COMMUNICATIONS SECURITY (COMSEC)
USER REQUIREMENTS
This Air Force instruction (AFI) implements Air Force Policy Directive (AFPD) 33-2, C4 Systems Security, AFI 33-201, (C)The Communications Security (COMSEC) Program (U) (formerly Air Force Systems Security Instruction [AFSSI] 4100), and AFKAG-1, Air Force Communications Security (COMSEC) Operations. It outlines responsibilities and clarifies procedures for the communications security (COMSEC) responsible officer (CRO) and COMSEC users to properly secure COMSEC material the local COMSEC manager issued to them. Refer technical comments to Headquarters, Air Force Command, Control, Communications, and Computer Agency, C4 Systems Security Office (HQ AFC4A/SYS), 203 W. Losey Street, Room 2040, Scott AFB IL 62225-5218. Refer recommended changes and conflicts between this and other publications on an AF Form 847, Recommendation for Change of Publication, through channels, to HQ AFC4A, Policy Branch (XPXP), 203 W. Losey Street, Room 1065, Scott AFB IL 62225-5224. This instruction applies to all users who receive COMSEC material from Air Force COMSEC channels.
SUMMARY OF REVISIONS
HMinor procedural changes throughout. Clarifies and updates guidance for COMSEC users. Prescribes Air Force Communications Security (AFCOMSEC) Form 30, COMSEC Responsible Officer and User Training Checklist. A H indicates revisions from the previous edition.
Paragraph
Section A--General Instructions
- Introduction 1
- Objective 2
Section B--Management and Responsibilities for Communications Security Material
- Authorizing the Receipt and Transport of Communications Security Aids 3
- Communications Security Responsibilities 4
- Producing Communications Security Aids 5
- Requesting Communications Security Material 6
- Authorized Access 7
- Issuing to Communications Security Users 8
Section C--Administrative Security Procedures
- Communications Security Forms 9
- Records Maintenance and Disposition 10
- Standard Accounting Legend Codes 11
- Status Information 12
Section D--Physical Security Requirements for Communications Security Operations
- Physical Security Requirements 13
- Access Controls and Procedures 14
- Over-The-Counter Service 15
- Storing Computer Security Information and Material 16
- Security Checks 17
___________________________________________________________________________________________________
Supersedes AFI 33-211, 30 June 1994. Certified by: HQ USAF/SCXX (Col Leonard E. Kaplan)
OPR: HQ AFC4A/SYS (CMS James R. Hogan) Pages: 30/Distribution: F
Paragraph
Section E--Safeguarding and Controlling
- Operating Instructions 18
- Inventory and Accounting Requirements 19
- Page Checks of Classified Communications Security Publications 20
- Amending Communications Security Publications 21
- Accounting For and Disposing of Amendments 22
- Routine Destruction 23
- Routine Destruction Security 24
- Scheduling Routine Destruction 25
- Routine Destruction Methods 26
- Witnesses 27
- Destruction Records 28
Section F--Control of TOP SECRET Keying Material
- Introduction 29
- Exceptions 30
- Two-Person Integrity of TOP SECRET Keying Material 31
- Production 32
- Transportation 33
- Storing Material 34
- Use 35
- Recording Combinations 36
- Two-Person Integrity Incidents 37
- Waivers 38
Section G--Emergency Action Plans
- Introduction 39
- Emergency Protection Planning 40
- Emergency Action Plan 41
- Basic Contents of Plans 42
- Planning for Fire, Natural Disasters, and Bomb Threats 43
- Planning for Hostile Actions 44
- Precautionary Actions 45
- Emergency Destruction Priorities 46
- Combined Priority List 47
- Methods and Extent of Emergency Destruction 48
- Emergency Destruction Tools 49
- Identifying Sensitive Pages in Maintenance Manuals 50
- Emergency Destruction in Aircraft 51
- Reporting Precautionary and Total Destruction 52
Section H--Communications Security Incidents
- Communications Security Incident Reporting 53
- Reporting Procedures 54
Section I--Communications Security Inspection Program
- Communications Security Functional Review Program 55
- Communications Security Functional Reviews 56
- Functional Review Checklist 57
- Communications Security Functional Review Procedures 58
Forms Prescribed
AFCOMSEC Form 1, COMSEC Users Receipt/Destruction Certificate (PA) 8.33
HAFCOMSEC Form 30, COMSEC Responsible Officer and User Training Checklist 4.1.6
Attachments
1. Glossary of References, Abbreviations, Acronyms, and Terms 18
2. Sample Appointment Letter for COMSEC Responsible Officers and Alternates 20
3. Sample COMSEC Requirements Letter 21
4. Sample COMSEC Access List 22
H5. Sample Emergency Action Plan 23
H6. List of COMSEC Forms 30
Section A--General Instructions
1. Introduction. This AFI sets procedures for CROs and COMSEC users. It describes their COMSEC duties and the minimum requirements for safeguarding, controlling, and destroying COMSEC material routinely and during an emergency. Controls apply to accessing, using, producing, developing, moving, storing, accounting for, and disposing of COMSEC material. This AFI also describes the two-person integrity (TPI) policy and procedures for all TOP SECRET COMSEC key and TOP SECRET key-generating equipment. It contains general COMSEC information of interest to all CROs and COMSEC users who receive COMSEC aids.
2. Objective. This AFI provides CROs and COMSEC users with detailed procedures for protecting and safeguarding COMSEC material.
