Uploaded by Chris Young

EKMS-1E-SUPP-1 Final Version 08May2017

advertisement
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
NAVAL COMMUNICATIONS SECURITY MATERIAL SYSTEM
1560 Colorado Avenue
Andrews AFB, MD 20762-6108
EKMS-1E SUPP-1
Department of the Navy Policy and
Procedures for Key Management
Infrastructure Operating Accounts
(KOAs)
08 May 2017
UNCLASSIFIED//FOR OFFICIAL USE ONLY
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
2250
Ser N5/
08 May 2017
LETTER OF PROMULGATION
1. PURPOSE. EKMS-1E Supp-1 prescribes the minimum policies for
issuing, accounting, handling, safeguarding, destroying and
disposing of COMSEC (Communications Security) material.
2. BACKGROUND.
In the Key Management Infrastructure System
(KMI), COMSEC Accounts will use a KMI Client Node/ Advanced Key
Processor (MGC/AKP) to automate the generation, accounting,
distribution, destruction, and management of COMSEC material.
As key management continues to evolve, policies and procedures
will be developed to provide the necessary guidance to ensure
the timely support to a global community which will enhance
security, minimize costs and further enhance the secure
communications capability of forward deployed elements.
3. APPLICABILITY.
a. EKMS-1E Supp-1 applies to Department of the Navy
activities including U.S. Coast Guard (USCG), Military Sealift
Command (MSC), U.S. Marine Corps (USMC), and U.S. Navy (USN)
COMSEC Accounts which have transitioned to the Key Management
Infrastructure (KMI). These provisions apply to all who require
access to or the use of COMSEC material within KMI. All such
personnel must be aware that non-compliance or deviation from
the prescribed procedures can jeopardize the security of the
United States and could result in prosecution of the parties
concerned under the espionage laws, Title 18. U.S.C., Sections
793, 794, and 798.
b. Commands whose holdings include Two-Person Controlled
(TPC) Sealed Authentication System (SAS) keying material must
maintain and consult CJCSI 3260.01(series) for guidance related
to handling and disposing of SAS/TPC material. Messages
promulgated from the Controlling Authority (ConAuth), and not
the Status of COMSEC Material (SCMR), is the authoritative
source for status information related to SAS/TPC.
4. SCOPE. The policies in this manual have been derived from
OPNAV, SECNAV, National-level policies and applicable
Operational Security Doctrine (OSD) for KMI-related components.
The guidance herein supplements, but in no way alters or amends
the provisions of U.S. Navy regulations, SECNAV M5510.30
UNCLASSIFIED//FOR OFFICIAL USE ONLY
01 of 02
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
(series), SECNAV M5510.36 (series), and ICD 705(Series).
5. ACTION. EKMS-1E Supp-1 dated 08 May 2017 is effective upon
receipt and supersedes EKMS-1B Supp-1A dated 06 Feb 2015.
6. REPRODUCTION. EKMS-1E Supp-1 is UNCLASSIFIED FOR OFFICIAL
USE ONLY (FOUO) and may be reproduced for local use.
7. Should a conflict exist or a more stringent requirement be
communicated in a revision to an Operational Security Doctrine
for COMSEC equipment addressed herein, the respective doctrine
for the equipment will have precedent over this manual.
8. COMMENTS. Submit comments, recommendations, and suggestions
for changes to Naval Communications Security Material System
(NCMS) via the respective Immediate Superior in Command (ISIC)
and Type Commander (TYCOM).
Digitally signed by
LECOUNTE.JAME LECOUNTE.JAMES.A.106246142
6
S.A.1062461426 Date: 2017.05.16 16:27:07
-04'00'
J. A. LeCOUNTE
UNCLASSIFIED//FOR OFFICIAL USE ONLY
02 of 02
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
LIST OF EFFECTIVE PAGES
Front Cover
Letter of Promulgation
List of Effective Pages
Record of Amendments
Record of Page Checks
Manual Overview
Table of Contents
Chapter 1
Chapter 2
Chapter 3
Chapter 4
Chapter 5
Chapter 6
Chapter 7
Chapter 8
Chapter 9
Chapter 10
Annex A
Annex B
Annex C
Annex D
Annex E
Annex F
Annex G
Annex H
Annex I
PAGE NUMBERS
EFFECTIVE
(Unnumbered)
01 - 02
i
ii
iii
iv
v – xii
1-1 – 1-10
2-1 – 2-33
3-1 – 3-18
4-1 – 4-20
5-1 – 5-12
6-1 – 6-7
7-1 – 7-27
8-1 – 8-16
9-1 – 9-6
10-1 – 10-7
A-1 – A-3
B-1 – B-8
C-1
D-1
E-1 – E-4
F-1 - F-2
G-1 – G-13
H-1 – H-2
I-1 – I-4
Original
Original
Original
Original
Original
Original
Original
Original
Original
Original
Original
Original
Original
Original
Original
Original
Original
Original
Original
Original
Original
Original
Original
Original
Original
Original
UNCLASSIFIED//FOR OFFICIAL USE ONLY
i
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
RECORD OF AMENDMENTS
AMEND NUMBER/
IDENTIFICATION
DATE ENTERED
(YYMMDD)
ENTERED BY (Signature,
Rank/Rate, Command Title)
UNCLASSIFIED//FOR OFFICIAL USE ONLY
ii
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
RECORD OF PAGE CHECKS
DATE
CHECKED
05/15/2017
CHECKED BY (SIGNATURE,
RANK/RATE, COMMAND TITLE)
PHILLIPS.MILLARD.J.III.1114056 Digitally signed by
PHILLIPS.MILLARD.J.III.1114056975
975
M. J. PHILLIPS, CIV,
NCMS,08:08:52
GG-13
Date: 2017.05.16
-04'00'
UNCLASSIFIED//FOR OFFICIAL USE ONLY
iii
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
KMI POLICY & PROCEDURES MANUAL (OVERVIEW)
Chapter 1
Chapter 2
-
Chapter 3
-
Chapter 4
-
Chapter 5
-
Chapter
Chapter
Chapter
Chapter
Chapter
-
6
7
8
9
10
Key Management Infrastructure (KMI)
Management Client (MGC) System Overview, Security
Requirements and Equipment Matters
Privilege Management: Roles, Exclusions,
Registration and Enrollment
Account Establishment and Personnel Designation
Requirements
Duties and Responsibilities of Key Management
Operating Account (KOA) Management Personnel
Education, Training and Audits
Accounting and Accounting Functions
COMSEC incidents
Practices Dangerous to Security (PDSs)
Electronic Storage Devices
ANNEXES
A
B
C
D
E
F
G
H
I
Abbreviations and Acronyms
Definitions
COMSEC Library
KMI related forms Quick Reference
Conducting and Verification of Page Checks and
Modifications
Helpful Uniform Resource Locators (URLs)
Emergency Action and Emergency Destruction of
COMSEC Material
Sample Waiver Request for KOAM or Alternate
Appointment
Sample Statement of Responsibilities Information
System Privileged Access Agreement and
Acknowledgement of Responsibilities (Required for
CPAs and CPSOs)
UNCLASSIFIED//FOR OFFICIAL USE ONLY
iv
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
TABLE OF CONTENTS
CHAPTER 1 - KEY MANAGEMENT INFRASTRUCTURE (KMI)
101.
INTRODUCTION TO THE KEY MANAGEMENT INFRASTRUCTURE (KMI)
103.
KEY MANAGEMENT INFRASTRUCTURE (KMI) ROLES AND SERVICES
a.
b.
c.
d.
e.
f.
g.
h.
i.
j.
k.
l.
m.
n.
o.
p.
q.
r.
s.
105.
NATIONAL SECURITY AGENCY (NSA)
a.
b.
107.
Central Services Node (CSN)
Client Platform Administrator (CPA)
Client Platform Security Officer (CPSO)
Command Authority (CMD Auth)
Controlling Authority (CA or CONAUTH)
Device Local Type 1 Registration Authority (DLT1RA)
Device Registration Manager (DRM)
Eligibility Authority (EA)
Eligibility Authority (EA) Proxy
Enrollment Manager (EM)
HP Service Manager (HPSM)
KMI Operating Account Manager (KOAM)
KMI Operating Account Registration Manager (KOARM)
Personnel Local Type 1 Registration Authority (PLT1RA)
Personnel Registration Manager (PRM)
Primary Services Node (PRSN)
Product Source Node (PSN)
Product Requestor (PR)
Type 1 Token Security Officer (TSO)
United States National Distribution Authority
Central Facility (CF)
DEPARTMENT OF THE NAVY (DON) ORGANIZATION AND TERMS
a.
b.
c.
d.
e.
f.
g.
h.
i.
j.
Chief of Naval Operations (CNO)
Headquarters Marine Corps (HQMC C4 CY)
Commander, Coast Guard C4IT Service Center (COGARD
C4ITSC-BOD-IAB)
Commanding Officer
COMSEC Material Issuing Office (CMIO)
Firefly Credentials Manager
Firefly Point of Contact
Immediate Superior in Command (ISIC)
Key Management Entities (KMEs)
KMI Operating Account (KOA)
UNCLASSIFIED//FOR OFFICIAL USE ONLY
v
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
k.
l.
m.
n.
o.
p.
q.
r.
s.
t.
KOA Agent (KOAA)
COMSEC Clerk
KMI Operating Account Manager (KOAM)
KOAM (Alternate)
COMSEC Witness
Local Element (LE), LE Issuing, and LE In-Transit
Naval Communications Security Material System (NCMS)
Service Authority (SERVAUTH)
Staff CMS Responsibility Officer (SCMSRO)
Legacy Catalog Manager (LCM)
CHAPTER 2 – MANAGEMENT CLIENT (MGC) SYSTEM OVERVIEW, SECURITY
REQUIREMENTS (INCLUDES STORAGE AND SHIPMENT OF COMSEC MATERIAL)
201.
General
a.
b.
c.
d.
e.
Client Host/Management Client (MGC)
Client Host Only (CHO)
Delivery Only Client (DOC)
Advanced Key Processor (AKP)
AKP and REINIT Drive Visual Inspection Log (Figure 21)
Type-1 Token (KOV-29)
203.
Security Controls
205.
KMI Related Certificates
207.
MGC/AKP Required Cryptographic Ignition Keys (CIKS) and
Keying Material
a.
b.
c.
d.
e.
f.
g.
h.
209.
Operational (AKP) CIKS
Firefly (FF) Vector Set
FF Credentials
Message Signature Key (MSK)
Benign Fill (BF) Firefly
KG Rules
Site Re-initialization
AKP Recertification Label
Security and Accountability of KMI-related Devices
a.
b.
c.
Classification of KMI Related Devices
AKPREINIT 1 and AKPREINIT 2 Flash Drives
Location of the MGC/AKP
UNCLASSIFIED//FOR OFFICIAL USE ONLY
vi
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
211.
Field Recovery of an AKP
213.
Classification and Accountability of KMI-Related
Components
215.
PINS/Passwords
217.
Packaging, Shipping and Transportation of COMSEC
Material and Equipment
Shipping – Quick Reference Matrix (Figure 2-2)
219.
Software Upgrades
221.
Equipment Failures
223.
Security and Storage of COMSEC Material
a.
b.
c.
d.
e.
COMSEC Facilities
Security Containers
Residential Storage
Segregation of Material
Two Person Integrity (TPI)
CHAPTER 3 – PRIVILEGE MANAGEMENT: ROLES, EXCLUSIONS,
REGISTRATION AND ENROLLMENT
301.
Separation of Duties
303.
Role Exclusions
305.
KMI Role Exclusion Listing
307.
KOA Registration (Overview)
309.
KMI Operating Account (KOA) Registration Data
311.
Human User (Personnel) Registration
313.
KMI Personnel Registration Form, KMI Form 001
315.
Enrollment Process – KMI Personnel Enrollment Form, KMI
Form 002
317.
Roles Supporting KOA Registration
319.
Account Registration - COMSEC Account Data for KMI
UNCLASSIFIED//FOR OFFICIAL USE ONLY
vii
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
Registration, KMI Form 003
321.
Human (Person) User Activation
323.
Device Registration Process
325.
Device User Initialization
327.
Device Endorsement
329.
Device Activation
331.
KMI Role Management
333.
Access Control Managers
335.
User Support Manager
337.
Type 1 Token Security Officer – (TSO or SO)
339.
KOA Agent (KOAA) – A non-management Role
341.
Disenrollment
343.
Enrollment Reverification
345.
Human User Reverification
CHAPTER 4 – ACCOUNT ESTABLISHMENT AND PERSONNEL DESIGNATION
REQUIREMENTS
401.
Requirement for a KMI Account
403.
Establishing a KMI Operating Account (KOA)
KOA Account Establishment Message Routing (Figure 4-1)
Asymmetric (Modern) Key Validation Process (Figure 4-2)
Sample KOA Establishment Request (Figure 4-3)
405.
Selection of KMI Personnel
407.
Manpower Requirements for KMI Operating Account (KOA)
a.
b.
Account Composition
Grade Requirements for KOAMs, Alternates, LE Issuing
and Clerks
UNCLASSIFIED//FOR OFFICIAL USE ONLY
viii
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
409.
KOA Manager (KOAM) and Alternates
411.
Other KMI Related Roles KOAMs may Perform
Sample KOAM Appointment Letter Figure 4-4
Sample CPA or CPSO Appointment Letter Figure 4-5
CHAPTER 5 – DUTIES AND RESPONSIBILITIES OF KEY MANAGEMENT
OPERATING ACCOUNT (KOA) MANAGEMENT PERSONNEL
501.
Duties and Responsibilities of;
a.
b.
c.
d.
e.
f.
g.
h.
i.
j.
k.
l.
KOA Managers/Alternates
Personnel Local Type 1 Registration Authority (PLT1RA)
Device Local Type 1 Registration Authority (DLT1RA)
Product Requestors (PR)
Client Platform Administrator (CPA)
Client Platform Security Officer (CPSO)
Controlling Authorities (CONAUTH)
Command Authorities (CMDAUTH)
KOA Registration Managers (KOARM)
Device Registration Manager (DRM)
Enrollment Managers (EM)
Legacy Catalog Manager (LCM)
CHAPTER 6 – EDUCATION, TRAINING AND AUDITS
601.
Training Requirements
KMI Training Quick Reference Matrix (Figure 6-1)
603.
KMI Management Client (MGC) Course of Instruction (COI)
605.
KMI Training Locations
609.
Additional KOAM/Alternate Training Requirements
611.
Personnel Qualification Standards (PQS)
613.
CMS COR Audits
KMI Training Matrix Figure 6-1
CHAPTER 7 – ACCOUNTING AND ACCOUNT FUNCTIONS
701.
Accounting (General)
UNCLASSIFIED//FOR OFFICIAL USE ONLY
ix
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
703.
Overview of MGC Accounting Functions
705.
Management of COMSEC Material in an Organization
a.
b.
c.
d.
e.
f.
707.
Inventory Requirements
a.
b.
709.
Receipting for COMSEC Material
Issuance of COMSEC Material on a Local Custody Basis
Issuing Quick Reference Matrix (Figure 7-1)
Management of COMSEC Material at the User, Work
Center, LE or KOAA level, as applicable (watch and
non-watch environment)
Loading and Usage of Keying Material
Authorization and Transferring COMSEC Material
Shipping Quick Reference Matrix (Figure 7-2)
Use of Possession and Relief from Accountability
Reports and Required Authorization
Account Level Inventories
Fixed-cycle Inventory Matrix (Figure 7-3)
Inventory Requirement Matrix (Figure 7-4)
Physically Conducting an Inventory
Status Information and Destruction of COMSEC Material
a.
b.
c.
d.
e.
f.
g.
h.
Status of COMSEC Material
Other Status Related Terms
Status Information and Responsibilities
Destruction Guidance Applicable at the Account and LE
Level
Destruction Time Frames for COMSEC Material at the LE
Level
Destruction Time Frames for COMSEC Material at the
Account Level
Destruction Personnel
Destruction Methods (Figure 7-5)
CHAPTER 8 – COMSEC INCIDENTS
801.
General
a.
b.
c.
d.
Reporting
Types of COMSEC Incident Reports
Time Frames for Reporting
Quick Reference Matrix (Figure 8-1)
Classification
UNCLASSIFIED//FOR OFFICIAL USE ONLY
x
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
e.
f.
Required Addees for COMSEC Incident Reports
PLA Quick Reference Matrix (Figure 8-2)
Related Accounting Reports
803.
Organizational Responsibilities
805.
Types of COMSEC Incidents
a.
b.
c.
d.
807.
Cryptographic Incidents
Personnel Incidents
Physical Incidents
Sample Initial Report of COMSEC Incident
(Figure
(Figure
(Figure
(Figure
8-3)
8-4)
8-5)
8-6)
COMSEC Incident Evaluation
a.
b.
c.
Assessing Compromise Probability
Compromise Probability Examples
Additional Information
Sample Evaluating Authority (EVALAUTH) Message
(Figure 8-7)
CHAPTER 9 – PRACTICES DANGEROUS TO SECURITY (PDSs)
901.
General
a.
b.
c.
903.
Types of PDSs
PDS Documentation
Reporting Time Frames
PDSs by Category
a.
b.
Non-Reportable PDSs
Reportable PDSs
(Figure 9-1)
(Figure 9-2)
905.
PDS Reports
907.
PDS Documentation (Samples)
Non-Reportable PDS
Reportable PDS
(Figure 9-3)
(Figure 9-4)
CHAPTER 10 – ELECTRONIC STORAGE DEVICES
1001.
General
1003.
Software Management
UNCLASSIFIED//FOR OFFICIAL USE ONLY
xi
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
1005.
Classification, Accountability, Safeguarding and Access
1007.
Types of Keying Material Related to Electronic Storage
Device (ESD)
1009.
Loading Keying Material into an ESD
1011.
Visual Inspection Requirements
1013.
Destruction of Electronic Keying Material
1015.
Transportation and Shipment
1017.
Audit Trail Review Requirements
1019.
ESD Interface Flows
1021.
Emergency Protection
1023.
Repair and Maintenance
ANNEXES
ANNEX A Acronyms
ANNEX B Definitions
ANNEX C
COMSEC Library
ANNEX D
KMI Forms Quick Reference
ANNEX E
Conducting and Verification of Page Checks and
Modifications
Helpful URLs
ANNEX F
ANNEX G
Emergency Action and Emergency Destruction of COMSEC
Material (recommend deleting due to EKMS 1 redundancy)
ANNEX H
Sample Waiver Request Message for KOAM or Alternate
Appointments
ANNEX I
Statement of Acceptance of Responsibilities Key
Management Infrastructure (KMI) Management Client
(MGC), Client Host Only (CHO) or Delivery Only Client
(DOC) Information System Privileged Access Agreement
and Acknowledgment of Responsibilities
UNCLASSIFIED//FOR OFFICIAL USE ONLY
xii
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
CHAPTER 1 - KEY MANAGEMENT INFRASTRUCTURE (KMI)
101.
INTRODUCTION TO THE KEY MANAGEMENT INFRASTRUCTURE (KMI).
a. KMI will represent a substantial change in how keying
material is; accessed, accounted for, delivered, and ordered in
comparison to previous technologies and mediums used. The
flexibility and scalability built into the KMI architecture has
been designed to operate in a unified, network-centric approach.
KMI will make use of additional and faster communications media
to deliver required products to the COMSEC community; this will
include the Secret Internet Router Protocol Network (SIPRNET),
Non-Classified Internet Router Protocol Network (NIPRNET) and
the Joint Worldwide Intelligence System (JWICS).
KMI will support web-based ordering and delivery of required
keying material to the war fighter; support benign fill
techniques; the delivery of key to End Cryptographic Units
(ECUs) and support Over the Network Key (OTNK) key delivery.
b. In the KMI, certain roles require tokens (KOV-29)
personalized to the holder of the role in lieu of user IDs and
passwords. Role and rule-based policies will be implemented to
restrict functions performed and to ensure compliance with
mandated separation of duty requirements referred to herein as
role exclusions.
c. KMI will also introduce new internal and external roles,
which will be performed by and assigned to different individuals
and organizations.
d. Access to KMI related systems and resources is restricted
to properly cleared, trained and authorized personnel whose
official duties require access and are consistent with need-toknow principles. Access controls will be in compliance with
DoD, DON and National IA regulations.
103.
KEY MANAGEMENT INFRASTRUCTURE (KMI) ROLES AND SERVICES.
a. Central Services Node (CSN) - The CSN is the KMI core
node maintained and managed at NSA and provides long-term system
archive.
b. Client Platform Administrator (CPA) – An individual
designated in writing by the Commanding Officer CO responsible
for System Administration functions involving the KMI Management
UNCLASSIFIED//FOR OFFICIAL USE ONLY
1-1
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
Client referred to herein as the MGC. Personnel appointed as a
CPA with administrative privileges must be registered and
enrolled in KMI, but do not require a Type 1 token. The role of
the CPA role cannot be concurrently assigned to the holder of
the Client Platform Security Officer (CPSO) role. If the role
of the CPA is performed by the KOAM, additional training
requirements discussed in Chapter 6 of this document must be
satisfied.
c. Client Platform Security Officer (CPSO) – An individual
designated in writing by the CO responsible for security
monitoring, including the review of audit data associated with
the MGC. This role requires a Type 1 token and cannot be
performed by a KOAM or CPA.
d. Command Authority (CMD Auth) – Responsible for requesting
partition codes, Department/Agency/Organization (DAO) codes and
specifying partition and code ordering privileges on behalf of
Product Requestors. If a CMD Auth has a requirement to order
keying material, they must also be enrolled as a Product
Requestor within the KMI.
e. Controlling Authority (CA or CONAUTH) In the KMI
architecture, the CA validates requirements for symmetric
(traditional) keying material and book packaged material.
f. Device Local Type 1 Registration Authority (DLT1RA) Responsible for verifying the existence and condition of KMIaware devices, approving the conversion of the device’s
infrastructure seed key, and initiating a request for a Type 1
certificate for the device. Within the DON, this role will be
performed by either the KOAM or an Alternate KOAM for the
account. This role requires a Type 1 token and cannot be held
by someone appointed as the CPSO or Device Registration Manager
(DRM).
g. Device Registration Manager (DRM) – Responsible for both
registration and initialization of KMI-aware devices. These
devices include and are not limited to; ECUs, Type 1 Tokens, and
AKPs. This role requires a Type 1 token.
h. Eligibility Authority (EA) – The EA role will be held by
the Commanding Officer of the account, unless delegated at
his/her discretion to the Command Security Manager (CSM),
Assistant Command Security Manager or Special Security Officer
(SSO). If other than the CO, the EA must be designated in
UNCLASSIFIED//FOR OFFICIAL USE ONLY
1-2
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
writing by the CO. The EA conducts face-to-face verification of
persons to be appointed to a position requiring registration and
enrollment in KMI. The EA is also responsible for submitting
requests for disenrollment to the EA Proxy when a manager
transfers, retires, separates, has their access or clearance
suspended or when access is no longer required.
i. Eligibility Authority (EA) Proxy – The EA Proxy is
responsible for final verification of KMI related forms and
documentation received from DON activities prior to submission
to NSA for registration and enrollment actions in the KMI. The
EA proxy role will be fulfilled by NCMS.
j. Enrollment Manager (EM) - A security-sensitive role in
which the entity/individual will be responsible for the
assignment of KMI User Identities to management roles, rulebased attributes to KMI manager identities, and privileges to a
Type 1 identity issued for use in KMI. This role requires a
Type 1 token and within the DON will be performed by NCMS.
k. Service/Agency Help Desk Manager – A role assigned to
personnel providing customer organization-specific help desk
services.
l. KOA Manager (KOAM) – Formerly referred to as an
Electronic Key Management System (EKMS) Manager or COMSEC
Custodian.
Additional duties and responsibilities of the KOAM
are outlined in EKMS-1(series) Art 455.
The role of the KOAM requires a Type 1 token and cannot be
performed by either a Client Platform Security Officer (CPSO) or
a KOA Registration Manager (KOARM). As KMI-aware devices are
developed, the KOAM will also be responsible for the proper
maintenance of the account’s Device Distribution Profile (DDP),
including the timely addition of devices to the appropriate DDP
to allow delivery of key to the device.
m. KOA Registration Manager (KOARM) - Responsible for
maintaining registration information related to KOAs. Within
the DON, NCMS will perform KOARM-related functions in KMI.
n. Personnel Local Type 1 Registration Authority (PLT1RA) –
The PLT1RA is the role assigned to individuals responsible for
performing face-to-face verification of the identity of the user
receiving the Type 1 token, initiating a certificate request,
and performing the download of the Type 1 certificates onto the
UNCLASSIFIED//FOR OFFICIAL USE ONLY
1-3
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
token. With exception to their own token, the PLT1RA is also
the Type 1 Token Security Officer (TSO or SO) for tokens issued
during their assignment as PLT1RA.
Within the DON, this role will be performed by either the KOAM
or an Alternate KOAM for the account. This role requires a Type
1 token and cannot be held by the CPSO or Personnel Registration
Manager (PRM).
o. Personnel Registration Manager (PRM) - Responsible for
the validation of authoritative data and the registration of
users within the KMI. This role requires a Type 1 token and
will be performed at NSA.
p. Primary Services Node (PRSN) - The PRSN maintained at NSA
is referred to as the KMI Storefront, will operate on all KMI
supported networks and serves as the interface between Client
Nodes and other Nodal components in KMI. The operating status
of the PRSN is available at www.iad.nsa.smil.mil – IA Services –
KMI Program Office – Operations Infrastructure Components.
q. Product Source Node (PSN) - The PSN maintained at NSA
will generate and produce most of the cryptographic keying
material currently produced at the Central Facility (Tier 0) and
Central Office of Record (Tier 1) based on product or service
orders received from the Primary Services Node (PRSN). The PSN
will also produce Type 1 certificates and other forms of
credentials such as Personal Identification Numbers (PINs).
r. Product Requester (PR) – An external manager responsible
for requesting products and services. PRs must be enrolled as
managers and their privileges defined by the Product Manager,
which is typically the CONAUTH or CMDAUTH. PRs who order
asymmetric products perform functions previously performed by a
User Representative (UR).
s. Type 1 Token Security Officer (TSO) (Throughout this
document, the acronym TSO or SO both refer to the same role or
person occupying such) - A TSO is not a KMI role and therefore
does not require registration, enrollment, or a Token for
perform required duties. A KOAM can perform the duties of the
TSO for another Manager’s token and vice versa; however, a KOAM
cannot be the TSO for his or her own token.
Any person performing the role of TSO must complete the required
TSO CBT; see Annex F for the URL. If the role is fulfilled by
UNCLASSIFIED//FOR OFFICIAL USE ONLY
1-4
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
an individual other than KOAM, he or she must be designated as
the TSO in writing by the CO.
The TSO must validate the Token is personalized to the
requesting KOAM through comparison of the name reflected on the
certificate information with the identification presented prior
to resetting the KOAM’s operational password.
See the OSD for the SKEY6500 Token (KOV-29) for TSO/SO specific
duties, responsibilities and related periodicities for the
execution of such.
105. NATIONAL SECURITY AGENCY (NSA). NSA serves as Tier 0 and
is the executive agent for developing and implementing national
level policy affecting the control of COMSEC material and
manages and maintains the Central Services Node (CSN). NSA is
also responsible for the production and distribution of most
COMSEC material used to secure communications as well as for the
development and production of cryptographic equipment.
a. UNITED STATES NATIONAL DISTRIBUTION AUTHORITY (USNDA).
USNDA serves as the consolidated COMSEC distribution facility
for physical keying material. USNDA processes and automatically
ships physical Reserve on Board (ROB) material required by each
of the services to the DCS delivery address of record.
b. CENTRAL FACILITY (CF). The CF primarily functions as a
high volume key generation and distribution center. The CF
provides commands with keying material currently produced by NSA
that cannot be generated locally or must be generated by Tier 0.
The CF will interact with commands through a variety of media,
communication devices and networks, allowing for the automated
ordering and distribution of asymmetric (modern) keying
material.
107. DEPARTMENT OF THE NAVY (DON). For COMSEC purposes, DON
encompasses KOAs owned/managed by the Navy, Marine Corps, Coast
Guard, and Military Sealift Command (MSC). The DON system
implements national policy, publishes procedures, and
establishes its own KOAs with NCMS serving as a Service
Authority (SERVAUTH) for COMSEC material.
a. CHIEF OF NAVAL OPERATIONS (CNO). Overall authority, CNO
is responsible for implementation of National COMSEC policy
within the DON. The Head, Navy Information Assurance (IA)
Branch is the COMSEC resource sponsor and is responsible for
UNCLASSIFIED//FOR OFFICIAL USE ONLY
1-5
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
COMSEC programming, planning and implementation of policy and
technical improvements.
NOTE: Department of Navy Chief Information Officer (DON
CIO), as the Executive Agent, is overall responsible for
DON COMSEC policy and oversight. The Deputy Under
Secretary of the Navy for Plans, Policy, Oversight and
Integration (DUSN PPOI) is the DON's Security Executive
responsible for DON security policy.
b. HEADQUARTERS MARINE CORPS (C4 CY). HQMC C4 CY serves as
COMSEC resource sponsor for the Marine Corps. The department
functions as the USMC Service Authority and coordinates with
CNO, COMNAVIDFOR, and NCMS to establish, promulgate, and oversee
COMSEC account management matters unique to the Marine Corps.
The C4/CY is the focal point for requirements and administration
for all Marine Corps COMSEC accounts.
c. COMMANDER, U.S. COAST GUARD C4IT SERVICE CENTER,
INFORMATION ASSURANCE BRANCH (C4ITSC-BOD-IAB). C4ITSC serves as
the overall authority for USCG KMI/COMSEC matters. C4ITSC
serves as the USCG Service Authority, Program Manager and
Principal Agent for the USCG COMSEC Program and functions as the
USCG’s Evaluating Authority (EVALAUTH), Command Authority (CA)
and USCG ISIC. C4ITSC promulgates USCG COMSEC Program policy,
exercises service wide management of Coast Guard accounts
including hardware and software allowances and acts as principal
USCG liaison for KMI/COMSEC matters with the CNO, NCMS and other
entities to ensure that all USCG accounts have the necessary
resources to operate effectively.
d. COMMANDING OFFICER (CO). The CO is overall responsible
for proper administration of the command's KOA and ensuring
compliance with established policy and procedures.
Throughout this manual, responsibilities/duties applicable to
Commanding Officers apply equally to Staff CMS Responsibility
Officers (SCMSROs) and Officers-In-Charge (OIC) alike.
e. COMSEC MATERIAL ISSUING OFFICE (CMIO). CMIO serves as
the Physical Material Handling Segment (PMHS) for the DON;
receives, stores, and ships Ready for Issue (RFI) equipment to
fulfill validated requirements as well as functions jointly with
NCMS as the Legacy Catalog Manager (LCM).
f. FIREFLY CREDENTIALS MANAGER. A Key Management Entity
(KME) responsible for removing outdated credentials from the
UNCLASSIFIED//FOR OFFICIAL USE ONLY
1-6
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
Directory Service. The duties of the Firefly Credentials
Manager are performed by the Central Facility (CF).
g. FIREFLY POINT OF CONTACT. NCMS serves as the FIREFLY POC
for asymmetric (modern) key privileges with the DON. Accounts
requiring replacement Firefly (FF) Vectors and/or Message
Signature Key (MSKs) must order such through NCMS.
h. IMMEDIATE SUPERIOR IN COMMAND (ISIC). Responsible for
the administrative oversight of all KMI/COMSEC matters for their
subordinate commands. Additional information related to ISIC
duties and responsibilities can be found in EKMS-1(series)
Articles 130, 315, and 440.
i. KEY MANAGEMENT ENTITIES (KMEs). A KME is an activity,
organization, or person(s) performing one or more key
management–related function for an activity assigned a KOA ID.
j. KEY MANAGEMENT INFRASTRUCTURE (KMI) OPERATING ACCOUNT
(KOA). Formerly referred to as a CMS, COMSEC or EKMS account; a
KOA is an administrative entity in which custody and control of
COMSEC material is maintained. Each KOA account is assigned and
identified by a six-digit KOA number.
k. KOA AGENT (KOAA). A KOA Agent is not a KMI management
role within the KMI; a KOAA and Product Requestor are in essence
considered COMSEC users. KOAAs are not registered and enrolled
like other KMI users, although any KMI Manager can be designated
as a KOAA by a KOA Manager. KOA Managers are always
automatically designated as KOAAs for their own KOAs.
l. COMSEC CLERK. A COMSEC Clerk assists the KOAM or
Alternate(s) with routine administrative account matters.
Appointment of a Clerk is not mandatory, but is at the
discretion of the CO. If appointed, the individual must be
designated in writing by the CO.
Contractors as COMSEC Clerks: Contractor personnel may be
appointed as account clerks provided they meet the designation
requirements of this manual for the position and are supervised
by the KOAM or Alternate. Close supervision is a necessary
condition of the appointment of contractors as clerks.
NOTE: As stipulated in the Security Doctrine for the
MGC/AKP, access to the MGC/AKP is restricted to personnel
who have received formal training and are assigned as a
UNCLASSIFIED//FOR OFFICIAL USE ONLY
1-7
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
KOAM or Alternate.
m. KOA MANAGER (KOAM). An individual designated in writing
by the CO to manage COMSEC material held by/charged to the
unit’s KOA account. The KOAM is the CO's primary advisor on
matters concerning the security and handling of COMSEC material
and the associated records, reports, and audits. Throughout
this manual the term KOAM refers to either a KOAM or Alternate,
as applicable.
n. KOA MANAGER (KOAM ALTERNATE). The individual(s)
designated in writing by the CO responsible for assisting the
KOAM in the performance of his/her duties and assuming the
duties of the KOAM in his/her absence. The alternate is equally
responsible for the proper management and administration of a
KOA.
o. COMSEC WITNESS. A properly cleared individual (includes
contractor personnel) called upon to assist a Manager or Local
Element in performing routine administrative tasks related to
the handling of COMSEC material. A witness must meet applicable
designation and security requirements set forth in this manual
and Articles 175, 410, 416 and 505 to EKMS-1(series). A witness
will be supervised by a KOAM or other qualified and cleared LE
personnel.
p. LOCAL ELEMENT, LE ISSUING, AND LE IN-TRANSIT. See EKMS1(series) Articles 165 - 166 for the definition, examples and
applicable restrictions. In KMI, such refers to a known person
or group, known locally registered in the MGC, who are
accountable and responsible for COMSEC material issued to them.
q. NAVAL COMMUNICATIONS SECURITY MATERIAL SYSTEM (NCMS).
Administers the DON KMI/COMSEC program and fulfills the
responsibilities of the SERVAUTH. Additional functions
performed by NCMS include:
(1) Drafts and publishes KMI/COMSEC policy directives,
standards, and procedures pertaining to KMI/COMSEC material
security, distribution, training, handling, and accounting
within the DON.
(2) Operates, maintains, and exercises administrative,
operational, and technical control over CMIO for distribution of
COMSEC equipment.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
1-8
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
(3) Develops procedures for and monitors compliance with
proper physical storage and account management of COMSEC
material.
(4) Monitors compliance with national standards of the
Protective Technologies Program for cryptographic keying
material.
(5) Reviews requests for and authorizes waivers to
physical security requirements and the release of DON COMSEC
material to contractors.
(6) Coordinates fleet requirements for the acquisition of
all COMSEC material, publications and equipment for DON
activities.
(7) Establishes and disestablishes DON COMSEC numbered
accounts.
(8) Ensures distribution of COMSEC material to Vault
Distribution Logistics System (VDLS) components to ensure
quantities are sufficient for COMSEC account requirements,
exercises, and contingency operations.
(9) Provides status information for COMSEC material to KMI
accounts and planners.
(10) Provides disposition instructions for DON COMSEC
material.
(11) Evaluates COMSEC incidents and Practices Dangerous to
Security (PDSs) to determine the adequacy of existing procedures
as well as overall compliance with existing policy.
(12) Manages the COR Audit Teams and audit program within
the DON, including the training and certification of CMS COR
Auditors.
(13) Liaisons with the Center for Information Dominance
(CID) and acts as the Technical Advisor within the DON training
community regarding the KMI course of instruction (COI).
(14) Inventory Control Point (ICP) for COMSEC equipment
throughout DON and manages cryptographic equipment assets for
DON.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
1-9
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
(15) As the DON KOA Registration Authority, responsible for
the registration and assignment of KMI IDs to commands for
ordering required initialization keys for AKPs and for
maintaining registration data on its activities/commands.
(16)
FIREFLY POC for asymmetric (modern) key privileges.
(17) Serves as the Legacy Catalog Manager (LCM) with CMIO
on KMI matters.
(18) Serves as the KOA Registration Manager (KOARM) and
Eligibility Authority (EA) Proxy for the DON.
r. SERVICE AUTHORITY (SERVAUTH). The role of the Service
Authority within each Service may be fulfilled by more than one
person or agency within that Service. The Service Authority is
responsible for oversight of COMSEC operations, policy,
procedures, and training. Additional duties may include:
- Cryptographic hardware management and distribution control,
including Foreign Military Sales (FMS).
- Approving account establishment and disestablishment.
- Approving authority for Certification Approval Authorities
(CAAs).
- Implementing COMSEC Material Control System (CMCS)/Key
Management Infrastructure (KMI) policy and procedures.
- Direct operational support.
- Final adjudication authority for determining when reported
COMSEC incidents result in COMSEC insecurities.
- Ensuring service compliance with COMSEC access program
Requirements.
- Standing membership on KMI working groups and the CT1 Joint
Configuration Control Board (JCCB)
s. STAFF CMS RESPONSIBILITY OFFICER (SCMSRO). A flag or
general officer in command status, or the Deputy Commander or
Chief of Staff, may either assume personal responsibility for
routine COMSEC matters, or may designate the responsibility to a
staff officer (O-4/GS-12, Pay Band 2, or above). Officers not
meeting the above requirement may not designate a SCMSRO. A
SCMSRO may exist at a command with an account or LE.
t. LEGACY CATALOG MANAGER (LCM). The LCM is responsible for
maintaining the KMI Product Catalog current with the Legacy
Electronic Key Management System (EKMS).
UNCLASSIFIED//FOR OFFICIAL USE ONLY
1-10
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
CHAPTER 2 – MANAGEMENT CLIENT (MGC) SYSTEM OVERVIEW, SECURITY
REQUIREMENTS (INCLUDES STORAGE AND SHIPMENT OF COMSEC MATERIAL)
201.
GENERAL:
KMI enhances security, improves distribution to the war
fighter and alleviates many time-consuming legacy functions
historically performed manually. Some processes that will be
enhanced through KMI include, but are not limited to:
accountability through more automated accounting, delivery of
key directly to a forward deployed users End Cryptographic Unit
(ECU), and delivery of key to devices which are KMI-aware vice
issuing all keying material for manual loading by LE personnel.
KMI is comprised of three NSA-managed core nodes and user
managed Client Nodes. Core nodes consist of the CSN, PSN and
the PRSN. KMI will introduce the use of Type 1 Public Key
Infrastructure (PKI) certificates and tokens for human users and
user devices requiring access to the KMI. KMI will also provide
secure integration of commercial products in tactical
environments through the use of PKI certificates to ensure
identification, authentication and confidentiality requirements
are enforced.
In the KMI, the Client Host Platform is referred to as the
Management Client, Client Host or simply the “MGC. The MGC
suite consists of a fully equipped MGC and related peripherals
including an Advanced Key Processor (AKP), Printer, Barcode
Scanner, Type 1 Token (KOV-29) a High Assurance Internet
Protocol Encryptor (HAIPE) device (KG-250) and other peripheral
components reflected in the OSD for the MGC.
The MGC itself consists of three separate components, a Client
Host, a KOK-32 Advanced Key Processor (AKP) and a KOV-29
(Token). Some of the functions available when disconnected are
the local management of a KOA, which include but are not limited
to, local symmetric key generation, distribution of electronic
and hard copy key stored at the KOA, and all local accounting
functions.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
2-1
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
a. Client Host/Management Client (MGC). The Client Host
provides the KOAM the ability to order, account for, distribute,
and manage keying material, equipment and other COMSEC
materials.
1. The Client Host is approved to process and store
Unclassified//FOUO encrypted keying material and data up to and
including Secret.
2. The Client
unencrypted key and
Secret data. At no
or data from a fill
Host shall never process or store
is not authorized to process or store Top
time will a KOAM upload Top Secret Red Key
device to the Client Host.
3. Policy, Procedural, Doctrine or other reference
material helpful in the management of the account may be
uploaded and stored in InfoCenter folder on the MGC desktop.
b. Client Host Only (CHO). The CHO is a NSA approved
management platform that operates without an AKP. The CHO will
operate on the same Window Operating System (OS) as the Client
Host where a full MGC suite is deployed. Although the CHO does
not have an AKP, it is able to receive packages and communicate
directly with another client node but does not support the
protocols for red key fill. A CHO may be the appropriate and
more cost effective solution for Controlling Authorities,
Command Authorities, Registration Managers and Registration
Authorities when personnel performing these roles are not KOAMs
for an account where an AKP is required.
Many accounting functions not related to key production and
generation are available with a CHO. Should an account equipped
with a MGC/AKP suite suffer an AKP failure, it is possible to
manage the account as a CHO; the Client Host will detect if an
AKP is available and provide the corresponding degree of service
to the KMI (i.e., “full” MGC with an AKP, CHO without an AKP).
