UNCLASSIFIED//FOR OFFICIAL USE ONLY

EKMS-1E SUPP-1

NAVAL COMMUNICATIONS SECURITY MATERIAL SYSTEM
1560 Colorado Avenue
Andrews AFB, MD 20762-6108

EKMS-1E SUPP-1
Department of the Navy Policy and Procedures for Key Management Infrastructure Operating Accounts (KOAs)

08 May 2017

2250
Ser N5/
08 May 2017

LETTER OF PROMULGATION

1. PURPOSE. EKMS-1E Supp-1 prescribes the minimum policies for issuing, accounting, handling, safeguarding, destroying and disposing of COMSEC (Communications Security) material.

2. BACKGROUND. In the Key Management Infrastructure System (KMI), COMSEC Accounts will use a KMI Client Node/Advanced Key Processor (MGC/AKP) to automate the generation, accounting, distribution, destruction, and management of COMSEC material. As key management continues to evolve, policies and procedures will be developed to provide the necessary guidance to ensure timely support to a global community, which will enhance security, minimize costs and further enhance the secure communications capability of forward deployed elements.

3. APPLICABILITY.

   a. EKMS-1E Supp-1 applies to Department of the Navy activities, including U.S. Coast Guard (USCG), Military Sealift Command (MSC), U.S. Marine Corps (USMC), and U.S. Navy (USN) COMSEC Accounts which have transitioned to the Key Management Infrastructure (KMI). These provisions apply to all who require access to or the use of COMSEC material within KMI. All such personnel must be aware that non-compliance with or deviation from the prescribed procedures can jeopardize the security of the United States and could result in prosecution of the parties concerned under the espionage laws, Title 18 U.S.C., Sections 793, 794, and 798.

   b. Commands whose holdings include Two-Person Controlled (TPC) Sealed Authentication System (SAS) keying material must maintain and consult CJCSI 3260.01 (series) for guidance related to handling and disposing of SAS/TPC material. Messages promulgated by the Controlling Authority (ConAuth), and not the Status of COMSEC Material Report (SCMR), are the authoritative source for status information related to SAS/TPC.

4. SCOPE. The policies in this manual have been derived from OPNAV, SECNAV, and National-level policies and applicable Operational Security Doctrine (OSD) for KMI-related components. The guidance herein supplements, but in no way alters or amends, the provisions of U.S. Navy regulations, SECNAV M5510.30 (series), SECNAV M5510.36 (series), and ICD 705 (series).

5. ACTION. EKMS-1E Supp-1 dated 08 May 2017 is effective upon receipt and supersedes EKMS-1B Supp-1A dated 06 Feb 2015.

6. REPRODUCTION. EKMS-1E Supp-1 is UNCLASSIFIED//FOR OFFICIAL USE ONLY (FOUO) and may be reproduced for local use.

7. Should a conflict exist, or a more stringent requirement be communicated in a revision to an Operational Security Doctrine for COMSEC equipment addressed herein, the respective doctrine for the equipment takes precedence over this manual.

8. COMMENTS. Submit comments, recommendations, and suggestions for changes to Naval Communications Security Material System (NCMS) via the respective Immediate Superior in Command (ISIC) and Type Commander (TYCOM).

J. A. LeCOUNTE
(Digitally signed by LECOUNTE.JAMES.A.1062461426, Date: 2017.05.16 16:27:07 -04'00')

LIST OF EFFECTIVE PAGES

Section                     Page Numbers      Effective
Front Cover                 (Unnumbered)      Original
Letter of Promulgation      01 - 02           Original
List of Effective Pages     i                 Original
Record of Amendments        ii                Original
Record of Page Checks       iii               Original
Manual Overview             iv                Original
Table of Contents           v - xii           Original
Chapter 1                   1-1 - 1-10        Original
Chapter 2                   2-1 - 2-33        Original
Chapter 3                   3-1 - 3-18        Original
Chapter 4                   4-1 - 4-20        Original
Chapter 5                   5-1 - 5-12        Original
Chapter 6                   6-1 - 6-7         Original
Chapter 7                   7-1 - 7-27        Original
Chapter 8                   8-1 - 8-16        Original
Chapter 9                   9-1 - 9-6         Original
Chapter 10                  10-1 - 10-7       Original
Annex A                     A-1 - A-3         Original
Annex B                     B-1 - B-8         Original
Annex C                     C-1               Original
Annex D                     D-1               Original
Annex E                     E-1 - E-4         Original
Annex F                     F-1 - F-2         Original
Annex G                     G-1 - G-13        Original
Annex H                     H-1 - H-2         Original
Annex I                     I-1 - I-4         Original

RECORD OF AMENDMENTS

Amend Number/Identification    Date Entered (YYMMDD)    Entered By (Signature, Rank/Rate, Command Title)

RECORD OF PAGE CHECKS

Date Checked: 05/15/2017
Checked By (Signature, Rank/Rate, Command Title): M. J.
PHILLIPS, CIV, NCMS, GG-13 (digitally signed by PHILLIPS.MILLARD.J.III.1114056975, Date: 2017.05.16 08:08:52 -04'00')

KMI POLICY & PROCEDURES MANUAL (OVERVIEW)

Chapter 1  - Key Management Infrastructure (KMI)
Chapter 2  - Management Client (MGC) System Overview, Security Requirements and Equipment Matters
Chapter 3  - Privilege Management: Roles, Exclusions, Registration and Enrollment
Chapter 4  - Account Establishment and Personnel Designation Requirements
Chapter 5  - Duties and Responsibilities of Key Management Operating Account (KOA) Management Personnel
Chapter 6  - Education, Training and Audits
Chapter 7  - Accounting and Accounting Functions
Chapter 8  - COMSEC Incidents
Chapter 9  - Practices Dangerous to Security (PDSs)
Chapter 10 - Electronic Storage Devices

ANNEXES
A - Abbreviations and Acronyms
B - Definitions
C - COMSEC Library
D - KMI Related Forms Quick Reference
E - Conducting and Verification of Page Checks and Modifications
F - Helpful Uniform Resource Locators (URLs)
G - Emergency Action and Emergency Destruction of COMSEC Material
H - Sample Waiver Request for KOAM or Alternate Appointment
I - Sample Statement of Responsibilities; Information System Privileged Access Agreement and Acknowledgement of Responsibilities (Required for CPAs and CPSOs)

TABLE OF CONTENTS

CHAPTER 1 - KEY MANAGEMENT INFRASTRUCTURE (KMI)
101. INTRODUCTION TO THE KEY MANAGEMENT INFRASTRUCTURE (KMI)
103. KEY MANAGEMENT INFRASTRUCTURE (KMI) ROLES AND SERVICES
     a. Central Services Node (CSN)
     b. Client Platform Administrator (CPA)
     c. Client Platform Security Officer (CPSO)
     d. Command Authority (CMD Auth)
     e. Controlling Authority (CA or CONAUTH)
     f. Device Local Type 1 Registration Authority (DLT1RA)
     g. Device Registration Manager (DRM)
     h. Eligibility Authority (EA)
     i. Eligibility Authority (EA) Proxy
     j. Enrollment Manager (EM)
     k. HP Service Manager (HPSM)
     l. KMI Operating Account Manager (KOAM)
     m. KMI Operating Account Registration Manager (KOARM)
     n. Personnel Local Type 1 Registration Authority (PLT1RA)
     o. Personnel Registration Manager (PRM)
     p. Primary Services Node (PRSN)
     q. Product Source Node (PSN)
     r. Product Requestor (PR)
     s. Type 1 Token Security Officer (TSO)
105. NATIONAL SECURITY AGENCY (NSA)
     a. United States National Distribution Authority
     b. Central Facility (CF)
107. DEPARTMENT OF THE NAVY (DON) ORGANIZATION AND TERMS
     a. Chief of Naval Operations (CNO)
     b. Headquarters Marine Corps (HQMC C4 CY)
     c. Commander, Coast Guard C4IT Service Center (COGARD C4ITSC-BOD-IAB)
     d. Commanding Officer
     e. COMSEC Material Issuing Office (CMIO)
     f. Firefly Credentials Manager
     g. Firefly Point of Contact
     h. Immediate Superior in Command (ISIC)
     i. Key Management Entities (KMEs)
     j. KMI Operating Account (KOA)
     k. KOA Agent (KOAA)
     l. COMSEC Clerk
     m. KMI Operating Account Manager (KOAM)
     n. KOAM (Alternate)
     o. COMSEC Witness
     p. Local Element (LE), LE Issuing, and LE In-Transit
     q. Naval Communications Security Material System (NCMS)
     r. Service Authority (SERVAUTH)
     s. Staff CMS Responsibility Officer (SCMSRO)
     t. Legacy Catalog Manager (LCM)

CHAPTER 2 - MANAGEMENT CLIENT (MGC) SYSTEM OVERVIEW, SECURITY REQUIREMENTS (INCLUDES STORAGE AND SHIPMENT OF COMSEC MATERIAL)
201. General
     a. Client Host/Management Client (MGC)
     b. Client Host Only (CHO)
     c. Delivery Only Client (DOC)
     d. Advanced Key Processor (AKP)
        AKP and REINIT Drive Visual Inspection Log (Figure 2-1)
     e. Type-1 Token (KOV-29)
203. Security Controls
205. KMI Related Certificates
207. MGC/AKP Required Cryptographic Ignition Keys (CIKs) and Keying Material
     a. Operational (AKP) CIKs
     b. Firefly (FF) Vector Set
     c. FF Credentials
     d. Message Signature Key (MSK)
     e. Benign Fill (BF)
     f. Firefly KG Rules
     g. Site Re-initialization
     h. AKP Recertification Label
209. Security and Accountability of KMI-related Devices
     a. Classification of KMI Related Devices
     b. AKPREINIT 1 and AKPREINIT 2 Flash Drives
     c. Location of the MGC/AKP
211. Field Recovery of an AKP
213. Classification and Accountability of KMI-Related Components
215. PINs/Passwords
217. Packaging, Shipping and Transportation of COMSEC Material and Equipment
     Shipping - Quick Reference Matrix (Figure 2-2)
219. Software Upgrades
221. Equipment Failures
223. Security and Storage of COMSEC Material
     a. COMSEC Facilities
     b. Security Containers
     c. Residential Storage
     d. Segregation of Material
     e. Two Person Integrity (TPI)

CHAPTER 3 - PRIVILEGE MANAGEMENT: ROLES, EXCLUSIONS, REGISTRATION AND ENROLLMENT
301. Separation of Duties
303. Role Exclusions
305. KMI Role Exclusion Listing
307. KOA Registration (Overview)
309. KMI Operating Account (KOA) Registration Data
311. Human User (Personnel) Registration
313. KMI Personnel Registration Form, KMI Form 001
315. Enrollment Process - KMI Personnel Enrollment Form, KMI Form 002
317. Roles Supporting KOA Registration
319. Account Registration - COMSEC Account Data for KMI Registration, KMI Form 003
321. Human (Person) User Activation
323. Device Registration Process
325. Device User Initialization
327. Device Endorsement
329. Device Activation
331. KMI Role Management
333. Access Control Managers
335. User Support Manager
337. Type 1 Token Security Officer - (TSO or SO)
339. KOA Agent (KOAA) - A non-management Role
341. Disenrollment
343. Enrollment Reverification
345. Human User Reverification

CHAPTER 4 - ACCOUNT ESTABLISHMENT AND PERSONNEL DESIGNATION REQUIREMENTS
401. Requirement for a KMI Account
403. Establishing a KMI Operating Account (KOA)
     KOA Account Establishment Message Routing (Figure 4-1)
     Asymmetric (Modern) Key Validation Process (Figure 4-2)
     Sample KOA Establishment Request (Figure 4-3)
405. Selection of KMI Personnel
407. Manpower Requirements for KMI Operating Account (KOA)
     a. Account Composition
     b. Grade Requirements for KOAMs, Alternates, LE Issuing and Clerks
409. KOA Manager (KOAM) and Alternates
411. Other KMI Related Roles KOAMs may Perform
     Sample KOAM Appointment Letter (Figure 4-4)
     Sample CPA or CPSO Appointment Letter (Figure 4-5)

CHAPTER 5 - DUTIES AND RESPONSIBILITIES OF KEY MANAGEMENT OPERATING ACCOUNT (KOA) MANAGEMENT PERSONNEL
501. Duties and Responsibilities of:
     a. KOA Managers/Alternates
     b. Personnel Local Type 1 Registration Authority (PLT1RA)
     c. Device Local Type 1 Registration Authority (DLT1RA)
     d. Product Requestors (PR)
     e. Client Platform Administrator (CPA)
     f. Client Platform Security Officer (CPSO)
     g. Controlling Authorities (CONAUTH)
     h. Command Authorities (CMDAUTH)
     i. KOA Registration Managers (KOARM)
     j. Device Registration Manager (DRM)
     k. Enrollment Managers (EM)
     l. Legacy Catalog Manager (LCM)

CHAPTER 6 - EDUCATION, TRAINING AND AUDITS
601. Training Requirements
     KMI Training Quick Reference Matrix (Figure 6-1)
603. KMI Management Client (MGC) Course of Instruction (COI)
605. KMI Training Locations
609. Additional KOAM/Alternate Training Requirements
611. Personnel Qualification Standards (PQS)
613. CMS COR Audits
     KMI Training Matrix (Figure 6-1)

CHAPTER 7 - ACCOUNTING AND ACCOUNT FUNCTIONS
701. Accounting (General)
703. Overview of MGC Accounting Functions
705. Management of COMSEC Material in an Organization
     a. Receipting for COMSEC Material
     b. Issuance of COMSEC Material on a Local Custody Basis
        Issuing Quick Reference Matrix (Figure 7-1)
     c. Management of COMSEC Material at the User, Work Center, LE or KOAA level, as applicable (watch and non-watch environment)
     d. Loading and Usage of Keying Material
     e. Authorization and Transferring COMSEC Material
        Shipping Quick Reference Matrix (Figure 7-2)
     f. Use of Possession and Relief from Accountability Reports and Required Authorization
707. Inventory Requirements
     a. Account Level Inventories
        Fixed-cycle Inventory Matrix (Figure 7-3)
        Inventory Requirement Matrix (Figure 7-4)
     b. Physically Conducting an Inventory
709. Status Information and Destruction of COMSEC Material
     a. Status of COMSEC Material
     b. Other Status Related Terms
     c. Status Information and Responsibilities
     d. Destruction Guidance Applicable at the Account and LE Level
     e. Destruction Time Frames for COMSEC Material at the LE Level
     f. Destruction Time Frames for COMSEC Material at the Account Level
     g. Destruction Personnel
     h. Destruction Methods (Figure 7-5)

CHAPTER 8 - COMSEC INCIDENTS
801. General
     a. Reporting
     b. Types of COMSEC Incident Reports
     c. Time Frames for Reporting
        Quick Reference Matrix (Figure 8-1)
     d. Classification
     e. Required Addees for COMSEC Incident Reports
        PLA Quick Reference Matrix (Figure 8-2)
     f. Related Accounting Reports
803. Organizational Responsibilities
805. Types of COMSEC Incidents
     a. Cryptographic Incidents (Figure 8-3)
     b. Personnel Incidents (Figure 8-4)
     c. Physical Incidents (Figure 8-5)
     d. Sample Initial Report of COMSEC Incident (Figure 8-6)
807. COMSEC Incident Evaluation
     a. Assessing Compromise Probability
     b. Compromise Probability Examples
     c. Additional Information
     Sample Evaluating Authority (EVALAUTH) Message (Figure 8-7)

CHAPTER 9 - PRACTICES DANGEROUS TO SECURITY (PDSs)
901. General
     a. Types of PDSs
     b. PDS Documentation
     c. Reporting Time Frames
903. PDSs by Category
     a. Non-Reportable PDSs (Figure 9-1)
     b. Reportable PDSs (Figure 9-2)
905. PDS Reports
907. PDS Documentation (Samples)
     Non-Reportable PDS (Figure 9-3)
     Reportable PDS (Figure 9-4)

CHAPTER 10 - ELECTRONIC STORAGE DEVICES
1001. General
1003. Software Management
1005. Classification, Accountability, Safeguarding and Access
1007. Types of Keying Material Related to Electronic Storage Device (ESD)
1009. Loading Keying Material into an ESD
1011. Visual Inspection Requirements
1013. Destruction of Electronic Keying Material
1015. Transportation and Shipment
1017. Audit Trail Review Requirements
1019. ESD Interface Flows
1021. Emergency Protection
1023. Repair and Maintenance

ANNEXES
ANNEX A  Acronyms
ANNEX B  Definitions
ANNEX C  COMSEC Library
ANNEX D  KMI Forms Quick Reference
ANNEX E  Conducting and Verification of Page Checks and Modifications
ANNEX F  Helpful URLs
ANNEX G  Emergency Action and Emergency Destruction of COMSEC Material (recommend deleting due to EKMS 1 redundancy)
ANNEX H  Sample Waiver Request Message for KOAM or Alternate Appointments
ANNEX I  Statement of Acceptance of Responsibilities; Key Management Infrastructure (KMI) Management Client (MGC), Client Host Only (CHO) or Delivery Only Client (DOC) Information System Privileged Access Agreement and Acknowledgment of Responsibilities

CHAPTER 1 - KEY MANAGEMENT INFRASTRUCTURE (KMI)

101. INTRODUCTION TO THE KEY MANAGEMENT INFRASTRUCTURE (KMI).

   a. KMI will represent a substantial change in how keying material is accessed, accounted for, delivered, and ordered in comparison to the technologies and media previously used. The flexibility and scalability built into the KMI architecture have been designed to operate in a unified, network-centric approach.
KMI will make use of additional and faster communications media to deliver required products to the COMSEC community; this will include the Secret Internet Protocol Router Network (SIPRNET), the Non-Classified Internet Protocol Router Network (NIPRNET) and the Joint Worldwide Intelligence Communications System (JWICS). KMI will support web-based ordering and delivery of required keying material to the war fighter; support benign fill techniques; support the delivery of key to End Cryptographic Units (ECUs); and support Over the Network Key (OTNK) delivery.

   b. In the KMI, certain roles require tokens (KOV-29) personalized to the holder of the role in lieu of user IDs and passwords. Role- and rule-based policies will be implemented to restrict the functions performed and to ensure compliance with mandated separation of duty requirements, referred to herein as role exclusions.

   c. KMI will also introduce new internal and external roles, which will be performed by and assigned to different individuals and organizations.

   d. Access to KMI related systems and resources is restricted to properly cleared, trained and authorized personnel whose official duties require access and are consistent with need-to-know principles. Access controls will be in compliance with DoD, DON and National IA regulations.

103. KEY MANAGEMENT INFRASTRUCTURE (KMI) ROLES AND SERVICES.

   a. Central Services Node (CSN) - The CSN is the KMI core node maintained and managed at NSA and provides the long-term system archive.

   b. Client Platform Administrator (CPA) - An individual designated in writing by the Commanding Officer (CO), responsible for System Administration functions involving the KMI Management Client, referred to herein as the MGC. Personnel appointed as a CPA with administrative privileges must be registered and enrolled in KMI, but do not require a Type 1 token. The CPA role cannot be concurrently assigned to the holder of the Client Platform Security Officer (CPSO) role. If the role of the CPA is performed by the KOAM, the additional training requirements discussed in Chapter 6 of this document must be satisfied.

   c. Client Platform Security Officer (CPSO) - An individual designated in writing by the CO, responsible for security monitoring, including the review of audit data associated with the MGC. This role requires a Type 1 token and cannot be performed by a KOAM or CPA.

   d. Command Authority (CMD Auth) - Responsible for requesting partition codes and Department/Agency/Organization (DAO) codes and for specifying partition and code ordering privileges on behalf of Product Requestors. If a CMD Auth has a requirement to order keying material, they must also be enrolled as a Product Requestor within the KMI.

   e. Controlling Authority (CA or CONAUTH) - In the KMI architecture, the CA validates requirements for symmetric (traditional) keying material and book-packaged material.

   f. Device Local Type 1 Registration Authority (DLT1RA) - Responsible for verifying the existence and condition of KMI-aware devices, approving the conversion of the device's infrastructure seed key, and initiating a request for a Type 1 certificate for the device. Within the DON, this role will be performed by either the KOAM or an Alternate KOAM for the account. This role requires a Type 1 token and cannot be held by someone appointed as the CPSO or Device Registration Manager (DRM).

   g. Device Registration Manager (DRM) - Responsible for both registration and initialization of KMI-aware devices. These devices include, but are not limited to, ECUs, Type 1 Tokens, and AKPs. This role requires a Type 1 token.

   h. Eligibility Authority (EA) - The EA role will be held by the Commanding Officer of the account, unless delegated at his/her discretion to the Command Security Manager (CSM), Assistant Command Security Manager or Special Security Officer (SSO). If other than the CO, the EA must be designated in writing by the CO. The EA conducts face-to-face verification of persons to be appointed to a position requiring registration and enrollment in KMI. The EA is also responsible for submitting requests for disenrollment to the EA Proxy when a manager transfers, retires, separates, has their access or clearance suspended, or when access is no longer required.

   i. Eligibility Authority (EA) Proxy - The EA Proxy is responsible for final verification of KMI related forms and documentation received from DON activities prior to submission to NSA for registration and enrollment actions in the KMI. The EA Proxy role will be fulfilled by NCMS.

   j. Enrollment Manager (EM) - A security-sensitive role in which the entity/individual will be responsible for the assignment of KMI User Identities to management roles, rule-based attributes to KMI manager identities, and privileges to a Type 1 identity issued for use in KMI. This role requires a Type 1 token and within the DON will be performed by NCMS.

   k. Service/Agency Help Desk Manager - A role assigned to personnel providing customer organization-specific help desk services.

   l. KOA Manager (KOAM) - Formerly referred to as an Electronic Key Management System (EKMS) Manager or COMSEC Custodian. Additional duties and responsibilities of the KOAM are outlined in EKMS-1(series) Art 455. The role of the KOAM requires a Type 1 token and cannot be performed by either a Client Platform Security Officer (CPSO) or a KOA Registration Manager (KOARM). As KMI-aware devices are developed, the KOAM will also be responsible for the proper maintenance of the account's Device Distribution Profile (DDP), including the timely addition of devices to the appropriate DDP to allow delivery of key to the device.

   m. KOA Registration Manager (KOARM) - Responsible for maintaining registration information related to KOAs. Within the DON, NCMS will perform KOARM-related functions in KMI.

   n. Personnel Local Type 1 Registration Authority (PLT1RA) - The PLT1RA is the role assigned to individuals responsible for performing face-to-face verification of the identity of the user receiving the Type 1 token, initiating a certificate request, and performing the download of the Type 1 certificates onto the token. With the exception of their own token, the PLT1RA is also the Type 1 Token Security Officer (TSO or SO) for tokens issued during their assignment as PLT1RA. Within the DON, this role will be performed by either the KOAM or an Alternate KOAM for the account. This role requires a Type 1 token and cannot be held by the CPSO or Personnel Registration Manager (PRM).

   o. Personnel Registration Manager (PRM) - Responsible for the validation of authoritative data and the registration of users within the KMI. This role requires a Type 1 token and will be performed at NSA.

   p. Primary Services Node (PRSN) - The PRSN, maintained at NSA and referred to as the KMI Storefront, will operate on all KMI supported networks and serves as the interface between Client Nodes and other Nodal components in KMI. The operating status of the PRSN is available at www.iad.nsa.smil.mil - IA Services - KMI Program Office - Operations Infrastructure Components.

   q. Product Source Node (PSN) - The PSN, maintained at NSA, will generate and produce most of the cryptographic keying material currently produced at the Central Facility (Tier 0) and Central Office of Record (Tier 1), based on product or service orders received from the Primary Services Node (PRSN). The PSN will also produce Type 1 certificates and other forms of credentials such as Personal Identification Numbers (PINs).

   r. Product Requester (PR) - An external manager responsible for requesting products and services. PRs must be enrolled as managers and their privileges defined by the Product Manager, which is typically the CONAUTH or CMDAUTH. PRs who order asymmetric products perform functions previously performed by a User Representative (UR).

   s. Type 1 Token Security Officer (TSO) (throughout this document, the acronyms TSO and SO both refer to the same role or the person occupying it) - A TSO is not a KMI role and therefore does not require registration, enrollment, or a Token to perform required duties. A KOAM can perform the duties of the TSO for another Manager's token and vice versa; however, a KOAM cannot be the TSO for his or her own token. Any person performing the role of TSO must complete the required TSO CBT; see Annex F for the URL. If the role is fulfilled by an individual other than the KOAM, he or she must be designated as the TSO in writing by the CO. The TSO must validate that the Token is personalized to the requesting KOAM by comparing the name reflected in the certificate information with the identification presented, prior to resetting the KOAM's operational password. See the OSD for the SKEY6500 Token (KOV-29) for TSO/SO specific duties, responsibilities and the related periodicities for their execution.

105. NATIONAL SECURITY AGENCY (NSA). NSA serves as Tier 0 and is the executive agent for developing and implementing national-level policy affecting the control of COMSEC material, and manages and maintains the Central Services Node (CSN). NSA is also responsible for the production and distribution of most COMSEC material used to secure communications, as well as for the development and production of cryptographic equipment.

   a. UNITED STATES NATIONAL DISTRIBUTION AUTHORITY (USNDA). USNDA serves as the consolidated COMSEC distribution facility for physical keying material.
USNDA processes and automatically ships physical Reserve on Board (ROB) material required by each of the services to the DCS delivery address of record. b. CENTRAL FACILITY (CF). The CF primarily functions as a high volume key generation and distribution center. The CF provides commands with keying material currently produced by NSA that cannot be generated locally or must be generated by Tier 0. The CF will interact with commands through a variety of media, communication devices and networks, allowing for the automated ordering and distribution of asymmetric (modern) keying material. 107. DEPARTMENT OF THE NAVY (DON). For COMSEC purposes, DON encompasses KOAs owned/managed by the Navy, Marine Corps, Coast Guard, and Military Sealift Command (MSC). The DON system implements national policy, publishes procedures, and establishes its own KOAs with NCMS serving as a Service Authority (SERVAUTH) for COMSEC material. a. CHIEF OF NAVAL OPERATIONS (CNO). Overall authority, CNO is responsible for implementation of National COMSEC policy within the DON. The Head, Navy Information Assurance (IA) Branch is the COMSEC resource sponsor and is responsible for UNCLASSIFIED//FOR OFFICIAL USE ONLY 1-5 UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1 COMSEC programming, planning and implementation of policy and technical improvements. NOTE: Department of Navy Chief Information Officer (DON CIO), as the Executive Agent, is overall responsible for DON COMSEC policy and oversight. The Deputy Under Secretary of the Navy for Plans, Policy, Oversight and Integration (DUSN PPOI) is the DON's Security Executive responsible for DON security policy. b. HEADQUARTERS MARINE CORPS (C4 CY). HQMC C4 CY serves as COMSEC resource sponsor for the Marine Corps. The department functions as the USMC Service Authority and coordinates with CNO, COMNAVIDFOR, and NCMS to establish, promulgate, and oversee COMSEC account management matters unique to the Marine Corps. 
The C4/CY is the focal point for requirements and administration for all Marine Corps COMSEC accounts. c. COMMANDER, U.S. COAST GUARD C4IT SERVICE CENTER, INFORMATION ASSURANCE BRANCH (C4ITSC-BOD-IAB). C4ITSC serves as the overall authority for USCG KMI/COMSEC matters. C4ITSC serves as the USCG Service Authority, Program Manager and Principal Agent for the USCG COMSEC Program and functions as the USCG’s Evaluating Authority (EVALAUTH), Command Authority (CA) and USCG ISIC. C4ITSC promulgates USCG COMSEC Program policy, exercises service wide management of Coast Guard accounts including hardware and software allowances and acts as principal USCG liaison for KMI/COMSEC matters with the CNO, NCMS and other entities to ensure that all USCG accounts have the necessary resources to operate effectively. d. COMMANDING OFFICER (CO). The CO is overall responsible for proper administration of the command's KOA and ensuring compliance with established policy and procedures. Throughout this manual, responsibilities/duties applicable to Commanding Officers apply equally to Staff CMS Responsibility Officers (SCMSROs) and Officers-In-Charge (OIC) alike. e. COMSEC MATERIAL ISSUING OFFICE (CMIO). CMIO serves as the Physical Material Handling Segment (PMHS) for the DON; receives, stores, and ships Ready for Issue (RFI) equipment to fulfill validated requirements as well as functions jointly with NCMS as the Legacy Catalog Manager (LCM). f. FIREFLY CREDENTIALS MANAGER. A Key Management Entity (KME) responsible for removing outdated credentials from the UNCLASSIFIED//FOR OFFICIAL USE ONLY 1-6 UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1 Directory Service. The duties of the Firefly Credentials Manager are performed by the Central Facility (CF). g. FIREFLY POINT OF CONTACT. NCMS serves as the FIREFLY POC for asymmetric (modern) key privileges with the DON. Accounts requiring replacement Firefly (FF) Vectors and/or Message Signature Key (MSKs) must order such through NCMS. h. 
IMMEDIATE SUPERIOR IN COMMAND (ISIC). Responsible for the administrative oversight of all KMI/COMSEC matters for their subordinate commands. Additional information related to ISIC duties and responsibilities can be found in EKMS-1(series) Articles 130, 315, and 440. i. KEY MANAGEMENT ENTITIES (KMEs). A KME is an activity, organization, or person(s) performing one or more key management–related function for an activity assigned a KOA ID. j. KEY MANAGEMENT INFRASTRUCTURE (KMI) OPERATING ACCOUNT (KOA). Formerly referred to as a CMS, COMSEC or EKMS account; a KOA is an administrative entity in which custody and control of COMSEC material is maintained. Each KOA account is assigned and identified by a six-digit KOA number. k. KOA AGENT (KOAA). A KOA Agent is not a KMI management role within the KMI; a KOAA and Product Requestor are in essence considered COMSEC users. KOAAs are not registered and enrolled like other KMI users, although any KMI Manager can be designated as a KOAA by a KOA Manager. KOA Managers are always automatically designated as KOAAs for their own KOAs. l. COMSEC CLERK. A COMSEC Clerk assists the KOAM or Alternate(s) with routine administrative account matters. Appointment of a Clerk is not mandatory, but is at the discretion of the CO. If appointed, the individual must be designated in writing by the CO. Contractors as COMSEC Clerks: Contractor personnel may be appointed as account clerks provided they meet the designation requirements of this manual for the position and are supervised by the KOAM or Alternate. Close supervision is a necessary condition of the appointment of contractors as clerks. NOTE: As stipulated in the Security Doctrine for the MGC/AKP, access to the MGC/AKP is restricted to personnel who have received formal training and are assigned as a UNCLASSIFIED//FOR OFFICIAL USE ONLY 1-7 UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1 KOAM or Alternate. m. KOA MANAGER (KOAM). 
An individual designated in writing by the CO to manage COMSEC material held by/charged to the unit's KOA. The KOAM is the CO's primary advisor on matters concerning the security and handling of COMSEC material and the associated records, reports, and audits. Throughout this manual the term KOAM refers to either a KOAM or Alternate, as applicable.

n. KOA MANAGER (KOAM ALTERNATE). The individual(s) designated in writing by the CO responsible for assisting the KOAM in the performance of his/her duties and assuming the duties of the KOAM in his/her absence. The alternate is equally responsible for the proper management and administration of a KOA.

o. COMSEC WITNESS. A properly cleared individual (includes contractor personnel) called upon to assist a Manager or Local Element in performing routine administrative tasks related to the handling of COMSEC material. A witness must meet the applicable designation and security requirements set forth in this manual and in Articles 175, 410, 416 and 505 of EKMS-1(series). A witness will be supervised by a KOAM or other qualified and cleared LE personnel.

p. LOCAL ELEMENT, LE ISSUING, AND LE IN-TRANSIT. See EKMS-1(series) Articles 165-166 for the definition, examples and applicable restrictions. In KMI, the term refers to a known person or group, locally registered in the MGC, who are accountable and responsible for COMSEC material issued to them.

q. NAVAL COMMUNICATIONS SECURITY MATERIAL SYSTEM (NCMS). Administers the DON KMI/COMSEC program and fulfills the responsibilities of the SERVAUTH. Additional functions performed by NCMS include:
(1) Drafts and publishes KMI/COMSEC policy directives, standards, and procedures pertaining to KMI/COMSEC material security, distribution, training, handling, and accounting within the DON.
(2) Operates, maintains, and exercises administrative, operational, and technical control over CMIO for distribution of COMSEC equipment.
(3) Develops procedures for and monitors compliance with proper physical storage and account management of COMSEC material.
(4) Monitors compliance with national standards of the Protective Technologies Program for cryptographic keying material.
(5) Reviews requests for and authorizes waivers to physical security requirements and the release of DON COMSEC material to contractors.
(6) Coordinates fleet requirements for the acquisition of all COMSEC material, publications and equipment for DON activities.
(7) Establishes and disestablishes DON COMSEC numbered accounts.
(8) Ensures distribution of COMSEC material to Vault Distribution Logistics System (VDLS) components so that quantities are sufficient for COMSEC account requirements, exercises, and contingency operations.
(9) Provides status information for COMSEC material to KMI accounts and planners.
(10) Provides disposition instructions for DON COMSEC material.
(11) Evaluates COMSEC incidents and Practices Dangerous to Security (PDSs) to determine the adequacy of existing procedures as well as overall compliance with existing policy.
(12) Manages the COR Audit Teams and audit program within the DON, including the training and certification of CMS COR Auditors.
(13) Liaises with the Center for Information Dominance (CID) and acts as the Technical Advisor within the DON training community regarding the KMI course of instruction (COI).
(14) Serves as the Inventory Control Point (ICP) for COMSEC equipment throughout the DON and manages cryptographic equipment assets for the DON.
(15) As the DON KOA Registration Authority, is responsible for the registration and assignment of KMI IDs to commands for ordering required initialization keys for AKPs and for maintaining registration data on its activities/commands.
(16) Serves as the FIREFLY POC for asymmetric (modern) key privileges.
(17) Serves as the Legacy Catalog Manager (LCM) with CMIO on KMI matters.
(18) Serves as the KOA Registration Manager (KOARM) and Eligibility Authority (EA) Proxy for the DON.

r. SERVICE AUTHORITY (SERVAUTH). The role of the Service Authority within each Service may be fulfilled by more than one person or agency within that Service. The Service Authority is responsible for oversight of COMSEC operations, policy, procedures, and training. Additional duties may include:
- Cryptographic hardware management and distribution control, including Foreign Military Sales (FMS).
- Approving account establishment and disestablishment.
- Approving authority for Certification Approval Authorities (CAAs).
- Implementing COMSEC Material Control System (CMCS)/Key Management Infrastructure (KMI) policy and procedures.
- Direct operational support.
- Final adjudication authority for determining when reported COMSEC incidents result in COMSEC insecurities.
- Ensuring Service compliance with COMSEC access program requirements.
- Standing membership on KMI working groups and the CT1 Joint Configuration Control Board (JCCB).

s. STAFF CMS RESPONSIBILITY OFFICER (SCMSRO). A flag or general officer in command status, or the Deputy Commander or Chief of Staff, may either assume personal responsibility for routine COMSEC matters or may designate the responsibility to a staff officer (O-4/GS-12, Pay Band 2, or above). Officers not meeting the above requirement may not designate a SCMSRO. A SCMSRO may exist at a command with an account or LE.

t. LEGACY CATALOG MANAGER (LCM). The LCM is responsible for maintaining the KMI Product Catalog current with the Legacy Electronic Key Management System (EKMS).

CHAPTER 2 – MANAGEMENT CLIENT (MGC) SYSTEM OVERVIEW, SECURITY REQUIREMENTS (INCLUDES STORAGE AND SHIPMENT OF COMSEC MATERIAL)

201. GENERAL: KMI enhances security, improves distribution to the war fighter and alleviates many time-consuming legacy functions historically performed manually. Some processes that will be enhanced through KMI include, but are not limited to: accountability through more automated accounting, delivery of key directly to a forward deployed user's End Cryptographic Unit (ECU), and delivery of key to devices which are KMI-aware vice issuing all keying material for manual loading by LE personnel. KMI is comprised of three NSA-managed core nodes and user-managed Client Nodes. Core nodes consist of the CSN, PSN and PRSN. KMI will introduce the use of Type 1 Public Key Infrastructure (PKI) certificates and tokens for human users and user devices requiring access to the KMI. KMI will also provide secure integration of commercial products in tactical environments through the use of PKI certificates to ensure identification, authentication and confidentiality requirements are enforced.

In the KMI, the Client Host Platform is referred to as the Management Client, Client Host or simply the "MGC". The MGC suite consists of a fully equipped MGC and related peripherals including an Advanced Key Processor (AKP), Printer, Barcode Scanner, Type 1 Token (KOV-29), a High Assurance Internet Protocol Encryptor (HAIPE) device (KG-250) and other peripheral components reflected in the OSD for the MGC. The MGC itself consists of three separate components: a Client Host, a KOK-32 Advanced Key Processor (AKP) and a KOV-29 (Token). Some of the functions available when disconnected are the local management of a KOA, which includes but is not limited to local symmetric key generation, distribution of electronic and hard copy key stored at the KOA, and all local accounting functions.

a. Client Host/Management Client (MGC).
The Client Host provides the KOAM the ability to order, account for, distribute, and manage keying material, equipment and other COMSEC materials.
1. The Client Host is approved to process and store Unclassified//FOUO encrypted keying material and data up to and including Secret.
2. The Client Host shall never process or store unencrypted key and is not authorized to process or store Top Secret data. At no time will a KOAM upload Top Secret Red Key or data from a fill device to the Client Host.
3. Policy, Procedural, Doctrine or other reference material helpful in the management of the account may be uploaded and stored in the InfoCenter folder on the MGC desktop.

b. Client Host Only (CHO). The CHO is an NSA-approved management platform that operates without an AKP. The CHO operates on the same Windows Operating System (OS) as the Client Host where a full MGC suite is deployed. Although the CHO does not have an AKP, it is able to receive packages and communicate directly with another client node, but it does not support the protocols for red key fill. A CHO may be the appropriate and more cost-effective solution for Controlling Authorities, Command Authorities, Registration Managers and Registration Authorities when personnel performing these roles are not KOAMs for an account where an AKP is required. Many accounting functions not related to key production and generation are available with a CHO. Should an account equipped with an MGC/AKP suite suffer an AKP failure, it is possible to manage the account as a CHO; the Client Host will detect whether an AKP is available and provide the corresponding degree of service to the KMI (i.e., "full" MGC with an AKP, CHO without an AKP). An illustration of a CHO is reflected on the following page.
[Figure: Client Host Only (CHO) Illustration. Components shown: Client Host (High Assurance Platform), Printer, Barcode Scanner, Type 1 Token, HAIPE (KG-250).]

c. Delivery-Only Client (DOC). The DOC represents the customer end of the client-server interaction and is capable of reach-back and communications with the PRSN's Delivery-Only interface to receive products and services. The DOC, like the CHO, does not consist of the fully integrated MGC/AKP suite. The DOC interface may use either Transport Layer Security (TLS) or a user-name and password for identification and authentication. Once authenticated, KMI will permit the viewing of the Product Activity List (PAL) reflecting products and services the requestor is authorized to receive.

d. Advanced Key Processor (AKP).
1. The AKP is a Type 1 cryptographic device used in KMI. It is assigned the Short Title KOK-32, is classified SECRET and will be accounted for as ALC-1 in the CMCS.
2. Although the AKP can support either Test (TestPAC) or Operational Positive Access Control (OpPAC), changing an AKP from test to operational and vice versa is prohibited; regardless of status (test or operational), the AKP must be registered in KMI.
Note 1:
Operational KOA – Operational Positive Access Control (OpPAC) AKP with a Type 0 FIREFLY key.
Operational KMI Entity – OpPAC AKP without Type 0 FIREFLY key.
Test KOA – Test Positive Access Control (TestPAC) AKP with Type 0 FIREFLY key.
Test KMI Entity – TestPAC AKP without Type 0 FIREFLY key.
Note 2: Tokens used at test KOAs/KMI Entities are not accountable in the CMCS.
3. The AKP must be recertified 7 years from the date of the last certification as indicated on the device's tag.
4. The KOAM or Alternate must, at a minimum monthly, conduct a visual inspection of the AKP to certify that no signs of damage or tamper are evident. This will be documented in the form of a locally created AKP Visual Inspection Log and will include at a minimum: the Short Title and Serial Number of the AKP, the date inspected, the printed name and signature of the individual who conducted the inspection, and whether any damage or tamper was noted. The log will be closed out annually and retained for two years or until the next COR Audit, whichever occurs first. A sample log for use in conducting and documenting visual inspections of the AKP can be found below.

Figure 2-1 (sample log):
COMMAND TITLE: ______________ ACCOUNT NR: ______ KOK-32 SN: _____
CY-20XX AKP AND REINIT DRIVE VISUAL INSPECTION
Columns: Date Inspected | Inspected by (1st Person) Printed Name | 1st Person Signature | Inspected by (2nd Person) Printed Name | 2nd Person Signature | Anomalies noted Yes/No*
* NOTE: A visual inspection is required at a minimum monthly in accordance with Articles 201 and 209 of this manual. Any signs of damage or tamper detected must be reported in accordance with Chapter 8.
Figure 2-1

e. Type 1 Token (KOV-29). The KOV-29 (COTS sKey6500) is a small, portable cryptographic hardware module that provides Type 1 security services such as signing, signature verification, encryption, decryption, key establishment, and asymmetric keypair generation in KMI.
1. Certain roles in KMI require the use of a hardware token to perform assigned duties. At the account level, such roles include a KOAM, Alternates and the CPSO.
2. Hardware tokens (KOV-29s) registered in the Operational KMI are accountable in the CMCS as an ALC-1 item.
3. Tokens registered as discussed above are UNCLASSIFIED when not inserted in the Client Host and SECRET when inserted in the Client Host.
4. Each DON account will be provided with two (2) tokens per KOAM and one (1) per CPSO. If additional tokens are required, the account must submit a validation request per Article 610 of EKMS-1(series).
5. Each Account Manager must request a one-time PIN for their contingency/backup token through submission of a KMI Form 001 to the EA Proxy at NCMS. The token must be personalized to the individual to manage the account should their primary token fail.
6. The KOV-29 is KMI-aware and holds the Type 1 PKI Identification and Authentication and Key Establishment certificates for itself and the individual to whom it is personalized.
7. Tokens are personalized to a specific individual and are not to be shared.
8. A token must not be left inserted and unattended in an MGC.
9. Tokens will not be shipped or hand carried with the associated PIN or password.
10. The token is unlocked through a combination of a user-entered Personal Identification Number (PIN) and the secure recovery of a companion value stored in the AKP or the PRSN.
11. The Type 1 Token includes active tamper protection mechanisms to protect private and secret key materials and other sensitive data and algorithm items it holds.
12. If more than one KMI Manager is enrolled with the same role, each Manager must use only his/her own KOV-29 to accomplish tasks associated with the role.
13. In an emergency such as death, emergency leave, loss or inadvertent destruction of a token, etc., a KOAM may use the contingency/backup token personalized to the KOAM or Alternate KOAM. A contingency/backup token is not intended to replace the token personalized to the respective KOAM.
14. Accounts must request disposition and replacement of failed tokens in accordance with EKMS-5(series).
15. Additional information for the KOV-29 can be found in the OSD located in the NSA IA Library on the SIPRNET under the doctrine tab. See Annex F for the URL.

203. SECURITY CONTROLS.
a. Controlled usage is a property of the KMI that limits user activities to authorized personnel through the implementation of roles, rules and other access control mechanisms and policies. KMI limits user access to system resources based on attributes associated with resources (e.g., classification, ownership), requested function (e.g., authorizations), and association of the user identity (e.g., clearance, roles, domains, and "need-to-know").
b. User accountability refers to a process in which KMI enables the actions of an individual user and system activities to be traced uniquely to the specific user. To establish user accountability, KMI registers users and requires evidence of eligibility to access the system; identifies users uniquely; and enforces stronger forms of identification and authentication across the infrastructure.
c. Administrative activities are tracked for auditing through Attack, Sensing, Warning, and Response (ASWR) systems. KMI records information that associates users with activities performed on their behalf and enables authorized managers to access and evaluate the accountability information through secure means, within a reasonable amount of time, and without undue difficulty.

205. KMI RELATED CERTIFICATES.
a. Certificates stored on tokens will be used by personnel and devices. Certificates will also be used by other KMI-aware devices such as the AKP (KOK-32).
b. Type 1 PKI certificates are controlled by the PSN. The AKP (KOK-32) requires several specific keys and Type 1 PKI certificates to be fully functional. Some keys are locally generated while others must be ordered and received from Tier 0 or the KMI storefront.
c. The AKP locally generates a public and private key pair supporting the IA(I) Type 1 certificate, as a one-time transport key during initialization by the DRM or as an operational key during endorsement by the DLT1RA. The public key included in the IA(I) Type 1 certificate received from the KMI storefront is used by the AKP for authentication purposes.
d. The AKP also locally generates a public and private key pair supporting the IA(M) Type 1 certificate during the activation of the AKP by the KOAM. The public key included in the IA(M) Type 1 certificate received from the KMI storefront is used by the AKP for authentication and signature purposes.
e. Type 1 IA(I) and IA(M) certificates are valid for five (5) and two (2) years respectively. To reduce the potential impact to mission readiness, both the IA(I) and IA(M) certificates will be rekeyed annually, or as soon as possible thereafter when operations permit. Failure to rekey IA(I) and IA(M) certificates as stated herein must be documented in accordance with Chapter 9 of this manual.

207. MGC/AKP REQUIRED CIKS AND KEYING MATERIAL. Procedures for performing a site initialization, reinitialization, changeover and AKP rekey will be in accordance with the MGC/AKP Operator's Manual. A Type 0 FF Vector Set (FF), Message Signature Key (MSK), and two (2) Cryptographic Ignition Keys (CIKs) are required to perform a site initialization or re-initialization of an AKP.
a. Operational (AKP) CIKS. Each account with an AKP will receive two operational CIKS, one of which will be operationally affiliated with the account's AKP by the DRM. Operational CIKS are not for logging on to the AKP. The KOAM or Alternate must create a backup of the operational CIK using the 2nd CIK provided. If additional CIKS are procured, the KOA may create one additional CIK but will not have more than three in the account.
1. Operational CIKS are UNCLASSIFIED except when inserted or in the vicinity of the AKP.
When inserted or not secured away from the AKP, operational CIKS will be stored and safeguarded at the SECRET level.
2. Operational CIKS are not subject to TPI or considered CRYPTO.
3. Operational CIKS may be stored either in the account's vault or a GSA-approved container, with access restricted to the KOAM or Alternates.
4. Must be protected to prevent unauthorized access by anyone except properly cleared and appointed KOAMs and Alternates.
5. Must not be left inserted when no account manager is present. Loss of an operationally affiliated CIK must be reported in accordance with Chapter 8 if unauthorized use cannot be ruled out. If unauthorized access can be ruled out, document the loss as a PDS in accordance with Chapter 9.
6. In the event an operationally affiliated CIK is damaged or lost, the KOAM must delete the corresponding split from the AKP, and the damaged CIK(s) must be sent to a Service Depot for destruction.

b. FF Vector Set. The FF Vector Set is required and must be loaded to enable the account to generate and exchange account credentials necessary for conducting or receiving services related to keying material.
1. All FF Vector Set key orders must be submitted in accordance with EKMS-1(series) Article 670. Paragraph 1 of the request must state the key is for a KOA. For a KOA, the only delivery option when either a FF Vector Set or MSK is required is electronic delivery. KSD-64A is not an option for delivery of these to a KOA.
2. The FF Vector Set must be stored, safeguarded and accounted for consistent with the assigned classification and ALC, which is typically the HCI of the account and ALC-6.
3. For operational accounts, upon completion of loading the FF Vector Set, a backup of the MGC must be performed and the FF Vector Set used must be destroyed from any fill device storing it or on the MGC through the Human Machine Interface (HMI).
This does not apply to test FF Vector Sets used for test AKPs at training facilities or by COR Audit Teams.
4. The loaded FF Vector Set must be recorded as Filled in End Equipment and reflected on the account's next end-of-month destruction report. Following successful loading of the 1st copy of the FF Vector Set, should a second copy of the Vector Set be received but not used, the second copy will be zeroized and recorded as destroyed since it was not used or "filled".
5. Failure to destroy the FF Vector Sets within the time frame discussed above must be documented in accordance with Chapter 9 of this manual.
6. The FF Vector Set must be rekeyed at a minimum annually.

c. FF Credentials.
1. Generated credentials are posted by the KOAM to the EKMS Directory Server.
2. Credentials are not crypto but expire monthly or at the time of the expiration of the associated FF Vector Set.
3. Unless limited by the KOARM, the KOAM can generate and post up to twelve (12) months' worth of credentials.
4. Failure to conduct an AKP rekey at a minimum annually will prohibit the account from generating credentials or receiving keying material electronically.
5. Prior to performing a rekey of the FF Vector Set, any pending transactions must be processed. Failure to do so will prohibit the processing of any pending key packages, necessitate resupply (impacting mission readiness), and possibly result in accounting discrepancies.
6. It is highly recommended that deployable units conduct an AKP rekey prior to deployment, and only after ensuring there are no pending Bulk Encrypted Transactions (BETs) in the unit's mailbox or desktop.

d. Message Signature Key (MSK). The MSK is used to digitally sign messages. The MSK is classified at the HCI of the account and is assigned an ALC of 6.
1. MSKs must be requested in accordance with EKMS-1(series) Article 670.
Paragraph 1 of the request must state that the key is for a KOA. Only electronic delivery is available for a KOA. As stated above for FF Vector Sets, MSKs cannot be shipped to a KOA on a KSD-64A.
NOTE: With the exception of test AKPs held at training facilities and COR Audit Teams, regardless of the account's HCI, the loading of MSK and subsequent creation of AKPREINIT 1 and AKPREINIT 2 Flash Drives at operational accounts must be conducted by the KOAM and an Alternate or properly cleared witness adhering to Two-Person Integrity (TPI) procedures, including handling and storage following creation.
2. AKPREINIT 1 and AKPREINIT 2 Flash Drives are created following the loading of the MSK.
3. KOAMs will create AKPREINIT 1 and AKPREINIT 2s on NSA-approved flash drives. As stated in the OSD for the MGC, NSA has obtained the applicable exception to the restrictions on USB flash drive usage set forth in Computer Task Order (CTO) 10-133 for KMI-only purposes. Only NSA-approved USB Flash Drives procured for use as AKPREINIT keys shall be inserted into the AKP USB port.
4. For operational accounts, upon completion of loading the MSK and creation of the AKPREINIT 1 and AKPREINIT 2 flash drives, the KOAM must conduct a backup of the MGC and record the MSK loaded as destroyed using the filled in end equipment or similar function in the MGC environment. This does not apply to test MSKs used for test AKPs at training facilities and by COR Audit Teams.
5. The loaded MSK must be recorded as filled in end equipment and reflected on the account's next end-of-month destruction report.
6. Failure to record the MSK loaded as filled in end equipment within the time frame discussed above must be documented in accordance with Chapter 9 of this manual. If a 2nd copy was requested but not required, it will be zeroized and recorded as destroyed as it was not filled.
Destruction of the second copy of the MSK will be on the same end-of-month destruction report as the one filled, or be documented as described above.
7. The cryptoperiod for the Local Key Encryption Key (KEKL) associated with an AKP is 12 months.
8. A Changeover must be performed at a minimum annually. Semi-annual changeovers are recommended in order to reduce system down-time for large accounts and the potential for a COMSEC incident.
9. Due to the Two Person Integrity (TPI) requirements of AKPREINIT media in KMI, regardless of the account's HCI, changeover must be conducted in the presence of two properly cleared account personnel (KOAM/Alternate).
10. A backup is recommended prior to performing a changeover but must be performed after a changeover is conducted.

e. Benign Fill (BF) Firefly.
1. BF Firefly key, if used, is designed to encrypt key transferred between the AKP and a BF-capable end cryptographic unit (ECU).
2. BF Firefly key is created by Tier 0 and must be accounted for, stored and safeguarded based on its assigned classification and ALC.
3. BF Firefly key must be re-keyed annually.
4. The Key Management Identification Number (KMID) of an ECU's BF Firefly key must be registered in the MGC prior to performing Benign Fill functions.

f. KG Rules.
1. KG Rules enable the AKP (KOK-32) to locally produce keying material for existing and emerging COMSEC equipment.
2. KG Rules are produced and distributed electronically to KOAs by NSA.
3. KOAMs at operational accounts must load the latest version of KG Rules within 30 days of receipt; this is not applicable for test AKPs used strictly in a training environment.
4. The previous version must be destroyed NLT the 5th working day of the month following the month in which the new version was loaded.
5. Failure to destroy previous versions of KG Rules held by the account as stated above will be documented in accordance with Chapter 9 of this manual.
6. Procedures for loading the KG Rules can be found in the KMI Operation and Maintenance Manual (OMM).

g. Site Re-initialization. Enables the recovery of all protected data stored on the MGC and is also performed as a result of either an AKP failure or recertification. The AKP has a recertification requirement of 7 years from the date on the equipment, not from the date of receipt. The AKPREINIT 1 and AKPREINIT 2 drives are required for use during this process. Step-by-step procedures for performing a Site Re-initialization can be found in the KMI MGC Operations and Maintenance Manual (OMM), which can be found at the URL in Annex F.

h. AKP Recertification Label. To enhance awareness with regard to the AKP recertification date/status, a label with AKP information (e.g., recertification date, PAC status, etc.) may be applied to the AKP. Only KMI-approved and provided labels are authorized for use. The label is to be applied only to the flat surface on the AKP's top front right-hand corner.

209. SECURITY AND ACCOUNTABILITY OF KMI RELATED DEVICES.
a. Classification of KMI related devices and items. All KMI COMSEC-accountable items required for management of the account are reflected in the OSD for the MGC. The OSD also reflects the proper Short Titles, Classification, ALC and material type for KMI-related COMSEC material.
b. AKPREINIT 1 and AKPREINIT 2 flash drives (throughout this manual the terms AKPREINIT and REINIT refer to one and the same).
1. Prior to use, AKPREINIT 1 and AKPREINIT 2 flash drives are UNCLASSIFIED and not COMSEC accountable. Once used in the KMI, they are classified at the SECRET level and must be brought into CMCS accountability through submission of a possession report to the COR.
2. Regardless of classification, AKPREINIT drives which have been used at an operational KMI account must be handled, safeguarded and stored under Two-Person Integrity rules in a GSA-approved security container or vault.
NOTE: TestPAC AKPREINIT USB Flash Drives used at training sites are classified SECRET but are not assigned an AL Code or accountable in the CMCS.
3. Only NSA-approved and provided USB flash drives are authorized to be used.
4. Under no circumstances will a single flash drive be used for creating, downloading or storing AKPREINIT 1 or AKPREINIT 2 key splits, data, etc.
5. For accounts with a HCI of Secret, as an alternative to programming the FF-L-2740/2740A locking mechanism with two combinations, which would prevent access to other mission essential keying material not subject to TPI, the account can seal the flash drives in NSA-approved tamper evident bags.
6. If the account has an HCI of Secret and the AKPREINIT flash drives are protected with NSA-approved tamper-evident bags, a daily inspection of the bag must be conducted and documented on days when the container in which they are stored is opened.
7. Additionally, the KOAM and an Alternate will conduct a monthly visual inspection of the tamper evident bag to detect any possible tampering. This visual inspection must be documented in the form of a log, and the log will be closed out annually and retained for two years at the account.
8. At a minimum, the visual inspection log mentioned above will reflect the Command Title/Account number, the date of the visual inspection, the printed name of the person(s) conducting the inspection, and a remarks column for any comments (i.e., no tampering or other signs of attempted access noted). The log will be closed out at the end of each calendar year and retained for 2 years.
NOTE: Figure 2-1 can be modified to accommodate both daily and/or monthly AKP and AKPREINIT visual inspections. Monthly visual inspections must reflect the signature of both the KOAM and Alternate.
9. AKPREINIT flash drives must have a tag affixed to them indicating the Short Title, version number and KOA. The initial set of AKPREINIT will be version 0, and each subsequent version created during future changeovers will be incremented by one. Following completion of the changeover, the KOAM will bring the new AKPREINIT flash drives into COMSEC Material Control System accountability through submission of a possession report to the COR and perform a backup. Prior COR (SERVAUTH) authorization is not required; the possession report must be signed by the manager, a witness and the CO.
10. Each KOA will have and account for two (2) sets of AKPREINIT flash drives. Each set is different and is associated with specific backup media. The creation of additional sets must be authorized by the SERVAUTH. If authorized, additional sets must be brought into proper CMCS accountability.
11. AKPREINIT USB Flash Drives will not be inserted into any device except the associated AKP. Any other use or insertion of AKPREINIT USB Flash Drives containing AKPREINIT data in a device other than the associated AKP is a COMSEC Incident and will be reported.
12. Reuse of AKPREINIT USB flash drives is only authorized at the same KOA when a replacement AKP is received.
13. AKPREINIT drives must be matched with the specific backup performed after initial AKP activation or changeover, as applicable, has been completed.
14. In future changeovers, if existing flash drives are overwritten (reused), the oldest set will be used. For consistency purposes, the oldest backup media associated with the overwritten drives should also be used for the backup after the changeover is performed.
Ensure the labeling of both is updated and matches.
15. When AKPREINIT devices are no longer required or become corrupted, the KOAM must request disposition instructions from NCMS for the flash drives and the associated backup media.
16. It is imperative that the KOAM establish local procedures to accurately label and identify AKPREINIT drives with the corresponding backup media to which they pertain. If the media and AKPREINIT drives do not match, any local/field recovery efforts will fail.
17. Except during emergency destruction when directed, AKPREINIT flash drives will not be disposed of or destroyed at the account level without prior authorization from NCMS. Because the drives are associated with specific backup media, which is also COMSEC accountable, disposition requests for AKPREINIT flash drives must also include the backup media.
18. Destruction, if authorized, must be reported to the COR in accordance with EKMS-1(series) Article 540.

c. MGC/AKP Locations.
1. Shipboard:
   a. The location in which the MGC/AKP is installed must be designated as a Restricted Area.
   b. The space must be approved for open storage of SECRET material, or the MGC drives and AKP must be disconnected, removed, and stored in a GSA-approved security container when the space is not occupied by KOAM account personnel.
   c. The location in which the MGC/AKP is installed must be restricted to KOAMs and Alternates. Written access authorization will be granted by the CO of the account. If located in a vault or adjoining COMSEC office where an access list is required, the authorization can be annotated on the access list for the space.
   d. Access lists will be updated upon change of command, when personnel change, or annually, whichever occurs first.
2. Submarine:
   a. Onboard a submarine, the MGC/AKP is rack-mounted and installed in the Radio Room, where non-account personnel are assigned.
   b.
Non-account personnel who are properly cleared will be reflected on the access list for the restricted space, negating the need to remove the drives and disconnect the AKP daily while deployed or in port and store it in a GSA-approved security container.
   c. Written access authorization will be granted by the CO of the account.
   d. Access lists will be updated upon change of command, when personnel change, or annually, whichever occurs first.
3. Fixed Site:
   a. The location in which the MGC/AKP is installed must be designated as Restricted Access.
   b. The space must be approved for open storage of SECRET material in accordance with SECNAV M5510.36, or the MGC drives and AKP will be disconnected, removed, and stored in a GSA-approved security container when the space is not occupied by KOAM account personnel.
   c. Unescorted access to the location where the MGC is installed must be limited to personnel holding a minimum SECRET clearance whose official duties require access to the space. If installed in a COMSEC vault, unescorted access must be restricted to KOAMs and KOAM Alternates. Written access authorization will be granted by the CO of the account. If located in a GSA Secure Vault or adjoining COMSEC office where an access list is required, the authorization can be annotated on the access list for the space.
   d. Access lists will be updated upon change of command, when personnel change, or annually, whichever occurs first.
4. KOAMs and Alternates must take additional security precautions in unique operating environments where a vault or dedicated COMSEC office does not exist, such as a radio room onboard a submarine. In such instances, all personnel who access the area where the MGC/AKP is located must possess a valid SECRET or higher security clearance.
5. KOAMs and Alternates must ensure that at no time are the MGC and/or AKP left logged on or unattended by account management personnel.
6.
Other non-account personnel requiring access to the location of the MGC, such as a CPA (if the CPA is not the KOAM or Alternate) or CPSO, must be escorted and logged in/out in a visitor's log if not on the formal access list for the space.
7. Installation of a MGC or AKP in a mobile communications environment will be in accordance with the OSD for the MGC.
8. Neither the MGC nor the AKP will be left logged on and unattended where an unauthorized or improperly cleared person could gain access or where such could result in a loss of TPI; both instances require reporting as a COMSEC incident.
9. Security reminder: Access to spaces where classified material is used and stored must be protected, restricted and limited to appropriately cleared personnel whose official duties require access and who also possess a valid need-to-know for the material they have access to. If an individual is not on an access list, the person MUST be logged in/out in the visitor's log. If an individual's clearance status is not known and verified, sanitize the space by turning over working papers, covering status boards, and turning off computer displays or other viewable classified information while that person is in the space.

211. FIELD RECOVERY OF AN AKP.
a. Zeroization of an AKP for other than intentional purposes prior to returning the AKP to a depot-level facility must be reported as a COMSEC Incident.
1. A field-zeroization causes the AKP to zeroize and must be reported as a COMSEC incident in accordance with Chapter 8. The report must include all pertinent details and all facts related to the zeroization, including the name, rank, and position of the Commanding Officer if a field recovery is authorized as discussed below.
2. Except during an operational emergency, approval to perform a field recovery must first be obtained from the SERVAUTH (NCMS).
3.
During an operational emergency which affects real-world operations, a field recovery may be performed when authorized by the Commanding Officer. NCMS must be notified within 48 hours of the field recovery.
4. Recovery accomplished with database backup media and the AKPREINIT drives associated with that particular backup will result in the reappearance on the inventory of keying material previously destroyed, requiring that it be re-destroyed. Any key received after the backup was conducted will be lost. The use of database backup media and AKPREINIT drives older than seven calendar days must be reported as a PDS to NCMS in accordance with Chapter 9.
5. Resurrection of key previously destroyed as a result of restoration from backup media may require previously destroyed and reported key to be destroyed again. Failure to re-destroy previously destroyed key NLT the 5th day of the month following the resurrection or field-recovery actions, as applicable, must be documented in accordance with Chapter 8 of this manual.
6. NCMS will provide assistance on clearing the KOA of any resurrected or lost key.

213. CLASSIFICATION AND ACCOUNTABILITY OF KMI-RELATED COMPONENTS.
a. General. Due to changes in KMI-related OSDs, the previously published listing of components has been removed from this document. A complete listing of KMI-related components, including Short Titles, ALCs, classification of each and material types, can be found in the Operational Security Doctrine for the MGC available in the NSA IA Library on the SIPRNet.
b. AKP USB Flash Drives must be tagged and labeled in accordance with the MGC OSD.
c. Device-specific guidance for the MGC, the KOV-29 (Token), and the KOK-32 (AKP) can be found in the respective Operational Security Doctrine (OSD) at the URL located in Annex F.

NOTE: KAR 5s are only created at a Service Level Depot facility.
Any account with KAR 5s created with Spiral 1 software is required to locally destroy the media and report the destruction to the COR. No DON accounts should have a KAR 5 on the Product Inventory.

d. Each account will retain a current image of the client host and backup media, and one prior version of each. Versions older than the first previous version may be destroyed using approved methods outlined in the NSA Evaluated Products List (EPL). COR authorization is not required to destroy older media; the destruction must be reported to the COR. The discovery of client images or backups older than the first previous set/version will be treated as a non-reportable PDS in accordance with Chapter 9 herein.
e. Classified material must be properly labeled, safeguarded, stored, disposed of and addressed in the command's Emergency Action and/or Emergency Destruction plans, as applicable.

215. PINS/PASSWORDS:
a. The Client Host (MGC) requires three (3) passwords: the Data At Rest (DAR) password, which protects the MGC hard drive; a Windows user password; and the Basic Input/Output System (BIOS) password.
b. Access to the DAR administrator username/password is restricted to the CPA. The DAR user password is shared by authorized users (Account Managers) at a specific account.
c. Only the CPA/CPSO are authorized to have knowledge of and access to the Client Host Platform BIOS password.
d. See the OSD for the MGC for additional information related to the aforementioned passwords and related requirements and/or restrictions.
e. PINs are classified at the privilege level of the holder; passwords are Secret; both will be recorded, safeguarded and stored as indicated below.
1. PINs and/or passwords will be recorded, protected, stored, safeguarded, and inventoried in accordance with EKMS-1(series) Articles 515.f and 520.j.
The exception to the labeling discussed in EKMS-1(series) Article 520.j with regard to KMI is that the user name, if different from the employee name, will be reflected in Blocks 5 and 10 of the SF-700. The top of the form will be labeled MGC/AKP Administrator or Operator PIN/Password, as applicable, in lieu of LMD/KP in Block 10 of the SF-700. Part 2A will reflect the user name, the AKP PIN, and the Windows password and must be classified commensurate with the privilege afforded the employee registered.

NOTE: It is highly recommended that Windows naming conventions be standardized and adhere to a first name dot last name format, i.e. Willie.Nillie, to correlate directly to a specific and unique account manager.

2. PINs and/or passwords will be changed at a minimum of every 90 days and will always require immediate changing when a compromise or suspected compromise is discovered. A backup must be performed and new SF-700s filled out in conjunction with MGC/AKP PIN or password changes.

NOTE: If it is not operationally feasible (i.e. submarines or accounts which operate with different crews (gold, blue, etc.)) for a password to be changed within 90 days, it must be changed at first login thereafter.

3. Passwords required by a single person occupying more than one position/role within an account may be recorded on a single SF-700. Example: A KOAM requires a Windows password, a password for his/her own Token, a password for another token if they are the TSO/SO for other tokens, and a password for the CPA account if the incumbent is performing the duties of the CPA.
4. Passwords associated with the KOV-29 may be 8 to 20 characters in length and must include uppercase, lowercase, numbers and special characters.
5. The Token SO is responsible for proper control, management and security of the SO account password for each token they manage.
6.
The use of a single password is permitted for KOV-29s managed by the Token SO.
7. When a new Token SO is appointed, a new password must be created and implemented for the tokens managed by the previous Token SO.
8. In the event a KMI Manager whose role requires a token forgets his or her password, the Token SO can, in the presence of the KOAM, perform a password reset. Performing a password reset requires confirmation from the KMI Manager that the token has been under proper control at all times and never subjected to possible unauthorized access.
9. Token SOs are required to have a compromise recovery plan (CRP) for KOV-29s associated with the Token SO password. The CRP must include revocation procedures in the event of a lost token. The CRP must be incorporated into the command's local COMSEC policy and must be verified and exercised annually for accuracy, awareness and feasibility purposes.
10. The MGC is configured to lock out an account after three failed logon attempts. Should this occur, contact the CPA to have the account unlocked or the password reset.

217. PACKAGING, SHIPPING AND TRANSPORTATION OF COMSEC MATERIAL AND EQUIPMENT.
a. Packaging, shipping and transporting of COMSEC material will be in accordance with EKMS-1(series) Articles 525 through 535. For ease of reference, a quick matrix is located on the following page.
SHIPPING QUICK REFERENCE MATRIX (Figure 2-2)

Material categories (columns):
- Top Secret/Secret material marked "crypto" or items with classified logic or algorithms
- Confidential material marked "crypto"
- Unclas material marked "crypto"
- TS/Secret equipment (not designated as CCI)
- CCI (unclas, not keyed) (See Note 4)
- MGC (with drives installed and KMI software on them) or MGC hard drives without the MGC but with KMI software on them; AKP; AKPREINIT Flash Drives

Shipping methods (rows):
- DCS
- SDCS
- Designated and cleared couriers
- Commercial Carrier (PSS/Ground)
- Commercial Carrier
- USPS (Registered Mail)
- USPS (Express Mail)
- Navy Supply System, Military Air (AMC, LOGAIR, QUICKTRANS, etc.)

Matrix entries (flattened; row/column alignment is not recoverable from this copy): DCS YES YES YES YES; YES YES YES YES YES YES YES YES YES (OCONUS, when other approved methods are not available or will not meet mission requirement) YES YES NO YES YES YES YES YES (Note 5) NO NO NO YES YES (See Note 1) YES (See Note 6) NO NO YES (See Note 2) YES NO NO NO NO YES (See Note 3) NO NO NO NO NO YES NO NO; MGC/AKP/AKPREINIT column: YES YES YES NO.

Legend: DCS = Defense Courier Service, SDCS = State Department Courier Service, PSS = Protective Security Services, USPS = United States Postal Service. Registered Mail must not pass through a foreign postal system or be subject to foreign inspection. Material shipped to APO/FPO addresses does not pass through a foreign postal system.

NOTES:
(1) See EKMS-1(series) Article 535 for additional information, restrictions and notification requirements.
(2) See EKMS-1(series) Article 530.a.3 for additional information and restrictions.
(3) The shipper must obtain assurance from U.S. Postal Service authorities that the material will receive continuous electronic or manual tracking to the point of delivery, and a recipient's signature must be obtained. Material must be introduced into the postal system across the counter at a U.S. Postal Service facility; the use of postal drop boxes is not authorized.
(4) Equipment which makes use of CIKs, PINs, or passwords is considered unclassified when these items are removed and shipped separately from the device. Devices should always be shipped in a zeroized state; however, should mission requirements necessitate loading the device prior to shipment, the associated CIKs, PINs, or passwords MUST be shipped separately. If any of these items are shipped with the equipment, it must be reported in accordance with Chapter 8. FTRs are classified SECRET and must never be shipped with the associated equipment.
(5) CONUS ground transportation only.
(6) USPS Registered Mail cannot be used to ship CCI containing lithium batteries to/from an APO/FPO address if the size, quantity or lithium content of the batteries exceeds the limits in the International Mail Manual or Domestic Mail Manual (IMM/DMM).

b. Courier personnel must have current, written authorization in the form of official travel orders, a DD-2501 or a DHS 11000-1 from their organization. The authorization must be retained on the person at all times when performing the duties of a courier.
c. A list of commercial carriers offering PSS services may be requested from the Surface Deployment and Distribution Command (SDDC).

219. SOFTWARE UPGRADES
a. Software upgrades will not be performed on COMSEC equipment by any DON accounts until the software is approved by NSA, has been tested and validated by the In-Service Engineering Activity (ISEA), and is approved for installation by NCMS or, for USMC accounts, the Marine Corps Tactical Systems Support Activity (MCTSSA).
b. When approved via official message from NCMS or MARFORSYSCOM (USMC accounts only), commands must ensure compliance with the upgrade and report such no later than the established compliance date.
c.
With the exception of software distributed by NSA, including Information Assurance Vulnerability Assessment (IAVA) patches posted to the Product Availability Library (PAL), the INFOSEC web site is the only authorized source of software upgrades for DON accounts.
d. When warranted due to operational requirements, Program Managers (i.e. ADNS, GCCS-M, ISNS, JWICS, etc.) may request a waiver or extension via official message to MARFORSYSCOM or COMNAVIDFOR, as applicable, with NCMS as an info addee on the request. Neither individual units nor Program Managers will submit waiver requests directly to NSA.
e. Procedures which violate other IA regulations (i.e. use of personally owned computers or thumb drives) will not be used by DON accounts for performing software upgrades.
f. NCMS approval is NOT required to download and install IAVA patches from the PAL. All units are responsible for compliance and proper reporting of IAVA compliance.

221. EQUIPMENT FAILURES
a. Requests for assistance in troubleshooting MGC/AKP-related system failures or problems will be directed to SPAWAR Systems Center Atlantic.
b. Regardless of warranty status, under no circumstances will a MGC with the hard drive(s) inserted, or a MGC hard drive on which KMI software has been installed, be shipped to a vendor or factory.
c. Each DON COMSEC Account was provided four hard drives for the MGC. Two of the drives have KMI software pre-installed on them and are COMSEC accountable. The other two hard drives are spares without KMI software installed; without the KMI software installed, the drives are unclassified and not COMSEC accountable. If a spare hard drive is required for use as directed by the Help Desk and KMI software is installed on it, the drive must be possessed and brought into CMCS accountability.
COR (SERVAUTH) approval is not required to possess the hard drives, but the possession must be reported to the COR.
d. The MGC operates in a Redundant Array of Independent Disks (RAID) 1 configuration in which the two (2) hard drives are mirrored. Failure of a single hard drive will not prevent the device from operating properly.
e. The failed drive should be reported to SPAWAR, NCMS and the unit's ISIC in the form of a message requesting disposition instructions for the failed drive. The message must include the Help Desk Ticket # and the date of the call or email to the Help Desk.
f. Upon authorization in writing from NCMS, failed drives will be destroyed locally in accordance with the NSA EPL and Naval Technical Directive (NTD) 03-11, Disposal of Navy Computer Hard Drives, or shipped to the NSA Classified Material Conversion (CMC) for destruction. When authorized, destruction of equipment must be carried out within 90 days of the authorization and must be reported to the COR. If the destruction is not carried out and reported within 90 days, document the matter as a late destruction in accordance with Chapter 8.
g. Defective or inoperable KOV-29s must be disposed of in accordance with EKMS-5 (series).
h. Prior to shipping, the KOV-29 must be zeroized when possible and the associated IA(I) and IA(M) certificates revoked.

223. SECURITY AND STORAGE OF COMSEC MATERIAL
a. COMSEC Facilities. Regardless of the type of facility, whether a fixed COMSEC facility, unattended or contingency fixed secure telecommunications facility, fixed secure subscriber facility, transportable and mobile facility, or DoD Bulk Encryption Facility, each facility must be approved to hold classified material PRIOR to its installation, use, or storage as discussed below.
A complete description of each type of facility, applicable security requirements and further guidance may be found in EKMS-1(series) Articles 550 through 575.
1. COMSEC equipment or keying material will only be installed, used or stored in containers or spaces approved up to or higher than the highest classification of material used or stored in the space/container. Such approval must be in writing by the Cognizant Security Official (CSM, Physical Security Officer, and Special Security Officer (SSO)) PRIOR to the installation and/or storage, as applicable.
2. Any facility or container must be re-inspected at a minimum biennially, or when any modifications or repairs are conducted to the container, locking mechanism or facility, or when reoccupied after being temporarily abandoned. Additional or periodic inspections will be conducted based on the geographical location of the facility (CONUS vs. OCONUS), threat, sensitivity of the facility, materials and operational requirements, and past security concerns, discrepancies or potential vulnerabilities. Unattended facilities must be physically inspected every 30 days by U.S. personnel responsible for the facility.
3. Prior to activation, in addition to the required Physical Security Inspection, a general COMSEC inspection is required. The general COMSEC inspection will review facility Standard Operating Procedures (SOPs) to ensure that procedures which minimize risk to personnel and ensure the security of materials used are in place and address both routine and emergency destruction procedures.
4. Initial facility approvals for COMSEC vaults used to store keying material or SCIFs will be conducted by an Accrediting Official (AO) in accordance with ICD 705.
5.
Shore-based COMSEC vaults used to store keying material that are modified or constructed after the date of promulgation of this manual will be constructed in accordance with Intelligence Community Directive (ICD) 705, adhering to the criteria and associated checklist in Intelligence Community Policy Guidance (ICPG) 705.1 or a later version.
6. Existing vaults which have not been modified, and vaults onboard afloat units, may continue to operate under the criteria previously established in EKMS-1(series) Annex N.
7. A daily security checklist (SF-701) is required for spaces where classified material is used, whether manned 24 hours a day or not, and proper securing of materials and security containers will be verified once per watch or at the end of the work day prior to departure and reflected on the SF-701 for the space. SF-701s will not be used in lieu of other inventory documents required herein and will be retained for a minimum of 30 days beyond the last date recorded.
8. Access to spaces where classified material is used and/or stored will be restricted to properly cleared personnel whose official duties require access to the space. Such personnel, including newly reported personnel, must be reflected on a formal access list for the space or logged in/out of a visitor's register.
9. Uncleared personnel who must enter the space for official functions such as space surveys or maintenance must be escorted at all times by authorized personnel. Prior to entrance, the space will be sanitized and classified material covered or properly stored to prevent unauthorized viewing.
10. All visitors' logs will reflect the date and time of both arrival and departure, the printed name and signature of the visitor, the purpose of the visit and the signature of the official admitting the visitor.
Visitors' logs will be reviewed periodically at the unit level for proper maintenance, and during visits and audits. Logs will be closed out annually and must be retained for one year. A new log will be implemented for each facility/space for each calendar year.

b. Security Containers. COMSEC material not required for use and under the direct control of appropriately cleared and authorized personnel will be secured in a GSA-approved container or Class-5 vault door equipped with a FF-L-2740 or higher locking mechanism, which will be locked, verified and documented on a SF-702 when not in use. For TPI containers, a separate SF-702 will be used for each combination. SF-702s will be retained for 30 days beyond the last date recorded.
1. If the container or vault is protecting Top Secret keying material, the locking mechanism will be programmed with two different combinations. No single person will change or have knowledge of both combinations. Combinations associated with containers or vault doors at the account or LE Issuing level will be restricted to account or LE Issuing personnel, as applicable.
2. Combinations will be changed when a lock is initially put in use or has been taken out of service; when someone with knowledge of the combination is reassigned, transfers or separates; when suspected to have been compromised; or biennially, if not sooner based on the other criteria addressed herein.
3. Combinations will be stored on SF-700s and will NOT be written down on other forms or documents (wheel books, electronic devices, etc.).
4. A separate SF-700 (Record of Combination) is required for each combination programmed. SF-700s are classified based on the highest classification of material protected by the container and locking mechanism (i.e., if the container is used to store Top Secret, Secret and Confidential material, the SF-700 will be classified Top Secret).
5.
Completed SF-700s will be sealed in laminating paper or tamper-indicating envelopes.
6. Part 1 of the SF-700 is NOT considered or to be marked as classified; it is considered Personally Identifiable Information (PII). Part 1 will still reflect the names, addresses and telephone numbers of authorized holders of the combination so that they can be contacted immediately if the container is discovered unsecured, and will be posted inside the door (vault) or safe (as applicable), but must be sealed in an opaque envelope labeled "Security Container Information" prior to affixing it to the vault door or container. If Part 1 is unsealed, it must be resealed no later than the following working day.
7. Part 2 is used to protect Part 2A; both must be labeled with the highest classification of materials protected by the combination and will reflect "Derived from: 32 CFR 2001.80(d)(3)" and the declassification instruction "Upon Change of Combination". Part 2A will be placed inside aluminum foil prior to storing it in Part 2. The adhesive seam on Part 2 will be signed and dated by the person sealing the envelope and laminated afterwards.
8. To facilitate timely implementation of emergency action when directed, SF-700s will be stored in a central location within the command; the container must be GSA-approved and approved for storage up to the highest classification level of the SF-700(s) stored in it. SF-700s which are properly laminated and sealed do NOT require TPI handling or storage.
9. An inventory document must be created and used to inspect SF-700s at a minimum monthly, or sooner if a combination is changed and the SF-700 updated. The inventory will list the Dept/Division responsible for the container, the container number, the location of the container, the date the combination was last changed and the signature of the person inventorying/inspecting the SF-700s.
10.
The Commanding Officer or other designated command personnel (Command Duty Officer, Security Manager, etc.) may direct the emergency opening of any container within the command. Such openings will be conducted in the presence of two properly cleared personnel, and the personnel responsible for the materials protected by the container or vault, as applicable, MUST conduct an inventory, report any material which may not be accountable, change the combinations and update the SF-700s.
11. An OF-89 must be prepared and posted in any security container used to store classified material. Any repairs to the container MUST be recorded on it. It is a permanent record to be maintained with the container. Commands acquiring new containers must ensure they are GSA-approved, equipped with the FF-L-2740 or higher locking mechanism, and that an OF-89 is prepared and posted for the container.

c. Residential Storage. Classified material will not be brought to or stored in a private residence without the consent of the Commanding Officer and the following approvals or compliance measures in place prior to installation or storage:
1. Approval by the appropriate level of the unit's chain of command as set forth in Chapter 10 of SECNAV M5510.36.
2. To satisfy critical operational requirements.
3. The request fully complies with Article 10-10 of SECNAV M5510.36, Naval Technical Directive (NTD) 03-09, DOD 5200.01 and local, ISIC or TYCOM directives.
4. A GSA-approved security container is required prior to issuance of any materials, and the combination will be restricted to the individual responsible for the materials. CIKs, KSV-21 cards, TALON cards, etc. will be secured in the container when not in use, a SF-702 will be used to document openings and closings, and an OF-89 must be created and affixed inside the container.
5.
If approved, keying material issued will be limited to 30 days' worth and will be issued to a DTD, SKL or other electronic storage device. Any storage device provided is subject to annual re-initialization and monthly audit trail reviews. Failure to have the device reinitialized or to make it available for audit trail reviews monthly or more frequently will be reported as a COMSEC incident.
6. Unauthorized personnel will not have access to classified material, nor will CIKs, storage devices or KSV-21 cards be left out when not in use. A STE may be used occasionally by uncleared personnel, but only when the card is removed and either under the direct control of the person to whom it is issued or stored in a security container. Any instance of unauthorized access, including to a STE with the card inserted, must be reported in accordance with Chapter 8.

d. Segregation of Material. COMSEC material will be stored, safeguarded and handled based on the classification of the material. Other classified or unclassified non-COMSEC material will not be stored with COMSEC material. Material will be segregated based on classification and status of the material to facilitate emergency destruction, when directed. NATO material may be stored with other COMSEC material of the same classification. At the account level, in addition to segregation by classification, material will be segregated based on the status of the material, i.e. effective, reserve on board (by effective period, i.e. 1st month, 2nd month, 3rd month) and superseded (typically pending end-of-month destruction).

e. Two Person Integrity (TPI).
1. TPI handling requires that at least two persons, who are authorized access to COMSEC keying material, be in constant view of each other and of the COMSEC material requiring TPI whenever that material is accessed and handled.
Each individual must be capable of detecting incorrect or unauthorized security procedures with respect to the task being performed.

2. TPI storage requires the use of two approved combination locks (each with a different combination) with no one person authorized access to both combinations.

3. TPI is required for any of the following materials and/or scenarios:
a. Top Secret keying material or designated "crypto"
b. Fill devices (DTD, SKL, TKL, etc.) storing Top Secret keying material (when the associated CIK is also present or accessible)
c. Equipment which generates or is loaded with Top Secret keying material and which permits extraction of key
d. The AKP if the account's HCI is Top Secret, when two (2) personnel with Top Secret accounts on the MGC/AKP are logged on
e. AKPREINIT 1 and AKPREINIT 2 Flash Drives
f. When picking up material from DCS, if the account's HCI is Top Secret, or when picking up Top Secret material moved via an account-to-account transfer
g. When Top Secret key is passed via OTAD or OTAT
h. Legacy fill devices or fill devices with CIKs (DTD, SKL, TKL, etc.) inserted or accessible in spaces where equipment which permits extraction of key is used or installed.

4. TPI is not required for any of the following:
a. Handling, storage and access to SECRET COMSEC material regardless of crypto designation (with the exception of AKPREINIT 1 and AKPREINIT 2 Flash Drives)
b. CCI keyed with Top Secret key or CIKs associated with equipment which does not permit extraction of key (this does NOT include fill devices, i.e. DTDs, SKLs, etc. storing Top Secret key when the CIK is inserted or accessible)
c. Units engaged in tactical exercises, operational field exercises or in a combat environment
d. Flag (CINC) communicators operationally deployed away from their primary headquarters
e. The loading of CCI equipment onboard an aircraft; TPI is required up to the flight-line boundary when transporting the material.
f. CRFs and training facilities (school houses) where operational keying material is not used
g. A Top Secret DTD CIK when placed in an Air Crew comm box locked with TPI-approved combination locks (while in flight, a Top Secret DTD CIK may be stored in a single-lock container onboard the aircraft)

CHAPTER 3 - PRIVILEGE MANAGEMENT: SEPARATION OF DUTIES, ROLES, EXCLUSIONS, REGISTRATION, ENROLLMENT AND ACTIVATION

301. SEPARATION OF DUTIES. Within the KMI, to ensure access is limited to properly cleared and appointed personnel and to prevent the assignment of operators and security auditors to the same positions, role exclusions are used and apply to most, if not all, associated positions. These principles are commonly referred to as "separation of duties."

a. Separation-of-duties rules are known as exclusions and are enforced by policy and/or Rule Based Access Control/Role Based Access Control (RuBAC/RoBAC) within the KMI program. Eligibility Authorities (EAs) and Enrollment Managers (EMs) must be careful in reviewing exclusions prior to appointing and enrolling users in multiple roles.
(1) RoBAC – In RoBAC, system privileges are associated with operational management roles.
(2) RuBAC – The RuBAC processes constrain the actions of role-based privileges in the context of a specific session and specific resource objects.

303. ROLE EXCLUSIONS

a. Role Exclusions and Types: Within KMI, there are three types of exclusions: Lifetime, Concurrent, and Limited.
(1) Lifetime exclusions prevent a user who has held a specific role from ever occupying an excluded role. This includes instances in which the person is no longer enrolled to perform the previously assigned role.
(2) Concurrent exclusions prohibit a user from holding two different roles simultaneously where separation of duty (role exclusion) is required.
(3) Limited exclusions prohibit a user from performing functions for a single identity related to two different roles within a specific process, and prohibit an individual from performing functions related to oneself.

305. KMI ROLE EXCLUSION LISTING

a. Some common KMI role exclusions include but are not limited to:
1. A CPA role cannot concurrently hold the CPSO role.
2. A CPSO cannot concurrently hold the role of a CPA, KOAM (or Alternate), and vice versa.
3. The TSO/SO cannot be the TSO/SO for their own token.
NOTE: A complete listing of role exclusions can be found in the Process Security Doctrine for the Enrollment of Key Management (KMI) Managers.

307. KOA REGISTRATION (OVERVIEW)

KOAs are uniquely identified in order to control their functions through attributes that are requested, approved and assigned by a KOA Registration Manager (KOARM). Account registration requires at least two registered users to provide authorization for the establishment of an account, in order to ensure the integrity of the KMI system.

309. KOA REGISTRATION DATA.

a. KOA Registration Data is the set of data values maintained by the KMI for managing a KOA. Each KOA is established through the registration process, which records administrative data for the account.
b. The registration processes for a KOA and for a User are not the same.
c. When a KOA is established, the system performs a replication with the EKMS account information contained in the Common Tier 1 (CT-1) database; therefore, accounts must ensure their Common Account Data (CAD) is up-to-date and accurate prior to transitioning to KMI and whenever account management changes.
d. Registration of a new KOA or a Change in Primary KOAM requires the completion, verification and submission of a KMI Form 003.
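Sections 303 and 305 above define the three exclusion types but leave the enforcement logic implicit. The following Python module is an added illustration, not code from the KMI program or from this manual: it encodes a constructed exclusion table (the section 305 items, the EA/DRM and EA/DLT1RA limited exclusions noted in sections 325 and 327, and one hypothetical lifetime pair) and checks an enrollment request or a single process instance against it. The role-name shorthand, the `SUBJECT` key and the lifetime pair are this example's assumptions.

```python
"""Added illustration of KMI-style role exclusions (Lifetime, Concurrent, Limited).

Not KMI program code. The exclusion table below is constructed from the examples
in this manual; the authoritative listing is the Process Security Doctrine.
"""
from dataclasses import dataclass, field
from enum import Enum


class Kind(Enum):
    LIFETIME = "lifetime"      # ever having held role_a forbids ever taking role_b
    CONCURRENT = "concurrent"  # role_a and role_b may not be held at the same time
    LIMITED = "limited"        # one identity may not fill both roles in one process instance


@dataclass(frozen=True)
class Exclusion:
    kind: Kind
    role_a: str
    role_b: str
    process: str = ""  # LIMITED only: the process instance the rule is scoped to


# Constructed table. Role names are this example's own shorthand.
EXCLUSIONS = (
    Exclusion(Kind.CONCURRENT, "CPA", "CPSO"),                       # section 305, item 1
    Exclusion(Kind.CONCURRENT, "KOAM", "CPSO"),                      # section 305, item 2
    Exclusion(Kind.CONCURRENT, "ALT_KOAM", "CPSO"),                  # section 305, item 2
    Exclusion(Kind.LIMITED, "EA", "DRM", "device_registration"),     # section 325 d(2)
    Exclusion(Kind.LIMITED, "EA", "DLT1RA", "device_endorsement"),   # section 327 c(1)
    # Hypothetical lifetime pair, present only to exercise the history check;
    # the manual names no specific lifetime exclusion.
    Exclusion(Kind.LIFETIME, "SECURITY_AUDITOR", "OPERATOR"),
)


@dataclass
class Identity:
    name: str
    active_roles: set = field(default_factory=set)
    former_roles: set = field(default_factory=set)  # disenrolled roles still count for LIFETIME


def enrollment_violations(identity, requested_role, exclusions=EXCLUSIONS):
    """Reasons `requested_role` may not be assigned to `identity` (empty list = allowed).

    CONCURRENT rules look only at roles held now; LIFETIME rules look at roles
    ever held, which is why former_roles is kept after disenrollment (303 a(1)).
    """
    reasons = []
    ever_held = identity.active_roles | identity.former_roles
    for ex in exclusions:
        if ex.kind is Kind.CONCURRENT and requested_role in (ex.role_a, ex.role_b):
            other = ex.role_b if requested_role == ex.role_a else ex.role_a
            if other in identity.active_roles:
                reasons.append(f"concurrent exclusion: {requested_role} while holding {other}")
        elif ex.kind is Kind.LIFETIME and requested_role == ex.role_b and ex.role_a in ever_held:
            reasons.append(f"lifetime exclusion: {requested_role} after ever holding {ex.role_a}")
    return reasons


def process_violations(process, actors, exclusions=EXCLUSIONS):
    """Check one process instance (e.g. one KMI Form 006).

    `actors` maps role -> identity name. The constructed key "SUBJECT" names the
    identity the process is about, so the self-action case in 305 item 3 (no one
    is TSO/SO for their own token) is caught as well as the two-role case.
    """
    reasons = []
    for ex in exclusions:
        if ex.kind is Kind.LIMITED and ex.process == process:
            a, b = actors.get(ex.role_a), actors.get(ex.role_b)
            if a is not None and a == b:
                reasons.append(f"limited exclusion: {a} is both {ex.role_a} and {ex.role_b} for {process}")
    subject = actors.get("SUBJECT")
    for role, who in actors.items():
        if subject is not None and role != "SUBJECT" and who == subject:
            reasons.append(f"limited exclusion: {subject} cannot act as {role} on own identity")
    return reasons


if __name__ == "__main__":
    # Constructed sample identities and process instances.
    bob = Identity("bob", active_roles={"CPA"})
    print(enrollment_violations(bob, "CPSO"))        # blocked by the CPA/CPSO concurrent rule
    carol = Identity("carol", former_roles={"SECURITY_AUDITOR"})
    print(enrollment_violations(carol, "OPERATOR"))  # blocked by the hypothetical lifetime rule
    print(process_violations("device_registration", {"EA": "eve", "DRM": "eve"}))
    print(process_violations("token_personalization", {"SUBJECT": "gail", "TSO": "gail"}))
```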
Registration and enrollment of personnel requires completion, verification and submission of KMI Forms 001 and 002.
e. It is recommended that forms requiring submission to the EA Proxy be digitally signed when possible; if that is not possible, physical documents with a wet signature are acceptable.

311. HUMAN USER (PERSONNEL) REGISTRATION

When a Human User is registered, the KMI must verify the identity's authenticity, in that the person has the right to claim the identity being registered and has been authorized to do so. Their eligibility is qualified and needs to be registered. Human (Personnel) Registration and Enrollment must be completed before the KOA is able to be registered. Applicants may submit KMI Forms 001, 002 and 003 all at once.

313. KMI PERSONNEL REGISTRATION FORM, KMI FORM 001

a. The applicant and EA at the command must complete Parts 1 and 2 of KMI Form 001. The EA Proxy at NCMS will complete the Eligibility Authority's Proxy's Identifying Information and the Eligibility Authority's Proxy's Contact Information on the form.
b. The KMI Form 001 is in .pdf format and must be viewed and completed online to enable full viewing and selection of the options available using the drop-down menus. Incomplete forms will not be accepted and will be returned to the EA for review.
NOTE: The command-level EA will be the Commanding Officer, Officer-in-Charge or other designated security personnel (Security Manager or SSO). They are responsible for verifying security clearance information for assigned personnel and conducting a physical review of the required two forms of identification presented. An applicant requesting registration in KMI cannot be their own EA if such personnel are performing other duties in which they have access to security clearance data.
c. In addition to verifying the information filled out by the applicant in Part 1 of the KMI Form 001 and physically verifying the identification sources presented, the EA is responsible for completing Part 2 of the KMI Form 001.
d. The applicant must provide two (2) forms of personal identification documents to the EA as proof of identification and verification.
e. Below are examples of evidence of authenticity and eligibility.

FIGURE 3-1 (table; the column marks did not survive extraction). Columns: Source; Identity Establishment; Employment Eligibility. Sources listed: U.S. Passport; Certificate of U.S. Citizenship Form N560/561; Certificate of Naturalization Form N550/N570; U.S. Driver's License or State ID (*); Military ID card (*).

Additional forms of acceptable identification for verification purposes may be found in the Process Security Doctrine [DOC-04312].
f. Contact the EA Proxy at NCMS prior to submission of any completed KMI Form containing PII and request an individual email address to send the form to for review and processing.
NOTE: The KMI form contains PII and MUST BE digitally signed AND encrypted. The unencrypted passing of documents, including emails containing PII, must be reported as a PII breach per DON CIO guidance.
g. The EA Proxy will respond within 72 hours and provide an individual email address for the unit to send the completed, signed and encrypted KMI Form 001 to.
h. Upon verification of the information, NCMS will submit the KMI Form 001 to the PRM at NSA for processing.
i. Once the information has been entered into KMI, the PRM will:
(1) Verify that the registration request came from a valid EA Proxy.
(2) Submit a One-Time PIN order to Site 1 for processing.
(3) Site 1 will send the One-Time PIN to the user's email address reflected on the KMI Form 001.
(4) At the completion of the personnel registration phase, notify the EA Proxy that the registration was completed and a One-Time PIN was ordered for the applicant.
j. DON commands are not authorized to submit required KMI forms directly to NSA; doing so will delay registration, enrollment, account establishment or transition, as applicable.
NOTE: Additional information related to Human User Registration can be found in the Registration of KMI Operating Accounts and KMI User's Manual and the Operations and Maintenance Manual (OMM) for the KMI Client Node located at the URL in Annex F.

315. ENROLLMENT PROCESS - KMI PERSONNEL ENROLLMENT FORM, KMI FORM 002

a. The process of assigning management role(s) to a registered human user is called Enrollment and is carried out by an Enrollment Manager (EM). Each service or agency will be part of an Enrollment Domain and will have individual(s) enrolled as an Enrollment Manager. They in turn will associate roles and assign attributes to other managers within their domain. The Enrollment Manager function resides at NCMS.
b. Human (personnel) registration must be accomplished prior to a user being enrolled in KMI. The human user must complete the applicable training set forth in Chapter 6. Training requirements differ and are based on the roles the individual will fulfill.
c. New applicants will fill out Part 2 - Candidate Information section of the KMI Personnel Enrollment Form (KMI Form 002) and will select the roles to be assigned. The KMI Form 002 is in .pdf format and must be viewed and completed online to enable full viewing and selection of the options available using the drop-down menus.
d. The Eligibility Authority (EA) must fill out Part 1 – the Eligibility Authority Information section of KMI Form 002 and verify that the training and certification(s) required for the specific role(s) have been completed, through verification of the training certificate. The Enrollment Manager (EM) cannot proceed with the enrollment process without proof of completed training as indicated in Part 2 of the KMI Form 002, except as indicated in the preceding section herein; otherwise the form will be returned to the Eligibility Authority for review. In the event formal training cannot be accomplished prior to appointment, the EA will follow the guidelines listed below:
(1) In extenuating circumstances, such as an unplanned loss, hospitalization, death, or immediate Relief for Cause of Account personnel, the unit may request a waiver from NCMS to the formal training requirement until mission tasking and quota availability permit attendance. With an approved, official waiver, the EA may complete the KMI Form 002 by citing the originator and DTG of the waiver prior to submission of the KMI Form 002.
(2) Personnel appointed, registered and enrolled based on a Service Authority waiver must review and understand the Two-Person Integrity (TPI) section of Lesson 25 "KMI MGC Operator Training Key Distribution". They will not have a Windows user account on the MGC and will only be permitted access to the MGC/AKP in the role of a "witness or 2nd person" for functions requiring TPI.
e. Contact the Enrollment Manager at NCMS prior to submission of the completed KMI Form and request an individual email address the form may be sent to for review and processing.
NOTE: The form contains PII and MUST BE digitally signed AND encrypted. The unencrypted passing of documents, including emails containing PII, must be reported as a PII breach per DON CIO guidance.
f. The Enrollment Manager will respond within 72 hours and provide an individual email address at NCMS for the unit to send the completed, signed and encrypted form to.
(1) The Enrollment Manager (EM) must re-verify the accuracy and completeness of the form prior to entering the enrollment information into KMI.
(2) Upon completion of the enrollment action, the EM will notify the EA reflected on the KMI Form 002.
(3) Upon receipt of the email, the user/applicant will be able to perform the roles requested in KMI (provided they have a personalized token).
NOTE: Users may be required to log in and out more than once, or to remove the token's association from the MGC and reintroduce the token to the MGC, before the new roles become effective.
g. Each account must identify and designate personnel to perform the following roles: KOAM (Primary and Alternate), Product Requestor (PR), DLT1RA, PLT1RA, DRM, CPA and an assigned CPSO. Role exclusions should be reviewed prior to role assignment.
h. The roles below will only be performed at the PRSN, CSN or PSN, and not at the unit/Client Node level.
(1) ASWR Manager
(2) Audit Data Manager
(3) Security Configuration Manager
(4) Incident Response Manager
(5) Platform/Network Manager
(6) Archive Manager
(7) Backup Manager
(8) Database Administrator
(9) Accounting Data Manager
(10) Tracking Data Manager
(11) Help Desk Manager

317. ROLES SUPPORTING KOA REGISTRATION

a. To complete KOA registration, KMI supports the following roles:
1. KMI Operating Account (KOA) Sponsor – Any person in the organizational chain-of-command authorized to determine and approve the KMI registration of a KOA.
2. KMI Operating Account Registration Manager (KOARM) – The management role responsible for registration of KOAs. Within the DON, the duties of the KOARM will be performed at NCMS.
3. KOAM – The management role responsible for operating an account.

319. ACCOUNT REGISTRATION - COMSEC ACCOUNT DATA FOR KMI REGISTRATION, KMI FORM 003

a. Registration of a KOA requires submission of a properly completed KMI Form 003 by the command.
(1) KMI Form 003 is in .pdf format and must be viewed and completed online to enable full viewing and selection of the options available using the drop-down menus.
(2) Upon completion and verification of the completed KMI Form 003, contact the EA Proxy at NCMS to obtain an individual email address to submit the KMI Form 003 to.
(3) NCMS will respond within 3 business days and provide an individual email address for the unit to send the completed, signed and encrypted form to. The form contains PII and MUST be digitally signed AND encrypted. Failure to do so will be reported as a PII breach per DON CIO PII policy.
b. The KOARM will:
(1) Verify that the registration request came from a valid KOA Sponsor.
(2) Retain the Sponsor-provided KMI Form 003 either electronically or in hardcopy form for a minimum of seven (7) years.
(3) At the completion of the KOA registration, notify the KOA Sponsor who submitted the request.
c. Accuracy of the registration data cannot be overemphasized, as the primary KOAM is assigned to the account during the registration process.
d. KOAMs must be registered and enrolled through completion and submission of a KMI Form 001 and KMI Form 002 before they can be assigned to the KOA and activate the Type 1 Token discussed later in this chapter.
e. Establishment of an account is not related to validation and acquisition of required equipment, keying material, or manuals. The account manager and ISIC must ensure compliance with other related actions set forth in Chapter 4 of EKMS-1 (series), including obtaining facility approval prior to the establishment of the account and material being distributed to the account.
A matrix illustrating organizations with cognizance in validation and allowance matters can be found in Figures 4-1 and 4-2.

321. HUMAN (Person) USER ACTIVATION.

Registration of a human user who will authenticate with a U.S. Type 1 PKI is not completed until a Registration Authority (e.g. PLT1RA) completes the activation process. Human User Activation, also known as Token Personalization, requires examination and verification of authenticity and eligibility, based on a face-to-face meeting of the User being registered with the PLT1RA, and the production of an identifier credential loaded as mission material onto a Type 1 Token. The activation phase personalizes the Type 1 Token by cryptographically associating it with a specific Human User.
a. Each human identity for which the U.S. Government Type 1 PKI is the authentication method is independently verified in a face-to-face meeting between the PLT1RA and the user.
b. To personalize a token for a Human User, a PLT1RA assigns a KMI-unique identifier for that token user, requests Type 1 PKI authentication material for the identifier, and directs that the material be loaded into the token as IA(M) Type 1 Certificates and keying material. The PLT1RA must enter the Token SO password before requesting the establishment of Type 1 Authentication Material (i.e. the Type 1 private key) on a Type 1 Token, and the generation and loading of an associated Type 1 Identifier Credential (i.e. the Type 1 public key certificate) for an existing specific User Identifier of a currently registered Human User who is to be the Token Holder.
NOTE: A Token Holder is an individual Human User who is accountable for the use of a specific token, including use of the Authentication Material and other security-sensitive material that is carried by the token.
c. The Human User must appear in person before the PLT1RA and present the same two forms of identification originally presented to the EA as proof of identification, as well as present the PLT1RA with a hard copy of the One-Time PIN showing issuance of their identity and a completed KMI Users Agreement (KMI Form 004), which is maintained at the KOA.
d. The PLT1RA must review, compare, and visually inspect the user-provided ID documents in the presence of the Human User presenting them to ensure the person is who he/she claims to be, and authenticate the identity documents and sources as genuine and unaltered. The PLT1RA must also:
(1) Match the User-provided ID documents against the Evidence Information recorded by the PRM to further ensure that the person is who he/she claims to be.
(2) Match the user-provided ID documents against the name printed on the One-Time PIN document.
(3) Save an electronic image of the User-provided ID documents and the KMI Form 004 to the KMI Management Client (MGC) for retention for a minimum of seven (7) years.
(4) Only personalize a Token that shows no signs of tamper or damage.
(5) Only personalize a Token intended for KMI use and provided through KMI channels.
(6) Change the Token SO Password.
(7) Report any discrepancies or failures to the EA identified for the Human User.

323. DEVICE REGISTRATION PROCESS

During the registration process, the User Identity is initialized in the KMI for a System Entity authorized to access the KMI. The process associates a User Identifier with the identity and provides the User with the required Authentication Material associated with the Identifier Credential. Registration is designed to register and make operational both users and devices in KMI.
This is the device portion and involves a three-step process:
(a) Initialization – Records identities and identifiers in the system for both humans and devices to establish both the identifier and the authentication method.
(b) Endorsement – Independently verifies Device Identities and provides devices with the certificates and keying material needed to interact with KMI.
(c) Activation – Makes devices operationally ready by loading them with the certificates and keying material needed to perform their mission.

325. DEVICE USER INITIALIZATION

a. KMI-Aware devices will be registered to have only one global identity. Device initialization can be separated into two logical steps that are performed sequentially. The first step establishes the Device's Identity and Identifier in the KMI system and the second step loads a Transport IA(I) Type 1 certificate based on the Identity of the Device.
b. Roles required to register a Device:
(1) EA
(2) DRM
(3) Device Sponsor
(4) DLT1RA
NOTES:
1: The Device Sponsor must be an active Primary KOAM and have submitted a completed Device Sponsor Agreement, KMI Form 007, to the DRM. If the Device Sponsor is performing other roles/functions, additional training and documentation requirements may apply.
2: With a signed KMI Form 007 from another unit's KOAM and acceptance of the transferred sponsorship, the Primary KOAM can transfer the DRM sponsorship of a device. Pending establishment of an in-band process for electronic acceptance of responsibilities as the DRM for a device whose sponsorship is transferred, the transferring unit may use the KMI Form 007 (Acceptance and Acknowledgement of Responsibilities) form to document sponsorship transfers.
c. To establish a Device's User Identity/Identifier in KMI, the EA must submit a completed KMI Device Registration Form, KMI Form 006, attesting to the Device's eligibility for KMI registration, for review and submission to the DRM.
d. The DRM will then perform the following:
(1) Verify the authenticity and eligibility of the identity, i.e., the User has the right to claim the identity being registered; the User has been authorized to be registered; the identity is qualified to be registered; and the identity needs to be registered.
(2) Verify the registration request came from a valid EA. Due to the limited role exclusions set forth in KMI-related doctrine, the DRM and EA cannot be the same person for the action requested in the KMI Form 006 submitted.
(3) Retain the EA-provided KMI Form 006 electronically or in hardcopy form for a minimum of seven (7) years.
(4) Verify the device identity (serial number).
(5) Personally examine (i.e. face-to-device) the physical security integrity of the Device.
(6) Accurately enter the KMI-required registration information into the KMI system:
(a) Device Manufacturer
(b) Device Short Title
(c) Device Serial Number
(d) Information identifying the organization with operational control of the device:
1. Organization Name
2. Organizational Affiliation
3. Controlling Country
(e) Evidence (usually the EA-provided KMI Form 006):
1. Community of Interest
2. Maximum Classification
(f) Accurately enter the KMI-required information related to the EA into the KMI system:
1. Organization
2. Title
3. First and Last Name
4. Commercial Phone Number
5. Email address
6. Physical Mailing Address
7. Select the authentication method to be used for the User Identifier.
(7) Request and load the Transport IA(I) Type 1 certificate on the Device.
(8) Ensure the Device has a valid established Identity/Identifier in the KMI system.
(9) Retain the KMI Form 007 for a minimum of seven (7) years either electronically or in hardcopy form.
(10) Ensure the Device Sponsor has been properly identified in the KMI system for the device.
(11) Set the Device User's Identity Registration State and Identifier Registration State to Active.
(12) Set the Security Officer (SO) Password for the Type 1 Token (KOV-29).
NOTE: Changes to a Device User's Identity or Identifier Registration State will only be performed if the request is from an authorized EA, EA Proxy or Device Sponsor. The reason for the change, whether routine or for cause, must be annotated at the time the action is taken.
(13) At the completion of the initialization phase of identity registration, notify the EA or EA Proxy, as applicable, who requested the registration.
NOTE: Additional information related to Device Registration can be found in the Registration of KMI Operating Accounts and KMI Users and the OMM for the KMI Client Node located at the URL in Annex F.

327. DEVICE ENDORSEMENT

a. The purpose of the Endorsement phase is to provide authentication material to KMI-aware devices. Only devices authenticating with U.S. Type 1 PKI authentication material go through the device endorsement phase as part of registration. During the Endorsement phase, the DLT1RA will direct the conversion of a Transport IA(I) Type 1 certificate and the loading of an Operational IA(I) Type 1 certificate.
b. The EA must verify that all required information is reflected in Part 2 of KMI Form 006, complete Part 1 of the form, sign/date the document, and return it to the DLT1RA. This is done to attest to the Device's eligibility for endorsement in KMI.
c. The DLT1RA will perform the following:
(1) Verify that the endorsement request has been signed and dated by the EA, and that the DLT1RA is not performing the duties of the EA for the request being performed.
(2) Retain the EA-provided KMI Form 006 for a minimum of seven (7) years either electronically or in hardcopy form.
(3) Verify the device identity (Serial Number).
(4) Verify that the Device has a properly registered User Identity with an authorized KMI-Unique User Identifier.
(5) Verify that the Device has an authorized User Device Sponsor that is currently a Primary KOAM.
(6) Set the Device User's Identity and Identifier Registration state to Active.
(7) Only change the Device User's Identity or Identifier Registration State (i.e., Active to Inactive or Inactive to Active) if the request is from an authorized EA or Device Sponsor.
(8) When changing the Device User's Identity or Identifier state, record the reason for the change and designate the reason as either "routine" or "for cause".
(9) Personally (i.e. face-to-device) examine the physical security integrity of the Device.
(10) At the completion of the endorsement phase of the device registration, notify the EA who requested the endorsement.

329. DEVICE ACTIVATION

A user device other than a Token is activated upon direction by the KOAM, through the loading of the required mission certificates and keying material. The exact types of material required depend on the type of device and the supported key fill methods.

331. KMI ROLE MANAGEMENT.

a. A role is a job title in the KMI system that has a specified set of functional responsibilities within the system, can be granted one or more privileges, and can have one or more Users assigned to it.
b. KMI supports two categories of roles, one for operational management and one for administrative functions.
Operational management roles directly involve the ordering, management and distribution of products and services, or the supervision of those functions. Operational managers use U.S. Government Type 1 PKI authentication material and identifier credentials to authenticate their identity to the system, and they obtain authorizations for their actions through KMI's role-based, rule-based, and approval-based access control mechanisms.
c. Administrative management roles do not directly involve products and services, but these roles involve housekeeping tasks that need to be done to support operational managers and other authorized users. Examples of administrative functions are installing and maintaining software, configuring accounts, security auditing, and performing backup and recovery actions. Many administrative functions are common to all computing and communication platforms.
d. KMI Operational Management Roles can be categorized as either internal or external. Internal Management Roles are performed by people who are members of the central organization that controls the KMI. External management roles are performed by people who are typically members of KMI customer organizations. For operational management roles, KMI implements a procedurally rigorous enrollment process that results in the assignment of a user to one or more KMI roles. The assignment to a role grants the user the system privileges associated with the role.

333. ACCESS CONTROL MANAGERS.

Contact the SSC LANT Information Technology Assistance Center (ITAC) for KMI assistance. The ITAC personnel will open an initial ticket and assign it to the Navy KMI Help Desk for assistance/support. It is important that accounts contact the ITAC to ensure that trouble tickets are being tracked accurately. The ITAC point of contact phone numbers are as follows: Commercial: 1-877-477-2927 or 1-800-304-4636, DSN: 312-588-5550/5426.
You can also send an email to ITAC personnel at: NIPR: itac@infosec.navy.mil, SIPR: iscservicedesk.fct@navy.smil.mil. ITAC personnel are available 24 hours a day, seven days a week for assistance.

335. USER SUPPORT MANAGER.

a. In Capability Increment 2 (CI-2), the only user support manager role is the HP Service Manager/Agency Help Desk Manager.
b. Help desk support for KMI users will be provided by both service-specific and KMI-wide help desk personnel. The Service/Agency Help Desk Manager will provide organization-specific support to customers and can be reached at: (Comm): 1-843-218-3430/4662 or (DSN): 312-588-3430/4662 or via email at: SSCLANT_NAVKMI.FCM@NAVY.MIL.

337. TYPE 1 TOKEN SECURITY OFFICER – (TSO or SO)

The SO role is used in the Initialization, Endorsement and Personalization processes. SOs are authorized to clear token Audit Logs and change PINs.
a. The SO account will be created by the DRM, who will also set the SO PIN. After initialization, the DRM will provide the initialized token and SO PIN to a DLT1RA.
b. The DLT1RA will log into the token during the endorsement process as the SO. After endorsement, the DLT1RA transfers the endorsed token and SO PIN to a PLT1RA.
c. The PLT1RA will log into the token during personalization as the SO and change the SO PIN.
d. The user selects a user-unique PIN during the personalization process.

339. KOA AGENT (KOAA) – A NON-MANAGEMENT ROLE.

a. As part of KOAA registration, the KOAMs specify the credential(s) the KOAA will use to authenticate in KMI. The PRSN enforces that the new KOAA credential be unique and authorized for use with KMI. KOAAs can then authenticate to KMI using these credentials, to include username and password, KMI-authorized non-Type 1 PKI credentials or Type 1 PKI credentials.
b. KOAA registration is done within the Delivery-Only interface at the PRSN to access KMI Products and Services for the devices they support.
c. KOAAs access PRSN PDEs for the purpose of retrieving products. A KOAA is not a KMI management role; KOAAs are "designated" by KOAMs. This process creates an Access Control List (ACL) for the KOA that the KOAM oversees. The ACL contains a list of all the entities that can retrieve KMI products from the particular KOA. In this regard, KOAAs are not registered or enrolled like other KMI users, although any KMI Manager can be designated as a KOAA by a KOAM. KOAMs are automatically designated as KOAAs for their own KOA.

341. DISENROLLMENT:

a. KMI enables an Enrollment Manager (EM) to withdraw an existing assignment of a management role from a User Identity (i.e. "disenrollment" of a manager). The disenrollment action can be taken regardless of which EM originally made the assignment. Reasons for disenrollment fall into, but are not limited to, two primary areas:
(1) Eligibility Authority request
(2) Identity re-verification
b. An EA shall resubmit a KMI Form 002 to request the disenrollment. Reasons for disenrollment include when a manager leaves an organization, there is loss or suspension of security clearance, or a manager no longer needs the KMI Management privileges. After executing the disenrollment, the EM must notify the EA.

343. ENROLLMENT REVERIFICATION.

a. For each existing assignment of a User Identity to a Management Role in an Enrollment Domain, KMI will periodically (typically annually) prompt the EM at the Service Authority level in that Enrollment Domain to review and reconfirm the items below.
(1) The need for, and organizational source of authority for, the assignment.
(2) The associated RuBAC Access Set, if that Role has one.
(3) The associated RuBAC Conferral Set, if the Role has one.
If the re-verification is not performed within five business days, the user state is reflected as "inactive" and the incumbent will not be able to perform functions within the KMI.

b. The re-verification process requires the cognizant EA to reauthorize assignment of the role. An EM re-verifies each User Identity assigned to a Manager Role on an annual basis.

345. HUMAN USER REVERIFICATION.

a. Upon notification by the Personnel Registration Manager (PRM) at NSA, NCMS will notify DON personnel due for reverification if a discrepancy preventing such exists.
b. For annual enrollment reverification, the KOAM can contact the EM at NCMS for any enrollment-related concerns or discrepancies which cannot be resolved at the unit level.
c. If updates are required, an updated KMI Form 001 and/or KMI Form 002 may be required.

CHAPTER 4 – ACCOUNT ESTABLISHMENT AND PERSONNEL DESIGNATION REQUIREMENTS

401. REQUIREMENT FOR A KMI ACCOUNT.

a. An organization that requires COMSEC material must obtain such material through a Key Management Infrastructure (KMI) Operating Account (KOA) managed by a designated KMI Operating Account Manager (KOAM). When it is not possible to draw needed COMSEC material from an existing KOA, either within the organization or from an existing KOA located in close proximity, the requirement to establish a new KOA must be submitted by the requiring organization and validated by the organization's Immediate Superior in Command (ISIC).

b. Commands with a COMSEC account transitioning from EKMS to KMI must:
1. Complete the KMI Form 005 (EKMS to KMI account checklist).
2. Complete and submit the required KMI Forms 001, 002, 003 and 004 to the applicable reviewer/approving official as discussed in Chapter 3 of this manual.
3. The KMI Form 004 can be completed online but must be printed, signed and retained at the command level.
4. Each of the forms mentioned above is available from the Uniform Resource Locator (URL) located in Annex F.
5. Forms submitted as attachments must be digitally signed and encrypted with a Medium Assurance PKI token. The subject of any email containing KMI registration or enrollment data must state "This email contains information subject to the Privacy Act".

c. A Quick Reference Matrix for KMI-related forms can be found in Annex D.

403. ESTABLISHING A KMI OPERATING ACCOUNT (KOA).

a. The steps required to establish a KOA are outlined below:
1. The organization requiring a KOA must first have an account established with the COR (NCMS) in Tier 1. This is accomplished through submission of an official message (Figure 4-3) to the ISIC for review and approval in accordance with this manual.
2. The ISIC must validate the requirement for the account and notify the proper approval authorities.
3. The ISIC must certify that the requesting command is compliant with applicable physical security safeguards, including space approval for the storage of COMSEC material.
NOTE: Shore-based vaults used to store keying material that were constructed or structurally modified after 01 Jan 2013 must meet the construction requirements set forth in ICD 705.
4. The ISIC, working with the KOAM, will determine the required COMSEC material.
5. Controlling Authority approval must be obtained for symmetric (traditional) keying material before the account is validated and the account's KOA ID is added to the distribution profile (see Figure 4-2).
6. To acquire asymmetric (modern) key ordering privileges, i.e., TACLANE, HAIPE, Secure Data Network System (SDNS), Secure Telephone Equipment (STE), the activity must have a Department, Agency, Organization (DAO) code, and the personnel managing the account must be authorized ordering privileges.
7. The CO will appoint in writing a KOA Manager (KOAM) and a minimum of one (1) Alternate KOAM who meet the designation requirements set forth in Articles 405 - 409 herein. If the account HCI is TS, it is recommended that a total of three (3) Alternates be appointed. Sample Letters of Appointment can be found in Figure 4-4 (KOAM/Alternate) and Figure 4-5 (CPA/CPSO). A separate appointment letter is not required for the KOAM or Alternate if he or she is also fulfilling the role of the Client Platform Administrator (CPA); this is indicated by checking the applicable box or boxes for any additional roles the KOAM or Alternate is performing. CPAs or CPSOs must complete the Statement of Acceptance of Responsibilities form reflected in Annex I.
8. The KOAM must prepare and submit the applicable documentation outlined in the Defense Courier Service (DCS) customer service manual and provide such information to their headquarters and the Registration Authority (RA). The KOAM must also ensure the Common Account Data (CAD) is up to date in Tier 1. The DCS customer service manual is available from the U.S. Transportation Command (USTRANSCOM) web site at the URL in Annex F.
9. To pick up or deliver material to/from CMIO, the KOAM must prepare and submit a CMS Form-1. This form must be signed by the current CO, OIC, SCMSRO or other official "Acting" in such capacity. Forms signed "By Direction" will NOT be accepted. Changes in account personnel or a change of command require a new form to be completed, signed and submitted via official command letterhead or naval message. The CMS Form-1 can be found in EKMS-1 (series) and must be updated at a minimum annually, or more frequently as required.
10. Once the account is registered by the KOARM in Tier 1, the KOARM will send a digitally signed email to the In-Service Engineering Activity (ISEA).
11. The organization must complete and submit the following Central Facility (CF) forms, available from the Key Support portal: CF-1202, CF-1206 and CF-1207. See Annex F for the URL.
NOTE: For additional information and guidance related to ordering closed partition modern key and short titles managed by CPF, JCMO, CENTCOM, etc., see Annex AE to EKMS-1 (series).
12. Upon establishment of the account, SSC LANT will ship the MGC and related peripheral equipment to the KOA address listed in the establishment message.
13. Following establishment of the account and CNO validation for the AKP, CMIO will ship the AKP via DCS to the KOA. If the KOAM does not have a DCS address, CMIO will not ship either the AKP or the required tokens to the account.
14. Upon establishment of the required ordering privileges, submission of key order forms, or validation of the request from the unit, as applicable, Tier 0 will send the required certificates and keys (MSK, FF) to the KOA.
15. Following registration and installation of the MGC/AKP and related peripheral devices by SSC LANT personnel, the KOA must review and sign the applicable System Operational Verification Test (SOVT) paperwork. Any function required by the SOVT that is not demonstrated or successfully performed must be documented and reflected on the SOVT package.
NOTE: See Article 209 for guidance regarding the location of the MGC/AKP installation.
KOA ACCOUNT ESTABLISHMENT MESSAGE ROUTING (ACTION/INFO)

Addressees:
NCMS WASHINGTON DC//N3//
CMC WASHINGTON DC//C4/CY//
CNO WASHINGTON DC
COGARD C4ITSC ALEXANDRIA VA//BOD-IAB//
COMLANTAREA COGARD or COMPACAREA COGARD (as applicable)
COMMARCORSYSCOM QUANTICO VA//CINS//
ISIC
COMNAVRESFOR NORFOLK VA//01A2//
ADMIN COC
COMSPAWARSYSCOM SAN DIEGO CA//PMW161//
SPAWARSYSCEN ATLANTIC CHARLESTON SC//80P/526CS/721SR//
CMIO NORFOLK VA//N3//
CONTROLLING AUTHORITIES
DIRNSA FT GEORGE G MEADE MD//IE3/IE31//
DIR TIER1 FT HUACHUCA AZ
DIR TIER1 SAN ANTONIO TX
SERVICING COR AUDIT TEAM

Columns: USN/MSC, USNR, USCG, USMC. Legend: A = Action, I = Info, NA = Not Applicable. (Action/Info/NA designation by service for each addressee: see Figure 4-1 of the original manual.)

FIGURE 4-1

ASYMMETRIC (MODERN) KEY VALIDATION PROCESS (ALL SERVICES)
1. Asymmetric (modern) key is not automatically distributed based on an established profile and must be ordered by the account. Personnel ordering such key must be privileged to order the item(s).
2. Privileges are established through the completion, submission and approval by the Command Authority of the User Registration form (CF 1206).
3. The KOAM and a minimum of one (1) Alternate must have ordering privileges. For redundancy purposes, it is recommended that each Alternate have ordering privileges.
4. See EKMS-1 (series) Article 672 and Annex U, if required.

VALIDATION PROCESS (TRADITIONAL KEYING MATERIAL)

Service      Validation chain
MSC          COMSC; CONAUTH
USCG         ISIC; COGARD C4ITSC; CONAUTH
USMC         ISIC; TYCOM (i.e., COMMARFORPAC, COMMARFORLANT, COMMARFORRES); CONAUTH
USN (Shore)  ISIC; CONAUTH
USN (Sea)    ISIC (See Note 1); TYCOM; FLT CDR; CONAUTH (See Note 1)
For JCMO material (all services): See Note 3.

FIGURE 4-2

NOTES:
(1) The ISIC obtains Controlling Authority validation via the TYCOM and Fleet Commander.
(2) USN surface, sub-surface, and USCG surface units do not require CONAUTH validation for COMSEC material contained in the standard fleet allowance instructions such as CLF/CPF/CNE C2282.1 and COMPACAREAINST C2282.1.
(3) Requests for Joint Staff ICP Material are validated by the theater Combatant Commander after validation by the Fleet Commander, MEF, or COGARD C4ITSC.

SAMPLE KEY MANAGEMENT INFRASTRUCTURE OPERATING ACCOUNT (KOA) ESTABLISHMENT REQUEST (EDIT AS REQUIRED)

R 101830Z AUG 13 ZYB
FM PRECOMUNIT RANGER
TO CNO WASHINGTON DC
COMPACFLT PEARL HARBOR HI
INFO NCMS WASHINGTON DC
COMNAVAIRPAC SAN DIEGO CA
DIR TIER1 HUACHUCA AZ
DIR TIER1 SAN ANTONIO TX
CMIO NORFOLK VA
DIRNSA FT GEORGE G MEADE MD
SPAWARSYSCEN ATLANTIC CHARLESTON SC
BT
UNCLAS//N02280//
MSGID/GENADMIN/PCU RANGER/-/AUG//
SUBJ/KEY MANAGEMENT INFRASTRUCTURE OPERATING ACCOUNT (KOA) ACCOUNT ESTABLISHMENT//
REF/A/DOC/NCMS/-//
REF/B/LTR/COMNAVAIRPAC N321/1MAY09//
REF/C/DOC/CLF/CPF/CINCUSNAVEURINST C2282.1/-//
REF/D/GENADMIN/DIRNSA/050403ZAUG09//
NARR/REF A IS EKMS-1(SERIES) SUPP-1. REF B CERTIFIES STORAGE REQUIREMENTS AND APPROVES ACCOUNT ESTABLISHMENT. REF C IS CLF/CPF/CNE STANDARD SHIPBOARD ALLOWANCE PUBLICATION. REF D IS CONTROLLING AUTHORITY VALIDATION.//
POC/SAILOR/CTOC/DSN:123-4567/EMAIL:SAILOR(AT)CVN79.NAVY.MIL//
RMKS/1. IAW REF A, REQUEST ESTABLISHMENT OF A KOA ID TO SUPPORT OPERATIONAL REQUIREMENTS. THE FOLLOWING IS PROVIDED, AS REQUIRED:
A. COMMAND TITLE: USS RANGER (CVN-79)
B. COMMAND UIC: 12345
C. MAILING ADDRESS: USS RANGER (CVN-79) COMM DEPT FPO AP 96631
D. COMMAND PLA: PCU RANGER//OFFICE CODE//
E. ISIC AND VALIDATION REF: COMNAVAIRPAC; REF B GERMANE.
F. HCI: TOP SECRET.
G. COMMAND MEETS STORAGE/PHYSICAL SECURITY REQUIREMENTS FOR STORING TOP SECRET MATERIAL AS VALIDATED BY REF B.
H. KEY MANAGEMENT INFRASTRUCTURE OPERATING ACCOUNT MANAGER (KOAM) INFORMATION:
1. NAME (LAST NAME, FIRST NAME, MI):
2. RANK/GRADE:
3. SECURITY CLEARANCE, BASIS, AND DATE OF INVESTIGATION:
4. PHONE NUMBER COMM/DSN:
5. EMAIL ADDRESS:
6. DATE OF COMPLETION OF FORMAL KMI TRAINING:
7. DATE OF COMPLETION OF THE NSA TOKEN SECURITY OFFICER (TSO) COMPUTER-BASED TRAINING:
NOTE: PARAGRAPHS H.8 THRU H.10 ARE ONLY APPLICABLE IF THE KOAM WILL ALSO SERVE AS THE CLIENT PLATFORM ADMINISTRATOR (CPA) FOR THE ACCOUNT'S MANAGEMENT CLIENT (MGC); OTHERWISE INDICATE N/A.
8. DATE OF COMPLETION OF INFORMATION ASSURANCE TECHNICIAN (IAT) LEVEL I CERTIFICATION:
9. DATE OF COMPLETION OF THE NSA CPA COMPUTER-BASED TRAINING (CBT):
10. DATE OF EXECUTION OF THE INFORMATION SYSTEM PRIVILEGED ACCESS AGREEMENT AND ACKNOWLEDGEMENT OF RESPONSIBILITIES:
I. KEY MANAGEMENT INFRASTRUCTURE OPERATING ACCOUNT ALTERNATE (ALT. KOAM) INFORMATION:
1. NAME (LAST NAME, FIRST NAME, MI):
2. RANK/GRADE:
3. SECURITY CLEARANCE, BASIS, AND DATE OF INVESTIGATION:
4. PHONE NUMBER COMM/DSN:
5. EMAIL ADDRESS:
6. DATE OF COMPLETION OF FORMAL KMI TRAINING:
7. DATE OF COMPLETION OF THE NSA TOKEN SECURITY OFFICER (TSO) COMPUTER-BASED TRAINING:
NOTE: PARAGRAPHS I.8 THRU I.10 ARE ONLY APPLICABLE IF THE ALT. KOAM WILL ALSO SERVE AS THE CPA FOR THE ACCOUNT'S MGC; OTHERWISE INDICATE N/A.
8. DATE OF COMPLETION OF INFORMATION ASSURANCE TECHNICIAN (IAT) LEVEL I CERTIFICATION:
9. DATE OF COMPLETION OF THE NSA CPA COMPUTER-BASED TRAINING (CBT):
10. DATE OF EXECUTION OF THE INFORMATION SYSTEM PRIVILEGED ACCESS AGREEMENT AND ACKNOWLEDGEMENT OF RESPONSIBILITIES:
J. CLIENT PLATFORM SECURITY OFFICER (CPSO):
1. NAME (LAST NAME, FIRST NAME, MI):
2. RANK/GRADE:
3. SECURITY CLEARANCE, BASIS, AND DATE OF INVESTIGATION:
4. PHONE NUMBER COMM/DSN:
5. EMAIL ADDRESS:
6. DATE OF COMPLETION OF INFORMATION ASSURANCE TECHNICIAN (IAT) LEVEL I CERTIFICATION (OR IAM LEVEL I FOR USMC ACCOUNTS):
7. DATE OF COMPLETION OF THE NSA CPSO COMPUTER-BASED TRAINING (CBT):
8. DATE OF EXECUTION OF THE INFORMATION SYSTEM PRIVILEGED ACCESS AGREEMENT AND ACKNOWLEDGEMENT OF RESPONSIBILITIES:
K. CLIENT PLATFORM ADMINISTRATOR (CPA):
1. NAME (LAST NAME, FIRST NAME, MI):
2. RANK/GRADE:
3. SECURITY CLEARANCE, BASIS, AND DATE OF INVESTIGATION:
4. PHONE NUMBER COMM/DSN:
5. EMAIL ADDRESS:
6. DATE OF COMPLETION OF INFORMATION ASSURANCE TECHNICIAN (IAT) LEVEL I CERTIFICATION (OR IAM LEVEL I FOR USMC ACCOUNTS):
7. DATE OF COMPLETION OF THE NSA CPA COMPUTER-BASED TRAINING (CBT):
8. DATE OF EXECUTION OF THE INFORMATION SYSTEM PRIVILEGED ACCESS AGREEMENT AND ACKNOWLEDGEMENT OF RESPONSIBILITIES:
2. REQUIRED MATERIAL:
A. KEYING MATERIAL:
(1) AFLOAT UNITS SUBMIT REQUESTS FOR MATERIAL IAW REF C.
(2) ASHORE UNITS CONTACT ISIC, CONAUTH AND CMDAUTH, AS APPLICABLE.
B. MANUALS/EQUIP/RELATED DEVICES:
(1) AFLOAT UNITS SUBMIT REQUESTS FOR MATERIAL IAW REF C.
(2) ASHORE UNITS CONTACT ISIC AND/OR CONAUTH, AS APPLICABLE.
C. VALIDATION AUTHORITY/JUSTIFICATION: REF D GERMANE.
3. DMR: 100424
A. DURATION: PERMANENT OR TEMPORARY (IF TEMPORARY, INCLUDE DURATION)
B. SHIPPING INSTRUCTIONS:
BT

FIGURE 4-3

405. SELECTION OF KMI PERSONNEL.

Individuals selected must:
a. Meet the existing requirements of EKMS-1 (series) Articles 410, 412 and 505, with the exception of completion of the EKMS Manager COI (Art. 412.f).
b.
In addition to the requirements stated above, personnel serving as either a CPA or CPSO must also complete the training requirements and additional documentation set forth in Article 411 herein.
c. Contractor personnel will not be appointed as a KOAM or Alternate without prior approval from NCMS.
d. For specific positions requiring appointment or designation, i.e., KOAM, Alternate, CPA, CPSO, etc., sample appointment letters are contained in Figures 4-4 and 4-5.

407. MANPOWER REQUIREMENTS FOR KMI OPERATING ACCOUNT (KOA).

a. Account Composition.
1. The CO of each numbered account must appoint in writing a KOA Manager, a minimum of one Alternate, one CPA and one CPSO. For accounts with an HCI of TS, it is highly recommended that two (2) additional Alternates be appointed for redundancy during periods of leave, TAD, etc., to ensure compliance with National policy, which mandates that a minimum of two (2) formally trained personnel be assigned to the account at all times except as discussed in Chapter 6.
2. A KOAM or Alternate who is IAT Level 1 or higher certified per DoDM 8570.01 can fulfill the role of the Client Platform Administrator (CPA). If a KOAM is not fulfilling the CPA role, the DoDM 8570.01 requirement is not applicable to a KOAM or Alternate.
3. To maximize existing personnel and ensure separate oversight of security-related functions requiring separation of duties, it is recommended that commands leverage the ISSM/IAM or ISSO/IAO to fulfill the duties and responsibilities of the CPSO. Personnel appointed as an ISSM or IAM are required to be certified in accordance with DoDM 8570.01 and to have an SSBI per SECNAV M5510.30. Due to role exclusions set at the National level, a KOAM, Alternate or CPA cannot occupy the CPSO role.

b. Grade Requirements for KOAMs, Alternates, LE Issuing and Clerks.
1. Grade, length of service, and other criteria for appointment to any of the aforementioned positions are outlined in EKMS-1 (series) Articles 412 - 416.
2. Appointment letters will be signed by the current CO and will be updated within 60 days following a change of command. The use of "By Direction" is not authorized for appointing personnel or signing accounting reports requiring the CO's signature. The only acceptable alternative is for such correspondence to be signed as "Acting" by the person acting in the absence of the CO.

409. KOA MANAGER (KOAM) AND ALTERNATES.

a. KMI Operating Account Manager (KOAM) and Alternate KOAM(s). In addition to the requirements of EKMS-1 (series) Articles 410, 412 and 505, personnel identified to be a KOAM or Alternate must:
1. Successfully complete the KMI COI prior to appointment. Personnel currently appointed who have attended previous COMSEC Manager training must attend and successfully complete the formal KMI training. See Chapter 6 for guidance when training cannot be completed prior to appointment due to extenuating circumstances.
2. Execute an SD Form 572 and maintain it on file at the KOA for a minimum of ninety days from the date relieved. See Annex K of EKMS-1 (series) for the form.
3. Execute the required KMI Form 004 and retain it on file with any appointment letter for the same duration as the appointment letter. See Annex F for the URL where KMI-related forms are available.
4. If a KOAM or Alternate is also performing the duties of the CPA, then in addition to the above training requirement such personnel must complete the training and documentation requirements set forth in Article 411 herein.

411. OTHER KMI RELATED ROLES.

a.
Personnel Local Type 1 Registration Authority (PLT1RA). The PLT1RA is required to conduct face-to-face verification of all users requiring registration in the KMI, perform annual reverification of active Human Users, and personalize tokens.

b. Device Local Type 1 Registration Authority (DLT1RA). The DLT1RA is responsible for the physical viewing and reviewing of all new devices being endorsed in KMI; this includes both the endorsement and provisioning of KMI-aware devices. It is recommended that the appointed KOAM or Alternate perform the duties of the PLT1RA and DLT1RA to reduce manpower requirements. In addition to basic access requirements, personnel appointed as the PLT1RA or DLT1RA must possess a security clearance equal to or higher than the Highest Classification Indicator (HCI) of the KOA.

c. Type 1 Token Security Officer (TSO/SO).
1. This role will be performed by the KOAM and each Alternate. An individual cannot be their own TSO; however, a KOAM can be the TSO for an Alternate and vice versa.
2. TSO-specific duties, responsibilities and periodicities for the functions the TSO is responsible for can be found in the SKEY6500 (KOV-29) OSD.

d. Product Requester (if other than the KOAM/Alternate).
1. Must have a security clearance equal to or higher than the highest classification of material required or authorized to request. An interim Top Secret clearance may be granted if required, provided the incumbent has been granted a final Secret clearance that is within scope.
2. Be an E-5/GS-5 or above.
3. Successfully complete the applicable portion(s) of the KMI Management Client (MGC) COI.

e. Client Platform Administrator (CPA). The CPA is responsible for administration of computer platforms and client nodes, including the creation of user accounts for platform operators, setting platform operator privileges, and performing system maintenance functions. Personnel appointed as a CPA must:
1. Have a minimum Secret security clearance. If the role is performed by the KOAM or an Alternate, the clearance must be equal to or higher than the HCI of the account. In addition to the training required of a KOAM, such personnel must also complete the required CPA training and attain IAT Level 1 certification in accordance with DoD 8570.01 (series) within 180 days of appointment.
2. If performed by other than the KOAM/Alternate, such personnel may be military, civil service or contractor personnel employed by the U.S. Government. Regardless of affiliation (military, civil service or contractor), personnel with privileged access to a DoD computer or network must be certified in accordance with DoD 8570.01 (series).
3. Waivers related to IA certification requirements are not to be submitted to NCMS and must be handled in accordance with DoD 8570.01 (series) and applicable service-specific guidelines. NCMS will not respond to waivers of this nature.
4. Successfully complete the applicable portion of the MGC training or CBT, as applicable.
5. Complete, execute and have on file the Information Systems Privileged Access Agreement and Acknowledgement of Responsibilities form required by DoD 8570.01 (series). A sample can be found in Annex I.

f. Eligibility Authority (EA). The EA performs the required face-to-face verification on behalf of either a human or a device to ascertain that either is qualified and eligible to be registered in KMI, and that personnel requiring registration have an official duty requiring registration for the roles requested. To ensure that no disqualifying information exists and that the requesting person has an up-to-date security clearance within scope, this role will be performed at the unit level by the Commanding Officer, or he/she may designate the Security Manager, Special Security Officer (SSO), or other qualified personnel to perform the role. Minimum requirements for appointment as the EA are:
1. Meet the applicable grade and security requirements outlined in Articles 2-3 or 2-9 of SECNAV M5510.30, as applicable.
2. Complete classroom or CBT training, as applicable, when developed.

NOTE: Civil Service employees and military personnel fulfilling the positions noted in subparagraphs g - j below must have a minimum of six months of government service. For commissioned officers, this may include time served as enlisted personnel.

g. Controlling Authority (CONAUTH) Designation Requirements.
1. Due to the inherent responsibilities, required decision-making abilities and level of maturity expected of someone serving as a Controlling Authority, such personnel must be U.S. Government personnel E-7/GS-7 or selectee (as applicable) or a Commissioned Officer.
2. Contractor personnel will not perform Controlling Authority functions without an official waiver from NCMS. If requested and approved by NCMS, the scope of authority would generally be limited to ALC-7 key locally generated by the account being managed.
3. Complete the applicable Controlling Authority training via formal classroom instruction or CBT, as applicable.

h. Command Authority (CA) Designation Requirements.
1. Must have a minimum Secret security clearance within scope. If a Command Authority is also serving in any other capacity, such as a KOAM, they must meet the security, grade, training and other requirements for that position as well.
2. Must be a U.S. Government employee (military or civil service) in the grade of E-7/GS-7 or selectee (as applicable) or a Commissioned Officer.
3. Should have experience as a network planner and be knowledgeable in the establishment of DAO and partition codes and of asymmetric key supporting crypto nets, in monitoring key usage, and in recommending or directing appropriate actions in the event of a suspected or actual compromise.
4. Successfully complete the required portion of the KMI Management Client (MGC) training or CBT, as applicable.

i. Client Platform Security Officer (CPSO). The CPSO is responsible for administering and monitoring the security of client node platforms and performing audits and/or archives of security logs. Role exclusions prohibit a KOAM or Alternate from serving simultaneously as the CPSO. To reduce manpower requirements, it is recommended that the command's ISSM or ISSO perform the duties of the CPSO, since such personnel are already required to be certified in accordance with DoD 8570.01 (series) and to have an SSBI within scope per SECNAV M5510.30.
1. Personnel appointed as a CPSO with administrative privileges require a KOV-29 (token) and must possess a security clearance equal to or higher than the Highest Classification Indicator (HCI) of the account. An interim Top Secret may be granted provided the incumbent has a final Secret clearance within scope.
2. Be in the minimum rank/grade of E-5/GS-5 (or selectee) or a commissioned officer, with experience as an ISSM, ISSO, etc. The incumbent must also be knowledgeable in establishing a crypto net, monitoring key usage and determining the required actions during a compromise, and be familiar with other Information Assurance (IA) security-related functions and responsibilities.
3. Successfully complete the CPSO CBT, as applicable.
4. Complete and have on file the Information Systems Privileged Access Agreement and Acknowledgement of Responsibilities form required by DoD 8570.01 (series). A sample can be found in Annex I.
5. Complete, sign and submit the KMI Form 004 (KMI Certificate of Acceptance and Acknowledgement of Responsibilities).
6. If not already attained, personnel appointed must meet DoD 8570.01 (series) requirements within 180 days of appointment. Certifications previously attained must be current with the vendor's recertification requirements and be registered in the service-specific database used to manage and track IA certifications. Do not submit waiver requests for IA certifications to NCMS; NCMS is not the approval authority for such and will not respond to waivers of this nature.

j. KOA Registration Manager (KOARM).
1. A KOARM is responsible for maintaining registration information about KOAs.
2. The KOARM must meet the grade, security and training requirements set forth in the Process Security Doctrine (DOC 042-12).
NOTE: The EKMS Registration Authority is located at Tier 1; the person(s) performing that function should be enrolled as KOA Registration Manager and provided with an MGC and manager credentials so they can perform both functions.

k. Device Registration Manager (DRM).
1. The DRM is responsible for ensuring devices have a valid, established identifier in the KMI, for physical verification of device integrity, and for changing the status of devices from active to inactive and vice versa upon request from an EA or Device Sponsor. Existing role exclusions prohibit a DRM from also concurrently serving as a DLT1RA.
2. Personnel appointed to serve as a DRM must meet the grade, security and training requirements set forth in DOC 042-12.
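The role exclusions and clearance floors in Articles 403, 407 and 411 (KOAM/Alternate/CPA may not be the CPSO; DRM may not be the DLT1RA; no one may be TSO for their own token; PLT1RA, DLT1RA and CPSO clearance at or above the account HCI) form a static separation-of-duties rule set that can be checked before an appointment letter is signed. The following Python is an illustration added to this page; it is not part of this manual or of any KMI software. The Person and Account structures, the role labels, the clearance ordering and the two sample compositions are constructed for the example, and the interim Top Secret allowance of Articles 411.d and 411.i is not modeled.

```python
"""Separation-of-duties and clearance checks for a proposed KOA composition.

Rules are taken from Articles 403.a.7, 407.a, 411.b, 411.c, 411.e, 411.i and
411.k of this page. Example code only; not an NCMS or KMI tool.
"""
from dataclasses import dataclass, field

# Assumed clearance ordering used to compare a person against the account HCI.
CLEARANCE_RANK = {"CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass
class Person:
    name: str
    clearance: str
    roles: set = field(default_factory=set)   # e.g. {"KOAM", "CPA", "PLT1RA"}


@dataclass
class Account:
    hci: str          # Highest Classification Indicator of the KOA
    people: list      # appointed Persons
    tso_for: dict     # token holder name -> name of the TSO for that token


def _holders(acct, role):
    return [p for p in acct.people if role in p.roles]


def _meets(clearance, required):
    return CLEARANCE_RANK[clearance] >= CLEARANCE_RANK[required]


def check_account(acct):
    """Return (errors, warnings): errors break a 'must', warnings a 'recommended'."""
    errors, warnings = [], []
    by_name = {p.name: p for p in acct.people}
    koams, alts = _holders(acct, "KOAM"), _holders(acct, "ALT_KOAM")

    # 407.a.1: one KOAM, at least one Alternate, one CPA and one CPSO.
    if len(koams) != 1:
        errors.append(f"exactly one KOAM required, found {len(koams)}")
    if not alts:
        errors.append("at least one Alternate KOAM required")
    for role in ("CPA", "CPSO"):
        if not _holders(acct, role):
            errors.append(f"no {role} appointed")
    # 403.a.7: three Alternates recommended when the HCI is TOP SECRET.
    if acct.hci == "TOP SECRET" and len(alts) < 3:
        warnings.append(f"HCI is TOP SECRET; 3 Alternates recommended, found {len(alts)}")

    for p in acct.people:
        # 407.a.3 / 411.i: a KOAM, Alternate or CPA may not also be the CPSO.
        if "CPSO" in p.roles and p.roles & {"KOAM", "ALT_KOAM", "CPA"}:
            errors.append(f"{p.name}: CPSO excluded for a KOAM/Alternate/CPA")
        # 411.k.1: a DRM may not concurrently serve as DLT1RA.
        if {"DRM", "DLT1RA"} <= p.roles:
            errors.append(f"{p.name}: DRM may not also be DLT1RA")
        # 411.b: PLT1RA/DLT1RA clearance must be at or above the HCI.
        if p.roles & {"PLT1RA", "DLT1RA"} and not _meets(p.clearance, acct.hci):
            errors.append(f"{p.name}: PLT1RA/DLT1RA clearance below HCI")
        # 411.e.1: CPA needs Secret; a KOAM/Alternate acting as CPA needs the HCI.
        if "CPA" in p.roles:
            need = acct.hci if p.roles & {"KOAM", "ALT_KOAM"} else "SECRET"
            if not _meets(p.clearance, need):
                errors.append(f"{p.name}: CPA clearance below {need}")
        # 411.i.1: CPSO clearance must be at or above the HCI.
        if "CPSO" in p.roles and not _meets(p.clearance, acct.hci):
            errors.append(f"{p.name}: CPSO clearance below HCI")

    # 411.c.1: every KOAM/Alternate is a TSO, but never for their own token,
    # and the TSO for a token must be another KOAM/Alternate.
    for holder in koams + alts:
        tso = acct.tso_for.get(holder.name)
        if tso is None:
            errors.append(f"{holder.name}: no TSO assigned for token")
        elif tso == holder.name:
            errors.append(f"{holder.name}: cannot be own TSO")
        elif tso not in by_name or not by_name[tso].roles & {"KOAM", "ALT_KOAM"}:
            errors.append(f"{holder.name}: TSO {tso} is not a KOAM/Alternate")
    return errors, warnings


# Constructed samples: a compliant TS account and one that breaks several rules.
GOOD = Account(
    hci="TOP SECRET",
    people=[
        Person("KOAM1", "TOP SECRET", {"KOAM", "CPA", "PLT1RA", "DLT1RA"}),
        Person("ALT1", "TOP SECRET", {"ALT_KOAM", "DRM"}),
        Person("ISSM", "TOP SECRET", {"CPSO"}),
    ],
    tso_for={"KOAM1": "ALT1", "ALT1": "KOAM1"},
)
BAD = Account(
    hci="TOP SECRET",
    people=[
        Person("KOAM1", "TOP SECRET", {"KOAM", "CPSO"}),            # CPSO exclusion
        Person("ALT1", "SECRET", {"ALT_KOAM", "DRM", "DLT1RA"}),   # DRM+DLT1RA, low clearance
    ],
    tso_for={"KOAM1": "KOAM1", "ALT1": "KOAM1"},                   # own TSO
)

if __name__ == "__main__":
    for label, acct in (("GOOD", GOOD), ("BAD", BAD)):
        errs, warns = check_account(acct)
        print(label, "errors:", errs, "warnings:", warns)
```

The GOOD composition passes with a single warning (only one Alternate on a TS account); the BAD one reports a missing CPA, the CPSO exclusion, the DRM/DLT1RA exclusion, a DLT1RA clearance below the HCI, and a KOAM named as their own TSO.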
(SAMPLE) KEY MANAGEMENT INFRASTRUCTURE OPERATING ACCOUNT MANAGER (KOAM) APPOINTMENT LETTER

________ (DDMMYY)

From: Commanding Officer
To: (Rank/Rate/Grade, Name, and DOD ID)

Subj: APPOINTMENT AS THE KEY MANAGEMENT INFRASTRUCTURE OPERATING ACCOUNT MANAGER (KOAM) OR ALTERNATE (AS APPLICABLE)

Ref: (a) EKMS-1 (series) Supp-1
(b) DoDM 8570.01 (series)
(c) Management Client (MGC) Operational Security Doctrine (OSD)
(d) Enrollment of KMI Managers Doctrine
(e) Registration of KOAs and KMI Users Doctrine
(f) Operational Security Doctrine (OSD) for the SKey6500
(g) DoDI 1000.30

Encl: (1) KMI MGC Course of Instruction Completion Certificate
(2) Token Security Officer CBT Certificate
(3) CPA CBT Certificate (Note 1)
(4) Information Assurance Technician (IAT) Level 1 Certificate (Note 1)
(5) Information System Privileged Access Agreement and Acknowledgement of Responsibilities Form (Note 1)

1. In accordance with reference (a), you are hereby appointed as the KOAM or Alternate KOAM for this command.
2. KOA account number: ____________.
3. Date and location of completion of the KMI formal course of instruction, or Date-Time-Group (DTG) of the NCMS waiver approval if not previously completed (See Note 2): ____________.
4. Security clearance data:
a. Clearance level: ____________.
b. SCI eligible and date (See Note 3): ______.
c. Date and type of the most recent investigation: ____________.
5. Additional KMI roles, not prohibited by policy, held by the appointee (check each that applies):
___ CPA (Notes 1, 4)
___ DLT1RA
___ DRM
___ PLT1RA
___ TSO (Note 6)
6. You will familiarize yourself with references (a) - (f) to ensure compliance in your execution of duties for the roles to which you are appointed.
_________________________________ (Signature of Commanding Officer) NOTES: (1) Enclosures (3) – (5) are only required if the KOAM or Alternate, as applicable are fulfilling the role of the CPA. (2) Appointment prior to completing formal training requires a waiver from NCMS. See Articles 409, 601 and Annex H of this manual if operational requirements and extenuating circumstances prevent completion prior to appointment. (3) If the account is validated for SCI/SI material, the KOAM/Alternate must be SCI eligible otherwise insert “NA”. (4) See Article 409.a above for additional training and documentation requirements if a KOAM or Alternate is fulfilling the role of the CPA. (5) Role exclusions set forth at the National level prohibit a KOAM, Alternate or CPA from serving concurrently as the CPSO. (6) Each KOAM/Alternate will be a TSO but cannot be the SO/TSO for the token held by/issued to them self. Figure 4-4 UNCLASSIFIED//FOR OFFICIAL USE ONLY 4-18 UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1 (SAMPLE) KEY MANAGEMENT INFRASTRUCTURE (KMI) OPERATING ACCOUNT (KOA) CLIENT PLATFORM ADMINISTRATOR (CPA) OR CLIENT PLATFORM SECURITY OFFICER (CPSO) APPOINTMENT LETTER ________ (DDMMYY) From: Commanding Officer To: (Rank/Rate/Grade, Name, and DOD ID) Subj: APPOINTMENT AS THE KEY MANAGEMENT INFRASTRUCTURE OPERATING CPA OR CPSO (AS APPLICABLE) Ref: (a) (b) (c) (d) (e) (f) (g) Encl: (1) (2) (3) EKMS 1(series) Supp-1 DoDM 8570.01(series) Management Client (MGC) Operational Security Doctrine Enrollment of KMI Managers Doctrine Registration of KOAs and KMI Users Doctrine Operational Security Doctrine (OSD) for the SKey6500 DoDI 1000.30 CPA or CPSO Computer-Based Training (CBT) Certificate (as applicable) Information Assurance Technician (IAT) Level 1 Certificate Information System Privileged Access Agreement and Acknowledgement of Responsibilities Form 1. 
In accordance with references (a) and (b), and based on verification of enclosures (1) – (3), you are hereby appointed as the CPA or CPSO, as applicable, for this command.

2. KOA account number: ____________.

3. Date and source of training in which IAT Level 1 certification was attained: ____________.

4. Security clearance data:
a. Clearance level: ____________.
b. Date and type of security investigation: ____________.

5. You will familiarize yourself with references (a) – (f) to ensure compliance in your execution of duties.

_________________________________
(Signature of Commanding Officer)

Figure 4-5

CHAPTER 5 - DUTIES AND RESPONSIBILITIES OF THE KEY MANAGEMENT INFRASTRUCTURE OPERATING ACCOUNT (KOA) MANAGEMENT PERSONNEL

501. KOA MANAGEMENT PERSONNEL.

a. KOA Managers/Alternates will:

1. Generate, manage and distribute local symmetric products, and maintain KOA administrative information in KMI, with the exception of centrally managed data elements such as the account’s Highest Classification Indicator (HCI).
2. Request that the cognizant KOA Registration Manager add or remove KOA Managers from the list of KOA Managers for the KOA.
3. Add, modify, or remove KOA Agents from the list of authorized KOA Agents (LE) for the KOA.
4. Add, modify, or remove KMI-aware End Cryptographic Units (ECUs) from the KOA’s Device Distribution Profile (DDP).
5. Add, modify, or remove KMI-aware ECUs/fill devices from the locally maintained fill groups.
6. Add, modify, or remove key products for ECUs/fill devices in the locally maintained fill groups.
7. Activate ECUs for seed key conversion.
8. Upload new credentials for seed key conversion.
9. Associate short title(s) with Over-The-Network-Keying (OTNK) ECUs for ECU-initiated key retrievals.
10. Cancel short title/ECU associations, when required.
11.
Upload encrypted keying material for fill devices and ECUs to the PRSN for retrieval by authorized KOA Agents.
12. Manage encrypted keying material held at the PRSN for download by KOA Agents and KMI-aware ECUs.
13. Associate short titles with a benign fill/encrypted fill ECU for automated encrypting of routinely superseded key.
14. Download encrypted key into a fill device for an authorized KOA Agent.
15. Review reports related to tracked and accountable events associated with the KOA.
16. Review Device Distribution Profiles (DDPs) through comparison of the assignment of ECUs to key products.
17. Conduct periodic reviews of the tailored Product Ordering Catalog, as required.
18. Report any compromise or potential compromise involving KMI products.
19. Perform required accounting transactions to effectively manage the KOA and ensure proper accountability of material.
20. Verify and maintain status information on KMI products held, used, or for which they are responsible.
21. Conduct and document a visual inspection of the AKPREINIT Flash Drives (or NSA tamper-evident bags), AKP and KVM Switch (if installed) for any signs of damage or tamper, as discussed in Chapter 2 herein.
22. Review the account’s Transaction Status Log weekly and report any anomalies or unexplained activity to the CPSO.
23. Create and offload backups at a minimum of weekly for large accounts and monthly for small accounts.
24. Archive accounting data every six (6) months, or as often as necessary for an active MGC. Retain archived accounting data for 2 years or until the next COR Audit, whichever comes first.
25. Send, out of band, an exact copy of archived accounting data on a CD or DVD to the CSN within 30 days of the archive.
The media must be labeled with a red SF-707 (SECRET) label, shipped via a method approved for SECRET collateral information, and include the KOA ID, the beginning and ending dates of the accounting data, and the name of the KOAM who archived and offloaded the accounting data. Archived records must not be modified or deleted during the retention period or when duplicated for shipment to the Configuration Manager. The inner/outer mailing address for archived accounting data is:

DIRNSA
Suite 6298
Configuration Manager, Y2D4222
9800 Savage Road
Ft. Meade, MD 20755

26. Connect to the KMI Storefront and obtain an updated Certificate Revocation List (CRL) at a minimum of every six (6) months.
27. Ensure the KOAM turnover checklist is completed by the outgoing Manager, witnessed by the incoming Manager, and retained on file per Annex M to EKMS-1(series).
28. Additional duties and responsibilities can be found in the OSD for the MGC, the KMI Enrollment Policy, and EKMS-1(series) Article 455.

b. Personnel Local Type 1 Registration Authorities (PLT1RA) will:

1. Perform personalization of Type 1 Tokens.
2. Initiate certificate requests and download Type 1 Certificates onto a token.
3. Record evidence used in the face-to-face verification of the identity of a Type 1 Human Subscriber, and perform annual re-verification of Human Users in an active state through examination and verification of current evidence based upon the original evidence resubmitted by the EA, in accordance with the Type 1 Certificate Policy (Type 1 CP), the KMI Enrollment Policy, or the Operational Security Doctrine, as required.
4. Review and maintain the Registration Data of Human Identities associated with Type 1 Certificates at a minimum of annually, or more frequently as required.
5. Report any compromise or potential compromise involving KMI products.
6. Perform revocation actions for Type 1 Certificates.
7.
Change the Token SO Password.
8. Verify and maintain status information on KMI products.
9. Be familiar with and adhere to the applicable Operational Security Doctrine for the MGC, the sKey6500 Token (KOV-29), and KMI Enrollment Policies.

c. Device Local Type 1 Registration Authorities (DLT1RA) will:

1. Perform endorsement of KMI-aware devices.
2. Authorize conversions of IA(I) and Key Encryption Infrastructure (KE(I)) certificates.
3. Record evidence of verification of the existence and condition of KMI-aware devices.
4. Record and maintain evidence of initial and periodic re-verification of endorsed devices.
5. Report any compromise or potential compromise involving KMI products.
6. Perform revocation actions for Type 1 certificates.
7. Verify and maintain status information on KMI products.
8. Be familiar with and adhere to the applicable Operational Security Doctrine for the MGC, the sKey6500 Token (KOV-29), and KMI Enrollment Policies.

d. Product Requesters will:

1. Ensure timely submission of orders for asymmetric products, specifying DAO, partition codes and delivery instructions for accounts, to meet operational requirements.
2. Specify and modify production and delivery priorities for standing orders.
3. Modify the ADP associated with product orders, when validated.
4. Review, cancel and manage, as applicable, product orders, tracking information related to KMI products, tailored product ordering catalog data, and partition or DAO code data and descriptions.
5. Report any compromise or potential compromise involving KMI products.
6. Request that the PRSN and PSN, as applicable, temporarily or permanently cease distribution of products under their cognizance.
7. Review, update and manage status information for KMI products.
8.
Perform duties as a Command Authority, Controlling Authority or both, as required, as discussed in Articles 103, 501, 709 and Chapters 4, 9 and 10 of this manual.
9. Additional duties and responsibilities may be further defined in both the KMI Enrollment Policy for Managers and the Operational Security Doctrine for the MGC.

e. Client Platform Administrators will:

1. Perform software installations and upgrades.
2. Establish and maintain Microsoft Windows user accounts and configure accounts and privileges on the Client Host.
3. Assign database privileges to the KOAM and Alternates.
4. Configure and maintain the Client Host in accordance with applicable configuration management and security guidelines.
5. Perform required maintenance actions on the Client Host, including offloading of backups to removable media.
6. Properly label, safeguard and store backup media when offloaded from the MGC to prevent loss or unauthorized access.

NOTE: Full system backups created locally and stored on media must be brought into CMCS accountability by the KOAM through generation and submission of a possession report.

7. Perform system recovery actions, when required. The use of any database backups or AKPREINIT drives older than 7 calendar days must be reported as a Practice Dangerous to Security (PDS) in accordance with Chapter 9.
8. Install, document and report Information Assurance Vulnerability Advisory (IAVA) compliance to the ISSM or CPSO, as applicable. Installation of IAVA patches posted by NSA to the Product Availability Library (PAL) does not require NCMS or SSC approval.
9. Install antivirus software and configure the client for virus definition updates in accordance with applicable configuration guidance.
10. Run periodic health tests on the MGC, when required.
11.
Be familiar with and adhere to the guidance contained herein and in the Operational Security Doctrine for the MGC.
12. Complete, execute and have on file the Information Systems Privileged Access Agreement and Acknowledgement of Responsibilities form required by DoD 8570.01M. A sample can be found in Annex I.

f. Client Platform Security Officers will:

1. Conduct audit data reviews and archives, and retain archived audit data for 2 years or until the next COR Audit, whichever comes first.
2. Perform security monitoring of the Client Host.
3. Perform security administration of the Client Host, to include review of the Client Host audit data, the AKP audit data, and Public Key Infrastructure (PKI) audit data.
4. Verify IAVA compliance at a minimum of semi-annually, in conjunction with the Client Host audit, and report compliance via NIPRNet email, including the KOA number and IAVA status (Month/Year), to: KMI_Compliance@nsa.gov.
5. Ensure proper labeling, safeguarding and storage of audit data backups to prevent unauthorized access.
6. Offload, label and safeguard optical media storing audit data, and delete all previously archived audit logs, as required. The logs must be verified to have been successfully written to optical media prior to clearing the logs.
7. Send an exact copy of the archived audit data to the Central Services Node (CSN) within 30 days of archiving, via an approved method for SECRET collateral information in accordance with SECNAV M5510.36. The media used must be labeled with a red (SF-707) SECRET label and identify the MGC KOA ID, the beginning and ending dates of the audit data, and the name of the CPSO who archived and offloaded the data. The mailing address for the CSN is:

DIRNSA
Suite 6298
Configuration Manager, Y2D422
9800 Savage Road
Fort George G. Meade, MD 20755

8.
Be responsible for verification and continuity of security audit data.
9. Provide oversight regarding the control and configuration of security resources and settings for the Client Host.
10. Export the AKP diagnostic history log (DHL) at a minimum of every six months, or when notified by the system that the log is 80% full.
11. Review the DHL within 10 working days of exporting it to the Client Host, and clear the log afterwards.
12. Verify the BIOS password each time an audit archive is performed.
13. Perform health tests on the AKP, as required.
14. Perform additional duties and responsibilities outlined in the Operational Security Doctrine for the MGC and the Type 1 Certificate Policy (CP), as applicable.

g. Controlling Authorities will:

1. Request the creation or deletion of short titles for symmetric key products.
2. Define the intended application or use of keying material under their purview.
3. Promulgate effective and supersession dates for keying material under their purview and disseminate such information to all validated KOAs.
4. Designate short-title orders as either standing or aperiodic.
5. Approve, disapprove and maintain a listing of Product Requesters authorized to order a specific product.
6. Verify and maintain KOA registration data and credentials.
7. Perform an annual review of short titles under their cognizance to determine if the material is still required and if the accounts validated for the material are accurate and up to date.
8. Specify secondary approval for a product, when required.
9. Approve symmetric key orders when submitted by authorized Product Requesters.
10. Evaluate COMSEC Incidents for products under their cognizance. This includes initiating compromise recovery actions, determining when an Emergency Supersession is warranted, and notifying all KOAs validated for the material involved.
11.
Approve and disapprove product requests to transfer products under their cognizance, as well as cancel orders no longer required.
12. Order future editions of symmetric products (aperiodic orders).
13. Create, modify and manage Account Distribution Profiles (ADPs) for symmetric products.
14. Specify and modify the requested production and delivery priorities for standing orders.
15. Direct the PRSN and PSN, as applicable, to temporarily or permanently cease distribution of products under their cognizance.
16. Additional duties and responsibilities of a Controlling Authority may be found in Annex C to EKMS-1(series).

h. Command Authorities will:

1. Request assignment and/or removal of Department Agency Organization (DAO) and Partition codes, as applicable.
2. Approve, disapprove and maintain a listing of Product Requesters authorized to order asymmetric products for Partition and DAO codes under their cognizance.
3. Perform an annual review of Product Requesters authorized to place orders for DAO or Partition codes under their cognizance, to validate both the requirement and the personnel authorized to place orders.
4. Review and maintain partition code data and DAO codes and descriptions.
5. Additional duties and responsibilities can be found in the KMI Enrollment Policy for Managers and Annex U to EKMS-1(series).

i. KOA Registration Managers (KOARM) will:

1. Ensure the proper and timely registration of the KOA.
2. Ensure the User Sponsor submits a request for a KOA and the equipment required by the KOA.
3. Connect to the PRSN and establish the KOA within the KMI by translating the KOA to the previously established EKMS account number, unless the account is new and did not previously have an EKMS account.
4. Add, modify or maintain accurate KOA registration data.
5.
Associate the AKP with a KOA and a respective KOAM with the KOA.
6. Assign KOAMs to a KOA.
7. Add, assign or remove RuBAC access sets to KOAs and RuBAC attribute values in a RuBAC access set.
8. Review/verify KOA registration data and credentials.
9. Replace a KOA’s Primary KOAM with another KOAM.
10. Query and manage status information, as required.
11. Review, be familiar with and comply with the KMI Enrollment Policy for Managers.

NOTE: Additional duties and responsibilities of the KOARM are outlined in the Operational Security Doctrine for the MGC, the sKey 6500 (Token) and the KMI Registration and Enrollment Policies.

j. Device Registration Managers will:

1. Register a User Identity for a respective User Device.
2. Establish new Device User identities in an active or inactive state, as required.
3. Initialize KMI-aware ECUs and User Devices.
4. Request initial seed keying material for KMI-aware ECUs/devices.
5. Request non-KMI Unique User Identifiers.
6. Register a User Identity for a User Set consisting entirely of User Devices.
7. Record and maintain evidence of identity eligibility and authenticity.
8. View, add or modify, as applicable, Device User registration data.
9. Add, assign or remove RuBAC Access sets to KOAs and RuBAC attribute values in a RuBAC access set.
10. Report any compromise or potential compromise involving KMI products.
11. Verify and maintain status information on KMI products.
12. Review, be familiar with and comply with the applicable Operational Security Doctrine for the MGC, the sKey 6500 (KOV-29), and KMI Enrollment Policies.

k. Enrollment Managers will:

1. Create enrollment sub-domains.
2. Enroll and disenroll KOAMs.
3. Assign the singular identity of a human user to a Manager role.
4. Assign either a group or shared identity, as applicable, of a user set of human users to a Manager role.
5.
Record evidence of identity eligibility and authenticity, as well as re-verification, when required.
6. Assign RuBAC access and Conferral sets to KMI Managers (e.g. EM, DRM and KOARM).
7. Add or remove an attribute value in both RuBAC Access and Conferral sets, as required.
8. Review, manage and maintain registration and enrollment data, as applicable.
9. Verify and maintain status information on KMI products.
10. Review, be familiar with and comply with the applicable Operational Security Doctrine for the MGC, the sKey 6500 (KOV-29), and KMI Registration and Enrollment Policies.

l. Legacy Catalog Manager (LCM). The LCM will:

1. Ensure timely updating of the KMI product ordering data based on CONAUTH and CMDAUTH direction.
2. Keep the KMI Product Ordering Catalog current with the legacy Electronic Key Management System (EKMS) for all Traditional (Symmetric) Key Short Titles and Distribution Management.

CHAPTER 6 - EDUCATION, TRAINING, AND CMS COR AUDITS

601. TRAINING REQUIREMENTS.

a. Personnel assigned as a KOAM or Alternate must successfully complete formal training prior to appointment and assumption of duties in order to be enrolled in KMI. The incumbent must be enrolled to obtain the KOV-29 (token) required for the role. The EA completing and submitting the form on behalf of the member is responsible for verifying completion of the training prior to submission of the form.

b. When attendance at training is not possible due to extenuating circumstances such as hospitalization, unplanned loss, death, or immediate Relief for Cause of Account personnel, etc., the EA is still permitted to complete the KMI Form 002 if an official waiver to the formal training requirement has been granted by the Service Authority (NCMS).
Waivers of this nature must be submitted to NCMS via record message and must include the unit’s ISIC, TYCOM and servicing COR Audit Team. A sample waiver request can be found in Annex H. NCMS may authorize a waiver of up to 90 days for a KOAM and 180 days for an Alternate to complete formal training. If granted, the EA will annotate on the KMI Form 002 the originator and DTG of the Service Authority waiver, and will submit a copy with the KMI Form 002.

c. The above flexibility, set forth at the National level, is not intended to accommodate administrative matters such as regular leave, stand-downs, etc. when training is otherwise available. Commands must ensure reviews of manning documents are conducted prior to personnel transferring or separating, to enable early identification of a replacement and to ensure the prospective KOAM or Alternate meets designation requirements for the position, including completion of formal training.

d. Personnel appointed, registered and enrolled based on a Service Authority waiver will not have a Windows user account on the MGC and will only be permitted access to the MGC/AKP in the role of a "witness" for TPI purposes. Personnel appointed under a Service Authority granted waiver must also review and understand the Two-Person Integrity (TPI) section of Lesson 25, "KMI MGC Operator Training Key Distribution".

e. A KOAM or Alternate performing the duties of the Client Platform Administrator (CPA) must be Level 1 Information Assurance Technician (IAT) certified within 180 days of assignment to IA duties, in accordance with DOD 8570.01M.

f. In organizations where the roles and duties of the CPA are performed by other appointed, cleared and certified personnel, the KOAM or Alternate are not required to be Level 1 IAT certified.

g.
IAT Level 1 certification can be attained by successfully passing the CompTIA A+, CompTIA Network+, or (ISC)2 System Security Certified Practitioner (SSCP) examination. See Appendix 3 to DoD 8570.01(Series) for additional information.

h. The command or service Designated Approval Authority or Authorizing Official (DAA/AO), not NCMS, may grant IA certification waivers consistent with the criteria and time limitations set forth in DoD 8570.01M. NCMS will take no action on IA certification waivers received.

i. The KMI Interactive Courseware (ICW) is a prerequisite for attendance at the formal KMI Manager COI. It is available on the Total Workforce Management System (TWMS), the My Navy portal, the Navy Information Application Product Suite (NIAPS) server for afloat units, and Navy E-Learning (NEL) ashore and afloat. Completion of the COI on the NEL must be on the same side (ashore or afloat) on which the ICW is started. A minimum score of 80% or better is required to successfully complete the ICW. All COR Auditor personnel are also required to complete the ICW prior to appointment. The course must be successfully completed every 3 years for active COMSEC Account Managers and COR Auditor personnel. The course can be completed via a government computer or a personal computer with a valid CAC card and reader. Minimum hardware and software requirements: Windows 7 or higher, IE 11, Adobe Flash Player, Adobe PDF Player and Active Card reader for the CAC card reader.

j. A quick reference matrix reflecting training requirements can be found in Figure 6-1.

603. KEY MANAGEMENT INFRASTRUCTURE (KMI) MANAGEMENT CLIENT (MGC) COURSE OF INSTRUCTION (COI).

GENERAL. All automated accounts must have a minimum of two formally trained MGC operators at all times.
Should unforeseen circumstances result in the absence of all trained operators, the account must discontinue processing automated transactions immediately and report that fact to NCMS. In such a scenario, the account must revert back to manual accounting operations until a minimum of two formally trained personnel are available and appointed in writing, unless a waiver has been requested from and granted by NCMS as discussed above.

a. KMI Operating Account Manager (KOAM) Course of Instruction (COI). The KOAM COI is 15 days and is intended to train KOAMs, Alternates and COR Auditors on use of the MGC suite to perform basic account management functions, including distribution, destruction, issuance, and transfer of COMSEC material. This training also addresses how to register, initialize, endorse, activate, and enroll both users and KMI-Aware devices in the KMI system. The target audience for the COI is those whose official duties in the following roles require access to and use of the MGC/AKP, including:

(1) KOA Managers
(2) Controlling Authority (CONAUTH)
(3) Command Authority (CMDAUTH)
(4) Product Requester (PR)
(5) Device Registration Manager (DRM)
(6) Device Local Type 1 Registration Authority (DLT1RA)
(7) Personnel Local Type 1 Registration Authority (PLT1RA)
(8) Token Security Officer (TSO)
(9) Legacy Catalog Manager (LCM)

It is highly recommended that KOAMs scheduled to attend training have prior experience in most, if not all, of the following areas prior to attendance:

(1) Experience as a COMSEC Account Manager and knowledge of DON COMSEC policy.
(2) Proficiency and understanding of the Microsoft Windows-based operating system.
(3) Familiarity with the use of ancillary fill devices, i.e. SKLs, TKLs, etc.
(4) Knowledge, experience and understanding of the use of Public Key Infrastructure tokens/certificates for managing access to DoD systems.
(5) Knowledge and experience configuring and/or maintaining a High Assurance Internet Protocol Encryptor (HAIPE) device.

NOTE: With the exception of unforeseen circumstances (i.e. death, extended TDY, relief for cause, etc.), it is not recommended that individuals with less than six (6) months remaining in their present assignment be appointed as a KOAM. This avoids unnecessary expenditure of funding for required training, including attainment of applicable 8570.01 certification, and promotes continuity in account management.

605. KMI TRAINING LOCATIONS.

a. Formal KMI training is available in each of the fleet concentration areas and Marine Expeditionary Force (MEF) locations reflected in Article 305 to EKMS-1(series).

b. Attendance criteria: Attendance at the KOAM COI is restricted to personnel who meet the same grade, security and length of service requirements outlined in EKMS-1(series) Article 305. Additionally, prospective students must be appointed to positions requiring attendance. This training is not for LE personnel, KOA Agents (unless the incumbent is also a KOAM), CPAs or CPSOs.

609. ADDITIONAL KOAM TRAINING REQUIREMENTS.

a. If a KOAM or Alternate is also performing the duties of the Client Platform System Administrator (CPA), such personnel must also:

1. Be certified at a minimum as an Information Assurance Technician (IAT) Level 1 in accordance with DOD 8570.01M.
2. Complete the CPA computer-based training. See Annex F for the URL.
3. Complete the required Information System Privileged Access Agreement and Acknowledgement of Responsibilities form required by DoD 8570.01M. A sample can be found in Annex I.

b. In organizations where the roles and duties of the CPA are performed by other appointed and properly trained and cleared personnel, the KOAM or Alternate is not required to be IAT Level 1 certified.

c.
Personnel appointed as a CPA with administrative privileges are performing those duties within the computer environment and must meet Information Assurance Technical (IAT) Level 1 training or higher.

d. Personnel performing IA functions must obtain one of the certifications required for the IAT position to which they are assigned. IAT Level 1 certification baseline requirements can be met by successful completion of any one of the following:

(1) CompTIA A+
(2) CompTIA Network+
(3) (ISC)2 System Security Certified Practitioner (SSCP)

e. Personnel performing duties as the TSO must complete the computer-based training reflected in Annex F.

611. PERSONNEL QUALIFICATION STANDARDS (PQS).

a. All military personnel, except those assigned to USCG and USMC accounts, appointed or designated as KOA Managers, Alternates, KOA Agents/LEs Issuing and LE Using, must complete the applicable portions of the latest version of NAVEDTRA 43462 (EKMS or KMI, as applicable) PQS for the position they are fulfilling. The PQS can be obtained from the Navy Knowledge Online (NKO) Portal.

b. Although PQS is not required for civil service employees, due to the outsourcing of COMSEC account management duties at many shore commands, Commanding Officers may, at their own discretion, require all personnel with access to COMSEC material, including civil service employees and contractors, to complete PQS for the respective position appointed, i.e. Manager, LE Issuing or LE Using, as applicable. If required for civil service employees, the requirement should be documented in the employee’s Position Description (PD) and Performance Appraisals, and also written into the command’s local COMSEC policy and any related LOAs/MOUs for external LEs supported, as applicable.

613. CMS COR AUDITS.

a. CMS COR Audits will be conducted on a biennial basis by the COR Audit Teams or other CMS COR Auditors certified by NCMS.

b.
CMS COR Auditors must meet the criteria set forth in EKMS-3(series).

c. The criteria related to incidents, PDSs and administrative discrepancies found in EKMS-3(series) will remain in place in assessing the health and management of the account.

KMI TRAINING MATRIX (Figure 6-1)

Columns: Role; ICW; Formal Training Required; CBT for Role; PQS; DoD 8570.01 (IAT Level 1); Remarks.

Roles covered: Command Authority; Controlling Authority; CPA; CPSO; DLT1RA; KOAA/LE Personnel; KOAM; PLT1RA; TSO; COR Auditor.

Rows legible in this copy:
TSO: ICW No; Formal Training NA; CBT for Role TSO; PQS NA; DoD 8570.01 No, unless performing as a CPA or other non-KMI related position with privileged access requiring such.
COR Auditor: ICW Yes; Formal Training Yes; CBT for Role Yes; PQS Yes; DoD 8570.01 Yes, only if performing a role requiring certification.

Other entries appearing in the matrix (column placement not recoverable from this copy): "CPA & TSO CBT if serving as either"; "NAVEDTRA 43462-2 (304 section)"; "When developed for KMI"; "Yes, only if also serving as a KOAM serving as a CPA. No, if serving as a KOAM but the CPA role is fulfilled by other cleared and certified personnel"; "No, unless performing as a CPA, CPSO or other non-KMI related position with privileged access requiring such."; "Yes, only if performing as a CPA".

Remarks: The CPA, CPSO and any other non-KMI duty requiring privileged access requires a Privileged Access Agreement to be executed by the incumbent (See Annex I).

“R” indicates recommended; not mandated. Not included herein are external roles performed by CMIO, NCMS and SPAWAR.
** Personnel performing duties as a Controlling Authority must also complete the NSA Controlling Authority CBT.

Figure 6-1

CHAPTER 7 – ACCOUNTING AND ACCOUNTING FUNCTIONS

701. ACCOUNTING (GENERAL).

a. All COMSEC material is accountable.

b.
COMSEC material is accountable based on its assigned Accountability Legend Code (ALC).

c. ALC-1, 2, and 6 material is accountable to the Central Office of Record (COR). ALC-4 and 7 material is locally accountable after initial receipt. Regardless of ALC, all COMSEC accountable material will be accounted for and managed within the MGC. In addition to CHVP products, other non-COMSEC accountable items cannot be accounted for in the MGC Product Inventory and, if discovered, must be documented in accordance with Chapter 9 of this manual.

d. With the exception of CIKs or other locally accountable materials that do not possess a CMCS/KMI-wide recognizable Short Title, the movement of all COMSEC material into, within and out of an account is the responsibility of the KOAM and Alternates and will be documented with appropriate documentation produced from the account’s MGC.

e. Manual accounting is only permitted (a) for items that cannot be accounted for in the MGC environment (as discussed above); (b) at the LE Issuing level; or (c) when operationally necessary to issue physical material while the account’s MGC is not operational due to a system casualty, or when the account must revert to manual accounting due to non-availability of formally trained account management personnel.

f. If during any inventory a classified COMSEC accountable item or Controlled Cryptographic Item (CCI) is discovered that is not being accounted for, or an item cannot be found, a COMSEC incident report is required in accordance with Chapter 8. The loss or finding of unclassified material not marked or designated CRYPTO, or not CCI, must be documented and reported in accordance with Chapter 9.

g. Found or missing material MUST be brought into proper accountability or relieved from accountability through the use of a Possession or Relief from Accountability Report, as applicable.
These reports will NOT be used without written prior approval to do so from NCMS when related to a COMSEC UNCLASSIFIED//FOR OFFICIAL USE ONLY 7-1 UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1 incident or Reportable PDS. h. All destruction, generation, possession, relief from accountability and transfers involving ALC-1, 2, and 6 material must be reported to the COR, Tier-1 or PRSN, as applicable. i. Transaction logs will be printed, closed out annually and retained for the current and previous (2) years. j. Cryptographic High Value Products (CHVP) products are not COMSEC accountable and cannot be accounted for in the MGC Product Inventory. If acquired, they must be locally accounted for as high-value government property. When keyed, they must be safeguarded based on the level of the key loaded but are unclassified if the CIK is removed and stored separately, if the device makes use of CIKS. See CNSSI 4031 for additional information on CHVP products. 703. OVERVIEW OF MGC ACCOUNTING FUNCTIONS. KMI provides accountability and tracking services compatible to those used to manage and account for COMSEC material in the COMSEC Material Control System (CMCS) using previous automated systems but with additional enhancements. KMI will improve accountability and security as well as reduce manpower requirements associated with inventory requirements by tracking products directly delivered to ECUs and not to an account for issuing to LE personnel. a. The MGC will provide for automated accounting for both physical and electronic COMSEC material, including keying material, authenticators, operating and maintenance manuals (KAOs/KAMs), Controlled Cryptographic Items (CCI) and other COMSEC items requiring accountability within the KMI. 
Some of the accounting functions, features or processes provided by the MGC include an Accountable Item Summary, Transaction Status Log, Inventory Reports, Reconciliation, Material Issues, Transfers, Destruction, Generation, Tracer Notifications, Conversion Reports, and Possession and Relief from Accountability Reports.

b. DON entities will continue to operate with Tier 1 performing COR-related functions, including the processing of transactions reported.

705. MANAGEMENT OF COMSEC MATERIAL IN AN ORGANIZATION.

a. Receipting for COMSEC Material.

1. Personnel receipting for COMSEC material must be authorized access to COMSEC material; have a security clearance equal to or higher than the HCI of the account; be SCI eligible (if the account is validated for SCI/SI material); be properly trained; be appointed in writing; complete an SD Form 572; be on the CMS Form-1 or USTC Form-10 for the account, as applicable; and have written authorization (official command letter or Courier Card).

2. If the account HCI is TS, two personnel will conduct all material pickups from DCS, regardless of whether the account receives little, if any, physical TS material. NCMS will not waive this; if the account has no requirement for TS material, the KOAM should consult with their chain of command and NCMS to consider changing the HCI of the account to Secret.

3. COMSEC material picked up or dropped off must be transported directly to or from the command and be properly safeguarded at all times until properly stored, or signed for when material is turned in. Delays or stops, except for emergencies, are strictly prohibited.

4. Use of a POV is highly discouraged; to the fullest extent possible, government vehicles should be used.

5. Physical material, including keying material, code books, authenticators and CCI equipment, will be visually inspected upon receipt and page checked (unsealed books and/or amendments), and the accounting information will be verified against the related transfer documentation. See Annex E for page check requirements.

6. Discrepancies with accounting reports must be corrected and reported to the originator of the shipment within 24 hours. Hard copy documentation must be manually corrected by the recipient, and the "select exceptions" or similar function in the MGC must be used when processing electronic receipts to prevent receipting for material either not received or not as reflected on the associated accounting reports.

7. Receipts for material, or the reporting of corrupt Bulk Encrypted Transactions (BETs), must be reported to the COR and originator of the transfer within 3 business days of receipt of the material or downloading of the BET. Non-compliance with the 96 hour time frame must be documented in accordance with Chapter 9.

8. Material received with a damaged outer wrapper will be documented in accordance with Chapter 9. Material received in which the inner wrapper, box or material itself is damaged or could have been tampered with must be reported in accordance with Chapter 8.

b. Issuance of COMSEC Material on a Local Custody Basis.

1. All COMSEC material not physically held or reflected as "on hand" at the account level must be documented with a local custody document. When such an issue occurs outside an automated environment, a manual SF-153 will be used.

2. Issuances of material outside the MGC/AKP environment will not be conducted except by a LE Issuing, or for physical material issues when the account has experienced a MGC failure.

3. It is the responsibility of the KOAM, Alternate or LE Issuing entity to verify that personnel signing local custody documentation meet all of the requirements below PRIOR to issuing material to them. See Figure 7-1.

Requirement: Be authorized access to COMSEC material, either on an access list for the space/work center in which assigned or in the form of an individual appointment or designation letter signed by the current CO/OIC.
Remarks: Access list must be less than 12 months old. Access lists, appointment or designation letters must be updated and signed by the new CO within 60 days of a Change of Command.

Requirement: Have a security clearance within scope and equal to or higher than the material to be issued.
Remarks: Recommend the KOAM consult with the Security Manager to ensure clearance data on access lists and designation letters is consistent with that reflected in the Joint Personnel Adjudication System (JPAS) or other security-related database.

Requirement: Be SCI eligible and indoctrinated (if being issued keying material used to protect SCI/SI information).
Remarks: This should be verified by the Security Manager and/or Special Security Officer (SSO) at the time of appointment or designation, or when access lists for spaces where these personnel are assigned are updated.

Requirement: Be properly trained.
Remarks: If military, with the exception of USCG and USMC, PQS is not optional; it is required for KOAMs, Alternates, Clerks, LEs or Users.

Requirement: Complete an SD Form 572 (only required if access to keying material, or to equipment which permits extraction of key, is required; not for end users of CCI without access to keying material).
Remarks: KOAM must have on file.

Requirement: Letter of Agreement/Memorandum of Understanding (LOA/MOU).
Remarks: Required when providing support to personnel of commands other than the one owning the account.
If the above has not been verified, consult the appropriate personnel prior to issuing COMSEC material to the individual(s).

Figure 7-1

NOTE: For one-time support to embarked personnel, including Special Forces, squadron personnel in transit, etc., the KOAM must have written documentation that the recipients are appropriately cleared, authorized access to COMSEC material, and authorized to hold the material by the Controlling Authority. If the Controlling Authority cannot be contacted, the Commanding Officer may authorize the issuance, but the Controlling Authority must be notified via phone, email or record message within 24 hours and provided the recipient's unit information to ensure notifications related to emergency supersession or crypto period changes are sent to the unit. For these unique, often time-sensitive, mission critical functions, a LOA/MOU is not required. The written authorization submitted by the requesting unit authorizing their personnel access to COMSEC material implies that the requesting command, and not the issuing KOAM or Alternate, bears full responsibility for compliance with the other requirements noted above (clearance within scope, PQS, CRYPTO briefing requirement). The fact that a LE draws support in the above scenarios does not imply it is for further issue (as a LE Issuing); when issued in electronic form, the recipient personnel may very well all be Users.

4. Due to differing retention periods, it is highly recommended that keying material or code books not be issued on the same local custody SF-153 as CCI equipment.

5. Keying material issued will be limited to that which is required by the work center. Most accounts typically issue material on a monthly basis for supported work centers.

NOTE: Policy prohibits issuing red (unencrypted) keying material marked or designated CRYPTO prior to 30 days before its effective date; however, this refers to the edition, not individual segments. Accounts may issue keying material or book-packaged material (in the canister or electronically) up to 30 days before the edition is effective.

6. If the keying material required is only available in physical canister form, up to three (3) segments may be issued, or the entire canister must be issued. When extracted segments are issued, the supporting KOAM will create and provide a local destruction record (CMS-25) for the segments issued and will provide the most recent status information message to the recipient.

7. Up to a maximum of 120 days' worth of keying material may be issued to a fill device (i.e. an electronic storage device: DTD, SKL, TKL) to support real-world operational or contingency missions without a waiver from NCMS. To mitigate or reduce risk, KOAMs must realize the amount permitted for issuance in these scenarios may exceed what is operationally required, and should consider the operational location, re-supply methods, risk to the materials and the impact to all holders of the key in order to limit the amount to that required for the mission.

8. The timeframes and limits discussed above are not applicable to Black Key packages. With the concurrence of the Controlling Authority, both current and future editions may be issued in a black key package without authorization from NCMS, provided the KEK is withheld by the KOAM or LE Issuing and not made available to the end user prior to 30 days before the effective period of the keying material with which it is associated.

9. For units in a combat environment, keying material will be issued in electronic form. If the material is only available at the supporting account in physical (canister) form, it will be extracted prematurely at the account level and issued in an electronic fill device (DTD, SKL, TKL). The KOAM will create a CMS-25 for the extracted material and annotate that the material was prematurely extracted for loading in support of operational requirements (two personnel at the account level will sign and date the CMS-25 and reseal the segments extracted). This is NOT a PDS; however, if the segments are not resealed and the premature extraction is not explained and documented on a CMS-25, it must be reported as a COMSEC incident in accordance with Chapter 8 herein.

10. One edition of When-Directed (WHENDI) material may be issued to LE personnel operating in areas where resupply is not possible or could impede operational mission requirements.

11. The KOAM will retain the original, signed and dated local custody document for a period of 90 days after the material has either (a) been superseded and destroyed, or (b) been returned and signed for by the KOAM or Alternate. The KOAM must provide a copy to the recipient of the material and will also provide a copy of an up-to-date status message for the material issued.

c. Management of COMSEC Material at the User, Work Center, LE or KOAA Level, as applicable (Watch and non-watch environment).

1. In a watch environment, where a shift in responsibility occurs from supervisor to supervisor per shift, or in a non-watch environment, all COMSEC material, including CIKs for equipment issued, will be reflected and accounted for on a watch-to-watch inventory.

2. The provisions of this section are not applicable to individuals issued only KSV-21 cards for secure voice communications; however, these and other similar COMSEC accountable items will be issued using proper local custody procedures, and the immediate reporting to the KOAM of a loss or compromise of a card or other COMSEC accountable product is the direct responsibility of the holder.
NOTE: This change (related to a non-watch inventory) is because policy has required, and will continue to require, that an inventory be conducted in a non-watch environment when a security container storing COMSEC material is opened. Use of an LCI document, in lieu of a watch-to-watch inventory created for and previously used to receipt for the material, does not permit additional signatures when an inventory is required.

3. The inventory will reflect the Short Title, Edition and Register/Serial Number for all ALC-1 and ALC-6 material issued. ALC-2, 4 and 7 materials may be listed by Short Title, Edition (if applicable) and Quantity.

4. Equipment, regardless of ALC, may be reflected as a single line item on watch-to-watch inventories. The quantity must match the quantity of like items held when more than one, and must be adjusted if an increase or decrease occurs as a result of an additional like item being issued or returned to the custody of the KOAM.

5. All COMSEC material requiring page checks will be page checked during watch-to-watch inventories or, in a non-watch environment, when a security container is opened. This includes book-packaged (unsealed) material, segmented keying material removed from its protective packaging, maintenance manuals, operating manuals (KAMs/KAOs) and repair kits (Q-kits), if issued. Any discrepancies will be brought to the attention of the watch supervisor immediately while all watch personnel are present. Unresolved discrepancies will be reported immediately to the KOAM or Alternate.

6. In a space which is not a watch environment, but which is shared with or accessible by other cleared personnel, installed or spare equipment not requiring storage in a security container will be inventoried daily when the space is occupied. For this reason, it is highly recommended the inventory be segregated into two (2) parts: keying material, books and fill devices stored in a safe; and installed equipment not stored in a safe. This is not applicable to individuals issued KSV-21 cards.

7. The inventory will be signed by two (2) properly cleared, trained and authorized personnel; however, the responsibility itself remains that of the supervisor or person in charge of the work center.

8. Any adjustments to a watch-to-watch inventory will be made in black ink and initialed by the person making the change, then verified and initialed by a second person. Example: the inventory reflects AKAC 1553 Edition 34 Reg Number 72. This item is turned in to the vault when the ship pulls in or the material is no longer required. The watch personnel will line out the remaining calendar days on the watch-to-watch inventory and annotate the line item entry on the inventory to reflect the material as turned in to the KOAM, and two (2) personnel will date and initial line-outs or additions to inventory documents.

9. The KOAM or Alternate, as applicable, will return in the MGC any material returned to the account and will prepare and sign for the material(s) returned, providing a copy of the custody document to the work center returning the material.

10. At both the work center and account level, local custody documents will be retained for 90 days from the date the material is turned in or destroyed, or upon submission of the next completed LE inventory, as applicable.

11. Local custody files will have two (2) sides to them: an active side for custody documents for material still issued, and an inactive side for documents related to materials turned in or destroyed.
The corresponding local custody issuing document used to issue the material will be annotated as returned or destroyed, marked "destroy on or after" (90 days from the date turned in or destroyed), as applicable, and placed on the inactive side of the local custody file. The same can be applied upon receipt of a Manager-provided, LE-conducted inventory. If other materials were issued using the same local custody document, the material returned or destroyed will be lined out and initialed by account and LE personnel, as applicable, and the local custody document will remain on the active side of the local custody file until the remaining materials reflected are destroyed or turned in to the account.

12. All inactive files will have the authorized date of destruction reflected/annotated on them, which will be 90 days from the material turn-in date.

13. Watch-to-watch inventories will be retained on file for a minimum of 30 days beyond the last date recorded.

14. If during a training visit or CMS COR Audit it is discovered that the LE is accounting for the material on a watch-to-watch inventory but does not have the required local custody document on file, have the LE report to the KOAM or an Alternate, obtain a copy from the account files and file it in the work center's local custody file. This is not to be assessed as an incident when the material is being accounted for on a watch-to-watch inventory and the KOAM has the original local custody file. However, training should be conducted on the spot to educate work center personnel on the purpose, importance and retention period for local custody documents.

15. Failure to adhere to proper local custody procedures (issuing material without such) must be reported in accordance with Chapter 8.

d. Loading and Usage of Keying Material.

1. Keying material will be used in accordance with the effective and supersession guidance promulgated by the Controlling Authority of the material.

2. Premature usage (which does not require successful establishment of communications) involves the loading of key prior to its effective date when the circuit is either online or an on-the-air attempt to establish communications has occurred. Premature usage requires reporting to the Controlling Authority in accordance with Chapter 8.

3. For Have Quick radios, operational requirements and logistical constraints will dictate whether more than two daily keys (current and future), up to a maximum of 6 segments, may be loaded in the Have Quick radio, at the discretion of the Operational Commander or Commanding Officer, as applicable.

4. During normal operations, two segments of weekly key or one segment of annual key may be issued and loaded into the TAMPS. Up to a maximum of six weekly segments may be loaded when operational requirements warrant doing so, but this should be operationally and not convenience driven.

5. With the consent of the Controlling Authority, up to 31 daily segments (single edition) of Link-16 Traffic Encryption Key (TEK) may be loaded by squadron personnel in the Multifunctional Information Distribution System Joint Tactical Radio System (MIDS-JTRS).

6. Keying material used in systems employing off-line encryption, such as the KL-51, AN/PYQ-20, etc., may be retained and used for up to 72 hours from the time of supersession.

7. Key Encryption Key (KEK) and Traffic Encryption Key (TEK) usage and destruction for KG-84/KIV-7 point-to-point applications will be in accordance with NAG-53 (series). It should be noted herein that NAG-53 (series) continues to strictly prohibit retention of KEK used in point-to-point applications and requires that segments used be destroyed within 12 hours of loading.
Failure to comply with this is a COMSEC incident in accordance with Chapter 8. NOTE: On a circuit supported via OTAR or during OTAD or OTAT operations, the KEK used must be equal to or higher in classification than the TEK encrypted/decrypted. Except in a communications emergency, use of a KEK classified lower than the TEK is a COMSEC incident and must be reported in accordance with Chapter 8. This includes OTAD operations when the key loaded on the KSV-21 is classified lower than the key passed electronically. 8. The loading of Pre-Placed Key (PPK), Authenticated PrePlaced Key (APPK), FF Vector Sets (FFVS) and Enhanced Firefly Vector Sets (EFFVS) will be in accordance with the Operational Security Doctrine (OSD) for the device. EKMS Managers must review, train on and provide a copy of OSDs to LE personnel. e. Authorization and Transferring COMSEC Material. 1. COMSEC material will not be transferred without prior authorization except as indicated in the matrix on the following page (Figure 7-2). Transfer documentation must reflect the source of the authorization. UNCLASSIFIED//FOR OFFICIAL USE ONLY 7-11 UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1 Proper Authorization Command Authority (CMDAUTH) Commanding Officer Keying CCI Material, Code Books, Authentication Tables NA No Asymmetric (Modern) Key Remarks Yes Yes Yes Yes Controlling Authority (CONAUTH) Yes No NCMS (Service Authority/ COR) TYCOM/FLTCDR No Yes Yes No (Unless they are the CONAUTH of the material) Yes Yes (If they are the CMDAUTH) NA Emergency transfers only. Report to CMDAUTH, CONAUTH and COR via message after the fact. If the material is ALC-6 or ALC-7 and the account conducting the transfer is the CONAUTH, other authorization is not required. If ALC-6 material is involved, it must be reported to the COR. Only for partitions and key managed See EKMS-5A Art. 401, if required. Figure 7-2 2. 
COMSEC material will not be transferred (permanently or temporarily) to a contractor/vendor account without prior NCMS approval. With exception to device failures in which the equipment is under warranty, these matters are handled on a temp loan basis and NCMS is responsible to issuing temp-loan numbers to ensure that DON funded assets are properly returned to the issuing DON account. 3. COMSEC equipment, including CCI, will NOT be transferred or issued to any foreign government/country. These matters require prior approval from NSA (DP22) and are typically UNCLASSIFIED//FOR OFFICIAL USE ONLY 7-12 UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1 conducted under the Foreign Military Sales (FMS) program. 4. U.S. only keying material will not be transferred, issued to or loaded by non-U.S. personnel without express permission from the Controlling Authority, except as indicated in National Doctrine. 5. COMSEC equipment transferred or issued requiring shipment to a geographically detached entity will NOT be shipped with any associated CIKS or PINS included in the same shipment. Such will be shipped physically separate and not in one box placed inside the same box as the associated equipment. 6. Electronic transfer documentation may be used but a printed hard copy must be included with the shipment and maintained on file by the originating account pending receipt of an electronic receipt from the recipient. 7. If the recipient used the “select exceptions feature” to indicate the material received did not match the documentation, a local investigation must be conducted to determine if the material reflected on the transfer documentation was reflected but not actually shipped. If the item reflected was not received and cannot be accounted for at the account which originated the transfer, a COMSEC incident must be submitted in accordance with Chapter 8. 8. 
If no discrepancies exist and the recipient receipts to the COR and originator of the shipment with an electronic receipt, the originator of the shipment may discard the unsigned paper SF-153 used to document the transfer. 9. Recipients of physical shipments may reconcile for the material with an electronic SF-153, if provided by the originator but will complete, sign and retain the SF-153 enclosed with the material in accordance with Annex T to EKMS1(series). 10. Originators of physical shipments are required to notify the intended recipient within 24 hours of entering the material into shipment and provide the recipient with the article number, the method of delivery (DCS, Registered Mail, FEDEX, etc…) and date of the shipment. If a receipt is not received within 30 days, the originator must contact the intended recipient and if not received initiate tracer action. If within five working days of initiating tracer action, the UNCLASSIFIED//FOR OFFICIAL USE ONLY 7-13 UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1 location of the item(s) cannot be ascertained, the originator will submit a COMSEC incident report in accordance with Chapter 8 based on the potential that the material is lost. 11. CCI equipment will not be installed on foreign ships for exercises or other purposes without properly cleared and authorized personnel being present at all times from the time the equipment is brought onboard until it is removed and returned by the U.S. personnel to the supporting account. These functions require prior submission and approval of a Ship Rider Request (SRR) as discussed in CJSCI 6510.06B which is available in the Information Assurance (IA) Library on NSA’s SIPRNET site. f. Use of Possession and Relief from Accountability Reports and Required Authorization. Possession and Relief from Accountability reports are considered special accounting reports and although not always, are generally related to found or missing material associated with a COMSEC incident. 1. 
Except under the scenarios outlined in subparagraphs f.2 – f.3 below, prior authorization from NCMS in writing is required to generate, prepare or make use of Possession and Relief from Accountability reports. 2. Prior authorization from NCMS to use a Possession Report is not required to bring items into accountability under the following scenarios: a. Material received via an inter-service transfer conducted with a DD-1149. b. Reproduced copies of book packaged material, when the Handling Instruction for the publication permits such. c. AKPREINIT Flash Drives when an AKP is site initialized or subsequent changeover is conducted. d. New backup media for use in conducting backups or creating images on the MGC. e. To bring into accountability COMSEC material removed from a host system. 3. Prior authorization from NCMS is not required to perform a Relief from Accountability when required to conduct and document an inter-service transfer or when a UNCLASSIFIED//FOR OFFICIAL USE ONLY 7-14 UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1 separately accountable Lowest Repairable Unit (LRU) is installed in a host which is already accounted for in the CMCS. 4. Possession and Relief from Accountability reports involving ALC-1, 2, and 6 materials must be submitted electronically to NCMS (COR) within 3 business days or when the CO signs the end of the month destruction report for the account, whichever occurs first. 5. Do not submit possession and Relief from Accountability reports to the COR for ALC-4 or 7 materials. 6. All possession reports require three signatures; KOAM, Alternate (or properly cleared witness) and the Commanding Officer. In the absence of the CO, another official may sign as “Acting”. The use of By-Direction is strictly prohibited for COMSEC accounting reports. 7. Both Possession and Relief from Accountability reports require three signatures: the KOAM, Alternate (or properly cleared witness), and the Commanding Officer. 707. INVENTORY REQUIREMENTS a. 
Account Level Inventories. COMSEC material, including keying material, code books, and authenticators and CCI equipment will be inventoried at a minimum of semi-annually or as indicated in the below matrices (Figures 7-3 or 7-4). Beginning Account Number Ending Account Number 100000 158501 200000 258101 300000 358201 158500 199999 258100 299999 358200 399999 1st semi-annual (fixed-cycle) month Jan Feb Mar Apr May Jun 2nd semi-annual (fixed-cycle) month Jul Aug Sep Oct Nov Dec Figure 7-3 Occasion Fixed-Cycle Inv. When Conducted /Witnessed by Semi-annually (SAIR) based on account number KOAM and Alternate or other properly cleared and authorized person serving Remarks Failure to conduct, and retain inventory documentation must be UNCLASSIFIED//FOR OFFICIAL USE ONLY 7-15 UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1 as a witness. Change of Command Change of Account Manager or LE Issuing entity Consolidated Inv. Combined Inv Hull Swaps Crew Swaps Change of Account Location (COAL), if available in the MGC Discovery of an unsecured vault or container reported in accordance with Chapter 8. Required by this manual and Chapter 8 to Navy Regulations. In conjunction with Change of Command or Change of OIC at the account or external LE level. When the KOAM or LE Issuing (as applicable) is to be replaced or has been removed. Is intended to be used to document a simultaneous Change of Command and Change of KOAM. Occasionally used to satisfy the both a SAIR and change of command or KOAM requirement together Whenever (2) ships are conducting a hull swap. KOAM and Alternate or other properly cleared and authorized person serving as a witness. The outgoing CO will sign Block 17. The incoming CO can initial, if desired Will be conducted by the outgoing person and witnessed by their relief. When a crew swap is conducted on a submarine or MCM ship. Monthly The off-going crew manager; witnessed by the on-coming crew manager. KOAM or Alternate. 
Does not require a physical inventory but does require resolution within 30 days of IRST errors. Used to ensure proper submission of documentation to minimize accounting discrepancies. Circumstantial The person responsible for the vault or container and witnessed by a 2nd person. The discovery requires a COMSEC incident report in accordance with Chapter 8. Until the account is reconciled, the outgoing KOAM is responsible. Conducted by the outgoing EKMS Manager, witnessed by the incoming. The Outgoing CO signs Block 17. There is no requirement for the incoming CO to sign when used with a SAIR and Change of Command. Conducted by the outgoing EKMS Manager, witnessed by the incoming. The Outgoing CO signs Block 17. There is no requirement for the incoming CO to sign when used for a SAIR and Change of Command. The Manager from both units as discussed in the remarks column. Requires (2) inventories. One conducted by the Manager on unit “A” and witnessed by the Manager from unit “B” and a second conducted by the Manager on unit “B” and witnessed by the Manager of unit “A”. UNCLASSIFIED//FOR OFFICIAL USE ONLY 7-16 UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1 Emergency opening of a vault or container, when directed by the CO. Circumstantial The person responsible for the vault or container and witnessed by a 2nd person. Any material not accounted for must be reported with a COMSEC incident report in accordance with Chapter 8. Figure 7-4 b. Physically Conducting an Inventory. All physical material must be physically sighted and page-checked during inventories. This includes the use of corresponding CMS-25 (local destruction records) when inventorying segmented material or ALC-1 book-packaged material with daily extractable pages. Electronic keying material is inventoried through verification of the account inventory on the MGC and verification of electronic storage devices storing the key. 1. 
ALC-1 and ALC-6 material will be accounted for by Short Title, Edition, Serial Number and Quantity. ALC-2, 4 and 7 material will be accounted for by Short Title, Edition (if applicable) and Quantity. On-hand ALC-6/7 material is inventoried electronically by the MGC/AKP, which is a trusted and certified component. ALC-6/7 material on the MGC Product Inventory is verified during inventories by a KOAM and, as with destruction of electronic key in EKMS or KMI, a witness is not required to carry out the function.

2. CIKs for equipment in use or issued must be locally accountable, using a manual SF-153 for inventory purposes.

3. It is highly recommended that inventories at the account and LE/work center level be conducted by the KOAM and Alternate, or by one of the two and a properly cleared and authorized person serving as a witness.

4. For work centers located more than 25 geographical miles from the supporting account, or in spaces to which account personnel are not permitted access, the KOAM will generate and provide an inventory to the work center. Authorized and cleared personnel at the work center will conduct, properly document and report completion of the inventory to the supporting KOAM.

5. Material turned in to a CRF, depot or vendor for repair and return for less than one year will be accounted for by citing the local custody document used to turn in the material.

6. Embedded COMSEC (e.g. KGV-68s, KOV-21s) will be accounted for based on proper operation of the device in which it is installed. Under no circumstances will such equipment be opened by account personnel for inventory verification purposes.

7. Units engaged in combat operations are exempt from inventory requirements, but must notify NCMS of the tasking and its length. A complete inventory is required within 45 days of return to home base.

8.
Inventories must be signed by the two personnel conducting the inventory and by the CO or OIC (Block 17).

9. On multi-page accounting reports, including inventories, the signature requirements reside on the final page.

10. The COR must be notified via record message of inventory completion within 90 days after the initial request for the inventory has been submitted.

709. STATUS INFORMATION AND DESTRUCTION.

a. Status of COMSEC Material. COMSEC material will always be in one of the following statuses:

1. Effective: Presently authorized for use, in accordance with the guidance promulgated by the Controlling Authority. For asymmetric (modern) key, the effective period runs for one year from the time the material is produced, and the key may be used until the end of the corresponding calendar month.

2. Superseded: No longer authorized for use, based on the effective and supersession guidance promulgated by the Controlling Authority. The exception is keying material used for off-line encryption systems such as the AN/PYQ-20, which may be used for up to 72 hours after supersession.

3. Reserve on Board (ROB): Material not presently effective and intended for future use, based on status information promulgated by the Controlling Authority.

b. Other Status Related Terms.

1. Contingency Key: Keying material typically held to sustain communications as a result of unforeseen emergencies or requirements.

2. When Directed (WHENDI): Pertains to irregularly superseded material. Such material is only put into effect when directed by the Controlling Authority.

c. Status Information and Responsibilities.

1. The Controlling Authority is responsible for promulgating status information for material under their purview, which includes locally generated ALC-7 material.
ALC-6 material will not be locally generated without approval of NCMS. If approved, the generation must be reported to the COR, and local recipients or accounts provided the key via account-to-account transfer must be given applicable guidance on the use and status of the material.

2. There is no centralized source of status information, simply because of the number of Controlling Authorities within the COMSEC community and across the services. If the Controlling Authority is unknown, query the Master Reference Catalog by Short Title; it will display the Controlling Authority. See Annex F for the URL. The Status of COMSEC Material Report (SCMR) is a guide for managing effective and supersession information, but status information promulgated by the Controlling Authority is the only authorized source for destruction.

3. Due to its content and intended distribution controls, and because status changes are promulgated more frequently than the SCMR may reflect, the SCMR will not be:

(a) posted online for public access on any SIPR web portal (having a security clearance and access to SIPR does not imply that all such personnel have a valid need-to-know for the information contained);

(b) forwarded, reproduced or distributed to Local Elements;

(c) used as the authoritative source for carrying out destruction of COMSEC material. The SCMR does NOT outline effective and supersession data for individual segments; it lists such information for the respective editions.

4. Many Controlling Authorities disseminate status information for material under their purview using a variety of communication mediums, including but not limited to:

(a) Status messages, such as those promulgated by the Joint COMSEC Management Office (JCMO) and COGARD C4ITSC, which are promulgated with pre-defined Date Time Groups on a quarterly and monthly basis, respectively.

(b) General messages, such as ALCOM, ALCOMLANT Alfa and ALCOMPAC P messages. Status information disseminated via ALCOM messages is generally limited to quotes from other source messages, such as Central Facility (CF) notices, ALCOMLANT Alfa or ALCOMPAC P messages, or changes to AMSG-600, in an effort to expand the distribution channels and reach the maximum number of recipients requiring the information.

(c) Online, via the Controlling Authority's SIPRNET web site. A search engine query containing the Short Title and key words such as "effective" or "supersession" will in most, if not all, cases return the URL of the Controlling Authority's portal.

NOTE: See Annex F for a listing of helpful URLs.

5. KOAMs or Alternates are responsible for:

(1) Applying up-to-date status information to material in conjunction with receipting for the material. This ensures the material is properly segregated at the account level so that Emergency Destruction, if directed, can be carried out in the proper order;

(2) Providing copies of status messages and source Uniform Resource Locators (URLs) for material issued to internal and external LEs;

(3) Inputting and verifying existing status information in the MGC database PRIOR to destruction of the associated material;

(4) Notifying the COR (if generation of ALC-6 material has been approved) and providing the status information, the intended application of the material and the KOAs validated for the material;

(5) Notifying holders of locally generated ALC-7 material and providing them with status information;

(6) Verifying that issued keying material has been destroyed within the proper time frames, through review of the corresponding destruction documents, status messages and audit trail data, as applicable.

d. Destruction Guidance Applicable at the Account and LE Level.

1. Destruction must be authorized.
This includes routine destruction as well as emergency destruction.

2. For matters involving Sealed Authentication System/Two Person Control (SAS/TPC) material, always consult CJCSI 3260.01 (series).

3. For routine destruction, authorization must come from the Controlling Authority for the material; this includes keying material, code books, authentication tables, etc.

4. Emergency destruction must be authorized by the CO, XO, OIC or the senior person present and authorized to direct it.

5. Destruction of COMSEC equipment will not be conducted without prior written authorization from NCMS.

6. Always ensure up-to-date status information is available, reviewed and used in carrying out destruction at the account and LE level.

7. Review the working copy of the destruction report for accuracy and ensure the material identified for destruction is in fact authorized for destruction.

8. Except when emergency destruction is directed, anyone performing routine destruction who is uncertain whether the material is authorized for destruction will withhold destruction and contact the KOAM or Controlling Authority, as applicable.

9. When conducting destruction, the first person must read off the information on the material to be destroyed (Short Title, Edition and Serial Number) to the second person, who will verify that the information is reflected on the destruction report. If discrepancies are noted, stop the process and contact the KOAM or Alternate. If no discrepancies exist, a second review will be conducted prior to the destruction being carried out, with the second person reading off the information on the destruction report to the first person for a second verification.

10. Both the person carrying out the destruction and the witness are equally responsible for the timeliness, accuracy and thoroughness of the destruction.

e.
Destruction Time Frames for COMSEC Material at the LE Level.

1. In a watch environment at the LE level, superseded COMSEC material will be destroyed within 12 hours of supersession.

2. In a non-watch environment at the LE level, superseded key will be destroyed within 12 hours of supersession or upon the next opening of the security container protecting it.

3. For physical, canister-packaged material in which segments have been superseded but usage of the material is not daily, weekly, etc., the extracted segments will be destroyed in accordance with e.1 or e.2 above. This is a change to previous policy, intended to prevent possible use of the next segment in the canister, which may itself be superseded, resulting in a COMSEC incident in accordance with Chapter 8.

4. If emergency supersession of a segment of material is required, and earlier segments in the edition have not been superseded and have pre-defined usage in accordance with a callout message or similar guidance from the Controlling Authority, do not extract all previous segments to carry out destruction of the superseded segment. Place a copy of the emergency supersession message in a zip-lock bag with the canister and destroy the segment when it requires extraction or when the edition supersedes, whichever occurs sooner. If the segment is issued and stored in a DTD, SKL, TKL, etc., it will be destroyed in accordance with e.1 or e.2 above, as applicable.

5. If an edition of COMSEC material is emergency superseded, it must be destroyed within 12 hours of notification of the emergency supersession.

6. For multi-copy keying material, each copy of the particular segment loaded must be destroyed immediately after loading, except for the final copy (i.e. 3/3, 5/5, etc.); the final copy must be destroyed within 12 hours of supersession.

7.
Asymmetric (modern) key is Key Management Identification (KMID) specific. When it is loaded, the loading must be reported to the KOAM with a manually created destruction document. The same KMID cannot be used in more than one end cryptographic unit (ECU).

8. For book-packaged material consisting of tables broken down in 6- or 12-hour increments, LE personnel do not have to tear out the individual tables for the corresponding hours of the day. The page associated with the particular day can be destroyed when authorized by the Controlling Authority.

9. Superseded material onboard an aircraft is not subject to the 12-hour destruction criteria and will be destroyed upon completion of airborne operations if approved destruction devices are not installed on the aircraft or if destruction would impede the mission.

10. Superseded material used for off-line systems or devices (see 709.a.2) may be retained for up to 72 hours following supersession.

11. Destroy physical, irregularly superseded maintenance, test or training keying material when it becomes unreadable.

12. Destroy on-the-air test key at the end of the testing period, as determined by the test director.

13. GPS keying material may be retained and used for up to 12 hours after the regularly scheduled supersession period to comply with the NAVSTAR GPS Selective Availability and Anti-Spoofing Host Application Equipment Design Requirements with the Precise Positioning Security Module (SAASM). Additionally, NSAGPSSOPO-0343 authorizes the use of three consecutive GPS keys during the 12-hour period following the first key's regular supersession period.

14. Amendment residue must be destroyed within 5 working days of the amendment entry (if issued to the LE with possession of the KAM/KAO for entry).

15. LE personnel must verify that material documented as destroyed has been properly destroyed and documented as destroyed.
Do not pre-sign, or sign, destruction documents (CMS-25, SF-153, etc.) without verification of the device (DTD, SKL, TKL, etc.), the destruction device used and any local destruction documents (CMS-25s for physical keying material and AKAC-1553s).

f. Destruction Time Frames for COMSEC Material at the Account Level.

1. End-of-month destruction of unissued material must be carried out and documented no later than the 5th day of the month. However, it is highly recommended that the actual destruction be carried out on the 1st working day of the month, and no later than the 3rd day, to permit ample time to review and confirm all working copies of destruction reports from LEs.

2. Destruction of electronic key stored on the MGC does not require a witness. It can be performed by a single KOAM or Alternate.

3. Asymmetric (modern) key which has been loaded by LE personnel must be recorded as Filled in End Equipment during the month in which it was loaded. It will appear on the next reportable or local destruction report, but use of this feature does not result in the creation of a working copy of a destruction record.

4. Material issued to LE personnel must be confirmed as destroyed no later than the 5th day of the month. However, it is recommended that confirmation be done in the MGC as soon as the reports have been signed, dated and submitted to the KOAM. This affords time to address any concerns, or material which was erroneously flagged and not authorized for destruction or not destroyed. (Do not hold onto all signed and submitted working copies until the 5th day and then simply start confirming them all together; review them for accuracy, signatures and proper annotation (destroyed/witnessed), and if an item was lined out as "not destroyed", look into the matter; it may be necessary to adjust the destruction report prior to confirmation.)

5.
Material which is emergency superseded and not issued may be destroyed at the end of the month in which the emergency supersession occurs. A copy of the emergency supersession message will be placed with the material (if canister packaged) or stapled to it (if book packaged) to prevent possible use or issuance. However, if an edition of issued material is emergency superseded, the KOAM and Alternates must ensure the issued edition is destroyed within 12 hours of supersession and issue the next edition put into effect by the Controlling Authority to the LE/work center.

6. If a segment of unissued material is emergency superseded, place a copy of the message in a zip-lock bag with the canister to prevent possible use or issuance. Destroy the segment upon supersession of the segment or of the edition, whichever occurs sooner.

7. When authorized by NCMS in writing, destruction of equipment must be carried out and reported to the COR within 90 days. Failure to carry out and report the destruction is a COMSEC incident in accordance with Chapter 8.

8. Destruction of KAMs and KAOs must be carried out no later than the account's end-of-month destruction following supersession of the editions held. For KAMs/KAOs held which are no longer required, request disposition instructions, then carry out and report the destruction no later than the following end-of-month destruction.

9. Amendment residue must be destroyed within 5 days of the amendment entry.

g. Destruction Personnel.

1. Destruction of COMSEC material must be carried out with strict adherence to established policy and procedures.

2. With the exception of the destruction of electronic key stored on the MGC, all other destruction evolutions require two properly cleared and authorized personnel. A person who is not authorized access to COMSEC material in writing cannot be a witness to its destruction.
3. In carrying out destruction, both the person performing the destruction and the witness are equally responsible for adherence to approved methods of destruction, for the destruction itself and for the accuracy of the destruction documents.

4. Local destruction documents, including CMS-25s and SF-153s, MUST be verified and signed by two cleared and authorized personnel. Never sign a destruction document when you have not carried out the destruction, witnessed the destruction, or verified the accuracy and completeness of the document, including the required signature and date information!

5. KOAMs and Alternates, in signing the consolidated reports prior to submission to the CO/OIC, are certifying that they either (a) destroyed all material reflected or (b) verified the destruction documents submitted by the work centers, which certified that the material was properly destroyed.

h. Destruction Methods. Only methods and products approved by NSA, as reflected in the NSA Evaluated Products List, will be used for the destruction of COMSEC material; see Figure 7-5. For any products or devices not reflected in the matrix, consult the Operational Security Doctrine (OSD) for the device or CNSS 4004.1, which is available in the NSA IA Library. See Annex F for the URL to the IA Library.

Figure 7-5. Approved destruction methods by material type (Yes = approved, No = not approved, NA = not applicable)

Paper COMSEC and classified material (e.g. AKAIs, AKACs, AMSHs, USKACs)
  Burn: Yes; Shred: Yes; Pulp: Yes; Chemical means: No; NSA-approved disintegrator: Yes; Degauss or overwrite: NA.
  Remarks: Burning is permitted if local policy permits; the material must be reduced to white ash and contained to prevent loss of unburned pieces. Ashes must be inspected and broken up or reduced to sludge. Only NSA-approved crosscut shredders may be used. For pulping, the material must be broken down to non-legible fiber residue.

Canister-packaged keying material
  Burn: Yes; Shred: No; Pulp: No; Chemical means: No; NSA-approved disintegrator: Yes; Degauss or overwrite: NA.
  Remarks: For burning, see above. Always punch holes in the canister and inspect it for any segments that may not have been completely extracted and destroyed. Remove and shred any barcode labels still applied, and inspect the destruction device and bag before disposal to prevent recovery of any undestroyed material.

Microfiche
  Burn: Yes; Shred: No; Pulp: No; Chemical means: Yes; NSA-approved disintegrator: Yes; Degauss or overwrite: NA.
  Remarks: For burning or disintegration, see above. For chemical destruction (bleach, acetone, methylene chloride), immerse for 5 minutes and separate the film sheets.

Floppy disks
  Burn: Yes; Shred: Yes; Pulp: NA; Chemical means: NA; NSA-approved disintegrator: Yes; Degauss or overwrite: Yes.
  Remarks: Floppy diskettes must be removed from the casing. If shredded, residue must not exceed 5 mm in size.

CD/DVD
  Methods: see remarks.
  Remarks: Always consult the latest NSA/CSS Optical Media Destruction Guidance. See Annex F for the URL.

Classified hard drives
  Methods: see remarks.
  Remarks: See the NSA/CSS Storage Device Declassification Manual and Naval Telecommunications Directive (NTD) 03-11.

COMSEC equipment (CCI)
  Methods: see remarks.
  Remarks: If authorized, must be destroyed in accordance with EKMS-5A and the NSA Equipment Demilitarization Process.

NOTE: Do not transport burn bags of un-shredded COMSEC material to facilities outside the command unless controlled by the KOAM and Alternate, or by a properly cleared and authorized witness.

CHAPTER 8 – COMSEC INCIDENTS

801. GENERAL. Due to the importance of identifying and promptly reporting COMSEC incidents, this chapter incorporates the COMSEC incidents which remain applicable under KMI and those which are unique to KMI. KOAMs, Alternates and LE personnel should familiarize themselves with the device-specific Operational Security Doctrine (OSD) for the COMSEC equipment held by their account. OSDs are available at the URL located in Annex F.

a. Reporting. All COMSEC incidents must be reported per DON and National policy.
Reporting is not to be delayed for any local or external inquiries to gather additional information or to conduct root cause analysis of the circumstances resulting in the incident. Any unit detecting an incident is required to report it, and may be other than the unit which experienced or caused the incident.

b. Types of COMSEC Incident Reports. These remain unchanged from EKMS-1 (series) Article 950: Initial, Amplifying and Final. There are no other types of COMSEC incident reports. The subject line of all COMSEC incident messages will indicate the type of report (Initial, Amplifying or Final, as applicable) followed by REPORT OF COMSEC INCIDENT.

c. Time Frames for Reporting. As illustrated in Figure 8-1.

Figure 8-1. Reporting time frames

Material involved: Effective key; key which becomes effective within 15 days; or any incident involving espionage, subversion, defection, theft, tampering, clandestine exploitation, sabotage, hostile cognizant agent activity, or unauthorized copying, photographing or reproduction.
  Report within: 24 hours. Message precedence: Immediate.

Material involved: Future key (becomes effective beyond 15 days from the date of the incident); superseded key; reserve on board or contingency key.
  Report within: 48 hours. Message precedence: Priority.

Material involved: Any incident not covered by the above (e.g. loss of CCI equipment, failure to use LCI documentation).
  Report within: 72 hours. Message precedence: Routine.

d. Classification. To reduce the possibility of a spillage, all COMSEC incident reports will be sent via approved channels and classified at a minimum of CONFIDENTIAL. See EKMS-1 (series) Article 930 for additional information.

NOTE: It is the responsibility of the originator to ensure compliance with proper classification assignment, paragraph markings (when the entire content may not be classified, or differs from that of the message) and downgrading instructions.
Receipt of any information via NIPRNET which is marked as classified, or has paragraphs marked as such, will be reported as a spillage, with the originator of the communiqué responsible for cleanup costs.

e. Required Addees for COMSEC Incident Reports. The minimum addressees required on COMSEC incident reports are listed in Figure 8-2 (A = action, I = info).

Figure 8-2. Minimum addressees for COMSEC incident reports

DIRNSA FT GEORGE MEADE MD (A/I)
  Action on all CRYPTOGRAPHIC and PERSONNEL incidents; physical incidents involving tampering, sabotage or covert penetration; and physical incidents where there are multiple CAs and they are not all DON. Info on all others.

NCMS WASHINGTON DC (A/I)
  Action on physical incidents when a DON CA is the violator, and on physical incidents with more than one CA where all are DON. Info on all others.

COMNAVIFOR SUFFOLK VA (I)
  On all incidents.

CNO WASHINGTON DC (I)
  On all incidents involving the loss of classified material. (The initial COMSEC incident report satisfies the mandatory Preliminary Inquiry (PI) requirement in SECNAV M5510.36 (12-8) when CNO N09N2, DIRNSA and the local NCIS field office are included in the report.)

CMC WASHINGTON DC (I)
  All USMC units will ensure CMC Washington is an info addee on all incident reports.

COMSC WASHINGTON DC (I)
  For incidents involving keying material controlled by COMSC, address as an action addee. For other incidents, all MSC activities will ensure COMSC Washington is an info addee on all related messages.

COMNAVRESFOR NORFOLK VA (I)
  All reserve force units and activities will include as an info addee.

DIRNAVCRIMINVSERV WASHINGTON DC (I)
  On all incidents involving the loss of classified material (see the PI note under CNO WASHINGTON DC).

The account's nearest NCIS Field Office (I)
  On all incidents involving the loss of classified material (see the PI note under CNO WASHINGTON DC). Afloat units with a NCIS agent aboard must include the NCISRA nearest their homeport.

CONTROLLING AUTHORITY (A)
  When keying material is involved, or for physical incidents involving CCI loaded with key managed by the respective CA.

COMPACFLT PEARL HARBOR //N633// (CPF) or COMUSFLTFORCOM NORFOLK VA //N62EKMS// (USFF) (A/I)
  Action for incidents involving material controlled by CPF or USFF, as applicable. For all other incidents, PACFLT and LANTFLT surface ships will include either CPF or USFF as an info addee on incident reports.

COGARD C4ITSC ALEXANDRIA VA//BOD-IAB// (A/I)
  If COGARD C4ITSC is the CA and the incident involves keying material, send as action. For other incidents, USCG units will include COGARD C4ITSC as an info addee.

HQ USPACOM J6 (A/I)
  Action for incidents involving HQ USPACOM controlled material. For incidents not involving PACOM controlled material, theater policy requires all PACOM units to include HQ USPACOM as an info addee.

The unit's Immediate Superior in Command (ISIC) (I)
  If keying material is involved and the ISIC is the CA, address the report "Action" to the ISIC and info the other addees.

The unit's Operational Chain of Command (I)

Evaluating Authority (EVALAUTH) (I)
  CAAs: USCG: C4ITSC; USMC: CMC; MSC: COMSC; USN (Fleet): CPF/USFF; USN (Shore): NCMS (N5).

Respective COR Audit Team (I)
  Info addee on all.

The format for incident reporting outlined in EKMS-1 (series) Article 970 is reflected herein in Figure 8-5. Do not use templates held at the account which may differ in format or content.

f. Related Accounting Reports. Both the loss and the finding of classified COMSEC material or CCI require additional actions beyond reporting the matter. These scenarios require submission of a SF-153 Possession Report or Relief from Accountability Report to bring into accountability, or remove from accountability, the items which were found or are missing, respectively. KOAs will NOT originate a Possession or Relief from Accountability report related to a COMSEC incident until such is authorized in the final evaluation/close-out message from NCMS.

803. ORGANIZATIONAL RESPONSIBILITIES. All COMSEC incidents are assigned case numbers and tracked in the National COMSEC Incident Reporting and Evaluation System (NCIRES). To support NCIRES and ensure timely reporting and evaluation of COMSEC incidents, each service has its own COMSEC Incident Monitoring Activity (CIMA). NCMS serves as the CIMA for the DON. KOAMs are responsible for submission of COMSEC incident reports within the time frames reflected above. Controlling Authorities evaluate physical incidents for COMSEC material under their purview. The Evaluating Authority (EVALAUTH), formerly known as the Closing Action Authority (CAA), reviews the details of reported incidents or insecurities and determines whether additional reporting is required. NCMS will close out incident case files following submission of the required reports or supplemental data, or no later than 30 days from the date of the initial or amplifying report (if directed by the EVALAUTH or other organization).

805. TYPES OF COMSEC INCIDENTS. A listing of cryptographic, personnel and physical incidents is reflected in subparagraphs a – c below.

a. Cryptographic incidents.
Figure 8-3. Cryptographic incidents

Use of an AKP, KP or other Key Variable Generator (KVG) beyond the recertification date.

Failure to perform an AKP changeover annually or more frequently.

Use of keying material that is compromised, expired, superseded, defective, or previously used (and not authorized for reuse), or incorrect application of keying material.

Premature or out-of-sequence use of keying material before its effective date without approval of the CONAUTH.

Use, without NSA authorization, of any keying material for other than its intended purpose.

Unauthorized extension of a crypto period; this includes use of superseded key, failure to perform an AKP changeover, and failure to reinitialize DTDs and SKLs (initialized, issued, or storing key).
  NOTE: The Commanding Officer can authorize a delay in the change of keying material for up to 2 hours without Controlling Authority authorization when operational requirements necessitate it, without any external reporting requirement. Controlling Authorities may extend crypto periods for up to 7 days for point-to-point circuits (KG-84, KIV-7) supported by material under their purview. In a tactical environment, crypto periods may be extended for up to 30 days. Longer extensions require NSA approval.

Use of COMSEC equipment or devices not approved by NSA, or with defective cryptographic logic.

Unauthorized connection to the MGC, AKP, HAIPE, USB flash drives or peripherals associated with the KMI client host.

Plain text transmission resulting from a COMSEC equipment failure or malfunction.

Any transmission during a failure, or after an uncorrected failure, that may cause improper operation of COMSEC equipment.

Operational use of equipment without completion of the required alarm check test, or after failure of the required alarm check test.

Discussion via non-secure telecommunications of the details of a COMSEC equipment failure or malfunction.

Detection of malicious code, viruses, spyware or any software not approved by NSA on the MGC, CMWS or other COMSEC management device.

Use of a Key Encryption Key (KEK) classified lower than the Traffic Encryption Key (TEK) passed during OTAD/OTAT operations, except during a COMSEC emergency.

Operational use of an In-Line Network Encryptor (INE) found not to be compliant with a mandatory software upgrade by the compliance date, without a waiver from NCF or DIRNSA.

Over the Air Distribution (OTAD) of red (unencrypted) key via SKL using other than an NSA-approved cable.

Loading of key on the SKL's host side by means of a data/program load; key should only be loaded on the host side using "command request".

Downloading classified data exceeding the highest classification of data permitted for the device in accordance with the OSD for the device.
  Example: Downloading TS data to the SKL, which is limited to Secret-high data.

Introduction of unencrypted (red) keymat into the CMWS/DMD PS, whether intentional or accidental.

Connection of the CMWS/DMD PS to an unauthorized external or internal communications device (modem or network card), or to any device not specifically authorized.

Any other occurrence that may jeopardize the crypto security of a COMSEC system.

b. Personnel incidents.

Figure 8-4. Personnel incidents

Known or suspected defection and/or espionage.

Capture by an enemy of persons who have detailed knowledge of cryptographic logic or access to keying material.

Unauthorized disclosure of Personal Identification Numbers (PINs) and/or passwords used on systems which allow access to COMSEC material/information.

Attempts by unauthorized persons to effect disclosure of information concerning COMSEC material, or unauthorized disclosure of information related to COMSEC material.

Non-compliance with separation of duty/role exclusions which may compromise security or prevent timely detection of such.

Deliberate falsification of COMSEC records.

c. Physical incidents.

Physical incidents: loss or compromise of the following

KMI-specific software.

An AKP or KP.

AKP keys (FF, MSK, Type 1 Private Keys).

AKPREINIT 1 or 2 flash drives.

An AKP-affiliated CIK, when unauthorized use cannot be ruled out.
  Remarks: Loss of an AKP operator CIK is a locally reportable PDS when it is reported immediately to the KOAM and CPSO, and a review by the CPSO of the AKP Diagnostic History Log does not reveal usage of the CIK after the loss was discovered. If no usage occurred, the KOAM must immediately delete the associated CIK split from the AKP. If usage is detected, or a determination cannot be made, report as an incident. Guidance must be requested and received from NCMS prior to continued use of the AKP.

A KOV-29 (token).
  Remarks: Requires submission of a revocation request for the associated IA(I) and IA(M) certificates to the PRSN, and downloading and updating of the Certificate Revocation List (CRL) on the MGC to invalidate the certificates associated with the KOV-29.

A KG-250 or FTR.

An operational CIK associated with a lost KG-250.
  Remarks: Report it to the SA and EKMS Manager to re-provision the KG-250; document locally as a PDS when re-provisioned and the CIK and KG-250 were not both lost.

Classified hard drives, or removable media storing classified keying material or cryptographic information (includes CDs, DVDs, floppy diskettes, flash drives or external hard drives).

PINs or passwords associated with the MGC, AKP or tokens.
  Remarks: Change immediately, update SF-700s and address these actions in the initial COMSEC incident report. Use of any KMI-related tokens must be suspended pending a local investigation. If unauthorized access or modification is detected, the IA(I) and IA(M) tokens must be deemed compromised and reported to the PRSN for the Certificate Revocation List (CRL) to be updated.

Keying material, pages from classified COMSEC publications (KAMs, AKACs, AKAI, etc.), CCI equipment and KSV-21 cards.
  NOTE: "Lost" includes individual segments, pages or cards (Q-kits). If charged to the account, the account must have one of the following: a destruction report, a transfer report or a relief from accountability report.
  Remarks: For KSV-21 cards, report as an incident only if the loss involves the fill card, or it is a user card lost together with the associated carry card or terminal. If it involves a user card or TPA card and the terminal is not also lost, delete the card's association with the terminal and report the loss as a reportable PDS to obtain authorization to generate a Relief from Accountability report removing the item from charge to the account. For loss or compromise involving pre-placed key (PPK), reports must also include the applicable KMID and state whether any compromised End User or CPSO passwords were involved, as applicable.

Loss of a valid (associated) CIK when the associated equipment has not been properly stored or under the direct control of properly cleared and authorized personnel.
  Remarks: If the device was not subject to unauthorized access, document the loss as a PDS in accordance with Chapter 9. (The KOAM, SA, TA, etc., as applicable, must delete the CIK association from the related equipment.)

Other physical incidents

Unauthorized access, or access by improperly cleared personnel.
  Remarks: This includes non-establishment of SCI eligibility in JPAS for KOA Managers, Alternates and LE Issuing if the account is validated for keying material used to protect SCI/SI material.

Failure to properly log off a COMSEC-related system (i.e. MGC, DMD PS) when not in use.

Physical loss of a classified hard drive or backup media associated with a COMSEC management system (i.e. MGC, CMWS/DMD PS).

Sharing of passwords or PINs associated with the MGC, CMWS/DMD PS, KOV-29s, etc. (except where permitted by policy).

Known or suspected tampering, or damage in which the cause is unknown. See Note (1) for a KOV-29 and Note (2) for an AKP.
  Note (1): For a KOV-29, if the cause of damage is known (witnessed by two people), the casing is not penetrated and the device did not go into a tamper-mode zeroize, document the matter as a PDS in accordance with Chapter 9 and report it locally to the CPSO; continued use of the device is authorized.
  Note (2): When the cause is known, penetration did not occur and the device is not in a tampered condition, continued use must be authorized by the Commanding Officer of the KOA or by NCMS.
Tamper of an AKP does require submission of an incident report (See the OSD for the MGC paragraph 10.2.1.10.2 – 10.2.1.11 for additional information). unexplained zeroization For the AKP, if the cause of the of an AKP or KOV-29 zeroization is known although an incident report is still required, a field recovery of the AKP may be performed if authorized by NCMS, NSA or the Commanding Officer when immediate operational mission requirements supporting real world operations warrant such. A field recovery may not be performed when the AKP has been found zeroized and such is unexplainable. A KSV-21 (fill card) or user card if lost with its associated carry card or terminal. (For TPA cards or user cards not lost with its carry card or terminal, see the Reportable PDS section in Chapter 9). Unauthorized access or use of the AKP, HAIPE, MGC, AKPREINIT Flash Drives, Operator CIKS or AKP Diagnostic History Log (DHL) AKP or KOV-29 Audit Log When such indicates suspicious or UNCLASSIFIED//FOR OFFICIAL USE ONLY 8-9 UNCLASSIFIED//FOR OFFICIAL USE ONLY anomalies EKMS-1E SUPP-1 unauthorized access or use to the MGC, KOV-29 or AKP. Applicable to devices which have been/are Initialized or storing key, per the requirements of the specific OSD. (See Chapter 10 herein for any stated exceptions. Where reflected, such would apply to SDSs, TKLs, etc…. Failure to conduct, document and retain proof of compliance with monthly audit trail reviews for audit capable devices such as but not limited to DTDs, To minimize auditing and annual SKLs, TKLs, re-initialization requirements, it is Talon cards, etc… highly recommended devices not required for use be returned to the account level, have the audit trail data reviewed, the device zeroized and the batteries removed. Material left unsecured This includes a GSA-approved container, vault door or door to a facility with COMSEC material stored or installed when appropriately cleared and authorized personnel are not present. 
Loss of TPI for; (1) This includes; physical material as well Top Secret keying as storage devices protecting such when material except as the CIK is not stored separately; leaving indicated in EKMS-1 an AKP logged; or single person access (series)Article 510.f to AKPREINIT 1 & 2 Flash Drives or where a waiver has regardless of the accounts HCI. been granted from NCMS in writing or (2) AKPREINIT 1 & 2 Flash Drives) Failure to utilize or missing Local Custody documents Improperly packaged or shipped COMSEC material, including, the shipment of CIKS/PINS/Passwords with the associated equipment. Receipt of COMSEC material in which the inner wrapper is damaged or reveals possible tampering Receipt of COMSEC Ensure prior to reporting that the material with signs of applied tamper labels are visually tamper or equipment inspected. If missing or damaged, received in an communicate this in the initial COMSEC unexplained tampered incident report. state. Material documented as This includes material erroneously destroyed and found to flagged and confirmed as destroyed still exist although not destroyed ONLY if material was not lined-out and initialed on the destruction report to indicate the material was not destroyed. Destruction of COMSEC material; by unauthorized means; improperly cleared or personnel not authorized access to COMSEC UNCLASSIFIED//FOR OFFICIAL USE ONLY 8-10 UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1 material or COMSEC material not completely destroyed and left unattended or found to still exist. Undocumented removal of For physical keying material, create a COMSEC material from CMS-25 and annotate a statement to its protective explain the removal. The statement must packaging, i.e. be signed and dated by the person and a physical keying witness. Report it, when documented material or sealed properly as a reportable PDS to the CA, book packaged material. NCMS, your COR Audit Team and the Unit’s COC. 
If done for loading of a fill device or to issue individual segments to a LE, do not report it as a PDS (EKMS-1 (series) Article 769.g note 1 permits this) but the CMS-25 must be created and documented as described. Actual or attempted This includes both full or limited unauthorized maintenance by personnel not meeting maintenance, EKMS-5(series) Article 111 training and maintenance by documentation requirements, i.e. not unauthorized personnel trained, no DD-1435 on file with the or non-adherence to KOAM. prescribed procedures. Opening or tampering with the KOV 21 cryptographic card (embedded in the SKL) housing by other than the depot or manufacturer Loss of TEMPEST integrity as a result of not visually inspecting devices requiring such; AKP, DTD, SDS, SKL, etc… Failure to delete a lost CIK from the device it is associated with i.e. DTD, SDS, SKL The discovery of a clandestine electronic surveillance or recording device in or near a COMSEC facility Unauthorized copying, reproduction or photographing of COMSEC material Late destruction of physical COMSEC material and electronic versions of NATO keying material. Late destruction of other electronic material will be documented per Article 903.a herein. Premature or inadvertent destruction of NATO material (physical or electronic format). Premature/inadvertent destruction of nonNATO material will be documented per Article 903.a; if resupply is required, report the matter per Article 903.b and 905. 
Any other incident that may jeopardize the physical security of COMSEC material Figure 8-5 UNCLASSIFIED//FOR OFFICIAL USE ONLY 8-11 UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1 O 301929Z JAN 17 FROM: USS SHELLBACK TO: CONAUTH INFO: DIRNSA FT GEORGE G MEADE MD (OMIT IF DIRNSA IS THE CA) CLOSING ACTION AUTHORITY ADMINISTRATIVE CHAIN OF COMMAND COMNAVIFOR VIRGINIA BEACH VA NCMS WASHINGTON DC SERVICING COR AUDIT TEAM BT C O N F I D E N T I A L MSGID/GENADMIN/USS SHELLBACK/-/JAN// SUBJ/INITIAL REPORT OF COMSEC INCIDENT// REF/A/NCMS WASH DC/-/05APR2017// AMPN/REF A IS EKMS-1(SERIES)// POC/UNDERWAY, I B/LTJG/USS SHELLBACK/TEL:315-243-2247/EMAIL: IBUNDERWAY(AT)DDG91.NAVY.SMIL.MIL// RMKS/IAW REF A, THE FOLLOWING IS PROVIDED: 1. 427856/TS 2. USKAT 4389 EDITION F REG 1, SECRET, COMUSFLTFORCOM 3. RADIO WATCH SUPERVISOR, TS RADIO WATCH STANDER, TS 4. DURING A ROUTINE SPOT CHECK OF THE LE, IT WAS DISCOVERED THAT ONE OF THE TWO PERSONNEL IDENTIFIED IN PARA (3) HAD DEPARTED THE SPACE HOWEVER, IT WAS DISCOVERED THAT THE SECURITY CONTAINER IN WHICH THE MATERIAL IS STORED WAS SHUT BUT NOT PROPERLY LOCKED (BY SPINNING THE DIAL) AND VERIFIED PRIOR TO SIGNING THE SF-702 AND DEPARTING THE SPACE. ACCORDING TO THE SF-702 AND STATEMENTS OBTAINED FROM BOTH PERSONNEL, A SINGLE PERSON HAD ACCESS TO THE CONTAINER AND STORED MATERIAL FOR APPROXIMATELY 10 MINUTES. THE CONTAINER IS LOCATED IN A RESTRICTED AREA WHERE ACCESS IS CONTROLLED THROUGH A CIPHER LOCK (WHEN MANNED), AN ACCESS LIST AND VISITORS LOG. A COMPLETE INVENTORY WAS TAKEN AND ALL MATERIAL ACCOUNTED FOR AND IN-TACT. ONLY THE CURRENTLY EFFECTIVE SEGMENT OF THE ITEMS DESCRIBED IN PARA (2) ABOVE HAVE BEEN REMOVED FROM THEIR PROTECTIVE PACKAGING (CANISTER) FOR ROUTINE USE. 5. PHYSICAL INCIDENT (MATERIAL DISCOVERED OUTSIDE REQUIRED ACCOUNTABILITY OR PHYSICAL CONTROL) 6. COMPLETE INVENTORY TAKEN WITH NO DISCREPANCIES. 7. 
LOCAL COMMAND INQUIRY IN PROGRESS AND TRAINING WILL BE PROVIDED TO ALL LE PERSONNEL TO REITERATE THE NEED TO ENSURE PROPER SECURITY PROCEDURES NOT ONLY EXIST BUT ARE FOLLOWED AT ALL TIMES.
8. N/A
9. NO SF-153 (RELIEF FROM ACCOUNTABILITY OR POSSESSION REPORT) REQUIRED.
10. SAME AS POC ABOVE
11. A. 07 JUL 2013
    B. 13 SEP 2013
DERIVED FROM: NSTISSI 4002//
DECL/3 YEARS FROM THE DTG OF THE MESSAGE//

NOTE: See EKMS-1(series) Article 970 for additional information, if necessary.

FIGURE 8-6
THIS PAGE IS UNCLASSIFIED BUT MARKED “CONFIDENTIAL” FOR TRAINING PURPOSES ONLY

807. COMSEC INCIDENT EVALUATION. The Evaluating Authority (EVALAUTH), formerly known as the Closing Action Authority (CAA), reviews the details of incidents or insecurities reported by the commands and activities for which he/she is responsible and determines the need for further actions and reporting.

a. Assessing Compromise Probability. COMSEC incidents are evaluated using one of the following terms:

(1) COMPROMISE: The material was irretrievably lost, or available information clearly proves that the material was made available to an unauthorized person.

(2) NO COMPROMISE: Available information clearly proves that the material was not made available to an unauthorized person.

b. Compromise Probability Examples. Compromise probability assessment is often a subjective process, even for experienced evaluators who possess all pertinent facts concerning a COMSEC incident. To assist in assessing compromise probability, the following guidance is provided for the most commonly encountered or reported incidents:

(1) Lost keying material, including keying material believed to have been destroyed without documentation, and material that is temporarily out of control (i.e. believed lost but later recovered under circumstances where continuous secure handling cannot be assured, or found in an unauthorized location): Assess as COMPROMISE.

(2) Unauthorized access: If the person had the capability and opportunity to gain detailed knowledge of, or to alter, information or material: Assess as COMPROMISE. If the person was under escort or under the observation of a person authorized access, or if physical controls were sufficient to prevent the person from obtaining detailed knowledge of information or material, or from altering it: Assess as NO COMPROMISE.

(3) Unauthorized absence: For personnel who have access to keying material: Assess as NO COMPROMISE, unless there is evidence of theft, loss of keying material, or defection.

NOTE: When a person having access to keying material is reported as an unauthorized absence, all material he/she could have accessed must be inventoried. If there is evidence of theft or loss of keying material, or defection of personnel, the material must be considered COMPROMISED. Ensure combinations to any containers the person had knowledge of are changed.

c. Additional information. See EKMS-1(series) Articles 970 – 980, if necessary.

SAMPLE EVALUATING AUTHORITY MESSAGE

FROM: (EVALAUTH)
TO: (VIOLATING COMMAND)
BT
UNCLASSIFIED FOUO
MSGID/GENADMIN/NCMS WASHINGTON DC/-//
SUBJ/CLOSE-OUT OF COMSEC INCIDENT CA358156 - N302-13//
REF/A/GENADMIN/USS SHELLBACK/141829ZZAPR13//
REF/B/GENADMIN/DIRNSA/071157ZMAY13//
REF/C/DOC/NCMS WASH DC/05APR2010/-//
NARR/REF A IS USS SHELLBACK INITIAL REPORT OF COMSEC INCIDENT. REF B IS DIRNSA FINAL EVALUATION OF REF A. REF C IS EKMS1(SERIES).//
POC/U.B. UNDERWAY/IA03/N5/NCMS WASHINGTON DC/TEL:240-857-7704/EMAIL:ULYSSES.UNDERWAY@NAVY.MIL//
POC/C.U. LATER/IA03/N5/NCMS WASHINGTON DC/TEL:240-857-7708/EMAIL:CLARENCE.LATER@NAVY.MIL//
RMKS/1. CONCUR WITH FINAL EVALUATION OF NO COMPROMISE. (REF B GERMANE)
2. ENSURE MEASURES ARE PUT IN PLACE TO MINIMIZE THE POTENTIAL FOR A REOCCURRENCE.
3. UNLESS ADDITIONAL INFORMATION BECOMES AVAILABLE WHICH COULD CHANGE THIS ASSESSMENT, THIS CASE IS NOW CLOSED.
4. RETAIN THIS MESSAGE AND RELATED REFERENCE DOCUMENTS IN YOUR CORRESPONDENCE FILE IAW REF C.//
BT

Figure 8-7

CHAPTER 9 – PRACTICES DANGEROUS TO SECURITY (PDSs)

901. GENERAL. Practices Dangerous to Security (PDSs) are practices that, although not reportable at the National level, indicate deviation from prescribed policy and could indicate a need for assistance, a review of internal practices or additional training to reduce the potential for or prevent COMSEC incidents.

a. Types of PDSs. PDSs are broken down into two categories, Non-Reportable and Reportable; however, all PDSs are reportable at a minimum to the Commanding Officer of the account.

b. PDS Documentation.

1. Non-reportable PDSs will be documented via official memorandum or communicated via official, digitally signed email.

2.
Reportable PDSs will be submitted via official message and must be classified at a minimum of Confidential to promote consistency with COMSEC incident reports and prevent potential spillage. Regardless of the method communicated, records of both non-reportable and reportable PDSs will be maintained on file at the account level in accordance with EKMS-1(series) Annex T. Any PDS discovered during an audit that was not documented and reported as required will be documented in the results and the respective CO will be briefed on the findings.

c. Reporting Time Frames. Reportable PDSs will be reported in accordance with Article 905 below.

903. PDSs BY CATEGORY.

a. Non-reportable PDSs

Improperly completed accounting reports; unauthorized or missing signatures, incomplete short title information

Physical material transferred with status markings applied to the material

Mailing, faxing (via non-secure fax) or emailing as attachments SF-153s which contain status information, or used/completed CMS-25s. NOTE: If sent via email, a report of spillage and Preliminary Inquiry (PI) is mandatory in accordance with SECNAV M5510.36 Art 12-4 and Naval Technical Directive (NTD) 11-08.

COMSEC material not listed on the local element (LE) or user inventory when documentation exists at the account level to indicate the material is issued to the LE or user, as applicable.

Issuance of red (unencrypted) keying material in hardcopy form marked/designated CRYPTO, without authorization, more than 30 days before its effective period

Removal of keying material from its protective packaging prior to issue for use, or removing the protective packaging without authorization, as long as the removal was documented on the CMS-25 and there was no reason to suspect espionage. NOTE: See EKMS-1(series) Article 769.g note 1 for exceptions where premature extraction is not deemed a PDS. If NATO material is involved and the extraction was not conducted and documented per Article 769.g.1 of EKMS-1(series), report it as an incident per SDIP-293.

Receipt of a package with a damaged outer wrapper, but an intact inner wrapper

Late destruction of non-NATO electronic key

Premature/inadvertent destruction of non-NATO key [if resupply is required, report the matter per 903.b below; the destruction report must also be submitted to the COR for resupply to occur]

Activation of the anti-tamper mechanism on, or unexplained zeroization of, COMSEC equipment as long as no other indications of unauthorized access or penetration were present

Failure to maintain OTAD/OTAR/OTAT logs

Failure to perform an AKP rekey at a minimum of annually

Failure to change passwords or PINs every 90 days or update the corresponding SF-700s [or at first login thereafter for a KOV-29 used at accounts with different crews (gold, blue, etc., submarine community)]

Failure of the KOAM or Alternate to review, and document the review of, the MGC Transaction Status Log (TSL) weekly

Failure to download, review and record KOV-29 audit log reviews at a minimum of every 90 days

Failure to perform MGC backups at a minimum of weekly, when the transaction status changes, or more frequently as required

Failure to archive KOA accounting data every six months, retain a copy of the archive media for four (4) years, or submit a copy of the archived data to the CSN within 30 days of archiving

The discovery of non-COMSEC accountable material in the Product Inventory

The discovery of client images or backups older than the latest set/version

Loss of a valid (associated) user CIK when the associated device was not subject to unauthorized access. Document as a PDS in accordance with this chapter. NOTE: The KOAM, SA, TA, etc… as applicable must delete the CIK association from the device.

The loss or finding of unclassified material not marked or designated CRYPTO or CCI

Discovery of a damaged KOV-29 when the cause is known (witnessed by 2 people) and the casing has not been penetrated

Failure to report receipt of COMSEC material or corrupt Bulk Encrypted Transactions (BETs) within 3 business days of receipt or download, as applicable

Failure to conduct, document and retain semi-annual self-assessments or spot checks

Non-submission by the CPSO of an exact copy of archived audit data to the Central Service Node within 30 days of the archive

Failure to create and retain two (2) AKP operationally affiliated CIKs (one primary, one backup)

Personnel performing the role of the CPA or CPSO who are not IAT Level 1 or higher certified within 180 days of appointment; if the DAA/AO has granted a waiver, it must not be older than 6 months from the time of appointment

Failure of the TSO to regularly inspect, and document inspections of, active tokens

Failure of the KOAM to inspect tamper-evident bags, if used in lieu of a TPI container, daily or upon the next opening of the security container

Failure of the CPSO to verify the MGC BIOS password in conjunction with audit data archives

Failure of the CPSO to export the AKP Diagnostic History Log to the MGC every six (6) months

Failure to inventory affiliated DTD, SKL, and TKL CIKs during account inventories

Discovery of a software design device in a benign tampered condition due to battery depletion. If received in a tampered condition or signs of tamper exist, report per Article 805.

CIK failure (example KIV-7M, KG-250, etc…); if discovered, the host device must be reinitialized and loaded with new keying material.

Loss of user CIKs for INEs or devices which make use of CIKs. The CIK or card association, as applicable, must be deleted promptly from the device. If the associated device is lost or was possibly accessible to unauthorized/improperly cleared personnel, report the matter as a COMSEC incident.

Figure 9-1

b. Reportable PDSs

Restoration of the MGC database using backup media and AKPREINIT drives older than 7 calendar days

Failure to rekey IA(I) and IA(M) certificates. NOTE: Newly appointed KOAMs should perform a rekey upon assumption of account management duties. Should a rekey not be performed, the AKP will be non-operational and may adversely affect mission readiness.

Inadvertent destruction of non-NATO material when resupply is required

Loss of a KSV-21 TPA or user card (when the terminal or carry card is not also lost and the association with the terminal has been deleted by the KOAM or TPA, as applicable). For TPA cards, the KOAM or TPA must establish a new TPA card for the affected STEs at the earliest possible opportunity.

Discovery of a MGC which has been tampered with, damaged or accessed by unauthorized personnel, or if the case intrusion alarm is displayed during boot up (see Note below)

The inadvertent introduction of Top Secret data in the MGC

Unauthorized adjustment or modification of MGC security settings

NOTE: See the MGC OSD for additional guidance. The OSD can be found in the NSA IA Library at the URL in Annex F.

Figure 9-2

905. PDS REPORTING. PDSs will be documented (locally) or reported externally, as applicable, no later than 72 hours from the time of discovery.

907. PDS DOCUMENTATION (SAMPLE). A template for both a non-reportable and a reportable PDS can be found in Figures 9-3 and 9-4, as applicable.
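Several of the non-reportable PDSs in Figure 9-1 are missed recurring tasks (weekly TSL review and MGC backup, 90-day password/PIN changes and KOV-29 audit log reviews, six-monthly archives and DHL exports, annual AKP rekey), and Article 905 fixes a 72-hour window for documenting or reporting a PDS once discovered. The following Python module is an added example, not part of EKMS-1E Supp-1 or of any NCMS or KMI software: it checks locally kept "last performed" dates against those intervals and computes the 30-day CSN copy and 72-hour reporting deadlines. The task names, the record format (a dictionary of task name to date), the sample records, and the day counts used for "six months" (182) and "annually" (365) are assumptions; the manual states the periods only in words.

```python
"""Recurring COMSEC management task checker.

Added example, not part of EKMS-1E Supp-1 or any NCMS/KMI software. It
compares locally kept records of when each recurring KOA management task was
last performed against the maximum intervals in Figure 9-1, and computes the
72-hour documentation/reporting window of Article 905. Task names, the record
format and the day counts used for "six months" and "annually" are assumptions.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional

# Maximum days between performances of each task, as listed in Figure 9-1.
# "Six months" is taken as 182 days and "annually" as 365 days (assumption).
MAX_INTERVAL_DAYS: Dict[str, int] = {
    "mgc_tsl_review": 7,           # KOAM/Alternate review of the MGC Transaction Status Log, weekly
    "mgc_backup": 7,               # MGC backup at least weekly, and whenever transaction status changes
    "password_pin_change": 90,     # passwords/PINs changed and SF-700s updated every 90 days
    "kov29_audit_log_review": 90,  # KOV-29 audit log downloaded, reviewed and recorded every 90 days
    "koa_archive": 182,            # KOA accounting data archived every six months
    "akp_dhl_export": 182,         # CPSO export of the AKP Diagnostic History Log to the MGC, six-monthly
    "akp_rekey": 365,              # AKP rekey at a minimum annually
}
ARCHIVE_COPY_WINDOW = timedelta(days=30)   # CSN copy due within 30 days of archiving (Figure 9-1)
PDS_REPORT_WINDOW = timedelta(hours=72)    # documented or reported within 72 hours (Article 905)


@dataclass(frozen=True)
class Finding:
    task: str
    last_done: Optional[date]    # None when no record of the task exists
    days_overdue: Optional[int]  # None when there is no record to measure from; 0 when due now


def overdue_tasks(last_done: Dict[str, date], as_of: date,
                  status_changed_since_backup: bool = False) -> List[Finding]:
    """Return a Finding for every task whose interval has lapsed or that was never recorded.

    The Figure 9-1 items are failures to perform and document the task, so a
    task with no record at all is reported as well as a late one. A change in
    MGC transaction status makes a backup due at once, regardless of the weekly
    interval. Results are ordered by task name so output is stable.
    """
    findings: List[Finding] = []
    for task, max_days in sorted(MAX_INTERVAL_DAYS.items()):
        done = last_done.get(task)
        if done is None:
            findings.append(Finding(task, None, None))
            continue
        elapsed = (as_of - done).days
        if elapsed > max_days:
            findings.append(Finding(task, done, elapsed - max_days))
        elif task == "mgc_backup" and status_changed_since_backup:
            findings.append(Finding(task, done, 0))
    return findings


def archive_copy_deadline(archive_date: date) -> date:
    """Last day on which the copy of an archive made on archive_date may reach the CSN."""
    return archive_date + ARCHIVE_COPY_WINDOW


def pds_report_deadline(discovered: datetime) -> datetime:
    """Latest time a PDS discovered at `discovered` may be documented or reported."""
    return discovered + PDS_REPORT_WINDOW


def pds_report_is_late(discovered: datetime, reported: datetime) -> bool:
    """True when the PDS was documented/reported after the 72-hour window closed."""
    return reported > pds_report_deadline(discovered)


# Constructed sample records for a fictional account, checked as of the manual's date.
AS_OF = date(2017, 5, 8)
SAMPLE_RECORDS: Dict[str, date] = {
    "mgc_tsl_review": date(2017, 4, 25),
    "mgc_backup": date(2017, 5, 3),
    "password_pin_change": date(2017, 1, 1),
    "kov29_audit_log_review": date(2017, 3, 1),
    "koa_archive": date(2016, 10, 1),
    "akp_dhl_export": date(2017, 2, 1),
    "akp_rekey": date(2016, 5, 1),
}

if __name__ == "__main__":
    for f in overdue_tasks(SAMPLE_RECORDS, AS_OF):
        state = "never recorded" if f.days_overdue is None else f"{f.days_overdue} day(s) overdue"
        print(f"{f.task}: last {f.last_done}, {state}")
    print("CSN copy of the 2016-10-01 archive was due by", archive_copy_deadline(date(2016, 10, 1)))
```

Run against the constructed records, the checker flags the AKP rekey, the KOA archive, the TSL review and the password/PIN change as overdue; the six-monthly tasks use a fixed 182-day interval, so an account that counts calendar months should adjust that constant.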
SAMPLE NON-REPORTABLE PDS MEMORANDUM

03 Apr 2016

MEMORANDUM

From: KOA Manager (or Alternate), USS Blue Horse
To: Commanding Officer, USS Blue Horse
Via: (as applicable with command administrative procedures)

Ref: (a) EKMS-1(series) Supp-1 dated XXXXXXX
     (b) JCMO quarterly status message DTG XXXXXXXXXXXXX

Encl: (1) SF-702 for XXXXXXXXXXX security container

Subj: DOCUMENTATION OF THE DISCOVERY OF A NON-REPORTABLE PDS

1. On 02 April 2016, during the conduct of required monthly audit trail reviews, it was discovered that XXXXXXXXXXXXXX (name of LE) failed to destroy superseded keying material within the time frame set forth in reference (a).

2. The late destruction was confirmed through a review of the audit trail data, reference (b) and enclosure (1). Specifically, the material destroyed late has a daily crypto period, and enclosure (1) reveals the container was opened on 23 Mar 2016, but segment 22 was not destroyed until the next documented opening on 25 Mar 2016.

3. Training was conducted with work center personnel to emphasize that in a non-watch environment, if the container is opened, both an inventory and destruction of superseded material are required, and to address the proper time frames for carrying out destruction of superseded material to prevent potential use and reporting of such as a cryptographic incident.

Very Respectfully,

I. B. INTROUBLE

Copy to:
Account XXXXXX PDS/Incident File
XXXXXXXXXXX (LE/work center)

FIGURE 9-3

THIS PAGE IS UNCLASSIFIED BUT MARKED “CONFIDENTIAL” FOR TRAINING PURPOSES ONLY

SAMPLE REPORTABLE PDS MESSAGE

P XXXXXXZ XXX XX (DATE TIME GROUP)
FROM: XXXXXXX (PLA OF THE UNIT REPORTING THE PDS)
TO: NCMS OR THE CONTROLLING AUTHORITY (AS APPLICABLE)
INFO: NCMS (ONLY IF KEYING MATERIAL IS INVOLVED AND THE MESSAGE IS SENT ACTION TO THE CA)
UNITS ISIC
SERVICING COR AUDIT TEAM
BT
C O N F I D E N T I A L //N02280//
MSGID/GENADMIN/UNIT NAME/-/MON//
SUBJ/REPORTABLE PRACTICE DANGEROUS TO SECURITY (PDS) (U)//
REF/A/DOC/NCMS/-/XXXXXXX (THE DATE OF THIS MANUAL)
REF/B/GENADMIN/CPF/031429ZMAR13//
REF/C/PHONECON/USS BLUE FISH/CPF/01APR13//
NARR/REF A IS EKMS-1B SUPP-1. REF B IS ALCOMPAC P XXX/XX. REF C IS PHONECON TO CPF.//
POC/NILLIE, W. R./LTJG/USS BLUE FISH/TEL:240-857-4118/EMAIL: WILLIE.NILLIE@BLUE-FISH.NAVY.SMIL.MIL//
RMKS/1. (C) FOLLOWING ROUTINE TROUBLESHOOTING OF A CIRCUIT OUTAGE, IT WAS DISCOVERED THAT ON 01 APR 2012, LE PERSONNEL HAD PREMATURELY LOADED SEGMENT 6 OF USKAT XXXXXX EDITION G.
2. (C) IAW REF B, SEGMENT 6 IS NOT EFFECTIVE UNTIL 080001Z APR 12. FURTHER REVIEW INDICATED THAT LE PERSONNEL DID NOT CONSULT THE COPY OF REF (B) PROVIDED TO THE WORKCENTER AND PREMATURELY DESTROYED SEGMENT 5, LEADING TO THE PREMATURE USAGE OF SEGMENT 6 FOLLOWING A CIRCUIT OUTAGE.
3. (C) FOR CPF, AS DISCUSSED, ORIGINATOR HAS CONTACTED USS GREY TUNA TO OBTAIN SEGMENT 5 OF USKAT XXXXXXX EDITION G VIA OTAT TO RESTORE CIRCUIT OUTAGE.
4. (U) PERSONNEL INVOLVED WILL BE COUNSELED IN WRITING AND RETRAINED ON PROPER USE OF STATUS INFORMATION IN HANDLING COMSEC MATERIAL.
DERIVED FROM/EKMS-1(SERIES) SUPP-1//
DECL/02 APRIL 2015//

Figure 9-4

CHAPTER 10 - ELECTRONIC STORAGE DEVICES

1001. GENERAL. This annex provides basic guidance related to some electronic storage devices (ESD) used within the DON. Where used herein, the term ESD primarily pertains to the AN/PYQ-10 Simple Key Loader (SKL) and the KIK-11/Tactical Key Loader (TKL). Users of Controlled Cryptographic Items (CCI) should always consult the Cryptographic Operating Manual (KAO) or Operational Security Doctrine (OSD) for the device. When a conflict exists, KAOs and OSDs have precedence over general policy manuals at the service or National level.

1003. SOFTWARE MANAGEMENT.

a. Only software tested and validated by the ISEA, authorized via message from NCMS, and obtained from the INFOSEC web site is authorized for installation on COMSEC equipment within the DON.

b. Records must be maintained to reflect the User Application Software (UAS) on each ESD held by the account and will reflect at a minimum the device nomenclature, serial number and the UAS installed. A single spreadsheet can be used for this purpose but must be updated upon receipt of a new device or replacement of a failed unit.

c. When a device is turned in to the CRF for repair/return, or disposition instructions are received for a failed unit which is replaced by another device, the software must be verified to comply with any mandatory software upgrades directed relevant to the device.

1005. CLASSIFICATION, ACCOUNTABILITY, SAFEGUARDING AND ACCESS.

a. Electronic Storage Devices are unclassified CCI when the CIK has been removed, the device and CIK are not stored together, and the host side of the device does not contain classified data.

b.
When the CIK is inserted, or the device and CIK are stored together, both must be safeguarded based on the highest classification of unencrypted key or data that can be accessed or output, whichever is higher.

c. ESDs are generally ALC-1, CMCS accountable; associated CIKs are locally accountable at the unit level (not in the MGC).

d. Unrestricted access to a SKL, TKL or CIK associated with either containing keying material requires a clearance equal to or higher than the keying material or data (whichever is higher) and written authorization for access to COMSEC material.

e. Access to the SSO password must be restricted to authorized personnel designated in writing and authorized privileged access to the device by the CO, if personnel other than the COMSEC Account Manager, Alternate or LE Issuing require such access. This authorization may be in the form of an individual designation letter or be reflected on the access list for the space to which the individual is assigned.

f. Loss of a CIK or device must be reported in accordance with Chapters 8 or 9 herein.

1007. TYPES OF KEYING MATERIAL RELATED TO ELECTRONIC STORAGE DEVICES.

a. Storage Key Encryption Key (SKEK) and LKEK/HDPK both have a one-year crypto period from the date the device was initialized or the splits filled, as applicable, from the MGC/AKP.

b. Devices which are initialized must be reinitialized annually.

c. Failure to reinitialize devices which have been initialized and not zeroized and removed from service must be reported as a COMSEC incident in accordance with Chapter 8. This does not apply to devices issued to school houses or COR Audit Teams, as no operational key is issued to or held by these entities.

d. Transfer Key Encryption Key (TrKEK). TrKEK is used to encrypt and decrypt key filled in the device and must be equal to or higher in classification than the key it protects.

1. TrKEK is restricted to a maximum one-year crypto period, which should be the exception and not used simply for convenience purposes. The typical prescribed crypto period for TrKEK is one year.

2. TrKEK may not be distributed via DTD or SKL to STE OTAD, except in an emergency. TrKEK must be preplaced in a receiving DTD or SKL, and up to one year's worth may be preplaced.

e. SKEK, LKEK/HDPK or TrKEK are classified based on the highest classification of key or data stored in the device, whichever is higher.

f. There is no ALC or accountability requirement for SKEK or LKEK/HDPK created manually when an ESD is initialized.

g. When produced using the MGC/AKP, SKEK, LKEK/HDPK or TrKEK will be restricted to ALC-7 material and accounted for locally.

1009. LOADING KEYING MATERIAL INTO AN ELECTRONIC STORAGE DEVICE.

a. The amount of key must always be limited to that required to support mission requirements, consistent with limitations imposed by the respective CONAUTH and/or OSD.

b. Unless operationally required to output key in unencrypted (red) form, all key output from the AKP will be in encrypted (black) form.

c. Resupply to LEs operating away from the parent account may be facilitated through the use of a STE and OTAD, provided the STE's security classification is equal to or higher than the classification of the key being passed.

d. The use of a STE with either a DTD or SKL for OTAD purposes requires the use of an NSA-approved adaptor/connector to connect the device to the STE data port for the purpose of distributing keying material via OTAD. Use of any other cable not approved by NSA must be reported as a COMSEC incident.

e. All electronic key held at the account level will be issued from the MGC/AKP adhering to local custody procedures.

f. For keying material held at the account or LE Issuing level that is not held in electronic form, the following guidance will be adhered to:

1. Premature extraction of key is permitted for loading and issuance in support of operational requirements and is not considered a PDS in these situations.

2. Extracted segments of keying material not available in electronic form will be resealed in accordance with EKMS-1(series) Article 772.

3. The extraction will be documented on a CMS-25, with a separate CMS-25 used if more than one Short Title/Edition is extracted from. The discovery of extracted keying material not resealed and documented on the corresponding CMS-25 is a COMSEC incident and must be reported in accordance with Chapter 8.

4. Premature extraction done inadvertently, not to support an operational requirement as discussed above, is a non-reportable PDS in accordance with Chapter 9 if documented on the CMS-25 as discussed above. If discovered and such was not documented as discussed above, it must be reported in accordance with Chapter 8.

5. A manual SF-153 will be used to return the device (if previously issued from the MGC) and will reflect the Short Title, Edition, Serial Number and ALC of the material issued, and will be signed and witnessed by appropriately cleared and authorized personnel.

1011. VISUAL INSPECTION REQUIREMENTS.

a. ESDs are TEMPEST certified and must be visually inspected per the OSD at the account or LE level when keying material is stored in the device.

b. In a non-watch environment, a security container does not have to be opened for the sole purpose of conducting a visual inspection of a DTD or SKL. If the container is opened, an inventory of material held will be conducted, destruction of superseded key carried out, and the device(s) visually inspected. The SF-702 for the container will be compared to the visual inspection log to ensure compliance with the policy.

c. Any device cracked or damaged will be turned in to the supporting KOAM and will not be further used. The KOAM will issue a replacement device and request disposition instructions from NCMS for the damaged device.

1013. DESTRUCTION OF ELECTRONIC KEYING MATERIAL.

a. Will occur within the same time frame set forth in Article 709 herein.

b. Destruction will be witnessed and verified by a properly cleared and trained person who is authorized access in writing to COMSEC material.

c. With the exception of when an edition of keying material supersedes and such material is reflected on a working copy of a destruction report provided by the KOAM for verification, signature and return to the KOAM, there is no requirement to document destruction of key in an electronic storage device with auditing capability (DTD, SKL, TKL); the audit trail provides verification that the superseded key was destroyed.

d. Because multiple personnel have access to electronic storage devices at the work center level, coupled with the fact that in a work center where shift work is conducted password sharing for the SKL is permitted, it is recommended that commands consider requiring the use of CMS-25s for the destruction of electronic key. This promotes accountability of the individuals responsible for the destruction if it is discovered to have been conducted late, or if the material is found to still exist and was reflected on the LE's end of the month destruction report, which is a COMSEC incident in accordance with Chapter 8.

1015. TRANSPORTATION AND SHIPMENT. Will be in accordance with EKMS-1(series) Articles 525 – 535; see those articles for additional information.

1017. AUDIT TRAIL REVIEW REQUIREMENTS.

a.
KOAMs, Alternates or other personnel designated in writing by the unit’s CO/OIC as a Supervisory User or SSO, as applicable are required to conduct audit trail reviews at a minimum of semiannually or more frequently per the OSD for the device if it has auditing capability. b. Audit trail reviews will not be conducted by a primary user of the device nor will such person be designated as a Supervisory User or SSO, as applicable. c. Audit trail reviews are NOT required for devices that are not initialized or in use. To exempt devices from auditing and annual reinitialization requirements, when turned in or no longer required, zeroize the device, upload and review the audit trail data, log the review and remove the batteries from the device. UNCLASSIFIED//FOR OFFICIAL USE ONLY 10-5 UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1 d. Audit trail reviews are not required for devices issued to COR Audit Teams, School Houses or other similar environments where no classified or operational keying material is used. e. It is HIGHLY recommended audit trail reviews be conducted NLT the 5th day of the month following the month in which the material was issued to ensure it is: (a) destroyed within the proper time frame; (b) not found to still exist after documenting it as destroyed. The latter requires submission of a COMSEC incident report. f. Each account must create, maintain and retain Audit Trail review logs for a minimum of two years. Minimum auditable events can be found in the OSD for the device. 1019. ELECTRONIC STORAGE DEVICE INTERFACE FLOWS Applicable security precautions, restrictions and guidance related to USB port usage or approved connections to electronic storage devices can be found in the OSD for the device. . 1021. EMERGENCY DESTRUCTION a. Follow the provisions of Annex G for emergency action or emergency destruction. Should emergency destruction be implemented, zeroize the device and smash it with fire ax, hammer, or other heavy object. b. 
To reduce risk or more stringent security requirements commands must remember to issue the minimum amount of key required to carry out assigned missions and never in amounts greater than authorized by this publication or the Operational Security Doctrine for the device, the more stringent of the two. 1023. REPAIR & MAINTENANCE a. Users or other authorized personnel may perform only limited maintenance and such is restricted to keypad and battery replacement. Personnel replacing these parts are not required to be Qualified Maintenance Technicians. b. Apply silicone gel to the SKL fill ports to minimize damage to the fill ports. The gel is available via supply channels under the National Stock Number (NSN) 6850-00-177-5094. Ensure compliance with applicable safety procedures including the Material Safety Data Sheet (MSDS) in handling, using or UNCLASSIFIED//FOR OFFICIAL USE ONLY 10-6 UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1 storing the product. c. Local maintenance of ESDs is not authorized at the unit level. d. Ensure failed devices are zeroized. If they cannot be zeroized, protect the device based upon the highest level of keying material or data stored at time of failure. e. Do not report devices which are become broken during normal use in which the source of the damage is not suspicious and the device has not accessible to unauthorized personnel. Remove the device from use, and report the matter to the supporting COMSEC Account Manager. f. Failed devices or devices received which are defective must be retained, accounted for and safeguarding pending disposition instructions from NCMS which the unit is responsible for requesting. 
Annex A ACRONYMS

The following acronyms are used within this document:

AKP - Advanced Key Processor
ALC - Accountability Legend Code
AO - Authorizing Official
ASWR - Attack, Sensing, Warning and Response
BF - Benign Fill
CONAUTH - Controlling Authority
CBT - Computer Based Training
CCI - Controlled Cryptographic Item
CD - Compact Disc
CF - Central Facility
CHO - Client Host Only
CID - Center for Information Dominance
CIK - Crypto-Ignition Key
CMCS - COMSEC Material Control System
CMD Auth - Command Authority
CMIO - COMSEC Material Issuing Office
CNO - Chief of Naval Operations
CNSSI - Committee on National Security Systems Instruction
COMSEC - Communications Security
COI - Course of Instruction
COR - Central Office of Record
COTS - Commercial Off-the-Shelf
CPA - Client Platform Administrator
CPSO - Client Platform Security Officer
CRF - Central Repair Facility
CRL - Certificate Revocation List
CSN - Central Service Node
CTO - Computer Task Order
DCS - Defense Courier Service
DIRNSA - Director, National Security Agency
DLT1RA - Device Local Type 1 Registration Authority
DN - Distinguished Name
DOC - Delivery Only Client
DON - Department of the Navy
DRM - Device Registration Manager
DTD - Data Transfer Device
DVD - Digital Video Disc
EA - Eligibility Authority
ECU - End Cryptographic Unit
EKMS - Electronic Key Management System
EM - Enrollment Manager
EPL - Evaluated Products List
FF - FIREFLY
FMS - Foreign Military Sales
HCI - Highest Classification Indicator
HMI - Human Machine Interface
FOUO - For Official Use Only
IA - Information Assurance
IA(I) - Identification & Authentication (Infrastructure)
IA(M) - Identification & Authentication (Mission)
IAM - Information Assurance Manager
IAO - Information Assurance Officer
IAW - In Accordance With
ISSM - Information System Security Manager
ISSO - Information System Security Officer
ICP - Inventory Control Point
ICD - Intelligence Community Directive
INFOSEC - Information Systems Security
ISIC - Immediate Superior in Command
JCCB - Joint Configuration Control Board
JWICS - Joint Worldwide Intelligence System
KEK - Key Encryption Key
KEKL - Local Key Encryption Key
KME - Key Management Entities
KMI - Key Management Infrastructure
KMID - Key Management Identification Number
KOAA - KMI Operating Account Agent
KOAM - KOA Manager
KOARM - KMI Operating Account Registration Manager
KVM - Keyboard/Video/Mouse
LCM - Legacy Catalog Manager
LE - Local Element
MGC - Management Client
MSK - Message Signature Key
NCMS - Naval Communications Security Material System
NSA - National Security Agency
NSTISSI - National Security Telecommunications and Information Systems Security
OMM - Operations and Maintenance Manual
OOB - Out Of Band
OpPAC - Operational Positive Access Control
OS - Operating System
OSD - Operational Security Doctrine
OTNK - Over the Network Key
PAL - Product Activity List
PCMCIA - Personal Computer Memory Card International Assoc
PDE - Product Delivery Enclave
PDS - Practice Dangerous to Security
PIN - Personal Identification Number
PKI - Public Key Infrastructure
PLT1RA - Personnel Local Type 1 Registration Authority
PR - Product Requester
PRM - Personnel Registration Manager
PRSN - Primary Service Node
PSN - Product Source Node
RM - Registration Manager
ROB - Reserve-on-board
SCMSRO - Staff CMS Responsibility Officer
SDDC - Surface Deployment and Distribution Command
SERVAUTH - Service Authority
SKL - Simple Key Loader
SO - Security Officer
SOVT - System Operational Verification Test
SSO - Special Security Officer
TEK - Transmission Encryption Key
TestPAC - Test Positive Access Control
TKL - Tactical Key Loader
TLS - Transport Layer Service
TPI - Two-Person Integrity
TrKEK - Transfer Key Encryption Key
TSO - Token Security Officer
USB - Universal Serial Bus
USNDA - United States National Distribution Authority
VDLS - Vault Distribution Logistics System
Annex B DEFINITIONS

This glossary lists the terms for which this volume has definition statements.

Access. The ability and means to communicate with or otherwise interact with a system's resources in order to either handle data held by the system or control system components and their functions.

Access Control. A service that protects against unauthorized access to system resources, including protecting against use of a system resource in an unauthorized manner.

Advanced Key Processor (AKP). A Type-1 cryptographic device that performs all cryptographic functions for a Management Client Node and provides the interfaces necessary to exchange information with a Client Platform, interact with fill devices, and connect a Client Platform securely to the PRSN.

Attribute Certificate. A digital certificate that binds a set of descriptive data items other than a public key, such as authorizations for an Access Control process, either directly to a subject name or to the identifier of another public-key certificate.

Authentication Material. A unit of information that a registered user employs to prove a claimed User Identity when accessing the system.

Client Node. A type of node that enables Human Users to perform KMI functions by accessing KMI products and services offered by a PRSN across a communication network, invoking functions performed locally by the Client Node, or both.

Central Services Node (CSN). The CSN is the Key Management Infrastructure core node that provides centralized Security and Data Management services.

Component. A set of system resources that (1) forms a physical or logical part of the system, (2) has specified functions and interfaces, and (3) is treated, by policies or requirement statements, as existing independently of other parts.

Computer Host. A combination of computer hardware and an operating system (consisting of software, firmware, or both) for that hardware which supports automated KMI functions.

Controlling Authority (CONAUTH). Official responsible for directing the operation of a cryptonet and for managing the operational use and control of keying material assigned to the cryptonet.

Controlled Cryptographic Item (CCI). A secure telecommunications or information handling equipment, or associated cryptographic component, that is unclassified but governed by a special set of control requirements. Such items are marked "CONTROLLED CRYPTOGRAPHIC ITEM" or, where space is limited, "CCI".

Credential. Information passed from one entity to another to establish the sending entity's access rights.

Crypto-Ignition Key (CIK). Device or electronic key used to enable secure operations of crypto-equipment.

Device Local Type 1 Registration Authority. The Management Role responsible for endorsing user devices and for requesting infrastructure Identification and Authentication credentials for the user devices.

Device Registration Manager. The Management Role responsible for performing activities related to registering users that are devices.

End Cryptographic Unit (ECU). A device that performs cryptographic functions, may be part of a larger system for which the device provides security services and, from a security perspective, is the lowest identifiable component with which a management transaction can be conducted.

Enrollment. The KMI process that assigns a User Identity to a Management Role.

Evaluating Authority. The official responsible for evaluating a reported COMSEC incident for the possibility of compromise. Formerly known as the Closing Action Authority.

Fill Device. A COMSEC device used to transfer, store or load key into crypto-equipment.

Fill Group. A named set of User Devices owned by a single KOA.

FIREFLY. Key management protocol based on public key cryptography.

Global Identity. A User Identity for which the Identity Registration Data is maintained in a database at the PRSN level for recognition across the KMI.

Group Identity. A User Identity that is registered for a User Set for which the KMI does not maintain a record of the members of the set.

Hardware Token. A type of ECU that serves as a Human User's individual cryptographic device to carry that person's authentication material and any associated Identifier Credentials or other keying material.

Highest Classification Indicator (HCI). Used to determine the highest classification of COMSEC material that an account may hold.

Human User. A human being that is registered to be a user.

Identifier Credential. A data object that is a portable, secure representation of the association between a User Identifier and some Authentication Material, which can be presented for use in proving a claimed identity to which that User Identifier has been assigned.

Identifier Registration Data. A subset of the User Registration Data that describes a specific User Identifier.

Identifier Registration State. A KMI-Unique User Identifier that has been registered and is authorized for accessing the KMI. The difference between an Active State and Inactive State is simply that to be Active, the registered entity must be authorized.

Identity Registration Data. A subset of the User Registration Data that describes a specific User Identity.

Identity Registration State. A User Identity that has been registered and authorized for accessing the KMI. The difference between an Active State and Inactive State is simply that to be Active, the registered entity must be authorized.

Key-Encryption-Key (KEK). Key that encrypts or decrypts other key for transmission or storage.

Key Management Infrastructure (KMI). All parts—computer hardware, firmware, software, and other equipment and its documentation; facilities that house the equipment and related functions; and companion standards, policies, procedures, and doctrine—that form the system that manages and supports the ordering and delivery of cryptographic material and related information products and services to users.

KMI-Aware Device. A User Device that can receive and use products that are wrapped for it, for which a Global Device Identity has been registered so that a product can be generated and wrapped by a PSN for distribution to that specific User Device for use in that identity.

KMI Operating Account (KOA). A KMI business relationship established to manage the set of User Devices that are under the control of a specific KMI customer organization and to control the distribution of KMI products to those devices. This was previously referred to as either an EKMS or COMSEC account.

KMI-Unique User Identifier. A User Identifier that can be used to access the KMI, takes a form specified in the KMI Policy for Registration of Users, and is unique among all current and past User Identities.

KOA Agent (KOAA). The User Identity of a Human User which has been designated by a KOAM to access KMI for the purpose of retrieving products for User Devices assigned to that KOA. A KOA Agent is not considered a role; it is a designation for the registered identity of a human user which has been associated with one or more KOAs.

KOA Manager. The management role responsible for the operation of one or more KOAs (i.e., manages distribution of KMI products to the ECUs, fill devices, and AKPs that are assigned to the manager's KOA).

KMI User Number (KU#). A KMI-unique value assigned by the KMI to a Registered User. It is used by the system's internal database as an index, label, or abbreviated name for associating data elements pertaining to that user.
Limited Device. A User Device for which a Local Device Identity has been registered at an MGC, through which products are distributed to that User for use in that identity.

Local (Device) Identity. A User Device's User Identity for which the Identity Registration Data is maintained in a database at a single MGC. The device is only recognized at the account's MGC and not globally.

Management Client (MGC). A configuration consisting of a Client Node that enables an external Operational Manager to manage KMI products and services through accessing a PRSN or exercising locally-provided capabilities. An MGC consists of a Client Platform and an AKP.

Node. A collection of related components located on one or more computer platforms at a single Site.

Non-KMI User Identifier. A User Identifier that cannot be used to access the KMI as a user and either takes the same form as a KMI-Unique User Identifier or some other form.

Over-The-Air Key Distribution (OTAD). Providing electronic key via over-the-air rekeying, over-the-air key transfer, or cooperative key generation.

Over-The-Air Key Transfer (OTAT). Electronically distributing key without changing the traffic encryption key used on the secured communications path over which the transfer is accomplished.

Over-The-Air Rekeying (OTAR). Changing traffic encryption key or transmission security key in remote cryptographic equipment by sending new key directly to the remote cryptographic equipment over the communications path it secures.

PDE-Enabled Device. A KMI-Aware Device that is also equipped to establish network connectivity to a PRSN PDE to obtain KMI products and services.

Personnel Local Type 1 Registration Authority. The Management Role responsible for personalizing a user to a device and for requesting Infrastructure Identification and Authentication credentials for human users.

Personnel Registration Manager. The Management Role responsible for registering Human Users, i.e., Users that are people.

Principle of Separation of Duties (Exclusions). The separation of functions, management and security-related oversight of a system among different entities or roles, to prevent a single entity from subverting the process.

Primary Service Node (PRSN). The PRSN is a Key Management Infrastructure core node that provides the user's central point of access to KMI products, services and information.

Product Source Node (PSN). The PSN is the Key Management Infrastructure core node that provides central generation of cryptographic key material and Type 1 PKI certificates.

Registered User (abbreviated as User). A System Entity authorized to receive KMI's products and services or otherwise access System Resources.

Set Identity. A User Identity registered for a User Set composed entirely of Human Users or User Devices.

Shared Identity. A User Identity registered for a User Set in which each member of the set is authorized to assume that identity individually and for which the KMI maintains membership records for the set.

Singular Identity. A User Identity registered for exactly one Human User or User Device.

Tactical Key Loader (TKL). A small, lightweight key loader replacement for legacy key fill devices (KYK-13, CYZ-10, etc.).

Token Holder. The individual Human User who is accountable for the use of a specific Hardware Token, including use of the Authentication Material and other security-sensitive material carried by the Token.

Token Holder Identity. A User Identity which belongs to the Token Holder of a Hardware Token and to which that Token is assigned for accountability purposes by the KMI.

Token Mission Identity. The User Identity of a Human User (or of a User Set consisting of Human Users) for which cryptographic material is loaded into a Hardware Token to enable the Token to support the authentication of that Identity.

Token SO Account. An account established on the token for use by the Token SO to perform maintenance functions. These functions include initialization, endorsement, personalization, and general lifecycle maintenance.

Two-Person Integrity (TPI). System of storage and handling designed to prohibit individual access by requiring the presence of at least two authorized individuals, each capable of detecting incorrect or unauthorized security procedures with respect to the task being performed.

User. See Registered User.

User Authentication. A security service that verifies a User Identity claimed by or for a System Entity that attempts to access the KMI.

User Core Data. A subset of the User Registration Data that distinguishes a Registered User from all other Registered Users, has the same values for all User Identities of the User, and includes some attributes that have values that remain constant over the life of the User.

User Device. A cryptographic device—a specific hardware unit with specific software running on it—that is registered to act as a User, either a User that accesses the KMI directly or one that receives KMI products and services indirectly.

User Device Sponsor. The Primary KOA Manager of the KOA that is currently accountable for use of a User Device; i.e., the KOA to which a User Device is currently assigned.

User Identifier. A name that can be unambiguously represented by a printable, non-blank character string.

User Identity. The collective aspect of a set of attribute values in which the specific individuality of a Registered User is recognized or known by the KMI and which are sufficient to distinguish the identity from any other.

User Number. See "KMI-Unique User Identifier".

User Registration. The process that initializes an identity in the KMI for a System Entity authorized to access the KMI. The process also associates an identifier with the identity, may associate authentication material with the identifier and, dependent upon the authentication mechanism used, may also issue or associate an identifier credential.

User Registration Data. The set of attribute values acquired by, stored in and maintained in the KMI to establish and describe a Registered User.

User Set. A set consisting entirely of Human Users or User Devices that is registered to act as a single User.

User Set Sponsor. A Human User, represented in the KMI by a User Identity, who requests that a new User Identity be registered for a User Set and who continues to officially represent the KMI customer organization accountable for use of the new identity.

User Sponsor. A Human User, represented in the KMI by a User Identity, who requests that a new User Identity be registered for a User Device or a User Set, or who officially represents the KMI customer organization accountable for the use of a registered User Identity associated with a particular User Device or User Set.

Annex C COMSEC LIBRARY

All KOAs must maintain a COMSEC Library, which in addition to the library requirements set forth in Article 721 of EKMS-1 (series) must consist of the documents listed below. Accounts which have transitioned are not required to hold EKMS-704.
Document:

KMI 101 - Computer Based Training (CBT)
KMI 201 - Computer Based Training (CBT)
Token Security Officer - Computer Based Training (CBT)
EKMS-1 (series) - DON EKMS Policy & Procedures Manual
EKMS-1 (series) Supp-1 - DON KMI Policy and Procedures Manual
Operational Security Doctrine for Key Management Infrastructure (KMI) KOV-29 (sKey6500)
Operational Security Doctrine for the Key Management Infrastructure (KMI) Management Client (MGC) Node
Operational Security Doctrine for KG-250X - High Assurance Internet Protocol Encryptor (HAIPE)
Process Security Doctrine for the Enrollment of KMI Managers
Process Security Doctrine for the Registration of KMI Operating Accounts and KMI Users
Type 1 Certificate Policy (CP)
MGC Operations and Maintenance Manual for the KMI Client Node
NAG-53 (series) [Shore-based accounts only]

Each of the items reflected above can be obtained from the NSA URLs located in Annex F.

Annex D KMI FORMS QUICK REFERENCE

Form Name - Purpose:

KMI Form 001 - KMI Personnel Registration Form (Any person whose official duties require registration in the KMI)
KMI Form 002 - KMI Enrollment Eligibility Form (Any person fulfilling one or more roles reflected in the Conferral Roles section of the form)
KMI Form 003 - COMSEC Account Data for KMI Registration (New and Transitioning Accounts Must Submit)
KMI Form 004 - KMI Certificate of Acceptance and Acknowledgement of Responsibilities (All roles requiring a token)
KMI Form 005 - Checklist for EKMS to KMI account transition
KMI Form 006 - KMI Device Registration Form (EA Only)
KMI Form 007 - KMI Certificate of Acceptance and Acknowledgement of Responsibilities (Device Sponsors Only)

Each of the above forms, as well as CPA, CPSO, and TSO training, is available online at the NSA KMI portal. See Annex F for the URL.
Annex E CONDUCTING AND VERIFICATION OF PAGE CHECKS AND MODIFICATIONS

a. Purpose of Page Checks: Page checks are conducted to ensure the completeness of COMSEC material. Material that is protectively packaged is intended to remain intact until the material must be removed for issue or use and must NOT be opened solely for page check purposes.

b. Verify Before Installation/Use: COMSEC equipment, related devices, and components must be verified for completeness prior to installation or use to afford ample time to obtain replacement equipment or parts, if required.

c. Establish Internal Procedures: The Manager must establish internal procedures to ensure that all COMSEC material received by an account is page checked and/or verified for completeness.

d. Certify Completed Page Checks: Certification of completed page checks for COMSEC accountable publications, keying material or repair (Q) kits must be recorded on the Record of Page Checks (ROPs) page for the material, the front cover (for material having no ROPs page), or the locally created inventory which is to be maintained inside Q-kits held by the command.

e. Page Check Requirements: Minimum page check requirements for all COMSEC material are reflected in the matrix (Figure E-1) in this annex. Key points reiterated herein are:

(1) Do not open sealed crates containing COMSEC equipment or sealed/resealed packages of keying material for the sole purpose of complying with the page check requirements upon receipt.

(2) Page check unsealed COMSEC keying material upon initial receipt, prior to transfer, during all account inventories, watch-to-watch inventories or when a container protecting such is opened in a non-watch environment, and prior to destruction.

(3) Unsealed daily changing call signs or code books, Communication Electronic Operating Instructions (CEOI) (e.g., AKAI, AKAU, AMSH), are exempt from the requirement to page check each copy upon initial receipt. Recipients need only check one or two copies of each new edition upon receipt to ensure page and print continuity.

(4) To reduce the possibility of a COMSEC incident as a result of a missing page from a classified COMSEC publication, all classified COMSEC-related publications issued to LEs, including but not limited to KAMs, KAOs, AKACs, AKAIs, AMSH, etc., will be page checked during watch-to-watch inventories or when a container is opened if held in a non-watch environment. These items will be indicated by an asterisk (*) on watch-to-watch inventories to reflect that a page check is required. Due to space limitations on the cover or ROP page, the signing of the inventories at the LE level will certify that the page check was properly conducted with no discrepancies.

f. Procedures: Each item of printed COMSEC material contains a List of Effective Pages (LOEP), either on a separate page or on the front cover of the material. This list indicates which pages should be in the publication and identifies the status of each page (i.e., an original page or a specific amendment number page).

NOTE: EKMS-5 (series) contains a list of components contained as part of Repair (Q) Kits and will be consulted to create local inventory documents and for verification purposes when conducting page checks, as required.

(1) To conduct a page check of printed COMSEC material, compare each page in the publication being checked against its LOEP.

(2) Each page listed on the LOEP must be in the publication and each page must reflect the correct status. For example, pages identified on the LOEP as "ORIGINAL" must be ORIGINAL pages. Pages identified on the LOEP as being a specific amendment page (e.g., 1 or AMEND 1) must be that specific amendment page.

g. Verify Mandatory Modifications: Verify the installation of DON and NSA mandatory equipment modifications in accordance with EKMS-5 (series) and/or the NSA Mandatory Modification Verification Guide (MMVG) as follows:

(1) Should an examination of the equipment indicate a requirement to install a mandatory modification, the KOAM will ensure that the mandatory modification is installed by an appropriately qualified maintenance technician as specified in the instructions accompanying the modification.

(2) Before transferring equipment, the KOAM will also ensure that the modification record (plate) on the COMSEC equipment accurately reflects all installed modifications.

h. Report Page Check or Other Discrepancies: If a discrepancy is noted during the page check and verification of any COMSEC accountable material, it must be reported in accordance with Chapter 8 if the material is classified, marked or designated CRYPTO, or designated CCI. For unclassified material not marked or designated CRYPTO or CCI, document and report the matter in accordance with Chapter 9.

PAGE CHECK QUICK REFERENCE MATRIX (FIGURE E-1)

Columns: TYPE OF MATERIAL; UPON INITIAL RECEIPT; AFTER ENTRY OF AMENDMENT WHICH CHANGES PAGES; UPON INSTALLATION/MODIFICATION; DURING EKMS ACCOUNT INVENTORIES; DURING WATCH INVENTORIES; PRIOR TO TRANSFER TO NEW ACCT; UPON DEST.

THESE PAGE CHECK REQUIREMENTS DO NOT APPLY TO KEYING MATERIAL PACKAGED IN CANISTERS.

Matrix rows and cell entries as extracted: UNSEALED KEYING MATERIAL; RESEALED KEYING MATERIAL; CLASSIFIED COMSEC ACCOUNTABLE PUBLICATIONS (I.E. AKAA, AKAC, AKAI, KTCs, USKAC, USKTC); UNSEALED MAINTENANCE AND OPERATING MANUALS: YES N/A N/A YES YES YES YES N/A N/A N/A YES N/A YES YES YES EXCEPT AS INDICATED IN ART 757.E.3 YES N/A YES EXCEPT AS INDICATED IN ART 757.E.3 YES YES YES YES YES N/A N/A YES YES. ALL UNSEALED AMENDMENTS: YES BY PERSON ENTERING & BY PERSON VERIFYING ENTRY YES YES EXCEPT AS INDICATED IN ART 757.E.3 N/A YES YES YES. UNSEALED AMENDMENT RESIDUE: N/A BY PERSON ENTERING & BY PERSON VERIFYING ENTRY YES YES EXCEPT AS INDICATED IN ART 757.E.3 N/A N/A N/A N/A YES. MAINTENANCE AND REPAIR (PWB OR Q) KITS: YES BY PERSON ENTERING & BY PERSON VERIFYING ENTRY N/A YES N/A YES YES YES YES YES N/A YES N/A. EQUIPMENT MANDATORY MODIFICATION ON NSA/NAVY: YES N/A N/A YES EXCEPT AS INDICATED IN ART 757.E.3 (CLASSIFIED COMPONENTS ONLY) YES UPON UNCRATING YES N/A YES YES ALL COMPONENTS SEE NOTE 1 CLASSIFIED COMPONENTS ONLY ALL COMPONENTS MOD PLATE ONLY.

NOTE: Maintenance personnel must inventory all components upon initial local custody issue and return of repair kits. Resealing keying material, including ROB and WHENDI material, to negate page check requirements is authorized.

Annex F HELPFUL URLs

The URLs contained herein are intended to assist KOAM personnel in obtaining: status information; information related to KMI, including Computer Based Training (CBT) material; KMI-related forms; modernization information related to CCI equipment and related algorithms; and other information which, if consulted, may enhance the management of the account. NCMS has no administrative privileges or operational responsibility for the availability or content hosted on the sites reflected herein other than the NCMS portal(s).

Status Information

NCMS has published a listing of many Controlling Authorities and the URLs to where their status information is posted on the SIPRNET.
The file titled "Helpful URLs for COMSEC Account Managers" also contains hyperlinks to various OPTASKs, OPORDs and Communication Information Advisories and Bulletins (CIAs/CIBs). The file can be found on the NCMS (SIPR) Collaboration at Sea (CAS) Portal; the URL is reflected below. Hyperlinks for the SIPR URLs below have been removed so that the correct path displays.

General & Other Information
NCMS CAS Portal (SIPR): http://www.uar.cas.navy.smil.mil/secret/navy/39/site.nsf
Controlling Authority Computer-Based Training (CBT): www.ia.nsa.smil.mil/iaservices/cawg/training/index.cfm
Defense Courier Service (DCS) Customer Service Manual and USTC Form-10: http://www.ustranscom.mil/cmd/associated/dcd/
KMI CPA, CPSO and TSO Computer-Based Training (CBTs) and other information: http://www.ia.nsa.smil.mil/iaservices/programs/km/kmi_program_office/programdocs/suitabilitydocs.cfm
MGC Operators Manual: http://www.ia.nsa.smil.mil/programs/km/kmi_program_office/programdocs/suitabilitydocs.cfm
NSA Classified Material Conversion (CMC): http://www.nsa.gov/cmc/
NSA KMI (SIPR) Portal: http://www.iad.nsa.smil.mil/iaservices/km/kmi_program_office/programdocs/suitabilityDocs.cfm
NSA Master Reference Catalog: http://secure.ia.nsa.smil.mil/iaservices/cawg/mrc/index.cfm
NSA Media Destruction Guidance (including the Evaluated Products List (EPL)): http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml
Operational Security Doctrine (OSD) for CCI equipment: www.iad.nsa.smil.mil – IA Library – Doctrine

Annex G
EMERGENCY ACTION AND EMERGENCY DESTRUCTION OF COMSEC MATERIAL
1. Purpose. This Annex prescribes policy and procedures for planning for, protecting, and destroying COMSEC material during emergency conditions.
The KOAM is responsible for the COMSEC portion of the Command Emergency Action Plan.
2. Emergency Protection Planning.
a. Every command that holds classified COMSEC or CCI material must prepare and maintain a current, written emergency plan for safeguarding such material in the event of an emergency.
b. For commands located within the U.S. and its territories, planning must consider natural disasters (e.g., fire, flood, tornado, and earthquake) and hostile actions (terrorist attack, rioting, or civil uprising).
c. For commands located outside the U.S. and its territories, and for deployable commands, planning must include both an Emergency Action Plan (EAP) for natural disasters and Emergency Destruction Procedures (EDP) for hostile action.
d. All activities located within the U.S. and its territories that hold classified COMSEC or CCI material will maintain an up-to-date, written Emergency Action Plan for the protection of COMSEC material appropriate to the natural disasters likely to occur in their region of the country (e.g., hurricanes in the South, tornados and floods in the Midwest, wildfires in the West).
e. All activities located within the U.S. and its territories will have conducted an initial written risk assessment and must maintain an up-to-date copy of the risk determination document that assesses the potential for hostile actions against their facilities (such as terrorist attack, rioting, or civil uprising). Based on the sensitivity of the operations or the facility, the cognizant security official will either certify that the review has determined no need for the Emergency Plan to consider hostile actions or, if it is determined that a potential risk exists, develop EDPs for inclusion in the Emergency Plan.
f.
The head of any department or agency may, at their discretion, direct any facility to create an Emergency Plan that considers hostile action, regardless of local risk. Government Contracting Officers may also direct that the Emergency Plan for contractor facilities consider hostile action.
g. Planning for hostile actions must concentrate on the procedures necessary to safely evacuate or securely destroy the COMSEC material, including providing the proper type and a sufficient number of destruction devices to carry out emergency destruction. Planning for hostile action shall also include the necessary training for all individuals who might perform emergency destruction. By contrast, planning for natural disasters should be directed toward maintaining security control over the material until the situation stabilizes, taking into account the possible loss of normal physical security protection during and after a natural disaster. The operating routines for COMSEC facilities should be structured so as to minimize the number and complexity of actions that must be taken during emergencies to protect COMSEC material. For example:
(1) Only the minimum amount of COMSEC material should be held at any one time; i.e., routine destruction should be conducted frequently and excess COMSEC material disposed of in accordance with department or agency directives. COMSEC requirements should be reviewed at least annually to validate the need for material on hand.
(2) COMSEC material should be stored and inventoried in ways that will facilitate emergency evacuation or destruction.
Emergency protection of classified COMSEC and CCI material applies to U.S. Government contractor facilities, other U.S. non-governmental entities that produce or hold COMSEC material, and any other facilities that are designed to provide a backup COMSEC capability (whether U.S. Government or contractor owned).
h.
Planning for acts of terrorism is much more difficult, but must concentrate on maintaining security control over the material, evacuating the material, and/or securely destroying it.
i. These plans will be incorporated into the overall Emergency Action Plan (EAP)/Emergency Destruction Plan (EDP) of the command.
j. All Emergency Plans will be reviewed annually and updated as necessary, or whenever changes in the local environment dictate an update to the plan.
k. Efficient planning and training that involves every individual who uses COMSEC material increases the probability of preventing its loss or compromise during an emergency.
l. The command EAP/EDP, if not specific to LE operations, must be modified or annexed to include the specific actions to be taken by LEs.
m. Any detachment that operates independently of its parent command (e.g., aircraft and communications/special purpose vans) should have its own EAP/EDP tailored specifically for those periods of independent operation. In all cases, such detachments should also be included in the parent command's EAP/EDP.
3. Guidelines for Minimizing Actions.
a. Hold only the minimum amount of COMSEC material at any time (i.e., conduct routine destruction frequently and dispose of excess COMSEC material as directed by appropriate authorities).
b. Store COMSEC material to facilitate emergency removal or destruction (e.g., separate COMSEC material from other classified material, and segregate COMSEC keying material by status, type and classification). NATO material may be stored with other COMSEC material of the same classification.
c. Should an emergency situation develop, initiate precautionary destruction or evacuation of all material not immediately needed for continued operational effectiveness. After destroying material, notify appropriate authorities so they may begin re-supply planning.
4. Preparedness Planning for Disasters.
Planning for disasters must provide for:
a. Fire reporting and initial firefighting by assigned personnel.
b. Assignment of on-the-scene responsibility for ensuring protection of the COMSEC material held.
c. Securing or removing classified COMSEC material and evacuating the area(s).
d. Protection of material when admission of outside emergency personnel into the secure area(s) is necessary.
e. Assessment and reporting of probable exposure of classified COMSEC material to unauthorized persons during the emergency.
f. Post-emergency inventory of classified COMSEC and CCI material and reporting of any losses or unauthorized exposure to appropriate authorities.
5. Preparedness Planning for Hostile Actions. Planning for hostile actions must take into account the possible types of situations that may occur (e.g., an ordered withdrawal over a specified period of time, a hostile environment in which destruction must be carried out discreetly to avoid triggering hostile actions, or a fully hostile, imminent-overrun situation). Ensure that the plan provides for the following:
a. Assessing the threat of occurrence of the various types of hostile emergencies at the particular activity, and the threat that these potential emergencies pose to the COMSEC material held.
b. The availability and adequacy of physical security protection capabilities (e.g., perimeter controls, guard forces, and physical defenses) at the individual buildings and other locations where COMSEC material is held.
c. Facilities for effecting emergency evacuation of COMSEC material under emergency conditions, including an assessment of the probable risks associated with evacuation. Except under extraordinary conditions (e.g., an urgent need to restore secure communications after relocation), COMSEC keying material should be destroyed rather than evacuated.
d.
Facilities and procedures for effecting secure emergency destruction of COMSEC material, which must address:
(1) An adequate number of destruction devices.
(2) Availability of electrical power.
(3) Secure storage facilities nearby.
(4) Adequately protected destruction areas.
(5) Personnel assignments.
(6) Clear delineation of responsibilities for implementing emergency destruction.
e. Precautionary destruction of COMSEC material, particularly maintenance manuals (KAMs) and keying material not operationally required to ensure continuity of operations during the emergency.
(1) In a deteriorating situation, all "full" maintenance manuals (i.e., those containing cryptographic logic information) that are not absolutely essential for continued mission accomplishment must be destroyed.
(2) When there is insufficient time under emergency conditions to completely destroy such manuals, every reasonable effort must be made to remove and destroy their sensitive pages (i.e., those containing cryptographic logic/classified schematics).
NOTES:
1. Sensitive pages in U.S.-produced KAMs are listed on fold-out Lists of Effective Pages at the rear of the other textual portions.
2. Some KAMs further identify their sensitive pages by means of gray or black diagonal or rectangular markings at the upper portion of the binding edge.
f. To prepare for possible emergency destruction of sensitive pages from KAMs in areas or situations where capture by hostile forces is possible, comply with the following guidance:
(1) Apply distinctive markings (e.g., red stripes) to the binder edge and covers of all KAMs containing identified sensitive pages.
(2) Remove the screw posts or binder rings, or open the multi-ring binder, whichever is applicable.
(3) Remove each sensitive page from the KAM and cut off the upper left-hand corner of the page so that the first binder hole is removed.
Care must be taken not to delete any text or diagram.
g. Should it become necessary to implement emergency destruction, the sensitive KAM pages may be removed as follows:
(1) Remove the screw posts or binder rings, or open the multi-ring binder, and remove all pages from the KAM.
(2) Insert a thin metal rod (e.g., wire or screwdriver) through the remaining top left-hand hole of the document.
(3) Grasp the rod in both hands and shake the document vigorously; the sensitive pages, which no longer have that hole, should fall out freely.
h. Establishment of emergency communications procedures.
(1) External communications during emergency situations should be limited to contact with a single remote point.
(2) This point will act as a distribution center for outgoing message traffic and a filter for incoming queries and guidance.
(3) When there is warning of hostile intent and physical security protection is inadequate to prevent overrun of the facility, secure communications should be discontinued in time to allow for thorough destruction of all classified COMSEC and CCI material, including classified and CCI elements of COMSEC equipment.
6. Preparing the Emergency Plan:
a. The person who is most aware of the extent and significance of the COMSEC material on hand should prepare the emergency plan.
b. The Commanding Officer or other responsible official must be aware of and approve the emergency plan.
c. If the plan calls for destroying COMSEC material, all destruction material, devices, and facilities must be readily available and in good working order.
d. The plan must be realistic, workable, and accomplish the goals for which it is prepared. Factors that will contribute to this are:
(1) All duties under the plan must be clearly and concisely described.
(2) All authorized personnel at the command should be aware of the existence of the plan.
(a) Each individual assigned duties under the plan must receive detailed instructions on how to carry out those duties when the plan is implemented.
(b) All personnel should be familiar with all duties so that changes in assignment may be made if necessary. This may be accomplished by periodically rotating the emergency duties of all personnel.
(3) Training exercises will be conducted at least annually, or more frequently, to ensure that everyone, especially newly assigned personnel, will be able to carry out their duties. If necessary, the plan should be modified based on the training exercise results.
(4) The three options available in an emergency are securing the material, removing it from the scene of the emergency, or destroying it. Planners must consider which of these options may be applicable to their command.
(5) For example, if it appears that a civil uprising will be short-lived and the COMSEC facility is to be only temporarily abandoned, the actions to take could be:
(a) Ensure that all superseded keying material has been destroyed.
(b) Gather up the current and future keying material and take it along.
(c) Remove classified and CCI elements from crypto-equipment and lock them, along with other classified COMSEC material, in approved storage containers.
(d) Secure the facility door(s), and leave.
(e) Upon return, conduct a complete inventory.
NOTE: If it appears that the facility is likely to be overrun, the emergency destruction plan should be put into effect.
7. Emergency Destruction Planning: Three categories of COMSEC material may require destruction in hostile emergencies: COMSEC keying material, COMSEC-related material (e.g., maintenance manuals, operating instructions, and general doctrinal publications), and equipment.
a.
Precautionary Destruction (Priority List A): When precautionary destruction is necessary, destroy keying material and non-essential manuals in accordance with this Annex and the EAP/EDP.
b. Complete Destruction (Priority List B): When sufficient personnel and facilities are available, assign different persons to destroy the material in each category by means of separate destruction facilities, and follow the priorities listed herein as incorporated into your EAP/EDP.
c. Complete Destruction (Priority List C): When personnel and/or destruction facilities are limited, combine the three categories and destroy the material following the priorities listed in Priority List C.
8. Emergency Destruction Priorities:
a. Precautionary Destruction Priority List A:
(1) Superseded keying material and secondary variables:
(a) TOP SECRET primary keying material.
(b) SECRET, CONFIDENTIAL, and UNCLASSIFIED primary keying material.
(2) Future (reserve on board) keying material for use one or two months in the future.
(3) Non-essential classified manuals:
(a) Maintenance manuals.
(b) Operating manuals.
(c) Administrative manuals.
b. Complete Destruction Priority List B: When sufficient personnel and facilities are available, destroy COMSEC material in the following order:
(1) Keying Material:
(a) All superseded keying material designated CRYPTO, except tactical operations codes and authentication codes classified below SECRET.
(b) Currently effective keying material designated CRYPTO, including key stored electrically in crypto-equipment and FDs (see subparagraph (c) below regarding STE or KSV-21 material), except unused two-holder keying material and unused one-time pads.
(c) Zeroize all STE keying material held by the account in the following order:
1. Operational keying material: TOP SECRET, SECRET, CONFIDENTIAL, UNCLASSIFIED.
2. Seed keying material: TOP SECRET, SECRET, CONFIDENTIAL, UNCLASSIFIED.
(d) TOP SECRET multi-holder (i.e., more than two holders) keying material marked CRYPTO that will become effective within the next 30 days.
(e) Superseded tactical operations codes classified below SECRET.
(f) SECRET and CONFIDENTIAL multi-holder keying material marked CRYPTO that will become effective within the next 30 days.
(g) All remaining classified keying material, authentication systems, maintenance keying material, and unused one-time pads.
(2) COMSEC Aids:
(a) Complete COMSEC equipment maintenance manuals or their sensitive pages. When there is insufficient time to completely destroy these manuals, every reasonable effort must be made to destroy their sensitive pages.
(b) National, department, agency, and service general doctrinal guidance publications.
(c) Status documents showing the effective dates of COMSEC keying material.
(d) Keying material holder lists and directories.
(e) Remaining classified pages of maintenance manuals.
(f) Classified cryptographic and non-cryptographic operational general publications (e.g., AMSGs, NAGs and SDIPs).
(g) Cryptographic Operating Instructions (KAOs).
(h) Remaining classified COMSEC documents.
(3) Equipment: Make a reasonable effort to evacuate equipment, but the immediate goal is to render it unusable and unrepairable. Although it is desirable to destroy jeopardized crypto-equipment so thoroughly that logic reconstruction is impossible, this cannot be guaranteed in most field environments.
(a) Zeroize the equipment if the keying element cannot be physically withdrawn.
(b) Remove and destroy readily removable classified elements (e.g., printed-circuit boards).
(c) Destroy remaining classified elements.
NOTE: Unclassified chassis and unclassified elements need not be destroyed.
(d) Zeroize all loaded STEs held by the account in the following order, based on the level of keying material loaded into the terminal: TOP SECRET, SECRET, CONFIDENTIAL, UNCLASSIFIED. If a lack of power prevents keying material stored in equipment from being zeroized, ensure that all keying material and CIKs are physically removed from the area. In extreme emergencies, an attempt to physically destroy fill devices and CIKs is permitted; they may be burned or broken up as much as possible to prevent unauthorized use. Note that the effectiveness of these methods has not been documented.
c. Complete Destruction Priority List C: Where personnel and/or facilities are limited, follow the destruction priority list below:
(1) All superseded and currently effective keying material marked CRYPTO (including key stored electrically in crypto-equipment and fill devices), except tactical operations codes and authentication systems classified below SECRET, unused two-holder keying material, and unused one-time pads.
(2) Superseded tactical operations codes classified below SECRET.
(3) Complete COMSEC equipment maintenance manuals or their sensitive pages.
(4) Classified general COMSEC doctrinal guidance publications.
(5) Classified elements of COMSEC equipment.
(6) Remaining COMSEC equipment maintenance manuals and classified operating instructions.
(7) Remaining classified COMSEC material.
(8) Future editions of multi-holder (i.e., more than two holders) keying material and current but unused copies of two-holder keying material.
9. Conducting Emergency Destruction: Any of the methods approved for routine destruction of classified COMSEC material may be used for emergency destruction.
a. Printed Matter:
(1) Destroy keying material and other classified COMSEC publications beyond reconstruction.
(2) Destroy all "full" maintenance manuals (i.e., those containing cryptographic logic information/classified schematics). When time does not permit, every reasonable effort must be made to remove and destroy their sensitive pages in accordance with paragraph 5.e.
b. Classified Crypto-Equipment:
(1) Render classified crypto-equipment inoperable (i.e., beyond reuse).
(2) If time permits, destroy the cryptographic logic of the equipment beyond reconstruction by removing and destroying the classified portions of the equipment, which include certain printed circuit boards, multi-layer boards and keyed permuting devices.
(3) If these classified elements are destroyed, it is not necessary to destroy the remainder of the equipment.
c. Emergency Destruction in Aircraft: When time or facility limitations preclude complete destruction of COMSEC material aboard aircraft, make all reasonable efforts to prevent the material from falling into unauthorized hands.
(1) When the aircraft is operating over water and an emergency or forced landing is imminent, zeroize the COMSEC equipment, shred or tear up the keying material, and disperse it. If feasible, remove the classified elements from the equipment and smash and disperse them.
(2) If an aircraft is in danger of making an emergency landing in friendly territory, zeroize the equipment and keep all the COMSEC material in the aircraft.
(3) If the aircraft is being forced or shot down over hostile territory, zeroize the equipment, then shred or tear up and disperse the keying material, and make all reasonable efforts to remove, smash, and disperse the classified equipment components.
d. Emergency Destruction Aboard Ship:
(1) If the ship is in imminent danger of sinking in a U.S.-controlled area, zeroize the equipment, destroy all COMSEC material as completely as possible in the time available, lock it in security containers and permit it to sink with the ship.
(2) If the ship is in imminent danger of capture, or of sinking in an area where foreign elements would have salvage opportunities, destroy all COMSEC equipment and all keying material.
(a) Destroy all COMSEC equipment as completely as time permits, and jettison the undestroyed or partially destroyed COMSEC material overboard.
(b) Place paper items and other material that could float in weighted canvas bags before jettisoning.
e. Emergency Destruction in Mobile Communication Vehicles: When time or facility limitations preclude complete destruction of COMSEC material located in the vehicle, make all reasonable efforts to prevent the material from falling into unauthorized hands.
10. Reporting Emergency Destruction:
a. Accurate information on the extent of an emergency is absolutely essential to the effective evaluation of the COMSEC impact of the occurrence, and is second in importance only to the completeness of the destruction.
b. The Commanding Officer/OIC or official responsible for safeguarding COMSEC material that has been subjected to emergency destruction is responsible for reporting the attendant facts to the appropriate seniors in the chain of command by the most expeditious means available.
(1) Reporting Instructions: The senior official shall report the facts surrounding the destruction to CNO//N614//, NCMS//N5//, DIRNSA//I3// and the unit's operational and administrative command echelons as soon as possible; if feasible, use a secure means of reporting.
(2) Required Information: Identify in the report the material destroyed, the method and extent of destruction, and any classified COMSEC material items presumed compromised (e.g., items either not destroyed or not completely destroyed).
NOTE: Follow the reporting procedures for COMSEC Incidents as outlined in Chapter 8. Ensure the EAP/EDP includes guidance for providing the required information.

Annex H
SAMPLE WAIVER REQUEST MESSAGE FOR KOAM OR ALTERNATE APPOINTMENTS

From: Unit PLA
To: NCMS Washington DC
Info: TYCOM
ISIC
Servicing COR Audit Team PLA
BT
CLASSIFICATION (DETERMINED BY ORIGINATOR, BASED ON CONTENT. IF CLASSIFIED, ENSURE COMPLIANCE WITH SECNAV M5510.36 REGARDING SUBJECT AND PARAGRAPH MARKINGS AND DECLASSIFICATION MARKINGS)
MSGID/GENADMIN/UNIT NAME/-/MONTH//
SUBJ/WAIVER REQUEST//
REF/A/DOC/NCMS WASH DC/XXXXXXXX (MO/DD/YEAR OF THIS MANUAL)
AMPN/REF A IS EKMS-1E SUPP-1//
POC/IAM UNDERWAY/GRADE/UNIT NAME/TEL:XXX-XX-XXXX/EMAIL: IAM.UNDERWAY(AT)NAVY.MIL (OR .SMIL.MIL, AS APPLICABLE)
RMKS/1. IAW REF A, THE FOLLOWING IS SUBMITTED:
A. IAW ARTICLES 409 AND 601 OF REF A, A WAIVER IS REQUESTED FOR THE FOLLOWING APPOINTMENT (KOAM OR ALTERNATE): XXXXXXXXXX
B. REASON FOR THE WAIVER: XXXXXXXXXX
C. FULL NAME, GRADE AND PROJECTED ROTATION DATE (PRD) OF THE INDIVIDUAL TO WHOM THE WAIVER PERTAINS (OMIT PRD FOR CIVILIAN EMPLOYEES): XXXXXXXXXXX
D. SECURITY CLEARANCE DATA: INCLUDE THE MEMBER'S CLEARANCE, THE TYPE AND DATE OF THE MOST RECENT SECURITY INVESTIGATION, AND THE GRANTING AGENCY: XXXXXXXXXXX
E. DURATION FOR WHICH THE WAIVER IS REQUESTED: XXXXXXXXXXX

The notes below are for informational purposes; do not include them in the message.
NOTES:
(1) IF RELATED TO THE INABILITY TO COMPLETE FORMAL TRAINING REQUIREMENTS PRIOR TO APPOINTMENT, THE WAIVER WILL BE LIMITED BY NCMS TO A MAXIMUM OF 90 DAYS FOR A KOAM OR 180 DAYS FOR AN ALTERNATE. ALL OTHER WAIVERS, SUCH AS GRADE WAIVERS, ARE LIMITED TO A MAXIMUM OF ONE YEAR AND ARE NOT AUTO-RENEWED.
(2) APPROVED WAIVERS MUST BE ON FILE WITH THE ACCOUNT AND ARE SUBJECT TO REVIEW DURING VISITS OR AUDITS. IF IT'S NOT ON FILE AND VERIFIABLE, IT DOESN'T EXIST.
(3) WAIVERS WILL NOT BE GRANTED TO PERSONNEL WITH EXPIRED BACKGROUND INVESTIGATIONS.

Annex I
STATEMENT OF ACCEPTANCE OF RESPONSIBILITIES
KEY MANAGEMENT INFRASTRUCTURE (KMI) MANAGEMENT CLIENT (MGC), CLIENT HOST ONLY (CHO) OR DELIVERY ONLY CLIENT (DOC) INFORMATION SYSTEM PRIVILEGED ACCESS AGREEMENT AND ACKNOWLEDGMENT OF RESPONSIBILITIES
Date: __________
1. I understand that there are two DoD Information Systems (IS), classified (SIPRNET) and unclassified (NIPRNET), and that I have the necessary clearance for privileged access to the KMI Management Client (MGC) for Key Management Operating Account (KOA) #________. I will not introduce or process data or software on the IS that I have not been specifically authorized to handle.
2. I understand the need to protect all passwords and other authenticators at the highest level of the data they secure. I will not share any password(s), account(s), or other authenticators with coworkers or other personnel not authorized to access the KMI MGC. As a privileged user, I understand the need to protect the root password and/or authenticators at the highest level of the data they secure. I will NOT share the root password and/or authenticators with coworkers who are not authorized KMI MGC users.
3. I understand that I am responsible for all actions taken under my account(s), root or otherwise. I will not attempt to "hack" the network or any connected information systems, or gain access to data to which I do not have authorized access.
4.
I understand my responsibility to appropriately protect and label all output generated under my account (including printed materials, magnetic tapes, floppy disks, and downloaded hard disk files). 5. I will immediately report any indication of computer network intrusion, unexplained degradation or interruption of network services, or the actual or possible compromise of data or file access controls to the appropriate KMI MGC Information Assurance Management (IAM) or senior Information Assurance Technical (IAT) Level representatives. I will NOT install, modify, or remove any hardware or software (i.e. e.g., freeware/shareware and security tools) without written UNCLASSIFIED//FOR OFFICIAL USE ONLY I-1 UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1 permission and approval from the KMI MGC Information Assurance Manager (IAM) or senior IAT Level representatives. 6. I will not install any unauthorized software (e.g., games, entertainment software) or hardware (e.g., sniffers). 7. I will not add/remove any users’ names to the Domain Administrators, Local Administrator, or Power Users group without the prior approval and direction of the KMI MGC IAM/or senior IAT Level representatives. 8. I will not introduce any unauthorized code, Trojan horse programs, malicious code, or viruses into the KMI MGC local area networks. 9. I understand that I am prohibited from the following while using the DoD IS: a. Introducing Classified and/or Controlled Unclassified Information (CUI) into a NIPRNET environment. b. Accessing, storing, processing, displaying, distributing, transmitting, or viewing material that is abusive, harassing, defamatory, vulgar, pornographic, profane, or racist; that promotes hate crimes, or is subversive or objectionable by nature, including material encouraging criminal activity, or violation of local, state, federal, national, or international law. c. 
Storing, accessing, processing, or distributing Classified, Proprietary, CUI, For Official Use Only (FOUO), or Privacy Act protected information in violation of established security and information release policies. d. Obtaining, installing, copying, pasting, transferring, or using software or other materials obtained in violation of the appropriate vendor’s patent, copyright, trade secret, or license agreement. e. Knowingly writing, coding, compiling, storing, transmitting, or transferring malicious software code, to include viruses, logic bombs, worms, and macro viruses. f. Engaging in prohibited political activity. g. Using the system for personal financial gain such as UNCLASSIFIED//FOR OFFICIAL USE ONLY I-2 UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1 advertising or solicitation of services or sale of personal property (e.g., eBay), or stock trading (i.e., issuing buy, hold, and/or sell directions to an online broker). h. Fundraising activities, either for profit or non-profit, unless the activity is specifically approved by the organization (e.g., organization social event fund raisers and charitable fund raisers, without approval). i. Gambling, wagering, or placing of any bets. j. Writing, forwarding, or participating in chain letters. k. Posting personal home pages. l. Any other actions prohibited by DoD 5500.7-R (Reference (y)) or any other DoD issuances. 10. Personal encryption of electronic communications is strictly prohibited and can result in the immediate termination of access. 11. I understand that if I am in doubt as to any of my roles or responsibilities I will contact the KMI MGC IAT Level III Supervisor for clarification. 12. I understand that all information processed on the KMI MGC is subject to monitoring. This includes email and browsing the web. 13. I will not allow any user who is not cleared access to the network or any other connected system without prior approval or specific guidance from the KMI MGC IAM. 14. 
I will use the special access or privileges granted to me ONLY to perform authorized tasks or mission related functions. 15. I will not use any <DOD/Components> owned information system to violate software copyright by making illegal copies of software. 16. I will ONLY use my PRIVILEGED USER account for official administrative actions. This account will NOT be used for day to day network communications. 17. I understand that failure to comply with the above UNCLASSIFIED//FOR OFFICIAL USE ONLY I-3 UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1 requirements will be reported and may result in the following actions: a. Revocation of IS privileged access. b. Counseling. c. Adverse actions pursuant to the Uniform Code of Military Justice and/or criminal prosecution. d. Disciplinary action, discharge or loss of employment. e. Revocation of Security Clearance. 18. I will obtain and maintain required certification(s), according to DoD 8570.01-M and the certification provider, to retain privileged system access. Your IAT Level III Supervisor is _______________________ Information System Name _______________________ IAT/IASAE/CND’s Name _______________________ IAT/IASAE/CND’s Signature _______________________ Date _______________________ IAM Manager Level I Name _______________________ IAM Manager Level I Signature _______________________ Date _______________________ (Level I or II Managers with privileged access will have signatures of the IAM Level II or III responsible for their IS functions). UNCLASSIFIED//FOR OFFICIAL USE ONLY I-4