NASA Procedures and Guidelines NPG 1600.6A Effective Date: March 2, 2000 Expiration Date: March 2, 2002 This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html Responsible Office: JS/Security Management Office NASA Communications Security (COMSEC) Procedures and Guidelines TABLE OF CONTENTS Cover Preface P.1. P.2. P.3. P.4. P.5. PURPOSE APPLICABILITY AUTHORITY REFERENCES CANCELLATION CHAPTER 1. INTRODUCTION 1.1. 1.2. 1.3. 1.4. 1.5. 1.6. General Transmission of Classified Information Applicability and Scope Objectives Definitions Revisions CHAPTER 2. COMSEC MATERIAL CONTROL 2.1. 2.2. 2.3. 2.4. 2.5. 2.6. 2.7. 2.8. General Responsibilities and Organization The COMSEC Account COMSEC Material COMSEC Material Accountability COMSEC Material Control System (CMCS) Audit of COMSEC Accounts Closing a COMSEC Account CHAPTER 3. CONTROLLING AUTHORITIES 3.1. General 3.2. Establishing the Cryptonet and Designating the Controlling Authority CHAPTER 4. COMSEC INFORMATION ACCESS REQUIREMENTS 4.1. Criteria for Access to COMSEC Information 4.2. COMSEC Briefing Requirements This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 1 CHAPTER 5. TWO-PERSON INTEGRITY (TPI) NO-LONE ZONE (NLZ) CONTROLS 5.1. General 5.2. Procedures for Handling and Safeguarding Top Secret Keying Material 5.3. TPI Handling of Packages Received CHAPTER 6. COMSEC INCIDENT REPORTING REQUIREMENTS 6.1. General 6.2. COMSEC Incidents CHAPTER 7. ROUTINE DESTRUCTION OF COMSEC MATERIAL 7.1. 7.2. 7.3. 7.4. 7.5. 7.6. General Training Destruction Personnel Routine Destruction Procedures for COMSEC Material Routine Destruction Methods and Standards Approved Routine Destruction Devices Reporting Routine Destruction CHAPTER 8. SECURE TELECOMMUNICATIONS FACILITIES 8.1. Physical Security Requirements for Classified and Unattended Keyed Controlled Cryptographic Items (CCI) Equipment 8.2. CCI Access Controls 8.3. Storage Requirements 8.4. Record of Individuals Having Knowledge of Combinations to Containers Storing Classified COMSEC Material CHAPTER 9. SECURE TELEPHONE UNIT-III (STU-III) 9.1. 9.2. 9.3. 9.4. 9.5. 9.6. 9.7. 9.8. 9.9. General Responsibilities Secure Telephone Unit III (STU-III) Security Education Protecting Crypto Ignition Key (CIK) Incidents STU-III Terminal Keying and Rekeying Security Data Mode Sensitive Compartmented Information Facilities (SCIF) Installations in Residences, Hotels, or Commercial Conference Facilities This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 2 9.10. Vehicle Installations 9.11. Acoustic Security CHAPTER 10. COMSEC EMERGENCY ACTION PROCEDURES 10.1. 10.2. 10.3. 10.4. Requirements Preparedness Preparing the Emergency Plan Emergency Action Procedures Review APPENDICES A. B. C. D. E. COMSEC Terms Sample COMSEC Briefing Sample Cryptographic Access Certification Sample Emergency Action Plan Classification Guide This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 3 Effective Date: March 2, 2000 Preface P.1. PURPOSE This NPG provides basic information for assignment of individual Communications Security (COMSEC) accountability responsibilities within NASA. It sets forth minimum standards, procedures, specifications, and guidelines for safeguarding and control of COMSEC material in NASA's possession. P.2. APPLICABILITY This NPG applies to the NASA Headquarters and all NASA Centers, including Component Facilities. P.3. AUTHORITY 42 U.S.C. Sections 2455, 2456, 2456a, and 2473(c) -- Sections 304 and 203 (c), respectively, of the National Aeronautics and Space Act of 1958, as amended. P.4. REFERENCES a. 5 U.S.C. 552(b)(1)-(9), Exemptions, Freedom of Information Act (FOIA). b. 40 U.S.C. 1441 note, Computer Security Act of 1987, as amended. c. 40 U.S.C. 1441, Responsibilities regarding efficiency, security, and privacy of Federal computer systems. d. 50 U.S.C. 435, Access to Classified Information - Procedures. e. Pub. L. 103-236, 108 Stat. 525, Protection and Reduction of Government Secrecy Act (50 U.S.C. 435 note). f. E.O. 12829, National Industrial Security Program, 3 CFR (1993 Compilation). g. E.O. 12958, Classified National Security Information, as amended, 3 CFR (1995 Compilation) h. 32 CFR, Part 2001, ISOO Directive No. 1. i. E.O. 12968, Access to Classified Information. 3 CFR (1995 Compilation). This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 4 j. OMB Circular A-130, Security of Federal Automated Information Resources, (Appendix III). k. National Communications Security Committee-1 (NCSC-1), National Policy for Safeguard and Control of COMSEC, January 16, 1991. l. National Communications Security Committee-6 (NCSC-6), National Policy Governing the Disclosure or Release of Communications Security Information to Foreign Governments and International Organizations, January 16, 1981. m. National Telecommunications and Information Systems Security Publication (NTISSP) No. 3, National Policy for Granting Access to U.S. Classified Cryptographic Information, December 19, 1988. n. Index of National Security Telecommunications Information Systems Security Issuances (NSTISSI). o. NTISSI No. 3013, Operational Security Doctrine for the STU - III, Type 1, Terminal. p. NSTISSI No. 4005, Safeguarding Communications Security (COMSEC) Facilities and Materials, August 1997. q. NTISSI No. 4009, National Information Systems Security Glossary, January 1999. r. NTISSI No. 7000, TEMPEST Countermeasures for Facilities, October 17, 1988. s. NTISSI No. 7003, Protected Distribution Systems, December 13, 1996. t. National COMSEC Information Memorandum (NACSIM) No. 5203, Guidelines for Facility Design and Red and Red/Black Installation, June 30, 1982. u. NPD 1600.2A, NASA Security Program. v. NPG 1620.1, NASA Security Procedures and Guidelines. w. NPD 2810.1, Security of Information Technology. x. NPG 2810.1, Security of Information Technology. y. NPD 2800.1, Managing Information Technology. z. 14 CFR, Chapter V, Part 1203a – NASA Security Areas. This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 5 aa. 14 CFR, Chapter V, Part 1204, Subpart 10 – Conduct or trespass, Inspection of Persons and Personal Effects. bb. 18 U.S.C. Sections 641, 793, 794, 798, 952. cc. National Security Agency (NSA) Manual 90-2, COMSEC Material Control Manual. P.5. CANCELLATION a. NHB 1600.6, NASA Communications Security Manual, dated May 1993. /s/ Jeffrey E. Sutton Associate Administrator for Management Systems DISTRIBUTION: NODIS This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 6 CHAPTER 1: INTRODUCTION 1.1. General This chapter provides procedures and guidelines for the implementation of a totally integrated NASA Communications Account Management Program. 1.2. Transmission of Classified Information 1.2.1 Consistent with law, directives, and regulations, it is NASA policy that the Senior Agency Official, who is concurrently the Director, Security Management Office (DSMO), and the NASA COMSEC Manager shall establish uniform procedures to ensure the following: 1.2.1.1. Automated information systems, including networks and telecommunications systems (voice, video, and data), that collect, create, communicate, compute, disseminate, process, reproduce, store, zeroize, or destroy classified COMSEC information have controls that provide adequate protection, prevent access by unauthorized persons, and ensure the integrity of the information. 1.2.1.2. Emission Security, frequently referred to as TEMPEST countermeasure(s), will be coordinated with the Senior Agency Official for review and approval prior to acquisition and installation to insure that a major adverse financial impact on the program is not borne where there is no viable hostile threat capability. 1.2.1.3. Classified COMSEC information transmitted from an area not under access controls will be secured by NSA encryption or a Protected Distribution System (PDS). 1.3. Applicability and Scope The provisions of this NPG specifically apply to the following: 1.3.1. NASA COMSEC Account Managers (CAM), NASA Alternate CAM (ACAM), security organizations, and other NASA personnel and contractors using or otherwise having access to COMSEC materials. 1.3.2. Contractors under law and/or contract as implemented by the appropriate contracting officer. Contractor CAM and alternate contractor CAM’s responsibilities are identical to NASA CAM’s and ACAM’s. 1.3.3. Center Chiefs of Security (CCS) in implementing effective COMSEC operations. Each site is encouraged to implement this NPG and to tailor this guidance to their unique environments. This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 7 1.3.4. The NASA COMSEC Central Office of Record (COR) located at the Kennedy Space Center (KSC). 1.4. Objectives This NPG provides guidance for safeguarding and controlling COMSEC material through facilitating the following: 1.4.1. A COMSEC Material Control System (CMCS). 1.4.2. A COMSEC COR at the Kennedy Space Center. 1.4.3. A procedure to appoint a CAM and ACAM. 1.4.4. A secure COMSEC environment through training and support. 1.5. Definitions See definitions of terms at Appendix A. 1.6. Revisions This NPG will be revised consistent with pertinent Executive orders, statutes, direction from the NSA, and the development of new and improved security concepts. Changes to this NPG are specifically prohibited unless officially promulgated by the NASA COMSEC COR in coordination with the DSMO, and the NASA Office of the General Counsel (OGC). This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 8 CHAPTER 2: COMSEC MATERIAL CONTROL 2.1. General This chapter establishes minimum accounting procedures to be followed by NASA CAM. 2.1.1. Direct communications between CAM, the NSA Accounting Office (STU-III and SDNS key only); and the NSA Insecurities, Evaluation, and Reporting Branch, are authorized for COMSEC accounting matters involving the direct shipment of COMSEC material. Send direct communications to Director, NSA, Attention: (appropriate office designator), Fort George G. Meade, MD 20755-6000. 2.1.2. Direct communications are authorized between NASA COMSEC Manager, NASA COMSEC COR, NASA CAM, and any other CAM involving direct shipment of COMSEC material. 2.2. Responsibilities and Organization COMSEC material control is based on a system of centralized accounting and decentralized custody and protection. Timely and accurate data are essential to continuous, effective control of COMSEC material entrusted to or produced for NASA. 2.2.1. The NASA DSMO is responsible for the following: 2.2.1.1. Facilitating attendance at the NSA COMSEC Custodian Training Course ND 112 for all newly appointed NASA ACAM’s. 2.2.1.2. Maintaining liaison with the civil agencies, NASA contractor COMSEC accounts, and the military services on all policy matters. 2.2.2. The NASA COR vice KSC, is responsible for the following tasks: a. Performing as NASA COR and conducting liaison with civil agencies, military services, and NASA contractor accounts concerning control of accountable COMSEC material and facilitating day-to-day operation. b. Establishing and closing COMSEC accounts. c. Maintaining a record of NASA COMSEC accounts, CAM, and ACAM’s. This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 9 d. Processing requests to appoint or terminate the appointments of CAM and ACAM’s and verifying their clearances. e. Verifying semiannually the inventory of each NASA COMSEC account. f. Maintaining master records of all material entered into the COMSEC Material Control System (CMCS). g. Maintaining the financial and property accountability records for all accountable COMSEC equipment owned by or entrusted to NASA. h. Auditing NASA CAM at least every 24 months or on an announced basis or more frequently, based on the factors enumerated in 2.7.1, below. i. Providing guidance and assistance on controlling accountable COMSEC material. j. Preparing and distributing COMSEC Procedural and Material Control Bulletins. k. The chief of each organizational element has the ultimate responsibility for controlling all COMSEC material held within the organizational element. The chief may delegate this responsibility to a CAM and/or alternate(s). However, delegating this responsibility in no way relieves any individual (e.g., the user, the CAM’s supervisor, and other organizational chiefs) from the inherent responsibility for controlling COMSEC material held within the element. The Chief of the NASA organizational element is also responsible for ensuring that CAM and ACAM’s receive required training. l. The CAM is, through organizational and supervisory channels, responsible to the chief of the organizational element for controlling all accountable COMSEC material charged to the organizational element's account. m. The individual users or holder of COMSEC material are personally responsible for controlling and safeguarding COMSEC material while it is entrusted to their care and are not authorized to provide the material to any individual without a new hand receipt issued from the CAM. All material will be returned to the CAM for reissue. 2.3. The COMSEC Account 2.3.1. Requirements for a COMSEC account. Any element requiring COMSEC material must obtain such material through a COMSEC account. If an existing account cannot adequately support the requirement for material within an organization, a new COMSEC account will be established. This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 10 2.3.2. Request to Establish a COMSEC account. When a new COMSEC account must be established, submit a written request from the CCS of the NASA organization as follows: a. Submit the request through the CCS to the NASA COMSEC COR located at the KSC. b. Include the title and complete address of the element in which the account will be located; c. The purpose and justification for establishing the account; d. The specific items of COMSEC material required, and the desired in place date. e. A statement that the minimum physical security standards for safeguarding COMSEC material can be met, and the names, grades, and social security numbers with Privacy Act Notice of the individuals to be appointed as the CAM and ACAM’s. Normally, a single ACAM is sufficient at each account. Appointments of more than 2 ACAM’s should be coordinated with the NASA COR. Subparagraphs 2.3.5. and 2.3.6. provide CAM selection criteria. f. Certified clearance information and a Standard Form (SF) N2942B signature specimen on the individuals nominated as the CAM and alternate. When signature cards (SF N2942B) are used for clearance information certification, forward these cards with the written request. The NASA COR will initiate clearance verification. g. Allow a minimum of 30 days for an account to be established. 2.3.3. COMSEC account approval. The COR will be responsible for the following: a. Advising the requesting element in writing by sending an information copy to the CCS when the account is established and the CAM and ACAM appointments are approved. b. Assigning an account number and referencing the account number in all subsequent COR correspondence or transactions relating to the account. c. Providing information on how to obtain COMSEC account forms. 2.3.4. CAM and ACAM training. A newly appointed or changed CAM or ACAM will attend the NSA COMSEC Custodian Training Course ND-112 as soon as possible. This training is mandatory for all NASA CAM appointees, with the exception of those appointed to accounts established solely for secure telephone units or those who have attended equivalent training within 2 years. 2.3.5. Selecting a CAM or ACAM: Individuals selected as CAM will include the following: This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 11 a. Be a civil service employee or contractor employee qualified to assume the duties and responsibilities of a CAM and meet the requirements contained herein. b. Not be previously relieved of CAM duties for reasons of negligence or nonperformance of duties. c. Be in a position that will permit maximum tenure of not less than 1 year as a CAM or ACAM. d. Not be assigned duties that interfere with the duties as CAM or ACAM. e. Be actually performing the CAM functions on a day-to-day basis. The CAM position will not be assumed solely to maintain administrative or management control of the account functions. 2.3.6. Personnel nominated as CAM or ACAM will be in grade GS-7 or above, or a contractor employee at an equivalent level. Where personnel at the appropriate grade level are not available, include full justification to support the nomination(s) in the appointment request. 2.3.7. Duties of the CAM. The CAM is responsible for the following: a. Ensuring that all COMSEC material issued to, or generated and held by, the account is safeguarded in accordance with requirements. This includes but is not limited to the receipt, custody, issuance, safeguarding, accounting, and, when necessary, destruction of COMSEC material. b. Maintaining up-to-date records and submitting all required accounting reports. c. Having knowledge of the procedures outlined in this NPG. d. Inspecting user areas semiannually. The CAM must have access to accountable material held by users. In cases where the material is used within a Sensitive Compartment Information Facility (SCIF) or Special Access Programs (SAP) and the CAM is not indoctrinated for special access, the area must be sanitized or the CAM escorted to allow fulfillment of his or her responsibilities. e. Protecting COMSEC material and limiting access to individuals with the appropriate clearance and need to know. f. Receiving, receipting, and ensuring the safeguarding and accounting of all COMSEC material issued to the COMSEC account. g. Maintaining accounts and related records as outlined in paragraph 2.5. This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 12 h. With a witness, conducting an inventory, semiannually, and when a new CAM is appointed, by physically sighting all COMSEC material charged to the account and reconciling this inventory with the COR. The COR or other competent authority may also direct the conduct of an inventory. i. Destroying COMSEC material when required, or as directed by the COR. j. Submitting transfer, inventory, destruction, and possession reports when required. k. Inspecting the implemented protective technologies packaging upon initial receipt, during each inventory, and prior to each use to ensure the integrity of COMSEC material, key, or equipment. l. Ensuring prompt and accurate entry of all amendments to COMSEC publications held by the CAM. m. Ensuring that all accountable COMSEC material shipped outside of the CAM's organization is packaged and shipped in accordance with this NPG. Ensuring that all material received is inspected for evidence of tampering and, if any is found, immediately submitting a report of suspected physical incident according to chapter 6. n. Having knowledge of the location of every item of accountable COMSEC material and the purpose for which it is being used. o. Establishing procedures to ensure strict control of each item of keying material whenever operational requirements necessitate that material be turned over from one shift to another or from one individual to another. p. Ensuring that appropriate COMSEC material is readily available to properly cleared and authorized individuals whose duties require its use. If the material is classified, verify that the individuals are cleared to the level of the material. Briefing recipients on the requirements for protection and procedures for safeguarding the material until it is returned to the CAM. q. Reporting immediately to the CCS any known or suspected COMSEC incident as defined in chapter 6, and submitting a report according to chapter 6. r. Verifying the identification, clearance, and need to know of any individual requesting access to the records and/or material associated with the COMSEC account. s. Preparing for safeguarding COMSEC material during emergency situations according to chapter 10. This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 13 2.3.8. The ACAM. Individuals appointed as ACAM are responsible for the following in the absence of the CAM: a. Witnessing a COMSEC Inventory or Destruction. b. Ensuring that physical inventory or destruction of COMSEC material will be witnessed by an appropriately cleared individual. The witness should normally be the ACAM, but another appropriately cleared and briefed individual may act as a witness when the ACAM is not available. When an inventory or destruction is completed, the witness will sign the inventory report, Key Disposition Record, or destruction report, as appropriate, attesting that the COMSEC material listed has been inventoried or destroyed. The witness will sign an inventory or destruction report only after having personally sighted the material being inventoried and destroyed. c. Destroying keying material that has been hand receipted to a user requires a witness to the destruction of individual key settings. The witness will initial the Key Disposition Record attesting that the material has been destroyed. Under no circumstances will the witness initial a Key Disposition Record without having personally sighted the material being destroyed. d. When the CAM is to be absent for a period not to exceed 60 days, the ACAM will assume the responsibilities and duties of the CAM. An absence in excess of 60 days that has not been coordinated with the COR must be treated as a permanent absence, and a new CAM must be nominated. e. The CAM will be informed of all changes to the COMSEC account upon his or her return from a temporary absence. If COMSEC material was transferred to the account and accepted by the ACAM during the absence, the CAM will inventory the material, and sign, date, and include the remark "received from ACAM" on the front side of the COMSEC account's copy of the transfer report, thus relieving the ACAM of accountability for the material. In those cases in which material was transferred from the account or destroyed, the CAM should verify such actions by comparing the transfer and destruction reports with his or her Register File to assure the accuracy of the actions affecting the material for which he or she is held accountable. 