[Directives and Handbooks]

NASA Handbook

NHB 1600.6
Effective Date: May 1, 1993
Expiration Date:


Responsible Office: JL / Security, Logistics, & Industrial Relations Division

NASA COMMUNICATIONS SECURITY (COMSEC) MANUAL


PREFACE



The NASA Communications Security (COMSEC) Manual provides basic

information for assignment of individual communications security

responsibilities within NASA.  It sets forth minimum standards,

procedures, specifications, and guidelines for safeguarding and

control of COMSEC material in NASA's possession.  It expands upon

and further specifies NASA security policy in NMI 1600.2, "NASA

Security Program."



This Manual implements the provisions concerning the National

Policy for the Security of National Security Telecommunications

and Information Systems, dated July 5, 1990, and National

Communications Security Instruction 4005, "Safeguarding and

Control of COMSEC Material," dated October 12, 1979.  This Manual

will be used by NASA COMSEC Custodians in place of the National

Security Agency Manual 90-2, "COMSEC Material Control Manual,"

dated October 1989, and will provide core guidance for NASA's

COMSEC operations.



Comments or suggestions concerning this Manual should be

addressed to the Chief, NASA Security Office, Code JIS, NASA

Headquarters, Washington, DC 20546.



This Manual is issued in loose-leaf form and will be revised by

page changes.



                              Jeffrey E. Sutton

                              Director, Security, Logistics

                              and Industrial Relations Division



DISTRIBUTION:

SDL 1 (SIQ)



TABLE OF CONTENTS



                                                             Page



CHAPTER 1:  INTRODUCTION . . . . . . . . . . . . . . . . . . .1-1

100  General . . . . . . . . . . . . . . . . . . . . . . . . .1-1

101  Purpose . . . . . . . . . . . . . . . . . . . . . . . . .1-1

102  Applicability and Scope . . . . . . . . . . . . . . . . .1-1

103  References. . . . . . . . . . . . . . . . . . . . . . . .1-2

104  Objectives. . . . . . . . . . . . . . . . . . . . . . . .1-3

105  Definitions . . . . . . . . . . . . . . . . . . . . . . .1-3

106  Revisions . . . . . . . . . . . . . . . . . . . . . . . .1-3



CHAPTER 2:  COMMUNICATIONS SECURITY (COMSEC) 

            MATERIAL CONTROL . . . . . . . . . . . . . . . . .2-1

200  General . . . . . . . . . . . . . . . . . . . . . . . . .2-1

     1.   Channels of Communication. . . . . . . . . . . . . .2-1

     2.   Responsibilities and Organization. . . . . . . . . .2-1

201  The COMSEC Account. . . . . . . . . . . . . . . . . . . .2-4

     1.   Requirement for a COMSEC Account . . . . . . . . . .2-4

     2.   Request to Establish a COMSEC Account. . . . . . . .2-4

     3.   COMSEC Account Approval. . . . . . . . . . . . . . .2-4

     4.   COMSEC Custodian and Alternate COMSEC 

          Custodian Training . . . . . . . . . . . . . . . . .2-5

     5.   Selecting a COMSEC Custodian and Alternate

          Custodian. . . . . . . . . . . . . . . . . . . . . .2-5

     6.   Duties of the COMSEC Custodian and Alternate

          Custodian. . . . . . . . . . . . . . . . . . . . . .2-5

     7.   Witness. . . . . . . . . . . . . . . . . . . . . . .2-8

     8.   Temporary Absence of the COMSEC Custodian. . . . . .2-8

     9.   Return of the COMSEC Custodian from Temporary 

          Absence. . . . . . . . . . . . . . . . . . . . . . .2-9

    10.   Change of COMSEC Custodian . . . . . . . . . . . . .2-9

    11.   Change of Alternate Custodian. . . . . . . . . . . 2-10

    12.   Sudden, Indefinite, or Permanent Departure 

          of the COMSEC Custodian. . . . . . . . . . . . . . 2-10

    13.   Sudden, Indefinite, or Permanent Departure 

          of the Alternate COMSEC Custodian. . . . . . . . . 2-11

    14.   COMSEC Officer, COMSEC/TEMPEST Point of

          Contact. . . . . . . . . . . . . . . . . . . . . . 2-11

202  COMSEC Material . . . . . . . . . . . . . . . . . . . . 2-12

     1.   Short Titles . . . . . . . . . . . . . . . . . . . 2-12

     2.   Accounting Numbers . . . . . . . . . . . . . . . . 2-13

     3.   Edition. . . . . . . . . . . . . . . . . . . . . . 2-13

     4.   CRYPTO Marking . . . . . . . . . . . . . . . . . . 2-13

     5.   Subdivisions of Equipment. . . . . . . . . . . . . 2-13

203  COMSEC Material Accountability. . . . . . . . . . . . . 2-13

     1.   COMSEC Material in the National Security Agency 

          (NSA) COMSEC Material Control System . . . . . . . 2-13

     2.   Accounting Legend Code (ALC) . . . . . . . . . . . 2-14





204  COMSEC Material Control . . . . . . . . . . . . . . . . 2-15

     1.   Forms, Reports, and Files. . . . . . . . . . . . . 2-15

     2.   COMSEC Register File . . . . . . . . . . . . . . . 2-17

     3.   Preparing COMSEC Accounting Reports. . . . . . . . 2-18

     4.   Receipt of COMSEC Material . . . . . . . . . . . . 2-19

     5.   Procedures for Handling Keying Material. . . . . . 2-23

     6.   Transferring COMSEC Material . . . . . . . . . . . 2-24

     7.   Military Department Accounting Headquarters. . . . 2-27

     8.   Packaging COMSEC Material. . . . . . . . . . . . . 2-28

     9.   Authorized Modes of Transportation . . . . . . . . 2-29

    10.   Shipping Unclassified COMSEC Material. . . . . . . 2-32

    11.   Authorized Modes of Transportation for Controlled

          Cryptographic Item (CCI) Equipment and Components

          Within CONUS, U.S. Territories and Possessions . . 2-34

    12.   Hand Receipts. . . . . . . . . . . . . . . . . . . 2-37

    13.   Possession Reports . . . . . . . . . . . . . . . . 2-39

    14.   Converted COMSEC Material. . . . . . . . . . . . . 2-39

    15.   Inventory Report . . . . . . . . . . . . . . . . . 2-40

    16.   Destruction. . . . . . . . . . . . . . . . . . . . 2-43

    17.   Accounting for and Entering Amendments to 

          COMSEC Publications. . . . . . . . . . . . . . . . 2-44

    18.   Accounting for COMSEC Material Launched into 

          Space. . . . . . . . . . . . . . . . . . . . . . . 2-45

205  Audit of COMSEC Accounts. . . . . . . . . . . . . . . . 2-46

     1.   Basis. . . . . . . . . . . . . . . . . . . . . . . 2-46

     2.   Notification . . . . . . . . . . . . . . . . . . . 2-46

     3.   Auditor Access . . . . . . . . . . . . . . . . . . 2-46

     4.   Scope of the Audit . . . . . . . . . . . . . . . . 2-46

     5.   Audit Report . . . . . . . . . . . . . . . . . . . 2-47

206  Closing a COMSEC Account. . . . . . . . . . . . . . . . 2-47



CHAPTER 3:  CONTROLLING AUTHORITIES. . . . . . . . . . . . . .3-1

300  General . . . . . . . . . . . . . . . . . . . . . . . . .3-1

301  Keying Material Source. . . . . . . . . . . . . . . . . .3-1

302  Establishing the Cryptonet and Designating the 

     Controlling Authority . . . . . . . . . . . . . . . . . .3-1

303  NASA Contractors Currently Designated as 

     Controlling Authorities . . . . . . . . . . . . . . . . .3-2

304  Controlling Authority Responsibilities. . . . . . . . . .3-2

     1.   Cryptonet Management . . . . . . . . . . . . . . . .3-2

     2.   Evaluating COMSEC Incidents. . . . . . . . . . . . .3-5

     3.   Reacting to Incidents. . . . . . . . . . . . . . . .3-8

305  Considerations When Establishing a Cryptonet. . . . . . 3-11

306  Keying Material Support Plan (KMSP) . . . . . . . . . . 3-11

307  Contents of the KMSP. . . . . . . . . . . . . . . . . . 3-12

308  Annual Reviews of the KMSP. . . . . . . . . . . . . . . 3-13

309  Defective Keying Material . . . . . . . . . . . . . . . 3-14



CHAPTER 4:  COMSEC INFORMATION ACCESS REQUIREMENTS . . . . . .4-1

400  Criteria for Access to COMSEC Information . . . . . . . .4-1

401  COMSEC Briefing Requirements. . . . . . . . . . . . . . .4-1



CHAPTER 5:  TWO-PERSON INTEGRITY/NO-LONE ZONE CONTROLS . . . .5-1

500  General . . . . . . . . . . . . . . . . . . . . . . . . .5-1

501  Procedures for Handling and Safeguarding. . . . . . . . .5-1

     TOP SECRET Keying Material. . . . . . . . . . . . . . . .5-1

     1.   Transportation . . . . . . . . . . . . . . . . . . .5-1

     2.   TPI Handling of Packages Received. . . . . . . . . .5-2

     3.   Wrapping TOP SECRET Material . . . . . . . . . . . .5-2

     4.   Storage. . . . . . . . . . . . . . . . . . . . . . .5-2

     5.   Use. . . . . . . . . . . . . . . . . . . . . . . . .5-3

     6.   Record of Combinations . . . . . . . . . . . . . . .5-3



CHAPTER 6:  COMSEC INCIDENT REPORTING REQUIREMENTS . . . . . .6-1

600  General . . . . . . . . . . . . . . . . . . . . . . . . .6-1

601  Types of COMSEC Incidents . . . . . . . . . . . . . . . .6-1

602  Types of Written Reports. . . . . . . . . . . . . . . . .6-4

603  Reporting Incidents . . . . . . . . . . . . . . . . . . .6-5

604  Report Addressing . . . . . . . . . . . . . . . . . . . .6-6

605  Format and Content of Written COMSEC Incident 

     Reports . . . . . . . . . . . . . . . . . . . . . . . . .6-7



CHAPTER 7:  ROUTINE DESTRUCTION OF COMSEC MATERIAL . . . . . .7-1

700  General . . . . . . . . . . . . . . . . . . . . . . . . .7-1

701  Training Destruction Personnel. . . . . . . . . . . . . .7-1

702  Routine Destruction Procedures for COMSEC 

     Material. . . . . . . . . . . . . . . . . . . . . . . . .7-1

703  Routine Destruction Methods and Standards . . . . . . . .7-3

704  Approved Routine Destruction Devices. . . . . . . . . . .7-3

705  Reporting Routine Destruction . . . . . . . . . . . . . .7-3



CHAPTER 8:  SECURE TELECOMMUNICATIONS FACILITIES . . . . . . .8-1

800  Physical Security Requirements for Classified 

     and Unattended Keyed CCI Equipment. . . . . . . . . . . .8-1

801  CCI Access Controls . . . . . . . . . . . . . . . . . . .8-2

802  Storage Requirements. . . . . . . . . . . . . . . . . . .8-3

803  Record of Individuals Having Knowledge of 

     Combinations to Containers Storing Classified 

     COMSEC Material . . . . . . . . . . . . . . . . . . . . .8-3



CHAPTER 9:  SECURE TELEPHONE UNIT (STU) III's. . . . . . . . .9-1

900  General . . . . . . . . . . . . . . . . . . . . . . . . .9-1

901  Responsibilities. . . . . . . . . . . . . . . . . . . . .9-1

902  STU-III Security Education. . . . . . . . . . . . . . . .9-3

903  Protecting CIK's. . . . . . . . . . . . . . . . . . . . .9-4

904  Incidents . . . . . . . . . . . . . . . . . . . . . . . .9-5

905  STU-III Terminal Keying and Rekeying. . . . . . . . . . .9-6

906  Secure Data Mode. . . . . . . . . . . . . . . . . . . . .9-6

907  Sensitive Compartmented Information 

     Facilities (SCIF's) . . . . . . . . . . . . . . . . . . .9-7

908  Installations in Residences, Hotels, or 

     Commercial Conference Facilities. . . . . . . . . . . . .9-8

909  Vehicle Installations . . . . . . . . . . . . . . . . . .9-8

910  Acoustic Security . . . . . . . . . . . . . . . . . . . .9-8



CHAPTER 10:  COMSEC EMERGENCY ACTION PROCEDURES. . . . . . . 10-1

1000 Requirements. . . . . . . . . . . . . . . . . . . . . . 10-1

1001 Preparedness. . . . . . . . . . . . . . . . . . . . . . 10-1

1002 Preparing the Emergency Plan. . . . . . . . . . . . . . 10-2

1003 Emergency Action Procedures Review. . . . . . . . . . . 10-2



APPENDIXES

APPENDIX A  Definitions. . . . . . . . . . . . . . . . . . . .A-1

APPENDIX B  Sample Communications Security (COMSEC) 

            Briefing . . . . . . . . . . . . . . . . . . . . .B-1

APPENDIX C  Sample Cryptographic Access Certification. . . . .C-1

            Cryptographic Access Termination . . . . . . . . .C-2

            Privacy Act Statement. . . . . . . . . . . . . . .C-3

            Attachment to Appendix C . . . . . . . . . . . . .C-4

            Pertinent Provisions of Title 18 of the 

            United States Codes. . . . . . . . . . . . . . . .C-4

APPENDIX D  Sample Emergency Action Plan . . . . . . . . . . .D-1

APPENDIX E  Figures. . . . . . . . . . . . . . . . . . . . . .E-1

     1      Sample Change of COMSEC Custodian 

            Inventory (SF 153) . . . . . . . . . . . . . . . .E-1

     2      Table of TSEC Nomenclature System Designators. . .E-2

     3      COMSEC Material Record (L6061) . . . . . . . . . .E-4

     4      DCS Station Addresses. . . . . . . . . . . . . . .E-5

     5      Sample Report of COMSEC Material Transferred

            to a Military Account (SF 153) . . . . . . . . . .E-6

     6      Sample Report of COMSEC Material Transferred to 

            an Account Other than Military (SF 153). . . . . .E-7

     7      Sample COMSEC Material Identification Markings . .E-8

     8      Sample COMSEC Material Hand Receipt (SF 153) . . .E-9

     9      Sample Possession Report Prepared When 

            COMSEC Material is Received Without Transfer 

            Paperwork (SF 153) . . . . . . . . . . . . . . . E-10

     10     Sample Preprinted Inventory with Supplement. . . E-11

     10a    Supplement to Preprinted Inventory (SF 153). . . E-12

     11     Sample Destruction Report (SF 153) . . . . . . . E-13

     12     COMSEC Material Destruction Standards. . . . . . E-14

APPENDIX F  Classification Guide . . . . . . . . . . . . . . .F-1







                    CHAPTER 1:  INTRODUCTION



100  GENERAL



     The United States Communications Security (COMSEC) effort is

     controlled and managed under a separate set of security

     standards and procedures from those that apply to other

     classified information.  The reasons for this are that

     COMSEC techniques and materials are used to protect other

     information, and because the loss of U.S. COMSEC information

     and materials can seriously damage the national interest. 

     Also, a significant body of information indicates that TOP

     SECRET keying material is a high-priority target for

     exploitation by hostile intelligence services and,

     therefore, must be afforded special attention.



101  PURPOSE



     This Manual contains COMSEC information and guidance

     necessary for the successful day-to-day operations of NASA's

     COMSEC Program.



102  APPLICABILITY AND SCOPE



     The provisions of this Manual apply to NASA Headquarters and

     Field Installations.  It specifically applies to all NASA

     COMSEC Custodians, security organizations, and other

     personnel using or otherwise having access to COMSEC

     materials at NASA Field Installations and NASA Headquarters.



     This Manual also supports contractors, as appropriate, under

     law and/or contract as implemented by the appropriate

     contracting officer.  Contractor COMSEC Custodians and

     Alternates of NASA COMSEC accounts come under the purview of

     this document, and the responsibilities are identical to

     civil service COMSEC Custodians and Alternates.  This Manual

     will be used in lieu of National Security Agency (NSA)

     Manual 90-2 and supersedes the NASA COMSEC Accounting Guide,

     dated January 1978.  Whenever system doctrine requirements

     conflict with procedures in this Manual, the system doctrine

     requirements take precedence.



     1.   This Manual is not site specific; it outlines minimum

          standards and is intended to be used as guidance by

          COMSEC Custodians and Chiefs of Security in formulating

          and implementing effective COMSEC operations.  Each

          site is encouraged to supplement this Manual with

          procedures, duties, and titles to tailor this guidance

          to their unique environments.



     2.   This Manual specifically addresses COMSEC Custodians

          and Alternate COMSEC Custodians of COMSEC accounts

          designated and established by NASA, and those

          custodians who fall under the purview of the NASA

          COMSEC Central Office of Record (COR).



103  REFERENCES



     1.   NCSC-1, "National Policy for Safeguard and Control of

          COMSEC Material," January 16, 1981.



     2.   NACSI 4005, "Safeguarding and Control of COMSEC

          Material," October 12, 1979.



     3.   NACSI 4007, "Management of Manual Crypto Systems."



     4.   NACSI 4008, "Safeguarding COMSEC Facilities," March 4,

          1983.



     5.   NCSC-9, "National COMSEC Glossary," September 1, 1982.



     6.   NTISSI 3013, "Operational Security Doctrine for the

          Secure Telephone Unit III (STU-III) Type 1 Terminal,"

          February 8, 1990.



     7.   NTISSI 4001, "Controlled Cryptographic Items (CCIs),"

          March 25, 1985.



     8.   NTISSI 4002, "Classification Guide for COMSEC

          Information," June 5, 1986.



     9.   NTISSI 4003, "Reporting and Evaluating COMSEC

          Incidents," December 2, 1991.



     10.  NTISSI 4004, "Routine Destruction and Emergency

          Protection of COMSEC Material," March 11, 1987.



     11.  NTISSI 4005, "Control of TOP SECRET Keying Material,"

          July 17, 1987.



     12.  NTISSI 4006, "Controlling Authorities for COMSEC

          Material," December 2, 1991.



     13.  National Policy for the Security of National Security

          Telecommunications and Information Systems, 

          July 5, 1990.



     14.  NMI 1600.2, "NASA Security Program."



     15.  DoD 5200.28M, "Department of Defense Automatic Data

          Processing Security Manual."



     16.  DoD 5220.22M, "Industrial Security Manual for          

          Safeguarding Classified Information."



     17.  NTISSP No. 3, "National Policy for Granting

          Access to U.S. Classified Cryptographic

          Information," December 19, 1988.



104  OBJECTIVES



     This Manual is intended to help attain objectives essential

     to maintaining the integrity of COMSEC material used to

     protect sensitive or classified Government communications,

     as follows:



     1.   To provide instructions for controlling accountable

          COMSEC material furnished, to or generated by, an

          activity, in order to deny access to unauthorized

          persons or organizations.



     2.   To ensure timely disposition of Government-furnished

          and contractor-generated accountable COMSEC material no

          longer required for performing a contract.



105  DEFINITIONS



     See definitions of terms used in this Manual in Appendix A.



106  REVISIONS



     This Manual will be revised as required by Executive orders,

     statutes, direction from the National Security Agency (NSA),

     and the development of new and improved security concepts. 

     Changes to this Manual are specifically prohibited unless

     officially promulgated by the NASA COMSEC Manager.  NASA

     Field Installations, NASA Headquarters security organiza-

     tions, and NASA COMSEC Custodians may request copies of the

     National Communications Security Instruction and National

     Telecommunications Information System Security Instruction

     containing policies and procedures governing cryptographic

     operations and the physical security of COMSEC material from

     the NASA COMSEC Manager.







  CHAPTER 2:  COMMUNICATIONS SECURITY (COMSEC) MATERIAL CONTROL



200  GENERAL



     This Chapter establishes minimum COMSEC accounting

     procedures to be followed by NASA COMSEC Custodians and all

     other personnel using or otherwise having access to

     accountable COMSEC material.



     1.   Channels of Communication



          a.   Because timely and accurate COMSEC accounting and

               reporting are so necessary, direct communications

               between the NASA Central Office of Record (COR)

               and NASA COMSEC accounts are authorized on all

               routine COMSEC accounting matters (e.g., inability

               to resolve inventory discrepancies, COMSEC

               incident reports, tracer actions, etc.).  Send

               direct communications to the NASA COR at the

               following address:



               NASA Headquarters

               Code JIS/NASA COMSEC Manager

               Washington, DC  20546



               Telephone:  STU-III  202/358-2455

               FAX:  secure  202/358-3237

                     nonsecure  202/358-3238



                    Message address:  RUEANAT/NASA HQ WASHINGTON

                                      DC//JACK SYMANEK/CODE JIS//



          b.   Direct communications between NASA COMSEC accounts

               and the National Security Agency (NSA) Central

               Office of Record (COR), Y131; NSA Central

               Accounting Office (CAO), Y18 (STU III key only);

               and the Insecurities, Evaluation, and Reporting

               Branch, X71A, are authorized for COMSEC accounting

               matters involving the direct shipment of COMSEC

               material.  Send direct communications to the NSA

               at the following address:



               Director, National Security Agency

               ATTN:  (appropriate office designator)

               Fort George G. Meade, MD  20755-6000



               Message address:  RUETIAA/DIRNSA FT. GEORGE G

                                 MEADE, MD//appropriate office

                                 designator//



          c.   Direct communications are authorized between NASA

               COMSEC accounts and any other COMSEC accounts

               involving direct shipment of COMSEC material.



     2.   Responsibilities and Organization.  COMSEC material

          control within the U.S. Government is based on a system

          of centralized accounting and decentralized custody and

          protection.  Timely and accurate data is essential to

          continuous, effective control of COMSEC material

          entrusted to or produced for NASA.



          a.   The NSA is responsible for the operations of the

               NSA COR; for specifying control criteria for all

               COMSEC material; for distributing and accounting

               for all accountable COMSEC material produced by or

               entrusted to the NSA until transferred; for

               receiving and processing requirements for

               accountable COMSEC material; for excluding the

               procurement of COMSEC equipment and spare parts;

               for establishing and maintaining lead-time

               schedules for distributing accountable COMSEC

               material; for providing disposition instructions

               for COMSEC material held but no longer required,

               exclusive of material for which disposition is

               provided by a superseding edition or Service

               status publication (e.g., Air Force General COMSEC

               Publication (AFKAG)), for receiving accountable

               COMSEC material; and for providing assistance to

               COMSEC Custodians regarding shipping methods and

               schedules.  The main NSA COMSEC Account is 880099,

               and its address follows:



               Middle River Facility

               Building A-W Dock 2

               2800 Eastern Boulevard

               Middle River, MD  21220



          b.   NASA/Code JIS is responsible for the following

               tasks:



               (1)  Performing as COR for NASA.



               (2)  Establishing and closing COMSEC accounts.



               (3)  Maintaining a record of NASA COMSEC accounts,

                    COMSEC Custodians, and Alternate Custodians.



               (4)  Processing requests to appoint or terminate

                    the appointments of COMSEC Custodians and

                    Alternates, and verifying their clearances.



               (5)  Verifying the inventory of each NASA

                    controlled COMSEC account semiannually.



               (6)  Maintaining master records of all NASA COMSEC

                    material entered into the NASA COMSEC

                    Material Control System.



               (7)  Maintaining the financial and property

                    accountability records for all accountable

                    COMSEC equipment owned by or entrusted to

                    NASA.



               (8)  Facilitating attendance at the formal NSA

                    COMSEC Custodian training course (CS-140) for

                    all newly appointed NASA COMSEC Custodians

                    and Alternates.  If time does not permit

                    formal training, Code JIS will provide

                    informal briefings to prospective Custodians

                    and Alternates until attendance at the NSA

                    hosted COMSEC Custodian's Training Course 

                    (CS-140) can be arranged.



               (9)  Establishing procedures for accounting for

                    COMSEC material held within NASA.



               (10) Maintaining liaison with the NSA COR, civil

                    agencies, NASA contractor COMSEC accounts and

                    the Military Services on all matters

                    pertaining to controlling accountable COMSEC

                    material.



               (11) Auditing NASA COMSEC accounts established at

                    NASA Installations at least every 24 months

                    or as deemed necessary. 



               (12) Providing guidance and assistance on all

                    procedural matters pertaining to controlling

                    accountable COMSEC material.



               (13) Preparing and distributing COMSEC Procedural

                    and Material Control Bulletins.



          c.   The Chief of each organizational element has the

               ultimate responsibility for controlling all COMSEC

               material held within the organizational element. 

               This responsibility is, by the appointment of a

               COMSEC Custodian and Alternate(s), delegated to

               individuals by name.  However, delegating this

               authority in no way relieves any individual (e.g.,

               the user, the Custodian's supervisor, and other

               organizational chiefs, etc.) from the inherent

               responsibility for controlling COMSEC material

               held within the element.  The Chief of the NASA

               element is also responsible for ensuring that

               Custodians and Alternates receive required

               training.



          d.   The COMSEC Custodian is, through organizational

               and supervisory channels, responsible to the Chief

               of the element for controlling all accountable

               COMSEC material charged to the element's account.



          e.   The individual user or holder of COMSEC material

               is personally responsible for controlling and

               safeguarding COMSEC material while it is entrusted

               to his or her care, and is not authorized to lend

               the material to another individual without a new

               hand receipt issued from the COMSEC Custodian. 

               See Chapter 4 for access requirements to COMSEC

               information.



201  THE COMSEC ACCOUNT



     1.   Requirement for a COMSEC Account.  Any element

          requiring accountable COMSEC material must obtain such

          material through a COMSEC account.  If an existing

          COMSEC account cannot adequately support the

          requirement for COMSEC material within an organization,

          a new COMSEC account will be established.



     2.   Request to Establish a COMSEC Account.  When a new

          COMSEC account must be established, submit a written

          request from the Chief of the NASA organization

          requiring the account.



          a.   Submit the request through the local security

               office to NASA/Code JIS, ATTN:  NASA COR.  Include

               the title and complete address of the element in

               which the account will be located; the purpose

               (justification) for establishing the COMSEC

               account; the specific items of COMSEC material

               required, and the desired in-place date.  The

               request must also include a statement that the

               minimum physical security standards for

               safeguarding COMSEC material can be met, and the

               names, grades, and social security numbers with

               Privacy Act Notice of the individuals to be

               appointed as the COMSEC Custodian and Alternate

               COMSEC Custodians.  Normally, a single Alternate

               Custodian is sufficient at each account. 

               Appointments of more than two Alternate Custodians

               should be coordinated with the NASA COR. 

               Subparagraphs 5a and b contain COMSEC Custodian

               selection criteria.  The request must also contain

               certified clearance information on the individuals

               nominated as the COMSEC Custodian and Alternate

               COMSEC Custodian(s).  When signature cards (Form

               N2942B) are used for clearance information

               certification, forward these cards with the

               written request.  The NASA COR will initiate

               clearance verification.



          b.   Allow a minimum of 30 days for an account to be

               established and appointments confirmed.



     3.   COMSEC Account Approval.  The NASA COR will advise the

          requesting element in writing by (sending an

          information copy to the Installation Security Office)

          when the account is established and the COMSEC

          Custodian and Alternate COMSEC Custodian(s)

          appointments are approved, and will assign an account

          number.  Reference the account number in all subsequent

          correspondence or transactions relating to the COMSEC

          account.  The NASA COR provides accounting forms and,

          when not submitted previously, signature cards (Form

          N2942B) to be completed and returned to the COR.



     4.   COMSEC Custodian and Alternate COMSEC Custodian

          Training.  A newly appointed or changed COMSEC

          Custodian or Alternate will attend the NSA COMSEC

          Custodian training course (CS-140) as soon as possible.



          This training is mandatory for all NASA COMSEC

          Custodial appointees, with the exception of those

          appointed to accounts established solely for STU-III,

          or those who have attended equivalent training within 2

          years.



     5.   Selecting a COMSEC Custodian and Alternate Custodian



          a.   Because of the sensitivity of COMSEC material and

               the rigid controls required, individuals selected

               as Custodians must:



               (1)  Be a responsible civil servant or contractor

                    qualified to assume the duties and

                    responsibilities of a COMSEC Custodian.



               (2)  Not be previously relieved of COMSEC

                    Custodian duties for reasons of negligence or

                    nonperformance of duties.



               (3)  Be in a position that will permit maximum

                    tenure (not less than 1 year) as a COMSEC

                    Custodian or Alternate COMSEC Custodian,

                    thereby reducing the possibility of frequent

                    replacement.



               (4)  Not be assigned duties that will interfere

                    with their duties as COMSEC Custodian and

                    Alternate Custodian.



               (5)  Be actually performing the custodial

                    functions on a day-to-day basis.  The COMSEC

                    Custodian position will not be assumed solely

                    to maintain administrative or management

                    control of the account functions.



          b.   Personnel nominated as COMSEC Custodian or

               Alternate will be in grade GS-7 or above, or a

               contractor at an equivalent level.  Where

               personnel at the appropriate grade level are not

               available, include full justification to support

               the appointment in the appointment request.



     6.   Duties of the COMSEC Custodian and Alternate Custodian



          a.   The COMSEC Custodian.  The COMSEC Custodian is

               responsible for ensuring that all COMSEC material

               issued to, or generated and held by, the COMSEC

               account is safeguarded in accordance with national

               requirements.  This includes but is not limited to

               the receipt, custody, issuance, safeguarding,

               accounting and, when necessary, destruction of

               COMSEC material.  The COMSEC Custodian is further

               responsible for maintaining up-to-date records and

               submitting all required accounting reports.  The

               Custodian will be thoroughly familiar with the

               procedures for handling COMSEC material outlined

               in this Manual.  The COMSEC Custodian is

               authorized and encouraged to inspect user areas on

               a regular basis (at least semiannually).  The

               COMSEC Custodian must have access to all

               accountable material held by users.  In cases

               where the material is used within a Sensitive

               Compartmented Information Facility (SCIF), and the

               COMSEC Custodian is not indoctrinated for special

               access (SI), the area must be sanitized or the

               Custodian escorted to allow the Custodian to

               fulfill his or her responsibilities.  In

               fulfilling his or her responsibilities, the

               Custodian will perform the following duties:



               (1)  Protect COMSEC material and limit access to

                    individuals with the appropriate need-to-know

                    and clearance.