An illustration of a CHO is reflected on the following page.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
2-2
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
Client Host Only (CHO) Illustration
Client Host
(High Assurance
Platform)
Printer
Barcode
Scanner
Type 1
Token
HAIPE
(KG-250)
6
UNCLASSIFIED // FOR OFFICIAL USE ONLY
c. Delivery-Only Client (DOC). The DOC represents the
customer end of the client-server interaction and is capable of
reach-back and communications with the PRSN’s Delivery-Only
interface to receive products and services. The DOC, like the
CHO, does not consist of the fully integrated MGC/AKP suite.
The DOC interface may use either Transport Layer Service (TLS)
UNCLASSIFIED//FOR OFFICIAL USE ONLY
2-3
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
or a user-name and password for identification and
authentication. Once authenticated, KMI will permit the viewing
of the Product Activity List (PAL) reflecting products and
services the requestor is authorized to receive.
d.
Advanced Key Processor (AKP).
1. The AKP is a Type 1 cryptographic device used in KMI.
It is assigned the Short Title (KOK-32), classified SECRET and
will be accounted for as ALC-1 in the CMCS.
2. Although the AKP can support either Test (TestPAC) or
Operational Positive Access Control (OpPAC), to change an AKP
from test to operational and vice versa is prohibited;
regardless of status (test or operational), the AKP must be
registered in KMI.
Note 1: Operational KOA – Operational Positive Access
Control (OpPAC) AKP with a Type 0 FIREFLY key.
Operational KMI Entity – OpPAC AKP without Type 0
FIREFLY key.
Test KOA – Test Positive Access Control (TestPAC)
AKP with Type 0 FIREFLY key.
Test KMI Entity – TestPAC AKP without Type 0
Firefly key.
Note 2: Tokens used at test KOAs/KMI Entities are not
accountable in the CMCS.
3.
The AKP must be recertified 7 years from the date of
the last certification as indicated on the devices tag.
4. The KOAM or Alternate must, at a minimum of monthly
conduct a visual inspection of the AKP to certify that no signs
of damage or tamper are evident. This will be documented in the
form of a locally created AKP Visual Inspection Log and will
include at a minimum: the Short Title and Serial Number of the
AKP, the date inspected, the printed name and signature of the
individual who conducted the inspection and whether any damage
or tamper was noted. The log will be closed out annually and
retained for two years or the next COR Audit, the sooner of the
two. A sample log for use in the conducting and documenting
visual inspections of the AKP can be found below.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
2-4
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
COMMAND TITLE: ______________
ACCOUNT NR ______
KOK-32 SN:
_____
CY-20XX AKP AND REINIT DRIVE VISUAL INSPECTION
Date
Inspected
Inspected by
(1st Person)
Printed Name
1st Person
Signature
Inspected by
(2nd Person)
Printed Name
2nd Person
Signature
Anomalies
noted Yes/No
*
NOTE: A visual inspection is required at a minimum of monthly in
accordance with Articles 201 and 209 to this manual. Any signs
of damage or tamper detected must be reported in accordance with
Chapter 8.
Figure 2-1
e. Type 1 Token (KOV-29). A (COTS sKey6500) is a small,
portable cryptographic hardware module that provides Type 1
security services such as signing, signature verification,
encryption, decryption, key establishment, and asymmetric keypair generation in KMI.
1. Certain roles in KMI require the use of a hardware
token to perform assigned duties. At the account level, such
roles include a KOAM, Alternates and the CPSO.
2. Hardware tokens (KOV-29s) registered in the Operational
KMI, (KOV-29) are accountable in the CMCS as an ALC-1 item.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
2-5
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
3. Tokens registered as discussed above are UNCLASSIFIED
when not inserted in the Client Host and SECRET when inserted in
the Client Host.
4. Each DON account will be provided with (2) tokens per
KOAM and (1) per CPSO. If additional tokens are required, the
account must submit a validation request per Article 610 to
EKMS-1(series).
5. Each Account Manager(s) must request a one-time pin for
their contingency/backup token through submission of a KMI Form
001 to the EA Proxy at NCMS. The token must be personalized to
the individual to manage the account should their primary token
fail.
6. The KOV-29 is KMI Aware and holds the Type 1 PKI
Identification and Authentication and Key Establishment
certificates for itself and the individual to which it is
personalized to.
7. Tokens are personalized to a specific individual and
are not to be shared.
8.
A token must not left inserted, unattended in a MGC.
9. Tokens will not be shipped or hand carried with the
associated pin or password.
10. The token is unlocked through a combination of userentered Personal Identification Number (PIN) and the secure
recovery of a companion value stored in the AKP or the PRSN.
11. The Type 1 Token includes active tamper protection
mechanisms to protect private and secret key materials and other
sensitive data and algorithm items it holds.
12. If more than one KMI Manager is enrolled with the same
role, each Manager must use only his/her own KOV-29 to
accomplish tasks associated with the role.
13. In an emergency such as death, emergency leave, loss or
inadvertent destruction of a token, etc…, a KOAM may use the
contingency/backup token personalized to the KOAM or Alternate
KOAM for use in such scenarios. A contingency/backup token is
not intended to replace the token personalized to the respective
KOAM.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
2-6
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
14. Accounts must request disposition and replacement of
failed tokens in accordance with EKMS-5(series).
15. Additional information for the KOV-29 can be found in
the OSD located in the NSA IA Library on the SIPRNET under the
doctrine tab. See Annex F for the URL.
203.
SECURITY CONTROLS.
a. Controlled usage is a property of the KMI that limits
user activities to authorized personnel through the
implementation of roles, rules and other access control
mechanisms and policies. KMI limits user access to system
resources based on attributes associated with resources (e.g.,
classification, ownership), requested function (e.g.,
authorizations), and association of the user identity (e.g.,
clearance, roles, domains, and “need-to-know”).
b. User accountability refers to a process in which KMI
enables the actions of an individual user and system activities
to be traced uniquely to the specific user. To establish user
accountability, KMI registers users and requires evidence of
eligibility to access the system; identifies users uniquely; and
enforces stronger forms of identification and authentication
across the infrastructure.
c. Administrative activities are tracked for auditing
through Attack, Sensing, Warning, and Response (ASWR) systems.
KMI records information that associates users with activities
performed on their behalf and enables authorized managers to
access and evaluate the accountability information through
secure means, within a reasonable amount of time, and without
undue difficulty.
205.
KMI RELATED CERTIFICATES.
a. Certificates stored on tokens will be used by personnel
and devices. Certificates will also be used by other KMI-aware
devices such as the AKP (KOK-32).
b. Type 1 PKI certificates are controlled by the PSN. The
AKP (KOK-32) requires several specific keys and Type 1 PKI
certificates to be fully functional. Some keys are locally
generated while others must be ordered and received from Tier 0
or the KMI storefront.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
2-7
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
c. The AKP locally generates a public and private key pair
supporting IA(I) Type 1 certificate as a one-time transport key
during initialization by the DRM or an operational key during
endorsement by the DLT1RA. The public key included in the IA(I)
Type 1 certificate received from the KMI storefront is used by
the AKP for authentication purposes.
d. The AKP also locally generates a public and private key
pair supporting the IA(M) Type 1 certificate during the
activation of the AKP by the KOAM. The public key included in
the IA(M) Type 1 certificate received from the KMI storefront is
used by the AKP for authentication and signature purposes.
e. Type 1 IA(I) and IA(M) certificates are valid for five
(5) and two (2) years respectively. To reduce the potential
impact to mission readiness, both the IA(I) and IA(M)
certificates will be rekeyed annually or as soon as possible
thereafter when operations permit such. Failure to rekey IA(I)
and IA(M) certificates as stated herein must be documented in
accordance with Chapter 9 of this manual.
207.
MGC/AKP REQUIRED CIKS AND KEYING MATERIAL.
Procedures for performing a site initialization, reinitialization, changeover and AKP rekey will be in accordance
with the MGC/AKP Operator’s Manual. A Type 0 FF Vector Set
(FF), Message Signature Key (MSK), and (2) Cryptographic
Ignition Keys (CIKs) are required to perform a site
initialization or re-initialization of an AKP.
a. Operational (AKP) CIKS. Each account with an AKP will
receive two operational CIKS; one of which will be operationally
affiliated with the account’s AKP by the DRM. Operational CIKS
are not for logging on to the AKP. The KOAM or Alternate must
create a backup of the operational CIK using the 2nd CIK
provided. If additional CIKS are procured, the KOA may create
one additional CIK but will not have more than three in the
account.
1. Operational CIKS are UNCLASSIFIED except when inserted
or in the vicinity of the AKP. When inserted or not secured
away from the AKP, operational CIKS will be stored and
safeguarded at the SECRET level.
2.
CRYPTO.
Operational CIKS are not subject to TPI or considered
UNCLASSIFIED//FOR OFFICIAL USE ONLY
2-8
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
3. Operational CIKS may be stored either in the account’s
vault or a GSA-approved container, with access restricted to the
KOAM or Alternates.
4. Must be protected to prevent unauthorized access by
anyone except properly cleared and appointed KOAMs and
Alternates.
5.
present.
reported
be ruled
the loss
Must not be left inserted when no account manager is
Loss of an operationally affiliated CIK must be
in accordance with Chapter 8, if unauthorized use cannot
out. If unauthorized access can be ruled out, document
as a PDS in accordance with Chapter 9.
6. In the event an operationally affiliated CIK is damaged
or lost, the KOAM must delete the corresponding split from the
AKP and the damaged CIK(s) must be sent to a Service Depot for
destruction.
b. FF Vector Set. The FF Vector Set is required and must be
loaded to enable the account to generate and exchange account
credentials necessary for conducting or receiving services
related to keying material.
1. All FF Vector Set key orders must be submitted in
accordance with EKMS-1(series) Article 670. Paragraph 1 of the
request must state the key is for a KOA. For a KOA, the only
delivery option when either a FF Vector Set or MSK is required
is electronic delivery. KSD-64A is not an option in delivery of
these for a KOA.
2. The FF Vector Set must be stored, safeguarded and
accounted for consistent with the assigned classification and
ALC which is typically the HCI of the account and ALC-6.
3. For operational accounts, upon completion of loading
the FF Vector Set, a backup of the MGC must be performed and the
FF Vector Set used destroyed from any fill device storing such
or on the MGC through the Human Machine Interface (HMI). This
does not apply to test FF Vector Sets used for test AKPs at
training facilities or by COR Audit Teams.
4. The loaded FF Vector Set must be recorded as Filled in
End Equipment and reflected on the account’s next end-of-month
destruction report. Following successful loading of the 1st
copy of the FF Vector Set, should a second copy of the Vector
UNCLASSIFIED//FOR OFFICIAL USE ONLY
2-9
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
Set be received but is not used, the second copy will be
zeroized and recorded as destroyed since it was not used or
“filled”.
5. Failure to destroy the FF Vector Sets within the time
frame discussed above must be documented in accordance with
Chapter 9 of this manual.
6. The FF Vector Set must be rekeyed at a minimum of
annually.
c.
FF Credentials.
1. Generated credentials are posted by the KOAM to the
EKMS Directory Server.
2. Credentials are not crypto but expire monthly or at the
time of the expiration of the associated FF Vector Set.
3. Unless limited by the KOARM, the KOAM can generate and
post up to twelve (12) months’ worth of credentials.
4. Failure to conduct an AKP rekey at a minimum of
annually will prohibit the account from generating credentials
or receiving keying material electronically.
5. Prior to performing a rekey of the FF Vector Set, any
pending transactions must be processed. Failure to do so will
prohibit the processing of any pending key packages, necessitate
the need for resupply impacting mission readiness, and possibly
result in accounting discrepancies.
6. It is highly recommended deployable units conduct an
AKP rekey prior to deployment and only after ensuring there are
no pending Bulk Encrypted Transactions (BETs) in the unit’s
mailbox or desktop.
d. Message Signature Key (MSK). The MSK is used to
digitally sign messages. The MSK is classified at the HCI of
the account and is assigned an ALC of 6.
1. MSKs must be requested in accordance with EKMS1(series) Article 670. Paragraph 1 of the request must state
that the key is for a KOA. Only electronic delivery is
available for a KOA. As stated above for FF Vector Sets, MSKs
cannot be shipped to a KOA on a KSD-64A.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
2-10
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
NOTE: With exception to test AKPs held at training
facilities and COR Audit Teams, regardless of the account’s
HCI, the loading of MSK and subsequent creation of
AKPREINIT 1 and AKPREINIT 2 Flash Drives at operational
accounts, must be conducted by the KOAM and an Alternate or
properly cleared witness adhering to Two-Person Integrity
(TPI) procedures including handling and storage following
creation.
2. AKPREINIT 1 and AKPREINIT 2 Flash Drives are created
following the loading of the MSK.
3. KOAMs will create AKPREINIT 1 and AKPREINIT 2s on NSAapproved flash drives. As stated in the OSD for the MGC, NSA
has obtained the applicable exception to the restrictions on USB
flash drive usage set forth in Computer Task Order (CTO) 10-133
for KMI-only purposes. Only NSA approved USB Flash Drives
procured for use as AKPREINIT keys shall be inserted into the
AKP USB port.
4.
For operational accounts, upon completion of loading
the MSK and creation of the AKPREINIT 1 and AKPREINIT 2 flash
drives, the KOAM must conduct a backup of the MGC and record the
MSK loaded as destroyed using the filled in end equipment or
similar function in the MGC environment. This does not apply to
test MSKs used for test AKPs at training facilities and by COR
Audit Teams.
5. The loaded MSK must be recorded as filled in end
equipment and reflected on the account’s next end-of-month
destruction report.
6. Failure to record the MSK loaded as filled in end
equipment within the time frame discussed above must be
documented in accordance with Chapter 9 of this manual. If a 2nd
copy was requested but not required, it will be zeroized and
recorded as destroyed as it was not filled. Destruction of the
second copy of the MSK will be on the same end-of-the-month
destruction report as the one filled or be documented as
described above.
7. The cryptoperiod for the Local Key Encryption Key
(KEKL) associated with an AKP is 12 months.
8. A Changeover must be performed at a minimum of
annually. Semi-annual changeovers are recommended in order to
UNCLASSIFIED//FOR OFFICIAL USE ONLY
2-11
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
reduce system down-time for large accounts and the potential for
a COMSEC incident.
9. Due to
AKPREINIT media
changeover must
cleared account
the Two Person Integrity (TPI) requirements of
in KMI, regardless of the account’s HCI,
be conducted in the presence of two properly
personnel (KOAM/Alternate).
10. A backup is recommended prior to performing a
changeover but must be performed after a changeover is
conducted.
e.
Benign Fill (BF) Firefly.
1. BF Firefly key if used is designed to encrypt key
transferred between the AKP and BF-capable end cryptographic
unit (ECU).
2. BF Firefly key is created by Tier 0 and must be
accounted for, stored and safeguarded based on its assigned
classification and ALC.
3.
BF Firefly key must be re-keyed annually.
4. The Key Management Identification Number (KMID) of an
ECU’s BF firefly key must be registered in the MGC prior to
performing Benign Fill functions.
f.
KG Rules.
1. KG Rules enable the AKP (KOK-32) to locally produce
keying material for existing and emerging COMSEC equipment.
2. KG Rules are produced and distributed electronically to
KOAs by NSA.
3. KOAMs at operational accounts must load the latest
version of KG Rules within 30 days of receipt; this is not
applicable for test AKPs used strictly in a training
environment.
4. The previous version must be destroyed NLT the 5th
working day of the month following the month of loading the new
version.
5.
Failure to destroy previous versions of KG Rules held
UNCLASSIFIED//FOR OFFICIAL USE ONLY
2-12
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
by the account as stated above will be documented in accordance
with Chapter 9 of this manual.
6. Procedures for loading the KG Rules can be found in the
KMI Operation and Maintenance Manual (OMM).
g. Site Re-initialization.
Enables the recovery of all
protected data stored on the MGC and is also performed as a
result of either an AKP failure or recertification. The AKP has
a recertification requirement of 7 years from the date on the
equipment; not from the date of receipt. The AKPREINIT 1 and
AKPREINIT 2 drives are required for use during this process.
Step-by-step procedures for performing a Site Re-initialization
can be found in KMI MGC Operations and Maintenance Manual (OMM)
which can be found at the URL in Annex F.
h. AKP Recertification Label. To enhance awareness with
regards to the AKP recertification date/status, a label with AKP
information (e.g., recertification date, PAC status, etc.) may
be applied to the AKP. Only KMI-approved and provided labels
are authorized for use. The label is to be applied only to flat
surface on the AKP’s top front right-hand corner.
209.
SECURITY AND ACCOUNTABILITY OF KMI RELATED DEVICES.
a. Classification of KMI related devices and items. All
KMI, COMSEC-accountable items, required for management of the
account are reflected in the OSD for the MGC. The OSD also
reflects the proper Short Titles, Classification, ALC and
material type for KMI-related COMSEC material.
b. AKPREINIT 1 and AKPREINIT 2 flash drives (throughout this
manual the term AKPREINIT and REINIT refer to one in the same).
1. Prior to use, AKPREINIT 1 and AKPREINIT 2 flash drives
are UNCLASSIFIED and not COMSEC accountable. Once used in the
KMI, they are classified at the SECRET level and must be brought
into CMCS accountability through submission of a possession
report to the COR.
2. Regardless of classification AKPREINIT drives which
have been used at an operational KMI account must be handled,
safeguarded and stored under Two-Person Integrity rules in a
GSA-approved security container or vault.
NOTE: TestPAC AKPREINIT USB Flash Drives used at training
UNCLASSIFIED//FOR OFFICIAL USE ONLY
2-13
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
sites are classified SECRET but are not assigned an AL Code
or accountable in the CMCS.
3. Only NSA-approved and provided USB flash drives are
authorized to be used.
4. Under no circumstances will a single flash drive be
used for creating, downloading or storing AKPREINIT 1 or
AKPREINIT 2 key splits, data, etc…
5. For accounts with a HCI of Secret, as an alternative to
programming the FF-L-2740/2740A locking mechanism with two
combinations, which would prevent access to other mission
essential keying material not subject to TPI, the account can
seal the flash drives in NSA-approved tamper evident bags.
6. If the account has an HCI of Secret and the AKPREINIT
flash drives are protected with NSA-approved tamper-evident
bags, a daily inspection of the bag must be conducted and
documented on days when the container in which they are stored
is opened.
7. Additionally, the KOAM and an Alternate will conduct a
monthly visual inspection of the tamper evident bag to detect
any possible tampering. This visual inspection must be
documented in the form of a log and the log will be closed out
annually and retained for two years at the account.
8. At a minimum, the visual inspection log mentioned above
will reflect the Command Title/Account number, the date of the
visual inspection, the printed name of the person(s) conducting
the inspection, and a remarks column for any comments, i.e. no
tampering or other signs of attempted access noted. The log
will be closed out at the end of each calendar year and retained
for 2 years.
NOTE: Figure 2-1 can be modified to accommodate both
daily and/or monthly AKP and AKPREINIT visual
inspections. Monthly visual inspections must reflect
the signature of both the KOAM and Alternate
9. AKPREINIT flash drives must have a tag affixed to them
indicating the Short Title, version number and KOA. The initial
set of AKPREINIT will be version 0 and each subsequent version
created during future changeovers will be incremented up one
number. Following completion of the changeover, the KOAM will
UNCLASSIFIED//FOR OFFICIAL USE ONLY
2-14
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
bring the new AKPREINIT flash drives into COMSEC Material
Control System accountability through submission of a report the
possession to the COR and perform a backup. Prior COR
(SERVAUTH) authorization is not required; the possession report
be signed by the manager, a witness and the CO.
10. Each KOA will have and account for (2) sets of
AKPREINIT flash drives. Each set is different and is associated
with specific back up media. The creation of additional sets
must be authorized by the SERVAUTH. If authorized, additional
sets must be brought into proper CMCS accountability.
11. AKPREINT USB Flash Drives will not be inserted into
any device except the associated AKP. Any other use or insertion
of AKPREINT USB Flash Drives containing AKPREINIT data in a
device other than the associated AKP is a COMSEC Incident and
will be reported.
12. Reuse of AKPREINIT USB flash drives is only authorized
at the same KOA account when a replacement AKP is received.
13. AKPREINIT drives must be matched with the specific
backup performed after initial AKP activation or changeover, as
applicable has been completed.
14. In future changeovers, if existing flash drives are
overwritten (reused), the oldest set will be used. For
consistency purposes, the oldest backup media associated with
the overwritten drives should also be used for the backup after
the changeover is performed. Ensure the labeling of both is
updated and matches.
15. When AKPREINIT devices are no longer required or
become corrupted, the KOAM must request disposition instructions
from NCMS for the flash drives and the associated backup media.
16. It is imperative that the KOAM establish local
procedures to accurately label and identify AKPREINIT drives
with the corresponding back-up media to which they pertain. If
the media and AKPREINIT drives do not match, any local/field
recovery efforts will fail.
17. Except during emergency destruction when directed,
AKPREINIT flash drives will not be disposed of or destroyed at
the account level without prior authorization from NCMS.
Because the drives are associated with specific backup media,
UNCLASSIFIED//FOR OFFICIAL USE ONLY
2-15
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
which is also COMSEC accountable, disposition requests for
AKPREINIT flash drives must also include the backup media.
18. Destruction, if authorized must be reported to the COR
in accordance with EKMS-1(series) Article 540.
c.
MGC/AKP Locations.
1.
Shipboard:
a.
The location in which the MGC/AKP is installed
must be designated as Restricted Area.
b.
The space must be approved for open storage
SECRET or the MGC drives and AKP must be disconnected, removed,
and stored in a GSA-approved security container when the space
is not occupied by KOAM account personnel.
c.
The location in which the MGC/AKP is installed
must be restricted to KOAMs and Alternates. Written access
authorization will be granted by the CO of the account. If
located in a vault or adjoining COMSEC office where an access
list is required, the authorization can be annotated on the
access list for the space.
d.
Access lists will be updated upon change of
command, when personnel change, or annually whichever occurs
first.
2.
Submarine:
a.
Onboard a submarine, the MGC/AKP is rack-mounted
and installed in the Radio Room where non-account personnel are
assigned.
b.
Non-account personnel who are properly cleared
will be reflected on the access list for the restricted space
negating the need to remove the drives and disconnect the AKP
daily while deployed or in-port and store it in a GSA approved
security container.
c.
Written access authorization will be granted by
the CO of the account.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
2-16
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
d.
Access lists will be updated upon change of
command, when personnel change, or annually whichever occurs
first.
3.
Fixed Site:
a.
The location in which the MGC/AKP is installed
must be designated as Restricted Access.
b.
The space must be approved for open storage
SECRET in accordance with SECNAV M5510.36 or the MGC drives and
AKP will be disconnected, removed, and stored in a GSA-approved
security container when the space is not occupied by KOAM
account personnel.
c.
Unescorted access to the location where the MGC
is installed must be limited to personnel holding a minimum
SECRET clearance whose official duties require access to the
space. If in installed in a COMSEC vault, unescorted access
must be restricted to KOAMs and KOAM Alternates. Written access
authorization will be granted by the CO of the account. If
located in a GSA Secure Vault or adjoining COMSEC office where
an access list is required, the authorization can be annotated
on the access list for the space.
d.
Access lists will be updated upon change of
command, when personnel change, or annually whichever occurs
first.
4. KOAMs and Alternates must take additional security
precautions in unique operating environments where a vault or
dedicated COMSEC office does not exist such as a radio room
onboard a submarine. In such instances, all personnel who
access the area where the MGC/AKP is located must possess a
valid SECRET or higher security clearance.
5. KOAMs and Alternates must ensure at no time are the
MGC and/or AKP left logged on/unattended by account management
personnel.
6. Other non-account personnel requiring access to the
location of the MGC such as a CPA (if the CPA is not the KOAM or
Alternate) or CPSO must be escorted and logged in/out in a
visitor’s log if not on the formal access list for the space.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
2-17
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
7. Installation of a MGC or AKP in a mobile communications
environment will be in accordance with the OSD for the MGC.
8. Neither the MGC nor AKP will be left logged on and
unattended where an unauthorized or improperly cleared person
could gain access or where such could result in a loss of TPI;
both instances require reporting as a COMSEC incident.
9. Security reminder: Access to spaces where classified
material is used and stored must be protected, restricted and
limited to appropriately cleared personnel whose official duties
require access, and who also possess a valid need-to-know for
material they have access to. If an individual is not on an
access list, the person MUST be logged in/out in the visitor’s
log. If one’s clearance status is not known and verified,
sanitize the space by turning over working papers, cover status
boards, and turn off computer displays or other viewable
classified information when the personnel are in the space.
211.
FIELD RECOVERY OF AN AKP.
a. Zeroization of an AKP for other than intentional purposes
prior to returning the AKP to a depot-level facility must be
reported as a COMSEC Incident.
1. A field-zeroization causes the AKP to zeroize and must
be reported as a COMSEC incident in accordance with Chapter 8.
The report must include all pertinent details and all facts
related to the zeroization including the name, rank, and
position of the Commanding Officer, if a field recovery is
authorized as discussed below.
2. Except during an operational emergency, approval to
perform a field-recovery must first be obtained from the
SERVAUTH (NCMS).
3. During an operational emergency which affect real-world
operations, a field-recovery may be performed when authorized by
the Commanding Officer. NCMS must be notified within 48 hours
of the field recovery.
4. Recovery accomplished with database backup media and
AKPREINIT drives associated with that particular backup will
result in the reappearance of keying material previously
destroyed on the inventory requiring that it be re-destroyed.
Any key received after the backup was conducted will be lost.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
2-18
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
The use of database backup media and AKPREINIT drives older than
seven calendar days must be reported as a PDS to NCMS in
accordance with Chapter 9.
5. Resurrection of key previously destroyed as a result of
restoration from backup media may require previously destroyed
and reported key be destroyed again. Failure to re-destroy
previously destroyed key NLT the 5th day of the month following
the resurrection or field-recovery actions, as applicable, must
be documented in accordance with Chapter 8 of this manual.
6. NCMS will provide assistance on clearing the KOA of any
resurrected or lost key.
213. CLASSIFICATION AND ACCOUNTABILITY OF KMI-RELATED
COMPONENTS.
a. General. Due to changes in KMI-related OSDs, the
previously published listing of components has been removed from
this document. A complete listing of KMI related components,
including Short Titles, ALCs, classification of each and
material types can be found in the Operational Security Doctrine
for the MGC available in the NSA IA Library on the SIPRNet.
b. AKP USB Flash Drives must be tagged and labeled in
accordance with the MGC OSD.
c. Device specific guidance for the MGC, the KOV-29 (Token),
and the KOK-32 (AKP) can be found in the respective Operational
Security Doctrine(OSD) at the URL located in Annex F.
NOTE: KAR 5s are only created at a Service Level Depot
facility. Any account with KAR 5s created with Spiral 1
software is required to locally destroy the media and
report the destruction to the COR. No DON accounts should
have a KAR 5 on the Product Inventory.
d. Each account will retain a current image of the client
host, backup media and one prior version of each.
Versions
older than the first previous version may be destroyed using
approved methods outlined in the NSA Evaluated Products List
(EPL). COR authorization is not required to destroy older
media; the destruction must be reported to the COR. The
discovery of client images or backups older than the first
previous set/version will be treated as a non-reportable PDS in
accordance with Chapter 9 herein.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
2-19
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
e. Classified material must be properly labeled,
safeguarded, stored, disposed of and be addressed in the
command’s Emergency Action and/or Emergency Destruction plans,
as applicable.
215.
PINS/PASSWORDS:
a. The Client Host (MGC) requires (3) passwords; the Data At
Rest (DAR) password which protects the MGC Hard Drive; a Windows
User Password and the Basic Input/Output System Password (BIOS).
b. Access to the DAR administrator username/password is
restricted to the CPA. The DAR user password is shared by
authorized users (Account Managers) at a specific account.
c. Only the CPA/CPSO are authorized to have knowledge of and
access to the Client Host Platform BIOS Password.
d. See the OSD for the MGC for additional information
related to the aforementioned passwords, related requirements
and/or restrictions.
e. PINS are classified at the privilege level of the holder;
passwords are Secret; both will be recorded, safeguarded and
stored as indicated below.
1. PINS and/or passwords will be recorded, protected,
stored, safeguarded, and inventoried in accordance with EKMS1(series) Article 515.f and 520.j. The exception to the
labeling discussed in EKMS-1(series) Article 520.j with regards
to KMI is the user name, if different than the employee name,
will be reflected in Blocks 5 and 10 of the SF-700. The top of
the form will be labeled MGC/AKP Administrator or Operator
PIN/Password, as applicable in lieu of LMD/KP in Block 10 of the
SF-700. Part 2A will reflect the user name, the AKP PIN, and
the Windows password and must be classified commensurate with
the privilege afforded the employee registered.
NOTE: It is highly recommended that Windows naming
conventions be standardized and one adhere to a
first name dot last name format, i.e. Willie.Nillie,
to correlate directly to a specific and unique account
manager.
2. PINS and/or passwords will be changed at a minimum of
every 90 days and will always require immediate changing when a
UNCLASSIFIED//FOR OFFICIAL USE ONLY
2-20
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
compromise or suspected compromise is discovered. A backup must
be performed and new SF-700s filled out in conjunction with
MGC/AKP pin or password changes.
NOTE: If not operationally feasible (i.e. submarines
or accounts which operate with different crews (gold,
blue, etc…) for a password to be changed within 90
days, it must be changed at first login thereafter.
3. Passwords required by a single person occupying more
than one position/role within an account may be recorded on a
single SF-700. Example: A KOAM requires a Windows password, a
password for his/her own Token, a password for another token if
they are the TSO/SO for other tokens and a password for the CPA
account if the incumbent is performing the duties of the CPA.
4. Passwords associated with the KOV-29 may be 8 – 20
characters in length and must include uppercase, lowercase,
numbers and special characters.
5. The Token SO is responsible for proper control,
management and security of the SO account password for each
token they manage.
6. The use of a single password is permitted for KOV-29s
managed by the Token SO.
7. When a new Token SO is appointed, a new password must
be created and implemented for the tokens managed by the
previous Token SO.
8. In the event a KMI Manager, whose role requires a
token, forgets his or her password, the Token SO can, in the
presence of the KOAM, perform a password reset. The performing
of a password reset requires confirmation from the KMI Manager
the token has been under proper control at all times and never
subjected to possible unauthorized access.
9. Token SOs are required to have a compromise recovery
plan (CRP) for KOV-29s associated with the Token SO password.
The CRP must include revocation procedures in the event of a
lost token. The CRP must be incorporated into the command’s
local COMSEC policy and must be verified and exercised annually
for accuracy, awareness and feasibility purposes.
10.
The MGC is configured to lock-out an account after
UNCLASSIFIED//FOR OFFICIAL USE ONLY
2-21
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
three failed logon attempts. Should this occur, contact the CPA
to have the account unlocked or password reset.
217. PACKAGING, SHIPPING AND TRANSPORTATION OF COMSEC MATERIAL
AND EQUIPMENT.
a. Packaging, shipping and transporting of COMSEC material
will be in accordance with EKMS-1(series) Articles 525 – 535.
For ease in referencing purposes, a quick matrix is located on
the following page.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
2-22
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
SHIPPING QUICK REFERENCE MATRIX
Shipping
Method
Top
Secret/
Secret
material
marked
“crypto”
or items
with
classified
logic or
algorithms
Confidential
material
marked
“crypto”
Unclas
material
marked
“crypto”
TS/Secret
Equipment
(not
designated
as CCI)
CCI (unclas,
not keyed)
(See Note 4)
DCS
YES
YES
YES
YES
SDCS
Designated
and cleared
couriers
Commercial
Carrier
(PSS/Ground)
Commercial
Carrier
USPS
(Registered
Mail)
USPS
(Express
Mail)
Navy Supply
System,
Military Air
(AMC,
LOGAIR,
QUICKTRANS,
etc…)
YES
YES
YES
YES
YES
YES
YES
YES
YES (OCONUS,
when other
approved
methods are
not
available or
will not
meet mission
requirement)
YES
YES
NO
YES
YES
YES
YES
YES (Note
5)
NO
NO
NO
YES
YES
(See Note 1)
YES
(See Note 6)
NO
NO
YES (See
Note 2)
YES
NO
NO
NO
NO
YES (See
Note 3)
NO
NO
NO
NO
NO
YES
NO
NO
Figure 2-2
UNCLASSIFIED//FOR OFFICIAL USE ONLY
2-23
MGC (with
drives
installed
and KMI
software
on them)
or MGC
hard
drives
without
the MGC
but with
KMI
software
on them;
AKP,
AKPREINIT
Flash
Drives
YES
YES
YES
NO
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
DCS = Defense Courier Service, SDCS = State Department Courier
Service, PSS = Protective Security Services. United States
Postal Service = USPS.
Registered Mail must not pass through a
foreign postal system or be subject to foreign inspection.
Material shipped to APO/FPO addresses does not pass through a
foreign postal system.
NOTES: (1) See EKMS-1(series) Article 535 for additional
information, restrictions and notification requirements.
(2) See EKMS-1(series) Article 530.a.3 for
additional information and restrictions.
(3) The shipper must obtain assurance from U.S.
Postal Service authorities that the material will receive
continuous electronic or manual tracking to the point of
delivery and a recipient‘s signature must be obtained.
Material must be introduced into the postal system acrossthe-counter at a U.S. Postal Service Facility; the use of
postal drop boxes are not authorized.
(4) Equipment which makes use of CIKS, PINS, or
passwords is considered unclassified when these items are
removed and shipped separately from the device. Devices
should always be shipped in a zeroized state however,
should mission requirements necessitate loading the device
prior to shipment, associated CIKS, PINS, or passwords MUST
be shipped separately. If any of these items are shipped
with the equipment, it must be reported in accordance with
Chapter 8. FTRs are classified SECRET and must never be
shipped with the associated equipment.
(5) CONUS ground transportation only
(6) USPS Registered Mail cannot be used to ship CCI
containing lithium batteries to/from an APO/FPO address if
the size, quantity or lithium content of the batteries
exceed the limits in the International Mail Manual or
Domestic Mail Manual (IMM/DMM).
b. Courier personnel must have current, written
authorization in the form of official travel orders or a DD-2501
or DHS 11000-1 from their organization. The authorization must
be retained on the person at all times when performing duties of
a courier.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
2-24
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
c. A list of commercial carriers offering PSS services may
be requested from the Surface Deployment and Distribution
Command (SDDC).
219.
SOFTWARE UPGRADES
a. Software upgrades will not be performed on COMSEC
equipment by any DON accounts until the software is approved by
NSA, has been tested and validated by the In-Service Engineering
Activity (ISEA) and is approved for installation by NCMS or the
Marine Corps Tactical Systems Support Activity (MCTSSA), for
USMC accounts.
b. When approved via official message from NCMS or
MARFORSYSCOM (USMC accounts only), commands must ensure
compliance with the upgrade and report such no later than the
established compliance date.
c. With exception to software distributed by NSA, including
Information Assurance Vulnerability Assessment (IAVA) patches
posted to the Product Availability Library (PAL), the INFOSEC
web site is the only authorized source for software upgrades by
DON accounts.
d. When warranted due to operational requirements, Program
Managers (i.e. ADNS, GCCS-M, ISNS, JWICS, etc…) may request a
waiver or extension via official message to MARFORSYSCOM or
COMNAVIDFOR, as applicable, with NCMS as an info addee on the
request. Neither individual units nor Program Managers will
submit waiver requests directly to NSA.
e. Procedures which violate other IA regulations will not be
used for performing software upgrades (i.e. use of personally
owned computers or thumb drives) by DON accounts.
f. NCMS approval is NOT required to download and install
IAVA patches from the PAL. All units are responsible for
compliance and proper reporting of IAVA compliance.
221.
EQUIPMENT FAILURES
a. Requests for assistance in troubleshooting MGC/AKP
related system failures or problems will be directed to SPAWAR
Systems Center Atlantic.
b.
Regardless of warranty status, under no circumstances
UNCLASSIFIED//FOR OFFICIAL USE ONLY
2-25
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
will a MGC with the hard drive(s) inserted or a MGC hard drive
on which KMI software has been installed be shipped to a vendor
or factory.
c. Each DON COMSEC Account were provided four hard drives
for the MGC. Two of the drives have KMI software pre-installed
on them and are COMSEC accountable. The other two hard drives
are spares without KMI software installed on them; without the
KMI software installed the drives are unclassified and not
COMSEC accountable. If required for use, as directed by the Help
Desk, if KMI software is installed on a spare hard drive, the
drive must be possessed and brought into CMCS accountability.
COR (SERVAUTH) approval is not required to possess the hard
drives but the possession must be reported to the COR.
d. The MGC operates in a Redundant Array of Independent
Disks (RAID) 1 configuration in which the (2) hard drives are
mirrored. Failure of single hard drive will not prevent the
device from operating properly.
e. The failed drive should be reported to SPAWAR, NCMS and
the unit’s ISIC in the form of a message requesting disposition
instructions for the failed drive. The message must include the
Help Desk Ticket # and date of the call or email to the Help
Desk.
f. Upon authorization in writing from NCMS, failed drives
will be destroyed locally in accordance with the NSA EPL and
Naval Technical Directive (NTD) 03-11, Disposal of Navy Computer
Hard Drives or shipped to the NSA Classified Material Conversion
(CMC) for destruction. When authorized, destruction of
equipment must be carried out within 90 days of the
authorization and must be reported to the COR. If the
destruction is not carried out and reported within 90 days,
document the matter as late destruction in accordance with
Chapter 8.
g. Defective or inoperable KOV-29s, must be disposed of in
accordance with EKMS-5 (series).
h. Prior to shipping, the KOV-29 must be zeroized when
possible and the associated IA(I) and IA(M) certificates
revoked.
223.
SECURITY AND STORAGE OF COMSEC MATERIAL
UNCLASSIFIED//FOR OFFICIAL USE ONLY
2-26
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
a. COMSEC Facilities. Regardless of the type of facility,
whether a fixed COMSEC facility, unattended or contingency fixed
secure telecommunications facility, fixed secure subscriber
facility, transportable and mobile facility, or DoD Bulk
Encryption Facility, each facility must be approved to hold
classified material PRIOR to its installation, use, or storage
as discussed below. A complete description of each type of
facility, applicable security requirements and further guidance
may be found in EKMS-1(series) Articles 550 – 575.
1. COMSEC equipment or keying material will only be
installed, used or stored in containers or spaces approved up to
or higher than the highest classification of material used or
stored in the space/container. Such approval must be in writing
by the Cognizant Security Official (CSM, Physical Security
Officer, and Special Security Officer (SSO)) PRIOR to the
installation and/or storage, as applicable.
2. Any facility or container must be re-inspected at a
minimum of biennially, or when any modifications or repairs are
conducted to the container, locking mechanism or facility, or
when reoccupied after being temporarily abandoned. Additional
or periodic inspections will be conducted based on geographical
location of the facility (CONUS vs. OCONUS), threat, and
sensitivity of the facility, materials and operational
requirements and past security concerns, discrepancies or
potential vulnerabilities. Unattended facilities must be
physically inspected every 30 days by U.S. personnel responsible
for the facility.
3. Prior to activation, in addition to the required
Physical Security Inspection, a general COMSEC inspection is
required. The general COMSEC inspection will review facility
Standard Operating Procedures (SOPs), to ensure procedures which
minimize risk to personnel and ensure the security of materials
used are in place and address both routine and emergency
destruction procedures.
4. Initial facility approvals for COMSEC vaults used to
store keying material or SCIFs will be conducted by an
Accrediting Official (AO) in accordance with ICD 705.
5. Shore-based COMSEC vaults used to store keying material
that are modified or constructed after the date of promulgation
of this manual will be constructed in accordance with
Intelligence Community Directive (ICD) 705 adhering to the
UNCLASSIFIED//FOR OFFICIAL USE ONLY
2-27
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
criteria and associated checklist in the Intelligence Community
Policy Guidance (ICPG) 705.1 or later version.
6. Existing vaults which have not been modified and vaults
onboard afloat units may continue to operate under the criteria
previously established in EKMS-1(series) Annex N.
7. A daily security checklist (SF-701) is required for
spaces where classified material is used, whether manned 24
hours a day or not, and proper securing of materials and
security containers will be verified once per watch or at the
end of the work day prior to departure and reflected on the SF701 for the space. SF-701s will not be used in lieu of other
inventory documents required herein and will be retained for a
minimum of 30 days beyond the last date recorded.
8. Access to spaces where classified material is used
and/or stored will be restricted to properly cleared personnel,
whose official duties require access to the space. Such
personnel, including newly reported personnel must be reflected
on a formal access list for the space or logged in/out of a
visitor’s register.
9. Uncleared personnel who must enter the space for
official functions such as space surveys or maintenance must be
escorted at all times by authorized personnel. Prior to
entrance, the space will be sanitized and classified material
covered or properly stored to prevent unauthorized viewing.
