NASA Procedures and Guidlines

advertisement
NASA Procedures and Guidelines
NPG 1600.6A
Effective Date: March 2, 2000
Expiration Date: March 2, 2002
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
Responsible Office: JS/Security Management Office
NASA Communications Security (COMSEC)
Procedures and Guidelines
TABLE OF CONTENTS
Cover
Preface
P.1.
P.2.
P.3.
P.4.
P.5.
PURPOSE
APPLICABILITY
AUTHORITY
REFERENCES
CANCELLATION
CHAPTER 1. INTRODUCTION
1.1.
1.2.
1.3.
1.4.
1.5.
1.6.
General
Transmission of Classified Information
Applicability and Scope
Objectives
Definitions
Revisions
CHAPTER 2. COMSEC MATERIAL CONTROL
2.1.
2.2.
2.3.
2.4.
2.5.
2.6.
2.7.
2.8.
General
Responsibilities and Organization
The COMSEC Account
COMSEC Material
COMSEC Material Accountability
COMSEC Material Control System (CMCS)
Audit of COMSEC Accounts
Closing a COMSEC Account
CHAPTER 3. CONTROLLING AUTHORITIES
3.1. General
3.2. Establishing the Cryptonet and Designating the Controlling Authority
CHAPTER 4. COMSEC INFORMATION ACCESS REQUIREMENTS
4.1. Criteria for Access to COMSEC Information
4.2. COMSEC Briefing Requirements
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
1
CHAPTER 5. TWO-PERSON INTEGRITY (TPI) NO-LONE ZONE (NLZ)
CONTROLS
5.1. General
5.2. Procedures for Handling and Safeguarding Top Secret Keying Material
5.3. TPI Handling of Packages Received
CHAPTER 6. COMSEC INCIDENT REPORTING REQUIREMENTS
6.1. General
6.2. COMSEC Incidents
CHAPTER 7. ROUTINE DESTRUCTION OF COMSEC MATERIAL
7.1.
7.2.
7.3.
7.4.
7.5.
7.6.
General
Training Destruction Personnel
Routine Destruction Procedures for COMSEC Material
Routine Destruction Methods and Standards
Approved Routine Destruction Devices
Reporting Routine Destruction
CHAPTER 8. SECURE TELECOMMUNICATIONS FACILITIES
8.1. Physical Security Requirements for Classified and Unattended Keyed Controlled
Cryptographic Items (CCI) Equipment
8.2. CCI Access Controls
8.3. Storage Requirements
8.4. Record of Individuals Having Knowledge of Combinations to
Containers Storing Classified COMSEC Material
CHAPTER 9. SECURE TELEPHONE UNIT-III (STU-III)
9.1.
9.2.
9.3.
9.4.
9.5.
9.6.
9.7.
9.8.
9.9.
General
Responsibilities
Secure Telephone Unit III (STU-III) Security Education
Protecting Crypto Ignition Key (CIK)
Incidents
STU-III Terminal Keying and Rekeying
Security Data Mode
Sensitive Compartmented Information Facilities (SCIF)
Installations in Residences, Hotels, or Commercial Conference Facilities
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
2
9.10. Vehicle Installations
9.11. Acoustic Security
CHAPTER 10. COMSEC EMERGENCY ACTION PROCEDURES
10.1.
10.2.
10.3.
10.4.
Requirements
Preparedness
Preparing the Emergency Plan
Emergency Action Procedures Review
APPENDICES
A.
B.
C.
D.
E.
COMSEC Terms
Sample COMSEC Briefing
Sample Cryptographic Access Certification
Sample Emergency Action Plan
Classification Guide
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
3
Effective Date: March 2, 2000
Preface
P.1. PURPOSE
This NPG provides basic information for assignment of individual Communications Security
(COMSEC) accountability responsibilities within NASA. It sets forth minimum standards,
procedures, specifications, and guidelines for safeguarding and control of COMSEC material in
NASA's possession.
P.2. APPLICABILITY
This NPG applies to the NASA Headquarters and all NASA Centers, including Component
Facilities.
P.3. AUTHORITY
42 U.S.C. Sections 2455, 2456, 2456a, and 2473(c) -- Sections 304 and 203 (c), respectively, of
the National Aeronautics and Space Act of 1958, as amended.
P.4. REFERENCES
a. 5 U.S.C. 552(b)(1)-(9), Exemptions, Freedom of Information Act (FOIA).
b. 40 U.S.C. 1441 note, Computer Security Act of 1987, as amended.
c. 40 U.S.C. 1441, Responsibilities regarding efficiency, security, and privacy of Federal
computer systems.
d. 50 U.S.C. 435, Access to Classified Information - Procedures.
e. Pub. L. 103-236, 108 Stat. 525, Protection and Reduction of Government
Secrecy Act (50 U.S.C. 435 note).
f. E.O. 12829, National Industrial Security Program, 3 CFR (1993 Compilation).
g. E.O. 12958, Classified National Security Information, as amended, 3 CFR (1995
Compilation)
h. 32 CFR, Part 2001, ISOO Directive No. 1.
i. E.O. 12968, Access to Classified Information. 3 CFR (1995 Compilation).
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
4
j. OMB Circular A-130, Security of Federal Automated Information Resources, (Appendix III).
k. National Communications Security Committee-1 (NCSC-1), National Policy for Safeguard
and Control of COMSEC, January 16, 1991.
l. National Communications Security Committee-6 (NCSC-6), National Policy Governing the
Disclosure or Release of Communications Security Information to Foreign Governments and
International Organizations, January 16, 1981.
m. National Telecommunications and Information Systems Security Publication (NTISSP)
No. 3, National Policy for Granting Access to U.S. Classified Cryptographic Information,
December 19, 1988.
n. Index of National Security Telecommunications Information Systems Security Issuances
(NSTISSI).
o. NTISSI No. 3013, Operational Security Doctrine for the STU - III, Type 1, Terminal.
p. NSTISSI No. 4005, Safeguarding Communications Security (COMSEC) Facilities and
Materials, August 1997.
q. NTISSI No. 4009, National Information Systems Security Glossary, January 1999.
r. NTISSI No. 7000, TEMPEST Countermeasures for Facilities, October 17, 1988.
s. NTISSI No. 7003, Protected Distribution Systems, December 13, 1996.
t. National COMSEC Information Memorandum (NACSIM) No. 5203, Guidelines for Facility
Design and Red and Red/Black Installation, June 30, 1982.
u. NPD 1600.2A, NASA Security Program.
v. NPG 1620.1, NASA Security Procedures and Guidelines.
w. NPD 2810.1, Security of Information Technology.
x. NPG 2810.1, Security of Information Technology.
y. NPD 2800.1, Managing Information Technology.
z. 14 CFR, Chapter V, Part 1203a – NASA Security Areas.
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
5
aa. 14 CFR, Chapter V, Part 1204, Subpart 10 – Conduct or trespass, Inspection of Persons and
Personal Effects.
bb. 18 U.S.C. Sections 641, 793, 794, 798, 952.
cc. National Security Agency (NSA) Manual 90-2, COMSEC Material Control Manual.
P.5. CANCELLATION
a. NHB 1600.6, NASA Communications Security Manual, dated May 1993.
/s/ Jeffrey E. Sutton
Associate Administrator for
Management Systems
DISTRIBUTION:
NODIS
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
6
CHAPTER 1: INTRODUCTION
1.1. General
This chapter provides procedures and guidelines for the implementation of a totally integrated
NASA Communications Account Management Program.
1.2. Transmission of Classified Information
1.2.1 Consistent with law, directives, and regulations, it is NASA policy that the Senior Agency
Official, who is concurrently the Director, Security Management Office (DSMO), and the NASA
COMSEC Manager shall establish uniform procedures to ensure the following:
1.2.1.1. Automated information systems, including networks and telecommunications systems
(voice, video, and data), that collect, create, communicate, compute, disseminate, process,
reproduce, store, zeroize, or destroy classified COMSEC information have controls that provide
adequate protection, prevent access by unauthorized persons, and ensure the integrity of the
information.
1.2.1.2. Emission Security, frequently referred to as TEMPEST countermeasure(s), will be
coordinated with the Senior Agency Official for review and approval prior to acquisition and
installation to insure that a major adverse financial impact on the program is not borne where
there is no viable hostile threat capability.
1.2.1.3. Classified COMSEC information transmitted from an area not under access controls will
be secured by NSA encryption or a Protected Distribution System (PDS).
1.3. Applicability and Scope
The provisions of this NPG specifically apply to the following:
1.3.1. NASA COMSEC Account Managers (CAM), NASA Alternate CAM (ACAM), security
organizations, and other NASA personnel and contractors using or otherwise having access to
COMSEC materials.
1.3.2. Contractors under law and/or contract as implemented by the appropriate contracting
officer. Contractor CAM and alternate contractor CAM’s responsibilities are identical to NASA
CAM’s and ACAM’s.
1.3.3. Center Chiefs of Security (CCS) in implementing effective COMSEC operations. Each
site is encouraged to implement this NPG and to tailor this guidance to their unique
environments.
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
7
1.3.4. The NASA COMSEC Central Office of Record (COR) located at the Kennedy Space
Center (KSC).
1.4. Objectives
This NPG provides guidance for safeguarding and controlling COMSEC material through
facilitating the following:
1.4.1. A COMSEC Material Control System (CMCS).
1.4.2. A COMSEC COR at the Kennedy Space Center.
1.4.3. A procedure to appoint a CAM and ACAM.
1.4.4. A secure COMSEC environment through training and support.
1.5. Definitions
See definitions of terms at Appendix A.
1.6. Revisions
This NPG will be revised consistent with pertinent Executive orders, statutes, direction from the
NSA, and the development of new and improved security concepts. Changes to this NPG are
specifically prohibited unless officially promulgated by the NASA COMSEC COR in
coordination with the DSMO, and the NASA Office of the General Counsel (OGC).
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
8
CHAPTER 2: COMSEC MATERIAL CONTROL
2.1. General
This chapter establishes minimum accounting procedures to be followed by NASA CAM.
2.1.1. Direct communications between CAM, the NSA Accounting Office (STU-III and SDNS
key only); and the NSA Insecurities, Evaluation, and Reporting Branch, are authorized for
COMSEC accounting matters involving the direct shipment of COMSEC material. Send direct
communications to Director, NSA, Attention: (appropriate office designator), Fort George G.
Meade, MD 20755-6000.
2.1.2. Direct communications are authorized between NASA COMSEC Manager, NASA
COMSEC COR, NASA CAM, and any other CAM involving direct shipment of COMSEC
material.
2.2. Responsibilities and Organization
COMSEC material control is based on a system of centralized accounting and decentralized
custody and protection. Timely and accurate data are essential to continuous, effective control of
COMSEC material entrusted to or produced for NASA.
2.2.1. The NASA DSMO is responsible for the following:
2.2.1.1. Facilitating attendance at the NSA COMSEC Custodian Training Course ND 112 for all
newly appointed NASA ACAM’s.
2.2.1.2. Maintaining liaison with the civil agencies, NASA contractor COMSEC accounts, and
the military services on all policy matters.
2.2.2. The NASA COR vice KSC, is responsible for the following tasks:
a. Performing as NASA COR and conducting liaison with civil agencies, military services, and
NASA contractor accounts concerning control of accountable COMSEC material and facilitating
day-to-day operation.
b. Establishing and closing COMSEC accounts.
c. Maintaining a record of NASA COMSEC accounts, CAM, and ACAM’s.
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
9
d. Processing requests to appoint or terminate the appointments of CAM and ACAM’s and
verifying their clearances.
e. Verifying semiannually the inventory of each NASA COMSEC account.
f. Maintaining master records of all material entered into the COMSEC Material Control System
(CMCS).
g. Maintaining the financial and property accountability records for all accountable COMSEC
equipment owned by or entrusted to NASA.
h. Auditing NASA CAM at least every 24 months or on an announced basis or more frequently,
based on the factors enumerated in 2.7.1, below.
i. Providing guidance and assistance on controlling accountable COMSEC material.
j. Preparing and distributing COMSEC Procedural and Material Control Bulletins.
k. The chief of each organizational element has the ultimate responsibility for controlling all
COMSEC material held within the organizational element. The chief may delegate this
responsibility to a CAM and/or alternate(s). However, delegating this responsibility in no way
relieves any individual (e.g., the user, the CAM’s supervisor, and other organizational chiefs)
from the inherent responsibility for controlling COMSEC material held within the element. The
Chief of the NASA organizational element is also responsible for ensuring that CAM and
ACAM’s receive required training.
l. The CAM is, through organizational and supervisory channels, responsible to the chief of the
organizational element for controlling all accountable COMSEC material charged to the
organizational element's account.
m. The individual users or holder of COMSEC material are personally responsible for
controlling and safeguarding COMSEC material while it is entrusted to their care and are not
authorized to provide the material to any individual without a new hand receipt issued from the
CAM. All material will be returned to the CAM for reissue.
2.3. The COMSEC Account
2.3.1. Requirements for a COMSEC account. Any element requiring COMSEC material must
obtain such material through a COMSEC account. If an existing account cannot adequately
support the requirement for material within an organization, a new COMSEC account will be
established.
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
10
2.3.2. Request to Establish a COMSEC account. When a new COMSEC account must be
established, submit a written request from the CCS of the NASA organization as follows:
a. Submit the request through the CCS to the NASA COMSEC COR located at the KSC.
b. Include the title and complete address of the element in which the account will be located;
c. The purpose and justification for establishing the account;
d. The specific items of COMSEC material required, and the desired in place date.
e. A statement that the minimum physical security standards for safeguarding COMSEC material
can be met, and the names, grades, and social security numbers with Privacy Act Notice of the
individuals to be appointed as the CAM and ACAM’s. Normally, a single ACAM is sufficient at
each account. Appointments of more than 2 ACAM’s should be coordinated with the NASA
COR. Subparagraphs 2.3.5. and 2.3.6. provide CAM selection criteria.
f. Certified clearance information and a Standard Form (SF) N2942B signature specimen on the
individuals nominated as the CAM and alternate. When signature cards (SF N2942B) are used
for clearance information certification, forward these cards with the written request. The NASA
COR will initiate clearance verification.
g. Allow a minimum of 30 days for an account to be established.
2.3.3. COMSEC account approval. The COR will be responsible for the following:
a. Advising the requesting element in writing by sending an information copy to the CCS when
the account is established and the CAM and ACAM appointments are approved.
b. Assigning an account number and referencing the account number in all subsequent COR
correspondence or transactions relating to the account.
c. Providing information on how to obtain COMSEC account forms.
2.3.4. CAM and ACAM training. A newly appointed or changed CAM or ACAM will attend
the NSA COMSEC Custodian Training Course ND-112 as soon as possible. This training is
mandatory for all NASA CAM appointees, with the exception of those appointed to accounts
established solely for secure telephone units or those who have attended equivalent training
within 2 years.
2.3.5. Selecting a CAM or ACAM: Individuals selected as CAM will include the following:
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
11
a. Be a civil service employee or contractor employee qualified to assume the duties and
responsibilities of a CAM and meet the requirements contained herein.
b. Not be previously relieved of CAM duties for reasons of negligence or nonperformance of
duties.
c. Be in a position that will permit maximum tenure of not less than 1 year as a CAM or ACAM.
d. Not be assigned duties that interfere with the duties as CAM or ACAM.
e. Be actually performing the CAM functions on a day-to-day basis. The CAM position will not
be assumed solely to maintain administrative or management control of the account functions.
2.3.6. Personnel nominated as CAM or ACAM will be in grade GS-7 or above, or a contractor
employee at an equivalent level. Where personnel at the appropriate grade level are not
available, include full justification to support the nomination(s) in the appointment request.