               

               (2)  Receive, give a receipt for, and ensure the

                    safeguarding and accounting of all COMSEC

                    material issued to the COMSEC account.



               (3)  Maintain COMSEC accounting and related

                    records as outlined in paragraph 204.



               (4)  With a witness, conduct an inventory,

                    semiannually and when a new COMSEC Custodian

                    is appointed, by physically sighting all

                    COMSEC material charged to the account, and

                    reconciling this inventory with the COR.  The

                    COR or other competent authority may also

                    direct the conduct of an inventory.



               (5)  Perform routine destruction of COMSEC

                    material when required, or otherwise dispose

                    of material as directed by the COR or

                    controlling authority.



               (6)  Submit transfer, inventory, destruction, and

                    possession reports when required.



               (7)  Inspect the implemented protective

                    technologies upon initial receipt, during

                    each inventory, and prior to each use to

                    ensure the integrity of COMSEC material (key

                    or equipment).



               (8)  Ensure prompt and accurate entry of all

                    amendments to COMSEC publications held by the

                    account.

               

               (9)  Ensure that all accountable COMSEC material

                    shipped outside of the account's organization

                    is packaged and shipped as specified in

                    paragraph 204.6 of this Chapter.  Ensure that

                    all material received is inspected for

                    evidence of tampering and, if any is found,

                    immediately submit a report of suspected

                    physical incident according to Chapter 6 of

                    this Manual.



               (10) Be aware at all times of the location of

                    every item of accountable COMSEC material

                    held by the account and the general purpose

                    for which it is being used.



               (11) Establish procedures to ensure strict control

                    of each item of keying material whenever

                    operational requirements necessitate that

                    material be turned over from one shift to

                    another or from one individual to another.



               (12) Ensure that appropriate COMSEC material is

                    readily available to properly cleared and

                    authorized individuals whose duties require

                    its use.  If the material is classified,

                    verify that the individuals are cleared to

                    the level of the material.  Brief recipients

                    of the required protection and procedures for

                    safeguarding the material until it is

                    returned to the Custodian.



               (13) Report immediately to the Installation

                    Security Officer any known or suspected

                    COMSEC incident as defined in Chapter 6, and

                    submit a report according to Chapter 6 of

                    this Manual.



               (14) Verify the identification, clearance and

                    need-to-know of any individual requesting

                    access to the records and/or material

                    associated with the COMSEC account.



               (15) Prepare for safeguarding COMSEC material

                    during emergency situations according to

                    Chapter 10.



               (16) When COMSEC material is properly issued to   

                    users, according to paragraph 204.11, the

                    COMSEC Custodian is relieved of personal

                    responsibility for the security of the       

                    material.



          b.   The Alternate Custodian.  Individuals appointed as

               Alternate COMSEC Custodians are responsible for

               assisting the COMSEC Custodian in performing his

               or her duties and for providing continuity of

               operations in the absence of the COMSEC Custodian.



               Specific duties are as follows:



               (1)  Keeping aware of the day-to-day activity of

                    the COMSEC account in order to assume the

                    duties of the COMSEC Custodian, whenever

                    necessary, without undue interruption of

                    operations.



               (2)  Performing those duties outlined in subpara-

                    graph 201.6a during the temporary or

                    permanent absence of the COMSEC Custodian.



     7.   Witness



          a.   Inventory and Destruction by the COMSEC Custodian:



               Physical inventory or destruction of COMSEC

               material must be witnessed by an appropriately

               cleared individual.  The witness should normally

               be the Alternate Custodian, but another

               appropriately cleared and briefed individual may

               act as a witness when the Alternate Custodian is

               not available.  When an inventory or destruction

               is completed, the witness will sign the inventory

               report, keying material usage/disposition record,

               or destruction report, as appropriate, attesting

               that the COMSEC material listed has been

               inventoried or destroyed.  The witness will sign

               an inventory only after having personally sighted

               the material being inventoried.  A destruction

               report can only be signed after having personally

               witnessed the destruction of the material (refer

               to paragraph 703 for an exception to witnessing a

               material destruction by a user).

          b.   Destroying keying material that has been hand

               receipted to a user requires a witness to the

               destruction of individual key settings.  The

               witness will initial the keying material usage

               record attesting that the material has been

               destroyed.  Under no circumstances will the

               witness initial a usage record without having

               personally sighted the material being destroyed.



     8.   Temporary Absence of the COMSEC Custodian.  When the

          COMSEC Custodian is to be absent for a period not to

          exceed 60 days, the Alternate Custodian will assume the

          responsibilities and duties of the COMSEC Custodian. 

          An absence in excess of 60 days that has not been

          coordinated with the NASA COR must be treated as a

          permanent absence, and a new Custodian must be

          nominated.



     9.   Return of the COMSEC Custodian from Temporary Absence. 

          The COMSEC Custodian will be informed of all changes to

          the COMSEC account upon his or her return from a

          temporary absence.  If COMSEC material was transferred

          to the account and accepted by the Alternate Custodian

          during the absence, the COMSEC Custodian will inventory

          the COMSEC material, and sign, date, and include the

          remark "received from Alternate Custodian" on the front

          side of the COMSEC account's copy of the transfer

          report, thus relieving the Alternate Custodian of

          accountability for the material.  In those cases where

          material was transferred from the account or destroyed,

          the COMSEC Custodian should verify such actions by

          comparing the transfer and destruction reports with his

          or her Register File to assure the accuracy of the

          actions affecting the material for which he or she is

          held accountable.



     10.  Change of COMSEC Custodian.  When it becomes necessary

          to terminate the COMSEC Custodian's appointment, NASA

          elements must submit a written request through the

          local security office to the NASA COR and include

          information and clearance certification about the

          replacement nominee as prescribed in subparagraph

          201.5.  The training requirements specified in

          subparagraph 201.4 also apply.



          a.   When written confirmation is received from the

               NASA COR, the newly appointed COMSEC Custodian and

               his or her predecessor will perform the following

               duties:



               (1)  Conduct a physical (sight) inventory of all

                    COMSEC material held by the COMSEC account. 

                    (The change of Custodian will be effective

                    the date the inventory is signed.)



               (2)  Prepare an SF 153 (see Figure 1 in Appendix

                    E) listing all COMSEC material to be

                    transferred to the new Custodian.  Identify

                    the report in block 1 as a "change of

                    Custodian" and check both "received" and

                    "inventoried" in block 14.  Address the

                    report from the COMSEC account (block 2) to

                    the NASA COR (block 3).  The new Custodian

                    will sign in block 15 and the departing

                    Custodian will sign as the witness in block

                    17.  Forward the signed original copy to the

                    NASA COR and retain a signed duplicate copy

                    in the COMSEC account's file.  When an

                    account holds over 100 line items, a

                    Custodian may request a preprinted

                    inventory/transfer from the NASA COR.  The

                    request for a preprinted inventory/transfer

                    should normally be included with the

                    nomination information.



          b.   Normally, the new COMSEC Custodian will have

               received written confirmation of appointment

               before action is initiated to transfer the COMSEC

               account.  However, if the confirmation is delayed

               and the departure of his or her predecessor is

               imminent, the transfer will be accomplished prior

               to the receipt of written confirmation.



          c.   When the transfer is complete, the new Custodian

               assumes full responsibility for the material

               charged to the COMSEC account and for its

               operation.  The former COMSEC Custodian is

               relieved of responsibility for only that COMSEC

               material included on the transfer/inventory

               report.  He or she is not relieved of

               responsibility for COMSEC material that is

               involved in any unresolved discrepancy until a

               clear COMSEC Inventory Reconciliation Report has

               been received from the NASA COR.



          d.   Changes of COMSEC Custodian should be scheduled at

               least 40 days before the former COMSEC Custodian

               departs to allow for the receipt of a clear COMSEC

               Inventory Reconciliation Report.  However, the

               former COMSEC Custodian may depart prior to the

               return of the COMSEC Inventory Reconciliation

               Report provided no discrepancies or irregularities

               were evident when the inventory and transfer were

               made.  Responsibility for resolving discrepancies

               discovered after a COMSEC Custodian has departed

               rests with the Chief of the element.

     11.  Change of Alternate Custodian.  When a change in

          Alternate Custodian is necessary, NASA elements will

          submit a written request through the local security

          office to the NASA COR and will include information and

          clearance certification about the replacement nominee

          as prescribed in subparagraph 201.5.  The training

          requirements specified in subparagraph 201.4 also

          apply.  A change of Alternate Custodian should be made

          before the departure of the present Alternate Custodian

          unless impossible.



     12.  Sudden, Indefinite, or Permanent Departure of the

          COMSEC Custodian



          a.   Under emergency circumstances such as the sudden,

               indefinite or permanent departure of the COMSEC

               Custodian, the Chief of the element will nominate

               a new COMSEC Custodian (preferably the Alternate

               Custodian) in compliance with the provisions of

               subparagraph 201.5 and paragraph 200.2.  The new

               COMSEC Custodian and an appropriately cleared

               witness will immediately conduct a complete

               physical inventory of all COMSEC material held by

               the COMSEC account.  When the absence of the

               COMSEC Custodian is unauthorized, the Chief of the

               element will immediately report the circumstances

               in accordance with Chapter 6.



          b.   Upon completion of the inventory, prepare an SF

               153 Possession Report.  Annotate the Possession

               Report with the remark "Sudden, indefinite or

               permanent departure of the COMSEC Custodian" or

               "Unauthorized absence of the COMSEC Custodian," as

               appropriate.  The new COMSEC Custodian will sign

               block 15 and the witness will sign block 17. 

               Forward the signed original copy of the report to

               the NASA COR and retain a signed duplicate copy in

               the COMSEC account's file.



     13.  Sudden, Indefinite, or Permanent Departure of the

          Alternate COMSEC Custodian.  The NASA COR should be

          notified as soon as possible when an Alternate COMSEC

          Custodian must be replaced due to a sudden, indefinite,

          or permanent departure.  An unauthorized absence must

          be immediately reported in accordance with Chapter 6.



     14.  COMSEC Officer, COMSEC/TEMPEST Point of Contact. 

          Several Centers have designated a COMSEC Officer to

          address policy issues and programmatic COMSEC

          responsibilities beyond those specified for the COMSEC

          Custodian.  Although national policy does not require

          the designation of a COMSEC Officer it has been NASA

          policy to designate a civil servant to act as the

          COMSEC and TEMPEST point of contact responsible for

          ensuring oversight and implementation of NASA's COMSEC

          and TEMPEST policy.  It is important to emphasize,

          however, that the responsibilities identified for the

          COMSEC Custodian constitute minimum requirements and,

          depending on the experience level of the COMSEC

          Custodian, are balanced against each Center's

          particular needs.  These additional COMSEC/TEMPEST

          duties can be performed by the same individual. 

          Regardless whether the COMSEC Custodian, COMSEC

          Officer, or COMSEC/TEMPEST point of contact is

          designated to perform these additional functions, it

          must be stressed that NASA Installations not construe

          this requirement as justification for establishing a

          separate billet.  The duties of the COMSEC Officer, or

          COMSEC/TEMPEST point of contact, include the following:



          a.   Acting as the Installation's single focal point

               for COMSEC and TEMPEST policy issues.



          b.   Administering one-time COMSEC briefings and/or

               cryptographic access certification to civil

               servants whose duties require access to COMSEC

               material.



          c.   Ensuring that COMSEC awareness training is

               integrated as part of the Installation's security

               education program.



          d.   Providing technical assistance to Controlling

               Authorities for cryptographic keying material

               controlled by NASA and exercising oversight in

               those instances where NASA contractor COMSEC

               accounts have been established solely for the

               purpose of supporting NASA.



          e.   Assisting project offices in the acquisition of

               COMSEC material through coordination with the

               supporting COMSEC Custodian and/or the NASA COMSEC

               Manager.



          f.   Assisting the Installation's Security Office to

               establish selection criteria to screen, interview,

               and nominate candidates for the COMSEC Custodian.



          g.   Providing technical advice and assistance

               concerning the use, installation, maintenance, and

               procurement of STU-III's.



          h.   Conducting TEMPEST countermeasure determination

               and coordinating with the NASA Security Office,

               Code JIS, as required.  NOTE:  Formal training is

               not required to perform countermeasure

               determination using the NTISSI 7000, "TEMPEST

               Countermeasures for Facilities."



202  COMSEC MATERIAL



     1.   Short Titles.  For accounting purposes, COMSEC material

          may be identified by short titles derived from the

          Telecommunications Security (TSEC) nomenclature system

          (see Figure 2); or bear a designator derived from the

          Joint Electronics Type Designation System (JETDS); or a

          Federal part number; or by short titles assigned by a

          Military Department.  In many cases, the Controlled

          Crytographic Item (CCI) category may not be assigned

          any short title, instead bearing the manufacturer's

          commercial designator.  This equipment will, however,

          be marked "Controlled Cryptographic Item" or "CCI" and

          will bear a Government Serial Number (GSN) label.  The

          GSN has been developed for accounting purposes and will

          be the designator by which the COMSEC Custodian will

          identify and control the CCI.  The GSN is composed of

          three fields; for example, the label may read "GSN:

          PES-B4 192."  The first field "PES" identifies the

          manufacturer; the second field "B4" identifies the type

          of product; and the third field "192" identifies the

          serial number of the unit.  For purposes of the SF 153

          (using the above example), list the designator "PES-B4"

          in the short title block and "192" in the accounting

          number block.  NOTE:  The GSN for STU-III terminals

          will vary from the above format.



     2.   Accounting Numbers.  Most COMSEC material is assigned

          an accounting (register or serial) number at its point

          of origin to facilitate accounting.  However, COMSEC

          material may be received that does not bear an

          accounting number or for which accounting by number is

          impractical, and therefore not required.  An example of

          this type of material is a printed circuit board with a

          TSEC nomenclature, which may bear a manufacturer's

          serial number, but which is only accounted for by

          quantity and is listed in "accounting numbers" on

          accounting reports as an "N/N" (no number) item.



     3.   Edition.  COMSEC material may be further identified by

          alphabetic or numeric edition.  COMSEC material is

          superseded when the new COMSEC material becomes

          effective (effective edition).  NOTE:  Identification

          of the currently effective edition of operational

          keying material is considered "CONFIDENTIAL."  The

          general rule is that this information should not be

          disclosed over a mode of communications that is not

          secure.  However, per NTISSI 4002, A-12, under certain

          circumstances the effective edition may be transmitted

          in the clear when necessary to ensure that all holders

          are using the same key or when confusion exists about

          the effective key.



     4.   CRYPTO Marking.  COMSEC keying material that is used to

          protect or authenticate telecommunications carrying

          national security and Government-sensitive information

          is identified by the bold marking CRYPTO.  This marking

          makes such material readily identifiable from other

          material so that its dissemination can be restricted to

          personnel whose duties require access and, if the

          material is classified, to those who have been granted

          a final security clearance equal to or higher than the

          classification of the keying material involved.



     5.   Subdivisions of Equipment.  Operational COMSEC

          equipment is identified and accounted for by one short

          title rather than by individual components and/or

          subassemblies.  Classified and CCI subassemblies,

          elements, and microcircuits when not incorporated in an

          equipment will, however, be accounted for by type and

          quantity.



203  COMSEC MATERIAL ACCOUNTABILITY



     1.   COMSEC Material in the National Security Agency (NSA)

          COMSEC Material Control System



          a.   Accountable COMSEC material enters the NASA COMSEC

               Material Control System at the times indicated and

               remains in the system until destruction or other

               authorized disposition as follows:



               (1)  When material is received by a COMSEC

                    Custodian from another department, agency,

                    foreign government, international

                    organization, or other COMSEC account.



               (2)  When a possession report is completed for

                    COMSEC material that is in the possession of

                    a COMSEC Custodian but which is not charged

                    to his or her account.



          b.   Refer questions regarding whether material is

               qualified for entry into the COMSEC Material

               Control System and the method of accounting (i.e.,

               by which accounting legend code) to the NASA COR.



     2.   Accounting Legend Code (ALC)



          a.   For accounting purposes, all COMSEC material is

               identified by one of the following accounting

               legends:



               (1)  ALC-1:  Continuous accountability by

                    accounting (register or serial) number within

                    the COMSEC Material Control System.



               (2)  ALC-2:  Continuous accountability by quantity

                    within the COMSEC Material Control System.



               (3)  ALC-3:  COR notification of initial receipt

                    required.  Maintain local accountability by

                    accounting (register or serial) number

                    thereafter.



               (4)  ALC-4:  Initial receipt required; the

                    custodian will maintain local accountability;

                    issue to authorized users on hand receipt;

                    maintain COMSEC register cards until material

                    is disposed of; and if destroyed, a local

                    unnumbered (no transaction number assigned)

                    destruction report will be filed.



          b.   The ALC is assigned by the originating Government

               department or agency and represents the minimum

               accounting standard to be applied.



          c.   The ALC will appear on all accounting reports but

               not necessarily on the material.  Holders will not

               apply accounting procedures less restrictive than

               those specified by the ALC assigned unless

               specifically authorized by the COR.



          d.   Nonaccountable COMSEC material.  Material such as

               correspondence, logs, reports, etc., are excluded

               from the COMSEC Material Control System.



204  COMSEC MATERIAL CONTROL 



     This section outlines the procedures for COMSEC Custodians

     during day-to-day account operations.



     1.   Forms, Reports, and Files



          a.   Forms.  The forms used in the COMSEC Material

               Control System are limited to the multipurpose

               SF 153 ("COMSEC Material Report," rev. 9-88, 

               NSN 7540-00-935-5861), L6061 ("COMSEC Material

               Record Card"), and equivalent NASA forms.



          b.   Accounting Reports.  Prepare accounting reports on

               an SF 153 to record transfer, possession,

               inventory, and destruction of COMSEC material. 

               The required copies and distribution of accounting

               reports are covered in the paragraphs of this

               Manual, which outline the detailed preparation of

               particular reports.  The various reports and a

               brief description of their use are as follows:



               (1)  Transfer Report:  Records COMSEC material

                    transferred from one COMSEC account to

                    another.



               (2)  Destruction Report:  Reports the physical

                    destruction or other authorized expenditure

                    of COMSEC material.



               (3)  Inventory Report:  Reports the physical

                    (sight) inventory of COMSEC material.



               (4)  Possession Report:  Reports the possession of

                    COMSEC material.  Specific circumstances

                    requiring possession reports are prescribed

                    in subparagraph 204.12.



          c.   Hand Receipt.  A hand receipt records the

               acceptance of and responsibility for COMSEC

               material issued to a user.  An SF 153, or the

               reverse side of Form L6061 or a NASA equivalent

               may be used to hand receipt COMSEC material.



          d.   Sample Forms and Reports.  Samples of the forms

               and reports annotated with preparation

               instructions are contained in Appendix E.



          e.   Files.  Establish and maintain COMSEC accounting

               and related files listed as follows:



               (1)  Accounting Files:



                    (a)  Incoming transfer reports, possession

                         reports.



                    (b)  Destruction and outgoing transfer

                         reports.



                    (c)  Annual or semiannual, as appropriate,

                         inventory reports, and change of

                         custodian reports.



                    (d)  Hand receipts.



                    (e)  COMSEC Register File (L6061) or

                         comparable system approved by the 

                         NASA COR.



                    (f)  Transaction number log.  If an approved

                         automatic system is used, a transaction

                         log is not required.



               (2)  Related files:



                    (a)  Courier, mail, and package receipts.



                    (b)  Correspondence including such records as

                         COMSEC Custodian and Alternate Custodian

                         appointment confirmation letters,

                         memoranda, messages, and other

                         documentation related to COMSEC

                         accounting.



          f.   Classification of COMSEC Account Inventory and

               COMSEC Account Reports/Files.



               (1)  Prior to 1 May 1992, NSA classification

                    policy required the NSA COR to classify many

                    COMSEC account inventories CONFIDENTIAL.  NSA

                    classification authorities recently

                    determined that only certain inventories need

                    to be classified.  However, even unclassified

                    inventories reflect sensitive information

                    which is exempt from mandatory disclosure

                    under the Freedom of Information Act and must

                    be marked FOR OFFICIAL USE ONLY.  Therefore,

                    effective 1 May 1992, all unclassified

                    account inventories provided by the NSA COR,

                    as well as those provided by the Key

                    Management System (KMS), will be marked FOR

                    OFFICIAL USE ONLY and will be transmitted via

                    U.S. first-class mail or equivalent parcel

                    service.



               (2)  All NSA COR printed COMSEC account

                    inventories that are presently marked

                    CONFIDENTIAL should be declassified and

                    marked FOR OFFICIAL USE ONLY.  The following

                    statement should also be placed on the

                    inventory:  "This document has been

                    declassified and marked For Official Use Only

                    by Authority of the Deputy Director for

                    Information Systems Security (DDI), Central

                    Accounting Office (CAO), (IAW NSA COR

                    Accounting Bulletin 2-92)."



               (3)  If it is determined that a compilation of

                    records can be declassified, the combined

                    file should be marked FOR OFFICIAL USE ONLY

                    and "This file has been declassified and

                    marked For Official Use Only by Authority of

                    the DDI CAO (IAW NSA COR Accounting Bulletin

                    2-92)."



               (4)  All files/reports marked FOR OFFICIAL USE

                    ONLY should also be marked "This document

                    contains information EXEMPT FROM MANDATORY

                    DISCLOSURE UNDER THE FOIA.  Exemption 3

                    applies."  (Note: This marking is not

                    required on the Government printed and

                    supplied SF-153 form with For Official Use

                    Only preprinted at the bottom.  It is,

                    however, required for the front cover of a

                    file containing SF-153's that are FOR

                    OFFICIAL USE ONLY.)



               (5)  When in doubt about whether or not a

                    record/file may be declassified and marked

                    FOR OFFICIAL USE ONLY, please telephone the

                    NASA COR via a STU-III (if available), or

                    request NASA COR assistance by another secure

                    means of communication.



               (6)  The guidance in previous subparagraphs will

                    be implemented in handling NASA COR account

                    inventories, reports and files.  In addition,

                    exemption "High Two" of FOIA may be used for

                    COMSEC account reports, files that are

                    sensitive but not classified.  This exemption

                    protects from disclosure material that would

                    significantly risk circumvention of an Agency

                    regulation, statute, or mission.



               (7)  Appendix F is provided as a classification

                    guide.



     2.   COMSEC Register File.  All COMSEC material held by an

          account is controlled internally using a COMSEC

          Register File.  This file consists of an active section

          and an inactive section, both of which should be

          maintained in alphanumeric order.  Normally this file

          consists of L6061's (see Figure 3 in Appendix E); it

          may be maintained on a personal computer with prior

          NASA COR approval.  If the file is automated, take

          extreme care to control the data base as much as

          possible, since unauthorized persons could alter/erase

          information without the immediate knowledge of the

          Custodian.  Follow good computer security practices,

          and maintain current backups of data.



          a.   The active section of the Register File consists

               of one Form L6061 (manual file), or one line item

               (automated file), for each accountable item

               currently held in the account and must include the

               following information:



               (1)  Short title, edition, quantity, and

                    accounting number (if any).



               (2)  Classification and ALC.



               (3)  Date of receipt, from whom received (account

                    number), and incoming transaction number.



               (4)  Hand receipt information (optional).



          b.   The inactive section of the register file consists

               of one Form L6061 or one line item for each item

               that has been removed from the account, and the

               specific disposition data for the item, as

               follows:



               (1)  The type of disposition (e.g., transfer,

                    destruction, etc.) (if transferred, also

                    include receiving account number).



               (2)  Date of action.



               (3)  Outgoing transaction number.



          c.   Give special attention to keeping the Register

               File current and accurate; it is a convenient

               reference and important tool for maintaining

               strict control over all COMSEC material in the

               account.



     3.   Preparing COMSEC Accounting Reports



          a.   Include in each report the official titles and

               addresses of the elements involved; account,

               transaction, contract (if applicable) numbers;

               date of report (entered: year, month, day, e.g.,

               880107 indicates January 7, 1988); typed or

               stamped names of individuals signing reports; and

               signatures in ink.



          b.   List all short titles in alphanumeric order,

               omitting the prefix or suffix "TSEC."  For

               equipment controlled by Government Serial Number,

               omit the prefix "GSN."



          c.   Single space all line item entries on a report. 

               Follow the last line item with the remark "NOTHING

               FOLLOWS" in capital letters on the next line.



          d.   For items having accounting numbers running

               consecutively, the inclusive accounting numbers

               may be entered as a single line entry (e.g., 

               1-10) in block 11.



          e.   Enter "N/N" in block 11 for items not having an

               accounting number or for which accounting by

               number is not required (i.e., ALC-2 material).



          f.   Ensure that consecutive accounting numbers agree

               with the entries made in the "quantity" column.



          g.   Include any clarifying remarks deemed appropriate

               for the receiving COMSEC Custodian or the COR in

               Block 13 or below the "NOTHING FOLLOWS" line.  

 

          h.   Initial all deletions or corrections in ink. 



          i.   Assign each accounting report (i.e., incoming and

               outgoing transfers, possession, inventory, and

               destruction reports) a transaction number,

               starting over with "1" each calendar year.  When

               using a manual system, maintain a log to ensure

               that transaction numbers do not get duplicated. 

               NOTE:  Do not assign transaction numbers to hand

               receipts, accounting bulletins, reconciliation

               statements or inventories.



          j.   Return preprinted inventories to the COR within 10

               working days after receipt.  Submit all other

               reports within 48 hours after receipt or

               preparation, or as otherwise directed. 



          k.   Review all reports for completeness and accuracy,

               and ensure each copy is legible.



     4.   Receipt of COMSEC Material



          a.   Sources.  Accountable COMSEC material may be

               received from the NSA, military departments, other

               Government agencies, allied governments,

               international organizations, and contractors. 



          b.   DCS Form 10-R.  The Defense Courier Service (DCS)

               regulations require personnel who may be required

               to accept DCS material to complete a DCS

               Authorization Record (Form 10-R) before receipting

               for material.  DCS Form 10-R may be obtained from

               the serving DCS station.  Figure 4 lists DCS

               addresses.  Contact the NASA COR if necessary for

               proper instructions to complete DCS Form 10-R.



          c.   Receiving Packages and Examining Containers (refer

               to subparagraph g for equipment).  Packages

               receipted for by individuals other than the COMSEC

               Custodian will be delivered to the Custodian

               unopened.  When COMSEC material is delivered,

               examine the packages carefully for evidence of

               tampering or exposure of the contents.  If either

               is evident and the contents are classified, CCI,

               or marked CRYPTO, submit a COMSEC incident report

               as required by Chapter 6 of this Manual.  Do not

               open packages showing evidence of tampering until

               approval is received from the NASA COR.



               (1)  Report any discrepancy in short title,

                    accounting number, or quantity between the

                    contents of the package and the transfer

                    report to the sender and the COR.  Correct

                    the transfer report to agree with the

                    material actually received.  If the material

                    is classified, CCI, or marked CRYPTO, and the

                    discrepancy cannot be resolved with the

                    sender, submit a report of possible

                    compromise.



               (2)  When the incoming check has been completed,

                    sign and distribute the transfer report as

                    follows:



                    (a)  One copy to the NASA COR. 



                    (b)  One copy to the shipment originator.



                    (c)  One copy for file.



                    (d)  Additional copies as directed by the

                         shipment originator.



               NOTE: It may be necessary to reproduce additional

               copies of the SF 153.



               (3)  When a package is received and the package

                    inner wrap is stamped TOP SECRET CRYPTO or

                    contains TOP SECRET keying material,

                    immediately initiate two-person integrity

                    (TPI) controls, and inspect the package for

                    evidence of damage or tampering.  Both

                    individuals will then open the package and

                    compare the contents with the enclosed

                    "COMSEC Material Report" (SF 153).  If

                    classification cannot be determined before

                    opening, and when material received is

                    routinely TOP SECRET, assume that the

                    material is TOP SECRET.  If the contents are

                    TOP SECRET operational keying material, both

                    TPI participants will sign the SF 153 (Blocks

                    15 and 16) and immediately place the material

                    into TPI storage.  Submit the SF 153 to the

                    NASA COR.  If it is found that the contents

                    do not include TOP SECRET operational keying

                    material, follow standard receipting

                    procedures.



          d.   Receipting for keying material in protective

               packaging.  Certain items of COMSEC material are

               protectively packaged at production time and will

               not, in most cases, be opened until they are to be

               employed by the actual user.  To ensure the

               integrity of key, inspect all protective

               packaging.  If no special handling instructions

               are provided, though, open the keying material and

               page check as outlined in subparagraph h. 

               Protective packaging applied to individual items

               of TOP SECRET key must not be removed except under

               TPI conditions.  Inventory key tapes in canisters

               by noting the short title and accounting number on

               the leading edge of the tape segment, which

               appears through the window of the plastic

               canister.  Do not remove tape or lists from key

               tapes or key lists in protective canisters.  Do

               not open test keying material until it is to be

               used.  Report shipping discrepancies to the COR.



          e.   Receipting for Tapes (Magnetic/Paper).  Upon

               receipt of a shipment of tapes, inventory each

               reel by short title, edition, and accounting

               number.  Report discrepancies to the COR. 



          f.   Receipting for Hardware/Firmware Keying Material. 

               Upon receipt, inventory each item by short title,

               edition, and accounting number.  Report

               discrepancies to the COR. 



          g.   Receipting for Equipment 



               (1)  Equipment received in sealed shipping cartons

                    that have not been opened or do not exhibit

                    signs of tampering may be receipted for

                    without physically sighting the material

                    inside as long as the label on the carton

                    agrees with the transfer report; if it does

                    not, the contents must be physically

                    inventoried.  Inspect any implemented

                    protective technologies on the equipment. 

                    Although certain types of material do not

                    need to be opened before actual use, allow

                    time between opening and use to obtain

                    replacements for incomplete or defective

                    items.  Report shipping discrepancies to

                    the COR. 

