changes in the quantity of materials
distributed;
e. Any planned changes or cancellations of
requirements.
5. Designating Contingency Keying Material. When large
amounts of cryptographic materials are provided for
regular consumption, and are destroyed unused, consider
placing the material into contingency status.
Contingency keying material is that slated for a
specific, yet irregularly occurring, requirement. The
material is not activated until needed for the specific
requirement, and is not destroyed until after use.
Substantial savings in production, distribution,
accounting, and destruction are realized when
contingency materials are used instead of regularly
superseded effective key. Coordinate actions to
establish a contingency cryptonet with the NASA COR,
appropriate distribution authorities, and the NSA, Y13.
309 DEFECTIVE KEYING MATERIAL
When keying material is found to be defective, direct that
the defective material and all associated packaging
materials be retained pending disposition instructions.
Address reports to the NSA, Y13 and X712, with information
to the NASA COR. The NSA will provide disposition
instructions for defective key and packaging materials by
message and, if the material is to be recalled, will provide
specific instructions for its return. Return recalled
keying material via the Defense Courier Service, Department
of State Courier System, or cleared agency or contractor
courier. In the transfer report, state the reason for
return, refer to the recall message, and include any other
remarks requested in the recall message.
CHAPTER 4: COMSEC INFORMATION ACCESS REQUIREMENTS
400 CRITERIA FOR ACCESS TO COMSEC INFORMATION
U.S. classified COMSEC information, the loss of which could
cause serious or exceptionally grave damage to U.S. national
security, requires special access controls. Accordingly,
access to U.S. classified cryptographic information shall
only be granted to individuals who satisfy the following
criteria:
1. Is a U.S. citizen.
2. Is an employee of the U.S. Government, is a U.S.
Government-cleared contractor, or is employed as a U.S.
Government representative (including consultants of the
U.S. Government).
3. Has been granted a security clearance by the U.S.
Government appropriate to the classification of the
cryptographic information to be accessed. The security
clearances of personnel occupying the positions of
COMSEC Custodian and Alternate COMSEC Custodian of NASA
COMSEC accounts must be based on a background
investigation (BI) current within 5 years. Other
employees who require access to COMSEC information that
is classified SECRET or below do not require a security
clearance based on a BI.
4. Possesses a valid need-to-know as determined necessary
to perform duties for, or on behalf of, the U.S.
Government.
5. Receives a security briefing appropriate to the U.S.
classified cryptographic information to be accessed.
6. Acknowledges access by signing a cryptographic access
certificate (sample in Appendix B).
401 COMSEC BRIEFING REQUIREMENTS
1. A member of the Installation Security Office, COMSEC
Custodian, Alternate COMSEC Custodian, or member of the
NASA Security Office will administer a COMSEC briefing
to all employees whose duties require accessing COMSEC
materials and maintaining associated records. For U.S.
Government personnel, this is a one-time briefing that
remains in effect during the time the employee has
uninterrupted access. NASA contractor personnel who
have a continuing need for access to classified COMSEC
information must be rebriefed periodically, at least
annually. Personnel whose access is strictly limited to
unclassified COMSEC keying material and/or CCI equipment
require only an initial briefing. A COMSEC briefing is
not required for individuals who only need access to a
STU-III, unclassified CRYPTO, or to unclassified
NACSEM's, NACSI's, NTISSI's, etc. Local security
requirements may augment these minimum briefing
requirements.
2. As a result of the briefing, employees shall understand
their individual responsibilities in handling and
safeguarding procedures for classified COMSEC material.
A sample briefing is included as Appendix B.
3. Complete Section One of the cryptographic access
certificate after the COMSEC briefing is received, and
before access is granted to U.S. classified COMSEC
information. Execute Section Two of this form when the
individual no longer requires such access. Make the
signed certificate (original) a permanent part of the
official security records of the individual.
CHAPTER 5: TWO-PERSON INTEGRITY/NO-LONE ZONE CONTROLS
500 GENERAL
TOP SECRET keying material is our nation's most sensitive
keying material, since it is used to protect the most
sensitive U.S. national security information and its loss to
an adversary could compromise all information protected by
the key. Also, a significant body of information indicates
that TOP SECRET keying material is a high-priority target
for exploitation by hostile intelligence services. For
these reasons, TOP SECRET keying material is afforded the
special protection of two-person integrity (TPI) and no-lone
zone (NLZ) controls.
1. Waivers to requirements in this Chapter may be
requested; however, maintaining a strong national COMSEC
posture dictates that waivers be granted on a case-by-
case basis only when a genuine hardship exists. Direct
written requests for waivers, containing justification,
through the COMSEC Custodian and Installation Security
Officer to the NASA COMSEC Manager. When the
controlling authority for the material is not within
NASA, the requester must notify that controlling
authority of the waiver as soon as it is received.
2. Any violation of the TPI/NLZ requirements in this
Chapter is reportable as a COMSEC incident in accordance
with Chapter 6, paragraph 601.3j.
501 PROCEDURES FOR HANDLING AND SAFEGUARDING TOP SECRET KEYING
MATERIAL
TPI control of TOP SECRET key requires that COMSEC accounts
and all local holders (hand receipt users) have TPI storage
capabilities and procedures to ensure that lone individuals
will not have access to TOP SECRET keying material and key
generators. Procedures in this Chapter do not apply to key
locally generated for immediate use, but they do apply to
locally generated key that is held in physical or electronic
form for future use. TPI controls must be maintained for
TOP SECRET materials at all times, except as specified
below:
1. Transportation. TPI controls apply whenever local
couriers transport TOP SECRET keying material from one
location to another. Receipts for this material must be
signed by two individuals who are cleared for TOP SECRET
and authorized to receive the material. TPI controls
are not required for TOP SECRET keying material while it
is in the custody of the Defense Courier Service or the
Diplomatic Courier Service.
2. TPI Handling of Packages Received
a. It is a requirement that upon initial receipt of
TOP SECRET operational keying material by the
COMSEC Custodian, TPI controls shall be
implemented immediately. For those accounts that
are authorized to receive TOP SECRET operational
material, keep the following in mind: When a
package is received and the classification cannot
be determined by the COMSEC Custodian prior to
opening, assume that the material is TOP SECRET.
The COMSEC Custodian and a TOP SECRET cleared TPI
participant will then inspect the package for
evidence of damage or tampering. Both individuals
will then open the package and compare the
contents with the enclosed COMSEC Material Report
(SF-153). If the material is TOP SECRET
operational keying material, both TPI participants
will sign the SF-153 (Blocks 15 and 16) and
immediately place the material into TPI storage.
A copy of the SF-153 will then be submitted to the
NASA COR. (If the material is not TOP SECRET
operational key, standard procedures for the
receipt of COMSEC material are specified in
paragraph 204 of this manual.)
b. The above procedure provides a written record that
reflects TPI controls were implemented upon
initial receipt by the COMSEC Custodian. The SF-
153's reflecting receipt of TOP SECRET operational
keying material will be reviewed by NASA auditors
during audits to ensure compliance with the two
signature requirement.
3. Wrapping TOP SECRET Material
a. On Installations, enclose material in a sealed
package or within a locked briefcase or other
closed bag or container.
b. Off Installations, place material in sealed inner
and outer wrappers. Wrappers can be paper, canvas
or briefcases. Briefcases must be locked, with
built-in combination locks or padlocks that are
key or combination operated. Mark the inner
wrapper with the highest classification of the
material inside, and with the "To" and "From"
addresses.
4. Storage. TPI storage for TOP SECRET keying material
requires two different approved combination locks (see
Annex E to NACSI 4005 for criteria for approved
combination locks), with no one person authorized access
to both combinations. TPI storage can be in a strongbox
within a security container, in a security container
within a vault, or in a security container with two
combination locks. At least one of the locks must be
built into the vault/container.
5. Use. Establish NLZ wherever COMSEC equipment contains
TOP SECRET key in hard copy form or in a mechanical
permuter installed in a piece of equipment. User
locations where equipment holds TOP SECRET key in key
card form or has key set on mechanical permuters will be
operated as no-lone zones (i.e., space in which at least
two appropriately cleared individuals must be present).
NLZ controls are not required when the key is resident
in the cryptographic equipment in electronic form or
where the cryptographic equipment has been modified to
preclude access by a single individual to the hard copy
key inside. However, TPI controls always apply to
initial keying and rekeying operations.
NOTE: Whenever possible, persons designated as TPI team
members should have previous COMSEC experience. If this
is not possible, then the COMSEC Custodian should ensure
that team members become familiar with those aspects of
COMSEC operations (i.e., key loading procedures)
necessary to fully understand TPI procedures.
6. Record of Combinations. So that TPI secured materials
may be accessed in emergencies, maintain a central
record of combinations to the containers. Record and
protectively package each lock combination separately to
prevent unauthorized access to the combinations. Store
the record of combinations as TOP SECRET material. One
method that may be used to protectively package records
of lock combinations is contained in NACSI 4008,
Annex F.
CHAPTER 6: COMSEC INCIDENT REPORTING REQUIREMENTS
600 GENERAL
COMSEC incident reports provide the information necessary
for responsible officials to determine if a COMSEC incident
results in a COMSEC insecurity. Adhering to the following
guidelines will ensure that all detected incidents involving
COMSEC material are reported and evaluated promptly so that
responsible officials can initiate action to minimize
adverse impacts on security, take recovery measures, and
prevent similar incidents from occurring. Incidents
involving unkeyed CCI equipment are now exempt from the
reporting requirements of other COMSEC material. The NTISSI
4001 reporting requirements must be followed for unkeyed CCI
equipment. Joint Staff positive control material and
devices and Data Encryption Standard (DES) keying material
are no longer exempt.
1. Every person who uses, handles, or has access to COMSEC
material must be aware of reportable COMSEC incidents
and understand the responsibility to immediately report
them, with no delay for any reason beyond the basic fact
gathering.
2. Individuals will not be disciplined for reporting a
COMSEC incident. Corrective measures are most
productive when aimed at the national doctrine or the
organizational policy or procedure that allowed or
contributed to the incident. Disciplinary action should
be considered for individuals who, through either gross
negligence or willful acts, jeopardize the security of
COMSEC material.
601 TYPES OF COMSEC INCIDENTS
COMSEC incidents fall into three categories. Included under
each category are representative types of reportable
incidents. Additional reportable incidents that are
peculiar to a given crypto system are listed in the
operational security doctrine, operating instructions, and
maintenance manual(s) for that crypto system.
1. Cryptographic Incidents
a. Cryptographic Incidents include the use of a
COMSEC key which is compromised, superseded,
defective, previously used and not authorized for
reuse, or in any way incorrect for the
cryptoperiod or application in which it is used.
See the following examples:
(1) Use of keying material that was produced
without the authorization of NSA (e.g.,
homemade maintenance or DES key, or homemade
codes).
(2) Use, without the authorization of NSA, of any
keying material for other than its intended
purpose (e.g., use of a test key for
operational purposes or use of a key on more
than one type of equipment).
(3) Unauthorized extension of a cryptoperiod.
b. Use of COMSEC equipment having defective
cryptographic logic circuitry, or use of an
unapproved operating procedure, such as the
following examples:
(1) Plain text transmission resulting from COMSEC
equipment failure or malfunction.
(2) Any transmission during a failure, or after
an uncorrected failure that may cause
improper operation of COMSEC equipment.
(3) Operational use of COMSEC equipment without
completion of a required alarm-check test or
after failure of a required alarm-check test.
c. Use of any COMSEC equipment or device that has not
been approved by NSA.
d. Discussions via nonsecure telecommunications of
the details of a COMSEC equipment failure or
malfunction.
e. Any other occurrence that may jeopardize the
crypto security of a COMSEC system.
2. Personnel Incidents. Any capture, attempted
recruitment, known or suspected control by a hostile
intelligence entity, or unauthorized absence or
defection of an individual having knowledge of or access
to COMSEC information or material is a personnel
incident. Examples are the unauthorized disclosure of
COMSEC information or attempts by unauthorized persons
to effect such disclosure.
3. Physical Incidents. Any loss of control, theft,
capture, recovery by salvage, tampering, unauthorized
viewing, access, or photographing that has the potential
to jeopardize COMSEC material is a physical incident,
such as the following examples:
a. Unauthorized access to COMSEC material, including
access by persons who were mistakenly believed to
have held appropriate clearances.
b. COMSEC material discovered outside of required
COMSEC accountability or physical control, such as
the following examples:
(1) COMSEC material reflected on a destruction
report as having been properly destroyed and
witnessed, but found to have not been
destroyed.
(2) COMSEC material not secured and left
unattended where unauthorized persons could
have had access.
(3) Any loss of control over a keyed common fill
device.
c. COMSEC material improperly packaged or shipped, or
received with a damaged inner wrapper.
d. Destruction of COMSEC material by other than
authorized means.
e. COMSEC material not completely destroyed and left
unattended.
f. Actual or attempted unauthorized maintenance
(including maintenance by unqualified personnel)
or the use of a maintenance procedure that
deviates from established standards.
g. Tampering with, or penetration of, a crypto
system, such as the following examples:
(1) Known or suspected tampering with, or
unauthorized modification of, COMSEC
equipment or penetration of its key or
protective technology.
(2) Discovery of a clandestine electronic
surveillance or recording device in or near a
COMSEC facility.
(3) Activation of the anti-tamper mechanism on,
or unexplained zeroization of, COMSEC
equipment when other indications of
unauthorized access or penetration are
present.
h. Unexplained removal of keying material from its
protective technology.
i. Unauthorized copying, reproduction, or
photographing of COMSEC material. (Normally the
controlling authority will authorize reproduction
of printed key settings. If controlling authority
approval cannot be obtained in time to meet
operational requirements, the Installation
Security Officer or NSA can authorize
reproduction. Manual crypto systems can be
locally reproduced as necessary to meet
operational requirements.)
j. Loss of two-person integrity or no-lone zone for
TOP SECRET keying material as required by
NTISSI 4005, except where a waiver has been
granted.
k. Deliberate falsification of COMSEC records.
l. Any other incident that may jeopardize the
physical security of COMSEC material. (Production
errors and reports of defective keying material
are not considered COMSEC incidents. These types
of discrepancies are reported to NSA, Y13, for
resolution.)
602 TYPES OF WRITTEN REPORTS
1. Initial Report. An initial report is required for each
detected COMSEC incident. If it contains all the
information required in paragraph 605, and it has been
accepted as a final report by the NSA, X71A, the initial
report may also serve as the final report. Include a
request in paragraph 6 of the initial report that the
report be accepted as a final report.
2. Amplifying Report. Whenever new, significant
