Category: SSIC 02000 Telecommunications
Updated: 06/24/96
Number: MCO 2250.1
Subj: OP COMSEC POL AMS

DEPARTMENT OF THE NAVY
HEADQUARTERS UNITED STATES MARINE CORPS
WASHINGTON, DC 20380-0001
MCO 2250.1
C4-CCT-635
17 Jan 90

MARINE CORPS ORDER 2250.1

From: Commandant of the Marine Corps
To: Distribution List

Subj: OPERATIONAL COMSEC POLICY FOR THE AUTOMANUAL SYSTEM
(AMS)

Encl: (1) Operational COMSEC Policy for the Automanual System

1. Purpose. To provide security policy and operational procedures
for the AMS devices and keying material.

2. Information. The enclosure presents generic AMS operational
information for specific AMS equipment. The Preferred Products
List (PPL) referenced in this Order is contained within the
"Information Systems Security Products and Services Catalogue"
prepared by the National Security Agency on a quarterly basis.
Subscriptions may be ordered from the Government Printing Office
(GPO) at a cost of $34.00 for a yearly subscription (four issues).
Subscription rates are subject to change. Requests for
subscriptions should be addressed to the Superintendent of
Documents, U.S. Government Printing Office, Washington, DC 20402.

3. Policy. AMS use is encouraged in lieu of off-line paper codes.
Marine Corps controlling authorities who determine that AMS can
operationally replace their paper codes should request cessation of
production in accordance with CMS-4.





4. Reserve Applicability. This Order is applicable to the
Marine Corps Reserve.



G. L. McKay
Director, Command, Control,
Communications and Computer
(C4) Division

DISTRIBUTION: PCN 10202841000

Copy to: 7000110 (5)
8145004, 005 (2)
7000114/8145001/JCS (J6)/CNO (OP-941J)/
COMSPARWARSYSCOM (PMW-151)/COMNAVSECGRU (T-30) (1)

FOR OFFICIAL USE ONLY
Designation is canceled upon
removal of the enclosure.


OPERATIONAL COMSEC POLICY FOR THE
AUTOMANUAL SYSTEM (AMS) (U)


PURPOSE I
REFERENCES II
DEFINITIONS III
CLASSIFICATION GUIDANCE IV
SYSTEM DESCRIPTION V
KEYING VI
PHYSICAL SECURITY VII
EMERGENCY PROCEDURES VIII
REPORTABLE INSECURITIES IX

SECTION I - PURPOSE

1. This Order provides security policy for the secure operational
use of AMS devices and associated COMSEC material. Specific
requirements for individual AMS devices are contained in annexes of
this Order. The provisions of this Order apply to all users of AMS
devices, unless application-specific policy has been approved by
the Director, NSA through the Commandant of the Marine Corps (CCT).

SECTION II - REFERENCES

1. Reference Listing:

a. NTISSI No. 3001, "Operational COMSEC Doctrine for
the Automanual System (AMS)" dated 14 August 1986.

b. NTISSI No. 4001, "Controlled Cryptographic Items" dated
25 March 1985.

c. NTISSI No. 4002, "Classification Guidelines for COMSEC
Information" dated 5 June 1986.

d. NTISSI No. 4006, "Controlling Authorities for COMSEC
Keying Material" dated 2 May 1989.

e. NACSI No. 4005, "Safeguarding and Control of Communications
Security Material" dated 12 October 1979.



ENCLOSURE (1)
1

FOR OFFICIAL USE ONLY


f. NTISSI No. 4003, "Reporting COMSEC Insecurities"
dated 3 November 1986.

g. NTISSI No. 4004, "Routine Destruction and
Emergency Protection of COMSEC Material" dated 11 March 1987.

h. NCSC-9, "National Communications Security (COMSEC)
Glossary" dated 1 September 1982.

2. The following references incorporate the guidance
established within the documents of paragraph 1 above, and are
applicable to the United States Marine Corps:

a. CSP-1, "Cryptographic Security Policy and
Procedures" dated 20 February 1985.

b. CMS-4, "Communications Security Material Systems
(CMS) Manual" dated 31 March 1987.

c. CMS-5, "Communications Security Material System (CMS)
Cryptographic Equipment Information/Guidance Manual" dated
13 November 1987.