 

               (2)  Since the CCI category of COMSEC equipment

                    was introduced, much existing/new stand-alone

                    cryptographic equipment, telecommunications

                    and information handling equipment with

                    embedded cryptography, and associated

                    ancillary equipment, may now be controlled

                    outside of traditional COMSEC control

                    channels.  When CCI equipment is received via

                    other than traditional COMSEC control

                    channels, sign the accompanying paperwork,

                    and return a copy to the shipper.  Initiate

                    an SF 153 possession report for the receipted

                    material as prescribed in paragraph 204.12

                    and submit a copy to the COR. 



          h.   Page Checking.  Conduct page checks of unsealed

               material to ensure the presence of all required

               pages.  Where the COMSEC account is so large that

               the COMSEC Custodian cannot personally perform

               page checks or post amendments, other

               appropriately cleared individuals who have been

               properly instructed by the COMSEC Custodian may

               perform these actions.  To conduct the page check,

               verify the presence of each page against the "List

               of Effective Pages" or the "Handling Instruc-

               tions," as appropriate.  Sign and date the "Record

               of Page Checks" page; or, if the publication has

               no "Record of Page Checks" page, place the

               notation on the "Record of Amendment" page or the

               cover.



               (1)  Key cards and/or key lists in sealed

                    transparent plastic wrap, and authenticators

                    shipped in envelopes, should not be opened

                    until 72 hours before the effective date;

                    therefore, do not page check until ready to

                    use.  Do not open test keying material until

                    it is to be used.  When preparing for actual

                    use, open and page check keying material

                    according to the handling instructions

                    provided with the material.  If no special

                    handling instructions are provided, open and

                    page check the keying material.  Do not

                    remove key tapes or key lists from 

                    protective canisters for inventory or check

                    purposes. 



               (2)  Other Material.  Classified COMSEC

                    publications must be page checked according

                    to the handling instructions provided with

                    the material.  If no special handling

                    instructions are provided, page check upon

                    initial receipt, when entering an amendment

                    that requires removing and/or inserting

                    pages, before destroying, before shipping to

                    another COMSEC account, and upon return from

                    an authorized hand receipt user.



               (3)  If any pages are missing upon initial

                    receipt, Y13 should be notified of a possible

                    production error.  When page checking before

                    destroying, before shipping to another COMSEC

                    account, upon return from an authorized hand

                    receipt user or when entering an amendment,

                    annotate the "Record of Page Checks" page. 

                    If the publication is classified, submit a

                    COMSEC incident report as outlined in 

                    Chapter 6 of this Manual.  Submit requests

                    for disposition instructions and a

                    replacement publication to the NASA COR.



               (4)  In the case of duplicate pages, remove and

                    destroy the duplicate page(s).  Prepare one

                    copy of a destruction report citing the page

                    number and the accounting number of the basic

                    publication (e.g., duplicate page number 72

                    removed from KAM-130A, Number 813).  No

                    notification to the NASA COR is required and

                    do not assign a COMSEC account transaction

                    number to this locally retained destruction

                    report.  In addition, note the duplicate page

                    and the resultant destruction on the "Record

                    of Page Checks" page.



               (5)  When a change of COMSEC Custodian has

                    occurred, the incoming COMSEC Custodian must

                    perform a page check of all unsealed material

                    after the change of Custodian takes place. 

                    Where the COMSEC account has a prohibitive

                    number of documents requiring page checks,

                    the incoming COMSEC Custodian must submit a

                    request for an extension to the NASA COR to

                    allow more time to complete all page checks.

                    It is recommended that the outgoing COMSEC

                    Custodian complete page checks before

                    transferring control of the COMSEC account to

                    the incoming COMSEC Custodian.



     5.   Procedures for Handling Keying Material.  All keying

          material must be stored in GSA-approved security

          containers.  Restrict access to the container storing

          future editions of classified keying material marked

          CRYPTO to the COMSEC Custodian and Alternate

          Custodian(s).  Where this restriction cannot be applied

          because others must have access to the container for

          either current editions of keying material or other

          material in the container, store future editions of

          keying material separately in a locked strongbox that

          can be opened only by the COMSEC Custodian and

          Alternate Custodian(s).  Keep the strongbox in the

          security container.  Exceptions may be made in

          operational areas to allow shift supervisors access to

          the next edition of keying material, but not to later

          editions.  Routine destruction of keying material is

          addressed in Chapter 7. 



          a.   Key Lists/Key Tapes



               (1)  When it is necessary to relinquish physical

                    control of operational key lists to a user,

                    do so on a hand receipt.  If issuing

                    individual settings is warranted, the hand

                    receipt user's signature or initials and the

                    date in the "ISSUED TO" column on the

                    "DISPOSITION RECORD" on the inside front

                    cover serves in lieu of a hand receipt. 



               (2)  Key lists/key tapes packaged in protective

                    canisters will not be page checked.  Annotate

                    the record of use card with the short title,

                    edition, and register number of the material.



                    Issue the entire canister to a user on a hand

                    receipt.  The hand receipt user, however,

                    must not remove more tape segments from the

                    canister than are required for current use.

                    As each segment is removed, have the hand

                    receipt user sign or initial and date the

                    "USED" column of the "USAGE RECORD" card

                    applicable to the material.



          NOTE:  Do not affix labels to keying material

          canisters or any other implemented protective

          technology since it may hamper laboratory

          inspections.  Should additional identification of

          the classification be necessary beyond that

          visible through the window of the canister itself,

          the preferred means is to mark or affix a label or

          tag to a zip-lock bag, if available, or mark the

          classification on the plastic canister using a

          grease pencil.  Zip-lock containers are available

          through the Federal Stock System - Stock Number

          8105-00-837-7754 (1000 per box). 



     6.   Transferring COMSEC Material 



          a.   General.  COMSEC material may be transferred from

               one COMSEC account to another only as prescribed

               by the procedures in this Manual.  Before

               transferring accountable COMSEC material, verify

               the receiving activity's official address, COMSEC

               account number, and authorization to hold the

               material being shipped.  When the validity of a

               shipping address or authority for shipment is in

               question, contact the NASA COR before making the

               shipment.  Ensure that shipping is only by one of

               the authorized modes of transportation prescribed

               in this Manual.



               (1)  Do not ship accountable COMSEC material,

                    regardless of the accounting legend code

                    (ALC) assigned, unless a COMSEC account

                    number is provided with the shipping address.



                    CCI equipment may, however, be transferred to

                    a Military Department standard logistics

                    system account.  Verify account numbers and

                    shipping addresses by contacting the

                    appropriate Military Department's Accounting

                    Headquarters.  Use an SF 153 for such

                    transfers, just as with any other outgoing

                    transaction of COMSEC material.  Ensure that

                    equipment and page checking provisions

                    outlined in subparagraphs g and h are

                    accomplished before packing COMSEC material

                    for transfer, and that shipping is only by

                    authorized modes.  Conduct page and equipment

                    checks no earlier than 48 hours before

                    packing. 



               (2)  When transferring Government-furnished

                    equipment (GFE) to a contractor COMSEC

                    account, annotate the SF 153 in block 13 to

                    identify those items as GFE, and identify the

                    contract number on the form.



          NOTE:  Transfer of material to external

          organizations (e.g., civil agencies, contractors,

          etc.) is authorized to expedite delivery of

          material and eliminate unnecessary handling of the

          material between locations.  The shipping COMSEC

          Custodian assumes full responsibility for all

          aspects of the shipment.  When transfers are made

          to an organization external to NASA, include the

          following information in the "Remarks" portion of

          the transfer report:  ownership of the equipment,

          purpose of the transfer, contract numbers, project

          name, and instructions for the receiving

          Custodian.  Prepare and forward copies of the SF

          153 as outlined below, as appropriate:



                    (a)  Transferring COMSEC Material to the U.S.

                         Military Departments.  Prepare five

                         copies of the SF 153 and enclose the

                         original and one copy with the shipment

                         (see Figure 5 in Appendix E).  Put the

                         notation "ADVANCE COPY" on two copies,

                         and immediately forward one to the NASA

                         COR and one to the appropriate Military

                         Department Accounting Headquarters. 

                         Retain the final copy for file.  Include

                         the following notations, as appropriate,

                         on all copies of transfer reports going

                         to the U.S. military departments: 

                         equipment owner (NASA, Air Force, etc.);

                         purpose of the transfer/loan; length of

                         loan; repayment of loan; transfer of

                         ownership and authority for the

                         transfer; and the contract

                         number/project name (if appropriate). 

                         Place the following statement on all 

                         SF 153s reporting the transfer of COMSEC

                         material:



          "Custodian:



               Sign all copies and distribute as prescribed by

          the accounting instructions of your service.  This

          shipment consists of ________ containers."



                    (b)  Transferring of COMSEC Material to All

                         Other Activities.  Prepare four copies

                         of the SF l53 (see Figure 6) and enclose

                         the original and one copy with the

                         shipment.  Note "ADVANCE COPY" on the

                         third copy and forward it to the NASA

                         COR.  Retain the fourth copy for file. 

                         Put the following notation on all copies

                         of transfer reports going to activities

                         other than the U.S. Military

                         Departments:

 

          "Custodian:

 

               Sign all copies.  Return original copy to:

               

               National Aeronautics and Space Administration

               NASA Security Office

               Code: JIS/COMSEC Manager

               Washington, DC  20546



               Dispose of remaining copies as prescribed by the

          accounting instructions of your organization.  This

          shipment consists of ________ containers." 



                    (c)  Transfer of Material Between NASA

                         Accounts.  Prepare four copies of the 

                         SF 153 and enclose the original and one

                         copy with the shipment.  Note "ADVANCE

                         COPY" on the third copy and forward it

                         immediately to the NASA COR.  Retain the

                         fourth copy for file.  The material may

                         be transferred through internal mail

                         channels provided it is properly

                         packaged, handled as controlled mail,

                         and the package is covered by a

                         transmittal receipt. 



          b.   Receipt/Transfer Responsibility.  When COMSEC

               material is shipped to a military activity, the

               NASA COR and the Military Department Accounting

               Headquarters, when appropriate, are responsible

               for ensuring that the material is received by the

               intended recipient on a timely basis.  When an

               "ADVANCE COPY" of an SF 153 is received, a receipt

               suspense date is established by the NASA COR and

               the Military Department Accounting Headquarters,

               who take any subsequent tracer action required. 

               Tracer actions for shipments to military

               department standard logistics accounts are handled

               solely with the appropriate Military Service

               Accounting Headquarters.  The shipping Custodian

               is not responsible for ensuring that the material

               reaches the intended recipient, provided

               packaging, addressing, and shipping instructions

               are correct.  This procedure in no way relieves

               the shipping Custodian of responsibility for

               errors that normally can be detected only when the

               recipient opens the package (e.g., shipping the

               wrong item, incorrect nameplate, etc.).  In lieu

               of a signed copy of the transfer report, recorded

               proof of shipment is the file copy of the transfer

               report combined with a signed transmittal form,

               Government Bill of Lading (SF 1103), U.S.

               Registered Mail receipt, or other shipping

               document.  The NASA COR will not initiate tracer

               actions for material shipped from other

               agencies/departments unless requested to do so.  



               NOTE:  In order to avoid tracer action, COMSEC

               Custodians of NASA COMSEC accounts will: upon

               receipt of COMSEC material shipped from a

               contractor COMSEC account send a copy of the 

               SF 153 to NSA (Y-131) as well as to the NASA COR.



          c.   Nonroutine Disposition of COMSEC Material.  Remove

               accountable COMSEC material that is lost,

               compromised, or inadvertently destroyed, from a

               COMSEC account only with the specific written

               approval of the NASA COR.



     7.   Military Department Accounting Headquarters



          a.   Army Accounting Headquarters:



               Commander

               U.S. Army Communications Electronics Command

               Communications Security Logistics Activity

               ATTN: SELCL-NICP-OR

               Fort Huachuca, AZ  85613



          b.   Navy, Marine, and Coast Guard Accounting

               Headquarters:



               Director

               COMSEC Material System

               3801 Nebraska Avenue, NW

               Washington, DC  20390



          c.   Air Force Accounting Headquarters:



               Headquarters

               U.S. Air Force Cryptologic Support Center

               ATTN: MMIA

               San Antonio, TX  78243



               Verify Air Force standard logistics system account

               numbers and shipping addresses by calling

               (512) 925-2771.

 

     8.   Packaging COMSEC Material



          a.   Securely package classified COMSEC material for

               shipping in two opaque wrappers with no indication

               of the classification on the outside wrapper.  Use

               packaging material strong and durable enough to

               provide secure protection while in transit,

               prevent items from breaking through the container,

               and facilitate detecting tampering with the

               container.  Mark each wrapper with the "TO" and

               "FROM" addresses.  The outer wrapper must never

               carry identification of the contents that directly

               discloses a cryptographic or COMSEC association

               (e.g., a system indicator, the acronym "TSEC,"

               etc.).  Instead, label the crate or outer wrapper

               with the short title of the equipment, less the

               "TSEC" designation, followed by the accounting

               number (e.g., KW-59/101) to identify the contents.



               Identify assemblies, ancillary devices, elements,

               and subassemblies shipped individually by short

               titles, accounting numbers, and the short titles

               of the equipment in which the items are to be

               used.  Identify items not accountable by

               accounting number by short title and quantity. 

               Figure 7 provides examples of COMSEC material

               identification markings.  Ensure that the markings

               on the crate or outer wrapper identifying the

               COMSEC material within agree with the accompanying

               "COMSEC Material Report" (SF 153).  When material

               is to be hand-carried, a briefcase, pouch, or box

               is an appropriate outer wrapper.  Specialized

               shipping containers for COMSEC equipment, such as

               locked and twice-banded repair kits, may be

               considered the outer wrapper.

 

          b.   Mark the inside wrapper of classified

               cryptographic material with the designator

               "CRYPTO" and the classification.  If the shipment

               contains keying material designated for "U.S. Use

               Only," mark the inner wrapper with the remark

               "SPECIAL HANDLING REQUIRED, NOT RELEASABLE TO

               FOREIGN NATIONALS."  If the shipment contains

               keying material that is releasable, mark the inner

               wrapper with the remark "SPECIAL HANDLING

               REQUIRED, FOR U.S. AND SPECIFIED ALLIES ONLY." 

               Mark the inside wrapper of all accountable COMSEC

               material with the notation "TO BE OPENED ONLY BY

               THE COMSEC CUSTODIAN."  If the classified material

               is an internal component of an unclassified

               packable equipment, the outside equipment shell

               may be considered as the component's inner

               wrapper; that is, only one additional wrapper is

               required.

 

          c.   Mark all transfer reports and other forms covering

               an individual DCS shipment with the individual

               shipment control number; affix the reports to the

               inner wrapper of the package.  NOTE:  Do not place

               the transfer report inside the sealed container

               with the COMSEC material because this defeats the

               purpose of marking the short title and accounting

               numbers on the outside of the container.  For

               multiple package shipments, number each container

               beginning with package Number 1, followed by a

               slash and the total number of packages making up

               the shipment (e.g., for a shipment consisting of

               three packages, the first box would be marked 1/3;

               the second one marked 2/3; and the third (last)

               one marked 3/3).  Affix the shipping document (SF

               153) to the inner wrapper of the first package of

               multiple package shipments.  Do not annotate the

               serial package number(s) and transaction number in

               the immediate vicinity of DCS control numbers. 



          d.   Package keying material separately from its

               associated cryptographic equipment, unless the

               application or design of the equipment is such

               that the corresponding keying material cannot be

               physically separated from it. 



          e.   Securely package CCI equipment in a way that

               reveals tampering and guards against damage in

               transit.  Annotate the equipment designator on the

               package.  The "CCI" marking may be placed on the

               exterior of the package if so requested.  Place

               the accompanying paperwork in an envelope securely

               fastened to the outside of the package and mark

               the envelope with the "TO" and "FROM" addresses,

               including the account number, without the word

               "COMSEC."

 

          f.   Wrap unclassified COMSEC material, except keying

               material marked CRYPTO, as any other unclassified

               material according to packaging requirements of

               the agency or activity.



     9.   Authorized Modes of Transportation.  An appropriately

          cleared individual may move COMSEC material locally

          (e.g., within an Installation).  Various modes of

          transportation are authorized for COMSEC material.  The

          authorized mode for each specific type of COMSEC

          material is as follows:



          a.   Shipping Classified Keying Material and Classified

               COMSEC Equipment.  In time-critical situations, on

               a case-by-case basis, the NASA COR, in conjunction

               with the appropriate NASA Installation Security

               Officer, may approve using commercial passenger

               aircraft within the United States to transport

               current or superseded keying material as long as

               the material is hand-carried by an appropriately

               cleared individual and provided that departmental

               and Federal Aviation Authority procedures are

               followed.  This policy does not apply to the use

               of NASA-owned and -operated aircraft, which may be

               used to transport material within the continental

               United States with approval from the Installation

               Security Officer.  When commercial passenger

               aircraft must be used, written courier

               authorization is required.



               (1)  Classified Keying Material.  When practical,

                    limit individual shipments to not more than

                    three editions or 3 months' supply of a

                    particular item of keying material (whichever

                    is the greater amount).  This restriction

                    does not apply to packaged irregularly

                    superseded materials.  The NASA COR may waive

                    this restriction when material is issued to a

                    newly established account or in cases where

                    supply is difficult and the number of

                    shipments is limited.  The NASA COR may

                    authorize using U.S. Registered Mail to ship

                    individual editions of CONFIDENTIAL keying

                    material, provided the material does not at

                    any time pass out of U.S. citizen control,

                    and does not pass through a foreign postal

                    system or any foreign inspection.  Do not

                    send keying material classified SECRET or

                    higher through the mail without prior

                    approval of the NASA COR.  Except when using

                    systems specifically designed for electronic

                    rekeying, transmit operational keying

                    variables electrically only under emergency

                    conditions and only when the communications

                    system provides end-to-end encryption equal

                    to the classification of the transmitted key

                    setting, and the key setting does not appear

                    in plain text anywhere in the communications

                    path.  Under normal conditions, ship

                    classified keying material only by one of the

                    following means:

 

                    (a)  Defense Courier Service (DCS).



                    (b)  Appropriately cleared Government

                         personnel who have been designated in

                         writing to act as couriers for

                         cryptographic material.

 

                    (c)  U.S. Diplomatic Courier Service.

 

                    (d)  Appropriately cleared and briefed

                         contractor personnel who have been

                         designated in writing by competent

                         authority to act as couriers, provided

                         the material is classified no higher

                         than SECRET.  For TOP SECRET keying

                         material, courier authorization must be

                         obtained from the appropriate NASA

                         Installation Security Officer on a

                         case-by-case basis.



               NOTE:  Two-person integrity (TPI) controls

               must be applied whenever local couriers

               transport TOP SECRET keying material from one

               location to another.  See Chapter 5.

 

               (2)  Classified COMSEC Equipment and Components. 

                    Do not ship classified COMSEC equipment and

                    components in a keyed condition unless the

                    physical configuration of the equipment makes

                    segregating the keying material impossible. 

                    For equipment using a Crypto-Ignition Key

                    (CIK), removing the CIK permits the equipment

                    to be treated as unkeyed.  Ship the CIK

                    separately from the equipment.  Transport

                    COMSEC equipment and components classified

                    higher than CONFIDENTIAL by any of the means

                    identified for keying material, or by a

                    cleared commercial carrier under Protective

                    Security Service (PSS).  Transport COMSEC

                    equipment and components classified

                    CONFIDENTIAL by any of the means specified

                    above, or any of the following: 



                    (a)  U.S. Registered Mail, provided it does

                         not at any time pass out of U.S. control

                         and does not pass through a foreign

                         postal system or any foreign inspection.



                    (b)  Commercial carriers (or U.S. military or

                         military contractor air service)

                         provided a continuous chain of

                         accountability and custody for the

                         material is maintained while it is in

                         transit.



                    (c)  U.S. military or military-contractor air

                         service (e.g., MAC, LOGAIR, QUICKTRANS),

                         provided the requirements for DoD CSS

                         are observed. 



          b.   Other Classified COMSEC Material.  Transport

               classified material, other than keying material

               and COMSEC equipment, as follows: 



               (1)  Use one of the methods below to transport

                    media that embodies, describes, or implements

                    a classified cryptographic logic, such as

                    full maintenance manuals, cryptographic logic

                    descriptions, drawings of cryptographic

                    logics, specifications describing a

                    cryptographic logic, cryptographic computer

                    software, and operating manuals.  These items

                    may not be transported through any postal

                    system.

 

                    (a)  Defense Courier Service (DCS). 



                    (b)  Appropriately cleared and briefed U.S.

                         Government, contractor or military

                         personnel who have been designated in

                         writing by proper authority to act as

                         courier for the material. 



               (2)  Use any of the means below to transport media

                    that does not embody, describe, implement, or

                    contain a classified cryptographic logic. 

                    NOTE: Using Standard First Class Mail service

                    is not acceptable for transporting any

                    classified COMSEC material.



                    (a)  Any of the means authorized in

                         subparagraph 9a. 



                    (b)  U.S. Registered Mail or by a cleared

                         commercial carrier using PSS for media

                         classified SECRET. 



                    (c)  U.S. Registered Mail or U.S. Postal

                         Service Certified Mail for media

                         classified CONFIDENTIAL.



     10.  Shipping Unclassified COMSEC Material 



          a.   Unclassified Keying Material Marked CRYPTO. 

               Within CONUS, transport unclassified material

               marked CRYPTO by U.S. Registered Mail or

               authorized U.S. Government, contractor, or

               military personnel.  Outside CONUS, use authorized

               department, agency, or contractor couriers; U.S.

               Diplomatic Courier Service; or the Defense Courier

               Service.  Where practical, limit shipments of

               unclassified keying material marked CRYPTO

               transported by courier to no more than three

               editions; when shipped by U.S. Registered Mail, no

               more than one edition. 



          b.   Shipping Controlled Cryptographic Item (CCI)

               Material.  Do not transport CCI material in a

               keyed condition, unless the equipment is designed

               to operate with a permanently installed hard-wired

               key.  Ship CCI material by the following means:



               (1)  Within CONUS:



                    (a)  Authorized department, agency, or

                         contractor courier. 



                    (b)  U.S. Registered Mail. 



                    (c)  Authorized U.S. Government courier

                         service (e.g., Diplomatic Courier

                         Service). 



                    (d)  Commercial carrier providing DoD

                         Constant Surveillance Service (CSS). 

                         Coordinate the shipment with the

                         Transportation Officer.

 

               (2)  Outside CONUS.  CCI equipment may be sent by

                    U.S. Registered Mail if the package will

                    remain in U.S. mail channels (e.g., mailed to

                    an APO or FPO address) or be carried by an

                    individual who has been briefed as a courier.



                    The courier must be briefed on proper

                    security procedures and be aware of all

                    requirements for access and the physical

                    security of the equipment or materials. 

                    Transportation may be by any means that

                    permits the courier to maintain continuous

                    accountability and provide protection against

                    loss and unauthorized access while in

                    transit.  Where transportation is by

                    commercial aircraft, the CCI equipment should

                    be stowed in the cabin where the courier can

                    maintain constant surveillance.  If equipment

                    bulk will not permit cabin storage or creates

                    an excessive burden for the courier, CCI

                    circuit boards may be removed for cabin

                    storage, and the remainder of the equipment

                    may be checked as hold baggage.  CCI

                    equipment must not be transported through

                    countries other than those authorized to

                    receive the equipment.  All incidents of

                    impoundment, seizure, or loss of CCI

                    equipment while it is being couriered must be

                    reported in accordance with Chapter 6 of this

                    Manual.

 

          c.   All other unclassified COMSEC material may be

               shipped by any means that will reasonably assure

               safe and undamaged arrival at the destination. 

               Ship unclassified COMSEC items as classified

               COMSEC material when an operational need exists to

               provide both types of material together.



     11.  Authorized Modes of Transportation for Controlled

          Cryptographic Item (CCI) Equipment and Components

          Within CONUS, U.S. Territories and Possessions

 

          a.   NSA has noticed an increasing number of reported

               incidents (within the COMSEC community) involving

               CCI equipment and components being shipped by

               improper means.  The majority of these incidents

               involve either material improperly shipped through

               the United States Postal Service (USPS), or

               material improperly transported via commercial

               carrier within CONUS.  They believe this has been

               caused by a general lack of understanding of the

               proper procedures to be followed.  Although

               unkeyed CCI equipment and components are not

               classified, they do require controls while in

               transit.  These controls must ensure continuous

               accountability of the material.



          b.   When CCI equipment and components are shipped by

               the USPS, Registered Mail must be used.  Items

               shipped by USPS Registered Mail must not at any

               time pass out of U.S. control nor pass through any

               foreign postal system.  There are, however,

               certain restrictions governing the size and weight

               of packages that can be shipped via USPS

               Registered Mail.  These restrictions may preclude

               using this service.  It is suggested that the

               responsible individual check with USPS authorities

               to determine whether the package material

               qualifies.  USPS First Class Mail, Fourth Class

               Mail, Parcel Post, Certified Mail, Insured Mail,

               and Express Mail are not authorized for shipping

               CCI equipment/components.



          c.   When using commercial carriers to transport CCI

               equipment and components, an adequate degree of

               physical control and accountability for the

               material must be maintained while it is in

               transit.  However, the small number of commercial

               carriers that provide an approved constant

               surveillance service (CSS) has greatly restricted

               the ability of shipping activities to move CCI

               material.  Therefore, the existing requirement

               that commercial carriers must provide approved CSS

               is being modified to allow shipping activities to

               use commercial carriers that can satisfy the

               requirements set forth below.  This change only

               applies to shipments within CONUS, U.S.

               territories and possessions. 



               (1)  CCI equipment and components may be

                    transported by any commercial carrier that

                    warrants in writing to the shipping activity

                    that it can satisfy all of the following

                    requirements.  The carrier must:



                    (a)  Be a firm incorporated in the United

                         States that provides door-to-door

                         service;



                    (b)  Guarantee delivery within a reasonable

                         number of days based on the distance to

                         be traveled;



                    (c)  Have a means of tracking individual

                         packages within its system to the extent

                         that should a package become lost, the

                         carrier can, within 24 hours following

                         notification, provide information

                         regarding the package's last known

                         location;



                    (d)  Guarantee the integrity of the vehicle's

                         contents at all times (e.g., while a

                         driver is making pickup/delivery stops,

                         the vehicle must be locked); and



                    (e)  Guarantee that the package will be

                         stored in a security cage should it

                         become necessary for the carrier to make

                         a prolonged stop at a carrier terminal.



               (2)  In addition to satisfying the above

                    requirements, the carrier must either:



                    (a)  Use a signature/tally record that

                         accurately reflects a continuous chain

                         of accountability and custody by each

                         individual who assumes responsibility

                         for the package/shipment while it is in

                         transit (the carrier may either provide

                         its own signature/tally record form or

                         agree to use the DD Form 1907 or Form

                         AC-10); or



                    (b)  Use an electronic tracking system that

                         reflects a chain of accountability and

                         custody similar to that provided by a

                         manually prepared signature/tally

                         record.  Positive identification of the

                         actual recipient of the material at the

                         final destination must be indicated.  A

                         hard-copy printout shall be provided as

                         proof of service and the printout must

                         reflect those points, during transit,

                         where electronic tracking of the

                         package/shipment occurred.



          d.   Regardless of the method of transportation

               selected, the NASA activity shipping CCI

               equipment/components shall provide the receiving

               custodian with timely notification of a scheduled

               shipment.  Preferably, notification should be

               provided at least 24 hours prior to the estimated

               delivery date.  This procedure will help to

               readily identify any shipment that might unduly

               delayed or lost enroute.  It is emphasized that

               CCI equipment/components may only be shipped to

               authorized activities/contractors and shall be

               labeled in a way that will ensure delivery to an

               individual who is designated to accept custody of

               the material at the contractor facility/activity. 

               Do not use the individual's name on the delivery

               label; rather, use functional designators such as

               office symbols or mail station codes.  If using a

               commercial carrier, the accompanying shipping

               documents will provide an emergency telephone

               number(s) of an individual(s) authorized to

               receipt for the material in the event the carrier

               attempts to make delivery during other than normal

               duty/work hours.



          e.   If a shipment of CCI equipment/components has not

               been received by the intended recipient within

               five working days following the expected delivery

               date, the originating shipper's custodian will be

               contacted immediately.  Unless there is a valid

               explanation for the delay, tracer action shall be

               initiated on the shipment by the shipping

               custodian.  If its location cannot be determined,

               the CCI equipment/components shall be assumed to

               be lost in transit and reported in accordance with

               the guidelines provided below.



          f.   The following types of incidents involving CCI

               shipments shall be reported to NSA, ATTN: X71

               (COMSEC Incidents), for evaluation.  An

               information copy shall be forwarded to NASA

               Headquarters, Code JIS.



               (1)  When tracer actions have determined that a

                    CCI equipment/components is lost in transit;

                    and



               (2)  Shipments that are received that show

                    evidence of possible tampering, or

                    unauthorized access to the CCI

                    equipment/components.



          g.   All other incidents involving improper shipment or

               handling of CCI equipment/components (e.g., CCI

               shipped via certified mail; shipping activity

               failed to request signature/tally service; etc.)

               shall be considered administrative in nature and

               reported in accordance with the guidelines set

               forth below.  If a commercial carrier is involved,

               the name(s) of the carrier(s) shall be included in

               the report.



               (1)  NASA Installations shall report such

                    incidents to the originator of the shipment

                    who shall be responsible for any corrective

                    action.  A copy of the report shall also be

                    provided to NASA Headquarters, Code JIS and

                    NSA, ATTN: X722, for information purposes

                    only.



               (2)  If a NASA contract/memorandum of

                    understanding is involved, such incidents

                    will be reported to the originator of the

                    shipment who shall be responsible for any

                    corrective action.  A copy of the report

                    shall also be provided to NASA Headquarters,

                    Code JIS and NSA, ATTN: X722 for information

                    purposes. 



     12.  Hand Receipts.  Formal SF 153 transfers are required

          for issuing COMSEC material between COMSEC accounts

          unless other special arrangements have been approved by

          the NASA COR.  Issue material for internal temporary

          use via a hand receipt to only properly cleared

          personnel. 

 

          a.   An SF 153 (see Figure 8), the reverse side of Form

               L6061 (Figure 3), or equivalent NASA form may

               serve as a hand receipt.  Before issuing material,

               determine that the proposed recipient: 



               (1)  Has the need-to-know, has a COMSEC briefing

                    as applicable, and has the appropriate

                    clearance.  Clearance or rank does not, in

                    itself, entitle any individual to have access

                    to keying material.  Each person having

                    access to keying material must need the

                    material in the performance of duties and be

                    familiar with his or her responsibilities for

                    its protection, use, and disposition.