10. All visitors’ logs will reflect the date and time of
both arrival and departure, the printed name and signature of
the visitor, the purpose of the visit and the signature of the
official admitting the visitor. Visitor’s logs will be reviewed
periodically at the unit level for proper maintenance, and
during visits and audits. Logs will be closed out annually and
must be retained for one year. A new log will be implemented
for each facility/space for each calendar year.
b. Security Containers. COMSEC material not required for
use and under the direct control of appropriately cleared and
authorized personnel will be secured in a GSA-approved container
or Class-5 vault door equipped with a FF-L-2740 or higher
locking mechanism, which will be locked, verified and documented
on a SF-702 when not in use. For TPI containers, a separate SF702 will be used for each combination. SF-702s will be retained
for 30 days beyond the last date recorded.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
2-28
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
1. If the container or vault is protecting Top Secret
keying material, the locking mechanism will be programmed with
two different combinations. No single person will change or
have knowledge of both combinations. Combinations associated
with containers or vault doors at the account or LE Issuing
level will be restricted to account or LE Issuing personnel, as
applicable.
2. Combinations will be changed when a lock is initially
put in use or has been taken out of service; when someone with
knowledge of the combination is reassigned, transfers or
separates; when suspected to have been compromised or biennially
if not sooner based on the other criteria addressed herein.
3. Combinations will be stored on SF-700s and will NOT be
written down on other forms or documents (wheel books,
electronic devices, etc...)
4. A separate SF-700 (Record of Combination) is required
for each combination programmed. SF-700s are classified based
on the highest classification of material protected by the
container and locking mechanism (i.e., if the container is used
to store Top Secret, Secret and Confidential material, the SF700 will be classified Top Secret).
5. Completed SF-700s will be sealed in laminating paper or
tamper indicating envelopes.
6. Part 1 of the SF-700 is NOT considered or to be marked
as classified; it is considered Personally Identifiable
Information (PII).
Part 1 will still reflect the names,
addresses and telephone numbers of authorized holders of the
combination to contact them immediately, if discovered unsecured
and will be posted inside the door (vault) or safe (as
applicable) but must be sealed in an opaque envelope and labeled
“Security Container Information” prior to affixing it to vault
door or container. If Part 1 is unsealed, it must be resealed
no later than the following working day.
7. Part 2 is used to protect Part 2A; both must be labeled
with the highest classification of materials protected by the
combination and will reflect “Derived from: 32 CFR
2001.80(d)(3)” and declassification instructions “Upon Change of
Combination”. Part 2A will be placed inside of aluminum foil
prior to storing it in Part 2. The adhesive seam on Part 2 will
be signed and dated by the person sealing the envelope and
UNCLASSIFIED//FOR OFFICIAL USE ONLY
2-29
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
laminated afterwards.
8. To facilitate timely implementation of emergency
action, when directed, SF-700s will be stored in a central
location within the command; the container must be GSA approved
and approved for storage up to the highest level of the SF700(s) stored in it. SF-700s which are properly laminated and
sealed do NOT require TPI handling or storage.
9. An inventory document must be created and used to
inspect SF-700s at a minimum of monthly or sooner, if a
combination is changed and the SF-700 updated. The inventory
will list, the Dept/Division responsible for the container, the
container number, the location of the container, date the
combination was last changed and the signature of the person
inventorying/inspecting the SF-700s.
10. The Commanding Officer or other designated command
personnel (Command Duty Officer, Security Manager, etc….) may
direct the emergency opening of any container within the
command. Such will be conducted in the presence of two properly
cleared personnel and the personnel responsible for the
materials protected by the container or vault, as applicable
MUST conduct an inventory, report any material which may not be
accountable, change the combinations and update the SF-700s.
11. An OF-89 must be prepared and posted in any security
container used to store classified material. Any repairs to the
container MUST be recorded on it. It is a permanent record to
be maintained with the container. Commands acquiring new
containers must ensure they are GSA-approved, equipped with the
FF-L-2740 or higher locking mechanism and that an OF-89 is
prepared and posted for the container.
c. Residential Storage. Classified material will not be
brought to or stored in a private residence without the consent
of the Commanding Officer and the following approvals or
compliance measures in place prior to installation or storage;
1. Approval by the appropriate level of the unit’s chain
of command as set forth in Chapter 10 to SECNAV M5510.36.
2.
To satisfy critical operational requirements.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
2-30
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
3. The request fully complies with Article 10-10 to SECNAV
M5510.36, Naval Technical Directive (NTD 03-09), DOD 5200.01 and
local, ISIC or TYCOM directives.
4. A GSA-approved security container is required prior to
issuance of any materials and the combination will be restricted
to the individual responsible for the materials. CIKS, KSV-21
cards, TALON cards, etc… will be secured in the container when
not in use, a SF-702 will be used to document openings and
closings, and an OF-89 must be created and affixed inside the
container.
5. If approved, keying material issued will be limited to
a 30 days’ worth and will be issued to DTD, SKL or other
electronic storage device.
Any storage device provided is
subject to annual re-initialization and monthly audit trail
reviews. Failure to have the device reinitialized or make such
available for audit trail reviews monthly or more frequently
will be reported as a COMSEC incident.
6. Unauthorized personnel will not have access to
classified material nor will CIKS, storage devices or KSV-21
cards be left out when not in use. A STE may be used
occasionally by uncleared personnel, but only when the card is
removed and either under the direct control of the person to
whom it is issued or stored in a security container. Any
instance of unauthorized access, including to a STE with the
card inserted must be reported in accordance with Chapter 8.
d. Segregation of Material. COMSEC material will be stored,
safeguarded and handled based on the classification of the
material. Other classified or unclassified non-COMSEC material
will not be stored with COMSEC material. Material will be
segregated based on classification and status of the material to
facilitate emergency destruction, when directed. NATO material
may be stored with other COMSEC material of the same
classification.
At the account level, in addition to segregation by
classification, material will be segregated based on the status
of the material, i.e. effective, reserve on board (by effective
period, i.e. 1st month, 2nd month, 3rd month) and superseded
(typically pending end of the month destruction).
e.
Two Person Integrity (TPI).
UNCLASSIFIED//FOR OFFICIAL USE ONLY
2-31
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
1. TPI handling requires that at least two persons,
who are authorized access to COMSEC keying material, be in
constant view of each other and the COMSEC material requiring
TPI whenever that material is accessed and handled. Each
individual must be capable of detecting incorrect or
unauthorized security procedures with respect to the task being
performed.
2. TPI storage requires the use of two approved
combination locks (each with a different combination) with no
one person authorized access to both combinations.
3. TPI is required for any of following materials and or
scenarios:
a.
Top Secret keying material or designated “crypto”
b. Fill devices (DTD, SKL, TKL, etc…) storing Top Secret
keying material (when the associated CIK is also present or
accessible)
c. Equipment which generates or is loaded with Top
Secret keying material which permits extraction of key
d. The AKP if the account’s HCI is Top Secret, when (2)
personnel with Top Secret accounts on the MGC/AKP are logged on
e.
AKPREINIT 1 and AKPREINIT 2 Flash Drives
f. When picking up material from DCS, if the account’s
HCI is Top Secret or when picking up Top Secret material moved
via an account to account transfer
g.
When Top Secret key is passed via OTAD or OTAT
h. Legacy fill devices or fill devices with CIKS (DTD,
SKL, TKL, etc…) inserted or accessible in spaces where equipment
which permits extraction of key is used or installed.
4.
TPI is not required for any of the following:
a. Handling, storage and access to SECRET COMSEC
material regardless of crypto designation (with exception to
AKPREINIT 1 and AKPREINIT 2 Flash Drives)
b.
CCI keyed with Top Secret key or CIKS associated with
UNCLASSIFIED//FOR OFFICIAL USE ONLY
2-32
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
equipment which does not permit extraction of key (this does NOT
include fill devices, i.e. DTDs, SKLs, etc… storing Top Secret
key when the CIK is inserted or accessible)
c. Units engaged in tactical exercises, operational
field exercises or in a combat environment
d. Flag (CINC) communicators operationally deployed away
from their primary headquarters
e. The loading of CCI equipment onboard an aircraft;
TPI is required up to the flight-line boundary when transporting
the material.
f. CRFs and training facilities (school houses) where
operational keying material is not used
g. A Top Secret DTD CIK when placed in an Air Crew comm
box locked with TPI approved combination locks (While in flight,
a Top Secret DTD CIK may be stored in a single-lock container
onboard the aircraft)
UNCLASSIFIED//FOR OFFICIAL USE ONLY
2-33
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
CHAPTER 3 - PRIVILEGE MANAGEMENT: SEPARATION OF DUTIES, ROLES,
EXCLUSIONS, REGISTRATION, ENROLLMENT AND ACTIVATION
301.
SEPARATION OF DUTIES.
Within the KMI, to ensure access is limited to properly cleared
and appointed personnel and in order to prevent the assignment
of operators and security auditors to the same positions, role
exclusions are used and apply to most, if not all, associated
positions. These principles are commonly referred to as
“separation of duties.”
a. Separation of duties are known as exclusions and are
enforced by policy and/or Rule Based Access Control/Role Based
Access Control (RuBAC/RoBAC) within the KMI program. Eligibility
Authorities (EAs) and Enrollment Managers (EMs) must be careful
in reviewing exclusions prior to appointing and enrolling users
in multiple roles.
(1) RoBAC – In RoBAC, system privileges are associated
with operational management roles.
(2) RuBAC – The RuBAC processes constrain the actions of
role-based privileges in the context of a specific session and
specific resource objects.
303.
ROLE EXCLUSIONS
a. Role Exclusions and Types: Within KMI, there are three
types of exclusions: Lifetime, Concurrent, and Limited.
(1) Lifetime exclusions prevent a user who has held a
specific role from ever occupying an excluded role. This
includes instances in which the person is no longer enrolled to
perform the previously assigned role.
(2)
Concurrent exclusions prohibit a user from holding
two different roles simultaneously where separation of duty
(role exclusion) is required.
(3)
Limited exclusions prohibit a user from performing
functions for a singular identity related to two different roles
for a specific process and will prohibit an individual from
performing functions related to oneself.
305.
KMI ROLE EXCLUSION LISTING
UNCLASSIFIED//FOR OFFICIAL USE ONLY
3-1
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
a. Some common KMI role exclusions include but are not
limited to:
1. A CPA role cannot concurrently hold the CPSO role.
2. A CPSO cannot concurrently hold the role of a CPA,
KOAM (or Alternate) and vice versa.
3. The TSO/SO cannot be the TSO/SO for their own token.
NOTE: A complete listing of role exclusions can be found
in the Process Security Doctrine for the Enrollment of Key
Management (KMI) Managers.
307.
KOA REGISTRATION (OVERVIEW)
KOAs are uniquely identified in order to control their
functions through attributes that are requested, approved and
assigned by a KOA Registration Manager (KOARM). Account
registration requires at least two registered users to provide
authorization for the establishment of an account in order to
ensure integrity of KMI system.
309.
KOA REGISTRATION DATA.
a. KOA Registration Data is the set of data values
maintained by the KMI for managing a KOA. Each KOA is
established through the registration process which records
administrative data for the account.
b.
same.
The registration process for a KOA and User are not the
c. When a KOA is established, the system performs a
replication with the EKMS account information contained in the
Common Tier 1 (CT-1) database therefore, accounts must ensure
their Common Account Data (CAD) is up-to-date and accurate prior
to transitioning to KMI and when account management changes.
d. Registration of a new KOA or a Change in Primary KOAM
requires the completion, verification and submission of a KMI
Form 003. Registration and enrollment of personnel requires
completion, verification and submission of KMI Form 001 and 002.
e. It is recommended forms requiring submission to the EA
Proxy be digitally signed when possible; if not possible
physical documents with a wet signature is acceptable.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
3-2
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
311.
HUMAN USER (PERSONNEL) REGISTRATION
When a Human User is registered, the KMI must verify the
identity’s authenticity in that the person has the right to
claim the identity being registered and has been authorized to
do so. Their eligibility is qualified and needs to be
registered. Human (Personnel) Registration and Enrollment must
be completed before the KOA is able to be registered.
Applicants may submit KMI Forms 001,002 and, 003 all at once.
313.
KMI PERSONNEL REGISTRATION FORM, KMI FORM 001
a. The applicant and EA at the command must complete Part 1
and 2 of KMI Form 001. The EA Proxy at NCMS will complete the
EA Eligibility Authority’s Proxy’s Identifying Information and
the Eligibility Authority’s Proxy’s Contact Information on the
form.
b. The KMI Form 001 is in .pdf format and must be viewed and
completed online to enable full viewing and selection of options
available using the drop down menus. Incomplete forms will not
be accepted and will be returned to the EA for review.
NOTE: The command level EA will be the Commanding Officer,
Officer-in-Charge or other designated security personnel
(Security Manager or SSO). They are responsible for
verifying security clearance information for assigned
personnel and conducting a physical review of the required
two forms of identification presented. An applicant
requesting registration in KMI cannot be their own EA if
such personnel are performing other duties in which they
have access to security clearance data.
c. In addition to verification of the information filled out
by the applicant contained in Part 1 of the KMI Form 001,
physical verification of the identification sources presented,
the EA is responsible for completing Part 2 of the KMI Form 001.
d. The applicant must provide two (2) forms of personal
identification documents to the EA as proof of identification
and verification.
e. Below you will find examples of evidence of authenticity
and eligibility.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
3-3
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
Source
U.S. Passport
Certificate of U.S.
Citizenship Form N560/561
Certificate of Naturalization
Form N550/N570
U.S. Driver’s License or
State ID (*)
Military ID card (*)
Identity
Establishment
X
X
Employment
Eligibility
X
X
X
X
X
X
FIGURE 3-1
Additional forms of acceptable identification for verification
purposes may be found in the Process Security Doctrine [DOC-04312].
f. Contact the EA Proxy at NCMS prior to submission of any
completed KMI Form containing PII and request an individual
email address to send the form to for review and processing.
NOTE: The KMI form contains PII and MUST BE digitally
signed AND encrypted. The unencrypted passing of
documents, including emails containing PII must be reported
as a PII breach per DON CIO guidance.
g. The EA proxy will respond within 72 hours and provide an
individual email for the unit to send the completed, signed and
encrypted KMI Form 001 to.
h. Upon verification of the information, NCMS will submit the
KMI Form 001 to the PRM at NSA for processing.
i. Once the information has been entered into KMI, the PRM
will:
(1) Verify that the registration request came from a valid
EA Proxy.
(2)
Submit One-Time Pin order to Site 1 for processing.
(3) Site 1 will send the One-Time Pin to the users email
address reflected on the KMI Form 001.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
3-4
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
(4) At the completion of the personnel registration phase,
notify the EA Proxy that the registration was completed and a
One-Time Pin was ordered for the applicant.
j. DON commands are not authorized to submit required KMI
forms directly to NSA; doing so will delay registration,
enrollment, account establishment or transition, as applicable.
NOTE: Additional information related to Human User
Registration can be found in the Registration of KMI
Operating Accounts and KMI User’s Manual and the Operations
and Maintenance Manual (OMM) for the KMI Client Node
located at the URL in Annex F.
315. ENROLLMENT PROCESS - KMI PERSONNEL ENROLLMENT FORM, KMI
FORM 002
a. The process of assigning a management role(s) to a
registered human user is called Enrollment and is carried out by
an Enrollment Manager (EM). Each service or agency will be a
part of an Enrollment Domain and will have individual(s)
enrolled as an Enrollment Manager. They in turn will associate
roles and assign attributes to other managers within their
domain. The Enrollment Manager function resides at NCMS.
b. Human (personnel) registration must be accomplished prior
to a user being enrolled in KMI. The human user must complete
applicable training set forth in Chapter 6. Training
requirements differ and are based on the roles the individual
will fulfill.
c. New applicants will fill out Part 2 - Candidate
Information section of the KMI Personnel Enrollment Form (KMI
Form 002) and will select the roles to be assigned. The KMI
form 002 is in .pdf format, and must be viewed and completed
online to enable full viewing and selection of options available
using the drop down menus.
d. The Eligibility Authority (EA) must fill out Part 1 – the
Eligibility Authority Information section of KMI form 002 and
verify the training and certification(s) required for the
specific role(s) has been completed through verification of the
training certificate. The Enrollment Manager (EM) cannot
proceed with the enrollment process without proof of completed
training as indicated in Part 2 of the KMI form 002, except as
indicated in the preceding section herein; the form will be
UNCLASSIFIED//FOR OFFICIAL USE ONLY
3-5
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
returned to Eligibility Authority for review. In the event
formal training cannot be accomplished prior to appointment, the
EA will follow the guidelines listed below:
(1)
In extenuating circumstances, such as an unplanned
loss, hospitalization, death, or immediate Relief for Cause of
Account personnel, the unit may request a waiver from NCMS to
the formal training requirement until mission tasking and quota
availability permit attendance. With an approved, official
waiver, the EA may complete the KMI Form 002 through citing the
originator and DTG of the waiver prior to submission of the KMI
Form 002.
(2) Personnel appointed, registered and enrolled based on a
Service Authority waiver must review and understand the TwoPerson Integrity (TPI) section of Lesson 25 "KMI MGC Operator
Training Key Distribution". They will not have a Windows useraccount on the MGC and will only be permitted access to the
MGC/AKP in the role of a "witness or 2nd person" for functions
requiring TPI.
e. Contact the Enrollment Manager at NCMS prior to
submission of the completed KMI Form and request an individual
email address the form may be sent to for review and processing.
NOTE: The form contains PII and MUST BE digitally signed
AND encrypted. The unencrypted passing of documents,
including emails containing PII must be reported as a PII
breach per DON CIO guidance.
f. The Enrollment Manager will respond within 72 hours and
provide an individual email for the unit to send the completed,
signed and encrypted form to at NCMS.
(1) The Enrollment Manager (EM) must re-verify the
accuracy and completeness of the form prior to entering the
enrollment information into KMI.
(2) Upon completion of the enrollment action, the EM will
notify the EA reflected on the KMI Form 002.
(3) Upon receipt of the email, the user/applicant will be
able to perform the roles requested in KMI (provided they have a
personalized token).
UNCLASSIFIED//FOR OFFICIAL USE ONLY
3-6
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
NOTE: Users may be required to log in and out more than
once or remove the tokens association from the MGC and reintroduce the token to the MGC again before the new roles
become effective.
g. Each account must identify and designate personnel to
perform the following roles: KOAM (Primary and Alternate),
Product Requestor (PR), DLT1RA, PLT1RA, DRM, CPA and an assigned
CPSO. Role exclusions should be reviewed prior to role
assignment.
h. The roles below ill only be performed at the PRSN, CSN or
PSN, and not at the unit/ Client Node level.
(1)
(2)
(3)
(4)
(5)
(6)
(7)
(8)
(9)
(10)
(11)
317.
ASWR Manager
Audit Data Manager
Security Configuration Manager
Incident Response Manager
Platform/Network Manager
Archive Manager
Backup Manager
Database Administrator
Accounting Data Manager
Tracking Data Manager
Help Desk Manager
ROLES SUPPORTING KOA REGISTRATION
a. To complete KOA registration, KMI supports the following
roles:
1. KMI Operating Account (KOA) Sponsor – Any person in the
organizational chain-of-command authorized to determine and
approve the KMI registration of a KOA.
2. KMI Operating Account Registration Manager (KOARM) –
The management role responsible for registration of KOAs.
Within the DON, the duties of the KOARM will be performed at
NCMS.
3. KOAM – The management role responsible for operating an
account.
319. ACCOUNT REGISTRATION- COMSEC ACCOUNT DATA FOR KMI
REGISTRATION, KMI FORM 003
UNCLASSIFIED//FOR OFFICIAL USE ONLY
3-7
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
a. Registration of a KOA requires submission of a properly
completed KMI Form 003 by the command.
(1) KMI Form 003 is in .pdf format and must be viewed and
completed online to enable full viewing and selection of options
available using the drop down menus.
(2) Upon completion and verification of the
completed KMI Form 003, contact the EA Proxy at NCMS to obtain
an individual email address to submit the KMI Form 003 to.
(3) NCMS will respond within 3 business days and provide
an individual email address for the unit to send the completed,
signed and encrypted form to. The form contains PII and MUST be
digitally signed AND encrypted. Failure to do so will be
reported as a PII breach per DON CIO PII policy.
b.
The KOARM will:
(1) Verify that the registration request came from a valid
KOA Sponsor.
(2) Retain the Sponsor-provided KMI Form 003 either
electronically or in hardcopy form for a minimum of seven (7)
years.
(3) At the completion of the KOA registration, notify the
KOA Sponsor who submitted the request.
c. Accuracy of the registration data cannot be
overemphasized as the primary KOAM is assigned to the account
during the registration process.
d. KOAMs must be registered and enrolled through completion
and submission of a KMI Form 001 and KMI Form 002 before they
can be assigned to the KOA and activate the Type 1 Token
discussed later in this chapter.
e. Establishment of an account is not related to validation
and acquisition of required equipment, keying material, or
manuals. The account manager and ISIC must ensure compliance
with other related actions set forth in Chapter 4 of EKMS1(series), including obtaining facility approval prior to the
establishment of the account and material being distributed to
the account. A matrix can be found in Figure 4-1 and 4-2
illustrating organizations with cognizance in validation and
UNCLASSIFIED//FOR OFFICIAL USE ONLY
3-8
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
allowance matters.
321. HUMAN (Person) USER ACTIVATION.
Registration of a human user who will authenticate with a U.S.
Type 1 PKI is not completed until a Registration Authority (e.g.
PLT1RA) completes the activation process. Human User
Activation, also known as Token Personalization, requires
examination and verification of authenticity and eligibility,
based on a face-to-face meeting of the User being registered
with the PLT1RA, and the production of an identifier credential
loaded as mission material onto a Type 1 Token. The activation
phase personalizes the Type 1 Token by cryptographically
associating it with a specific Human User.
a. Each human identity for which the U.S. Government Type 1
PKI is the authentication method is independently verified in a
face to face meeting between the PLT1RA and the user.
b. To personalize a token for a Human User, a PLT1RA assigns
a KMI-unique identifier for that token user, requests Type 1 PKI
authentication material for the identifier, and directs that the
material be loaded into the token as IA(M) Type 1 Certificates
and keying material. The PLT1RA must enter the Token SO
password before requesting the establishment of Type 1
Authentication Material (i.e. Type 1 private key) on a Type 1
Token, and the generation and loading of an associated Type 1
Identifier Credential (i.e. Type 1 public key certificate) for
an existing specific User Identifier of a currently registered
Human User who is to be the Token Holder.
NOTE: A Token Holder is an individual Human User who is
accountable for the use of a specific token, including use
of the Authentication Material and other security-sensitive
material that is carried by the token.
c. The Human User must appear in person with the PLT1RA and
present the same 2 forms of identification originally presented
to the EA as proof of identification as well as present the
PLT1RA with a hard copy of the one-time-pin showing issuance of
their identity and a completed KMI Users Agreement KMI Form 004
that is maintained at the KOA.
d. The PLT1RA must review, compare, and visually inspect the
user provided ID documents in the presence of the Human User
presenting them to ensure the person is who he/she claims to be
UNCLASSIFIED//FOR OFFICIAL USE ONLY
3-9
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
and authenticate the identity documents and sources as genuine
and unaltered. The PLT1RA must also:
(1) Match the User-provided ID documents against the
Evidence Information recorded by the PRM to further ensure that
the person is who he/she claims to be.
(2) Match the user provided ID documents against the name
printed on the one-time PIN document.
(3) Save an electronic image of the User-provided ID
documents and the KMI Form 004 to the KMI Management Client
(MGC) for retention for a minimum of seven (7) years.
(4) Only personalize a Token that shows no signs of tamper
or damage.
(5) Only personalize a Token intended for KMI use and
provided through KMI channels.
(6)
Change the Token SO Password.
(7) Report any discrepancies or failures to the EA
identified for the Human User.
323.
DEVICE REGISTRATION PROCESS
During the registration process, the User Identity is
initialized in the KMI for a System Entity authorized to access
the KMI. The process associates a User Identifier with the
identity and provides the User with the required Authentication
Material associated with the Identifier Credential.
Registration is designed to register and make operational both
users and devices in KMI. This is the device portion and
involves a three-step process:
(a) Initialization – Records identities and identifiers in
the system for both humans and devices to establish both the
identifier and authentication method.
(b) Endorsement – Independently verifies Device Identities
and provides devices with certificates and keying material
needed to interact with KMI.
(c) Activation – Makes devices operationally ready by loading
UNCLASSIFIED//FOR OFFICIAL USE ONLY
3-10
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
them with certificates and keying material needed to perform
their mission.
325.
DEVICE USER INITIALIZATION
a. KMI-Aware devices will be registered to have only one
global identity. The device initialization can be separated
into two logical steps that are performed sequentially. The
first step establishes the Device’s Identity and Identifier in
the KMI system and the second step loads a Transport IA(I) Type
1 certificate based on the Identity of the Device.
b.
Roles required to register a Device:
(1)
(2)
(3)
(4)
EA
DRM
Device Sponsor
DLT1RA
NOTES 1: The Device Sponsor must be an active primary KOAM
and have submitted a completed Device
Sponsor Agreement,
KMI Form 007, to the DRM. If the Device Sponsor is
performing other roles/functions, additional training and
documentation requirements may be required.
2: With a signed KMI Form 007 from another unit’s
KOAM and acceptance of the transferred sponsorship, the
Primary KOAM can transfer the DRM sponsorship of a device.
Pending establishment of an in-band process where
electronic acceptance of responsibilities as the DRM for a
device in which sponsorship is transferred, the
transferring unit may use the KMI Form 007 (Acceptance and
Acknowledgement of Responsibilities) form to document
sponsorship transfers.
c. To establish a Device’s User Identity/Identifier in KMI,
the EA must submit a completed KMI Device Registration Form, KMI
Form 006, attesting to the Device’s eligibility for KMI
registration for review and submission to the DRM.
d.
The DRM will then perform the following:
(1) Verify the authenticity and eligibility of the
identity, i.e., the User has the right to claim; the identity
being registered; the User has been authorized to be registered;
the identity is qualified to be registered; and the identity
UNCLASSIFIED//FOR OFFICIAL USE ONLY
3-11
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
needs to be registered.
(2) Verify the registration request came from a valid EA.
Due to the limited role exclusions set forth in KMI related
doctrine, the DRM and EA cannot be the same person for the
action requested in the KMI Form 006 submitted.
(3) Retain the EA-provided KMI Form 006 electronically or
in hardcopy form for a minimum of seven (7) years.
(4)
Verify the device identity (serial number).
(5) Personally examine (i.e. face-to-device) the physical
security integrity of the Device.
(6) Accurately enter the KMI-required registration
information into the KMI system:
(a) Device Manufacturer
(b) Device Short Title
(c) Device Serial Number
(d) Information identifying the organization with
operational control of the device:
1.
2.
3.
Organization Name
Organizational Affiliation
Controlling Country
(e) Evidence (Usually the EA-provided KMI Form 006)
1.
2.
Community of Interest
Maximum Classification
(f) Accurately enter the KMI-required information
related to the EA into the KMI system:
1. Organization
2. Title
3. First and Last Name
4. Commercial Phone Number
5. Email address
6. Physical Mailing Address
7. Select the authentication method to be used for
the User Identifier.
(7)
Request and load the Transport IA (I) Type 1
UNCLASSIFIED//FOR OFFICIAL USE ONLY
3-12
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
certificate on the Device.
(8) Ensure the Device has a valid established
Identity/Identifier in the KMI system.
(9) Retain the KMI Form 007 for a minimum of seven (7)
years either electronically or in hardcopy form.
(10) Ensure the Device Sponsor has been properly identified
in the KMI system for the device.
(11) Set the Device User’s Identity Registration State and
Identifier Registration State to Active.
(12) Set the Security Officer (SO) Password for the Type-1
Token (KOV-29).
NOTE: Changes to a Device User’s Identity or Identifier
Registration State will only be performed if the request
is from an authorized EA, EA Proxy or Device Sponsor.
The reason for the change, whether routine or for cause
must be annotated at the time the action is taken.
(13) At the completion of the initialization phase of
identity registration, notify the EA or EA Proxy, as
applicable who requested the registration.
NOTE: Additional information related to Device
Registration can be found in the Registration of KMI
Operating Accounts and KMI Users and the OMM for the KMI
Client Node located at the URL in Annex F.
327. DEVICE ENDORSEMENT
a. The Endorsement phase is to provide authentication
material to KMI-aware devices. Only devices authenticating with
U.S. Type 1 PKI authentication material go through the device
endorsement phase as part of registration. During the
Endorsement phase, the DLT1RA will direct the conversion of a
Transport IA(I) Type 1 certificate and the loading of an
Operational IA(I) Type 1 certificate.
b. The EA must review all required information is reflected
in Part 2 to KMI Form 006, complete Part 1 of the form,
sign/date the document, and return it to the DLT1RA. This is
done to attest to the Device’s eligibility for endorsement in
KMI.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
3-13
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
c.
The DLT1RA will perform the following:
(1) Verify that the endorsement request has been signed
and dated by the EA, and the DLT1RA is not performing the duties
of the EA for the request being performed.
(2) Retain the EA-provided KMI Form 006 for a minimum of
seven (7) years either electronically or in hardcopy form.
(3)
Verify the device identity (Serial Number)
(4) Verify that the Device has a properly registered User
Identity with an authorized KMI-Unique User Identifier.
(5) Verify that the Device has an authorized User Device
Sponsor that is currently a Primary KOAM.
(6) Set the Device User’s Identity and Identifier
Registration state to Active.
(7) Only change the Device User’s Identity or Identifier
Registration State (i.e., Active to Inactive or Inactive to
Active) if the request is from an authorized EA or Device
Sponsor.
(8) When changing the Device User’s Identity or Identifier
state, record the reason for the change and designate the reason
as either “routine” or “for cause”.
(9) Personally (i.e. face-to-device) examine the physical
security integrity of the Device.
(10) At the completion of the endorsement phase of the
device registration, notify the EA who requested the
endorsement.
329.
DEVICE ACTIVATION
A user device other than a Token is activated upon
direction by the KOAM, through the loading of the required
mission certificates and keying material. The exact types of
material required depends on the type of device and supported
key fill methods.
331.
KMI ROLE MANAGEMENT.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
3-14
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
a. A role is a job title in the KMI system that has a
specified set of functional responsibilities within the system,
can be granted one or more privileges, and can have one or more
Users assigned to it.
b. KMI supports two categories of roles, one for operational
management and one for administrative functions. Operational
management roles directly involve the ordering, management,
distribution of products and services or supervision of those
functions. Operational managers use U.S. Government Type 1 PKI
authentication material and identifier credentials to
authenticate their identity to the system, and they obtain
authorizations for their actions through KMI’s role-based, rulebased, and approval-based access control mechanisms.
c. Administrative management roles do not directly involve
products and services, but these roles involve housekeeping
tasks that need to be done to support operational managers and
other authorized users. Examples of administrative functions
are installing and maintaining software, configuring accounts,
security auditing, and performing backup and recovery actions.
Many administrative functions are common to all computing and
communication platforms.
d. KMI Operational Management Roles can be categorized as
either internal or external. Internal Management Roles are
performed by people who are members of the central organization
that control the KMI. External management roles are performed
by people who are typically members of KMI customer
organizations. For operational management roles, KMI implements
a procedurally rigorous enrollment process that results in the
assignment of a user to one or more KMI roles. The assignment
to a role grants the user the system privileges associated with
the role.
333.
ACCESS CONTROL MANAGERS.
Contact the SSC LANT Information Technology Assistance
Center (ITAC) for KMI assistance. The ITAC personnel will open
an initial ticket and assign it to the Navy KMI Help Desk for
assistance/support. It is important that accounts contact the
ITAC to ensure that trouble tickets are being tracked
accurately. The ITAC point of contact phone numbers are as
follows: Commercial: 1-877-477-2927 or 1-800-304-4636, DSN: 312588-5550/5426. You can also send an email to ITAC personnel at:
NIPR: [email protected], SIPR:
UNCLASSIFIED//FOR OFFICIAL USE ONLY
3-15
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
[email protected] ITAC personnel are available
24 hours a day, seven days a week for assistance.
335.
USER SUPPORT MANAGER.
a. In Capability Increment 2 (CI-2), the only user support
manager role is the HP Service Manager/Agency Help Desk Manager.
b. Help desk support for KMI users will be provided by both
service-specific and KMI-wide help desk personnel. The Service/
Agency Help Desk Manager will provide organization-specific
support to customers and can be reached at: (Comm): 1-843-2183430/4662 or (DSN): 312-588-3430/4662 or via email at:
[email protected]
337.
TYPE 1 TOKEN SECURITY OFFICER – (TSO or SO)
The SO role is used in the Initialization, Endorsement and
Personalization processes. SOs are authorized to clear token
Audit Logs and change PINS.
a. The SO account will be created by the DRM who also will
set the SO pin. After initialization, the DRM will provide the
initialized token and SO pin to a DLT1RA.
b. The DLT1RA will log into the token during the endorsement
process as the SO. After endorsement, the DLT1RA transfers the
endorsed token and SO PIN to a PLT1RA.
c. The PLT1RA will log into the token during personalization
as the SO and change the SO PIN.
d. The user selects a user-unique PIN during the
personalization process.
339.
KOA AGENT (KOAA) – A NON-MANAGEMENT ROLE.
a. As part of KOAA registration, the KOAMs specify the
credential(s) the KOAA will use to authenticate in KMI. The
PRSN enforces that the new KOAA credential be unique and
authorized for use with KMI. KOAAs can then authenticate to KMI
using these credentials, to include username and password, KMI
authorized non-Type 1 PKI credentials or Type 1 PKI credentials.
b. KOAA registration is done within the Delivery-Only
interface at the PRSN to access KMI Products and Services for
UNCLASSIFIED//FOR OFFICIAL USE ONLY
3-16
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
the devices they support.
c. KOAAs access PRSN PDEs for the purpose of retrieving
products. A KOAA is not a KMI management role and are
“designated” by KOAMs. This process creates an Access Control
List (ACL) for the KOA that the KOAM oversees. The ACL contains
a list of all the entities that can retrieve KMI products from
the particular KOA. In this regard, KOAAs are not registered or
enrolled like other KMI users, although any KMI Manager can be
designated as a KOAA by a KOAM. KOAMs are automatically
designated as KOAAs for their own KOA.
341. DISENROLLMENT:
a. KMI enables an Enrollment Manager (EM) to withdraw an
existing assignment of a management role to a User Identity
(i.e. “disenrollment” of a manager). The disenrollment action
can be taken regardless of which EM originally made the
assignment. Reasons for disenrollment fall into but are not
limited to two primary areas:
(1) Eligibility Authority request
(2) Identity re-verification
b. An EA shall resubmit a KMI Form 002 to request the
disenrollment. Reasons for disenrollment include when: a
manager leaves an organization, there is loss or suspension of
security clearance or a manager no longer needs the KMI
Management privileges. After executing the disenrollment, the
EM must notify the EA.
343.
ENROLLMENT REVERIFICATION.
a. For each existing assignment of a User Identity to a
Management Role in an Enrollment Domain, KMI will periodically
(typically annually) prompt the EM at the Service Authority
level in that Enrollment Domain to review and reconfirm the
below items.
(1)
(2)
(3)
The need for, and organizational source of authority
for the assignment.
The associated RuBAC Access Set, if that Role has one.
The associated RuBAC Conferral Set, if the Role has
one.
If not performed within five business days, the user state will
UNCLASSIFIED//FOR OFFICIAL USE ONLY
3-17
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
be reflected as “inactive” and the incumbent will not be able to
perform functions within the KMI.
b. The re-verification process requires the cognizant EA reauthorize assignment of the role. An EM re-verifies each User
Identity assigned to a Manager Role on an annual basis.
345.
HUMAN USER REVERIFICATION.
a. Upon notification by the Personnel Registration Manager
(PRM) at NSA, NCMS will notify DON personnel due for
reverification if a discrepancy preventing such exists.
b. For annual enrollment reverification, the KOAM can
contact the EM at NCMS for any enrollment related concerns or
discrepancies which cannot be resolved at the unit level.
c. If updates are required, an updated KMI form 001 and/or
KMI form 002 may be required.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
3-18
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
CHAPTER 4 – ACCOUNT ESTABLISHMENT AND PERSONNEL DESIGNATION
REQUIREMENTS
401.
REQUIREMENT FOR A KMI ACCOUNT.
a. An organization that requires COMSEC material must obtain
such material through a Key Management Infrastructure (KMI)
Operating Account (KOA) managed by a designated KMI Operating
Account Manager (KOAM). When it is not possible to draw needed
COMSEC material from an existing KOA either within the
organization or from an existing KOA located in close proximity,
the requirement to establish a new KOA must be submitted by the
requiring organization and validated by the organization’s
Immediate Supervisor in Command (ISIC).
b. For commands with a COMSEC account transitioning from
EKMS to KMI, they must:
1. Complete the KMI Form 005 (EKMS to KMI account
checklist)
2. Complete and submit the required KMI Forms 001, 002,
003 and 004 to the applicable reviewer/approving official as
discussed in Chapter 3 to this manual.
3. The KMI Form 004 can be completed online but must be
printed and signed and retained at the command level.
4. Each of the forms mentioned above are available from
the Uniform Resource Locator (URL) located in Annex F.
5. Forms submitted as attachments must be digitally signed
and encrypted with a Medium Assurance PKI token. The subject of
any emails containing KMI registration or enrollment data must
state “This email contains information subject to the Privacy
Act”.
c.
A Quick Reference Matrix for KMI related forms can be
found in Annex D.
403.
a.
ESTABLISHING A KMI OPERATING ACCOUNT (KOA).
The steps required to establish a KOA are outlined below:
1.
The organization requiring a KOA must first have an
UNCLASSIFIED//FOR OFFICIAL USE ONLY
4-1
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
account established with the COR (NCMS) in Tier 1. This is
accomplished through submission of an official message (Figure
4-3) to the ISIC for review and approval in accordance with this
manual.
2. The ISIC must validate the requirement for the account
and notify the proper approval authorities.
3. The ISIC must certify the requesting command is
compliant with applicable physical security safeguards,
including space approval for the storage of COMSEC material.
NOTE: Shore-based vaults used to store keying material
constructed or structurally modified after 01 Jan 2013,
must meet the construction requirements set forth in ICD705.
4. The ISIC, working with the KOAM, will determine the
required COMSEC material.
5. Controlling Authority approval must be obtained for
symmetric (traditional) keying material prior to the account
being validated and the account’s KOA ID added to the
distribution profile. (See Figure 4-2).
6. To acquire asymmetric (modern) key ordering
privileges, i.e. TACLANE, HAIPE, Secure Data Network System
(SDNS), Secure Telephone Equipment (STE), the activity must have
a Department, Agency, Organization (DAO) code and personnel
managing the account must be authorized ordering privileges.
7. The CO will appoint in writing a KOA Manager (KOAM)
and a minimum of (1) Alternate KOAM(s), who meet the designation
requirements set forth in Articles 405 - 409 herein. If the
account HCI is TS, it is recommended a total of (3) alternates
be appointed. A sample Letter of Appointment can be found in
Figure 4-5.
A separate appointment letter is not required for
the KOAM or Alternate if he or she is also fulfilling the role
of the Client Platform Administrator (CPA). This can be
indicated by checking the applicable box or boxes for any
additional roles the KOAM or Alternate are performing. CPAs or
CPSOs must complete the Statement of Acceptance of
Responsibilities form reflected in Annex I.
8. The KOAM must prepare and submit the applicable
documentation outlined in the Defense Courier Service (DCS)
UNCLASSIFIED//FOR OFFICIAL USE ONLY
4-2
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
customer service manual and provide such information to their
headquarters and the Registration Authority (RA). The KOAM must
also ensure the Common Account Data (CAD) is up-to-date in Tier1. The DCS customer service manual is available from the U.S.
Transportation Command (USTRANSCOM) web site at the URL in Annex
F.
9. To pick-up or deliver material to/from CMIO, the KOAM
must prepare and submit a CMS Form-1. This form must be signed
by the current CO, OIC, SCMSRO or other official “Acting” in
such capacity. Forms signed “By Direction” will NOT be
accepted. Changes in account personnel or change of command
require a new form be completed, signed and submitted via
official command letterhead or naval message. The CMS Form-1
can be found in EKMS-1(series) and must be updated at a minimum
of annually or more frequently, as required.
10. Once the account is registered by the KOARM in Tier
1, the KOARM will send a digitally signed email to the InService Engineering Activity (ISEA).
11. The organization must complete and submit the
following Central Facility (CF) forms available from the Key
Support portal; CF-1202, CF-1206, and CF-1207. See Annex F for
the URL.
NOTE: For additional information and guidance related to
ordering closed partition modern key and short titles
managed by CPF, JCMO, CENTCOM, etc… please see Annex AE to
EKMS-1 (series).
12. Upon establishment of the account, SSC LANT will ship
the MGC and related peripheral equipment to the KOA address
listed in the establishment message.
13. Following establishment of the account, and CNO
validation for the AKP, CMIO will ship the AKP via DCS to the
KOA. If the KOAM does not have a DCS address, CMIO will not
ship either the AKP or required tokens to the account.
14. Upon establishment of the required ordering
privileges, submission of key order forms or validation of the
request from the unit, as applicable, Tier 0 will send the
required certificates and keys (MSK, FF) to the KOA account.
15.
Following registration and installation of the
UNCLASSIFIED//FOR OFFICIAL USE ONLY
4-3
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
MGC/AKP and related peripheral devices by SSC LANT personnel,
the KOA account must review and sign the applicable System
Operational Verification Test (SOVT) paperwork. Any functions
not demonstrated or successfully performed, required by the SOVT
must be documented and reflected on the SOVT package.