2.3.7. Duties of the CAM. The CAM is responsible for the following:
a. Ensuring that all COMSEC material issued to, or generated and held by, the account is
safeguarded in accordance with requirements. This includes but is not limited to the receipt,
custody, issuance, safeguarding, accounting, and, when necessary, destruction of COMSEC
material.
b. Maintaining up-to-date records and submitting all required accounting reports.
c. Having knowledge of the procedures outlined in this NPG.
d. Inspecting user areas semiannually. The CAM must have access to accountable material held
by users. In cases where the material is used within a Sensitive Compartment Information
Facility (SCIF) or Special Access Programs (SAP) and the CAM is not indoctrinated for special
access, the area must be sanitized or the CAM escorted to allow fulfillment of his or her
responsibilities.
e. Protecting COMSEC material and limiting access to individuals with the appropriate
clearance and need to know.
f. Receiving, receipting, and ensuring the safeguarding and accounting of all COMSEC material
issued to the COMSEC account.
g. Maintaining accounts and related records as outlined in paragraph 2.5.
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
12
h. With a witness, conducting an inventory, semiannually, and when a new CAM is appointed,
by physically sighting all COMSEC material charged to the account and reconciling this
inventory with the COR. The COR or other competent authority may also direct the conduct of
an inventory.
i. Destroying COMSEC material when required, or as directed by the COR.
j. Submitting transfer, inventory, destruction, and possession reports when required.
k. Inspecting the implemented protective technologies packaging upon initial receipt, during
each inventory, and prior to each use to ensure the integrity of COMSEC material, key, or
equipment.
l. Ensuring prompt and accurate entry of all amendments to COMSEC publications held by the
CAM.
m. Ensuring that all accountable COMSEC material shipped outside of the CAM's organization
is packaged and shipped in accordance with this NPG. Ensuring that all material received is
inspected for evidence of tampering and, if any is found, immediately submitting a report of
suspected physical incident according to chapter 6.
n. Having knowledge of the location of every item of accountable COMSEC material and the
purpose for which it is being used.
o. Establishing procedures to ensure strict control of each item of keying material whenever
operational requirements necessitate that material be turned over from one shift to another or
from one individual to another.
p. Ensuring that appropriate COMSEC material is readily available to properly cleared and
authorized individuals whose duties require its use. If the material is classified, verify that the
individuals are cleared to the level of the material. Briefing recipients on the requirements for
protection and procedures for safeguarding the material until it is returned to the CAM.
q. Reporting immediately to the CCS any known or suspected COMSEC incident as defined in
chapter 6, and submitting a report according to chapter 6.
r. Verifying the identification, clearance, and need to know of any individual requesting access
to the records and/or material associated with the COMSEC account.
s. Preparing for safeguarding COMSEC material during emergency situations according to
chapter 10.
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
13
2.3.8. The ACAM. Individuals appointed as ACAM are responsible for the following in the
absence of the CAM:
a. Witnessing a COMSEC Inventory or Destruction.
b. Ensuring that physical inventory or destruction of COMSEC material will be witnessed by an
appropriately cleared individual. The witness should normally be the ACAM, but another
appropriately cleared and briefed individual may act as a witness when the ACAM is not
available. When an inventory or destruction is completed, the witness will sign the inventory
report, Key Disposition Record, or destruction report, as appropriate, attesting that the COMSEC
material listed has been inventoried or destroyed. The witness will sign an inventory or
destruction report only after having personally sighted the material being inventoried and
destroyed.
c. Destroying keying material that has been hand receipted to a user requires a witness to the
destruction of individual key settings. The witness will initial the Key Disposition Record
attesting that the material has been destroyed. Under no circumstances will the witness initial a
Key Disposition Record without having personally sighted the material being destroyed.
d. When the CAM is to be absent for a period not to exceed 60 days, the ACAM will assume the
responsibilities and duties of the CAM. An absence in excess of 60 days that has not been
coordinated with the COR must be treated as a permanent absence, and a new CAM must be
nominated.
e. The CAM will be informed of all changes to the COMSEC account upon his or her return
from a temporary absence. If COMSEC material was transferred to the account and accepted by
the ACAM during the absence, the CAM will inventory the material, and sign, date, and include
the remark "received from ACAM" on the front side of the COMSEC account's copy of the
transfer report, thus relieving the ACAM of accountability for the material. In those cases in
which material was transferred from the account or destroyed, the CAM should verify such
actions by comparing the transfer and destruction reports with his or her Register File to assure
the accuracy of the actions affecting the material for which he or she is held accountable.
2.3.9. Change of CAM. When it becomes necessary to terminate the CAM's or ACAM’s
appointment, NASA elements must submit a written request through the CCS to the COR and
include information and clearance certification about the replacement nominee. When written
confirmation is received from the COR, the newly appointed CAM and his or her predecessor
will perform the following duties:
a. Conduct a physical inventory of all COMSEC material held by the CAM. The change of
CAM will be effective the date the inventory is signed.
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
14
b. Prepare an SF 153, listing all COMSEC material to be transferred to the new CAM. Identify
the report in block 1 as a "change of CAM" and check both "received" and "inventoried" in block
14. Address the report from the CAM (block 2) to the NASA COR (block 3). The new CAM
will sign in block 15, and the departing CAM will sign as the witness in block 17. Forward the
original copy to the COR and retain a duplicate copy in the CAM file. When an account holds
over 100 line items, a CAM may request a preprinted inventory and transfer from the COR. The
request for a preprinted inventory transfer should normally be included with the nomination
information.
c. Normally, the new CAM will have received written confirmation of appointment before
action is initiated to transfer the COMSEC account. However, if the confirmation is delayed and
the predecessor’s departure is imminent, the transfer will be accomplished prior to the receipt of
written confirmation.
d. When the transfer is complete, the new CAM assumes full responsibility for the material
charged to the COMSEC account and for its operation. The former CAM is relieved of
responsibility for only that COMSEC material included on the transfer/inventory report. He or
she is not relieved of responsibility for COMSEC material that is involved in any unresolved
discrepancy until a clear COMSEC Inventory Reconciliation Report has been received from the
COR.
e. Changes of CAM should be scheduled at least 40 days before the former CAM departs to
allow for the receipt of a clear COMSEC Inventory Reconciliation Report. However, the former
CAM may depart prior to the return of the COMSEC Inventory Reconciliation Report, provided
that no discrepancies or irregularities were evident when the inventory and transfer were made.
Responsibility for resolving discrepancies discovered after a CAM has departed rests with the
CCS.
f. Change of ACAM. When a change in ACAM is necessary, elements will submit a written
request through the local security office to the COR and will include information and clearance
certification about the replacement nominee.
g. Under emergency circumstances such as the sudden, indefinite, or permanent departure of the
CAM, the CCS will nominate a new CAM (preferably the ACAM). The new CAM and an
appropriately cleared witness will immediately conduct a complete physical inventory of all
COMSEC material held by the account. When the absence of the CAM is unauthorized, the CCS
will immediately report the circumstances in accordance with chapter 6.
h. Upon completion of the inventory, prepare an SF 153, Possession Report. Annotate the
Possession Report with the remark "Sudden, indefinite, or permanent departure of the CAM" or
"Unauthorized absence of the CAM," as appropriate. The new CAM will sign block 15 and the
witness will sign block 16. Forward the original copy of the report to the COR and retain a
duplicate copy in the COMSEC account's file.
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
15
i. Sudden, Indefinite, or Permanent Departure of the ACAM. The COR should be notified as
soon as possible when an ACAM must be replaced due to a sudden, indefinite, or permanent
departure. An unauthorized absence must be immediately reported in accordance with chapter 6.
2.3.10. COMSEC Officer, COMSEC/TEMPEST Point of Contact. Several NASA Centers have
designated a COMSEC Officer to address policy issues and programmatic COMSEC
responsibilities beyond those specified for the CAM. Although national policy does not require
the designation of a COMSEC Officer, it has been NASA practice to designate a civil service
employee to act as the COMSEC and TEMPEST point of contact responsible for ensuring
oversight and implementation consistent with national policy relevant to NASA activities. It is
important to emphasize, however, that the responsibilities identified for the CAM are minimum
requirements and, depending on the experience level of the CAM, are balanced against each
NASA Center's particular needs. These additional COMSEC/TEMPEST duties can be
performed by the same individual. Regardless whether the CAM, COMSEC Officer, or
COMSEC/TEMPEST point of contact is designated to perform these additional functions, it
must be stressed that NASA Centers not construe this requirement as justification for
establishing a separate billet. The duties of the COMSEC Officer, or COMSEC/TEMPEST point
of contact, include the following:
a. Acting as the NASA Center's single focal point for COMSEC and TEMPEST policy issues.
b. Administering one-time COMSEC briefings and/or cryptographic access certification to civil
service employees whose duties require access to COMSEC material.
c. Ensuring that COMSEC awareness training is part of the NASA Center’s security education
program.
d. Providing technical assistance to Controlling Authorities for cryptographic keying material
controlled by NASA and exercising oversight in those instances where NASA contractor
COMSEC accounts have been established solely for the purpose of supporting NASA.
e. Assisting project offices in the acquisition of COMSEC material through coordination with
the supporting CAM and/or the NASA COMSEC Manager.
f. Assisting the CCS to establish selection criteria to screen, interview, and nominate candidates
for the CAM.
g. Providing technical advice and assistance concerning the use, installation, maintenance, and
procurement of secure telephone units.
h. Conducting TEMPEST countermeasure determination and coordinating with the Associate, as
required.
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
16
2.4. COMSEC Material
2.4.1. Short Titles. For accounting purposes, COMSEC material may be identified by short
titles derived from the Telecommunications Security nomenclature system; or bear a designator
derived from the Joint Electronics Type Designation System; or a Federal part number; or by
short titles assigned by a military department. In many cases, the CCI category may not be
assigned any short title, instead bearing the manufacturer's commercial designator. This
equipment will, however, be marked "Controlled Cryptographic Item" or "CCI" and will bear a
Government Serial Number label. The Government Serial Number has been developed for
accounting purposes and will be the designator by which the CAM will identify and control the
CCI. The serial number is composed of three fields; for example, the label may read "GSN:
PES-B4 192." The first field "PES" identifies the manufacturer; the second field "B4" identifies
the type of product; and the third field "192" identifies the serial number of the unit. For
purposes of the SF 153 using the above example, list the designator "PES-B4" in the short title
block and "192" in the accounting number block. NOTE: The serial number for secure
telephone unit telephones will vary from the above format.
2.4.2. Accounting Numbers. Most COMSEC material is assigned an accounting (register or
serial) number at its point of origin to facilitate accounting. However, material may be received
that does not bear an accounting number or for which accounting by number is impractical and,
therefore, not required. An example of this type of material is a printed circuit board with a
Telecommunications Security nomenclature, which may bear a manufacturer's serial number but
which is only accounted for by quantity and is listed in "accounting numbers" on accounting
reports as an "N/N" (no number) item.
2.4.3. Edition. COMSEC material may be further identified by alphabetic or numeric edition.
COMSEC material is superseded when the new material becomes effective (effective edition).
NOTE: Identification of the currently effective edition of operational keying material is
considered "CONFIDENTIAL." The general rule is that this information should not be disclosed
over a mode of communications that is not secure. However, per National Security
Telecommunications Information System Security Instruction (NSTISSI) 4002, under certain
circumstances, the effective edition may be transmitted in the clear when necessary to ensure that
all holders are using the same key or when confusion exists about the effective key.
2.4.4. “CRYPTO” Marking. COMSEC keying material that is used to protect or authenticate
telecommunications carrying national security and Government-sensitive information is
identified by the bold marking “CRYPTO”. This marking makes such material readily
identifiable from other material so that its dissemination can be restricted to personnel whose
duties require access and, if the material is classified, to those who have been granted a final
security clearance equal to or higher than the classification of the keying material involved.
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
17
2.4.5. Subdivisions of Equipment. Operational COMSEC equipment is identified and accounted
for by one short title rather than by individual components and/or subassemblies. Classified and
CCI subassemblies, elements, and microcircuits, when not incorporated in equipment, will be
accounted for by type and quantity.
2.5. COMSEC Material Accountability

2.5.1. NASA COMSEC Material Control System (CMCS).
2.5.1.1. When COMSEDC accountable material is received, it will be entered into the CMCS
and will remain until destruction or other authorized disposition.
2.5.1.2. Refer questions regarding whether material is qualified for entry into the CMCS and the
method of accounting (e.g., by which Account Legend Code (ALC)) to the COR.
2.5.2. ALC. For accounting purposes, all COMSEC material is identified by one of the
following ALC:
a. ALC-1. Continuously accountable by an accounting (register or serial) number to the COR.
A report will be submitted to the COR upon receipt, subsequent transfer, and destruction of
ALC-1 material. All use and destruction of ALC-1 keying material issued to users will be
recorded on a local Key Disposition Record. The CAM will retain the Key Disposition Record
for a minimum of 3 years. For FIREFLY-based systems, the COR may direct additional reports
to be submitted when operational fill devices are loaded into equipment and when seed or
operational fill devices are locally zeroized. The following material is continuously accountable
and will be assigned ALC –1:
1) All hard copy and magnetic keying material (except certain items classified confidential or
below) marked “CRYPTO”.
2) All classified equipment and CCI identified by an external nameplate containing the
equipment nomenclature and the equipment serial number.
3) Classified cryptographic software and firmware that are the functional equivalents of, or
emulate, COMSEC equipment operations and cryptography.
4) Classified full and depot maintenance NSA Manuals, and other classified TSECnomenclature publications and amendments thereto, except as specified in NTISSCI.
b. ALC-2. Continuously accountable by quantity to the COR. A report will be submitted to the
COR upon receipt and any subsequent transfer of ALC-2 material that changes the total
quantity held by the COMSEC account. The following material is continuously accountable
by quantity and will be assigned ALC-2:
1) Spare (e.g., intended for installation but not actually installed) classified and CCI components
(e.g., microcircuits, printed circuit boards, permuters, and subassemblies) that are intended
for installation in equipment that is accountable by serial number.
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
18
2) Noncryptographic classified devices that perform critical key processing ancillary functions
(e.g., fill devices) key loading devices, when unkeyed.
c. ALC-4. Report of initial receipt required. This material will be handled within the CMCS,
but only the first recipient must report receipt to the COR. All subsequent transactions will be
recorded locally, using SF-153, and will not be assigned a transaction number. Local reports will
be retained for a minimum of 3 years. ALC-4 material must be safeguarded according to its
classification. The following material will be assigned ALC-4:
1) All hard copy and magnetic keying material not marked CRYPTO;
2) Call sign systems;
3) Unclassified hardware, software, or firmware (e.g., PROMS or other unclassified chips
except those marked CRYPTO);
4) Classified limited NSA Maintenance Manuals and all unclassified TSEC-nomenclature
publications and amendments thereto.
d. ALC-6. Continuously accountable to the COR by means of the Electronic Key Management
System (EKMS). A report will be submitted to the COR upon generation, receipt and all
subsequent transfers of all ALC-6 material. All transactions involving ALC-6 material
including, but not limited to, issue for use and destruction (zeroization) will be recorded in a
local disposition record to provide a Digital Transfer Device (DTD) audit trail. Local disposition
record will be retained, forwarded, or otherwise disposed of as directed by the COR. The
following EKMS-generated and -managed electronic key, and other electronic data will be
assigned ALC-6.
1) Any electronic key material requiring continuous, central accountability from a security or
operation standpoint, as determined by the controlling authority and specific system doctrine
where applicable.
2) Some examples of keys designated ALC-6 are as follows: electronic keys intended to protect
information having long-term intelligence value where such determination is made by the
controlling authority, such as TOP SECRET (TS) and Special Compartmented Information
(SCI); Key Encryption Key (KEK); electronic keys used for joint interoperability when such
keys are widely distributed; electronic keys marked CRYPTO, used to generate other
electronic keys such as Key Production Keys; and all classified software, firmware, or
equivalent data in electronic form which performs cryptographic operations.
e. ALC-7. Continuous local accountability within EKMS. Each recipient of ALC-7 key will
report receipt to the EKMS element that generated the key. Elements that generate ALC-7 key
must maintain local records that document the generation of key and identify all recipients of the
key. All holders of ALC-7 material must maintain local disposition records that permit
traceability to support compromise recovery and audits. As a minimum, these records shall
identify all transactions involving subsequent transfer, issue, fill, and destruction of the material,
as applicable. EKMS generated and managed electronic key and other electronic data not
covered by ALC-6 will be assigned as ALC-7.