SECTION III - DEFINITIONS

1. For this document the definitions of the National
COMSEC Glossary (NCSC-9) apply. An additional definition
follows: Traffic Encryption Keys (TEK) - A key used to encrypt
plain text and/or previously encrypted cipher text.

SECTION IV - CLASSIFICATION GUIDANCE

1. AMS devices are unclassified, Controlled Cryptographic
Items (CCI), as defined in NTISSI No. 4001, and identified by
the marking "CCI." NTISSI No. 4002 provides guidelines for the
classification of information relative to the AMS.






SECTION V - SYSTEM DESCRIPTION

1. The AMS is composed of devices which are commercial
grade, electronic, off-line cryptodevices designed to replace
selected manual cryptosystems and fulfill new off-line
requirements. Procedures for specific AMS equipments will be
issued as annexes to this Order.

SECTION VI - KEYING

1. AMS keying material is produced in printed,
nonperforated, eight-level tape form (white). Specific handling
instructions (i.e., cryptoperiod, classification, key count, etc.)
are printed on the leader of the tapes. AMS keys are packaged in
plastic canisters or "pill boxes" containing 31 separate segments.
Canisters containing 62 segments of key are candidates
for production for the AMS systems.

a. Operational key tapes (USKAK) and traffic encryption
keys (TEKs) are classified on the basis of the classification of
the traffic they are intended to protect. They are either
regularly or irregularly superseded, depending on the system
application, packaged in plastic canisters, marked "CRYPTONOFORN"
and are serial number accountable (ALC-1).

b. Exercise key tapes (USKXK) are classified
CONFIDENTIAL. These TEKs are periodically superseded and packaged
in plastic canisters, marked "CRYPTONOFORN" and are serial number
accountable and locally controlled (ALC-3).

c. Maintenance key tapes (KMK) are classified
CONFIDENTIAL and not marked "CRYPTO." Maintenance key tapes
are designed for back-to-back bench testing only and are not to be
used for over-the-air transmissions. The maintenance key tapes are
packaged in clear plastic "pill boxes" and are ALC-3; segments may
be reused until they become unusable.

d. Training key tapes (KTK) are UNCLASSIFIED (FOR
OFFICIAL USE ONLY), not marked "CRYPTO," packaged in "pill box"
containers, and may be reused until unusable. Training keys must
not be used for over-the-air transmissions.

2. Cryptoperiods relative to specific AMS devices are
included in the respective annexes of this Order.




3. Cryptonets will be kept as small as is operationally
feasible. As the number of copies of a key grows, the
vulnerability of that key to compromise increases. Compromise of
the key at one terminal potentially compromises the traffic of all
users of that key during that cryptoperiod. Prescribed cryptonet
sizes for specific AMS devices are included in respective annexes
of this Order.

4. Longer cryptoperiods and larger cryptonet sizes which deviate
from specific AMS policy must be approved on a case-by-case basis
by the Commandant of the Marine Corps (CCT).

SECTION VII - PHYSICAL SECURITY

1. AMS devices are designated CCI and will be protected per
the general provisions of NTISSI No. 4001. In addition,
control requirements for unkeyed and keyed AMS devices are as
follows:

a. Because it is small and portable, an AMS device shall be
afforded particular attention to ensure that access and accounting
integrity is maintained.

b. Storage in a secure area for unkeyed AMS devices
is encouraged; otherwise, the best protection available shall
be provided. Examples of protective storage include use of
an approved security container, or of a key-locked desk or
cabinet within an area secured by a door with key-locked dead bolt.

c. During travel, the unkeyed AMS device will be kept in the
personal possession of authorized users; otherwise, the unkeyed
device will be given the best protection available. A common sense
approach must prevail, and the level of protection should be
commensurate with that afforded any high-dollar item of equipment.
The device will be carried in the personal possession of an
authorized user aboard public transportation and not checked with
baggage, unless more than one device is involved and stored baggage
will be last on and first off. At airports, the attended AMS
device may be inspected and X-rayed without compromise or damage to
the embedded software. AMS devices will not be left unattended in
hotel/motel or other berthing facilities during travel.






d. Keyed AMS devices assume the same classification as the
key and must be protected, like any hardcopy keying material,
proportionate to the classification level of that key.