Section B--Management and Responsibilities for Communications Security Material
H3. Authorizing the Receipt and Transport of Communications Security Aids. The authorizing official of each section that needs COMSEC aids appoints, by letter, a primary CRO and at least one alternate to receive material from the COMSEC account (see attachment 2). The letter includes each individual's name, rank, social security number (SSN), security clearance (including North Atlantic Treaty Organization [NATO] access), duty telephone, and locations the individuals may carry COMSEC aids to and from. The CRO and alternates carry copies of the letters when they transport COMSEC aids. The authorizing official updates this letter to reflect changes as they occur.
3.1. Persons appointed as primary CROs must have a minimum grade of staff sergeant or General Schedule (GS)-5. Alternates must have a minimum grade of sergeant or GS-4. Wage grade personnel normally do not include administrative responsibilities. When appointment is necessary, administrative responsibilities will be comparable to GS-5 for CRO or GS-4 for alternate CRO. Appoint foreign nationals as CROs, provided they hold only material that is releasable to their country. They must hold comparable grades required of United States (U.S.) personnel. The local unit commander must approve waivers for personnel with lower grades. Process waivers through the COMSEC manager.
3.2. Make sure CROs are trained by the COMSEC manager and know they are accountable for the material they receive. When a CRO transfers, make sure another CRO or alternate signs for COMSEC aids. Contact the COMSEC manager for approval to transfer COMSEC aids and to prepare new hand receipts.
H4. Communications Security Responsibilities:
4.1. COMSEC Manager. The local COMSEC manager:
4.1.1. Receives all COMSEC aids intended for issue to CROs, issues all COMSEC material on Standard Form (SF) 153, COMSEC Material Report, and instructs CROs and alternates, in writing, how to use, control, and store the material.
4.1.2. Audits and inventories user's accounting legend codes (ALC)-1 and ALC-2 COMSEC material control system (CMCS) holdings.
4.1.3. Provides guidance on setting up CRO functions.
4.1.4. Gives CROs information on effective dates, suppression dates, compromise information, and physical security requirements for operational systems before issuing COMSEC material.
4.1.5. Enters the required status information on the AFCOMSEC Form 21, Disposition Record for KI-1B/C Keytapes; AFCOMSEC Form 22A, Disposition Record for Single Copy Keytapes (Except KI-1B/C); AFCOMSEC Form 22B, Disposition Record for Multicopy Keytapes (Except KI-IB/C); or on the front covers before issuing COMSEC aids.
4.1.6. Ensures CRO and alternate CRO receive training. Use this AFI and other applicable publications to set up an effective training program. NOTE: Use AFCOMSEC Form 30, to document initial training of all CROs, alternate CROs, and users.
4.2. Commander. The commander of each unit that needs COMSEC aids:
4.2.1. Makes sure the authorizing official names, in writing, a CRO (staff sergeant, GS-5, or above) and at least one alternate (sergeant, GS-4, or above), to receive COMSEC aids.
4.2.2. Makes sure that adequate, approved security containers or facilities are available for storing COMSEC aids.
4.2.3. Takes immediate, corrective action in response to discrepancies identified during a command COMSEC functional review or a base COMSEC manager semiannual functional review. All functional review reports require the commander's action or endorsement.
4.2.4. May appoint more than one CRO in large units, depending on the number of COMSEC users and the volume of material handled.
4.2.5. Makes sure than a destruction device as listed in AFKAG-1, Annex F is readily available.
4.3. CROs:
4.3.1. Respond to new or changing requirements by asking for aids from the COMSEC account.
4.3.2. Review annually the requirement for COMSEC material, assess its validity, and give the COMSEC manager a written list of required items including an authority (that is, plan, regulation, operation order, and so forth) for each item.
4.3.3. Write a new requirements letter to the COMSEC manager whenever requirements change (see attachment 3).
4.3.4. Make sure all persons granted access to COMSEC aids have proper clearance and a valid need to know by comparing those listed on the access list to the local automated security clearance approval system (ASCAS) roster.
4.3.5. Keep an accurate list of persons with authorized access to COMSEC holdings (see attachment 4). Use Air Force (AF) Form 1109, Visitor Register Log, or Federal Aviation Administration (FAA) Form 1600-8 (for FAA accounts), to report access by persons not on the list. For COMSEC users located in controlled facilities, keep a separate visitor's log to record access to the COMSEC material. Verify monthly, by date and initials, the final clearance of all personnel on the access list.
4.3.6. Set up a comprehensive, periodic training program to make sure all personnel with authorized access know how to handle, control, and use the material. Conduct initial training and use AFCOMSEC Form 30 to document it. Complete a separate training checklist for each person with access. Provide annual refresher training to all personnel who have been granted access. Record the date, subjects covered, and persons trained. Keep training documentation from command functional review to command functional review.
4.3.7. Take responsibility for all COMSEC material they receive.
4.3.8. Take responsibility for receiving, accounting for, checking pages of, handling, using, and safeguarding all CMCS material that they or their alternate receives until it is destroyed or returned to the COMSEC account.
4.3.9. Develop a local operating instruction (OI) on handling, controlling, and protecting COMSEC assets, including inventory, TPI (if applicable), destruction, COMSEC incident reporting, and a requirement for persons who are responsible for COMSEC material to get the COMSEC manager's clearance from responsibility before leaving their current assignment. Coordinate the OI with the COMSEC manager.