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
19
f. The ALC is assigned by the originating Government department or agency and represents the
minimum accounting standard to be applied.
g. The ALC will appear on all accounting reports but not necessarily on the material. Holders
will not apply accounting procedures less restrictive than those specified by the ALC assigned,
unless specifically authorized by the COR.
h. Nonaccountable COMSEC material. Material such as COR correspondence, logs, and reports
are excluded from the CMCS.
2.6. COMSEC Material Control System (CMCS)
This section outlines the procedures for CAM’s during day-to-day account operations.
2.6.1. Forms. The forms used in the CMCS are limited to the multipurpose SF 153, L6061, and
equivalent NASA forms.
a. Accounting Reports. Prepare accounting reports on an SF 153 to record transfer, possession,
inventory, and destruction of COMSEC material. The required copies and distribution of
accounting reports is covered elsewhere in this NPG, which outline the detailed preparation of
particular reports.
b. Transfer Report: Records COMSEC material transferred from one account to another.
c. Destruction Report: Records the physical destruction or other authorized expenditure of
COMSEC material.
d. Inventory Report: Records the physical inventory of COMSEC material.
e. Possession Report: Records the possession of COMSEC material.
2.6.2. Hand Receipt. A record of the acceptance of and responsibility for COMSEC material
issued to a user. An SF 153, or the reverse side of form L6061, or a NASA equivalent may be
used to hand receipt COMSEC material.
2.6.3. Sample Forms and Reports. Contact the COR for samples of forms and reports.
2.6.4. Accounting Files include the following:
a. Incoming transfer reports, possession reports.
b. Destruction and outgoing transfer reports.
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
20
c. Annual or semiannual, as appropriate, inventory reports and change of CAM reports.
d. Hand receipts.
e. COMSEC Register File L6061 or comparable system approved by the COR.
f. Transaction number log. If an approved automatic system is used, a transaction log is not
required.
2.6.5. Related files are as follows:
a. Courier, mail, and package receipts.
b. COR correspondence, including such records as CAM and ACAM appointment confirmation
letters, memoranda, messages, and other documentation related to COMSEC accounting.
2.6.6. Classification and Marking of COMSEC Account Inventory, Reports, and File.
a. If it is determined that a compilation of records can be declassified, the combined file should
be marked, "This file has been declassified by Authority of the DDI CAO (IAW NSA COR
Accounting Bulletin 2-92)”.
b. All files/reports marked should also be marked "This document contains information
EXEMPT FROM MANDATORY DISCLOSURE UNDER THE FOIA." (It is also required
for the front cover of a file containing SF-153’s)
c. When in doubt about whether or not a record or file may be declassified, contact the COR via
a secure telephone unit (if available), or other secure means. This guidance will be implemented
in handling COR account inventories, reports, and files.
d. In addition, Exemption 5 of the Freedom of Information Act may be used for COMSEC
account reports and files that are sensitive but not classified.
e. To determine if a report or a compilation of reports is classified refer to Appendix E.
2.6.8. COMSEC Register File. All COMSEC material held by an account is controlled
internally, using a COMSEC Register File. This file consists of an active section and an inactive
section, both of which should be maintained in alphanumeric order. Normally, this file consists
of L6061's; it may be maintained on a personal computer with prior COR approval. If the file is
automated, take extreme care to control the database as much as possible, since unauthorized
persons could alter/erase information without the immediate knowledge of the CAM. Follow
good computer security practices, and maintain current backups of data. Active and inactive
sections require the following:
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
21
a. The active section of the register file consists of one form L6061, manual file, or one line item
(automated file), for each accountable item currently held in the account and must include short
title, edition, and accounting number, if any, classification and ALC; date of receipt, from whom
received (account number), and incoming transaction number.
b. The inactive section of the register file consists of one form L6061 or one line item for each
item that has been removed from the account and the specific disposition data for the item, as
follows: the type of disposition, such as transfer or destruction; (if transferred, also include
receiving account number); date of action; and outgoing transaction number.
c. Keeping the register file current and accurate is absolutely mandatory; it is a convenient
reference and important tool for maintaining strict control over all COMSEC material in the
account. Computer programs that produce a facsimile SF-153 (available commercially) may be
utilized.
2.6.9. Preparing COMSEC Accounting Reports.
a. Include in each report the official titles and addresses of the elements involved; account,
transaction, contract, if applicable, numbers; date of report by year, month, day, for example:
880107 indicates January 7, 1988; typed or stamped names of individuals signing reports; and
signatures in ink. Computer programs that produce a facsimile SF-153 (available commercially)
may be utilized.
b. List all short titles in alphanumeric order, omitting the prefix or suffix for telecommunications
security (TSEC). For equipment controlled by Government Serial Number (GSN), omit the
prefix "GSN."
c. Single-space all line item entries on a report. Follow the last line item with the remark
"NOTHING FOLLOWS" in capital letters on the next line.
d. For items having accounting numbers running consecutively, the inclusive accounting
numbers may be entered as a single line entry with total quantity entered in block 10 and the
lowest followed by the highest accounting number entered in block 11.
e. Enter "N/N" in block 11 for items not having an accounting number or for which accounting
by number is not required (e.g., ALC-2 material).
f. Ensure that consecutive accounting numbers agree with the entries made in the "quantity"
column.
g. Include any clarifying remarks deemed appropriate for the receiving CAM or the COR in
Block 13 or below the "NOTHING FOLLOWS" line.
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
22
h. Initial all deletions or corrections in ink.
i. Assign each accounting report (e.g., incoming and outgoing transfers, possession, inventory,
and destruction reports) a transaction number, starting over with "1" each calendar year. When
using a manual system, maintain a log to ensure that transaction numbers do not get duplicated.
NOTE: Do not assign transaction numbers to hand receipts, accounting bulletins, reconciliation
statements.
j. Return preprinted inventories to the COR within 10 working days after receipt. Submit all
other reports within 48 hours after receipt or preparation or as otherwise directed.
k. Review all reports for completeness and accuracy, and ensure that each copy is legible.
l. Receipt of COMSEC Material.
m. Sources. Accountable COMSEC material may be received from the NSA, military
departments, other Government agencies, allied governments, international organizations, and
contractors. The Defense Courier Service (DCS) regulations require personnel who may be
required to accept DCS material to complete an Authorization Report (DCS Form 10-R) before
receipting for material. This form may be obtained from the serving DCS station. Contact the
COR if necessary for proper instructions to complete DCS Form 10-R.
n. Receiving Packages and Examining Containers (refer to subparagraph 2.6.9.u. for equipment).
Packages receipted for by individuals other than the CAM will be delivered to the CAM
unopened. When COMSEC material is delivered, examine the packages carefully for evidence
of tampering or exposure of the contents. If either is evident and the contents are classified, CCI,
or marked CRYPTO, submit a COMSEC incident report as required by chapter 6 of this NPG.
Do not open packages showing evidence of tampering until approval is received from the COR.
o. Report any discrepancy in short title, accounting number, or quantity between the contents of
the package and the transfer report to the sender and the COR. Correct the transfer report to
agree with the material actually received. If the material is classified, CCI, or marked CRYPTO,
and the discrepancy cannot be resolved with the sender, submit a report of possible compromise.
p. When the incoming check has been completed, sign and distribute the transfer report with one
copy to the COR, one copy to the shipment originator, one copy for file, and additional copies as
directed by the shipment originator. NOTE: It may be necessary to reproduce additional copies
of the SF 153.
q. When a package is received and the package inner wrap is stamped TOP SECRET CRYPTO
or contains TOP SECRET keying material, immediately initiate two-person integrity controls,
and inspect the package for evidence of damage or tampering. Both individuals will then open
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
23
the package and compare the contents with the enclosed "COMSEC Material Report" (SF 153).
If classification cannot be determined before opening, and when material received is routinely
TOP SECRET, assume that the material is TOP SECRET. If the contents are TOP SECRET
operational keying material, both two-person integrity participants will sign the SF 153 (blocks
15 and 16) and immediately place the material into two-person storage. Submit the SF 153 to the
COR. If it is found that the contents do not include TOP SECRET operational keying material,
follow standard receipting procedures.
r. Certain items of COMSEC material are protectively packaged at production time and will not,
in most cases, be opened until they are to be employed by the actual user. To ensure the integrity
of key, inspect all protective packaging. If no special handling instructions are provided, though,
open the keying material and page check as outlined in subparagraph 2.6.9.v. Protective
packaging applied to individual items of TOP SECRET key must not be removed except under
two-person integrity conditions. Inventory key tapes in canisters by noting the short title and
accounting number on the leading edge of the tape segment, which appears through the window
of the plastic canister. Do not remove punched or printed key tapes from protective canisters.
Do not open test keying material until it is to be used. Report shipping discrepancies to the COR.
s. Receipting for Tapes, Magnetic and Paper. Upon receipt of a shipment of tapes, inventory
each reel by short title, edition, and accounting number. Report discrepancies to the COR.
t. Receipting for Hardware/Firmware Keying Material. Upon receipt, inventory each item by
short title, edition, and accounting number. Report discrepancies to the COR.
u. Receipting for Equipment. Equipment received in sealed shipping cartons that have not been
opened or do not exhibit signs of tampering may be receipted without physically sighting the
material inside as long as the label on the carton agrees with the transfer report; if it does not, the
contents must be physically inventoried. Inspect any implemented protective technologies on the
equipment. Although certain types of material do not need to be opened before actual use, allow
time between opening and use to obtain replacements for incomplete or defective items. Report
shipping discrepancies to the COR. Since the CCI category of COMSEC equipment was
introduced, much existing or new stand-alone cryptographic equipment, telecommunications, and
information-handling equipment with embedded cryptography, and associated ancillary
equipment may now be controlled outside of traditional COMSEC control channels. When
controlled equipment is received via other than traditional COMSEC control channels, sign the
accompanying paperwork, and return a copy to the shipper. Initiate an SF 153 possession report
for the receipted material and submit a copy to the COR.
v. Page Checking. Conduct page checks of unsealed material to ensure the presence of all
required pages. Where the COMSEC account is so large that the CAM cannot personally
perform page checks or post amendments, other appropriately cleared individuals who have been
properly instructed by the CAM may perform these actions. To conduct the page check, verify
the presence of each page against the "List of Effective Pages" or, the "Handling Instructions," as
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
24
appropriate. Sign and date the "Record of Page Checks" page or, if the publication has no
"Record of Page Checks" page, place the notation on the "Record of Amendment" page or the
cover. Key cards and/or key lists in sealed transparent plastic wrap, and authenticators shipped in
envelopes, should not be opened until 72 hours before the effective date; therefore, do not page
check until ready to use. Do not open test keying material until it is to be used. When preparing
for actual use, open and page check keying material according to the handling instructions
provided with the material. If no special handling instructions are provided, open and page check
the keying material. Do not remove key tapes or key lists from protective canisters for inventory
or check purposes. Classified COMSEC publications must be page checked according to the
handling instructions provided with the material. If no special handling instructions are
provided, page check upon initial receipt, when entering an amendment that requires removing
and/or inserting pages, before destroying, before shipping to another COMSEC account, and
upon return from an authorized hand receipt user and annotate the “Record of Page Checks”
accordingly.
w. If any pages are missing upon initial receipt, the NSA (Y13) or originator should be notified
of a possible production error. If the publication is classified, submit a COMSEC incident report
as outlined in chapter 6 of this NPG. Submit requests for disposition instructions and a
replacement publication to the COR.
x. In the case of duplicate pages, remove and destroy the duplicate page(s). Prepare one copy of
a destruction report citing the page number and the accounting number of the basic publication,
for example, “Duplicate page number 72 removed from KAM -130A, Number 813”. Neither
notification to the COR is required nor is assignment of a COMSEC account transaction number
to this locally retained destruction report. In addition, note the duplicate page and the resultant
destruction on the "Record of Page Checks" page.
y. When a change of CAM has occurred, the incoming CAM must perform a page check of all
unsealed material within 30 days after the change of CAM takes place. If the account has a
prohibitive number of documents requiring page checks, the incoming CAM must submit a
request for an extension to the COR to allow more time to complete all page checks. It is
recommended that the outgoing CAM complete page check before transferring control of the
account to the incoming CAM.
2.6.10. Procedures for Handling Keying Material. All keying material must be stored in General
Service Agency-approved security containers with 007 lock as follows:
a. Restrict access to the container storing future editions of classified keying material marked
CRYPTO to the CAM and ACAM. Where this restriction cannot be applied because others must
have access to the container for either current editions of keying material or other material in the
container, store future editions of keying material separately in a locked strongbox that can be
opened only by the CAM and ACAM(s). Keep the strongbox in the security container.
Exceptions may be made in operational areas to allow shift supervisors access to the next edition
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
25
of keying material, but not to later editions. Routine destruction of keying material is addressed
in chapter 7.
b. Key Lists and Key Tapes. When it is necessary to relinquish physical control of operational
key lists to a user, do so on a hand receipt. If issuing individual settings is warranted, the hand
receipt user's signature or initials and the date in the "ISSUED TO" column on the
"DISPOSITION RECORD" on the inside front cover serves in lieu of a hand receipt.
c. Key lists and key tapes packaged in protective canisters will not be page checked. Annotate
the record of use card with the short title, edition, and register number of the material. Issue the
entire canister to a user on a hand receipt. The hand receipt user, however, must not remove
more tape segments from the canister than are required for current use. As each segment is
removed, have the hand receipt user sign or initial and date the “USED” column of the “USAGE
RECORD” card applicable to the material.
2.6.11. Transferring COMSEC Material. COMSEC material may be transferred from one
account to another only as prescribed in this NPG as follows:
a. Before transferring, verify the receiving activity's official address, COMSEC account number,
and authorization to hold the material being shipped. When the validity of a shipping address or
authority for shipment is in question, contact the COR before making the shipment.
b. Ensure that shipping is only by one of the authorized modes of transportation prescribed in
this NPG. Do not ship accountable material, regardless of the accounting legend code assigned,
unless a COMSEC account number is provided with the shipping address. CCI equipment may,
however, be transferred to a military department standard logistics system account.
c. Verify account numbers and shipping addresses by contacting the appropriate military
department's accounting headquarters.
d. Ensure that equipment and page checking provisions are accomplished before packing
COMSEC material for transfer. Conduct page and equipment checks no earlier than 48 hours
before packing.
e. When transferring Government-furnished equipment to a contractor CAM, annotate the SF
153 in block 13 to identify those items as Government-furnished equipment and identify the
contract number on the form. Transfer of material to external organizations (e.g., civil agencies,
and contractors) is authorized to expedite delivery of material and eliminate unnecessary
handling of the material between locations.
f. The shipping CAM assumes full responsibility for all aspects of the shipment. When transfers
are made to a non-NASA organization, include the following information in the "Remarks"
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
26
portion of the transfer report: ownership of the equipment, purpose of the transfer, contract
numbers, project name, and instructions for the receiving CAM.
g. Transferring COMSEC Material to the U.S. Military Departments. Prepare five copies of the
SF 153 and enclose the original and one copy with the shipment. Put the notation "ADVANCE
COPY" on two copies, and immediately forward one to the COR and one to the appropriate
military department accounting headquarters. Retain the final copy for file. Include the
following notations, as appropriate, on all copies of transfer reports going to the military
departments: equipment owner (e.g., NASA, U.S. Air Force); purpose of the transfer/loan; length
of loan; repayment of loan; transfer of ownership and authority for the transfer; and the contract
number/project name (if appropriate). Place the following statement on all SF 153’s reporting
the transfer of COMSEC material: “Sign all copies and distribute as prescribed by the
accounting instructions of your service. This shipment consists of _________containers."
h. Transferring of COMSEC Material to All Other Activities. Prepare four copies of the SF 153
and enclose the original and one copy with the shipment. Note "ADVANCE COPY" on the third
copy and forward it to the COR. Retain the fourth copy for file. Put the following notation on
all copies of transfer reports going to activities other than the military departments “Sign all
copies. Return one copy to John F. Kennedy Space Center, Code: CMCC/NASA COR, Kennedy
Space Center, FL 32899. Dispose of remaining copies as prescribed by the accounting
instructions of your organization. This shipment consists of _____ containers."
i. Transfer of Material between NASA CAM’s. Prepare four copies of the SF 153 and enclose
the original and one copy with the shipment. Note "ADVANCE COPY" on the third copy and
forward it to the COR. Retain the fourth copy for file. The material may be transferred through
internal mail channels, provided it is properly packaged, handled as controlled mail, and a
transmittal receipt covers the package.
j. Receipt and Transfer Responsibility. When COMSEC material is shipped to a military
activity, the COR and the military department accounting headquarters are responsible for
ensuring that the material is received by the intended recipient on a timely basis. When an
"ADVANCE COPY" of an SF 153 is received, a receipt suspense date is established by the COR
and the military department accounting headquarters, which takes any subsequent tracer action
required.
k. Tracer actions for shipments to military department standard logistics accounts are handled
solely with the appropriate military service accounting headquarters. In lieu of a signed copy of
the transfer report, record proof of shipment is the file copy of the transfer report combined with
a signed transmittal form, Government Bill of Lading (SF 1103), U.S. Registered Mail receipt,
or other shipping document. The COR will not initiate tracer actions for material shipped from
other agencies/departments unless requested to do so.