NOTE: See Article 209 for guidance regarding the location
of the MGC/AKP installation.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
4-4
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
KOA ACCOUNT ESTABLISHMENT MESSAGE ROUTING
ACTION/INFO
NCMS WASHINGTON DC//N3//
CMC WASHINGTON DC//C4/CY//
CNO WASHINGTON DC
COGARD C4ITSC ALEXANDRIA
VA//BOD-IAB//
COMLANTAREA COGARD OR
COMPACAREA COGARD (AS
APPLICABLE)
COMMARCORSYSCOM QUANTICO
VA//CINS//
ISIC
COMNAVRESFOR NORFOLK
VA//01A2//
ADMIN COC
COMSPAWARSYSCOM SAN DIEGO
CA//PMW161//
SPAWARSYSCEN ATLANTIC
CHARLESTON
SC//80P/526CS/721SR//
CMIO NORFOLK VA//N3//
CONTROLLING AUTHORITIES
DIRNSA FT GEORGE G MEADE
MD//IE3/IE31//
DIR TIER1 FT HUACHUCA AZ
DIR TIER1 SAN ANTONIO TX
SERVICING COR AUDIT TEAM
USN/MSC
A
NA
A
NA
USNR
A
NA
I
NA
USCG
A
NA
I
A
NA
NA
I
NA
NA
NA
NA
I
I
NA
I
I
I
NA
I
NA
I
I
I
I
I
I
I
I
I
I
I
I
I
I
I
I
I
I
I
I
I
I
I
I
I
I
I
I
I
I
I
I
I
I
I
I
A = Action, I = Info, NA = Not Applicable
FIGURE 4-1
UNCLASSIFIED//FOR OFFICIAL USE ONLY
4-5
USMC
A
I
I
NA
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
ASYMMETRIC (MODERN) KEY VALIDATION PROCESS (ALL SERVICES)
1. Asymmetric (modern) key is not automatically distributed
based on an established profile and must be ordered by the
account. Personnel ordering such must be privileged to order
the item(s).
2. Privileges are established through the completion,
submission and approval by the Command Authority of the User
Registration form (CF 1206).
3. The KOAM and a minimum of (1) alternate must have ordering
privileges. For redundancy purposes, it is recommended that
each alternate have ordering privileges.
4.
See EKMS-1(series) Article 672 and Annex U, if required.
VALIDATION PROCESS (TRADITIONAL KEYING MATERIAL)
MSC
USCG
USMC
USN (Shore)
USN (Sea)
COMSC
ISIC
ISIC
ISIC
CONAUTH
COGARD
C4ITSC
CONAUTH
For JCMO
Material:
(See Note 3)
CONAUTH
TYCOM (i.e.
COMMARFORPAC,
COMMARFORLANT,
COMMARFORRES)
CONAUTH
For JCMO
Material:
(See Note 3)
For JCMO
Material: (See
Note 3)
For JCMO
Material:
(See Note 3)
ISIC
(See Note 1)
TYCOM
FLT CDR
CONAUTH (See
Note 1)
For JCMO
material (See
Note 3)
FIGURE 4-2
NOTES (1) The ISIC obtains Controlling Authority validation
via the TYCOM and Fleet Commander.
(2) USN surface, sub-surface, and USCG surface units
do not require CONAUTH validation for COMSEC material
contained in the standard fleet allowance instructions such
as CLF/CPF/CNE C2282.1 and COMPACAREAINST C2282.1.
(3) Requests for Joint Staff ICP Material are
validated by the theater Combatant Commander after
UNCLASSIFIED//FOR OFFICIAL USE ONLY
4-6
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
validation by the Fleet Commander, MEF, or COGARD C4ITSC.
SAMPLE KEY MANAGEMENT INFRASTRUCTURE ACCOUNT (KOA) ESTABLISHMENT
REQUEST (EDIT AS REQUIRED)
R 101830Z AUG 13 ZYB
FM PRECOMUNIT RANGER
TO CNO WASHINGTON DC
COMPACFLT PEARL HARBOR HI
INFO NCMS WASHINGTON DC
COMNAVAIRPAC SAN DIEGO CA
DIR TIER1 HUACHUCA AZ
DIR TIER1 SAN ANTONIO TX
CMIO NORFOLK VA
DIRNSA FT GEORGE G MEADE MD
SPAWARSYSCEN ATLANTIC CHARLESTON SC
BT
UNCLAS//N02280//
MSGID/GENADMIN/PCU RANGER/-/AUG//
SUBJ/KEY MANAGEMENT INFRASTRUCTURE OPERATING ACCOUNT (KOA)
ACCOUNT ESTABLISHMENT//
REF/A/DOC/NCMS/-//
REF/B/LTR/COMNAVAIRPAC N321/1MAY09//
REF/C/DOC/CLF/CPF/CINCUSNAVEURINST C2282.1/-//
REF/D/GENADMIN/DIRNSA/050403ZAUG09//
NARR/REF A IS EKMS-1(SERIES) SUPP-1. REF B CERTIFIES STORAGE
REQUIREMENTS AND APPROVES ACCOUNT ESTABLISHMENT. REF C IS
CLF/CPF/CNE STANDARD SHIPBOARD ALLOWANCE PUBLICATION. REF D IS
CONTROLLING AUTHORITY VALIDATION.//
POC/SAILOR/CTOC/DSN:123-4567/EMAIL:SAILOR(AT)CVN79.NAVY.MIL//
RMKS/1. IAW REF A, REQUEST ESTABLISHMENT OF A KOA ID TO SUPPORT
OPERATIONAL REQUIREMENTS. THE FOLLOWING IS PROVIDED, AS
REQUIRED:
A. COMMAND TITLE:
USS RANGER (CVN-79)
B. COMMAND UIC:
12345
C. MAILING ADDRESS: USS RANGER (CVN-79)
COMM DEPT
FPO AP 96631
D. COMMAND PLA: PCU RANGER//OFFICE CODE//
E. ISIC AND VALIDATION REF: COMNAVAIRPAC; REF B GERMANE.
F. HCI: TOP SECRET.
G. COMMAND MEETS STORAGE/PHYSICAL SECURITY REQUIREMENTS FOR
STORING TOP SECRET MATERIAL AS VALIDATED BY REF B.
H. KEY MANAGEMENT INFRASTRUCTURE OPERATING ACCOUNT MANAGER
(KOAM) INFORMATION:
FIGURE 4-3
UNCLASSIFIED//FOR OFFICIAL USE ONLY
4-7
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
1. NAME (LAST NAME, FIRST NAME, MI):
2. RANK/GRADE:
3. SECURITY CLEARANCE, BASIS, AND DATE OF INVESTIGATION:
4. PHONE NUMBER COMM/DSN:
5. EMAIL ADDRESS:
6. DATE OF COMPLETION OF FORMAL KMI TRAINING:
7. DATE OF COMPLETION OF THE NSA TOKEN SECURITY OFFICER
(TSO) COMPUTER-BASED TRAINING:
NOTE: PARAGRAPH H.8 THRU H.10 IS ONLY APPLICABLE IF THE
KOAM WILL ALSO SERVE AS THE CLIENT PLATFORM ADMINISTRATOR
(CPA) FOR THE ACCOUNTS MANAGEMENT CLIENT (MGC), OTHERWISE
INDICATE N/A.
8. DATE OF COMPLETION OF INFORMATION ASSURANCE TECHNICIAN
(IAT) LEVEL I CERTIFICATION:
9. DATE OF COMPLETION OF THE NSA CPA COMPUTER-BASED
TRAINING (CBT):
10. DATE OF EXECUTION OF THE INFORMATION SYSTEM PRIVILEGED
ACCESS AGREEMENT AND ACKNOWLEDGEMENT OF RESPONSIBILITIES:
I. KEY MANAGEMENT INFRASTRUCTURE OPERATING ACCOUNT ALTERNATE
(ALT. KOAM) INFORMATION:
1. NAME (LAST NAME, FIRST NAME, MI):
2. RANK/GRADE:
3. SECURITY CLEARANCE, BASIS, AND DATE OF INVESTIGATION:
4. PHONE NUMBER COMM/DSN:
5. EMAIL ADDRESS:
6. DATE OF COMPLETION OF FORMAL KMI TRAINING:
7. DATE OF COMPLETION OF THE NSA TOKEN SECURITY OFFICER
(TSO) COMPUTER-BASED TRAINING:
NOTE: PARAGRAPH I.8 THRU I.10 IS ONLY APPLICABLE IF THE
KOAM WILL ALSO SERVE AS THE CPA FOR THE ACCOUNT’S MGC,
OTHERWISE INDICATE N/A.
8. DATE OF COMPLETION OF INFORMATION ASSURANCE TECHNICIAN
(IAT) LEVEL I CERTIFICATION:
9. DATE OF COMPLETION OF THE NSA CPA COMPUTER-BASED
TRAINING (CBT):
10. DATE OF EXECUTION OF THE INFORMATION SYSTEM PRIVILEGED
ACCESS AGREEMENT AND ACKNOWLEDGEMENT OF RESPONSIBILITIES:
J.
CLIENT PLATFORM SECURITY OFFICER (CPSO):
FIGURE 4-3
UNCLASSIFIED//FOR OFFICIAL USE ONLY
4-8
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
1. NAME (LAST NAME, FIRST NAME, MI):
2. RANK/GRADE:
3. SECURITY CLEARANCE, BASIS, AND DATE OF INVESTIGATION:
4. PHONE NUMBER COMM/DSN:
5. EMAIL ADDRESS:
6. DATE OF COMPLETION OF INFORMATION ASSURANCE TECHNICIAN
(IAT) LEVEL I OR CERTIFICATION (IAM LEVEL I FOR USMC ACCOUNTS):
7. DATE OF COMPLETION OF THE NSA CPSO COMPUTER-BASED
TRAINING (CBT):
8. DATE OF EXECUTION OF THE INFORMATION SYSTEM PRIVILEGED
ACCESS AGREEMENT AND ACKNOWLEDGEMENT OF RESPONSIBILITIES:
K. CLIENT PLATFORM ADMINISTRATOR (CPA):
1. NAME (LAST NAME, FIRST NAME, MI):
2. RANK/GRADE:
3. SECURITY CLEARANCE, BASIS, AND DATE OF INVESTIGATION:
4. PHONE NUMBER COMM/DSN:
5. EMAIL ADDRESS:
6. DATE OF COMPLETION OF INFORMATION ASSURANCE TECHNICIAN
(IAT) LEVEL I OR CERTIFICATION (IAM LEVEL I FOR USMC ACCOUNTS):
7. DATE OF COMPLETION OF THE NSA CPSO COMPUTER-BASED
TRAINING (CBT):
8. DATE OF EXECUTION OF THE INFORMATION SYSTEM PRIVILEGED
ACCESS AGREEMENT AND ACKNOWLEDGEMENT OF RESPONSIBILITIES:
2.
REQUIRED MATERIAL:
A. KEYING MATERIAL:
(1) AFLOAT UNITS SUBMIT REQUESTS FOR MATERIAL IAW REF C.
(2) ASHORE UNITS CONTACT ISIC, CONAUTH AND CMDAUTH, AS
APPLICABLE.
B. MANUALS/EQUIP/RELATED DEVICES:
(1) AFLOAT UNITS SUBMIT REQUESTS FOR MATERIAL IAW REF C.
(2) ASHORE UNITS CONTACT ISIC AND/OR CONAUTH, AS
APPLICABLE.
C. VALIDATION AUTHORITY/JUSTIFICATION: REF D GERMANE.
3.
DMR: 100424
A. DURATION: PERMANENT OR TEMPORARY (IF TEMPORARY, INCLUDE
DURATION)
B. SHIPPING INSTRUCTIONS:
BT
FIGURE 4-3
UNCLASSIFIED//FOR OFFICIAL USE ONLY
4-9
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
405.
SELECTION OF KMI PERSONNEL.
Individuals selected must:
a. Meet the existing requirements of EKMS-1(series) Articles
410, 412 and 505 with exception of completion of the EKMS
Manager COI (Art 412.f).
b. In addition to the requirements stated above, personnel
serving as either a CPA or CPSO must also complete the training
requirements and additional documentation set forth in Article
411 herein.
c. Contractor personnel will not be appointed as a KOAM or
Alternate without prior approval from NCMS.
d. For specific positions requiring appointment or
designation, i.e. KOAM, Alternate, CPA, CPSO, etc… a sample
appointment letter is contained in Figures 4-4 and 4-5.
407.
a.
MANPOWER REQUIREMENTS FOR KMI OPERATING ACCOUNT (KOA).
Account Composition.
1. The CO of each numbered account must appoint in writing
a KOA Manager, a minimum of one Alternate, one CPA and one CPSO.
It is highly recommended (2) additional alternates be appointed
for redundancy during periods of leave, TAD, etc… for accounts
with a HCI of TS to ensure compliance with National policy,
which mandates a minimum of (2) formally trained personnel be
assigned to the account at all times except as discussed in
Chapter 6.
2. A KOAM or Alternate who is IAT Level 1 or higher
certified per DoDM 8570.01 can fulfill the role of the Client
Platform Administrator (CPA). If a KOAM is not fulfilling the
CPA role, the DoDM 8570.01 requirement is not applicable to a
KOAM or Alternate.
3. To maximize existing personnel and ensure separate
oversight of security related functions requiring separation of
duties, it is recommended commands leverage use of the ISSM/IAM
or ISSO/IAO to fulfill the duties and responsibilities of the
CPSO. Personnel appointed as an ISSM or IAM are required to be
certified in accordance with DoD 8570.01M and have a SSBI per
SECNAV M5510.30. Due to role exclusions set at the National
UNCLASSIFIED//FOR OFFICIAL USE ONLY
4-10
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
level, a KOAM, Alternate or CPA cannot occupy the CPSO role.
b. Grade Requirements for KOAMs, Alternates, LE Issuing and
Clerks.
1. Grade, length of service, and other criteria for
appointment to any of the aforementioned positions is
outlined in EKMS-1(series) Articles 412 - 416.
2. Appointment letters will be signed by the current CO
and will be updated within 60 days following a change of
command. The use of By Direction is not authorized for
appointing personnel or signing accounting reports requiring the
CO’s signature. The only acceptable alternative is for such
correspondence to be signed as “Acting” by the person acting in
the absence of the CO.
409.
KOA MANAGER (KOAM) AND ALTERNATES.
a.
KMI Operating Account Manager (KOAM) & Alternate
KOAM(s). In addition to the requirements of EKMS-1(series)
articles 410, 412 and 505, personnel identified to be a KOAM or
Alternate must:
1. Successfully complete the KMI COI prior to appointment.
Personnel currently appointed who have attended previous COMSEC
Manager training must attend and successfully complete the
formal KMI training. See Chapter 6 for guidance when training
cannot be completed due to extenuating circumstances prior to
appointment.
2. Execute a SD Form 572 and maintain such on file at the
KOA for a minimum of ninety days from the date relieved. See
Annex K of EKMS-1(Series) for form.
3. Execute the required KMI Form 004 and retain it on file
with any appointment letter for the same duration as the
appointment letter. See Annex F for the URL where KMI-related
forms are available from.
4. If a KOAM or Alternate is also performing the duties of
the CPA in addition to the above training requirement, such
personnel must complete the training and documentation
requirements set forth in Article 411 herein.
411.
OTHER KMI RELATED ROLES.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
4-11
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
a. Personnel Local Type 1 Registration Authority (PLT1RA)
The PLT1RA is required to conduct face to face verification of
all users requiring registration in the KMI, perform annual reverification of active Human Users and personalize tokens.
b. Device Local Type 1 Registration Authority (DLT1RA)
The DLT1RA is responsible for the physical viewing and reviewing
of all new devices being endorsed in KMI; this includes both the
endorsement and provisioning of KMI-aware devices. It is
recommended the appointed KOAM or Alternate performs the duties
of the PLT1RA and DLT1RA to reduce manpower requirements. In
addition to basic access requirements, personnel appointed as
the PLT1RA or DLT1RA must possess a security clearance equal
to/higher than the Highest Classification Indicator (HCI) of the
KOA account.
c.
Type-1 Token Security Officer (TSO/SO).
1. This role will be performed by the KOAM and each
Alternate. An individual cannot be their own TSO; however, a
KOAM can be the TSO for an alternate and vice versa.
2. TSO specific duties, responsibilities and periodicities
for functions the TSO is responsible for can be found in the
SKEY6500 (KOV-29) OSD.
d.
Product Requester (If other than the KOAM/Alternate).
1. Must have a security clearance equal to/higher than the
highest classification of material required or authorized to
request. An interim Top Secret clearance may be granted if
required provided the incumbent has been granted a final secret
clearance that is within scope.
2.
Be an E-5/GS-5 or above.
3. Successfully complete the applicable portion(s) of the
KMI Management Client (MGC) COI.
e. Client Platform Administrator (CPA). The CPA is
responsible for administration of computer platforms and client
nodes, including the creation of user accounts for platform
operators, setting platform operator privileges, and performing
system maintenance functions. Personnel appointed as a CPA
must:
UNCLASSIFIED//FOR OFFICIAL USE ONLY
4-12
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
1. Have a minimum Secret security clearance. If performed
by the KOAM or an Alternate, the clearance must be equal
to/higher than the HCI of the account. In addition to the
training required of a KOAM, such personnel must also complete
the required CPA training and attain IAT Level 1 certification
in accordance with DoD 8570.01(Series) within 180 days of
appointment.
2. If performed by other than the KOAM/Alternate, such
personnel may be military, civil service or contractor personnel
employed by the U.S. government. Regardless of affiliation i.e.
military, civil service, or contractor, personnel with
privileged access to a DoD computer or network must be certified
in accordance with DoD 8570.01(Series).
3. Waivers related to IA certification requirements are
not to be submitted to NCMS and must be handled in accordance
with DoD 8570.01(Series) and applicable service-specific
guidelines. NCMS will not respond to waivers of this nature.
4. Successfully complete the application portion of
the MGC training or CBT, as applicable.
5. Complete, execute and have on file the required
Information Systems Privileged Access Agreement and
Acknowledgement of Responsibilities form required by DoD
8570.01(Series). A sample can be found in Annex I.
f. Eligibility Authority (EA). The EA performs the required
face-to-face verification on behalf of either a human or device
to ascertain that either is qualified and eligible to be
registered in KMI and that personnel requiring registration have
an official duty requiring registration for the roles requested.
To ensure no disqualifying information exists and the requesting
person has an up-to-date security clearance within scope, this
role will be performed at the unit level by the Commanding
Officer or he/she can designate the Security Manager, Special
Security Officer (SSO), or other qualified personnel to perform
the role. Minimum requirements for appointment as the EA are:
1. Meet applicable grade and security requirements
outlined in SECNAV M5510.30 of Articles 2-3 or 2-9, as
applicable.
2.
Complete classroom or CBT training, as applicable when
UNCLASSIFIED//FOR OFFICIAL USE ONLY
4-13
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
developed.
NOTE: Civil Service employees and military personnel
fulfilling the positions noted in subparagraph g - j below
must have a minimum of six months of government service.
This may include time served as enlisted personnel for
commissioned officers.
g.
Controlling Authority (CONAUTH) Designation Requirements.
1. Due to the inherent responsibilities, required decision
making abilities and level of maturity expected of someone
serving in the role of a Controlling Authority, such personnel
must be U.S. government personnel E-7/GS-7 or selectee (as
applicable) or a Commissioned Officer.
2. Contractor personnel will not perform Controlling
Authority functions without an official waiver from NCMS. If
requested and approved by NCMS, the scope of authority would
generally be limited to ALC-7 key locally generated by the
account being managed.
3. Complete the applicable Controlling Authority training
via formal classroom instruction or CBT, as applicable.
h.
Command Authority (CA) Designation Requirements.
1. Must have a minimum Secret security clearance within
scope. If a Command Authority is also serving in any other
capacity such as a KOAM, they must meet the security, grade,
training and other requirements for that position as well.
2. Must be a U.S. government employee (military or civil
service) in the grades E-7/GS-7 or selectee (as applicable) or a
Commissioned Officer.
3. Should have experience as a network planner and be
knowledgeable in the establishment of DAO and partition codes,
asymmetric key supporting crypto nets, monitoring key usage and
be able to recommend or direct appropriate actions in the event
of a suspected or actual compromise.
4. Successfully complete the required portion of the KMI
Management Client (MGC) training or CBT, as applicable.
i. Client Platform Security Officer (CPSO). The CPSO is
responsible for administering and monitoring the security of
UNCLASSIFIED//FOR OFFICIAL USE ONLY
4-14
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
client node platforms and performing audits and/or archives of
security logs. Role exclusions prohibit a KOAM or Alternate
from serving simultaneously as the CPSO.
To reduce manpower requirements, it is recommended the command’s
ISSM or ISSO perform the duties of the CPSO since such personnel
are already required to be certified in accordance with DoD
8570.01(Series) and have a SSBI within scope per SECNAV
M5510.30.
1. Personnel appointed as a CPSO with administrative
privileges require a KOV-29 (token) and must possess a security
clearance equal to or higher than the Highest Classification
Indicator (HCI) of the account. An Interim Top Secret may be
granted provided the incumbent has a final Secret clearance
within scope.
2. Be in the minimum rank/grade of E-5/GS-5 (or
selectee) or a commissioned officer with experience as an ISSM,
ISSO, etc…. The incumbent must also be knowledgeable in
establishing a crypto net, monitoring the key usage and
determining the required actions during a compromise as well as
be familiar with other Information Assurance (IA) security
related functions and responsibilities.
3.
Successfully complete the CPSO CBT, as applicable.
4. Complete and have on file the required Information
Systems Privileged Access Agreement and Acknowledgement of
Responsibilities form required by DoD 8570.01(Series). A sample
can be found in Annex I.
5. Complete, sign and submit the KMI Form 004 (KMI
Certificate of Acceptance and Acknowledgement of
Responsibilities).
6. If not already attained, personnel appointed must meet
DoD 8570.01(Series) requirements within 180 days of appointment.
Certifications previously attained must be current with the
vendor’s recertification requirements and be registered in the
service-specific database use to manage and track IA
certifications. Do not submit waiver requests for IA
certifications to NCMS. NCMS is not the approval authority for
such and will not respond to waivers of this nature.
j.
KOA Registration Manager (KOARM).
UNCLASSIFIED//FOR OFFICIAL USE ONLY
4-15
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
1. A KOARM is responsible for maintaining registration
information about KOAs.
2. The KOARM must meet the grade, security and training
requirements set forth in the Process Security Doctrine (DOC
042-12).
NOTE: The EKMS Registration Authority is located at
Tier 1; the person(s) performing that function should be
enrolled as KOA Registration Manager and provided with an
MGC and manager credentials so they can perform both
functions.
k.
Device Registration Manager (DRM).
1. The DRM is responsible for the ensuring devices have a
valid, established identifier in the KMI, physical verification
of the device integrity and changing the status of devices from
active to inactive and vice versa upon request from an EA or
Device Sponsor. Existing role exclusions prohibit a DRM from
also concurrently serving as a DLT1RA.
2. Personnel appointed to serve as a DRM must meet grade,
security and training requirements set forth in DOC 042-12.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
4-16
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
(SAMPLE) KEY MANAGEMENT INFRASTRUCTURE OPERATING ACCOUNT MANAGER
(KOAM) APPOINTMENT LETTER
________
(DDMMYY)
From:
To:
Commanding Officer
(Rank/Rate/Grade, Name, and DOD ID)
Subj: APPOINTMENT AS THE KEY MANAGEMENT INFRASTRUCTURE
OPERATING ACCOUNT MANAGER (KOAM) OR ALTERNATE (AS APPLICABLE)
Ref:
(a)
(b)
(c)
(d)
(e)
(f)
(g)
Encl:
(1)
(2)
(3)
(4)
(5)
EKMS 1(series) Supp-1
DoDM 8570.01(series)
Management Client (MGC) Operational Security
Doctrine (OSD)
Enrollment of KMI Managers Doctrine
Registration of KOAs and KMI Users Doctrine
Operational Security Doctrine (OSD) for the SKey6500
DoDI 1000.30
KMI MGC Course of Instruction Completion Certificate
Token Security Officer CBT Certificate
CPA CBT Certificate (Note 1)
Information Assurance Technician (IAT) Level 1
Certificate (Note 1)
Information System Privileged Access Agreement and
Acknowledgement of Responsibilities Form (Note 1)
1. In accordance with reference (a), you are hereby appointed
as the KOAM or Alternate KOAM for this command.
2.
KOA account number:
____________.
3. Date and location of completion of the KMI formal course of
instruction or Date-Time-Group (DTG) of the NCMS waiver approval
if not previously completed (See Note 2):
____________.
4. Security clearance data:
a. Clearance level:
____________.
b. SCI eligible and date: (See Note 3)
______.
c. Date and type of the most investigation: ____________.
5. Additional KMI roles, not prohibited by policy held by the
appointee. (Check each that applies)
Figure 4-4
UNCLASSIFIED//FOR OFFICIAL USE ONLY
4-17
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
Subj: APPOINTMENT AS THE KEY MANAGEMENT INFRASTRUCTURE
OPERATING ACCOUNT MANAGER (KOAM) OR ALTERNATE (AS APPLICABLE)
CPA (Notes 1,4)
DLT1RA
DRM
PLT1RA
TSO (Note 6)
6. You will familiarize yourself with references (a) – (f) to
ensure compliance in your execution of duties for the roles
appointed to.
_________________________________
(Signature of Commanding Officer)
NOTES: (1) Enclosures (3) – (5) are only required if the
KOAM or Alternate, as applicable are fulfilling the role of
the CPA.
(2) Appointment prior to completing formal training
requires a waiver from NCMS. See Articles 409, 601 and Annex H
of this manual if operational requirements and extenuating
circumstances prevent completion prior to appointment.
(3) If the account is validated for SCI/SI
material, the KOAM/Alternate must be SCI eligible otherwise
insert “NA”.
(4) See Article 409.a above for additional training
and documentation requirements if a KOAM or Alternate is
fulfilling the role of the CPA.
(5) Role exclusions set forth at the National level
prohibit a KOAM, Alternate or CPA from serving concurrently as
the CPSO.
(6) Each KOAM/Alternate will be a TSO but cannot be
the SO/TSO for the token held by/issued to them self.
Figure 4-4
UNCLASSIFIED//FOR OFFICIAL USE ONLY
4-18
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
(SAMPLE) KEY MANAGEMENT INFRASTRUCTURE (KMI) OPERATING ACCOUNT
(KOA) CLIENT PLATFORM ADMINISTRATOR (CPA) OR CLIENT PLATFORM
SECURITY OFFICER (CPSO) APPOINTMENT LETTER
________
(DDMMYY)
From: Commanding Officer
To:
(Rank/Rate/Grade, Name, and DOD ID)
Subj: APPOINTMENT AS THE KEY MANAGEMENT INFRASTRUCTURE
OPERATING CPA OR CPSO (AS APPLICABLE)
Ref:
(a)
(b)
(c)
(d)
(e)
(f)
(g)
Encl:
(1)
(2)
(3)
EKMS 1(series) Supp-1
DoDM 8570.01(series)
Management Client (MGC) Operational Security
Doctrine
Enrollment of KMI Managers Doctrine
Registration of KOAs and KMI Users Doctrine
Operational Security Doctrine (OSD) for the SKey6500
DoDI 1000.30
CPA or CPSO Computer-Based Training (CBT)
Certificate (as applicable)
Information Assurance Technician (IAT) Level 1
Certificate
Information System Privileged Access Agreement and
Acknowledgement of Responsibilities Form
1. In accordance with references (a) and (b) and based on
verification of enclosures (1) – (3), you are hereby appointed
as the CPA or CPSO, as applicable for this command.
2.
KOA account number:
____________.
3. Date and source of training in which IAT
Level 1 certification was attained:
4.
____________.
Security clearance data:
a.
Clearance level:
____________.
b.
Date and type of security investigation:
____________.
5. You will familiarize yourself with references (a) – (f) to
ensure compliance in your execution of duties.
Figure 4-5
UNCLASSIFIED//FOR OFFICIAL USE ONLY
4-19
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
________________________________
(Signature of Commanding Officer)
Figure 4-5
UNCLASSIFIED//FOR OFFICIAL USE ONLY
4-20
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
CHAPTER 5 - DUTIES AND RESPONSIBILITIES OF THE KEY MANAGEMENT
INFRASTRUCTURE OPERATING ACCOUNT (KOA) MANAGEMENT PERSONNEL
501.
KOA MANAGEMENT PERSONNEL.
a.
KOA Managers/Alternates will:
1. Generate, manage and distribute local symmetric
products, and maintain KOA administrative information in KMI
with exception to centrally managed data elements such as the
account’s Highest Classification Indicator (HCI).
2. Request the cognizant KOA Registration Manager add or
remove KOA Managers from the list of KOA mangers for the KOA.
3. Add, modify, or remove KOA Agents from the list of
authorized KOA Agents (LE) for the KOA.
4. Add, modify, or remove KMI-aware End Cryptographic
Units (ECUs) from the KOA’s Device Distribution Profile (DDP).
5. Add, modify, or remove KMI-aware ECUs/fill devices from
the locally maintained fill groups.
6. Add, modify, or remove key products to ECUs/fill
devices in the locally maintained fill groups.
7.
Activate ECUs for seed key conversion.
8.
Upload new credentials for seed key conversion.
9. Associate short title(s) with Over-The-Network-Keying
(OTNK) ECUs for ECU-initiated key retrievals.
10.
Cancel short title/ECU associations, when required.
11. Upload encrypted keying material for fill devices and
ECUs to the PRSN for retrieval by authorized KOA Agents.
12. Manage encrypted keying material held at the PRSN for
download by KOA Agents and KMI-aware ECUs.
13. Associate short titles with a benign fill/encrypted
fill ECU for automated encrypting of routinely superseded key.
14.
Download encrypted key into a fill device for an
UNCLASSIFIED//FOR OFFICIAL USE ONLY
5-1
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
authorized KOA Agent.
15. Review reports related to tracked and accountable
events associated with the KOA.
16. Review Device Distribution Profiles (DDPs) through
comparison of the assignment of ECUs to key products.
17. Conduct periodic reviews of the tailored Product
Ordering Catalog, as required.
18. Report any compromise or potential compromise
involving KMI products.
19. Perform required accounting transactions to
effectively manage the KOA and ensure proper accountability of
material.
20. Verify and maintain status information on KMI products
held, used or responsible for.
21. Conduct and document a visual inspection of the
AKPREINIT Flash Drives (or NSA tamper evident bags), AKP and KVM
Switch (if installed) for any signs of damage or tamper as
discussed in Chapter 2 herein.
22. Review the account’s Transaction Status Log weekly and
report any anomalies or unexplained activity to the CPSO.
23. Backups must be created and offloaded at a minimum of
weekly for large accounts and monthly for small accounts.
24. Archive accounting data every six (6) months, or as
often as necessary for an active MGC. Retain archived
accounting data for 2 years or until the next COR Audit, the
sooner of the two.
25. Send, out of band, an exact copy of archived
accounting data on a CD or DVD to the CSN within 30 days of the
archive. The media must be labeled with a red SF-707 (SECRET)
label, shipped via a method approved for SECRET collateral
information and include; the KOA ID, beginning and ending dates
of the accounting data and the name of the KOAM who archived and
offloaded the accounting data. Archived records must not be
modified or deleted during the retention period or when
duplicated for shipment to the Configuration Manager. The
UNCLASSIFIED//FOR OFFICIAL USE ONLY
5-2
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
inner/outer mailing address for archived accounting data is:
DIRNSA
Suite 6298
Configuration Manager, Y2D4222
9800 Savage Road
Ft. Meade, MD 20755
26. Connect to the KMI Storefront and obtain an updated
Certificate Revocation List (CRL) at a minimum of every six (6)
months.
27. Ensure the KOAM turnover checklist is completed by the
outgoing Manager, witnessed by the incoming manager and retained
on file per Annex M to EKMS-1(series).
28. Additional duties and responsibilities can be found in
the OSD for the MGC, the KMI Enrollment Policy, and EKMS1(series) Article 455.
b.
will:
1.
Personnel Local Type 1 Registration Authorities (PLT1RA)
Perform personalization of Type 1 Tokens.
2. Initiate certificate requests and download Type 1
Certificates onto a token.
3. Record evidence used in the face-to-face verification
of the identity of a Type 1 Human Subscriber and perform annual
re-verification of Human Users in an active state through
examination and verification of current evidence based upon the
original evidence resubmitted by the EA in accordance with the
Type 1 Certificate Policy (Type 1 CP), the KMI Enrollment Policy,
or the Operational Security Doctrine, as required.
4. Review and maintain the Registration Data of Human
Identities associated with Type 1 Certificates at a minimum of
annually or more frequently, as required.
5. Report any compromise or potential compromise involving
KMI products.
6.
Perform revocation actions for Type 1 Certificates.
7.
Change the Token SO Password.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
5-3
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
8.
Verify and maintain status information on KMI products.
9. Be familiar with and adhere to the applicable
Operational Security Doctrine for the MGC, the sKey6500 Token
(KOV-29), and KMI Enrollment Policies.
c.
will:
Device Local Type 1 Registration Authorities (DLT1RA)
1.
Perform endorsement of KMI-aware devices.
2. Authorize conversions of IA(I) and Key Encryption
Infrastructure (KE(I)) certificates.
3. Record evidence of verification of the existence and
condition of KMI-aware devices.
4. Record and maintain evidence of initial and periodic
re-verification of endorsed devices.
5. Report any compromise or potential compromise involving
KMI products.
6.
Perform revocation actions for Type 1 certificates.
7.
Verify and maintain status information on KMI products.
8. Be familiar with and adhere to the applicable
Operational Security Doctrine for the MGC, the sKey6500 Token
(KOV-29), and KMI Enrollment Policies.
d.
Product Requesters will:
1. Ensure timely submission of orders for asymmetric
products specifying DAO, partition codes and delivery
instructions for accounts to meet operational requirements.
2. Specify and modify production and delivery priorities
for standing orders.
3. Modify the ADP associated with product orders, when
validated.
4. Review, cancel and manage, as applicable product
orders, tracking information related to KMI products, tailored
product ordering catalog data, and partition or DAO code data
UNCLASSIFIED//FOR OFFICIAL USE ONLY
5-4
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
and descriptions.
5. Report any compromise or potential compromise
involving KMI products.
6. Request the PRSN and PSN, as applicable; temporarily
or permanently cease distribution of products under their
cognizance.
7. Review, update and manage status information for KMI
products.
8. Perform duties as a Command Authority, Controlling
Authority or both, as required as discussed in Articles 103,
501, 709 and Chapters 4, 9 and 10 of this manual.
9. Additional duties and responsibilities may be further
defined in both the KMI Enrollment Policy for Managers and the
Operational Security Doctrine for the MGC.
e.
Client Platform Administrators will:
1.
Perform software installations and upgrades.
2. Establish and maintain Microsoft Windows user-accounts
and configure accounts and privileges on the Client Host.
3.
Assign database privileges to the KOAM and Alternates.
4. Configure and maintain the Client Host in accordance
with applicable configuration management and security
guidelines.
5. Perform required maintenance actions on the Client
Host, including offloading of backups to removable media.
6. Properly label, safeguard and store backup media when
offloaded from the MGC to prevent loss or unauthorized access.
NOTE: Full system backups created locally and stored on
media must be brought into CMCS accountability by the KOAM
through generation and submission of a possession report.
7. Perform system recovery actions, when required. The
use of any database backups and AKPREINIT drives older than 7
UNCLASSIFIED//FOR OFFICIAL USE ONLY
5-5
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
calendar days old must be reported as a Practice Dangerous to
Security (PDS) in accordance with Chapter 9.
8. Install, document and report Information Assurance
Vulnerability Advisory (IAVA) compliance to the ISSM or CPSO, as
applicable. Authorization to install IAVA patches posted by NSA
to the Product Availability Library (PAL) does not require NCMS
or SSC approval.
9. Install antivirus software and configure the client for
virus definition updates in accordance with applicable
configuration guidance.
10.
Run periodic health tests on the MGC, when required.
11. Be familiar with and adhere to the guidance contained
herein and in the Operational Security Doctrine for the MGC.
12. Complete, execute and have on file the required
Information Systems Privileged Access Agreement and
Acknowledgement of Responsibilities form required by DoD
8570.01M. A sample can be found in Annex I.
f.
Client Platform Security Officers will:
1. Conduct audit data reviews, archives and retain
archived audit data for 2 years or until the next COR Audit, the
sooner of the two.
2.
Perform security monitoring of the Client Host.
3. Perform security administration of the Client Host to
include audit review of the Client Host audit data, the AKP
audit data, and Public Key Infrastructure (PKI) audit data.
4. Verify IAVA compliance at a minimum of semi-annually in
conjunction with the Client Host audit and report compliance via
NIPRNet email which includes the KOA number and IAVA status
(Month/Year) to: [email protected]
5. Ensure proper labeling, safeguarding and storage of
audit data backups to prevent unauthorized access.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
5-6
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
6. Offload, label and safeguard optical media storing
audit data and deletion of all previously archived audit logs,
as required. The logs must be verified to have been
successfully written to optical media prior to clearing the
logs.
7. Send an exact copy of the archived audit data to the
Central Services Node (CSN) within 30 days of archiving via an
approved method for SECRET collateral information in accordance
with SECNAV M5510.36. The media used must be labeled with a red
(SF-707) SECRET label and identify; the MGC KOA ID, the
beginning and ending dates of the audit data and the name of the
CPSO who archived and offloaded the data. The mailing address
for the CSN is:
DIRNSA
Suite 6298
Configuration Manager, Y2D422
9800 Savage Road
Fort George G. Meade, MD 20755
8. Be responsible for verification and continuity of
security audit data,
9. Provide oversight regarding the control and
configuration of security resources and settings for the Client
Host.
10. Export the AKP diagnostic history log (DHL) at a
minimum of every six months or when notified by the system the
log is 80% full.
11. Review the DHL within 10 working day of exporting the
DHL to the Client Host and clearing of the log afterwards.
12. Verify the BIOS password each time an audit archive is
performed.
13.
Perform health tests on the AKP, as required.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
5-7
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
14. Perform additional duties and responsibilities
outlined in the Operational Security Doctrine for the MGC and
the Type 1 Certificate Policy (CP) as applicable.
g.
Controlling Authorities will:
1. Request the creation or deletion of short-titles for
symmetric key products.
2. Define the intended application or use of keying
material under their purview.
3. Promulgate effective and supersession dates for keying
material under their purview and disseminate such information to
all validated KOAs.
4. Designate short-title orders as either standing or a
periodic.
5. Approve, disapprove and maintain a listing of Product
Requesters authorized to order a specific product.
6. Verify and maintain KOA registration data and
credentials.
7. Perform an annual review of short titles under their
cognizance to determine if the material is still required and if
accounts validated for the material are accurate and up-to-date.
8. Specify secondary approval for a product, when
required.
9. Approve symmetric key orders when submitted by
authorized Product Requesters.
10. Evaluate COMSEC Incidents for products under their
cognizance. This includes initiating compromise recovery
actions, determining when an Emergency Supersession is warranted
and notifying all KOAs validated for the material involved.
11. Approve and disapprove product requests to transfer
products under their cognizance, as well as cancel orders no
longer required.
12. Order future editions of symmetric products
(aperiodic orders).
UNCLASSIFIED//FOR OFFICIAL USE ONLY
5-8
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
13. Create, modify and manage Account Distribution
Profiles (ADPs) for symmetric products.
14. Specify and modify the requested production and
delivery priorities for standing orders.
15. Direct the PRSN and PSN, as applicable to temporarily
or permanently cease distribution of products under their
cognizance.
16. Additional duties and responsibilities of a
Controlling Authority may be found in Annex C to EKMS-1(series).
h.
Command Authorities will:
1. Request assignment and/or removal of Department Agency
Organization (DAO) and Partition codes, as applicable.
2. Approve, disapprove and maintain a listing of Product
Requesters authorized to order asymmetric products for Partition
and DAO codes under their cognizance.
3. Perform an annual review of Product Requestors
authorized to place orders for DAO or Partition codes under
their cognizance to validate both the requirement and personnel
authorized to place orders.
4. Review and maintain partition code data and DAO codes
and descriptions.
5. Additional duties and responsibilities can be found in
the KMI Enrollment Policy for Managers and Annex U to EKMS1(series).
i.
KOA Registration Managers (KOARM) will:
1.
Ensure the proper and timely registration of the KOA.
2. Ensure the User Sponsor submits a request for a KOA and
the equipment required by the KOA.
3. Connect to the PRSN and establish the KOA within the
KMI by translating the KOA to the previously established EKMS
account number, unless the account is new and did not have an
EKMS account previously.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
5-9
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
4.
Add, modify or maintain accurate KOA registration data.
5. Associate the AKP with a KOA and a respective KOAM with
the KOA.
6.
Assign KOAMs to a KOA.
7. Add, assign or remove RuBAC access sets to KOAs and
RuBAC attribute values in a RuBAC access set.
8.
Review/verify KOA registration data and credentials.
9.
Replace a KOA’s Primary KOAM with another KOAM.
10.
Query and manage status information, as required.
11. Review, be familiar and comply with the KMI Enrollment
Policy for Managers.