4.3.10. Perform inventories, per paragraph 19.
4.3.11. Verify COMSEC materials are inventoried according to their respective ALC.
4.3.12. Carry out duties the COMSEC manager requires, such as performing page checks, and so forth.
4.3.13. Issue COMSEC materials to user activities per this instruction, when applicable.
4.3.14. Give a receipt to transient personnel who turn in material for safekeeping. When the person reclaims the material, retrieve the receipt for the material from the transient personnel. Your accountability for the material ends.
4.3.15. Destroy COMSEC aids per Section E.
4.3.16. Return or destroy all material as the COMSEC manager directs.
4.3.17. Keep all records according to Air Force Manual (AFMAN) 37-139, Records Disposition-Standards.
4.3.18. Develop an emergency action plan (EAP)that consists of task cards, coordinate it with the COMSEC manager, and conduct EAP training per Section G.
4.3.19. Use a checklist to ensure completion of required security checks.
4.3.20. Provide an update report every 60 days on findings identified during functional reviews, or as the COMSEC manager directs, until they are corrected.
4.3.21. Report all known or suspected COMSEC incidents to the COMSEC manager.
4.3.22. Familiarize all personnel who are granted access with applicable Air Force publications and specialized COMSEC publications (for example, OIs, AFI 33-211, KAMs, KAOs, and so forth) semiannually.
4.2.23. Make sure users are enrolled in the cryptographic access program (CAP), if required.
4.4. COMSEC Users. COMSEC users have access to COMSEC aids and the responsibility for safeguarding them. COMSEC's ultimate success or failure rests with the material's individual users. The careless user or the user who fails to follow procedures for using, safeguarding, and destroying COMSEC material wastes all security efforts. COMSEC users must make sure that anyone who receives materials has authorization. Users must follow all security rules at all times and report to the CRO or the COMSEC manager any circumstances or intentional or inadvertent acts which could lead to disclosure of classified information, including its loss, improper use, unauthorized viewing, or any other instance that could possibly jeopardize the value of COMSEC aids. COMSEC users:
4.4.1. Safeguard COMSEC material according to this document and control the material locally until they destroy it or turn it in.
4.4.2. Return material to the CROs on request.
4.4.3. Familiarize themselves with procedures for using material they receive.
4.4.4. Report immediately any known or suspected compromise of COMSEC material to the CRO or COMSEC manager.
H5. Producing Communications Security Aids. Only the National Security Agency (NSA), the service cryptology elements, and the Air Intelligence Agency are authorized to produce nomenclature and non-nomenclature COMSEC aids. Other Air Force activities must not originate, formulate, or produce keylists, codes, ciphers, callsigns, authenticators, or any other form of COMSEC aids. Do not remove, copy, or reproduce any part of COMSEC keying material unless the authority controlling the material permits it or it's authorized in the material's handling instructions. Other activities may make extracts from general publications when authorized in the document's handling instructions.
H6. Requesting Communications Security Material. CROs tell the COMSEC manager what COMSEC aids they need to support the mission, by letter (see attachment 3).
6.1. Emergency requests (less than 30 days notice before the required in-place date) must include a fund citation from the requesting unit to cover additional Defense Courier Service costs.
6.2. Process requests for COMSEC equipment through the standard base supply system (SBSS). Send a COMSEC material requirements letter to the COMSEC manager at the same time to make sure COMSEC material is on hand when required.
7. Authorized Access. Only U.S. citizens, whose official duties require it, may access keying material and equipment, except those specifically authorized for release to allies. Certain material and equipment may require enrollment in the CAP. Contact COMSEC account personnel for details of CAP needs.
7.1. For keying material, persons must have a security clearance equal to or higher than the classification level of the keying material involved.
7.2. For keyed or unkeyed equipment, persons must have a security clearance equal to or higher than the classification level of the equipment or of the keying material, whichever classification is higher.
7.3. For TOP SECRET keying material, Section F applies.
H8. Issuing to Communications Security Users. In general, keying material must remain under the COMSEC manager's control until issued and the CRO's control until just before its effective period.
8.1. Normally issue users no more than one month's supply of material; however, if a user needs more for an active mission, the COMSEC manager issues sufficient COMSEC aids to meet the need, but not more than 120 days' worth.
8.2. Except for special circumstances, do not issue users a new month's material more than 10 duty days before its effective date.
8.3. Do not carry complete documents onto aircraft to use in flight, except those systems designed to be carried and used in flight as a completed document. Take only the necessary codes and authentication tables. You may issue complete canisters of key for use on aircraft however, all unused key must be returned to the issuing CRO upon mission completion.
8.3.1. Extended aircraft missions may require more keying material than the handling instructions permit, particularly if restocking en route is impractical. When the controlling authority or the document's handling instructions authorize it, use the following procedures for all cryptographic systems to meet occasional requirements for extended mission support.
8.3.1.1. Do not provide more material than needed simply for the user's convenience; however, issue enough extracts to support mission requirements.
8.3.1.2. Carry complete canisters of keytapes or keylists (current plus three months supply) on board. If a flight begins during the effective period of the keylist or keytape, remove and destroy superseded settings or segments so you take only the effective and future key settings or segments on board. Users must destroy each key setting within 12 hours after supersession provided destruction facilities are available. If destruction facilities are not available, hold superseded material until the aircrew arrives at a location where they are.
8.3.1.3. Carry up to a current plus three-month supply of codes, authenticators, and one-time pads aboard an aircraft, but destroy the material within 12 hours of supersession.