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
27
l. Nonroutine Disposition of COMSEC Material. Removal from CMCS accountability of any
COMSEC material that is lost, compromised, or inadvertently destroyed, can be accomplished
only with the specific written approval of the COR.
2.6.12. Military Department Accounting Headquarters Addresses:
a. Army Accounting Headquarters. Commander, U.S. Army Communications Electronics
Command, Communications Security Logistics Activity, ATTN: SELCL-KPD-OR, Fort
Huachuca, AZ 85613.
b. Navy, Marine, and Coast Guard Accounting Headquarters -- Director, COMSEC Material
System, 3801 Nebraska Avenue, NW, Washington, DC 20393.
c. Air Force Accounting Headquarters -- SAALC/LTDA, 230 Hall Boulevard, Suite 108 ATTN:
Detachment 4, ESC, San Antonio, TX 78243-7056. Verify Air Force standard logistics system
account numbers and shipping addresses by calling (512) 925-2771.
2.6.13. Packaging COMSEC Material. Securely package classified COMSEC material for
shipping in two opaque wrappers with no indication of the classification on the outside wrapper.
Use packaging material durable enough to provide protection while in transit, prevent items from
breaking through the container, and facilitate detecting tampering with the container. Mark each
wrapper with the "TO" and "FROM" addresses.
a. The outer wrapper must never carry identification of the contents that directly discloses a
cryptographic or COMSEC association, such as for a system indicator, the acronym "TSEC".
Instead, label the crate or outer wrapper with the short title of the equipment, less the "TSEC"
designation, followed by the accounting number for example, “KW-59/101”, to identify the
contents.
b. Identify assemblies, ancillary devices, elements, and subassemblies shipped individually by
short titles, accounting numbers, and the short titles of the equipment in which the items are to be
used.
c. Identify items not accountable through accounting number by short title and quantity.
d. Ensure that the markings on the crate or outer wrapper, identifying the COMSEC material
within, agree with the accompanying "COMSEC Material Report" (SF 153).
e. When material is to be hand-carried, a briefcase, pouch, or box is an appropriate outer
wrapper.
f. Specialized shipping containers for COMSEC equipment, such as locked and twice-banded
repair kits, may be considered the outer wrapper.
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
28
g. Mark the inside wrapper of classified cryptographic material with the designator "CRYPTO"
and the classification. If the shipment contains keying material designated for "U.S. Use Only,"
mark the inner wrapper with the remark "SPECIAL HANDLING REQUIRED, NOT
RELEASABLE TO FOREIGN NATIONALS." If the shipment contains keying material that is
releasable, mark the inner wrapper with the remark "SPECIAL HANDLING REQUIRED, FOR
U.S. AND SPECIFIED ALLIES ONLY." Mark the inside wrapper of all accountable COMSEC
material with the notation "TO BE OPENED ONLY BY THE COMSEC CUSTODIAN." If the
classified material is an internal component of an unclassified packable equipment, the outside
equipment shell may be considered as the component's inner wrapper, only one additional
wrapper is required.
h. Mark all transfer reports and other forms covering an individual DCS shipment with the
individual shipment control number; affix the reports to the inner wrapper of the package.
NOTE: Do not place the transfer report inside the sealed container with the COMSEC material
because this defeats the purpose of marking the short title and accounting numbers on the outside
of the container.
i. For multiple package shipments, number each container beginning with package Number 1,
followed by a slash and the total number of packages making up the shipment (e.g., for a
shipment consisting of three packages, the first box would be marked “1/3”; the second one
marked “2/3”; and the third (last) one marked “3/3”). Affix the shipping document (SF 153) to
the inner wrapper of the first package of multiple package shipments. Do not annotate the serial
package number(s) and transaction number in the immediate vicinity of DCS control numbers.
j. Package keying material separately from its associated cryptographic equipment, unless the
application or design of the equipment is such that the corresponding keying material cannot be
physically separated.
k. Annotate the equipment designator on the package. The "CCI" marking may be placed on the
exterior of the package if so requested. Place the accompanying paperwork in an envelope
securely fastened to the outside of the package and mark the envelope with the "TO" and
"FROM" addresses, including the account number, without the word "COMSEC."
l. Wrap unclassified COMSEC material, except keying material marked CRYPTO, as any other
unclassified material according to packaging requirements of the agency or activity.
2.6.14. Authorized Modes of Transportation. An appropriately cleared individual may move
COMSEC material locally (e.g., within a NASA Center). Various modes of transportation are
authorized for COMSEC material.
a. Shipping Classified Keying Material and Classified COMSEC Equipment. In time-critical
situations, on a case-by-case basis, the COR, in conjunction with the appropriate NASA CCS,
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
29
may approve using commercial aircraft within the United States to transport current or
superseded keying material as long as the material is hand-carried by an appropriately cleared
individual and provided that departmental and Federal Aviation Administration procedures are
followed. This policy does not apply to the use of NASA-owned and-operated aircraft, which
may be used to transport material within the continental United States with approval from the
CCS. When commercial aircraft must be used, written courier authorization is required.
b. Classified Keying Material. When practical, limit individual shipments to not more than three
editions or 3 months' supply of a particular item of keying material (whichever is the greater
amount). This restriction does not apply to packaged irregularly superseded materials. The COR
may waive this restriction when material is issued to a newly established account or in cases
where supply is difficult and the number of shipments is limited.
c. The COR may authorize using U.S. Registered Mail to ship individual editions of
CONFIDENTIAL keying material, provided the material does not at any time pass out of U.S.
citizen control, and does not pass through a foreign postal system or any foreign inspection.
d. Do not send keying material classified SECRET or higher through the mail without prior
approval of the COR.
e. Except when using systems specifically designed for electronic rekeying, transmit operational
keying variables electrically only under emergency conditions and only when the
communications system provides end-to-end encryption equal to the classification of the
transmitted key setting, and the key setting does not appear in plain text anywhere in the
communications path.
f. Under normal conditions, ship classified keying material only by one of the following means:
DCS, appropriately cleared Government personnel who have been designated in writing to act as
couriers for cryptographic material, U.S. Diplomatic Courier Service, appropriately cleared and
briefed contractor personnel who have been designated in writing by competent authority to act
as couriers, provided the material is classified no higher than SECRET.
g. For TOP SECRET keying material, courier authorization must be obtained from the
appropriate CCS on a case-by-case basis. Two-person integrity controls must be applied
whenever local couriers transport TOP SECRET keying material from one location to another.
See chapter 5.
h. Classified COMSEC Equipment and Components. Do not ship classified COMSEC
equipment and components in a keyed condition unless the physical configuration of the
equipment makes segregating the keying material impossible. For equipment using a CIK,
removing the key permits the equipment to be treated as unkeyed. Ship the CIK separately from
the equipment. Transport COMSEC equipment and components classified higher than
CONFIDENTIAL by any of the means identified for keying material, or by a cleared commercial
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
30
carrier under Protective Security Service. Transport COMSEC equipment and components
classified CONFIDENTIAL by any of the means specified above, or any of the following: U.S.
Registered Mail, provided it does not at any time pass out of U.S. control and does not pass
through a foreign postal system or any foreign inspection; Commercial carriers (or U.S. military
or military contractor air service) provided a continuous chain of accountability and custody for
the material is maintained while it is in transit; U.S. military or military-contractor air service,
provided the requirements for DOD Constant Surveillance Service are observed.
i. Other Classified COMSEC Material. Use one of the following methods to transport media
that embodies, describes, or implements a classified cryptographic logic, such as full
maintenance manuals, cryptographic logic descriptions, drawings of cryptographic logic,
specifications describing a cryptographic logic, cryptographic computer software, and operating
Cryptographic manuals: DCS or appropriately cleared and briefed U.S. Government, contractor
or military personnel who have been designated in writing by proper authority to act as courier
for the material. These items may not be transported through any postal system.
j. Use any of the following means to transport media that does not embody, describe, implement,
or contain a classified cryptographic logic: Any of the means authorized in 2.6.15.i. above;
Registered mail or by a cleared commercial carrier, using Protective Security Service for media
classified SECRET; or U.S. Registered Mail or U.S. Postal Service Certified Mail for media
classified CONFIDENTIAL. NOTE: Using Standard First Class Mail service is not acceptable
for transporting any classified COMSEC material.
2.6.15. Shipping Unclassified COMSEC Material.
a. Unclassified Keying Material Marked CRYPTO. Within Continental United States, by U.S.
Registered Mail or authorized U.S. Government, contractor, or military personnel. Outside the
continental U.S., use authorized department, agency, or contractor couriers; U.S. Diplomatic
Courier Service; or the Defense Courier Service. Where practical, limit shipments transported by
courier to no more than three editions when shipped by U.S. Registered Mail, no more than one
edition.
b. Within CONUS, Shipping CCI Material. Do not transport controlled material in a keyed
condition, unless the equipment is designed to operate with a permanently installed hard-wired
key. Ship CCI material by the following means: Authorized department, agency or contractor
courier; U.S. Registered Mail; Authorized U.S. Government courier service (e.g., Diplomatic
Courier Service); or Commercial carrier providing DOD CSS. Coordinate the shipment with the
Transportation Officer.
c. Outside CONUS. CCI may be sent by registered mail if the package will remain in U.S. mail
channels, that is mailed to an Army Post Office or Fleet Post Office address, or will be carried by
an individual who has been briefed as a courier. The courier must be briefed on proper security
procedures and be aware of all requirements for access and the physical security of the equipment
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
31
or materials. Transportation may be by any means that permits the courier to maintain
continuous accountability and provide protection against loss and unauthorized access while in
transit. Where transportation is by commercial aircraft, the CCI should be stowed in the cabin
where the courier can maintain constant surveillance. If equipment bulk will not permit cabin
storage or creates an excessive burden for the courier, controlled circuit boards may be removed
for cabin storage, and the remainder of the equipment may be checked as hold baggage.
Controlled equipment must not be transported through countries other than those authorized to
receive the equipment. All incidents of impoundment, seizure, or loss of controlled equipment
while it is being carried must be reported in accordance with chapter 6 of this NPG.
d. All other unclassified COMSEC material may be shipped by any means that will reasonably
assure safe and undamaged arrival at the destination. Ship unclassified COMSEC items as
classified COMSEC material when an operational need exists to provide both types of material
together.
2.6.16. Authorized Modes of Transportation for Controlled Cryptographic Items and
Components within the Continental United States, U.S. Territories, and Possessions. United
States Postal Service Registered Mail -- Items shipped by registered mail must neither at any time
pass out of U.S. control nor pass through any foreign postal system. There are, however, certain
restrictions governing the size and weight of packages that can be shipped, which may preclude
using this service. Always check with postal service authorities to determine whether the
package material qualifies. U.S. First Class Mail, Fourth Class Mail, Parcel Post, Certified Mail,
Insured Mail, and Express Mail are not authorized for shipping controlled equipment and
components. The following means and capabilities will apply:
a. Commercial Carriers. When using commercial carriers, an adequate degree of physical
control and accountability for the material must be maintained while it is in transit. However, the
small number of commercial carriers that provide an approved constant surveillance service has
greatly restricted the ability of shipping activities to move controlled material. Therefore, the
existing requirement that commercial carriers must provide approved constant surveillance
service is being modified to allow shipping activities to use commercial carriers that can satisfy
the requirements set forth below. This change only applies to shipments within the continental
United States, U.S. territories, and possessions.
b. CCI and components may be transported by any commercial carrier that warrants in writing to
the shipping activity that it can satisfy all of the following requirements: The carrier must be a
firm incorporated in the United States that provides door to door service; It must guarantee
delivery within a reasonable number of days based on the distance to be traveled; and have a
means of tracking individual packages within its system to the extent that should a package
become lost, the carrier can, within 24 hours following notification, provide information
regarding the package's last known location. It must guarantee the integrity of the vehicle's
contents at all times; for example, while a driver is making pickup or delivery stops, the vehicle
must be locked. It must guarantee that the package will be stored in a security cage should it
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
32
become necessary for the carrier to make a prolonged stop at a carrier terminal. In addition to
satisfying the above requirements, the carrier must either use a signature and tally record that
accurately reflects a continuous chain of accountability and custody by each individual who
assumes responsibility for the package or shipment while it is in transit. The carrier may either
provide its own signature and tally record form or agree to use the DD Form 1907 or NSA Form
AC-10; or use an electronic tracking system that reflects a chain of accountability and custody
similar to that provided by a manually prepared signature and tally record. Positive identification
of the actual recipient of the material at the final destination must be indicated. A hard copy
printout shall be provided as proof of service, and the printout must reflect those points, during
transit, where electronic tracking of the package and shipment occurred.
c. Regardless of the method of transportation selected, the NASA activity shipping controlled
equipment and components shall provide the receiving CAM with timely notification of a
scheduled shipment. Preferably, notification should be provided at least 24 hours prior to the
estimated delivery date. This procedure will help to readily identify any shipment that might be
unduly delayed or lost en route.
d. Controlled equipment and components may only be shipped to authorized activities and
contractors and shall be labeled in a way that will ensure delivery to an individual who is
designated to accept custody of the material at the contractor facility/activity. Do not use the
individual's name on the delivery label; rather, use functional designators such as office symbols
or mail station codes. If using a commercial carrier, the accompanying shipping documents will
provide an emergency telephone number(s) of an individual(s) authorized to receipt for the
material in the event the carrier attempts to make delivery during other than normal duty or work
hours.
e. If a shipment of controlled equipment or components has not been received by the intended
recipient within 5 working days following the expected delivery date, the originating shipper’s
CAM will be contacted immediately. Unless there is a valid explanation for the delay, tracer
action shall be initiated on the shipment by the shipping CAM. If its location cannot be
determined, the controlled equipment or components shall be assumed to be lost in transit and
reported in accordance with the guidelines provided at 2.6.18. below.
2.6.17. COMSEC Incident Reporting Requirements. The following types of incidents involving
CCI shipments shall be reported to the NSA, ATTN: V51A (COMSEC Incidents), for evaluation.
a. An information copy will be forwarded to the DSMO and the NASA COR when tracer actions
have determined that controlled equipment or components are lost in transit and when shipments
that are received show evidence of possible tampering or unauthorized access. All other
incidents involving improper shipment or handling of controlled equipment and components
shall be considered administrative in nature and reported in accordance with the guidelines set
forth below. If a commercial carrier is involved, the name(s) of the carrier(s) shall be included in
the report.
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
33
b. NASA Centers will report such incidents to the originator of the shipment who shall be
responsible for any corrective action. A copy of the report shall also be provided to the DSMO,
NASA COR and the NSA, ATTN: V51A, for information purposes only.
c. If a NASA contract/memorandum of understanding is involved, such incidents will be
reported to the originator of the shipment who shall be responsible for any corrective action. A
copy of the report shall also be provided to the DSMO, NASA COR and the NSA, ATTN: X722
for information purposes.