information concerning a reported incident is
discovered, an amplifying report is required. If it
contains all the information required in paragraph
605.2, and it has been accepted as a final report by the
NSA, X71A, the amplifying report may also serve as the
final report. Include a request as mentioned in
paragraph 605.6 of the amplifying written report that
the report be accepted as a final report.
3. Interim Report. If a final report is not submitted
within 30 days after the initial report or the last
amplifying report, submit an interim report every 30
days until the final report is submitted. Explain in
each interim report the status of the inquiry or
investigation, or other reason for the delay of the
final report.
4. Final Report. A final report is required for each
reported COMSEC incident unless the initial or an
amplifying report served as the final report. The final
report must include a summary of the results of all
inquiries and investigations, and identify corrective
measures taken or planned to minimize the possibility of
recurrence.
603 REPORTING INCIDENTS
1. Any person who discovers an incident involving COMSEC
material may file the incident report. The COMSEC
Custodian for the material will assist with the
particulars described in this Chapter. Any incident or
violation of the security requirements specified in this
Manual must be reported to the controlling authority for
the material and the Installation Security Officer, the
agency COMSEC Incident Monitoring Activity (for NASA
this is the NASA COMSEC Manager), and the NSA, X71A
(COMSEC Insecurities Branch). After submitting an
initial COMSEC incident report, ensure that the
individual specified as the point of contact is familiar
with the details of the incident and is available to
respond rapidly to questions from the evaluating
authority. Where two-holder, point-to-point material is
involved, the Register 1 holder serves as the
controlling authority.
2. Provide all known details in the initial report, and
classify according to content (mark UNCLASSIFIED reports
"FOR OFFICIAL USE ONLY"). Transmit reports by secure
electrical means. Only where secure circuits are not
available may nonsecure electrical means be used. In
such cases, provide unclassified reports giving the
minimum essential information, but only for initial and
amplifying reports of physical incidents involving
currently effective key and future key scheduled to
become effective within 30 days. Then, follow up the
electrical report within 72 hours with a letter report,
appropriately classified and securely forwarded. When
electrical means are not available at all, initial
reports may be relayed to the NSA via telephone (see
subparagraph 3). Again, follow up the telephonic report
within 72 hours with a letter report, appropriately
classified and securely forwarded. Security
classification guidance for COMSEC information is
provided in NTISSI 4002 or specific program documents.
3. Submit an initial report within 24 hours after the
incident is discovered, assigned IMMEDIATE precedence,
when incidents involve current keying material or
material to be used within 15 days, and when incidents
involve defection, espionage, hostile cognizant agent
activity, clandestine exploitation, tampering,
penetration, sabotage, unauthorized copying,
reproduction, or photographing. Submit an initial
report within 48 hours after the incident is discovered,
assigned PRIORITY precedence, when the incident involves
keying material scheduled to become effective in more
than 15 days, or superseded, reserve, or contingency
keying material.
4. Submit reports for all other incidents within 72 hours,
assigned ROUTINE precedence. Assign higher precedence
to a report of an incident that has significant
potential impact. Assign amplifying reports the same
precedence as the initial report they reference. Assign
ROUTINE precedence to interim and final reports, unless
they contain significant new information affecting
evaluation of the incident; then an appropriate higher
precedence should be assigned.
604 REPORT ADDRESSING
1. Controlling authorities evaluate physical COMSEC
incidents involving their keying material, except as
specified in subparagraphs 2 and 3. Controlling
authorities can direct additional reporting if needed to
determine if an incident resulted in an insecurity. If
an incident occurs involving material controlled by one
controlling authority, address reports for action to the
controlling authority, with information copies to the
NASA COMSEC Incident Monitoring Activity, the local
COMSEC Custodian and local security office, and the NSA,
X71A. If the controlling authority is not within NASA,
include the COMSEC Incident Monitoring Activity for the
controlling authority as another information addressee.
Contact the service COMSEC Incident Monitoring Activity
only when the violator is within that service. Contact
the NASA COMSEC Manager for message addresses for COMSEC
Incident Monitoring Activities for other departments and
agencies.
2. The NASA COMSEC Incident Monitoring Activity evaluates
physical incidents involving material controlled by more
than one NASA controlling authority, or when a
controlling authority caused an incident. The NASA
COMSEC Incident Monitoring Activity has final authority
for determining if an incident involving NASA COMSEC
material resulted in a COMSEC insecurity, and can direct
additional reporting if needed to make that
determination. If such an incident occurs, address
reports for action to the NASA COMSEC Incident
Monitoring Activity, with information copies to the
controlling authority for the material, the local COMSEC
Custodian and local security office, and the NSA, X71A.
3. The NSA evaluates all other COMSEC incidents, including
cryptographic and personnel COMSEC incidents, incidents
involving material in transit or when the controlling
authority cannot be identified, and incidents involving
controlling authorities from more than one agency or
department. If such an incident occurs, address reports
for action to the NSA, X71A, with information copies to
the controlling authority for the material, the local
COMSEC Custodian and local security office, and the NASA
COMSEC Incident Monitoring Activity.
4. During normal duty hours (0700-1600 EST), contact the
NSA, X71A, on STU-III 301/688-6010 or -7010 (with secure
FAX), or after normal duty hours and on weekends or
holidays, contact the NSA Senior Information Systems
Security Coordinator (SISSC) on STU-III 301/688-7003
(with secure FAX). Additionally, if the incident
involves implemented protective technologies, provide
information copies to the NSA, Y265. If accountable
COMSEC material is involved, provide copies of the
reports to the NSA, Y13 (the NSA CAO).
5. The NASA COMSEC Incident Monitoring Activity or the NSA,
X71A, will notify all concerned whether the reported
incident resulted in an insecurity, and will provide any
further instructions.
605 FORMAT AND CONTENT OF WRITTEN COMSEC INCIDENT REPORTS
Each of the paragraphs indicated must be addressed in all
written incident reports. Where the reporting requirements
of a paragraph are not applicable to the incident being
reported, note "N/A" in the corresponding paragraph. Where
subsequent reports would merely duplicate information
previously reported, the information need not be repeated.
Instead, reference the previous report that contains the
information.
1. Subject. The subject of the report will consist of only
the words "COMSEC Incident."
2. References. The report must include reference(s), as
applicable, to the following:
a. The paragraph number of the operating or
maintenance instruction, NASA Management
Instruction (NMI), or this Manual, in which the
reported insecurity is listed, or the statement:
"Formal reporting requirements cannot be
identified at this time."
b. Previously forwarded, related incident reports and
other correspondence identified sufficiently to
permit location (e.g., date, time, office symbol,
etc.).
3. Paragraph 1, Material Involved. Identify the COMSEC
material involved. For keying material and documents,
include the short title and edition; MATSYM or
accounting number; register number; specific segments,
tables, pages, etc., if not a complete edition or
document; and the controlling authority for each short
title. For equipment, include the nomenclature or
system designator; modification number, if applicable;
serial number of ALC 1 and 3 material (all other by
quantity); and associated or host equipment. If the
equipment was keyed, provide the information requested
for keying material.
4. Paragraph 2, Personnel Involved. Identify the
individual(s) who caused, or were otherwise responsible
for, the incident. For each individual involved, provide
citizenship, duty position, and level of security
clearance. For personnel incidents only, also provide
name and grade.
5. Paragraph 3, Location of Incident. Identify the
location of the incident, the responsible organization
or element and the address, and the COMSEC account
number.
6. Paragraph 4, Circumstances of the Incident. Identify
the circumstances surrounding the incident. Give a
chronological account of the events that led to the
discovery of the incident and, when known, sufficient
details to give a clear picture of how the incident
occurred. Include all relevant dates, times of day,
frequency of events, precise locations and
organizational elements involved, etc. If the reason
for the incident is not known, describe the events that
led to the discovery of the incident. Include a
description of the security measures in effect at the
location, and estimate the possibility of unauthorized
personnel having access to the COMSEC material involved.
Paragraph 4 of an amplifying report may also be used to
report significant new information not included in other
paragraphs of the report.
7. Paragraph 5, Additional Reporting Requirements. Include
any additional reporting that may be required for
specific incidents or items.
a. Improper Use of Keying Material or Use of
Unapproved Operating Procedures
(1) Describe the communications activity (e.g.,
on-line/off-line, simplex/half-duplex/full-
duplex, point-to-point/netted operations).
(2) Describe the operating mode of the
cryptographic equipment (e.g., clock start,
message indicator, traffic flow security).
(3) Estimate the amount and type of traffic
involved (e.g., intelligence, general service
(GENSER), voice, data).
b. Operational Use of Malfunctioning COMSEC Equipment
(1) Describe the symptoms of the malfunction.
(2) Estimate the likelihood that the malfunction
was deliberately induced. If so, see
subparagraph b(3).
(3) Estimate the amount and type of traffic
involved.
c. Known or Suspected Defection, Espionage, Hostile
Cognizant Agent Activity, Treason, Sabotage,
Attempted Recruitment, Capture, or Unauthorized
Absence
(1) Describe the individual's general background
in COMSEC and the extent of his or her
knowledge of cryptographic principles.
(2) List the crypto systems to which the
individual had current access and state
whether the access was to the cryptographic
logic and/or key (if to the logic, state
whether the access was to full or limited
maintenance manuals, and for key, state the
short titles and editions involved).
(3) Identify the counterintelligence organization
notified.
d. Loss of COMSEC Material
(1) Describe the actions being taken to locate
the material.
(2) Estimate the possibility the material was
accessed by unauthorized persons.
(3) Estimate the possibility the material was
removed by authorized or unauthorized
persons.
(4) Describe the methods of disposing of all
classified and unclassified waste and the
possibility of loss by those methods.
e. COMSEC Material Discovered Outside of Required
COMSEC Accountability or Physical Control
(1) Describe the action that caused physical
control or accountability to be restored.
(2) Estimate the likelihood of unauthorized
access.
(3) Estimate the length of time the material was
not secure.
f. COMSEC Material Received in a Damaged Package
(1) When the damage occurred in transit, identify
the means of transmittal. Include the
package number and point of origin.
(2) When the damage occurred in storage, describe
how the material was stored. NOTE: Ensure
that all packaging containers, wrappers,
etc., are retained until destruction is
authorized.
g. COMSEC Material Received in a Package that Shows
Evidence of Tampering, or Known or Suspected
Tampering at Any Time
(1) Describe the damage or evidence of tampering.
(2) When the suspected tampering occurred in
transit, identify the means of transmittal.
Include package number and point of origin.
(3) When the suspected tampering occurred in
storage, describe how the material was
stored.
(4) Identify the counterintelligence organization
notified, if applicable.
NOTE: When tampering is known or suspected, immediately
seal the package and/or material in a plastic (or any
other) wrapper and place it in the most secure, limited
access storage available. Handle the package and/or
material as little as possible until further
instructions are received from the NSA. Take no action
that would jeopardize potential evidence.
h. Unauthorized Copying, Reproduction, or
Photographing
(1) Include a complete identification of the
equipment or material reproduced or
photographed.
(2) Provide the reason for reproduction and how
the reproduced material was controlled.
(3) State whether espionage is indicated or
suspected. If so, see subparagraph c.
(4) Specify how detailed the photographs of
equipment internals, keying material, or
documents were.
NOTE: Include a copy of each photograph or other
reproduction with the incident report.
i. Unauthorized Modification or Maintenance of COMSEC
Equipment, or Discovery of a Clandestine
Electronic Surveillance or Recording Device In or
Near a COMSEC Facility
(1) Notify NASA Center Security Officer via
STU-III for instructions and identify the
counterintelligence organization notified, if
applicable.
(2) Estimate how long the item may have been in
place.
(3) Estimate the amount, classification, and type
of traffic involved.
(4) Describe the modification or device; its
installation, symptoms, and the host
equipment involved.
NOTE: Hold information concerning these types of
incidents on a strict need-to-know basis. The equipment
or devices should not be used or otherwise disturbed
until further instructions are received from the NSA.
Where a clandestine intercept or recording device is
suspected, do not speak about it in the area of the
device. Nothing should be done that would possibly
alert the COMSEC exploiter, unless directed otherwise by
the applicable counterintelligence organization or the
NSA.
j. Material Lost in an Aircraft Crash
(1) Identify the location of the crash, including
coordinates. Specify whether the crash
occurred in friendly or hostile territory.
If the aircraft crashed at sea, also see
subparagraph k.
(2) State whether the aircraft remained largely
intact or wreckage was scattered over a large
area.
(3) Describe the security conditions at the crash
site at the time of impact.
(4) State whether the area was secured. If so,
state how soon after the crash and by whom.
(5) State whether the area was searched for
COMSEC material.
(6) State whether recovery efforts for COMSEC
material were made or are anticipated.
k. Material Lost at Sea
(1) Provide the coordinates, when available, or
the approximate distance and direction from
shore.
(2) Estimate the depth of the water.
(3) State whether material was in weighted
containers.
(4) State whether the material was observed to
sink.
(5) Estimate the sea state, tidal tendency, and
the most probable landfall.
(6) State whether foreign vessels were in the
immediate area and their registry, if known.
(7) Estimate the possibility of successful
salvage operations by unfriendly nations.
(8) State whether U.S. salvage efforts were made
or are anticipated.
l. Space Vehicle Accidents
(1) Provide the launch date and time.
(2) State whether the space vehicle was destroyed
or lost in space.
(3) State whether the keying material involved
was unique to the operation or is common to
other ongoing operations.
(4) Estimate the probable impact point on the
earth's surface, if applicable. If the
impact point was on land, also see
subparagraph d; if the impact point was at
sea, also see subparagraph k.
8. Paragraph 6, Possibility of Compromise. State which of
the following opinions is applicable: compromise
certain, compromise possible, compromise improbable;
include the basis for the opinion. Where an initial or
amplifying report is also to serve as the final report,
include a request in this paragraph that the report be
accepted as a final report.
9. Paragraph 7, Point of Contact. Include the name and
commercial and secure telephone numbers of the
individual who is prepared to respond to questions from
the evaluating authority.
CHAPTER 7: ROUTINE DESTRUCTION OF COMSEC MATERIAL
700 GENERAL
The security of U.S. crypto systems depends on the physical
protection afforded the associated keying material. All
keying material, current and superseded, is extremely
sensitive since all traffic encrypted with a compromised key
could be compromised as well. For this reason, keying
material (other than defective or faulty key) must be
destroyed as soon as possible after supersession.