8.3.1.4. Before releasing the material, the issuing authority should determine the feasibility of resupply en route and issue material accordingly.
8.3.2. When using the preceding procedures, the CRO must make sure users maintain strict accountability and destroy superseded keys within established time frames. When issuing ALC-1 COMSEC aids directly to transient or special purpose aircraft aircrews whose mission makes it probable they will not return the material, disposition record, or destruction certificates to the issuing office, annotate the receipt (SF 153 or AFCOMSEC Form 1, COMSEC Users Receipt/Destruction Certificate [PA]) with the statement: I FULLY UNDERSTAND THE RULES FOR THE PROTECTION AND PROPER DESTRUCTION OF THE ABOVE MATERIAL INDICATED ON THIS HAND RECEIPT, ACCORDING TO AFI 33-211. The CRO files and keeps the properly completed receipt with the destruction certificates. This is a procedure commonly referred to as "presumed destruction" and pertains only to transient and special purpose aircraft. The Air Force still expects transient and special purpose aircraft aircrews to properly handle, protect, and destroy COMSEC aids even though they do not tell the issuer how they disposed of them. NOTE: Deploying aircrews who receive COMSEC material from their CRO must provide disposition and destruction records along with any unused COMSEC material to their CRO upon return to home station.
8.3.3. Aircrews must make every effort to destroy and record destruction of obsolete material during intermediate stops. If destruction facilities are not available, hold superseded material until the aircrew arrives at a location where they are. Destruction facilities are normally available at secure storage facilities such as base operations, base communications centers, and command posts.
Section C--Administrative Security Procedures
9. Communications Security Forms. Air Force Index 9, Numerical Index of Departmental Forms, lists forms used to satisfy COMSEC needs. Contact the local Publications Distribution Office (PDO) for forms. See attachment 7 for a list of forms and their uses. Use of computer generated AFCOMSEC forms is acceptable.
H10. Records Maintenance and Disposition.
10.1. Do not mix COMSEC aids with administrative correspondence or other non-COMSEC documents. As a minimum, use a file folder as a divider between these types of documents.
10.2. Dispose of all records per AFMAN 37-139. This requirement does not permit administrative or security personnel to inspect any COMSEC or COMSEC users' records.
10.3. Limit access to these records and files to those persons who manage, administer, operate, and maintain COMSEC aids and equipment.
10.4. Do not use correction fluid ("whiteout") or correction tape on COMSEC records that affect control and accountability of material.
10.5. During records maintenance and administrative staff assistance visits and program management reviews, reviewers may only check the AF Form 80, Files Maintenance and Disposition Plan. Reviewers will not be granted access to COMSEC materials, records, or files.
H11. Standard Accounting Legend Codes. The originating agency assigns ALC numbers to COMSEC material to identify the minimum accounting controls the material requires.
11.1. ALC-1 material is continuously accountable by accounting number within the CMCS. When removed from an authorized security container, the material must be under the personal control of a cleared person. Do not release this material to any person or organization without the COMSEC manager's consent. Handle unclassified keying material marked CRYPTO like other ALC-1, except store it in the most secure place available (that is, in an approved safe, locked file cabinet, locked desk, locked container, and so forth). Always store classified ALC-1 keying material in a locked container.
11.1.1. Use AFCOMSEC Form 16, COMSEC Account Daily-Shift Inventory, to make a sight inventory by short title, edition, accounting control number (ACN), and quantity, per paragraph 19.
11.1.2. Return material when the COMSEC manager asks and destroy it only in an emergency or as the COMSEC manager directs, except for issues to transient or deploying aircrews.
11.1.3. Ask the COMSEC manager, in writing, for additional copies of the material per paragraph 8. NOTE: Safeguard and account for controlled cryptographic item (CCI) equipment when you receive it from the CMCS with code ALC-1 per AFSAL 4001 policy (Defense Logistics Agency and FAA only). Inventory this CCI equipment received from the SBSS per AFMAN 23-110, USAF Supply Manual (formerly AFM 67-1).
11.2. ALC-2 material is continuously accountable by quantity within the CMCS. Control this material like ALC-1, except inventory by quantity rather than ACN.
11.3. Unless directed by the base COMSEC manager, ALC-4 material does not need to be inventoried. Protect ALC-4 material marked FOR OFFICIAL USE ONLY against unauthorized access, use, or possession. Classified ALC-4 material is protected commensurate with its classification level. Give only persons with a need to know access. When ALC-4 material is no longer needed, notify the COMSEC manager in writing.
H12. Status Information. A COMSEC key's short title, alphabetical edition designator with its effective date is classified per AFMAN 33-272, (S) Classifying Communications Security and TEMPEST Information(U). Never reveal it in unclassified correspondence.
Section D--Physical Security Requirements for Communications Security Operations
H13. Physical Security Requirements. The Air Force does not prescribe construction of special areas for storing and using COMSEC material. However, areas where COMSEC is used must meet the storage and other physical security requirements for the particular classification level of the COMSEC material (see AFI 31-401, Managing the Information Security Program). All activities that use COMSEC materials must practice good operations security.
H14. Access Controls and Procedures. CROs must only give persons with appropriate clearance and the need to know access to COMSEC material.
14.1. Set up controls to deny unauthorized persons access. Facilities with the locked-door system must challenge and identify persons before they enter. If guards are assigned, station them immediately outside the entrance. Regardless of the control system, entry procedures must identify persons seeking entry so they cannot view COMSEC activities before entering.