NOTE: Additional duties and responsibilities of the KOARM
are outlined in the Operational Security Doctrine for the
MGC, the sKey 6500 (Token) and the KMI Registration and
Enrollment Policies.
j.
Device Registration Managers will:
1.
Register a User Identity for a respective User Device.
2. Establish new Device User identities in an active or
inactive state, as required.
3.
Initialize KMI-aware ECUs and User Devices.
4. Request initial seed keying material for KMI-aware
ECUs/devices.
5.
Request non-KMI Unique User Identifiers.
6. Register a User Identity for a User Set consisting
entirely of User Devices.
7. Record and maintain evidence of identity eligibility
and authenticity.
8. View, add or modify, as applicable Device User
registration data
UNCLASSIFIED//FOR OFFICIAL USE ONLY
5-10
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
9. Add, assign or remove RuBAC Access sets to KOAs and
RuBAC attribute values in a RuBAC access set.
10. Report any compromise or potential compromise
involving KMI products.
11. Verify and maintain status information on KMI
products.
12. Review, be familiar and comply with the applicable
Operational Security Doctrine for the MGC, the sKey 6500 (KOV29), and KMI Enrollment Policies.
k.
Enrollment Managers will:
1.
Create enrollment sub domains.
2.
Enroll and disenroll KOAMs.
3. Assign the singular identity of a human user to a
Manager role.
4. Assign either a group or shared identity, as applicable
of a user set of human users to a Manager role.
5. Record evidence of identity eligibility and
authenticity, as well as reverification, when required.
6. Assign RuBAC access and Conferral sets to KMI Managers
(e.g. EM, DRM and KOARM).
7. Add or remove an attribute value in both RuBAC Access
and Conferral sets, as required.
8. Review, manage and maintain registration and enrollment
data, as applicable.
9.
Verify and maintain status information on KMI products.
10. Review, be familiar and comply with the applicable
Operational Security Doctrine for the MGC, the sKey 6500 (KOV29), and KMI Registration and Enrollment Policies.
l. Legacy Catalog Manager (LCM):
The LCM will:
UNCLASSIFIED//FOR OFFICIAL USE ONLY
5-11
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
1. Ensure timely updating of the KMI product ordering
data based on CONAUTH and CMDAUTH direction.
2. Keep the KMI Product Ordering Catalog current with
the legacy Electronic Key Management System (EKMS) for all
Traditional (Symmetric) Key Short Titles and Distribution
Management.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
5-12
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
CHAPTER 6 - EDUCATION, TRAINING, AND CMS COR AUDITS
601.
TRAINING REQUIREMENTS.
a. Personnel assigned as a KOAM or Alternate must
successfully complete formal training prior to appointment and
assumption of duties to be enrolled in KMI. The incumbent must
be enrolled to obtain the KOV-29 (token) required for the role.
The EA completing and submitting the form on behalf of the
member is responsible for verifying completion of the training
prior to submission of the form.
b. When attendance at training is not possible due to
extenuating circumstances such as hospitalization, unplanned
loss, death, or immediate Relief for Cause of Account personnel,
etc., the EA is permitted to still complete the KMI Form 002, if
an official waiver to the formal training requirement has been
granted by the Service Authority (NCMS). Waivers of this nature
must be submitted to NCMS via record message and must include
the unit’s ISIC, TYCOM and servicing COR Audit Team. A sample
waiver request can be found in Annex H. NCMS may authorize a
waiver of up to 90 days for a KOAM and 180 days for an Alternate
to complete formal training. If granted, the EA will annotate
on the KMI Form 002, the originator and DTG of the Service
Authority waiver and will submit a copy with the KMI Form 002.
c. The above flexibility set forth at the National level is
not intended to accommodate administrative matters such as
regular leave, stand downs, etc… when training is otherwise
available. Commands must ensure reviews are conducted of
manning documents prior to personnel transferring or separating
to enable early identification of a replacement and ensure the
prospective KOAM or Alternate meets designation requirements for
the position including completion of formal training.
d. Personnel appointed, registered and enrolled based on a
Service Authority waiver will not have a Windows user-account on
the MGC and will only be permitted access to the MGC/AKP in the
role of a "witness" for TPI purposes. Personnel appointed under
a Service Authority granted waiver must also review and
understand the Two-Person Integrity (TPI) section of Lesson 25
"KMI MGC Operator Training Key Distribution".
e. A KOAM or Alternate performing the duties of the Client
Platform Administrator (CPA) must be Level 1 Information
UNCLASSIFIED//FOR OFFICIAL USE ONLY
6-1
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
Assurance Technician (IAT) certified within 180 days of
assignment to IA duties in accordance with DOD 8570.01M.
f. In organizations where the roles and duties of the CPA
are performed by other appointed, cleared and certified
personnel, the KOAM or Alternate are not required to be Level 1
IAT certified.
g. IAT Level 1 certification can be attained through
successful passing of the COMPTIA A+, COMPTIA Network+, or the
ISC2 System Security Certified Practitioner (SSCP) examination.
See Appendix 3 to DoD 8570.01(Series) for additional
information.
h. The command or service Designated Approval Authority or
Authorizing Official (DAA/AO), not NCMS, may grant IA
certification waivers consistent with the criteria and time
limitations set forth in DoD 8570.01M. NCMS will take no action
on IA certification waivers received.
i. The KMI-Interactive Courseware (ICW) is a prerequisite
for attendance in the formal KMI Manager COI. It is available
on the Total Workforce Management System (TWMS), the My Navy
portal, the Navy Information Application Product Suite (NIAPS)
server for afloat units and the Navy E-Learning (NEL) ashore and
afloat. Completion of the COI on the NEL must be on the side
(ashore or afloat) the ICW is started on. A minimum score of
80% or better is required to successfully complete the ICW.
All COR Auditor personnel are also required to complete the ICW
prior to appointment. The course must be successfully completed
every 3 years for active COMSEC Account Managers and COR Auditor
personnel.
The course can be completed via government computer or personal
computer with a valid CAC card and reader. Minimum hardware and
software requirements: Windows 7 or higher, IE 11, Adobe Flash
Player, Adobe PDF Player and Active Card reader for the CAC card
reader.
j. A quick reference matrix reflecting training requirements
can be found in Figure 6-1.
603.
KEY MANAGEMENT INFRASTRUCTURE (KMI) MANAGEMENT CLIENT
(MGC) COURSE OF INSTRUCTION (COI).
UNCLASSIFIED//FOR OFFICIAL USE ONLY
6-2
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
GENERAL.
All automated accounts must have a minimum of two formally
trained MGC operators at all times. Should unforeseen
circumstances result in the absence of all trained operators,
the account must discontinue processing automated transactions
immediately and report that fact to NCMS. In such a scenario,
the account must revert to back to manual accounting operations
until a minimum of two formally trained personnel are available
and appointed in writing unless a waiver has been requested from
and is granted by NCMS as discussed above.
a. KMI Operating Account Manager (KOAM) Course of
Instruction (COI). The KOAM COI is 15 days and is intended to
train KOAMs, Alternates and COR Auditors on use of the MGC suite
to perform basic account management functions including;
distribution, destruction, issuance, and transfer of COMSEC
material. This training also addresses how to register,
initialize, endorse, activate, and enroll both users and KMIAware devices in the KMI system. The target audience for the
COI is those whose official duties in the following roles
require access and use of the MGC/AKP including:
(1)
(2)
(3)
(4)
(5)
(6)
(7)
(8)
(9)
KOA Managers
Controlling Authority (CONAUTH)
Command Authority (CMDAUTH)
Product Requester (PR)
Device Registration Manager (DRM)
Device Local Type 1 Registration Authority (DLT1RA)
Personnel Local Type 1 Registration Authority (PLT1RA)
Token Security Officer (TSO)
Legacy Catalog Manager (LCM)
It is highly recommended that KOAMs scheduled to attend training
have prior experience in most, if not all of the following areas
prior to attendance:
(1) Experience as a COMSEC Account Manager and knowledge
of DON COMSEC policy.
(2) Proficiency and understanding of Microsoft WindowsBased operating system.
(3) Familiarity with the use of ancillary fill devices,
i.e. SKLs, TKLs, etc…
UNCLASSIFIED//FOR OFFICIAL USE ONLY
6-3
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
(4) Knowledge, experience and understanding of the use of
Public Key Infrastructure tokens/certificates for managing
access to DoD systems.
(5) Knowledge and experience configuring and/or
maintaining a High Assurance Internet Protocol Encryptor (HAIPE)
device.
NOTE: With exception to unforeseen circumstances, i.e.
death, extended TDY, relief for cause, etc... to negate
unnecessary expenditure of funding for required training,
including attainment of applicable 8570.01 certification
and to promote continuity in account management, it is
not recommended that individuals with less than six (6)
months remaining in their present assignment be appointed
as a KOAM.
605.
KMI TRAINING LOCATIONS.
a. The formal KMI training is available in each of the fleet
concentrated areas and Marine Expeditionary Force (MEF)
locations reflected in Article 305 to EKMS-1(series).
b. Attendance criteria: Attendance at the KOAM COI is
restricted to personnel who meet the same grade, security and
length of service requirements outlined in EKMS-1(series)
Article 305. Additionally, prospective students must be
appointed to positions requiring attendance. This training is
not for LE personnel, KOA Agents (unless the incumbent is also a
KOAM), CPAs or CPSOs.
609.
ADDITIONAL KOAM TRAINING REQUIREMENTS.
a. If a KOAM or Alternate is also performing the duties of
the Client Platform System Administrator (CPA), such personnel
must also:
1. Be certified at a minimum as an Information Assurance
Technician (IAT) Level 1 in accordance with DOD 8570.01M.
2. Complete the CPA computer-based training.
for the URL.
See Annex F
3. Complete the required Information System Privileged
Access Agreement and Acknowledgement of Responsibilities form
required by DoD 8570.01M. A sample can be found in Annex I.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
6-4
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
b. In organizations where the roles and duties of the CPA
are performed by other appointed and properly trained and
cleared personnel, the KOAM or Alternate is not required to be
IAT Level 1 certified.
c. Personnel appointed as a CPA with administrative
privileges are performing those duties within the computer
environment and must meet Information Assurance Technical (IAT)
Level 1 training or higher.
d. Personnel performing IA functions must obtain one of the
certifications required for the IAT position assigned to. IAT
Level 1 certification baseline requirements can be obtained by
successful completion of any one of the following:
(1)
(2)
(3)
Comp TIA A+
Comp TIA Network +
(ISC) 2 System Security Certified Practitioner (SSCP)
e. Personnel performing duties as the TSO must complete the
computer-based training reflected in Annex F.
611.
PERSONNEL QUALIFICATION STANDARDS (PQS).
a. All military personnel except those assigned to USCG and
USMC accounts appointed or designated as KOA Managers,
Alternates, KOA Agents/LEs Issuing and LE Using, must complete
the applicable portions of the latest version of NAVEDTRA 43462
(EKMS or KMI, as applicable) PQS for the position they are
fulfilling. The PQS can be obtained from the Navy Knowledge
Online (NKO) Portal.
b. Although PQS is not required for civil service employees,
due to the outsourcing of COMSEC account management duties at
many shore commands, Commanding Officers may, at their own
discretion require all personnel with access to COMSEC material,
including civil service employees and contractors complete PQS
for the respective position appointed, i.e. Manager, LE Issuing
or LE Using, as applicable. If required for civil service
employees, the requirement should be documented in the employees
Position Description (PD) and Performance Appraisals and also
written into the commands local COMSEC policy and any related
LOAs/MOUs for external LEs supported, as applicable.
613.
CMS COR AUDITS.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
6-5
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
a. CMS COR Audits will be conducted on a biennial basis by
the COR Audit Teams or other CMS COR Auditors certified by NCMS.
b. CMS COR Auditors must meet the criteria set forth in
EKMS-3(series)
c. The criteria related to incidents, PDSs and
administrative discrepancies found in EKMS-3(series) will remain
in place in assessing the health and management of the account.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
6-6
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
KMI TRAINING MATRIX
ICW
Command
Authority
Controlling
Authority
Formal
Training
Required
NA
CBT for
Role
PQS
Yes
No
NA
NA **
CPA
CPSO
DLT1RA
No
No
No
NA
NA
Yes
KOAA/LE
Personnel
No
NA
NA
When
developed
for KMI
Yes
Yes
CPA & TSO
CBT if
serving
as either
NA
NAVEDTRA
43462-2
(304
section)
NA
KOAM
CPA *
CPSO
NA
NA
NA
NA
DoD 8570.01 (IAT
Level 1)
Yes, only if
also serving as
a KOAM serving
as a CPA. No,
if serving as a
KOAM but the CPA
role is
fulfilled by
other cleared
and certified
personnel
Yes
Yes
Yes, only if
also serving as
a KOAM serving
as a CPA.
No, unless
performing as a
CPA, CPSO or
other non-KMI
related position
with privileged
access requiring
such.
Yes, only if
performing as a
CPA
Remarks
The CPA,
CPSO and
any other
non-KMI
duty
requiring
privileged
access
requires a
Privileged
Access
Agreement
be
executed
by the
incumbent
(See Annex
I)
Yes, only if
also serving as
a KOAM serving
as a CPA.
TSO
No
NA
TSO
NA
No, unless
performing as a
CPA or other
non-KMI related
position with
privileged
access requiring
such.
COR Auditor
Yes
Yes
Yes
Yes
Yes, only if
Personnel
performing a
role requiring
certification
“R” indicates recommended; not mandated. Not included herein are external roles
performed by CMIO, NCMS and SPAWAR. ** Personnel performing duties as a Controlling
Authority must also complete the NSA Controlling Authority CBT.
PLT1RA
No
Yes
Figure 6-1
UNCLASSIFIED//FOR OFFICIAL USE ONLY
6-7
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
CHAPTER 7 – ACCOUNTING AND ACCOUNTING FUNCTIONS
701.
a.
ACCOUNTING (GENERAL).
All COMSEC material is accountable.
b. COMSEC material is accountable based on its assigned
Accountability Legend Code (ALC).
c. ALC-1, 2, and 6 material is accountable to the Central
Office of Record (COR). ALC-4 and 7 material is locally
accountable after initial receipt. Regardless of ALC, all
COMSEC accountable material will be accounted for and managed
within the MGC. In addition to CHVP products, other non-COMSEC
accountable items cannot be accounted for in the MGC Product
Inventory and if discovered must be documented in accordance
with Chapter 9 of this manual.
d. With exception to CIKS or other locally accountable
materials that do not possess a CMCS/KMI-wide recognizable Short
Title, the movement of all COMSEC material into, within and
outside an account, is the responsibility of the KOAM and
Alternates and will be documented with appropriate documentation
produced from the account’s MGC.
e. Manual accounting is only permitted for (a) items that
cannot be accounted for in the MGC environment (as discussed
above); (b) at the LE Issuing level; or (c) when operationally
necessary to issue physical material when the account’s MGC is
not operational due to a system casualty or when the account
must revert to manual accounting due to non-availability of
formally trained account management personnel.
f. If during any inventories a classified COMSEC accountable
item or Controlled Cryptographic Item (CCI) is discovered that
is not being accounted for or an item cannot be found, a COMSEC
incident report is required in accordance with Chapter 8. The
loss or finding of unclassified material not marked or
designated CRYPTO or not CCI must be documented and reported in
accordance with Chapter 9.
g. Found or missing material MUST be brought into proper
accountability or relieved from accountability through the use
of a Possession or Relief from Accountability Report, as
applicable. These reports will NOT be used without written
prior approval to do so from NCMS when related to a COMSEC
UNCLASSIFIED//FOR OFFICIAL USE ONLY
7-1
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
incident or Reportable PDS.
h. All destruction, generation, possession, relief from
accountability and transfers involving ALC-1, 2, and 6 material
must be reported to the COR, Tier-1 or PRSN, as applicable.
i. Transaction logs will be printed, closed out annually and
retained for the current and previous (2) years.
j. Cryptographic High Value Products (CHVP) products are not
COMSEC accountable and cannot be accounted for in the MGC
Product Inventory. If acquired, they must be locally accounted
for as high-value government property. When keyed, they must be
safeguarded based on the level of the key loaded but are
unclassified if the CIK is removed and stored separately, if the
device makes use of CIKS. See CNSSI 4031 for additional
information on CHVP products.
703.
OVERVIEW OF MGC ACCOUNTING FUNCTIONS.
KMI provides accountability and tracking services compatible to
those used to manage and account for COMSEC material in the
COMSEC Material Control System (CMCS) using previous automated
systems but with additional enhancements.
KMI will improve accountability and security as well as reduce
manpower requirements associated with inventory requirements by
tracking products directly delivered to ECUs and not to an
account for issuing to LE personnel.
a. The MGC will provide for automated accounting for both
physical and electronic COMSEC material, including keying
material, authenticators, operating and maintenance manuals
(KAOs/KAMs), Controlled Cryptographic Items (CCI) and other
COMSEC items requiring accountability within the KMI.
Some of the accounting functions, features or processes provided
by the MGC include an Accountable Item Summary, Transaction
Status Log, Inventory Reports, Reconciliation, Material Issues,
Transfers, Destruction, Generation, Tracer Notifications,
Conversion Reports, Possession and Relief from Accountability
Reports.
b. DON entities will continue to operate with Tier 1
performing COR-related functions including the processing of
transactions reported.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
7-2
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
705.
a.
MANAGEMENT OF COMSEC MATERIAL IN AN ORGANIZATION.
Receipting for COMSEC Material.
1. Personnel receipting for COMSEC material must be
authorized access to COMSEC material, have a security clearance
equal to or higher than the HCI of the account, be SCI eligible
(if the account is validated for SCI/SI material), be properly
trained, be appointed in writing, complete a SD Form 572, be on
the CMS Form-1 or USTC Form-10 for the account, as applicable,
and have written authorization (Official command letter or
Courier Card).
2. If the account HCI is TS, two personnel will conduct
all material pickups from DCS, regardless of whether the account
gets little, if any, physical TS material. NCMS will not waive
this and if the account has no requirement for TS material, the
KOAM should consult with their chain of command and NCMS to
consider changing the HCI of the account to Secret.
3. COMSEC material picked up/dropped off must be
transported directly to/from the command and be properly
safeguarded at all times until properly stored or signed for
when material is turned in. Delays or stops except for
emergencies are strictly prohibited.
4. Use of a POV is highly discouraged and to the fullest
extent possible government vehicles should be used.
5. Physical material including keying material, code
books, authenticators, and CCI equipment will be visually
inspected upon receipt, page checked (unsealed books and/or
amendments) and the accounting information will be verified
against the related transfer documentation. See Annex E for page
check requirements.
6. Discrepancies with accounting reports must be corrected
and reported to the originator or the shipment within 24 hours.
Hard copy documentation must be manually corrected by the
recipient and the use of the “select exceptions” or similar
function in the MGC must be used in processing electronic
receipts to prevent receipting for material either not received
or not as reflected on the associated accounting reports.
7. Receipts for material or the reporting of corrupt Bulk
Encrypted Transactions (BETs) must be reported to the COR and
UNCLASSIFIED//FOR OFFICIAL USE ONLY
7-3
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
originator of the transfer within 3 business days of receipt of
the material or downloading of BET. Non-compliance with the 96
hour time frame must be documented in accordance with Chapter 9.
8. Material received with a damaged outer wrapper will be
documented in accordance with Chapter 9. Material received in
which the inner wrapper, box or material itself is damaged or
could have been tampered with must be reported in accordance
with Chapter 8.
b.
Issuance of COMSEC Material on a Local Custody Basis.
1. All COMSEC material not physically held or reflected as
“on hand” at the account level must be documented with a local
custody document. When such occurs outside an automated
environment, a manual SF-153 will be used.
2. Issuances of material outside the MGC/AKP environment
will not be conducted except by a LE-issuing or for physical
material issues when the account has experienced a MGC failure.
3. It is the responsibility of the KOAM, Alternate or LE
Issuing entity to verify personnel signing local custody
documentation meet all of the below requirements PRIOR to
issuing material to the personnel. See (Figure 7-1) below.
Requirement (Narrative)
Be authorized access to COMSEC
material either on an access list
for the space/work center in
which assigned or in the form of
an individual appointment or
designation letter signed by the
current CO/OIC.
Have a security clearance within
scope and equal to or higher than
the material to be issued.
Be SCI eligible and indoctrinated
(if being issued keying material
used to protect SCI/SI
information.
Remarks
Access list must be less than 12
months old. Access lists,
appointment or designation letters
must be updated and signed by the
new CO within 60 days of a Change
of Command.
Recommend the KOAM consult with the
Security Manager to ensure
clearance data on access lists and
designation letters is consistent
with that reflected in the Joint
Personnel Adjudication System
(JPAS) or other security-related
database.
This should be verified by the
Security Manager and/or Special
Security Officer (SSO) at the time
of appointment, designation or when
access lists for spaces where these
personnel are assigned is updated.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
7-4
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
Be properly trained.
Complete a SD Form 572 (only
required if access to keying
material or equipment which
permits extraction of key is
require; not for end users of CCI
without access to keying
material)
Letter of Agreement/Memorandum of
Understanding (LOA/MOU)
If military, with exception to USCG
and USMC, PQS is not optional, it
is required for KOAMs, Alternates,
Clerks, LEs or Users.
KOAM must have on file.
Required when providing support to
personnel of other commands than
the one owning the account.
If the above has not been verified, consult the appropriate personnel
prior to issuing COMSEC material to the individual(s).
Figure 7-1
NOTE: For one-time support to embarked personnel including
Special Forces, squadron personnel in transit, etc… the
KOAM must have written documentation that the recipients
are appropriately cleared, authorized access to COMSEC
material and authorized to hold the material by the
Controlling Authority. If the Controlling Authority cannot
be contacted, the Commanding Officer may authorize
the issuance but the Controlling Authority must
be notified via phone, email or record message within 24
hours and provided the recipients unit information to
ensure notifications related to emergency supersession or
crypto period changes are sent to the unit.
For these
unique, often time-sensitive mission critical functions, a
LOA/MOU is not required. The written authorization
submitted by the requesting unit authorizing their
personnel access to COMSEC material infers that the
requesting command bears full responsibility for compliance
with the other requirements noted above (clearance within
scope, PQS, CRYPTO briefing requirement) and not the
issuing KOAM or Alternate. Just because a LE draws support
in the above scenarios does not imply it is for further
issue (as a LE Issuing). When issued in electronic form,
the recipient personnel may very well all be Users.
4. Due to differing retention periods, it is highly
recommended keying material or code books not be issued on the
same local custody SF-153 with CCI equipment.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
7-5
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
5. Keying material issued will be limited to that which is
required by the work center. Most accounts typically issue
material on a monthly basis for supported work centers.
NOTE: Policy prohibits issuing red (unencrypted) keying
material marked or designated as crypto prior to 30 days
before its effective date; however, this refers to the
edition not individual segments. Accounts may issue keying
material or book-packaged material (in the canister or
electronically) up to 30 days before the edition is
effective.
6. If the keying material required is only available in
physical canister form, up to (3) segments may be issued or the
entire canister must be issued. When issued extracted segments,
the supporting KOAM will create and provide a local destruction
record (CMS-25) for the segments issued and will provide the
most recent status information message to the recipient.
7. Up to a maximum of 120 days’ worth of keying material
may be issued to a fill device (i.e. electronic storage device;
DTD, SKL, TKL) to support real-world operational or contingency
missions without a waiver from NCMS. To mitigate or reduce
risk, KOAMs must realize the amount permitted for issuance in
these scenarios may exceed what is operationally required and
should consider the operational location, re-supply methods,
risk to the materials and the impact to all holders of the key
to limit the amount to that required for the mission.
8. The timeframes and limits discussed above are not
applicable to Black Key packages. With the concurrence of the
Controlling Authority, both current and future editions may be
issued in a black key package without authorization from NCMS
provided the KEK is withheld by the KOAM or LE Issuing and not
made available to the end user prior to 30 days before the
effective period of the keying material with which it is
associated.
9. For units in a combat environment, keying material will
be issued in electronic form. If the material is only available
at the supporting account in physical (canister form), it will
be extracted prematurely at the account level and issued in an
electronic fill device (DTD, SKL, TKL). The KOAM will create a
CMS-25 for the extracted material and annotate the material was
prematurely extracted for loading in support of operational
requirements (two personnel at the account level will sign and
UNCLASSIFIED//FOR OFFICIAL USE ONLY
7-6
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
date the CMS-25 and reseal the segments extracted). This is NOT
a PDS; however, if the segments are not resealed and the
premature extraction not explained and documented on a CMS-25,
it must be reported as a COMSEC incident, in accordance with
Chapter 8 herein.
10. One edition of When-Directed (WHENDI) material may be
issued to LE personnel operating in areas where resupply is not
possible or could impede operational mission requirements.
11. The KOAM will retain the original, signed and dated
local custody document for a period of 90 days after the
material has either: (a) been superseded and destroyed; or (b)
returned and signed for by the KOAM or Alternate. The KOAM must
provide a copy to the recipient of the material and will also
provide a copy of an up-to-date status message for the material
issued.
c. Management of COMSEC Material at the User, Work Center,
LE or KOAA Level, as applicable (Watch and non-watch
environment)
1. In a watch environment, where a shift in responsibility
occurs from supervisor to supervisor per shift, or a non-watch
environment, all COMSEC material including CIKS for equipment
issued will be reflected and accounted for on a watch to watch
inventory.
2. The provisions of this section are not applicable to
individuals issued only KSV-21 cards for secure voice
communications, however, these and other similar COMSEC
accountable items will be issued using proper local custody
procedures and the immediate reporting of a loss or compromise
of a card, or other COMSEC accountable product to the KOAM is
the direct responsibility of the holder.
NOTE: This change (related to a non-watch inventory) is
because policy has and will continue to require an
inventory be conducted in a non-watch environment when a
security container storing COMSEC material is opened. Use
of a LCI document in lieu of a watch to watch inventory
created for and previously used to receipt for the
material, does not permit for additional signatures when
an inventory is required.
3.
The inventory will reflect, the Short Title, Edition
UNCLASSIFIED//FOR OFFICIAL USE ONLY
7-7
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
and Register/Serial Number for all ALC-1 and ALC-6 material
issued. ALC-2, 4 and 7 materials may be listed by Short Title,
Edition (if applicable) and Quantity.
4. Equipment, regardless of ALC, may be reflected as a
single line item on watch to watch inventories. The quantity
must match the quantity of like items held when more than one
and must be adjusted if an increase or decrease occurs as result
of an additional like item being issued or returned to the
custody of the KOAM.
5. All COMSEC material requiring page checks will be page
checked during watch-to-watch inventories or when a security
container is opened if in a non-watch environment. This
includes book packaged (unsealed) material, segmented keying
material removed from its protective packaging, maintenance
manuals, operating manuals (KAMs/KAOs) and repair (Q-kits), if
issued. Any discrepancies will be brought to the attention of
the watch supervisor immediately while all watch personnel are
present. Unresolved discrepancies will be reported immediately
to the KOAM or Alternate.
6. In a space which is not a watch environment but the
space is shared or accessible by other cleared personnel,
installed or spare equipment not requiring storage in a security
container will be inventoried daily when the space is occupied.
For this reason, it is highly recommended the inventory be
segregated into (2) parts keying material, books, fill devices
stored in a safe and installed equipment not stored in a safe.
This is not applicable to individuals issued KSV-21 cards.
7. The inventory will be signed by (2) properly cleared,
trained and authorized personnel however the responsibility
itself remains that of the supervisor or person in charge of the
work center.
8. Any adjustments to a watch to watch inventory will be
done in black ink, and initialed by the person making the change
and verified and initialed by a second person. Example: the
inventory reflects AKAC 1553 Edition 34 Reg Number 72. This
item is turned in to the vault when the ship pulls in or the
material is no longer required. The watch personnel will lineout the remaining calendar days on the watch-to-watch inventory,
annotate the line item entry on the inventory to reflect the
material as turned in to the KOAM and (2) personnel. Two
personnel will date and initial line-outs or additions to
UNCLASSIFIED//FOR OFFICIAL USE ONLY
7-8
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
inventory documents.
9. The KOAM or Alternate, as applicable, will return in
the MGC any material returned to the account and will prepare
and sign for the material(s) returned providing a copy of the
custody document to the work center returning the material.
10. At both the work center and account level, local
custody documents will be retained for 90 days from the date the
material is turned in, destroyed, or upon submission of the next
completed LE inventory, as applicable.
11. Local custody files will have (2) sides to them; an
active side for custody documents for material still issued and
an in-active side for documents related to materials turned in
or destroyed.
The corresponding local custody issuing document used to issue
the material will be annotated as returned or destroyed, destroy
on or after (90 days from the date turned-in or destroyed), as
applicable and placed on the inactive side of the local custody
file. The same can be applied upon receipt of a Manager
provided, LE conducted inventory. If other materials were
issued using the same local custody document, the material
returned or destroyed will be lined-out and initialed by account
and LE personnel, as applicable and the local custody document
will remain on the active side of the local custody file until
the remaining materials reflected are destroyed or turned in to
the account.
12. All inactive files will have the authorized date of
destruction reflected/annotated on them, which will be 90 days
from the material turn-in date.
13. Watch-to-watch inventories will be retained on file for
a minimum of 30 days beyond the last date recorded.
14. If during a training visit or CMS COR Audit, it is
discovered the LE is accounting for the material on a watch-towatch inventory but the LE does not have the local custody
document on file, as required, have the LE report to the KOAM or
an Alternate, obtain a copy from the account files and file it
in the work center’s local custody file. This is not to be
assessed as an incident when the material is being accounted for
on a watch-to-watch inventory and the KOAM has the original
local custody file. However, training should be conducted on
UNCLASSIFIED//FOR OFFICIAL USE ONLY
7-9
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
the spot to educate work center personnel on the purpose,
importance and retention period for local custody documents.
15. Failure to adhere to proper local custody procedures
(issuing material without such) must be reported in accordance
with Chapter 8.
d.
Loading and Usage of Keying Material.
1. Keying material will be used in accordance with the
effective and supersession guidance promulgated by the
Controlling Authority of the material.
2. Premature usage (does not require successful
establishment of communications) involves the loading of key
prior to its effective date when the circuit is either online or
an on-the-air attempt to establish communications has occurred.
Premature usage requires reporting to the Controlling Authority
in accordance with Chapter 8.
3. For Have Quick radios, operational requirements and
logistical constraints will dictate whether more than two daily
keys (current and future) up to a maximum of 6 segments may be
loaded in the Have Quick Radio at the discretion of the
Operational Commander or Commanding Officer, as applicable.
4. During normal operations, two segments of weekly key or
one segment of annual key may be issued and loaded into the
TAMPS. Up to a maximum of six weekly segments may be loaded
when operational requirements warrant doing so, but this should
be operationally and not convenience driven.
5. With the consent of the Controlling Authority, up to 31
daily segments (single edition) of Link-16 Traffic Encryption
Key (TEK) may be loaded by squadron personnel in the
Multifunctional Information Distribution System Joint Tactical
Radio System (MIDS-JTRS).
6. Keying material used in systems employing off-line
encryption such as the KL-51, AN/PYQ-20, etc… may be retained
and used for up to 72 hours from the time of supersession.
7. Key Encryption Key (KEK) and Traffic Encryption Key
(TEK) usage and destruction for KG-84/KIV-7 point to point
applications will be in accordance with NAG-53(series). It
should be noted herein that NAG-53(series) continues to strictly
UNCLASSIFIED//FOR OFFICIAL USE ONLY
7-10
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
prohibit retention of KEK used in point to point applications
and requires that segments used be destroyed within 12 hours of
loading. Failure to comply with this is a COMSEC incident in
accordance with Chapter 8.
NOTE: On a circuit supported via OTAR or during OTAD or
OTAT operations, the KEK used must be equal to or higher in
classification than the TEK encrypted/decrypted. Except in
a communications emergency, use of a KEK classified lower
than the TEK is a COMSEC incident and must be reported in
accordance with Chapter 8. This includes OTAD operations
when the key loaded on the KSV-21 is classified lower than
the key passed electronically.
8. The loading of Pre-Placed Key (PPK), Authenticated PrePlaced Key (APPK), FF Vector Sets (FFVS) and Enhanced Firefly
Vector Sets (EFFVS) will be in accordance with the Operational
Security Doctrine (OSD) for the device. EKMS Managers must
review, train on and provide a copy of OSDs to LE personnel.
e.
Authorization and Transferring COMSEC Material.
1. COMSEC material will not be transferred without prior
authorization except as indicated in the matrix on the following
page (Figure 7-2). Transfer documentation must reflect the
source of the authorization.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
7-11
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
Proper
Authorization
Command
Authority
(CMDAUTH)
Commanding
Officer
Keying
CCI
Material, Code
Books,
Authentication
Tables
NA
No
Asymmetric
(Modern)
Key
Remarks
Yes
Yes
Yes
Yes
Controlling
Authority
(CONAUTH)
Yes
No
NCMS (Service
Authority/
COR)
TYCOM/FLTCDR
No
Yes
Yes
No (Unless
they are the
CONAUTH of the
material)
Yes
Yes (If
they are
the
CMDAUTH)
NA
Emergency transfers
only. Report to
CMDAUTH, CONAUTH
and COR via message
after the fact.
If the material is
ALC-6 or ALC-7 and
the account
conducting the
transfer is the
CONAUTH, other
authorization is
not required. If
ALC-6 material is
involved, it must
be reported to the
COR.
Only for partitions
and key managed
See EKMS-5A Art.
401, if required.
Figure 7-2
2. COMSEC material will not be transferred (permanently or
temporarily) to a contractor/vendor account without prior NCMS
approval. With exception to device failures in which the
equipment is under warranty, these matters are handled on a temp
loan basis and NCMS is responsible to issuing temp-loan numbers
to ensure that DON funded assets are properly returned to the
issuing DON account.
3. COMSEC equipment, including CCI, will NOT be
transferred or issued to any foreign government/country. These
matters require prior approval from NSA (DP22) and are typically
UNCLASSIFIED//FOR OFFICIAL USE ONLY
7-12
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
conducted under the Foreign Military Sales (FMS) program.
4. U.S. only keying material will not be transferred,
issued to or loaded by non-U.S. personnel without express
permission from the Controlling Authority, except as indicated
in National Doctrine.
5. COMSEC equipment transferred or issued requiring
shipment to a geographically detached entity will NOT be shipped
with any associated CIKS or PINS included in the same shipment.
Such will be shipped physically separate and not in one box
placed inside the same box as the associated equipment.
6. Electronic transfer documentation may be used but a
printed hard copy must be included with the shipment and
maintained on file by the originating account pending receipt of
an electronic receipt from the recipient.
7. If the recipient used the “select exceptions feature”
to indicate the material received did not match the
documentation, a local investigation must be conducted to
determine if the material reflected on the transfer
documentation was reflected but not actually shipped. If the
item reflected was not received and cannot be accounted for at
the account which originated the transfer, a COMSEC incident
must be submitted in accordance with Chapter 8.
8. If no discrepancies exist and the recipient receipts to
the COR and originator of the shipment with an electronic
receipt, the originator of the shipment may discard the unsigned
paper SF-153 used to document the transfer.
9. Recipients of physical shipments may reconcile for the
material with an electronic SF-153, if provided by the
originator but will complete, sign and retain the SF-153
enclosed with the material in accordance with Annex T to EKMS1(series).
10. Originators of physical shipments are required to
notify the intended recipient within 24 hours of entering the
material into shipment and provide the recipient with the
article number, the method of delivery (DCS, Registered Mail,
FEDEX, etc…) and date of the shipment. If a receipt is not
received within 30 days, the originator must contact the
intended recipient and if not received initiate tracer action.
If within five working days of initiating tracer action, the
UNCLASSIFIED//FOR OFFICIAL USE ONLY
7-13
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
location of the item(s) cannot be ascertained, the originator
will submit a COMSEC incident report in accordance with Chapter
8 based on the potential that the material is lost.
11. CCI equipment will not be installed on foreign ships
for exercises or other purposes without properly cleared and
authorized personnel being present at all times from the time
the equipment is brought onboard until it is removed and
returned by the U.S. personnel to the supporting account. These
functions require prior submission and approval of a Ship Rider
Request (SRR) as discussed in CJSCI 6510.06B which is available
in the Information Assurance (IA) Library on NSA’s SIPRNET site.
f. Use of Possession and Relief from Accountability Reports
and Required Authorization. Possession and Relief from
Accountability reports are considered special accounting reports
and although not always, are generally related to found or
missing material associated with a COMSEC incident.
1. Except under the scenarios outlined in subparagraphs
f.2 – f.3 below, prior authorization from NCMS in writing is
required to generate, prepare or make use of Possession and
Relief from Accountability reports.
2. Prior authorization from NCMS to use a Possession
Report is not required to bring items into accountability under
the following scenarios:
a. Material received via an inter-service transfer
conducted with a DD-1149.
b. Reproduced copies of book packaged material, when the
Handling Instruction for the publication permits such.
c. AKPREINIT Flash Drives when an AKP is site
initialized or subsequent changeover is conducted.
d. New backup media for use in conducting backups or
creating images on the MGC.
e. To bring into accountability COMSEC material removed
from a host system.
3. Prior authorization from NCMS is not required to
perform a Relief from Accountability when required to
conduct and document an inter-service transfer or when a
UNCLASSIFIED//FOR OFFICIAL USE ONLY
7-14
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
separately accountable Lowest Repairable Unit (LRU) is installed
in a host which is already accounted for in the CMCS.
4. Possession and Relief from Accountability reports
involving ALC-1, 2, and 6 materials must be submitted
electronically to NCMS (COR) within 3 business days or when the
CO signs the end of the month destruction report for the
account, whichever occurs first.
5. Do not submit possession and Relief from Accountability
reports to the COR for ALC-4 or 7 materials.
6. All possession reports require three signatures; KOAM,
Alternate (or properly cleared witness) and the Commanding
Officer. In the absence of the CO, another official may sign as
“Acting”. The use of By-Direction is strictly prohibited for
COMSEC accounting reports.
7. Both Possession and Relief from Accountability reports
require three signatures: the KOAM, Alternate (or properly
cleared witness), and the Commanding Officer.
707.
INVENTORY REQUIREMENTS
a. Account Level Inventories. COMSEC material, including
keying material, code books, and authenticators and CCI
equipment will be inventoried at a minimum of semi-annually or
as indicated in the below matrices (Figures 7-3 or 7-4).
Beginning
Account Number
Ending Account
Number
100000
158501
200000
258101
300000
358201
158500
199999
258100
299999
358200
399999
1st semi-annual
(fixed-cycle)
month
Jan
Feb
Mar
Apr
May
Jun
2nd semi-annual
(fixed-cycle)
month
Jul
Aug
Sep
Oct
Nov
Dec
Figure 7-3
Occasion
Fixed-Cycle
Inv.
When
Conducted /Witnessed by
Semi-annually
(SAIR) based on
account number
KOAM and Alternate or other
properly cleared and
authorized person serving
Remarks
Failure to conduct,
and retain inventory
documentation must be
UNCLASSIFIED//FOR OFFICIAL USE ONLY
7-15
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
as a witness.
Change of
Command
Change of
Account
Manager or
LE Issuing
entity
Consolidated
Inv.
Combined Inv
Hull Swaps
Crew Swaps
Change of
Account
Location
(COAL), if
available in
the MGC
Discovery of
an unsecured
vault or
container
reported in accordance
with Chapter 8.
Required by this
manual and Chapter 8
to Navy Regulations.
In conjunction
with Change of
Command or
Change of OIC
at the account
or external LE
level.
When the KOAM
or LE Issuing
(as applicable)
is to be
replaced or has
been removed.
Is intended to
be used to
document a
simultaneous
Change of
Command and
Change of KOAM.
Occasionally
used to satisfy
the both a SAIR
and change of
command or KOAM
requirement
together
Whenever (2)
ships are
conducting a
hull swap.
KOAM and Alternate or other
properly cleared and
authorized person serving
as a witness. The outgoing
CO will sign Block 17. The
incoming CO can initial, if
desired
Will be conducted by the
outgoing person and
witnessed by their relief.
When a crew
swap is
conducted on a
submarine or
MCM ship.
Monthly
The off-going crew manager;
witnessed by the on-coming
crew manager.
KOAM or Alternate. Does
not require a physical
inventory but does require
resolution within 30 days
of IRST errors.
Used to ensure proper
submission of
documentation to
minimize accounting
discrepancies.
Circumstantial
The person responsible for
the vault or container and
witnessed by a 2nd person.
The discovery requires
a COMSEC incident
report in accordance
with Chapter 8.
Until the account is
reconciled, the
outgoing KOAM is
responsible.
Conducted by the outgoing
EKMS Manager, witnessed by
the incoming. The Outgoing
CO signs Block 17.
There is no
requirement for the
incoming CO to sign
when used with a SAIR
and Change of Command.
Conducted by the outgoing
EKMS Manager, witnessed by
the incoming. The Outgoing
CO signs Block 17.
There is no
requirement for the
incoming CO to sign
when used for a SAIR
and Change of Command.
The Manager from both units
as discussed in the remarks
column.
Requires (2)
inventories. One
conducted by the
Manager on unit “A”
and witnessed by the
Manager from unit “B”
and a second conducted
by the Manager on unit
“B” and witnessed by
the Manager of unit
“A”.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
7-16
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
Emergency
opening of a
vault or
container,
when
directed by
the CO.