Destroying superseded or obsolete cryptographic equipment
and supporting documentation is also essential for
maintaining a satisfactory national COMSEC posture, since
these materials may be of significant long-term benefit to
hostile interests desiring to exploit U.S. communications
for intelligence purposes.
701 TRAINING DESTRUCTION PERSONNEL
Supervisors must ensure that destruction personnel receive
proper instruction in using and handling destruction
devices and destruction procedures. Personnel involved
must also be cleared to the highest classification level of
the material to be destroyed and briefed on handling and
procedures for protecting COMSEC information.
702 ROUTINE DESTRUCTION PROCEDURES FOR COMSEC MATERIAL
Routine destruction should normally be done by the COMSEC
Custodian and the Alternate COMSEC Custodian. However, this
restriction should not be enforced at the cost of delaying
destruction. Granting additional appropriately cleared
people the authority to destroy superseded material and
certify the destruction to the COMSEC Custodian is
preferable to delaying destruction, even for a short time.
Note: In order to expedite destruction, it is suggested that
where an Installation has a Central Registry for the handling
of classified information, the registry may be designated as
an agent for the routine destruction of COMSEC material.
COMSEC material must always be destroyed in the presence of
an appropriately cleared witness. Whenever system doctrine
requirements conflict with procedures in this Manual, the
system doctrine requirements take precedence.
1. In a small facility with only a few pieces of COMSEC
equipment, the COMSEC Custodian should collect used or
superseded key and other COMSEC material, replace it
with new material as necessary and, with a witness,
destroy the used or superseded material.
2. In a large facility, or in mobile situations, the COMSEC
Custodian may authorize a hand-receipt user and a
witness to destroy certain COMSEC material as soon as it
is used, replaced, or superseded. Hand-receipt users
must use an approved destruction device. The individual
destroying COMSEC material and the witness show the
material is destroyed by initialling an appropriate
record (e.g., the usage/disposition record), and
providing that record to the COMSEC Custodian at the end
of each month. Such local destruction records serve as
the basis for the COMSEC Custodian's destruction report
to the NASA COR. When approved destruction devices are
not available at the user facility, the material must be
collected by the COMSEC Custodian immediately after
supersession so that it may be destroyed within the time
specified for that material in subparagraph b.
NOTE: DO NOT DESTROY defective or faulty keying material.
The COMSEC Custodian must report such material to the NSA,
X71A, and hold for disposition instructions.
3. The COMSEC Custodian must brief hand-receipt users
authorized to destroy keying material, emphasizing
correct destruction procedures, the necessity for prompt
and complete destruction of used or superseded keying
material, and for immediately reporting any loss of
control of material before it was destroyed.
4. Scheduling Routine Destruction
a. COMSEC material is ordered destroyed by
superseding editions unless directed otherwise by
the NASA COR. Do not destroy, dismantle, or
cannibalize COMSEC material, other than superseded
material, without specific authorization from the
NASA COR.
b. Keying material designated CRYPTO must be
destroyed as soon as possible after use or
supersession, and may not be held longer than 12
hours following supersession. Where special
circumstances prevent complying with the 12-hour
standard (e.g., facility unmanned over weekend or
holiday period), an extension to a maximum of 72
hours is authorized. For other circumstances,
such as the requirement to maintain archival key,
contact the NASA COR for instructions.
c. COMSEC material involved in compromise situations
must be destroyed within 72 hours after
disposition instructions are received.
d. Complete editions of superseded keying material
designated CRYPTO that are held by a COMSEC
account must be destroyed within 5 days after
supersession.
e. Maintenance and sample keying material not
designated CRYPTO is not regularly superseded and
need only be destroyed when physically
unserviceable.
f. Superseded classified COMSEC publications that are
held by a COMSEC account must be destroyed within
15 days after supersession.
g. The residue of amendments to classified COMSEC
publications must be destroyed within 5 days after
the amendment is entered.
703 ROUTINE DESTRUCTION METHODS AND STANDARDS
Authorized methods for routinely destroying paper COMSEC
material are burning, chopping or pulverizing, crosscut
shredding, and pulping. COMSEC material that is not paper,
when authorized for routine destruction, must be destroyed
by burning, chopping or pulverizing, or chemical alteration.
The goal is to destroy the material so thoroughly that
classified information cannot be reconstructed by physical,
chemical, electrical, optical, or other means. The chart in
Figure 12 in Appendix E lists NSTISSC approved destruction
methods and minimum standards that must be met when
destroying various types of COMSEC material.
1. Do not destroy hardware keying material (i.e., PROMs,
permuter plugs) and associated manufacturing aids
without approval from the NASA COR.
2. Routine destruction of COMSEC equipment and components
is not authorized. Disposition instructions for
equipment that cannot be repaired or is no longer
required must be obtained from the NSA, Y132,
commercial (301) 688-6874.
704 APPROVED ROUTINE DESTRUCTION DEVICES
Any destruction devices that satisfy the destruction
criteria in Figure 12 in Appendix E may be used.
Information concerning routine destruction devices which
have been tested and approved by the NSA may be obtained
from the NASA COMSEC Manager.
705 REPORTING ROUTINE DESTRUCTION
1. COMSEC Custodians must report routine destruction of all
centrally accountable (i.e., ALC 1 and ALC 2) COMSEC
aids to the NASA COR, no later than the 16th day of each
month. No exceptions are authorized; negative reports
are not required if no keying material is held that was
authorized for destruction during the preceding month.
Chapter 2, paragraph 15 contains instructions for
completing and submitting destruction reports.
2. Destruction records must be maintained by the COMSEC
Custodian for 3 years and protected in the same manner
as other comparable classified COMSEC material. Local
destruction reports must be retained by the preparing
element until the next scheduled audit.
CHAPTER 8: SECURE TELECOMMUNICATIONS FACILITIES
800 PHYSICAL SECURITY REQUIREMENTS FOR CLASSIFIED AND UNATTENDED
KEYED CCI EQUIPMENT
1. Secure telecommunications facilities must be provided
positive access control and they shall be constructed of
solid, strong material to prevent unauthorized
penetration or show evidence of attempted penetration.
They must provide adequate attenuation of internal
sounds that could divulge classified information through
walls, doors, windows, ceilings, air vents, and ducts.
Maximum physical security is achieved when the
facilities are of vault-type construction. At a
minimum, construction or modification of a secure
telecommunications facility shall conform to the
requirements stated in NACSI 4008, "Safeguarding COMSEC
Facilities," dated March 4, 1983.
2. Responsibilities. The COMSEC Custodian and Alternate
Custodian need to be cognizant of the number of persons
performing cryptographic duties; the number of secure
circuits, types of COMSEC equipment, and operational
keys used in the secure telecommunications facility; the
number of days before operational key is received in the
secure telecommunications facility; restricting access
to future key until received in the secure
telecommunications facility; and waivers granted to the
secure telecommunications facility. The COMSEC
Custodian and Alternate Custodian are also responsible
for the following:
a. Establishing an access list for authorized
individuals.
b. Establishing a visitors' register.
c. Establishing and documenting a daily security
check procedure.
d. Prohibiting personally owned cameras, photographic
devices/equipment capable of receiving and
recording intelligible images; sound recording
devices/equipment, including magnetic tapes or
magnetic wire; amplifiers and speakers; radio
transmitting and receiving equipment; microphones
and television receivers from the
telecommunications facility.
e. Being knowledgeable of the capabilities and
installation of anti-intrusion devices employed by
the secure telecommunications facility to include
the number of devices, the manufacturer, type and
model number of each device, the operating
procedures, a floor plan of the alarm system, and
a response procedure.
801 CCI ACCESS CONTROLS
CCI equipment is by definition unclassified, but controlled.
Minimum controls for CCI equipment are prescribed under
three different conditions: unkeyed, keyed with
unclassified key, and keyed with classified key. The
provisions apply to CCI equipment that is installed for
operational use. All CCI equipment is to be protected in a
manner sufficient to preclude theft, sabotage, tampering, or
unauthorized access and to maintain accountability for the
material, whether installed or not.
1. Installed and Unkeyed. Establish procedures to provide
physical controls adequate to prevent
unauthorized removal of the CCI equipment or its CCI
components. Where practical, rooms containing unkeyed
CCI equipment should be locked at the end of the work
day (e.g., rooms housing an unkeyed STU-III must be
locked).
2. Installed and Keyed with Unclassified Key
a. Attended. Establish procedures to prevent access
by unauthorized personnel using physical controls
and/or monitoring access with authorized
personnel.
b. Unattended. Establish procedures to prevent
access by unauthorized personnel using adequate
physical controls (e.g., locked rooms, alarms, or
random checks, etc.).
3. Installed and Keyed with Classified Key
a. Attended. CCI equipment must be under the
continuous positive control of personnel who
possess a security clearance at least equal to the
classification level of the keying material in use
and, if the keying material is TOP SECRET, the No-
Lone Zone (NLZ) controls must be instituted.
(1) No-Lone Zone (NLZ) is an area, room or space
to which no one person may have unaccompanied
access and which, when manned, must be
occupied by two or more appropriately cleared
individuals.
(2) Two-Person Integrity (TPI) is a system of
storage and handling designed to prohibit
access to certain COMSEC keying material by
requiring the presence of at least two
authorized persons, each capable of detecting
incorrect or unauthorized security procedures
with respect to the task being performed.
NOTE: The concept of "Two-Person Integrity" (TPI)
procedures differs from "No-Lone Zone" procedures in
that under TPI controls, two authorized persons must
directly participate in the handling and safeguarding of
the keying material (as in accessing storage containers,
transportation, keying/rekeying operations, and
destruction). No-Lone Zone controls are less
restrictive in that the two authorized persons need only
to be present physically in the common area where the
material is located. Two-Person Control refers to
Nuclear Command and Control COMSEC material while Two-
Person Integrity refers only to COMSEC keying material.
b. Unattended. CCI equipment must be in an area as
described in subparagraphs 2a and b.
802 STORAGE REQUIREMENTS
A facility/organization will not be eligible to receive or
generate classified COMSEC information until adequate
storage has been established.
1. Classified COMSEC equipment and information other than
keying material marked CRYPTO must be stored as
prescribed for other classified material at the same
classification level.
2. Keying material marked CRYPTO must be stored according
to the requirements of NACSI 4005, "Safeguarding and
Control of Communications Security Material."
3. CCI equipment must never be stored in a keyed condition.
Before placing CCI equipment in storage, all keying
material must be removed, and internal key storage
registers zeroized. When unkeyed, CCI equipment must
be protected against unauthorized removal or theft
during storage (e.g., placed in a locked room or a room
with an adequate alarm system).
803 RECORD OF INDIVIDUALS HAVING KNOWLEDGE OF COMBINATIONS TO
CONTAINERS STORING CLASSIFIED COMSEC MATERIAL
A record must be maintained of the names, organizations, and
telephone numbers of individuals who know the combinations
to containers storing classified COMSEC material. In the
event of an emergency (e.g., the container or vault is found
open after normal working hours), one of these individuals
must be notified. Normally, these containers are under the
direct control of the COMSEC Custodian and Alternate COMSEC
Custodian(s); however, where operational need necessitates,
classified COMSEC material--to include one edition of
current keying material marked CRYPTO--may be issued on hand
receipt to a user. Under these circumstances, the notified
individual must also contact either the COMSEC Custodian or
Alternate COMSEC Custodian(s). Immediately inventory the
contents of the container/vault found not secure. When the
inventory is completed, the container/vault combination must
be changed. Compare the results of the inventory against
the account's COMSEC Register File and, if any material is
determined to be missing, include information in the
incident report made according to the provisions of Chapter
6. Security containers containing COMSEC keying material
must have the combinations changed every 6 months.
Combinations must be changed annually on security containers
that contain other COMSEC material.
CHAPTER 9: SECURE TELEPHONE UNIT (STU) III's
900 GENERAL
This Chapter augments doctrine provided in NTISSI 3013,
"Operational Security Doctrine for the Secure Telephone Unit
III (STU-III) Type 1 Terminal," and highlights certain areas
of concern.
901 RESPONSIBILITIES
1. The COMSEC Manager at NASA acts as the Command Authority
for NASA STU-III terminals. The Command Authority registers
User Representatives, establishes Department Agency
Organization (DAO) descriptions, and monitors and
maintains User Representative information.
2. User Representatives (UR's) prepare and submit key
orders for designated users of STU-III terminals within
the classification and type limitations of their UR
privileges. UR responsibilities include the following:
a. Interacting with users to determine key
requirements.
b. Interacting with the Command Authority for DAO
administration and UR privilege changes.
c. Verifying security information with the local
security officer.
d. Preparing and submitting key orders.
e. Notifying the COMSEC Custodian that delivery of a
key order is anticipated.
f. Monitoring the status of key orders, correcting
any errors that cause rejections, and reordering
when necessary.
3. Users. Each STU-III user has a number of
responsibilities related to the security of the STU-III
and the security of the information transmitted,
outlined in the following subparagraphs a through g.
Users are encouraged to use the secure mode to protect
both classified and unclassified national security
information.
a. Monitor the display during the secure call to
determine the identification of the distant party,
the maximum security classification for the call,
and for security related messages. The security
classification will appear on the top line of the
display for the duration of the secure call and
will be the highest level shared by the two
terminals. Restrict the classification level of
the conversation to no higher than the displayed
level. The next three lines display the identity
of the distant STU-III. This information will be
scrolled through the display during secure call
setup. The classification level and the first
line of the identification information will remain
on the display for the duration of the secure
call.
b. The information displayed indicates the approved
level for the call, but does not authenticate the
person using the terminal. The need-to-know
principle is still binding. The mere connection
to another STU-III does not signify a need-to-
know.
c. The calling and the called party establish the
clearance of the other party by a means
independent of the display, either by knowledge of
the other party through voice recognition, or by
introduction by another known cleared party.
d. Since access to the STU-III with the crypto-
ignition key (CIK) installed gives anyone the
opportunity to use the STU-III in the secure mode,
restrict access to the STU-III with the CIK
installed to those people who hold a security
clearance equal to or higher than the
classification level of the key.
e. Users are responsible for the environment in which
a secure conversation is held. This includes
their own and the other party's environment. An
indication that either party is not in an
authorized location to conduct a classified
discussion should result in a termination of the
call.
f. The STU-III user is responsible for protecting his
or her CIK. CIK's should be treated as valuable