2.6.18. Hand Receipts. The following assurances, procedures, and forms will be employed:
a. An SF 153, the reverse side of NSA Form L6061 or equivalent NASA form may serve as a
hand receipt.
b. Before issuing material, determine that the proposed recipient has the need to know; has a
COMSEC briefing as applicable; and has the appropriate clearance. Clearance or level of
position does not, in itself, entitle any individual to have access to keying material. Each person
having access to keying material must need the material in the performance of duties and be
familiar with his or her responsibilities for its protection, use, and will be the actual user of the
material. Clerical or other personnel who are not the user may not sign hand receipts.
c. The proposed recipient knows the physical security measures necessary to protect the material
and the possible consequences of compromise and, accordingly, has the physical means to secure
and use the material, commensurate with the classification of the item. The file safe protected by
a 007 lock should be located in the user's immediate work area.
d. COMSEC material issued on hand receipt shall be signed for and controlled by the actual
user, who is accountable until the material is returned to the issuing COMSEC account. Under
no circumstances will the recipient reissue the material to another individual without the consent
of the CAM. If the material is needed by another individual outside the immediate office of the
original recipient, the material must be returned to the issuing CAM for reissuance.
e. Physical security measures necessary to protect the material from the possible consequences
of compromise and a security container must be located in the recipient's immediate work area.
f. Pages are not to be removed from basic documents.
g. Reproduction authorization of a document, in whole or in part, is contained in the handling
instructions, usually the front cover, of each document produced.
h. All accountable COMSEC items issued on a hand receipt must be returned to the issuing
CAM before the individual is transferred, reassigned, or absent for more than 30 days.
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
34
i. Any possible compromise, access by unauthorized persons, or violation of security regulations
affecting the material (user cannot locate document or suspects document was borrowed) must be
reported to the issuing CAM immediately.
j. The recipient's signature on the hand receipt certifies his or her understanding of the above
handling requirements.
k. The CAM must conduct a semiannual review of hand receipts for accuracy and update
procedures as necessary.
2.6.19. A possession report, will be prepared on an SF 153. Enter appropriate remarks below the
"NOTHING FOLLOWS" line, citing the reason for the report. Forward the signed original copy
to the COR and retain a signed duplicate copy for file. Possession reports will be prepared as
follows.
a. When COMSEC material is received without accompanying transfer reports.
b. Whenever reporting conversion of COMSEC material;
c. When COMSEC material was previously lost or removed from accountability, but
subsequently recovered;
d. When a new CAM is appointed because of the sudden permanent departure or unauthorized
absence of the previous CAM;
e. When the holdings of the COMSEC account are large, a preprinted inventory may be
requested from the COR for this purpose, and the properly completed inventory with a notation
explaining the circumstances may serve as the possession report;
f. When a document with a TSEC nomenclature that requires control in the CMCS is originated
or reproduced;
g. When COMSEC material is received without an accompanying transfer report, forward a
signed copy of the possession report to the shipping COMSEC account, if known, and to the
military department accounting headquarters, if applicable.
2.6.20. The CAM will report converted COMSEC material as follows:
a. Whenever it is necessary to convert the short title and/or accounting number of an item of
COMSEC material, report the conversion to the COR so that accounting records may be properly
adjusted. A conversion can result from major modification of equipment requiring the
equipment to be redesignated; for example, TSEC/KL-60, redesignated as TSEC/KL-60A).
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
35
b. Report a conversion by simultaneously submitting a possession report and a destruction report
prepared on SF 153's.
c. On the possession report, list the item by its new short title and accounting number, and
include a remark referencing the associated destruction report.
d. On the destruction report, list the previous short title and accounting number, and include a
remark that the destruction is for record purposes only and reference the associated possession
report.
e. Forward one signed copy of each report to the COR and retain one signed copy of each report
for file.
2.6.21. Inventories. Preprinted inventories are issued semiannually by the COR and reflect all
accountable COMSEC material charged to the account as of the date the report was printed. The
following procedures will be followed:
a. Conduct 100-percent physical (sight) inventory and return inventory reports to the COR no
later than 10 days after receipt. Hold inventories forwarded in preparation for an audit of the
account until an auditor arrives.
b. Upon arrival, the auditor and CAM will jointly conduct a physical inventory of all
accountable COMSEC material held by the account, and all material issued on hand receipts,
with the ACAM or another properly cleared witness.
c. Assume COMSEC equipment in use to contain all the required subassemblies and elements,
so it need not be opened for semiannual inventory purposes.
d. Check implemented protective technology for possible signs of tampering before the
equipment will be used operationally.
e. Inventory equipment that remains in sealed shipping cartons against the marking on the outer
wrapper or crate identifying the contents and inspect each carton for evidence of tampering.
f. Inventory COMSEC material that is unit packed by the label affixed to the exterior of the
package. Inspect each unit package for evidence of tampering.
g. COMSEC publications need not be page checked at the time of the semiannual inventory.
h. Do not use the preprinted inventory as a checklist when conducting the inventory. Doing so
could cause oversight of material held that is not listed on the inventory.
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
36
i. The COMSEC Inventory should be used to conduct the inventory.
j. Compare the results of the physical inventory against the preprinted inventory. Resolve any
discrepancies that exist by comparing the preprinted inventory against the COMSEC Register
File.
k. Give particular attention to additions to, or deletions from, the account made close to the date
of the report, since these transactions may not be reflected in the inventory.
l. Update the report by deleting an item or supplementing the report with an SF 153. Line out in
ink each item to be deleted from the inventory; erasures are not authorized.
m. Provide complete details to support the deletion in the "remarks" column opposite the item. If
the item was transferred, include the receiving account number, the outgoing transfer number, the
transfer report date, and the CAM's initials.
n. If the item was destroyed, provide the date, transaction number, and initial the entry. Attach a
copy of the referenced SF 153 reports to the inventory report.
o. Items listed on the preprinted inventory, but not physically sighted, will be lined out and the
appropriate paperwork attached (e.g., Transfer or Destruction Reports).
p. When material held is not listed on the inventory, list the material on an SF 153, appropriately
classified, signed by the same individuals signing the inventory, and attach as a supplement to the
preprinted report.
q. Annotate the SF 153 below the "NOTHING FOLLOWS" line to indicate for each item the
name and account number of the sender; the incoming transaction number and date; and/or
details, as appropriate, to support the supplement.


r. Assign the same transaction number to the supplement to the preprinted inventory as given to
the inventory report.


s. When all the material to be put on the supplement is from a complete shipment received on an
individual SF 153, do not list the material on the supplemental SF 153. Instead, enclose the
supporting SF 153 with the report, annotate the supplemental SF 153 report "See attached SF
153," and list the transaction number and date of receipt.

t. During the course of updating the preprinted inventory, review each item on the inventory to
determine if the material is still required. If any material is found to be no longer needed, place a
remark to that effect in the "Remarks" column opposite each item.
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
37
u. When the preprinted inventory has been reconciled to agree with the account's actual
holdings, the CAM and witness will sign and date the certification on the preprinted inventory
and any supplemental SF 153’s.
v. Indicate the number of supplemental forms in the space provided in the CAM's certification
block; if no supplement was created, mark "NONE."
w. Make a final review of the inventory ensuring that any deletions or additions are fully
documented and that the certification blocks are signed and dated.
x. Forward the original preprinted inventory, along with any supplemental SF 153's, to the COR
and retain a copy of these, along with all working papers used in performing the physical
inventory, for file.
y. When the certified inventory is received by the COR, it will be reconciled with the central
office’s records.
z. The COR will respond only if discrepancies are noted.
aa. If the account is cited with any discrepancy, the CAM will take corrective action within 48
hours of being notified and advise the COR of the action taken. Submit to the COR any
substantiating reports required.
bb. Complete a change of CAM inventory before the outgoing CAM departs, and account for all
transactions so that the completed inventory reflects that material actually held by the account on
the date of the changeover.
cc. When a COMSEC account does not hold accountable COMSEC material, the CAM and a
witness, usually the ACAM should sign the negative inventory, certifying that the account does
not hold accountable COMSEC material.
dd. COMSEC accounts will continue to receive semiannual inventories until a requirement for
the COMSEC account no longer exists and the COMSEC account is formally closed. If the
COMSEC account has received or still holds accountable COMSEC material when a negative
preprinted inventory is received, supplement the inventory to reflect the accountable COMSEC
material held by the COMSEC account.
2.6.22. Destruction
Chapter 7 contains routine destruction procedures and requirements, as well as destruction
methods and minimum standards that ensure that COMSEC material is adequately destroyed.
2.6.23. Accounting for, and Entering Amendments to, COMSEC Publications as follows:
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
38
a. A message amendment is used to announce information that must be immediately entered in a
COMSEC publication. After posting the amendment and noting the entry on the "Record of
Amendments" page, destroy classified message amendments. Do not report the destruction of
message amendments to the COR.
b. Account for printed amendments as COMSEC publications until they have been posted, the
residue destroyed, and the destruction reported to the COR. Since preprinted amendments (ALC1 and ALC-2) are accountable and will reflect on inventories, provide an SF 153, Destruction
Report, to the COR to remove them from the account after they have been posted to the basic
documents. Take care when preparing the SF 153 to report the short title, edition, and
accounting number of the amendment, and not that of the basic document.
c. Post amendments as soon as possible after receipt or effective date to keep the basic
publication current. The following guidance is to help avoid errors that commonly occur when
posting amendments. If replacement pages are included in the amendment, page check both the
basic publication and the residue of the amendment before destroying the residue. Inadvertently
destroying effective portions of documents, together with residue from amendments, is a major
cause of COMSEC material security violations. Note that the amendment was posted on the
"Record of Amendments" page, and, if pages were added to or removed from the publication,
date and sign the "Record of Page Checks" page. If an individual posts the amendment other
than the CAM, return all residue of the amendment, including any pages removed from the basic
publication, to the CAM for destruction.
d. Destroy the residue as soon as possible or within 5 days after entering the amendment.
2.6.24. Accounting for COMSEC Material Launched into Space. Accountable COMSEC
material launched into space aboard expendable vehicles or in Space Shuttle deployed payloads
is normally considered unrecoverable. COMSEC equipment installed aboard Shuttle vehicles
does not fall into this category. The following steps will be taken to remove unrecoverable
COMSEC material from accountability records at the COR:
a. Prior to launch, strip TSEC nomenclature nameplates and any other markings from
cryptographic equipment and keying elements at the time equipment is installed in a payload.
Make unclassified photographs that show COMSEC equipment installation in the payload. Keep
nomenclature nameplates and photographs with COMSEC accounting paperwork until after
launch or certain destruction of the space vehicle.
b. Following the launch, complete a destruction report within 24 hours of launch. Below the
"NOTHING FOLLOWS" line, include the date of launch, identify the launch vehicle, briefly
explain events, and request that COR accountability be dropped because of launch. Attach
equipment nomenclature nameplates and forward the report to the COR. The CAM will retain a
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
39
copy of nomenclature nameplates and photographs with COMSEC accounting paperwork as part
of official records.
c. Classify any COR correspondence associating COMSEC equipment use aboard space
vehicles, except Shuttle vehicles, at the minimum level of CONFIDENTIAL.
d. With today's technology, recovery from space is possible. When COMSEC materials are
recovered from space, the receiving CAM will file a Possession Report. Because nomenclature
nameplates will not be attached to recovered cryptographic equipment, the Possession Report
must identify the spacecraft from which the equipment was recovered and must reference the
Destruction Report that removed the material from accountability following launch.
e. The receiving CAM may be required to coordinate this action with the losing CAM if the
spacecraft was launched from a location other than the receiving CAM's. This information will
allow the COR to positively identify and properly track recovered COMSEC materials.
2.7. Audit of COMSEC Accounts
2.7.1. Basis
COMSEC accounts will be audited by the COR at least every 24 months on an announced basis
(see 12-month unannounced inspection requirement at paragraph 2.7.4.5.) and/or as deemed
necessary based on the following factors:
a. Size of the account and volume of transactions;
b. Frequency of CAM changes;
c. Classification and sensitivity of the material held;
d. Frequency of deviation from accounting procedures.
2.7.2. Notification. Prior notice may or may not be provided when a COMSEC account has
been selected for an audit other than the regularly scheduled audit.
2.7.3. COR Access. The COR will have access to all accountable material held by the CAM.
The COR will present proper identification prior to gaining access to the account.
2.7.4. Scope of the Audit. The audit will include the following actions:
a. Verifying the completeness and accuracy of accounting reports and files.
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
40
b. Determining the CAM and ACAM's knowledge of and adherence to the provisions of this
NPG.
c. Reviewing all procedures related to the control and safeguarding of material.
d. Physically sighting all accountable material.
e. Conducting inspections of selected protective technologies, including the use of classified and
other special inspection techniques made available by NSA to the COR on user and CAM
locations (where feasible, implement a program of inspections conducted at random intervals
without advance notification).
f. As a general guideline, at least 10 percent of the total number of applicable locations under
NASA should be subjected to unscheduled inspections annually.
g. The COR will inform NSA of any suspect or possible compromised items and forward this
information in accordance with instructions from the NSA Protective Technologies Division, as
operational necessity permits.
h. Soliciting any problems encountered by the CAM in maintaining the account.
i. Issuing recommendations for improving local accounting and control procedures.
j. Conducting a cursory inspection of implemented protective technologies.
k. Verifying current briefings for contractor personnel who have access to COMSEC material.
2.7.5. Audit Report. After completing the audit, the COR will notify the CAM and consult with
the CCS regarding any situation requiring immediate action and will conduct an exit interview
with the CAM's supervisor as follows:
a. A formal report of audit outlining any discrepancies noted during the audit, the condition of
the account, and any recommendations for improvement will be forwarded to the DSMOHQ and
the applicable CCS.
b. When serious deficiencies are found, a Certificate of Action Statement will be submitted
independently to the CAM. All actions required in the report must be completed within 10
working days after the report is received. See paragraph 2.4.7.e. for additional special reporting
requirements regarding NSA Protective Technologies.
2.8. Closing a COMSEC Account
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
41
When it has been determined that a COMSEC account should be closed because it no longer is
required and all material has been properly disposed of and no discrepancies exist, submit a
formal written request to the COR. The COR will notify the element or activity in writing that
the account has been closed, the appointments of the CAM and alternate(s) have been terminated,
and provide disposition for accounting records and files.
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
42
CHAPTER 3: CONTROLLING AUTHORITIES
3.1. General
A Controlling Authority is designated for each Cryptonet to manage its operation and associated
keying material. NTISSI 4006 provides duties and responsibilities for Controlling Authorities.
This chapter provides supplemental guidance for NASA.
3.2. Establishing the Cryptonet and Designating the Controlling Authority
3.2.1. The lead NASA Government element, such as the project office or circuit demander, is
responsible for initiating the request to establish a cryptonet and performing controlling authority
functions and coordinates with the CCS and CAM to submit a brief written proposal to the COR.
3.2.2. When no lead Government office is identified, contact the CCS or the COR for technical
advice. For electronically generated key, the element that directed the key generation performs
the controlling authority functions unless those functions are specifically delegated to another
organization.
3.2.3. All cryptonet proposals and controlling authority designations are subject to review and
validation by the COR.
3.2.4. Where contractors perform this function, the lead Government office in coordination with
the CCS will designate a U.S. Government civil service employee to ensure that controlling
authority functions of the contractor are being performed adequately.
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
43
CHAPTER 4: COMSEC INFORMATION ACCESS
REQUIREMENTS
4.1. Criteria for Access to COMSEC Information
Access to classified cryptographic information shall only be granted to individuals who satisfy
the following criteria:
4.1.1. U.S. Citizen.
4.1.2. An employee of the U.S. Government, U.S. Government-cleared contractor, or employed
as a U.S. Government representative (including consultants of the U.S. Government) as follows:
a. Resident aliens who are U.S. Government civilian or military personnel may have access to
unclassified COMSEC material, if their duties require it.
b. Resident aliens may have access to CONFIDENTIAL COMSEC material, if they have a
clearance based on a successful background investigation, an indoctrination, and their duties
require such access. They may not be appointed CAM/custodian or have access to areas where
COMSEC material is stored.
c. Foreign nationals representing a foreign government or international organization may be
given access to COMSEC information specifically released to the represented government or
organization under the provision of NSTISSP No. 8. Before any release is made, the foreign
government or organization must state in writing that the representative has an appropriate
clearance and is officially designated to receive the information.