14.2. Limit unrestricted access to COMSEC material in a user facility to persons named on an officially published access list (see attachment 4). The list must contain the names and clearance levels of all persons who have COMSEC responsibilities in the facility, and should include the unit commander and supervisors. All personnel on the list must have a clearance equal to or higher than the COMSEC information to which they have access. Refer to AFI 31-501, Personnel Security Program Management, for processing of security clearances.
14.3. Verify personal clearance status from the ASCAS roster, and that the person's need to know exists. CROs must review the authorized access list monthly to ensure its accuracy and then mark the review date and their initials on the list. NOTE: The authorizing official (for FAA, Facility Manager) or CRO sign the authorized access list. Get security clearance information for civilian personnel (including Department of Defense and civil agency contractors) from the base security police office or other knowledgeable security offices.
14.4. Identify persons on the authorized access list who may authorize access to persons not on the list. Keep the number of persons authorized to admit others to a minimum.
14.5. Record the arrival and departure of all persons not named on the authorized access list, using AF Form 1109 or FAA Form 1600-8, (for FAA use only). For COMSEC users in controlled areas, keep an additional separate visitor register to record access to COMSEC material. Keep the current plus the previous 3-months of AF Form 1109 or FAA Form 1600-8 (for FAA use only) on file.
H15. Over-The-Counter Service. COMSEC accounts provide only over-the-counter service. They neither deliver nor permanently store materials for which users have established valid requirements. Users must have their own adequate storage facilities (for example, approved security container, vault, and so forth) and take responsibility for storing and accounting for material not later than one duty day before COMSEC aids' effective date.
H16. Storing Communications Security Information and Material. "Storage" as used here means using security containers, vaults, alarms, guards, and so forth, to protect classified COMSEC information and material during non-working hours or when authorized personnel do not directly and continuously control it. Storage does not mean filing in containers within a facility where personnel are always present. Some security containers or vaults may have been drilled open and then repaired. You may use containers that have been repaired and inspected for safeguarding capabilities (Technical Order 00-20F-2) to store COMSEC material.
16.1. COMSEC Material. All users who have classified COMSEC material must have immediate access to an authorized storage container to secure the material in case of area evacuation. Store COMSEC material as follows:
16.1.1. TOP SECRET:
16.1.1.1. A General Services Administration (GSA)-approved, Class 6 and above, steel security container from the Federal Supply Schedule.
16.1.1.2. A Class A vault.
16.1.1.3. An area under continuous surveillance by guards.
16.1.2. SECRET:
16.1.2.1. Same as paragraph 16.1.1.
16.1.2.2. In a Class B vault.
16.1.3. CONFIDENTIAL:
16.1.3.1. Same as paragraphs 16.1.1 or 16.1.2.
16.1.3.2. In a secure room.
16.1.3.3. Minimally, in a standard field safe.
16.1.4. UNCLASSIFIED CRYPTO:
16.1.4.1. Same as paragraphs 16.1.1, 16.1.2, or 16.1.3.
16.1.4.2. In the most secure place available (that is, locked cabinet, locked desk, and so forth).
16.2. Cryptographic Equipment and Components. When classified equipment and components are not installed in an operational configuration, store them in the most secure storage available. As a minimum, store it as required for non-COMSEC material of the same classification (see AFI 31-401). When no authorized person keeps or continuously watches unclassified cryptographic equipment, protect it by:
16.2.1. Storing unclassified equipment to prevent any reasonable chance of theft, sabotage, tampering, or unauthorized access.
16.2.2. Not storing cryptographic equipment or fill devices (KYK-13s or KYX-15s) in a keyed condition. When necessary to store it in a keyed condition, protect it at the same level as the key it contains and place it on the COMSEC inventory. See AFSSI 3021, (FOUO) Interim Operational Security Doctrine for the AN/CYZ-10/A Data Transfer Device (DTD)(U), and AFKAO-10 for DTD instructions.
16.2.3. Protect unkeyed CCI equipment that is not in a secured facility so, in the unit commander's judgment, there is no reasonable chance of theft, sabotage, tampering, or unauthorized access. When keyed, protect such equipment to prevent its unauthorized use or extraction of its key.
16.3. Other COMSEC Material. Safeguard material other than those that paragraphs 16.1 and 16.2 identify (that is, KAMs, KAOs, SAMs, crypto ancillary material), like other national security information of the same classification. Allow access to those who need to know. WARNING: Do not store funds, weapons, controlled substances (drugs), precious metals, or safe combinations and duplicate keys to containers that store these items, in any storage container with classified COMSEC material. Because these items are targets for theft, COMSEC material would be at increased risk.
16.4. Lock Combinations:
16.4.1. Change the lock combinations of security containers used for classified COMSEC material storage:
16.4.1.1. At least once a year (every 6 months for NATO, International Pact Organization, and Joint Publication 1-04, (S) Policy and Procedures Governing JCS Positive Control Material and Devices (U) material).
16.4.1.2. When a person who knows combinations no longer has access to the containers for any reason other than death.
16.4.1.3. When a container certified as locked is found open.
16.4.1.4. When and if the combination is compromised.
16.4.2. Classify the safe combination equal to the highest level of classified material you are authorized to store in it.