2.3.9. Change of CAM. When it becomes necessary to terminate the CAM's or ACAM’s appointment, NASA elements must submit a written request through the CCS to the COR and include information and clearance certification about the replacement nominee. When written confirmation is received from the COR, the newly appointed CAM and his or her predecessor will perform the following duties: a. Conduct a physical inventory of all COMSEC material held by the CAM. The change of CAM will be effective the date the inventory is signed. This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 14 b. Prepare an SF 153, listing all COMSEC material to be transferred to the new CAM. Identify the report in block 1 as a "change of CAM" and check both "received" and "inventoried" in block 14. Address the report from the CAM (block 2) to the NASA COR (block 3). The new CAM will sign in block 15, and the departing CAM will sign as the witness in block 17. Forward the original copy to the COR and retain a duplicate copy in the CAM file. When an account holds over 100 line items, a CAM may request a preprinted inventory and transfer from the COR. The request for a preprinted inventory transfer should normally be included with the nomination information. c. Normally, the new CAM will have received written confirmation of appointment before action is initiated to transfer the COMSEC account. However, if the confirmation is delayed and the predecessor’s departure is imminent, the transfer will be accomplished prior to the receipt of written confirmation. d. When the transfer is complete, the new CAM assumes full responsibility for the material charged to the COMSEC account and for its operation. The former CAM is relieved of responsibility for only that COMSEC material included on the transfer/inventory report. He or she is not relieved of responsibility for COMSEC material that is involved in any unresolved discrepancy until a clear COMSEC Inventory Reconciliation Report has been received from the COR. e. Changes of CAM should be scheduled at least 40 days before the former CAM departs to allow for the receipt of a clear COMSEC Inventory Reconciliation Report. However, the former CAM may depart prior to the return of the COMSEC Inventory Reconciliation Report, provided that no discrepancies or irregularities were evident when the inventory and transfer were made. Responsibility for resolving discrepancies discovered after a CAM has departed rests with the CCS. f. Change of ACAM. When a change in ACAM is necessary, elements will submit a written request through the local security office to the COR and will include information and clearance certification about the replacement nominee. g. Under emergency circumstances such as the sudden, indefinite, or permanent departure of the CAM, the CCS will nominate a new CAM (preferably the ACAM). The new CAM and an appropriately cleared witness will immediately conduct a complete physical inventory of all COMSEC material held by the account. When the absence of the CAM is unauthorized, the CCS will immediately report the circumstances in accordance with chapter 6. h. Upon completion of the inventory, prepare an SF 153, Possession Report. Annotate the Possession Report with the remark "Sudden, indefinite, or permanent departure of the CAM" or "Unauthorized absence of the CAM," as appropriate. The new CAM will sign block 15 and the witness will sign block 16. Forward the original copy of the report to the COR and retain a duplicate copy in the COMSEC account's file. This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 15 i. Sudden, Indefinite, or Permanent Departure of the ACAM. The COR should be notified as soon as possible when an ACAM must be replaced due to a sudden, indefinite, or permanent departure. An unauthorized absence must be immediately reported in accordance with chapter 6. 2.3.10. COMSEC Officer, COMSEC/TEMPEST Point of Contact. Several NASA Centers have designated a COMSEC Officer to address policy issues and programmatic COMSEC responsibilities beyond those specified for the CAM. Although national policy does not require the designation of a COMSEC Officer, it has been NASA practice to designate a civil service employee to act as the COMSEC and TEMPEST point of contact responsible for ensuring oversight and implementation consistent with national policy relevant to NASA activities. It is important to emphasize, however, that the responsibilities identified for the CAM are minimum requirements and, depending on the experience level of the CAM, are balanced against each NASA Center's particular needs. These additional COMSEC/TEMPEST duties can be performed by the same individual. Regardless whether the CAM, COMSEC Officer, or COMSEC/TEMPEST point of contact is designated to perform these additional functions, it must be stressed that NASA Centers not construe this requirement as justification for establishing a separate billet. The duties of the COMSEC Officer, or COMSEC/TEMPEST point of contact, include the following: a. Acting as the NASA Center's single focal point for COMSEC and TEMPEST policy issues. b. Administering one-time COMSEC briefings and/or cryptographic access certification to civil service employees whose duties require access to COMSEC material. c. Ensuring that COMSEC awareness training is part of the NASA Center’s security education program. d. Providing technical assistance to Controlling Authorities for cryptographic keying material controlled by NASA and exercising oversight in those instances where NASA contractor COMSEC accounts have been established solely for the purpose of supporting NASA. e. Assisting project offices in the acquisition of COMSEC material through coordination with the supporting CAM and/or the NASA COMSEC Manager. f. Assisting the CCS to establish selection criteria to screen, interview, and nominate candidates for the CAM. g. Providing technical advice and assistance concerning the use, installation, maintenance, and procurement of secure telephone units. h. Conducting TEMPEST countermeasure determination and coordinating with the Associate, as required. This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 16 2.4. COMSEC Material 2.4.1. Short Titles. For accounting purposes, COMSEC material may be identified by short titles derived from the Telecommunications Security nomenclature system; or bear a designator derived from the Joint Electronics Type Designation System; or a Federal part number; or by short titles assigned by a military department. In many cases, the CCI category may not be assigned any short title, instead bearing the manufacturer's commercial designator. This equipment will, however, be marked "Controlled Cryptographic Item" or "CCI" and will bear a Government Serial Number label. The Government Serial Number has been developed for accounting purposes and will be the designator by which the CAM will identify and control the CCI. The serial number is composed of three fields; for example, the label may read "GSN: PES-B4 192." The first field "PES" identifies the manufacturer; the second field "B4" identifies the type of product; and the third field "192" identifies the serial number of the unit. For purposes of the SF 153 using the above example, list the designator "PES-B4" in the short title block and "192" in the accounting number block. NOTE: The serial number for secure telephone unit telephones will vary from the above format. 2.4.2. Accounting Numbers. Most COMSEC material is assigned an accounting (register or serial) number at its point of origin to facilitate accounting. However, material may be received that does not bear an accounting number or for which accounting by number is impractical and, therefore, not required. An example of this type of material is a printed circuit board with a Telecommunications Security nomenclature, which may bear a manufacturer's serial number but which is only accounted for by quantity and is listed in "accounting numbers" on accounting reports as an "N/N" (no number) item. 2.4.3. Edition. COMSEC material may be further identified by alphabetic or numeric edition. COMSEC material is superseded when the new material becomes effective (effective edition). NOTE: Identification of the currently effective edition of operational keying material is considered "CONFIDENTIAL." The general rule is that this information should not be disclosed over a mode of communications that is not secure. However, per National Security Telecommunications Information System Security Instruction (NSTISSI) 4002, under certain circumstances, the effective edition may be transmitted in the clear when necessary to ensure that all holders are using the same key or when confusion exists about the effective key. 2.4.4. “CRYPTO” Marking. COMSEC keying material that is used to protect or authenticate telecommunications carrying national security and Government-sensitive information is identified by the bold marking “CRYPTO”. This marking makes such material readily identifiable from other material so that its dissemination can be restricted to personnel whose duties require access and, if the material is classified, to those who have been granted a final security clearance equal to or higher than the classification of the keying material involved. This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 17 2.4.5. Subdivisions of Equipment. Operational COMSEC equipment is identified and accounted for by one short title rather than by individual components and/or subassemblies. Classified and CCI subassemblies, elements, and microcircuits, when not incorporated in equipment, will be accounted for by type and quantity. 2.5. COMSEC Material Accountability 2.5.1. NASA COMSEC Material Control System (CMCS). 2.5.1.1. When COMSEDC accountable material is received, it will be entered into the CMCS and will remain until destruction or other authorized disposition. 2.5.1.2. Refer questions regarding whether material is qualified for entry into the CMCS and the method of accounting (e.g., by which Account Legend Code (ALC)) to the COR. 2.5.2. ALC. For accounting purposes, all COMSEC material is identified by one of the following ALC: a. ALC-1. Continuously accountable by an accounting (register or serial) number to the COR. A report will be submitted to the COR upon receipt, subsequent transfer, and destruction of ALC-1 material. All use and destruction of ALC-1 keying material issued to users will be recorded on a local Key Disposition Record. The CAM will retain the Key Disposition Record for a minimum of 3 years. For FIREFLY-based systems, the COR may direct additional reports to be submitted when operational fill devices are loaded into equipment and when seed or operational fill devices are locally zeroized. The following material is continuously accountable and will be assigned ALC –1: 1) All hard copy and magnetic keying material (except certain items classified confidential or below) marked “CRYPTO”. 2) All classified equipment and CCI identified by an external nameplate containing the equipment nomenclature and the equipment serial number. 3) Classified cryptographic software and firmware that are the functional equivalents of, or emulate, COMSEC equipment operations and cryptography. 4) Classified full and depot maintenance NSA Manuals, and other classified TSECnomenclature publications and amendments thereto, except as specified in NTISSCI. b. ALC-2. Continuously accountable by quantity to the COR. A report will be submitted to the COR upon receipt and any subsequent transfer of ALC-2 material that changes the total quantity held by the COMSEC account. The following material is continuously accountable by quantity and will be assigned ALC-2: 1) Spare (e.g., intended for installation but not actually installed) classified and CCI components (e.g., microcircuits, printed circuit boards, permuters, and subassemblies) that are intended for installation in equipment that is accountable by serial number. This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 18 2) Noncryptographic classified devices that perform critical key processing ancillary functions (e.g., fill devices) key loading devices, when unkeyed. c. ALC-4. Report of initial receipt required. This material will be handled within the CMCS, but only the first recipient must report receipt to the COR. All subsequent transactions will be recorded locally, using SF-153, and will not be assigned a transaction number. Local reports will be retained for a minimum of 3 years. ALC-4 material must be safeguarded according to its classification. The following material will be assigned ALC-4: 1) All hard copy and magnetic keying material not marked CRYPTO; 2) Call sign systems; 3) Unclassified hardware, software, or firmware (e.g., PROMS or other unclassified chips except those marked CRYPTO); 4) Classified limited NSA Maintenance Manuals and all unclassified TSEC-nomenclature publications and amendments thereto. d. ALC-6. Continuously accountable to the COR by means of the Electronic Key Management System (EKMS). A report will be submitted to the COR upon generation, receipt and all subsequent transfers of all ALC-6 material. All transactions involving ALC-6 material including, but not limited to, issue for use and destruction (zeroization) will be recorded in a local disposition record to provide a Digital Transfer Device (DTD) audit trail. Local disposition record will be retained, forwarded, or otherwise disposed of as directed by the COR. The following EKMS-generated and -managed electronic key, and other electronic data will be assigned ALC-6. 1) Any electronic key material requiring continuous, central accountability from a security or operation standpoint, as determined by the controlling authority and specific system doctrine where applicable. 2) Some examples of keys designated ALC-6 are as follows: electronic keys intended to protect information having long-term intelligence value where such determination is made by the controlling authority, such as TOP SECRET (TS) and Special Compartmented Information (SCI); Key Encryption Key (KEK); electronic keys used for joint interoperability when such keys are widely distributed; electronic keys marked CRYPTO, used to generate other electronic keys such as Key Production Keys; and all classified software, firmware, or equivalent data in electronic form which performs cryptographic operations. e. ALC-7. Continuous local accountability within EKMS. Each recipient of ALC-7 key will report receipt to the EKMS element that generated the key. Elements that generate ALC-7 key must maintain local records that document the generation of key and identify all recipients of the key. All holders of ALC-7 material must maintain local disposition records that permit traceability to support compromise recovery and audits. As a minimum, these records shall identify all transactions involving subsequent transfer, issue, fill, and destruction of the material, as applicable. EKMS generated and managed electronic key and other electronic data not covered by ALC-6 will be assigned as ALC-7. This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 19 f. The ALC is assigned by the originating Government department or agency and represents the minimum accounting standard to be applied. g. The ALC will appear on all accounting reports but not necessarily on the material. Holders will not apply accounting procedures less restrictive than those specified by the ALC assigned, unless specifically authorized by the COR. h. Nonaccountable COMSEC material. Material such as COR correspondence, logs, and reports are excluded from the CMCS. 2.6. COMSEC Material Control System (CMCS) This section outlines the procedures for CAM’s during day-to-day account operations. 2.6.1. Forms. The forms used in the CMCS are limited to the multipurpose SF 153, L6061, and equivalent NASA forms. a. Accounting Reports. Prepare accounting reports on an SF 153 to record transfer, possession, inventory, and destruction of COMSEC material. The required copies and distribution of accounting reports is covered elsewhere in this NPG, which outline the detailed preparation of particular reports. b. Transfer Report: Records COMSEC material transferred from one account to another. c. Destruction Report: Records the physical destruction or other authorized expenditure of COMSEC material. d. Inventory Report: Records the physical inventory of COMSEC material. e. Possession Report: Records the possession of COMSEC material. 2.6.2. Hand Receipt. A record of the acceptance of and responsibility for COMSEC material issued to a user. An SF 153, or the reverse side of form L6061, or a NASA equivalent may be used to hand receipt COMSEC material. 2.6.3. Sample Forms and Reports. Contact the COR for samples of forms and reports. 2.6.4. Accounting Files include the following: a. Incoming transfer reports, possession reports. b. Destruction and outgoing transfer reports. This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 20 c. Annual or semiannual, as appropriate, inventory reports and change of CAM reports. d. Hand receipts. e. COMSEC Register File L6061 or comparable system approved by the COR. f. Transaction number log. If an approved automatic system is used, a transaction log is not required. 2.6.5. Related files are as follows: a. Courier, mail, and package receipts. b. COR correspondence, including such records as CAM and ACAM appointment confirmation letters, memoranda, messages, and other documentation related to COMSEC accounting. 