personal property. Do not leave a CIK where an
unauthorized person would have access to both it
and the associated STU-III. During the work day,
the CIK may be left in the STU-III only if
continuously attended by cleared personnel. When
not in use, or if the terminal is unattended, the
CIK must be removed from the terminal.
g. The room/area in which a STU-III is located will
be provided adequate protection at the end of the
work day or whenever authorized personnel are not
present.
4. COMSEC Custodian.
a. COMSEC Custodians holding STU-III key in their
accounts must have a clearance equal to the
operational level of the key (i.e., the level seed
key will become once converted in the terminal).
Sensitive Compartmented Information (SCI) access
is not required when the COMSEC Custodian does not
perform the conversion process. Once the
conversion process has occurred, all individuals
who use a terminal keyed with Class 6 key must
have SCI access. Additionally, when the
operational level of the key is unclassified, a
clearance is not required.
b. Type 1 operational and Type 1 seed key are ALC-1.
All test key is UNCLASSIFIED and is ALC-4.
c. Fill devices stored in the COMSEC account should
remain sealed in the plastic shipping bag. Each
fill device will have an attached card label.
Remove the card label when the key in the Key
Storage Device (KSD) is loaded into the terminal.
Maintain a local record of key material
identification numbers (KMID's) and the serial
numbers of the associated STU-III's.
d. Respond to Key Conversion Notices (KCN's)
acknowledging the conversion of seed key to
operational key. If a KCN is not received for key
that was loaded into a terminal, notify the NSA
Key Management System (KMS) and be prepared to
provide the COMSEC account number and the
conversion date.
e. Ensure terminals are rekeyed by a call to the KMS
at least annually.
f. Expired key may be returned to the NSA KMS for
disposition. Transfer the fill devices to NSA
COMSEC account 880103 using an SF 153. See
Chapter 2, paragraph 205 for shipping methods.
SF 153 destruction reports with two signatures
must be completed for fill devices photocopied
(other than during a loading procedure) at the
account.
902 STU-III SECURITY EDUCATION
1. COMSEC Custodians will educate STU-III users when they
receive their terminals, stressing the proper use of the
terminal, how to handle and protect their CIK, and the
importance of and correct procedures for reporting
incidents. Additionally, a copy of this Chapter will be
issued to STU-III users when they receive their
terminals. See Chapter 4 for any additional briefing
requirements.
2. Each user will sign a briefing statement acknowledging
understanding of the responsibilities. The briefing
statement will be maintained in the official security
records of the individual.
3. Reportable incidents specific to STU-III's are listed in
paragraph 904.1. Insecure practices that should be
reported to the COMSEC Custodian but do not need to be
reported according to Chapter 6 are described in
paragraph 904.2.
903 PROTECTING CIK's
1. COMSEC Custodians must maintain local records of CIK's,
to which terminal(s) they are associated, and to which
user(s) they are assigned.
2. CIK's should normally be retained by authorized persons,
who should protect them as valuable personal property.
Multiple CIK's may be created for each terminal. Any
person who is permitted unrestricted access to a keyed
terminal can retain the CIK in his or her personal
possession. Interoperable CIK's may be created to work
in more than one terminal. It is recommended that an
interoperable CIK remain at all times in the personal
possession of a single individual who is assigned
responsibility for its use. If a CIK must be stored in
the same room as the terminal, protect it according to
the classification of the keyed terminal. When
terminals are installed in residences, the user must be
sure to remove the CIK from the terminal following each
use and keep it in his or her personal possession, or
store it in a security container approved for the
classification level of the key in the terminal.
3. Master CIK's are used to create other CIK's for the same
terminal, so greater controls should be exercised.
Maintain master CIK's in locked storage commensurate
with the classification level of the key they protect,
except when being used to create other CIK's, and keep
under the personal control of an authorized person who
has been briefed on its sensitivity and the requirements
for its control. Master CIK's should not be used on a
day-to-day basis with the STU-III.
4. Report lost CIK's immediately to the COMSEC Custodian so
that he or she can delete that CIK from all terminals
with which it was associated. Deleting a CIK does not
affect the usability of other CIK's created for that
terminal. Once a CIK has been disassociated from a
terminal, it no longer needs to be controlled and can be
reused.
5. Use of a CIK by anyone other than the personnel to whom the
authentication information appearing on the terminal
display applies may only be permitted if the intended
user is verifiably cleared to the level that the key is
classified and the CIK is under continuous control and
supervision by the authorized person. To place such a
call, the authorized person must first make voice
contact with the distant end identifying the intended
user and indicating the intended user's clearance level
before allowing access to the terminal.
904 INCIDENTS
1. The following incidents apply specifically to the
Type 1 STU-III and are reportable in accordance with
Chapter 6:
a. Failure of the COMSEC Custodian to notify the KMS
that a seed key listed on the conversion notice
still exists in the COMSEC account;
b. Any instance where the authentication information
displayed during a secure call is not
representative of the distant terminal;
c. Failure to adequately protect or erase a CIK that
is associated with a lost terminal;
d. Any instance where the display indicates that the
distant terminal contains compromised key.
(Example: "Hang Up - Far Key Compromised" on the
terminal display, indicating an unauthorized user
may be at the distant end.);
e. Leaving a CIK in a STU-III when access to the
STU-III is uncontrolled, unless the area is approved
for open storage for classified material
(NTISSI 4003).
NOTE: Reports of COMSEC incidents involving key must
include the assigned KMID, whether or not any CIK's were
involved, and whether or not the CIK's were protected
when the incident occurred.
2. The following incidents need not be reported in
accordance with Chapter 6, but must be reported to the
Installation Security Officer and/or COMSEC Custodian:
a. CIK failure. If a CIK that had operated properly
fails, the failure could be attributed to a
malfunction in the CIK itself or in the terminal.
It could also be an indication that the CIK has
been copied and the copy used in the terminal. To
preclude the possibility of further use in the
event the CIK was copied, the failed CIK should be
promptly deleted from the terminal (deleting the
CIK does not affect the usability of other CIK's
created for that terminal).
b. Loss of a CIK. Once reported, the CIK should be
deleted from the system.
c. Initial discovery of loss or unauthorized
relocation of a STU-III. If a STU-III is
discovered missing, secure all associated CIK's
until other instructions are received. After a
reasonable amount of time, if the missing STU-III
cannot be accounted for, the incident is
reportable in accordance with Chapter 6.
d. Transmission of classified information using a
terminal with a failed display. If the display
fails, terminate the call immediately. Should an
unauthorized user receive the call, the incident
is reportable in accordance with Chapter 6.
e. Failure to rekey a terminal within 2 months after
the end of the cryptoperiod. The Electronic Key
Management System (EKMS) will zeroize terminals
automatically at the end of the 2-month period.
f. "Security Failure" on the terminal display when a
CIK is removed. This display is accompanied by a
continuous audible tone to notify the user that an
emergency condition exists and that prompt action
is required. Protect the terminal as classified
until further instructions are received.
g. "CIK Not Updated" on the terminal display,
requiring action by the COMSEC Custodian.
905 STU-III TERMINAL KEYING AND REKEYING
1. Electronic keying of a Type 1 STU-III is accomplished by
loading a seed key (which includes authentication
information for the terminal display) into the STU-III
from the KSD followed by immediately creating at least
one CIK, and calling the KMS. During the call, the KMS
electronically provides an operational key (at the
classification level ordered) to replace the seed key in
the terminal. Once this process, called "conversion," is
complete, the terminals may be used in the secure mode
to call other STU-III terminals.
2. During the rekey call to the KMS, it is the key in the
terminal that is being rekeyed, not the CIK. Therefore,
only one call is necessary; rekey calls are not required
for each of the multiple CIK's associated with one
terminal. It is not necessary to use the master CIK.
906 SECURE DATA MODE
The STU-III is designed to prevent disclosure of information
in transit only, and the end system is still responsible for
determining and properly reacting to the accreditation range
of the system to which it will communicate, the identity of
the user of the distant end system, and the STU-III-
negotiated classification level of the connection. When
appropriate, computer security safeguards must also be
employed to prevent improper and/or unauthorized access to
information.
1. Data Installations
a. STU-III terminals may be used to secure
communications between classified computer
systems, provided the key in the terminal matches
the classification of the information to be
transmitted.
b. Authorization from the Installation Security
Officer and/or the Designated Approval Authority
is required before data processing equipment may
be installed and operated with a STU-III terminal.
2. Facsimile (FAX) Installations
a. STU-III terminals may be used with FAX machines to
transmit classified information provided the key
in the terminal matches the classification of the
information to be transmitted.
b. Authorization from the Installation Security
Officer is required before FAX equipment may be
installed and operated with a STU-III terminal.
c. FAX machines used to transmit classified
information will be protected in the same manner
as the associated STU-III terminal.
d. Secure voice contact must be established before
switching to data mode and transmitting the
material. Classified material receipting
regulations apply when transmitting classified
information between NASA Installations or to other
addresses. The sending operator will remain at
the terminal until the transmission is complete
and return to secure voice mode to verify receipt.
907 SENSITIVE COMPARTMENTED INFORMATION FACILITIES (SCIF's)
1. Use only SCI level key.
2. The CIK(s) associated with the terminal may not be
removed from the SCIF.
3. STU-III terminals will not be removed from the SCIF
except for maintenance.
908 INSTALLATIONS IN RESIDENCES, HOTELS, OR COMMERCIAL
CONFERENCE FACILITIES
Installations in residences, hotels, or commercial
conference facilities require the express written permission
of the Installation Security Office. Requests for
permission to install a STU-III terminal in a residence,
hotel, or commercial conference facility need to include a
statement of need.
909 VEHICLE INSTALLATIONS
1. Installations of STU-III secure cellular terminals in
vehicles require the express written permission of the
Installation Security Office.
2. The CCI portion of a STU-III cellular terminal is
normally installed in the trunk of the vehicle. When
the vehicle is to be unattended, remove the CIK and
terminal mounting mechanism key, and lock the vehicle.
When the vehicle will be unattended for an extended
period or will be parked in an area where there is a
high threat of theft or tampering, or if the vehicle
will be turned over for commercial repair, first remove
the CCI portion of the terminal, the message center, and
the handset.
910 ACOUSTIC SECURITY
1. Acoustical isolation must be sufficient to prevent
classified conversation from being overheard, without
the aid of electronic equipment, in adjacent uncleared
areas. Acoustical separation can be achieved by
implementing adequate separation, physical barriers,
area access controls, or some combination thereof.
Acoustic isolation must be sufficient to prevent
classified conversations from being overheard at non-
secure telephones.
2. Measures to implement the requirements outlined above
will include the following or a combination thereof:
a. Individual offices, where the structure provides
the needed isolation.
b. Sound absorbent office partitions between
individual work areas in open plan offices.
c. Other protective measures specified by a NASA TSCM
specialist.
CHAPTER 10: COMSEC EMERGENCY ACTION PROCEDURES
1000 REQUIREMENTS
All organizations holding classified or CCI COMSEC material
must prepare a plan to protect the material during natural
disasters and accidental emergencies (such as fire, flood,
tornado, and earthquake). Planning and actions should
emphasize maintaining security control over the material
without endangering life until order is restored.
Incorporate the requirements of this Chapter into the
emergency action procedures established for the entire
facility. Additionally, structure normal operating
routines to minimize the number and complexity of actions
to be taken to protect COMSEC material during emergencies.
For example, hold only the minimum amount of COMSEC
material at any time; that is, conduct routine destruction
frequently and dispose of excess COMSEC material according
to disposition instructions.
1001 PREPAREDNESS
Planning for natural disasters and accidental emergencies
must provide for the following:
1. Fire reporting and initial fire fighting by assigned
personnel. Note: The Emergency Plan must be
coordinated with the appropriate security and
fire/safety personnel.
2. Assigning on-the-scene responsibility to ensure COMSEC
material is protected.
3. Securing or removing classified COMSEC material and
evacuating the area(s).
4. Protecting material when outside fire fighters, etc.,
must be admitted into the secure area(s).
5. Assessing and reporting probable exposure of classified
COMSEC material to unauthorized persons during the
emergency.
6. Post-emergency inventorying of classified and CCI COMSEC
material and reporting any losses or unauthorized
exposures to appropriate authority.
7. Destruction of COMSEC Material. While destruction of
COMSEC material is usually not considered in a CONUS
location's Emergency Action Plan, the possibility of
destruction prior to evacuation in the case of other
natural disasters/emergencies will be discussed with
the NASA Central Office of Record (COR), Code JIS, and
will only occur at the direction of that office.
1002 PREPARING THE EMERGENCY PLAN
Preparing the COMSEC material emergency plan is the COMSEC
Custodian's responsibility. A sample emergency plan is
included as Appendix D. The plan should be coordinated
with appropriate security and fire/safety personnel. The
plan must be realistic and workable, and it must accomplish
the goals for which it is prepared. Contributing factors
to this are as follows:
1. All duties under the plan must be described clearly and
concisely.
2. All authorized personnel at the facility should be
aware of the existence of the plan. Each individual
who has duties assigned under the plan should receive
detailed instructions on how to carry out these duties
when the plan becomes effective. Personnel involved
should be familiar with all duties so that assignment
changes may be made, if necessary. Periodically
rotating the emergency duties of all personnel can
achieve this.
3. Conduct training exercises periodically to ensure that
all personnel, especially those newly assigned, who
might have to take part in an actual emergency, will be
able to carry out their duties. As necessary, change
the plan based on the experience of the training
exercises.
1003 EMERGENCY ACTION PROCEDURES REVIEW
COMSEC emergency procedures developed under these
guidelines will be made available for review upon the
request of the NASA COR.
APPENDIX A
Definitions. For the purposes of this Manual, the following
definitions apply:
1. Accountable COMSEC Material: All COMSEC aids,
equipment and components, and devices, identifiable by
the Telecommunications Security (TSEC) nomenclature
system, a Government Serial Number (GSN) or a similar
system of a U.S. Department or Agency, foreign
government, or international organization. Accountable
COMSEC material is hereafter referred to as COMSEC
material.
2. Accounting Legend Code (ALC): Numeric code indicating
the minimum accounting controls required for COMSEC
material. ALC categories are specified in Chapter 2.
3. Accounting Number: Number assigned to an individual
item of COMSEC material to facilitate handling and
accounting (also referred to as register or serial
number).
4. Alternate COMSEC Custodian: Individual designated to
perform the duties of the COMSEC Custodian during the
temporary absence of the COMSEC Custodian.