4.1.3. The employee has been granted a security clearance appropriate to the classification of the
cryptographic information to be accessed. The security clearances of personnel occupying the
positions of CAM and ACAM must be based on a background investigation (BI) that is current
within 5 years. Other employees who require access to COMSEC information that is classified
SECRET or below do not require a security clearance based on a BI.
4.1.4. The employee has a valid need to know as determined necessary to perform duties for, or
on behalf of, the U.S. Government.
4.1.5. The employee has received a security briefing appropriate to the classified cryptographic
information to be accessed.
4.1.6. The employee has signed a cryptographic access certificate shown in Appendix C.
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
44
4.2. COMSEC Briefing Requirements
4.2.1. A member of the NASA Center Security Office, Contractor Security Office, CAM,
ACAM, member of the Security Management Office, or designated representatives will
administer a COMSEC briefing to all employees whose duties require accessing COMSEC
materials and maintaining associated records. For U.S. Government personnel, this briefing
remains in effect during the time the employee has uninterrupted access. A COMSEC briefing is
not required for individuals who only need access to a secure telephone unit, unclassified
CRYPTO materials, or to unclassified COMSEC security memoranda and issuances. Local
security requirements may augment these minimum briefing requirements.
4.2.2. Employees shall understand their individual responsibilities in handling and safeguarding
procedures for classified COMSEC material. See Appendix B.
4.2.3. Complete Section One of the cryptographic access certificate shown in Appendix C after
the COMSEC briefing is received and before access is granted to classified COMSEC
information. Execute Section Two of this form when the individual no longer requires such
access. Make the signed original certificate a permanent part of the official security records of
the individual.
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
45
CHAPTER 5: TWO-PERSON INTEGRITY (TPI) AND
NO-LONE ZONE (NLZ) CONTROLS
5.1. General
TOP SECRET keying material is used to protect the most sensitive national security information
and its loss could compromise all information protected by the key. Also, a significant body of
information indicates that TOP SECRET keying material is a high-priority target for exploitation
by hostile intelligence services. For these reasons, TOP SECRET keying material is afforded the
special protection of TPI and NLZ controls. NLZ is an area, room or space to which no one
person may have unaccompanied access and which, when manned, must be occupied by two or
more appropriately cleared individuals. TPI is a system of storage and handling designed to
prohibit access to certain COMSEC keying material by requiring the presence of at least two
authorized persons, each capable of detecting incorrect or unauthorized security procedures with
respect to the task being performed. The concept of TPI procedures differs from NLZ procedures
in that under TPI, two authorized persons must directly participate in the handling and
safeguarding of the keying material (as in accessing storage containers, transportation,
keying/rekeying operations, and destruction). NLZ controls are less restrictive in that the two
authorized persons need only to be present physically in the common area where the material is
located.
5.1.1. Waivers to requirements in this chapter may be requested; however, maintaining a strong
national COMSEC posture dictates that waivers be granted on a case-by-case basis only when a
genuine hardship exists. Direct written requests for waivers, containing justification, through the
CAM and CCS to the NASA COR. When the controlling authority for the material is not within
NASA, the requester must notify that controlling authority of the waiver as soon as it is received.
5.1.2. Any violation of the TPI or NLZ requirements in this chapter is reportable as a COMSEC
incident in accordance with chapter 6.
5.2. Procedures for Handling and Safeguarding Top Secret Keying Material
TPI of TOP SECRET keys requires that COMSEC accounts and all local holders, including hand
receipt users, have TPI storage capabilities and procedures to ensure that lone individuals will not
have access to TOP SECRET keying material and key generators. Procedures in this chapter do
not apply to key locally generated for immediate use, but they do apply to locally generated key
that is held in physical or electronic form for future use. TPI must be maintained for TOP
SECRET materials at all times, except as follows below:
5.2.1. Transportation. TPI controls apply whenever local couriers transport TOP SECRET
keying material from one location to another. Receipts for this material must be signed by two
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
46
individuals who are cleared for TOP SECRET and authorized to receive the material. TPI
controls are not required for TOP SECRET keying material while it is in the custody of the
Defense Courier Service or the Diplomatic Courier Service.
5.3. TPI Handling of Packages Received
5.3.1. Upon initial receipt of TOP SECRET operational keying material by the CAM, TPI
controls shall be implemented immediately. When a package is received and the classification
cannot be determined by the CAM prior to opening, assume that the material is TOP SECRET.
The CAM and a TOP SECRET-cleared, TPI-control participant will then inspect the package for
evidence of damage or tampering. Both individuals will then open the package and compare the
contents with the enclosed COMSEC Material Report (SF-153). If the material is TOP SECRET
operational keying material, both participants will sign the SF-153 (Blocks 15 and 16) and
immediately place the material into TPI storage. A copy of the SF-153 will then be submitted to
the Central Office of Record. If the material is not TOP SECRET operational key, standard
procedures for the receipt of COMSEC material will be executed as specified in chapter 2.
5.3.2. The above procedure provides a written record that reflects that TPI control was
implemented upon initial receipt by the CAM. The SF-153's reflecting receipt of TOP SECRET
operational keying material will be reviewed by NASA auditors during audits to ensure
compliance with the two-signature requirement.
5.3.3. Wrapping TOP SECRET Material.
a. On NASA Centers, enclose material in a sealed package or within a locked briefcase or other
closed bag or container.
b. Off NASA Centers, place material in sealed inner and outer wrappers. Wrappers can be
paper, canvas, or briefcases. Briefcases must be locked, with built-in combination locks or
padlocks that are key or combination operated. Mark the inner wrapper with the highest
classification of the material inside, and with the "To" and "From" addresses.
5.3.4. Storage. TPI storage for TOP SECRET keying material requires two different approved
combination locks, per National Security Agency Communications Security Issuance 4005 with
no one person authorized access to both combinations. TPI storage can be in a strong box within
a security container, in a security container within a vault, or in a security container with two 007
locks. At least one of the locks must be built into the vault or container.
5.3.5. Use. Establish NLZ’s as follows:
a. Wherever COMSEC equipment contains TOP SECRET key in hard copy form or in a
mechanical permuter installed in a piece of equipment.
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
47
b. User locations where equipment holds TOP SECRET key in key card form or has key set on
mechanical permuters will be operated as NLZ’s.
c. NLZ controls are not required when the key is resident in the cryptographic equipment in
electronic form or when cryptographic equipment has been modified to preclude access by a
single individual to the hard copy key inside. However, TPI controls always apply to initial
keying and rekeying operations.
d. Whenever possible, persons designated as TPI integrity team members should have previous
COMSEC experience. If this is not possible, then the CAM should ensure that team members
become familiar with those aspects of COMSEC operations, e.g., key loading procedures,
necessary in fully understanding TPI control procedures.
5.3.6. Record of Combinations requirements is as follows:
a. Maintain a central record of container combinations to ensure that TPI materials are accessible
in emergencies.
b. Record and protectively package each lock combination separately to prevent unauthorized
access to the combinations.
c. Store the record of combinations as TOP SECRET material. One method that may be used to
protectively package records of lock combinations is contained in National Security
Telecommunications and Information Systems Security Instruction (NSTISSI) No. 4005,
Paragraph 102.
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
48
CHAPTER 6: COMSEC INCIDENT REPORTING
REQUIREMENTS
6.1. General
COMSEC incident reports provide the information necessary to determine if an incident results
in a COMSEC insecurity. The guidelines in NSTISSI 4003, Reporting and Evaluating COMSEC
Incidents, require that all incidents involving COMSEC material are reported and evaluated
promptly so action can be taken to minimize adverse impacts on security, take recovery
measures, and prevent similar incidents from occurring. NSTISSI 4001, Controlled
Cryptographic Items, reporting requirements must be followed for unkeyed CCI. All COMSEC
incidents must be reported within 24 hours to the NASA COMSEC COR and the CCS.
Individuals will not be disciplined for reporting a COMSEC incident. Disciplinary action should
be considered for individuals who, through either gross negligence or willful acts, jeopardize the
security of COMSEC material.
6.2. COMSEC Incidents
COMSEC incidents fall into three categories: Cryptographic Incidents, Personnel Incidents, and
Physical Incidents. Specific reportable incidents that are peculiar to a given crypto system are
listed in the operational security doctrine, operating instructions, and maintenance manual(s) for
that crypto system.
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
49
CHAPTER 7: ROUTINE DESTRUCTION OF COMSEC
MATERIAL
7.1. General
The security of cryptographic systems depends on the physical protection afforded the associated
keying material. All keying material, current and superseded, is extremely sensitive since all
traffic encrypted with a compromised key could be compromised as well. For this reason, keying
material other than defective or faulty key must be destroyed as soon as possible after
supersession. Destroying superseded or obsolete cryptographic equipment and supporting
documentation is also essential for maintaining a satisfactory national COMSEC posture, since
these materials may be of significant long-term benefit to hostile interests desiring to exploit U.S.
communications for intelligence purposes.
7.2. Training Destruction Personnel
Supervisors must ensure that destruction personnel receive proper instruction in using and
handling destruction devices and destruction procedures. Personnel involved must also be
cleared to the highest classification level of the material to be destroyed and briefed on handling
and procedures for protecting COMSEC information.
7.3. Routine Destruction Procedures for COMSEC Material
Routine destruction should normally be done by the CAM and the ACAM. However, this
restriction should not be enforced at the cost of delaying destruction. Granting additional
appropriately cleared people the authority to destroy superseded material and certifying the
destruction to the CAM is preferable to delaying destruction, even for a short time. Note: In
order to expedite destruction, it is suggested that where a NASA Center has a COR for the
handling of classified information, the registry may be designated as an agent for the routine
destruction of COMSEC material. COMSEC material must always be destroyed in the presence
of an appropriately cleared witness. Whenever system doctrine requirements conflict with
procedures in this manual, the system doctrine requirements take precedence.
7.3.1. In a small facility with only a few pieces of COMSEC equipment, the CAM should collect
used or superseded key and other COMSEC material, replace it with new material as necessary
and, with a witness, destroy the used or superseded material.
7.3.2. In a large facility, or in mobile situations, the CAM may authorize a hand-receipt user and
a witness to destroy certain COMSEC material as soon as it is used, replaced, or superseded.
Hand receipt users must use an approved destruction device. The individual destroying
COMSEC material and the witness must indicate that the material has been destroyed by
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
50
initialing an appropriate record such as the Key Disposition record and providing that record to
the CAM at the end of each month. Such local destruction records serve as the basis for the
CAM's destruction report to the NASA COMSEC COR. When approved destruction devices are
not available at the user facility, the material must be collected by the CAM immediately after
supersession so that it may be destroyed within the time specified for that material in
subparagraph 7.3.4.b. on defective or faulty keying material. The COR must report such material
to the NSA, X71A, and hold for disposition instructions.
7.3.3. The CAM must brief hand receipt users authorized to destroy keying material,
emphasizing correct destruction procedures, the necessity for prompt and complete destruction of
used or superseded keying material and for immediately reporting any loss of control of material
before it was destroyed.
7.3.4. Scheduling Routine Destruction as follows:
a. COMSEC material is ordered destroyed by superseding editions unless directed otherwise by
the NASA COMSEC COR. Do not destroy, dismantle, or cannibalize COMSEC material, other
than superseded material, without specific authorization from the NASA COMSEC COR.
b. Keying material designated CRYPTO must be destroyed as soon as possible after use or
supersession and may not be held longer than 12 hours following supersession.
c. Where special circumstances prevent complying with the 12-hour standard, such as a facility
unmanned over weekend or holiday period, an extension to a maximum of 72 hours is
authorized.
d. For other circumstances, such as the requirement to maintain archival key, contact the NASA
COMSEC COR for instructions.
e. COMSEC material involved in compromise situations must be destroyed within 72 hours after
disposition instructions are received.
f. Complete editions of superseded keying material designated CRYPTO that are held by a
COMSEC account must be destroyed within 5 days after supersession.
g. Maintenance and sample keying material not designated CRYPTO is not regularly superseded
and need only be destroyed when physically unserviceable.
h. Superseded classified COMSEC publications that are held by a COMSEC account must be
destroyed within 15 days after supersession.
i. The residue of amendments to classified COMSEC publications must be destroyed within 5
days after the amendment is entered.
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
51
7.4. Routine Destruction Methods and Standards
Authorized methods for routinely destroying paper COMSEC material are burning, chopping or
pulverizing crosscut shredding, and pulping. COMSEC material that is not paper, when
authorized for routine destruction, must be destroyed by burning, chopping, pulverizing, or
chemical alteration. The goal is to destroy the material so thoroughly that classified information
cannot be reconstructed by physical, chemical, electrical, optical, or other means.
7.4.1. Do not destroy hardware keying material, such as proms and permuter plugs, and
associated manufacturing aids without approval from the NASA COMSEC COR.
7.4.2. Routine destruction of COMSEC equipment and components are not authorized.
Disposition instructions for equipment that cannot be repaired or is no longer required must be
obtained from the NSA.
7.5. Approved Routine Destruction Devices
Information concerning routine destruction devices, which have been tested and approved by the
NSA, may be obtained from the NASA COMSEC COR.
7.6. Reporting Routine Destruction
7.6.1. The CAM must report routine destruction of all centrally accountable COMSEC aids,
such as items assigned ALC 1 and 2, to the NASA COMSEC COR, no later than the 16th day of
each month. No exceptions are authorized; however, negative reports are not required if no
keying material is held that was authorized for destruction during the preceding month. Chapter
2 contains instructions for completing and submitting destruction reports.
7.6.2. Destruction records must be maintained by the CAM for 3 years and protected in the same
manner as other comparable classified COMSEC material. Local destruction reports must be
retained by the preparing element until the next scheduled audit.
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
52
CHAPTER 8: SECURE TELECOMMUNICATIONS
FACILITIES
8.1. Physical Security Requirements for Classified and Unattended Keyed CCI Equipment
8.1.1. Secure telecommunications facilities must be provided positive access control, and they
shall be constructed of solid, strong material to prevent unauthorized penetration or show
evidence of attempted penetration. They must provide adequate attenuation of internal sounds
that could divulge classified information through walls, doors, windows, ceilings, air vents, and
ducts. Maximum physical security is achieved when the facilities are of vault-type construction.
At a minimum, construction or modification of a secure telecommunications facility shall
conform to the requirements stated in NSTISSI 4005, August 1997.
8.1.2. Responsibilities. The CAM and Alternate need to be cognizant of the number of persons
performing cryptographic duties, the number of secure circuits, types of COMSEC equipment,
and operational keys used in the secure telecommunications facility; the number of days before
operational key is received in the secure telecommunications facility, restricting access to future
key until received in the secure telecommunications facility, and waivers granted to the secure
telecommunications facility. The CAM and alternate are also responsible for the following:
a. Establishing an access list for authorized individuals.
b. Establishing a visitors' register.
c. Establishing and documenting a daily security check procedure.
d. Prohibiting personally owned cameras, photographic devices/equipment capable of receiving
and recording intelligible images; sound recording devices/equipment, including magnetic tapes
or magnetic wire; amplifiers and speakers; radio transmitting and receiving equipment;
microphones and television receivers from the telecommunications facility.
e. Being knowledgeable of the capabilities and installation of anti-intrusion devices employed by
the secure telecommunications facility to include the number of devices, the manufacturer, type
and model number of each device, the operating procedures, a floor plan of the alarm system, and
a response procedure.
8.2. CCI Access Controls
CCI are by definition unclassified, but controlled. Minimum controls for CCI are prescribed
under three different conditions: unkeyed; keyed with unclassified key; and keyed with classified
key. The provisions apply to controlled items that are installed for operational use. All
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
53
controlled items are to be protected in a manner that provides protection sufficient to preclude
theft, sabotage, tampering or unauthorized access, and that provides accountability for the
material, whether or not installed.
8.2.1. Installed and Unkeyed. Establish procedures to provide physical controls adequate
enough to prevent unauthorized removal of the controlled item or its components. Where
practical, rooms containing unkeyed controlled items should be locked at the end of the workday,
e.g., rooms housing an unkeyed secure telephone unit must be locked.