2.6.6. Classification and Marking of COMSEC Account Inventory, Reports, and File. a. If it is determined that a compilation of records can be declassified, the combined file should be marked, "This file has been declassified by Authority of the DDI CAO (IAW NSA COR Accounting Bulletin 2-92)”. b. All files/reports marked should also be marked "This document contains information EXEMPT FROM MANDATORY DISCLOSURE UNDER THE FOIA." (It is also required for the front cover of a file containing SF-153’s) c. When in doubt about whether or not a record or file may be declassified, contact the COR via a secure telephone unit (if available), or other secure means. This guidance will be implemented in handling COR account inventories, reports, and files. d. In addition, Exemption 5 of the Freedom of Information Act may be used for COMSEC account reports and files that are sensitive but not classified. e. To determine if a report or a compilation of reports is classified refer to Appendix E. 2.6.8. COMSEC Register File. All COMSEC material held by an account is controlled internally, using a COMSEC Register File. This file consists of an active section and an inactive section, both of which should be maintained in alphanumeric order. Normally, this file consists of L6061's; it may be maintained on a personal computer with prior COR approval. If the file is automated, take extreme care to control the database as much as possible, since unauthorized persons could alter/erase information without the immediate knowledge of the CAM. Follow good computer security practices, and maintain current backups of data. Active and inactive sections require the following: This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 21 a. The active section of the register file consists of one form L6061, manual file, or one line item (automated file), for each accountable item currently held in the account and must include short title, edition, and accounting number, if any, classification and ALC; date of receipt, from whom received (account number), and incoming transaction number. b. The inactive section of the register file consists of one form L6061 or one line item for each item that has been removed from the account and the specific disposition data for the item, as follows: the type of disposition, such as transfer or destruction; (if transferred, also include receiving account number); date of action; and outgoing transaction number. c. Keeping the register file current and accurate is absolutely mandatory; it is a convenient reference and important tool for maintaining strict control over all COMSEC material in the account. Computer programs that produce a facsimile SF-153 (available commercially) may be utilized. 2.6.9. Preparing COMSEC Accounting Reports. a. Include in each report the official titles and addresses of the elements involved; account, transaction, contract, if applicable, numbers; date of report by year, month, day, for example: 880107 indicates January 7, 1988; typed or stamped names of individuals signing reports; and signatures in ink. Computer programs that produce a facsimile SF-153 (available commercially) may be utilized. b. List all short titles in alphanumeric order, omitting the prefix or suffix for telecommunications security (TSEC). For equipment controlled by Government Serial Number (GSN), omit the prefix "GSN." c. Single-space all line item entries on a report. Follow the last line item with the remark "NOTHING FOLLOWS" in capital letters on the next line. d. For items having accounting numbers running consecutively, the inclusive accounting numbers may be entered as a single line entry with total quantity entered in block 10 and the lowest followed by the highest accounting number entered in block 11. e. Enter "N/N" in block 11 for items not having an accounting number or for which accounting by number is not required (e.g., ALC-2 material). f. Ensure that consecutive accounting numbers agree with the entries made in the "quantity" column. g. Include any clarifying remarks deemed appropriate for the receiving CAM or the COR in Block 13 or below the "NOTHING FOLLOWS" line. This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 22 h. Initial all deletions or corrections in ink. i. Assign each accounting report (e.g., incoming and outgoing transfers, possession, inventory, and destruction reports) a transaction number, starting over with "1" each calendar year. When using a manual system, maintain a log to ensure that transaction numbers do not get duplicated. NOTE: Do not assign transaction numbers to hand receipts, accounting bulletins, reconciliation statements. j. Return preprinted inventories to the COR within 10 working days after receipt. Submit all other reports within 48 hours after receipt or preparation or as otherwise directed. k. Review all reports for completeness and accuracy, and ensure that each copy is legible. l. Receipt of COMSEC Material. m. Sources. Accountable COMSEC material may be received from the NSA, military departments, other Government agencies, allied governments, international organizations, and contractors. The Defense Courier Service (DCS) regulations require personnel who may be required to accept DCS material to complete an Authorization Report (DCS Form 10-R) before receipting for material. This form may be obtained from the serving DCS station. Contact the COR if necessary for proper instructions to complete DCS Form 10-R. n. Receiving Packages and Examining Containers (refer to subparagraph 2.6.9.u. for equipment). Packages receipted for by individuals other than the CAM will be delivered to the CAM unopened. When COMSEC material is delivered, examine the packages carefully for evidence of tampering or exposure of the contents. If either is evident and the contents are classified, CCI, or marked CRYPTO, submit a COMSEC incident report as required by chapter 6 of this NPG. Do not open packages showing evidence of tampering until approval is received from the COR. o. Report any discrepancy in short title, accounting number, or quantity between the contents of the package and the transfer report to the sender and the COR. Correct the transfer report to agree with the material actually received. If the material is classified, CCI, or marked CRYPTO, and the discrepancy cannot be resolved with the sender, submit a report of possible compromise. p. When the incoming check has been completed, sign and distribute the transfer report with one copy to the COR, one copy to the shipment originator, one copy for file, and additional copies as directed by the shipment originator. NOTE: It may be necessary to reproduce additional copies of the SF 153. q. When a package is received and the package inner wrap is stamped TOP SECRET CRYPTO or contains TOP SECRET keying material, immediately initiate two-person integrity controls, and inspect the package for evidence of damage or tampering. Both individuals will then open This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 23 the package and compare the contents with the enclosed "COMSEC Material Report" (SF 153). If classification cannot be determined before opening, and when material received is routinely TOP SECRET, assume that the material is TOP SECRET. If the contents are TOP SECRET operational keying material, both two-person integrity participants will sign the SF 153 (blocks 15 and 16) and immediately place the material into two-person storage. Submit the SF 153 to the COR. If it is found that the contents do not include TOP SECRET operational keying material, follow standard receipting procedures. r. Certain items of COMSEC material are protectively packaged at production time and will not, in most cases, be opened until they are to be employed by the actual user. To ensure the integrity of key, inspect all protective packaging. If no special handling instructions are provided, though, open the keying material and page check as outlined in subparagraph 2.6.9.v. Protective packaging applied to individual items of TOP SECRET key must not be removed except under two-person integrity conditions. Inventory key tapes in canisters by noting the short title and accounting number on the leading edge of the tape segment, which appears through the window of the plastic canister. Do not remove punched or printed key tapes from protective canisters. Do not open test keying material until it is to be used. Report shipping discrepancies to the COR. s. Receipting for Tapes, Magnetic and Paper. Upon receipt of a shipment of tapes, inventory each reel by short title, edition, and accounting number. Report discrepancies to the COR. t. Receipting for Hardware/Firmware Keying Material. Upon receipt, inventory each item by short title, edition, and accounting number. Report discrepancies to the COR. u. Receipting for Equipment. Equipment received in sealed shipping cartons that have not been opened or do not exhibit signs of tampering may be receipted without physically sighting the material inside as long as the label on the carton agrees with the transfer report; if it does not, the contents must be physically inventoried. Inspect any implemented protective technologies on the equipment. Although certain types of material do not need to be opened before actual use, allow time between opening and use to obtain replacements for incomplete or defective items. Report shipping discrepancies to the COR. Since the CCI category of COMSEC equipment was introduced, much existing or new stand-alone cryptographic equipment, telecommunications, and information-handling equipment with embedded cryptography, and associated ancillary equipment may now be controlled outside of traditional COMSEC control channels. When controlled equipment is received via other than traditional COMSEC control channels, sign the accompanying paperwork, and return a copy to the shipper. Initiate an SF 153 possession report for the receipted material and submit a copy to the COR. v. Page Checking. Conduct page checks of unsealed material to ensure the presence of all required pages. Where the COMSEC account is so large that the CAM cannot personally perform page checks or post amendments, other appropriately cleared individuals who have been properly instructed by the CAM may perform these actions. To conduct the page check, verify the presence of each page against the "List of Effective Pages" or, the "Handling Instructions," as This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 24 appropriate. Sign and date the "Record of Page Checks" page or, if the publication has no "Record of Page Checks" page, place the notation on the "Record of Amendment" page or the cover. Key cards and/or key lists in sealed transparent plastic wrap, and authenticators shipped in envelopes, should not be opened until 72 hours before the effective date; therefore, do not page check until ready to use. Do not open test keying material until it is to be used. When preparing for actual use, open and page check keying material according to the handling instructions provided with the material. If no special handling instructions are provided, open and page check the keying material. Do not remove key tapes or key lists from protective canisters for inventory or check purposes. Classified COMSEC publications must be page checked according to the handling instructions provided with the material. If no special handling instructions are provided, page check upon initial receipt, when entering an amendment that requires removing and/or inserting pages, before destroying, before shipping to another COMSEC account, and upon return from an authorized hand receipt user and annotate the “Record of Page Checks” accordingly. w. If any pages are missing upon initial receipt, the NSA (Y13) or originator should be notified of a possible production error. If the publication is classified, submit a COMSEC incident report as outlined in chapter 6 of this NPG. Submit requests for disposition instructions and a replacement publication to the COR. x. In the case of duplicate pages, remove and destroy the duplicate page(s). Prepare one copy of a destruction report citing the page number and the accounting number of the basic publication, for example, “Duplicate page number 72 removed from KAM -130A, Number 813”. Neither notification to the COR is required nor is assignment of a COMSEC account transaction number to this locally retained destruction report. In addition, note the duplicate page and the resultant destruction on the "Record of Page Checks" page. y. When a change of CAM has occurred, the incoming CAM must perform a page check of all unsealed material within 30 days after the change of CAM takes place. If the account has a prohibitive number of documents requiring page checks, the incoming CAM must submit a request for an extension to the COR to allow more time to complete all page checks. It is recommended that the outgoing CAM complete page check before transferring control of the account to the incoming CAM. 2.6.10. Procedures for Handling Keying Material. All keying material must be stored in General Service Agency-approved security containers with 007 lock as follows: a. Restrict access to the container storing future editions of classified keying material marked CRYPTO to the CAM and ACAM. Where this restriction cannot be applied because others must have access to the container for either current editions of keying material or other material in the container, store future editions of keying material separately in a locked strongbox that can be opened only by the CAM and ACAM(s). Keep the strongbox in the security container. Exceptions may be made in operational areas to allow shift supervisors access to the next edition This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 25 of keying material, but not to later editions. Routine destruction of keying material is addressed in chapter 7. b. Key Lists and Key Tapes. When it is necessary to relinquish physical control of operational key lists to a user, do so on a hand receipt. If issuing individual settings is warranted, the hand receipt user's signature or initials and the date in the "ISSUED TO" column on the "DISPOSITION RECORD" on the inside front cover serves in lieu of a hand receipt. c. Key lists and key tapes packaged in protective canisters will not be page checked. Annotate the record of use card with the short title, edition, and register number of the material. Issue the entire canister to a user on a hand receipt. The hand receipt user, however, must not remove more tape segments from the canister than are required for current use. As each segment is removed, have the hand receipt user sign or initial and date the “USED” column of the “USAGE RECORD” card applicable to the material. 2.6.11. Transferring COMSEC Material. COMSEC material may be transferred from one account to another only as prescribed in this NPG as follows: a. Before transferring, verify the receiving activity's official address, COMSEC account number, and authorization to hold the material being shipped. When the validity of a shipping address or authority for shipment is in question, contact the COR before making the shipment. b. Ensure that shipping is only by one of the authorized modes of transportation prescribed in this NPG. Do not ship accountable material, regardless of the accounting legend code assigned, unless a COMSEC account number is provided with the shipping address. CCI equipment may, however, be transferred to a military department standard logistics system account. c. Verify account numbers and shipping addresses by contacting the appropriate military department's accounting headquarters. d. Ensure that equipment and page checking provisions are accomplished before packing COMSEC material for transfer. Conduct page and equipment checks no earlier than 48 hours before packing. e. When transferring Government-furnished equipment to a contractor CAM, annotate the SF 153 in block 13 to identify those items as Government-furnished equipment and identify the contract number on the form. Transfer of material to external organizations (e.g., civil agencies, and contractors) is authorized to expedite delivery of material and eliminate unnecessary handling of the material between locations. f. The shipping CAM assumes full responsibility for all aspects of the shipment. When transfers are made to a non-NASA organization, include the following information in the "Remarks" This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 26 portion of the transfer report: ownership of the equipment, purpose of the transfer, contract numbers, project name, and instructions for the receiving CAM. g. Transferring COMSEC Material to the U.S. Military Departments. Prepare five copies of the SF 153 and enclose the original and one copy with the shipment. Put the notation "ADVANCE COPY" on two copies, and immediately forward one to the COR and one to the appropriate military department accounting headquarters. Retain the final copy for file. Include the following notations, as appropriate, on all copies of transfer reports going to the military departments: equipment owner (e.g., NASA, U.S. Air Force); purpose of the transfer/loan; length of loan; repayment of loan; transfer of ownership and authority for the transfer; and the contract number/project name (if appropriate). Place the following statement on all SF 153’s reporting the transfer of COMSEC material: “Sign all copies and distribute as prescribed by the accounting instructions of your service. This shipment consists of _________containers." h. Transferring of COMSEC Material to All Other Activities. Prepare four copies of the SF 153 and enclose the original and one copy with the shipment. Note "ADVANCE COPY" on the third copy and forward it to the COR. Retain the fourth copy for file. Put the following notation on all copies of transfer reports going to activities other than the military departments “Sign all copies. Return one copy to John F. Kennedy Space Center, Code: CMCC/NASA COR, Kennedy Space Center, FL 32899. Dispose of remaining copies as prescribed by the accounting instructions of your organization. This shipment consists of _____ containers." i. Transfer of Material between NASA CAM’s. Prepare four copies of the SF 153 and enclose the original and one copy with the shipment. Note "ADVANCE COPY" on the third copy and forward it to the COR. Retain the fourth copy for file. The material may be transferred through internal mail channels, provided it is properly packaged, handled as controlled mail, and a transmittal receipt covers the package. j. Receipt and Transfer Responsibility. When COMSEC material is shipped to a military activity, the COR and the military department accounting headquarters are responsible for ensuring that the material is received by the intended recipient on a timely basis. When an "ADVANCE COPY" of an SF 153 is received, a receipt suspense date is established by the COR and the military department accounting headquarters, which takes any subsequent tracer action required. k. Tracer actions for shipments to military department standard logistics accounts are handled solely with the appropriate military service accounting headquarters. In lieu of a signed copy of the transfer report, record proof of shipment is the file copy of the transfer report combined with a signed transmittal form, Government Bill of Lading (SF 1103), U.S. Registered Mail receipt, or other shipping document. The COR will not initiate tracer actions for material shipped from other agencies/departments unless requested to do so. This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 27 l. Nonroutine Disposition of COMSEC Material. Removal from CMCS accountability of any COMSEC material that is lost, compromised, or inadvertently destroyed, can be accomplished only with the specific written approval of the COR. 2.6.12. Military Department Accounting Headquarters Addresses: a. Army Accounting Headquarters. Commander, U.S. Army Communications Electronics Command, Communications Security Logistics Activity, ATTN: SELCL-KPD-OR, Fort Huachuca, AZ 85613. b. Navy, Marine, and Coast Guard Accounting Headquarters -- Director, COMSEC Material System, 3801 Nebraska Avenue, NW, Washington, DC 20393. c. Air Force Accounting Headquarters -- SAALC/LTDA, 230 Hall Boulevard, Suite 108 ATTN: Detachment 4, ESC, San Antonio, TX 78243-7056. Verify Air Force standard logistics system account numbers and shipping addresses by calling (512) 925-2771. 