               (2)  Will be the actual user of the material

                    (clerical or other personnel who are not the

                    user may not sign hand receipts).



               (3)  Knows the physical security measures

                    necessary to protect the material, and the

                    possible consequences of compromise. 



               (4)  Has the physical means to secure and use the

                    material, commensurate with the

                    classification of the item.  The file safe

                    should be located in the user's immediate

                    work area. 



          b.   Advise the proposed recipient:



               (1)  That COMSEC material issued on hand receipt

                    shall be signed for and controlled by the

                    actual user, and he or she is accountable

                    until the material is returned to the issuing

                    COMSEC account.  Under no circumstances will

                    the recipient reissue the material to another

                    individual without the consent of the COMSEC

                    Custodian/Manager.  If the material is needed

                    by another individual outside the immediate

                    office of the original recipient, the

                    material must be returned to the issuing

                    COMSEC account for reissuance. 



               (2)  Of the physical security measures necessary

                    to protect the material, and the possible

                    consequences of compromise.



               (3)  That the file safe must be located in the

                    recipient's immediate work area.

 

               (4)  That pages are not to be removed from basic

                    documents.  Reproduction authorization of a

                    document in whole or in part is contained in

                    the handling instructions (usually the front

                    cover) of each document produced.  

 

               (5)  That a user is relieved of responsibility for

                    material received on a hand receipt when the

                    material has been returned to the issuing

                    COMSEC Custodian and the original copy of the

                    hand receipt (SF l53) is given to the user,

                    or when the Custodian initials and dates the

                    reverse side of Form L6061 or an equivalent

                    form, as appropriate. 



               (6)  That any accountable COMSEC item issued on a

                    hand receipt must be returned to the issuing

                    COMSEC Custodian before the individual is

                    transferred, reassigned, or absent for more

                    than 30 days. 

  

               (7)  That any possible compromise, access by

                    unauthorized persons, or violation of

                    security regulations affecting the material

                    (user cannot locate or suspects document was

                    borrowed) must be reported to the issuing

                    COMSEC Custodian immediately. 





               (8)  That the recipient's signature on the hand

                    receipt certifies his or her understanding of

                    the above handling requirements. 



          c.   Semiannually review hand receipts for accuracy and

               update as necessary.



     13.  Possession Reports



          a.   Prepare possession reports under the following

               circumstances:



               (1)  When COMSEC material is received without

                    accompanying transfer reports. 



               (2)  When reporting conversion of COMSEC material.

                    (See subparagraph 204.14.)



               (3)  When COMSEC material was previously lost or

                    removed from accountability, but subsequently

                    recovered. 



               (4)  When a new COMSEC Custodian is appointed

                    because of the sudden permanent departure or

                    unauthorized absence of the COMSEC Custodian.



                    When the holdings of the COMSEC account are

                    large, a preprinted inventory may be

                    requested from the NASA COR for this purpose,

                    and the properly completed inventory with a

                    notation explaining the circumstances may

                    serve as the possession report.



               (5)  When a document with a TSEC nomenclature that

                    requires control in the COMSEC Material

                    Control System is originated or reproduced.



          b.   To submit a possession report, prepare an SF l53

               (see Figure 9) and enter appropriate remarks below

               the "NOTHING FOLLOWS" line, citing the reason for

               the report.  Forward the signed original copy to

               the NASA COR and retain a signed duplicate copy

               for file.  When COMSEC material is received

               without an accompanying transfer report, forward a

               signed copy of the possession report to the

               shipping COMSEC account, if known, and to the

               Military Department Accounting Headquarters, if

               applicable. 



     14.  Converted COMSEC Material.  When it is necessary to

          convert the short title and/or accounting number of an

          item of COMSEC material, report the conversion to the

          NASA COR so that accounting records may be properly

          adjusted.  A conversion can result from major

          modification of an equipment requiring the equipment to

          be redesignated (e.g., TSEC/KL-60, redesignated as

          TSEC/KL-60A).  Report a conversion by simultaneously

          submitting a possession report and a destruction report

          prepared on SF 153's.  On the possession report, list

          the item by its new short title and accounting number,

          and include a remark referencing the associated

          destruction report.  On the destruction report, list

          the previous short title and accounting number, and

          include a remark that the destruction is for record

          purposes only and reference the associated possession

          report.  Forward one signed copy of each report to the

          NASA COR, and retain one signed copy of each report for

          file.



     15.  Inventory Report



          a.   Preprinted inventories are issued semiannually by

               the NASA COR and reflect all accountable COMSEC

               material charged to the account as of the date the

               report was printed.  Conduct 100 percent physical

               (sight) inventories and return inventory reports

               to the NASA COR no later than 10 days after

               receipt.  Hold inventories forwarded in

               preparation for an audit at the account until the

               auditor arrives.  Upon arrival, the auditor and

               COMSEC Custodian will jointly conduct the

               inventory.



          b.   Conducting the Physical Inventory.  Conduct a

               physical (sight) inventory of all accountable

               COMSEC material held by the account, and all

               material issued on hand receipts, with the

               Alternate Custodian or another properly cleared

               witness.  The following additional procedures

               apply when conducting the semiannual physical

               inventory: 



               (1)  Assume COMSEC equipment in use to contain all

                    the required subassemblies and elements, so

                    it need not be opened for semiannual

                    inventory purposes. 



               (2)  Check implemented protective technology for

                    possible signs of tampering before the

                    equipment will be used operationally. 

                    Inventory equipment that remains in sealed

                    shipping cartons against the marking on the

                    outer wrapper or crate identifying the

                    contents, and inspect each carton for

                    evidence of tampering.



               (3)  Inventory COMSEC material that is unit packed

                    by the label affixed to the exterior of the

                    package.  Inspect each unit package for

                    evidence of tampering.



               (4)  COMSEC publications need not be page checked

                    at the time of the semiannual inventory.

 

               (5)  Do not use the preprinted inventory as a

                    checklist when conducting the inventory. 



          c.   Completing the Inventory.  Compare the results of

               the physical (sight) inventory against the

               preprinted inventory.  Resolve any discrepancies

               that exist by comparing the preprinted inventory

               against the COMSEC Register File.  Give particular

               attention to additions to, or deletions from, the

               account made close to the date of the report,

               since these transactions may not be reflected in

               the inventory.  Update the report by deleting an

               item or supplementing the report with an SF 153. 



               (1)  Line out in ink each item to be deleted from

                    the inventory (erasures are not authorized). 

                    Provide complete details to support the

                    deletion in the "remarks" column opposite the

                    item.  If the item was transferred, include

                    the receiving account number, the outgoing

                    transfer number, the transfer report date and

                    the Custodian's initials.  If the item was

                    destroyed, provide the date, transaction

                    number, and initial the entry.  Attach a copy

                    of the referenced SF l53 reports to the

                    inventory report. 



               (2)  Items listed on the preprinted inventory, but

                    not physically sighted will be lined out and

                    the appropriate paperwork attached (i.e., 

                    Transfer or Destruction Reports).

 

               (3)  When material held is not listed on the

                    inventory, list the material on an SF l53,

                    appropriately classified, signed by the same

                    individuals signing the inventory, and attach

                    as a supplement to the preprinted report. 

                    Annotate the SF 153 below the "NOTHING

                    FOLLOWS" line to indicate for each item the

                    name and account number of the sender; the

                    incoming transaction number and date; and/or

                    details, as appropriate, to support the

                    supplement.  Assign the same transaction

                    number to the supplement to the preprinted

                    inventory as that given to the inventory

                    report (see Figure 10a in Appendix E).  When

                    all the material to be put on the supplement

                    is from a complete shipment received on an

                    individual SF 153, do not list the material

                    on the supplemental SF 153.  Instead, enclose

                    the supporting SF 153 with the report,

                    annotate the supplemental SF 153 report "See

                    attached SF l53," and list the transaction

                    number and date of receipt. 



               (4)  During the course of updating the preprinted

                    inventory, review each item on the inventory

                    to determine if the material is still

                    required.  If any material is found to be no

                    longer needed, place a remark to that effect

                    in the "Remarks" column opposite each item.



               (5)  When the preprinted inventory has been

                    reconciled to agree with the account's actual

                    holdings, the Custodian and witness will sign

                    and date the certification on the preprinted

                    inventory and any supplemental SF 153s. 

                    Indicate the number of supplemental forms in

                    the space provided in the Custodian's

                    certification block; if no supplement was

                    created, mark "NONE."  Then make a final

                    review of the inventory ensuring that any

                    deletions or additions are fully documented,

                    that the certification blocks are signed and

                    dated.  Forward the original preprinted

                    inventory, along with any supplemental SF

                    153's, to the NASA COR, and retain a copy of

                    these, along with all working papers used in

                    performing the physical inventory, for file.



          d.   When the certified inventory is received by the

               NASA COR, it will be reconciled with the COR

               records.  The COR will respond only if

               discrepancies are noted.  If the account is cited

               with any discrepancy, take corrective action

               within 48 hours of being notified, advise the NASA

               COR of the action taken, and submit to the COR any

               substantiating reports required.



          e.   Change of COMSEC Custodian Inventory.  Accomplish

               the inventory required upon change of COMSEC

               Custodian as prescribed in paragraph 201.10. 

               Complete this inventory before the outgoing

               Custodian departs, and account for all

               transactions so that the completed inventory

               reflects that material actually held by the

               account on the date of the changeover.



          f.   Special Inventories.  Conduct a special inventory

               when directed by the NASA COR or other competent

               authority or if loss of COMSEC material is

               suspected or frequent deviation from accounting

               procedures are found.  Record special inventories

               on an SF 153.  Do not forward the report to the

               NASA COR unless requested by the NASA COR or

               unless the authority directing the special

               inventory desires that the NASA COR verify its

               accuracy.

 

          g.   Negative Inventories.  When a COMSEC account does

               not hold accountable COMSEC material, the COMSEC

               Custodian and a witness (usually the Alternate

               COMSEC Custodian) should sign the negative

               inventory, certifying that the account does not

               hold accountable COMSEC material.  COMSEC accounts

               will continue to receive semiannual inventories

               until a requirement for the COMSEC account no

               longer exists, and the COMSEC account is formally

               closed.  If the COMSEC account has received or

               still holds accountable COMSEC material when a

               negative preprinted inventory is received,

               supplement the inventory to reflect the

               accountable COMSEC material held by the COMSEC

               account. 



     16.  Destruction.  Chapter 7 contains routine destruction

          procedures and requirements, as well as destruction

          methods and minimum standards that ensure that COMSEC

          material is adequately destroyed.



          a.   Except as authorized by Chapter 7, COMSEC material

               is routinely destroyed by the COMSEC Custodian and

               witnessed by the Alternate COMSEC Custodian. 

               Verify the short title, edition designation, and

               accounting number, if any, of each item

               immediately before destruction.  Verify equipment

               and complete page checks according to paragraph

               204.4h, no earlier than 48 hours prior to

               scheduled destruction.



          b.   Because destroying the wrong item can result in a

               possible compromise, take extreme care to ensure

               that the correct COMSEC material is destroyed and

               that the destruction report is completely accurate

               (preparing the destruction report SF l53 before

               destruction and using it as a check list will

               help). 



          c.   Prepare a destruction report (see Figure 11 in

               Appendix E) for both classified and unclassified

               accountable COMSEC material.  Review completed

               use/disposition records to ensure that all

               settings were used and properly recorded.  Then

               prepare the destruction report and forward one

               copy to the NASA COR.  Enter the authority for

               destruction in the "Remarks" column or below the

               "NOTHING FOLLOWS" line (e.g., Superseded by KAM-

               220B; residue of Amend 2 of KAM-212; letter from

               controlling authority, dated January 1, 1982). 

               Place the following remark below the "NOTHING

               FOLLOWS" line on the SF 153 only when the material

               was actually destroyed by an individual other than

               the COMSEC Custodian (or in his or her absence,

               the Alternate):  "The official records in my

               possession indicate that the above listed item(s)

               have been properly destroyed by duly authorized

               individuals."  Forward the signed and properly

               witnessed original copy of the destruction report

               to the NASA COR no later than the 16th of each

               month (no exceptions are authorized) and retain

               the signed duplicate copy for file (see Chapter

               7).  However, if used or superseded material is

               not held, negative reports are not required.

 

     17.  Accounting for and Entering Amendments to COMSEC

          Publications



          a.   Message Amendments.  A message amendment is used

               to announce information that must be immediately

               entered in a COMSEC publication.  After posting

               the amendment and noting the entry on the "Record

               of Amendments" page, destroy classified message

               amendments.  Do not report the destruction of

               message amendments to the NASA COR.

 

          b.   Printed Amendments.  Account for printed

               amendments as COMSEC publications until they have

               been posted, the residue destroyed, and the

               destruction reported to the NASA COR.  Since

               printed amendments (ALC-l through ALC-3) are

               accountable, and will reflect on inventories,

               provide an SF 153 Destruction Report to the NASA

               COR to remove them from the account after they

               have been posted to the basic documents.  Take

               care when preparing the SF 153 to report the short

               title, edition, and accounting number of the

               amendment, and not that of the basic document.

 

          c.   Posting the Amendment.  Post amendments as soon as

               possible after receipt or effective date to keep

               the basic publication current.  The following

               guidance is to help avoid errors that commonly

               occur when posting amendments: 



               (1)  Untrained personnel will not post amendments.

                    

               (2)  Read and understand the specific instructions

                    contained in the letter of promulgation or

                    handling instructions before posting.  Post

                    the entire amendment at one time; do not

                    extend over a period of time.



               (3)  If replacement pages are included in the

                    amendment, page check both the basic

                    publication and the residue of the amendment

                    before destroying the residue.  Inadvertently

                    destroying effective portions of documents

                    together with residue from amendments is a

                    major cause of COMSEC material security

                    violations. 



               (4)  Note the amendment was posted on the "Record

                    of Amendments" page, and, if pages were added

                    to or removed from the publication, date and

                    sign the "Record of Page Checks" page.



               (5)  If the amendment is posted by an individual

                    other than the COMSEC Custodian, return all

                    residue of the amendment, including any pages

                    removed from the basic publication, to the

                    COMSEC Custodian for destruction.



               (6)  To preclude loss, place any residue of an

                    amendment that is being held pending

                    destruction in a sealed envelope marked with

                    the short title, accounting number, and

                    classification of the amendment.  Destroy the

                    residue within 5 days after entering the

                    amendment.



     18.  Accounting for COMSEC Material Launched into Space. 

          Accountable COMSEC material launched into space aboard

          expendable vehicles or in shuttle deployed payloads is

          normally considered unrecoverable.  COMSEC equipment

          installed aboard shuttle vehicles does not fall into

          this category.  Take the following steps to remove

          unrecoverable COMSEC material from accountability

          records at the NASA COR:



          a.   Prior to launch:  Strip TSEC nomenclature

               nameplates and any other markings from

               cryptographic equipment and keying elements at the

               time equipment is installed in a payload. 

               Unclassified photographs that show COMSEC

               equipment installation in the payload will be

               made.  Keep nomenclature nameplates and

               photographs with COMSEC accounting paperwork until

               after launch or certain destruction of the space

               vehicle.



          b.   Following the launch:  Complete a destruction

               report as described in subparagraph 204.15c. 

               Below the "NOTHING FOLLOWS" line include the date

               of launch, identify the launch vehicle, briefly

               explain events, and request that COR account-

               ability be dropped because of launch.  Attach

               equipment nomenclature nameplates and forward the

               report to the NASA COR.  The COMSEC Custodian will

               retain a copy of nomenclature nameplates and

               photographs with COMSEC accounting paperwork as

               part of official records.  Classify any

               correspondence associating COMSEC equipment use

               aboard space vehicles, except shuttle vehicles, at

               the minimum level of CONFIDENTIAL.



          c.   With today's technology, recovery from space is

               possible.  When COMSEC materials are recovered

               from space, the receiving COMSEC Custodian will

               file a Possession Report in accordance with

               subparagraph 204.12.  Because nomenclature

               nameplates will not be attached to recovered

               cryptographic equipment, the Possession Report

               must identify the spacecraft from which the

               equipment was recovered and must reference the

               Destruction Report that removed the material from

               accountability following launch.  The receiving

               COMSEC Custodian may be required to coordinate

               this action with the losing Custodian if the

               spacecraft was launched from a location other than

               the receiving Custodian's.  This information will

               allow the NASA COR to positively identify and

               properly track recovered COMSEC materials.



205  AUDIT OF COMSEC ACCOUNTS



     1.   Basis.  NASA COMSEC accounts will be audited by the

          NASA COR at least every 24 months on an announced basis

          and/or as deemed necessary based on the following

          factors:



          a.   Size of the COMSEC account and volume of

               transactions.



          b.   Frequency of COMSEC Custodian changes.



          c.   Classification and sensitivity of the COMSEC

               material held.



          d.   Frequency of deviation from COMSEC accounting

               procedures.



     2.   Notification.  Prior notice may or may not be provided

          when a COMSEC account has been selected for an audit

          other than the regularly scheduled audit.



     3.   Auditor Access.  The auditor will have access to all

          accountable COMSEC material held by the NASA COMSEC

          Account.  The auditor will present proper

          identification prior to gaining access to the COMSEC

          account.



     4.   Scope of the Audit.  The audit of a COMSEC account will

          include the following actions:

       

          a.   Verifying the completeness and accuracy of COMSEC

               accounting reports and files.



          b.   Determining the COMSEC Custodian and Alternate

               COMSEC Custodian's knowledge of and adherence to

               the provisions of this Manual.



          c.   A review of all procedures related to the control

               and safeguarding of COMSEC material.

          d.   Physically sighting all accountable COMSEC

               material.



          e.   Verifying compliance with packaging, marking, and

               shipping procedures.



          f.   Soliciting any problems encountered by the COMSEC

               Custodian in maintaining the account. 

      

          g.   Recommendations for improving local COMSEC

               accounting and control procedures.



          h.   A cursory inspection of implemented protective

               technologies.



          i.   Verification of current COMSEC briefings for

               contractor personnel who have access to COMSEC    

               material.



     5.   Audit Report.  After completing the audit, the auditor

          will notify the COMSEC Custodian and consult with the

          Installation Security Officer regarding any situation

          requiring immediate action and will conduct an exit

          interview with the Custodian's supervisor.  A formal

          report of audit outlining any discrepancies noted

          during the audit, the condition of the COMSEC account,

          and any recommendations for improvement will be

          included as an appendix to the Functional Management

          Review Report.  When serious deficiencies are found, a

          Certificate of Action Statement will be submitted

          independently to the COMSEC Custodian.  All actions

          required in the report must be completed within 10

          working days after the report is received.



206  CLOSING A COMSEC ACCOUNT



     When it has been determined that a COMSEC Account should    

     be closed because it no longer is required and all COMSEC

     material has been properly disposed of and no discrepancies

     exist, submit a formal written request to the NASA COR.  The

     NASA COR will notify the element/activity in writing that

     the COMSEC account has been closed and the appointments of

     the COMSEC Custodian and Alternate(s) have been terminated. 

     Dispose of COMSEC accounting records and files according to

     paragraph 204.15.







               CHAPTER 3:  CONTROLLING AUTHORITIES



300  GENERAL



     This Chapter applies to organizations within NASA that own,

     hold, or use classified or CCI equipment, and it only

     addresses "hard copy" keys (i.e., physical keying material

     such as printed key lists, punched key tapes, etc.).  "Soft

     keys" in electronic form are often employed in newer

     cryptographic equipment for key updating and similar

     functions, and are addressed in the operating instructions

     for the particular equipment.



301  KEYING MATERIAL SOURCE



     Keying material is produced and provided by the NSA.   

     Equipment operating in a cryptonet must have compatible

     keying material to be able to correctly encrypt and decrypt

     communications.  To manage establishing a cryptonet, and to

     ensure the correct keying materials are provided to each

     member of the cryptonet, a controlling authority is

     designated to manage the operation of the cryptonet and the

     associated keying material.



302  ESTABLISHING THE CRYPTONET AND DESIGNATING THE CONTROLLING

     AUTHORITY



     Whenever a new cryptonet is established, a controlling

     authority must be designated to oversee and manage the

     operational use and control of keying material.



     1.   The lead NASA Government element (e.g., project office

          or circuit demander) is responsible for initiating the

          request to establish a cryptonet and performing

          controlling authority functions, and coordinates with

          the local security office and COMSEC Custodian to

          submit a brief written proposal to the NASA COR.



     2.   When no lead Government office is identified, contact

          your Installation Security Office or the NASA COR for

          technical advice.  For electronically generated key,

          the element that directed the key generation performs

          the controlling authority functions unless those

          functions are specifically delegated to another

          organization.



     3.   Include controlling authority designation by name in

          the proposal.



     4.   A controlling authority must be a member of the

          cryptonet and as controlling authority have authority

          over the other members; i.e., all net members,

          including net members from other agencies or

          departments, must abide by any direction given to the

          net by the controlling authority.  The controlling

          authority must have the expertise to perform essential

          management functions described in this Chapter, and

          must have the means to communicate securely with

          cryptonet members (preferably redundant means) and must

          be in a position to monitor the status of the

          cryptonet; i.e., to identify problems or receive

          adequate information about net problems.



     5.   Controlling authority designation must be made early in

          the process of establishing a cryptonet, since this is

          the first step in obtaining the keying material

          necessary for net operations.



     6.   All cryptonet proposals and controlling authority

          designations are subject to review and validation by

          the NASA COR.



     7.   All cryptonet members, appropriate distribution

          authorities, the NASA COR, and the NSA must be notified

          of all controlling authority designations and changes.



303  NASA CONTRACTORS CURRENTLY DESIGNATED AS CONTROLLING

     AUTHORITIES



     Where contractors currently perform this function, the

     lead Government office in coordination with the local

     security office will designate a U.S. Government Civil

     Servant to ensure that controlling authority functions

     of the contractor are being performed adequately.  



304  CONTROLLING AUTHORITY RESPONSIBILITIES



     The controlling authority for a cryptonet has

     responsibilities in three broad categories:  cryptonet

     management, evaluating COMSEC incidents, and reacting to

     keying material compromises or suspected compromises.

     

     1.   Cryptonet Management.  To manage the cryptonet

          effectively, maintain accurate records in sufficient

          detail to assess the impact of, and to recover from, a

          compromise.  Direct communication with cryptonet

          members is authorized.  Cryptonet management includes:



          a.   Designating and maintaining a record of cryptonet

               members and the quantity of key each is authorized

               to hold.  Know the identity of all cryptonet

               members, the problems users may be experiencing

               with the keying material, the distribution

               authorities that support the holders of the

               material, and the most expeditious ways of

               promulgating supersession and other emergency

               information to all holders of the keying material.



          b.   Coordinating the establishment of a cryptonet and

               the logistic support for the net, by advising

               appropriate distribution authorities, the NASA

               COR, and the NSA, Y13, of the COMSEC accounts that

               will be issued keying material and the number of

               copies to be issued.



          c.   Coordinating with distribution authorities to

               ensure timely resupply of keying material.



               (1)  When user accounts have only a 2-month supply

                    of key remaining, promptly ascertain the

                    status of follow-on material; and



               (2)  If user accounts cannot be ensured of

                    resupply before the remaining key is

                    expended, direct users to implement the

                    longest authorized cryptoperiod extension for

                    each remaining key setting (see subparagraph

                    e, immediately following).  If the extension

                    is insufficient, report by initiating a

                    message at the IMMEDIATE precedence to the

                    NASA COR and the NSA, X72 and Y13, so that

                    contingent arrangements can be made.  Include

                    in the message the short title and number of

                    net members; describe the type of operations

                    (i.e., full- or part-time, etc.); and explain

                    the necessity for the cryptoperiod extension.



          NOTE:  When time is of the essence, controlling

          authorities may verbally request emergency cryptoperiod

          extensions from the NSA, X72.  When authorization is

          given verbally, take immediate action; do not wait for

          message documentation.  Net members must abide by all

          verbal instructions relayed by the controlling

          authority.



          d.   Whenever necessary, authorizing cryptoperiod

               extensions of manual crypto systems up to 72 hours

               and auto-manual and machine crypto systems up to 1

               week, unless the specific crypto system doctrine

               prohibits such extension or authorizes a longer

               cryptoperiod extension.  In cases of conflict,

               crypto system doctrine takes precedence. 

               Controlling authorities must inform the NASA COR,

               but are not required to report these extensions to

               the NSA.



          e.   Net members can extend crypto periods up to 2

               hours to complete a transmission or conversation

               in progress at key change (HJ) time.  Controlling

               authority approval is not required and net members

               are not required to report these extensions.



          f.   Specifying the date the first edition of keying

               material becomes effective and the effective dates

               of remaining material, designating contingency

               editions, and informing cryptonet members,

               appropriate distribution authorities, the NASA

               COR, and the NSA, Y13.  The controlling authority

               sends an activation message when material is in

               place throughout the new cryptonet.  NOTE:  For

               classified keying material, the effective dates

               are classified CONFIDENTIAL.



          NOTE:  Supersession rates are established by the NSA,

          based on security, operational need, and

          production/resupply constraints.  Except in

          emergencies, controlling authorities cannot change

          supersession rates.



          g.   Knowing the operations and operational

               requirements supported by the cryptonet, proper

               use of the key, and being familiar with the

               operation and capabilities of the associated

               equipment.



          h.   Specifying key change time for the cryptonet when

               the time is not prescribed in the keying material.



               The time selected for key change must be

               consistent throughout the cryptonet and be chosen

               to have the least operational impact.



          i.   Notifying all net members, appropriate

               distribution authorities, the NASA COR, and the

               NSA, Y13, of any changes in net configuration, or

               keying material status.



          j.   Authorizing electronic generation and distribution

               of key (except that key encryption key (KEK) must

               be physically distributed), physical transfer of

               key in a common fill device, or local reproduction

               of key in situations where established channels

               cannot supply the material in time to meet urgent,

               unprogrammed,  operational requirements.  Ensure

               that reproduced material is kept to the minimum

               amount essential, and is properly classified,

               controlled, and destroyed in the same manner as

               the original keying material.  If reproduction of

               the same material is authorized routinely,

               increase the copy count of that material instead.



          k.   Approving the number of extracts of keying

               material that may be issued to a user at any one

               time, except where specified in the material.



          NOTE:  Issuing extracts of protectively packaged keying

          material defeats the purpose of protective packaging,

          and increases the vulnerability of the key.  Always

          issue protectively packaged keying material as entire

          editions, except where operational necessity precludes

          such issue.



          l.   Reporting COMSEC incidents according to Chapter 6

               of this Manual.



          m.   Ensuring that COMSEC incident reporting

               instructions (Chapter 6) are disseminated to all

               cryptonet members (with special emphasis on how

               and where to send incident reports).



          n.   Establishing procedures to ensure that all holders

               of the cryptonet key can be contacted with minimum

               delay in an emergency (i.e., maintain a current

               list of all holders with up-to-date telephone

               numbers and correct message addresses).



          o.   Reporting defective keying material according to

               paragraph 309.



          p.   Ensuring that COMSEC accounts supporting cryptonet

               members have enough material on hand for regular

               and emergency supersession, but not too much

               material, which negatively affects security,

               storage, bookkeeping, etc.



               (1)  User COMSEC account inventories should

                    generally not exceed 4 months' supply of

                    monthly superseded material, including

                    effective material.



               (2)  A minimum of one backup edition of keying

                    material must be held at the user COMSEC

                    account regardless of the normal cryptoperiod

                    length.



          q.   Conducting annual reviews to confirm that the

               requirement for the cryptonet keying material

               continues, and verifying the quantity, quality,

               and operational effectiveness of that material. 

               This review will normally be conducted as an

               annual update of the Keying Material Support Plan

               (see paragraph 305).



     2.   Evaluating COMSEC Incidents.  Controlling authorities

          must ensure that COMSEC incidents involving the keying

          material under their control are reported properly and

          evaluated rapidly.  As stated in Chapter 6 of this

          Manual, the controlling authority must sometimes

          determine if a COMSEC incident has resulted in an

          insecurity, and the appropriate recovery measures to

          take.  Each incident is different, so each case must be

          evaluated independently.  COMSEC incident evaluation is

          often a subjective process, even when all pertinent

          facts are available.  While it is not possible to

          discuss all types of COMSEC incidents that controlling

          authorities may be called upon to assess, the following

          guidance will enable controlling authorities to

          effectively evaluate the most commonly encountered

          incidents.  Controlling authorities may contact the

          NASA COMSEC Manager for assistance with evaluating

          incidents.



          a.   The following steps are involved in making an

               evaluation:



               (1)  Be familiar with requirements of Chapter 6.



               (2)  Gather the facts.



               (3)  Determine the probability of compromise or

                    loss of the cryptographic system, keying

                    material, etc.



               (4)  Determine the type and amount of information

                    that may have been compromised because of the

                    incident, and ensure that appropriate

                    officials are notified so they can take

                    action to limit the damage caused by actual

                    or potential loss of the information.



               (5)  Consider the various options for actions to

                    avoid or reduce damage caused by the COMSEC

                    incident (e.g., superseding key).



               (6)  Direct corrective action implementation.



          b.   When an incident report is received for

               evaluation, if the facts reported are not

               adequate, request additional information from the

               reporting organization.  Specify as much as

               possible the additional information required.



          c.   Keying material discovered to be lost or

               temporarily out of prescribed control, or found in

               an unauthorized location, are considered

               compromised.  For instance, keying material that

               was lost but later recovered, but continuous

               secure handling cannot be verified, is considered

               compromised.



          d.   Unauthorized access to keying material is

               considered a compromise.



               (1)  Keying material exposed to casual view by

                    unauthorized U.S. personnel under

                    circumstances where copying, photographing,

                    or memorizing would be difficult is

                    considered compromise improbable.



               (2)  Keying material accessed by unauthorized U.S.

                    personnel under circumstances where a

                    reasonable opportunity existed to copy,

                    photograph, or memorize key is considered a

                    compromise.