16.4.3. Store and file safe combinations by:
16.4.3.1. Completing SF 700, Security Container Information per the instructions.
16.4.3.2. Choosing a location that allows ready access in an emergency but is restricted to persons with proper clearance and the need to know. You need not record combinations with administrative TOP SECRET control since they are controlled within COMSEC channels. Do not store lock combinations in contingency communications facilities.
16.4.4. For each vault or container used to store classified material:
16.4.4.1. Designate the level of classified material authorized for storage (use Air Force Technical Order Form 36, Maintenance Record for Security Type Equipment) but keep this designation private.
16.4.4.2. Assign an identification number or symbol. Clearly label the vault or container with the number or symbol.
16.4.4.3. Attach an SF 700 to the inside of the locking drawer of each GSA-approved container or vault.
16.5. Entry Control Devices (Cipher Locks). Use this device only for convenience. It offers no protection from forced entry or surreptitious manipulation. Give the combination only to persons with regular duties in the area. Change cipher lock combinations used to limit access to COMSEC material at least monthly.
H17. Security Checks. A required security check at the end of each workday (or beginning of each shift for 24-hour operations) ensures proper storage and safety of all classified COMSEC material. COMSEC users must keep a list of items to be checked or tasks to be done during security checks. During the required security checks, make sure:
17.1. All COMSEC material is properly safeguarded.
17.2. Physical security systems or devices (for example, door locks, vent covers, and so forth) work.
17.3. Safes, locking devices, outer doors, windows, and so forth, are locked.
17.4. Alarms are set to:
17.5. Perform daily security checks in areas containing:
17.5.1. Classified installed or stored COMSEC equipment.
17.5.2. Continuously keyed COMSEC equipment not continuously manned (except part-time stations using over-the-air rekeying).
17.5.3. Material from COMSEC accounts in high risk environments (see AFKAG-1).
17.5.4. Contingency communications facilities do not need daily checking; however, inspect them every 30 days to confirm their integrity and to remove superseded or extraneous material.
17.6. Record the security check on SF 701, Activity Security Checklist; DD Form 1753, Master Station Log; or use an AF Form 2519, All Purpose Checklist.
Section E--Safeguarding and Controlling
H18. Operating Instructions. Each CRO must write a COMSEC OI and coordinate it with the COMSEC manager. The OI contains provisions for securely conducting COMSEC operations and for safeguarding COMSEC material. The procedures and instructions in the OI are specific to the user's activity. They should include procedures for cryptographic operations, local accountability for COMSEC material, COMSEC maintenance support, access restriction, storage, routine and emergency destruction, incident reporting, and procedures for relieving people who have received COMSEC material from accountability when they are reassigned.
H19. Inventory and Accounting Requirements.
19.1. All user activities with ALC-1 and ALC-2 material must conduct daily or shift inventories per ALC requirements. (See paragraph 11 for detailed explanation of ALCs.) At the very least, inventory accountable material before closing its GSA-approved container.
19.2. Inventory unclassified ALC-1 material before closing its container for the day.
19.3. Account for all items from date of receipt until date of destruction or return to the COMSEC account.
19.3.1. Only blue or black ink will be used to make entries on the inventory (AFCOMSEC Form 16, COMSEC Account Daily - Shift Inventory). Do not use "whiteout", correction tape, or erasures. Neatly line through, initial, and date errors. Record explanatory remarks on the back of the form..
19.4. Use AFCOMSEC Form 16 to record daily, shift, or other local inventories. Record the short title, edition, quantity, and ACN of each accountable COMSEC item.
19.5. Inventory the items listed and indicate on the form that the inventory is complete. The inventory includes accounting for individual segments, tapes, tables, and so forth, by checking the material on hand against disposition and destruction records.
19.6. Include disposition records on daily or shift inventories until you return the material to the COMSEC manager or transcribe the information on a local destruction report. Keep the current and the previous 6-months of inventory records on file according to AFMAN 37-139.
19.7. For daily operations, inventory COMSEC material in locked or sealed containers on days when you open the containers. Prepare a separate inventory for each COMSEC container. List the material stored in the container on AFCOMSEC Form 16 and inventory the material just before you lock the container for the final time that day. In this way, you account for all COMSEC material when the containers are locked.
19.8. For facilities where security containers remain open around the clock, the oncoming shift conducts an inventory before relieving the shift on duty. List the material required on a shift-to-shift basis on a separate inventory from material required daily. Prepare as many separate inventories as necessary and divide the inventories by operational and functional areas. Part-time facilities perform an inventory on opened safes upon opening and before closing the facility.
19.9. Sealed packages containing COMSEC aids must also contain an AFCOMSEC Form 16 identifying each item (locked boxes, such as tool boxes, tackle boxes, and so forth, are not sealed packages). Write the short title and edition of the contents on the outside of the package, number the package, and record it on AFCOMSEC FormWrite the CRO's initials over the package's seal in such a way that tampering will be obvious.
19.10. On an AFCOMSEC Form 16, inventory classified and, or certified (for example, KG/KT-83, KOK-13) COMSEC equipment received from the COMSEC account through the CMCS. On a daily or shift-to-shift basis, account for operational cryptographic equipment (rack-mounted in the operating area) that contains accountable components or items as one complete unit without viewing the interior.
19.11. Inventory proms (crypto material in the form of chips) any time the locking bars or seals are removed from the equipment.
19.12. The CRO must review inventories monthly to make sure they are accomplished correctly.
19.13. Do not open material in protective packaging (that is, aids sealed in plastic or keytapes in canisters) or contained in edge-sealed, one-time pads for page checking or inventory of contents.