2. AMS keying material must be controlled per the provisions
of reference (b). In addition:

a. During travel away from controlled areas and where
appropriate storage facilities are unavailable, the key must
be protected in the personal custody of the user.

b. AMS device key storage positions will be used to
participate in multiple nets, where required, and will not be
used to store future keys unless such application is approved
for special-mission purpose, by the responsible controlling
authority.

c. It is understood that AMS devices will be used in various
situations with only one-person control. Under these
circumstances, key tapes may be destroyed without a witness of
destruction signature on the user/destruction cards. This does not
constitute a security violation or an insecurity report. This
scenario can be followed as an operational necessity (designated by
the cognizant operational commander) and not as a user convenience.

SECTION VIII - EMERGENCY PROCEDURES

1. Refer to reference (b) for destruction and emergency protection
requirements.

SECTION IX - REPORTABLE INSECURITIES

1. Reportable insecurities are addressed in reference (b).

Encl: Appendix A, TSEC/KL-42 Automanual Equipment
Appendix B, TSEC/KL-43 Automanual Equipment







APPENDIX A

TSEC/KL-42 AUTOMANUAL EQUIPMENT

SECTION I - SYSTEM DESCRIPTION

1. The TSEC/KL-42 is a portable, electronic, off-line or on-line
crypto-equipment for encryption/decryption of alphanumeric
information of all categories and classifications. It
has a built-in keyboard for information input, a liquid crystal
display (LCD), a built-in modem and a telephone handset coupler
for transmission/receipt of encrypted/decrypted data over
standard telephone lines, and printer connection capability. The
KL-42 is not a ruggedized device.

SECTION II - POLICY AND PROCEDURES

1. The KL-42 without printer, or with an approved printer, is
authorized for unrestricted use for classifications up to
and including TOP SECRET. Approved printers compatible with
the KL-42 are included in the Preferred Products List (PPL).
Other compatible printers and restrictions on their use are
included in a separate list available from the Commanding Officer,
Naval Electronic Systems Security Engineering Center (Code 04)
or Commander, Naval Investigative Service Command
(COMNISCOM (Code 26T)).

2. Since KL-42 printers do not automatically mark printed messages
with the classification level, a statement of classification shall
be included in printed messages processed by the KL-42.

3. If knowledge of the time a message is sent is critical to
proper interpretation of the message, that message shall include a
date/time/message count feature in the plain text.

4. KL-42 encrypted messages may be transmitted via any
medium (Morse Code, verbal, modem, etc.).



Appendix A to
ENCLOSURE (1)
A-1

FOR OFFICIAL USE ONLY


SECTION III - KEYING

1. KL-42 Traffic Encryption Keys (TEKs) are operational keys (KAK)
or Exercise Keys (KXK) having a 24-hour cryptoperiod. Each
31-segment TEK canister is superseded monthly. A used TEK tape
segment may be retained up to 72 hours after its supersession to
accommodate delayed messages; however, the key must be protected to
preclude traffic compromise through loss or espionage until its
destruction. KL-42 training keys (KTK) and maintenance keys (KMK)
have no cryptoperiod and each key segment may be reused until
unusable. Training keys and maintenance keys will not be used for
over-the-air transmissions.

2. Cryptonets should be kept as small as the operation permits to
reduce the possibility of compromise, but some KL-42 nets are by
necessity large. In such cases, KL-42 cryptonets are limited to
200 members when traffic is TOP SECRET and up to 1000 members when
traffic is SECRET and lower. Controlling authorities requiring
larger nets must request approval from the CMC (CCT).