2.6.13. Packaging COMSEC Material. Securely package classified COMSEC material for shipping in two opaque wrappers with no indication of the classification on the outside wrapper. Use packaging material durable enough to provide protection while in transit, prevent items from breaking through the container, and facilitate detecting tampering with the container. Mark each wrapper with the "TO" and "FROM" addresses. a. The outer wrapper must never carry identification of the contents that directly discloses a cryptographic or COMSEC association, such as for a system indicator, the acronym "TSEC". Instead, label the crate or outer wrapper with the short title of the equipment, less the "TSEC" designation, followed by the accounting number for example, “KW-59/101”, to identify the contents. b. Identify assemblies, ancillary devices, elements, and subassemblies shipped individually by short titles, accounting numbers, and the short titles of the equipment in which the items are to be used. c. Identify items not accountable through accounting number by short title and quantity. d. Ensure that the markings on the crate or outer wrapper, identifying the COMSEC material within, agree with the accompanying "COMSEC Material Report" (SF 153). e. When material is to be hand-carried, a briefcase, pouch, or box is an appropriate outer wrapper. f. Specialized shipping containers for COMSEC equipment, such as locked and twice-banded repair kits, may be considered the outer wrapper. This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 28 g. Mark the inside wrapper of classified cryptographic material with the designator "CRYPTO" and the classification. If the shipment contains keying material designated for "U.S. Use Only," mark the inner wrapper with the remark "SPECIAL HANDLING REQUIRED, NOT RELEASABLE TO FOREIGN NATIONALS." If the shipment contains keying material that is releasable, mark the inner wrapper with the remark "SPECIAL HANDLING REQUIRED, FOR U.S. AND SPECIFIED ALLIES ONLY." Mark the inside wrapper of all accountable COMSEC material with the notation "TO BE OPENED ONLY BY THE COMSEC CUSTODIAN." If the classified material is an internal component of an unclassified packable equipment, the outside equipment shell may be considered as the component's inner wrapper, only one additional wrapper is required. h. Mark all transfer reports and other forms covering an individual DCS shipment with the individual shipment control number; affix the reports to the inner wrapper of the package. NOTE: Do not place the transfer report inside the sealed container with the COMSEC material because this defeats the purpose of marking the short title and accounting numbers on the outside of the container. i. For multiple package shipments, number each container beginning with package Number 1, followed by a slash and the total number of packages making up the shipment (e.g., for a shipment consisting of three packages, the first box would be marked “1/3”; the second one marked “2/3”; and the third (last) one marked “3/3”). Affix the shipping document (SF 153) to the inner wrapper of the first package of multiple package shipments. Do not annotate the serial package number(s) and transaction number in the immediate vicinity of DCS control numbers. j. Package keying material separately from its associated cryptographic equipment, unless the application or design of the equipment is such that the corresponding keying material cannot be physically separated. k. Annotate the equipment designator on the package. The "CCI" marking may be placed on the exterior of the package if so requested. Place the accompanying paperwork in an envelope securely fastened to the outside of the package and mark the envelope with the "TO" and "FROM" addresses, including the account number, without the word "COMSEC." l. Wrap unclassified COMSEC material, except keying material marked CRYPTO, as any other unclassified material according to packaging requirements of the agency or activity. 2.6.14. Authorized Modes of Transportation. An appropriately cleared individual may move COMSEC material locally (e.g., within a NASA Center). Various modes of transportation are authorized for COMSEC material. a. Shipping Classified Keying Material and Classified COMSEC Equipment. In time-critical situations, on a case-by-case basis, the COR, in conjunction with the appropriate NASA CCS, This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 29 may approve using commercial aircraft within the United States to transport current or superseded keying material as long as the material is hand-carried by an appropriately cleared individual and provided that departmental and Federal Aviation Administration procedures are followed. This policy does not apply to the use of NASA-owned and-operated aircraft, which may be used to transport material within the continental United States with approval from the CCS. When commercial aircraft must be used, written courier authorization is required. b. Classified Keying Material. When practical, limit individual shipments to not more than three editions or 3 months' supply of a particular item of keying material (whichever is the greater amount). This restriction does not apply to packaged irregularly superseded materials. The COR may waive this restriction when material is issued to a newly established account or in cases where supply is difficult and the number of shipments is limited. c. The COR may authorize using U.S. Registered Mail to ship individual editions of CONFIDENTIAL keying material, provided the material does not at any time pass out of U.S. citizen control, and does not pass through a foreign postal system or any foreign inspection. d. Do not send keying material classified SECRET or higher through the mail without prior approval of the COR. e. Except when using systems specifically designed for electronic rekeying, transmit operational keying variables electrically only under emergency conditions and only when the communications system provides end-to-end encryption equal to the classification of the transmitted key setting, and the key setting does not appear in plain text anywhere in the communications path. f. Under normal conditions, ship classified keying material only by one of the following means: DCS, appropriately cleared Government personnel who have been designated in writing to act as couriers for cryptographic material, U.S. Diplomatic Courier Service, appropriately cleared and briefed contractor personnel who have been designated in writing by competent authority to act as couriers, provided the material is classified no higher than SECRET. g. For TOP SECRET keying material, courier authorization must be obtained from the appropriate CCS on a case-by-case basis. Two-person integrity controls must be applied whenever local couriers transport TOP SECRET keying material from one location to another. See chapter 5. h. Classified COMSEC Equipment and Components. Do not ship classified COMSEC equipment and components in a keyed condition unless the physical configuration of the equipment makes segregating the keying material impossible. For equipment using a CIK, removing the key permits the equipment to be treated as unkeyed. Ship the CIK separately from the equipment. Transport COMSEC equipment and components classified higher than CONFIDENTIAL by any of the means identified for keying material, or by a cleared commercial This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 30 carrier under Protective Security Service. Transport COMSEC equipment and components classified CONFIDENTIAL by any of the means specified above, or any of the following: U.S. Registered Mail, provided it does not at any time pass out of U.S. control and does not pass through a foreign postal system or any foreign inspection; Commercial carriers (or U.S. military or military contractor air service) provided a continuous chain of accountability and custody for the material is maintained while it is in transit; U.S. military or military-contractor air service, provided the requirements for DOD Constant Surveillance Service are observed. i. Other Classified COMSEC Material. Use one of the following methods to transport media that embodies, describes, or implements a classified cryptographic logic, such as full maintenance manuals, cryptographic logic descriptions, drawings of cryptographic logic, specifications describing a cryptographic logic, cryptographic computer software, and operating Cryptographic manuals: DCS or appropriately cleared and briefed U.S. Government, contractor or military personnel who have been designated in writing by proper authority to act as courier for the material. These items may not be transported through any postal system. j. Use any of the following means to transport media that does not embody, describe, implement, or contain a classified cryptographic logic: Any of the means authorized in 2.6.15.i. above; Registered mail or by a cleared commercial carrier, using Protective Security Service for media classified SECRET; or U.S. Registered Mail or U.S. Postal Service Certified Mail for media classified CONFIDENTIAL. NOTE: Using Standard First Class Mail service is not acceptable for transporting any classified COMSEC material. 2.6.15. Shipping Unclassified COMSEC Material. a. Unclassified Keying Material Marked CRYPTO. Within Continental United States, by U.S. Registered Mail or authorized U.S. Government, contractor, or military personnel. Outside the continental U.S., use authorized department, agency, or contractor couriers; U.S. Diplomatic Courier Service; or the Defense Courier Service. Where practical, limit shipments transported by courier to no more than three editions when shipped by U.S. Registered Mail, no more than one edition. b. Within CONUS, Shipping CCI Material. Do not transport controlled material in a keyed condition, unless the equipment is designed to operate with a permanently installed hard-wired key. Ship CCI material by the following means: Authorized department, agency or contractor courier; U.S. Registered Mail; Authorized U.S. Government courier service (e.g., Diplomatic Courier Service); or Commercial carrier providing DOD CSS. Coordinate the shipment with the Transportation Officer. c. Outside CONUS. CCI may be sent by registered mail if the package will remain in U.S. mail channels, that is mailed to an Army Post Office or Fleet Post Office address, or will be carried by an individual who has been briefed as a courier. The courier must be briefed on proper security procedures and be aware of all requirements for access and the physical security of the equipment This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 31 or materials. Transportation may be by any means that permits the courier to maintain continuous accountability and provide protection against loss and unauthorized access while in transit. Where transportation is by commercial aircraft, the CCI should be stowed in the cabin where the courier can maintain constant surveillance. If equipment bulk will not permit cabin storage or creates an excessive burden for the courier, controlled circuit boards may be removed for cabin storage, and the remainder of the equipment may be checked as hold baggage. Controlled equipment must not be transported through countries other than those authorized to receive the equipment. All incidents of impoundment, seizure, or loss of controlled equipment while it is being carried must be reported in accordance with chapter 6 of this NPG. d. All other unclassified COMSEC material may be shipped by any means that will reasonably assure safe and undamaged arrival at the destination. Ship unclassified COMSEC items as classified COMSEC material when an operational need exists to provide both types of material together. 2.6.16. Authorized Modes of Transportation for Controlled Cryptographic Items and Components within the Continental United States, U.S. Territories, and Possessions. United States Postal Service Registered Mail -- Items shipped by registered mail must neither at any time pass out of U.S. control nor pass through any foreign postal system. There are, however, certain restrictions governing the size and weight of packages that can be shipped, which may preclude using this service. Always check with postal service authorities to determine whether the package material qualifies. U.S. First Class Mail, Fourth Class Mail, Parcel Post, Certified Mail, Insured Mail, and Express Mail are not authorized for shipping controlled equipment and components. The following means and capabilities will apply: a. Commercial Carriers. When using commercial carriers, an adequate degree of physical control and accountability for the material must be maintained while it is in transit. However, the small number of commercial carriers that provide an approved constant surveillance service has greatly restricted the ability of shipping activities to move controlled material. Therefore, the existing requirement that commercial carriers must provide approved constant surveillance service is being modified to allow shipping activities to use commercial carriers that can satisfy the requirements set forth below. This change only applies to shipments within the continental United States, U.S. territories, and possessions. b. CCI and components may be transported by any commercial carrier that warrants in writing to the shipping activity that it can satisfy all of the following requirements: The carrier must be a firm incorporated in the United States that provides door to door service; It must guarantee delivery within a reasonable number of days based on the distance to be traveled; and have a means of tracking individual packages within its system to the extent that should a package become lost, the carrier can, within 24 hours following notification, provide information regarding the package's last known location. It must guarantee the integrity of the vehicle's contents at all times; for example, while a driver is making pickup or delivery stops, the vehicle must be locked. It must guarantee that the package will be stored in a security cage should it This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 32 become necessary for the carrier to make a prolonged stop at a carrier terminal. In addition to satisfying the above requirements, the carrier must either use a signature and tally record that accurately reflects a continuous chain of accountability and custody by each individual who assumes responsibility for the package or shipment while it is in transit. The carrier may either provide its own signature and tally record form or agree to use the DD Form 1907 or NSA Form AC-10; or use an electronic tracking system that reflects a chain of accountability and custody similar to that provided by a manually prepared signature and tally record. Positive identification of the actual recipient of the material at the final destination must be indicated. A hard copy printout shall be provided as proof of service, and the printout must reflect those points, during transit, where electronic tracking of the package and shipment occurred. c. Regardless of the method of transportation selected, the NASA activity shipping controlled equipment and components shall provide the receiving CAM with timely notification of a scheduled shipment. Preferably, notification should be provided at least 24 hours prior to the estimated delivery date. This procedure will help to readily identify any shipment that might be unduly delayed or lost en route. d. Controlled equipment and components may only be shipped to authorized activities and contractors and shall be labeled in a way that will ensure delivery to an individual who is designated to accept custody of the material at the contractor facility/activity. Do not use the individual's name on the delivery label; rather, use functional designators such as office symbols or mail station codes. If using a commercial carrier, the accompanying shipping documents will provide an emergency telephone number(s) of an individual(s) authorized to receipt for the material in the event the carrier attempts to make delivery during other than normal duty or work hours. e. If a shipment of controlled equipment or components has not been received by the intended recipient within 5 working days following the expected delivery date, the originating shipper’s CAM will be contacted immediately. Unless there is a valid explanation for the delay, tracer action shall be initiated on the shipment by the shipping CAM. If its location cannot be determined, the controlled equipment or components shall be assumed to be lost in transit and reported in accordance with the guidelines provided at 2.6.18. below. 2.6.17. COMSEC Incident Reporting Requirements. The following types of incidents involving CCI shipments shall be reported to the NSA, ATTN: V51A (COMSEC Incidents), for evaluation. a. An information copy will be forwarded to the DSMO and the NASA COR when tracer actions have determined that controlled equipment or components are lost in transit and when shipments that are received show evidence of possible tampering or unauthorized access. All other incidents involving improper shipment or handling of controlled equipment and components shall be considered administrative in nature and reported in accordance with the guidelines set forth below. If a commercial carrier is involved, the name(s) of the carrier(s) shall be included in the report. This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 33 b. NASA Centers will report such incidents to the originator of the shipment who shall be responsible for any corrective action. A copy of the report shall also be provided to the DSMO, NASA COR and the NSA, ATTN: V51A, for information purposes only. c. If a NASA contract/memorandum of understanding is involved, such incidents will be reported to the originator of the shipment who shall be responsible for any corrective action. A copy of the report shall also be provided to the DSMO, NASA COR and the NSA, ATTN: X722 for information purposes. 2.6.18. Hand Receipts. The following assurances, procedures, and forms will be employed: a. An SF 153, the reverse side of NSA Form L6061 or equivalent NASA form may serve as a hand receipt. b. Before issuing material, determine that the proposed recipient has the need to know; has a COMSEC briefing as applicable; and has the appropriate clearance. Clearance or level of position does not, in itself, entitle any individual to have access to keying material. Each person having access to keying material must need the material in the performance of duties and be familiar with his or her responsibilities for its protection, use, and will be the actual user of the material. Clerical or other personnel who are not the user may not sign hand receipts. c. The proposed recipient knows the physical security measures necessary to protect the material and the possible consequences of compromise and, accordingly, has the physical means to secure and use the material, commensurate with the classification of the item. The file safe protected by a 007 lock should be located in the user's immediate work area. d. COMSEC material issued on hand receipt shall be signed for and controlled by the actual user, who is accountable until the material is returned to the issuing COMSEC account. Under no circumstances will the recipient reissue the material to another individual without the consent of the CAM. If the material is needed by another individual outside the immediate office of the original recipient, the material must be returned to the issuing CAM for reissuance. e. Physical security measures necessary to protect the material from the possible consequences of compromise and a security container must be located in the recipient's immediate work area. f. Pages are not to be removed from basic documents. g. Reproduction authorization of a document, in whole or in part, is contained in the handling instructions, usually the front cover, of each document produced. h. All accountable COMSEC items issued on a hand receipt must be returned to the issuing CAM before the individual is transferred, reassigned, or absent for more than 30 days. This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 34 i. Any possible compromise, access by unauthorized persons, or violation of security regulations affecting the material (user cannot locate document or suspects document was borrowed) must be reported to the issuing CAM immediately. j. The recipient's signature on the hand receipt certifies his or her understanding of the above handling requirements. k. The CAM must conduct a semiannual review of hand receipts for accuracy and update procedures as necessary. 