19.14. When containers are opened, inventory these items daily or at every shift.
19.14.1. ALC-1 COMSEC aids and COMSEC equipment received from the COMSEC account through the CMCS.
19.14.2. ALC-2 COMSEC material.
H20. Page Checks of Classified Communications Security Publications.
20.1. To protect the integrity of COMSEC aids, you must check pages of classified COMSEC publications:
20.1.1. Before initial issue to any aircrew.
20.1.2. When you receive single copies of editions of material from the COMSEC account and users cannot get a replacement copy sufficiently before the effective period (for example, aircrews, remote sites, and so forth). Check that the document does not have printing or production errors. Report errors to the COMSEC manager.
20.1.3. After a change adds, deletes, or replaces pages or affects page numbers. NOTE: A person other than the one making he change must do the page check.
20.1.4. Prior to destruction, though the page check need not be recorded.
20.2. The COMSEC manager and CRO must ensure completed page checks of COMSEC publications. You do not need to check pages of PDO publications. COMSEC managers have the right to do or require additional page checks as needed. Unclassified documents do not require page checks unless page change value amendments are made to them.
20.3. Make page checks by:
20.3.1. Consulting the list of pages or the document cover.
20.3.2. Checking that each page is exactly as described.
20.3.3. Recording the check on the record of page checks page, or, if the publication has no record of page checks page, on the record of amendments page or front cover.
20.3.4. Annotate the date, signature, and command of the person making the check.
21. Amending Communications Security Publications. Take care not to lose individual pages when you amend COMSEC documents. In many cases, valid pages are inadvertently destroyed along with obsolete pages.
21.1. To eliminate carelessness, persons who make changes must follow these basic rules:
21.1.1. One person adds the new pages and also:
21.1.1.1. Checks the removed pages against the amendment instructions to make sure that only the obsolete pages were removed.
21.1.1.2. Records the change on the record of amendments page in the basic document.
21.1.2. A second person:
21.1.2.1. Checks the pages of the basic document against the current list of effective pages. Normally, you insert a new page in the basic document. Check the page number and the edition (that is, Original, Amend 1, Amend 2, and so forth). A document can be numbered correctly even though it contains old pages that should have been replaced by new pages.
21.1.2.2. Records the change on the record of page checks page in the basic document.
21.2. Users amend publications they have received. COMSEC account personnel make amendments to publications held by the COMSEC account.
22. Accounting For and Disposing of Amendments.
22.1. Do not file handling instruction pages or write changes in the back of the basic document.
22.2. The COMSEC manager either directs you to destroy ALC-1 obsolete pages, complete a destruction certificate (SF 153) and send a copy to the COMSEC account, or return the obsolete pages to the COMSEC account for destruction.
22.3. The agency entering an ALC-4 amendment destroys the pages per paragraphs 25 through 28 after the second person checks pages.
23. Routine Destruction. To safeguard encrypted traffic and U.S. COMSEC operations, destroy superseded or obsolete COMSEC aids as soon as possible after the aids have served their purpose so it is impossible to reconstruct them. Superseded keying material is extremely sensitive because its compromise potentially compromises all traffic encrypted with it as well. Be very careful not to accidentally destroy COMSEC aids.
24. Routine Destruction Security. Make facilities available for routinely destroying superseded keying material and other COMSEC material either within the facility or nearby so you can complete it without delay and without losing or compromising material being transported to the destruction facility. After destroying the material, check the destruction remains, the destruction equipment, and the surrounding area to make sure that destruction is complete and that you left no pieces behind.
H25. Scheduling Routine Destruction.
25.1. Do not destroy COMSEC material before its suppression date unless you receive proper disposition instructions.
25.2. Destroy used keying material designated CRYPTO as soon as possible, but by 12 hours after suppression. Under special circumstances (destruction device not operational, and so forth), local commanders or authorizing officials can grant an extension of up to 24 hours. NOTE: Offices using COMSEC material that do not normally operate during weekends (normal or extended) must destroy superseded material on the first duty day after the weekend.
25.2.1. Keep used or superseded keying material or extracts carried aboard special-purpose aircraft (for example, airborne command posts, long-haul military flights, very important people transports) in secure storage until you reach secure destruction facilities; then destroy them as soon as possible. You do not need a waiver request under these circumstances.
25.2.2. Do not remove keytape segments stored in canisters until just before using or destroying them. Keep unused keytape segments in the keytape canister until the canister's effective period ends. If you take out any keytape segments, destroy all superseded keytape segments immediately. All other keytape segments in the keytape canister can stay there until needed or until the canister's effective period ends. Use AFCOMSEC Form 21, AFCOMSEC Form 22A, or AFCOMSEC Form 22B to record the individual keytape segments destroyed. NOTES: (1) If additional copies of the same key segment remain in the canister, destroy the used segment immediately after keying the equipment. Keep the last copy of the key segment until it is superseded and then destroy it within 12 hours after suppression. If the canister contains only one copy of the key segment, destroy the current keytape segment when its cryptographic period ends. (2) If single-copy key is used, destroy key segments immediately after equipment rekeying if the circuit is very reliable. For unreliable circuits, single-copy segments may be kept for rekeying, but not longer than 12 hours after suppression. (3) Disposition records used for unclassified ALC-1 keying material are UNCLASSIFIED FOR OFFICIAL USE ONLY when filled in.