Circumstantial
The person responsible for
the vault or container and
witnessed by a 2nd person.
Any material not
accounted for must be
reported with a COMSEC
incident report in
accordance with
Chapter 8.
Figure 7-4
b. Physically Conducting an Inventory. All physical
material must be physically sighted and page-checked during
inventories. This includes the use of corresponding CMS-25
(local destruction records) when inventorying segmented material
or ALC-1 book-packaged material with daily extractable pages.
Electronic keying material is inventoried through verification
of the account inventory on the MGC and verification of
electronic storage devices storing the key.
1. ALC-1 and ALC-6 material will be accounted for by the
Short Title, Edition, Serial Number and Quantity. ALC-2, 4, and
7 material will be accounted for by Short Title, Edition (if
applicable) and quantity. On-hand ALC-6/7 material is
inventoried electronically by the MGC/AKP which is a trusted and
certified component. ALC-6/7 material on the MGC Product
Inventory is verified during inventories by a KOAM and like
destruction of electronic key in EKMS or KMI does not require a
witness to carry out the function.
2. CIKS for equipment in-use or issued must be locally
accountable using a manual SF-153 for inventory purposes.
3. It is highly recommended inventories at the account and
LE/work center level be conducted by the KOAM and Alternate or
one of the two and a properly cleared and authorized person
serving as a witness.
4. For work centers located beyond 25 geographical miles
from the supporting account or spaces in which account personnel
are not permitted access, the KOAM will generate and provide an
inventory to the work center. Authorized and cleared personnel
at the work center level will conduct, properly document and
report completion of the inventory to the supporting KOAM.
5. Material turned in to a CRF, depot or vendor for repair
and return for less than 1 year will be accounted for by citing
the local custody document used to turn-in the material.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
7-17
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
6. Embedded COMSEC, i.e. KGV-68s, KOV-21s, etc… will be
accounted for based on proper operations of the device in which
it is installed in. Under no circumstance will such equipment
be opened by account personnel for inventory verification
purposes.
7. Units engaged in combat operations are exempt from
inventory requirements but must notify NCMS of the tasking and
length of such. A complete inventory is required within 45 days
of return to the home base.
8. Inventories must be signed by the two personnel
conducting the inventory and the CO or OIC (Block 17).
9. On multi-page accounting reports including inventories,
signature requirements reside on the final page.
10. The COR must be notified via record message of the
inventory completion within 90 days after the initial request
for the inventory has been submitted.
709.
STATUS INFORMATION AND DESTRUCTION.
a. Status of COMSEC Material. COMSEC material will always
be in one of the following statuses:
1. Effective: Presently authorized for use, in accordance
with the guidance promulgated by the Controlling Authority. For
asymmetric (modern) key, this is from the time the material is
produced for a period of one year and may be used until the end
of the respective calendar month produced.
2. Superseded: No longer authorized for use based on
effective and supersession guidance promulgated by the
Controlling Authority with exception to keying material used for
off-line encryption systems such as the AN/PYQ-20 for up to 72
hours after supersession.
3. Reserve on Board (ROB): Material presently not
effective and intended for future use based on status
information promulgated by the Controlling Authority.
b.
Other Status Related Terms.
1. Contingency Key: Keying material which is typically
held to sustain communications as a result of unforeseen
UNCLASSIFIED//FOR OFFICIAL USE ONLY
7-18
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
emergencies or requirements.
2. When Directed (WHENDI): Pertains to irregularly
superseded material. Such material is only put in effect when
directed by the Controlling Authority.
c.
Status Information and Responsibilities.
1. The Controlling Authority is responsible for
promulgating status information for materials under their
purview, which includes locally generated ALC-7 material. ALC-6
material will not be locally generated without approval of NCMS
and if approved, such must be reported to the COR and local
recipients or accounts provided the key via account-to-account
transfer must be provided applicable guidance related to the use
and status of the material.
2. There is no centralized source of status information
simply because of the number of Controlling Authorities within
the COMSEC community and across the services. However, if the
Controlling Authority is unknown, query the Master Reference
Catalog and enter the Short Title, it will display the
Controlling Authority. See Annex F for the URL. The Status of
COMSEC Material Report (SCMR) is a guide to be used for managing
effective and supersession information but status information
promulgated by the Controlling Authority is the only authorized
source for destruction.
3. Due to the content, intended distribution controls,
coupled with status changes promulgated more frequently than the
SCMR may reflect, the SCMR will not be:
(a) posted online for public access on any SIPR web
portal (having a security clearance and access to SIPR does not
imply all such personnel have a valid need-to-know for the
information contained);
(b)
Elements;
forwarded, reproduced or distributed to Local
(c) be used as the authoritative source to carry out
destruction of COMSEC material. The SCMR does NOT outline
effective and supersession data for individual segments; it
lists such information for the respective editions.
4.
Many Controlling Authorities disseminate status
UNCLASSIFIED//FOR OFFICIAL USE ONLY
7-19
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
information for materials under their purview using a variety of
communication mediums; these include but are not limited to:
(a) Status messages such as those promulgated by the
Joint COMSEC Management Office (JCMO) and COGARD C4ITSC are
promulgated with pre-defined Date Time Groups on a quarterly and
monthly basis, respectively.
(b) General messages, such as ALCOMs, ALCOMLANT Alfa and
ALCOMPAC P messages. Status information disseminated via ALCOM
messages is generally limited to quotes from other source
messages such as Central Facility (CF) notices, ALCOMLANT Alfa
or ALCOMPAC P messages or changes to AMSG-600 in an effort to
expand the distribution channels and reach the maximum number of
recipients requiring the information.
(c) Online via the Controlling Authorities SIPRNET web
site. Use of a search engine using a string which includes the
Short Title and key words such as effective or supersession
information will most times, if not all, provide the source URL
to the Controlling Authorities portal.
NOTE:
5.
See Annex F for a listing of helpful URLs.
KOAMs or Alternates are responsible for:
(1) Applying up-to-date status information to material
in conjunction with receipting for the material. This will
ensure the material is properly segregated at the account level
to carry out Emergency Destruction in the proper order, if
directed;
(2) Providing copies of status messages and source
Uniform Resource Locators (URLs) to material issued to internal
and external LEs;
(3) Inputting and verification of existing status
information in the MGC database PRIOR to destruction of
associated material;
(4) Notification to the COR (if generation of ALC-6
material has been approved) and providing of status information,
the intended application of the material and the KOAs validated
for the material;
(5)
Notification and providing of status information to
UNCLASSIFIED//FOR OFFICIAL USE ONLY
7-20
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
holders for ALC-7 material locally generated;
(6) Verification keying material issued has been
destroyed within the proper time frames through the review of
corresponding destruction documents, status messages and audit
trail data, as applicable.
d. Destruction Guidance Applicable at the Account and LE
Level.
1. Destruction must be authorized. This includes routine
destruction as well as emergency destruction.
2. For matters involving Sealed Authentication System Two
Person Control (SAS/TPC) material, always consult the CJCSI
3260.01 (series).
3. For routine destruction, authorization must come from
the Controlling Authority for the material; this includes keying
material, code books, authentication tables, etc…
4. For emergency destruction, must be authorized by the
CO, XO, OIC or senior person present and authorized to direct
such.
5. Destruction of COMSEC equipment will not be conducted
without written authorization from NCMS prior to doing so.
6. Always ensure up-do-date status information is
available, reviewed and used in carrying out destruction at the
account and LE level.
7. Review the working copy of the destruction report for
accuracy and ensure the material identified to be destroyed is
in fact authorized for destruction.
8. Except in instances when emergency destruction is
directed, anyone performing routine destruction and uncertain if
the material is authorized for destruction will withhold
destruction and contact the KOAM or Controlling Authority, as
applicable.
9. When conducting destruction, the first person must read
off the information on the material to be destroyed, i.e. Short
Title, Edition, and Serial Number to the second person who will
verify the information is reflected on the destruction report.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
7-21
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
If discrepancies are noted, stop the process and contact the
KOAM or Alternate. If no discrepancies exist, a second review
will be conducted prior to the destruction being carried out
with the second person reading off the information on the
destruction report to the first person for a second
verification.
10. Both the person carrying out the destruction and the
witness are equally responsible for the timeliness, accuracy and
thoroughness of the destruction.
e. Destruction Time Frames for COMSEC Material at the LE
Level.
1. In a watch environment at the LE level, superseded
COMSEC material will be destroyed within 12 hours of
supersession.
2. In a non-watch environment at the LE level, superseded
key will be destroyed within 12 hours of supersession or upon
the next opening of the security container protecting such.
3. For physical, canister packaged material in which
segments have been superseded but usage of the material is not
daily, weekly, etc… the extracted segments will be destroyed in
accordance with e.1 or e.2 above. This is a change to previous
policy but is intended to prevent possible use of the next
segment in the canister, which may be superseded resulting in a
COMSEC incident in accordance with Chapter 8.
4. If emergency supersession of a segment of material is
required and other earlier segments in the edition have not been
superseded and have pre-defined usage in accordance with a callout message or other similar guidance from the Controlling
Authority, do not extract all previous segments to carry out the
destruction of the superseded segment. Place a copy of the
emergency supersession message in a zip-lock bag with the
canister and destroy the segment when it requires extraction or
the edition supersedes, whichever occurs sooner. If the segment
is issued and stored in a DTD, SKL, TKL, etc… it will be
destroyed in accordance with e.1 or e.2 above, as applicable.
5. If an edition of COMSEC material is emergency
superseded, it must be destroyed within 12 hours of notification
of the emergency supersession.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
7-22
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
6. For multi-copy keying material, each copy of the
particular segment loaded must be destroyed immediately after
loading except for the final copy, i.e. 3/3, 5/5, etc… the final
copy must be destroyed within 12 hours of supersession.
7. Asymmetric (modern) key is Key Management
Identification (KMID) specific and when loaded, the loading must
be reported to the KOAM with a manually-created destruction
document. The same KMID cannot be used in more than one endcryptographic unit (ECU).
8. For book-packaged material consisting of tables broken
down in 6 or 12 hour increments, LE personnel do not have to
tear out the individual tables for the corresponding hours in
the day. The page associated with the particular day can be
destroyed when authorized by the Controlling Authority.
9. Superseded material onboard an aircraft is not subject
to the twelve-hour destruction criteria and will be destroyed
upon completion of airborne operations if approved destruction
devices are not installed on the aircraft or such may impede the
mission.
10. Superseded material used for systems or devices may be
retained for up to 72 hours following supersession.
11. Destroy physical, irregularly superseded maintenance,
test or training keying material when it is unreadable.
12. Destroy on-the-air test key at the end of the testing
period as determined by the test director.
13. GPS keying material may be retained and used for up to
12 hours after the regularly scheduled supersession period to
comply with the NAVSTAR GPS Selective Availability and AntiSpoofing Host Application Equipment Design Requirements with the
Precise Positioning Security Module (SAASM). Additionally, NSAGPSSOPO-0343 authorizes the use of three consecutive GPS keys
during the 12-hour period following the first key‘s regular
supersession period.
14. Amendment residue must be destroyed within 5 working
days of the amendment entry (if issued to the LE with possession
of the KAM/KAO for entry).
15.
LE personnel must verify that material documented as
UNCLASSIFIED//FOR OFFICIAL USE ONLY
7-23
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
destroyed has been properly destroyed and documented as
destroyed. Do not pre-sign or sign destruction documents (CMS25, SF-153, etc…) without verification of the device (DTD, SKL,
TKL, etc…), the destruction device used and any local
destruction documents (CMS-25 for physical keying material and
AKAC-1553s).
f. Destruction Time Frames for COMSEC Material at the
Account Level.
1. End of the month destruction for unissued material must
be carried out and documented no later than the 5th day of the
month. However, it is highly recommended the actual destruction
be carried out the 1st working day of the month and no later than
the 3rd day of the month to permit ample time to review and
confirm all working copies of destruction reports from LEs.
2. The destruction of electronic key stored on the MGC
does not require a witness. Such can be performed by a single
KOAM or alternate.
3. Asymmetric (modern) key which has been loaded by LE
personnel must be recorded as Filled in End Equipment during the
month in which it was loaded. It will appear on the next
reportable or local destruction report but the use of this
feature does not result in the creation of a working copy of a
destruction record.
4. Material issued to LE personnel must be confirmed as
destroyed no later than the 5th day of the month. However, it is
recommended the confirmation be done in the MGC when the reports
have been signed, dated and submitted to the KOAM. This affords
time to address any concerns or material which was erroneously
flagged and not authorized for destruction or destroyed. (Don’t
hold onto all signed and submitted working copies until the 5th w
day and then simply start confirming them all together; review
them for accuracy, signatures, proper annotation
(destroyed/witnessed) and if an item was lined-out “as not
destroyed” look into the matter, it may be necessary to adjust
the destruction report prior to confirmation.)
5. Material which is emergency superseded and not issued
may be destroyed at the end of the month in which the emergency
supersession occurs. A copy of the emergency supersession
message will be placed with the material (if canister packaged)
and stapled to it for book packaged material to prevent possible
UNCLASSIFIED//FOR OFFICIAL USE ONLY
7-24
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
use or issuance. However if an edition of issued material is
emergency superseded, the KOAM and Alternates must ensure the
issued edition is destroyed within 12 hours of supersession and
issue the next edition put into effect by the Controlling
Authority to the LE/work center.
6. If a segment of unissued material is emergency
superseded, place a copy of the message in a zip-lock bag with
the canister to prevent possible use or issuance. Destroy the
segment upon supersession of the segment or edition, whichever
occurs sooner.
7. When authorized by NCMS in writing, destruction of
equipment must be carried out and the destruction reported to
the COR within 90 days. Failure to carry out and report the
destruction is a COMSEC Incident in accordance with Chapter 8.
8. The destruction of KAMs, KAOs must be carried out no
later than the account’s end of month destruction following the
supersession of the editions held. For KAMs/KAOs held which are
no longer required, request disposition instructions and carry
out and report the destruction no later than the following end
of the month destruction.
9. Amendment residue must be destroyed within 5 days of
the amendment entry.
g.
Destruction Personnel.
1. Destruction of COMSEC materials must be carried out
with strict adherence to established policy and procedures.
2. With exception to the destruction of electronic key
stored on the MGC, all other destruction evolutions require two
properly cleared and authorized personnel. A person who is not
authorized access to COMSEC material in writing cannot be a
witness to the destruction of such.
3. In carrying out destruction, both the person performing
the destruction and the witness are equally responsible for
adherence to approved methods of destruction, the destruction
itself and the accuracy of destruction documents.
4. Local destruction documents including CMS-25s and SF153s MUST be verified and signed by two cleared and authorized
personnel. Never sign a destruction document when you have not
UNCLASSIFIED//FOR OFFICIAL USE ONLY
7-25
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
carried out the destruction, witnessed the destruction or
verified the accuracy and completeness of the document,
including required signature and date information on a
destruction document!
5. KOAMs and Alternates, in signing the consolidated
reports prior to submission to the CO/OIC, are certifying they
either (a) destroyed all material reflected or (b) verified the
destruction documents submitted by the work centers who
certified the material was properly destroyed.
h. Destruction Methods. Only methods and products approved
by NSA as reflected in the NSA Evaluated Products list will be
used for the destruction of COMSEC materials; see Figure 7- 5 on
the following page. For any products or devices not reflected
in the matrix, please consult the Operational Security Doctrine
(OSD) for the device or CNSS 4004.1 which is available in the
NSA IA Library. See Annex F for the URL to the IA Library.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
7-26
UNCLASSIFIED//FOR OFFICIAL USE ONLY EKMS-1E SUPP-1
Chemical
Means
NSA approved
disintegrator
Degauss or
Overwrite
Pulp
Shred
Burn
Yes
Yes
Yes
No
Yes
NA
NA
NA
NA
NA
NA
NA
Material
Paper
COMSEC and
Classified
Material,
i.e.
(AKAIs,
AKACs,
AMSHs,
USKACs)
Canister
Packaged
Keying
Material
Microfiche
Floppy
Disks
CD/DVD
Classified
Hard
Drives
COMSEC
Equipment
(CCI)
Remarks
If local policy permits burning
however, it must be reduced to
white ash and contained to prevent
loss of unburned pieces of
material. Ashes must be
inspected, broken up or reduced to
sludge. Only NSA-approved crosscut shredders may be used. For
pulping must be broken down to
non-legible fiber residue.
Yes No
No
No
Yes NA
For burning, see above. Always
punch holes in the canister;
inspect it for any segments that
may have not been completely
extracted and destroyed; Remove
and shred any barcode labels found
to still be applied and inspect
the destruction device and bag
before disposal to prevent
recovery of any undestroyed
material.
Yes No
No
Yes Yes NA
For burning or disintegration, see
above. For chemical usage
(bleach, acetone, methylene
chloride) immerse for 5 minutes,
separate film sheets
Yes Yes NA
NA
Yes Yes Floppy Diskettes must be removed
from the casing. If shredded
residue must not exceed 5mm in
size.
Always consult the latest NSA/CSS Optical Media Destruction
Guidance. See Annex F for the URL.
See the NSA/CSS Storage Device Declassification Manual and Naval
Telecommunications Directive (NTD) 03-11.
If authorized, must be destroyed
in accordance with EKMS-5A and the
NSA Equipment Demilitarization
Process.
Figure 7-5
NOTE: Do not transport burn bags of un-shredded COMSEC
material to facilities outside the command unless
controlled by the KOAM and Alternate or properly cleared
and authorized witness.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
7-27
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
CHAPTER 8 – COMSEC INCIDENTS
801. GENERAL. Due to the importance of identification and
timely reporting of COMSEC incidents, this chapter incorporates
COMSEC incidents which remain applicable under KMI and those
which are unique to KMI. KOAMs, Alternates, and LE personnel
should familiarize themselves with device specific Operational
Security Doctrine (OSD) for COMSEC equipment held by their
account. OSDs are available at the URL located in Annex F.
a. Reporting. All COMSEC incidents must be reported per DON
and National policy. Reporting is not to be delayed for any
local or external inquiries to gather additional information or
conduct root cause analysis of circumstances resulting in the
incident. Any unit detecting an incident is required to report
such and may be other than the unit which experienced or caused
the incident.
b. Types of COMSEC Incident Reports. Remain unchanged from
what is reflected in EKMS-1(series) Article 950; Initial,
Amplifying, and Final. There are no other types of COMSEC
incident reports. The subject line of all COMSEC incident
messages will indicate the type of report (Initial, Amplifying,
or Final, as applicable)” followed by REPORT OF COMSEC INCIDENT.
c.
Time Frames for Reporting.
As illustrated below.
Material involved
Effective key, key which becomes
effective within 15 days or any incidents
involving espionage, subversion,
defection, theft, tampering, clandestine
exploitation, sabotage, hostile cognizant
agent activity, or unauthorized copying,
photographing or reproduction
Future key (becomes effective beyond 15
days from the date of the incident),
superseded key, reserve on board or
contingency key
Any incident not covered by the above,
i.e. loss of CCI equipment, failure to
use LCI documentation, etc…
Figure 8-1
Report
Within
24
hours
Message
Precedence
Immediate
48
hours
Priority
72
hours
Routine
UNCLASSIFIED//FOR OFFICIAL USE ONLY
8-1
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
d. Classification. To reduce the possibility of a
spillage, all COMSEC incident reports will be sent via approved
channels and classified at a minimum of CONFIDENTIAL. See EKMS1(series) Article 930 for additional information.
NOTE: It is the responsibility of the originator to ensure
compliance with proper classification assignment, paragraph
markings (when the entire content may not be classified or
differs from that of the message) and downgrading
instructions. The receipt of any information via NIPRNET
which is marked as classified or has paragraphs marked as
such will be reported as a spillage with the originator of
such communiqués responsible for cleanup costs.
e. Required Addees for COMSEC Incident Reports. Minimum
addressees required to be on COMSEC incident reports can be
found in the matrix reflected below.
Organization
DIRNSA FT GEORGE MEADE MD
NCMS WASHINGTON DC
COMNAVIFOR SUFFOLK VA
CNO WASHINGTON DC
Action/
Remarks
Info
A/I
Action on;
- all CRYPTOGRAPHIC and
PERSONNEL incidents
- Physical incidents
involving tampering,
sabotage, covert
penetration.
- Physical incidents
where there are multiple
CAs and they are not all
DON. (Info on others)
A/I
Action on;
- Physical incidents
when a DON CA is the
violator
- Physical incidents
with more than one DON CA
and all are DON.
(Info on all others)
I
On all incidents
I
On all incidents involving
the loss of classified
material (The initial
COMSEC incident report
satisfies the mandatory
UNCLASSIFIED//FOR OFFICIAL USE ONLY
8-2
UNCLASSIFIED//FOR OFFICIAL USE ONLY
CMC WASHINGTON DC
I
COMSC WASHINGTON DC
I
COMNAVRESFOR NORFOLK VA
I
DIRNAVCRIMINVSERV
WASHINGTON DC
I
The accounts nearest
Field Office (afloat
with a NCIS Resident
aboard) must include
NCISRA nearest their
homeport)
CONTROLLING AUTHORITY
NCIS
units
agent
the
I
A
EKMS-1E SUPP-1
Preliminary Inquiry
(PI) requirement in SECNAV
M5510.36 (12-8) when the
CNO N09N2, DIRNSA and the
local NCIS field office are
included in the report.
All USMC units will ensure
CMC Washington is an info
addee on all incident
reports.
For incidents involving
keying material controlled
by COMSC, address as an
action addee. For other
incidents, all MSC
activities will ensure
COMSC Washington is an
info addee on all related
message.
All reserve force units and
activities will include as
an info addee.
On all incidents involving
the loss of classified
material(The initial COMSEC
incident report satisfies
the mandatory Preliminary
Inquiry(PI) requirement in
SECNAV M5510.36 (12-8) when
the CNO N09N2, DIRNSA and
the local NCIS field office
are included in the report.
On all incidents involving
the loss of classified
material (The initial
COMSEC incident report
satisfies the mandatory
Preliminary Inquiry
(PI) requirement in SECNAV
M5510.36 (12-8) when the
CNO N09N2, DIRNSA and the
local NCIS field office are
included in the report.
When keying material is
involved or for physical
UNCLASSIFIED//FOR OFFICIAL USE ONLY
8-3
UNCLASSIFIED//FOR OFFICIAL USE ONLY
COMPACFLT PEARL HARBOR
//N633// (CPF) or
COMUSFLTFORCOM NORFOLK VA
//N62EKMS// (USFF)
A/I
COGARD C4ITSC ALEXANDRIA
VA//BOD-IAB//
A/I
HQ USPACOM J6
A/I
The units Immediate
Superior in Command (ISIC)
I
The units Operational Chain
of Command
Evaluating Authority
(EVALAUTH)
I
Respective COR Audit Team
I
I
EKMS-1E SUPP-1
incidents involving CCI
loaded with key managed by
the respective CA.
Action for
- incidents involving
material controlled by CPF
or USFF, as applicable.
For all other incidents,
PACFLT and LANTFLT surface
ships will include either
CPF or USFF as an info
addee on incident reports.
If COGARD C4ITSC is the CA
and the incident involves
keying material send as
action. For other
incidents, USCG units will
include COGARD C4ITSC as an
info addee.
Action for incidents
involving HQ USPACOM
controlled material. For
incidents not involving
PACOM controlled material,
theater policy requires all
PACOM units include HQ
USPACOM an info addee.
If keying material is
involved and the ISIC is
the CA, address it “Action”
to the ISIC, info the other
addees.
CAAS: USCG: C4ITSC; USMC:
CMC; MSC: COMSC; USN
(FLEET): CPF/USFF; USN
(SHORE) NCMS (N5)
Info addee on all
FIGURE 8-2
The format for incident reporting outlined in EKMS-1(series)
Article 970 is reflected herein in Figure 8-5. Do not use
templates held at the account which may differ in format or
UNCLASSIFIED//FOR OFFICIAL USE ONLY
8-4
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
content.
f. Related Accounting Reports. Both the loss and finding of
classified COMSEC material or CCI require additional actions
beyond the reporting of the matter. These scenarios will
require the submission of a SF-153 Possession Report or Relief
from Accountability Report to bring into accountability or
remove the items which were found or are missing, respectively.
KOAs will NOT originate Possession or Relief from Accountability
report related to COMSEC incidents until such is authorized in
the final evaluation/close-out message from NCMS.
803. ORGANIZATIONAL RESPONSIBILITIES. All COMSEC incidents are
assigned case numbers and tracked in the National COMSEC
Incident Reporting and Evaluation System (NCIRES). To support
the NCIRES system and ensure timely reporting and evaluation of
COMSEC incidents, each service has their own COMSEC Incident
Monitoring Activity (CIMA). NCMS serves as the CIMA for the
DON.
KOAMs are responsible for submission of COMSEC incident reports
within the timeframes reflected above. Controlling Authorities
evaluate physical incidents for COMSEC material under their
purview.
The Evaluating Authority (EVALAUTH), formerly known as the
Closing Action Authority (CAA), reviews the details of incidents
or insecurities reported and determine if additional reporting
is required.
NCMS will close out incident case files following submission of
required reports or supplemental data or no later than 30 days
from the date of the initial or amplifying report (if directed
by the EVALAUTH or other organization).
805. TYPES OF COMSEC INCIDENTS. A listing of cryptographic,
personnel and physical incidents is reflected in subparagraphs a
– c below.
a.
Cryptographic incidents.
Cryptographic Incidents
Use of an AKP, KP or other Key Variable Generator (KVG) beyond
the recertification date
Failure to perform an AKP changeover annually or more frequently
Use of keying material that is compromised, expired, superseded,
UNCLASSIFIED//FOR OFFICIAL USE ONLY
8-5
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
defective, previously used (and not authorized for reuse), or
incorrect application of keying material
Premature or out-of-sequence use of keying material before its
effective date without approval of the CONAUTH.
Use, without NSA authorization, of any keying material for other
than its intended purpose
Unauthorized extension of
NOTE: The Commanding Officer can
a crypto period; this
authorize the delay in change of
includes use of superseded keying material for up to 2 hours
key, failure to perform
without Controlling Authority
an AKP changeover, failure authorization when operational
to reinitialize DTDs,
requirements necessitate such
SKLs (initialized, issued, without any external reporting
or storing key)
requirement. Controlling Authorities
may extend crypto periods for up to 7
days for point to point circuits
(KG-84, KIV-7) supported by material
under their purview. In a tactical
environment crypto periods may be
extended for up to 30 days. Longer
extensions require NSA approval.
Use of COMSEC equipment or devices not approved by NSA or with
defective cryptographic logic
Unauthorized connection to the MGC, AKP, HAIPE, USB Flash drives
or peripherals associated with the KMI client host
Plain text transmission resulting from a COMSEC equipment failure
or malfunction
Any transmission during a failure or after an uncorrected
failure that may cause improper operation of COMSEC equipment
Operational use of equipment without completion of required
alarm check test or after failure of required alarm check test
Discussion via non-secure telecommunications of the details of a
COMSEC equipment failure or malfunction
Detection of malicious code, viruses, spyware or any software not
approved by NSA on the MGC, CWMS or other COMSEC management
device
Use of a Key Encryption Key (KEK) classified lower than the
Traffic Encryption Key (TEK) passed during OTAD/OTAT operations,
except during a COMSEC emergency
Operational use of an In-Line Network Encryptor (INE) found to
not be compliant with a mandatory software upgrade by the
compliance date without a waiver from NCF or DIRNSA.
Over the Air Distribution (OTAD) of red (unencrypted key) via SKL with
using other than a NSA-approved cable
The loading of key on the SKL’s host side by means of a
data/program load; key should only be loaded on the host side
using “command request”
Downloading classified data exceeding the highest classification
of data permitted for the device in accordance with the
OSD for the device. Example: Downloading TS data to the SKL
UNCLASSIFIED//FOR OFFICIAL USE ONLY
8-6
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
which is limited to Secret-high data
The introduction of unencrypted (red) keymat in the CMWS/DMD PS,
whether intentional or accidental
The connection of the CMWS/DMD PS to an unauthorized external or
internal communications device (modem or network card) or any
device not specifically authorized
Any other occurrence that may jeopardize the crypto security of a COMSEC
system
Figure 8-3
b.
Personnel incidents.
Personnel Incidents
Known or suspected defection and/or espionage
Capture by an enemy of persons who have detailed knowledge of
cryptographic logic or access to keying material
Unauthorized disclosure of Personal Identification Numbers (PINs) and/or
or passwords used on systems, which allow access to COMSEC
material/information
Attempts by unauthorized persons to effect disclosure of
information concerning COMSEC material or unauthorized disclosure
of information related to COMSEC material
Non-compliance with separation of duty/role exclusions which may
compromise security or prevent timely detection of such
Deliberate falsification of COMSEC records
Figure 8-4
c.
Physical incidents.
Physical Incidents
Loss or Compromise of:
KMI-specific software
an AKP or KP
AKP keys (FF, MSK, Type 1 Private Keys)
AKPREINIT 1 or 2 flash drives
an AKP affiliated
CIK when unauthorized
use cannot be ruled
out
Loss of an AKP operator CIK is a locally
reportable PDS when it is reported
immediately to the KOAM and CPSO and a
review by the CPSO of the AKP Diagnostic
History Log does not reveal usage of the
CIK after the loss was discovered. If
no usage occurred, the KOAM must
immediately delete the associated CIK
split from the AKP. If detected or a
determination cannot be made report as
an incident. Guidance must be requested
and received from NCMS prior to
UNCLASSIFIED//FOR OFFICIAL USE ONLY
8-7
UNCLASSIFIED//FOR OFFICIAL USE ONLY
a KOV-29 (token)
a KG-250 or FTR
an operational CIK
associated with a lost
KG-250
EKMS-1E SUPP-1
continued use of the AKP.
Requires (a) submission of a revocation
request for the associated IA(I) and
IA(M) certificates to the PRSN and the
downloading and updating of the
Certificate Revocation List (CRL) on the
MGC to invalidate the certificates
associated with the KOV-29
Report it to the SA and EKMS Manager to
re-provision the KG-250; document
locally as a PDS when re-provisioned and
the CIK and KG-250 were not both lost.
Classified hard drives, removable media storing classified keying
material or cryptographic information (includes CDs, DVDs, floppy
diskettes, flash drives, or external hard drives)
PINS or passwords
Change immediately, update SF-700s and
associated with the
address these actions in the initial
MGC, AKP or tokens
COMSEC incident report. Use of any KMI
related tokens must be suspended pending
a local investigation. If the
unauthorized access or modification is
detected, the IA(I) and IA(M) tokens must
be deemed compromised and reported to
the PRSN for the Certificate Revocation
List (CRL) to be updated.
Keying material, pages
For KSV-21 cards: Report as an incident
from classified COMSEC
only if it; involves the loss of fill
publications (KAMs,
card or is a user card and was lost with
AKACs, AKAI, etc…),
the associated carry card or terminal.
CCI equipment, KSV-21
If it involves a user card or TPA card
cards
and the terminal is not lost also,
delete the card association with the
NOTE: Lost includes
terminal and report the loss as a
individual segments,
reportable PDS to obtain Authorization
pages or cards (Q-kits). to generate a Relief from Accountability
If charged to the
to remove the item from charge to the
account, the account
account. For loss or compromise
must have one of the
involving pre-placed key (PPK), reports
following; the material, must also include the applicable KMID
a destruction report, a and state whether any compromised End
transfer report or a
User or CPSO passwords were involved, as
relief from
applicable.
accountability report.
Loss of a valid (associated) CIK when the associated equipment
has not been properly stored or under the direct control of
properly cleared and authorized personnel. If the device was not
subject to unauthorized access document the loss as a PDS in
accordance with Chapter 9. (The KOAM, SA, TA, etc… as applicable
UNCLASSIFIED//FOR OFFICIAL USE ONLY
8-8
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
must delete the CIK association from the related equipment)
Other Physical Incidents
Unauthorized access or
This includes non-establishment of SCI
access by improperly
eligibility in JPAS for KOA Managers,
cleared personnel
Alternates and LE Issuing if the account
is validated for keying material used to
protect SCI/SI material.
Failure to properly log off a COMSEC-related system (i.e. MGC,
DMD PS) when not in use
The physical loss a classified hard drive or backup media
associated with a COMSEC management system (i.e. MGC, CMWS/DMD
PS)
The sharing of passwords or PINS associated with the MGC, CMWS/
DMD/PS, KOV-29s, etc… (except where permitted by policy)
Known or suspected
(1) for a KOV-29, if the cause of damage
tampering or damage in
is known (witnessed by 2 people), the
which the cause is
casing is not penetrated and the device
unknown
did not go into a tamper mode zeroize,
document the matter as a PDS in
See Note (1)for a
accordance with Chapter 9 and report the
KOV-29
matter locally to the CPSO; continued
See Note (2)for an AKP
use of the device is authorized.
(2) when the cause is known and
penetration did not occur and the device
is not in a tampered condition, continued
use must be authorized by the Commanding
Officer of the KOA or NCMS. Tamper of
an AKP does require submission of an
incident report (See the OSD
for the MGC paragraph 10.2.1.10.2 –
10.2.1.11 for additional information).
unexplained zeroization For the AKP, if the cause of the
of an AKP or KOV-29
zeroization is known although an
incident report is still required,
a field recovery of the AKP may
be performed if authorized by NCMS, NSA
or the Commanding Officer when
immediate operational mission
requirements supporting real world
operations warrant such. A field
recovery may not be performed when the
AKP has been found zeroized and such
is unexplainable.
A KSV-21 (fill card) or user card if lost with its associated
carry card or terminal. (For TPA cards or user cards not lost
with its carry card or terminal, see the Reportable PDS section
in Chapter 9).
Unauthorized access or use of the AKP, HAIPE, MGC, AKPREINIT
Flash Drives, Operator CIKS or AKP Diagnostic History Log (DHL)
AKP or KOV-29 Audit Log When such indicates suspicious or
UNCLASSIFIED//FOR OFFICIAL USE ONLY
8-9
UNCLASSIFIED//FOR OFFICIAL USE ONLY
anomalies
EKMS-1E SUPP-1
unauthorized access or use to the MGC,
KOV-29 or AKP.
Applicable to devices which have been/are
Initialized or storing key, per the
requirements of the specific OSD. (See
Chapter 10 herein for any stated
exceptions. Where reflected, such
would apply to SDSs, TKLs, etc….
Failure to conduct,
document and retain
proof of compliance
with monthly audit
trail reviews
for audit capable
devices such as but not
limited to DTDs,
To minimize auditing and annual
SKLs, TKLs,
re-initialization requirements, it is
Talon cards, etc…
highly recommended devices not required
for use be returned to the account
level, have the audit trail data
reviewed, the device zeroized and the
batteries removed.
Material left unsecured This includes a GSA-approved container,
vault door or door to a facility with
COMSEC material stored or installed when
appropriately cleared and authorized
personnel are not present.
Loss of TPI for; (1)
This includes; physical material as well
Top Secret keying
as storage devices protecting such when
material except as
the CIK is not stored separately; leaving
indicated in EKMS-1
an AKP logged; or single person access
(series)Article 510.f
to AKPREINIT 1 & 2 Flash Drives
or where a waiver has
regardless of the accounts HCI.
been granted from NCMS
in writing or (2)
AKPREINIT 1 & 2 Flash
Drives)
Failure to utilize or missing Local Custody documents
Improperly packaged or shipped COMSEC material, including, the
shipment of CIKS/PINS/Passwords with the associated equipment.
Receipt of COMSEC material in which the inner wrapper is
damaged or reveals possible tampering
Receipt of COMSEC
Ensure prior to reporting that the
material with signs of
applied tamper labels are visually
tamper or equipment
inspected. If missing or damaged,
received in an
communicate this in the initial COMSEC
unexplained tampered
incident report.
state.
Material documented as
This includes material erroneously
destroyed and found to
flagged and confirmed as destroyed
still exist
although not destroyed ONLY if material
was not lined-out and initialed on the
destruction report to indicate the
material was not destroyed.
Destruction of COMSEC material; by unauthorized means;
improperly cleared or personnel not authorized access to COMSEC
UNCLASSIFIED//FOR OFFICIAL USE ONLY
8-10
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
material or COMSEC material not completely destroyed and left
unattended or found to still exist.
Undocumented removal of For physical keying material, create a
COMSEC material from
CMS-25 and annotate a statement to
its protective
explain the removal. The statement must
packaging, i.e.
be signed and dated by the person and a
physical keying
witness. Report it, when documented
material or sealed
properly as a reportable PDS to the CA,
book packaged material. NCMS, your COR Audit Team and the
Unit’s COC. If done for loading of a fill
device or to issue individual segments
to a LE, do not report it as a PDS
(EKMS-1 (series) Article 769.g note 1
permits this) but the CMS-25 must be
created and documented as described.
Actual or attempted
This includes both full or limited
unauthorized
maintenance by personnel not meeting
maintenance,
EKMS-5(series) Article 111 training and
maintenance by
documentation requirements, i.e. not
unauthorized personnel
trained, no DD-1435 on file with the
or non-adherence to
KOAM.
prescribed procedures.
Opening or tampering with the KOV 21 cryptographic card (embedded
in the SKL) housing by other than the depot or manufacturer
Loss of TEMPEST integrity as a result of not visually inspecting
devices requiring such; AKP, DTD, SDS, SKL, etc…
Failure to delete a lost CIK from the device it is associated
with i.e. DTD, SDS, SKL
The discovery of a clandestine electronic surveillance or
recording device in or near a COMSEC facility
Unauthorized copying, reproduction or photographing of COMSEC
material
Late destruction of physical COMSEC material and electronic
versions of NATO keying material. Late destruction of other
electronic material will be documented per Article 903.a herein.
Premature or inadvertent destruction of NATO material (physical
or electronic format). Premature/inadvertent destruction of nonNATO material will be documented per Article 903.a; if resupply
is required, report the matter per Article 903.b and 905.
Any other incident that may jeopardize the physical security of
COMSEC material
Figure 8-5
UNCLASSIFIED//FOR OFFICIAL USE ONLY
8-11
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
O 301929Z JAN 17
FROM: USS SHELLBACK
TO: CONAUTH
INFO: DIRNSA FT GEORGE G MEADE MD (OMIT IF DIRNSA IS THE CA)
CLOSING ACTION AUTHORITY
ADMINISTRATIVE CHAIN OF COMMAND
COMNAVIFOR VIRGINIA BEACH VA
NCMS WASHINGTON DC
SERVICING COR AUDIT TEAM
BT
C O N F I D E N T I A L
MSGID/GENADMIN/USS SHELLBACK/-/JAN//
SUBJ/INITIAL REPORT OF COMSEC INCIDENT//
REF/A/NCMS WASH DC/-/05APR2017//
AMPN/REF A IS EKMS-1(SERIES)//
POC/UNDERWAY, I B/LTJG/USS SHELLBACK/TEL:315-243-2247/EMAIL:
IBUNDERWAY(AT)DDG91.NAVY.SMIL.MIL//
RMKS/IAW REF A, THE FOLLOWING IS PROVIDED:
1. 427856/TS
2. USKAT 4389 EDITION F REG 1, SECRET, COMUSFLTFORCOM
3. RADIO WATCH SUPERVISOR, TS
RADIO WATCH STANDER, TS
4. DURING A ROUTINE SPOT CHECK OF THE LE, IT WAS DISCOVERED THAT
ONE OF THE TWO PERSONNEL IDENTIFIED IN PARA (3) HAD DEPARTED THE
SPACE HOWEVER, IT WAS DISCOVERED THAT THE SECURITY CONTAINER IN
WHICH THE MATERIAL IS STORED WAS SHUT BUT NOT PROPERLY LOCKED (BY
SPINNING THE DIAL) AND VERIFIED PRIOR TO SIGNING THE SF-702 AND
DEPARTING THE SPACE. ACCORDING TO THE SF-702 AND STATEMENTS
OBTAINED FROM BOTH PERSONNEL, A SINGLE PERSON HAD ACCESS TO THE
CONTAINER AND STORED MATERIAL FOR APPROXIMATELY 10 MINUTES. THE
CONTAINER IS LOCATED IN A RESTRICTED AREA WHERE ACCESS IS
CONTROLLED THROUGH A CIPHER LOCK (WHEN MANNED), AN ACCESS LIST AND
VISITORS LOG. A COMPLETE INVENTORY WAS TAKEN AND ALL MATERIAL
ACCOUNTED FOR AND IN-TACT. ONLY THE CURRENTLY EFFECTIVE SEGMENT OF
THE ITEMS DESCRIBED IN PARA (2) ABOVE HAVE BEEN REMOVED FROM THEIR
PROTECTIVE PACKAGING (CANISTER) FOR ROUTINE USE.
5. PHYSICAL INCIDENT (MATERIAL DISCOVERED OUTSIDE REQUIRED
ACCOUNTABILITY OR PHYSICAL CONTROL)
6. COMPLETE INVENTORY TAKEN WITH NO DISCREPANCIES.
7. LOCAL COMMAND INQUIRY IN PROGRESS AND TRAINING WILL BE PROVIDED
TO ALL LE PERSONNEL TO REITERATE THE NEED TO ENSURE PROPER SECURITY
PROCEDURES NOT ONLY EXIST BUT ARE FOLLOWED AT ALL TIMES.