2.6.19. A possession report, will be prepared on an SF 153. Enter appropriate remarks below the "NOTHING FOLLOWS" line, citing the reason for the report. Forward the signed original copy to the COR and retain a signed duplicate copy for file. Possession reports will be prepared as follows. a. When COMSEC material is received without accompanying transfer reports. b. Whenever reporting conversion of COMSEC material; c. When COMSEC material was previously lost or removed from accountability, but subsequently recovered; d. When a new CAM is appointed because of the sudden permanent departure or unauthorized absence of the previous CAM; e. When the holdings of the COMSEC account are large, a preprinted inventory may be requested from the COR for this purpose, and the properly completed inventory with a notation explaining the circumstances may serve as the possession report; f. When a document with a TSEC nomenclature that requires control in the CMCS is originated or reproduced; g. When COMSEC material is received without an accompanying transfer report, forward a signed copy of the possession report to the shipping COMSEC account, if known, and to the military department accounting headquarters, if applicable. 2.6.20. The CAM will report converted COMSEC material as follows: a. Whenever it is necessary to convert the short title and/or accounting number of an item of COMSEC material, report the conversion to the COR so that accounting records may be properly adjusted. A conversion can result from major modification of equipment requiring the equipment to be redesignated; for example, TSEC/KL-60, redesignated as TSEC/KL-60A). This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 35 b. Report a conversion by simultaneously submitting a possession report and a destruction report prepared on SF 153's. c. On the possession report, list the item by its new short title and accounting number, and include a remark referencing the associated destruction report. d. On the destruction report, list the previous short title and accounting number, and include a remark that the destruction is for record purposes only and reference the associated possession report. e. Forward one signed copy of each report to the COR and retain one signed copy of each report for file. 2.6.21. Inventories. Preprinted inventories are issued semiannually by the COR and reflect all accountable COMSEC material charged to the account as of the date the report was printed. The following procedures will be followed: a. Conduct 100-percent physical (sight) inventory and return inventory reports to the COR no later than 10 days after receipt. Hold inventories forwarded in preparation for an audit of the account until an auditor arrives. b. Upon arrival, the auditor and CAM will jointly conduct a physical inventory of all accountable COMSEC material held by the account, and all material issued on hand receipts, with the ACAM or another properly cleared witness. c. Assume COMSEC equipment in use to contain all the required subassemblies and elements, so it need not be opened for semiannual inventory purposes. d. Check implemented protective technology for possible signs of tampering before the equipment will be used operationally. e. Inventory equipment that remains in sealed shipping cartons against the marking on the outer wrapper or crate identifying the contents and inspect each carton for evidence of tampering. f. Inventory COMSEC material that is unit packed by the label affixed to the exterior of the package. Inspect each unit package for evidence of tampering. g. COMSEC publications need not be page checked at the time of the semiannual inventory. h. Do not use the preprinted inventory as a checklist when conducting the inventory. Doing so could cause oversight of material held that is not listed on the inventory. This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 36 i. The COMSEC Inventory should be used to conduct the inventory. j. Compare the results of the physical inventory against the preprinted inventory. Resolve any discrepancies that exist by comparing the preprinted inventory against the COMSEC Register File. k. Give particular attention to additions to, or deletions from, the account made close to the date of the report, since these transactions may not be reflected in the inventory. l. Update the report by deleting an item or supplementing the report with an SF 153. Line out in ink each item to be deleted from the inventory; erasures are not authorized. m. Provide complete details to support the deletion in the "remarks" column opposite the item. If the item was transferred, include the receiving account number, the outgoing transfer number, the transfer report date, and the CAM's initials. n. If the item was destroyed, provide the date, transaction number, and initial the entry. Attach a copy of the referenced SF 153 reports to the inventory report. o. Items listed on the preprinted inventory, but not physically sighted, will be lined out and the appropriate paperwork attached (e.g., Transfer or Destruction Reports). p. When material held is not listed on the inventory, list the material on an SF 153, appropriately classified, signed by the same individuals signing the inventory, and attach as a supplement to the preprinted report. q. Annotate the SF 153 below the "NOTHING FOLLOWS" line to indicate for each item the name and account number of the sender; the incoming transaction number and date; and/or details, as appropriate, to support the supplement. r. Assign the same transaction number to the supplement to the preprinted inventory as given to the inventory report. s. When all the material to be put on the supplement is from a complete shipment received on an individual SF 153, do not list the material on the supplemental SF 153. Instead, enclose the supporting SF 153 with the report, annotate the supplemental SF 153 report "See attached SF 153," and list the transaction number and date of receipt. t. During the course of updating the preprinted inventory, review each item on the inventory to determine if the material is still required. If any material is found to be no longer needed, place a remark to that effect in the "Remarks" column opposite each item. This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 37 u. When the preprinted inventory has been reconciled to agree with the account's actual holdings, the CAM and witness will sign and date the certification on the preprinted inventory and any supplemental SF 153’s. v. Indicate the number of supplemental forms in the space provided in the CAM's certification block; if no supplement was created, mark "NONE." w. Make a final review of the inventory ensuring that any deletions or additions are fully documented and that the certification blocks are signed and dated. x. Forward the original preprinted inventory, along with any supplemental SF 153's, to the COR and retain a copy of these, along with all working papers used in performing the physical inventory, for file. y. When the certified inventory is received by the COR, it will be reconciled with the central office’s records. z. The COR will respond only if discrepancies are noted. aa. If the account is cited with any discrepancy, the CAM will take corrective action within 48 hours of being notified and advise the COR of the action taken. Submit to the COR any substantiating reports required. bb. Complete a change of CAM inventory before the outgoing CAM departs, and account for all transactions so that the completed inventory reflects that material actually held by the account on the date of the changeover. cc. When a COMSEC account does not hold accountable COMSEC material, the CAM and a witness, usually the ACAM should sign the negative inventory, certifying that the account does not hold accountable COMSEC material. dd. COMSEC accounts will continue to receive semiannual inventories until a requirement for the COMSEC account no longer exists and the COMSEC account is formally closed. If the COMSEC account has received or still holds accountable COMSEC material when a negative preprinted inventory is received, supplement the inventory to reflect the accountable COMSEC material held by the COMSEC account. 2.6.22. Destruction Chapter 7 contains routine destruction procedures and requirements, as well as destruction methods and minimum standards that ensure that COMSEC material is adequately destroyed. 2.6.23. Accounting for, and Entering Amendments to, COMSEC Publications as follows: This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 38 a. A message amendment is used to announce information that must be immediately entered in a COMSEC publication. After posting the amendment and noting the entry on the "Record of Amendments" page, destroy classified message amendments. Do not report the destruction of message amendments to the COR. b. Account for printed amendments as COMSEC publications until they have been posted, the residue destroyed, and the destruction reported to the COR. Since preprinted amendments (ALC1 and ALC-2) are accountable and will reflect on inventories, provide an SF 153, Destruction Report, to the COR to remove them from the account after they have been posted to the basic documents. Take care when preparing the SF 153 to report the short title, edition, and accounting number of the amendment, and not that of the basic document. c. Post amendments as soon as possible after receipt or effective date to keep the basic publication current. The following guidance is to help avoid errors that commonly occur when posting amendments. If replacement pages are included in the amendment, page check both the basic publication and the residue of the amendment before destroying the residue. Inadvertently destroying effective portions of documents, together with residue from amendments, is a major cause of COMSEC material security violations. Note that the amendment was posted on the "Record of Amendments" page, and, if pages were added to or removed from the publication, date and sign the "Record of Page Checks" page. If an individual posts the amendment other than the CAM, return all residue of the amendment, including any pages removed from the basic publication, to the CAM for destruction. d. Destroy the residue as soon as possible or within 5 days after entering the amendment. 2.6.24. Accounting for COMSEC Material Launched into Space. Accountable COMSEC material launched into space aboard expendable vehicles or in Space Shuttle deployed payloads is normally considered unrecoverable. COMSEC equipment installed aboard Shuttle vehicles does not fall into this category. The following steps will be taken to remove unrecoverable COMSEC material from accountability records at the COR: a. Prior to launch, strip TSEC nomenclature nameplates and any other markings from cryptographic equipment and keying elements at the time equipment is installed in a payload. Make unclassified photographs that show COMSEC equipment installation in the payload. Keep nomenclature nameplates and photographs with COMSEC accounting paperwork until after launch or certain destruction of the space vehicle. b. Following the launch, complete a destruction report within 24 hours of launch. Below the "NOTHING FOLLOWS" line, include the date of launch, identify the launch vehicle, briefly explain events, and request that COR accountability be dropped because of launch. Attach equipment nomenclature nameplates and forward the report to the COR. The CAM will retain a This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 39 copy of nomenclature nameplates and photographs with COMSEC accounting paperwork as part of official records. c. Classify any COR correspondence associating COMSEC equipment use aboard space vehicles, except Shuttle vehicles, at the minimum level of CONFIDENTIAL. d. With today's technology, recovery from space is possible. When COMSEC materials are recovered from space, the receiving CAM will file a Possession Report. Because nomenclature nameplates will not be attached to recovered cryptographic equipment, the Possession Report must identify the spacecraft from which the equipment was recovered and must reference the Destruction Report that removed the material from accountability following launch. e. The receiving CAM may be required to coordinate this action with the losing CAM if the spacecraft was launched from a location other than the receiving CAM's. This information will allow the COR to positively identify and properly track recovered COMSEC materials. 2.7. Audit of COMSEC Accounts 2.7.1. Basis COMSEC accounts will be audited by the COR at least every 24 months on an announced basis (see 12-month unannounced inspection requirement at paragraph 2.7.4.5.) and/or as deemed necessary based on the following factors: a. Size of the account and volume of transactions; b. Frequency of CAM changes; c. Classification and sensitivity of the material held; d. Frequency of deviation from accounting procedures. 2.7.2. Notification. Prior notice may or may not be provided when a COMSEC account has been selected for an audit other than the regularly scheduled audit. 2.7.3. COR Access. The COR will have access to all accountable material held by the CAM. The COR will present proper identification prior to gaining access to the account. 2.7.4. Scope of the Audit. The audit will include the following actions: a. Verifying the completeness and accuracy of accounting reports and files. This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 40 b. Determining the CAM and ACAM's knowledge of and adherence to the provisions of this NPG. c. Reviewing all procedures related to the control and safeguarding of material. d. Physically sighting all accountable material. e. Conducting inspections of selected protective technologies, including the use of classified and other special inspection techniques made available by NSA to the COR on user and CAM locations (where feasible, implement a program of inspections conducted at random intervals without advance notification). f. As a general guideline, at least 10 percent of the total number of applicable locations under NASA should be subjected to unscheduled inspections annually. g. The COR will inform NSA of any suspect or possible compromised items and forward this information in accordance with instructions from the NSA Protective Technologies Division, as operational necessity permits. h. Soliciting any problems encountered by the CAM in maintaining the account. i. Issuing recommendations for improving local accounting and control procedures. j. Conducting a cursory inspection of implemented protective technologies. k. Verifying current briefings for contractor personnel who have access to COMSEC material. 2.7.5. Audit Report. After completing the audit, the COR will notify the CAM and consult with the CCS regarding any situation requiring immediate action and will conduct an exit interview with the CAM's supervisor as follows: a. A formal report of audit outlining any discrepancies noted during the audit, the condition of the account, and any recommendations for improvement will be forwarded to the DSMOHQ and the applicable CCS. b. When serious deficiencies are found, a Certificate of Action Statement will be submitted independently to the CAM. All actions required in the report must be completed within 10 working days after the report is received. See paragraph 2.4.7.e. for additional special reporting requirements regarding NSA Protective Technologies. 2.8. Closing a COMSEC Account This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 41 When it has been determined that a COMSEC account should be closed because it no longer is required and all material has been properly disposed of and no discrepancies exist, submit a formal written request to the COR. The COR will notify the element or activity in writing that the account has been closed, the appointments of the CAM and alternate(s) have been terminated, and provide disposition for accounting records and files. This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 42 CHAPTER 3: CONTROLLING AUTHORITIES 3.1. General A Controlling Authority is designated for each Cryptonet to manage its operation and associated keying material. NTISSI 4006 provides duties and responsibilities for Controlling Authorities. This chapter provides supplemental guidance for NASA. 3.2. Establishing the Cryptonet and Designating the Controlling Authority 3.2.1. The lead NASA Government element, such as the project office or circuit demander, is responsible for initiating the request to establish a cryptonet and performing controlling authority functions and coordinates with the CCS and CAM to submit a brief written proposal to the COR. 3.2.2. When no lead Government office is identified, contact the CCS or the COR for technical advice. For electronically generated key, the element that directed the key generation performs the controlling authority functions unless those functions are specifically delegated to another organization. 3.2.3. All cryptonet proposals and controlling authority designations are subject to review and validation by the COR. 3.2.4. Where contractors perform this function, the lead Government office in coordination with the CCS will designate a U.S. Government civil service employee to ensure that controlling authority functions of the contractor are being performed adequately. This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 43 CHAPTER 4: COMSEC INFORMATION ACCESS REQUIREMENTS 4.1. Criteria for Access to COMSEC Information Access to classified cryptographic information shall only be granted to individuals who satisfy the following criteria: 4.1.1. U.S. Citizen. 4.1.2. An employee of the U.S. Government, U.S. Government-cleared contractor, or employed as a U.S. Government representative (including consultants of the U.S. Government) as follows: a. Resident aliens who are U.S. Government civilian or military personnel may have access to unclassified COMSEC material, if their duties require it. b. Resident aliens may have access to CONFIDENTIAL COMSEC material, if they have a clearance based on a successful background investigation, an indoctrination, and their duties require such access. They may not be appointed CAM/custodian or have access to areas where COMSEC material is stored. c. Foreign nationals representing a foreign government or international organization may be given access to COMSEC information specifically released to the represented government or organization under the provision of NSTISSP No. 8. Before any release is made, the foreign government or organization must state in writing that the representative has an appropriate clearance and is officially designated to receive the information. 4.1.3. The employee has been granted a security clearance appropriate to the classification of the cryptographic information to be accessed. The security clearances of personnel occupying the positions of CAM and ACAM must be based on a background investigation (BI) that is current within 5 years. Other employees who require access to COMSEC information that is classified SECRET or below do not require a security clearance based on a BI. 4.1.4. The employee has a valid need to know as determined necessary to perform duties for, or on behalf of, the U.S. Government. 4.1.5. The employee has received a security briefing appropriate to the classified cryptographic information to be accessed. 