8.2.2. Installed and Keyed with Unclassified Key.
a. Attended. Establish procedures to prevent access by unauthorized personnel using physical
controls and/or monitoring access with authorized personnel.
b. Unattended. Establish procedures to prevent access by unauthorized personnel using adequate
physical controls, such as locked rooms, alarms, or random checks.
8.2.3. Installed and Keyed with Classified Key.
a. Attended. CCI must be under the continuous positive control of personnel who possess a
security clearance at least equal to the classification level of the keying material in use and, if the
keying material is TOP SECRET, the NLZ’s controls must be instituted.
b. Unattended. CCI must be in an area as described in subparagraphs 8.2.2.a and 8.2.2.b.
8.3. Storage Requirements
A facility or organization will not be eligible to receive or generate classified COMSEC
information until adequate storage has been established.
8.3.1. Classified COMSEC equipment and information other than keying material marked
CRYPTO must be stored as prescribed for other classified material at the same classification
level.
8.3.2. Keying material marked CRYPTO must be stored according to the requirements of
NTISSI 4005, August 1997.
8.3.3. CCI must never be stored in a keyed condition. Before placing CCI in storage, all keying
material must be removed. When unkeyed, controlled items must be protected against
unauthorized removal or theft during storage placed in a locked room or a room with an adequate
alarm system.
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
54
8.4. Record of Individuals Having Knowledge of Combinations to Containers Storing
Classified COMSEC Material
A record must be maintained of the names, organizations, and telephone numbers of individuals
who know the combinations to containers storing classified COMSEC material. In the event of
an emergency, such as a container or vault being found open after normal working hours, one of
these individuals must be notified. Normally, these containers are under the direct control of the
CAM and alternate (s); however, where operational need necessitates, classified COMSEC
material, to include one edition of current keying material marked CRYPTO, may be issued on
hand receipt to a user. Under these circumstances, the notified individual must also contact
either the CAM or alternate (s). Immediately inventory the contents of the container or vault
found not secure. When the inventory is completed the container or vault combination must be
changed. Compare the results of the inventory against the account’s COMSEC Register File and,
if any material is determined to be missing, include information in the incident report made
according to the provisions of chapter 6.
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
55
CHAPTER 9: SECURE TELEPHONE UNIT (STU-III)
9.1. General
This chapter augments doctrine provided in NTISSI 3013, Operational Security Doctrine for the
STU-III, Type 1, Terminal.
9.2. Responsibilities
9.2.1. The NASA COR acts as the command authority for NASA STU-III terminals.
9.2.2. User Representatives prepare and submit key orders for designated users of STU-III
terminals within the classification and type limitations of their privileges. User Representative
responsibilities include the following:
a. Interacting with users to determine key requirements.
b. Interacting with the Command Authority for Department Agency Organization administration
and User Representative privilege changes.
c. Verifying security information with the CCS.
d. Preparing and submitting key orders.
e. Notifying the COMSEC Account Manager that delivery of a key order is anticipated.
9.2.3. Users. Each STU-III user has a number of responsibilities related to the security of the
STU-III and the security of the information transmitted, outlined in the following subparagraphs
9.2.3.a. through 9.2.3.g. Users are encouraged to use the secure mode to protect both classified
and unclassified national security information.
a. Monitor the display during the secure call to determine the identification of the distant party,
the maximum-security classification for the call, and for security-related messages. The security
classification will appear on the top line of the display for the duration of the secure call and will
be the highest level shared by the two terminals. Restrict the classification level of the
conversation to no higher than the displayed level. The next three lines display the identity of the
distant STU-III. This information will be scrolled through the display during secure call setup.
The classification level and the first line of the identification information will remain on the
display for the duration of the secure call.
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
56
b. The information displayed indicates the approved level for the call but does not authenticate
the person using the terminal. The need-to-know principle is still binding. The mere connection
to another STU-III does not signify a need to know.
c. The calling and the called party establish the clearance of the other party by a means
independent of the display, either by knowledge of the other party through voice recognition, or
by introduction by another known cleared party.
d. Since access to the STU-III with the CIK installed gives anyone the opportunity to use the
STU-III in the secure mode, restrict access to the STU-III with the CIK installed to those people
who hold a security clearance equal to or higher than the classification level of the key.
e. Users are responsible for the environment in which a secure conversation is held. This
includes their own and the other party's environment. An indication that either party is not in an
authorized location to conduct a classified discussion should result in a termination of the call.
f. The STU-III user is responsible for protecting his CIK. CIK should be treated as valuable
personal property. Do not leave an ignition key where an unauthorized person would have access
to both it and the associated STU-III. During the workday, the CIK may be left in the STU-III
only if continuously attended by cleared personnel. When not in use, or if the terminal is
unattended, the CIK must be removed from the terminal.
g. The room or area in which a STU-III is located will be provided adequate protection at the
end of the workday or whenever authorized personnel are not present.
9.2.4. CAM.
a. The CAM holding the STU-III key in their accounts must have a clearance equal to the
operational level of the key, i.e., the seed key will become classified to the appropriate level once
converted in the terminal. SCI access is not required when the account manager does not
perform the conversion process. Once the conversion process has occurred, all individuals who
use a terminal keyed with Class 6 key must have SCI access. Additionally, when the operational
level of the key is unclassified, a clearance is not required.
b. Type 1 operational and Type 1 seed keys are ALC - 1. All test keys are UNCLASSIFIED and
are ALC - 4.
c. Fill devices stored in the COMSEC account should remain sealed in the plastic shipping bag.
Each fill device will have an attached card label. Remove the card label when the key in the Key
Storage Device is loaded into the terminal. Maintain a local record of key material identification
numbers and the serial numbers of the associated STU-III.
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
57
d. Respond to Key Conversion Notices (KCN) acknowledging the conversion of seed key to
operational key. If a KCN is not received for key that was loaded into a terminal, notify the NSA
Key Management System (KMS) and be prepared to provide the COMSEC account number and
the conversion date.
e. Ensure that terminals are rekeyed by a call to the NSA KMS at least annually.
f. An expired key may be returned to the NSA KMS for disposition. Transfer the fill devices to
NSA COMSEC account 880103, using an SF 153. See paragraph 2.6. for shipping methods. SF
153 destruction reports with two signatures must be completed for fill devices zeroized other
than during a loading procedure, at the account.
9.3. STU-III Security Education
9.3.1. COMSEC CAM will educate STU-III users when they receive their terminals, stressing
the proper use of the terminal, how to handle and protect their CIK’s, and the importance of and
correct procedures for reporting incidents. Information contained in this chapter will be issued to
STU-III users when they receive their terminals.
9.3.2. Each user will sign a briefing statement acknowledging understanding of the
responsibilities.
9.4. Protecting CIK
9.4.1. COMSEC CAM will maintain local records of CIK, to which terminals they are
associated, and to which users they are assigned.
9.4.2. CIK will be protected as valuable U.S. Government property. Any person who is
permitted unrestricted access to a keyed terminal can retain the ignition in his personal
possession. If an ignition key is stored in the same room as the terminal, protect it according to
the classification of the keyed terminal. When terminals are installed in residences, the user must
be sure to remove the ignition key from the terminal following each use and keep it in his or her
personal possession or store it in a security container approved for the classification level of the
key in the terminal.
9.4.3. A master CIK is used to create other ignition keys for the same terminal, so greater
controls should be exercised. Maintain master ignition keys in locked storage commensurate
with the classification level of the key it protects, except when being used to create other CIK,
and keep under the personal control of an authorized person who has been briefed on its
sensitivity and the requirements for its control. Master CIK keys should not be used on a day-today basis with the STU-III.
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
58
9.4.4. Report lost CIK immediately to the CAM so that he can delete that CIK from all terminals
with which they were associated. Deleting a CIK does not affect the usability of other CIK
created for that terminal. Once a CIK has been disassociated from a terminal, it no longer needs
to be controlled and can be reused.
9.4.5. Use of a CIK, by other than personnel for whom the authentication information appearing
on the terminal display applies, may only be permitted if the intended user is verifiably cleared to
the level that the key is classified and the ignition key is under continuous control and
supervision by the authorized person. To place such a call, the authorized person must first make
voice contact with the distant end identifying the intended user and indicating the intended user's
clearance level before allowing access to the terminal.
9.5. Incidents
9.5.1. The following incidents apply specifically to the Type 1 STU-III and will be reported to
the CCS, NASA COMSEC COR, and CAM:
a. Failure of the CAM to notify the Key Management System that a seed key listed on the
conversion notice still exists in the COMSEC account.
b. Any instance in which the authentication information displayed during a secure call is not
representative of the distant terminal.
c. Failure to adequately protect or erase a CIK that is associated with a lost terminal.
d. Any instance in which the display indicates that the distant terminal contains compromised
key, for example, "Hang Up - Far Key Compromised" on the terminal display, indicating an
unauthorized user may be at the distant end.
e. Leaving a CIK in a STU-III when access to the STU-III is uncontrolled, unless area is
approved for open storage for classified material. See NTISSI 4003. Reports of COMSEC
incidents involving keys must include the assigned key material identification number, whether
or not any CIK’s were involved, and whether or not the keys were protected when the incident
occurred.
f. CIK Failure. If a CIK that had previously operated properly fails, the failure could be
attributed to a malfunction in the key itself or in the terminal. It could also be an indication that
the key has been copied and the copy used in the terminal. To preclude the possibility of further
use in the event the key was copied, the failed key should be promptly deleted from the terminal;
deleting the key does not affect the usability of other keys created for that terminal.
g. Loss of a CIK. Once reported, the ignition key should be deleted from the system.
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
59
h. Initial discovery of loss or unauthorized relocation of a STU-III. If a STU-III is discovered
missing, secure all associated CIK until other instructions are received.
i. Transmission of classified information using a terminal with a failed display. If the display
fails, terminate the call immediately.
j. Failure to rekey a terminal within 2 months after the end of the Cryptoperiod will trigger the
NSA KMS to zeroize terminals automatically at the end of the 2-month period.
k. "Security Failure" on the terminal display when a CIK is removed. This display is
accompanied by a continuous audible tone to notify the user that an emergency condition exists
and that prompt action is required. Protect the terminal as classified until further instructions are
received.
l. "CIK Not Updated" on the terminal display.
9.6. STU-III Terminal Keying and Rekeying
9.6.1. Electronic keying of a Type 1 STU-III is accomplished by loading a seed key, which
includes authentication information for the terminal display, into the STU-III from the key
security device followed by immediately creating at least one CIK, and calling the NSA KMS.
During the call, the KMS electronically provides an operational key at the classification level
ordered to replace the seed key in the terminal. Once this process, called conversion, is
complete, the terminals may be used in the secure mode to call other STU-III terminals.
9.6.2. During the rekey call to the KMS, it is the key in the terminal that is being rekeyed, not
the CIK. Therefore, only one call is necessary; rekey calls are not required for each of the
multiple keys associated with one terminal. It is not necessary to use the master key.
9.7. Secure Data Mode
The STU-III is designed to prevent disclosure of information in transit only, and the end system
is still responsible for determining and properly reacting to the accreditation range of the system
to which it will communicate, the identity of the user of the distant end system, and the STU-III
negotiated classification level of the connection. When appropriate, computer security
safeguards must also be employed to prevent improper and/or unauthorized access to
information.
9.7.1. Data Installation as Follows:
a. STU-III terminals may be used to secure communications between classified computer
systems, provided the key in the terminal matches the classification of the information to be
transmitted.
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
60
b. Authorization from the CCS and/or the Designated Approval Authority (DAA) is required
before data processing equipment may be installed and operated with a STU-III terminal.
9.7.2. Facsimile Installations.
a. STU-III terminals may be used with facsimile machines to transmit classified information,
provided the key in the terminal matches the classification of the information to be transmitted.
b. Authorization from the CCS is required before facsimile equipment may be installed and
operated with a STU-III terminal.
c. Facsimile machines used to transmit classified information will be protected in the same
manner as the associated STU-III terminal.
d. Secure voice contact must be established before switching to data mode and transmitting the
material. Classified material receipting regulations apply when transmitting classified
information between NASA Centers or to other addresses. The sending operator will remain at
the terminal until the transmission is complete and returned to secure voice mode to verify
receipt.
9.8. Sensitive Compartmented Information Facility (SCIF)
9.8.1. Use only SCI level keys (Class 6, Code 10).
9.8.2. The CIK’s associated with the terminals may not be removed from the SCIF.
9.8.3. STU-III terminals will not be removed from the SCIF except for maintenance.
9.9. Installations in Residences, Hotels, or Commercial Conference Facilities
Installations in residences, hotels, or commercial conference facilities require the express written
permission of the CCS. Requests for permission to install a STU-III terminal in a residence,
hotel, or commercial conference facility need to include a statement of need.
9.10. Vehicle Installations
9.10.1. Installations of STU-III secure cellular terminals in vehicles require the express written
permission of the CCS.
9.10.2. The CCI portion of a STU-III cellular terminal is normally installed in the trunk of the
vehicle. When the vehicle is to be unattended, remove the CIK and terminal mounting
mechanism key, and lock the vehicle. When the vehicle will be unattended for an extended
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
61
period or will be parked in an area where there is a high threat of theft or tampering, or if the
vehicle will be turned over for commercial repair, first remove the CCI portion of the terminal,
the message center, and the handset.
9.11. Acoustic Security
9.11.1. Acoustical isolation must be sufficient to prevent classified conversation from being
overheard, without the aid of electronic equipment in adjacent uncleared areas. Acoustical
separation can be achieved by implementing adequate separation, physical barriers, area access
controls, or some combination thereof. Acoustic isolation must be sufficient to prevent classified
conversations from being overheard at nonsecure telephones.
9.11.2. Measures to implement the requirements outlined above will include the following or a
combination thereof:
a. Individual offices, in which the structure provides the needed isolation.
b. Sound absorbent office partitions between individual work areas in open plan offices.
c. Other protective measures specified by a NASA Installation Security Officer .
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
62
CHAPTER 10: COMSEC EMERGENCY ACTION
PROCEDURES
10.1. Requirements
All organizations holding classified or CCI COMSEC material must prepare a plan to protect the
material during natural disasters and accidental emergencies, such as fire, flood, tornado, and
earthquake. Planning and actions should emphasize maintaining security control over the
material without endangering life until order is restored. Incorporate the requirements of this
chapter into the emergency action procedures established for the entire facility. Additionally,
structure normal operating routines to minimize the number and complexity of actions to be
taken to protect COMSEC material during emergencies. For example, hold only the minimum
amount of COMSEC material at any time; that is, conduct routine destruction frequently and
dispose of excess COMSEC material according to disposition instructions.
10.2. Preparedness
Planning for natural disasters and accidental emergencies must provide for the following:
10.2.1. Fire reporting and initial fire fighting by assigned personnel. Note: The Emergency Plan
must be coordinated with the appropriate security and fire and safety personnel.
10.2.2. Assigning on-the-scene responsibility to ensure that COMSEC material is protected.
10.2.3. Securing or removing classified COMSEC material and evacuating the area(s).
10.2.4. Protecting material when outside fire fighters, and/or other emergency personnel, must
be admitted into the secure area(s).
10.2.5. Assessing and reporting probable exposure of classified COMSEC material to
unauthorized persons during the emergency.
10.2.6. Postemergency inventorying classified and CCI COMSEC material and reporting any
losses or unauthorized exposures to appropriate authority.
10.2.7. Destroying COMSEC Material. While destruction of COMSEC material is usually not
considered in a location within the continental United States, the possibility of destruction prior
to evacuation in the case of other natural disasters or emergencies will be discussed with the
COR.
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
63
10.3 Preparing the Emergency Plan
Preparing the COMSEC material emergency plan is the COMSEC Account Manager’s
responsibility. A sample emergency plan is included as Appendix D. The plan should be
coordinated with appropriate security, fire, and safety personnel. The plan must be realistic and
workable, and it must accomplish the goals for which it is prepared. Contributing factors to this
are as follows:
10.3.1. All duties under the plan must be described clearly and concisely.
10.3.2. All authorized personnel at the facility should be aware of the existence of the plan.
Each individual who has duties assigned under the plan should receive detailed instructions on
how to carry out these duties when the plan becomes effective. Personnel involved should be
familiar with all duties so that assignment changes may be made, if necessary. This can be
achieved by periodically rotating the emergency duties of all personnel.