FIGURE 8-6
THIS PAGE IS UNCLASSIFIED BUT MARKED “CONFIDENTIAL” FOR TRAINING
PURPOSES ONLY
UNCLASSIFIED//FOR OFFICIAL USE ONLY
8-12
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
8. N/A
9. NO SF-153 (RELIEF FROM ACCOUNTABILITY OR POSSESSION REPORT)
REQUIRED.
10. SAME AS POC ABOVE
11. A. 07 JUL 2013
B. 13 SEP 2013
DERIVED FROM: NSTISSI 4002//
DECL/3 YEARS FROM THE DTG OF THE MESSAGE//
NOTE: See EKMS-1(series) Article 970 for additional
information, if necessary.
FIGURE 8-6
THIS PAGE IS UNCLASSIFIED BUT MARKED “CONFIDENTIAL” FOR TRAINING
PURPOSES ONLY
UNCLASSIFIED//FOR OFFICIAL USE ONLY
8-13
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
807. COMSEC INCIDENT EVALUATION. The Evaluating Authority
(EVALAUTH) formerly known as the Closing Action Authority (CAA)
reviews details of incidents or insecurities reported by the
commands and activities for which he/she is responsible and
determines the need for further actions and reporting.
a. Assessing Compromise Probability: COMSEC incidents are
evaluated using one of the following terms:
(1) COMPROMISE: The material was irretrievably lost or
available information clearly proves that the material was made
available to an unauthorized person.
(2) NO COMPROMISE: Available information clearly proves
that the material was not made available to an unauthorized
person.
b. Compromise Probability Examples. Compromise
probability assessment is often a subjective process, even for
experienced evaluators who possess all pertinent facts
concerning a COMSEC incident. To assist in assessing compromise
probability, the following guidance is provided for the most
commonly encountered or reported incidents:
(1) Lost keying material, including keying material
believed to have been destroyed without documentation, and
material that is temporarily out of control (i.e. believed lost
but later recovered under circumstances where continuous secure
handling cannot be assured or was found in an unauthorized
location): Assess as COMPROMISE.
(2) Unauthorized access: If the person had the capability
and opportunity to gain detailed knowledge of, or to alter
information or material: Assess as COMPROMISE. If the person
was under escort or under the observation of a person authorized
access, or if physical controls were sufficient to prevent the
person from obtaining detailed knowledge of information or
material, or from altering it: Assess as NO COMPROMISE.
(3) Unauthorized absence: For personnel who have access
to keying material: Assess as NO COMPROMISE, unless there is
evidence of theft, loss of keying material, or defection.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
8-14
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
NOTE: When a person having access to keying material
is reported as unauthorized absence, all material he/she
could have accessed must be inventoried. If there is
evidence of theft or loss of keying material, or
defection of personnel, the must be considered COMPROMISED.
Ensure combinations to any containers the person had
knowledge of are changed.
c. Additional information.
– 980, if necessary.
See EKMS-1(series) articles 970
UNCLASSIFIED//FOR OFFICIAL USE ONLY
8-15
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
SAMPLE EVALUATING AUTHORITY MESSAGE
FROM: (EVALAUTH)
TO:
(VIOLATING COMMAND)
BT
UNCLASSIFIED FOUO
MSGID/GENADMIN/NCMS WASHINGTON DC/-//
SUBJ/CLOSE-OUT OF COMSEC INCIDENT CA358156 - N302-13//
REF/A/GENADMIN/USS SHELLBACK/141829ZZAPR13//
REF/B/GENADMIN/DIRNSA/071157ZMAY13//
REF/C/DOC/NCMS WASH DC/05APR2010/-//
NARR/REF A IS USS SHELLBACK INITIAL REPORT OF COMSEC INCIDENT.
REF B IS DIRNSA FINAL EVALUATION OF REF A. REF C IS EKMS1(SERIES).//
POC/U.B. UNDERWAY/IA03/N5/NCMS WASHINGTON DC/TEL:240-857-7704
/EMAIL:[email protected]//
POC/C.U. LATER/IA03/N5/NCMS WASHINGTON DC/TEL:240-857-7708
/EMAIL:[email protected]//
RMKS/1. CONCUR WITH FINAL EVALUATION OF NO COMPROMISE. (REF B
GERMANE)
2. ENSURE MEASURES ARE PUT IN PLACE TO MINIMIZE THE POTENTIAL
FOR A REOCCURRENCE.
3. UNLESS ADDITIONAL INFORMATION BECOMES AVAILABLE WHICH COULD
CHANGE THIS ASSESSMENT, THIS CASE IS NOW CLOSED.
4. RETAIN THIS MESSAGE AND RELATED REFERENCE DOCUMENTS IN YOUR
CORRESPONDENCE FILE IAW REF C.//
BT
Figure 8-7
UNCLASSIFIED//FOR OFFICIAL USE ONLY
8-16
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
CHAPTER 9 – PRACTICES DANGEROUS TO SECURITY (PDSs)
901. GENERAL. Practices Dangerous to Security (PDSs) are
practices that although not reportable at the National level
indicate deviation from prescribed policy and could indicate a
need for assistance, a review of internal practices or
additional training to reduce the potential or prevent COMSEC
incidents.
a. Types of PDSs. PDSs are broken down into two categoriesNon-Reportable and Reportable; however, all PDSs are reportable
at a minimum to the Commanding Officer of the account.
b.
PDS Documentation.
1. Non-reportable PDSs will be documented via official
memorandum or communicated via official, digitally signed email.
2. Reportable PDSs will be submitted via official message
and must be classified at a minimum of Confidential to promote
consistency with COMSEC Incident reports and prevent potential
spillage.
Regardless of method communicated, records of both nonreportable and reportable PDSs will be maintained on file at the
account level in accordance with EKMS-1(series) Annex T. Any
PDS discovered during an audit not documented and reported as
required, will be documented in the results and the respective
CO will be briefed on the findings.
c. Reporting Time Frames. Reportable PDSs will be reported
as indicated in accordance with Article 905 below.
903.
a.
PDSs BY CATEGORY.
Non-reportable PDSs
Improperly completed accounting reports; unauthorized or missing
signatures, incomplete short title information
Physical material transferred with status markings applied to the
material
Mailing, faxing (via non-secure fax) or emailing as attachments
SF-153s which contains status information or used/completed
CMS-25s. NOTE: If sent via email, a report of spillage and
Preliminary Inquiry (PI) is mandatory in accordance with SECNAV
UNCLASSIFIED//FOR OFFICIAL USE ONLY
9-1
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
M5510.36 Art 12-4 and Naval Technical Directive (NTD) 11-08.
COMSEC material not listed on local element (LE) or user
inventory when documentation exists at the account level to
indicate the material is issued to the LE or user, as applicable.
Issuance of red (unencrypted) keying material in hardcopy form
marked/designated CRYPTO, without authorization, more than 30
days before its effective period
Removal of keying material from its protective packaging prior
to issue for use or removing the protective packaging without
authorization, as long as the removal was documented on the CMS25 and there was no reason to suspect espionage. NOTE: See
EKMS-1(series) Article 769.g note 1 for exceptions where
premature extraction is not deemed a PDS. If NATO material is
involved and the extraction was not conducted and documented per
Article 769.g.1 to EKMS-1(series), report as an incident per
SDIP-293.
Receipt of a package with a damaged outer wrapper, but an intact
inner wrapper
Late destruction of non-NATO electronic key
Premature/inadvertent destruction of non-NATO key [if resupply
is required report the matter per 903.b below; the destruction
report must also be submitted to the COR for resupply to occur]
Activation of the anti-tamper mechanism on or unexplained
zeroization of COMSEC equipment as long as no other indications
of unauthorized access or penetration was present
Failure to maintain OTAD/OTAR/OTAT logs
Failure to perform an AKP Rekey at a minimum of annually
Failure to change passwords or PINS every 90 days or update
corresponding SF-700s [or at first login thereafter for KOV-29
used at accounts with different crews (gold, blue, etc..
submarine community)
Failure of the KOAM or Alternate to review and document the
review of the MGC Transaction Status Log (TSL) weekly
Failure to download, review and record KOV-29 audit log
reviews at a minimum of every 90 days.
Failure to perform MGC backups at a minimum of weekly, when the
transaction status changes or more frequently, as required.
Failure to archive KOA accounting data, every six months, retain
a copy of the archive media for (4) years or submit a copy of
the archived data to the CSN within 30 days or archiving
The discovery of non-COMSEC accountable material in the Product
Inventory
The discovery of client images or backups older than the latest
set/version
UNCLASSIFIED//FOR OFFICIAL USE ONLY
9-2
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
Loss of a valid (associated) user CIK when the associated device
was not subject to unauthorized access. Document as a PDS in
accordance with this chapter. NOTE: The KOAM, SA, TA, etc… as
applicable must delete the CIK association from the device.
The loss or finding of unclassified material not marked or
designated crypto or CCI
Discovery of a damaged KOV-29 when the cause is known (witnessed
by 2 people) and the casing has not been penetrated.
Failure to report receipt of COMSEC material or corrupt Bulk
Encrypted Transactions (BETs) within 3 business days of receipt
or download, as applicable
Failure to conduct, document and retain semi-annual selfassessments or spot checks
Non-submission by the CPSO of an exact copy of archived audit
data to the Central Service Node within 30 days of the archive
Failure to create and retain two (2) AKP operationally
affiliated CIKs (One primary, one backup)
Personnel performing the role of the CPA or CPSO who are not IAT
Level 1 or higher certified within 180 days of appointment; if
the DAA/AO has granted a waiver, it must be not be older than 6
months from the time of appointment
Failure of the TSO to regularly inspect and document inspections
of active tokens
Failure of the KOAM to inspect tamper-evident bags if used in
lieu of a TPI container daily or upon next opening of the
security.
Failure of the CPSO to verify the MGC BIOS password in
conjunction with audit data archives
Failure of the CPSO to export the AKP Diagnostic History Log to
the MGC every six (6) months
Failure to inventory affiliated DTD, SKL, and TKL CIKs during
account inventories
Discovery of a software design device in a benign tampered
condition due to battery depletion. If received in a tampered
condition or signs of tamper exists, report per Article 805.
CIK failure (example KIV-7M, KG-250, etc…) if discovered, the
host device must be reinitialized and loaded with new keying
material.
Loss of User CIKS for INEs or devices which make use of CIKS.
The CIK or card association, as applicable must be deleted
promptly from the device. If the associated device is lost or
was possibly accessible to unauthorized/improperly cleared
personnel report the matter as a COMSEC incident.
Figure 9-1
UNCLASSIFIED//FOR OFFICIAL USE ONLY
9-3
UNCLASSIFIED//FOR OFFICIAL USE ONLY
b.
EKMS-1E SUPP-1
Reportable PDSs
Restoration of the MGC database using backup media and AKPREINIT
drives older than 7 calendar days old
Failure to rekey IA(I) and IA(M) certificates
NOTE: Newly appointed KOAMs should perform a rekey upon
assumption of account management duties. Should a rekey not be
performed, the AKP will be non-operational and may
adversely affect mission readiness.
Inadvertent destruction of non-NATO material when resupply is
required.
Loss of a KSV-21 TPA or user card (when the terminal or carry
card is not also lost and the association with the terminal has
been deleted by the KOAM or TPA, as applicable). For TPA cards,
the KOAM or TPA must re-establish a new TPA card for the
affected STEs at the earliest possible opportunity.
Discovery of a MGC which has been tampered, damaged, accessed by
unauthorized personnel or if the case intrusion alarm is
displayed during boot up. (See Note below)
The inadvertent introduction of Top Secret data in the MGC.
Unauthorized adjustment or modification to MGC security settings.
NOTE: See of the MGC OSD for additional guidance. The OSD can
be found in the NSA IA Library at the URL in Annex F.
Figure 9-2
905.
PDS REPORTING.
PDSs will be documented (locally) or reported externally,
as applicable no later than 72 hours from the time of discovery.
907.
PDS DOCUMENTATION (SAMPLE).
A template for both a non-reportable and reportable PDS can
be found in Figures 9-3 and 9-4, as applicable.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
9-4
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
SAMPLE NON-REPORTABLE PDS MEMORANDUM
03 Apr 2016
MEMORANDUM
From:
To:
Via:
KOA Manager (or Alternate) USS Blue Horse
Commanding Officer, USS Blue Horse
(as applicable with command administrative procedures)
Ref:
(a)
(b)
EKMS-1(series) Supp-1 dated XXXXXXX
JCMO quarterly status message DTG XXXXXXXXXXXXX
Encl:
(1)
SF-702 for XXXXXXXXXXX security container
Subj:
DOCUMENTATION OF THE DISCOVERY OF A NON-REPORTABLE PDS
1. On 02 April 2016 during the conduct of required monthly
audit trail reviews, it was discovered that XXXXXXXXXXXXXX (name
of LE) failed to destroy superseded keying material within the
time frame set forth in reference (a).
2. The late destruction was confirmed through a review of the
audit trail data, reference (b) and enclosure (1). Specifically
the material destroyed late has a daily crypto period and
enclosure (1) reveals the container was opened on 23 Mar 2016,
but segment 22 was not destroyed until the next documented
opening on 25 Mar 20162.
3. Training was conducted with work center personnel to
emphasize that in a non-watch environment if the container is
opened that both and inventory and destruction of superseded
material is required and to address the proper time frames for
carrying out destruction of superseded material to prevent
potential use and reporting of such as a cryptographic incident.
Very Respectfully
I. B. INTROUBLE
Copy to:
Account XXXXXX PDS/Incident File
XXXXXXXXXXX (LE/work center)
UNCLASSIFIED//FOR OFFICIAL USE ONLY
9-5
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
FIGURE 9-3
THIS PAGE IS UNCLASSIFIED BUT MARKED “CONFIDENTIAL” FOR TRAINING
PURPOSES ONLY
SAMPLE REPORTABLE PDS MESSAGE
P
FROM:
TO:
INFO:
XXXXXXZ XXX XX (DATE TIME GROUP)
XXXXXXX (PLA OF THE UNIT REPORTING THE PDS)
NCMS OR THE CONTROLLING AUTHORITY (AS APPLICABLE)
NCMS (ONLY IF KEYING MATERIAL IS INVOLVED AND THE MESSAGE
IS SENT ACTION TO THE CA)
UNITS ISIC
SERVICING COR AUDIT TEAM
BT
C O N F I D E N T I A L //N02280//
MSGID/GENADMIN/UNIT NAME/-/MON//
SUBJ/REPORTABLE PRACTICE DANGEROUS TO SECURITY (PDS) (U)//
REF/A/DOC/NCMS/-/XXXXXXX (THE DATE OF THIS MANUAL)
REF/B/GENADMIN/CPF/031429ZMAR13//
REF/C/PHONECON/USS BLUE FISH/CPF/01APR13//
NARR/REF A IS EKMS-1B SUPP-1. REF B IS ALCOMPAC P XXX/XX. REF C
IS PHONECON TO CPF.//
POC/NILLIE, W. R./LTJG/USS BLUE FISH/TEL:240-857-4118/EMAIL:
[email protected]//
RMKS/1. (C) FOLLOWING ROUTINE TROUBLESHOOTING OF A CIRCUIT
OUTAGE, IT WAS DISCOVERED THAT ON 01 APR 2012, LE PERSONNEL HAD
PREMATURELY LOADED SEGMENT 6 OF USKAT XXXXXX EDITION G.
2. (C) IAW REF B, SEGMENT 6 IS NOT EFFECTIVE UNTIL 080001Z APR
12. FURTHER REVIEW INDICATED THAT LE PERSONNEL DID NOT CONSULT
THE COPY OF REF (B) PROVIDED TO THE WORKCENTER AND PREMATURELY
DESTROYED SEGMENT 5 LEADING TO THE PREMATURE USAGE OF SEGMENT 6
FOLLOWING A CIRCUIT OUTAGE.
3. (C) FOR CPF, AS DISCUSSED ORIGINATOR HAS CONTACTED USS GREY
TUNA TO OBTAIN SEGMENT 5 OF USKAT XXXXXXX EDITION G VIA OTAT TO
RESTORE CIRCUIT OUTAGE.
4. (U) PERSONNEL INVOLVED WILL BE COUNSELED IN WRITING AND
RETRAINED ON PROPER USE OF STATUS INFORMATION IN HANDLING COMSEC
MATERIAL.
DERIVED FROM/EKMS-1(SERIES) SUPP-1//
DECL/02 APRIL 2015//
Figure 9-4
THIS PAGE IS UNCLASSIFIED BUT MARKED “CONFIDENTIAL” FOR TRAINING
PURPOSES ONLY
UNCLASSIFIED//FOR OFFICIAL USE ONLY
9-6
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
CHAPTER 10 - ELECTRONIC STORAGE DEVICES
1001.
GENERAL.
This annex provides basic guidance related to some
electronic storage devices (ESD) used within the DON. Where
used herein, the term ESD primarily pertains to the AN/PYQ-10
Simple Key Loader (SKL) and the KIK-11/Tactical Key Loader
(TKL). Users of Controlled Cryptographic Items (CCI) should
always consult the Cryptographic Operating Manual (KAO) or
Operational Security Doctrine (OSD) for the device. When a
conflict exists, KAOs and OSDs have precedent over general
policy manuals at the service or National level.
1003.
SOFTWARE MANAGEMENT.
a. Only software tested and validated by the ISEA, authorized
via message from NCMS, and obtained from the INFOSEC web site is
authorized for installation on COMSEC equipment within the DON.
b. Records must be maintained to reflect the User Application
Software (UAS) on each ESD held by the account and will reflect at
a minimum the device nomenclature, serial number and the UAS
installed. A single spread sheet can be used for this purpose but
must be updated upon receipt of a new device or replacement of a
failed unit.
c. When
disposition
replaced by
comply with
the device.
1005.
a device is turned in to the CRF for repair/return or
instructions are received for a failed unit which is
another device, the software must be verified to
any mandatory software-upgrades directed relevant to
CLASSIFICATION, ACCOUNTABILITY, SAFEGUARDING AND ACCESS.
a. Electronic Storage Devices are unclassified CCI when the
CIK has been removed; the device and CIK are not stored together
and the host side of the device does not contain classified
data.
b. When the CIK inserted or stored together, the device both
must be safeguarded based on the highest classification of
unencrypted key or data, the higher of the two that can be
accessed or output.
c.
ESDs are generally ALC-1, CMCS accountable; associated CIKS
UNCLASSIFIED//FOR OFFICIAL USE ONLY
10-1
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
are locally accountable at the unit level (not in the MGC).
d. Unrestricted access to a SKL, TKL or CIK associated with
either containing keying material requires a clearance equal to or
higher than the keying material or data, the higher of the two and
written authorization for access to COMSEC material.
e. Unrestricted access to the SSO password must be restricted
to authorized personnel designating in writing and authorized
privileged access to the device by the CO, if personnel other than
the COMSEC Account Manager, Alternate or LE Issuing require such
access. This authorization may be in the form of an individual
designation letter or be reflected on the access list for the
space in which the individual is assigned to.
f. Loss of a CIK or device must be reported in accordance with
Chapters 8 or 9 herein.
1007. TYPES OF KEYING MATERIAL RELATED TO ELECTRONIC STORAGE
DEVICES.
a. Storage Key Encryption Key (SKEK) and LKEK/HDPK both have
a one-year crypto period from the date the device was
initialized or the splits filled, as applicable from the
MGC/AKP.
b. Devices which are initialized must be reinitialized
annually.
c. Failure to reinitialize devices which have been
initialized and not zeroized and removed from service must be
reported as a COMSEC incident in accordance with Chapter 8.
This does not apply to devices issued to school houses or COR
Audit Teams as no operational key is issued to or held by these
entities.
d. Transfer Key Encryption Key (TrKEK). TrKEK is used to
encrypt and decrypt key filled in the device and must be equal
to or higher in classification than the key it protects.
1. TrKEK is restricted to a maximum of one year crypto
period which should be the exception and not used simply for
convenience purposes. The typical prescribed crypto period for
TrKEK is one-year.
2.
TrKEK may not be distributed via DTD or SKL to STE
UNCLASSIFIED//FOR OFFICIAL USE ONLY
10-2
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
OTAD, except in an emergency. TrKeK must be preplaced in a
receiving DTD or SKL and up to one year’s worth may be
preplaced.
e. SKEK, LKEK/HDPK or TrKEK are classified based on the
highest classification of key or data stored in the device, the
higher of the two.
f. There is no ALC or accountability requirement for SKEK or
LKEK/HDPK created manually when an ESD is initialized.
g. When produced using the MGC/AKP, SKEK, LKEK/HDPK or TrKEK
will be restricted to ALC-7 material and accounted for locally.
1009. LOADING KEYING MATERIAL INTO AN ELECTRONIC STORAGE
DEVICE.
a. The amount of key must always be limited to that required
to support mission requirements consistent with limitations
imposed by the respective CONAUTH and/or OSD.
b. Unless operationally required to output key in
unencrypted (red) form, all key output from the AKP will be in
encrypted (black) form.
c. Resupply to LEs operating away from the parent account
may be facilitated through the use of a STE and OTAD, provided
the STE’s security classification is equal to or higher in
classification than the key being passed.
d. The use of a STE with either a DTD or SKL for OTAD
purposes requires the use of an NSA-approved adaptor/connector to
connect the device to the STE data port for the purpose of
distributing keying material via OTAD. Use of any other cable
not approved by NSA must be reported as a COMSEC incident.
e. All electronic key held at the account level will be
issued from the MGC/AKP adhering to local custody procedures.
f. For keying material held at the account or LE Issuing
level that is not held in electronic form, the following
guidance will be adhered to:
1. Premature extraction of key is permitted for loading
and issuance in support of operational requirements and is not
considered a PDS in these situations.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
10-3
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
2. Extracted segments of keying material not available in
electronic form will be resealed in accordance with EKMS1(series) Article 772.
3. The extraction will be documented on a CMS-25 with a
separate CMS-25 used, if more than one Short Title/Edition is
extracted from. The discovery of extracted keying material not
resealed and documented on the corresponding CMS-25 is a COMSEC
incident and must be reported in accordance with Chapter 8.
4. Premature extraction done inadvertently not to support
an operational requirement as discussed above is a nonreportable PDS in accordance with Chapter 9 if documented on the
CMS-25 as discussed below. If discovered and such was not
documented as discussed above, it must be reported in accordance
with Chapter 8.
5. A manual SF-153 will be used to return the device (if
previously issued from the MGC) and will reflect; the Short
Title, Edition, Serial Number and ALC of the material issued and
will be signed and witnessed by appropriately cleared and
authorized personnel.
1011.
VISUAL INSPECTION REQUIREMENTS.
a. ESDs are TEMPEST certified and must be visually inspected
per the OSD at the account or LE level when keying material is
stored in the device.
b. In a non-watch environment, a security container does not
have to be opened for the sole purpose of conducting a visual
inspection of a DTD or SKL. If the container is opened, an
inventory of material held will be conducted, destruction of
superseded key carried out and the device(s) will be visually
inspected. The SF-702 for the container will be compared to the
visual inspection log to ensure compliance with the policy.
c. Any device cracked or damaged will be turned in to the
supporting KOAM and will not be further used. The KOAM will
issue a replacement device and request disposition instructions
from NCMS for the damaged device.
1013.
DESTRUCTION OF ELECTRONIC KEYING MATERIAL.
a. Will occur within the same time frame set forth in Article
709 herein.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
10-4
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
b. Destruction will be witnessed and verified by a properly
cleared and trained person who is authorized access in writing to
COMSEC material.
c. With exception to when an edition of keying material
supersedes and such material is reflected on a working copy of a
destruction report provided by the KOAM for verification,
signature and return to the KOAM, there is no requirement to
document destruction of key in an electronic storage device with
auditing capability (DTD, SKL, TKL); the audit trail provides for
verification the superseded key was destroyed.
d. Because multiple personnel have access to electronic
storage devices at the work center level coupled with the fact
that in a work center where shift-work is conducted password
sharing for the SKL is permitted, it is recommended that commands
consider requiring the use of CMS-25s for the destruction of
electronic key. This promotes accountability to the individuals
responsible for the destruction if discovered to have been
conducted late or the material found to still exist and was
reflected on the LE’s end of the month destruction report which is
a COMSEC incident in accordance with Chapter 8.
1015.
TRANSPORTATION AND SHIPMENT.
Will be in accordance with EKMS-1(series) Articles 525 – 535
for additional information.
1017.
AUDIT TRAIL REVIEW REQUIREMENTS.
a. KOAMs, Alternates or other personnel designated in writing
by the unit’s CO/OIC as a Supervisory User or SSO, as applicable
are required to conduct audit trail reviews at a minimum of semiannually or more frequently per the OSD for the device if it has
auditing capability.
b. Audit trail reviews will not be conducted by a primary user
of the device nor will such person be designated as a Supervisory
User or SSO, as applicable.
c. Audit trail reviews are NOT required for devices that are
not initialized or in use. To exempt devices from auditing and
annual reinitialization requirements, when turned in or no longer
required, zeroize the device, upload and review the audit trail
data, log the review and remove the batteries from the device.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
10-5
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
d. Audit trail reviews are not required for devices issued to
COR Audit Teams, School Houses or other similar environments where
no classified or operational keying material is used.
e. It is HIGHLY recommended audit trail reviews be conducted
NLT the 5th day of the month following the month in which the
material was issued to ensure it is: (a) destroyed within the
proper time frame; (b) not found to still exist after
documenting it as destroyed. The latter requires submission of
a COMSEC incident report.
f. Each account must create, maintain and retain Audit Trail
review logs for a minimum of two years. Minimum auditable
events can be found in the OSD for the device.
1019.
ELECTRONIC STORAGE DEVICE INTERFACE FLOWS
Applicable security precautions, restrictions and guidance
related to USB port usage or approved connections to electronic
storage devices can be found in the OSD for the device.
.
1021.
EMERGENCY DESTRUCTION
a. Follow the provisions of Annex G for emergency action or
emergency destruction. Should emergency destruction be
implemented, zeroize the device and smash it with fire ax, hammer,
or other heavy object.
b. To reduce risk or more stringent security requirements
commands must remember to issue the minimum amount of key
required to carry out assigned missions and never in amounts
greater than authorized by this publication or the Operational
Security Doctrine for the device, the more stringent of the two.
1023.
REPAIR & MAINTENANCE
a. Users or other authorized personnel may perform only
limited maintenance and such is restricted to keypad and battery
replacement. Personnel replacing these parts are not required to
be Qualified Maintenance Technicians.
b. Apply silicone gel to the SKL fill ports to minimize
damage to the fill ports. The gel is available via supply
channels under the National Stock Number (NSN) 6850-00-177-5094.
Ensure compliance with applicable safety procedures including
the Material Safety Data Sheet (MSDS) in handling, using or
UNCLASSIFIED//FOR OFFICIAL USE ONLY
10-6
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
storing the product.
c. Local maintenance of ESDs is not authorized at the unit
level.
d. Ensure failed devices are zeroized. If they cannot be
zeroized, protect the device based upon the highest level of
keying material or data stored at time of failure.
e. Do not report devices which are become broken during normal
use in which the source of the damage is not suspicious and the
device has not accessible to unauthorized personnel. Remove the
device from use, and report the matter to the supporting COMSEC
Account Manager.
f. Failed devices or devices received which are defective must
be retained, accounted for and safeguarding pending disposition
instructions from NCMS which the unit is responsible for
requesting.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
10-7
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
Annex A
ACRONYMS
The following acronyms are used within this document:
AKP
ALC
AO
ASWR
BF
CONAUTH
CBT
CCI
CD
CF
CHO
CID
CIK
CMCS
CMD Auth
CMIO
CNO
CNSSI
COMSEC
COI
COR
COTS
CPA
CPSO
CRF
CRL
CSN
CTO
DCS
DIRNSA
DLT1RA
DN
DOC
DON
DRM
DTD
DVD
EA
ECU
Advanced Key Processor
Accountability Legend Code
Authorizing Official
Attack, Sensing, Warning and Response
Benign Fill
Controlling Authority
Computer Based Training
Controlled Cryptographic Item
Compact Disc
Central Facility
Client Host Only
Center for Information Dominance
Crypto-Ignition Key
COMSEC Material Control System
Command Authority
COMSEC Material Issuing Office
Chief of Naval Operations
Committee on National Security Systems
Instruction
Communications Security
Course of Instruction
Central Office of Record
Commercial Off-the-Shelf
Client Platform Administrator
Client Platform Security Officer
Central Repair Facility
Certificate Revocation List
Central Service Node
Computer Task Order
Defense Courier Service
Director, National Security Agency
Device Local Type 1 Registration Authority
Distinguished Name
Delivery Only Client
Department of the Navy
Device Registration Manager
Data Transfer Device
Digital Video Disc
Eligibility Authority
End Cryptographic Unit
UNCLASSIFIED//FOR OFFICIAL USE ONLY
A-1
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS
EM
EPL
FF
FMS
HCI
HMI
FOUO
HCI
IA
IA(I)
IA(M)
IAM
IAO
IAW
ISSM
ISSO
ICP
ICD
INFOSEC
ISIC
JCCB
JWICS
KEK
KEKL
KME
KMI
KMID
KOAA
KOAM
KOARM
KVM
LCM
LE
MGC
MSK
NCMS
NSA
NSTISSI
OMM
OOB
OpPAC
OS
OSD
OTNK
EKMS-1E SUPP-1
Electronic Key Management System
Enrollment Manager
Evaluated Products List
FIREFLY
Foreign Military Sales
Highest Classification Indicator
Human Machine Interface
For Official Use Only
Highest Classification Indicator
Information Assurance
Identification & Authentication (Infrastructure)
Identification & Authentication (Mission)
Information Assurance Manger
Information Assurance Officer
In Accordance With
Information System Security Manager
Information System Security Officer
Inventory Control Point
Intelligence Community Directive
Information Systems Security
Immediate Superior in Command
Joint Configuration Control Board
Joint Worldwide Intelligence System
Key Encryption Key
Local Key Encryption Key
Key Management Entities
Key Management Infrastructure
Key Management Identification Number
KMI Operating Account Agent
KOA Manager
KMI Operating Account Registration Manager
Keyboard/Video/Mouse
Legacy Catalog Manager
Local Element
Management Client
Message Signature Key
Naval Communications Security Material System
National Security Agency
National Security Telecommunications and
Information Systems Security
Operations and Maintenance Manual
Out Of Band
Operational Positive Access Control
Operating System
Operational Security Doctrine
Over the Network Key
UNCLASSIFIED//FOR OFFICIAL USE ONLY
A-2
UNCLASSIFIED//FOR OFFICIAL USE ONLY
PAL
PCMCIA
PDE
PDS
PIN
PKI
PLT1RA
PR
PRM
PRSN
PSN
RM
ROB
SCMSRO
SDDC
SERVAUTH
SKL
SO
SOVT
SSO
TEK
TestPAC
TKL
TLS
TPI
TrKEK
TSO
USB
USNDA
VDLS
EKMS-1E SUPP-1
Product Activity List
Personal Computer Memory Card International Assoc
Product Delivery Enclave
Practice Dangerous to Security
Personal Identification Number
Public Key Infrastructure
Personnel Local Type 1 Registration Authority
Product Requester
Personnel Registration Manager
Primary Service Node
Product Source Node
Registration Manager
Reserve-on-board
Staff CMS Responsibility Officer
Surface Deployment and Distribution Command
Service Authority
Simple Key Loader
Security Officer
System Operational Verification Test
Special Security Officer
Transmission Encryption Key
Test Positive Access Control
Tactical Key Loader
Transport Layer Service
Two-Person Integrity
Transfer Key Encryption Key
Token Security Officer
Universal Serial Bus
United States National Distribution Authority
Vault Distribution Logistics System
UNCLASSIFIED//FOR OFFICIAL USE ONLY
A-3
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
Annex B
DEFINITIONS
This glossary lists the terms for which this volume has
definition statements.
Access. The ability and means to communicate with or otherwise
interact with a system’s resources in order to either handle
data held by the system or control system components and their
functions.
Access Control. A service that protects against unauthorized
access to system resources including protecting against use of a
system resource in an unauthorized manner.
Advanced Key Processor (AKP). A Type-1 cryptographic device
that performs all cryptographic functions for a Management
Client Node and provides the interfaces necessary to exchange
information with a Client Platform, interact with fill devices,
and connect a Client Platform securely to the PRSN.
Attribute Certificate. A digital certificate that binds a set
of descriptive data items other than a public key such as
authorizations for an Access Control process either directly to
a subject name or to the identifier of another public-key
certificate.
Authentication Material. A unit of information that a
registered user employs to prove a claimed User Identity when
accessing the system.
Client Node. A type of node that enables Human Users to perform
KMI functions by accessing KMI products and services offered by
a PRSN across a communication network, invoking functions
performed locally by the Client Node, or both.
Central Services Node (CSN). The CSN is the Key Management
Infrastructure core node that provides centralized Security and
Data Management services.
Component. A set of system resources that (1) forms a physical
or logical part of the system, (2) has specified functions and
interfaces, and (3) is treated, by policies or requirement
statements, as existing independently of other parts.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
B-1
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
Computer Host. A combination of computer hardware and an
operating system (consisting of software, firmware, or both) for
that hardware which supports automated KMI functions.
Controlling Authority (CONAUTH). Official responsible for
directing the operation of a cryptonet and for managing the
operational use and control of keying material assigned to the
cryptonet.
Controlled Cryptographic Item (CCI). A secure telecommunications
or information handling equipment, or associated cryptographic
component that is unclassified but governed by a special set of
control requirements. Such items are marked "CONTROLLED
CRYPTOGRAPHIC ITEM" or, where space is limited, "CCI".
Credential. Information passed from one entity to another to
establish the sending entity’s access rights.
Crypto-Ignition Key (CIK). Device or electronic key used enable
secure operations of crypto-equipment.
Device Local Type 1 Registration Authority. The Management Role
responsible for endorsing user devices and for requesting
infrastructure Identification and Authentication credentials for
the user devices.
Device Registration Manager. The Management Role responsible
for performing activities related to registering users that are
devices.
End Cryptographic Unit (ECU). A device that performs
cryptographic functions, may be part of a larger system for
which the device provides security services and from a security
perspective, is the lowest identifiable component with which a
management transaction can be conducted.
Enrollment. The KMI process that assigns a User Identity to a
Management Role.
Evaluating Authority. The official responsible for evaluating a
reported COMSEC incident for the possibility of compromise.
Formerly known as the Closing Action Authority.
Fill Device. A COMSEC device used to transfer, store or load
key into crypto-equipment.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
B-2
UNCLASSIFIED//FOR OFFICIAL USE ONLY
Fill Group.
EKMS-1E SUPP-1
A named set of User Devices owned by a single KOA.
FIREFLY. Key management protocol based on public key
cryptography.
Global Identity. A User Identity for which the Identity
Registration Data is maintained in a database at the PRSN level
for recognition across the KMI.
Group Identity. A User Identity that is registered for a User
Set for which the KMI does not maintain a record of the members
of the set.
Hardware Token. A type of ECU that serves as a Human User’s
individual cryptographic device to carry that person’s
authentication material and any associated Identifier
Credentials or other keying material.
Highest Classification Indicator (HCI). Used to determine the
highest classification of COMSEC material that an account may
hold.
Human User.
A human being that is registered to be a user.
Identifier Credential. A data object that is a portable, secure
representation of the association between a User Identifier and
some Authentication Material which can be presented for use in
proving a claimed identity to which that User Identifier has
been assigned.
Identifier Registration Data. A subset of the User Registration
Data that describes a specific User Identifier.
Identifier Registration State. A KMI-Unique User Identifier
that has been registered and is authorized for accessing the
KMI. The difference between an Active State and Inactive State
is simply that to be Active, the registered entity must be
authorized.
Identity Registration Data. A subset of the User Registration
Data that describes a specific User Identity.
Identity Registration State. A User Identity that has been
registered and authorized for accessing the KMI. The difference
between an Active State and Inactive State is simply that to be
Active, the registered entity must be authorized.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
B-3
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
Key-Encryption-Key (KEK). Key that encrypts or decrypts other
key for transmission or storage.
Key Management Infrastructure (KMI). All parts—computer
hardware, firmware, software, and other equipment and its
documentation; facilities that house the equipment and related
functions; and companion standards, policies, procedures, and
doctrine—that form the system that manages and supports the
ordering and delivery of cryptographic material and related
information products and services to users.
KMI-Aware Device. A User Device that can receive and use
products that are wrapped for it for which a Global Device
Identity has been registered so that a product can be generated
and wrapped by a PSN for distribution to that specific User
Device for use in that identity.
KMI Operating Account (KOA).
A KMI business relationship
established to manage the set User Devices that are under the
control of a specific KMI customer organization and to control
the distribution of KMI products to those devices. This was
previously referred to as either an EKMS or COMSEC account.
KMI-Unique User Identifier. A User Identifier that can be used
to access the KMI, takes a form specified in the KMI Policy for
Registration of Users, and is unique among all current and past
User Identities.
KOA Agent (KOAA). The User Identity of a Human User is one
which has been designated by a KOAM to access KMI for the
purpose of retrieving products for User Devices assigned to that
KOA. A KOA Agent is not considered a role; it is a designation
for the registered identity of a human user which has been
associated with one or more KOAs.
KOA Manager. The management role responsible for the operation
of one of more KOAs (i.e., manages distribution of KMI to the
ECUs, fill devices, and AKPs that are assigned to the manager’s
KOA).
KMI User Number (KU#). A KMI-unique value assigned by the KMI
to a Registered User. It is used by the system’s internal
database as an index, label, or abbreviated name for associating
data elements pertaining to that user.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
B-4
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
Limited Device. A User Device for which a Local Device Identity
has been registered at an MGC, through which products are
distributed to that User for use in that identity.
Local (Device) Identity. A User Device’s User Identity for
which the Identity Registration Data is maintained in a database
at a single MGC. The device is only recognized at the accounts
MGC and not globally.
Management Client (MGC). A configuration consisting of a Client
Node that enables an external Operational Manager to manage KMI
products and services through accessing a PRSN or exercising
locally-provided capabilities. An MGC consists of a Client
Platform and an AKP.
Node. A collection of related components located on one or more
computer platforms at a single Site.
Non-KMI User Identifier. A User Identifier that cannot be used
to access the KMI as a user and either takes the same form as a
KMI-Unique User Identifier or some other form.
Over-The-Air Key Distribution (OTAD).
Providing electronic key
via over-the-air rekeying, over-the-air key transfer, or
cooperative key generation.
Over-The-Air Key Transfer (OTAT). Electronically distributing
key without changing traffic encryption key used on the secured
communications path over which the transfer is accomplished.
Over-The-Air Rekeying (OTAR). Changing traffic encryption key
or transmission security key in remote cryptographic equipment
by sending new key directly to the remote cryptographic
equipment over the communications path it secures.
PDE-Enabled Device. A KMI-Aware Device that also equipped to be
able to establish network connectivity to a PRSN PDE to obtain
KMI products and services.
Personnel Local Type 1 Registration Authority. The Management
Role responsible for personalizing a user to a device and for
requesting Infrastructure Identification and Authentication
credentials for human users.
Personnel Registration Manager. The Management Role responsible
for registering Human Users, i.e., Users that are people.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
B-5
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
Principle of Separation of Duties (Exclusions). The separation
of functions, management and security-related oversight of a
system among different entities or roles, to prevent a single
entity from subverting the process.
Primary Service Node (PRSN). The PRSN is a Key Management
Infrastructure core that provides the user’s central point of
access to KMI products, services and information.
Product Source Node (PSN). The PSN is the Key Management
Infrastructure core node that provides central generation of
cryptographic key material and Type 1 PKI certificates.
Registered User (abbreviated as User). A System Entity
authorized to receive KMI’s products and services or otherwise
access System Resources.
Set Identity. A User Identity registered for a User Set
composed of entirely of Human Users or User Devices.
Shared Identity. A User Identity registered for a User Set in
which each member of the set is authorized to assume that
identity individually and for which the KMI maintains membership
records for the set.
Singular Identity. A User Identity registered for exactly one
Human User or User Device.
Tactical Key Loader (TKL). A small, lightweight key loader
replacement for legacy key fill devices (KYK-13, CYZ-10, etc.).
Token Holder. The individual Human User who is accountable for
the use of a specific Hardware Token, including use of the
Authentication Material and other security-sensitive material
carried by the Token.
Token Holder Identity. A User Identity which belongs to the
Token Holder of a Hardware Token and to which that Token is
assigned for accountability purposes by the KMI.
Token Mission Identity. The User Identity of a Human User (or
of a User Set consisting of Human Users) for which cryptographic
material is loaded into a Hardware Token to enable the Token to
support the authentication of that Identity.
Token SO Account.
An account established on the token for use
UNCLASSIFIED//FOR OFFICIAL USE ONLY
B-6
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
by the Token SO to perform maintenance functions. These
functions include initialization, endorsement, personalization,
and general lifecycle maintenance.
Two-Person Integrity (TPI). System of storage and handling
designed to prohibit individual access by requiring the presence
of at least two authorized individuals, each capable of
detecting incorrect or unauthorized security procedures with
respect to the task being performed.
User.
See Registered User.
User Authentication. A security service that verifies a User
Identity claimed by or for a System Entity that attempts to
access the KMI.
User Core Data. A subset of the User Registration Data, that
distinguishes a Registered User from all other Registered Users,
has the same values for all User Identities of the User and
includes some attributes that have values that remain constant
over the life of the User.
