4300B.200

Communications Security (COMSEC)

Version 3

February 4, 2016

DEPARTMENT OF HOMELAND SECURITY

DHS 4300B.200 Communication Security (COMSEC)


Document Change History

Version 1 (July 23, 2013): Initial release

Version 2 (May 5, 2014): Version 2.0 changes

Version 3 (February 4, 2016): Updated all references to CNSSI 4003 throughout directive and all Annexes. Updated Section 1.0 to add national level policy relationship to DHS COMSEC policy, and to remove supersession statement of the old Q-Series. Updated Section 1.2 terminology. Updated Section 2.0 first paragraph: added “of 2012” to DHS COR Consolidation Implementation Plan; moved second paragraph to new Section 2.2 to better address U.S. Coast Guard, and added Section 2.3 to address U.S. Secret Service. Corrected Section 2.1, 13th bullet statement to update terminology. In Section 3.0, fifth bullet statement, deleted “(STE)” following “Secure Terminal Equipment” to eliminate confusion with STE , and defined acronym HAIPE. Updated Section 4.2: changed heading to read “Cryptographic Access Briefing and Debriefing”; third paragraph to add reference to COMSEC Account Manager’s absence; and deleted Section 4.3 heading, consolidating text of both Sections into Section 4.2. Deleted original Section 5.1 heading, leaving associated text under Section 5.0 heading (with subsequent sub-Sections renumbered accordingly). Corrected Section 5.2 (original Section 5.3) to delete reference to CNSSI 4001, and delete second paragraph, both of which were inappropriate to the Section context. Clarified Section 5.5 (original Section 5.6), third paragraph, to specify requirements regarding use of disposition record forms with canister keying material. Updated Section 5.6 (original Section 5.7), first paragraph, first bullet statement to clarify wording. Added bullet to Section 5.7.3 (original Section 5.8.3) addressing repair work on a combination lock. Moved Section 5.7.2 (original Section 5.8.6.2) to follow Section 5.7.6 (original Section 5.8.6), hence Section 5.7.6 is Protective Packaging of Lock Combinations, Section 5.7.6.1 is now Protective Packaging Techniques, and Section 5.7.6.2 is now Periodic Inspection of Combinations.
Updated Section 5.7.6.1, second bullet statement to update Protective Technologies Branch staff and phone number information. Updated Section 5.8 (original Section 5.9), fifth paragraph (not including Notes), deleted phrase “under TPI” as redundant. Replaced entire text of Section 5.8.2 (original Section 5.9.2) with a statement of general non-applicability of tactical situations in DHS in the context of TPI, subject to case-by-case exceptions per COR guidance. Revised Section 6.3.1 to clarify addressing of formal account establishment requests, and to remove COMSEC Account Manager and Alternate appointment criteria. Revised Section 6.3.2; removed military-rank verbiage from third main bullet statement, and removed collateral duty statement from the same; updated seventh main bullet, first two sub-bullets to change “60 days” to read “two class convening dates”; deleted final sub-bullet and its two sub-sub-bullets from seventh main bullet statement; and replaced original final paragraph (following all bullet statements) with two new paragraphs addressing collateral duty assignment and clarifying COMSEC Account personnel nomination paperwork submission requirements. Deleted original Section 6.4.1 heading, leaving the associated text under Section 6.4 heading (with subsequent sub-Sections renumbered accordingly). Modified Section 6.5 heading to add “Responsibilities of” and deleted original Section 6.5.1 heading, leaving the associated text under Section 6.5 heading (with subsequent sub-Sections renumbered accordingly). Changed Section 6.5 (original Section 6.5.1), 19th bullet, NOTE to indicate COMSEC Account Managers are responsible for training users in operation of end-equipment. Updated Section 6.5.1 (original Section 6.5.2), first paragraph, first bullet statement to change “…or equivalent civilian position of responsibility” to read “…or government contractor of equivalent position of responsibility.” Modified Section 6.5.2 (original Section 6.5.3) heading to add “Cleared”, and revised text modifying policy regarding cleared Witnesses. Revised Section 7.0 to remove reference to generated and NAG 16 (first paragraph and three bullet statements). Revised Section 7.3 to correct the verbiage of the first paragraph, and to direct attention to CNSSI 4005, paragraph 81 for detailed information in lieu of repeating same information and to remove Sub-sections. Revised Section 7.4.2 to update terminology and to correct content.
Replaced entire text of Section 7.4.2.1 with new text clarifying procedures and report submission requirements in Possession scenarios. Updated Section 7.4.3: clarified first paragraph wording; updated terminology of first bullet statement; deleted second paragraph, first bullet statement listing Key Conversion Notices (KCN); updated second paragraph, fourth main bullet statement, first sub-bullet to remove “Manager” as redundant; added new fifth and sixth bullet statements listing Account Establishment Letter and COMSEC Vault Accreditation Letter, respectively. Updated Section 7.4.3.2 with current “Derived From:”, and appropriate “Declassify On:” prompt. Corrected Section 7.4.3.3: second main bullet to reflect two year retention requirement for Visitor Registers; fourth main bullet, first sub-bullet statement to remove “COR” as unnecessary. Deleted original Section 7.5.1 heading, leaving associated text under Section 7.5 heading (with subsequent sub-Sections renumbered accordingly). Updated Section 7.5.2 (originally 7.5.3), first paragraph to update Protective Technologies Branch staff code and to cite Tamper Solutions and Inspections; and fourth paragraph, second bullet statement to update terminology. Updated Section 7.6.2 NOTE: to correct Protective Technologies Branch reference and update phone contact information.

Corrected Section 7.6.5 to update terminology and procedures. Updated Section 7.7 to add new Section 7.7.1 (Hand Receipt Holder Qualifications) and Section 7.7.2 (Hand Receipt Holder Responsibilities) headings (original Section 7.7.1 renumbered to 7.7.3). Updated Section 7.8 NOTE: to update Protective Technologies Branch phone contact information. Updated Section 7.8.2 to address situations preventing timely destruction of COMSEC material through no fault of COMSEC Account personnel. Updated Section 7.8.3 to add CARDS upload. Updated Section 7.8.3.2 to remove statement regarding Key Conversion Notice (KCN). Updated Section 7.8.3.2 to remove reference to Key Conversion Notices. Updated Section 7.8.4 to replace verbiage regarding step-by-step procedures for burning COMSEC material in COMSEC Account’s SOP in first paragraph with second paragraph requiring a contingency plan for routing destruction of COMSEC material in the event of equipment failure as part of the SOP. Updated 7.8.4.2, fourth bullet statement to remove reference to KSD-64s and EKMS Central Facility Finksburg. Updated Section 7.9 to add CARDS upload. Updated Section 7.9.1: third main bullet, first sub-bullet to add SDNS accountability by KMID; added sixth main bullet to list requirement for semi-annual physical inventory of STEs by quantity. Corrected Section 7.9.2: first paragraph, to update terminology; first bullet statement to update Protective Technologies Branch name and phone contact information, and to clarify and update policy regarding resealing equipment container(s) with respect to inventories, including changing validation requirement from “sign” to “initial”. Moved Section 7.9.3 to be a new Section 7.9.5, and updated terminology and removed obsolete information. Updated new Section 7.9.3 (original Section 7.9.4) to remove irrelevant verbiage regarding manual and automated inventories.
Updated new Section 7.9.4 (original Section 7.9.5) to remove reference to depot and logistics facilities, and reconciliation. Updated new Sections 7.9.4.1 and 7.9.4.2 (old Sections 7.9.5.1 and 7.9.5.2) terminology. Updated Section 8.0 to add STE inventory documentation and clearance certification requirements, and to remove reference to LMD/KP, and to update terminology in NOTE. Changed Section 8.4 heading from “Audit Grading” to “Audit Evaluation”, and updated text accordingly. Changed Section 9.0 heading from “COMSEC EMERGENCY ACTION PROCEDURES” to “COMSEC EMERGENCY PLANNING,” added appropriate text, and updated Section 9.1 text accordingly. Updated Section 9.1, first and second paragraphs, and fifth paragraphs, first bullet statement to clarify wording. Updated Section 9.4 heading to include “and Reporting”, and deleted Section 9.4.1 heading, leaving text under Section 9.4 as second paragraph. Deleted Section 9.5. Corrected Sections 10.1, 10.2, and 10.3, added DHS-specific Incident reporting requirements to Section 10.1, and deleted Section 10.1.1 and Sections 10.2.1-10.2.3 to eliminate duplication of information contained in CNSSI 4003. Deleted Section 10.4. Updated Annex A: reference k. to reflect new CNSSI 4003; reference r. to reflect new CNSSP 8; reference aa. to reflect new CNSSI 4000; reference ee. to add CNSSI 4032. Updated Annex C: to rename to Devices, and to update all references to secure telephone equipment throughout the Annex to secure telephone devices; Section 3. to move appropriate text from Section 3.a. to Section 3. (previously containing no text between Section 3. heading and Section 3.a.); Section 4. to correct, update, and add references; Section 5. to add appropriate introductory text (previously contained no text); Section 5.a. to reorganize and update text between Sections 5.a., 5.a.1), and 5.a.2); Section 9. to move text of Section 9.c. to basic Section 9. (formerly containing no text), and to adjust remaining sub-Sections; Section 9.c., third paragraph, to update Protective Technologies Branch name and phone contact information; Section 9.e., second paragraph to update Protective Technologies Branch name and phone contact information; added Section 11.c. to address KOV 26 Talon Card and Associated IT Equipment; Section 13. to move text from end following all sub-Sections to under Section 13. heading (previously containing no text); Section 14., first and second bullet statements to remove reference to the COR; Section 21. to move text following Section 21.a. NOTE to under Section 21. heading (previously containing no text); Section 21.a. to update Protective Technologies Branch name and phone contact information; Section 22 to remove all references to Practices Dangerous to Security (PDS).
Updated Tab 1 to Annex C to remove PDS. Updated Annex D: added to Section 2, after the final bullet statement (in portion discussing Key Management Infrastructure) information addressing DHS implementation of Management Clients (MGCs); deleted Section 3. Updated Tab 1 to Annex D to update terminology. Updated Tab 2 to Annex D: corrected and updated Section 2 text; deleted original Section 3. heading, leaving text under Section 2; added new Section 3. heading and corrected information contained in the Section (original Section 3.b.); added Section 4., Electronic Key Download Policy (text removed from Annex D, Section 3 and updated). Updated Annex F: Section 3.a.(1), item 8. to update terminology; Section 3.a.(2) to remove extensive audit grading criteria and replace with clarified and simplified audit evaluation information; Section 3.c. to update signature card submission requirements. Updated Tab 1 to Annex F: Initial required data to remove Date of account establishment; item 4. of section titled ACCOUNT FILES, Files to update terminology; to remove section titled “Practices Dangerous to Security”; to delete items 4. and 5. regarding Key Conversion Notices from section titled Handling Requirements for COMSEC Material (and renumbered remaining items); to delete item 1.b. from section titled Cryptographic Access Briefing (and relettered remaining sub items); to delete item 2. (and renumbered remaining items) and update items 3.c. and 3.f. (originally 4.c. and 4.f.) in section IV SECURE ; to update item 1. in section titled FILL DEVICES; and to correct section titled “DESTRUCTION”, item 2.c., to reflect COMSEC Incident vice Practice Dangerous to Security. Updated Tab 2 to Annex F, Initial required data, to remove “Date of Account Establishment”. Updated Tab 3 to Annex F, section titled “COMSEC MATERIAL ACCOUNTING AND HANDLING”, item 3.g. to remove reference to Practices Dangerous to Security; to add item 4. regarding electronic storage of COMSEC related files. Updated Tab 4 to Annex F: Initial required data page to change “Date of Account Establishment” to “Scheduled Date of Account Disestablishment”; section titled “INVENTORY REQUIREMENTS FOR ACCOUNT DISESTABLISHMENT”; deleted item 1. (and renumbered remaining items); item 2. (original item 3.) and item 4. (original item 5.) to update terminology; deleted original item 6.; item 5. (original item 7.) to update terminology; section titled “DISPOSITION OF COMSEC MATERIAL”, item 1 to delete “properly and” as redundant; section titled “PREVIOUS AUDIT INFORMATION”, item 1 to delete “DHS”. Updated Annex G, Section 2., to remove reference to Tab 6. Updated Tab 2 to Annex G, Section 1., REMINDER statement with new text. Revised Tab 3 to Annex G Title, and added Mandatory Minimum Auditable Events list. Deleted Tab 6 to Annex G. Corrected various grammatical errors throughout directive and all Annexes.


Record of Amendments

Amend. Nr. Source Entry Date Signature


Contents

Document Change History
Record of Amendments
Contents
1.0 COMMUNICATIONS SECURITY (COMSEC)
1.1 Definition
1.2 General COMSEC Policy
1.3 COMSEC Material Control System (CMCS)
2.0 CENTRAL OFFICE OF RECORD (COR)
2.1 COR Responsibilities
2.2 U.S. Coast Guard
2.3 U.S. Secret Service
3.0 COMSEC FACILITIES
3.1 Closed/Restricted Area Designation
3.2 Access List
3.3 Visitor Register
3.4 Activity Security Checklist (SF-701)
3.5 Security Container Check Sheet (SF-702)
4.0 ACCESS TO COMSEC MATERIAL (ACCESS TO CLASSIFIED COMSEC INFORMATION)
4.1 Access to Controlled Cryptographic Items (CCI)
4.2 Cryptographic Access Briefing and Debriefing
5.0 PHYSICAL SECURITY OF COMSEC MATERIAL (STORAGE OF COMSEC MATERIAL, PHYSICAL SECURITY)
5.1 Storage Requirements
5.2 Classified COMSEC Equipment and Information
5.3 COMSEC Keying Material Marked CRYPTO
5.4 Procedures for Handling of COMSEC Keying Material
5.5 Key Lists/Key Tapes
5.6 Access to Keying Material Designated for of SCI
5.7 Lock Combinations
5.7.1 Selection of Combinations
5.7.2 Changing Combinations
5.7.3 Frequency of Combination Changes
5.7.4 Classification of Combinations
5.7.5 Record of Combinations
5.7.6 Protective Packaging of Lock Combinations
5.7.6.1 Protective Packaging Techniques
5.7.6.2 Periodic Inspection of Combinations
5.8 Implementation of Two Person Integrity (TPI)
5.8.1 TPI Storage
5.8.2 Tactical Situations
5.9 CCI Equipment
5.9.1 CCI Access Controls
5.9.2 CCI Equipment
5.9.2.1 Installed and keyed with unclassified key
5.9.2.2 Installed and keyed with classified key – Attended
5.9.2.3 Installed and keyed with classified key – Unattended
6.0 COMSEC ACCOUNTS
6.1 Requirement for a COMSEC Account
6.2 Registration with USTRANSCOM J3/Defense Courier Division (DCD)
6.3 Establishment of the COMSEC Account
6.3.1 Request for Establishment of a COMSEC Account
6.3.2 Appointment of COMSEC Account Managers
6.3.3 Temporary Absence of the COMSEC Account Manager
6.4 Closing a COMSEC Account
6.4.1 Conducting the Final Inventory
6.4.2 Disposition Instructions
6.4.3 Termination for Cause of a COMSEC Account
6.4.4 Termination/Disposition Report
6.5 Responsibilities of COMSEC Account Managers and Witnesses
6.5.1 Alternate COMSEC Account Manager
6.5.2 Cleared Witness
6.6 COMSEC Sub Accounts
6.6.1 Parent Account COMSEC Account Manager Responsibilities
6.6.2 Sub Account COMSEC Personnel Responsibilities
6.6.3 COMSEC Material Management Process for Sub Accounts
6.6.3.1 Physical Material
6.6.3.2 Electronic Key
7.0 COMSEC MATERIAL ACCOUNTING
7.1 COMSEC Accounting Systems
7.2 Electronic Records
7.3 Accountability Legend Codes (ALC)
7.4 COMSEC Files and Reports
7.4.1 Accounting Records
7.4.2 Possession/Relief from Accountability Reports
7.4.2.1 Possession
7.4.2.2 Relief from Accountability
7.4.3 COMSEC Accounting and Related Files
7.4.3.1 Classification of COMSEC Accounting Reports and Files
7.4.3.2 Marking of COMSEC Accounting Reports and Files
7.4.3.3 Retention Periods for COMSEC Files and Related Documents
7.5 Receipt of COMSEC Material
7.5.1 USTRANSCOM/J3 (DCD) IMT 10 Defense Courier Account Record
7.5.2 Examination of Packages
7.5.3 Receipting for Equipment
7.5.4 Page Checking
7.5.5 Keying Material
7.6 Transfer of COMSEC Material
7.6.1 Authorized Modes of Transportation
7.6.2 Preparation for Transportation
7.6.3 Transportation of Keying Material
7.6.3.1 TOP SECRET and SECRET
7.6.3.2 CONFIDENTIAL
7.6.3.3 UNCLASSIFIED
7.6.4 Transportation of COMSEC Equipment
7.6.5 Preparation of Transfer Reports
7.6.6 Receipt/Tracer Responsibility
7.7 COMSEC Hand Receipts
7.7.1 Hand Receipt Holder Qualifications
7.7.2 Hand Receipt Holder Responsibilities
7.7.3 Hand Receipt Renewals
7.8 Destruction of COMSEC Material
7.8.1 Procedures for Routine Destruction of COMSEC Material
7.8.2 Time of Destruction
7.8.3 Destruction Report
7.8.3.1 Keying Material
7.8.3.2 Seed Key
7.8.3.3 All Other Material
7.8.4 Routine Destruction Methods
7.8.4.1 Paper COMSEC Material
7.8.4.2 Non-paper COMSEC Material
7.9 Inventory Requirements
7.9.1 Conducting the Physical Inventory
7.9.2 Inventory of Sealed or Unit-Packed Material
7.9.3 Semi-Annual Inventory
7.9.4 Change of Manager Inventories
7.9.4.1 Outgoing Manager Departs Without Completing a Joint Inventory
7.9.4.2 Unauthorized Absence or Sudden Permanent Departure of the COMSEC Manager
7.9.5 Completing the Inventory Report
8.0 COMSEC AUDITS
8.1 Access
8.2 Report of Audit
8.3 Memorandum of Corrective Actions
8.4 Audit Evaluation
9.0 COMSEC EMERGENCY PLANNING
9.1 Emergency Protection Planning
9.1.1 Preparedness Planning for Natural Disasters/Accidental Emergencies
9.1.2 Preparedness Planning for Hostile Actions
9.2 Preparing the Emergency Plan
9.3 Emergency Destruction Priorities
9.4 Emergency Destruction Methods and Reporting
10.0 COMSEC INCIDENTS
10.1 Reporting COMSEC Incidents
10.2 Types of COMSEC Incidents
10.3 Types of Incident Reports
Annex A References
Annex B Electronic Fill Devices
Annex C Secure Telephone Devices
Tab 1 to Annex C Abbreviations
Tab 2 to Annex C Secure Telephone User Briefing
Annex D Electronic Key Management System (EKMS) / Key Management Infrastructure (KMI)
Tab 1 to Annex D Local Management Device/Key Processor (LMD/KP) Management
Tab 2 to Annex D COMSEC Accounting, Reporting, and Distribution System (CARDS) Management
Annex E Cryptographic High Value Products (CHVP)
Annex F COMSEC Account Checklists
Tab 1 to Annex F COMSEC Audit Checklist
Tab 2 to Annex F Electronic Key Management System (EKMS) Checklist
Tab 3 to Annex F Account Establishment Checklist
Tab 4 to Annex F Account Disestablishment Checklist
Annex G COMSEC Forms and Templates
Tab 1 to Annex G STE Installation / History Record
Tab 2 to Annex G COMSEC Personnel Nomination Letter Template and Worksheet
Tab 3 to Annex G Electronic Fill Device Audit Trail Review Log
Tab 4 to Annex G SF 700 Tamper Check Log
Tab 5 to Annex G Access List Template


1.0 COMMUNICATIONS SECURITY (COMSEC)

Communications Security (COMSEC) policy for the Department of Homeland Security (DHS) is provided by this document, and by national level documents. Where the provisions of this document conflict with national level policies, the national level policies will apply except in cases where the policies in this document are more stringent than national policies.

1.1 Definition

Communications Security (COMSEC) is defined as the measures and controls taken to deny unauthorized individuals information derived from telecommunications and to ensure the authenticity of such telecommunications. COMSEC includes crypto security, transmission security, emission security, and physical security of COMSEC material.

1.2 General COMSEC Policy

Each nominating official has the ultimate responsibility for control of all COMSEC material held within the activity’s COMSEC Account.

1.3 COMSEC Material Control System (CMCS)

COMSEC material control within the U.S. Government is based on a system of centralized accounting and decentralized custody and protection. Computer applications are employed to minimize manual bookkeeping and to provide timely and accurate data essential to continuous, effective control of COMSEC material entrusted to or produced by U.S. industry for the government.

2.0 CENTRAL OFFICE OF RECORD (COR)

The Central Office of Record (COR) is responsible for maintaining records of all Communications Security (COMSEC) material received or generated by a DHS COMSEC Account (see the only two exceptions in Sections 2.2 and 2.3 below). In accordance with the DHS COR Consolidation Implementation Plan of 2012, the former DHS COR and FEMA COR have been combined to create a single COR. The DHS COR is referred to throughout this publication as the COR.

2.1 COR Responsibilities

The COR is responsible for the day-to-day management of COMSEC and the accountability of all COMSEC material received within the department. Specific responsibilities include:

• Establish and close COMSEC Accounts
• Maintain a record of all COMSEC material issued to COMSEC Accounts under its cognizance, and update records by conducting routine audits
• Monitor receipt of in-transit COMSEC material
• Establish or approve procedures for reporting receipt and transfers of COMSEC material
• Establish or approve accounting procedures for accounts under its cognizance
• Ensure compliance with accountability requirements for COMSEC material
• Establish inventory and audit procedures for COMSEC Accounts
• Ensure audits are conducted in accordance with paragraph 98 of CNSSI 4005
• Provide disposition instructions on superseded, excess, and obsolete COMSEC material
• Provide account managers relief from accountability when necessary
• Certify appointments of COMSEC Account Managers and Alternate COMSEC Account Managers for each COMSEC Account
• Provide Cryptographic Access Briefings to the COMSEC Account Manager
• Serve as the COMSEC Incident Monitoring Activity and maintain a record of COMSEC Incidents, as required by CNSSI 4003
• Provide COMSEC training and guidance to COMSEC Account Managers

NOTE: The COR is not responsible for training COMSEC Account Managers or users in how to operate equipment.

2.2 U.S. Coast Guard

The U.S. Coast Guard’s COMSEC Program shall continue to operate under the U.S. Navy’s Central Office of Record (COR) and its governing directives. As the only military agency realigned under DHS, the Coast Guard must maintain an extensive DOD secure communications interface and interoperability, which is supported by an existing Department of the Navy (DON) COMSEC infrastructure.

2.3 U.S. Secret Service

The U.S. Secret Service’s COMSEC Program operates independently from the COR for reporting purposes. The Service maintains its own administrative controls and budget in relation to COMSEC; the COR provides only limited logistical support.

3.0 COMSEC FACILITIES

CNSSI No. 4009 (Reference c) defines a COMSEC facility to be an “Authorized and approved space used for generating, storing, repairing, or using COMSEC Material.”

For the purposes of this Instruction, a COMSEC facility is:

• An area where the use of COMSEC material is the primary effort being accomplished in that area, e.g., a telecommunications hub
NOTE: The COMSEC facility could be as small as a security container or closet.
• An area where classified COMSEC equipment (including pre-production model classified COMSEC equipment) is produced, maintained, or repaired
NOTE: Classified COMSEC equipment includes keyed equipment returned for repair due to malfunction and inability to zeroize the key or classified algorithm.
• An area where unencrypted keying material is available, which requires secure storage of such keying material or electronic key fill devices (e.g., Data Transfer Device (DTD), Secure DTD2000 System (SDS), Simple Key Loader (SKL), or Really Simple Key Loader (RASKL)). If only encrypted keying material is available, then the space may be considered an office area and is not a COMSEC facility.

A COMSEC facility is not:

• An area where CCI or other unclassified COMSEC equipment is produced, maintained, or repaired.
NOTE: Keyed CCI equipment returned for repair due to malfunction and inability to zeroize the key is classified to the level of the key or the level of the algorithm as exposed in the equipment in its current state, whichever is higher, and thus does not fall under this exception to a COMSEC facility.
• A secure office area – A secure office area is where only user-level COMSEC equipment is available for individual use. Examples of an office area include, but are not limited to an area with Secure Terminal Equipment, Secure Communications Interoperability Protocol (SCIP) products, or Secure Voice Over Internet Protocol (SVOIP) products for individual secure voice conversations; a residence with a SIPRNET connection, a single TACLANE or High Assurance Internet Protocol Encryptor (HAIPE) device; or a set of cubicles in a secured office environment, each cubicle with its own user level COMSEC equipment. COMSEC material in such office areas must be protected, at a minimum, in a manner affording the protection normally provided to other high value/sensitive material, and ensuring access and accounting integrity is maintained. If classified information is being secured by the COMSEC equipment in the office area, the area must be authorized for use or storage of classified information per guidelines from the local security office.

3.1 Closed/Restricted Area Designation

A COMSEC facility (except one comprised solely of a security container) must be designated as a Closed or Restricted Area. This designation must be clearly and conspicuously indicated by means of a sign posted on the outside of the door leading into the space.

3.2 Access List

Personnel authorized access to a COMSEC facility (except one comprised solely of a security container) must be listed on a properly authenticated access list posted inside the facility on the door or immediately adjacent to the door. is verified by the signature of the Division or Branch Chief, facility security official (e.g., SSO), COMSEC Account Manager, or Alternate COMSEC Account Manager as appropriate for the activity. At the discretion of the authorizing official, the access list may distinguish between unescorted and escorted access to the COMSEC facility, and list the individuals so authorized accordingly. Individuals not listed on the access list may be granted access to the COMSEC facility based on valid need to know, and such access must be recorded on a visitor register (see Section 3.3 below). See Annex G Tab 5 for a sample access list.


3.3 Visitor Register

A COMSEC facility (except one comprised solely of a security container) must have posted inside the entrance a visitor register on which to record the arrival and departure of individuals whose names do not appear on the access list. The visitor register must include the following information:

• Date and time of arrival and departure
• Printed name and signature of visitor
• Purpose of visit
• Signature of authorized individual admitting visitor

Do NOT include personally identifiable information (PII) on the visitor register such as SSN, dates and places of birth, etc.

3.4 Activity Security Checklist (SF-701)

At COMSEC facilities (including those comprised solely of a security container) that are not 24-hour facilities, the person securing the facility at the end of each workday must conduct security checks and document these checks on the SF-701. This form must be conspicuously posted on the inside of the facility door. The form should be customized for each facility based on its particular requirements as follows:

• Items 1-5 are preprinted and apply to most facilities, although in dated terminology. Activities may edit by any means they choose, or leave as is with the understanding of current-day application.
• Additional lines for specific concerns are provided on the form. Important items to check should be written on these lines. Examples include ensuring coffee makers are turned off, burn bags are properly secured, etc.
• Locally produced facsimiles of the form are acceptable, provided they address the essential security and safety checks that apply to the activity.

Use of the SF-701 at 24-hour facilities is optional.

3.5 Security Container Check Sheet (SF-702)

All combination locks within the COMSEC facility (including the lock securing the door to the COMSEC facility and those securing all security containers) must be accompanied by a Security Container Check Sheet (SF-702). In cases involving an electro-mechanical lock in dual control mode, separate SF-702 forms must be posted for each combination. This document must be used to record at a minimum the date, time, and initials of the person opening and closing the lock each time it is so accessed. For locks in dual control mode, when the lock is closed the “Checked by” column on both SF-702 forms must be initialed by a second individual (NOT the individual closing the lock).

4.0 ACCESS TO COMSEC MATERIAL (ACCESS TO CLASSIFIED COMSEC INFORMATION)

Certain U.S. classified cryptographic information, the loss of which could cause serious or exceptionally grave damage to U.S. national security, requires special access controls. Accordingly, access to classified cryptographic information shall only be granted to an individual who meets the following criteria:
• Is a U.S. Citizen
• Is an employee of the U.S. Government, is a U.S. Government-cleared contractor or employee of such contractor, or is employed as a U.S. Government representative, including consultants of the U.S. Government
• Possesses a security clearance appropriate to the classification of the COMSEC material to be accessed
• Possesses a valid need to know as determined necessary to perform duties for, or on behalf of, the U.S. Government
• Receives a security briefing appropriate to the COMSEC material being accessed
• Acknowledges the granting of access by signing a cryptographic access certificate

The security clearance of account personnel holding TOP SECRET keying material marked CRYPTO must be based on a final Single Scope Background Investigation (SSBI). Personnel who have been granted an interim TOP SECRET clearance may be granted access to COMSEC material, but only at the SECRET level and below. An Interim SECRET clearance is not valid for access to any classified COMSEC information.

An individual does not necessarily have access to keyed COMSEC equipment if he or she is under escort or if a physical, technical, or procedural measure prevents them from obtaining knowledge or altering information, material, resources or components.

Where department or agency heads so direct, an individual granted access may be required to acknowledge the possibility of being subject to a non-lifestyle, counterintelligence scope polygraph examination administered in accordance with department or agency directives and applicable law.

4.1 Access to Controlled Cryptographic Items (CCI)

Access to CCI will be limited to U.S. citizens who have a need to know. Non-U.S. citizens, including immigrant aliens, may be authorized access to CCI in accordance with the procedures set forth in CNSSI 4001.

When CCI equipment is keyed, individuals loading the key or otherwise operating the equipment must possess a security clearance at least equal to the classification level of any key contained within. A security clearance is not required for visual access, if properly escorted.

4.2 Cryptographic Access Briefing and Debriefing

Cryptographic Access Briefs are required for individuals who have a continuing need for access to TOP SECRET and SECRET key and authenticators that are designated CRYPTO, and to classified cryptographic media that embody, describe, or implement classified cryptographic logic to include, but not be limited to, full maintenance manuals, cryptographic descriptions, drawings of cryptographic logic, specifications describing a cryptographic logic, and cryptographic computer software. The following individuals will also receive a Cryptographic Access brief:
• COMSEC Account Managers and Alternate Managers of COMSEC Accounts holding classified TOP SECRET and SECRET key marked CRYPTO.
• Cryptographic maintenance or installation technicians.
• Personnel requiring access to spaces where cryptographic keying materials are generated or stored.
• Personnel involved in keying operations.
• Personnel involved in cryptographic key destruction, including deletion of key from Electronic Fill Devices.

Individuals granted access to the classified cryptographic information described above may be required to acknowledge the possibility of being subject to a non-lifestyle, counterintelligence scope polygraph examination administered in accordance with DoD or agency requirements and applicable law.

A cryptographic access briefing is not required for individuals who operate (i.e., do not key or maintain) systems using cryptographic equipment. The cryptographic access briefing shall be administered to users by the COMSEC Account Manager or, in the Manager’s absence, the Alternate COMSEC Account Manager. The cryptographic access briefing shall be administered to the COMSEC Account Manager by the COR.

Individuals receiving a cryptographic access briefing also require a cryptographic access debriefing. Debriefings shall be administered by the COMSEC Account Manager or Alternate Manager for users, and by the COR for the COMSEC Account Manager. Upon completion of the debriefing, Section II – Termination of Access to Classified Cryptographic Information, SD Form 572, shall be completed. The COR will maintain a copy of the Cryptographic Access Certification and Termination (SD Form 572) form for all COMSEC Account Managers who have been briefed and debriefed for crypto access. The COMSEC Account Managers will maintain a copy of the Cryptographic Access Certification and Termination (SD Form 572) form for all Alternate COMSEC Account Managers and users who they have briefed and debriefed for crypto access.

5.0 PHYSICAL SECURITY OF COMSEC MATERIAL (STORAGE OF COMSEC MATERIAL, PHYSICAL SECURITY)

COMSEC material may require different levels of physical security under different conditions. TOP SECRET keying material is our nation's most sensitive keying material because it is used to protect the most sensitive U.S. national security information and its loss to an adversary will jeopardize the security of all of the information protected by the key. For this reason, TOP SECRET keying material must be afforded the special protection of TPI controls. Any violation of the TPI requirements specified herein is reportable as an incident in accordance with Section 10.1, Reporting COMSEC Incidents. The required physical controls pertinent to the specific circumstances are outlined in this section. The guidelines established in CNSSI 4005, Section VII.D (Storage of COMSEC Material) must be followed.

5.1 Storage Requirements

A facility/organization will not be eligible to receive or generate classified COMSEC information until adequate storage has been established. TPI storage of TOP SECRET key will require that COMSEC Accounts and all holders (hand receipt users) have TPI storage capabilities as required below.

5.2 Classified COMSEC Equipment and Information

Classified COMSEC equipment and information, other than keying material marked CRYPTO, must be stored in a manner prescribed in CNSSI 4005 similar to classified material at the same classification level. It must also have a serial number to maintain continuous accountability.

5.3 COMSEC Keying Material Marked CRYPTO

Keying material marked CRYPTO will be stored in a General Services Administration (GSA) approved Class V or Class VI security container to which only the COMSEC Account Manager and alternate(s) have access. When the key is issued to users, it will also be stored in a GSA-approved Class V or VI security container to which only properly cleared and Cryptographic Access briefed personnel have access, and the key must be inventoried at least once per day if the safe is opened. In addition, if the keying material is marked Top Secret, additional controls will be implemented in accordance with Section 5.0, Storage of COMSEC Material, and the requirements below.

• TOP SECRET keying material (including Top Secret transfer key encryption key (TrKEK)) must be stored under TPI controls employing two different combinations, with no one person authorized access to both combinations. Top Secret key material may be stored:
  o In a GSA-approved security container with dual built-in combinations locks on the control drawer, or a single lock meeting Federal Specifications FF-L-2740 on the control drawer, provided it is used in the dual combination mode; or
  o In a special access control container(s) (SACC) which is stored in a GSA-approved security container; or
  o In a GSA-approved security container within a vault, modular vault or Controlled/Closed Area. Procedures must be established to ensure that a single individual who has access to the container combination is not left alone in the vault or Controlled/Closed Area.
• SECRET keying material may be stored:
  o In a manner approved for TOP SECRET keying material, however, TPI controls are not required; or
  o In a GSA-approved security container.
• CONFIDENTIAL keying material may be stored:
  o In any manner approved for TOP SECRET or SECRET keying material; or
  o In a file cabinet having an integral automatic locking mechanism and a built-in, three position, dial type, changeable combination lock; or
  o In a steel file cabinet equipped with a steel bar and a three position, dial-type, changeable combination padlock.
• UNCLASSIFIED keying material (to include associated CIKs, KSV 21s and seed key encryption keys) may be stored in a manner approved for TOP SECRET, SECRET, or CONFIDENTIAL keying material or in the most secure manner available to the user.

NOTE: Users must protect an associated CIK or KSV 21 card by either keeping it in their personal possession or storing it in a manner that will minimize the possibility of loss, unauthorized use, substitution, tampering, or breakage. In general, a user can send the CIK or KSV 21 card through X-ray machines or other security devices commonly used at the airports without harmful effects to the card. A KSV 21 “fill card” programmed with operational key material must be handled and stored in a manner consistent with the classification of the keying material.

5.4 Procedures for Handling of COMSEC Keying Material

The proper handling of COMSEC keying material requires meticulous attention to detail, and must be accounted for in accordance with DHS and national policy from creation to destruction. Keying material must be stored in security containers approved by the General Services Administration (GSA) for the classification level of the key. Access to the container storing future editions of classified keying material marked CRYPTO, however, must be restricted to the COMSEC Account Manager and Alternate COMSEC Account Manager(s). Where this restriction cannot be applied because others must have access to the container for either current editions of keying material or other material contained therein, future editions of keying material must be stored separately in a locked strongbox which can be opened only by the COMSEC Account Manager and Alternate Manager(s). The strongbox must be kept in the security container.

5.5 Key Lists/Key Tapes

Operational key lists packaged in protective technologies will not be page checked until 72 hours prior to the effective date.

Key tapes packaged in plastic protective canisters will not be removed for inventory purposes. The Manager will ensure that the first segment appears in the window. Segments shall not be removed from the canister until needed. Upon issue of this material on hand receipt, or upon extraction of segments of material NOT issued on hand receipt, the COMSEC Account Manager shall annotate a disposition record form with the short title, edition, and register number of the material. Each extracted segment shall be tracked on this form by segment/copy number as appropriate, and the form must be stored with the material until destruction. Labels will not be affixed to keying material canisters or any other protective technology. Should additional identification be necessary, a grease pencil may be used to mark the surface of the canister, or the canister may be placed in a plastic zip-lock bag and a label or tag may be affixed to the bag. Permanent markers may not be used on any type of protective technology. Barcode labels will be removed upon receipt.

5.6 Access to Keying Material Designated for Encryption of SCI

Access to keying material used to encrypt SCI constitutes access to the SCI itself. Keying material is considered SCI when it is removed from its protective packaging or the protective packaging is no longer intact. Access to unencrypted keying material used to protect SCI must be restricted as follows:
• Keying material designated for encryption of SCI must be issued to and used only by personnel indoctrinated for SCI.
• Personnel required to enter a SCI facility (SCIF) to perform COMSEC duties and thereby have access to (i.e., the opportunity to hear or view) SCI, must be indoctrinated for SCI. Non-indoctrinated personnel may enter the SCIF, when approved by the appropriate authority, if the SCIF is sanitized or the visitor remains under escort by an indoctrinated individual to preclude inadvertent disclosures.
• COMSEC Account Managers, auditors, and training personnel handling protectively packaged keying material designated for encryption of SCI are not required to be indoctrinated for SCI. However, these personnel must hold the appropriate clearance in accordance with the classification of the key. Personnel performing destruction of SCI material requiring removal of the protective packaging must be indoctrinated for SCI.

5.7 Lock Combinations

The COMSEC Account Manager is responsible for classified COMSEC material stored in security containers/vaults which they control. However, once classified COMSEC material is issued on hand receipt to a user, the user becomes responsible for the material, and the container storing such material is considered to be under the user’s direct control. Combinations should be stored in a container within the COMSEC Account Manager’s organization or nearby in a DHS or other governmental facility, where they can be accessible within 24 hours. The COMSEC Account Manager is responsible for management of lock combinations, and for educating users, based on the provisions listed below:

5.7.1 Selection of Combinations

Each lock must have a combination composed of randomly selected numbers. This combination will not deliberately duplicate a combination selected for another lock within the facility and will not be composed of successive numbers in a systematic sequence, nor predictable sequence (e.g., birth date, social security numbers, and phone number).

5.7.2 Changing Combinations

A lock combination shall only be changed by a cleared individual having a need to know for the information safeguarded by the lock. Furthermore, combinations to containers/vaults used by the COMSEC Account Manager to store material shall only be changed by the COMSEC Account Manager or Alternate COMSEC Account Manager. The hand receipt holder, COMSEC custodial personnel, or the Security Officer (if applicable) shall change combinations used for the protection of material issued on hand receipt. Combination changes may be accomplished under the supervision of a trained locksmith, but the locksmith may not be given access to the combination(s).

5.7.3 Frequency of Combination Changes

Lock combinations shall be changed on the following events:
• When a lock is initially placed in use. (The manufacturer’s preset combination must not be used.);
• When any person having authorized knowledge of the combination no longer requires such knowledge (e.g., through transfer, termination of employment or loss of clearance);
• When the possibility exists that the combination has been subjected to compromise;
• When the lock is taken out of service. Built-in locks must be set to the standard combination 50-25-50. Padlocks must be set to the standard combination 10-20-30;
• When any repair work has been performed on the combination lock; and
• At least once every two years or sooner as dictated by the above events.

5.7.4 Classification of Combinations

Lock combinations must be classified the same as the highest classification of the information protected by the locks. For a security container, this is the highest classification of the information held in the container; for a vault door, it is the highest classification of the information held in the vault.

5.7.5 Record of Combinations

To provide for ready access to secured material in emergencies, a written record of lock combinations shall be maintained and stored in a centralized container authorized for the storage of material at the highest classification of the information protected by the locks. Each combination must be recorded on a separate record card (e.g., Standard Form 700) and each card then placed in a separate envelope, properly marked, and sealed. The face of the envelope must be stamped with the highest classification of the information protected by the combination and annotated with the identification number of the container to which it applies. The date of the combination change will also be recorded on the envelope. When a combination is changed, the record card must be updated and the date of the change annotated on the record-of-combination envelope. The record-of-combination envelopes must be secured in a central container (refer to Protective Packaging requirements below) that is approved for storage at the level of the information protected by the locks (except that protectively packaged record-of-combination envelopes for TOP SECRET containers do not require TPI controls). If a written record of the central container combination is maintained, it must be packaged as described above and secured in a separate container that is approved for storage at the level of the information protected by the locks. In those instances where individuals other than the COMSEC custodial personnel or Security Officer (if applicable) have access to the central container combination, the combination must be protectively packaged as described in the Protective Packaging Techniques paragraph below.

NOTE: Records of combinations used for the protection of COMSEC material cannot be maintained in electronic form (e.g., in a computer or on computer media). Also, it is specifically prohibited for individuals to record and carry, or store insecurely for personal convenience, the combination to areas or containers in which COMSEC material is stored, to include unattended or contingency facilities.

5.7.6 Protective Packaging of Lock Combinations

Lock combinations should be packaged and sealed in tamper-evident packaging, and the protective packaging should be inspected at least monthly. It is strongly recommended that when a container with two combinations is used for TPI storage that both combinations be separately protectively packaged and held at different locations. In situations where a single individual, such as the facility security officer, has no access to additional secure storage locations, the security officer may have both combinations if they are separately protectively packaged. If the combinations to a container used for TPI storage are not protectively packaged, the combinations must be stored at different locations. Each combination must be accompanied by a list of individuals authorized access to that combination. It is specifically prohibited for individuals to record and carry, or store insecurely for personal convenience, the combinations to facilities or containers where COMSEC material is stored. Records of such combinations may not be stored in electronic form in a computer without the written approval of the cognizant security officer or stored at unattended or contingency facilities.

5.7.6.1 Protective Packaging Techniques

Guidance for one method (other methods may be equally acceptable) for protective packaging is as follows:
• Lock combination records cards may be protectively packaged by covering the record card (e.g., SF-700 part 2A) front and back with aluminum foil. Place the record-of-combination card into part 2 or an opaque envelope. Enter on part 1 and the face of the envelope the information specified in Record of Combinations paragraph above. These entries must be made in ink to lessen the possibility of alteration.
• Place the envelope in a tamper-evident plastic bag and seal according to instructions. The tamper-evident plastic bags are available from the NSA Protective Technologies Branch, I23121, (301) 688-5861 or 688-6816.

5.7.6.2 Periodic Inspection of Combinations

The protective packaging described in this section provides an added degree of protection, but is not penetration proof. Therefore, the package must be inspected monthly, and a log of the inspections must be kept with the date, container number, summary of anomalies noted (if any; if no anomalies, so indicate), and initials of the person doing the inspection. See Tab 4 to Annex G for a log template. This inspection should include a close visual examination of the entries on the face of the envelope to ensure that they are authentic and an inspection of all surfaces of the tamper-evident packaging, including the four edges of the package. This may reveal actual or attempted penetration of the protective packaging.

5.8 Implementation of Two Person Integrity (TPI)

TPI operations with TOP SECRET operational keying material (TOP SECRET CRYPTO) must be accomplished with at least one individual who has a final TOP SECRET clearance. The second individual must have at least an interim TOP SECRET clearance with a minimum of a final SECRET clearance. Both individuals must be cryptographic access briefed.

NOTE: While in the custody of the Defense Courier Division (DCD) or the Diplomatic Courier Service, Two-Person Integrity controls are not required for TOP SECRET keying material.

Receipt of TOP SECRET keying material – Pick-up of packages from the DCS does not require TPI. However, when opening a package and the inner wrapper is found to indicate TOP SECRET, processing must stop and TPI immediately implemented, except as noted below:

TOP SECRET key received by a COMSEC Account Manager from the U.S. National Distribution Authority (NSA), or other Department or Agency distribution source, and properly stored in NSA-approved sealed protective technology packaging, does not require Two-Person Integrity (TPI) controls, provided a Protective Technologies Inspection Program has been implemented per Paragraph 52 of CNSSI 4005, and account personnel have been properly trained. Prior to sealed protective packaging containing TOP SECRET key being opened in the account and the key subsequently accessed, TPI must be implemented and strictly enforced by the COMSEC Account Manager. Furthermore, all unencrypted TOP SECRET key issued by the account must be under strict TPI controls.

TOP SECRET COMSEC material must be maintained under TPI controls. When such material is hand-receipted to a user, the material must be maintained by the user under TPI controls and signed for by two individuals.

NOTE: Such TOP SECRET material includes COMSEC equipment containing TOP SECRET key that can be removed or extracted from the equipment in unencrypted form, and Top Secret TrKEK.

When TOP SECRET key is issued or destroyed, two individuals must receipt for the key and both destruction and witnessing individuals indicated.

TPI does not apply in the following situations:
• TOP SECRET PROMS at manufacturing facilities.
• Cryptologistics locations (see CNSSI 4005 Paragraph 60.b).
• Tactical situations (see CNSSI 4005 Paragraphs 60.d and 103.a).
• Seed Key which converts to TOP SECRET key (Seed key is UNCLASSIFIED).

NOTE: Other sections of this Instruction provide additional restrictions on these limitations. See CNSSI 4005 Paragraph 40 on the requirement for no-lone zones.

TPI may be accomplished for most electronic fill devices by removing the CIK and placing the device in the custody of one properly cleared individual and the CIK in the custody of another. Alternatively, TPI storage may be accomplished by storing the CIK and device separately in approved security containers as long as no single individual has the combination to both containers. If the CIK is left inserted, the electronic fill device must be stored in a TPI storage container.

5.8.1 TPI Storage

TPI storage requires using two separate combinations for access with no one person authorized access to both combinations. At least one of the combinations must be from a “built-in” lock, such as a GSA-approved vault door or a security container. Storage may be in a strongbox or supplemental container within a GSA-approved vault or security container that has its Federal Specification approved FF-L-2740A lock set up in the TPI, two combination mode. TOP SECRET keying material must be stored in a GSA-approved security container.

NOTE: TOP SECRET keying material held within the work area for intermittent use throughout the day may be kept under one lock in a No-Lone Zone. Knowledge of the combination or access to the key used to secure the lock must be restricted to the supervisor on duty.

5.8.2 Tactical Situations

Under normal circumstances, tactical situations in the context of TPI do not apply to any DHS COMSEC Account. On a case-by-case basis, should a situation arise which might be affected by TPI requirements, contact the COR for guidance.

5.9 CCI Equipment

CCI equipment must never be stored in a keyed condition. Prior to placing CCI equipment in storage, all keying material must be removed, and internal key storage registers zeroized. When unkeyed, CCI equipment must be protected against unauthorized tampering, removal, or theft during storage (e.g., placed in a locked room or a room with an adequate alarm system).

5.9.1 CCI Access Controls

CCI equipment is, by definition, unclassified, but controlled. Minimum controls for CCI equipment are prescribed under three different conditions: unkeyed; keyed with unclassified key; and keyed with classified key. The provisions apply to CCI equipment installed for operational use. All CCI equipment is to be protected in a manner which provides protection sufficient to preclude theft, sabotage, tamper, or unauthorized access and maintains accountability for the material, whether installed or not.

NOTE: There are no requirements for access imposed for external viewing of COMSEC equipment where no opportunity exists for unauthorized access either to the key, the COMSEC equipment, or the input and output of the COMSEC system.

5.9.2 CCI Equipment

Procedures should be established to provide physical controls adequate to prevent unauthorized removal of the CCI equipment or its CCI components. Rooms containing unkeyed CCI equipment should be locked at the end of the workday.

5.9.2.1 Installed and keyed with unclassified key

The COMSEC Account Manager is responsible for preventing access by unauthorized personnel through the use of adequate physical controls and/or by monitoring access with authorized personnel.

5.9.2.2 Installed and keyed with classified key – Attended

CCI equipment must be under the continuous, positive control of personnel who possess a security clearance at least equal to the classification level of the keying material in use. Facilities holding TOP SECRET keying material must establish appropriate TPI controls. TPI controls shall always apply to initial keying and rekeying operations that involve TOP SECRET key marked CRYPTO.

5.9.2.3 Installed and keyed with classified key – Unattended

CCI equipment must be in a Controlled Area as described in Section 3.0, COMSEC Facilities.

6.0 COMSEC ACCOUNTS

COMSEC Accounts are established to support activities that are required to hold and/or produce classified COMSEC material accountable within the CMCS.

6.1 Requirement for a COMSEC Account

Any DHS Component or office that requires COMSEC material must obtain such material through a COMSEC Account. If an existing COMSEC Account cannot support the requirement, a new COMSEC Account will be established. New COMSEC Accounts shall be established through the COR. When an existing COMSEC Account can adequately support the requirement for COMSEC material, the material will be provided to the user on a hand receipt basis from the existing account.

6.2 Registration with USTRANSCOM J3/Defense Courier Division (DCD)

New COMSEC Accounts that require DCD services shall register with DCD in accordance with USTRANSCOM Instruction (USTCI) 10-22. The USTRANSCOM Customer Service Guide, containing information for registering your account, can be found at the DCD Web site: www.transcom.mil/dcd. Click the Customers link to access the guide.

6.3 Establishment of the COMSEC Account

Upon receipt and acceptance of the request for establishment of a COMSEC Account, the COR will forward all necessary documents to be completed by the COMSEC Account Manager and the Alternate Manager. The cognizant security department will verify the clearances of appointed individuals. All completed documents will be returned to the COR. Once the account is formally established, the COR will provide the account with a formal account establishment letter which must be permanently retained in the account’s files. Additionally, the COR will assist the new account in obtaining needed COMSEC material and an initial supply of COMSEC accounting forms.

6.3.1 Request for Establishment of a COMSEC Account

When a COMSEC Account must be established, the office requiring the account shall submit a formal written request addressed to the COR. The request must contain the following information:
• A justification to support establishment of an account and a list of COMSEC material to be held by the account.
• If Keying Material is being requested, validation from the Controlling Authority (CA) is required.
• The office name and complete address where the account is to be located.
• Highest security classification level of COMSEC material to be held in COMSEC Account. NOTE: If SCI cryptographic material is to be held, include this in the request.
• Evidence that the minimum physical security standards set forth in CNSSI 4005 for safeguarding COMSEC material can be met.
• The names, grades, social security numbers (SSN), and clearance certifications of the individuals to be appointed as COMSEC Account Manager and Alternate Manager.
• A stipulation that the COMSEC Account Manager and Alternate Manager are U.S. Citizens and possess a final U.S. Government clearance equal to or greater than the classification level of the material to be held by the account.
• The person designated as the COMSEC Account Manager or Alternate Manager must have successfully completed the DHS COMSEC Account Manager Course before the new account can be activated.
• The COMSEC Account Manager must receive a Cryptographic Access briefing from the COR and sign a Cryptographic Access briefing certificate before assuming COMSEC duties.

The lead time to establish a COMSEC Account and confirm appointments is at least 45 days.

6.3.2 Appointment of COMSEC Account Managers

Upon determination of the need for a COMSEC Account, managers at appropriate levels (FSOs for contractors) will nominate to the COR a COMSEC Account Manager and at least one Alternate for each COMSEC Account under their jurisdiction. Upon verification of qualifications, the COR will appoint these personnel. Personnel appointed as COMSEC Account Managers or KMI Operating Account (KOA) Managers must:

• Be a U.S. citizen (either native-born or naturalized)
• Possess a security clearance appropriate for the material to be held in the account. COMSEC Account Managers having access to TOP SECRET keying material must have a security clearance based on a final background investigation, current within five years.
  o For U.S. Government employees only, interim clearances may be approved; however, for accounts holding TOP SECRET COMSEC material, interim TOP SECRET clearances may only be approved if the individual has been granted a final SECRET clearance.
  o Contractors and non-federal government personnel clearances must be consistent with CNSSP No. 14
• Be a federal government grade of at least GS-7, or government contractor of equivalent position of responsibility.
• Have no history of having been previously relieved of COMSEC Account Manager duties for reasons of negligence, malfeasance, or nonperformance of duties
• Have maximum retainability to establish continuity and decrease the possibility of frequent replacement. Individuals with less than six (6) months remaining in their present assignment shall not be appointed as a COMSEC Account Manager.
  NOTE: Nothing in this Instruction precludes a COMSEC Account Manager or Alternate from being a COMSEC Account Manager or Alternate of multiple accounts. However, prior to being appointed to the second or subsequent account(s), the appointing official must attest to the COR that the individual will have time to be involved in the daily operations and properly manage all accounts.
• Be authorized under the terms of a U.S. Government contract, if a contractor. Commercial contractors may appoint contractor personnel to serve as COMSEC Account Managers and alternates when authorized to establish and operate a COMSEC Account under the terms of a U.S. Government contract. The contractor must meet all training and access security requirements mandated for U.S. Government employees and must have a final security clearance prior to the appointment per CNSSP No. 14
• Be trained.
  o All new COMSEC Account Managers must attend formal COMSEC training provided by the COR prior to appointment or within two class convening dates of appointment.
  o All returning COMSEC Account Managers following a hiatus exceeding 18 months must attend formal COMSEC training prior to appointment or within two class convening dates of reappointment.
  o Formal training for EKMS and KMI accounts in the duties and responsibilities of a COMSEC Account Manager or KOA Manager is required. In addition, such individuals must be formally trained and certified at an approved training facility in the operation of the certified and accredited automated system being used (EKMS or KMI, as applicable) before commencing duties.

The individual assigned may have collateral duties; however, when COMSEC functions are required and they do not adversely impact mission requirements, those COMSEC functions take precedence over their collateral duties.

Nomination letters and worksheets must be submitted using the templates available on the COR SharePoint website as specified in Tab 2 to Annex G. Additionally, for any proposed change to an existing COMSEC Account’s personnel, a new nomination letter for ALL personnel, prospective and incumbent, and worksheets for any new personnel and any due for update of clearance information, must be submitted to the COR. In cases strictly involving removal without replacement of COMSEC Account personnel, only a new nomination letter for all remaining personnel must be submitted to the COR (no worksheets unless clearance information update is due for any personnel).

6.3.3 Temporary Absence of the COMSEC Account Manager

During a temporary scheduled absence of the COMSEC Account Manager, an alternate will assume all duties. An absence of the COMSEC Account Manager for a period greater than 60 days is an extended absence, and a new COMSEC Account Manager must be appointed. In the event of operational necessity, a waiver may be granted by the COR.

6.4 Closing a COMSEC Account

When the need for a COMSEC Account no longer exists, the supervising official will submit a memorandum to the COR requesting the account be closed. Subsequently, the appointments of the COMSEC Account Manager and the Alternate Manager will be terminated.

6.4.1 Conducting the Final Inventory

Concurrent with the request to close the account, the COMSEC Account Manager and Alternate Manager shall conduct a physical inventory of all COMSEC material charged to the account and submit the inventory report to the COR requesting disposition instructions for the material.

6.4.2 Disposition Instructions

The COR will conduct a final reconciliation of the account’s holdings and furnish the COMSEC Account Manager with disposition instructions for all remaining COMSEC material. COMSEC accounting records and files pertaining to the COMSEC Account will be forwarded to the COR.

6.4.3 Termination for Cause of a COMSEC Account

DHS COMSEC Accounts may be closed by the DHS CIO if two consecutive audit reports or other findings by the COR show that the account is mismanaged or presents a possible threat to national security.

6.4.4 Termination/Disposition Report

Upon completion of required steps for closing a COMSEC Account, the account must submit a Termination/Disposition Report to the COR. The report must indicate that all material has been properly disposed of in accordance with instructions received from the COR, and that account reports are up to date and correct. The report must also include points of contact and current telephone numbers of individuals with a working knowledge of the details of the account being closed/disestablished (usually the COMSEC Account Manager/Alternate).

6.5 Responsibilities of COMSEC Account Managers and Witnesses

The COMSEC Account Manager is responsible for the receipt, custody, issue, safeguarding, accounting for, and when necessary, destruction of COMSEC material. COMSEC Account Manager responsibilities include the following:

• Ensuring all COMSEC material issued to, or generated and held by, the COMSEC Account is safeguarded and controlled in accordance with the requirements of this Instruction or the operational security doctrine for the associated COMSEC equipment/system
• Maintaining the COMSEC Account files and preparing and submitting accounting reports to the COR as required
• Ensuring new or additional COMSEC material is properly requisitioned or generated in accordance with department or agency directives
• Conducting or supervising the inventories required by this document
• Correcting any deficiencies involving procedures at the account
• Ensuring amendments to COMSEC publications are posted in a timely manner and residue pages, resulting from page replacements, are destroyed
• Ensuring all mandatory modifications are made to COMSEC equipment in the account
• Ensuring COMSEC material is issued only to appropriately cleared or authorized individuals whose duties require it and advising them of their responsibility to properly safeguard and control COMSEC material
• Maintaining records of all COMSEC material issued to users on hand receipts
• Initiating organizational procedures ensuring individuals do not leave the organization without first returning or destroying COMSEC material issued to them on a hand receipt
• Ensuring routine destruction of COMSEC material is accomplished in accordance with the requirements of this Instruction and CNSSI No. 4004.1, Destruction and Emergency Protection Procedures for COMSEC and Classified Material (Reference y)
• Ensuring Standard Operating Procedures (SOPs), emergency protection or destruction plans are prepared in accordance with the requirements of CNSSI No. 4004.1 (Reference y), are provided to all hand receipt holders, and are present at all COMSEC facilities served by the COMSEC Account
• Ensuring COMSEC material handled within the CMCS is properly packaged for transportation and all received packages are examined for evidence of tampering. (All incidents of tampering must be reported in accordance with the requirements of CNSSI 4003 (Reference k))
• Ensuring protective technologies are inspected in accordance with instructions published by the NSA Protective Technologies Division. (All incidents of tampering must be reported in accordance with the requirements of CNSSI 4003 (Reference k))
• Ensuring COMSEC material received or transferred by the account agrees with material listed on the accompanying transfer report
• Ensuring COMSEC incidents are reported in accordance with the requirements of CNSSI 4003 (Reference k)
• Making transportation arrangements and ensuring only authorized means are used for transporting COMSEC material, in accordance with Section XIV of CNSSI 4005, Transportation of COMSEC Material
• Ensuring the COMSEC Account holds only mission essential COMSEC material.
• Training users in proper procedures for safeguarding and controlling COMSEC material
  NOTE: The COMSEC Account Manager is responsible for training hand receipt holders in security and accounting functions, and for training users in the operation of end-equipment.
• Working with COMSEC users to ensure there is a continuing requirement for specific key or, if no requirement, recommending to the Controlling Authority or Command Authority that the account be dropped from distribution of that specific key
  NOTE: Throughout this document, references to Controlling Authority include the role of Command Authority when using modern key
• Acting as the User Representative or Product Requestor for modern key, as authorized and required
• Ensuring the account is properly transferred to the newly appointed COMSEC Account Manager prior to re-assignment, separation, or retirement of the outgoing COMSEC Account Manager by properly completing a Change of COMSEC Account Manager Inventory per Paragraph 97.c of Reference dd. The outgoing COMSEC Account Manager remains responsible for all material in the COMSEC Account until reconciliation is complete per Paragraph 97.c.3) of Reference dd.
  WARNING: COMSEC Account Managers who leave their account prior to completing a joint inventory with the individual appointed to replace them (see Paragraph 97.c), and obtaining clearance release from the COR, are subject to recall.
• Contact the COR for a cryptographic access brief upon appointment to the position of COMSEC Account Manager and sign the cryptographic access brief
• Every 6 months perform a self-inspection of the account using the DHS COMSEC Audit Checklist, and maintain a copy of the self-inspection until the next DHS audit
• Conduct the semiannual inventory of COMSEC material as required by the COR
• Coordinate orders for COMSEC equipment or keying material with the COR.
• Conduct and document required reading annually or when directed by the COR.
• Comply with all COMSEC Advisories, directives, memoranda, etc., published by the COR and NSA.
• Conduct required page checks in accordance with CNSSI 4005, paragraph 94.e
• Following the temporary absence of any account personnel, all changes made to the COMSEC Account will be reviewed.
• Ensure all Alternate COMSEC Account Managers are equally involved in the account.

6.5.1 Alternate COMSEC Account Manager

The Alternate COMSEC Account Manager must be aware of the day-to-day operations of the COMSEC Account and must be able to perform all required duties during any absence of the COMSEC Account Manager. At least one Alternate COMSEC Account Manager will be appointed for each COMSEC Account. Additional Alternates may be appointed, as necessary, to maintain continuity of operations subject to the approval of the COR.

• An Alternate COMSEC Account Manager must meet the same citizenship and security clearance requirements as the COMSEC Account Manager. Personnel appointed as Alternate COMSEC Account Managers should be experienced in the COMSEC field and must hold federal government grade of at least GS-5 or government contractor of equivalent position of responsibility.
• All Alternate COMSEC Account Managers must be formally trained in their duties and responsibilities.

6.5.2 Cleared Witness

While policy allows for the use of appropriately cleared Witnesses in the operation of COMSEC Accounts, they should not be relied upon as substitutes for Alternate COMSEC Account Managers. The COR has determined that Witnesses will NOT be authorized access to CARDS.

In ISOLATED cases involving shortage of properly designated COMSEC Account personnel (i.e., COMSEC Account Manager and Alternate(s)), properly cleared and cryptographic briefed individuals may be used to complete time-critical COMSEC Account functions such as Destructions, Inventories, etc. In such cases, the account should complete the transaction and submit the completed COMSEC Material Accounting Report (SF-153), properly signed by the Manager or Alternate and Witness, to the COR (fax, scan and email, etc.), at which time the COR will review the report and Finalize the transaction in CARDS on behalf of the Account. Such instances must be coordinated with the COR.

If an Account’s operational tempo and personnel schedules present repeated need for non-COMSEC personnel to serve as Witnesses to enable uninterrupted performance of Account functions, consideration must be given to nominating additional Alternate COMSEC Account Managers who will be required to attend the DHS COMSEC Account Manager Course of Instruction.

When using cleared Witnesses to complete COMSEC Account transactions, they must witness the transaction (physical inventory, destruction, etc.) of COMSEC material. Responsibilities of the Witness include but are not limited to the following:

• Sign the inventory report, keying material usage/disposition record, or destruction report confirming that the COMSEC material listed has been inventoried or destroyed.
• Under no circumstances will the witness sign an inventory without having personally sighted the material being inventoried, nor sign a destruction report without having personally witnessed the destruction of the material.

6.6 COMSEC Sub Accounts

To further streamline operations among certain COMSEC Accounts that coordinate with a larger, better staffed account, sub accounts may be established within the group in lieu of full accounts. Criteria include but are not limited to geographic proximity or functional relationship. Establishment of sub accounts under a parent account will necessarily place greater responsibility on the COMSEC Account manager of the parent account.

Sub Accounts function essentially as full COMSEC Accounts, but are not assigned NSA-recognized six-digit account numbers. They operate under the auspices of the parent account, and directly interact only with that account.

Requirements for establishment of sub accounts and assignment of COMSEC personnel to sub accounts are identical to those of full COMSEC Accounts. Sub account COMSEC personnel are subject to the same qualification requirements as full COMSEC Accounts including COMSEC training at a DHS COMSEC Account Manager course of instruction. Sub accounts may use cleared Witnesses as needed in the same manner as specified in Section 6.5.2.

6.6.1 Parent Account COMSEC Account Manager Responsibilities

The COMSEC Account manager exercises primary oversight of sub accounts. This oversight includes the following responsibilities:

• Ensuring semi-annual self-inspections and inventories of COMSEC material held by the sub account are conducted
• Conducting audits of the sub account on an aperiodic, event driven basis at intervals not to exceed every 36 months.
• Providing COMSEC materials as required.

6.6.2 Sub Account COMSEC Personnel Responsibilities

Sub account personnel shall be designated in the same manner as for full COMSEC Accounts. Each sub account shall have a COMSEC Account Manager and at least one Alternate. Responsibilities shall be the same as for full COMSEC Accounts.

6.6.3 COMSEC Material Management Process for Sub Accounts

Sub accounts will acquire all their COMSEC material exclusively from their respective parent accounts. Keying material orders, cryptographic equipment requisitions, etc., shall be coordinated through the parent account, which will in turn process key orders and requisitions. Accounting reports between the parent account and sub account will incorporate a unique sequence of transaction numbers. These transactions are not reportable to the COR.

6.6.3.1 Physical Material

Physical COMSEC material from external (national) accounts intended for a sub account must be transferred to the parent account, which will in turn transfer the material to the sub account. There are no exceptions to this policy.

6.6.3.2 Electronic Key

Sub accounts will submit key orders to the parent account, which will forward to the COR for ordering from the Cryptographic Assurance Operations (CAO) Office. Upon receipt from the CAO Office, the COR will upload the key to the COMSEC Accounting, Reporting, and Distribution System (CARDS) for transfer to the parent COMSEC Account, which must process and acknowledge this transfer. The parent account will in turn transfer the key to the sub account in CARDS, thereby making the key available to the sub account for download (see Tab 2 to Annex D).

7.0 COMSEC MATERIAL ACCOUNTING

NSA-approved electronic accounting systems shall be used by the COMSEC Account Manager to maintain disposition records and support reporting requirements for all classes of material. After delivery of any COMSEC material to an account, a signed receipt must be transmitted to the sender (and COR as applicable) not later than three business days after receipt.

7.1 COMSEC Accounting Systems

Accountability of COMSEC material and equipment is essential to the security of the DHS COMSEC program. The COR has several approved systems to account for COMSEC material and equipment. Two of these systems are Distributed INFOSEC Accounting System (DIAS) and COMSEC Accounting, Reporting, and Distribution System (CARDS). DIAS or CARDS is provided at no cost to COMSEC Accounts and its use will enable COMSEC Account Managers to provide reports in an electronic format to other COMSEC Accounts. See Annex D for detailed information.

7.2 Electronic Records

Electronic records are vulnerable to loss or destruction; therefore it is necessary to maintain paper copies of all COMSEC transactions for a minimum of three years. Managers must also back up their electronic data every 30 days or more frequently if a large volume of transactions has occurred (if using DIAS).

7.3 Accountability Legend Codes (ALC)

Accountable COMSEC material within the COMSEC Material Control System (CMCS) is assigned an accounting legend code (ALC) to indicate the minimum accounting controls required for that material.

• ALCs 1, 2, and 4 are assigned to material that must be physically inventoried by the COMSEC Account Manager.
• ALCs 6 and 7 are assigned to material in electronic form that cannot be physically inventoried but must be electronically inventoried.
• Departments and agencies may not reassign material a different ALC without prior approval from NSA, except when such reassignment is an intrinsic part of an electronic key distribution process performed by EKMS or KMI.

NOTE: For further information regarding ALCs, including proper accounting for Reg 0 Key, see Reference (dd), paragraph 81.

7.4 COMSEC Files and Reports

Each COMSEC Account Manager will establish and maintain COMSEC accounting and related files. Accounts using approved electronic accounting programs need not keep a paper transaction log and may use the electronic log.

7.4.1 Accounting Records

Accounting Reports are prepared on an SF-153 and are used to record the transfer, possession, inventory, and destruction of COMSEC material. The following reports will be prepared electronically using DHS approved COMSEC material accounting software:

• Transfer Report. Used to report the transfer of COMSEC material from one COMSEC Account to another.
• Destruction Report. Used to report the physical destruction of COMSEC material or zeroization of electronic key.
• Inventory Report. Used to report the physical (sight) and/or virtual inventory of COMSEC material.
• Possession Report. Used to report the possession of COMSEC material.
• Hand Receipt. Used to document the issue of COMSEC material to authorized users for operational use.

7.4.2 Possession/Relief from Accountability Reports

Whenever COMSEC material is found outside of accountability or lost, a COMSEC Incident Report is required, followed in most cases by a Possession or Relief of Accountability report, as appropriate. The Possession or Relief of Accountability report must be accompanied by a case number issued by the National COMSEC Incident Reporting System (NCIRS) (except as noted below).

7.4.2.1 Possession

When COMSEC material is found outside of accountability, whether or not the material is secured within the COMSEC facility or other secure space, a COMSEC Incident must be reported in accordance with Section 10.1, Reporting COMSEC Incidents. The CIMA will conduct an investigation in coordination with the NSA and attempt to determine if the material is on charge to any COMSEC Account. In the event that accountability for the material cannot be determined, the CIMA will instruct the reporting account to complete a Possession report. The Possession report shall not be completed prior to this determination and instruction.

In the event that material (i.e., CCI) is received from other agencies that do not account for this material in their CMCS, no COMSEC Incident report is required, however a Possession report must be completed. No instruction from the CIMA is required for completion of a Possession report in this case.

7.4.2.2 Relief from Accountability

In the event of loss of COMSEC material, a COMSEC Incident must be reported in accordance with Section 10.1, Reporting COMSEC Incidents. The cognizant adjudicative entity must evaluate the Incident and instruct the COMSEC Account to complete a Relief from Accountability report to remove the material from the account’s inventory.

7.4.3 COMSEC Accounting and Related Files

Each COMSEC Account Manager will establish and maintain appropriate files containing the following COMSEC accounting reports:

• Incoming/Outgoing transfer reports, possession reports, and Change of COMSEC Account Manager inventory reports
• Destruction reports
• Inventory reports
• Hand receipts
• Transaction number log. (If a DHS approved automated Register File is used, a physical transaction log is not required.)

In addition to the COMSEC accounting files, the COMSEC Account Manager will keep the following COMSEC related Files:

• Status Messages obtained from each Controlling Authority for Keying Material
• Courier, mail, and package receipts
• Manager and Alternate appointment documents
  o Nomination and appointment letters
  o Cryptographic Briefing Certificates
  o Signature Card (DHS Form 580)
  o Annual COMSEC Required Reading
• Copies of Courier Letters or Courier Cards for all COMSEC Account personnel
• Account Establishment Letter
• COMSEC Vault Accreditation Letter
• Correspondence pertaining to the account
• COMSEC Incident Reports
• Audit Reports
• Memoranda of Corrective Actions
• Telephone numbers of all issued Secure Telephones
• Manufacturer and User PINs for secure cell phones, wireline terminals, and Iridium phones, maintained by the Manager and stored at the appropriate classification level

7.4.3.1 Classification of COMSEC Accounting Reports and Files

Classification of COMSEC accounting reports and files is the responsibility of the account Manager. COMSEC accounting reports and files are typically Unclassified//For Official Use Only and marked in accordance with NSA guidelines. When classified information is included, the file MUST be marked according to the highest classification level contained in the file.

7.4.3.2 Marking of COMSEC Accounting Reports and Files

Each COMSEC file or report that contains classified information will also bear, in addition to the classification, the following statement:

Classified By: [Name of COMSEC Manager]
Derived From: NSA/CSSM 1-52 Dated 30 September 2013
Declassify On: [25 years from document date]

COMSEC files or reports that contain UNCLASSIFIED//FOUO shall be marked and controlled in the same manner as proprietary information.

7.4.3.3 Retention Periods for COMSEC Files and Related Documents

All COMSEC files and related documents will be retained for a period of three years with the following exceptions:

• 90 Days
  o SF-701
  o SF-702
• 2 Years
  o Visitor Register
• 5 Years
  o COMSEC Incident Reports and Related Documents
• Permanent
  o Account Establishment Letter
  o Physical Security Certification NOTE: Must be recertified when physical changes to the room or facility are made.

7.5 Receipt of COMSEC Material

COMSEC material may be received from a variety of sources via registered mail or courier services. The COMSEC Account Manager will provide the mail handling facility procedures required for COMSEC material received at the account. Mail handling facilities shall be notified that packages addressed to the COMSEC Manager will be delivered unopened. The remote delivery site for DHS can open the outer wrapping. Each shipment will contain an SF-153 transfer report of the contents of the package. Managers are to verify the contents of the package against the SF-153 provided. Any discrepancies are to be reported to the sender and the COR.

7.5.1 USTRANSCOM/J3 (DCD) IMT 10 Defense Courier Account Record

DCD requires that personnel who are entering shipments into or accepting shipments from DCD complete a USTRANSCOM IMT 10 Defense Courier Account Record prior to entering or receipting for material.

NOTE: Additional information on DCD may be found at: www.transcom.mil/dcd.

7.5.2 Examination of Packages

Upon receipt of COMSEC material, packages will be examined for evidence of tampering or exposure of the contents. If either is evident and the contents are classified, or marked CCI or CRYPTO, an Incident report will be submitted in accordance with Section 10.1, Reporting COMSEC Incidents. Packages showing evidence of tampering must not be opened until further instructions are received from the COR, or the NSA Protective Technologies Division, (I23121), Tamper Solutions and Inspections.

If the package contains TOP SECRET keying material, the receiving COMSEC Account Manager must immediately initiate TPI controls. Both TPI participants must carefully inspect the protective packaging for evidence of damage or tampering, and place the TOP SECRET key in TPI storage.

When the packages are opened, the COMSEC material or unit package labels will be inventoried against the enclosed SF-153 transfer report. Any discrepancy in short title, serial number, or quantity will be reported to the shipper and the COR. Corrected copies of the SF-153 transfer report must be generated by the shipment originator and forwarded to the COR and the receiving account with appropriate remarks identifying corrections. If the material is classified and the discrepancy cannot be resolved between shipper and receiver, a COMSEC Incident will be submitted by the intended recipient.

After verifying the COMSEC material, the transfer report will be signed and distributed as follows:

• Return original to the shipping account
• One copy to the COR (upload to CARDS)
• Retain one copy for the file.

7.5.3 Receipting for Equipment

Equipment received in sealed shipping cartons that have not been opened or do not exhibit signs of tampering may be receipted for without physically sighting the material on the inside as long as the label on the carton agrees with the transfer report (it is the COMSEC Account Manager’s decision whether or not to open these shipping cartons). If there are any discrepancies, the contents must be physically inventoried.

7.5.4 Page Checking

COMSEC material will be page checked in accordance with its handling instructions. Users are encouraged to periodically ensure pages of technical manuals are intact. The following page checks shall be conducted:

• When the COMSEC material is received at the COMSEC Account;
  NOTE: If multiple copies of a document are received, the COMSEC Account Manager may elect to defer the page check and complete it later jointly with the hand receipt holder when the document is being issued.
• Upon return from hand-receipt;
• After an amendment is posted;
• Upon a change of COMSEC Account Manager;
• Prior to transfer or destruction; and
• Annually after last dated page check, if no other requirements apply.

Sealed physical COMSEC material shall not be opened until ready for use. Sealed physical COMSEC material is not page-checked until the seal is broken.

7.5.5 Keying Material

Certain items of COMSEC material are protectively packaged at the time of production and will not, in most cases, be opened until they are to be employed by the actual user. To ensure the integrity of key, an inspection of all implemented protective technologies will be completed upon initial receipt, during inventory and prior to each use. Protective packaging applied to individual items of TOP SECRET key must not be removed except under TPI conditions. Specific procedures for the inventory of protectively packaged material are outlined below:

• Keying material that is shipped in sealed transparent plastic wraps will not be opened until 72 hours before the effective date for inventory/page check purposes. Therefore, a page check upon receipt of the material is not authorized. Test keying material will not be opened until it is to be used. Inventory upon receipt will be by short title, edition, and register number. When the protective packaging is removed from the keying material in preparation for use of the material, a page check will be conducted at that time.
• Key tapes in protective canisters are inventoried upon receipt by noting the short title, edition, and register number on the leading edge of the tape segment that appears in the window of the plastic canister. Key tapes will not be removed from the canisters for inventory or page check purposes. The tape will be removed only by the users of the material on the effective date. Key tape may be removed and loaded onto an electronic fill device 30 days at a time. When loaded onto an electronic fill device, the canister and key tape segments extracted from the canister shall be secured to the level of classification of the key until the segment or canister is superseded, at which time they shall be destroyed, and the destruction of the key tape will be recorded on a destruction report.
  NOTE: The loading of 30 days at a time in the electronic fill device is permitted with the understanding that the Controlling Authority accepts the risk of having to supersede an entire edition of keying material if a compromise occurs.
• Barcode labels applied to key tape canisters are UNCLASSIFIED. Once a canister has been received, the barcode label must be removed prior to use. The area beneath the removed label must be inspected for evidence of tampering. The removed label should be applied to a piece of plain paper and destroyed by an approved method.

Each COMSEC Account Manager is responsible for maintaining status information (effective and supersession dates) for all keying material in their account. This information is available from the Controlling Authority of the keying material, and not from the COR.

7.6 Transfer of COMSEC Material The Manager shipping the COMSEC material must verify the receiving agency’s official address, COMSEC Account number, and authorization to hold the material being shipped. When the validity of a shipping address or authority for shipment is in question, the COMSEC Account Manager must contact the COR before making the shipment. COMSEC material, regardless of the accounting legend code assigned, will not be shipped unless a COMSEC Account number is provided with the shipping address. Keying material will not be transferred between COMSEC Accounts without the controlling authority’s approval. Additionally, the shipping Manager is responsible for page checking or inventory of the COMSEC material prior to shipment, proper packaging of the material, and ensuring that classified COMSEC material is shipped only by authorized modes of transportation. The Manager must ensure that all COMSEC materials shipped outside of a COMSEC facility are packaged and shipped in accordance with Section XIV of Reference dd.

7.6.1 Authorized Modes of Transportation Throughout this Instruction the term (or variation of the term) “transportation” is used when no distinction is made as to the method of conveyance. “Shipment” is used to denote a method of conveyance that does not allow personal custody or control of the material while in transit. “Courier” and “carry” are used interchangeably to denote a method of conveyance allowing personal custody or control of the material while in transit (e.g., DCD, State Department Courier Service, U.S. Postal Service, Protective Security Service (see Paragraph 130.b.3 of Reference dd)).

7.6.2 Preparation for Transportation All physical keying material and other classified physical COMSEC material must be double-wrapped or otherwise encased in two opaque containers and securely sealed prior to transportation. Material used for packaging must be strong and durable enough to provide protection while in transit, prevent items from breaking through the container, and facilitate the detection of any tampering with the container. The outer wrapper must not provide any indication the package contains classified material or keying material. NOTE: Tamper evident tape for the inner wrapper is available (free in reasonable quantities) from the NSA Protective Technologies Branch, (301) 688-5861 or 688-6816. Unclassified COMSEC material other than key should be appropriately wrapped to detect tampering or penetration and protect against damage. For CCI refer to CNSSI No. 4001 (Reference h) and Department or Agency regulations. When material is carried, a briefcase, pouch, or box is an appropriate outer wrapper. If the classified material is internal to a piece of equipment, the equipment shell or body may be considered as the inner wrapper. Specialized shipping containers for equipment may be considered the outer wrapper or cover; however, any classification or COMSEC markings must be taped over.

7.6.3 Transportation of Keying Material Operational keying material shall not be shipped in the same container with its associated equipment unless the physical configuration of the equipment makes segregation of the keying material impossible; however, unclassified maintenance key may be shipped in the same container as the associated equipment. Uncleared commercial carrier services will not be used to ship classified keying material marked CRYPTO.

7.6.3.1 TOP SECRET and SECRET All TOP SECRET and SECRET keying material marked CRYPTO must be transported by one of the following methods: • USTRANSCOM/J3 (DCD); • State Department Courier Service; • Formally designated and appropriately cleared department, agency, or contractor couriers. NOTE: Whenever local couriers transport TOP SECRET keying material from one COMSEC Account to another or to a hand receipt holder location, TPI controls shall be applied in accordance with Reference dd Section VII.C, Implementation of Two-Person Integrity (TPI).

7.6.3.2 CONFIDENTIAL CONFIDENTIAL keying material marked CRYPTO must be transported by one of the following methods: • Any method approved for TOP SECRET or SECRET keying material; • U.S. Postal Service Registered Mail, including U.S. Forces APO and FPO locations, provided the material does not pass through a foreign postal system or any foreign inspection.


7.6.3.3 UNCLASSIFIED UNCLASSIFIED keying material marked CRYPTO must be transported by one of the following methods: • Any method approved for TOP SECRET, SECRET, or CONFIDENTIAL keying material; • For shipments within the limits of the U.S., its territories and possessions, an uncleared carrier, providing that the carrier meets the following criteria:

o Must be a firm incorporated in the U.S.;
o Must provide continuous accountability of shipments equivalent to the tracking available through the U.S. Postal Service Registered Mail; and
o A distant-end signature receipt is provided.

7.6.4 Transportation of COMSEC Equipment COMSEC equipment may not be shipped in a keyed condition unless the physical configuration of the equipment makes segregation of the keying material impossible; however, authorized couriers may hand carry keyed COMSEC equipment. See Paragraphs 137 and 138 of Reference dd. NOTE: Most new COMSEC equipment is software defined. Such equipment requires battery backup during transportation and storage. Removal of the batteries (loss of both prime and battery power) makes the equipment inoperable. Refer to the applicable maintenance/operator procedures and the operational security doctrine for each device for details. SECRET COMSEC equipment and all key production equipment must be transported by one of the following methods: • USTRANSCOM/J3 (DCD); • State Department Courier Service; • Formally designated and appropriately cleared couriers who are government employees or government contractors. CONFIDENTIAL COMSEC equipment (except key production equipment) may be transported by one of the following methods: • Any method approved for SECRET COMSEC equipment; • U.S. military or military-contractor air service (e.g., Air Force Mobility Command (AMC), LOGAIR, QUICKTRANS); • U.S. Postal Service Registered Mail, including U.S. Forces APO and FPO locations, provided the material does not pass through a foreign postal system or any foreign inspection. Requirements for transporting CCI are set forth in CNSSI No. 4001 (Reference h). UNCLASSIFIED COMSEC equipment other than CCI may be transported by any method approved for the shipment of other equivalent high value/sensitive material.


7.6.5 Preparation of Transfer Reports The shipping COMSEC Account Manager will prepare the SF-153 and enclose the original and two copies with the shipment. A copy will be retained by the shipping COMSEC Account until such time as the signed receipt is returned. A copy of the signed receipt will then be uploaded to the COR via CARDS.

7.6.6 Receipt/Tracer Responsibility The shipping COMSEC Account Manager is responsible for verifying the intended recipient receives shipped material in a timely manner. The shipping Manager shall establish a suspense date not to exceed 45 days, after which tracer action must be initiated. This action may be in any written form appropriate for the activity (e.g., formal letterhead correspondence, e-mail, etc.), provided the material in question and the transaction number/date of report are clearly identified. If tracer actions fail (no response within two weeks following the tracer, or response indicating non-receipt of the material), the Manager must submit a COMSEC Incident report for physical loss of material.

7.7 COMSEC Hand Receipts A hand receipt is used to record the acceptance of and responsibility for COMSEC material issued to a user by a COMSEC Account Manager. COMSEC Account Managers may issue COMSEC material via a hand receipt to properly cleared personnel ONLY. When CCI equipment is returned to a vendor for repair, a hand receipt will be used. The vendor will sign the hand receipt and return a copy to the COMSEC Account. The hand receipts must be maintained by both shipping and receiving accounts and are not sent to the COR. If the item cannot be repaired, the vendor should request a transfer of the item. When issuing TOP SECRET key marked CRYPTO, the COMSEC Account Manager must ensure that TPI is maintained at all times by requiring two properly authorized and trained individuals sign for the material. Only complete editions of COMSEC keying material marked CRYPTO in canisters will be issued to users. Individual segments should never be issued to users, or transferred to another COMSEC Account, without written permission of the Controlling Authority. The COMSEC Account Manager will use the SF-153 to issue COMSEC material to users on hand receipt. The COMSEC Account Manager will verify continued possession every six months during the semi-annual inventory process, by physically sighting the material and maintaining a written record thereof. Existing hand receipts need not be updated for material physically sighted during a semi-annual inventory provided that the contents of the hand receipts have not changed. Electronic keying material may be issued to a hand receipt holder using an electronic fill device. The fill device will record the use of the electronic key and the loading and destruction of the electronic key when it is transferred or loaded onto a cryptographic device.

7.7.1 Hand Receipt Holder Qualifications Prior to issuing COMSEC material to a user, the COMSEC Account Manager will verify that the user:


• Has a need to know by having an authorization letter on file prior to issue and, if the material is classified, possesses the required clearance equal to or greater than the material being issued. • Will be the actual user of the material (clerical or other personnel who are not the users will not sign the hand receipt). • Has received the appropriate briefing and, if necessary, user training. • Will be fully responsible for the material; and knows the physical security measures necessary to protect the material and the possible consequences of compromise. • Has the necessary physical security means for storage and use commensurate with the classification of the item.

7.7.2 Hand Receipt Holder Responsibilities The COMSEC Account Manager must advise the user of the following: • COMSEC material issued on hand receipt shall be signed for and controlled by the actual user until returned to the COMSEC Account Manager. Hand receipt users are not authorized to reissue COMSEC material. If another user needs the material, the material must be returned to the COMSEC Account Manager for reissue. • Physical security measures necessary to protect the material, and the possible consequences of compromise. Any possible compromise, access by unauthorized persons, or violations of security regulations affecting the material must be immediately reported to the COMSEC Account Manager. • Users who need to transport COMSEC material on hand receipt outside their facilities must have prior concurrence of the COMSEC Account Manager. • A user will be relieved of responsibility for material received on a hand receipt only when the material has been returned to the COMSEC Account Manager. The COMSEC Account Manager will immediately complete a hand receipt return/close and provide a copy to the user. • Any COMSEC item issued on hand receipt will be returned to the COMSEC Account Manager prior to transfer, reassignment, or any absence exceeding 30 days.

7.7.3 Hand Receipt Renewals Hand receipts that have not changed (i.e., the COMSEC material listed on the hand receipt) need not be reissued on a semi-annual basis, provided the material is physically sighted by the COMSEC Account Manager during semi-annual inventories. Otherwise, the COMSEC Account Manager will initiate, on a semi-annual basis or as required, a new hand receipt for signature by the hand receipt holder. A copy of the hand receipt must be retained by the COMSEC Account Manager.

7.8 Destruction of COMSEC Material National standards for the destruction of COMSEC and classified material are necessary to ensure that sensitive data cannot be recovered from the residue of this material after destruction.


Keying material (other than defective or faulty key) must be destroyed as soon as possible after it has been superseded or has otherwise served its intended purpose. Destruction of superseded or obsolete crypto equipment and supporting documentation is also essential to the maintenance of a satisfactory national COMSEC posture, since these materials may be of significant long term benefit to hostile interests desiring to exploit U.S. Communications for intelligence purposes. Prior to the destruction of Keying Material, the Manager must check all status messages for the supersession date of such material. COMSEC Account Managers must ensure that destruction personnel have been properly trained. NOTE: DO NOT DESTROY defective or faulty keying material. Such material should be reported to the COR and the NSA Protective Technologies Branch (301) 688-5861 or 688-6816 and held for disposition instructions.

7.8.1 Procedures for Routine Destruction of COMSEC Material Except as authorized by Section 9.0 (COMSEC Emergency Action Procedures), routine destruction of COMSEC material will typically be performed by the COMSEC Account Manager or the Alternate Manager in their absence and witnessed by an appropriately cleared individual. The short title, edition, and accounting number, if any, of each item shall be verified immediately prior to destruction. Equipment verification and page checking provisions will be accomplished prior to destruction. The SF-153 destruction report may be used as a check list during destruction. The following procedures must be followed: • Hand receipt holders may complete destruction of keying material and record destruction on a disposition record. This record must be provided to the COMSEC Account Manager for consolidation. • The COMSEC Account Manager may personally collect expired and/or superseded keying material, replace it with new material, and effect timely destruction of expired and/or superseded material in the presence of a cleared witness. • In mobile situations, routine destruction may be accomplished by the user and an appropriately cleared witness. Verbal notification must be followed up with a disposition record form signed, dated and initiated by the user and appropriately cleared witness to the destruction as soon as possible. Upon receipt of written confirmation the COMSEC Account Manager will consider the material destroyed.

7.8.2 Time of Destruction COMSEC material will be destroyed only when directed by appropriate authority or as indicated below: • COMSEC material ordered destroyed by new editions will be destroyed on receipt of the new edition, unless otherwise directed by appropriate authority. • COMSEC keying material designated CRYPTO, both regularly and irregularly superseded, which has been issued for use, must be destroyed within 12 hours following the expiration of individual key segments and/or supersession. However, where special circumstances prevent compliance with the 12-hour standard (e.g., facility unmanned over weekend or holiday period), the destruction may be extended to a maximum of 72 hours. Keying material, both regularly and irregularly superseded, should be destroyed immediately after use when more than one copy of the key segment is available, or as soon as possible after supersession, and may not be held longer than 12 hours following supersession. COMSEC material involved in compromised situations must be destroyed within 72 hours after disposition instructions are received from the appropriate authority. For circumstances not covered above, contact the COR. • Excess, obsolete, and unserviceable COMSEC equipment, devices, and other items will be disposed of as directed by the COR. • Complete editions of superseded keying material designated CRYPTO that are held by a COMSEC Account must be destroyed within 5 days after supersession. • Maintenance and sample keying material not designated CRYPTO is not regularly superseded and need be destroyed only when physically unserviceable. • Superseded classified COMSEC publications that are held in a COMSEC Account must be destroyed within 15 days after supersession. • The residue of entered amendments to classified COMSEC publications must be destroyed within 5 days after entry of the amendment. Situations may emerge that prevent the timely destruction of COMSEC material through no fault of the COMSEC Account personnel (i.e., circumstances in which authorization to work is withdrawn such as Department or government shutdown due to lapsed funding, etc.). In these situations, the following policies shall apply: • In the event of work stoppage affecting COMSEC Account personnel, COMSEC Accounts holding keying material that will become superseded during the shutdown (or other event in which authorization to work is withdrawn) shall secure such material in a GSA approved security container.

o Under no circumstance short of an emergency destruction scenario shall such material be destroyed prior to supersession (i.e., preemptively). Any material so destroyed shall be subject to COMSEC Incident reporting for destruction without Controlling/Command Authority authorization.

o Upon resumption of normal operations, superseded material shall be destroyed immediately. If such destruction takes place beyond normal time limits identified in this Section, a COMSEC Incident report for late destruction shall be submitted to the DHS CIMA, the Controlling/Command Authority as appropriate, and NSA (I3132). The statement of circumstances shall indicate that destruction was delayed due to the department shutdown (and/or other factors that may apply, if any). • Accounts whose COMSEC Account personnel are deemed essential and are authorized to work during the shutdown are expected to complete destruction of superseded material on schedule.


7.8.3 Destruction Report To report the destruction of COMSEC material, the Manager will prepare an SF-153. The signed original will be retained for file purposes and a copy forwarded to the COR (uploaded to CARDS).

7.8.3.1 Keying Material When all key segments contained within a particular type of keying material are used or superseded and have been destroyed, the COMSEC Account Manager must prepare a destruction report and submit it to the COR. Keying material destroyed during operational use, whether by hand receipt holders or COMSEC Account Manager/Alternate COMSEC Account Manager, must be documented on a disposition record. The disposition record must have two signatures certifying destruction of segments. The destruction report must include the following statement below the NOTHING FOLLOWS line: “The official records in my possession indicate that the above-listed item(s) has/have been properly destroyed by duly authorized individuals.” In this case, only one signature is required on the destruction report. When key that has not been issued for use is destroyed by the COMSEC Account Manager and a witness, the destruction report must be signed by the Manager and witness and forwarded to the COR.

7.8.3.2 Seed Key When seed key is loaded into a device and converted to operational key, the Manager must complete the destruction process within the accounting system. NOTE: Does NOT apply to STE key.

7.8.3.3 All Other Material Upon destruction of all other COMSEC material, the COMSEC Account Manager and witness must complete and sign a destruction report and submit it to the COR.

7.8.4 Routine Destruction Methods Methods for routinely destroying paper COMSEC material will be burning, disintegration, or high security crosscut shredding. Cryptographic key tapes must be “terminally” destroyed (terminally destroyed denotes destroying material to the point at which it cannot be reconstructed), using only NSA approved devices listed on the Evaluated Products List (EPL) for Punched Tape Destruction Devices. When paper COMSEC material and other classified material are destroyed by disintegrators or crosscut shredders, only NSA approved devices listed in the EPL shall be used. EPLs can be found at URL: http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml (the shredder and degausser EPLs can also be found at this URL). COMSEC Accounts must have a contingency plan for routine destruction of COMSEC material (e.g., burning outdoors in a coffee can by two authorized personnel) as part of their COMSEC Standard Operating Procedures (SOP) in the event of equipment malfunction or failure. The contingency plan must meet the requirements of CNSSI 4004.1, and shall include step-by-step procedures for carrying out the destruction.

7.8.4.1 Paper COMSEC Material The criteria given below apply to classified COMSEC keying material and media, which embody, describe, or implement a classified cryptographic logic. Such media include full maintenance manuals, cryptographic descriptions, drawings of cryptographic logics, specifications describing a cryptographic logic, and cryptographic software. NOTE: These criteria DO NOT apply to key tape, which is composed of paper-Mylar-paper. See Non-paper COMSEC Material below. • When destroying paper COMSEC material by burning, the combustion must be complete so that all material is reduced to white ash and contained so that no unburned pieces escape. Ashes must be inspected and, if necessary, broken up or reduced to sludge. • When destroying paper COMSEC and paper classified material by pulping, the material must be completely broken down to non-legible fiber residue. • When high security crosscut shredders are used to destroy paper COMSEC material (e.g., codebooks, authenticators, and certain classified COMSEC publications) a crosscut shredder listed on the NSA EPL for High-Security Crosscut Paper Shredders must be used.

7.8.4.2 Non-paper COMSEC Material The authorized methods for routinely destroying non-paper COMSEC material are burning, melting, disintegrating, and chemical alteration. • COMSEC key tape shall be destroyed either by disintegration or burning. Only NSA-approved disintegrators shall be employed to perform destruction of COMSEC key tape. Again, users may destroy the key tapes by burning segments outdoors in a coffee can with two cleared witnesses. NOTE: DO NOT PULP paper-Mylar-paper key tape or high wet strength paper and durable-medium paper substitute (e.g., TYVEK olefin, polyethylene fiber). These materials will not reduce to pulp and must be destroyed by burning or disintegration. • Microforms (microfilm, microfiche, or other reduced-image photo negatives) may be destroyed by burning or by chemical means, such as immersing in household bleach (for silver film masters), or acetone or methylene chloride (for diazo reproduction) for approximately five minutes. When destroyed by chemical means, film sheets must be separated and roll film must be unrolled. NOTE: Caution should be exercised to prevent potential hazards when using chemical means for destruction. OSHA standards must be met. • Magnetic or electronic storage or recording media are handled on an individual basis. Magnetic tapes may be destroyed by disintegration or incineration. Magnetic cores may be destroyed by incineration or smelting. Magnetic disc, disc packs, and drums may be destroyed by removal of the entire recording surface by means of an emery wheel, disc sander, or by incineration. WARNING: DO NOT INCINERATE MAGNETIC TAPE ON ALUMINUM REELS AS THIS MAY CAUSE AN EXPLOSION. • COMSEC keying material stored on COMSEC electronic fill devices shall be routinely purged by zeroization or as directed in specific Operational Security Doctrine. • Plastic Key Tape Canisters. The objective in destroying plastic canisters is to disfigure the two large flat surfaces (sides) of the canister. This can be accomplished by inserting the canister inside a zip-lock bag or similar sealable bag and either puncturing or smashing the entire canister. Holding the bag by the edges, inspect the inside of the canister through the plastic bag to ensure that all key tape has been removed. Dispose of the entire bag and canister as UNCLASSIFIED trash or by locally prescribed regulations. NOTE: COMSEC Account Managers should be aware that an empty tape canister will shatter if smashed with a blunt instrument. • COMSEC Equipment and components. Routine destruction of COMSEC equipment and components by users is NOT AUTHORIZED. Only the COMSEC Account Manager and the Alternate Manager are authorized to dispose of or destroy COMSEC equipment. Disposition instructions for equipment which is unserviceable and cannot be repaired or which is no longer required must be obtained from the COR.

7.9 Inventory Requirements All DHS accounts are required to complete 100 percent inventories on a semi-annual basis. The COR will coordinate with accounts to provide necessary documentation to complete semi-annual inventories. Inventories should be completed and returned to the COR (uploaded to CARDS) no later than 20 working days after receipt.

7.9.1 Conducting the Physical Inventory A physical (sight) inventory of all COMSEC material within the CMCS will be conducted by the COMSEC Account Manager and an appropriately cleared witness. Once an inventory begins, if either of the two individuals is not able to complete the entire process, the inventory process must start over. The following procedures apply when conducting the physical inventory: • COMSEC Keying material will be accounted for by register number. • Equipment is accountable by serial number. • ALC 6 and 7 material is accountable by short title, edition, and quantity o SDNS key is accountable by Key Management Identifier (KMID) o All Reg 0 key is accountable per its ALC o An account is responsible to the COR for only one copy of a particular Reg 0 key, although multiple copies may be made for use within the account.


o If a Reg 0 key is issued within the account, COR inventory holdings will not be changed. The account’s local inventory will be incremented to indicate the number of copies of the Reg 0 key issued. • Equipment that remains in factory-sealed shipping cartons will be inventoried against the marking on the cartons or crates identifying the contents therein. Each container will be inspected for evidence of tampering. • Accountable COMSEC publications (KAOs, KAMs, etc.) must be page checked annually if no other requirements apply. • STEs are required to be physically inventoried by quantity on a semi-annual basis.

7.9.2 Inventory of Sealed or Unit-Packed Material Certain items of COMSEC material are sealed or unit packaged at the time of production and will not, in most cases, be opened until they are to be employed by the actual user. The COMSEC Account Manager must bear in mind that, although the opening of certain types of material need not take place before actual usage, time must be allowed between opening and usage to obtain replacements for incomplete or defective items. It is also the COMSEC Account Manager’s responsibility to report all shipment discrepancies to the COR as soon as they are discovered. Specific procedures for the inventory of sealed or unit-packed material are outlined below:

• Outer containers of COMSEC equipment may be marked with the short title(s) and serial number(s) of the contents. Equipment containers, when so marked, need not be opened solely for inventory purposes if received in original contractor packaging. In cases involving packages which have been opened, the COMSEC Account Manager and an Alternate may verify the contents against the package label for accuracy, then reseal the packages using ONLY appropriate logo tape obtained from NSA Protective Technologies Branch, (301) 688-5861 or 688-6816 (NO duct tape, packing tape, etc.). The Manager and Alternate must initial the resealed package label validating the accuracy of the short title(s) and serial number(s) indicated. In either case, inventory will henceforth be accomplished by inspecting the package for tampering and verifying the short title(s) and serial number(s) on the container label against the inventory.

• Key tapes in protective canisters are inventoried by noting the short title, edition, register number, and segment number on the leading edge of the tape segment that appears in the canister nomenclature window. Key tapes in protective canisters should not be removed except by the user on the effective date. Segments removed should be annotated on the associated disposition record. • Each unit package will be inspected for evidence of tampering. • COMSEC publications need not be page checked, except when received or transferred, upon entering a publication page change, or during a Change of Manager inventory.


7.9.3 Semi-Annual Inventory All COMSEC material must be inventoried by the COMSEC Account Manager semi-annually. This inventory must be conducted with an appropriately cleared individual, preferably the Alternate COMSEC Account Manager or the hand receipt holder who signed for the COMSEC material, serving as witness. Material hand-receipted to users at remote sites need not be physically sighted by the COMSEC Account Manager; instead, the COMSEC Account Manager may direct the hand-receipt holder to inventory the material. The hand-receipt holder will then sign a new hand-receipt to verify his holdings and send it to the COMSEC Account Manager. The information in the COMSEC Account Registration Package must be validated to the COR along with every semi-annual/annual inventory. NOTE: If the Change of COMSEC Account Manager Inventory in Section 7.9.4, or the audit required in Section 8.0 below, includes a completed 100% inventory, the next semi-annual inventory may be scheduled six months following that inventory/audit at the discretion of the COR.

7.9.4 Change of Manager Inventories An inventory of all COMSEC material (including ALC 4 and 7 material) must be taken at each account prior to changing COMSEC Account Managers. This inventory must be conducted jointly by the outgoing COMSEC Account Manager and the incoming. The outgoing COMSEC Account Manager remains responsible for all material on the COMSEC Account until the new COMSEC Account Manager is formally appointed by the COR.

7.9.4.1 Outgoing Manager Departs Without Completing a Joint Inventory In the event an outgoing COMSEC Account Manager departs without completing a joint inventory and obtaining official clearance from the COR, the nominating official shall immediately suspend account operations and take action as stipulated in Reference dd Paragraph 97.e. (See Reference dd Paragraph 76.v regarding recall of a former COMSEC Account Manager.)

7.9.4.2 Unauthorized Absence or Sudden Permanent Departure of the COMSEC Manager An inventory of all COMSEC material must immediately be conducted upon the unauthorized absence (as determined by department or agency directives) or sudden permanent departure of the COMSEC Account Manager. The alternate COMSEC Account Manager, with an appropriately cleared witness, will conduct this inventory and will report the results to the COR. The report must be annotated to reflect the circumstances involved and will be signed by both the alternate COMSEC Account Manager and the witness. A new COMSEC Account Manager will then be formally appointed. If either the witness or the alternate COMSEC Account Manager is subsequently appointed COMSEC Account Manager, the COR may delete the requirement for a Change of COMSEC Account Manager Inventory, provided the inventory has been successfully processed. Cryptographic, Personnel, and Physical COMSEC incidents detected during an inventory must be reported as outlined in CNSSI 4003 (Reference k).

7.9.5 Completing the Inventory Report

The physical inventory may be conducted using an unofficial inventory report, which will serve as a working copy for the official inventory. The inventory will reflect an account’s holdings as of the date on the inventory. Upon completion of the inventory, the Official Inventory Report will be generated, and the Manager and the witness will sign the certification blocks on the first and last pages at a minimum, and may initial all other pages in lieu of signing. The original copy of the official inventory will be retained by the COMSEC Account Manager, and must be scanned and uploaded to CARDS. Additionally, all working copies and papers used in performing the physical inventory will be retained by the Manager for his/her files. These working copies must be readily available to auditors for review.

8.0 COMSEC AUDITS

The COR shall conduct audits on an aperiodic event-driven basis not to exceed a three (3) year period between audits. Such audits shall be conducted to ensure COMSEC Accounts are complying with applicable requirements governing accountability, handling, and safeguarding of COMSEC material. The COR shall ensure the audit frequency is based on sound risk management principles. Accounts at sites that have substantial technical threats or are particularly vulnerable (e.g., overseas sites) may require yearly audits at the discretion of the COR. Audits may occur at any time, announced or unannounced. More frequent audits may be warranted if an account repeatedly shows discrepancies in its accounting, handling, or control procedures.

The audit must include an administrative review of procedures and a 100 percent sighting of all COMSEC material (both physical and electronic), including verification that all hand receipts are valid (updated within the last 6 months if material not physically sighted by the COMSEC Account Manager). The COMSEC Account must also provide documentation of their inventory of STE phones (by quantity), and of current clearance certification for COMSEC Account Personnel.

NOTE: While auditors do not reconcile ALC 4 or 7 material, every effort should be made to ensure local accountability of ALC 4 and ALC 7 material is taking place.

8.1 Access

Representatives of the COR when acting in their official capacity as auditors may gain access to COMSEC Accounts, provided appropriate credentials are presented upon arrival. The auditor/inspector must present proper identification prior to gaining access to the COMSEC Account.

8.2 Report of Audit

Upon completion of the audit, any situation requiring immediate action will be brought to the attention of the COMSEC Account Manager. An exit briefing will be conducted with management. The condition of the account, to include items corrected during the audit, items that require correction, and actions for improvement, shall be discussed during the exit briefing. A formal audit report outlining findings, the condition of the COMSEC Account, and the recommendations for improvement will be forwarded to management and to the COMSEC Account Manager. This report shall be retained in account records.

8.3 Memorandum of Corrective Actions

All discrepancies identified in the Report of Audit must be corrected by the account. The corrective actions shall be identified in a Memorandum of Corrective Actions, which shall be submitted to the COR as directed in the formal Report of Audit. This memorandum shall be retained in account records.

8.4 Audit Evaluation

The degree of management proficiency of a COMSEC Account is determined during the COMSEC audit based on an established checklist. Assignment of rating categories to reflect audit results will provide a set of measurable data used to evaluate the COMSEC Account. See Annex F for further information.

9.0 COMSEC EMERGENCY PLANNING

All COMSEC Accounts must maintain a current, written Emergency Plan for the protection of COMSEC material during emergencies. The Emergency Plan must be part of the required COMSEC Standard Operating Procedures (SOP).

9.1 Emergency Protection Planning

Outside the Continental United States (OCONUS), the Emergency Plan must consider both natural disasters and hostile actions (such as enemy or terrorist attack, mob action, or civil uprising). Emergency Plans at OCONUS entities must include Emergency Destruction Procedures (EDP).

Inside the Continental United States, the Emergency Plan will focus on the protection of COMSEC material appropriate for natural disasters likely to occur in their location (e.g., hurricanes in the South, tornados or floods in the mid-West, wild fires in the West, etc.). In addition, all CONUS entities shall conduct an initial written risk determination to assess the potential for hostile actions against their facilities (such as enemy or terrorist attack, mob action, or civil uprising). Based on the sensitivity of the operations or the facility, the Security Officer shall either certify (in writing) that the review has determined no need for the Emergency Plan to consider hostile actions, or, if it is determined that potential risks exist, develop EDP for inclusion in the Emergency Plan. Department Heads may, at their discretion, direct any facility to create an Emergency Plan that considers hostile action, regardless of the local risk.

Emergency protection of COMSEC material applies to all DHS or Component facilities that produce or hold COMSEC material and any other facilities that are designated to provide a backup COMSEC capability.

The operating routines at COMSEC facilities should be structured to minimize the number and complexity of actions that must be taken during emergencies to protect COMSEC material. For example:

• Only the minimum amount of COMSEC material should be held at any one time; i.e., routine destruction must be conducted promptly when so authorized, and excess COMSEC material must be disposed of in accordance with DHS directives. COMSEC requirements shall be reviewed at least annually to validate need for material on hand.

• COMSEC material should be stored in ways that will facilitate emergency evacuation or destruction.

All Emergency Plans shall be developed in accordance with the procedures specified in this section, and shall be reviewed annually and updated as necessary, or whenever changes in the local environment so dictate.

9.1.1 Preparedness Planning for Natural Disasters/Accidental Emergencies

Planning for natural disasters should be directed toward maintaining security control over the material until the situation stabilizes, taking into account the possible loss of the normal physical security protection that might occur during and after a natural disaster. This planning shall include:

• Procedures for receiving first responders, such as local police, fire fighters, paramedics, and hazardous material (HAZMAT) crews.

• Fire reporting and initial firefighting by assigned personnel.

• Assignment of on-the-scene responsibilities for ensuring protection of the COMSEC material held.

• Securing or removal of classified COMSEC material and evacuation of the area(s).

• Protection of material when admission of first responders into the secure area(s) is necessary.

• Assessment and reporting of probable exposure of classified COMSEC material to unauthorized persons during the emergency.

• Post-emergency inventory of classified and CCI COMSEC material and the reporting of any losses or unauthorized exposures to the NSA IA Insecurities (I31132), and the COR.

9.1.2 Preparedness Planning for Hostile Actions

Planning for hostile actions must concentrate on procedures to safely evacuate or securely destroy COMSEC material, to include providing for the proper type and a sufficient number of destruction devices to carry out emergency destruction, and conducting the necessary training for all individuals who might perform the needed destruction. Such planning must provide:

• Assessment of the threat of various types of hostile actions at the particular activity, and the threat which these potential emergencies pose to the COMSEC material held.

• Availability and adequacy of physical security protection capabilities (e.g., perimeter controls, guard forces, and physical defenses at the individual buildings and other locations in which COMSEC material is held).

• Facilities for implementing emergency evacuation of COMSEC material under emergency conditions, including an assessment of the probable risks associated with evacuation.

• Facilities and procedures for effective secure emergency destruction of COMSEC material held, including adequate supplies of destruction devices, availability of electrical power, secure nearby storage facilities, adequately protected destruction areas, personnel assignments, and responsibilities for implementing emergency destruction.

• Precautionary destruction of COMSEC material, particularly maintenance manuals and keying material, which is not operationally required to ensure continuity of operations during the emergency.

In a deteriorating situation, all full maintenance manuals (i.e., those containing cryptographic logic information), which are not absolutely essential to continue the mission, should be destroyed. When there is insufficient time under emergency conditions to completely destroy such manuals, every reasonable effort must be made to remove and destroy their sensitive pages (i.e., those containing cryptographic logic). Sensitive pages in U.S.-produced KAMs are found on the Lists of Effective Pages. Additionally, some KAMs further identify their sensitive pages by means of gray or black diagonal or rectangular markings at the upper portion of the binding edge.

To prepare for possible emergency destruction of sensitive pages from COMSEC maintenance manuals during situations, or in areas where capture by hostile forces is possible, the following is suggested:

1. Apply distinctive markings (e.g., red stripes) to the binder edge and covers of all KAMs containing identified sensitive pages.
2. Remove the screw posts or binder rings, or open the multi-ring binder, whichever is applicable.
3. Remove each sensitive page from the KAM and cut off the upper left hand corner of the page so that the first binder hole is removed. Care must be taken not to delete any text or diagram.
4. Reassemble the document and conduct a page check.

Should it become necessary to implement emergency destruction, the sensitive KAM pages may be removed as follows:

1. Remove the screw posts or binder rings, or open the multi-ring binder and remove all pages from the KAM.
2. Insert a thin metal rod (e.g., wire or screwdriver) through the remaining top left hand holes of the document.
3. Grasp the rod in both hands and shake the document vigorously; the sensitive pages should fall out freely.

External communications during emergency situations should be limited to contact with a single remote point. This point will act as a distribution center for outgoing message traffic, and as a filter for incoming queries and guidance, thus relieving site personnel and facilities from multiple actions during emergency situations.

When there is warning of hostile intent and physical security protection is inadequate to prevent overrun of the facility, secure communications should be discontinued in time to allow for thorough destruction of all classified and CCI COMSEC material, including classified and CCI elements of COMSEC equipment.

9.2 Preparing the Emergency Plan

Preparation of the emergency plan is the responsibility of the COMSEC Account Manager. The plan must be coordinated with appropriate security and fire/safety personnel. If the plan calls for destroying COMSEC material, all destruction material, devices, and facilities must be readily available and in good working order. The plan must be realistic; it must be workable, and it must accomplish the goals for which it is prepared.

All duties under the plan must be clearly and concisely described. All authorized personnel at the facility must be aware of the existence of the plan, and the plan must be conspicuously posted for ready access. Each individual who has duties assigned under the plan must receive detailed instructions on how to carry out these duties when the plan becomes effective. All personnel must be familiar with all duties so that changes in assignment may be made, if necessary. This may be accomplished by periodically rotating the emergency duties of all personnel.

Training exercises must be conducted periodically (quarterly exercises are recommended) to ensure that everyone, especially newly assigned personnel who might have to take part in an actual emergency, will be able to carry out their duties. If necessary, the plan should be changed based on the experience of the training exercises.

The three options available in a hostile action emergency are securing the material, removing it from the scene of the emergency, or destroying it. Planners must consider which of these may be applicable to their facilities, either singly or in a combination. Which one to choose in various situations should be clearly stated in the plan. For example, if it appears that a civil uprising is to be short lived, and the COMSEC facility is to be only temporarily abandoned, the actions to take could be:

• Ensure that all superseded keying material has been destroyed.

• Gather up the current and future keying material and take it along if adequate security protection is provided. Otherwise, store this material in an approved security container.

• Zeroize the cryptographic equipment which cannot be evacuated.

• Secure the facility door(s) and leave.

• Upon return, conduct a careful and complete inventory of all COMSEC material.

Or, if it appears that the facility is likely to be overrun, the emergency destruction procedures should be put into effect.

9.3 Emergency Destruction Priorities

Three broad categories of COMSEC material, which may require destruction in hostile action emergencies, are keying material, other COMSEC Aids (e.g., maintenance manuals, operating instructions, and general doctrinal publications), and COMSEC equipment. Depending upon the availability of sufficient personnel and destruction facilities, the following priorities must be followed:

• Destruction Priorities within Categories of COMSEC Material. When sufficient personnel and destruction facilities are available, different individuals should be made responsible for destroying the material in each category, by means of separate destruction facilities, as set forth in the following subparagraphs:

Keying Material. Emergency destruction priorities for keying material are as follows:

1. Superseded keying material designated CRYPTO.
2. Currently effective keying material designated CRYPTO (to include zeroization of keying variables stored electrically in crypto equipment and fill devices).
3. Future editions of TOP SECRET keying material designated CRYPTO.
4. Future editions of SECRET and CONFIDENTIAL keying material designated CRYPTO.
5. Training, maintenance, and sample key.

Other COMSEC Aids. Emergency destruction priorities for classified COMSEC aids other than keying material are as follows:

1. Complete crypto maintenance manuals or sensitive pages, thereof.
2. Status documents showing the effective dates for COMSEC keying material.
3. Keying material holder lists and directories.
4. Remaining classified pages of crypto maintenance manuals.
5. Cryptographic and non-cryptographic operational general publications (KAGs or NAGs).
6. Cryptographic Operating Instructions (KAOs).
7. Remaining classified COMSEC documents.
8. National, department, agency, and service general doctrinal guidance publications.

COMSEC Equipment. Reasonable efforts should be made under deteriorating situations to evacuate COMSEC equipment. In an actual emergency, the immediate goal is to render COMSEC equipment unusable and irreparable. When there is warning of hostile intent, secure communications should be discontinued in advance to allow for thorough destruction of COMSEC equipment. Emergency destruction priorities for COMSEC equipment are as follows:

1. Zeroize the equipment if the keying element cannot be physically withdrawn.
2. Remove and destroy printed circuit boards labeled CCI or Classified (note: a red label may also indicate that the PCB is CCI or Classified).
3. Destroy remaining classified and CCI elements.

NOTE: Hulks of equipment and unclassified elements not marked CCI need not be destroyed. Maintenance manuals for COMSEC equipment contain component listings which identify classified and CCI elements.

• Destruction Priorities for Combined Categories of COMSEC Material. When personnel and/or destruction facilities are limited, the three categories of COMSEC material will be combined, and destruction will be carried out in accordance with the following priority listing:

1. All keying material designated CRYPTO, in the following order: superseded key, currently effective key, and future key;
2. Sensitive pages from classified maintenance manuals, or the entire manual (if sensitive pages are not separately identified). Classified and CCI elements of classified and CCI COMSEC equipment;
3. Any remaining classified COMSEC or related material.

NOTE: Hulks of equipment, unclassified elements not marked CCI, and unclassified portions of maintenance manuals, operating instructions, etc., need not be destroyed.

9.4 Emergency Destruction Methods and Reporting

Any of the methods approved for routine destruction of classified COMSEC material may be used for emergency destruction. Guidance on the emergency destruction of particular categories of COMSEC material and on the conduct of emergency destruction in specific operational situations is presented below.

• Paper COMSEC Material. Paper COMSEC material, such as publications and codebooks, must be destroyed beyond reconstruction. Any of the paper destruction devices listed in the Shredder or Disintegrator EPLs will accomplish terminal destruction of paper COMSEC material. Destruction of classified paper COMSEC material may also be accomplished by burning. Burning may be accomplished in braziers constructed by removing the top end of a metal drum and piercing holes in the side of the drum near the bottom. A wire netting should be shaped to fit the top of the brazier; a metal rod or pipe can be used to stir the ashes.

• Non-paper COMSEC Keying Material. Non-paper COMSEC keying material, such as key tape, must be destroyed beyond reconstruction. Any of the destruction devices listed in the Disintegrator EPL will accomplish terminal destruction of non-paper COMSEC keying material. Destruction of non-paper COMSEC keying material may also be accomplished by burning. Burning may be accomplished in braziers constructed by removing the top end of a metal drum and piercing holes in the side of the drum near the bottom. A wire netting should be shaped to fit the top of the brazier; a metal rod or pipe can be used to stir the ashes.

• Electronic Storage Devices. COMSEC data contained within electronic storage devices shall be purged by means of zeroization per the equipment instructions. Electronic storage devices, such as the KSD-64A, which in some instances cannot be zeroized, shall be destroyed by the most readily available means of disintegrating, hammering, or smelting.

• COMSEC Equipment. In an actual hostile emergency, classified COMSEC equipment and those designated as CCI should be destroyed as thoroughly as time and circumstances permit. When there is warning of hostile intent, secure communications should be disconnected last but in time to allow for thorough destruction of COMSEC equipment. During destruction, CCI equipment and components should be given the same priority as classified equipment and components. The classified and CCI components of the equipment should first be removed and destroyed.

• Emergency Destruction in Aircraft and Ships. When facing imminent loss, capture, or compromise of an aircraft or ship, zeroize all COMSEC equipment and destroy or jettison all keying material. If conditions permit, jettison COMSEC material, portable COMSEC equipment and devices, information storage media, etc.

Accurate information relative to the extent of an emergency destruction is absolutely essential to the effective evaluation of the security impact of the occurrence and is second in importance only to the conduct of thorough destruction. The COMSEC Account Manager or official responsible for safeguarding COMSEC material that has been subjected to emergency destruction is responsible for reporting the attendant facts to the appropriate department or agency by the most expeditious means available, to DIRNSA, ATTN: I3132 (IA Insecurities Branch), and to the COR.

Reports should clearly indicate the material destroyed, the method(s) of destruction, and the extent of destruction. They must also identify any items which were not thoroughly destroyed and which may be presumed to be compromised. In all cases of emergency destruction, a COMSEC Incident report shall be submitted in accordance with CNSSI 4003.

10.0 COMSEC INCIDENTS

It is essential to immediately report any incident that may have subjected COMSEC material and/or Controlled Cryptographic Item (CCI) equipment to compromise. To be effective, the national COMSEC incident reporting system must receive prompt and clear information relating to the circumstances surrounding an incident. In most cases, timely reporting will minimize the impact of the violation or loss of the material and equipment. The longer the delay in reporting incidents, the more difficult it becomes to determine and minimize the impact on national security. Incident reports also serve as the basis for identifying trends in incident occurrences and for developing procedural and doctrinal measures to prevent recurrence of similar incidents. Users of COMSEC material, to include CCI, are encouraged to report COMSEC incidents promptly.

10.1 Reporting COMSEC Incidents

The COMSEC Account Manager must report COMSEC incidents as prescribed in this section and CNSSI 4003. Incident reports must be submitted promptly and must not be delayed in administrative channels for any reason beyond basic fact gathering. Refer to CNSSI 4003, paragraphs 30. through 32. for reporting timelines.

The following procedures shall be followed in COMSEC Incident reporting:

• Make an immediate phone call to the COR Hotline (540-542-2737).

• All COMSEC Accounts are required to send COMSEC Incident reports via HSDN only to the following email address: [email protected]. This address represents a central public folder in HSDN Outlook established for the express purpose of submitting COMSEC Incident reports to the CIMA. It is accessible to all CIMA members within the COR; it is therefore unnecessary and undesirable to send Incident reports to any individual. The requirement to submit reports via HSDN does NOT suggest that reports must be classified (classification of COMSEC Incident reports is based solely on the content of those reports). Complete and submit the written report in accordance with Annex C to Reference (k) within required timelines. Do not delay submission of this initial report for extensive fact-gathering. Report all pertinent known facts; submit Amplifying reports as needed. The responsibility for notification of ConAuths/CmdAuths as applicable lies with the reporting COMSEC Account. Address the written reports to ConAuths/CmdAuths along with the CIMA if possible. Notify by telephone at a minimum.

Individuals should not be discouraged from reporting a COMSEC incident for fear of retribution. However, disciplinary action will be taken against the perpetrator or perpetrators of grossly negligent or willful acts that jeopardize the security of COMSEC material. Individuals should not be disciplined for reporting a COMSEC incident unless:

• It has been determined that they caused the infraction through a deliberate disregard of security requirements or gross negligence, or

• The incident involved was not deliberate in nature but reflects a pattern of negligence or carelessness (e.g., numerous violations in a 12 month period), or

• The willful or negligent disclosure to unauthorized persons of any classified cryptographic information.

10.2 Types of COMSEC Incidents

There are three types of incidents: cryptographic, personnel, and physical. Refer to CNSSI 4003, SECTION VIII, for further information and examples of each type.

10.3 Types of Incident Reports

There are three types of incident reports: Initial, Amplifying, and Final. Refer to CNSSI 4003, Annex C, for further guidance and the COMSEC incident report form.

Annex A

References

The requirements of the referenced publications apply to this Instruction and their successor documents to the extent specified.

a. National Security Directive 42, National Policy for the Security of National Security Telecommunications and Information Systems, dated July 5, 1990
b. CNSS Policy No. 1, National Policy for Safeguarding and Control of COMSEC Materials, dated September 2004
c. CNSS Instruction No. 4009, National Information Assurance (IA) Glossary, dated 6 April 2015
d. CNSS Directive No. 502, National Directive on Security of National Security Systems, dated 16 December, 2004
e. AMSG-773, Policy and Procedures for Handling and Control of Two-Person Controlled (TPC) NATO Sealed Authentication System (SAS), dated January 1993
f. SDIP-293, NATO Cryptographic Instructions, dated May 2007, Rev. 1 dated January 2009
g. CJCS Instruction 3260.01B, Joint Policy Covering Positive Control Material and Devices, dated February 2006
h. CNSS Instruction No. 4001, Controlled Cryptographic Items, dated 7 May 2013
i. Intelligence Community Directive (ICD) No. 705, Sensitive Compartmented Information Facilities, dated 26 May 2010
j. Federal Specification FF-P-110J, Padlock, Changeable Combination (Resistant to Opening by Manipulation and Surreptitious Attack), dated February 1997, as amended 20 January 2004
k. CNSS Instruction No. 4003, Reporting and Evaluating Communications Security (COMSEC) Incidents, dated May 27, 2014
l. Federal Specification FF-L-2890A (Type III), Lock Extension (Pedestrian Door, Deadbolt), dated 1 April 2004
m. Federal Specification FF-L-2740A, Locks, Combination, dated January 1997, as amended 25 May 2001
n. CNSS Instruction No. 7000, Countermeasures for Facilities, dated May 2004
o. DoD Instruction 5240.05, Technical Surveillance Countermeasures (TSCM) Program, dated 22 February 2006
p. CNSS Policy No. 3, National Policy for Granting Access to U.S. Classified Cryptographic Information, dated October 2007
q. CNSS Policy No. 14, National Policy Governing the Release of INFOSEC Products or Associated INFOSEC Information to Authorized U.S. Activities That Are Not a Part of the Federal Government, dated 1 November, 2002
r. CNSS Policy No. 8, Release and Transfer of US Government Cryptologic National Security Systems Technical Security Material, Information, and Techniques to Foreign Governments, dated 1 Aug, 2012
s. DoD 5220.22-M, National Industrial Security Program Operating Manual (NISPOM), dated February 28, 2006
t. DoD Instruction 8500.2, Information Assurance (IA) Implementation, dated February 6, 2003
u. Intelligence Community Standard Number 500-16, Password Management, Effective 16 March 2011
v. Federal Specification FF-L-2937, Combination Lock, Mechanical, dated January 21, 2005, as amended 1 February 2007
w. Federal Standard 809A, Neutralization and Repair of GSA-Approved Containers, dated 10 May 2005
x. Office of Management and Budget Memorandum M-05-24, Subject: Implementation of Homeland Security Presidential Directive (HSPD) 12 – Policy for a Common Identification Standard for Federal Employees and Contractors, dated 5 August 2005
y. CNSS Instruction No. 4004.1, Destruction and Emergency Protection Procedures for COMSEC and Classified Material, with ANNEX B as amended 24 October 2008
z. CNSS Instruction No. 4006, Controlling Authorities for Traditional Communications Security (COMSEC) Material, dated April 17, 2012
aa. CNSS Instruction No. 4000, Maintenance of Communications Security (COMSEC) Equipment, dated 12 October, 2012
bb. CJCS Instruction 6510.06B, Communication Security Releases to Foreign Nations, dated 31 March 2011
cc. CNSS Instruction No. 1002, Management of Combined Secure Interoperability Requirements, dated August 2007
dd. CNSS Instruction No. 4005, Safeguarding Communications Security (COMSEC) Facilities and Materials, dated 22 August, 2011
ee. CNSS Instruction No. 4032, Management and Use of Secure Data Network Systems (SDNS) Firefly Keying Material and Related Equipment, dated 22 June, 2015

Annex B

Electronic Fill Devices

1. General Electronic fill devices (e.g., Data Transfer Device (DTD), Secure DTD2000 System (SDS), Simple Key Loader (SKL), or Really Simple Key Loader (RASKL)) are handheld devices designated to securely store, transport, and transfer COMSEC keying material electronically between other fill devices and associated COMSEC equipment. Internally, it has a host side and a COMSEC side. The host side is a small computer used to control the functions of the fill device or run unclassified user application software (UAS) for special functions. The COMSEC side performs the cryptographic functions and is an approved storage device for keying material. 2. Accounting and Control All electronic fill devices are Controlled Cryptographic Items (CCI) and must be accounted for by serial number within the CMCS as ALC-1 material. With crypto ignition key (CIK) inserted or PIN activated and classified key onboard, the fill device must be protected commensurate with the highest classification of the key it contains. With the CIK removed and secured in a GSA approved security container, the fill device may be stored in any manner that will prevent loss or damage. 3. Handling Requirements Operational electronic fill devices must be properly set up in accordance with the procedures for each. At a minimum, the correct date and time must be set to ensure the integrity of the audit trail, and battery install date entered to ensure reliable storage of the key. The COMSEC Manager or Alternate must review the audit trail of operational fill devices at least every 30 days; sooner if the audit trail reaches 80 percent full. This review must be documented indicating the date of the review, the short title and serial number of the fill device, and a summary of any anomalies noted. A sample of an audit trail review form can be found in Annex G. Following this review, the audit trail must be reset. 
In the event that anomalies are discovered during audit trail reviews, the data must be preserved in support of local and/or external investigation (e.g., NSA/COR, etc.) and treated as classified at a minimum of Secret pending investigation and resolution/outcome. Any operational electronic fill device containing keying material must be accompanied by an EKMS Disposition Record Form. There are no exceptions to this requirement. Additionally, key stored on operational electronic fill devices must be inventoried on a semi-annual basis along with all other COMSEC material in the account. 4. Keying Material Destruction Destruction of key contained on electronic fill devices must be performed by two appropriately cleared and cryptographic briefed individuals. Destruction must be documented on the EKMS Disposition Record Form, with full signatures of each individual (initials are not permitted).


Timelines for key destruction are the same as for physical key (i.e., 12 hours after supersession or up to 72 hours after supersession over weekends or holidays). If any key destruction or zeroization procedure fails, remove the batteries and the CIK and handle the fill device as classified. Keep the fill device and CIK separated at this point until the device can be turned in to a COMSEC Service Depot and repaired.

5. North Atlantic Treaty Organization (NATO) Key Handling

Imported or electronically distributed NATO keys shall be handled by the fill device in the same manner as U.S. keys while being distributed in EKMS. Fill device operators must check the short titles to ensure proper handling because these keys will not carry NATO classifications while in the fill device, only U.S. equivalent classifications. This is especially important when both NATO and U.S. keys are in the fill device at the same time.


Annex C

Secure Telephone Devices

1. Purpose

The fundamental purpose of all secure telephone devices is to provide a readily available, easy-to-use, secure telephone capability for all authorized and cleared personnel who have a need to discuss and/or transmit classified or sensitive information. All users should be aware that incorrect use of any secure telephone device and its components may introduce security breaches that could affect not only their own communications, but the communications integrity of other users.

This annex contains minimum security standards for the handling and control of all secure wired and wireless telephones, secure wireline terminals and associated equipment in use within DHS, as well as Personal Identification Numbers (PINs) and Passwords associated with these devices. This annex also provides Communications Security (COMSEC) policy doctrine which COMSEC Managers and users must follow to ensure the confidentiality, integrity, and availability of information being processed through the system. More restrictive security policies may exist within a specific agency, organization or office provided the regulations are not contrary to those described within DHS COMSEC and NSA COMSEC guidance.

2. Scope

This document is DHS’s guide for users of secure telephone devices, wired or wireless, and includes specific user responsibilities and procedures for administering control of secure telephone devices and their associated keying material.

Whenever conflicting COMSEC implementing directives are encountered between NSA’s national level COMSEC policy and DHS’s departmental COMSEC policy, national COMSEC policy takes precedence. Whenever conflicting COMSEC implementing directives are encountered between DHS’s departmental COMSEC policy and a DHS Component’s COMSEC policy, DHS COMSEC policy will take precedence. The provisions of specific operational security doctrine for individual equipment take precedence over NSA, DHS, and Component general doctrine.

3. Applicability

This annex applies to all personnel within DHS and its Components, and to State, Local, Tribal, and Private Sector (SLTPS) entities using Type 1 secure telephone devices as follows.

a. Department of Homeland Security

Type 1 devices or systems are certified by the National Security Agency (NSA) for use in cryptographically securing classified U.S. Government information. NSA certified cryptographic equipment (including the SME-PED, Sectera GSM phone, etc.) may be introduced into a COMSEC facility if used in accordance with the applicable operational security doctrine and approved by the cognizant security officer.


b. State, Local, Tribal, and Private Sector (SLTPS)

Additional guidance for Secure Communication Deployments to State, Local, Tribal and Private Sector (SLTPS) Entities:

• DHS sponsors SLTPS entities for access to and possession of classified national security information in order to prevent and deter terrorist attacks, protect against and respond to all threats and hazards, coordinate the national response to acts of terrorism, natural disasters, or other emergencies, and to ensure safe and secure borders.
• Access to classified information provided to individuals or agencies outside the Executive Branch is permitted after a determination has been made that access to the information is necessary for performance of a function in support of national security and the protection of the homeland and that such release is not prohibited by an originating department or agency.
• When the granting of a security clearance is appropriate, the number of clearances granted must be kept to the minimum necessary in support of homeland security or other U.S. government activities where the participation of SLTPS personnel advances the cause of and is beneficial to national security.
• Clearances may not exceed the SECRET level and the classified capabilities sponsored for SLTPS entities will be no higher than the SECRET level, unless granted an exception on a case-by-case basis.
• SLTPS personnel and/or entities granted access to classified information or secure equipment or other classified capabilities must be sponsored by a DHS activity which has a mission requirement to directly share classified information with the SLTPS entity using the sponsored equipment.
• The sponsoring office or activity must affirm the individual’s need to know. The DHS sponsoring office or activity must have a mission requirement to share classified information directly with the specific facilities and personnel utilizing the sponsored equipment.
• Secure equipment and other classified capabilities must meet or exceed the minimum security standards associated with the specific classified capability.
• Approval for the deployment is dependent upon completion of appropriate documentation verifying the facility meets the minimum security standards required for the specific sponsored capability.
• COMSEC material may only be hand receipted to and used by personnel with a need to know and a final security clearance granted by DHS or an authorized federal agency. The clearance must be equal to or greater than the classification level of the material.
• Hand receipt holders must receive a security briefing appropriate to the COMSEC material being accessed and sign a secure telephone user certificate.


4. References

Operational Security Doctrine for the General Dynamics C4 Systems Sectéra® vIPer™ Telephone, DOC-023-11, dated October 2011
Operational Security Doctrine for the Enhanced Cryptographic Card (ECC) and Associated Secure Terminal Equipment (STE), DOC-007-07, dated 05 October 2007
Amendment to Operational Security Doctrine for the Enhanced Cryptographic Card (ECC) and Associated Secure Terminal Equipment (STE), DOC-007-07, dated June 2010
Secure Telephone Devices Used in Non-Secure Environments, IAA-001-02, dated February 2002
Interim Operational Systems Security Doctrine for the Iridium Security Module (ISM) Operation with the Iridium 9505/9505A Satellite Handset, IDOC-005-06, dated June 2006
Operational Security Doctrine for the QSec–2700 Code Division Multiple Access (CDMA) Secure Cellular Phone, DOC-017-08, dated November 2008
Operational Systems Security Doctrine for the Sectéra® Global System Mobile Secure Module (SGSM) Operation with the Motorola Timeport™ 280 Series Cellular Telephone, DOC-009-08, dated October 2008
Operational Systems Security Doctrine for the Sectéra® Wireline Terminal (SWT), DOC-008-08, dated September 2008
Interim Operational Systems Security Doctrine for the OMNI Terminal, IDOC-008-05, dated April 2005
Operational Security Doctrine for Sectéra® Edge™ Secure Mobile Environment (SME) Portable Electronic Device (PED) Type 1 Equipment, SMBT, DOC-138-10, dated August 2010
Operational Security Doctrine for L-3 Communications Secure Mobile Environment (SME) Portable Electronic Device (PED), DOC-158-10, dated January 2011
Operational Security Doctrine for the TALON Cryptographic Token, DOC-016-07, dated Jan 2008
Operational Security Doctrine for the TALON2 Lite Small Form Factor Cryptographic (SFFC) Token, DOC-022-13, dated November 2013
Federal Specification FF-L-2740B, Locks, Combination, Electromechanical dated June 15, 2011
CNSS Policy No. 1, National Policy for Safeguarding and Control of COMSEC Materials, dated September 2004
CNSSI 4001, Controlled Cryptographic Items, dated 2 May 2013
CNSSI 4003, Reporting and Evaluating COMSEC Incidents, dated 27 May, 2014
CNSSI 4005, Safeguarding Communications Security (COMSEC) Facilities and Materials, dated 22 August 2011
CNSS Instruction No. 4009, Committee on National Security Systems (CNSS) Glossary, dated 6 April, 2015


5. Equipment/System Description/Level of Use

This Section describes all the wired and wireless secure telephone devices in use within DHS. Further information may be found in manufacturers’ instruction manuals and in associated Operational Security Doctrines.

a. Secure Terminal Equipment (STE)

The STE is the current generation of secure voice and data equipment designed for use on advanced digital communications networks, such as the Integrated Services Digital Network (ISDN). In addition, the STE offers advanced features such as secure voice conferencing and fast auto-secure negotiation with other STEs on ISDN services. The STE consists of a host terminal and a removable security core.

1) Host Terminal. The host terminal provides the application hardware and software. When the cryptographic card is removed, the STE can still function similarly to a commercial desk telephone and provide non-secure communication services. A tactical version of the STE provides connectivity to tactical communication systems such as the Mobile Subscriber System (MSS) or Tri-Service Tactical Communications System (TRI-TAC) switches. With the addition of the Secure Communications Interoperability Protocol (SCIP) (formerly Future Narrow Band Digital Transmission (FNBDT)), the STE is able to negotiate secure sessions with future digital wireless handsets and other SCIP products.

2) Enhanced Cryptographic Card (ECC). The security core is the Enhanced Cryptographic Card (ECC) family that provides all of the security services. The ECC is a high grade security token with built-in U.S. Government-owned encryption algorithms and public protocols. With appropriate cryptographic keying material in the ECC, the combination of the ECC and STE has been approved to protect U.S. Government information up to and including TOP SECRET/Sensitive Compartmented Information (TS/SCI). Moreover, the STE is approved for installation in Sensitive Compartmented Information Facilities (SCIFs). The ECC is Electronic Key Management System (EKMS) and Key Management Infrastructure (KMI) compatible, and features downloadable and programmable firmware. The internal lithium battery has a 5-year minimum shelf life.

• KSV 21. The KSV 21 is the U.S.-only version of the ECC family. Appropriate key must be ordered for this device to enable compatibility with other key versions.
• KSV 22. The KSV 22 is the Canadian National version of the ECC family.
• KSV 30. The KSV 30 is the Combined Communications Electronics Board (CCEB) version of the ECC family.
• KSV 40. The KSV 40 is the NATO/NATO Nations version of the ECC family.
• SSV 50. The SSV 50 is the Coalition Partners version of the ECC family.

a) Fill Card. Before the ECC can be used, the cryptographic keys must be programmed and stored in the card by the Electronic Key Management System (EKMS). The ECC is built with many anti-tamper technologies, one of which is the Crypto Ignition Key (CIK). Initially, the ECC is programmed with a complete CIK. While in this state, the ECC is known as a fill card.

b) User Card. During the card association with a STE, the CIK is split and a component of the CIK is transferred to the STE for storage. This process converts the fill card into a user card. Subsequently, each time a correct user card is inserted in the STE, the CIK component in the STE is transferred back to the card and restores the CIK, which enables the card security services. The CIK is updated each time the card is inserted and removed from the STE to prevent the CIK from being duplicated.

c) Terminal Privilege Authority (TPA) Card. When the first ECC is inserted into a zeroized STE, whether it is a Fill Card or blank ECC, the STE will prompt the user to create the TPA card. Should the user select “No” at this prompt, no further action will occur. A TPA card MUST be created. A single ECC can be the TPA card for an infinite number of STEs. The COMSEC Manager may opt to create separate TPA cards for select STEs based on criteria that address the needs of the activity (e.g., specific buildings or floors of buildings, geographic locations, etc.) using different ECCs for each criterion. In any case, TPA passwords should be set for each TPA card created (this password should be recorded on form SF-700 and sealed). This password will enable the transfer of the TPA card function from a lost or failed TPA card to another ECC without the need to zeroize the STE. Failure to set a TPA password will result in inability to change security settings of the STE should the TPA card fail. The STE must be zeroized so that a new TPA card can be created, then reloaded with new key.

b. Sectéra vIPer™ Universal Secure Telephone

The vIPer is a Type 1, SCIP compatible secure telephone operating over Internet Protocol (IP) networks (IPv4; upgradable to IPv6) and Public Switched Telephone Network (PSTN) (requires separate interface). The vIPer supports multiple keysets providing U.S. government sponsored interoperability (e.g., NATO and coalition), and is certified to protect information classified TOP SECRET/SCI and below. Access control features include Controlled and Restricted operation; Controlled permits a maximum of 30 User IDs with PINs, each having the same privileges and access to security features; Restricted permits a maximum of one Master User ID and PIN and 29 User IDs with PINs (the Master User has access to some security features that are blocked from the regular users).

c. Iridium Secure Module (ISM)

The ISM is Type 1 only equipment, and is designated for use with the Motorola 9505 (Laguna) Iridium satellite telephone. The ISM/Iridium 9505 satellite telephone is a SCIP compatible device designed to provide users worldwide secure voice connectivity in mobile environments as well as secure voice connectivity to desktop STE telephone and compatible SCIP equipment. The user activates the secure voice compatibility of the ISM by entering a user-assigned PIN. Appropriately keyed ISMs are approved to protect information of all classifications and categories.

d. QSec-2700

The QSec–2700 cellular telephone is a SCIP compatible secure cellular telephone operating on 800/1900 MHz CDMA wireless telecommunications services. The QSec–2700 cellular telephone is a software upgradeable platform that will allow future additions of enhanced capabilities as they are developed. In addition to the standard commercial features of a cellular telephone, the QSec–2700 cellular telephone supports a variety of secure modes, including end-to-end secure voice and data. The QSec–2700 cellular telephone is configurable to operate over a variety of data services, including CDMA Circuit Switched (IS-707.4), Packet (IS-707.5) data services, and CDMA 2000, each of which offer different performance parameters. The User Privilege Vector (UPV), which is configured by the Terminal Administrator, controls the security functions. The UPV can be configured to enable or disable clear and secure capabilities at different classification levels. The QSec–2700 cellular telephone is capable of containing multiple security/algorithm suites supporting Type 1, as well as other capabilities (e.g. commercial Type 4) within the same telephone.

e. Sectéra® Secure Wireless Global System for Mobile Communications Telephone Security Module (SGSM)

The Sectéra® GSM Security Module (SGSM) is designed for use with Motorola Timeport 280 series cellular telephones, and physically clips into an interface on the Timeport 280 cellular telephone. The Motorola Timeport 280 series is a commercial tri-band (900/1800/1900 MHz) GSM cellular telephone. This tri-frequency capability allows use of the telephone on almost all GSM networks around the world. The SGSM is a SCIP compatible device designed to provide users secure voice and data connectivity when connected to a Timeport 280 series cellular telephone, as well as secure voice and data connectivity to any wired or wireless SCIP compatible equipment. The user activates the secure voice and data capability of the SGSM by entering their individually assigned user PIN. Appropriately keyed Sectéra® GSM Security Modules are approved to protect information of all classifications and categories.
f. Sectéra Wireline Terminal (SWT)

The SWT is a Type 1 only, SCIP compatible device designed to provide users secure data connectivity with all wired or wireless SCIP compatible equipment when connected to a host telephone. The user activates the secure voice capability of the SWT by entering their individually assigned user PIN. Appropriately keyed, the SWT is approved to protect information of all classifications and categories.

g. OMNI Secure Wireline Terminal

The OMNI Secure Wireline Terminal is a Type 1 only, SCIP compatible device designed to provide users secure data connectivity with all wired or wireless SCIP compatible equipment when connected to a host telephone. The user activates the secure voice capability of the OMNI by entering their individually assigned user PIN. Appropriately keyed, the OMNI is approved to protect information of all classifications and categories.

h. Secure Mobile Environment Portable Electronic Device (SME PED)

The SME PED has been developed to be a secure PED/Smart telephone with both Type 1 and Non-Type 1 voice and e-mail (data) functionality, utilizing commercially available technology to the maximum extent possible, while only adding custom hardware and software to create the desired secure product. The SME PED is a wireless hand-held mobile device that is SCIP and High Assurance Internet Protocol Encryption (HAIPE) compatible, and is designed to provide users with secure voice, secure e-mail, and secure data communications.

1) Sectéra® Edge™. The Edge running Software Version 2.3 or higher is approved to protect voice and data communications up to TOP SECRET/SCI. Control of secure modes is provided using the Secure User Secure Password or a Crypto Ignition Key (CIK). TOP SECRET data operation requires the Secure Password and CIK.

2) L-3 Guardian™. The Guardian running Software Version 1.1 or higher is approved to protect voice and data communications classified up to SECRET for data and TOP SECRET voice. Control of secure modes is provided using the Secure User Password.

i. Talon® Cryptographic Token

The Talon® Cryptographic Token is a Type 1 Inline Network Encryptor (INE) that supports Internet Protocol (IP) operation for standard commercial networks, and is High Assurance Internet Protocol Encryptor (HAIPE) compatible. It is intended to secure data in transit between a user’s remote workstation and one or more secure enclaves. It provides message confidentiality and access control security services to protect TOP SECRET (TS) Sensitive Compartmented Information (SCI) and below data. The maximum throughput of the Talon® is up to an aggregate of 5 Megabits per second (Mbps). The Talon® can accommodate up to 15 user accounts ranging from one user on 15 laptops to 15 users on one laptop, and three Site Security Officer (SSO) accounts.

6. Administrative Responsibility

The COMSEC Manager will determine the need for a COMSEC Facility Approval (CFA) for a facility where secure telephone device hand receipt holders are located, based on the definition of a COMSEC facility as stated in CNSSI 4005. Such COMSEC facilities do not require formal approval from any agency or department security offices (as a COMSEC Account does). However, hand receipt holders must adhere to the procedures outlined in this user guide.

As defined in CNSSI 4005, a COMSEC facility may be as small as a GSA approved security container.
Security containers used as COMSEC facilities to store classified COMSEC material must be locked when unattended and must be located in areas not accessible to general traffic. COMSEC facility inspections DO NOT include inspections of security containers used as COMSEC facilities. Procedures for COMSEC facilities where a security container located within a room is the COMSEC facility are addressed in CNSSI 4005 Section VII.D, Storage of COMSEC Material.

A COMSEC facility is NOT:

A secure office area – A secure office area is where only user-level COMSEC equipment is available for individual use. Examples of an office area include, but are not limited to an area where Secure Terminal Equipment (STE), Secure Communications Interoperability Protocol (SCIP) products, or Secure Voice Over Internet Protocol (SVoIP) products are installed for individual secure voice conversations; or a set of cubicles in a secured office environment, each cubicle with its own user level COMSEC equipment. COMSEC material in such office areas must be protected, at a minimum, in a manner affording the protection normally provided to other high value/sensitive material, and ensuring access and accounting integrity is maintained.


Secure telephone device users must have a final security clearance equal to or greater than the classification level of the secure telephone device(s) and keys to which they have access.

Each secure telephone device user MUST COMPLETE AND SIGN the Secure Telephone User Responsibility Certificate (Tab 3 to Annex C) indicating that they have read this document and will adhere to the operating procedures and physical security controls prescribed herein.

Each secure telephone device user is responsible for ensuring they are aware of any additional security procedures and usage limitations specific to their situation. Applicable NSA Information Assurance Directorate (IAD) operational security documents are required to be maintained by the issuing COMSEC Manager and must be made available to an authorized user of the equipment upon request. The COMSEC Manager may contact the COR if they need assistance obtaining copies of the required documents.

The Department/Agency/Organization Code (DAO Code) is a six-digit number associated with a unique user description which identifies the caller to the far-end user during a secure session and is mandatory for voice or SCIP products. Each secure telephone device user must coordinate with their local COMSEC Manager to identify their specific security level and DAO Code requirements.

Each secure telephone device user is required to sign a hand receipt for all individually issued secure telephone device(s) and keying material. At the local COMSEC Manager’s discretion and/or for inventory accountability purposes, a new hand receipt may be periodically forwarded to the user for the purpose of confirming their continued possession of the issued items.

Each secure telephone device user must inform their local COMSEC Manager prior to moving a desktop secure telephone or a secure wireline terminal from its original installation location.

The local COMSEC Manager must be included in employee out-processing procedures.
Each secure telephone device user must return to the local COMSEC Manager all material issued to them prior to their transfer or departure. Personnel departing without a signed return hand receipt issued by the local COMSEC Manager will remain personally responsible (and held liable) for their issued device(s), even if no longer in their physical custody (e.g. they gave it to a coworker or supervisor the day they left).

7. Classification Guidance

With the exception of the STE, all secure telephone devices are Controlled Cryptographic Items (CCI). All secure telephone devices (including the STE) must be protected as a sensitive high value item, and are UNCLASSIFIED when unkeyed (see 8.a.). When any secure telephone device is keyed (see 8.b.), the device must be afforded protection commensurate with the classification of the key it contains.

8. Physical Security

Only security containers conforming to federal specifications are approved for the protection of classified COMSEC material and classified COMSEC related information. Security containers used to store or control access to classified COMSEC material, including classified equipment, must be equipped with a combination lock approved under Federal Specification FF-L-2740B.

All classified COMSEC security containers must have the GSA label on the outside. If the GSA label is missing, the security container must be inspected and re-certified by authorized technicians registered in the DOD Lock Program. The DOD Lock Program provides this service to all U.S. government departments and agencies. Call 1-800-290-7607 for technical assistance.

More stringent (but not less stringent) security policies may exist within a specific agency, organization or office. Users are responsible for ensuring they are aware of any additional security procedures and/or secure telephone device usage limitations. Provided the regulations are not contrary to minimum requirements prescribed by DHS COMSEC and NSA COMSEC guidance, users must comply with all additional security requirements published by their agency, organization or office.

a. Unkeyed Secure Telephone Devices

Unkeyed secure telephone devices must be afforded protection at least equal to that normally provided other high value/sensitive material. The Secure Terminal Equipment (STE) is considered unkeyed when the ECC card is removed from a STE and properly stored (see 8.3.2), or the PIN/Password has not been entered or associated with the secure telephone device. Unkeyed secure telephone devices must be stored and protected in a manner that is sufficient to preclude any reasonable chance of loss, unauthorized use, substitution, tampering, or breakage.

b. Keyed Secure Telephone Devices

When the ECC card is inserted into a STE, or a secure PIN/Password has been entered or associated with its device, the device is considered keyed and must be protected to the classification level of the key it contains. When uncleared personnel or personnel with clearances lower than the security level of the keyed device are present, the device must be kept under the direct operational control and within view of an authorized user cleared to the level of the key. Additional handling guidance for the SME PED is outlined in the matrix below:

SME PED EQUIPMENT CLASSIFICATION MATRIX

Device Status | Type of Key Loaded | Classification
Device Turned Off (Unkeyed) | SDNS* | U//CCI
Device Turned On without Key Material (Unkeyed) | N/A | U//CCI
Device Turned On with Key Material, User Not Authenticated to SME PED (Unkeyed) | SDNS | U//CCI
Device Turned On with Key Material, User Authenticated to SME PED (Keyed) | SDNS | Classified to the Level of Key in the SME PED

*Secure Data Network Systems

9. Accountability

All CCI secure telephone devices are assigned Accounting Legend Code 1 (ALC-1) and are accountable by serial number within the DHS COMSEC Material Control System (CMCS).


a. COMSEC Manager

The local COMSEC Manager is required to verify semiannually that all hand receipt holders continue to have their assigned secure telephone device(s) in their possession. Verification will be achieved either through direct sighting of the material by the COMSEC Manager, or through the issue of a new hand receipt which must be dated, signed by the hand receipt holder and returned to the COMSEC Manager. If verification is accomplished via a renewed hand receipt, the signed receipt must be returned to the COMSEC Manager prior to completion of the inventory cycle.

b. User

A user must protect the secure telephone device(s) assigned to them as valuable personal property. A user must either keep it in their personal possession or store it in a manner that will minimize the possibility of loss, unauthorized use, substitution, tampering, or breakage.

When an ECC is stored in the same room as its associated STE, it must be afforded protection commensurate with the classification of the keyed terminal (i.e. the room must be certified for open storage to the level of the key or it must be stored in a GSA approved Class V or VI security container). The ECC may be stored in a locked cabinet or locked desk provided it is located in a separate room from the terminal and the possibility of loss, unauthorized use, substitution, tampering, or breakage is unlikely.

When an ECC is inserted in its associated STE, the equipment must be protected to the highest security level that the system can achieve. A user may insert the ECC into a STE at the beginning of the day and leave the card in place as long as an authorized user is present to observe the STE and prevent access by a person not having an appropriate clearance.

When a user enables the secure telephone device’s security functions by entering a PIN or Password, the user is responsible for protecting that device to the classification level of the key it contains. When not in use, the user must log out of the device and protect it by keeping it in their personal possession or storing it in a manner that will minimize the possibility of loss, unauthorized use, substitution, tampering, or breakage.

A user who accepts responsibility for a secure telephone device is solely responsible for safeguarding it and cannot further transfer responsibility without the approval of the COMSEC Manager.

Each secure telephone device user must return to the local COMSEC Manager all material issued to them prior to their transfer or departure. Personnel departing without a signed return hand receipt issued by the local COMSEC Manager will remain personally responsible (and held liable) for their issued device(s), even if it is no longer in their physical custody (e.g. they gave it to a coworker or supervisor the day they left).

c. Personal Identification Numbers (PIN)

There are two types of PINs: the Terminal Administrator (TA) PIN, which comes with the equipment and is used to key and set up the secure telephone device, and the User PIN, which is assigned by the TA.

COMSEC Managers must maintain a record of all TA and User PINs associated with their account’s secure telephone devices. The PINs must be stored in accordance with their assigned classification levels. They MAY NOT be written on, transported with, attached to, or stored with their associated devices.


A user must memorize the PIN(s) assigned to their secure telephone device(s). PINs MAY NOT be written on, transported with, attached to, or stored with their associated devices.

A user may record their PIN on a properly completed and sealed SF-700 for access during an emergency or in the event they forget the PIN. The SF-700 must be protected by appropriate tamper-evident measures (e.g. placed in tamper evident plastic bag available from NSA Protective Technologies Branch, (301) 688-5861 or 688-6816, or sealed in heat-applied laminating film). The SF-700 must be stored in accordance with the highest classification level of the key loaded in the device and inspected monthly for signs of tampering. No other written record is permitted at the user level (e.g. no database record, note in a PDA, etc.).

d. Enhanced Cryptographic Card (ECC)

The keying material loaded on the card is not separately accountable. An ECC programmed with keying material may only be issued to a properly cleared user who possesses a clearance level equal to or greater than the keying material on the card.

e. SME PED Secure User Password

Users must memorize the Password assigned to their secure telephone device(s). Passwords may not be written on, transported with, attached to, or stored with the SME PED.

A user may record their Password on a properly completed and sealed SF-700 for access during an emergency or in the event they forget the Password. The SF-700 must be protected by appropriate tamper-evident measures (e.g. placed in tamper evident plastic bag available from NSA Protective Technologies Branch, (301) 688-5861 or 688-6816, or sealed in heat-applied laminating film). The SF-700 must be stored in accordance with the highest classification level of the key loaded in the SME PED and inspected monthly for signs of tampering. No other written record is permitted at the user level (e.g. no database record, note in a PDA, etc.).

10. After-Hours Protection

When appropriately cleared users are not present, only secure telephone devices located in an area approved for open storage of COMSEC material at the classification level of the key they contain may be left in a keyed condition (e.g. ECC card inserted, wireline terminal PIN is active, etc.).

Secure telephone devices that are in an unkeyed condition must be protected as high value items and be stored in a manner that will minimize the possibility of loss, theft, unauthorized use, substitution, tampering, or breakage (e.g. in a locked room, locked drawer, etc.).

Additionally, unless the room is approved for open storage at the classification level of the ECC’s key, if an ECC and its associated STE are located in the same room (regardless of whether the ECC has been removed from the STE), the ECC must be stored in a GSA approved Class V or VI security container.

An ECC stored in an area physically apart from its associated STE must be protected as a high value item and be stored in a manner that will minimize the possibility of loss, theft, unauthorized use, substitution, tampering, or breakage (e.g. in a locked room, locked drawer, etc.).


11. Transportation

Secure telephone devices may not be transported in a keyed condition. With the exception of movement inherent to the authorized use of mobile secure telephone devices, secure telephone devices may not be relocated or transported without the explicit consent of the issuing COMSEC Manager.

Unkeyed secure telephone devices which the COMSEC Manager has approved for shipping must be packaged in a manner that will provide sufficient protection from damage as well as provide evidence of any attempt to penetrate the package while in transit. Unkeyed secure telephone devices may only be shipped through U.S.-controlled channels using a mode of transportation that provides both continuous accountability and reasonable protection against tampering, theft or loss of the material while in transit. At no time may the equipment pass out of U.S. control.

Shipping secure telephone devices by means of certified, first class, fourth class, parcel post or insured mail is prohibited. These services do not provide continuous tracking and accountability. The sending or receiving of secure telephone devices via these means must be reported to the local COMSEC Manager. Refer to CNSSI 4001 for additional transportation guidance regarding packaging requirements, commercial carrier selection, and courier responsibilities.

OCONUS – Secure telephone devices may not be transported outside the United States without prior written approval from the COR. In no case will U.S. COMSEC material be entered into foreign distribution channels or subjected to foreign customs inspection unless it has been authorized by the NSA Foreign Affairs Directorate, IAD Operations Group.

a. Secure Terminal Equipment (STE) and ECC

STEs may not be relocated or transported without the explicit consent of the issuing COMSEC Manager. Prior to shipping and upon receipt, the tamper seals located on the STE’s chassis must be examined for damage or signs of tampering. Any discrepancies must be reported immediately to the COMSEC Manager.

1) Separation. A STE and its associated ECC must be transported separately. Separately is defined as on a different day or on the same day but using different carriers/couriers. If a STE and its associated ECC cannot be separated, they must be packaged and transported as classified material in a manner consistent with the classification of the keying material loaded on the card. Classified shipping and classified courier requirements are provided in CNSSI 4005.

2) Personal Possession. If required in the performance of official duties, a user may keep their personally issued ECC user card in their possession while traveling. The ECC must remain concealed throughout transport; a briefcase, purse, pouch, or similar item provides appropriate concealment. The user may pass the ECC through X-ray machines or other security screening devices commonly used at airports and federal buildings without harmful effect to the ECC. The user remains responsible for the physical control (and loss) of the ECC during screening procedures. The user must ensure all inspections are conducted in their presence and only by authorized personnel. Physical inspections are limited to external viewing of the equipment only. While unattended, the ECC must be stored and protected in a manner that is sufficient to preclude any reasonable chance of loss, theft, unauthorized use, substitution, tampering, or breakage. The ECC may not be placed in checked baggage or left in the care of a concierge service or other such attendants.

3) Executive Vehicle Transport. STEs installed for use in executive vehicles require the implementation of additional security measures. The user must remove the ECC when the system is not in use. The ECC may not be left in an unattended vehicle with its associated STE nor may it be left in the care of a valet or other such attendants. Unless operational security concerns dictate otherwise, locking the vehicle after removing and retaining the ECC and the terminal mounting mechanism key provides adequate security when the vehicle is unattended.

b. Secure Cellular Telephones, SWT, and SME PED

Movement is understood to be inherent to the authorized use of secure cellular telephone devices and SME PEDs; however, although portable, secure wireline terminals are typically installed for use in a single location. Secure wireline terminals may not be transported to another location without the explicit consent of the issuing COMSEC Manager.

1) Personal Possession. When unkeyed (e.g. PIN/Password not active) secure cellular telephones, secure wireline terminals or SME PEDs are being transported in the custody of an authorized user for their own use as required by their official duties (e.g. TDY from their usual location), the equipment must remain concealed from public view and under their physical control at all times. A briefcase, purse, pouch, or similar item provides appropriate concealment. The user may pass the equipment through X-ray machines or other security screening devices commonly used at airports and federal buildings without harmful effect to the device. The user remains responsible for the physical control (and loss) of the equipment during screening procedures. The user must ensure all inspections are conducted in their presence and only by authorized personnel. Physical inspections are limited to external viewing of the equipment only. Unkeyed secure telephone devices may not be placed in checked baggage or left in the care of a concierge service or other such attendants. While unattended, unkeyed secure telephone devices must be stored and protected in a manner that is sufficient to preclude any reasonable chance of loss, theft, unauthorized use, substitution, tampering, or breakage.

2) PINs/Passwords. Regardless of the transportation method, PINs/Passwords must not be written on, transported with, attached to, or stored with their associated devices.

c. KOV 26 Talon Card and Associated IT Equipment

The following measures shall apply to shipping KOV 26 and associated IT equipment. Additionally, it is the responsibility of each COMSEC Account Manager to advise users to whom equipment is shipped to return it in accordance with these instructions.

1) KOV 26. The KOV 26 is a CCI device and must be shipped in accordance with CNSSI 4001 and this instruction via traceable means.

2) IT Equipment. IT equipment must be treated as high value equipment and shipped via traceable means. If the equipment has classified information stored on it, it must be shipped in accordance with local IT security measures.

3) Passwords. Passwords must be shipped via separate packaging and on a different day as the equipment, or may be passed over secure electronic means. They must be considered classified to the level of the key loaded on the KOV 26 and handled accordingly, including sealing in SF-700s. Under no circumstances shall the password be shipped with its associated equipment (KOV 26 or the IT equipment). If a password is shipped with the associated KOV 26 and/or IT equipment, it must be reported as a COMSEC Incident, or as an IT Security incident, or both (as appropriate).

4) Protective Packaging. Sealed passwords shall be placed in tamper-evident bags for shipping. Additionally, it is highly recommended that IT equipment also be shipped in tamper-evident bags or with other tamper-indicating measures applied.

12. Secure Telephone Devices Used by Other Personnel

A user may allow others to use their secure telephone device as long as the person is cleared to the security level of the key loaded in the device and they are assigned to the same DAO depicted on the device’s display. When operationally required, authorized users may permit personnel not normally authorized to use the keyed terminal (e.g. personnel not assigned to the DAO identified in the display or personnel whose clearances do not meet the level indicated on the display) to use the keyed terminal under the following conditions:

• An authorized person places the call; and
• After reaching the called party, the authorized caller identifies the party on whose behalf the call is being made, indicating the level of his/her clearance.

13. Maintenance

Users may not attempt to open any secure telephone device. Unauthorized attempts to open any secure telephone device may constitute a COMSEC incident.

a. STE

Users requiring maintenance for their STE should contact their supporting COMSEC Manager.

b. ISM

The ISM contains no user replaceable parts.

c. QSec–2700

The QSec–2700 contains no user replaceable parts except the battery.

d. Sectéra® SGSM

The Sectéra® SGSM contains no user replaceable parts except the battery.

e. Sectéra® SWT

The Sectéra® SWT contains no user replaceable parts.

f. OMNI

The OMNI contains no user replaceable parts.


g. SME PED

The SME PED contains no user replaceable parts except the battery and CIK (if used).

h. Talon® Cryptographic Token

The Talon® Cryptographic Token contains no user replaceable parts.

14. Secure Telephone Devices in a Private Residence

The following are the minimum requirements that must be met before any secure telephone devices will be approved for installation in a private residence. More stringent (but not less stringent) security policies may exist within a specific agency, organization or office. Users are responsible for ensuring they are aware of any additional security procedures and/or secure telephone devices usage limitations. Provided the regulations are not contrary to those described within DHS COMSEC and NSA COMSEC guidance, users must comply with all additional requirements mandated by their agency, organization or office policies.

• The requesting party must justify the need, in writing, to the appropriate Office of Security.
• Approval from the CISO to key Secure Telephone Devices at the TOP SECRET level.
• The security clearance of the individual using the secure telephone must be verified by the DHS or appropriate Component Personnel Security Office.
• A Physical Security Evaluation (PSE) to certify minimum security standards prior to installation.

Secure telephone devices installed in a private residence may only be used by the person for whom it is installed. When not in use, the secure telephone devices must remain in an unkeyed state (ECC removed, PIN/Password logged out, etc.). Applicable security precautions must be taken to prevent unauthorized access to the secure telephone devices and to classified or sensitive but unclassified (SBU) U.S. Government information.

When the terminal is used in the data mode, classified information that is viewed on the screen must be cleared from the display as soon as possible, and may not be printed nor may the user record classified notes unless there is a GSA Class V or VI security container available at the residence to store the classified document. The residence security container must be physically secured to the building structure.

a. STE

Unless an official physical security assessment has been completed by a qualified inspector and a classified certification has been granted by the DHS or Component’s Office of Security, an ECC intended for use in a residence may only be keyed to the UNCLASSIFIED level. The ECC for a STE installed in a residence must contain the correct class 6 code so that the display properly reflects “RESIDENCE” while in the secure mode. The ECC must be removed from the terminal following each use and kept in the personal possession of the user, or stored in a GSA approved security container. For further classified conversation guidance, physical security requirements, and handling/storage instructions, refer to IAA-002-01 and CNSSI 4005.

b. Sectéra® vIPer™ Universal Secure Telephone

For information regarding residential installation of the Sectera vIPer VoIP telephone, the user must contact their COMSEC Manager and Office of Security for specific guidance applicable to their organization.


DHS users may contact the DHS Office of Security via e-mail for Sectera vIPer VoIP telephone guidance. Contact [email protected] for administrative issues or [email protected] for technical issues.

15. Acoustic Security

Introduction of secure telephone devices into an area should not change those requirements normally implemented in areas processing classified or sensitive information. Ideally, all personnel assigned to an area where classified work is carried out would have the same clearance. Where this is not possible, local procedures must be implemented to prevent classified information from being discussed in an area where unauthorized personnel may overhear the conversation.

Utilizing a cellular telephone in the speaker mode during a secure call is prohibited. Regardless of whether all personnel in the area possess the appropriate clearance and need to know, speaker capabilities on secure cellular telephones must be disabled. Utilizing the speaker function on any other types of secure telephone devices is strongly discouraged as well. The secure telephone user’s Office of Security must grant approval in writing prior to a user or COMSEC Manager enabling a device’s speaker capability.

Some voice terminals, two-way radios, speakerphones, intercoms, and telephones which employ electronic audio amplifiers are capable of transmitting audio signals even when on-hook (idle). Due to the potential for a serious security liability, audio amplified devices may not be placed in close proximity to secure telephone devices. COMSEC users may consult their Certified Tempest Technical Authority (CTTA) for additional tempest guidance.

16. Observing the Terminal’s Display (Voice or Data)

Each secure telephone user is responsible for ensuring proper authentication when conducting secure communication with a distant end. Users must not exceed the classification level indicated on the telephone display (See 9.1 for the lone exception).

When a user calls another secure telephone device, the terminals communicate with each other during the secure mode setup. Each terminal automatically displays the authentication information of the distant terminal. Although the information displayed indicates the organization reached (the DAO) and the approved clearance level for that call, it does not authenticate the person using the terminal. Therefore, users must use sound judgment in determining need to know when communicating any classified information.

The user must always verify the telephone is in the secure mode prior to beginning classified conversations. The security classification of the call will be displayed on the top (first) line of the terminal’s display for the duration of the secure call. This security classification will be the highest common level shared by the two terminals for this call. The terminal user must restrict the classification level of the conversation (or data traffic) to no higher than the displayed level.

Classified information MUST NOT be transmitted when the following conditions exist:

• If there is a question as to the validity of the authentication information in the display, even though voice recognition may be possible. Authentication information must be representative of the organization in which the distant terminal is located.
• When the display indicates that the distant terminal’s key has expired and the period exceeds a reasonable period of time (e.g. two months).


• When the display indicates the distant terminal contains a compromised key. This is a reportable COMSEC incident. Contact the local COMSEC Manager immediately.
• If the display fails. Check the contrast settings to verify it is not set too light or dark. Attempt to call another terminal to verify whether the condition persists.

17. Secure Data Mode

During data transmissions, each STE or wireline terminal must remain under direct operational control of an appropriately cleared and authorized user. The data may be sent only after the sending and receiving parties have verified the terminal displays the correct DAO information, the classification of the data does not exceed the classification level shown on the terminal’s display, and the recipient has a valid need to know.

18. Terminal Access Control

Since access to keyed secure telephone devices (e.g. ECC inserted, PIN/Password protected security functions activated) enables use of the device in the secure mode, access must be restricted to authorized users only. Discovery of an unattended keyed device in an area not authorized for open storage to the classification level of the key contained in the device must be reported to the local COMSEC Manager.

When a secure telephone device is in an unkeyed state (e.g. ECC removed, PIN/Password logged out, etc.), the user is responsible for maintaining physical control of their device and/or ensuring it is stored in a manner that minimizes the possibility of loss, theft, unauthorized use, substitution, tampering, or breakage. The discovery of unattended and unprotected secure telephone devices must be reported to the local COMSEC Manager.

19. Procedures to Minimize Risk

Although the secure telephone device can secure a telephone conversation, it cannot secure the surroundings. When talking at a classified/sensitive level or entering a PIN/Password, each user must be aware of their surroundings, including the proximity of uncleared individuals and/or individuals without a need to know. Regardless of whether a device is located in a secure area or not, when not being actively used it is highly recommended that the secure communication functions be disabled (i.e. ECC card removed, PIN/Password logged out).

Prior to evacuation due to an emergency situation, (e.g. fire, bomb threat, etc.) the user should remove and take with them any ECCs or wireless secure telephone devices that are immediately accessible. The user must NOT attempt to remove wired secure telephone devices or unnecessarily endanger their personal safety by delaying their departure in an attempt to secure COMSEC items. The COMSEC Manager or an authorized user must conduct a post-emergency inventory of all COMSEC equipment located within the office affected by the emergency and report the results as indicated by local COMSEC emergency action procedures.

20. Electronic Rekeying

Secure telephone device users are responsible for performing electronic rekeying at least annually or before the expiration date of the key installed in their device (whichever comes first). Quarterly rekeying is recommended. The user can view the key expiration date on the device’s display; refer to the device user manual for instructions on how to view the expiration date of the key. The local COMSEC Manager will provide instructions on how to make a rekey call.

The Iridium Secure Module (ISM) is not capable of electronic rekeying. For this reason, the ISM must be returned to the COMSEC Manager prior to the key’s expiration date so that it may be loaded with a new key.

21. PIN/Password Information

User PINs/Passwords must be changed at least annually (local security policy may impose stricter requirements) or if compromised. Refer to the user’s manual for information on changing user PINs. Users must report compromised PINs/Passwords to the local COMSEC Manager.

a. Protection

Written records of PINs that enable activation of a device’s secure communication functions may be recorded on an SF-700, properly completed and sealed, with appropriate tamper-evident measures applied (e.g. placed in tamper evident plastic bags available from NSA Protective Technologies Branch, (301) 688-5861 or 688-6816, or sealed in heat-applied laminating film). The sealed SF-700 must be stored in accordance with its classification in a GSA approved security container. The SF-700 must be inspected monthly for signs of tampering.

Alternately, COMSEC Account Managers may maintain PINs electronically using an application (e.g., Excel spreadsheet, Access database, etc.) residing on a secure Information System (IS) classified at a minimum of the highest classification of the key loaded on the secure telephone devices to which the PINs pertain. These electronic files MUST be accessible ONLY to the COMSEC Account Manager and Alternate(s).

NOTE: This technique is NOT AUTHORIZED for recording of lock combinations under any circumstances. Additionally, electronic storage of PINs/Passwords for secure telephone devices by users is NOT AUTHORIZED.

b. Automatic Disabling

Secure telephone devices are protected against surreptitious attacks intended to breach user PINs through automated or manual sequential attempts. This protection is effected through tight limits on failed attempts and consequences for exceeding these limits, as specified below for each device in use in DHS:

1) Sectéra® vIPer™ Universal Secure Telephone. The user has four (4) attempts to enter the UserID and PIN correctly. On the fourth consecutive failed attempt, the UserID and PIN are deleted. If this is the last UserID, all keys will also be deleted. The UserID and PIN and the keys must then be reloaded into the device by the COMSEC Manager.

2) Iridium Secure Module (ISM). The user has four (4) attempts to enter the PIN correctly. If the PIN is entered 4 times incorrectly, the keying material will be zeroized automatically. The keying material must then be reloaded into the device by the COMSEC Manager.

3) QSec-2700. The user has three (3) consecutive attempts to successfully log into the telephone, after which the USER Account will be automatically disabled. The telephone must be returned to the COMSEC Manager who serves as the Terminal Administrator (TA) for User Account restoration.

4) Sectéra® Secure Wireless Global System for Mobile Communications Telephone Security Module (SGSM). The user has four (4) consecutive opportunities to enter the SGSM PIN correctly. If the SGSM PIN is entered four consecutive times incorrectly, the SGSM automatically deletes the PIN associated with the User ID being entered and zeroizes all encryption keys. The keying material must then be reloaded into the SGSM by the COMSEC Manager using the Type 1 Default Software (T1DSW) PIN provided by the manufacturer.

5) Sectéra® Wireline Terminal (SWT). The user has four (4) opportunities to enter the PIN correctly. If the PIN is entered four times incorrectly, the keying material will be zeroized. The keying material must then be reloaded into the terminal by the COMSEC Manager using the T1DSW PIN provided by the manufacturer.

6) OMNI Secure Wireline Terminal. The user has four (4) consecutive attempts to unlock the terminal with the PIN. Powering down the OMNI between attempts does not affect the number of failed attempts. If four attempts are exceeded, the OMNI terminal becomes disabled and will not allow secure operations. The OMNI terminal must be returned to the COMSEC Manager to create a new user PIN. The COMSEC Manager maintains and creates User PINs.

7) Secure Mobile Environment Personal Electronic Device (SME PED). The user has five (5) consecutive attempts to successfully log into the device. After the fifth consecutive failed attempt, the user account will be automatically disabled. To reactivate the device the SME PED must be returned to the TA for user account restoration.

8) Talon® Cryptographic Token. The user has four (4) consecutive attempts to log into the device. After the fourth consecutive failed attempt, the user account will be automatically disabled. The account must be re-established by the SSO.

22. Reportable COMSEC Incidents

This section does not contain an all-inclusive list of potential insecurities. Should a question arise as to whether or not an insecurity has actually occurred, users must contact their COMSEC Manager and/or COR for further guidance. The following reportable COMSEC Incidents must be reported to the DHS COMSEC Central Office of Record for evaluation or investigation:

• Questionable validity of the authentication information in the display, even though voice recognition may be possible. Authentication information should be representative of the organization at which the distant terminal is located.
• Display indication that the distant terminal contains a compromised key.
• Failure to adequately protect a secure telephone device and assign a new PIN/Password after the discovery of a compromised PIN/Password.
• Failure to adequately protect or zeroize an ECC that is associated with a lost terminal.


• Failure to disassociate a lost or stolen ECC from its associated STE.
• Loss of a STE and its associated ECC.
• Loss of an ECC fill card.
• Loss of a user card and its associated carry card.
• Known or suspected tampering with, or unauthorized access to any secure telephone device.
• Unattended keyed secure telephone device (e.g. ECC inserted, PIN/Password logged in, etc.) discovered in an area not authorized for open storage to the classification level of the key contained in the device.
• Theft of any secure telephone device.

23. Compliance

This annex contains minimum security standards for the handling and control of all secure wired and wireless telephones, secure wireline terminals and associated equipment in use within DHS, as well as Personal Identification Numbers (PINs) and Passwords associated with these devices. The provisions of specific operational security doctrine for individual devices take precedence over general policy doctrine.

More stringent (but not less stringent) security policies may exist within a specific agency, organization or office. Supplementation or substantial re-writing of this user guide that would create policies and procedures unique, and possibly unacceptable to the DHS COMSEC community as a whole, is expressly prohibited. Provided the regulations are not contrary to those described within DHS COMSEC and NSA COMSEC guidance, users must comply with all additional requirements mandated by their agency, organization or office policies.

This manual represents implementation of national level COMSEC regulations. If the requirements or terms of this user guide appear to substantially conflict with the requirements or terms of any national-level issuance, such conflicts will be identified and guidance requested, through organizational channels, from the DHS COMSEC COR Manager. The DHS COMSEC COR Manager will contact the National Manager, Committee on National Security Systems (CNSS) (Director, National Security Agency, ATTN: CNSS Secretariat) for clarification and final determination.

Any suspected or actual violations of the security requirements described within this document must be reported to the local COMSEC Manager. As required by CNSSI 4003, Reporting and Evaluating COMSEC Incidents, the COMSEC Manager must forward all information regarding a suspected or actual COMSEC insecurity to the DHS COMSEC COR for further investigation and/or evaluation.


Tab 1 to Annex C

Abbreviations

ALC – Accounting Legend Code
CAO – Cryptographic Assurance Office
CCI – Controlled Cryptographic Item
CDMA – Carrier Demand Multiple Access
CF – Central Facility
CIK – Crypto Ignition Key
CMCS – COMSEC Material Control System
CNSSI – Committee on National Security Systems Instruction
COMSEC – Communication Security
COR – Central Office of Record
CTTA – Certified TEMPEST Technical Authority
DAO – Department/Agency/Organization
DCD – Defense Courier Division
DCS – Defense Courier Service
DHS – Department of Homeland Security
DIAS – Distributed INFOSEC Accounting System
DOD – Department of Defense
DoDAAC – Department of Defense Activity Address Code
DSS – Defense Security Service
DTD – Data Transfer Device
ECC – Enhanced Cryptographic Card
EKMS CF – Electronic Key Management System Central Facility
FAQ – Frequently Asked Question(s)
FCL – Facility Clearance Level
FSO – Facility Security Officer
GSA – General Services Administration
GSM – Global System for Mobile Communications
HAIPE – High Assurance Internet Protocol Encryption
IA – Information Assurance
IAD – Information Assurance Directorate
INFOSEC – Information Systems Security
IPv4 – Internet Protocol, version 4
IPv6 – Internet Protocol, version 6
ISDN – Integrated Services Digital Network
ISM – Iridium Secure Module
KMI – Key Management Infrastructure
KMID – Key Management Identification
MSS – Mobile Subscriber Service
NATO – North Atlantic Treaty Organization
NSA – National Security Agency
NSTISSI – National Security Telecommunications and Information Systems Security Instruction
OCONUS – Outside the Continental United States
PCMCIA – Personal Computer Memory Card International Association
PDA – Portable Data Assistant
PIN – Personal Identification Number
PSTN – Public Switched Telephone Network
SBU – Sensitive but Unclassified
SCI – Sensitive Compartmented Information
SCIF – Sensitive Compartmented Information Facility
SCIP – Secure Communications Interoperability Protocol (Formerly FNBDT)
SDNS – Secure Data Network System
SGSM – Secure Global System for Mobile Communications
SME PED – Secure Mobile Environment Portable Electronic Device
STE – Secure Terminal Equipment
SVoIP – Secure Voice over Internet Protocol
T1DSW – Type 1 Default Software
TA – Terminal Administrator
TPA – Terminal Privilege Authority
TRI/TAC – Tri-Service Tactical Communications System
TS/SCI – TOP SECRET Sensitive Compartmented Information
UPV – User Privilege Vector
VoIP – Voice over Internet Protocol


Tab 2 to Annex C

Secure Telephone User Briefing

You have been selected to perform duties which will require access to sensitive COMSEC information. It is, therefore, essential that you are made fully aware of certain facts relative to the protection of this information before access is granted. This briefing will provide you with a description of the types of COMSEC information you may have access to, the reasons why special safeguards are necessary for protecting this information, the directives and rules which prescribe those safeguards, and the penalties which you will incur for willful disclosure of this information to unauthorized persons.

COMSEC equipment and keying material are especially sensitive because they are used to protect other sensitive information against unauthorized access during the process of communicating that information from one point to another. Any particular piece of COMSEC equipment, keying material, or other cryptographic material may be the critical element which protects large amounts of sensitive information from interception, analysis, and exploitation. If the integrity of the COMSEC system is weakened at any point, all the sensitive information protected by that system may be compromised; even more damaging, this loss of sensitive information may never be detected. The procedural safeguards placed on physical security, covering every phase of their existence from creation through disposition, are designed to reduce or eliminate the possibility of such compromise.

Communications Security (COMSEC) is the general term used for all steps taken to protect information of value when it is being communicated. COMSEC is usually considered to have four main components: transmission security, physical security, emission security, and cryptographic security. Transmission security is that component of COMSEC which is designed to protect transmissions from unauthorized intercept, traffic analysis, imitative deception and disruption. Physical security is that component of COMSEC which results from all physical measures to safeguard cryptographic materials, information, documents, and equipment from access by unauthorized persons. Emission security is that component of COMSEC which results from all measures taken to prevent compromising emanations from cryptographic equipment or telecommunications systems. Finally, cryptographic security is that component of COMSEC which results from the provisions of technically sound , and from their proper use. To ensure that telecommunications are secure, all four of these components must be considered.

Part of the physical security protection given to COMSEC equipment and materials is afforded by the special handling it receives from distribution and accounting. There are two separate channels used for handling of such equipment and materials: “COMSEC channels” and “administrative channels”. The COMSEC channel, called the COMSEC Material Control System (CMCS), is used to distribute accountable COMSEC items such as keying material, maintenance manuals, and classified and CCI equipment. The CMCS channel is comprised of a series of COMSEC Accounts, each of which has an appointed COMSEC Manager who is personally responsible and accountable for all COMSEC material charged to the account. The COMSEC Manager assumes responsibility for the material upon receipt, and then controls its dissemination to authorized individuals on a need-to-know basis. The administrative channel is used to distribute COMSEC information and material other than that which is accountable in the CMCS.

Particularly important to the protection of COMSEC equipment and material is an understanding of all security regulations and the timely reporting of any compromise, suspected compromise, or other security problem involving these materials. If a COMSEC system is compromised but the compromise is not reported, the continued use of the system, under the incorrect assumption that it is secure, can result in the loss of all information that was ever protected by that system. If the compromise is reported, steps can be taken to change the system, replace the keying material, etc., to reduce the damage done. In short, it is your individual responsibility to know and to put into practice all the provisions of the appropriate publications which relate to the protection of the COMSEC equipment and material to which you will have access.

Public disclosure of any COMSEC information is not permitted without the specific approval of your Government contracting office representative or the National Security Agency (NSA). This applies to both classified and unclassified COMSEC information, and means that you may not prepare newspaper articles, speeches, technical papers, or make any other “release” of COMSEC information without the specific Government approval. The best personal policy is to avoid any discussions which reveal your knowledge of or access to COMSEC information and thus avoid making yourself of interest to those who would seek the information you possess.

Finally, you must know that should you willfully disclose or give to any unauthorized persons any of the classified or CCI COMSEC equipment, associated keying material, or other classified COMSEC information to which you have access, you will be subjected to prosecution under the criminal laws of the United States. The laws which apply are contained in Title 18, United States Code, sections 641, 793, 794, 798, and 952.

If your duties include access to classified COMSEC information, in addition to the above, you should avoid travel to any countries which are adversaries of the United States, or to their establishments/facilities within the U.S. Should such travel become necessary, however, your security office must be notified sufficiently in advance so that you may receive a defense security briefing. Any attempt to elicit the classified COMSEC information you have, either through friendship, favors, or coercion, must be reported immediately to your security office.


Secure Telephone User Responsibility Certificate

I, the undersigned, certify that I have read the DHS 4300B Annex C, Secure Telephone Devices, and Tab 2 to Annex C, Secure Telephone User Briefing, and am familiar with my responsibilities as an authorized user of any secure telephone device assigned to me. I will retain this document for future reference. I also certify that I will follow the specific procedures for using and protecting the secure telephone device and any associated PINs or ECCs that have been issued to me on hand receipt.

User Name:

User Signature:

Witness Signature:

Office:

Telephone:

Date:

Return this form to your local COMSEC Manager


Annex D

Electronic Key Management System (EKMS) / Key Management Infrastructure (KMI)

1. Purpose

This annex discusses Electronic Key Management System (EKMS) and Key Management Infrastructure (KMI) in general. Specific discussions of the Local Management Device/Key Processor (LMD/KP) and the COMSEC Accounting, Reporting, and Distribution System (CARDS) are contained in Tabs 1 and 2 respectively.

2. Discussion

EKMS is a key management, COMSEC material distribution, and logistics support system consisting of interoperable military and civil agency key management systems. NSA established the EKMS program to meet multiple objectives, which include supplying electronic key to COMSEC devices in a secure and timely manner and providing COMSEC managers with an automated system capable of ordering, generation, destruction, production, distribution, storage, security, accounting, and access control. Other features of EKMS include automated auditing capabilities to monitor and record security-relevant events, account registration, and extensive system and operator privilege management techniques that will provide flexible access control to sensitive key, data, and functions within the system. The common EKMS components and standards will facilitate interoperability and commonality among government agencies.

EKMS is a total COMSEC management system that encompasses all aspects of the government’s COMSEC key management architecture and meets the following NSA requirements:

• Enhanced security through encrypted electronic key distribution
• Increased responsiveness to operational requirements
• Joint interoperability
• Automation and simplification of COMSEC material control
• Elimination of physical key distribution and management of paper products

Key Management Infrastructure (KMI) is the next generation of net-centric key management and distribution. KMI will replace EKMS when fully deployed. Electronic distribution of security products will be vastly enhanced through Over-the-Network Keying (OTNK).

OTNK:

• Allows end cryptographic units (ECU) to receive their own wrapped key products and services
  o Direct from the infrastructure, or;
  o On their behalf by an intermediary
• Cryptographically protects products and services at generation for specific ECU
• Distributes Electronic Key with minimal or no human involvement


DHS will implement the use of the Management Clients (MGCs) to transition from EKMS to KMI. The use of the MGCs in KMI will provide DHS with equal or greater capability for security product management as the EKMS. The OTNK capability of KMI will be supported within DHS as technological capabilities evolve and are accredited and enabled on DHS networks.


Tab 1 to Annex D

Local Management Device/Key Processor (LMD/KP) Management

1. Purpose

The Local Management Device/Key Processor (LMD/KP) supports the functions performed by the COMSEC Account Manager at the COMSEC Account level of the EKMS structure. The LMD/KP automates and computerizes many of the COMSEC procedures that have traditionally been performed manually. It also introduces some entirely new functions related to electronic key material. These functions will initially be unfamiliar even to personnel with considerable COMSEC experience.

2. Discussion

The EKMS 704C is the LMD/KP Operator’s Manual, and should be referred to for complete operating instructions.

3. Responsibilities

Those COMSEC Accounts that have the LMD/KP suite must meet certain criteria and maintain the system to ensure its security and integrity.

a. Classification and Control

The LMD/KP suite must be located in an area approved for material classified at least SECRET. A minimum of two system administrators possessing final SECRET clearances are required.

1) PINs/Passwords. PINs/Passwords must be recorded on SF 700, and shall be classified SECRET and safeguarded accordingly. PINs/Passwords must be changed every six months.
2) LCMS/KP Operator IDs. System Administrators and all Operators must have unique LCMS/KP Operator IDs.
3) KP REINIT1 and REINIT2 Keys. REINIT1 and REINIT2 keys must be appropriately classified and safeguarded at the level of the account’s highest classification indicator (HCI).
   a) REINIT1 CIKs are accounted for as ALC-1 material.
   b) REINIT2 CIKs are accounted for as ALC-4 material.
4) CIK ID and PIN Logs. Up-to-date logs must be maintained identifying creation dates of CIKs and PINs, and their respective holders.

b. Training

All operators must receive formal EKMS training. Access to the LMD/KP suite must be restricted to personnel so trained.

c. System Maintenance

The COMSEC Manager must perform the following routine maintenance functions:

• Database backups
  o Performed daily or when changes to account holdings occur
  o Backup media must be marked SECRET and dated
• SCO/Unix “Root”, “/u/usr”, and LCMS backups
  o Performed monthly
  o Backup media must be marked SECRET and dated
• KP changeover at least every three months to update the encryption key used by the KP
• KP rekey on an annual basis
• Data archive


Tab 2 to Annex D

COMSEC Accounting, Reporting, and Distribution System (CARDS) Management

1. Purpose

CARDS is now the primary approved accounting system for COMSEC Accounts within DHS. As KMI approaches, COMSEC accounting will become entirely net-centric. CARDS provides an appropriate interface to KMI. This Tab provides key requirements for CARDS management at each account to ensure consistency.

2. Discussion

The capabilities of CARDS provide enhanced options for electronic storage of COMSEC records. Additional capabilities will emerge as new developments occur, including digital signing of reports (currently, digital signatures are authorized on hand receipts and cryptographic access briefings), etc. It is anticipated that, eventually, all COMSEC records may be retained entirely in electronic format, eliminating the need to retain paper copies of reports. Policies enacted now will position COMSEC accounts in DHS to transition easily and seamlessly to paperless accounting.

Accounting reports (signed SF-153 Transfer, Destruction, etc. reports) must be scanned and uploaded to CARDS for electronic storage. This process will satisfy the requirement for providing these reports to the COR.

a. Those COMSEC Accounts with scanning capability on their HSDN suites will scan and upload completed accounting reports to the CARDS server. Retention requirements of these reports in paper form remain in accordance with Section 7.4.3.3 of this instruction. See the current version of the CARDS Ready Reference Guide (RRG) for step-by-step document upload procedures.

b. Those COMSEC Accounts without scanning capability on their HSDN suites must submit accounting reports and TR Log reports to the COR. The COR will scan and upload these reports to the CARDS server on behalf of the account. Options for accounting report submission are:

• Facsimile
• Scan and e-mail via non-secure system
• Postal mail

c. When a scanning operation for document upload to CARDS is complete, CARDS will display a window in which to enter a file name and navigate to a save location. To ensure consistency, file naming conventions will apply as follows:

• Destruction report – DEST
• Report of Possession – ROP
• Relief of Accountability – ROA
• Inventory – INV
• Transfer – XFER

Date format: yyyymmdd [This date is the date of transaction, not the date of report]
TR number format: TN0001
Account number format: CA835000
Example: DEST 20130601 TN0001 CA835000

3. Password Management

CARDS passwords must be changed every 90 days. CARDS will force the user to change an expired password on login. CARDS allows up to five attempts to log in with the correct password; if an incorrect password is entered six consecutive times, the user will be locked out. In such cases, the password must be reset by the COR.

4. Electronic Key Download Policy

Modern electronic key is intended for one device only. For this reason, key transferred via CARDS is limited to a single operation, i.e., downloaded to the receiving account one time only. In the event that subsequent download is required, the key must be reset in CARDS. CARDS does not distinguish between modern and traditional (Reg Zero) electronic key in this respect.

The ability to reset electronic key is intended to serve as a fail-safe option only. It is not intended for the convenience of the receiving account. To enforce this limitation, the following policies apply:

a. In situations involving equipment failure or network interruptions occurring during download operations resulting in lost or corrupted keys, accounts shall submit written requests to the COR for key reset specifying the circumstances.

1) For isolated instances, the COR will reset this key upon request.
2) If key is lost or corrupted repeatedly because of network or equipment issues, these issues must be resolved prior to approval of a reset request.

b. Once any key (modern or traditional) is successfully downloaded to an account’s electronic fill device, the account is responsible for proper handling of that key. If it becomes lost due to improper operation of the fill device or other operator error (including battery failure), loss of this key must be reported as a COMSEC Incident.

1) Traditional (Reg Zero) key may be reset in CARDS at any time during its effective period; however, the COMSEC Incident report must be submitted before a reset request is approved. In such cases, a new Disposition Record Form must be completed, and care must be taken to immediately destroy superseded segments.
2) Modern (SDNS) key that is subject to COMSEC Incident reporting in this context may be placed on the Compromised Key List (CKL), depending on the circumstances.
   a) Should the loss of modern key occur due to battery failure of a fill device, and no evidence of compromise of the key exists, such key will NOT be placed on the CKL, and the key may be reset in CARDS for retrieval by the account.
   b) In situations involving key lost due to mishandling of the fill device that has the potential to subject the key to compromise, or unexplained zeroization of the fill device, the key WILL be placed on the CKL, and may not be reset in CARDS. New key must be ordered.

Once modern key is loaded on an end cryptographic device and used operationally, this key cannot be reused under any circumstances, and should have already been deleted from the fill device and from CARDS and so reported. Hence, key lost from an end cryptographic device must be reordered. Note that unexplained zeroization of an end cryptographic device may require reporting as a COMSEC Incident in accordance with Section 10.1 of this instruction and CNSSI 4003. See the Operational Security Doctrine for the device in question.
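The file naming convention in paragraph 2.c of this Tab can be checked mechanically before a scanned report is saved for upload. The Python below is an added example, not part of the directive or of CARDS; the field widths for TR and account numbers are inferred from the samples `TN0001` and `CA835000`, and the function names, the sample names, and the rejection of future transaction dates are assumptions of the example.

```python
"""Check file names against the CARDS upload naming convention (paragraph 2.c)."""
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, Optional

# Report-type codes listed in paragraph 2.c of this Tab.
REPORT_TYPES = {
    "DEST": "Destruction report",
    "ROP": "Report of Possession",
    "ROA": "Relief of Accountability",
    "INV": "Inventory",
    "XFER": "Transfer",
}

# Assumption: widths inferred from the Tab's samples "TN0001" and "CA835000".
TR_NUMBER = re.compile(r"TN[0-9]{4}")
ACCOUNT_NUMBER = re.compile(r"CA[0-9]{6}")
DATE_FIELD = re.compile(r"[0-9]{8}")


@dataclass(frozen=True)
class CardsUploadName:
    report_code: str
    report_type: str
    transaction_date: date
    tr_number: str
    account_number: str


def parse_upload_name(name: str, today: Optional[date] = None) -> CardsUploadName:
    """Parse 'TYPE yyyymmdd TNnnnn CAnnnnnn'; raise ValueError on any deviation."""
    fields = name.split(" ")
    if len(fields) != 4:
        raise ValueError("expected 4 fields separated by single spaces")
    code, raw_date, tr_number, account = fields

    if code not in REPORT_TYPES:  # codes are upper case in the convention
        raise ValueError(f"unknown report type {code!r}")

    if not DATE_FIELD.fullmatch(raw_date):
        raise ValueError(f"date {raw_date!r} is not 8 digits (yyyymmdd)")
    try:
        txn_date = date(int(raw_date[:4]), int(raw_date[4:6]), int(raw_date[6:]))
    except ValueError:
        raise ValueError(f"date {raw_date!r} is not a calendar date") from None
    # Assumption of this example: the date is the transaction date, so a date
    # after today means the report date or a typo was entered instead.
    if txn_date > (today or date.today()):
        raise ValueError(f"transaction date {raw_date} is in the future")

    if not TR_NUMBER.fullmatch(tr_number):
        raise ValueError(f"TR number {tr_number!r} does not match TNnnnn")
    if not ACCOUNT_NUMBER.fullmatch(account):
        raise ValueError(f"account number {account!r} does not match CAnnnnnn")

    return CardsUploadName(code, REPORT_TYPES[code], txn_date, tr_number, account)


def audit_names(names: Iterable[str], today: Optional[date] = None) -> Dict[str, Optional[str]]:
    """Map each name to None when it conforms, or to the reason it does not."""
    results: Dict[str, Optional[str]] = {}
    for name in names:
        try:
            parse_upload_name(name, today)
            results[name] = None
        except ValueError as exc:
            results[name] = str(exc)
    return results


# Constructed sample names; only the first is the example given in the Tab.
SAMPLE_NAMES = [
    "DEST 20130601 TN0001 CA835000",
    "XFER 20130231 TN0002 CA835000",  # 31 February does not exist
    "INV 06012013 TN0003 CA835000",   # mmddyyyy instead of yyyymmdd
    "dest 20130601 TN0001 CA835000",  # lower-case report code
    "ROP 20130601 TN12 CA835000",     # TR number too short
    "ROA 20170101 TN0004 CA835000",   # after the reference date used below
]

if __name__ == "__main__":
    for name, problem in audit_names(SAMPLE_NAMES, today=date(2016, 2, 4)).items():
        print(f"{name!r}: {'OK' if problem is None else problem}")
```
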


Annex E

Cryptographic High Value Products (CHVP)

1. Purpose and Discussion

CNSSI 4031, “Cryptographic High Value Products,” establishes the category of Cryptographic High Value Product (CHVP) as designated by NSA to secure SECRET and below National Security Systems (NSS). This annex provides guidance for handling and safeguarding of CHVPs.

National Security Agency (NSA)-approved cryptography is required to protect NSS, over which classified and sensitive information is transmitted among federal government departments, agencies, and other U.S. and foreign entities. A CHVP enables the use of public standards for cryptography protocols and algorithm interoperability.

2. Scope

This annex applies to all DHS activities that operate, use, or manage NSS that employ CHVPs.

3. Handling and Control Requirements

CHVPs require less administrative burden and control than the existing categories of Controlled Cryptographic Items (CCI) and classified products. Handling and control requirements are as follows:

a. Keying Material

Keying material for CHVPs may be classified up to SECRET. CHVPs are not approved to protect TOP SECRET and must not be filled with TOP SECRET keying material. If TOP SECRET key is inadvertently loaded, the equipment must be zeroized immediately and a COMSEC incident report filed in accordance with CNSSI 4003.

b. Unkeyed CHVPs

Unkeyed CHVPs are unclassified and must be controlled in a manner no less stringent than that required for high dollar value/sensitive material. In addition, protective measures must reasonably protect against attempts by individuals to gain unauthorized access to CHVPs. When key is loaded in a CHVP configured with a CIK or PIN, and the CIK is removed or the PIN is not entered and the equipment is in a locked state, the CHVP is considered unkeyed.

c. Keyed CHVPs

Keyed CHVPs must be protected at the same level as the keying material they contain. If a keyed CHVP becomes inoperable and cannot be zeroized (zeroization cannot be confirmed), it must be treated as keyed.

d. Shipping

1) Unkeyed. When shipping unkeyed CHVPs, they must be packaged in any manner that is approved for the transport of similar high dollar value items, and that provides evidence of tampering. CIKs/PINs must be shipped separately from CHVPs that contain key.
2) Keyed. When shipping keyed CHVPs, they must be packaged and shipped in accordance with the classification of the keying material contained.

e. Control

CHVPs may be inventoried, controlled, and tracked in property control systems or COMSEC accounting systems. Keying material must be controlled and safeguarded in accordance with operational security doctrine. Accountable property or COMSEC accounting systems must be kept current and reflect current status, location, and condition of the asset until authorized disposition of the property occurs.

4. Incidents

Incidents involving CHVPs must be handled as follows:

• DIRNSA, the responsible key management authority, the appropriate cognizant security authority, and the COMSEC Incident Monitoring Activity (CIMA) must be notified of those incidents where:
  o A keyed CHVP was shipped in a manner that did not meet the requirements of paragraph 3 above in accordance with the classification of the key.
  o A keyed CHVP is lost.
  o There is evidence or proof of theft, tampering, or sabotage of keyed CHVPs, or unauthorized access to keying material.
• DIRNSA and the appropriate cognizant security authority must be notified of those incidents when there is evidence or proof of theft, tampering, or sabotage of unkeyed CHVPs.
• The responsible security authority shall be notified of the following CHVP incidents for appropriate administrative action:
  o An unkeyed CHVP is lost.
  o There is evidence of possible tampering with, or unauthorized access to or modification of an unkeyed CHVP.
  o There are indications of known or suspected theft of an unkeyed CHVP.


Annex F

COMSEC Account Checklists

1. Introduction

This document provides official Checklists to enable COMSEC Managers to properly manage COMSEC Accounts, and COR auditors to enforce current requirements, in accordance with the DHS 4300B.200 National Security Systems Communications Security (COMSEC) Directive and national policy directives.

2. Purpose and Scope

The Checklists are to be used by auditor personnel for formal audits and by COMSEC Managers for required self-inspections.

3. Uses

Each checklist is contained in its own Tab, intended for selective printing depending on the requirement.

a. Audit/Inspection

The COR will audit/inspect COMSEC Accounts on an aperiodic, event driven basis to ensure that safeguards employed are adequate for the protection of COMSEC material. The audit/inspection shall include a satisfactory reconciliation of the account’s inventory, with emphasis placed on a 100 percent sighting of all COMSEC material held. However, if this is not possible, a 100 percent sighting of all key marked CRYPTO, as well as a review of all COMSEC accounting reports and disposition records for accuracy and completeness will be completed. See Tab 1 for the Audit Checklist.

(1) Audit Criteria. The audit/inspection of a COMSEC Account will include the following:

1. Verification of COMSEC accounting reports and files
2. Verification that Account personnel are in compliance with DHS and national policy documents.
3. Physical sighting of all COMSEC material held by the account. However, if this is not possible, a 100 percent sighting of all keying material marked CRYPTO shall occur
4. Adherence to packaging, shipping and marking instructions
5. Solicitation of any problems encountered by the Manager in relation to the accounting and control of COMSEC material
6. Recommendations for the improvement of local COMSEC accounting and control procedures.
7. Cursory inspection of implemented protective technologies, if appropriate.
8. A review of all procedures (e.g., SOP/EP) related to the control and safeguarding of COMSEC material.

(2) Audit Evaluation. Assignment of rating categories to reflect results provides a set of measurable data used to assess the overall grade of the COMSEC Account. An audited COMSEC Account will be assigned a rating from one of the following categories:

• EXCELLENT

• SATISFACTORY

• UNSATISFACTORY

The audit evaluation will be provided via the formal Audit Report from the COR. Accounts receiving a rating of UNSATISFACTORY will be re-audited within 90 days of the initial audit. The audit schedule for the account will remain in place based on the original audit date.

b. Electronic Key Management System (EKMS)

All LMD/KPs shall be audited by the COR on an 18 month basis. The EKMS Checklist is used in conjunction with the Audit Checklist to cover LMD/KP specific items. Tab 2 contains the EKMS Checklist.

c. Account Establishment

Upon receipt and acceptance of a request for establishment of a COMSEC Account, the prospective Account shall download signature cards (DHS Form 580) from the COR SharePoint portal to be completed by the COMSEC Account Manager and the Alternate Manager. Completed signature cards (original signed copies preferred, however reproduced/faxed copies are acceptable) will be returned to the COR.

Once the account is formally established, the COR will assist the new account in obtaining needed COMSEC material and an initial supply of COMSEC accounting forms, and will conduct an initial audit to ensure proper accounting procedures are established in the new account. Additionally, the security officer will verify the level of clearance held by the appointed individuals.

COMSEC Manager personnel of new accounts must bear in mind that the initial account establishment checklist is strictly an aid. Completion of this checklist does not constitute a formal audit. Tab 3 contains the Account Establishment Checklist.

d. Account Disestablishment

When the need for a COMSEC Account no longer exists, the head of the office will submit a memorandum to the COR requesting the account be closed and requesting the termination of the appointments of the COMSEC Manager and the Alternate Manager. Concurrent with the request to close the account, the COMSEC Manager and Alternate Manager shall conduct a physical inventory of all COMSEC material charged to the account and submit the inventory report to the COR and request disposition instructions for the material.

The COR will conduct a final reconciliation of the account’s holdings and furnish the COMSEC Manager with disposition instructions for all remaining COMSEC material. COMSEC accounting records and files pertaining to the COMSEC Account will be forwarded to the COR where they will be retained for a minimum of 3 years at which time they may be destroyed. When all material has been disposed of, the COR will close the COMSEC Account and terminate the appointments of the COMSEC Manager and alternate(s). After final disposition has been completed, the records of the account shall be audited and transferred to the COR for storage. Tab 4 contains the Account Disestablishment Checklist.


Tab 1 to Annex F

COMSEC Audit Checklist

Department of Homeland Security
COMSEC Central Office of Record (COR)

COMSEC AUDIT CHECKLIST

Initial required data:

COMSEC Account number:

Date of audit:

Date of last audit:

Date of last assist visit:

Physical address:

Total Line Items in Account:

Total Line Items Issued on Hand Receipt:

Total Number of Hand Receipt Holders:

Highest Classification Indicator (HCI) of the account:

Telephone No: Fax No:

Secure Phone No: Secure Fax No:


Supervisor:

COR account Manager: Phone:

COMSEC Account Personnel

Manager: Alternate:

Alternate: Alternate:


COMSEC PERSONNEL INFORMATION

NAME

[Print a copy of this page for each COMSEC Account Manager/Alternate.]

1. Are the COMSEC Account Manager and Alternate(s) properly appointed in writing by the COR? [CNSSI 4005, Section X, para 75] Yes _____ No _____ N/A _____

2. Have the COMSEC Account Manager and Alternate(s) received formal training at a DHS Course of Instruction? [DHS 4300B.200, Section 6.3] Yes _____ No _____ N/A _____ Date:

3. Are the following forms/documents on file for the Manager and Alternate(s)?

a. Cryptographic briefing certificate Yes _____ No _____ N/A _____ Date:
b. Signature Card (DHS Form 580) Yes _____ No _____ N/A _____ Date:
c. COMSEC Required Reading Yes _____ No _____ N/A _____ Date:
d. Copy of Courier Letter/Courier Card Yes _____ No _____ N/A _____ Date:

Remarks:


ACCOUNT FILES

Files

1. Does the account have a formal account establishment letter from the COR on file? [DHS 4300B.200, Section 6.3] Yes _____ No _____ N/A _____

2. Are Account Files/Reports marked according to classification and special handling requirements (e.g., FOUO, Confidential, etc.)? [DHS 4300B.200, Section 7.4.3.1; 7.4.3.2] Yes _____ No _____ N/A _____

3. Is there a copy of the latest Semi-Annual Inventory on file? [DHS 4300B.200, Section 7.9.4] Yes _____ No _____ N/A _____

4. Was the inventory completed and uploaded to CARDS within 20 working days of receipt? [DHS 4300B.200, Section 7.9] Yes _____ No _____ N/A _____

5. Is there a copy of the latest self-inspection completed and provided to DHS auditors for reference during the current audit? [DHS 4300B.200, Section 6.5.1] Yes _____ No _____ N/A _____

6. Does the account have a USTRANSCOM/J3 Defense Courier Division (DCD) account? [DHS 4300B.200, Section 6.2] Yes _____ No _____ N/A _____

a. Date DCD IMT 10 Defense Courier Account Record signed by DCD:
b. Are the security clearances for those personnel listed on the DCD IMT 10 commensurate with the classification level of the material in the account? Yes _____ No _____ N/A _____

7. Is there a copy of the Courier letter or Courier card on file for those personnel who transport classified and/or COMSEC material? [DHS 4300B.200, Section 7.4.3] Yes _____ No _____ N/A _____

8. Are printed or electronic copies of all effective DHS COR COMSEC Advisories on file? [DHS 4300B.200, Section 6.5.1] Yes _____ No _____ N/A _____

9. Are all COMSEC related files and reports retained for a minimum of 3 years? [DHS 4300B.200, Section 7.4.3.3] Yes _____ No _____ N/A _____


Standard Operating Procedures (SOP)

1. Does the account have a COMSEC SOP? [CNSSI 4004.1, Section VII, para 17; DHS 4300B.200, Section 6.5.1] Yes _____ No _____ N/A _____

2. Does the COMSEC SOP include Emergency Plan (EP)? [CNSSI 4004.1, Section VII, para 17; DHS 4300B.200, Section 9.1] Yes _____ No _____ N/A _____

Emergency Plan (EP)

1. Is the EP posted? [DHS 4300B.200, Section 9.2] Yes _____ No _____ N/A _____

2. Are all concerned personnel familiar with the implementation of the EP? [CNSSI 4004.1, Section VII, para 21b; DHS 4300B.200, Section 9.2] Yes _____ No _____ N/A _____

3. Are periodic (quarterly recommended) Emergency Plan training exercises being conducted and documented? [CNSSI 4004.1, Section VII, para 21c.; DHS 4300B.200, Section 9.2] Yes _____ No _____ N/A _____

4. Is COMSEC and classified material stored in ways to facilitate emergency evacuation or destruction, including Destruction Priority? [CNSSI 4004.1, para 17.c.(2), CNSSI 4004.1, Annex E, para 3; DHS 4300B.200, Section 9.3] Yes _____ No _____ N/A _____

Emergency Destruction Procedures (EDP) [CNSSI 4004.1, Section VII, para 17; DHS 4300B.200, Section 9.0]

1. Has an initial risk assessment of the potential for hostile actions against the facility been conducted? Yes _____ No _____ N/A _____

2. Based on the results of the risk assessment, does the account have Emergency Destruction Procedures as part of the EP (required for OCONUS Accounts)? Yes _____ No _____ N/A _____

3. Has the Cognizant Security Official certified in writing that there is no need to consider hostile actions? Yes _____ No _____ N/A _____

4. Does account maintain emergency destruction tools? [CNSSI 4004.1, Annex E] Yes _____ No _____ N/A _____

COMSEC Incident Reports:

1. Upon discovery of a COMSEC Incident, was the initial report filed promptly? [CNSSI 4003, Section V; DHS 4300B.200, Section 10.1] Yes _____ No _____ N/A _____

2. Was the COMSEC Incident report submitted in accordance with CNSSI 4003? Yes _____ No _____ N/A _____

3. Does the account have a copy of the final disposition from NSA/COR on file? [DHS 4300B.200, Section 7.4.3.3] Yes _____ No _____ N/A _____

COMSEC MATERIAL ACCOUNTING AND HANDLING

COMSEC Account Management

1. If the Account Manager changed within the last 3 years, did the incoming manager do a turnover inventory with the outgoing manager? [DHS 4300B.200, Section 7.9.5] Yes _____ No _____ N/A _____

2. Did the manager do a self-inspection on the account every 6 months? [DHS 4300B.200, Section 6.5.1] Yes _____ No _____ N/A _____

Distributed INFOSEC Accounting System (DIAS) [DHS 4300B.200, Sections 7.1; 7.2]

1. Is account using DIAS? Yes _____ No _____ N/A _____ Version:

2. Does the Manager/Alternate Manager perform DIAS data file backups every 30 days at a minimum or more frequently depending on volume of transactions? Yes _____ No _____ N/A _____

Hand Receipts [CNSSI 4005, Section XII, para 112; DHS 4300B.200, Section 7.7]

1. Is all issued COMSEC material documented on SF-153 hand receipt? Yes _____ No _____ N/A _____

2. Are the SF 153 Hand receipts current? [DHS 4300B.200, Section 7.7.1]

a. Has material on hand receipt been sighted by the COMSEC Account Manager during semi-annual inventories? Yes _____ No _____ N/A _____
b. Are hand receipts updated semi-annually if the manager does not physically sight the material during a semi-annual inventory? Yes _____ No _____ N/A _____

3. Is COMSEC material issued to the actual user of the material, except for Emergency Operations Centers? Yes _____ No _____ N/A _____


4. Is all COMSEC material that is issued for contingency locations or Emergency Operations Centers issued to a properly cleared individual who is responsible for the maintenance of the site? ...... Yes _____ No _____ N/A _____
5. Is Top Secret key hand receipted to two properly authorized and trained individuals? ...... Yes _____ No _____ N/A _____
6. Does the Manager maintain a record of issued secure telephone device phone numbers (either annotated on hand receipt or via separate listing)? [DHS 4300B.200, Section 7.4.3] ...... Yes _____ No _____ N/A _____
7. Is COMSEC training being conducted and documented with hand receipt holders? ...... Yes _____ No _____ N/A _____
8. Has the account’s local organization initiated procedures ensuring individuals do not leave the organization without first returning or destroying COMSEC material issued to them on a hand receipt? [CNSSI 4005, Section X, para 76j; DHS 4300B.200, Section 6.5.1] ...... Yes _____ No _____ N/A _____

Handling Requirements for COMSEC Material

1. Does the Manager understand the correct procedures for receipt of COMSEC material into the account? [DHS 4300B.200, Section 7.5] ...... Yes _____ No _____ N/A _____
2. Does the Manager forward signed copies of the transfer report to the originator and to the COR? [DHS 4300B.200, Section 7.6.5] ...... Yes _____ No _____ N/A _____
3. Is Protective Packaging (e.g., canisters, marbleized wrapping, logo tape) free of any type of labels, including bar code labels? [CNSSI 4005, Section XV, para 142a] ...... Yes _____ No _____ N/A _____
4. Are the users performing an electronic rekey at least annually before the expiration date of the key that is installed in the terminal? [DHS 4300B.200, Annex C, para 20.] ...... Yes _____ No _____ N/A _____
5. Has the Manager contacted the Controlling Authority to initiate action to reduce, suspend, or cancel distribution of unneeded keying material to the account? [CNSSI 4006, section XI, para 34; DHS 4300B.200, Section 6.5.1] ...... Yes _____ No _____ N/A _____
6. Is the account authorized to hold Top Secret COMSEC Material? (Refer to HCI) ...... Yes _____ No _____ N/A _____


   a. If yes, are Two Person Integrity (TPI) procedures established? [CNSSI 4005, Section VII.C] ...... Yes _____ No _____ N/A _____

BRIEFINGS [CNSSP 3; DHS 4300B.200, Section 4.2]

CRYPTOGRAPHIC Briefings are required for COMSEC Managers and Alternates, crypto installation technicians, and individuals involved in keying operations or key destruction, including deletions from Fill Devices. Secure Telephone User Briefings are required for individuals using wired and wireless telephone devices (see SECURE TELEPHONES).

Cryptographic Access Briefing

1. Is there a Cryptographic Access Briefing on a SD Form 572, Section I, on file for the following individuals?
   a. Manager and Alternates of COMSEC Accounts holding classified TOP SECRET and SECRET key marked CRYPTO ...... Yes _____ No _____ N/A _____
   b. Personnel requiring access to spaces where cryptographic keying materials are generated or stored ...... Yes _____ No _____ N/A _____
   c. Personnel involved in crypto keying operations or performing crypto destruction, including deletion from any Fill Device ...... Yes _____ No _____ N/A _____
2. Are individuals who have received cryptographic access briefings and no longer require access debriefed using SD Form 572, Section II? ...... Yes _____ No _____ N/A _____

SECURE TELEPHONES

1. Does the account file contain a copy of the Secure Telephone User’s Responsibility Certificate for all users? [DHS 4300B.200, Annex C para 3.b.] ...... Yes _____ No _____ N/A _____
2. Is the COMSEC Manager notified when a Secure Telephone Device is physically moved from its original installation site? [DHS 4300B.200, Annex C, para 11.] ...... Yes _____ No _____ N/A _____
3. When a Secure Telephone Device installation in a private residence is authorized, are the following requirements met? [DHS 4300B.200, Annex C, para 14.]


   a. A Physical Security Evaluation (PSE) to certify minimum security standards prior to installation. [NSTISSI 3013(STU III) Annex A, para 2.b; NSTISSI 3030, Section XIII, para 33] ...... Yes _____ No _____ N/A _____
   b. A copy of the Physical Security Evaluation (PSE) maintained on file by the COMSEC Manager ...... Yes _____ No _____ N/A _____
   c. Approval from the CISO for Secure Telephone Devices keyed Top Secret ...... Yes _____ No _____ N/A _____
   d. Keyed only with RESIDENCE key ...... Yes _____ No _____ N/A _____
   e. The security clearance of the user verified by the DHS personnel security office ...... Yes _____ No _____ N/A _____
   f. Written documentation of need approved by the appropriate agency physical security office with a copy on file with the COMSEC Account Manager ...... Yes _____ No _____ N/A _____
   g. User briefed on the security and use of the equipment and signed the briefing stipulating that they understand their responsibilities ...... Yes _____ No _____ N/A _____
4. Does the COMSEC Manager ensure that all authorized secure cell phone users understand and are aware of their responsibilities for PIN control requirements, and for proper storage, handling, and usage of their secure cell phones to minimize risk? [DHS 4300B.200, Annex C] ...... Yes _____ No _____ N/A _____

Enhanced Crypto Card (KSV 21) Management [DHS 4200B.200, Section 5.4; IAD DOC-007-07]

1. Is all STE Keying Material ordered and handled appropriately (i.e., Seed or Operational)? ...... Yes _____ No _____ N/A _____
2. Are all TPA cards controlled by the COMSEC Manager? [DHS 4300B.200 Annex C para 5.a.1)c)] ...... Yes _____ No _____ N/A _____
3. Is a TPA password set for all STEs? [DHS 4300B.200 Annex C para 5.a.1)c)] ...... Yes _____ No _____ N/A _____

FILL DEVICES

1. During initialization are all electronic fill devices (DTD/SKL/SDS/RASKL) being set up with the correct information? [CNSSI 3021, section VII, para 21d; DOC 127-10] ...... Yes _____ No _____ N/A _____
   a. Date and Time ...... Yes _____ No _____ N/A _____


   b. DTD Serial Number ...... Yes _____ No _____ N/A _____
   c. Home Address ...... Yes _____ No _____ N/A _____
   d. Auto shut off time ...... Yes _____ No _____ N/A _____
   e. Light auto shut off time ...... Yes _____ No _____ N/A _____
   f. Change Battery Date/Time ...... Yes _____ No _____ N/A _____
2. Are all fill devices containing key handled/stored properly? [CNSSI 3021, Section VII] ...... Yes _____ No _____ N/A _____
3. Does the Manager review the audit trail for anomalies at least every 30 days? [DHS 4300B.200, Annex B, para 3.] ...... Yes _____ No _____ N/A _____
4. In the event of discovery of audit trail anomalies, are anomalous data preserved in support of local and/or external investigation (e.g., NSA/COR, etc.) and treated as classified at a minimum of Secret pending investigation and resolution/outcome? [DOC 127-10, para 16.g.] ...... Yes _____ No _____ N/A _____
5. When electronic key is received by the account, is a disposition record form (DRF) completed immediately to record load and/or deletion of the key? [DHS 4300B.200, Annex B, para 3.] ...... Yes _____ No _____ N/A _____

COMSEC MATERIAL STORAGE REQUIREMENTS

1. Is COMSEC Material properly stored when not being used or under the direct control of authorized personnel? [DHS 4300B.200, Section 5.0] ...... Yes _____ No _____ N/A _____
2. Is Reserve on Board (ROB) COMSEC Keying material marked CRYPTO stored in a GSA approved Class V or Class VI security container to which only the COMSEC Manager and Alternate(s) have access? [DHS 4300B.200, Section 5.4] ...... Yes _____ No _____ N/A _____
3. Is COMSEC Keying material marked CRYPTO issued to users stored in a GSA approved Class V or Class VI security container? [DHS 4300B.200, Section 5.2; 5.4] ...... Yes _____ No _____ N/A _____
4. Is CCI Equipment stored in an unkeyed condition? [DHS 4300B.200, Section 5.10] ...... Yes _____ No _____ N/A _____


DESTRUCTION [CNSSI 4006]

1. Does the Manager attain appropriate authorization (status information) from the controlling authority prior to destroying regularly and irregularly superseded keying material? [DHS 4300B.200, Section 7.4.3; 7.5.6] ...... Yes _____ No _____ N/A _____
2. Are routine destructions being completed within prescribed time limits as follows? [DHS 4300B.200, Section 7.3.2]
   a. Within 12 hours of supersession if extracted from protective packaging for operational use? ...... Yes _____ No _____ N/A _____
   b. Within 5 days of supersession if unissued and in the control of the COMSEC Manager? ...... Yes _____ No _____ N/A _____
   c. If no, has a COMSEC Incident report been submitted? [DHS 4300B.200, Section 10.0; Section 10.1; Section 10.2.3] ...... Yes _____ No _____ N/A _____
3. Was COMSEC material involved in a compromised situation destroyed within 72 hours after receipt of disposition instructions? [DHS 4300B.200, Section 7.8.2] ...... Yes _____ No _____ N/A _____
4. Are the signatures of the Manager, or Alternate in the Manager’s absence, and properly cleared witness on the Destruction Report SF 153? [DHS 4300B.200, Section 7.8.3.1; 7.8.3.3] ...... Yes _____ No _____ N/A _____
5. Was a copy of the Destruction Report forwarded to the COR? [DHS 4300B.200, Section 7.8.3.1; 7.8.3.3] ...... Yes _____ No _____ N/A _____
6. Is a copy of the signed Destruction Report retained in the account files? [DHS 4300B.200, Section 7.4.3] ...... Yes _____ No _____ N/A _____
7. Is the account using an approved COMSEC destruction device? (Refer to NSA EPL) [DHS 4300B.200, Section 7.8.4; 9.4] ...... Yes _____ No _____ N/A _____ Manufacturer: Model:
8. When keying material (physical or electronic (modern or traditional)) is issued to an authorized user, does the Manager provide a Disposition Record Form (DRF)? [DHS 4300B.200, Section 5.6; 7.0; 7.8.3.1; Annex B, para 4.] ...... Yes _____ No _____ N/A _____


9. Does the user return the DRF to the Manager when the destruction of the COMSEC Material is completed? [DHS 4300B.200, Section 7.3; 7.8.1] ...... Yes _____ No _____ N/A _____
10. Is required information properly recorded on the DRF? [DHS 4300B.200, Section 5.6] ...... Yes _____ No _____ N/A _____

COMSEC FACILITY SECURITY

1. Was a Security Inspection conducted on the COMSEC facility before it was authorized to hold classified COMSEC material? [CNSSI 4005 Section VI.B, para 28] ...... Yes _____ No _____ N/A _____ Date of facility inspection:
2. Has the facility received approval in writing by the Department Physical Security Officer to hold COMSEC Material? [CNSSI 4005, Section VI.B, para 28.b.] ...... Yes _____ No _____ N/A _____ Date of latest facility approval:
3. Was the facility reinspected? [CNSSI 4005, Section VI.B, para 28] ...... Yes _____ No _____ N/A _____ Date of reinspection (If applicable):
4. Does the door leading to the COMSEC area have a sign posted on the outside designating it as a Closed/Restricted Area? [DHS 4300B.200, Section 3.1] ...... Yes _____ No _____ N/A _____
5. Is an Access List displayed conspicuously on the inside of the entrance of the Closed/Restricted Area? [DHS 4300B.200, Section 3.2] ...... Yes _____ No _____ N/A _____
6. Is the Access List authenticated by the Facility Security Officer, COMSEC Manager or Alternate? [DHS 4300B.200, Section 3.2] ...... Yes _____ No _____ N/A _____
7. Is a Visitor Register maintained at the facility entrance area? [CNSSI 4005, Section VI.B, para 32; DHS 4300B.200, Section 3.3] ...... Yes _____ No _____ N/A _____
8. Is the COMSEC facility a 24 hour operation? ...... Yes _____ No _____ N/A _____
9. If yes, is accountability maintained whenever cryptographic material is turned over from shift to shift? [CNSSI 4005, Section XI, para 94a&94b] ...... Yes _____ No _____ N/A _____


Security Container

1. Is the COMSEC safe/container GSA approved Class V or VI? [CNSSI 4005, Section VII.D, para 61&62] ...... Yes _____ No _____ N/A _____
2. Does the lock on the Security Container meet the minimum requirements in FF-L-2740 (e.g. X08, X09)? [CNSSI 4005, Section VII.D, para 62.e] ...... Yes _____ No _____ N/A _____
3. Does each Security Container lock possess its own combination? [CNSSI 4005, Section VII.A, para 49] ...... Yes _____ No _____ N/A _____

Security Container Information Form (SF 700)

1. Is a Security Container Information Form (SF 700) maintained for each lock combination? [CNSSI 4005, Section VII.A, para 50; DHS 4300B.200, Section 5.8.1] ...... Yes _____ No _____ N/A _____
2. Is the Security Container Information Form (SF 700) filled out properly? [SF 700 instructions 1-5] ...... Yes _____ No _____ N/A _____
3. Is Part 1 of the SF 700 placed inside each COMSEC security container or secure space? [SF 700 instructions 1-5] ...... Yes _____ No _____ N/A _____
4. Is Part 2 of the SF 700 retained in a central location in case of an emergency? [CNSSI 4005, Section VII.A, para 50] ...... Yes _____ No _____ N/A _____
5. Is the combination to the Security Container/Space changed: [CNSSI 4005, Section VII.A, para 46; DHS 4300B.200, Section 5.8]
   a. Whenever there is a change/reassignment of COMSEC Manager, Alternate, or individuals who have access? ...... Yes _____ No _____ N/A _____
   b. When the possibility exists that the combination has been subjected to compromise? ...... Yes _____ No _____ N/A _____
   c. At least once every two years? ...... Yes _____ No _____ N/A _____
6. Is the SF 700 inspected at least monthly for any sign of tampering? [CNSSI 4005, Section VII.A, para 50] ...... Yes _____ No _____ N/A _____

Security Activity Checklist (SF 701)

1. Is a Security Activity Checklist (SF 701) maintained inside the COMSEC Facility? [CNSSI 4005, Section VI.B, para 31.a.4); DHS 4300B.200, Section 3.4] ...... Yes _____ No _____ N/A _____
2. Is the SF 701 updated to accurately reflect the material/equipment contained in the COMSEC Facility? [DHS 4300B.200, Section 3.4] ...... Yes _____ No _____ N/A _____

Security Container Check Sheet (SF 702) [DHS 4300B.200, Section 3.5]

1. Is a Security Container Check Sheet (SF 702) maintained for each lock combination of a COMSEC container? ...... Yes _____ No _____ N/A _____
2. Is the SF 702 posted on the outside of the door/container? ...... Yes _____ No _____ N/A _____
3. Is the SF 702 checked daily or when office is occupied? ...... Yes _____ No _____ N/A _____
4. In a 24 hour facility, is a security check conducted once per shift? [CNSSI 4005, para 33] ...... Yes _____ No _____ N/A _____

Debrief/Signature Page

1. Check physical security of building & space where COMSEC safe is kept (e.g., security guards, security cameras, alarms, doors, locks, windows, traffic, personnel access, physical alteration of the space since the last audit, etc.).

2. Are there any problems currently affecting the efficiency or operation of this account?


3. Auditor’s comment/conclusions:

4. Out-brief conducted with:

5. Director/Manager’s comments:

Signature of Auditor(s):

Date/Time In: Date/Time Out:


Tab 2 to Annex F

Electronic Key Management System (EKMS) Checklist

Initial required data:

COMSEC Account number:

Date of Audit:

Date of Last Audit:

Physical address:

Highest Classification Indicator (HCI) of the account:

Telephone No: Fax No:

Secure Phone No: Secure Fax No:

Supervisor:

COR account Manager:


1. Is the LMD or LMD/KP as appropriate located in an area where it/they will receive at least SECRET level protection during operation? ...... Yes _____ No _____
2. Have all operators of the EKMS suite received formal EKMS training? ...... Yes _____ No _____
3. Is access to the LMD or LMD/KP restricted to trained operators and COMSEC personnel? ...... Yes _____ No _____
4. When not in use, is the KP stored in a room approved for open storage of SECRET material or in a GSA approved Class V or Class VI container? ...... Yes _____ No _____
5. Is there a minimum of two system administrators? ...... Yes _____ No _____
6. Are the clearances of the System Administrators and Operators equivalent to the classification of the account or at least at the SECRET level? ...... Yes _____ No _____
6. Do the System Administrators and Operators have their own unique LCMS/KP Operator IDs? ...... Yes _____ No _____
7. Are the PINS and PASSWORDS for each System Administrator and Operator recorded on an SF 700 and properly safeguarded? ...... Yes _____ No _____
8. Are the PINS and PASSWORDS changed at least every 6 months?
9. Is a KP CIK ID and PIN log kept and updated accordingly? ...... Yes _____ No _____
10. Are database backups performed daily or whenever changes are made to the account holdings? ...... Yes _____ No _____
11. Are the KP REINIT 1 AND 2 keys appropriately classified and safeguarded at the level of the account HCI? ...... Yes _____ No _____
   a. Are REINIT1 CIKS accounted for as Accountability Legend Code 1 (ALC-1) material? ...... Yes _____ No _____
   b. Are REINIT2 CIKS accounted for as Accountability Legend Code 4 (ALC-4) material? ...... Yes _____ No _____
12. Does the COMSEC Manager ensure that the following routine maintenance functions are performed?
   a. SCO/Unix “ROOT”, “/u/usr” and LCMS backups ...... Yes _____ No _____
   b. KP Changeover at least every 3 months to update the encryption key used by the KP ...... Yes _____ No _____
   c. KP rekey on an annual basis ...... Yes _____ No _____
   d. Data archive ...... Yes _____ No _____
13. Is magnetic media (tape, floppy diskettes) used for backups classified SECRET and clearly labeled with date the backup was performed? ...... Yes _____ No _____


Tab 3 to Annex F

Account Establishment Checklist

Initial required data:

COMSEC Account number:

Date of Audit:

Date of Account Establishment:

Physical address:

Highest Classification Indicator (HCI) of the account:

Telephone No: Fax No:

Secure Phone No: Secure Fax No:

Supervisor:

COR account Manager:


COMSEC PERSONNEL INFORMATION

NAME

[Print a copy of this page for each COMSEC Account Manager/Alternate.]

1. Are the COMSEC Account Manager and Alternate(s) properly appointed in writing by the COR? [CNSSI 4005, Section X, para 75] ...... Yes _____ No _____ N/A _____
2. Does the prospective COMSEC Manager understand that the Alternate COMSEC Manager(s) is/are equally responsible to the account as they are? [DHS 4300B.200, Section 6.5.1] ...... Yes _____ No _____ N/A _____
3. Has the prospective Manager received formal training at a DHS Course of Instruction? [DHS 4300B.200, Section 6.3.2] ...... Yes _____ No _____ N/A _____ Date:
4. If the prospective Manager has not yet received formal training at a DHS Course of Instruction, has a Quota been requested? ...... Yes _____ No _____ N/A _____ Date:
5. Are the following forms/documents on file for the Manager? [DHS 4300B.200, Section 7.4.3]
   a. Cryptographic briefing certificate? ...... Yes _____ No _____ N/A _____ Date:
   b. Signature Card (DHS Form 580) ...... Yes _____ No _____ N/A _____ Date:
   c. Annual COMSEC Required Reading? ...... Yes _____ No _____ N/A _____ Date:
   d. Copy of Courier Letter/Courier Card ...... Yes _____ No _____ N/A _____ Date:


ACCOUNT FILES

Files

1. Has the prospective account submitted a formal request to the COR to establish a COMSEC Account? [DHS 4300B.200, Section 6.3.1] ...... Yes _____ No _____ N/A _____
2. Did the account receive a Formal Account Establishment Letter from the COR? [DHS 4300B.200, Section 6.3] ...... Yes _____ No _____ N/A _____
3. Has the prospective account requested the appropriate COMSEC material to support their requirements? ...... Yes _____ No _____ N/A _____
4. Has the prospective account established a USTRANSCOM/J3 Defense Courier Division (DCD) account? [DHS 4300B.200, Section 6.2] ...... Yes _____ No _____ N/A _____
   a. Date DCD IMT 10 Defense Courier Account Record signed by DCD:
   b. Are the security clearances for those personnel listed on the DCD IMT 10 commensurate with the classification level of the material to be held in the account? ...... Yes _____ No _____ N/A _____
5. Is there a copy of the Courier letter or Courier card on file for those personnel who transport classified and/or COMSEC material? [DHS 4300B.200, Section 7.4.3] ...... Yes _____ No _____ N/A _____

Standard Operating Procedures (SOP) [CNSSI 4004.1, Section VII]

1. Has the prospective account written a COMSEC SOP? [DHS 4300B.200, Section 6.5.1; 7.8.4] ...... Yes _____ No _____ N/A _____
2. Does the COMSEC SOP include an Emergency Plan (EP)? [DHS 4300B.200, Section 9.0] ...... Yes _____ No _____ N/A _____
3. Is the EP posted and all concerned personnel familiar with the implementation of the EP? [DHS 4300B.200, Section 9.2] ...... Yes _____ No _____ N/A _____
4. Does the account have Emergency Destruction Procedures as part of the EP? [DHS 4300B.200, Section 9.1] ...... Yes _____ No _____ N/A _____


5. If not, has an initial risk assessment of the potential for hostile actions against the facility been conducted? [DHS 4300B.200, Section 9.1] ...... Yes _____ No _____ N/A _____
6. Has the Cognizant Security Official certified in writing that there is no need to consider hostile actions? [DHS 4300B.200, Section 9.1] ...... Yes _____ No _____ N/A _____
7. Has the prospective account obtained Emergency Destruction Tools? [CNSSI 4004.1, Annex E, para 6.; DHS 4300B.200, Section 9.1.2] ...... Yes _____ No _____ N/A _____

COMSEC MATERIAL ACCOUNTING AND HANDLING

1. Has the prospective COMSEC Manager established COMSEC training for users? [DHS 4300B.200, Section 6.5.1] ...... Yes _____ No _____ N/A _____
2. Have all COMSEC related files been established as follows? [DHS 4300B.200, Section 7.4]
   a. Transactions (i.e., Transfer, Destruction, Inventory, Possession, Hand Receipt) ...... Yes _____ No _____ N/A _____
   b. COMSEC Advisories ...... Yes _____ No _____ N/A _____
   c. General Correspondence ...... Yes _____ No _____ N/A _____
   d. Courier, Mail, Package Receipts ...... Yes _____ No _____ N/A _____
   e. COMSEC Material Status Information ...... Yes _____ No _____ N/A _____
   f. Manager Appointment Documentation ...... Yes _____ No _____ N/A _____
   g. COMSEC Incidents ...... Yes _____ No _____ N/A _____
3. Are COMSEC related files marked appropriately based on content? [DHS 4300B.200, 7.4.3.2] ...... Yes _____ No _____ N/A _____

BRIEFINGS [CNSSP 3; DHS 4300B.200, Section 4.2]

CRYPTOGRAPHIC Briefings are required for COMSEC Managers and Alternates, crypto installation technicians, and individuals involved in keying operations or key destruction, including deletions from Fill Devices. Secure Telephone User Briefings are required for individuals using wired and wireless telephone devices (see SECURE TELEPHONES).

1. Is there a Cryptographic Access Briefing on a SD Form 572, Section I, on file for the following individuals?


   a. Manager and Alternates of COMSEC Accounts holding classified TOP SECRET and SECRET key marked CRYPTO ...... Yes _____ No _____ N/A _____
   b. Cryptographic installation technicians ...... Yes _____ No _____ N/A _____
   c. Personnel requiring access to spaces where cryptographic keying materials are generated or stored ...... Yes _____ No _____ N/A _____
   d. Personnel involved in crypto keying operations or performing crypto destruction, including deletion from any Fill Device ...... Yes _____ No _____ N/A _____
2. Does the account file contain a copy of the Secure Telephone User’s Responsibility Certificate for all users? [DHS 4300B.200, Annex C para 3.b.] ...... Yes _____ No _____ N/A _____

COMSEC MATERIAL STORAGE REQUIREMENTS

1. Is proper storage available for COMSEC Material when not being used or under the direct control of authorized personnel? [DHS 4300B.200, Section 5.0] ...... Yes _____ No _____ N/A _____
2. Do storage spaces and containers satisfy Two-Person Integrity requirements for keying material classified TOP SECRET marked CRYPTO? [DHS 4300B.200, Section 5.9] ...... Yes _____ No _____ N/A _____

COMSEC FACILITY/SECURITY

COMSEC Facility

1. Has a Security Inspection been conducted on the COMSEC facility? [CNSSI 4005 Section VI.B, para 28] ...... Yes _____ No _____ N/A _____ Date:
2. Has the facility received approval in writing by the Department Physical Security Officer to hold COMSEC Material? [CNSSI 4005, Section VI.B, para 28.b.] ...... Yes _____ No _____ N/A _____
3. Does the door leading to the COMSEC area have a sign posted on the outside designating it as a Closed/Restricted Area? [DHS 4300B.200, Section 3.1] ...... Yes _____ No _____ N/A _____
4. Has the prospective account posted an Access List conspicuously inside the entrance of the Closed/Restricted Area? [DHS 4300B.200, Section 3.2] ...... Yes _____ No _____ N/A _____
5. Is the Access List authenticated by the Facility Security Officer, COMSEC Manager, or Alternate Manager? [DHS 4300B.200, Section 3.2] ...... Yes _____ No _____ N/A _____
6. Is a Visitor Register maintained at the facility entrance area? [CNSSI 4005, Section VI.B, para 32; DHS 4300B.200, Section 3.3] ...... Yes _____ No _____ N/A _____
7. Is the facility a 24 hour operation? ...... Yes _____ No _____ N/A _____
8. If yes, has accountability been established whenever cryptographic material is turned over from shift to shift? [CNSSI 4005, Section XI, para 94a&94b] ...... Yes _____ No _____ N/A _____
9. Has an authorized destruction device been obtained? (Refer to NSA EPL) [DHS 4300B.200, Section 7.8.4] ...... Yes _____ No _____ N/A _____

Security Container

1. Has a GSA approved Class 5 or 6 Security Container been obtained? [CNSSI 4005, Section VII.D, para 61&62] ...... Yes _____ No _____ N/A _____
2. Does the lock on the Security Container meet the minimum requirements in FF-L-2740? [CNSSI 4005, Section VII.D, para 62.e] ...... Yes _____ No _____ N/A _____
3. Does each Security Container lock possess its own combination? [CNSSI 4005, Section VII.A, para 49] ...... Yes _____ No _____ N/A _____

Security Container Information Form (SF 700)

1. Has a Security Container Information Form (SF 700) been completed for each lock combination? [NSTISSI 4005, Section XV, para. 101] ...... Yes _____ No _____ N/A _____
2. Is the Security Container Information Form (SF 700) filled out properly? [SF 700 instructions 1-5] ...... Yes _____ No _____ N/A _____
3. Is Part 1 of the SF 700 placed inside each COMSEC security container? [SF 700 instructions 1-5] ...... Yes _____ No _____ N/A _____
4. Is Part 2 of the SF 700 retained in a central location in case of an emergency? [CNSSI 4005, Section VII.A, para 50] ...... Yes _____ No _____ N/A _____


5. Will the account be authorized to hold Top Secret COMSEC Material? (Refer to HCI) ...... Yes _____ No _____ N/A _____
   a. If yes, is Two Person Integrity (TPI) implemented? [CNSSI 4005, Section VII.C] ...... Yes _____ No _____ N/A _____
   b. Is there a SF 700 maintained for each combination set for the container? [CNSSI 4005, Section VII.A, para 50; DHS 4300B.200, Section 5.8.1] ...... Yes _____ No _____ N/A _____
6. Have all Security Container combinations been changed from the shipping/storage to proper combinations? [DHS 4300B.200, Section 5.8.3] ...... Yes _____ No _____ N/A _____

Security Activity Checklist (SF 701) [DHS 4300B.200, Section 3.4]

1. Has a Security Activity Check Sheet (SF 701) been posted inside the COMSEC Facility? ...... Yes _____ No _____ N/A _____
2. Is the SF 701 updated to accurately reflect the material/equipment contained in the COMSEC Facility? ...... Yes _____ No _____ N/A _____

Security Container Check Sheet (SF 702) [DHS 4300B.200, Section 3.5]

1. Has a Security Container Check Sheet (SF 702) been established for each lock of a COMSEC container? [NSTISSI 4005, Section VIII] ...... Yes _____ No _____ N/A _____
2. Is the SF 702 posted on the outside of the door/container? ...... Yes _____ No _____ N/A _____
3. Is the SF 702 checked daily or when office is occupied? [NSTISSI 4005, Section VIII, para 31] ...... Yes _____ No _____ N/A _____
4. In a 24 hour facility, is a security check conducted once per shift? [NSTISSI 4005, para 31a] ...... Yes _____ No _____ N/A _____


Debrief/Signature Page

1. Check physical security of building & space where COMSEC safe is kept (e.g., security guards, security cameras, alarms, doors, locks, windows, traffic, personnel access, physical alteration of the space since the last audit, etc.).

2. Are there any problems currently affecting the efficiency or operation of this account?

3. Auditor’s comment/conclusions:

4. Out-brief conducted with:

5. Director/Manager’s comments:


Signature of Auditor(s):

Date/Time In: Date/Time Out:


Tab 4 to Annex F

Account Disestablishment Checklist

Initial required data:

COMSEC Account number:

Date of Audit:

Date of Last Audit:

Scheduled Date of Account Disestablishment:

Physical address:

Highest Classification Indicator (HCI) of the account:

Telephone No: Fax No:

Secure Phone No: Secure Fax No:

Supervisor:

COR account Manager:


REQUEST TO CLOSE/DISESTABLISH AN ACCOUNT [DHS 4300B.200, Section 6.4.1]

1. Has the COR been notified via official Memorandum at least 60 days prior to the desired date for the account to be closed/disestablished and also requesting the termination of the appointments of the COMSEC Manager and Alternate Manager(s)? ...... Yes _____ No _____ N/A _____ Date:
2. Has the COR approved the request? ...... Yes _____ No _____ N/A _____ Date:
3. Has the account requested termination of their USTRANSCOM/J3 Defense Courier Division (DCD) account? ...... Yes _____ No _____ N/A _____ Date:

INVENTORY REQUIREMENTS FOR ACCOUNT DISESTABLISHMENT [DHS 4300B.200, Section 6.4.2]

1. Concurrent with the request to close/disestablish the account, did the COMSEC Manager and Alternate Manager(s) conduct a physical inventory of all COMSEC material charged to the account? ...... Yes _____ No _____ N/A _____
2. Was the completed (or Negative) inventory uploaded to CARDS within 10 days of receiving the inventory? ...... Yes _____ No _____ N/A _____
3. Has the account requested disposition instructions for all COMSEC material charged to the account? ...... Yes _____ No _____ N/A _____
4. Where discrepancies exist between the inventory and actual holdings, has the Manager taken steps to resolve the discrepancies and report them to the COR? ...... Yes _____ No _____ N/A _____
5. Has all COMSEC material on charge to Hand Receipt holders been properly returned to the account? ...... Yes _____ No _____ N/A _____

DISPOSITION OF COMSEC MATERIAL

1. Has all COMSEC material (both physical and electronic / current and previously held) been disposed of in accordance with instructions provided by the COR? [DHS 4300B.200, Section 6.4.3] ...... Yes _____ No _____ N/A _____
2. Have page checks been performed on all unsealed and resealed COMSEC keying material and operating manuals prior to transfer or destruction? [DHS 4300B.200, Section 7.5.5] ...... Yes _____ No _____ N/A _____
3. Does the COMSEC Manager understand that all the completed account records within the last 3 years (e.g., Transfer, Destruction reports, DIAS backup, etc.) must be forwarded to the COR? [DHS 4300B.200, Section 7.4.3.3] ...... Yes _____ No _____ N/A _____

PREVIOUS AUDIT INFORMATION [DHS 4300B.200, Section 8.0]

1. Does the account have a copy of the last COMSEC Audit on file? ...... Yes _____ No _____ N/A _____ Date:
2. Have previous Audit Discrepancies been corrected? ...... Yes _____ No _____ N/A _____
3. Did the account forward a copy of the Memorandum of Corrective Action to the COR? ...... Yes _____ No _____ N/A _____
4. Did the account maintain a copy of the Memorandum of Corrective Action in the account files? ...... Yes _____ No _____ N/A _____

TERMINATION/DISESTABLISHMENT REPORT [DHS 4300B.200, Section 6.4.5]

1. Has a Final Disestablishment Report been sent by the account to the COR? ...... Yes _____ No _____ N/A _____
2. Does the report indicate that all COMSEC material was properly disposed of in accordance with directions received from the COR and that account reports are up to date and correct? ...... Yes _____ No _____ N/A _____
3. Does the report list points of contact and current telephone numbers of individuals who have a working knowledge of the details of the account being closed/disestablished (this should be the Manager and/or Alternate.)? ...... Yes _____ No _____ N/A _____


Debrief/Signature Page

1. Conduct an inventory (using the attached inventory sheet). Discrepancies/problems:

2. Obtain copies of any documents/forms identified in Pre-Audit that were not sent to the COR.

3. Auditor’s comment/conclusions:

4. Out-brief conducted with:

5. Director/Manager’s comments:

Signature of Auditor(s):

Date/Time In: Date/Time Out:


Annex G

COMSEC Forms and Templates

1. The forms and templates in this Annex are provided for COMSEC Managers to use within their accounts as needed. Locally produced versions are acceptable for STE tracking (if desired), electronic fill device audit trail reviews, and SF 700 tamper inspections. The templates for COMSEC Account personnel nominations and COMSEC Incident reporting should be used as contained in this Annex. In either case, forms used in this Annex are subject to the retention requirements as specified in this instruction.

2. The following forms and templates are included in this Annex:

Tab 1: STE Installation History Record - (Optional)
Tab 2: COMSEC Personnel Nomination Letter Template and Worksheet
Tab 3: Electronic Fill Device Audit Trail Log
Tab 4: SF 700 Tamper Check Log
Tab 5: Access List Template


Tab 1 to Annex G

STE Installation / History Record

STE Information

SN: STEA30

Tamper Seal Nrs: and

Owner / User’s Name:

STE Location / Room Number:

COMSEC Manager

Name:

Office & Phone Number: / Account Number:

TPA KSV 21

SN: Ver: Keyed w/Short Title: USFAU 55555

Classification Lvl: TS S C U / CAVEAT: SCI NOFORN

Holder: Phone:

User KSV 21

SN: Ver: Keyed w/Short Title: USFAU 55555

Classification Lvl: TS S C U / CAVEAT: SCI NOFORN

Holder: Phone:

User KSV 21

SN: Ver: Keyed w/Short Title: USFAU 55555

Classification Lvl: TS S C U / CAVEAT: SCI NOFORN

Holder: Phone:


Network Information

Active Network: ISDN / Tri-Tac / PSTN

Switch Type: NI1 / NI2 Other:

Feature Code Settings: Transfer (61) / Conference (60) / Drop (062)

Service Profile Identifier (SPID) Information

SPID 1: Directory Number 1:

SPID 2: Directory Number 2:

Speaker Phone

Non-Secure: Enabled / Disabled Secure: Enabled / Disabled

Secure Access Control System (SACS) settings:

Speed Dial Numbers: 1. 2. 3. 4. 5. 6. 7. 8. 9. 10.

Unusual problems noted:


Old Serial Number if replaced: STEA30

Serial Number / Type of DTE (if attached):

Work Order / Trouble Ticket Number:

Installed / Inventoried by: Date:

STE software upgrade(s) / Date accomplished: / / /

/ / /

/ / /

If the STE is transferred to another COMSEC Acct. within the DHS COMSEC area of responsibility, provide a copy of this document with the SF 153 Transfer Report.


Tab 2 to Annex G

COMSEC Personnel Nomination Letter Template and Worksheet

1. COMSEC Account Managers must use the COMSEC Personnel Nomination Letter Template and Worksheet located on the DHS COMSEC SharePoint Home page. REMINDER – Nomination letters and worksheets must be submitted with all changes in COMSEC Account personnel in accordance with DHS 4300B.200 Section 6.3.2.

2. The template is located at the following URL: http://mgmt-ocio-sp.dhs.gov/itso/rmd/comsec/SitePages/Home.aspx

See the Shared Documents library. Do not attempt to complete the forms on the SharePoint portal; they must be downloaded to the desired local host or shared drive.


Tab 3 to Annex G

Electronic Fill Device Audit Trail Review Log

COMSEC Account Number: ______

Date | Short/Title | S/N | Anomalies Noted | Reset (Y/N) | Initials

Mandatory Minimum Auditable Events that shall be reviewed:

- Alarm event entry
- Audit trail full
- Audit trail initialization
- Audit upload
- CIK initialization
- Connection to a fill device
- Data or stored key
- Date change
- Information/Data transfers
- Key file received
- Key file transferred
- Key received
- Key transmitted
- Key zeroized (destroyed)
- KOV-21 zeroized
- Login/Login failure attempts
- Time change


Tab 4 to Annex G

SF 700 Tamper Check Log

COMSEC Account Number: ______

Date | Container Number | Anomalies Noted | Initials


Tab 5 to Annex G

Access List Template

MEMORANDUM FOR: Distribution

FROM: John Doe
COMSEC Manager, CA XXXXXX

SUBJECT: Access List, COMSEC Facility Located in Building [xxx], Room [xxx]

1. The following individuals are authorized unescorted access to this facility:

[name]
[name]
[name]
[name]

2. The following individuals are authorized escorted access to this facility:

[name]
[name]
[name]

3. Individuals whose names do not appear on this list may be admitted to this facility based on need to know, and must record entry on the Visitor Register located inside the facility. These persons must be continuously escorted by an individual authorized unescorted access.

Distribution: [as required]