4.1.6. The employee has signed a cryptographic access certificate shown in Appendix C. This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 44 4.2. COMSEC Briefing Requirements 4.2.1. A member of the NASA Center Security Office, Contractor Security Office, CAM, ACAM, member of the Security Management Office, or designated representatives will administer a COMSEC briefing to all employees whose duties require accessing COMSEC materials and maintaining associated records. For U.S. Government personnel, this briefing remains in effect during the time the employee has uninterrupted access. A COMSEC briefing is not required for individuals who only need access to a secure telephone unit, unclassified CRYPTO materials, or to unclassified COMSEC security memoranda and issuances. Local security requirements may augment these minimum briefing requirements. 4.2.2. Employees shall understand their individual responsibilities in handling and safeguarding procedures for classified COMSEC material. See Appendix B. 4.2.3. Complete Section One of the cryptographic access certificate shown in Appendix C after the COMSEC briefing is received and before access is granted to classified COMSEC information. Execute Section Two of this form when the individual no longer requires such access. Make the signed original certificate a permanent part of the official security records of the individual. This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 45 CHAPTER 5: TWO-PERSON INTEGRITY (TPI) AND NO-LONE ZONE (NLZ) CONTROLS 5.1. General TOP SECRET keying material is used to protect the most sensitive national security information and its loss could compromise all information protected by the key. Also, a significant body of information indicates that TOP SECRET keying material is a high-priority target for exploitation by hostile intelligence services. For these reasons, TOP SECRET keying material is afforded the special protection of TPI and NLZ controls. NLZ is an area, room or space to which no one person may have unaccompanied access and which, when manned, must be occupied by two or more appropriately cleared individuals. TPI is a system of storage and handling designed to prohibit access to certain COMSEC keying material by requiring the presence of at least two authorized persons, each capable of detecting incorrect or unauthorized security procedures with respect to the task being performed. The concept of TPI procedures differs from NLZ procedures in that under TPI, two authorized persons must directly participate in the handling and safeguarding of the keying material (as in accessing storage containers, transportation, keying/rekeying operations, and destruction). NLZ controls are less restrictive in that the two authorized persons need only to be present physically in the common area where the material is located. 5.1.1. Waivers to requirements in this chapter may be requested; however, maintaining a strong national COMSEC posture dictates that waivers be granted on a case-by-case basis only when a genuine hardship exists. Direct written requests for waivers, containing justification, through the CAM and CCS to the NASA COR. When the controlling authority for the material is not within NASA, the requester must notify that controlling authority of the waiver as soon as it is received. 5.1.2. Any violation of the TPI or NLZ requirements in this chapter is reportable as a COMSEC incident in accordance with chapter 6. 5.2. Procedures for Handling and Safeguarding Top Secret Keying Material TPI of TOP SECRET keys requires that COMSEC accounts and all local holders, including hand receipt users, have TPI storage capabilities and procedures to ensure that lone individuals will not have access to TOP SECRET keying material and key generators. Procedures in this chapter do not apply to key locally generated for immediate use, but they do apply to locally generated key that is held in physical or electronic form for future use. TPI must be maintained for TOP SECRET materials at all times, except as follows below: 5.2.1. Transportation. TPI controls apply whenever local couriers transport TOP SECRET keying material from one location to another. Receipts for this material must be signed by two This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 46 individuals who are cleared for TOP SECRET and authorized to receive the material. TPI controls are not required for TOP SECRET keying material while it is in the custody of the Defense Courier Service or the Diplomatic Courier Service. 5.3. TPI Handling of Packages Received 5.3.1. Upon initial receipt of TOP SECRET operational keying material by the CAM, TPI controls shall be implemented immediately. When a package is received and the classification cannot be determined by the CAM prior to opening, assume that the material is TOP SECRET. The CAM and a TOP SECRET-cleared, TPI-control participant will then inspect the package for evidence of damage or tampering. Both individuals will then open the package and compare the contents with the enclosed COMSEC Material Report (SF-153). If the material is TOP SECRET operational keying material, both participants will sign the SF-153 (Blocks 15 and 16) and immediately place the material into TPI storage. A copy of the SF-153 will then be submitted to the Central Office of Record. If the material is not TOP SECRET operational key, standard procedures for the receipt of COMSEC material will be executed as specified in chapter 2. 5.3.2. The above procedure provides a written record that reflects that TPI control was implemented upon initial receipt by the CAM. The SF-153's reflecting receipt of TOP SECRET operational keying material will be reviewed by NASA auditors during audits to ensure compliance with the two-signature requirement. 5.3.3. Wrapping TOP SECRET Material. a. On NASA Centers, enclose material in a sealed package or within a locked briefcase or other closed bag or container. b. Off NASA Centers, place material in sealed inner and outer wrappers. Wrappers can be paper, canvas, or briefcases. Briefcases must be locked, with built-in combination locks or padlocks that are key or combination operated. Mark the inner wrapper with the highest classification of the material inside, and with the "To" and "From" addresses. 5.3.4. Storage. TPI storage for TOP SECRET keying material requires two different approved combination locks, per National Security Agency Communications Security Issuance 4005 with no one person authorized access to both combinations. TPI storage can be in a strong box within a security container, in a security container within a vault, or in a security container with two 007 locks. At least one of the locks must be built into the vault or container. 5.3.5. Use. Establish NLZ’s as follows: a. Wherever COMSEC equipment contains TOP SECRET key in hard copy form or in a mechanical permuter installed in a piece of equipment. This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 47 b. User locations where equipment holds TOP SECRET key in key card form or has key set on mechanical permuters will be operated as NLZ’s. c. NLZ controls are not required when the key is resident in the cryptographic equipment in electronic form or when cryptographic equipment has been modified to preclude access by a single individual to the hard copy key inside. However, TPI controls always apply to initial keying and rekeying operations. d. Whenever possible, persons designated as TPI integrity team members should have previous COMSEC experience. If this is not possible, then the CAM should ensure that team members become familiar with those aspects of COMSEC operations, e.g., key loading procedures, necessary in fully understanding TPI control procedures. 5.3.6. Record of Combinations requirements is as follows: a. Maintain a central record of container combinations to ensure that TPI materials are accessible in emergencies. b. Record and protectively package each lock combination separately to prevent unauthorized access to the combinations. c. Store the record of combinations as TOP SECRET material. One method that may be used to protectively package records of lock combinations is contained in National Security Telecommunications and Information Systems Security Instruction (NSTISSI) No. 4005, Paragraph 102. This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 48 CHAPTER 6: COMSEC INCIDENT REPORTING REQUIREMENTS 6.1. General COMSEC incident reports provide the information necessary to determine if an incident results in a COMSEC insecurity. The guidelines in NSTISSI 4003, Reporting and Evaluating COMSEC Incidents, require that all incidents involving COMSEC material are reported and evaluated promptly so action can be taken to minimize adverse impacts on security, take recovery measures, and prevent similar incidents from occurring. NSTISSI 4001, Controlled Cryptographic Items, reporting requirements must be followed for unkeyed CCI. All COMSEC incidents must be reported within 24 hours to the NASA COMSEC COR and the CCS. Individuals will not be disciplined for reporting a COMSEC incident. Disciplinary action should be considered for individuals who, through either gross negligence or willful acts, jeopardize the security of COMSEC material. 6.2. COMSEC Incidents COMSEC incidents fall into three categories: Cryptographic Incidents, Personnel Incidents, and Physical Incidents. Specific reportable incidents that are peculiar to a given crypto system are listed in the operational security doctrine, operating instructions, and maintenance manual(s) for that crypto system. This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 49 CHAPTER 7: ROUTINE DESTRUCTION OF COMSEC MATERIAL 7.1. General The security of cryptographic systems depends on the physical protection afforded the associated keying material. All keying material, current and superseded, is extremely sensitive since all traffic encrypted with a compromised key could be compromised as well. For this reason, keying material other than defective or faulty key must be destroyed as soon as possible after supersession. Destroying superseded or obsolete cryptographic equipment and supporting documentation is also essential for maintaining a satisfactory national COMSEC posture, since these materials may be of significant long-term benefit to hostile interests desiring to exploit U.S. communications for intelligence purposes. 7.2. Training Destruction Personnel Supervisors must ensure that destruction personnel receive proper instruction in using and handling destruction devices and destruction procedures. Personnel involved must also be cleared to the highest classification level of the material to be destroyed and briefed on handling and procedures for protecting COMSEC information. 7.3. Routine Destruction Procedures for COMSEC Material Routine destruction should normally be done by the CAM and the ACAM. However, this restriction should not be enforced at the cost of delaying destruction. Granting additional appropriately cleared people the authority to destroy superseded material and certifying the destruction to the CAM is preferable to delaying destruction, even for a short time. Note: In order to expedite destruction, it is suggested that where a NASA Center has a COR for the handling of classified information, the registry may be designated as an agent for the routine destruction of COMSEC material. COMSEC material must always be destroyed in the presence of an appropriately cleared witness. Whenever system doctrine requirements conflict with procedures in this manual, the system doctrine requirements take precedence. 7.3.1. In a small facility with only a few pieces of COMSEC equipment, the CAM should collect used or superseded key and other COMSEC material, replace it with new material as necessary and, with a witness, destroy the used or superseded material. 7.3.2. In a large facility, or in mobile situations, the CAM may authorize a hand-receipt user and a witness to destroy certain COMSEC material as soon as it is used, replaced, or superseded. Hand receipt users must use an approved destruction device. The individual destroying COMSEC material and the witness must indicate that the material has been destroyed by This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 50 initialing an appropriate record such as the Key Disposition record and providing that record to the CAM at the end of each month. Such local destruction records serve as the basis for the CAM's destruction report to the NASA COMSEC COR. When approved destruction devices are not available at the user facility, the material must be collected by the CAM immediately after supersession so that it may be destroyed within the time specified for that material in subparagraph 7.3.4.b. on defective or faulty keying material. The COR must report such material to the NSA, X71A, and hold for disposition instructions. 7.3.3. The CAM must brief hand receipt users authorized to destroy keying material, emphasizing correct destruction procedures, the necessity for prompt and complete destruction of used or superseded keying material and for immediately reporting any loss of control of material before it was destroyed. 7.3.4. Scheduling Routine Destruction as follows: a. COMSEC material is ordered destroyed by superseding editions unless directed otherwise by the NASA COMSEC COR. Do not destroy, dismantle, or cannibalize COMSEC material, other than superseded material, without specific authorization from the NASA COMSEC COR. b. Keying material designated CRYPTO must be destroyed as soon as possible after use or supersession and may not be held longer than 12 hours following supersession. c. Where special circumstances prevent complying with the 12-hour standard, such as a facility unmanned over weekend or holiday period, an extension to a maximum of 72 hours is authorized. d. For other circumstances, such as the requirement to maintain archival key, contact the NASA COMSEC COR for instructions. e. COMSEC material involved in compromise situations must be destroyed within 72 hours after disposition instructions are received. f. Complete editions of superseded keying material designated CRYPTO that are held by a COMSEC account must be destroyed within 5 days after supersession. g. Maintenance and sample keying material not designated CRYPTO is not regularly superseded and need only be destroyed when physically unserviceable. h. Superseded classified COMSEC publications that are held by a COMSEC account must be destroyed within 15 days after supersession. i. The residue of amendments to classified COMSEC publications must be destroyed within 5 days after the amendment is entered. This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 51 7.4. Routine Destruction Methods and Standards Authorized methods for routinely destroying paper COMSEC material are burning, chopping or pulverizing crosscut shredding, and pulping. COMSEC material that is not paper, when authorized for routine destruction, must be destroyed by burning, chopping, pulverizing, or chemical alteration. The goal is to destroy the material so thoroughly that classified information cannot be reconstructed by physical, chemical, electrical, optical, or other means. 7.4.1. Do not destroy hardware keying material, such as proms and permuter plugs, and associated manufacturing aids without approval from the NASA COMSEC COR. 7.4.2. Routine destruction of COMSEC equipment and components are not authorized. Disposition instructions for equipment that cannot be repaired or is no longer required must be obtained from the NSA. 7.5. Approved Routine Destruction Devices Information concerning routine destruction devices, which have been tested and approved by the NSA, may be obtained from the NASA COMSEC COR. 7.6. Reporting Routine Destruction 7.6.1. The CAM must report routine destruction of all centrally accountable COMSEC aids, such as items assigned ALC 1 and 2, to the NASA COMSEC COR, no later than the 16th day of each month. No exceptions are authorized; however, negative reports are not required if no keying material is held that was authorized for destruction during the preceding month. Chapter 2 contains instructions for completing and submitting destruction reports. 7.6.2. Destruction records must be maintained by the CAM for 3 years and protected in the same manner as other comparable classified COMSEC material. Local destruction reports must be retained by the preparing element until the next scheduled audit. This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 52 CHAPTER 8: SECURE TELECOMMUNICATIONS FACILITIES 8.1. Physical Security Requirements for Classified and Unattended Keyed CCI Equipment 8.1.1. Secure telecommunications facilities must be provided positive access control, and they shall be constructed of solid, strong material to prevent unauthorized penetration or show evidence of attempted penetration. They must provide adequate attenuation of internal sounds that could divulge classified information through walls, doors, windows, ceilings, air vents, and ducts. Maximum physical security is achieved when the facilities are of vault-type construction. At a minimum, construction or modification of a secure telecommunications facility shall conform to the requirements stated in NSTISSI 4005, August 1997. 8.1.2. Responsibilities. The CAM and Alternate need to be cognizant of the number of persons performing cryptographic duties, the number of secure circuits, types of COMSEC equipment, and operational keys used in the secure telecommunications facility; the number of days before operational key is received in the secure telecommunications facility, restricting access to future key until received in the secure telecommunications facility, and waivers granted to the secure telecommunications facility. The CAM and alternate are also responsible for the following: a. Establishing an access list for authorized individuals. b. Establishing a visitors' register. c. Establishing and documenting a daily security check procedure. d. Prohibiting personally owned cameras, photographic devices/equipment capable of receiving and recording intelligible images; sound recording devices/equipment, including magnetic tapes or magnetic wire; amplifiers and speakers; radio transmitting and receiving equipment; microphones and television receivers from the telecommunications facility. e. Being knowledgeable of the capabilities and installation of anti-intrusion devices employed by the secure telecommunications facility to include the number of devices, the manufacturer, type and model number of each device, the operating procedures, a floor plan of the alarm system, and a response procedure. 8.2. CCI Access Controls CCI are by definition unclassified, but controlled. Minimum controls for CCI are prescribed under three different conditions: unkeyed; keyed with unclassified key; and keyed with classified key. The provisions apply to controlled items that are installed for operational use. All This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 53 controlled items are to be protected in a manner that provides protection sufficient to preclude theft, sabotage, tampering or unauthorized access, and that provides accountability for the material, whether or not installed. 8.2.1. Installed and Unkeyed. Establish procedures to provide physical controls adequate enough to prevent unauthorized removal of the controlled item or its components. Where practical, rooms containing unkeyed controlled items should be locked at the end of the workday, e.g., rooms housing an unkeyed secure telephone unit must be locked. 8.2.2. Installed and Keyed with Unclassified Key. a. Attended. Establish procedures to prevent access by unauthorized personnel using physical controls and/or monitoring access with authorized personnel. b. Unattended. Establish procedures to prevent access by unauthorized personnel using adequate physical controls, such as locked rooms, alarms, or random checks. 8.2.3. Installed and Keyed with Classified Key. a. Attended. CCI must be under the continuous positive control of personnel who possess a security clearance at least equal to the classification level of the keying material in use and, if the keying material is TOP SECRET, the NLZ’s controls must be instituted. b. Unattended. CCI must be in an area as described in subparagraphs 8.2.2.a and 8.2.2.b. 8.3. Storage Requirements A facility or organization will not be eligible to receive or generate classified COMSEC information until adequate storage has been established. 