               (3)  Keying material exposed to view by

                    unauthorized foreign personnel is considered

                    a compromise unless substantial evidence

                    suggests no compromise occurred (i.e., the

                    circumstances effectively precluded the

                    possibility the keying material was copied,

                    photographed, or memorized).



          e.   Unauthorized absence of personnel who have access

               to keying material is considered compromise

               improbable unless evidence suggests defection,

               theft, or loss of keying material.  When someone

               who has had access to keying material is

               officially reported as absent without

               authorization, all cryptographic equipment, key

               and other materials to which the person could have

               had access must be inventoried.  If evidence

               suggests theft or loss of keying material, or

               defection of personnel, consider the material

               compromised and initiate emergency supersession at

               the earliest practical time.



          f.   Controlling authorities should be conservative

               when evaluating incident reports involving keying

               material.  Key may be stolen, copied,

               photographed, changed, or substituted in a very

               short period if material is not under proper

               control.



          g.   Time Limits for Evaluating COMSEC Incidents. 

               COMSEC incident reports must be evaluated within

               the time limits specified below.  Time limits

               begin when the initial report, or amplifying

               report if the initial report does not contain

               sufficient information to permit an evaluation, is

               received.  Solicit any additional information

               required to make an evaluation.



               (1)  If the initial report is sent at IMMEDIATE

                    precedence, the action official must provide

                    a response/evaluation within 24 hours. 

                    Report and evaluate the following types of

                    COMSEC incidents at IMMEDIATE precedence:



                    (a)  Currently effective keying material or

                         keying material scheduled to become

                         effective within 15 days.



                    (b)  Defection, espionage, hostile cognizant

                         agent activity, clandestine

                         exploitation, tampering, sabotage, or

                         unauthorized copying, reproduction, or

                         photography.



               (2)  If the initial report is sent at PRIORITY

                    precedence, the action official must provide

                    a response/evaluation within 48 hours. 

                    Report and evaluate the following types of

                    COMSEC incidents at PRIORITY precedence:



                    (a)  Future keying material scheduled to

                         become effective beyond the next 15

                         days.



                    (b)  Superseded, reserve, or contingency

                         keying material.



               (3)  If the initial report is sent at ROUTINE

                    precedence, the action official must provide

                    a response/evaluation within 72 hours. 

                    Assign ROUTINE precedence to an initial

                    report of any COMSEC incident not covered

                    above.



     3.   Reacting to Incidents.  Cryptographic equipment is

          designed so that security depends primarily on the

          changing keys used to encrypt and decrypt information. 

          When evaluating incidents then, corrective actions fall

          into different categories, one for equipment and other

          materials that do not change, and another for keying

          materials.



          a.   Incidents involving cryptographic equipment and

               related materials other than keying material

               require corrective followup actions focused on

               preventing a recurrence of the incident, although

               certain cases, such as suspected tampering with a

               cryptographic device, may merit special actions

               (e.g., notifying the NSA so that a technical

               evaluation may be made).  The evaluation response

               should center on informing appropriate

               organizations (e.g., for lost CCI equipment,

               ensure that the accountability requirements to a

               COR are addressed), and correcting the problems

               that allowed or caused the incident to happen.



          b.   Where substantial evidence suggests that keying

               material has been compromised, take immediate

               action.  Ideally, announce precautionary

               supersession and direct early implementation of

               uncompromised future material.  Report

               supersession immediately to the appropriate

               distribution authorities and the NASA COR so that

               resupply action may be taken, replacement material

               produced, and status documents corrected.



               (1)  If superseded or effective keying material

                    has been compromised, then by extension,

                    assume that all information encrypted using

                    that keying material has been compromised. 

                    Direct reviews of record traffic encrypted

                    with the compromised keying material when

                    warranted.  Notify appropriate officials so

                    they may take action to minimize damage

                    caused by actual or possible disclosure of

                    information.

               (2)  If future keying material (not yet used) has

                    been compromised, then take steps to avoid

                    its use and replace it with keying material

                    that has not been compromised.



               (3)  The decision to supersede a current or future

                    edition of keying material in an emergency

                    must take into account the time required to

                    notify all cryptonet members, the number of

                    editions held at cryptonet member COMSEC

                    accounts, the ability to acquire replacement

                    editions, and the time required for members

                    to implement the new key.  Coordinate all

                    emergency supersession actions with the NSA,

                    Y1, so replacement materials may be produced

                    and shipped.



          c.   Direct the net to implement emergency or spare key

               settings when keying materials provide such spare

               settings.



          d.   Direct early implementation of uncompromised

               future editions of keying material.



          e.   The following options are available to controlling

               authorities when supersession is warranted, but

               not all net members hold replacement key.  In

               order of preference:



               (1)  Key may be electronically generated and

                    transmitted to net members via an

                    uncompromised crypto system approved for

                    over-the-air key transfer.



               (2)  Printed key settings may be transmitted by a

                    crypto system that provides end-to-end

                    encryption equal to the classification of the

                    transmitted key (e.g., the Automatic Digital

                    Network (AUTODIN) system, secure facsimile,

                    or secure telephone).  Printed key settings

                    can also be encrypted by auto-manual or one-

                    time pad system and transmitted over a system

                    that is secured at a lower level than the

                    encrypted key.



               (3)  Printed key settings may be reproduced and

                    physically transferred to net members. 

                    Punched tape will not be reproduced without

                    the authorization of NSA, X72.  Converting

                    hard copy keying material to electronic form

                    for equipment fill is not considered

                    reproduction.



               (4)  Key may be physically transferred to net

                    members in a common fill device or other

                    approved transfer device.   When keyed, the

                    common fill device must be protected at the

                    same level as the key it contains.



          f.   When supersession is warranted but not feasible,

               the following options are available in order of

               preference:



               (1)  Extend the cryptoperiod of uncompromised

                    keying material in accordance with doctrinal

                    constraints.



               (2)  Exclude from net operations those members who

                    do not hold or cannot be furnished

                    replacement material. 



               (3)  Suspend cryptonet operations until key can be

                    resupplied.



               (4)  As a last resort, continue to use the

                    compromised key when:



                    (a)  Normal supersession of the compromised

                         material will take place before

                         emergency supersession can be

                         accomplished;



                    (b)  Keying material changes would have a

                         serious detrimental effect on essential

                         operations; or, 



                    (c)  No replacement keying material is

                         available by any means.



                    (d)  In such a case, the controlling

                         authority must alert all cryptonet

                         members (by some secure means other than

                         the compromised system) that a

                         compromise has occurred and that

                         transmissions with the compromised key

                         may also be compromised and so should be

                         minimized. (Use this option only when

                         continued cryptonet operation is

                         absolutely essential to the mission.)



305  CONSIDERATIONS WHEN ESTABLISHING A CRYPTONET



     A controlling authority requires accurate information on all

     aspects of the cryptonet in order to properly manage the

     net.  In particular, the controlling authority should be

     familiar with all aspects of handling keying material in the

     net, and with the most expeditious ways to promulgate

     supersession and other emergency information to all holders

     of the keying material.  Some specific items to consider

     include the following:



     1.   Effective key change times should be as convenient as

          possible for all members of the net.  Knowing the net

          operations at members locations, across different time

          zones, is helpful when picking an optimum key change

          time.  Key change should occur during a period of low

          traffic volume.  For systems that are superseded more

          than once a day, the time for key change should bisect

          the period of maximum use as nearly as is practical.



     2.   The date and time of key changes must be uniform

          throughout the cryptonet.



     3.   Cryptonets should be kept as small as operationally

          feasible.  Generally, small cryptonets narrow the

          exposure of individual editions of keying material,

          limit the consequences of keying material compromises

          in terms of vulnerable communications, and lessen the

          problems associated with resupply.



     4.   Crypto logistics need to be considered carefully, i.e.,

          how keying material will get to each member of the

          cryptonet, if new COMSEC accounts or subaccounts should

          be established, or if existing accounts can be closed.



     5.   To perform responsibilities properly, the controlling

          authority must know the current status of the

          cryptonet.  Determine what net operations information

          is available and how it will reach the controlling

          authority.



     6.   Operational interoperability requirements may dictate

          certain cryptographic netting and subnetting schemes.



     7.   The classification of the keying material for the net

          is determined by the quantity, sensitivity, and

          classification of the information to be transmitted

          over the cryptonet.



306  KEYING MATERIAL SUPPORT PLAN (KMSP)



     The controlling authority must prepare a KMSP, which

     establishes how keying material will be provided to the

     cryptonet during its operational lifetime.  Prepare the KMSP

     as outlined in paragraph 308, and submit to the NASA COR,

     who will review and forward the KMSP to the NSA.  Allow

     sufficient time when filing the KMSP with the NSA for

     producing and distributing the keying material.  For

     planning purposes, a minimum of 120 days is required by the

     NSA from the time an order is received until it is produced

     and shipped.



307  CONTENTS OF THE KMSP

     

     The KMSP must contain adequately detailed information about

     the cryptonet so that the NSA can produce and provide the

     correct types and amounts of keying materials to the right

     places at the right times.  Enough information must be

     included so that the NSA can be satisfied that security

     concerns are addressed (e.g., ensuring that no SECRET keying

     material is sent to an account authorized to hold only

     CONFIDENTIAL material).  Address each of the following

     specifically in the KMSP:



     1.   Operational Need.  Briefly state the need for the

          cryptonet (i.e., the Government contracts and types of

          information involved).  Specify the classification

          and/or sensitivity of the information to be

          transmitted.



     2.   Operational Concept.  State the operational structure

          of the net; days/times of operation; identification of

          net control and alternates, and subnetting.



     3.   Controlling Authority.  Identify the cryptonet

          controlling authority, including names of points of

          contact, complete address information, and telephone

          numbers.



     4.   Contracting Office(s).  Identify the Government

          contracting office or offices served by or associated

          with the cryptonet; include names, addresses, and

          telephone numbers of contracting officers.



     5.   Keying Material Specification  



          a.   Identify the cryptographic equipment and fill

               devices that will use the keying material;



          b.   Specify the use of the keying material: 

               operational, maintenance, training;



          c.   Identify the quantity required (copy counts). 

               Also identify editions if circumstances warrant;



          d.   Specify the date initial operational capability is

               required;



          e.   List classification (or specify UNCLASSIFIED).



     6.   Distribution Plan.  Describe shipping of the keying

          materials, identifying the originator (normally the

          NSA) and the receivers.  Include a block diagram of the

          shipping paths from the originator to the final

          destinations of the material (only the major points of

          accounting transfers need be shown).  Provide complete

          COMSEC account information for each of the major modes

          in the distribution plan.  Identify any primary COMSEC

          accounts that will receive materials in bulk shipments,

          and any subaccounts that will be serviced by other than

          their primary accounts.  Address how the keying

          materials will be distributed from the COMSEC accounts

          to the actual users.

     7.   Other Information.  Include any additional information

          that is significant or unique to the particular

          cryptonet or keying material.



308  ANNUAL REVIEWS OF THE KMSP



     Review the adequacy and currency of the KMSP annually, and

     provide any changes in writing to the NASA COR and the NSA,

     Y1, no later than July 1 of each year.  Written negative

     reports (indicating no changes are necessary to the current

     KMSP) are required when applicable.



     1.   Confirm cryptonet structure, quantities, and adequacy

          of key to meet operational requirements and continuing

          requirement for the key.  Deactivate the cryptonet if

          it is no longer needed.  During the review, identify

          any crypto systems that should be put into contingency

          status (see subparagraph 4e.)



     2.   Review manual crypto system keying material and

          participate in surveys and reviews according to 

          NACSI 4007.



     3.   Recommend changes in keying material content, format,

          or classification to the NSA, Y13, and in the case of

          manual crypto systems, V27.



     4.   Include the following particular points to be addressed

          in the report:



          a.   Changes in cryptonet membership;



          b.   Changes in addresses, names of contacts, and

               telephone numbers;



          c.   Changes in the classification or sensitivity of

               the information being communicated on the net;



          d.   Any changes in the quantity of materials

               distributed;



          e.   Any planned changes or cancellations of

               requirements.



     5.   Designating Contingency Keying Material.  When large

          amounts of cryptographic materials are provided for

          regular consumption, and are destroyed unused, consider

          placing the material into contingency status. 

          Contingency keying material is that slated for a

          specific, yet irregularly occurring, requirement.  The

          material is not activated until needed for the specific

          requirement, and is not destroyed until after use. 

          Substantial savings in production, distribution,

          accounting, and destruction are realized when

          contingency materials are used instead of regularly

          superseded effective key.  Coordinate actions to

          establish a contingency cryptonet with the NASA COR,

          appropriate distribution authorities, and the NSA, Y13.



309  DEFECTIVE KEYING MATERIAL



     When keying material is found to be defective, direct that  

     the defective material and all associated packaging

     materials be retained pending disposition instructions. 

     Address reports to the NSA, Y13 and X712, with information

     to the NASA COR.  The NSA will provide disposition

     instructions for defective key and packaging materials by

     message and, if the material is to be recalled, will provide

     specific instructions for its return.  Return recalled

     keying material via the Defense Courier Service, Department

     of State Courier System, or cleared agency or contractor

     courier.  In the transfer report, state the reason for

     return, refer to the recall message, and include any other

     remarks requested in the recall message.







       CHAPTER 4:  COMSEC INFORMATION ACCESS REQUIREMENTS



400  CRITERIA FOR ACCESS TO COMSEC INFORMATION



     U.S. classified COMSEC information, the loss of which could

     cause serious or exceptionally grave damage to U.S. national

     security, requires special access controls.  Accordingly,

     access to U.S. classified cryptographic information shall

     only be granted to individuals who satisfy the following

     criteria:



     1.  Is a U.S. citizen.



     2.  Is an employee of the U.S. Government, is a U.S.

         Government-cleared contractor, or is employed as a U.S.

         Government representative (including consultants of the

         U.S. Government).



     3.  Has been granted a security clearance by the U.S.

         Government appropriate to the classification of the

         cryptographic information to be accessed.  The security

         clearances of personnel occupying the positions of

         COMSEC Custodian and Alternate COMSEC Custodian of NASA

         COMSEC accounts must be based on a background

         investigation (BI) current within 5 years.  Other

         employees who require access to COMSEC information that

         is classified SECRET or below do not require a security

         clearance based on a BI.



     4.  Possesses a valid need-to-know as determined necessary

         to perform duties for, or on behalf of, the U.S.

         Government.



     5.  Receives a security briefing appropriate to the U.S.

         classified cryptographic information to be accessed.



     6.  Acknowledges access by signing a cryptographic access

         certificate (sample in Appendix B).



401  COMSEC BRIEFING REQUIREMENTS



     1.  A member of the Installation Security Office, COMSEC

         Custodian, Alternate COMSEC Custodian, or member of the

         NASA Security Office will administer a COMSEC briefing

         to all employees whose duties require accessing COMSEC

         materials and maintaining associated records.  For U.S.

         Government personnel, this is a one-time briefing that

         remains in effect during the time the employee has

         uninterrupted access.  NASA contractor personnel who

         have a continuing need for access to classified COMSEC

         information must be rebriefed periodically, at least

         annually.  Personnel whose access is strictly limited to

         unclassified COMSEC keying material and/or CCI equipment

         require only an initial briefing.  A COMSEC briefing is

         not required for individuals who only need access to a

         STU-III, unclassified CRYPTO, or to unclassified

         NACSEM's, NACSI's, NTISSI's, etc.  Local security

         requirements may augment these minimum briefing

         requirements.



     2.  As a result of the briefing, employees shall understand

         their individual responsibilities in handling and

         safeguarding procedures for classified COMSEC material. 

         A sample briefing is included as Appendix B.



     3.  Complete Section One of the cryptographic access

         certificate after the COMSEC briefing is received, and

         before access is granted to U.S. classified COMSEC

         information.  Execute Section Two of this form when the

         individual no longer requires such access.  Make the

         signed certificate (original) a permanent part of the

         official security records of the individual.







     CHAPTER 5:  TWO-PERSON INTEGRITY/NO-LONE ZONE CONTROLS



500  GENERAL



     TOP SECRET keying material is our nation's most sensitive

     keying material, since it is used to protect the most

     sensitive U.S. national security information and its loss to

     an adversary could compromise all information protected by

     the key.  Also, a significant body of information indicates

     that TOP SECRET keying material is a high-priority target

     for exploitation by hostile intelligence services.  For

     these reasons, TOP SECRET keying material is afforded the

     special protection of two-person integrity (TPI) and no-lone

     zone (NLZ) controls.



     1.  Waivers to requirements in this Chapter may be

         requested; however, maintaining a strong national COMSEC

         posture dictates that waivers be granted on a case-by-

         case basis only when a genuine hardship exists.  Direct

         written requests for waivers, containing justification,

         through the COMSEC Custodian and Installation Security

         Officer to the NASA COMSEC Manager.  When the

         controlling authority for the material is not within

         NASA, the requester must notify that controlling

         authority of the waiver as soon as it is received.



     2.  Any violation of the TPI/NLZ requirements in this

         Chapter is reportable as a COMSEC incident in accordance

         with Chapter 6, paragraph 601.3j.



501  PROCEDURES FOR HANDLING AND SAFEGUARDING TOP SECRET KEYING

     MATERIAL



     TPI control of TOP SECRET key requires that COMSEC accounts

     and all local holders (hand receipt users) have TPI storage

     capabilities and procedures to ensure that lone individuals

     will not have access to TOP SECRET keying material and key

     generators.  Procedures in this Chapter do not apply to key

     locally generated for immediate use, but they do apply to

     locally generated key that is held in physical or electronic

     form for future use.  TPI controls must be maintained for

     TOP SECRET materials at all times, except as specified

     below:



     1.  Transportation.  TPI controls apply whenever local

         couriers transport TOP SECRET keying material from one

         location to another.  Receipts for this material must be

         signed by two individuals who are cleared for TOP SECRET

         and authorized to receive the material.  TPI controls

         are not required for TOP SECRET keying material while it

         is in the custody of the Defense Courier Service or the

         Diplomatic Courier Service.



     2.  TPI Handling of Packages Received



         a.    It is a requirement that upon initial receipt of

               TOP SECRET operational keying material by the

               COMSEC Custodian, TPI controls shall be

               implemented immediately.  For those accounts who

               are authorized to receive TOP SECRET operational  



               material, keep the following in mind: When a

               package is received and the classification cannot

               be determined by the COMSEC Custodian prior to

               opening, assume that the material is TOP SECRET. 

               The COMSEC Custodian and a TOP SECRET cleared TPI

               participant will then inspect the package for

               evidence of damage or tampering.  Both individuals

               will then open the package and compare the

               contents with the enclosed COMSEC Material Report

               (SF-153).  If the material is TOP SECRET

               operational keying material, both TPI participants

               will sign the SF-153 (Blocks 15 and 16) and

               immediately place the material into TPI storage. 

               A copy of the SF-153 will then be submitted to the

               NASA COR.  (If the material is not TOP SECRET

               operational key, standard procedures for the

               receipt of COMSEC material is specified in

               paragraph 204 of this manual.)



         b.    The above procedure provide a written record that

               reflects TPI controls were implemented upon

               initial receipt by the COMSEC Custodian.  The SF-

               153's reflecting receipt of TOP SECRET operational

               keying material will be reviewed by NASA auditors

               during audits to ensure compliance with the two

               signature requirement.  



     3.  Wrapping TOP SECRET Material



         a.    On Installations, enclose material in a sealed

               package or within a locked briefcase or other

               closed bag or container.



         b.    Off Installations, place material in sealed inner

               and outer wrappers.  Wrappers can be paper, canvas

               or briefcases.  Briefcases must be locked, with

               built-in combination locks or padlocks that are

               key or combination operated.  Mark the inner

               wrapper with the highest classification of the

               material inside, and with the "To" and "From"

               addresses.



     4.  Storage.  TPI storage for TOP SECRET keying material

         requires two different approved combination locks (see

         Annex E to NACSI 4005 for criteria for approved

         combination locks), with no one person authorized access

         to both combinations.  TPI storage can be in a strongbox

         within a security container, in a security container

         within a vault, or in a security container with two

         combination locks.  At least one of the locks must be

         built into the vault/container.



     5.  Use.  Establish NLZ wherever COMSEC equipment contains

         TOP SECRET key in hard copy form or in a mechanical

         permuter installed in a piece of equipment.  User

         locations where equipment holds TOP SECRET key in key

         card form or has key set on mechanical permuters will be

         operated as no-lone zones (i.e., space in which at least

         two appropriately cleared individuals must be present). 

         NLZ controls are not required when the key is resident

         in the cryptographic equipment in electronic form or

         where the cryptographic equipment has been modified to

         preclude access by a single individual to the hard copy

         key inside.  However, TPI controls always apply to

         initial keying and rekeying operations.



         NOTE:  Whenever possible, persons designated as TPI team

         members should have previous COMSEC experience.  If this

         is not possible, then the COMSEC Custodian should ensure

         that team members become familiar with those aspects of

         COMSEC operations i.e., key loading procedures,

         necessary in fully understanding TOP procedures.



     6.  Record of Combinations.  So that TPI secured materials

         may be accessed in emergencies, maintain a central

         record of combinations to the containers.  Record and

         protectively package each lock combination separately to

         prevent unauthorized access to the combinations.  Store

         the record of combinations as TOP SECRET material.  One

         method that may be used to protectively package records

         of lock combinations is contained in NACSI 4008, 

         Annex F.







       CHAPTER 6:  COMSEC INCIDENT REPORTING REQUIREMENTS



600  GENERAL



     COMSEC incident reports provide the information necessary

     for responsible officials to determine if a COMSEC incident

     results in a COMSEC insecurity.  Adhering to the following

     guidelines will ensure that all detected incidents involving

     COMSEC material are reported and evaluated promptly so that

     responsible officials can initiate action to minimize

     adverse impacts on security, take recovery measures, and

     prevent similar incidents from occurring.  Incidents

     involving unkeyed CCI equipment are now exempt from the

     reporting requirements of other COMSEC material.  The NTISSI

     4001 reporting requirements must be followed for unkeyed CCI

     equipment.  Joint Staff positive control material and

     devices and Data Encryption Standard (DES) keying material

     are no longer exempt.



     1.  Every person who uses, handles, or has access to COMSEC

         material must be aware of reportable COMSEC incidents

         and understand the responsibility to immediately report

         them, with no delay for any reason beyond the basic fact

         gathering.



     2.  Individuals will not be disciplined for reporting a

         COMSEC incident.  Corrective measures are most

         productive when aimed at the national doctrine or the

         organizational policy or procedure that allowed or

         contributed to the incident.  Disciplinary action should

         be considered for individuals who, through either gross

         negligence or willful acts, jeopardize the security of

         COMSEC material.



601  TYPES OF COMSEC INCIDENTS



     COMSEC incidents fall into three categories.  Included under

     each category are representative types of reportable

     incidents.  Additional reportable incidents that are

     peculiar to a given crypto system are listed in the

     operational security doctrine, operating instructions, and

     maintenance manual(s) for that crypto system.



     1.  Cryptographic Incidents



         a.    Cryptographic Incidents include the use of a

               COMSEC key which is compromised, superseded,

               defective, previously used and not authorized for

               reuse, or in any way incorrect for the

               cryptoperiod or application in which it is used.

               See the following examples: 



               (1)  Use of keying material that was produced

                    without the authorization of NSA (e.g.,

                    homemade maintenance or DES key, or homemade

                    codes).

               (2)  Use, without the authorization of NSA, of any

                    keying material for other than its intended

                    purpose (e.g., use of a test key for

                    operational purposes or use of a key on more

                    than one type of equipment).



               (3)  Unauthorized extension of a cryptoperiod.



         b.    Use of COMSEC equipment having defective

               cryptographic logic circuitry, or use of an

               unapproved operating procedure, such as the

               following examples:



               (1)  Plain text transmission resulting from COMSEC

                    equipment failure or malfunction.



               (2)  Any transmission during a failure, or after

                    an uncorrected failure that may cause

                    improper operation of COMSEC equipment.



               (3)  Operational use of COMSEC equipment without

                    completion of a required alarm-check test or

                    after failure of a required alarm-check test.



         c.    Use of any COMSEC equipment or device that has not

               been approved by NSA.



         d.    Discussions via nonsecure telecommunications of

               the details of a COMSEC equipment failure or

               malfunction.



         e.    Any other occurrence that may jeopardize the

               crypto security of a COMSEC system.



     2.  Personnel Incidents.  Any capture, attempted

         recruitment, known or suspected control by a hostile

         intelligence entity, or unauthorized absence or

         defection of an individual having knowledge of or access

         to COMSEC information or material is a personnel

         incident.  Examples are the unauthorized disclosure of

         COMSEC information or attempts by unauthorized persons

         to effect such disclosure.



     3.  Physical Incidents.  Any loss of control, theft,

         capture, recovery by salvage, tampering, unauthorized

         viewing, access, or photographing that has the potential

         to jeopardize COMSEC material is a physical incident

         such as the following examples:



         a.    Unauthorized access to COMSEC material, including

               access by persons who were mistakenly believed to

               have held appropriate clearances.



         b.    COMSEC material discovered outside of required

               COMSEC accountability or physical control, such as

               the following examples:

               (1)  COMSEC material reflected on a destruction

                    report as having been properly destroyed and

                    witnessed, but found to have not been

                    destroyed.



               (2)  COMSEC material not secured and left

                    unattended where unauthorized persons could

                    have had access.



               (3)  Any loss of control over a keyed common fill

                    device.

               

         c.    COMSEC material improperly packaged or shipped, or

               received with a damaged inner wrapper.



         d.    Destruction of COMSEC material by other than

               authorized means.



         e.    COMSEC material not completely destroyed and left

               unattended.



         f.    Actual or attempted unauthorized maintenance

               (including maintenance by unqualified personnel)

               or the use of a maintenance procedure that

               deviates from established standards.



         g.    Tampering with, or penetration of, a crypto

               system, such as the following examples:



               (1)  Known or suspected tampering with, or

                    unauthorized modification of, COMSEC

                    equipment or penetration of its key or

                    protective technology.



               (2)  Discovery of a clandestine electronic

                    surveillance or recording device in or near a

                    COMSEC facility.



               (3)  Activation of the anti-tamper mechanism on,

                    or unexplained zeroization of, COMSEC

                    equipment when other indications of

                    unauthorized access or penetration are

                    present.



         h.    Unexplained removal of keying material from its

               protective technology.



         i.    Unauthorized copying, reproduction, or

               photographing of COMSEC material.  (Normally the

               controlling authority will authorize reproduction

               of printed key settings.  If controlling authority

               approval cannot be obtained in time to meet

               operational requirements, the Installation

               Security Officer or NSA can authorize

               reproduction.  Manual crypto systems can be

               locally reproduced as necessary to meet

               operational requirements.)



         j.    Loss of two-person integrity or no-lone zone for

               TOP SECRET keying material as required by 

               NTISSI 4005, except where a waiver has been

               granted.



         k.    Deliberate falsification of COMSEC records.



         l.    Any other incident that may jeopardize the

               physical security of COMSEC material.  (Production

               errors and reports of defective keying material

               are not considered COMSEC incidents.  These types

               of discrepancies are reported to NSA, Y13, for

               resolution.)



602  TYPES OF WRITTEN REPORTS



     1.  Initial Report.  An initial report is required for each

         detected COMSEC incident.  If it contains all the

         information required in paragraph 605, and it has been

         accepted as a final report by the NSA, X71A, the initial

         report may also serve as the final report.  Include a

         request in paragraph 6 of the initial report that the

         report be accepted as a final report.



     2.  Amplifying Report.  Whenever new, significant

         information concerning a reported incident is

         discovered, an amplifying report is required.  If it

         contains all the information required in paragraph

         605.2, and it has been accepted as a final report by the

         NSA, X71A, the amplifying report may also serve as the

         final report.  Include a request as mentioned in

         paragraph 605.6 of the amplifying written report that

         the report be accepted as a final report.



     3.  Interim Report.  If a final report is not submitted

         within 30 days after the initial report or the last

         amplifying report, submit an interim report every 30

         days until the final report is submitted.  Explain in

         each interim report the status of the inquiry or

         investigation, or other reason for the delay of the

         final report.



     4.  Final Report.  A final report is required for each

         reported COMSEC incident unless the initial or an

         amplifying report served as the final report.  The final

         report must include a summary of the results of all

         inquiries and investigations, and identify corrective

         measures taken or planned to minimize the possibility of

         recurrence.



603  REPORTING INCIDENTS



     1.  Any person who discovers an incident involving COMSEC

         material may file the incident report.  The COMSEC

         Custodian for the material will assist with the

         particulars described in this Chapter.  Any incident or

         violation of the security requirements specified in this

         Manual must be reported to the controlling authority for

         the material and the Installation Security Officer, the

         agency COMSEC Incident Monitoring Activity (for NASA

         this is the NASA COMSEC Manager), and the NSA, X71A

         (COMSEC Insecurities Branch).  After submitting an

         initial COMSEC incident report, ensure that the

         individual specified as the point of contact is familiar

         with the details of the incident and is available to

         respond rapidly to questions from the evaluating

         authority.  Where two-holder, point-to-point material is

         involved, the Register 1 holder serves as the

         controlling authority.



     2.  Provide all known details in the initial report, and

         classify according to content (mark UNCLASSIFIED reports

         "FOR OFFICIAL USE ONLY").  Transmit reports by secure

         electrical means.  Only where secure circuits are not

         available may nonsecure electrical means be used.  In

         such cases, provide unclassified reports giving the

         minimum essential information, but only for initial and

         amplifying reports of physical incidents involving

         currently effective key and future key scheduled to

         become effective within 30 days.  Then, follow up the

         electrical report within 72 hours with a letter report,

         appropriately classified and securely forwarded.  When

         electrical means are not available at all, initial

         reports may be relayed to the NSA via telephone (see

         subparagraph 3).  Again, follow up the telephonic report

         within 72 hours with a letter report, appropriately

         classified and securely forwarded.  Security

         classification guidance for COMSEC information is

         provided in NTISSI 4002 or specific program documents.



     3.  Submit an initial report within 24 hours after the

         incident is discovered, assigned IMMEDIATE precedence,

         when incidents involve current keying material or

         material to be used within 15 days, and when incidents

         involve defection, espionage, hostile cognizant agent

         activity, clandestine exploitation, tampering,

         penetration, sabotage, unauthorized copying,

         reproduction, or photographing.   Submit an initial

         report within 48 hours after the incident is discovered,

         assigned PRIORITY precedence, when the incident involves

         keying material scheduled to become effective in more

         than 15 days, or superseded, reserve, or contingency

         keying material.



     4.  Submit reports for all other incidents within 72 hours,

         assigned ROUTINE precedence.  Assign higher precedence

         to a report of an incident that has significant

         potential impact.  Assign amplifying reports the same

         precedence as the initial report it references.  Assign

         ROUTINE precedence to interim and final reports, unless

         they contain significant new information affecting

         evaluation of the incident; then an appropriate higher

         precedence should be assigned.