5. Amendment: Correction or change to a COMSEC
publication.
6. Assembly: Group of parts, elements, subassemblies, and
circuits assembled as a separate item removable from a
piece of COMSEC equipment.
7. Central Office of Record (COR): Central office which
keeps records of all COMSEC material received by
elements subject to its oversight. COR duties include
establishing and closing COMSEC accounts, maintaining
records of COMSEC Custodian and Alternate COMSEC
Custodian appointments, performing COMSEC inventories,
and responding to queries concerning account
management.
8. Communications Security (COMSEC): Measures taken to
deny unauthorized persons information derived from
telecommunications of the U.S. Government, and to
ensure the authenticity of such telecommunications.
(COMSEC includes cryptographic security, emission
security, transmission security, and physical security
of COMSEC material and information.)
9. COMSEC Account: Administrative entity, identified by
an account number, responsible for maintaining custody
and control of accountable COMSEC material.
10. COMSEC Account Audit: Examination of the holdings,
records, and procedures of an account to ensure that
accountable COMSEC material is safeguarded properly.
11. COMSEC Accounting: Procedures that document the
control of accountable COMSEC material from time of
origin through destruction or final disposition.
12. COMSEC Aids: All COMSEC materials, other than
equipment or devices, which assist in securing
telecommunications and/or are required in the
production, operation, and maintenance of COMSEC
systems and their components (e.g., operating and
maintenance manuals).
13. COMSEC Custodian: Individual designated by proper
authority to be responsible for receipting,
transferring, safeguarding, destroying, and the
accountability of COMSEC material assigned to a COMSEC
account.
14. COMSEC Equipment: Equipment designed to provide
security to telecommunications by converting
information to a form unintelligible to an unauthorized
interceptor, and by reconverting such information to
its original form for authorized recipients. Also
equipment designed specifically to aid in, or as an
essential element of, the information conversion
process. COMSEC equipment includes cryptographic
equipment, crypto-ancillary equipment, and
authentication equipment.
15. COMSEC Facility: Space employed primarily for the
purpose of generating, storing, repairing, or using
COMSEC material.
16. COMSEC Incident: Any occurrence that potentially
jeopardizes the security of COMSEC material or the
secure electrical transmission of Government
information.
17. COMSEC Insecurity: COMSEC incident that has been
investigated, evaluated, and determined to jeopardize
the security of COMSEC material or the secure
transmission of information.
18. COMSEC Inventory Reconciliation Report: Certificate
issued by the COR that compares the semiannual
inventory of a COMSEC account with the COR's records
and identifies any discrepancies noted.
19. COMSEC Material: COMSEC aids and equipment that secure
telecommunications or ensure the authenticity of such
communications.
20. COMSEC Material Control System (CMCS): Logistics
system through which COMSEC material is distributed,
controlled, and safeguarded. (Note: The CMCS consists
of all COMSEC CORs, cryptologistic depots, and COMSEC
accounts/subaccounts.)
21. COMSEC Modification: Any change to the electrical,
mechanical, or software characteristics of NSA-approved COMSEC
equipment. Types of COMSEC modifications are
mandatory, optional, special mission, and repair
actions.
22. COMSEC Register File: Accounting file containing a
record of each COMSEC item accountable to a COMSEC
account.
23. Contingency Key: Keying material held for use on a
cryptonet under specific operational conditions or in
support of specific contingency plans.
24. Controlled Cryptographic Item (CCI): Secure
telecommunications or information handling device, or
associated cryptographic component, which is
unclassified but controlled. Equipment and components
so designated bear the designator CCI.
25. Controlling Authority: Designated official responsible
for directing the operation of a cryptonet and for
managing the operational use and control of keying
material assigned to that cryptonet.
26. CRYPTO: Marking or designator identifying all
operational and on-the-air COMSEC keying material.
27. Crypto-Ancillary Equipment: Equipment designed
specifically to facilitate efficient or reliable
operation of cryptographic equipment, but which does
not itself perform cryptographic functions.
28. Crypto-Equipment: Equipment that embodies a
cryptographic logic.
29. Cryptographic Component: Hardware or firmware
embodiment of the cryptographic logic in a secure
telecommunications or automated information processing
system. A cryptographic component may be a modular
assembly, a printed wiring assembly (PWA), a
microcircuit, or a combination of these items.
30. Cryptographic Incident: Any equipment malfunction, or
operator or custodian error, that adversely affects the
cryptographic security of a machine, auto-manual, or
manual cryptosystem.
31. Crypto-Ignition Key (CIK): Device or electronic key
used to electronically lock or unlock the secure mode
of a piece of cryptographic equipment.
32. Cryptographic Logic: Well-defined procedure or
sequence of steps used to produce cipher text from
plain text, and vice versa, or to produce a key stream,
plus delays, alarms, and checks essential to
effectively performing the cryptographic process.
33. Cryptonet: Stations that share use of a specific key.
34. Cryptoperiod: Time span during which each key setting
(i.e., a key segment) remains in effect.
35. Data Encryption Standard (DES): Algorithm used for the
encryption of unclassified but sensitive Government
information.
36. Date Stamp: Year, month, date (YYMMDD) stamp
indicating the date a protective technology was applied
to a COMSEC product.
37. Element: Subdivision of a COMSEC device, an assembly,
or a subassembly, consisting of a single piece or group
of replaceable parts. An element is a removable item
necessary to equipment operation, but it does not
necessarily perform a complete function in itself.
(Elements are usually in the form of printed circuit
boards and are identified by an "E" to indicate the
item is an element, followed by a hyphen and
alphabetical trigraph, e.g., E-ABC.)
38. Exercise Key: Key intended to safeguard transmissions
associated with exercises.
39. Field Inspection: Process of examining protective
technologies at a Field Site to detect possible signs
of tampering and/or substitutions.
40. Fill Device: COMSEC item used to transfer or store key
in electronic form or to insert key into cryptographic
equipment. Common Fill Devices refers to the KOI-18,
KYK-13, and KYX-15.
41. Hand Receipt: Document used to record local or
temporary issue of COMSEC material from a COMSEC
Custodian to a user and acceptance by the user of the
responsibility to properly store and control the COMSEC
material.
42. Hard-Copy Key: Physical keying material such as
printed key cards/lists, punched key tapes, or
programmable read-only memories (PROMs).
43. Hard-Wired Key: Key that is permanently installed in a
piece of COMSEC equipment.
44. Interoperable CIK: A CIK created to work in more than
one STU-III terminal.
45. Intrusion Detection System (IDS): System designed to
detect and signal unauthorized entry into a controlled
area (e.g., security alarms, sensor systems, video
systems).
46. Inventory: 1. Physical verification of the presence
of each item of COMSEC material charged to a COMSEC
account. 2. Listing of each item of COMSEC material
charged to a COMSEC account.
47. Inventory Report: Report of items of material that
were physically sighted in accordance with inventory
procedures.
48. Irregularly Superseded Keying Material: Keying
material used on an "as needed" basis, rather than
during a specified period of time.
49. Key: Information (usually a sequence of random binary
digits) used to initially set up and periodically
change the operations performed in cryptographic
equipment for encrypting or decrypting electronic
signals, for determining electronic counter-countermeasure
(ECCM) patterns (frequency hopping or spread spectrum),
or for producing other keys. The term "key" has
replaced the terms "variable," "key variable," and
"cryptovariable."
50. Key Distribution Center (KDC): COMSEC facility that
generates and distributes key in electronic form.
51. Key Encryption Key: Key used for encrypting and
decrypting other keys during transmission or storage.
52. Key List: Printed series of key settings for a
specific cryptonet. Produced in list, pad, or printed
tape format.
53. Key Management: Process by which key is generated,
stored, protected, transferred, loaded, used, and
destroyed.
54. Keyed: Condition of containing key. In applications
employing a CIK, cryptographic equipment is considered
unkeyed when the CIK is removed.
55. Keying: All keying-related changes to cryptographic
equipment, such as loading electronic key, inserting
the CIK, and updating or photocopying key.
56. Keying Material: Type of COMSEC aid that supplies
either encoding means for manual and auto-manual
cryptosystems or key for machine cryptosystems.
57. Keying Material Support Plan (KMSP): Detailed
description of the operational needs of a proposed
cryptonet including the structure, keying material
specifications, and distribution plan.
58. Key Storage Device: The name given to the physical
device that can be used as a fill device and also as a
CIK for all STU-III terminals. It is a small device
shaped like a physical key and contains passive memory.
When it is used to carry key to terminals, it is termed
a fill device; when it is used to protect key that has
been loaded into terminals, it is termed a CIK.
59. L6061: COMSEC Material Record Form that documents
possession, location, and current user of specific
equipment or device.
60. Limited Access Area: Area in which uncontrolled
movement of personnel would allow access to classified
information, but in which such access is prevented by
escort or other internal restrictions or controls.
61. Long Title: Descriptive title of an item of COMSEC
material (e.g., General Purpose Encryption Device).
62. Maintenance Key: Key intended only for off-the-air,
in-shop use.
63. Mandatory Modification: Change to a COMSEC equipment
that the NSA requires to be completed and reported by a
specified time-compliance date.
64. Master CIK: The first CIK created for a terminal,
which has been designated to allow the holder to create
additional CIKs whenever they are required, up to the
terminal's maximum.
65. Microcircuit: Single monolithic semiconductor
substrate on which all of the active and passive
elements of an electronic microcircuit (such as a key
generator) have been fabricated utilizing semiconductor
technology. A microcircuit is not ready for use until
it is packaged and provided with terminals for
connection to other system components.
66. Modification: Any change to the electrical,
mechanical, or software characteristics of COMSEC
equipment, an assembly, or a device.
67. National Security Information: Information related to
the national defense or foreign relations of the United
States that was determined to be classified pursuant to
Executive Order 12356 or any predecessor order.
68. Negative Inventory: Semiannual, preprinted inventory
sent to a COMSEC account that does not currently hold
COMSEC material.
69. Net Mode: Mode of operation in which all net members
have the same key.
70. Net Key: Key held in common by all members of a given
cryptonet.
71. No-Lone Zone: Area, room, or space to which no one
person may have unaccompanied access and which, when
manned, must be occupied by two or more appropriately
cleared individuals.
72. Operational Key: Key intended for use on-the-air for
protection of operational information or for the
production of secure electrical transmission of key
streams.
73. Page Check: Verification of the presence of each
required page in a publication.
74. Personnel Incident: Capture, unauthorized absence,
defection, or control by a hostile intelligence entity
of an individual having knowledge of, or access to,
classified or sensitive COMSEC information or material.
75. Physical Incident: Any occurrence (e.g., loss of
control; theft; capture; recovery by salvage;
tampering; unauthorized viewing, access, or
photographing) which results in jeopardy to COMSEC
material.
76. Protected Distribution System: Wireline or fiber-optic
telecommunications system that includes terminals and
adequate acoustic, electrical, electromagnetic, and
physical safeguards to permit its use for the
unencrypted transmission of classified information.
77. Protective Packaging: Packaging techniques for keying
material, which discourage penetration and/or which
reveal that a penetration has occurred or which inhibit
viewing or copying of keying material prior to the time
it is exposed for use.
78. Protective Technologies: Special tamper-evident
features and materials employed for the purpose of
detecting tampering and deterring attempts to
compromise, modify, penetrate, extract, or substitute
equipment and keying material.
79. Regularly Superseded Keying Material: Keying material
that is superseded on a regular, established schedule.
80. Remote Rekeying: Secure electrical distribution of a
key by radio or wire/fiber optic line.
81. Reserve Keying Material: Key held to satisfy unplanned
needs.
82. Self-authentication: Implicit authentication of all
transmissions on a secure system (such as PDS) or
cryptonet to a predetermined level.
83. Sensitive Compartmented Information (SCI): All
information and material that requires special controls
for restricted handling within compartmented
intelligence systems and for which compartmentation is
established.
84. Sensitive, Unclassified Information: Any information,
the loss, misuse, or unauthorized access to, or
modification of, which could adversely affect the
national interest or conduct of Federal programs, or
the privacy to which individuals are entitled under
Section 552a of Title 5, United States Code (the
Privacy Act), but which has not been specifically
authorized under criteria established by an executive
order or an act of Congress to be kept secret in the
interest of national defense or foreign policy.
85. Short Title: Identifying combination of letters and
numbers assigned to COMSEC material for the purpose of
brevity (e.g., KAM-1211A/TSEC, TSEC/KW-76). Each item
of accountable COMSEC material is assigned a short
title to facilitate handling, accounting, and control.
(See Figure 2 in Appendix E for the table of
designators for COMSEC aids and COMSEC equipment.)
86. STU-III Key Management System (KMS): The STU-III
system that provides all keying services to the user
community.
87. Subassembly: Major subdivision of an assembly, which
consists of a package of parts, elements, and circuits
that perform a specific function (such as an
oscillator, amplifier, powerpack, etc.). Usually the
subassembly is a removable package. Subassemblies are
identified by a "Z" followed by a dash and alphabetic
trigraph, e.g., Z-ABE.
88. Supersession: Scheduled or unscheduled replacement of
a COMSEC aid with different editions.
89. Telecommunications: Preparation, transmission,
communication, or related processing of information
(writing, images, sounds, or other data) by electrical,
electromagnetic, electro-mechanical, or electro-optical
or electronic means.
90. Test Key: Key intended only for on-the-air testing of
COMSEC equipment or systems.
91. Traffic Encryption Key: Key used to encrypt and
decrypt information for transmission.
92. Training Key: Cryptographic key intended only for
on-the-air or off-the-air training of users.
93. Transfer of Accountability: Process of transferring
accountability for COMSEC material from the COMSEC
account of the shipping organization to the COMSEC
account of the receiving organization.
94. TSEC Nomenclature: System for identifying the type and
purpose of items of COMSEC material over which the NSA
exercises configuration control. NOTE: "TSEC" is an
abbreviation for "telecommunications security."
95. Two-Person Control: Continuous surveillance and
control of COMSEC material at all times by a minimum of
two authorized individuals, each capable of detecting
incorrect and unauthorized procedures with respect to
the task being performed, and each familiar with
established security and safety requirements.
96. Two-Person Integrity: System of storage and handling
designed to limit access to certain COMSEC keying
material by requiring the presence of at least two
authorized persons, each capable of detecting incorrect
or unauthorized security procedures with respect to the
task being performed. Two-Person Control refers to
Nuclear Command and Control COMSEC material while
Two-Person Integrity refers only to COMSEC keying material.
NOTE: Two-person integrity (TPI) procedures differ
from no-lone zone procedures in that under TPI
controls, two authorized persons must directly
participate in handling and safeguarding the keying
material (as in accessing storage containers,
transportation, keying/rekeying operations, and
destruction). No-lone zone controls only require the
two authorized persons to be physically present in the