10.3.3. Conduct training exercises periodically to ensure that all personnel, especially those
newly assigned, who might have to take part in an actual emergency, will be able to carry out
their duties. As necessary, change the plan based on the experience of the training exercises.
10.4. Emergency Action Procedures Review
COMSEC emergency procedures developed under these guidelines will be made available for
review upon the request of the COR.
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
64
APPENDIX A: COMSEC TERMS
Definitions of generic COMSEC terms used in this manual can be found in NTISSI 4009.
NASA specific definitions are listed below:
1. ACAM. Individual designated to perform the duties of the CAM during their temporary
absence. Outside NASA, this position is known as Alternate COMSEC Custodian.
2. NASA COR. The COR is located at KSC and keeps records of all NASA COMSEC material
received by elements subject to its oversight. COR duties include establishing and closing NASA
COMSEC accounts, maintaining records of CAM and ACAM appointments, distributing
inventories, performing audits, and responding to queries concerning account management.
3. COMSEC Account. An entity administratively subordinate to the NASA COR, identified by an
account number, responsible for maintaining custody and control of accountable COMSEC
material.
4. CAM. The individual designated by proper authority to be responsible for receipting,
transferring, safeguarding, destroying, and the accountability of COMSEC material assigned to a
COMSEC account. Outside NASA this position is known as COMSEC Custodian.
5. NASA Systems Security Manager. The individual, employed at the NASA Security Mangement
Office, responsible for the development of agencywide policy and oversight of the management and
utilization of COMSEC within NASA.
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
65
APPENDIX B: SAMPLE COMSEC BRIEFING
1. You have been selected to perform duties requiring access to U.S. classified COMSEC
information. It is essential that you become fully aware of facts relating to protecting this
information before access is granted. This briefing will give you a description of the type of
COMSEC information to which you may have access, the reasons why special safeguards are
necessary for protecting this information, the directives and rules that prescribe such safeguards,
and the penalties you may incur for the unauthorized disclosure, unauthorized retention, or
negligent handling of U.S. classified COMSEC information. Failing to properly safeguard this
information could cause serious or exceptionally grave damage, or irreparable injury, to the
national security of the United States, or could be used to a foreign nation's advantage.
2.
COMSEC is the general term used for all steps taken to deny unauthorized persons
information, derived from the telecommunications of the U.S. Government, and to ensure the
authenticity of those communications. COMSEC has four main components -- transmission
security, physical security, emission security, and cryptographic security. Transmission security
is methods and techniques applied to protect information while in transmission from
unauthorized intercept, traffic analysis, imitative deception, and disruption. Physical security is
those barriers put in place to prevent access by an unauthorized person to materials, information,
documents, and equipment. Emission security is measures taken to prevent compromising
signals from emanating from equipment or telecommunications systems. Cryptographic security
is rules applied to alter information, making it unintelligible to unauthorized people during
communications. To ensure that telecommunications are secure, all four of these components
must be considered.
3. COMSEC equipment and keying material are especially sensitive because they are used to
protect other classified information while that information is communicated from one point to
another. Any particular piece of COMSEC equipment, keying material, or other cryptographic
material may be the critical element that protects large amounts of classified information from
interception, analysis, and exploitation. If the integrity of the COMSEC system is weakened at
any point, all information protected by the system could be compromised; even more damaging is
if this loss of classified information goes undetected. The procedural safeguards placed on
COMSEC equipment and materials, covering every phase of their existence from creation
through disposition, are designed to reduce or eliminate the possibility of such loss.
4. COMSEC equipment and materials receive special handling for distribution and accounting as
part of physical security protection. Two separate channels are used for handling such equipment
and materials: COMSEC channels and administrative channels. The COMSEC channel or
COMSEC Material Control System is used to distribute accountable COMSEC such as keying
material, maintenance manuals for cryptographic, and classified, and CCI equipment. The
COMSEC Material Control System channel is composed of a series of COMSEC accounts, each
of which is appointed a COMSEC Account Manager who is personally responsible and
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
66
accountable for all COMSEC materials in the account. The COMSEC Account Manager
assumes responsibility for the material from the time it is received and controls its dissemination
to authorized users on a need to know basis. The administrative channel is used to distribute
COMSEC information and materials other than that accountable in the CMCS.
5. To adequately protect COMSEC equipment and materials, you must understand all the
pertinent security regulations and the importance of reporting any compromise, suspected
compromise, or other security problem involving these materials. If a COMSEC system is
compromised but the compromise is not reported, all information that was ever protected by that
system may be lost as a result. If the compromise is reported, steps can be taken to change the
system and replace the keying material, to reduce the damage done. In short, it is your individual
responsibility to know and to put into practice all the provisions of the appropriate publications
relating to properly using and protecting the COMSEC equipment and materials to which you
will have access.
6. Because access to U.S. classified cryptologic information is granted on a strict need-to-know
basis, you will be given access to only that cryptographic information necessary for you to
perform your duties.
7. You may not disclose any COMSEC information without the specific approval of the NASA
COMSEC Manager or the National Security Agency. This applies to both classified and
unclassified COMSEC information and means that you may not prepare newspaper articles,
speeches, technical papers, or make any other "release" of COMSEC information without
specific Government approval. The best personal policy is to avoid any discussions that reveal
your knowledge of or access to COMSEC information and, thus, avoid making yourself
interesting to those who seek the information you possess.
8. When your duties include access to classified COMSEC information, in addition to the above,
you should avoid travel to any countries that are adversaries of the United States or to their
establishments or facilities within the United States. Should such travel become necessary, your
security office must be notified in advance, allowing sufficient time for you to receive a
defensive security briefing. Any attempt to elicit the classified COMSEC information you have,
either through friendship, favors, or coercion, must be reported immediately to your security
office.
9. Finally, you must know that if you willfully disclose or give any of the classified COMSEC
information, equipment, including CCI, or associated keying materials to which you have access
to any unauthorized persons, you will be subject to prosecution under the criminal laws of the
United States. The laws that apply are contained in Title 18, U.S.C., Sections 641, 793, 794,
798, and 952.
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
67
SIGNATURE OF EMPLOYEE BRIEFED
DATE
SIGNATURE OF BRIEFER
APPENDIX C: SAMPLE CRYPTOGRAPHIC ACCESS
CERTIFICATION
INSTRUCTION
Section One of this certification must be executed before an individual may be granted access to
U.S. classified cryptographic information. Section Two will be executed when the individual no
longer requires such access. The original signed certificate will be made a permanent part of the
official security records of the individual concerned.
SECTION ONE
AUTHORIZATION FOR ACCESS TO U.S. CLASSIFIED CRYPTOGRAPHIC
INFORMATION:
a. I understand that I am being granted access to U.S. classified cryptographic information. I
understand that my being granted access to this information involves me in a position of special
trust and confidence concerning matters of national security. I hereby acknowledge that I have
been briefed concerning my obligations with respect to such access.
b. I understand that safeguarding U.S. classified cryptographic information is of the utmost
importance and that the loss or compromise of such information could cause serious or
exceptionally grave damage to the national security of the United States. I understand that I am
obligated to protect U.S. classified cryptographic information, and I have been instructed in the
special nature of this information and the reasons for the protection of such information. I agree
to comply with any special instructions issued by NASA or my NASA Center regarding
unofficial foreign travel or contacts with foreign nationals.
c. I fully understand the information presented during the briefing I received. I have read this
certificate and my questions, if any, have been satisfactorily answered. I acknowledge that the
briefing officer has made available to me the provisions of Title 18, U.S.C., Sections 641, 793,
794, 798, and 952 (see attached). I understand that, if I willingly disclose to any unauthorized
person any of the U.S. classified cryptographic information to which I might have access, I am
subject to prosecution under the criminal laws of the United States, as appropriate. I understand
and accept that unless I am released in writing by an authorized representative of the
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
68
NASA Security Office, the terms of this certificate and my obligation to protect all U.S.
classified cryptographic information to which I may have access apply during the time of my
access and at all times afterward.
ACCESS GRANTED THIS
DAY OF
19
SIGNATURE
NAME/GRADE/SSN
SIGNATURE OF ADMINISTERING OFFICIAL
NAME/GRADE/OFFICIAL POSITION
SECTION TWO
TERMINATION OF ACCESS TO U.S. CLASSIFIED CRYPTOGRAPHIC INFORMATION:
I am aware that my authorization for access to U.S. classified cryptographic information is being
withdrawn. I fully appreciate and understand that the preservation of the security of this
information is of vital importance to the welfare and defense of the United States. I certify that I
will never divulge any U.S. classified cryptographic information I acquired, nor discuss with any
person any of the U.S. classified cryptographic information to which I have had access, unless
and until freed from this obligation by unmistakable notice from proper authority. I have read
this agreement carefully and my questions, if any, have been answered to my satisfaction. I
acknowledge that the briefing officer has made available to me Title 18, U.S.C., Sections 641,
793, 794, 798, and 952.
ACCESS WITHDRAWN THIS
DAY OF
20___
SIGNATURE
NAME/GRADE/SSN
SIGNATURE OF ADMINISTERING OFFICIAL
NAME/GRADE/OFFICIAL POSITION
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
69
PRIVACY ACT STATEMENT
In accordance with the Privacy Act of 1974, as amended (5 U.S.C. 552a), the following notice is
provided: Authority to request Social Security Number is Executive Order 9397. Routine and
sole use of the Social Security Number is to identify the individual precisely, when necessary, to
certify access to U.S. classified and/or unclassified cryptographic information. While disclosure
of your Social Security Number is voluntary, failure to do so could delay certification and, in
some cases, prevent original access to U.S. classified and/or unclassified cryptographic
information.
SIGNATURE
DATE
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
70
APPENDIX D: SAMPLE EMERGENCY ACTION PLAN
1. Purpose. To protect and minimize the risk of compromise of COMSEC material during
emergency situations.
2. Discussion. National COMSEC policy requires that all organizations holding classified or
CCI materials have an Emergency Action Plan with procedures for the protection of such
material during natural disasters and accidental emergencies, such as fire, flood, tornado, and
earthquake. The actions contained within this plan provide for the security to the material
without endangering the lives or safety of personnel implementing the plan. Specifically, the
plan provides for the following:
a. Fire reporting.
b. Assignment of on-the-scene responsibility for ensuring protection of the COMSEC material
held.
c. Securing of classified COMSEC material and evacuation of the area.
d. Protecting of material when admission of outside firefighters into the secure area is necessary.
e. Assessing and reporting of probable exposure of classified COMSEC material to unauthorized
persons during the emergency.
f. Postemergency inventory of classified and CCI materials and the reporting of any losses or
unauthorized exposures to appropriate authority.
3. Implementation. The senior individual present will take the action outlined in subsequent
paragraphs to safeguard the COMSEC material. The actions are directed toward maintaining
positive control over the material while not endangering the health or safety of personnel.
4. Action.
a. Fire reporting. In the event a fire is discovered within the Message Processing Center, the
following actions will be taken, as the situation permits:
1) The person discovering the fire should immediately alert all others in the vicinity by loudly
shouting "Fire!” then sound the alarm by pulling the alarm located inside the Message Processing
Center, to the right of the main door.
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
71
2) If possible, without endangering the safety of Message Processing Center personnel, should
attempt to extinguish the fire using the extinguishers located inside the center.
3) Carry out the actions regarding the evacuation of the spaces outlined in paragraph 4(c) of this
Plan.
b. Responsibility for safeguarding COMSEC material. All personnel assigned to the Message
Processing Center are responsible for safeguarding COMSEC material. In the event of an
emergency situation, the senior individual has primary on-the-scene responsibility for ensuring
the protection of the material.
c. Securing of classified material and evacuation.
1) If the situation permits, open the safe and stow all COMSEC material that may have been
removed from the safe. Stow all Automated Defense Information Network disks. Secure the
safe.
2) Remove the COMSEC Register files for Account 800121 from the file box located on the
COMSEC Account Manager’s desk and place in an envelope. Message Processing Center
personnel will take this envelope when evacuation occurs.
3) Remove the three inventory folders located inside the vault door, and to the right of the door,
and prepare to evacuate the spaces with these three folders and the COMSEC Register file
envelope.
4) Lock the vault door. Evacuate the spaces, taking the COMSEC Register file envelope and
three inventory folders. Set the alarm as you exit, and secure the door to the Message Processing
Center. Follow the directions of the floor wardens and proceed to the designated evacuation
area, remaining well clear of the building.
5) If the situation does not allow for stowage of material, evacuate immediately. Take the three
inventory folders if possible, but not if it will endanger lives.
d. Protecting material when admission of outside firefighters is necessary. In the event that it
becomes necessary to admit firefighters or other emergency personnel, the following protective
measures are to be followed:
1) If the situation permits, open the safe and stow any COMSEC material that may have been
removed. Secure the safe.
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
72
2) If unable to stow the material in the safe, take whatever actions are necessary to minimize fire
team exposure to COMSEC material without hindering fire-fighting efforts. For example, cover
or stow the material in a desk drawer.
e. Assessing and reporting of probable expose of classified COMSEC material to unauthorized
persons during emergency situations. In the event that probable exposure of classified COMSEC
material occurs, the following actions are to be taken:
1) If possible, obtain the name, citizenship, and clearance level (if any), of the unauthorized
persons.
2) Make a complete list of the COMSEC material involved.
3) Using a STU-III, notify the NASA COR of the details of the incident. The NASA Central
Office of Record may direct additional reporting.
f. Postemergency inventory of classified and CCI COMSEC materials. Upon resolution of the
emergency situation, the following actions will be taken:
(1) Conduct a complete inventory of all classified and controlled items.
(2) Report any discrepancies/losses to the NASA COR immediately.
g. Other Natural Disasters/Emergencies. Other natural disasters, such as floods, earthquakes, or
hurricanes, may require the evacuation of the Message Processing Center. Follow the procedures
in paragraphs 4. (c), (d), (e), and (f) of this Appendix D.
5. Destruction of COMSEC Material. While destruction of COMSEC material is usually not
considered for locations within the continental United States, the possibility of destruction prior
to evacuation in the case of other natural disasters or emergencies will be discussed with the
NASA COR.
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
73
APPENDIX E: CLASSIFICATION GUIDE
ITEM
UNCLASSIFIED
Individual SF-153
transfer, destruction,
possession of inventory
N/A
FOR OFFICIAL
USE ONLY
CLASSIFIED
When no
classified info
is included
CONFIDENTIAL when
effective or
supersession dates
for classified CRYPTO
are identified.
According to content,
but minimum of
CONFIDENTIAL if remarks
Are classified or
association of address
is classified.
Individual L6061 Cards
and Hand Receipts
When no
classified info
is on a card/
Hand receipt
N/A
When Classified info is
included, classify
according to content.
Compilation of records
(e.g., the Register File;
a File(s) containing
completed SF-153/s,
inventories, consolidated
Hand receipts)
N/A
When no
classified
info is
included.
When classified info is
included, a file MUST be
classified according to
The highest level in the
file.
When info does
not reveal
details of
allocation and
deployment.*
CONFIDENTIAL when
detailed info re:
allocation and
deployment is included.*
Crypto equipment
Completed classified
keying material
disposition record
N/A
N/A
CONFIDENTIAL
Any info that provides
the effective date and/
or supersession date for
classified operational
key marked CRYPTO
N/A
N/A
CONFIDENTIAL
Any Correspondence
associating COMESC
equipment use aboard
space vehicles, except
Shuttle vehicles.
N/A
N/A
CONFIDENTIAL
*DOES NOT APPLY TO STU-III ALLOCATION AND DEPLOYMENT UNLESS SENSITIVE GOVERNMENT
FACILITY/LOCATION INVOLVED.
This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to verify that this is the correct version before use:
http://nodis.hq.nasa.gov/Library/Directives/NASA-WIDE/contents.html
74
Download