User
with
as a
that
Device. A cryptographic device—a specific hardware unit
specific software running on it—that is registered to act
User, either a User that accesses the KMI directly or one
is receives KMI products and services indirectly.
User Device Sponsor. The Primary KOA Manager of the KOA that is
currently accountable for use of a User Device; i.e., the KOA to
which a User Device is currently assigned.
User Identifier. A name that can be unambiguously represented
by a printable, non-blank character string.
User Identity. The collective aspect of a set of attribute
values in which the specific individuality of a Registered User
is recognized or known by the KMI and which are sufficient to
distinguish the identity from any other.
User Number.
See “KMI-Unique User Identifier”.
User Registration. The process that; initializes an identity in
the KMI for a System Entity authorized to access the KMI. The
process also associates an identifier with the identity, may
associate authentication material with the identifier and
UNCLASSIFIED//FOR OFFICIAL USE ONLY
B-7
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
dependent upon the authentication mechanism used, may also issue
or associate with an identifier credential.
User Registration Data. The set of attribute values acquired
by, stored in and maintained in the KMI to establish and
describe a Registered User.
User Set. A set consisting of entirely Human Users or User
Devices that is registered to act as a single User.
User Set Sponsor. A Human User represented in the KMI by a User
Identity who requests that a new User Identity be registered for
a User Set and who continues to officially represent the KMI
customer organization accountable for use of the new identity.
User Sponsor. A Human User, represented in the KMI by a User
Identity, who requests that a new User Identity be registered
for a User Device or a User Set or who officially represents the
KMI customer organization accountable for the use of a
registered User Identity associated with a particular User
Device or User Set.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
B-8
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
Annex C
COMSEC LIBRARY
All KOAs must maintain a COMSEC Library, which in addition to
the library requirements set forth in Article 721 of EKMS1(series) must consist of the below documents. Accounts which
have transitioned are not required to hold EKMS-704.
Document
KMI 101 - Computer Based Training (CBT)
KMI 201 – Computer Based Training (CBT)
Token Security Officer - Computer Based Training (CBT)
EKMS-1(series) DON EKMS Policy & Procedures Manual
EKMS-1(series) Supp-1 – DON KMI Policy and Procedures Manual
Operational Security Doctrine for Key Management
Infrastructure (KMI) KOV-29 (sKey6500)
Operational Security Doctrine for the Key Management
Infrastructure (KMI) Management Client (MGC) Node
Operational Security Doctrine for KG-250X – High Assurance
Internet Protocol Encryptor (HAIPE)
Process Security doctrine for the Enrollment of KMI Managers
Process Security Doctrine for the Registration of KMI
Operating Accounts and KMI Users
Type 1 Certificate Policy (CP)
MGC Operations and Maintenance Manual for the KMI Client Node
NAG-53(series) [Shore-based accounts only]
Each of the items reflected above can be obtained from the NSA
URLs located in Annex F.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
C-1
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
Annex D
KMI FORMS QUICK REFERENCE
Form Name
KMI Form 001
KMI Form 002
KMI Form 003
KMI Form 004
KMI Form 005
KMI Form 006
KMI Form 007
Purpose
KMI Personnel Registration Form (Any person
whose official duties require registration in
the KMI)
KMI Enrollment Eligibility Form (Any person
fulfilling one or more roles reflected in the
Conferral Roles section of the form)
COMSEC Account Data for KMI Registration (New
and Transitioning Accounts Must Submit)
KMI Certificate of Acceptance and
Acknowledgement of Responsibilities (All roles
requiring a token)
Checklist for EKMS to KMI account transition
KMI Device Registration Form (EA Only)
KMI Certificate of Acceptance and
Acknowledgement of Responsibilities (Device
Sponsors Only)
Each of the above forms, as well as CPA, CPSO, and TSO training
is available online at the NSA KMI portal. See Annex F for the
URL.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
D-1
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
Annex E
CONDUCTING AND VERIFICATION OF PAGE CHECKS AND MODIFICATIONS
a. Purpose of Page checks: Page checks are conducted to
ensure the completeness of COMSEC material. Material that is
protectively packaged is intended to remain intact until the
material must be removed for issue or use and must NOT be opened
solely for page check purposes.
b. Verify Before Installation/Use: COMSEC equipment,
related devices, and components must be verified for
completeness prior to installation or use to afford ample time
to obtain replacement equipment or parts, if required.
c. Establish Internal Procedures: The Manager must
establish internal procedures to ensure that all COMSEC material
received by an account is page checked and/or verified for
completeness.
d. Certify Completed Page checks: Certification of
completed page checks for COMSEC accountable publications,
keying material or repair (Q-kits) must be recorded on the
Record of Page checks (ROPs) page for the material, the front
cover (for material having no ROPs page) or the locally created
inventory which is to be maintained inside Q-kits held by the
command.
e. Page check Requirements: Minimum page check
requirements for all COMSEC material are reflected in the matrix
(Figure E-1) in this annex. Key points reiterated herein are:
(1) Do not open sealed crates containing COMSEC
equipment or sealed/resealed packages of keying material for the
sole purpose of complying with the page check requirements upon
receipt.
(2) Page check unsealed COMSEC keying material upon
initial receipt, prior to transfer, during all account
inventories, watch-to-watch inventories or when a container
protecting such is opened in a non-watch environment and prior
to destruction.
(3) Unsealed daily changing call signs or code books
Communication Electronic Operating Instructions (CEOI) (e.g.,
UNCLASSIFIED//FOR OFFICIAL USE ONLY
D-2
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
AKAI, AKAU, AMSH) are exempt from the requirement to page check
each copy upon initial receipt. Recipients need only check one
or two copies of each new edition upon receipt to ensure page
and print continuity.
(4) To reduce the possibility of a COMSEC incident as a
result of a missing page to a classified COMSEC publication, all
classified COMSEC-related publications issued to LEs including
but not limited to KAMs, KAOs, AKACs, AKAIs, AMSH, etc. will be
page checked during watch to watch inventories or when a
container is opened if held by a non-watch environment. These
items will be indicated by an asterisk (*) on watch-to-watch
inventories to reflect that a page check is required. Due to
space limitations on the cover or ROP page, the signing of the
inventories at the LE level will certify the page check was
properly conducted with no discrepancies.
f. Procedures: Each item of printed COMSEC material
contains a List of Effective Pages (LOEP), either on a separate
page or on the front cover of the material. This list indicates
which pages should be in the publication and identifies the
status of each page (i.e., an original page or a specific
amendment number page).
NOTE: EKMS 5 (series) contains a list of components
contained as part of Repair (Q Kits) and will be consulted
to create local inventory documents and verification
purposes when conducting page checks, as required.
(1) To conduct a page check of printed COMSEC material,
compare each page in the publication being checked against its
LOEP.
(2) Each page listed on the LOEP must be in the
publication and each page must reflect the correct status.
For
example, pages identified on the LOEP as "ORIGINAL", must be
ORIGINAL pages. Pages identified on the LOEP as being a
specific amendment page (e.g., 1 or AMEND 1), must be that
specific amendment page.
g. Verify Mandatory Modifications: Verify the
installation of DON and NSA mandatory equipment modifications in
accordance with EKMS 5 (series) and/or the NSA Mandatory
Modification Verification Guide (MMVG) as follows:
(1) Should an examination of the equipment indicate a
UNCLASSIFIED//FOR OFFICIAL USE ONLY
E-2
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
requirement to install a mandatory modification, the KOAM will
ensure that the mandatory modification is installed by an
appropriately qualified maintenance technician as specified in
the instructions accompanying the modification.
(2) Before transferring equipment, the KOAM will also
ensure that the modification record (plate) on the COMSEC
equipment accurately reflects all installed modifications.
h. Report Page Check or Other Discrepancies:
If a
discrepancy is noted during the page check and verification of
any COMSEC accountable material, it must be reported in
accordance with Chapter 8 if the material is classified, marked
or designated crypto or designated CCI. For unclassified
material not marked or designated crypto or CCI, document and
report the matter in accordance with Chapter 9.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
E-3
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
PAGE CHECK QUICK REFERENCE MATRIX
TYPE OF
MATERIAL
UPON
INITIAL
RECEIPT
AFTER ENTRY
OF
AMENDMENT
WHICH
CHANGES
PAGES
UPON INSTALLATION/MODIFICATION
DURING EKMS
ACCOUNT
INVENTORIES
DURING
WATCH
INVENTORIES
PRIOR TO
TRANSFER TO
NEW ACCT
UPON
DEST
INVENTORIES
THESE PAGE CHECK REQUIREMENTS DO NOT APPLY TO KEYING MATERIAL PACKAGED IN CANISTERS
UNSEALED
KEYING
MATERIAL
RESEALED
KEYING
MATERIAL
CLASSIFIED
COMSEC
ACCOUNTABLE
PUBLICATIONS
(I.E. AKAA,
AKAC, AKAI,
KTCs,USKAC,
USKTC)
UNSEALED
MAINTENANCE
AND
OPERATING
MANUALS
YES
N/A
N/A
YES
YES
YES
YES
N/A
N/A
N/A
YES
N/A
YES
YES
YES EXCEPT
AS
INDICATED
IN ART
757.E.3
YES
N/A
YES EXCEPT
AS INDICATED
IN ART
757.E.3
YES
YES
YES
YES
YES
N/A
N/A
YES
YES
ALL
UNSEALED
AMENDMENTS
YES
BY PERSON
ENTERING &
BY PERSON
VERIFYING
ENTRY
YES
YES EXCEPT
AS INDICATED
IN ART
757.E.3
N/A
YES
YES
YES
UNSEALED
AMENDMENT
RESIDUE
N/A
BY PERSON
ENTERING &
BY PERSON
VERIFYING
ENTRY
YES
YES EXCEPT
AS INDICATED
IN ART
757.E.3
N/A
N/A
N/A
N/A
YES
MAINTENANCE
AND REPAIR
(PWB OR Q)
KITS
YES
BY PERSON
ENTERING &
BY PERSON
VERIFYING
ENTRY
N/A
YES
N/A
YES
YES
YES
YES
YES
N/A
YES
N/A
EQUIPMENT
MANDATORY
MODIFICATION
ON NSA/NAVY
YES
N/A
N/A
YES EXCEPT
AS INDICATED
IN ART
757.E.3
(CLASSIFIED
COMPONENTS
ONLY)
YES
UPON
UNCRATING
YES
N/A
YES
YES
ALL
COMPONENTS
SEE NOTE 1
CLASSIFIED
COMPONENTS
ONLY
ALL
COMPONENTS
MOD PLATE ONLY
FIGURE E-1
NOTE:
Maintenance personnel must inventory all components upon
initial local custody issue and return of repair kits.
Resealing keying material, including ROB and WHENDI material to
UNCLASSIFIED//FOR OFFICIAL USE ONLY
E-4
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
negate page check requirements is authorized.
Annex F
HELPFUL URLs
The URLs contained herein are intended to assist KOAM personnel
in obtaining: status information; information related to KMI
including Computer Based Training (CBT) material; KMI related
forms; modernization information related to CCI equipment and
related algorithms; and other information which, if consulted
may enhance the management of the account. NCMS has no
administrative privileges or operational responsibility for the
availability or content hosted on the sites reflected herein
other than the NCMS portal(s).
Status Information
NCMS has published a listing of many Controlling Authorities and
the URLs to where their status information is posted on the
SIPRNET. The file titled “Helpful URLs for COMSEC Account
Managers” also contains hyperlinks to various OPTASKs, OPORDS
and Communication Information Advisories and Bulletins
(CIAs/CIBs). The file can be found on the NCMS (SIPR)
Collaboration at Sea (CAS) Portal; the URL is reflected below.
Hyperlinks for SIPR URLs below have been removed to properly
display the correct path.
General & Other Information
NCMS CAS Portal (SIPR):
http://www.uar.cas.navy.smil.mil/secret/navy/39/site.nsf
Controlling Authority Computer-Based Training (CBT):
www.ia.nsa.smil.mil/iaservices/cawg/training/index.cfm
Defense Courier Service (DCS) Customer Service Manual and USTC
Form-10: http://www.ustranscom.mil/cmd/associated/dcd/
KMI CPA, CPSO AND TSO Computer-Based Training (CBTs) and other
information:
http://www.ia.nsa.smil.mil/iaservices/programs/km/kmi_program_of
fice/programdocs/suitabilitydocs.cfm
MGC Operators Manual:
http://www.ia.nsa.smil.mil/programs/km/kmi_program_office/progra
mdocs/suitabilitydocs.cfm
UNCLASSIFIED//FOR OFFICIAL USE ONLY
E-5
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
NSA Classified Material Conversion (CMC):
http://www.nsa.gov/cmc/
NSA KMI (SIPR) Portal:
http://www.iad.nsa.smil.mil/iaservices/km/kmi_program_office/pro
gramdocs/suitabilityDocs.cfm
NSA Master Reference Catalog
http://secure.ia.nsa.smil.mil/iaservices/cawg/mrc/index.cfm
NSA Media Destruction Guidance (including the Evaluated Products
List (EPL))
http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guid
ance/index.shtml
Operational Security Doctrine (OSD) for CCI equipment:
www.iad.nsa.smil.mil – IA Library – Doctrine
UNCLASSIFIED//FOR OFFICIAL USE ONLY
F-1
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
Annex G
EMERGENCY ACTION AND EMERGENCY DESTRUCTION OF COMSEC MATERIAL
1. Purpose. This Annex prescribes policy and procedures for
planning, protecting, and destroying COMSEC material during
emergency conditions. The KOAM is responsible for the COMSEC
portion of the Command Emergency Action Plan.
2.
Emergency Protection Planning.
a. Every command that holds classified COMSEC or CCI
material must prepare and maintain a current, written emergency
plan for safeguarding such material in the event of an
emergency.
b. For commands located within the U.S. and its territories
planning must consider natural disasters (e.g., fire, flood,
tornado, and earthquake) and hostile actions (terrorist attack,
rioting, or civil uprising).
c. For commands located outside the U.S. and its territories
and deployable commands, planning must include both an Emergency
Action Plan (EAP) for natural disasters and an Emergency
Destruction Procedures (EDP) for hostile action.
d. All activities located within the U.S and its territories
that hold classified COMSEC or CCI material will maintain an upto-date, written Emergency Action Plan for the protection of
COMSEC material appropriate for natural disasters likely to
occur in their region of the country (e.g., hurricanes in the
South, tornados and floods in the mid-West, wild fires in the
West, etc…).
e. All activities located within the U.S and its territories
will have conducted an initial written risk assessment and must
maintain an up-to-date copy of the risk determination document
that assesses the potential for hostile actions against their
facilities (such as terrorist attack, rioting, or civil
uprising). Based on the sensitivity of the operations, or the
facility, the cognizant security official will either certify
that the review has determined no need for the Emergency Plan to
consider hostile actions, or, if it is determined that a
UNCLASSIFIED//FOR OFFICIAL USE ONLY
F-2
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
potential risk exists, develop EDPs for inclusion in their
Emergency Plan.
f. The head of any department or agency may, at their
discretion, direct any facility to create an Emergency Plan that
considers hostile action, regardless of local risk. Government
Contracting Officers may also direct that the Emergency Plan for
contractor facilities consider hostile action.
g. Planning for hostile actions must concentrate on
necessary procedures to safely evacuate or securely destroy the
COMSEC material, to include providing for the proper type and a
sufficient number of destruction devices to carry out emergency
destruction. Planning for hostile action shall also include the
necessary training for all individuals who might perform
emergency destruction. By contrast, planning for natural
disasters should be directed toward maintaining security control
over the material until the situation stabilizes, taking into
account the possible loss of normal physical security protection
that might occur during and after a natural disaster. The
operating routines for COMSEC facilities should be structured so
as to minimize the number and complexity of actions that must be
taken during emergencies to protect COMSEC material. For
example:
(1) Only the minimum amount of COMSEC material should be
held at any one time; i.e., routine destruction should be
conducted frequently and excess COMSEC material disposed of in
accordance with department or agency directives. COMSEC
requirements should be reviewed at least annually to validate
need for material on hand.
(2) COMSEC material should be stored and inventoried in
ways that will facilitate emergency evacuation or destruction.
Emergency protection of classified COMSEC and CCI material
applies to U.S. Government contractor facilities, other U.S.
non-governmental entities who produce or hold COMSEC material,
and any other facilities that are designed to provide a backup
COMSEC capability (whether U.S. Government or contractor owned).
h. Planning for acts of terrorism is much more difficult but
must concentrate on maintaining security control over the
material, evacuation of the material, and/or secure destruction.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
G-2
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
i. These plans will be incorporated into the overall
Emergency Action Plan (EAP)/Emergency Destruction Plan (EDP) of
the command.
j. All Emergency Plans will be reviewed annually and updated
as necessary, or whenever changes in the local environment
dictate an update to the plan.
k. Efficient planning and training, which involving every
individual who uses COMSEC material, increases the probability
of preventing its loss or compromise during an emergency.
l. The command EAP/EDP, if not specific to LE operations,
must be modified or annexed to include specific actions to be
taken by LEs.
m. Any detachment that operates independently (i.e. aircraft
and communications/special purpose vans) from their parent
command should have their own unique EAP/EDP specifically
tailored for those times of independent operation. In all
cases, they should be included in the command's EAP/EDP.
3.
Guidelines For Minimizing Actions.
a. Hold only the minimum amount of COMSEC material at any
time (i.e., routine destruction should be conducted frequently
and excess COMSEC material disposed of as directed by
appropriate authorities).
b. Store COMSEC material to facilitate emergency removal or
destruction (e.g., separate COMSEC material from other
classified material, and segregate COMSEC keying material by
status, type and classification). NATO material may be stored
with other COMSEC material of the same classification.
c. Should an emergency situation develop, initiate
precautionary destruction or evacuation of all material not
immediately needed for continued operational effectiveness.
After destroying material, notify appropriate authorities so
they may begin re-supply planning.
4. Preparedness Planning For Disasters.
must provide for:
Planning for disasters
a. Fire reporting and initial firefighting by assigned
personnel.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
G-3
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
b. Assignment of on-the-scene responsibility for ensuring
protection of the COMSEC material held.
c. Security or removing classified COMSEC material and
evacuating the area(s).
d. Protection of material when admission of outside
emergency personnel into the secure area(s) is necessary.
e. Assessment and reporting of probable exposure of
classified COMSEC material to unauthorized persons during the
emergency.
f. Post-emergency inventory of classified COMSEC and CCI
material and reporting any losses or unauthorized exposure to
appropriate authorities.
5. Preparedness Planning for Hostile Actions. Planning for
hostile actions must take into account the possible types of
situations that may occur (e.g., an ordered withdrawal over a
specified period of time, a hostile environment situation where
destruction must be carried out in a discrete manner to avoid
triggering hostile actions, or fully hostile imminent overrun
situations). Ensure that the plan provides for the following:
a. Assessing the threat of occurrence of the various types
of hostile emergencies at the particular activity and of the
threat that these potential emergencies pose to the COMSEC
material held.
b. The availability and adequacy of physical security
protection capabilities (e.g., perimeter controls, guard forces,
and physical defenses) at the individual buildings and other
locations when COMSEC material is held.
c. Facilities for effecting emergency evacuation of COMSEC
material under emergency conditions, including an assessment of
the probable risks associated with evacuation. Except under
extraordinary conditions (e.g., an urgent need to restore secure
communications after relocation), COMSEC keying material should
be destroyed rather than evacuated.
d. Facilities and procedures for effecting secure emergency
destruction of COMSEC material must address:
(1)
(2)
Adequate number of destruction devices
Availability of electrical power
UNCLASSIFIED//FOR OFFICIAL USE ONLY
G-4
UNCLASSIFIED//FOR OFFICIAL USE ONLY
(3)
(4)
(5)
(6)
emergency
EKMS-1E SUPP-1
Secure storage facilities nearby
Adequately protected destruction areas
Personnel assignments
Clear delineation of responsibilities for implementing
destruction
e. Precautionary destruction of COMSEC material,
particularly maintenance manuals (KAMs) and keying material not
operationally required to ensure continuity of operations during
the emergency.
(1) In a deteriorating situation all "full" maintenance
manuals (i.e., contains cryptographic logic information) which
are not absolutely essential for continued mission
accomplishment must be destroyed.
(2) When there is insufficient time under emergency
conditions to completely destroy such manuals, every reasonable
effort must be made to remove and destroy their sensitive pages
(i.e., those containing cryptographic logic/classified
schematics).
NOTES: 1. Sensitive pages in U.S. produced KAMs are listed
on fold-out Lists of Effective Pages at the rear of other
textual portions.
2. Some KAMs further identify their sensitive pages
pages by means of gray or black diagonal or rectangular
markings at the upper portion of the binding edge.
f. To prepare for possible emergency destruction of
sensitive pages from KAMs in areas or situations where capture
by hostile forces is possible, comply with the following
guidance:
(1) Apply distinctive markings (e.g., red stripes) to the
binder edge and covers of all KAMs containing identified
sensitive pages.
(2) Remove the screw posts or binders rings, or open the
multi-ring binder, whichever is applicable.
(3) Remove each sensitive page from the KAM and cut off
the upper left-hand corner of the page so that the first binder
hole is removed. Care must be taken not to delete any text or
diagram.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
G-5
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
g. Should it become necessary to implement emergency
destruction, the sensitive KAM pages may be removed as follows:
(1) Remove the screw posts or binders rings, or open the
multi-ring binder and remove all pages from the KAM.
(2) Insert a thin metal rod (e.g., wire or screwdriver)
through the remaining top left-hand hole of the document.
(3) Grasp the rod in both hands and shake the document
vigorously; the sensitive pages should fall out freely.
h.
Establishment of emergency communications procedures.
(1) External communications during emergency situations
should be limited to contact with a single remote point.
(2) This point will act as a distribution center for
outgoing message traffic and a filter for incoming queries and
guidance.
(3) When there is warning of hostile intent and physical
security protection is inadequate to prevent overrun of the
facility, secure communications should be discontinued in time
to allow for thorough destruction of all classified COMSEC and
CCI material, including classified and CCI elements of COMSEC
equipment.
6.
Preparing the Emergency Plan:
a. The person who is most aware of the extent and
significance of the COMSEC material on hand should prepare the
emergency plan.
b. The Commanding Officer or other responsible official must
be aware of and approve the emergency plan.
c. If the plan calls for destroying COMSEC material, all
destruction material, devices, and facilities must be readily
available and in good working order.
d. The plan must be realistic, workable, and accomplish the
goals for which it is prepared. Factors that will contribute to
this are:
UNCLASSIFIED//FOR OFFICIAL USE ONLY
G-6
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
(1) All duties under the plan must be clearly and
concisely described.
(2) All authorized personnel at the command should be
aware of the existence of the plan.
(a) Each individual assigned duties under the plan must
receive detailed instructions on how to carry out those duties
when the plan is implemented.
(b) All personnel should be familiar with all duties so
that changes in assignment may be made, if necessary. This may
be accomplished by periodically rotating the emergency duties of
all personnel.
(3) Training exercises will be conducted at a minimum of
annually or more frequently to ensure that everyone, especially
newly assigned personnel, will be able to carry out their
duties. If necessary, the plan should be modified based on
based on the training exercise results.
(4) The three options available in an emergency are:
securing the material, removing it from the scene of the
emergency, or destroying it. Planners must consider which of
these options may be applicable to their command.
(5) For example, if it appears that a civil uprising is to
be short lived, and the COMSEC facility is to be only
temporarily abandoned, the actions to take could be:
(a) Ensure that all superseded keying material has been
destroyed.
(b) Gather up the current and future keying material and
take it along.
(c) Remove classified and CCI elements from cryptoequipment and lock them, along with other classified COMSEC
material, in approved storage containers.
(d)
Secure the facility door(s), and leave.
(e)
Upon return, conduct a complete inventory.
NOTE: If it appears that the facility is likely to be
overrun, the emergency destruction plan should be put into
UNCLASSIFIED//FOR OFFICIAL USE ONLY
G-7
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
effect.
7. Emergency Destruction Planning: Three categories of COMSEC
material that may require destruction in hostile emergencies
are: COMSEC keying material, COMSEC-related material (e.g.,
maintenance manuals, operating instructions, and general
doctrinal publications), and equipment.
a. Precautionary Destruction (Priority List A & B): When
precautionary destruction is necessary, destroy keying material
and non-essential manuals in accordance with this Annex and the
EAP/EDP.
b. Complete Destruction Priority List (C): When sufficient
personnel and facilities are available, assign different persons
to destroy the material in each category by means of separate
destruction facilities and follow the priorities listed herein
as incorporated into your EAP/EDP.
c. When personnel and/or destruction facilities are
limited, join the three categories and destroy the material
following the priorities listed in Priority List C.
8.
Emergency Destruction Priorities:
a.
Precautionary Destruction Priority List A:
(1)
(a)
Superseded keying material and secondary variables.
TOP SECRET primary keying material.
(b) SECRET, CONFIDENTIAL, and UNCLASSIFIED primary
keying material.
(2) Future (reserve on board) keying material for use one
or two months in the future.
(3)
Non-essential classified manuals:
(a)
Maintenance manuals.
(b)
Operating manuals.
(c)
Administrative manuals.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
G-8
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
b. Complete Destruction Priority List B: When sufficient
personnel and facilities are available, destroy COMSEC material
in the following order:
(1)
Keying Material:
(a) All superseded keying material designated CRYPTO,
except tactical operations and authentication codes classified
below SECRET.
(b) Currently effective keying material designated
CRYPTO including key stored electrically in crypto equipment and
FDs (see paragraph c. below regarding STE or KSV-21 material),
except unused two-holder keying material and unused one-time
pads.
(c) Zeroize all STE keying material held by the account
in the following order:
1. Operational Keying Material designated TOP SECRET,
SECRET, CONFIDENTIAL, UNCLASSIFIED.
2. Seed Keying Material – TOP SECRET, SECRET,
CONFIDENTIAL, UNCLASSIFIED.
(d) TOP SECRET multi-holder (i.e., more than two
holders) keying material marked CRYPTO which will become
effective within the next 30 days.
(e) Superseded tactical operations codes classified
below SECRET.
(f) SECRET and CONFIDENTIAL multi-holder keying material
marked CRYPTO which will become effective within the next 30
days.
(g) All remaining classified keying material,
authentication systems, maintenance, and unused one-time pads.
(2) COMSEC Aids:
(a) Complete COMSEC equipment maintenance manuals or
their sensitive pages. When there is insufficient time to
completely destroy these manuals, every reasonable effort must
be made to destroy their sensitive pages.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
G-9
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
(b) National, department, agency, and service general
doctrinal guidance publications.
(c) Status documents showing the effective dates for
COMSEC keying material.
(d)
Keying material holder lists and directories.
(e)
Remaining classified pages of maintenance manuals.
(f) Classified cryptographic and non-cryptographic
operational general publications (e.g., AMSGs, NAGs and SDIPs).
(g)
Cryptographic Operating Instructions (KAOs).
(h)
Remaining classified COMSEC documents.
(3) Equipment: Make a reasonable effort to evacuate
equipment, but the immediate goal is to render them unusable and
un-repairable. Although it is desirable to destroy jeopardized
crypto-equipment so thoroughly that logic reconstruction is
impossible, this cannot be guaranteed in most field
environments.
(a) Zeroize the equipment if the keying element cannot
be physically withdrawn.
(b) Remove and destroy readily removable classified
elements (e.g., printed-circuit boards).
(c)
Destroy remaining classified elements.
NOTE: Unclassified chassis and unclassified elements need
not be destroyed.
(d) Zeroize all loaded STEs held by the account in the
following order based on the level of keying material loaded
into the terminal: TOP SECRET, SECRET, CONFIDENTIAL,
UNCLASSIFIED. If a lack of power prohibits keying material
stored in equipment from being zeroized, ensure that all keying
material and CIKs are physically removed from the area. In
extreme emergencies, an attempt to physically destroy fill
devices and CIKs is allowed. Material can be burned or broken
as much as possible to prevent unauthorized use. It should be
noted that the effectiveness of these methods has not been
documented.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
G-10
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
c. Complete Destruction Priority List C: In cases where
personnel and/or facilities are limited, follow the destruction
priority list below:
(1) All superseded and currently effective keying material
marked CRYPTO (including key stored electrically in cryptoequipment and fill devices), except tactical operations codes
and authentication systems classified below SECRET, unused twoholder keying material, and unused one-time pads.
(2)
SECRET.
Superseded tactical operations codes classified below
(3) Complete COMSEC equipment maintenance manuals or their
sensitive pages.
(4) Classified general COMSEC doctrinal guidance
publications.
(5)
Classified elements of COMSEC equipment.
(6) Remaining COMSEC equipment maintenance manuals and
classified operating instructions.
(7)
Remaining classified COMSEC material.
(8) Future editions of multi-holder (i.e., more than two
holders) keying material and current but unused copies of twoholder keying material.
9. Conducting Emergency Destruction: Any of the methods
approved for routine destruction of classified COMSEC material
may be used for emergency destruction.
a. Printed Matter:
(1)
Destroy keying material and other classified COMSEC
publications beyond reconstruction.
(2) Destroy all "full" maintenance manuals (i.e., those
containing cryptographic logic information/classified
schematics). When time does not permit, every reasonable effort
must be made to remove and destroy their sensitive pages in
accordance with paragraph 5.e.
b.
Classified Crypto-Equipment
UNCLASSIFIED//FOR OFFICIAL USE ONLY
G-11
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
(1) Render classified crypto-equipment inoperable (i.e.,
beyond reuse).
(2) If time permits, destroy the cryptographic logic of
the equipment beyond reconstruction by removing and destroying
the classified portions of the equipment, which include certain
printed circuit boards and multi-layer boards and keyed
permuting devices.
(3) If these classified elements are destroyed, it is not
necessary to destroy the remainder of the equipment.
c. Emergency Destruction in Aircraft: When time or facility
limitations preclude complete destruction of COMSEC material
aboard aircraft, make all reasonable efforts to prevent the
material from falling into unauthorized hands.
(1) When the aircraft is operating over water and an
emergency or forced landing is imminent, zeroize the COMSEC
equipment, shred or tear up the keying material, and disperse
it. If feasible, remove the classified elements from the
equipment and smash and disperse them.
(2) If an aircraft is in danger of making an emergency
landing in friendly territory, zeroize the equipment and keep
all the COMSEC materials in the aircraft.
(3) If the aircraft is being forced or shot down over
hostile territory, zeroize the equipment, then shred or tear up
and disperse the keying material, and make all reasonable
efforts to remove, smash, and disperse the classified equipment
components.
d.
Emergency Destruction Aboard Ship:
(1) If the ship is in imminent danger of sinking in a U.S.
controlled area, zeroize the equipment, destroy all COMSEC
material as completely as possible in the time available, lock
it in security containers and permit it to sink with the ship.
(2) If the ship is in imminent danger of capture or of
sinking in an area where foreign elements would have salvage
opportunities, destroy all COMSEC equipment and all keying
material.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
G-12
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
(a) Destroy all COMSEC equipment as completely as time
permits, and jettison the undestroyed or partially destroyed
COMSEC material overboard.
(b) Place paper items and other material that could
float in weighted canvas bags before jettisoning.
e.
Emergency Destruction in Mobile Communication Vehicles:
When time or facility limitations preclude complete destruction
of COMSEC material located in the vehicle, make all reasonable
efforts to prevent the material from falling into unauthorized
hands.
10.
Reporting Emergency Destruction:
a. Accurate information relative to the extent of an
emergency is absolutely essential to the effective evaluation of
the COMSEC impact of the occurrence, and is second in importance
only to the completeness of the destruction.
b. The Commanding Officer/OIC or official responsible for
safeguarding COMSEC material, which has been subjected to
emergency destruction, is responsible for reporting the
attendant facts to the appropriate seniors in the chain of
command by the most expeditious means available.
(1) Reporting Instructions: The senior official shall
report the facts surrounding the destruction to the CNO//N614//,
NCMS//N5//, DIRNSA//I3// and the unit’s operational and
administrative command echelons as soon as possible; if
feasible, use a secure means of reporting.
(2) Required Information: Identify the following in the
report; the material destroyed, the method and extent of
destruction, and any classified COMSEC material items presumed
compromised (e.g., items either not destroyed or not completely
destroyed).
NOTE: Follow the reporting procedures for COMSEC Incidents
as outlined in Chapter 8. Ensure the EAP/EDP includes
guidance for providing the required information.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
G-13
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
Annex H
SAMPLE WAIVER REQUEST MESSAGE FOR KOAM OR ALTERNATE APPOINTMENTS
From:
To:
Info:
Unit PLA
NCMS Washington DC
TYCOM
ISIC
Servicing COR Audit Team PLA
BT
CLASSIFICATION (DETERMINED BY ORIGINATOR, BASED ON CONTENT. IF
CLASSIFIED, ENSURE COMPLIANCE WITH SECNAV M5510.36 REGARDING
SUBJECT AND PARAGRAPH MARKINGS AND DECLASSIFICATION MARKINGS)
MSGID/GENADMIN/UNIT NAME/-/MONTH//
SUBJ/WAIVER REQUEST//
REF/A/DOC/NCMS WASH DC/XXXXXXXX(MO/DD/YEAR OF THIS MANUAL)
AMPN/REF A IS EKMS-1B SUPP-1//
POC/IAM UNDERWAY/GRADE/UNIT NAME/TEL:XXX-XX-XXXX/EMAIL:
IAM.UNDERWAY(AT)NAVY.MIL (OR .SMIL.MIL, AS APPLICABLE)
RMKS/1. IAW REF A, THE FOLLOWING IS SUBMITTED:
A. IAW ARTICLES 409 AND 601 TO REF A, THE FOLLOWING IS
SUBMITTED:
B. REASON FOR THE WAIVER:
XXXXXXXXXX
C. FULL NAME, GRADE AND PROJECTED ROTATION
DATE (PRD) OF THE INDIVIDUAL IN WHICH THE
WAIVER PERTAINS: (OMIT PRD FOR CIVILIAN
EMPLOYEES)
XXXXXXXXXXX
D. SECURITY CLEARANCE DATA: INCLUDE THE
MEMBER’S: CLEARANCE, TYPE AND DATE OF MOST
RECENT SECURITY INVESTIGATION AND GRANTING
AGENCY:
XXXXXXXXXXX
E. DURATION THE WAIVER IS REQUESTED FOR:
XXXXXXXXXXX
The notes below are for informational purposes; do
not include them in the message.
NOTES: (1) IF RELATED TO THE INABILITY TO COMPLETE FORMAL
TRAINING REQUIREMENTS PRIOR TO APPOINTMENT, THIS WILL BE
LIMITED TO A MAXIMUM OF 90 DAYS FOR A KOAM OR 180 DAYS
FOR AN ALTERNATE BY NCMS. ALL OTHER WAIVERS SUCH AS
GRADE WAIVERS ARE LIMITED TO A MAXIMUM OF ONE YEAR AND
ARE NOT AUTO-RENEWED.
(2) APPROVED WAIVERS MUST BE ON FILE WITH THE
ACCOUNT AND ARE SUBJECT TO REVIEW DURING VISITS OR
AUDITS. IF IT’S NOT ON FILE AND VERIFIABLE, IT
UNCLASSIFIED//FOR OFFICIAL USE ONLY
H-1
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
DOESN’T EXIST.
(3) WAIVERS WILL NOT BE GRANTED TO PERSONNEL WITH
EXPIRED BACKGROUND INVESTIGATIONS.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
H-2
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
Annex I
STATEMENT OF ACCEPTANCE OF RESPONSIBILITIES
KEY MANAGEMENT INFRASTRUCTURE (KMI) MANAGEMENT CLIENT (MGC),
CLIENT HOST ONLY (CHO) OR DELIVERY ONLY CLIENT (DOC)
INFORMATION SYSTEM PRIVILEGED ACCESS AGREEMENT AND
ACKNOWLEDGMENT OF RESPONSIBILITIES
Date: __________
1. I understand there are two DoD Information Systems (IS);
classified (SIPRNET) and unclassified (NIPRNET), and that I have
the necessary clearance for privileged access to the KMI
Management Client (MGC) for Key Management Operating Account
(KOA) #________. I will not introduce or process data or
software for the IS that I have not been specifically authorized
to handle.
2. I understand the need to protect all passwords and other
authenticators at the highest level of data they secure. I will
not share any password(s), account(s), or other authenticators
with other coworkers or other personnel not authorized to access
the KMI MGC. As a privileged user, I understand the need to
protect the root password and/or authenticators at the highest
level of data it secures. I will NOT share the root password
and/or authenticators with coworkers who are not authorized KMI
MGC.
3. I understand that I am responsible for all actions taken
under my account(s), root, or otherwise. I will not attempt to
“hack” the network or any connected information systems, or
gain access to data to which I do not have authorized access.
4. I understand my responsibility to appropriately protect and
label all output generated under my account (including printed
materials, magnetic tapes, floppy disks, and downloaded hard
disk files).
5. I will immediately report any indication of computer network
intrusion, unexplained degradation or interruption of network
services, or the actual or possible compromise of data or
file access controls to the appropriate KMI MGC Information
Assurance Management (IAM) or senior Information Assurance
Technical (IAT) Level representatives. I will NOT install,
modify, or remove any hardware or software (i.e. e.g.,
freeware/shareware and security tools) without written
UNCLASSIFIED//FOR OFFICIAL USE ONLY
I-1
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
permission and approval from the KMI MGC Information Assurance
Manager (IAM) or senior IAT Level representatives.
6. I will not install any unauthorized software (e.g., games,
entertainment software) or hardware (e.g., sniffers).
7. I will not add/remove any users’ names to the Domain
Administrators, Local Administrator, or Power Users group
without the prior approval and direction of the KMI MGC IAM/or
senior IAT Level representatives.
8. I will not introduce any unauthorized code, Trojan horse
programs, malicious code, or viruses into the KMI MGC local area
networks.
9. I understand that I am prohibited from the following while
using the DoD IS:
a. Introducing Classified and/or Controlled Unclassified
Information (CUI) into a NIPRNET environment.
b. Accessing, storing, processing, displaying, distributing,
transmitting, or viewing material that is abusive, harassing,
defamatory, vulgar, pornographic, profane, or racist; that
promotes hate crimes, or is subversive or objectionable by
nature, including material encouraging criminal activity, or
violation of local, state, federal, national, or international
law.
c. Storing, accessing, processing, or distributing
Classified, Proprietary, CUI, For Official Use Only (FOUO), or
Privacy Act protected information in violation of established
security and information release policies.
d. Obtaining, installing, copying, pasting, transferring, or
using software or other materials obtained in violation of the
appropriate vendor’s patent, copyright, trade secret, or license
agreement.
e. Knowingly writing, coding, compiling, storing,
transmitting, or transferring malicious software code, to
include viruses, logic bombs, worms, and macro viruses.
f.
Engaging in prohibited political activity.
g.
Using the system for personal financial gain such as
UNCLASSIFIED//FOR OFFICIAL USE ONLY
I-2
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
advertising or solicitation of services or sale of personal
property (e.g., eBay), or stock trading (i.e., issuing buy,
hold, and/or sell directions to an online broker).
h. Fundraising activities, either for profit or non-profit,
unless the activity is specifically approved by the organization
(e.g., organization social event fund raisers and charitable
fund raisers, without approval).
i.
Gambling, wagering, or placing of any bets.
j.
Writing, forwarding, or participating in chain letters.
k.
Posting personal home pages.
l. Any other actions prohibited by DoD 5500.7-R (Reference
(y)) or any other DoD issuances.
10. Personal encryption of electronic communications is
strictly prohibited and can result in the immediate termination
of access.
11. I understand that if I am in doubt as to any of my roles or
responsibilities I will contact the KMI MGC IAT Level III
Supervisor for clarification.
12. I understand that all information processed on the KMI MGC
is subject to monitoring. This includes email and browsing the
web.
13. I will not allow any user who is not cleared access to the
network or any other connected system without prior approval or
specific guidance from the KMI MGC IAM.
14. I will use the special access or privileges granted to me
ONLY to perform authorized tasks or mission related functions.
15. I will not use any <DOD/Components> owned information
system to violate software copyright by making illegal copies of
software.
16. I will ONLY use my PRIVILEGED USER account for official
administrative actions. This account will NOT be used for day
to day network communications.
17.
I understand that failure to comply with the above
UNCLASSIFIED//FOR OFFICIAL USE ONLY
I-3
UNCLASSIFIED//FOR OFFICIAL USE ONLY
EKMS-1E SUPP-1
requirements will be reported and may result in the following
actions:
a. Revocation of IS privileged access.
b. Counseling.
c. Adverse actions pursuant to the Uniform Code of Military
Justice and/or criminal prosecution.
d. Disciplinary action, discharge or loss of employment.
e. Revocation of Security Clearance.
18. I will obtain and maintain required certification(s),
according to DoD 8570.01-M and the certification provider, to
retain privileged system access.
Your IAT Level III Supervisor is
_______________________
Information System Name
_______________________
IAT/IASAE/CND’s Name
_______________________
IAT/IASAE/CND’s Signature
_______________________
Date
_______________________
IAM Manager Level I Name
_______________________
IAM Manager Level I Signature
_______________________
Date
_______________________
(Level I or II Managers with privileged access will have
signatures of the IAM Level II or III responsible for their IS
functions).
UNCLASSIFIED//FOR OFFICIAL USE ONLY
I-4
Download