common area where the material is located.
97. Type 1 Product: Classified or CCI equipment,
assemblies, or components endorsed by the NSA for use
in telecommunications and automated information systems
for securing classified or sensitive U.S. Government
information, when appropriately keyed. NOTE: Refers
only to products, and not to information, key,
services, or controls. Type 1 products contain
classified NSA algorithms. They are available to U.S.
Government users and their contractors, and are subject
to export restrictions in accordance with International
Traffic in Arms Regulation.
98. Type 2 Product: Unclassified cryptographic equipment,
assemblies, or components endorsed by the NSA for use
in telecommunications and automated information systems
for protecting information covered by the Warner
Amendment. NOTE: Refers only to products, not to
information, key, services, or control. Type 2
products may not be used for classified information,
but do contain classified NSA algorithms, which
distinguishes them from products containing the
unclassified data encryption standard (DES) algorithm.
Type 2 COMSEC products are available to U.S. Government
departments and agencies, and to elements of State and
local governments, contractors, and private sector
entities, when sponsored by the U.S. Government. Type
2 COMSEC products are subject to export restrictions in
accordance with International Traffic in Arms
Regulation.
99. User Representative: Person authorized by an
organization to order COMSEC keying material and to
interface with the CMCS to provide key ordering
information to key users.
100. Unkeyed: Containing no key or containing key that has
been protected from unauthorized use by removing the
CIK.
101. Update: Cryptographic process that is performed to
irreversibly modify key to protect back traffic.
102. User: Individual required to use COMSEC material in
the performance of his or her official duties and who
is responsible for safeguarding that COMSEC material.
103. User Representative: Person formally designated to
order key for STU-III terminals.
104. Warner Amendment Information: Unclassified Government
or Government-derived information, of departments,
agencies and their contractors, involving intelligence
activities, cryptologic activities related to national
security, the command and control of military forces,
equipment that is integral to a weapon or weapons
system, or critical to the direct fulfillment of
military or intelligence missions (10 U.S.C.,
Section 2315).
105. Witness: Appropriately cleared and designated
individual, other than the COMSEC Custodian, who
witnesses the destruction or inventory of COMSEC
material.
106. Zeroize: To remove or eliminate key from cryptographic
equipment or fill devices.
APPENDIX B
SAMPLE COMMUNICATIONS SECURITY (COMSEC) BRIEFING
a. You have been selected to perform duties requiring
access to U.S. classified COMSEC information. It is
essential that you become fully aware of facts
relating to protecting this information before access
is granted. This briefing will give you a description
of the types of COMSEC information to which you may
have access, the reasons why special safeguards are
necessary for protecting this information, the
directives and rules that prescribe such safeguards,
and the penalties you may incur for the unauthorized
disclosure, unauthorized retention, or negligent
handling of U.S. classified COMSEC information.
Failing to properly safeguard this information could
cause serious or exceptionally grave damage, or
irreparable injury, to the national security of the
United States, or could be used to a foreign nation's
advantage.
b. COMSEC is the general term used for all steps taken to
deny unauthorized persons information derived from the
telecommunications of the U.S. Government, and to
ensure the authenticity of those communications.
COMSEC has four main components: transmission
security, physical security, emission security, and
cryptographic security. Transmission security is
methods and techniques applied to protect information
while in transmission from unauthorized intercept,
traffic analysis, imitative deception, and disruption.
Physical security is those barriers put in place to
prevent access by an unauthorized person to materials,
information, documents, and equipment. Emission
security is measures taken to prevent compromising
signals from emanating from equipment or
telecommunications systems. Cryptographic security is
rules applied to alter information, making it
unintelligible to unauthorized people during
communications. To ensure that telecommunications are
secure, all four of these components must be
considered.
c. COMSEC equipment and keying material are especially
sensitive because they are used to protect other
classified information while that information is
communicated from one point to another. Any particular
piece of COMSEC equipment, keying material, or other
cryptographic material may be the critical element that
protects large amounts of classified information from
interception, analysis, and exploitation. If the
integrity of the COMSEC system is weakened at any
point, all information protected by the system could be
compromised; it is even more damaging if this loss of
classified information goes undetected. The procedural
safeguards placed on COMSEC equipment and materials,
covering every phase of their existence from creation
through disposition, are designed to reduce or
eliminate the possibility of such loss.
d. COMSEC equipment and materials receive special handling
for distribution and accounting as part of physical
security protection. Two separate channels are used
for handling such equipment and materials: COMSEC
channels and administrative channels. The COMSEC
channel, or COMSEC Material Control System (CMCS), is
used to distribute accountable COMSEC such as keying
material, maintenance manuals for cryptographic, and
classified and CCI equipment. The CMCS channel is
composed of a series of COMSEC accounts, each of which
is appointed a COMSEC Custodian who is personally
responsible and accountable for all COMSEC materials in
the account. The COMSEC Custodian assumes
responsibility for the material from the time it is
received, and controls its dissemination to authorized
users on a need-to-know basis. The administrative
channel is used to distribute COMSEC information and
materials other than that accountable in the CMCS.
e. To adequately protect COMSEC equipment and materials,
you must understand all the pertinent security
regulations and the importance of reporting any
compromise, suspected compromise, or other security
problem involving these materials. If a COMSEC system
is compromised but the compromise is not reported, all
information that was ever protected by that system may
be lost as a result. If the compromise is reported,
steps can be taken to change the system, replace the
keying material, etc., to reduce the damage done. In
short, it is your individual responsibility to know and
to put into practice all the provisions of the
appropriate publications relating to properly using and
protecting the COMSEC equipment and materials to which
you will have access.
f. Because access to U.S. classified cryptologic
information is granted on a strict need-to-know basis,
you will be given access to only that cryptographic
information necessary for you to perform your duties.
g. You may not disclose any COMSEC information without the
specific approval of the NASA COMSEC Manager or the
National Security Agency (NSA). This applies to both
classified and unclassified COMSEC information, and
means that you may not prepare newspaper articles,
speeches, technical papers, or make any other "release"
of COMSEC information without specific Government
approval. The best personal policy is to avoid any
discussions that reveal your knowledge of or access to
COMSEC information and thus avoid making yourself
interesting to those who seek the information you
possess.
h. When your duties include access to classified COMSEC
information, in addition to the above, you should avoid
travel to any countries that are adversaries of the
United States, or to their establishments/facilities
within the United States. Should such travel become
necessary, your security office must be notified in
advance, allowing sufficient time for you to receive a
defensive security briefing. Any attempt to elicit the
classified COMSEC information you have, either through
friendship, favors, or coercion, must be reported
immediately to your security office.
i. Finally, you must know that if you willfully disclose
or give any of the classified COMSEC information,
equipment (including CCI), or associated keying
materials to which you have access to any unauthorized
persons, you will be subject to prosecution under the
criminal laws of the United States. The laws which
apply are contained in Title 18, United States Code,
Sections 641, 793, 794, 798, and 952.
_____________________________ ________ ____________________
SIGNATURE OF EMPLOYEE BRIEFED DATE SIGNATURE OF BRIEFER
APPENDIX C
SAMPLE
CRYPTOGRAPHIC ACCESS CERTIFICATION
CRYPTOGRAPHIC ACCESS TERMINATION
PRIVACY ACT STATEMENT
INSTRUCTION
Section One of this certification must be executed before an
individual may be granted access to U.S. classified cryptographic
information. Section Two will be executed when the individual no
longer requires such access. The signed certificate (original)
will be made a permanent part of the official security records of
the individual concerned.
SECTION ONE
AUTHORIZATION FOR ACCESS TO U.S. CLASSIFIED CRYPTOGRAPHIC
INFORMATION
a. I understand that I am being granted access to U.S.
classified cryptographic information. I understand
that my being granted access to this information
involves me in a position of special trust and
confidence concerning matters of national security. I
hereby acknowledge that I have been briefed concerning
my obligations with respect to such access.
b. I understand that safeguarding U.S. classified
cryptographic information is of the utmost importance
and that the loss or compromise of such information
could cause serious or exceptionally grave damage to
the national security of the United States. I
understand that I am obligated to protect U.S.
classified cryptographic information and I have been
instructed in the special nature of this information
and the reasons for the protection of such information.
I agree to comply with any special instructions issued
by my installation or agency regarding unofficial
foreign travel or contacts with foreign nationals.
c. I fully understand the information presented during the
briefing I received. I have read this certificate and
my questions, if any, have been satisfactorily
answered. I acknowledge that the briefing officer has
made available to me the provisions of Title 18, United
States Code, Sections 641, 793, 794, 798, and 952 (see
Attached). I understand that, if I willingly disclose
to any unauthorized person any of the U.S. classified
cryptographic information to which I might have access,
I am subject to prosecution under the criminal laws
of the United States, as appropriate. I understand and
accept that unless I am released in writing by an
authorized representative of the NASA Security Office,
the terms of this certificate and my obligation to
protect all U.S. classified cryptographic information
to which I may have access apply during the time of my
access and at all times afterward.
ACCESS GRANTED THIS ____ DAY OF ____________ 19__
___________________________________ ___________________________
SIGNATURE NAME/GRADE/SSN
___________________________________ ____________________________
SIGNATURE OF ADMINISTERING OFFICIAL NAME/GRADE/OFFICIAL POSITION
SECTION TWO
TERMINATION OF ACCESS TO U.S. CLASSIFIED CRYPTOGRAPHIC
INFORMATION
I am aware that my authorization for access to U.S. classified
cryptographic information is being withdrawn. I fully appreciate
and understand that the preservation of the security of this
information is of vital importance to the welfare and defense of
the United States. I certify that I will never divulge any U.S.
classified cryptographic information I acquired, nor discuss with
any person any of the U.S. classified cryptographic information
to which I have had access, unless and until freed from this
obligation by unmistakable notice from proper authority. I have
read this agreement carefully and my questions, if any, have been
answered to my satisfaction. I acknowledge that the briefing
officer has made available to me Title 18, United States Code,
Sections 641, 793, 794, 798, and 952.
ACCESS WITHDRAWN THIS ____ DAY OF ____________ 19__
___________________________________ ____________________________
SIGNATURE NAME/GRADE/SSN
___________________________________ ____________________________
SIGNATURE OF ADMINISTERING OFFICIAL NAME/GRADE/OFFICIAL POSITION
PRIVACY ACT STATEMENT
Authority to request Social Security Number (SSN) is Executive
Order 9397. Routine and sole use of the SSN is to identify the
individual precisely, when necessary, to certify access to U.S.
classified and/or unclassified cryptographic information. While
disclosure of your SSN is voluntary, failure to do so could delay
certification and, in some cases, prevent original access to U.S.
classified and/or unclassified cryptographic information.
__________________________________ __________________________
SIGNATURE DATE
ATTACHMENT
TO
APPENDIX C
PERTINENT PROVISIONS OF TITLE 18 OF THE UNITED STATES CODE
U.S.C. 18 - 641. Public money, property or records
Whoever embezzles, steals, purloins, or knowingly converts
to his use or the use of another or, without authority, sells,
conveys, or disposes of any records, voucher, money, or thing of
value of the United States or any department or agency thereof,
or any property made or being made under contract for the United
States or any department or agency thereof; or
Whoever receives, conceals, or retains the same with intent
to convert it to his or her gain, knowing it to have been
embezzled, stolen, purloined, or converted--
Shall be fined not more than $10,000 or imprisoned not more
than 10 years, or both; but if the value of such property does
not exceed the sum of $100, he shall be fined not more than
$1,000 or imprisoned not more than 1 year, or both.
The word "value" means face, par, or market value, or cost
price, either wholesale or retail, whichever is greater.
U.S.C. 18 - 793. Gathering, transmitting, or losing defense
information
(a) Whoever, for the purpose of obtaining information
respecting the national defense with intent or reason to believe
that the information is to be used to the injury of the United
States, or to the advantage of any foreign nation, goes upon,
enters, flies over, or otherwise obtains information concerning
any vessel, aircraft, work of defense, navy yard, naval station,
submarine base, fueling station, fort, battery, torpedo station,
dockyard, canal, railroad, arsenal, camp, factory, mine,
telegraph, telephone, wireless, or connected with the national
defense owned or constructed, or in progress of construction by
the United States or under the control of the United States, or
of any of its officers, departments, or agencies, or within the
exclusive jurisdiction of the United States, or any place in
which any vessel, aircraft, arms, munitions, or other materials
or instruments for use in time of war are being made, prepared,
repaired, stored, or are the subject of research or development,
under any contract or agreement with the United States or any
department or agency thereof, or with any person on behalf of the
United States or any prohibited place so designated by the
President by proclamation in time of war or in case of national
emergency in which anything for the use of the Army, Navy, or Air
Force is being prepared or constructed or stored, information
about which prohibited place the President has determined would
be prejudicial to the national defense; or
(b) Whoever, for the purpose aforesaid, and with like
intent or reason to believe, copies, takes, makes, or obtains, or
attempts to copy, take, make, or obtain, any sketch, photograph,
photographic negative, blueprint, plan, map, model, instrument,
appliance, document, writing, or note of anything connected with
the national defense; or
(c) Whoever, for the purpose aforesaid, receives or
obtains or agrees or attempts to receive or obtain from any
person, or from any source whatever, any document, writing, code
book, signal book, sketch, photograph, photographic negative,
blueprint, plan, map, model, instrument, appliance, or note of
anything connected with the national defense, knowing or having
reason to believe, at the time he or she receives or obtains, or
agrees or attempts to receive or obtain it, that it has been or
will be obtained, taken, made, or disposed of by any person
contrary to the provisions of this Chapter; or
(d) Whoever, lawfully having possession of, access to,
control over, or being entrusted with any document, writing, code
book, signal book, sketch, photograph, photographic negative,
blueprint, plan, map, model, instrument, appliance, or note
relating to the national defense, or information relating to the
national defense which information the possessor has reason to
believe could be used to the injury of the United States or to