604  REPORT ADDRESSING



     1.  Controlling authorities evaluate physical COMSEC

         incidents involving their keying material, except as

         specified in subparagraphs 2 and 3.  Controlling

         authorities can direct additional reporting if needed to

         determine if an incident resulted in an insecurity.  If

         an incident occurs involving material controlled by one

         controlling authority, address reports for action to the

         controlling authority, with information copies to the

         NASA COMSEC Incident Monitoring Activity, the local

         COMSEC Custodian and local security office, and the NSA,

         X71A.  If the controlling authority is not within NASA,

         include the COMSEC Incident Monitoring Activity for the

         controlling authority as another information addressee. 

         Contact the service COMSEC Incident Monitoring Activity

         only when the violator is within that service.  Contact

         the NASA COMSEC Manager for message addresses for COMSEC

         Incident Monitoring Activities for other departments and

         agencies.



     2.  The NASA COMSEC Incident Monitoring Activity evaluates

         physical incidents involving material controlled by more

         than one NASA controlling authority, or when a

         controlling authority caused an incident.  The NASA

         COMSEC Incident Monitoring Activity has final authority

         for determining if an incident involving NASA COMSEC

         material resulted in a COMSEC insecurity, and can direct

         additional reporting if needed to make that

         determination.  If such an incident occurs, address

         reports for action to the NASA COMSEC Incident

         Monitoring Activity, with information copies to the

         controlling authority for the material, the local COMSEC

         Custodian and local security office, and the NSA, X71A.



     3.  The NSA evaluates all other COMSEC incidents, including

         cryptographic and personnel COMSEC incidents, incidents

         involving material in transit or when the controlling

         authority cannot be identified, and incidents involving

         controlling authorities from more than one agency or

         department.  If such an incident occurs, address reports

         for action to the NSA, X71A, with information copies to

         the controlling authority for the material, the local

         COMSEC Custodian and local security office, and the NASA

         COMSEC Incident Monitoring Activity.



     4.  During normal duty hours (0700-1600 EST), contact the

         NSA, X71A, on STU-III 301/688-6010 OR -7010 (with secure

         FAX), or after normal duty hours and on weekends or

         holidays, contact the NSA Senior Information Systems

         Security Coordinator (SISSC) on STU-III 301/688-7003

         (with secure FAX).  Additionally, if the incident

         involves implemented protective technologies, provide

         information copies to the NSA, Y265.  If accountable

         COMSEC material is involved, provide copies of the

         reports to the NSA, Y13 (the NSA CAO).



     5.  The NASA COMSEC Incident Monitoring Activity or the NSA,

         X71A, will notify all concerned whether the reported

         incident resulted in an insecurity, and will provide any

         further instructions.



605  FORMAT AND CONTENT OF WRITTEN COMSEC INCIDENT REPORTS



     Each of the paragraphs indicated must be addressed in all

     written incident reports.  Where the reporting requirements

     of a paragraph are not applicable to the incident being

     reported, note "N/A" in the corresponding paragraph.  Where

     subsequent reports would merely duplicate information

     previously reported, the information need not be repeated. 

     Instead, reference the previous report that contains the

     information.



     1.  Subject.  The subject of the report will consist of only

         the words "COMSEC Incident."



     2.  References.  The report must include reference(s), as

         applicable, to the following:



         a.    The paragraph number of the operating or

               maintenance instruction, NASA Management

               Instruction (NMI), or this Manual, in which the

               reported insecurity is listed, or the statement: 

               "Formal reporting requirements cannot be

               identified at this time."



         b.    Previously forwarded, related incident reports and

               other correspondence identified sufficiently to

               permit location (e.g., date, time, office symbol,

               etc.).



     3.  Paragraph 1, Material Involved.  Identify the COMSEC

         material involved.  For keying material and documents,

         include the short title and edition; MATSYM or

         accounting number; register number; specific segments,

         tables, pages, etc., if not a complete edition or

         document; and the controlling authority for each short

         title.  For equipment, include the nomenclature or

         system designator; modification number, if applicable;

         serial number of ALC 1 and 3 material (all other by

         quantity); and associated or host equipment.  If the

         equipment was keyed, provide the information requested

         for keying material.



     4.  Paragraph 2, Personnel Involved.  Identify the

         individual(s) who caused, or was otherwise responsible

         for the incident.  For each individual involved, provide

         citizenship, duty position, and level of security

         clearance.  For personnel incidents only, also provide

         name and grade.



     5.  Paragraph 3, Location of Incident.  Identify the

         location of the incident, the responsible organization

         or element and the address, and the COMSEC account

         number.



     6.  Paragraph 4, Circumstances of the Incident.  Identify

         the circumstances surrounding the incident.  Give a

         chronological account of the events that led to the

         discovery of the incident and, when known, sufficient

         details to give a clear picture of how the incident

         occurred.  Include all relevant dates, times of day,

         frequency of events, precise locations and

         organizational elements involved, etc.  If the reason

         for the incident is not known, describe the events that

         led to the discovery of the incident.  Include a

         description of the security measures in effect at the

         location, and estimate the possibility of unauthorized

         personnel having access to the COMSEC material involved.



         Paragraph 4 of an amplifying report may also be used to

         report significant new information not included in other

         paragraphs of the report.



     7.  Paragraph 5, Additional Reporting Requirements.  Include

         any additional reporting that may be required for

         specific incidents or items.



         a.    Improper Use of Keying Material or Use of

               Unapproved Operating Procedures



               (1)  Describe the communications activity (e.g.,

                    on-line/off-line, simplex/half-duplex/full-

                    duplex, point-to-point/netted operations).



               (2)  Describe the operating mode of the

                    cryptographic equipment (e.g., clock start,

                    message indicator, traffic flow security).



               (3)  Estimate the amount and type of traffic

                    involved (e.g., intelligence, general service

                    (GENSER), voice, data).



         b.    Operational Use of Malfunctioning COMSEC Equipment



               (1)  Describe the symptoms of the malfunction.

        

               (2)  Estimate the likelihood that the malfunction

                    was deliberately induced.  If so, see

                    subparagraph b(3).



               (3)  Estimate the amount and type of traffic

                    involved.

         c.    Known or Suspected Defection, Espionage, Hostile

               Cognizant Agent Activity, Treason, Sabotage,

               Attempted Recruitment, Capture, or Unauthorized

               Absence



               (1)  Describe the individual's general background

                    in COMSEC and the extent of his or her

                    knowledge of cryptographic principles.



               (2)  List the crypto systems to which the

                    individual had current access and state

                    whether the access was to the cryptographic

                    logic and/or key (if to the logic, state

                    whether the access was to full or limited

                    maintenance manuals, and for key, state the

                    short titles and editions involved).



               (3)  Identify the counterintelligence organization

                    notified.



         d.    Loss of COMSEC Material



               (1)  Describe the actions being taken to locate

                    the material.



               (2)  Estimate the possibility the material was

                    accessed by unauthorized persons.



               (3)  Estimate the possibility the material was

                    removed by authorized or unauthorized

                    persons.



               (4)  Describe the methods of disposing of all

                    classified and unclassified waste and the

                    possibility of loss by those methods. 



         e.    COMSEC Material Discovered Outside of Required

               COMSEC Accountability or Physical Control



               (1)  Describe the action that caused physical

                    control or accountability to be restored.



               (2)  Estimate the likelihood of unauthorized

                    access.



               (3)  Estimate the length of time the material was

                    not secure.



         f.    COMSEC Material Received in a Damaged Package



               (1)  When the damage occurred in transit, identify

                    the means of transmittal.  Include the

                    package number and point of origin.



               (2)  When the damage occurred in storage, describe

                    how the material was stored.  NOTE:  Ensure

                    that all packaging containers, wrappers,

                    etc., are retained until destruction is

                    authorized.



         g.    COMSEC Material Received in a Package that Shows

               Evidence of Tampering, or Known or Suspected

               Tampering at Any Time



               (1)  Describe the damage or evidence of tampering.



               (2)  When the suspected tampering occurred in

                    transit, identify the means of transmittal. 

                    Include package number and point of origin.



               (3)  When the suspected tampering occurred in

                    storage, describe how the material was

                    stored.



               (4)  Identify the counterintelligence organization

                    notified, if applicable.



         NOTE:  When tampering is known or suspected, immediately

         seal the package and/or material in a plastic (or any

         other) wrapper and place it in the most secure, limited

         access storage available.  Handle the package and/or

         material as little as possible until further

         instructions are received from the NSA.  Take no action

         that would jeopardize potential evidence.



         h.    Unauthorized Copying, Reproduction, or

               Photographing



               (1)  Include a complete identification of the  

                    equipment or material reproduced or

                    photographed.



               (2)  Provide the reason for reproduction and how

                    the reproduced material was controlled.



               (3)  State whether espionage is indicated or

                    suspected.  If so, see subparagraph c. 

 

               (4)  Specify how detailed were the photographs of

                    equipment internals, keying material, or

                    documents.

         NOTE:  Include a copy of each photograph or other

         reproduction with the incident report.



         i.    Unauthorized Modification or Maintenance of COMSEC

               Equipment, or Discovery of a Clandestine

               Electronic Surveillance or Recording Device In or

               Near a COMSEC Facility



               (1)  Notify NASA Center Security Officer via STU

                    III for instructions and identify the

                    counterintelligence organization notified, if

                    applicable.



               (2)  Estimate how long the item may have been in

                    place.



               (3)  Estimate the amount, classification, and type

                    of traffic involved.



               (4)  Describe the modification or device; its

                    installation, symptoms, and the host

                    equipment involved.



         NOTE:  Hold information concerning these types of

         incidents on a strict need-to-know basis.  The equipment

         or devices should not be used or otherwise disturbed

         until further instructions are received from the NSA. 

         Where a clandestine intercept or recording device is

         suspected, do not speak about it in the area of the

         device.  Nothing should be done that would possibly

         alert the COMSEC exploiter, unless directed otherwise by

         the applicable counterintelligence organization or the

         NSA.



         j.    Material Lost in an Aircraft Crash



               (1)  Identify the location of the crash, including

                    coordinates.  Specify whether the crash

                    occurred in friendly or hostile territory. 

                    If the aircraft crashed at sea, also see

                    subparagraph k.



               (2)  State whether the aircraft remained largely

                    intact or wreckage was scattered over a large

                    area.



               (3)  Describe the security conditions at the crash

                    site at the time of impact.



               (4)  State whether the area was secured.  If so,

                    how soon after crash and by whom.



               (5)  State whether the area was searched for

                    COMSEC material.



               (6)  State whether recovery efforts for COMSEC

                    material were made or are anticipated.



         k.    Material Lost at Sea



               (1)  Provide the coordinates, when available, or

                    the approximate distance and direction from

                    shore.



               (2)  Estimate the depth of the water.



               (3)  State whether material was in weighted

                    containers.



               (4)  State whether the material was observed to

                    sink.



               (5)  Estimate the sea state, tidal tendency, and

                    the most probable landfall.



               (6)  State whether foreign vessels were in the

                    immediate area and their registry, if known.



               (7)  Estimate the possibility of successful

                    salvage operations by unfriendly nations.



               (8)  State whether U.S. salvage efforts were made

                    or are anticipated.



         l.    Space Vehicle Accidents



               (1)  Provide the launch date and time.



               (2)  State whether the space vehicle was destroyed

                    or lost in space.



               (3)  State whether the keying material involved

                    was unique to the operation or is common to

                    other ongoing operations.



               (4)  Estimate the probable impact point on the

                    earth's surface, if applicable.  If the

                    impact point was on land, also see

                    subparagraph d; if the impact point was at

                    sea, also see subparagraph k.



     8.  Paragraph 6, Possibility of Compromise.  State which of

         the following opinions is applicable:  compromise

         certain, compromise possible, compromise improbable;

         include the basis for the opinion.  Where an initial or

         amplifying report is also to serve as the final report,

         include a request in this paragraph that the report be

         accepted as a final report.



     9.  Paragraph 7, Point of Contact.  Include the name and

         commercial and secure telephone numbers of the

         individual who is prepared to respond to questions from

         the evaluating authority.







       CHAPTER 7:  ROUTINE DESTRUCTION OF COMSEC MATERIAL



700  GENERAL



     The security of U.S. crypto systems depends on the physical

     protection afforded the associated keying material.  All    

     keying material, current and superseded, is extremely

     sensitive since all traffic encrypted with a compromised key

     could be compromised as well.  For this reason, keying

     material (other than defective or faulty key) must be

     destroyed as soon as possible after supersession. 

     Destroying superseded or obsolete cryptographic equipment

     and supporting documentation is also essential for

     maintaining a satisfactory national COMSEC posture, since

     these materials may be of significant long-term benefit to

     hostile interests desiring to exploit U.S. communications

     for intelligence purposes. 



701  TRAINING DESTRUCTION PERSONNEL



     Supervisors must ensure that destruction personnel receive  

     proper instruction in using and handling destruction   

     devices and destruction procedures.  Personnel involved     

     must also be cleared to the highest classification level of

     the material to be destroyed and briefed on handling and

     procedures for protecting COMSEC information.



702  ROUTINE DESTRUCTION PROCEDURES FOR COMSEC MATERIAL



     Routine destruction should normally be done by the COMSEC

     Custodian and the Alternate COMSEC Custodian.  However, this

     restriction should not be enforced at the cost of delaying

     destruction.  Granting additional appropriately cleared

     people the authority to destroy superseded material and

     certify the destruction to the COMSEC Custodian is

     preferable to delaying destruction, even for a short time.  

     Note:  In order to expedite destruction, suggest that where

     an Installation has a Central Registry for the handling of

     classified information, the registry may be designated as a

     agent for the routine destruction of COMSEC Material. 

     COMSEC material must always be destroyed in the presence of

     an appropriately cleared witness.  Whenever system doctrine

     requirements conflict with procedures in this Manual, the

     system doctrine requirements take precedence.



     1.  In a small facility with only a few pieces of COMSEC

         equipment, the COMSEC Custodian should collect used or

         superseded key and other COMSEC material, replace it

         with new material as necessary and, with a witness,

         destroy the used or superseded material.



     2.  In a large facility, or in mobile situations, the COMSEC

         Custodian may authorize a hand-receipt user and a

         witness to destroy certain COMSEC material as soon as it

         is used, replaced, or superseded.  Hand-receipt users

         must use an approved destruction device.  The individual

         destroying COMSEC material and the witness show the

         material is destroyed by initialling an appropriate

         record (e.g., the usage/disposition record), and

         providing that record to the COMSEC Custodian at the end

         of each month.  Such local destruction records serve as

         the basis for the COMSEC Custodian's destruction report

         to the NASA COR.  When approved destruction devices are

         not available at the user facility, the material must be

         collected by the COMSEC Custodian immediately after

         supersession so that it may be destroyed within the time

         specified for that material in subparagraph b.



     NOTE:  DO NOT DESTROY defective or faulty keying material. 

     The COMSEC Custodian must report such material to the NSA,

     X71A, and hold for disposition instructions. 



     3.  The COMSEC Custodian must brief hand-receipt users

         authorized to destroy keying material, emphasizing

         correct destruction procedures, the necessity for prompt

         and complete destruction of used or superseded keying

         material, and for immediately reporting any loss of

         control of material before it was destroyed.



     4.  Scheduling Routine Destruction



         a.    COMSEC material is ordered destroyed by

               superseding editions unless directed otherwise by

               the NASA COR.  Do not destroy, dismantle, or

               cannibalize COMSEC material, other than superseded

               material, without specific authorization from the

               NASA COR.



         b.    Keying material designated CRYPTO must be

               destroyed as soon as possible after use or

               supersession, and may not be held longer than 12

               hours following supersession.  Where special

               circumstances prevent complying with the 12-hour

               standard (e.g., facility unmanned over weekend or

               holiday period), an extension to a maximum of 72

               hours is authorized.  For other circumstances,

               such as the requirement to maintain archival key,

               contact the NASA COR for instructions.  



         c.    COMSEC material involved in compromise situations

               must be destroyed within 72 hours after

               disposition instructions are received.



         d.    Complete editions of superseded keying material

               designated CRYPTO that are held by a COMSEC

               account must be destroyed within 5 days after

               supersession.



         e.    Maintenance and sample keying material not

               designated CRYPTO is not regularly superseded and

               need only be destroyed when physically

               unserviceable.



         f.    Superseded classified COMSEC publications that are

               held by a COMSEC account must be destroyed within

               15 days after supersession.

         g.    The residue of amendments to classified COMSEC

               publications must be destroyed within 5 days after

               the amendment is entered.



703  ROUTINE DESTRUCTION METHODS AND STANDARDS



     Authorized methods for routinely destroying paper COMSEC

     material are burning, chopping or pulverizing, crosscut

     shredding, and pulping.  COMSEC material that is not paper,

     when authorized for routine destruction, must be destroyed

     by burning, chopping or pulverizing, or chemical alteration.



     The goal is to destroy the material so thoroughly that

     classified information cannot be reconstructed by physical,

     chemical, electrical, optical, or other means.  The chart in

     Figure 12 in Appendix E lists NSTISSC approved destruction

     methods and minimum standards that must be met when

     destroying various types of COMSEC material.

     

     1.  Do not destroy hardware keying material (i.e., proms,

         permuter plugs) and associated manufacturing aids

         without approval from the NASA COR.



     2.  Routine destruction of COMSEC equipment and components

         is not authorized.  Disposition instructions for

         equipment that cannot be repaired or is no longer

         required must be obtained from the NSA, Y132, 

         commercial (301) 688-6874.



704  APPROVED ROUTINE DESTRUCTION DEVICES



     Any destruction devices that satisfy the destruction

     criteria in Figure 12 in Appendix E may be used. 

     Information concerning routine destruction devices which

     have been tested and approved by the NSA may be obtained

     from the NASA COMSEC Manager.



705  REPORTING ROUTINE DESTRUCTION  



     1.  COMSEC Custodians must report routine destruction of all

         centrally accountable (i.e., ALC 1 and ALC 2)  COMSEC

         aids to the NASA COR, no later than the 16th day of each

         month.  No exceptions are authorized; negative reports

         are not required if no keying material is held that was

         authorized for destruction during the preceding month. 

         Chapter 2, paragraph 15 contains instructions for

         completing and submitting destruction reports.



     2.  Destruction records must be maintained by the COMSEC

         Custodian for 3 years and protected in the same manner

         as other comparable classified COMSEC material.  Local

         destruction reports must be retained by the preparing

         element until the next scheduled audit.







        CHAPTER 8:  SECURE TELECOMMUNICATIONS FACILITIES



800  PHYSICAL SECURITY REQUIREMENTS FOR CLASSIFIED AND UNATTENDED

     KEYED CCI EQUIPMENT



     1.  Secure telecommunications facilities must be provided

         positive access control and they shall be constructed of

         solid, strong material to prevent unauthorized

         penetration or show evidence of attempted penetration. 

         They must provide adequate attenuation of internal

         sounds that could divulge classified information through

         walls, doors, windows, ceilings, air vents, and ducts. 

         Maximum physical security is achieved when the

         facilities are of vault-type construction.  At a

         minimum, construction or modification of a secure

         telecommunications facility shall conform to the

         requirements stated in NACSI 4008, "Safeguarding COMSEC

         Facilities," dated March 4, 1983.



     2.  Responsibilities.  The COMSEC Custodian and Alternate

         Custodian need to be cognizant of the number of persons

         performing cryptographic duties; the number of secure

         circuits, types of COMSEC equipment, and operational

         keys used in the secure telecommunications facility; the

         number of days before operational key is received in the

         secure telecommunications facility; restricting access

         to future key until received in the secure

         telecommunications facility; and waivers granted to the

         secure telecommunications facility.  The COMSEC

         Custodian and Alternate Custodian are also responsible

         for the following:



         a.    Establishing an access list for authorized

               individuals.



         b.    Establishing a visitors' register.



         c.    Establishing and documenting a daily security

               check procedure.



         d.    Prohibiting personally owned cameras, photographic

               devices/equipment capable of receiving and

               recording intelligible images; sound recording

               devices/equipment, including magnetic tapes or

               magnetic wire; amplifiers and speakers; radio

               transmitting and receiving equipment; microphones

               and television receivers from the

               telecommunications facility.



         e.    Being knowledgeable of the capabilities and

               installation of anti-intrusion devices employed by

               the secure telecommunications facility to include

               the number of devices, the manufacturer, type and

               model number of each device, the operating

               procedures, a floor plan of the alarm system, and

               a response procedure.



801  CCI ACCESS CONTROLS



     CCI equipment is by definition unclassified, but controlled.



     Minimum controls for CCI equipment are prescribed under

     three different conditions:  unkeyed, keyed with

     unclassified key, and keyed with classified key.  The

     provisions apply to CCI equipment that is installed for

     operational use.  All CCI equipment is to be protected in a

     manner that provides protection sufficient to preclude

     theft, sabotage, tamper or unauthorized access and maintains

     accountability for the material, whether installed or not.



     1.  Installed and Unkeyed.  Establish procedures to provide

         physical controls adequate enough to prevent

         unauthorized removal of the CCI equipment or its CCI

         components.  Where practical, rooms containing unkeyed

         CCI equipment should be locked at the end of the work

         day (e.g., rooms housing an unkeyed STU-III must be

         locked).



     2.  Installed and Keyed with Unclassified Key



         a.    Attended.  Establish procedures to prevent access

               by unauthorized personnel using physical controls

               and/or monitoring access with authorized

               personnel.



         b.    Unattended.  Establish procedures to prevent

               access by unauthorized personnel using adequate

               physical controls (e.g., locked rooms, alarms, or

               random checks, etc.).



     3.  Installed and Keyed with Classified Key



         a.    Attended.  CCI equipment must be under the

               continuous positive control of personnel who

               possess a security clearance at least equal to the

               classification level of the keying material in use

               and, if the keying material is TOP SECRET, the No-

               Lone Zone (NLZ) controls must be instituted.



               (1)  No-Lone Zone (NLZ) is an area, room or space

                    to which no one person may have unaccompanied

                    access and which, when manned, must be

                    occupied by two or more appropriately cleared

                    individuals.   



               (2)  Two-Person Integrity (TPI) is a system of

                    storage and handling designed to prohibit

                    access to certain COMSEC keying material by

                    requiring the presence of at least two

                    authorized persons, each capable of detecting

                    incorrect or unauthorized security procedures

                    with respect to the task being performed.



         NOTE:  The concept of "Two-Person Integrity" (TPI)

         procedures differs from "No-Lone Zone" procedures in

         that under TPI controls, two authorized persons must

         directly participate in the handling and safeguarding of

         the keying material (as in accessing storage containers,

         transportation, keying/rekeying operations, and

         destruction).  No-Lone Zone controls are less

         restrictive in that the two authorized persons need only

         to be present physically in the common area where the

         material is located.  Two-Person Control refers to

         Nuclear Command and Control COMSEC material while Two-

         Person Integrity refers only to COMSEC keying material.



         b.    Unattended.  CCI equipment must be in an area as

               described in subparagraphs 2a and b.



802  STORAGE REQUIREMENTS



     A facility/organization will not be eligible to receive or

     generate classified COMSEC information until adequate

     storage has been established.



     1.  Classified COMSEC equipment and information other than

         keying material marked CRYPTO must be stored as

         prescribed for other classified material at the same

         classification level.



     2.  Keying material marked CRYPTO must be stored according

         to the requirements of NACSI 4005, "Safeguarding and

         Control of Communications Security Material."  



     3.  CCI equipment must never be stored in a keyed condition.



         Before placing CCI equipment in storage, all keying

         material must be removed, and internal key storage

         registers photocopied.  When unkeyed, CCI equipment must

         be protected against unauthorized removal or theft

         during storage (e.g., placed in a locked room or a room

         with an adequate alarm system). 



803  RECORD OF INDIVIDUALS HAVING KNOWLEDGE OF COMBINATIONS TO

     CONTAINERS STORING CLASSIFIED COMSEC MATERIAL



     A record must be maintained of the names, organizations, and

     telephone numbers of individuals who know the combinations

     to containers storing classified COMSEC material.  In the

     event of an emergency (e.g., the container or vault is found

     open after normal working hours), one of these individuals

     must be notified.  Normally, these containers are under the

     direct control of the COMSEC Custodian and Alternate COMSEC

     Custodian(s); however, where operational need necessitates,

     classified COMSEC material--to include one edition of

     current keying material marked CRYPTO--may be issued on hand

     receipt to a user.  Under these circumstances, the notified

     individual must also contact either the COMSEC Custodian or

     Alternate COMSEC Custodian(s).  Immediately inventory the

     contents of the container/vault found not secure.  When the

     inventory is completed, the container/vault combination must

     be changed.  Compare the results of the inventory against

     the account's COMSEC Register File and, if any material is

     determined to be missing, include information in the

     incident report made according to the provisions of Chapter

     6.  Security containers containing COMSEC keying material

     must have the combinations changed every 6 months. 

     Combinations must be changed annually on security containers

     that contain other COMSEC material. 







CHAPTER 9:  SECURE TELEPHONE UNIT (STU) III's



900  GENERAL



     This Chapter augments doctrine provided in NTISSI 3013,

     "Operational Security Doctrine for the Secure Telephone Unit

     III (STU-III) Type 1 Terminal," and highlights certain areas

     of concern.



901  RESPONSIBILITIES

 

     1.  COMSEC Manager at NASA acts as the Command Authority for

         NASA STU-III terminals.  The Command authority registers

         User Representatives, establishes Department Agency

         Organization (DAO) descriptions, and monitors and

         maintains User Representative information.



     2.  User Representatives (UR's) prepare and submit key

         orders for designated users of STU-III terminals within

         the classification and type limitations of their UR

         privileges.  UR responsibilities include the following:



         a.    Interacting with users to determine key

               requirements.



         b.    Interacting with the Command Authority for DAO

               administration and UR privilege changes.



         c.    Verifying security information with the local

               security officer.



         d.    Preparing and submitting key orders.



         e.    Notifying the COMSEC Custodian that delivery of a

               key order is anticipated.



         f.    Monitoring the status of key orders, correcting

               any errors that cause rejections, and reordering

               when necessary.



     3.  Users.  Each STU-III user has a number of

         responsibilities related to the security of the STU-III

         and the security of the information transmitted,

         outlined in the following subparagraphs a through g. 

         Users are encouraged to use the secure mode to protect

         both classified and unclassified national security

         information.



         a.    Monitor the display during the secure call to

               determine the identification of the distant party,

               the maximum security classification for the call,

               and for security related messages.  The security

               classification will appear on the top line of the

               display for the duration of the secure call and

               will be the highest level shared by the two

               terminals.  Restrict the classification level of

               the conversation to no higher than the displayed

               level.  The next three lines display the identity

               of the distant STU-III.  This information will be

               scrolled through the display during secure call

               setup.  The classification level and the first

               line of the identification information will remain

               on the display for the duration of the secure

               call.



         b.    The information displayed indicates the approved

               level for the call, but does not authenticate the

               person using the terminal.  The need-to-know

               principle is still binding.  The mere connection

               to another STU-III does not signify a need-to-

               know.



         c.    The calling and the called party establish the

               clearance of the other party by a means

               independent of the display, either by knowledge of

               the other party through voice recognition, or by

               introduction by another known cleared party.



         d.    Since access to the STU-III with the crypto-

               ignition key (CIK) installed gives anyone the

               opportunity to use the STU-III in the secure mode,

               restrict access to the STU-III with the CIK

               installed to those people who hold a security

               clearance equal to or higher than the

               classification level of the key.



         e.    Users are responsible for the environment in which

               a secure conversation is held.  This includes

               their own and the other party's environment.  An

               indication that either party is not in an

               authorized location to conduct a classified

               discussion should result in a termination of the

               call.



         f.    The STU-III user is responsible for protecting his

               or her CIK.  CIK's should be treated as valuable

               personal property.  Do not leave a CIK where an

               unauthorized person would have access to both it

               and the associated STU-III.  During the work day,

               the CIK may be left in the STU-III only if

               continuously attended by cleared personnel.  When

               not in use, or if the terminal is unattended, the

               CIK must be removed from the terminal.



         g.    The room/area in which a STU-III is located will

               be provided adequate protection at the end of the

               work day or whenever authorized personnel are not

               present.



     4.  COMSEC Custodian.



         a.    COMSEC Custodians holding STU-III key in their

               accounts must have a clearance equal to the

               operational level of the key (i.e., the level seed

               key will become once converted in the terminal). 

               Sensitive Compartmented Information (SCI) access

               is not required when the COMSEC Custodian does not

               perform the conversion process.  Once the

               conversion process has occurred, all individuals

               who use a terminal keyed with Class 6 key must

               have SCI access.  Additionally, when the

               operational level of the key is unclassified, a

               clearance is not required.



         b.    Type 1 operational and Type 1 seed key are ALC-1. 

               All test key is UNCLASSIFIED and is ALC-4.



         c.    Fill devices stored in the COMSEC account should

               remain sealed in the plastic shipping bag.  Each

               fill device will have an attached card label. 

               Remove the card label when the key in the Key

               Storage Device (KSD) is loaded into the terminal. 

               Maintain a local record of key material

               identification numbers (KMID's) and the serial

               numbers of the associated STU-III's.



         d.    Respond to Key Conversion Notices (KCN's)

               acknowledging the conversion of seed key to

               operational key.  If a KCN is not received for key

               that was loaded into a terminal, notify the NSA

               Key Management System (KMS) and be prepared to

               provide the COMSEC account number and the

               conversion date.



         e.    Ensure terminals are rekeyed by a call to the KMS

               at least annually.



         f.    Expired key may be returned to the NSA KMS for

               disposition.  Transfer the fill devices to NSA

               COMSEC account 880103 using an SF 153.  See

               Chapter 2, paragraph 205 for shipping methods.  

               SF 153 destruction reports with two signatures

               must be completed for fill devices photocopied

               (other than during a loading procedure) at the

               account.



902  STU-III SECURITY EDUCATION



     1.  COMSEC Custodians will educate STU-III users when they

         receive their terminals, stressing the proper use of the

         terminal, how to handle and protect their CIK, and the

         importance of and correct procedures for reporting

         incidents.  Additionally, a copy of this Chapter will be

         issued to STU-III users when they receive their

         terminals.  See Chapter 4 for any additional briefing

         requirements.