APPENDIX B

TSEC/KL-43 AUTOMANUAL EQUIPMENT

SECTION I - SYSTEM DESCRIPTION

1. The TSEC/KL-43 is a portable, electronic, off-line
crypto-equipment for encryption/decryption of alphanumeric
information of all categories and classifications. It
has a built-in keyboard for information input, a liquid crystal
display (LCD), a built-in modem and a telephone handset coupler
for transmission/receipt of encrypted/decrypted data over
standard telephone lines, and printer connection capability. The
KL-43 has a built-in special application keyboard for daily
key updating. In this annex, KL-43 equipment indicates
any crypto-equipment in the KL-43 family, including the KL-43,
KL-43A, KL-43C ruggedized device and KL-43D. The KL-43 system
is not interoperable with the KL-42 system; however, the keys
used for the KL-43 are the same keys used with the KL-42. The
KL-43 and KL-43A models are not interoperable with other KL-43
models (e.g., KL-43C and KL-43D) when the update feature is used.
They are interoperable in all other modes. Holders of the KL-43
and KL-43A who require use of the update feature must have
prior approval of the CMC (CCT).


SECTION II - PROCEDURES

1. The KL-43 without printer, or with an approved printer, is
approved for use for classifications up to and including TOP
SECRET. Approved printers compatible with the KL-43 are included
in the Preferred Products List (PPL). Other compatible printers
and restrictions on their use are included in a separate list
available from the Commanding Officer, Naval Electronic
Systems Security Engineering Center (Code 04) or Commander,
Naval Investigative Service Command (COMNISCOM (Code 26T)).

2. Since KL-43 printers do not automatically mark printed messages
with the classification level, a statement of classification shall
be included in printed messages processed by the KL-43.



Appendix B to
ENCLOSURE (1)
B-1

FOR OFFICIAL USE ONLY


3. If knowledge of the time a message is sent is critical to
proper interpretation of the message, that message shall include a
date/time/message count feature in the plain text.

4. KL-43 encrypted messages may be transmitted via any medium
(Morse Code, verbal, modem, etc.).


SECTION III - KEYING

1. KL-43 traffic encryption keys (TEK) are operational keys (KAK)
or exercise keys (KXK) having either a 24-hour cryptoperiod or
weekly cryptoperiod when using the daily key update feature. Each
31-segment TEK canister is superseded monthly when using the
24-hour cryptoperiod or superseded every 6 months when using the
daily key update feature with the weekly cryptoperiod. A used TEK
tape segment may be retained up to 72 hours after its supersession
to accommodate delayed messages; however, the key must be protected
to preclude traffic compromise through loss or espionage until its
destruction. KL-43 training keys (KTK) and maintenance keys (KMK)
have no cryptoperiod and each key segment may be reused until
unusable. Training keys and maintenance keys will not be used for
over-the-air transmissions. All KL-43 and KL-42 key tapes are
compatible even though the equipment is not.

2. Cryptonets should be kept as small as the operation permits to
reduce the possibility of compromise, but some KL-43 nets are by
necessity large. KL-43 cryptonets employing a 24-hour cryptoperiod
shall be kept to 200 users for TOP SECRET and 1000 users for SECRET
and lower. If the daily key update feature is used, the
cryptoperiod is weekly (7 days), and cryptonets shall be kept to
30 users for TOP SECRET and 150 users for SECRET and lower.
Controlling authorities requiring larger nets and/or longer
cryptoperiods must request approval from the CMC (CCT).





3. All KL-43 equipment has a capability of updating 35 times
before a new key (TEK) must be applied. Under some mission
scenarios, updating is required after each message is processed.
This procedure adds security to message protection but
is determined by the users' controlling authority. The users have
the following options:

a. Keying every 24 hours with no updates.

b. Updating after every message for 35 updates within
the 24-hour cryptoperiod.

c. A 7-day cryptoperiod with daily updates.

4. If an equipment malfunction in the encryption or
decryption process occurs, change KL-43 equipment, rekey that
equipment with the TEK tape for that cryptoperiod, and update to
the appropriate day (if updating). Malfunction is defined as a
function that will not clear in the encryptor, or failure of the
decryptor to achieve cryptosynchronization.