the advantage of any foreign nation, willfully communicates,
delivers, transmits, or causes to be communicated, delivered or
transmitted or attempts to communicate, deliver, transmit, or
cause to be communicated, delivered, or transmitted the same to
any person not entitled to receive it, or willfully retains the
same and fails to deliver it on demand to the officer or employee
of the United States entitled to receive it; or
(e) Whoever, having unauthorized possession of, access to,
or control over any document, writing, code book, signal book,
sketch, photograph, photographic negative, blueprint, plan, map,
model, instrument, appliance, or note relating to the national
defense, or information relating to the national defense which
information the possessor has reason to believe could be used to
the injury of the United States or to the advantage of any
foreign nation, willfully communicates, delivers, transmits, or
causes to be communicated, delivered, or transmitted, or attempts
to communicate, deliver, transmit, or cause to be communicated,
delivered, or transmitted the same to any person not entitled to
receive it, or willfully retains the same and fails to deliver it
to the officer or employee of the United States entitled to
receive it; or
(f) Whoever, being entrusted with or having lawful
possession or control of any document, writing, code book, signal
book, sketch, photograph, photographic negative, blueprint, plan,
map, model, instrument, appliance, note, or information, relating
to the national defense, (1) through gross negligence permits the
same to be removed from its proper place of custody or delivered
to anyone in violation of his or her trust, or to be lost,
stolen, abstracted, or destroyed, or (2) having knowledge that
the same has been illegally removed from its proper place of
custody or delivered to anyone in violation of his trust, or
lost, or stolen, abstracted, or destroyed, and fails to make
prompt report of such loss, theft, abstraction, or destruction to
his superior officer--
Shall be fined not more than $10,000 or imprisoned not more
than 10 years, or both.
(g) If two or more persons conspire to violate any of the
foregoing provisions of this Section, and one or more of such
persons do any act to effect the object of the conspiracy, each
of the parties to such conspiracy shall be subject to the
punishment provided for the offense that is the object of such
conspiracy.
(h)(1) Any person convicted of a violation of this Section
shall forfeit to the United States, irrespective of any provision
of State law, any property constituting, or derived from, any
proceeds the person obtained, directly or indirectly, from any
foreign government, or any faction or party or military or naval
force within a foreign country, whether recognized or
unrecognized by the United States, as the result of such
violation.
(2) The court, in imposing sentence on a defendant for
a conviction of a violation of this Section, shall order that the
defendant forfeit to the United States all property described in
paragraph (1) of this subsection.
(3) The provisions of subsections (b), (c), and (e)
through (o) of section 413 of the Comprehensive Drug Abuse
Prevention and Control Act of 1970 (21 U.S.C. 853(b), (c), and
(e)-(o)) shall apply to--
(A) property subject to forfeiture under this
subsection;
(B) any seizure or disposition of such property;
and
(C) any administrative or judicial proceeding in
relation to such property, if not inconsistent
with this subsection.
(4) Notwithstanding section 524(c) of Title 28, there
shall be deposited in the Crime Victims Fund in the Treasury all
amounts from the forfeiture of property under this subsection
remaining after the payment of expenses for forfeiture and sale
authorized by law.
U.S.C. 18 - 794. Gathering or delivering defense information to
aid foreign governments
(a) Whoever, with intent or reason to believe that it is
to be used to the injury of the United States or to the advantage
of a foreign nation, communicates, delivers, or transmits, or
attempts to communicate, deliver, or transmit, to any foreign
government, or to any faction or party or military or naval force
within a foreign country, whether recognized or unrecognized by
the United States, or to any representative, officer, agent,
employee, subject, or citizen thereof, either directly or
indirectly, any document, writing, code book, signal book,
sketch, photograph, photographic negative, blueprint, plan, map,
model, note, instrument, appliance, or information relating to
the national defense, shall be punished by death or by
imprisonment for any term of years or for life.
(b) Whoever, in time of war, with intent that the same
shall be communicated to the enemy, collects, records, publishes,
or communicates, or attempts to elicit any information with
respect to the movement, numbers, description, condition, or
disposition of any of the Armed Forces, ships, aircraft, or war
material of the United States, or with respect to the plans or
conduct, or supposed plans or conduct of any naval or military
operations, or with respect to any works or measures undertaken
for or connected with, or intended for the fortification or
defense of any place, or any other information relating to the
public defense, which might be useful to the enemy, shall be
punished by death or by imprisonment for any term of years or for
life.
(c) If two or more persons conspire to violate this
Section, and one or more of such persons do any act to effect the
object of the conspiracy, each of the parties to such conspiracy
shall be subject to the punishment provided for the offense that
is the object of such conspiracy.
(d)(1) Any person convicted of a violation of this Section
shall forfeit to the United States irrespective of any provision
of State law--
(A) any property constituting, or derived from,
any proceeds the person obtained directly or
indirectly, as the result of such violation,
and
(B) any of the person's property used, or intended
to be used in any manner or part, to commit,
or to facilitate the commission of, such
violation.
(d)(2) The court, in imposing sentence on a defendant for
a conviction of a violation of this Section, shall order that the
defendant forfeit to the United States all property described in
paragraph (1) of this subsection.
(d)(3) The provisions of subsections (b), (c), and (e)
through (o) of section 413 of the Comprehensive Drug Abuse
Prevention and Control Act of 1970 (21 U.S.C. 853(b), (c), and
(e)-(o)) shall apply to--
(A) property subject to forfeiture under this
subsection;
(B) any seizure or disposition of such property;
and
(C) any administrative or judicial proceeding in
relation to such property, if not inconsistent
with this subsection.
(d)(4) Notwithstanding Section 524(c) of Title 28, there
shall be deposited in the Crime Victims Fund in the Treasury all
amounts from the forfeiture of property under this subsection
remaining after the payment of expenses for forfeiture and sale
authorized by law.
U.S.C. 18 - 798. Disclosure of classified information
(a) Whoever knowingly and willfully communicates,
furnishes, transmits, or otherwise makes available to an
unauthorized person, or publishes, or uses in any manner
prejudicial to the safety or interest of the United States or for
the benefit of any foreign government to the detriment of the
United States any classified information--
(1) concerning the nature, preparation, or use of any
code, cipher, or cryptographic system of the United States or any
foreign government; or
(2) concerning the design, construction, use,
maintenance, or repair of any device, apparatus, or appliance
used or prepared or planned for use by the United States or any
foreign government for cryptographic or communication
intelligence purposes; or
(3) concerning the communication intelligence
activities of the United States or any foreign government; or
(4) obtained by the processes of communication
intelligence from the communications of any foreign government,
knowing the same to have been obtained by such processes--
Shall be fined not more than $10,000 or imprisoned not more
than 10 years, or both.
(b) As used in subsection (a) of this section--
The term "classified information" means information which,
at the time of a violation of this Section, is, for reasons of
national security, specifically designated by a United States
Government Agency for limited or restricted dissemination or
distribution;
The terms "code," "cipher," and "cryptographic system"
include in their meanings, in addition to their usual meanings,
any method of secret writing and any mechanical or electrical
device or method used for the purpose of disguising or concealing
the contents, significance, or meanings of communications;
The term "foreign government" includes in its meaning any
person or persons acting or purporting to act for, or on behalf
of, any faction, party, department, agency, bureau, or military
force of or within a foreign country, or for, or on behalf of,
any government or any person or persons purporting to act as a
government within a foreign country, whether or not such
government is recognized by the United States;
The term "communication intelligence" means all procedures
and methods used in the interception of communications and the
obtaining of information from such communications by other than
the intended recipients;
The term "unauthorized person" means any person who, or
agency which, is not authorized to receive information of the
categories set forth in subsection (a) of this Section, by the
President, or by the head of a department or agency of the United
States Government which is expressly designated by the President
to engage in communication intelligence activities of the United
States.
(c) Nothing in this Section shall prohibit the furnishing,
upon lawful demand, of information to any regularly constituted
committee of the Senate or House of Representatives of the United
States of America, or joint committee thereof.
U.S.C. 18 - 952. Diplomatic codes and correspondence
Whoever, by virtue of his employment by the United States,
obtains from another or has or has had custody of or access to,
any official diplomatic code or any matter prepared in any such
code, or which purports to have been prepared in any such code,
and without authorization or competent authority, willfully
publishes or furnishes to another any such code or matter, or any
matter which was obtained while in the process of transmission
between any foreign government and its diplomatic mission in the
United States, shall be fined not more than $10,000 or imprisoned
not more than 10 years, or both.
APPENDIX D
SAMPLE EMERGENCY ACTION PLAN
1. Purpose. To protect and minimize the risk of compromise of
Communications Security (COMSEC) material during emergency
situations.
2. Discussion. National COMSEC policy requires that all
organizations holding classified or Controlled Cryptographic
Items (CCI) COMSEC material have an Emergency Action Plan with
procedures for the protection of such material during natural
disasters and accidental emergencies (such as fire, flood,
tornado, and earthquake). The actions contained within this Plan
provide for the security of the material without endangering the
lives or safety of personnel implementing the Plan.
Specifically, the Plan provides for:
a. Fire reporting.
b. Assignment of on-the-scene responsibility for ensuring
protection of the COMSEC material held.
c. Securing of classified COMSEC material and evacuation
of the area.
d. Protection of material when admission of outside
firefighters into the secure area is necessary.
e. Assessment and reporting of probable exposure of
classified COMSEC material to unauthorized persons during the
emergency.
f. Post-emergency inventory of classified and CCI COMSEC
material and the reporting of any losses or unauthorized
exposures to appropriate authority.
3. Implementation. The Lead Communicator may direct the
stowage of COMSEC material in the event of an occurring or
predicted emergency situation. In the absence of the Lead
Communicator, the COMSEC Custodian will take the action outlined
in subsequent paragraphs to safeguard the COMSEC material. The
actions are directed toward maintaining positive control over the
material while not endangering the health or safety of personnel.
4. Action
a. Fire reporting. In the event a fire is discovered
within the Message Processing Center, the following actions will
be taken, as the situation permits:
(1) The person discovering the fire should immediately
alert all others in the vicinity by loudly shouting "Fire!", then
sound the alarm by pulling the alarm located inside the Message
Processing Center (MPC), to the right of the main door.
(2) The person discovering the fire should immediately
telephone the Headquarters Safety Officer on 358-1440. State his
or her name, and report the location of the fire by building
number, floor number, and room number. The MPC is located in
Building HQ, Room 1C-42.
(3) If possible, without endangering the safety of MPC
personnel, attempt to extinguish the fire using the CO2
extinguisher located inside the MPC, to the right of the main
door.
(4) Carry out the actions regarding the evacuation of
the spaces outlined in paragraph 4(c) of this Plan.
b. Responsibility for safeguarding COMSEC material. All
personnel assigned to the MPC are responsible for safeguarding
COMSEC material. In the event of an emergency situation, the
COMSEC Custodian has primary on-scene responsibility for ensuring
the protection of the material. In the absence of the Custodian,
the Alternate Custodian assumes this responsibility. In the
unlikely event that both of these individuals are absent, the
remaining MPC personnel will assume responsibility for carrying
out the actions contained in this Plan.
c. Securing of classified material and evacuation
(1) If the situation permits, open the safe and stow
all COMSEC material that may have been removed from the safe
(KAM's, KAO's, etc.). Stow all 5.25" AUTODIN disks. Secure the
safe.
(2) Remove the COMSEC Register files for Account 800121
from the file box located on the COMSEC Custodian's desk and
place in an envelope. This envelope will be taken by MPC
personnel when evacuation occurs.
(3) Remove the three inventory folders located inside
the vault door, and to the right of the door, and prepare to
evacuate the spaces with these three folders and the COMSEC
Register file envelope.
(4) Send a QRT (Stop sending message traffic) notice on
AUTODIN to the Pentagon.
(5) Lock the vault door. Evacuate the spaces, taking
the COMSEC Register file envelope and three inventory folders.
Set the alarm as you exit, and secure the door to the MPC.
Follow the directions of the floor wardens and proceed to the
designated evacuation area, remaining well clear of the building.
(6) If the situation does not allow for stowage of
material, evacuate immediately. Take the three inventory folders
if possible, but not if it will endanger lives.
d. Protection of material when admission of outside
firefighters is necessary. In the event that it becomes
necessary to admit firefighters or other emergency personnel, the
following protective measures are to be followed:
(1) If the situation permits, open the safe and stow
any COMSEC material that may have been removed. Secure the safe.
(2) If unable to stow the material in the safe, take
whatever actions are necessary to minimize fire team exposure to
COMSEC material without hindering firefighting efforts. For
example, cover or stow the material in a desk drawer.
e. Assessment and reporting of probable exposure of
classified COMSEC material to unauthorized persons during
emergency situations. In the event that probable exposure of
classified COMSEC material occurs, the following actions are to
be taken:
(1) If possible, obtain the name, citizenship, and
clearance level (if any), of the unauthorized persons.
(2) Make a complete list of the COMSEC material
involved.
(3) Using a STU-III telephone, notify the NASA Central
Office of Record (COR) of the details of the incident. The NASA
COR may direct additional reporting.
f. Post-emergency inventory of classified and CCI COMSEC
material. Upon resolution of the emergency situation, the
following actions will be taken:
(1) Conduct a complete inventory of all classified and
CCI COMSEC material.
(2) Report any discrepancies/losses to the NASA COR
immediately.
g. Other natural disasters/emergencies. Other natural
disasters, such as floods, earthquakes, or hurricanes, may
require the evacuation of the Message Processing Center. Follow
the procedures in paragraphs 4 (c), (d), (e), and (f) of this
Appendix D.
5. Destruction of COMSEC Material. While destruction of
COMSEC material is usually not considered in a CONUS location's
Emergency Action Plan, the possibility of destruction prior to
evacuation in the case of other natural disasters/emergencies
will be discussed with the NASA Central Office of Record (COR),
Code JIS, and will only occur at the direction of that office.
This NTISSI is being updated--at that time, some minor changes
will need to be made to this text.
APPENDIX E
(Figure 1--See hardcopy)
(Figure 2--See hardcopy)
(Figure 2a--See hardcopy)
(Figure 3--See hardcopy)
1. ANCHORAGE
Building 31-260
Elmendorf AFB, Alaska