     2.  Each user will sign a briefing statement acknowledging

         understanding of the responsibilities.  The briefing

         statement will be maintained in the official security

         records of the individual.



     3.  Reportable incidents specific to STU-III's are listed in

         paragraph 904.1.  Insecure practices that should be

         reported to the COMSEC Custodian but do not need to be

         reported according to Chapter 6 are described in

         paragraph 904.2.



903  PROTECTING CIK's



     1.  COMSEC Custodians must maintain local records of CIK's,

         to which terminal(s) they are associated, and to which

         user(s) they are assigned.



     2.  CIK's should normally be retained by authorized persons,

         who should protect them as valuable personal property. 

         Multiple CIK's may be created for each terminal.  Any

         person who is permitted unrestricted access to a keyed

         terminal can retain the CIK in his or her personal

         possession.  Interoperable CIK's may be created to work

         in more than one terminal.  It is recommended that an

         interoperable CIK remain at all times in the personal

         possession of a single individual who is assigned

         responsibility for its use.  If a CIK must be stored in

         the same room as the terminal, protect it according to

         the classification of the keyed terminal.  When

         terminals are installed in residences, the user must be

         sure to remove the CIK from the terminal following each

         use and keep it in his or her personal possession, or

         store it in a security container approved for the

         classification level of the key in the terminal.



     3.  Master CIK's are used to create other CIK's for the same

         terminal, so greater controls should be exercised. 

         Maintain master CIK's in locked storage commensurate

         with the classification level of the key it protects,

         except when being used to create other CIK's, and keep

         under the personal control of an authorized person who

         has been briefed on its sensitivity and the requirements

         for its control.  Master CIK's should not be used on a

         day-to-day basis with the STU-III.



     4.  Report lost CIK's immediately to the COMSEC Custodian so

         that he or she can delete that CIK from all terminals

         with which it was associated.  Deleting a CIK does not

         affect the usability of other CIK's created for that

         terminal.  Once a CIK has been disassociated from a

         terminal, it no longer needs to be controlled and can be

         reused.



     5.  Use of a CIK by other than personnel for whom the

         authentication information appearing on the terminal

         display applies, may only be permitted if the intended

         user is verifiably cleared to the level that the key is

         classified and the CIK is under continuous control and

         supervision by the authorized person.  To place such a

         call, the authorized person must first make voice

         contact with the distant end identifying the intended

         user and indicating the intended user's clearance level

         before allowing access to the terminal.     



904  INCIDENTS



     1.  The following incidents apply specifically to the

         Type 1 STU-III and are reportable in accordance with

         Chapter 6:



         a.    Failure of the COMSEC Custodian to notify the KMS

               that a seed key listed on the conversion notice

               still exists in the COMSEC account;



         b.    Any instance where the authentication information

               displayed during a secure call is not

               representative of the distant terminal;



         c.    Failure to adequately protect or erase a CIK that

               is associated with a lost terminal; 



         d.    Any instance where the display indicates that the

               distant terminal contains compromised key. 

               (Example:  "Hang Up - Far Key Compromised" on the

               terminal display, indicating an unauthorized user

               may be at the distant end.);



         e.    Leaving a CIK in a STU-III when access to the 

               STU-III is uncontrolled, unless area is approved

               for open storage for classified material 

               (NTISSI 4003);



         NOTE:  Reports of COMSEC incidents involving key must

         include the assigned KMID, whether or not any CIK's were

         involved, and whether or not the CIK's were protected

         when the incident occurred.



     2.  The following incidents need not be reported in

         accordance with Chapter 6, but must be reported to the

         Installation Security Officer and/or COMSEC Custodian:



         a.    CIK failure.  If a CIK that had operated properly

               fails, the failure could be attributed to a

               malfunction in the CIK itself or in the terminal. 

               It could also be an indication that the CIK has

               been copied and the copy used in the terminal.  To

               preclude the possibility of further use in the

               event the CIK was copied, the failed CIK should be

               promptly deleted from the terminal (deleting the

               CIK does not affect the usability of other CIK's

               created for that terminal).



         b.    Loss of a CIK.  Once reported, the CIK should be

               deleted from the system.



         c.    Initial discovery of loss or unauthorized

               relocation of a STU-III.  If a STU-III is

               discovered missing, secure all associated CIK's

               until other instructions are received.  After a

               reasonable amount of time, if the missing STU-III

               cannot be accounted for, the incident is

               reportable in accordance with Chapter 6.

 

         d.    Transmission of classified information using a

               terminal with a failed display.  If the display

               fails, terminate the call immediately.  Should an

               unauthorized user receive the call, the incident

               is reportable in accordance with Chapter 6.   



         e.    Failure to rekey a terminal within 2 months after

               the end of the cryptoperiod.  The Electronic Key

               Management System (EKMS) will zeroize terminals

               automatically at the end of the 2-month period. 



         f.    "Security Failure" on the terminal display when a

               CIK is removed.  This display is accompanied by a

               continuous audible tone to notify the user that an

               emergency condition exists and that prompt action

               is required.  Protect the terminal as classified

               until further instructions are received.



         g.    "CIK Not Updated" on the terminal display,

               requiring action by the COMSEC Custodian.



905  STU-III TERMINAL KEYING AND REKEYING



     1.  Electronic keying of a Type 1 STU-III is accomplished by

         loading a seed key (which includes authentication

         information for the terminal display) into the STU-III

         from the KSD followed by immediately creating at least

         one CIK, and calling the KMS.  During the call, the KMS

         electronically provides an operational key (at the

         classification level ordered) to replace the seed key in

         the terminal.  Once this process called "conversion" is

         complete, the terminals may be used in the secure mode

         to call other STU-III terminals.



     2.  During the rekey call to the KMS, it is the key in the

         terminal that is being rekeyed, not the CIK.  Therefore,

         only one call is necessary; rekey calls are not required

         for each of the multiple CIK's associated with one

         terminal.  It is not necessary to use the master CIK.



906  SECURE DATA MODE



     The STU-III is designed to prevent disclosure of information

     in transit only, and the end system is still responsible for

     determining and properly reacting to the accreditation range

     of the system to which it will communicate, the identity of

     the user of the distant end system, and the STU-III-

     negotiated classification level of the connection.  When

     appropriate, computer security safeguards must also be

     employed to prevent improper and/or unauthorized access to

     information.



     1.  Data Installations



         a.    STU-III terminals may be used to secure

               communications between classified computer

               systems, provided the key in the terminal matches

               the classification of the information to be

               transmitted.



         b.    Authorization from the Installation Security

               Officer and, or the Designated Approval Authority

               is required before data processing equipment may

               be installed and operated with a STU-III terminal.



     2.  Facsimile (FAX) Installations



         a.    STU-III terminals may be used with FAX machines to

               transmit classified information provided the key

               in the terminal matches the classification of the

               information to be transmitted.



         b.    Authorization from the Installation Security

               Officer is required before FAX equipment may be

               installed and operated with a STU-III terminal.



         c.    FAX machines used to transmit classified

               information will be protected in the same manner

               as the associated STU-III terminal.



         d.    Secure voice contact must be established before

               switching to data mode and transmitting the

               material.  Classified material receipting

               regulations apply when transmitting classified

               information between NASA Installations or to other

               addresses.  The sending operator will remain at

               the terminal until the transmission is complete

               and return to secure voice mode to verify receipt.



907  SENSITIVE COMPARTMENTED INFORMATION FACILITIES (SCIF's)



     1.  Use only SCI level key.



     2.  The CIK(s) associated with the terminal may not be

         removed from the SCIF.



     3.  STU-III terminals will not be removed from the SCIF

         except for maintenance.



908  INSTALLATIONS IN RESIDENCES, HOTELS, OR COMMERCIAL

     CONFERENCE FACILITIES



     Installations in residences, hotels, or commercial

     conference facilities require the express written permission

     of the Installation Security Office.  Requests for

     permission to install a STU-III terminal in a residence,

     hotel, or commercial conference facility need to include a

     statement of need.



909  VEHICLE INSTALLATIONS



     1.  Installations of STU-III secure cellular terminals in

         vehicles require the express written permission of the

         Installation Security Office.



     2.  The CCI portion of a STU-III cellular terminal is

         normally installed in the trunk of the vehicle.  When

         the vehicle is to be unattended, remove the CIK and

         terminal mounting mechanism key, and lock the vehicle. 

         When the vehicle will be unattended for an extended

         period or will be parked in an area where there is a

         high threat of theft or tampering, or if the vehicle

         will be turned over for commercial repair, first remove

         the CCI portion of the terminal, the message center, and

         the handset.



910  ACOUSTIC SECURITY



     1.  Acoustical isolation must be sufficient to prevent

         classified conversation from being overheard, without

         the aid of electronic equipment in adjacent uncleared

         areas.  Acoustical separation can be achieved by

         implementing adequate separation, physical barriers,

         area access controls, or some combination thereof.  

         Acoustic isolation must be sufficient to prevent

         classified conversations from being overheard at non-

         secure telephones.



     2.  Measures to implement the requirements outlined above

         will include the following or a combination thereof:



         a.    Individual offices, where the structure provides

               the needed isolation.



         b.    Sound absorbent office partitions between

               individual work areas in open plan offices.



         c.    Other protective measures specified by a NASA TSCM

               specialist.







         CHAPTER 10:  COMSEC EMERGENCY ACTION PROCEDURES



1000  REQUIREMENTS



      All organizations holding classified or CCI COMSEC material

      must prepare a plan to protect the material during natural

      disasters and accidental emergencies (such as fire, flood,

      tornado, and earthquake).  Planning and actions should

      emphasize maintaining security control over the material

      without endangering life until order is restored. 

      Incorporate the requirements of this Chapter into the

      emergency action procedures established for the entire

      facility.  Additionally, structure normal operating

      routines to minimize the number and complexity of actions

      to be taken to protect COMSEC material during emergencies. 

      For example, hold only the minimum amount of COMSEC

      material at any time; that is, conduct routine destruction

      frequently and dispose of excess COMSEC material according

      to disposition instructions.  

 

1001  PREPAREDNESS



      Planning for natural disasters and accidental emergencies

      must provide for the following:



      1.  Fire reporting and initial fire fighting by assigned

          personnel.  Note:  The Emergency Plan must be

          coordinated with the appropriate security and

          fire/safety personnel.

 

      2.  Assigning on-the-scene responsibility to ensure COMSEC

          material is protected.

 

      3.  Securing or removing classified COMSEC material and

          evacuating the area(s).



      4.  Protecting material when outside fire fighters, etc.,

          must be admitted into the secure area(s).



      5.  Assessing and reporting probable exposure of classified

          COMSEC material to unauthorized persons during the

          emergency.



      6.  Post-emergency inventorying classified and CCI COMSEC

          material and reporting any losses or unauthorized

          exposures to appropriate authority.



      7.  Destruction of COMSEC Material.  While destruction of

          COMSEC material is usually not considered in a CONUS

          location's Emergency Action Plan, the possibility of

          destruction prior to evacuation in the case of other

          natural disasters/emergencies will be discussed with

          the NASA Central Office of Record (COR), Code JIS, and

          will only occur at the direction of that office.



1002  PREPARING THE EMERGENCY PLAN



      Preparing the COMSEC material emergency plan is the COMSEC

      Custodian's responsibility.  A sample emergency plan is

      included as Appendix D.  The plan should be coordinated

      with appropriate security and fire/safety personnel.  The

      plan must be realistic and workable, and it must accomplish

      the goals for which it is prepared.  Contributing factors

      to this are as follows:



      1.  All duties under the plan must be described clearly and

          concisely.  



      2.  All authorized personnel at the facility should be

          aware of the existence of the plan.  Each individual

          who has duties assigned under the plan should receive

          detailed instructions on how to carry out these duties

          when the plan becomes effective.  Personnel involved

          should be familiar with all duties so that assignment

          changes may be made, if necessary.  Periodically

          rotating the emergency duties of all personnel can

          achieve this.



      3.  Conduct training exercises periodically to ensure that

          all personnel, especially those newly assigned, who

          might have to take part in an actual emergency, will be

          able to carry out their duties.  As necessary, change

          the plan based on the experience of the training

          exercises.



1003  EMERGENCY ACTION PROCEDURES REVIEW



      COMSEC emergency procedures developed under these

      guidelines will be made available for review upon the

      request of the NASA COR.







                           APPENDIX A



Definitions.  For the purposes of this Manual, the following

definitions apply:



      1.  Accountable COMSEC Material:  All COMSEC aids,

          equipment and components, and devices, identifiable by

          the Telecommunications Security (TSEC) nomenclature

          system, a Government Serial Number (GSN) or a similar

          system of a U.S. Department or Agency, foreign

          government, or international organization.  Accountable

          COMSEC material is hereafter referred to as COMSEC

          material.



      2.  Accounting Legend Code (ALC):  Numeric code indicating

          the minimum accounting controls required for COMSEC

          material.  ALC categories are specified in Chapter 2.



      3.  Accounting Number:  Number assigned to an individual

          item of COMSEC material to facilitate handling and

          accounting (also referred to as register or serial

          number).



      4.  Alternate COMSEC Custodian:  Individual designated to

          perform the duties of the COMSEC Custodian during the

          temporary absence of the COMSEC Custodian.



      5.  Amendment:  Correction or change to a COMSEC

          publication.



      6.  Assembly:  Group of parts, elements, subassemblies, and

          circuits assembled as a separate item removable from a

          piece of COMSEC equipment.



      7.  Central Office of Record (COR):  Central office which

          keeps records of all COMSEC material received by

          elements subject to its oversight.  COR duties include

          establishing and closing COMSEC accounts, maintaining

          records of COMSEC Custodian and Alternate COMSEC

          Custodian appointments, performing COMSEC inventories,

          and responding to queries concerning account

          management.



      8.  Communications Security (COMSEC):  Measures taken to

          deny unauthorized persons information derived from

          telecommunications of the U.S. Government, and to

          ensure the authenticity of such telecommunications. 

          (COMSEC includes cryptographic security, emission

          security, transmission security, and physical security

          of COMSEC material and information.)



      9.  COMSEC Account:  Administrative entity, identified by

          an account number, responsible for maintaining custody

          and control of accountable COMSEC material.



      10. COMSEC Account Audit:  Examination of the holdings,

          records, and procedures of an account to ensure that

          accountable COMSEC material is safeguarded properly.



      11. COMSEC Accounting:  Procedures that document the

          control of accountable COMSEC material from time of

          origin through destruction or final disposition.



      12. COMSEC Aids:  All COMSEC materials, other than

          equipment or devices, which assist in securing

          telecommunications and/or is required in the

          production, operation, and maintenance of COMSEC

          systems and their components (e.g., operating and

          maintenance manuals).



      13. COMSEC Custodian:  Individual designated by proper

          authority to be responsible for receipting,

          transferring, safeguarding, destroying, and the

          accountability of COMSEC material assigned to a COMSEC

          account.



      14. COMSEC Equipment:  Equipment designed to provide

          security to telecommunications by converting

          information to a form unintelligible to an unauthorized

          interceptor, and by reconverting such information to

          its original form for authorized recipients.  Also

          equipment designed specifically to aid in, or as an

          essential element of, the information conversion

          process.  COMSEC equipment includes cryptographic

          equipment, crypto-ancillary equipment, and

          authentication equipment.



      15. COMSEC Facility:  Space employed primarily for the

          purpose of generating, storing, repairing, or using

          COMSEC material.



      16. COMSEC Incident:  Any occurrence that potentially

          jeopardizes the security of COMSEC material or the

          secure electrical transmission of Government

          information.



      17. COMSEC Insecurity:  COMSEC incident that has been

          investigated, evaluated, and determined to jeopardize

          the security of COMSEC material or the secure

          transmission of information.



      18. COMSEC Inventory Reconciliation Report:  Certificate

          issued by the COR that compares the semiannual

          inventory of a COMSEC account with the COR's records

          and identifies any discrepancies noted.



      19. COMSEC Material:  COMSEC aids and equipment that secure

          telecommunications or ensure the authenticity of such

          communications.



      20. COMSEC Material Control System (CMCS):  Logistics

          system through which COMSEC material is distributed,

          controlled, and safeguarded.  (Note:  The CMCS consists

          of all COMSEC CORs, cryptologistic depots, and COMSEC

          accounts/subaccounts.)



      21. COMSEC Modification:  Any change to the electrical,

          mechanical, or software of NSA-approved COMSEC

          equipment.  Types of COMSEC modifications are

          mandatory, optional, special mission, and repair

          actions.



      22. COMSEC Register File:  Accounting file containing a

          record of each COMSEC item accountable to a COMSEC

          account.



      23. Contingency Key:  Keying material held for use on a

          cryptonet under specific operational conditions or in

          support of specific contingency plans.



      24. Controlled Cryptographic Item (CCI):  Secure

          telecommunications or information handling device, or

          associated cryptographic component, which is

          unclassified but controlled.  Equipment and components

          so designated bear the designator CCI.



      25. Controlling Authority:  Designated official responsible

          for directing the operation of a cryptonet and for

          managing the operational use and control of keying

          material assigned to that cryptonet.



      26. CRYPTO:  Marking or designator identifying all

          operational and on-the-air COMSEC keying material.



      27. Crypto-Ancillary Equipment:  Equipment designed

          specifically to facilitate efficient or reliable

          operation of cryptographic equipment, but which does

          not itself perform cryptographic functions.



      28. Crypto-Equipment:  Equipment that embodies a

          cryptographic logic.



      29. Cryptographic Component:  Hardware or firmware

          embodiment of the cryptographic logic in a secure

          telecommunications or automated information processing

          system.  A cryptographic component may be modular

          assembly, a printed wiring assembly (PWA), a

          microcircuit, or a combination of these items.



      30. Cryptographic Incident:  Any equipment malfunction, or

          operator or custodian error, that adversely affects the

          cryptographic security of a machine, auto-manual, or

          manual cryptosystem.



      31. Crypto-Ignition Key (CIK):  Device or electronic key

          used to electronically lock or unlock the secure mode

          of a piece of cryptographic equipment.



      32. Cryptographic Logic:  Well-defined procedure or

          sequence of steps used to produce cipher text from

          plain text, and vice versa, or to produce a key stream,

          plus delays, alarms, and checks essential to

          effectively performing the cryptographic process.



      33. Cryptonet:  Stations that share use of a specific key.



      34. Cryptoperiod:  Time span during which each key setting

          (i.e., a key segment) remains in effect.



      35. Data Encryption Standard (DES).  Algorithm used for the

          encryption of unclassified but sensitive Government

          information.



      36. Date Stamp:  Year, month, date (YYMMDD) stamp

          indicating the date a protective technology was applied

          to a COMSEC product.



      37. Element:  Subdivision of a COMSEC device, an assembly,

          or a subassembly, consisting of a single piece or group

          of replaceable parts.  An element is a removable item

          necessary to equipment operation, but it does not

          necessarily perform a complete function in itself. 

          (Elements are usually in the form of printed circuit

          boards and are identified by an "E" to indicate the

          item is an element, followed by a hyphen and

          alphabetical trigraph, e.g., E-ABC.)



      38. Exercise Key:  Key intended to safeguard transmissions

          associated with exercises.



      39. Field Inspection:  Process of examining protective

          technologies at a Field Site to detect possible signs

          of tampering and/or substitutions.



      40. Fill Device:  COMSEC item used to transfer or store key

          in electronic form or to insert key into cryptographic

          equipment.  Common Fill Devices refers to the KOI-18,

          KYK-13, and KYX-15.



      41. Hand Receipt:  Document used to record local or

          temporary issue of COMSEC material from a COMSEC

          Custodian to a user and acceptance by the user of the

          responsibility to properly store and control the COMSEC

          material.



      42. Hard-Copy Key:  Physical keying material such as

          printed key cards/lists, punched key tapes, or

          programmable read-only memories (PROMs).



      43. Hard-Wired Key:  Key that is permanently installed in a

          piece of COMSEC equipment.



      44. Interoperable CIK:  A CIK created to work in more than

          one STU-III terminal.



      45. Intrusion Detection System (IDS):  System designed to

          detect and signal unauthorized entry into a controlled

          area (e.g., security alarms, sensor systems, video

          systems).



      46. Inventory:  1.  Physical verification of the presence

          of each item of COMSEC material charged to a COMSEC

          account.  2.  Listing of each item of COMSEC material

          charged to a COMSEC account.



      47. Inventory Report:  Report of items of material that

          were physically sighted in accordance with inventory

          procedures.



      48. Irregularly Superseded Keying Material:  Keying

          material used on an "as needed" basis, rather than

          during a specified period of time.



      49. Key:  Information (usually a sequence of random binary

          digits) used to initially set up and periodically

          change the operations performed in cryptographic

          equipment for encrypting or decrypting electronic

          signals, for determining electronic countermeasure

          (ECCM) patterns (frequency hopping or spread spectrum),

          or for producing other keys.  The term "key" has

          replaced the terms "variable," "key variable," and

          "cryptovariable."



      50. Key Distribution Center (KDC):  COMSEC facility that

          generates and distributes key in electronic form.



      51. Key Encryption Key:  Key used for encrypting and

          decrypting other keys during transmission or storage.



      52. Key List:  Printed series of key settings for a

          specific cryptonet.  Produced in list, pad, or printed

          tape format.



      53. Key Management:  Process by which key is generated,

          stored, protected, transferred, loaded, used, and

          destroyed.



      54. Keyed:  Condition of containing key.  In applications

          employing a CIK, cryptographic equipment is considered

          unkeyed when the CIK is removed.



      55. Keying:  All keying-related changes to cryptographic

          equipment, such as loading electronic key, inserting

          the CIK, and updating or photocopying key.



      56. Keying Material:  Type of COMSEC aid that supplies

          either encoding means for manual and auto-manual

          cryptosystems or key for machine cryptosystems.



      57. Keying Material Support Plan (KMSP):  Detailed

          description of the operational needs of a proposed

          cryptonet including the structure, keying material

          specifications, and distribution plan.



      58. Key Storage Device:  The name given to the physical

          device that can be used as a fill device and also as a

          CIK for all STU-III terminals.  It is a small device

          shaped like a physical key and contains passive memory.



          When it is used to carry key to terminals, it is termed

          a fill device; when it is used to protect key that has

          been loaded into terminals, it is termed a CIK.



      59. L6061:  COMSEC Material Record Form that documents

          possession, location, and current user of specific

          equipment or device.



      60. Limited Access Area:  Area in which uncontrolled

          movement of personnel would allow access to classified

          information, but in which such access is prevented by

          escort or other internal restrictions or controls.



      61. Long Title:  Descriptive title of an item of COMSEC

          material (e.g., General Purpose Encryption Device).



      62. Maintenance Key:  Key intended only for off-the-air,

          in-shop, use.



      63. Mandatory Modification:  Change to a COMSEC equipment

          that the NSA requires to be completed and reported by a

          specified time-compliance date.



      64. Master CIK:  The first CIK created for a terminal,

          which has been designated to allow the holder to create

          additional CIKs whenever they are required, up to the

          terminal's maximum.



      65. Microcircuit:  Single monolithic semiconductor

          substrate on which all of the active and passive

          elements of an electronic microcircuit (such as a key

          generator) have been fabricated utilizing semiconductor

          technology.  A microcircuit is not ready for use until

          it is packaged and provided with terminals for

          connection to other system components.



      66. Modification:  Any change to the electrical,

          mechanical, or software characteristics of COMSEC

          equipment, an assembly, or a device.



      67. National Security Information:  Information related to

          the national defense or foreign relations of the United

          States that was determined to be classified pursuant to

          Executive Order 12356 or any predecessor order.



      68. Negative Inventory:  Semiannual, preprinted inventory

          sent to a COMSEC account that does not currently hold

          COMSEC material.



      69. Net Mode:  Mode of operation in which all net members

          have the same key.



      70. Net Key:  Key held in common by all members of a given

          cryptonet.



      71. No-Lone Zone:  Area, room, or space to which no one

          person may have unaccompanied access and which, when

          manned, must be occupied by two or more appropriately

          cleared individuals.



      72. Operational Key:  Key intended for use on-the-air for

          protection of operational information or for the

          production of secure electrical transmission of key

          streams.



      73. Page Check:  Verification of the presence of each

          required page in a publication.



      74. Personnel Incident:  Capture, unauthorized absence,

          defection, or control by a hostile intelligence entity

          of an individual having knowledge of, or access to,

          classified or sensitive COMSEC information or material.



      75. Physical Incident:  Any occurrence (e.g., loss of

          control; theft; capture; recovery by salvage,

          tampering; unauthorized viewing, access, or

          photographing) which results in jeopardy to COMSEC

          material.



      76. Protected Distribution System:  Wireline or fiber-optic

          telecommunications system that includes terminals and

          adequate acoustic, electrical, electromagnetic, and

          physical safeguards to permit its use for the

          unencrypted transmission of classified information.



      77. Protective Packaging:  Packaging techniques for keying

          material, which discourage penetration and/or which

          reveal that a penetration has occurred or which inhibit

          viewing or copying of keying material prior to the time

          it is exposed for use.



      78. Protective Technologies:  Special tamper-evident

          features and materials employed for the purpose of

          detecting tampering and deterring attempts to

          compromise, modify, penetrate, extract, or substitute

          equipment and keying material.



      79. Regularly Superseded Keying Material:  Keying material

          that is superseded on a regular, established schedule.



      80. Remote Rekeying:  Secure electrical distribution of a

          key by radio or wire/fiber optic line.



      81. Reserve Keying Material:  Key held to satisfy unplanned

          needs.

      82. Self-authentication:  Implicit authentication of all

          transmissions on a secure system (such as PDS) or

          cryptonet to a predetermined level.



      83. Sensitive Compartmented Information (SCI):  All 

          information and material that requires special controls

          for restricted handling within compartmented

          intelligence systems and for which compartmentation is

          established.



      84. Sensitive, Unclassified Information:  Any information,

          the loss, misuse, or unauthorized access to, or

          modification of, which could adversely affect the

          national interest or conduct of Federal programs, or

          the privacy to which individuals are entitled under

          Section 552a of Title 5, United States Code (the

          Privacy Act), but which has not been specifically

          authorized under criteria established by an executive

          order or an act of Congress to be kept secret in the

          interest of national defense or foreign policy.



      85. Short Title:  Identifying combination of letters and

          numbers assigned to COMSEC material for the purpose of

          brevity (e.g., KAM-1211A/TSEC, TSEC/KW-76).  Each item

          of accountable COMSEC material is assigned a short

          title to facilitate handling, accounting, and control. 

          (See Figure 2 in Appendix E for the table of

          designators for COMSEC aids and COMSEC equipment.)



      86. STU-III Key Management System (KMS):  The STU-III

          system that provides all keying services to the user

          community.



      87. Subassembly:  Major subdivision of an assembly, which

          consists of a package of parts, elements, and circuits

          that perform a specific function (such as an

          oscillator, amplifier, powerpack, etc.).  Usually the

          subassembly is a removable package.  Subassemblies are

          identified by a "Z" followed by a dash and alphabetic

          trigraph, e.g., Z-ABE.



      88. Supersession:  Scheduled or unscheduled replacement of

          a COMSEC aid with different editions.



      89. Telecommunications:  Preparation, transmission,

          communication, or related processing of information

          (writing, images, sounds, or other data) by electrical,

          electromagnetic, electro-mechanical, or electro-optical

          or electronic means.



      90. Test Key:  Key intended only for on-the-air testing of

          COMSEC equipment or systems.



      91. Traffic Encryption Key:  Key used to encrypt and

          decrypt information for transmission.



      92. Training Key:  Cryptographic key intended only for on-

          the-air or off-the-air training of users.



      93. Transfer of Accountability:  Process of transferring

          accountability for COMSEC material from the COMSEC

          account of the shipping organization to the COMSEC

          account of the receiving organization.



      94. TSEC Nomenclature:  System for identifying the type and

          purpose of items of COMSEC material over which the NSA

          exercises configuration control.  NOTE:  "TSEC" is an

          abbreviation for "telecommunications security."



      95. Two-Person Control:  Continuous surveillance and

          control of COMSEC material at all times by a minimum of

          two authorized individuals, each capable of detecting

          incorrect and unauthorized procedures with respect to

          the task being performed, and each familiar with

          established security and safety requirements.



      96. Two-Person Integrity:  System of storage and handling

          designed to limit access to certain COMSEC keying

          material by requiring the presence of at least two

          authorized persons, each capable of detecting incorrect

          or unauthorized security procedures with respect to the

          task being performed.  Two-Person Control refers to

          Nuclear Command and Control COMSEC material while Two-

          Person Integrity refers only to COMSEC keying material.



          NOTE:  Two-person integrity (TPI) procedures differ

          from no-lone zone procedures in that under TPI

          controls, two authorized persons must directly

          participate in handling and safeguarding the keying

          material (as in accessing storage containers,

          transportation, keying/rekeying operations, and

          destruction).  No-lone zone controls only require the

          two authorized persons to be physically present in the

          common area where the material is located.



      97. Type 1 Product:  Classified or CCI equipment,

          assemblies, or components endorsed by the NSA for use

          in telecommunications and automated information systems

          for securing classified or sensitive U.S. Government

          information, when appropriately keyed.  NOTE:  Refers

          only to products, and not to information, key,

          services, or controls.  Type 1 products contain

          classified NSA algorithms.  They are available to U.S.

          Government users and their contractors, and are subject

          to export restrictions in accordance with International

          Traffic in Arms Regulation.



      98. Type 2 Product:  Unclassified cryptographic equipment,

          assemblies, or components endorsed by the NSA for use

          in telecommunications and automated information systems

          for protecting information covered by the Warner

          Amendment.  NOTE:  Refers only to products, not to

          information, key, services, or control.  Type 2

          products may not be used for classified information,

          but do contain classified NSA algorithms, which

          distinguishes them from products containing the

          unclassified data encryption standard (DES) algorithm. 

          Type 2 COMSEC products are available to U.S. Government

          departments and agencies, and to elements of State and

          local governments, contractors, and private sector

          entities, when sponsored by the U.S. Government.  Type

          2 COMSEC products are subject to export restrictions in

          accordance with International Traffic in Arms

          Regulation.



      99. User Representative:  Person authorized by an

          organization to order COMSEC keying material and to

          interface with the CMCS to provide key ordering

          information to key users.