8.3.1. Classified COMSEC equipment and information other than keying material marked CRYPTO must be stored as prescribed for other classified material at the same classification level. 8.3.2. Keying material marked CRYPTO must be stored according to the requirements of NTISSI 4005, August 1997. 8.3.3. CCI must never be stored in a keyed condition. Before placing CCI in storage, all keying material must be removed. When unkeyed, controlled items must be protected against unauthorized removal or theft during storage placed in a locked room or a room with an adequate alarm system. This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 54 8.4. Record of Individuals Having Knowledge of Combinations to Containers Storing Classified COMSEC Material A record must be maintained of the names, organizations, and telephone numbers of individuals who know the combinations to containers storing classified COMSEC material. In the event of an emergency, such as a container or vault being found open after normal working hours, one of these individuals must be notified. Normally, these containers are under the direct control of the CAM and alternate (s); however, where operational need necessitates, classified COMSEC material, to include one edition of current keying material marked CRYPTO, may be issued on hand receipt to a user. Under these circumstances, the notified individual must also contact either the CAM or alternate (s). Immediately inventory the contents of the container or vault found not secure. When the inventory is completed the container or vault combination must be changed. Compare the results of the inventory against the account’s COMSEC Register File and, if any material is determined to be missing, include information in the incident report made according to the provisions of chapter 6. This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 55 CHAPTER 9: SECURE TELEPHONE UNIT (STU-III) 9.1. General This chapter augments doctrine provided in NTISSI 3013, Operational Security Doctrine for the STU-III, Type 1, Terminal. 9.2. Responsibilities 9.2.1. The NASA COR acts as the command authority for NASA STU-III terminals. 9.2.2. User Representatives prepare and submit key orders for designated users of STU-III terminals within the classification and type limitations of their privileges. User Representative responsibilities include the following: a. Interacting with users to determine key requirements. b. Interacting with the Command Authority for Department Agency Organization administration and User Representative privilege changes. c. Verifying security information with the CCS. d. Preparing and submitting key orders. e. Notifying the COMSEC Account Manager that delivery of a key order is anticipated. 9.2.3. Users. Each STU-III user has a number of responsibilities related to the security of the STU-III and the security of the information transmitted, outlined in the following subparagraphs 9.2.3.a. through 9.2.3.g. Users are encouraged to use the secure mode to protect both classified and unclassified national security information. a. Monitor the display during the secure call to determine the identification of the distant party, the maximum-security classification for the call, and for security-related messages. The security classification will appear on the top line of the display for the duration of the secure call and will be the highest level shared by the two terminals. Restrict the classification level of the conversation to no higher than the displayed level. The next three lines display the identity of the distant STU-III. This information will be scrolled through the display during secure call setup. The classification level and the first line of the identification information will remain on the display for the duration of the secure call. This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 56 b. The information displayed indicates the approved level for the call but does not authenticate the person using the terminal. The need-to-know principle is still binding. The mere connection to another STU-III does not signify a need to know. c. The calling and the called party establish the clearance of the other party by a means independent of the display, either by knowledge of the other party through voice recognition, or by introduction by another known cleared party. d. Since access to the STU-III with the CIK installed gives anyone the opportunity to use the STU-III in the secure mode, restrict access to the STU-III with the CIK installed to those people who hold a security clearance equal to or higher than the classification level of the key. e. Users are responsible for the environment in which a secure conversation is held. This includes their own and the other party's environment. An indication that either party is not in an authorized location to conduct a classified discussion should result in a termination of the call. f. The STU-III user is responsible for protecting his CIK. CIK should be treated as valuable personal property. Do not leave an ignition key where an unauthorized person would have access to both it and the associated STU-III. During the workday, the CIK may be left in the STU-III only if continuously attended by cleared personnel. When not in use, or if the terminal is unattended, the CIK must be removed from the terminal. g. The room or area in which a STU-III is located will be provided adequate protection at the end of the workday or whenever authorized personnel are not present. 9.2.4. CAM. a. The CAM holding the STU-III key in their accounts must have a clearance equal to the operational level of the key, i.e., the seed key will become classified to the appropriate level once converted in the terminal. SCI access is not required when the account manager does not perform the conversion process. Once the conversion process has occurred, all individuals who use a terminal keyed with Class 6 key must have SCI access. Additionally, when the operational level of the key is unclassified, a clearance is not required. b. Type 1 operational and Type 1 seed keys are ALC - 1. All test keys are UNCLASSIFIED and are ALC - 4. c. Fill devices stored in the COMSEC account should remain sealed in the plastic shipping bag. Each fill device will have an attached card label. Remove the card label when the key in the Key Storage Device is loaded into the terminal. Maintain a local record of key material identification numbers and the serial numbers of the associated STU-III. This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 57 d. Respond to Key Conversion Notices (KCN) acknowledging the conversion of seed key to operational key. If a KCN is not received for key that was loaded into a terminal, notify the NSA Key Management System (KMS) and be prepared to provide the COMSEC account number and the conversion date. e. Ensure that terminals are rekeyed by a call to the NSA KMS at least annually. f. An expired key may be returned to the NSA KMS for disposition. Transfer the fill devices to NSA COMSEC account 880103, using an SF 153. See paragraph 2.6. for shipping methods. SF 153 destruction reports with two signatures must be completed for fill devices zeroized other than during a loading procedure, at the account. 9.3. STU-III Security Education 9.3.1. COMSEC CAM will educate STU-III users when they receive their terminals, stressing the proper use of the terminal, how to handle and protect their CIK’s, and the importance of and correct procedures for reporting incidents. Information contained in this chapter will be issued to STU-III users when they receive their terminals. 9.3.2. Each user will sign a briefing statement acknowledging understanding of the responsibilities. 9.4. Protecting CIK 9.4.1. COMSEC CAM will maintain local records of CIK, to which terminals they are associated, and to which users they are assigned. 9.4.2. CIK will be protected as valuable U.S. Government property. Any person who is permitted unrestricted access to a keyed terminal can retain the ignition in his personal possession. If an ignition key is stored in the same room as the terminal, protect it according to the classification of the keyed terminal. When terminals are installed in residences, the user must be sure to remove the ignition key from the terminal following each use and keep it in his or her personal possession or store it in a security container approved for the classification level of the key in the terminal. 9.4.3. A master CIK is used to create other ignition keys for the same terminal, so greater controls should be exercised. Maintain master ignition keys in locked storage commensurate with the classification level of the key it protects, except when being used to create other CIK, and keep under the personal control of an authorized person who has been briefed on its sensitivity and the requirements for its control. Master CIK keys should not be used on a day-today basis with the STU-III. This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 58 9.4.4. Report lost CIK immediately to the CAM so that he can delete that CIK from all terminals with which they were associated. Deleting a CIK does not affect the usability of other CIK created for that terminal. Once a CIK has been disassociated from a terminal, it no longer needs to be controlled and can be reused. 9.4.5. Use of a CIK, by other than personnel for whom the authentication information appearing on the terminal display applies, may only be permitted if the intended user is verifiably cleared to the level that the key is classified and the ignition key is under continuous control and supervision by the authorized person. To place such a call, the authorized person must first make voice contact with the distant end identifying the intended user and indicating the intended user's clearance level before allowing access to the terminal. 9.5. Incidents 9.5.1. The following incidents apply specifically to the Type 1 STU-III and will be reported to the CCS, NASA COMSEC COR, and CAM: a. Failure of the CAM to notify the Key Management System that a seed key listed on the conversion notice still exists in the COMSEC account. b. Any instance in which the authentication information displayed during a secure call is not representative of the distant terminal. c. Failure to adequately protect or erase a CIK that is associated with a lost terminal. d. Any instance in which the display indicates that the distant terminal contains compromised key, for example, "Hang Up - Far Key Compromised" on the terminal display, indicating an unauthorized user may be at the distant end. e. Leaving a CIK in a STU-III when access to the STU-III is uncontrolled, unless area is approved for open storage for classified material. See NTISSI 4003. Reports of COMSEC incidents involving keys must include the assigned key material identification number, whether or not any CIK’s were involved, and whether or not the keys were protected when the incident occurred. f. CIK Failure. If a CIK that had previously operated properly fails, the failure could be attributed to a malfunction in the key itself or in the terminal. It could also be an indication that the key has been copied and the copy used in the terminal. To preclude the possibility of further use in the event the key was copied, the failed key should be promptly deleted from the terminal; deleting the key does not affect the usability of other keys created for that terminal. g. Loss of a CIK. Once reported, the ignition key should be deleted from the system. This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 59 h. Initial discovery of loss or unauthorized relocation of a STU-III. If a STU-III is discovered missing, secure all associated CIK until other instructions are received. i. Transmission of classified information using a terminal with a failed display. If the display fails, terminate the call immediately. j. Failure to rekey a terminal within 2 months after the end of the Cryptoperiod will trigger the NSA KMS to zeroize terminals automatically at the end of the 2-month period. k. "Security Failure" on the terminal display when a CIK is removed. This display is accompanied by a continuous audible tone to notify the user that an emergency condition exists and that prompt action is required. Protect the terminal as classified until further instructions are received. l. "CIK Not Updated" on the terminal display. 9.6. STU-III Terminal Keying and Rekeying 9.6.1. Electronic keying of a Type 1 STU-III is accomplished by loading a seed key, which includes authentication information for the terminal display, into the STU-III from the key security device followed by immediately creating at least one CIK, and calling the NSA KMS. During the call, the KMS electronically provides an operational key at the classification level ordered to replace the seed key in the terminal. Once this process, called conversion, is complete, the terminals may be used in the secure mode to call other STU-III terminals. 9.6.2. During the rekey call to the KMS, it is the key in the terminal that is being rekeyed, not the CIK. Therefore, only one call is necessary; rekey calls are not required for each of the multiple keys associated with one terminal. It is not necessary to use the master key. 9.7. Secure Data Mode The STU-III is designed to prevent disclosure of information in transit only, and the end system is still responsible for determining and properly reacting to the accreditation range of the system to which it will communicate, the identity of the user of the distant end system, and the STU-III negotiated classification level of the connection. When appropriate, computer security safeguards must also be employed to prevent improper and/or unauthorized access to information. 9.7.1. Data Installation as Follows: a. STU-III terminals may be used to secure communications between classified computer systems, provided the key in the terminal matches the classification of the information to be transmitted. This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 60 b. Authorization from the CCS and/or the Designated Approval Authority (DAA) is required before data processing equipment may be installed and operated with a STU-III terminal. 9.7.2. Facsimile Installations. a. STU-III terminals may be used with facsimile machines to transmit classified information, provided the key in the terminal matches the classification of the information to be transmitted. b. Authorization from the CCS is required before facsimile equipment may be installed and operated with a STU-III terminal. c. Facsimile machines used to transmit classified information will be protected in the same manner as the associated STU-III terminal. d. Secure voice contact must be established before switching to data mode and transmitting the material. Classified material receipting regulations apply when transmitting classified information between NASA Centers or to other addresses. The sending operator will remain at the terminal until the transmission is complete and returned to secure voice mode to verify receipt. 9.8. Sensitive Compartmented Information Facility (SCIF) 9.8.1. Use only SCI level keys (Class 6, Code 10). 9.8.2. The CIK’s associated with the terminals may not be removed from the SCIF. 9.8.3. STU-III terminals will not be removed from the SCIF except for maintenance. 9.9. Installations in Residences, Hotels, or Commercial Conference Facilities Installations in residences, hotels, or commercial conference facilities require the express written permission of the CCS. Requests for permission to install a STU-III terminal in a residence, hotel, or commercial conference facility need to include a statement of need. 9.10. Vehicle Installations 9.10.1. Installations of STU-III secure cellular terminals in vehicles require the express written permission of the CCS. 9.10.2. The CCI portion of a STU-III cellular terminal is normally installed in the trunk of the vehicle. When the vehicle is to be unattended, remove the CIK and terminal mounting mechanism key, and lock the vehicle. When the vehicle will be unattended for an extended This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 61 period or will be parked in an area where there is a high threat of theft or tampering, or if the vehicle will be turned over for commercial repair, first remove the CCI portion of the terminal, the message center, and the handset. 9.11. Acoustic Security 9.11.1. Acoustical isolation must be sufficient to prevent classified conversation from being overheard, without the aid of electronic equipment in adjacent uncleared areas. Acoustical separation can be achieved by implementing adequate separation, physical barriers, area access controls, or some combination thereof. Acoustic isolation must be sufficient to prevent classified conversations from being overheard at nonsecure telephones. 9.11.2. Measures to implement the requirements outlined above will include the following or a combination thereof: a. Individual offices, in which the structure provides the needed isolation. b. Sound absorbent office partitions between individual work areas in open plan offices. c. Other protective measures specified by a NASA Installation Security Officer . This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 62 CHAPTER 10: COMSEC EMERGENCY ACTION PROCEDURES 10.1. Requirements All organizations holding classified or CCI COMSEC material must prepare a plan to protect the material during natural disasters and accidental emergencies, such as fire, flood, tornado, and earthquake. Planning and actions should emphasize maintaining security control over the material without endangering life until order is restored. Incorporate the requirements of this chapter into the emergency action procedures established for the entire facility. Additionally, structure normal operating routines to minimize the number and complexity of actions to be taken to protect COMSEC material during emergencies. For example, hold only the minimum amount of COMSEC material at any time; that is, conduct routine destruction frequently and dispose of excess COMSEC material according to disposition instructions. 10.2. Preparedness Planning for natural disasters and accidental emergencies must provide for the following: 10.2.1. Fire reporting and initial fire fighting by assigned personnel. Note: The Emergency Plan must be coordinated with the appropriate security and fire and safety personnel. 10.2.2. Assigning on-the-scene responsibility to ensure that COMSEC material is protected. 10.2.3. Securing or removing classified COMSEC material and evacuating the area(s). 10.2.4. Protecting material when outside fire fighters, and/or other emergency personnel, must be admitted into the secure area(s). 10.2.5. Assessing and reporting probable exposure of classified COMSEC material to unauthorized persons during the emergency. 10.2.6. Postemergency inventorying classified and CCI COMSEC material and reporting any losses or unauthorized exposures to appropriate authority. 10.2.7. Destroying COMSEC Material. While destruction of COMSEC material is usually not considered in a location within the continental United States, the possibility of destruction prior to evacuation in the case of other natural disasters or emergencies will be discussed with the COR. This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 63 10.3 Preparing the Emergency Plan Preparing the COMSEC material emergency plan is the COMSEC Account Manager’s responsibility. A sample emergency plan is included as Appendix D. The plan should be coordinated with appropriate security, fire, and safety personnel. The plan must be realistic and workable, and it must accomplish the goals for which it is prepared. Contributing factors to this are as follows: 10.3.1. All duties under the plan must be described clearly and concisely. 