2. BOSTON
Building 225
Naval Air Station
South Weymouth, MA
Comm: (617)786-2780/2781/2857/2958/2558

3. CHARLESTON
Air Freight Bldg (S-178)
Charleston AFB, SC
Comm: (803)554-2191/3603/2401

4. DENVER
Building 612
Rocky Mountain Arsenal
Commerce City, CO
Comm: (303)289-0289/0294

5. DOVER
Building 506
Dover AFB, DE
Comm: (302)678-6063/64

6. HONOLULU
Building 4069
Air Freight Building
Hickam AFB, HI
Comm: (808)449-1130

7. JACKSONVILLE
Building 934
Box 32, Naval Air Station
Jacksonville, FL 32212/0032
Comm: (904)772-2784
FAX: (904)772-5032

8. KELLY
Building 1470
Kelly AFB, TX
Comm: (512)925-3704

9. LOS ANGELES
Building 205
Los Angeles AF Station
El Segundo, CA
Comm: (213)643-1878/79

10. MCCORD
Building 1410
McCord AFB
Tacoma, WA
Comm: (206)984-5908/2426

11. MCGUIRE
Building 17-02
Air Freight Warehouse
McGuire AFB, NJ
FTS: 484-4534
Comm: (609)723-7937

12. NORFOLK
Building LP-82
Naval Air Station
Norfolk, VA
Comm: (804)444-3471/72/73

13. OFFUTT
MOD "B"
Offutt AFB, NE
Comm: (402)294-5354/55/56

14. SAN DIEGO
Building 1
937 North Harbor Drive
San Diego, CA
Comm: (714)235-3381/82

15. TRAVIS
Building 934
Travis AFB
Fairfield, CA
Comm: (707)438-2641/42

16. WASHINGTON
7455 "A" New Ridge Road
Linthicum, MD
Comm: (301)677-2144/45

17. WRIGHT-PATTERSON
Building 829, Area A
Wright-Patterson AFB, OH
Comm: (513)257-3121/6130
FIGURE 4: DCS Station Addresses
(Figure 5--See hardcopy)
(Figure 6--See hardcopy)
(Figure 6--See hardcopy)
(Figure 8--See hardcopy)
(Figure 9--See hardcopy)
(Figure 10--See hardcopy)
(Figure 11--See hardcopy)
(Figure 12--See hardcopy)
(Appendix F--See hardcopy)