     100. Unkeyed:  Containing no key or containing key that has

          been protected from unauthorized use by removing the

          CIK.



     101. Update:  Cryptographic process that is performed to

          irreversibly modify key to protect back traffic.



     102. User:  Individual required to use COMSEC material in

          the performance of his or her official duties and who

          is responsible for safeguarding that COMSEC material.



     103. User Representative:  Person formally designated to

          order key for STU-III terminals.



     104. Warner Amendment Information:  Unclassified Government

          or Government-derived information, of departments,

          agencies and their contractors, involving intelligence

          activities, cryptologic activities related to national

          security, the command and control of military forces,

          equipment that is integral to a weapon or weapons

          system, or critical to the direct fulfillment of

          military or intelligence missions (10 U.S.C., 

          Section 2315).



     105. Witness:  Appropriately cleared and designated

          individual, other than the COMSEC Custodian, who

          witnesses the destruction or inventory of COMSEC

          material.



     106. Zeroize:  To remove or eliminate key from cryptographic

          equipment or fill devices.







                           APPENDIX B



        SAMPLE COMMUNICATIONS SECURITY (COMSEC) BRIEFING



      a.  You have been selected to perform duties requiring

          access to U.S. classified COMSEC information.  It is

          essential, that you become fully aware of facts

          relating to protecting this information before access

          is granted.  This briefing will give you a description

          of the types of COMSEC information to which you may

          have access, the reasons why special safeguards are

          necessary for protecting this information, the

          directives and rules that prescribe such safeguards,

          and the penalties you may incur for the unauthorized

          disclosure, unauthorized retention, or negligent

          handling of U.S. classified COMSEC information. 

          Failing to properly safeguard this information could

          cause serious or exceptionally grave damage, or

          irreparable injury, to the national security of the

          United States, or could be used to a foreign nation's

          advantage.



      b.  COMSEC is the general term used for all steps taken to

          deny unauthorized persons information derived from the

          telecommunications of the U.S. Government, and to

          ensure the authenticity of those communications. 

          COMSEC has four main components:  transmission

          security, physical security, emission security, and

          cryptographic security.  Transmission security is

          methods and techniques applied to protect information

          while in transmission from unauthorized intercept,

          traffic analysis, imitative deception, and disruption. 

          Physical security is those barriers put in place to

          prevent access by an unauthorized person to materials,

          information, documents, and equipment.  Emission

          security is measures taken to prevent compromising

          signals from emanating from equipment or

          telecommunications systems.  Cryptographic security is

          rules applied to alter information, making it

          unintelligible to unauthorized people during

          communications.  To ensure that telecommunications are

          secure, all four of these components must be

          considered.



      c.  COMSEC equipment and keying material are especially

          sensitive because they are used to protect other

          classified information while that information is

          communicated from one point to another.  Any particular

          piece of COMSEC equipment, keying material, or other

          cryptographic material may be the critical element that

          protects large amounts of classified information from

          interception, analysis, and exploitation.  If the

          integrity of the COMSEC system is weakened at any

          point, all information protected by the system could be

          compromised; even more damaging is if this loss of

          classified information goes undetected.  The procedural

          safeguards placed on COMSEC equipment and materials,

          covering every phase of their existence from creation

          through disposition, are designed to reduce or

          eliminate the possibility of such loss.



      d.  COMSEC equipment and materials receive special handling

          for distribution and accounting as part of physical

          security protection.  Two separate channels are used

          for handling such equipment and materials:  COMSEC

          channels and administrative channels.  The COMSEC

          channel, or COMSEC Material Control System (CMCS) is

          used to distribute accountable COMSEC such as keying

          material, maintenance manuals for cryptographic, and

          classified and CCI equipment.  The CMCS channel is

          composed of a series of COMSEC accounts, each of which

          is appointed a COMSEC Custodian who is personally

          responsible and accountable for all COMSEC materials in

          the account.  The COMSEC Custodian assumes

          responsibility for the material from the time it is

          received, and controls its dissemination to authorized

          users on a need-to-know basis.  The administrative

          channel is used to distribute COMSEC information and

          materials other than that accountable in the CMCS.  



      e.  To adequately protect COMSEC equipment and materials,

          you must understand all the pertinent security

          regulations and the importance of reporting any

          compromise, suspected compromise, or other security

          problem involving these materials.  If a COMSEC system

          is compromised but the compromise is not reported, all

          information that was ever protected by that system may

          be lost as a result.  If the compromise is reported,

          steps can be taken to change the system, replace the

          keying material, etc., to reduce the damage done.  In

          short, it is your individual responsibility to know and

          to put into practice all the provisions of the

          appropriate publications relating to properly using and

          protecting the COMSEC equipment and materials to which

          you will have access.  



      f.  Because access to U.S. classified cryptologic

          information is granted on a strict need-to-know basis,

          you will be given access to only that cryptographic

          information necessary for you to perform your duties.  



      g.  You may not disclose any COMSEC information without the

          specific approval of the NASA COMSEC Manager or the

          National Security Agency (NSA).  This applies to both

          classified and unclassified COMSEC information, and

          means that you may not prepare newspaper articles,

          speeches, technical papers, or make any other "release"

          of COMSEC information without specific Government

          approval.  The best personal policy is to avoid any

          discussions that reveal your knowledge of or access to

          COMSEC information and thus avoid making yourself

          interesting to those who seek the information you

          possess.  



      h.  When your duties include access to classified COMSEC

          information, in addition to the above, you should avoid

          travel to any countries that are adversaries of the

          United States, or to their establishments/facilities

          within the United States.  Should such travel become

          necessary, your security office must be notified in

          advance, allowing sufficient time for you to receive a

          defensive security briefing.  Any attempt to elicit the

          classified COMSEC information you have, either through

          friendship, favors, or coercion, must be reported

          immediately to your security office.



      i.  Finally, you must know that if you willfully disclose

          or give any of the classified COMSEC information,

          equipment (including CCI), or associated keying

          materials to which you have access to any unauthorized

          persons, you will be subject to prosecution under the

          criminal laws of the United States.  The laws which

          apply are contained in Title 18, United States Code,

          Sections 641, 793, 794, 798, and 952.



_____________________________    ________    ____________________

SIGNATURE OF EMPLOYEE BRIEFED      DATE      SIGNATURE OF BRIEFER







                           APPENDIX C



                             SAMPLE

                CRYPTOGRAPHIC ACCESS CERTIFICATION

                 CRYPTOGRAPHIC ACCESS TERMINATION

                      PRIVACY ACT STATEMENT



INSTRUCTION



Section One of this certification must be executed before an

individual may be granted access to U.S. classified cryptographic

information.  Section Two will be executed when the individual no

longer requires such access.  The signed certificate (original)

will be made a permanent part of the official security records of

the individual concerned.



SECTION ONE



AUTHORIZATION FOR ACCESS TO U.S. CLASSIFIED CRYPTOGRAPHIC

INFORMATION



      a.  I understand that I am being granted access to U.S.

          classified cryptographic information.  I understand

          that my being granted access to this information

          involves me in a position of special trust and

          confidence concerning matters of national security.  I

          hereby acknowledge that I have been briefed concerning

          my obligations with respect to such access.



      b.  I understand that safeguarding U.S. classified

          cryptographic information is of the utmost importance

          and that the loss or compromise of such information

          could cause serious or exceptionally grave damage to

          the national security of the United States.  I

          understand that I am obligated to protect U.S.

          classified cryptographic information and I have been

          instructed in the special nature of this information

          and the reasons for the protection of such information.



          I agree to comply with any special instructions issued

          by my installation or agency regarding unofficial

          foreign travel or contacts with foreign nationals.



      c.  I fully understand the information presented during the

          briefing I received.  I have read this certificate and

          my questions, if any, have been satisfactorily

          answered.  I acknowledge that the briefing officer has

          made available to me the provisions of Title 18, United

          States Code, Sections 641, 793, 794, 798, and 952 (see

          Attached).  I understand that, if I willingly disclose

          to any unauthorized person any of the U.S. classified

          cryptographic information to which I might have access,

          I am be subject to prosecution under the criminal laws

          of the United States, as appropriate.  I understand and

          accept that unless I am released in writing by an

          authorized representative of the NASA Security Office,

          the terms of this certificate and my obligation to

          protect all U.S. classified cryptographic information

          to which I may have access apply during the time of my

          access and at all times afterward.



ACCESS GRANTED THIS                  DAY OF                19



___________________________________  ___________________________

SIGNATURE                            NAME/GRADE/SSN



___________________________________  ____________________________

SIGNATURE OF ADMINISTERING OFFICIAL  NAME/GRADE/OFFICIAL POSITION



SECTION TWO



TERMINATION OF ACCESS TO U.S. CLASSIFIED CRYPTOGRAPHIC

INFORMATION



I am aware that my authorization for access to U.S. classified

cryptographic information is being withdrawn.  I fully appreciate

and understand that the preservation of the security of this

information is of vital importance to the welfare and defense of

the United States.  I certify that I will never divulge any U.S.

classified cryptographic information I acquired, nor discuss with

any person any of the U.S. classified cryptographic information

to which I have had access, unless and until freed from this

obligation by unmistakable notice from proper authority.  I have

read this agreement carefully and my questions, if any, have been

answered to my satisfaction.  I acknowledge that the briefing

officer has made available to me Title 18, United States Code,

Sections 641, 793, 794, 798, and 952.



ACCESS WITHDRAWN THIS                DAY OF               19



___________________________________  ____________________________

SIGNATURE                            NAME/GRADE/SSN



___________________________________  ____________________________

SIGNATURE OF ADMINISTERING OFFICIAL  NAME/GRADE/OFFICIAL POSITION







                      PRIVACY ACT STATEMENT



Authority to request Social Security Number (SSN) is Executive



Order 9397.  Routine and sole use of the SSN is to identify the



individual precisely, when necessary, to certify access to U.S.



classified and/or unclassified cryptographic information.  While



disclosure of your SSN is voluntary, failure to do so could delay



certification and, in some cases, prevent original access to U.S.



classified and/or unclassified cryptographic information.



__________________________________     __________________________

SIGNATURE                              DATE







                           ATTACHMENT

                               TO

                           APPENDIX C



PERTINENT PROVISIONS OF TITLE 18 OF THE UNITED STATES CODE



U.S.C. 18 - 641.  Public money, property or records



      Whoever embezzles, steals, purloins, or knowingly converts

to this use or the use of another or, without authority, sells,

conveys, or disposes of any records, voucher, money, or thing of

value of the United States or any department or agency thereof,

or any property made or being made under contract for the United

States or any department or agency thereof or;



      Whoever receives, conceals, or retains the same with intent

to convert it to his or her gain, knowing it to have been

embezzled, stolen, purloined, or converted--



      Shall be fined not more than $10,000 or imprisoned not more

than 10 years, or both; but if the value of such property does

not exceed the sum of $100, he shall be fined not more than

$1,000 or imprisoned not more than 1 year, or both.



      The word "value" means face, par, or market value, or cost

price, either wholesale or retail, whichever is greater.



U.S.C. 18 - 793.  Gathering, transmitting, or losing defense

information



      (a)  Whoever, for the purpose of obtaining information

respecting the national defense with intent or reason to believe

that the information is to be used to the injury of the United

States, or to the advantage of any foreign nation, goes upon,

enters, flies over, or otherwise obtains information concerning

any vessel, aircraft, work of defense, navy yard, naval station,

submarine base, fueling station, fort, battery, torpedo station,

dockyard, canal, railroad, arsenal, camp, factory, mine,

telegraph, telephone, wireless, or connected with the national

defense owned or constructed, or in progress of construction by

the United States or under the control of the United States, or

of any of its officers, departments, or agencies, or within the

exclusive jurisdiction of the United States, or any place in

which any vessel, aircraft, arms, munitions, or other materials

or instruments for use in time of war are being made, prepared,

repaired, stored, or are the subject of research or development,

under any contract or agreement with the United States or any

department or agency thereof, or with any person on behalf of the

United States or any prohibited place so designated by the

President by proclamation in time of war or in case of national

emergency in which anything for the use of the Army, Navy, or Air

Force is being prepared or constructed or stored, information

about which prohibited place the President has determined would

be prejudicial to the national defense; or



      (b)  Whoever, for the purpose aforesaid, and with like

intent or reason to believe, copies, takes, makes, or obtains, or

attempts to copy, take, make, or obtain, any sketch, photograph,

photographic negative, blueprint, plan, map, model, instrument,

appliance, document, writing, or note of anything connected with

the national defense; or



      (c)  Whoever, for the purpose aforesaid, receives or

obtains or agrees or attempts to receive or obtain from any

person, or from any source whatever, any document, writing, code

book, signal book, sketch, photograph, photographic negative,

blueprint, plan, map, model, instrument, appliance, or note or

anything connected with the national defense, knowing or having

reason to believe, at the time he or she receives or obtains, or

agrees or attempts to receive or obtain it, that it has been or

will be obtained, taken, made, or disposed of by any person

contrary to the provisions of this Chapter; or



      (d)  Whoever, lawfully having possession of, access to,

control over, or being entrusted with any document, writing, code

book, signal book, sketch, photograph, photographic negative,

blueprint, plan, map, model, instrument, appliance, or note

relating to the national defense, or information relating to the

national defense which information the possessor has reason to

believe could be used to the injury of the United States or to

the advantage of any foreign nation, willfully communicates,

delivers, transmits, or causes to be communicated, delivered or

transmitted or attempts to communicate, deliver, transmit, or

cause to be communicated, delivered, or transmitted the same to

any person not entitled to receive it, or willfully retains the

same and fails to deliver it on demand to the officer or employee

of the United States entitled to receive it; or 



      (e)  Whoever, having unauthorized possession of, access to,

or control over any document, writing, code book, signal book,

sketch, photograph, photographic negative, blueprint, plan, map,

model, instrument, appliance, or note relating to the national

defense, or information relating to the national defense which

information the possessor has reason to believe could be used to

the injury of the United States or to the advantage of any

foreign nation, willfully communicates, delivers, transmits, or

causes to be communicated, delivered, or transmitted, or attempts

to communicate, deliver, transmit, or cause to be communicated,

delivered, or transmitted the same to any person not entitled to

receive it, or willfully retains the same and fails to deliver it

to the officer or employee of the United States entitled to

receive it; or



      (f)  Whoever, being entrusted with or having lawful

possession or control of any document, writing, code book, signal

book, sketch, photograph, photographic negative, blueprint, plan,

map, model, instrument, appliance, note, or information, relating

to the national defense, (1) through gross negligence permits the

same to be removed from its proper place of custody or delivered

to anyone in violation of his or her trust, or to be lost,

stolen, abstracted, or destroyed, or (2) having knowledge that

the same has been illegally removed from its proper place of

custody or delivered to anyone in violation of his trust, or

lost, or stolen, abstracted, or destroyed, and fails to make

prompt report of such loss, theft, abstraction, or destruction to

his superior officer--

      

      Shall be fined not more than $10,000 or imprisoned not more

than 10 years, or both.



      (g)  If two or more persons conspire to violate any of the

foregoing provisions of this Section, and one or more of such

persons do any act to effect the object of the conspiracy, each

of the parties to such conspiracy shall be subject to the

punishment provided for the offense that is the object of such

conspiracy.



      (h)(1)  Any person convicted of a violation of this Section

shall forfeit to the United States, irrespective of any provision

of State law, any property constituting, or derived from, any

proceeds the person obtained, directly or indirectly, from any

foreign government, or any faction or party or military or naval

force within a foreign country, whether recognized or

unrecognized by the United States, as the result of such

violation.  

          

         (2)  The court, in imposing sentence on a defendant for

a conviction of a violation of this Section, shall order that the

defendant forfeit to the United States all property described in

paragraph (1) of this subsection.



         (3)  The provisions of subsections (b),(c), and (e)

through (o) of section 413 of the Comprehensive Drug Abuse

Prevention and Control Act of 1970 (21 U.S.C. 853(b), (c), and

(e)-(o) shall apply to --



             (A)   property subject to forfeiture under this

                   subsection;



             (B)   any seizure or disposition of such property;

                   and



             (C)   any administrative or judicial proceeding in  



                   relation to such property, if not inconsistent

                   with this subsection.



        (4)  Notwithstanding section 524(c) of Title 28, there

shall be deposited in the Crime Victims Fund in the Treasury all

amounts from the forfeiture of property under this subsection

remaining after the payment of expenses for forfeiture and sale

authorized by law.



U.S.C. 18 - 794.  Gathering or delivering defense information to

aid foreign governments



      (a)  Whoever, with intent or reason to believe that it is

to be used to the injury of the United States or to the advantage

of a foreign nation, communicates, delivers, or transmits, or

attempts to communicate, deliver, or transmit, to any foreign

government, or to any faction or party or military or naval force

within a foreign country, whether recognized or unrecognized by

the United States, or to any representative, officer, agent,

employee, subject, or citizen thereof, either directly or

indirectly, or any document, writing, code book, signal book,

sketch, photograph, photographic negative, blueprint, plan, map,

model, note, instrument, appliance, or information relating to

the national defense, shall be punished by death or by

imprisonment for any term of years or for life.



      (b)  Whoever, in time of war, with intent that the same

shall be communicated to the enemy, collects, records, publishes,

or communicates, or attempts to elicit any information with

respect to the movement, numbers, description, condition, or

disposition of any of the Armed Forces, ships, aircraft, or war

material of the United States, or with respect to the plans or

conduct, or supposed plans or conduct of any naval or military

operations, or with respect to any works or measures undertaken

for or connected with, or intended for the fortification of

defense of any place, or any other information relating to the

public defense, which might be useful to the enemy, shall be

punished by death or by imprisonment for any term of years or for

life.



      (c)  If two or more persons conspire to violate this

Section, and one or more of such persons do any act to effect the

object of the conspiracy, each of the parties to such conspiracy

shall be subject to the punishment provided for the offense that

is the object of such conspiracy.



      (d)(1)  Any person convicted of a violation of this Section

shall forfeit to the United States irrespective of any provision

of State law--



             (A)   any property constituting, or derived from,

                   any proceeds the person obtained directly or

                   indirectly, as the result of such violation,

                   and



             (B)   any of the person's property used, or intended

                   to be used in any manner or part, to commit,

                   or to facilitate the commission of, such

                   violation.



      (d)(2)  The court, in imposing sentence on a defendant for

a conviction of a violation of this Section, shall order that the

defendant forfeit to the United States all property described in

paragraph (1) of this subsection.



      (d)(3)  The provisions of subsections (b)(c) and (e)

through (o) of section 413 of the Comprehensive Drug Abuse

Prevention and Control Act of 1970 (21 U.S.C. 853(b) (c) and (e)-

(o) shall apply to--



             (A)   property subject to forfeiture under this

                   subsection;



             (B)   any seizure or disposition of such property;

                   and



             (C)   any administrative or judicial proceeding in

                   relation to such property, if not inconsistent

                   with this subsection.



      (d)(4)  Notwithstanding Section 524(c) of Title 28, there

shall be deposited in the Crime Victims Fund in the Treasury all

amounts from the forfeiture of property under this subsection

remaining after the payment of expenses for forfeiture and sale

authorized by law. 



U.S.C. 18 - 798.  Disclosure of classified information



      (a)  Whoever knowingly and willfully communicates,

furnishes, transmits, or otherwise makes available to an

unauthorized person, or publishes, or uses in any manner

prejudicial to the safety or interest of the United States or for

the benefit of any foreign government to the detriment of the

United States any classified information--



          (1)  concerning the nature, preparation, or use of any

code, cipher, or cryptographic system of the United States or any

foreign government; or



          (2)  concerning the design, construction, use,

maintenance, or repair of any device, apparatus, or appliance

used or prepared or planned for use by the United States or any

foreign government for cryptographic or communication

intelligence purposes; or 



          (3)  concerning the communication intelligence

activities of the United States or any foreign government; or



          (4)  obtained by the processes of communication

intelligence from the communications of any foreign government,

knowing the same to have been obtained by such processes--



      Shall be fined not more than $10,000 or imprisoned not more

than 10 years, or both.



      (b)  As used in subsection (a) of this section--



      The term "classified information" means information which,

at the time of a violation of this Section, is, for reasons of

national security, specifically designated by a United States

Government Agency for limited or restricted dissemination of

distribution;



      The terms "code," "cipher," and "cryptographic system"

include in their meanings, in addition to their usual meanings,

any method of secret writing and any mechanical or electrical

device or method used for the purpose of disguising or concealing

the contents, significance, or meanings of communications; 

 

      The term "foreign government" includes in its meaning any

person or persons acting or purporting to act for, or on behalf

of, any faction, party, department, agency, bureau, or military

force of or within a foreign country, or for, or on behalf of,

any government or any person or persons purporting to act as a

government within a foreign country, whether or not such

government is recognized by the United States;



      The term "communication intelligence" means all procedures

and methods used in the interception of communications and the

obtaining of information from such communications by other than

the intended recipients;



      The term "unauthorized person" means any person who, or

agency which, is not authorized to receive information of the

categories set forth in subsection (a) of this Section, by the

President, or by the head of a department or agency of the United

States Government which is expressly designated by the President

to engage in communication intelligence activities of the United

States.



      (c)  Nothing in this Section shall prohibit the furnishing,

upon lawful demand, of information to any regularly constituted

committee of the Senate or House of Representatives of the United

States of America, or joint committee thereof.



 952. Diplomatic codes and correspondence

      Whoever, by virtue of his employment by the United States,

obtains from another or has or has had custody of or access to,

any official diplomatic code or any matter prepared in any such

code, or which purports to have been prepared in any such code,

and without authorization or competent authority, willfully

publishes or furnishes to another any such code or matter, or any

matter which was obtained while in the process of transmission

between any foreign government and its diplomatic mission in the

United States, shall be fined not more than $10,000 or imprisoned

not more than 10 years, or both.







                           APPENDIX D





                  SAMPLE EMERGENCY ACTION PLAN





1.    Purpose.  To protect and minimize the risk of compromise of

Communications Security (COMSEC) material during emergency

situations.



2.    Discussion.  National COMSEC policy requires that all

organizations holding classified or Controlled Cryptographic

Items (CCI) COMSEC material have an Emergency Action Plan with

procedures for the protection of such material during natural

disasters and accidental emergencies (such as fire, flood,

tornado, and earthquake).  The actions contained within this Plan

provide for the security to the material without endangering the

lives or safety of personnel implementing the Plan. 

Specifically, the Plan provides for:



      a.  Fire reporting.



      b.  Assignment of on-the-scene responsibility for ensuring

protection of the COMSEC material held.



      c.  Securing of classified COMSEC material and evacuation

of the area.



      d.  Protection of material when admission of outside fire-

fighters into the secure area is necessary.



      e.  Assessment and reporting of probable exposure of

classified COMSEC material to unauthorized persons during the

emergency.



      f.  Post-emergency inventory of classified and CCI COMSEC

material and the reporting of any losses or unauthorized

exposures to appropriate authority.



3.    Implementation.  The Lead Communicator may direct the

stowage of COMSEC material in the event of an occurring or

predicated emergency situation.  In the absence of the Lead

Communicator, the COMSEC Custodian will take the action outlined

in subsequent paragraphs to safeguard the COMSEC material.  The

actions are directed toward maintaining positive control over the

material while not endangering the health or safety of personnel.



4.    Action



      a.  Fire reporting.  In the event a fire is discovered

within the Message Processing Center, the following actions will

be taken, as the situation permits:



          (1) The person discovering the fire should immediately

alert all others in the vicinity by loudly shouting "Fire!", then

sound the alarm by pulling the alarm located inside the Message

Processing Center (MPC), to the right of the main door.



          (2) The person discovering the fire should immediately

telephone the Headquarters Safety Officer on 358-1440.  State his

or her name, and report the location of the fire by building

number, floor number, and room number.  The MPC is located in

Building HQ, Room 1C-42.



          (3) If possible, without endangering the safety of MPC

personnel, attempt to extinguish the fire using the CO2

extinguisher located inside the MPC, to the right of the main

door.



          (4) Carry out the actions regarding the evacuation of

the spaces outlined in paragraph 4(c) of this Plan.



      b.  Responsibility for safeguarding COMSEC material.  All

personnel assigned to the MPC are responsible for safeguarding

COMSEC material.  In the event of an emergency situation, the

COMSEC Custodian has primary on-scene responsibility for ensuring

the protection of the material.  In the absence of the Custodian,

the Alternate Custodian assumes this responsibility.  In the

unlikely event that both of these individuals are absent, the

remaining MPC personnel will assume responsibility for carrying

out the actions contained in this Plan.



      c.  Securing of classified material and evacuation



          (1) If the situation permits, open the safe and stow

all COMSEC material that may have been removed from the safe

(KAM's, KAO's, etc.).  Stow all 5.25" AUTODIN disks.  Secure the

safe.



          (2) Remove the COMSEC Register files for Account 800121

from the file box located on the COMSEC Custodian's desk and

place in an envelope.  This envelope will be taken by MPC

personnel when evacuation occurs.



          (3) Remove the three inventory folders located inside

the vault door, and to the right of the door, and prepare to

evacuate the spaces with these three folders and the COMSEC

Register file envelope.



          (4) Send a QRT (Stop sending message traffic) notice on

AUTODIN to the Pentagon.



          (5) Lock the vault door.  Evacuate the spaces, taking

the COMSEC Register file envelope and three inventory folders. 

Set the alarm as you exit, and secure the door to the MPC. 

Follow the directions of the floor wardens and proceed to the

designated evacuation area, remaining well clear of the building.



          (6) If the situation does not allow for stowage of

material, evacuate immediately.  Take the three inventory folders

if possible, but not if it will endanger lives.



      d.  Protection of material when admission of outside

firefighters is necessary.  In the event that it becomes

necessary to admit firefighters or other emergency personnel, the

following protective measures are to be followed:



          (1) If the situation permits, open the safe and stow

any COMSEC material that may have been removed.  Secure the safe.



          (2) If unable to stow the material in the safe, take

whatever actions are necessary to minimize fire team exposure to

COMSEC material without hindering firefighting efforts.  For

example, cover or stow the material in a desk drawer.



      e.  Assessment and reporting of probable exposure of

classified COMSEC material to unauthorized persons during

emergency situations.  In the event that probable exposure of

classified COMSEC material occurs, the following actions are to

be taken:



          (1) If possible, obtain the name, citizenship, and

clearance level (if any), of the unauthorized persons.



          (2) Make a complete list of the COMSEC material

involved.



          (3) Using a STU-III telephone, notify the NASA Central

Office of Record (COR) of the details of the incident.  The NASA

COR may direct additional reporting.



      f.  Post-emergency inventory of classified and CCI COMSEC

material.  Upon resolution of the emergency situation, the

following actions will be taken:



          (1) Conduct a complete inventory of all classified and

CCI COMSEC material.



          (2) Report any discrepancies/losses to the NASA COR

immediately.



      g.  Other natural disasters/emergencies.  Other natural

disasters, such as floods, earthquakes, or hurricanes, may

require the evacuation of the Message Processing Center.  Follow

the procedures in paragraphs 4 (c), (d), (e), and (f) of this

Appendix D.



5.    Destruction of COMSEC Material.  While destruction of

COMSEC material is usually not considered in a CONUS location's

Emergency Action Plan, the possibility of destruction prior to

evacuation in the case of other natural disasters/emergencies

will be discussed with the NASA Central Office of Record (COR),

Code JIS, and will only occur at the direction of that office.



This NTISSI is being updated--at that time, some minor changes

will need to be made to this text.







                           APPENDIX E



                    (Figure 1--See hardcopy)



                    (Figure 2--See hardcopy)



                    (Figure 2a--See hardcopy)



                    (Figure 3--See hardcopy)

                                



1.   ANCHORAGE                10.  MCCORD

     Building 31-260               Building 1410

     Elmendorf AFB, Alaska         McCord AFB

                                   Tacoma, WA

2.   BOSTON                        Comm:  (206)984-5908/2426

     Building 225

     Naval Air Station        11.  MCGUIRE

     South Weymouth, MA            Building 17-02

     Comm:  (617)786-2780/         Air Freight Warehouse

     2781/2857/2958/2558           McGuire AFB, NJ

                                   FTS:  484-4534

3.   CHARLESTON                    Comm:  (609)723-7937

     Air Freight Bldg (S-178)      

     Charleston AFB, SC       12.  NORFOLK

     Comm:  (803)554-2191/         Building LP-82

     3603/2401                     Naval Air Station

                                   Norfolk, VA

4.   DENVER                        Comm:  (804)444-3471/72/73

     Building 612

     Rocky Mountain Arsenal   13.  OFFUTT

     Commerce City, CO             MOD "B"

     Comm:  (303)289-0289/0294     Offutt AFB, NE

                                   Comm:  (402)294-5354/55/56

5.   DOVER

     Building 506             14.  SAN DIEGO

     Dover AFB, DE                 Building 1

     Comm:  (302)678-6063/64       937 North Harbor Drive

                                   San Diego, CA

6.   HONOLULU                      Comm:  (714)235-3381/82

     Building 4069 

     Air Freight Building     15.  TRAVIS

     Hickam AFB, HI                Building 934

     Comm:  (808)449-1130          Travis AFB

                                   Fairfield, CA

7.   JACKSONVILLE                  Comm:  (707)438-2641/42

     Building 934

     Box 32, Naval Air Station 16. WASHINGTON

     Jacksonville, FL 32212/0032   7455 "A" New Ridge Road

     Comm:  (904)772-2784          Linthicum, MD

     FAX:  (904)772-5032           Comm:  (301)677-2144/45



8.   KELLY                    17.  WRIGHT-PATTERSON

     Building 1470                 Building 829, Area A

     Kelly AFB, TX                 Wright-Patterson AFB, OH

     Comm:  (512)925-3704          Comm:  (513)257-3121/6130



9.   LOS ANGELES                   

     Building 205

     Los Angeles AF Station

     El Segundo, CA

     Comm:  (213)643-1878/79



                FIGURE 4:  DCS Station Addresses





                    (Figure 5--See hardcopy)



                    (Figure 6--See hardcopy)



                    (Figure 6--See hardcopy)



                    (Figure 8--See hardcopy)



                    (Figure 9--See hardcopy)



                    (Figure 10--See hardcopy)



                    (Figure 11--See hardcopy)



                    (Figure 12--See hardcopy)



                   (Appendix F--See hardcopy)