25.2.3. Keep pages, tables, and day sheets from codes and authenticators, if not removed, in the document until the document's effective period ends. If you remove any pages, immediately destroy all superseded pages. Record the destruction of individual pages, tables, day sheets, and so forth, from codes and authenticators on the destruction record page in the document (if provided), an SFan AFCOMSEC Form 1, or an AFCOMSEC Form 11, Disposition Record for Codes and Authenticators.
25.3. Destroy irregularly superseded maintenance and test keying material when it is no longer serviceable.
25.4. Destroy superseded general COMSEC documents (that is, AFKAGs, KAOs, KAMs, and so forth) within 15 days.
25.5. Destroy the remains of amendments you have made to classified COMSEC publications within five days.
25.6. Destroy compromised material and associated disposition forms (for example, AFCOMSEC Form 21, 22A, or 22B) within 12 hours after you receive disposition instructions or upon receipt of case closure from NSA or AFC4A.
25.7. Destroy pages from one-time pads as they are used and record the destruction on the destruction record page in the document (if provided), an SF 153, an AFCOMSEC Form 1, or an AFCOMSEC Form 11.
25.8. Destroy correspondence about superseded documents when it is no longer valuable.
H26. Routine Destruction Methods. The authorized methods for routinely destroying paper COMSEC aids are burning, pulverizing or chopping, crosscut shredding, and pulping. Destroy non-paper COMSEC aids authorized for routine destruction by burning, chopping or pulverizing, or chemically altering them. Consult the COMSEC manager for a list of NSA-approved paper destruction devices.
26.1. Paper COMSEC Aids. The following applies to classified COMSEC keying material and media that hold, describe, or implement a classified cryptographic logic. Such media include full maintenance manuals, cryptographic descriptions, drawings or cryptographic logic, specifications of cryptographic logic, and cryptographic software. Use the same methods to destroy all other paper COMSEC aids.
26.1.1. When burning paper COMSEC aids, the fire must reduce all material to white ash. Be sure no burned pieces escape, inspect ashes and, if necessary, break up or reduce them to sludge.
26.1.2. When pulping, pulverizing, or chopping paper COMSEC aids, break the material into bits no larger than five millimeters. NOTE: Do not pulp paper-Mylar-paper keytape, high wet strength paper (map stock), and durable-medium paper substitute (for example, TYVEX olefin, polyethylene fiber); burn, chop or crosscut shred them.
26.1.3. Do not place keying material in burn bags for destruction along with other classified waste.
26.1.4. Destruction devices must be listed in AFKAG-1, Annex F, or approved by either NSA, through AFC4A prior to using for destruction of COMSEC material.
26.2. Non-Paper COMSEC Aids. Destroy the material so that no one can reconstruct it by physical, chemical, electrical, optical, or other means. The authorized methods of routinely destroying non-paper COMSEC aids are burning, melting, chopping, pulverizing, and chemical alteration.
26.2.1. Consult the COMSEC manager for a list of NSA-approved non-paper destruction devices and methods, including methods for destroying microforms and magnetic or electrical storage or recording media containing CRYPTO information.
26.3. Plastic Canisters. The goal of destroying empty plastic canisters is disfiguring their sides. The Kanister Krusher II (plans available from HQ AFC4A/SYS) is recommended and safe. An alternative is crushing the sides with a hammer or blunt instrument. Take safety precautions to prevent injuries caused by the shattering canister.
26.4. COMSEC Equipment and Components. Routine destruction of COMSEC equipment and components below depot level is NOT authorized. Handle serviceable, unserviceable, or unneeded equipment per procedures supplied by HQ AFC4A/SYS (see AFMAN 23-110 or AFKAG-2, Air Force COMSEC Accounting Manual).
27. Witnesses. A destruction official must actually destroy COMSEC material. The destruction official and a witnessing official must sign destruction reports, subject to the following rules:
27.1. The destruction official is an appropriately cleared, responsible individual. NOTE: Since there is no formal grade requirement, CROs must be sure officials are trustworthy and knowledgeable.
27.2. The witnessing official must have a clearance consistent with the material being destroyed. In tactical, mobile, or emergency conditions, the destruction official may waive clearance requirement of the witnessing official and limit the witnessing official's examination to the front cover of the material.
27.3. The destruction official and the witnessing official must not sign destruction reports until destruction is complete and they have checked the destruction machine and area.
H28. Destruction Records. COMSEC user agencies are accountable for issued COMSEC material until they return it to the COMSEC account or destroy it. Before listing complete editions of COMSEC aids on destruction certificates (SF 153), make sure all individual segments, pages, tables, and so forth, are actually destroyed.
28.1. Disposal of ALC-1 Material:
28.1.1. Use the destruction certification form provided to record destruction of each key setting. Destroy unused, excess key settings with the last key setting, page, table, or day sheet, and so forth, with the last key setting used or within 12 hours after suppression.
28.1.2. Provide a copy of all completed ALC-1 disposition or destruction records to the COMSEC account not later than the first duty day after material suppression.
28.1.3. Maintain the original completed disposition or destruction record on file for two years according to AFMAN 37-139.
28.1.4. For items issued to transient or deploying aircrews not returning to your location, file a copy of the signed, annotated receipt with destruction certificates and keep it for two years after the yearly cutoff. Returning aircrews must immediately give unused material and destruction records to their CRO.
28.2. 
Air Force