10.3.2. All authorized personnel at the facility should be aware of the existence of the plan. Each individual who has duties assigned under the plan should receive detailed instructions on how to carry out these duties when the plan becomes effective. Personnel involved should be familiar with all duties so that assignment changes may be made, if necessary. This can be achieved by periodically rotating the emergency duties of all personnel. 10.3.3. Conduct training exercises periodically to ensure that all personnel, especially those newly assigned, who might have to take part in an actual emergency, will be able to carry out their duties. As necessary, change the plan based on the experience of the training exercises. 10.4. Emergency Action Procedures Review COMSEC emergency procedures developed under these guidelines will be made available for review upon the request of the COR. This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 64 APPENDIX A: COMSEC TERMS Definitions of generic COMSEC terms used in this manual can be found in NTISSI 4009. NASA specific definitions are listed below: 1. ACAM. Individual designated to perform the duties of the CAM during their temporary absence. Outside NASA, this position is known as Alternate COMSEC Custodian. 2. NASA COR. The COR is located at KSC and keeps records of all NASA COMSEC material received by elements subject to its oversight. COR duties include establishing and closing NASA COMSEC accounts, maintaining records of CAM and ACAM appointments, distributing inventories, performing audits, and responding to queries concerning account management. 3. COMSEC Account. An entity administratively subordinate to the NASA COR, identified by an account number, responsible for maintaining custody and control of accountable COMSEC material. 4. CAM. The individual designated by proper authority to be responsible for receipting, transferring, safeguarding, destroying, and the accountability of COMSEC material assigned to a COMSEC account. Outside NASA this position is known as COMSEC Custodian. 5. NASA Systems Security Manager. The individual, employed at the NASA Security Mangement Office, responsible for the development of agencywide policy and oversight of the management and utilization of COMSEC within NASA. This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 65 APPENDIX B: SAMPLE COMSEC BRIEFING 1. You have been selected to perform duties requiring access to U.S. classified COMSEC information. It is essential that you become fully aware of facts relating to protecting this information before access is granted. This briefing will give you a description of the type of COMSEC information to which you may have access, the reasons why special safeguards are necessary for protecting this information, the directives and rules that prescribe such safeguards, and the penalties you may incur for the unauthorized disclosure, unauthorized retention, or negligent handling of U.S. classified COMSEC information. Failing to properly safeguard this information could cause serious or exceptionally grave damage, or irreparable injury, to the national security of the United States, or could be used to a foreign nation's advantage. 2. COMSEC is the general term used for all steps taken to deny unauthorized persons information, derived from the telecommunications of the U.S. Government, and to ensure the authenticity of those communications. COMSEC has four main components -- transmission security, physical security, emission security, and cryptographic security. Transmission security is methods and techniques applied to protect information while in transmission from unauthorized intercept, traffic analysis, imitative deception, and disruption. Physical security is those barriers put in place to prevent access by an unauthorized person to materials, information, documents, and equipment. Emission security is measures taken to prevent compromising signals from emanating from equipment or telecommunications systems. Cryptographic security is rules applied to alter information, making it unintelligible to unauthorized people during communications. To ensure that telecommunications are secure, all four of these components must be considered. 3. COMSEC equipment and keying material are especially sensitive because they are used to protect other classified information while that information is communicated from one point to another. Any particular piece of COMSEC equipment, keying material, or other cryptographic material may be the critical element that protects large amounts of classified information from interception, analysis, and exploitation. If the integrity of the COMSEC system is weakened at any point, all information protected by the system could be compromised; even more damaging is if this loss of classified information goes undetected. The procedural safeguards placed on COMSEC equipment and materials, covering every phase of their existence from creation through disposition, are designed to reduce or eliminate the possibility of such loss. 4. COMSEC equipment and materials receive special handling for distribution and accounting as part of physical security protection. Two separate channels are used for handling such equipment and materials: COMSEC channels and administrative channels. The COMSEC channel or COMSEC Material Control System is used to distribute accountable COMSEC such as keying material, maintenance manuals for cryptographic, and classified, and CCI equipment. The COMSEC Material Control System channel is composed of a series of COMSEC accounts, each of which is appointed a COMSEC Account Manager who is personally responsible and This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 66 accountable for all COMSEC materials in the account. The COMSEC Account Manager assumes responsibility for the material from the time it is received and controls its dissemination to authorized users on a need to know basis. The administrative channel is used to distribute COMSEC information and materials other than that accountable in the CMCS. 5. To adequately protect COMSEC equipment and materials, you must understand all the pertinent security regulations and the importance of reporting any compromise, suspected compromise, or other security problem involving these materials. If a COMSEC system is compromised but the compromise is not reported, all information that was ever protected by that system may be lost as a result. If the compromise is reported, steps can be taken to change the system and replace the keying material, to reduce the damage done. In short, it is your individual responsibility to know and to put into practice all the provisions of the appropriate publications relating to properly using and protecting the COMSEC equipment and materials to which you will have access. 6. Because access to U.S. classified cryptologic information is granted on a strict need-to-know basis, you will be given access to only that cryptographic information necessary for you to perform your duties. 7. You may not disclose any COMSEC information without the specific approval of the NASA COMSEC Manager or the National Security Agency. This applies to both classified and unclassified COMSEC information and means that you may not prepare newspaper articles, speeches, technical papers, or make any other "release" of COMSEC information without specific Government approval. The best personal policy is to avoid any discussions that reveal your knowledge of or access to COMSEC information and, thus, avoid making yourself interesting to those who seek the information you possess. 8. When your duties include access to classified COMSEC information, in addition to the above, you should avoid travel to any countries that are adversaries of the United States or to their establishments or facilities within the United States. Should such travel become necessary, your security office must be notified in advance, allowing sufficient time for you to receive a defensive security briefing. Any attempt to elicit the classified COMSEC information you have, either through friendship, favors, or coercion, must be reported immediately to your security office. 9. Finally, you must know that if you willfully disclose or give any of the classified COMSEC information, equipment, including CCI, or associated keying materials to which you have access to any unauthorized persons, you will be subject to prosecution under the criminal laws of the United States. The laws that apply are contained in Title 18, U.S.C., Sections 641, 793, 794, 798, and 952. This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 67 SIGNATURE OF EMPLOYEE BRIEFED DATE SIGNATURE OF BRIEFER APPENDIX C: SAMPLE CRYPTOGRAPHIC ACCESS CERTIFICATION INSTRUCTION Section One of this certification must be executed before an individual may be granted access to U.S. classified cryptographic information. Section Two will be executed when the individual no longer requires such access. The original signed certificate will be made a permanent part of the official security records of the individual concerned. SECTION ONE AUTHORIZATION FOR ACCESS TO U.S. CLASSIFIED CRYPTOGRAPHIC INFORMATION: a. I understand that I am being granted access to U.S. classified cryptographic information. I understand that my being granted access to this information involves me in a position of special trust and confidence concerning matters of national security. I hereby acknowledge that I have been briefed concerning my obligations with respect to such access. b. I understand that safeguarding U.S. classified cryptographic information is of the utmost importance and that the loss or compromise of such information could cause serious or exceptionally grave damage to the national security of the United States. I understand that I am obligated to protect U.S. classified cryptographic information, and I have been instructed in the special nature of this information and the reasons for the protection of such information. I agree to comply with any special instructions issued by NASA or my NASA Center regarding unofficial foreign travel or contacts with foreign nationals. c. I fully understand the information presented during the briefing I received. I have read this certificate and my questions, if any, have been satisfactorily answered. I acknowledge that the briefing officer has made available to me the provisions of Title 18, U.S.C., Sections 641, 793, 794, 798, and 952 (see attached). I understand that, if I willingly disclose to any unauthorized person any of the U.S. classified cryptographic information to which I might have access, I am subject to prosecution under the criminal laws of the United States, as appropriate. I understand and accept that unless I am released in writing by an authorized representative of the This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 68 NASA Security Office, the terms of this certificate and my obligation to protect all U.S. classified cryptographic information to which I may have access apply during the time of my access and at all times afterward. ACCESS GRANTED THIS DAY OF 19 SIGNATURE NAME/GRADE/SSN SIGNATURE OF ADMINISTERING OFFICIAL NAME/GRADE/OFFICIAL POSITION SECTION TWO TERMINATION OF ACCESS TO U.S. CLASSIFIED CRYPTOGRAPHIC INFORMATION: I am aware that my authorization for access to U.S. classified cryptographic information is being withdrawn. I fully appreciate and understand that the preservation of the security of this information is of vital importance to the welfare and defense of the United States. I certify that I will never divulge any U.S. classified cryptographic information I acquired, nor discuss with any person any of the U.S. classified cryptographic information to which I have had access, unless and until freed from this obligation by unmistakable notice from proper authority. I have read this agreement carefully and my questions, if any, have been answered to my satisfaction. I acknowledge that the briefing officer has made available to me Title 18, U.S.C., Sections 641, 793, 794, 798, and 952. ACCESS WITHDRAWN THIS DAY OF 20___ SIGNATURE NAME/GRADE/SSN SIGNATURE OF ADMINISTERING OFFICIAL NAME/GRADE/OFFICIAL POSITION This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 69 PRIVACY ACT STATEMENT In accordance with the Privacy Act of 1974, as amended (5 U.S.C. 552a), the following notice is provided: Authority to request Social Security Number is Executive Order 9397. Routine and sole use of the Social Security Number is to identify the individual precisely, when necessary, to certify access to U.S. classified and/or unclassified cryptographic information. While disclosure of your Social Security Number is voluntary, failure to do so could delay certification and, in some cases, prevent original access to U.S. classified and/or unclassified cryptographic information. SIGNATURE DATE This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 70 APPENDIX D: SAMPLE EMERGENCY ACTION PLAN 1. Purpose. To protect and minimize the risk of compromise of COMSEC material during emergency situations. 2. Discussion. National COMSEC policy requires that all organizations holding classified or CCI materials have an Emergency Action Plan with procedures for the protection of such material during natural disasters and accidental emergencies, such as fire, flood, tornado, and earthquake. The actions contained within this plan provide for the security to the material without endangering the lives or safety of personnel implementing the plan. Specifically, the plan provides for the following: a. Fire reporting. b. Assignment of on-the-scene responsibility for ensuring protection of the COMSEC material held. c. Securing of classified COMSEC material and evacuation of the area. d. Protecting of material when admission of outside firefighters into the secure area is necessary. e. Assessing and reporting of probable exposure of classified COMSEC material to unauthorized persons during the emergency. f. Postemergency inventory of classified and CCI materials and the reporting of any losses or unauthorized exposures to appropriate authority. 3. Implementation. The senior individual present will take the action outlined in subsequent paragraphs to safeguard the COMSEC material. The actions are directed toward maintaining positive control over the material while not endangering the health or safety of personnel. 4. Action. a. Fire reporting. In the event a fire is discovered within the Message Processing Center, the following actions will be taken, as the situation permits: 1) The person discovering the fire should immediately alert all others in the vicinity by loudly shouting "Fire!” then sound the alarm by pulling the alarm located inside the Message Processing Center, to the right of the main door. This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 71 2) If possible, without endangering the safety of Message Processing Center personnel, should attempt to extinguish the fire using the extinguishers located inside the center. 3) Carry out the actions regarding the evacuation of the spaces outlined in paragraph 4(c) of this Plan. b. Responsibility for safeguarding COMSEC material. All personnel assigned to the Message Processing Center are responsible for safeguarding COMSEC material. In the event of an emergency situation, the senior individual has primary on-the-scene responsibility for ensuring the protection of the material. c. Securing of classified material and evacuation. 1) If the situation permits, open the safe and stow all COMSEC material that may have been removed from the safe. Stow all Automated Defense Information Network disks. Secure the safe. 2) Remove the COMSEC Register files for Account 800121 from the file box located on the COMSEC Account Manager’s desk and place in an envelope. Message Processing Center personnel will take this envelope when evacuation occurs. 3) Remove the three inventory folders located inside the vault door, and to the right of the door, and prepare to evacuate the spaces with these three folders and the COMSEC Register file envelope. 4) Lock the vault door. Evacuate the spaces, taking the COMSEC Register file envelope and three inventory folders. Set the alarm as you exit, and secure the door to the Message Processing Center. Follow the directions of the floor wardens and proceed to the designated evacuation area, remaining well clear of the building. 5) If the situation does not allow for stowage of material, evacuate immediately. Take the three inventory folders if possible, but not if it will endanger lives. d. Protecting material when admission of outside firefighters is necessary. In the event that it becomes necessary to admit firefighters or other emergency personnel, the following protective measures are to be followed: 1) If the situation permits, open the safe and stow any COMSEC material that may have been removed. Secure the safe. This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 72 2) If unable to stow the material in the safe, take whatever actions are necessary to minimize fire team exposure to COMSEC material without hindering fire-fighting efforts. For example, cover or stow the material in a desk drawer. e. Assessing and reporting of probable expose of classified COMSEC material to unauthorized persons during emergency situations. In the event that probable exposure of classified COMSEC material occurs, the following actions are to be taken: 1) If possible, obtain the name, citizenship, and clearance level (if any), of the unauthorized persons. 2) Make a complete list of the COMSEC material involved. 3) Using a STU-III, notify the NASA COR of the details of the incident. The NASA Central Office of Record may direct additional reporting. f. Postemergency inventory of classified and CCI COMSEC materials. Upon resolution of the emergency situation, the following actions will be taken: (1) Conduct a complete inventory of all classified and controlled items. (2) Report any discrepancies/losses to the NASA COR immediately. g. Other Natural Disasters/Emergencies. Other natural disasters, such as floods, earthquakes, or hurricanes, may require the evacuation of the Message Processing Center. Follow the procedures in paragraphs 4. (c), (d), (e), and (f) of this Appendix D. 5. Destruction of COMSEC Material. While destruction of COMSEC material is usually not considered for locations within the continental United States, the possibility of destruction prior to evacuation in the case of other natural disasters or emergencies will be discussed with the NASA COR. This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 73 APPENDIX E: CLASSIFICATION GUIDE ITEM UNCLASSIFIED Individual SF-153 transfer, destruction, possession of inventory N/A FOR OFFICIAL USE ONLY CLASSIFIED When no classified info is included CONFIDENTIAL when effective or supersession dates for classified CRYPTO are identified. According to content, but minimum of CONFIDENTIAL if remarks Are classified or association of address is classified. Individual L6061 Cards and Hand Receipts When no classified info is on a card/ Hand receipt N/A When Classified info is included, classify according to content. Compilation of records (e.g., the Register File; a File(s) containing completed SF-153/s, inventories, consolidated Hand receipts) N/A When no classified info is included. When classified info is included, a file MUST be classified according to The highest level in the file. When info does not reveal details of allocation and deployment.* CONFIDENTIAL when detailed info re: allocation and deployment is included.* Crypto equipment Completed classified keying material disposition record N/A N/A CONFIDENTIAL Any info that provides the effective date and/ or supersession date for classified operational key marked CRYPTO N/A N/A CONFIDENTIAL Any Correspondence associating COMESC equipment use aboard space vehicles, except Shuttle vehicles. N/A N/A CONFIDENTIAL *DOES NOT APPLY TO STU-III ALLOCATION AND DEPLOYMENT UNLESS SENSITIVE GOVERNMENT FACILITY/LOCATION INVOLVED. This Document Is Uncontrolled When Printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html 74