APPENDIX D
HAND-RECEIPT HOLDER, USER, AND WITNESS RESPONSIBILITIES
___________________________________________________________________________
BRIEFING STATEMENT
(This figure will be used as a sample only and will not be reproduced.)

As a communications security (COMSEC) (hand-receipt holder, user, witness) I will ensure that--

a. COMSEC material received from the COMSEC custodian is safeguarded according to current Army directives.

b. Material is properly handled, stored, inventoried, and destroyed when authorized. Two-person integrity (TPI) will be implemented when necessary.

c. Access is based on clearance and a need to know.

d. Material is inventoried shift-to-shift, daily, or just before locking the container where the material is stored, as applicable. DA Form 2653-R (COMSEC Account-Daily Shift Inventory (LRA)) or a similar form will be used to record inventories.

e. Superseded keying material is destroyed immediately according to Technical Bulletin (TB) 380-41 (local commanders may grant an extension up to 72 hours only when facilities are not available for use after duty hours). Destruction will be timely, witnessed, recorded, and complete to prevent COMSEC incidents.

   (1) Users and witnesses will be briefed on applicable security procedures and responsibilities in this briefing statement before destruction.

   (2) Witnesses will have the appropriate level clearance to be granted access for destruction.

   (3) Destruction will be made according to TB 380-41. Hand-receipt holders destroying complete editions of ALC 1 key will prepare a destruction report using SF 153 (COMSEC Material Report) (TB 380-41).

   (4) DA Form 5941-R (COMSEC Material Disposition Record (LRA)) is completed for destruction of key-tape segments, marked CONFIDENTIAL for classified key and FOR OFFICIAL USE ONLY for UNCLASSIFIED KEY, paragraph 4.11.2a, TB 380-41, and returned to the custodian with the remainder of segments intact inside the canister.

f. Files are maintained according to AR 25-400-2, The Modern Army Recordkeeping System (MARKS). Superseded and obsolete COMSEC files will be destroyed only during the month of January in the year following the inactive year.

g. Keying material and publications are page-checked according to TB 380-41 and as directed by the COMSEC custodian. Persons making page checks will sign and date the check.

h. COMSEC material is transported as follows:

   (1) COMSEC material will be transported according to AR 380-40, TB 380-41, and USAREUR Regulation 380-40.

   (2) Equipment will be transported according to AR 380-5, paragraph 8-200b(2); AR 380-40; TB 380-41, paragraph 5.12; and USAREUR Regulation 380-40.

i. COMSEC incidents are reported immediately to the COMSEC custodian.

j. Cryptographic operational operating manuals (KAOs), if applicable, will be read on receipt and reviewed once a year. Written records of these reviews will be maintained in file 380-40q.

k. COMSEC files are maintained according to AR 25-400-2.

l. COMSEC material is not subhand-receipted without the written permission of the COMSEC custodian.

m. COMSEC material is ready for review or inspection at all times by the COMSEC custodian, command inspector, and auditor.

n. Discrepancies noted on inspections and audits are corrected immediately and corrective actions are reported to the COMSEC custodian. (Failure to correct discrepancies found during COMSEC inspections and audits may result in the removal of the material and return of control to the COMSEC custodian.)

o. COMSEC material is maintained separately from other classified documents in security containers and is easily identifiable during inventories and emergencies.

p. A plan is developed to protect COMSEC material in emergencies (for example, natural disasters, fires, bomb threats, riots, enemy action). Emergency plans will include methods for secure storage, procedures for the evacuation, and, if necessary, destruction of the material.

q. Evacuation routes are clearly defined. (Hand-receipt holders may combine their emergency plans with the parent-unit emergency plan.)

r. Unused or undestroyed portions of keying materials are returned to the COMSEC custodian according to TB 380-41.

s. Questions about procedures or other COMSEC matters are directed to the COMSEC custodian.

t. Instructions from the COMSEC custodian are followed.

I have been briefed, understand, and will fulfill my responsibilities as a hand-receipt holder and user.

Name: ___________________ Grade: __________ Office: ____________________
Date read: ______________ Unit: ___________ Telephone Number: __________
Signature of hand-receipt holder and user: _____________________________

************************************************************************

Name: ___________________ Grade: __________ Office: ____________________
Date read: ______________ Unit: ___________ Telephone Number: __________
Signature of COMSEC custodian or alternate: ____________________________
___________________________________________________________________________
Figure D-1. Sample Briefing Statement
D-2. PUBLICATIONS
The following publications will be available to hand-receipt holders and users responsible for COMSEC material.
D-3. FORMS
The following forms will be available to hand-receipt holders and users responsible for COMSEC material.
NOTE: Hand-receipt holders will maintain only forms that are appropriate to their operations.
D-4. FILES
COMSEC hand-receipt holders and users should keep the following files:
APPENDIX E
SAMPLE KEY MANAGEMENT STANDING OPERATING PROCEDURE
This appendix provides guidance for USAREUR communications security (COMSEC) personnel involved in writing a key management standing operating procedure (SOP). It provides specific instructions and requirements that should be included in this type of SOP.
___________________________________________________________________________
SAMPLE SOP
AETV-IM-CCMO (380-40n) 1 November 1996
Electronic Key Management Standing Operating Procedures (SOP)
1. PURPOSE
This standing operating procedure (SOP) defines security procedures for the control of electronic key. It does not supersede any DA guidance, Army regulation, or USAREUR regulation.
2. ELECTRONIC KEY
Electronic key is electronically generated information (usually a sequence of random binary digits) used--
3. RESPONSIBILITIES
4. GENERAL
5. ELECTRONIC-KEYED CRYPTONETS
APPENDIX F
COMMAND INSPECTIONS
F-2. INSPECTION AREAS
USAREUR command COMSEC inspections will cover the areas in paragraphs F-3 and F-4. The areas to be inspected (D-3 and D-4) are numbered according to the inspector's checks. Units to be inspected will use this guidance to prepare for inspections.
F-3. OPERATIONS AND ACCOUNTABILITY
Facility Approval.
1. The United States Army Communications-Electronics Command, Communications Security Logistics Activity (USACCSLA) is the approving authority for COMSEC facility approval according to TB 380-41, chapter 2. Facility approval is permanent unless there is a physical change to the COMSEC facility.
File Number: 380-40a (AR 25-400-2).
Disposition: According to AR 25-400-2.
Document Markings: As a minimum, the CFAR is marked FOR OFFICIAL USE ONLY. "Protective marking is in accordance with (IAW) paragraph 4-200, exemption 2, AR 25-55" must be on the front page (AR 25-55).
NOTE: If the CFAR is classified, it must be marked according to AR 380-5. Enclosing facility diagrams is not recommended because of classification requirements.
Guidance: The approval memorandum is attached to the CFAR when filed; the physical security of the site is the same as the last approval; and the "approving agency" and "date of approval" are entered on DA Form 2012 (COMSEC Account Data).
2. Discrepancies from the previous inspection reports are reconciled (AR 380-40).
File Number: 380-40r (AR 25-400-2).
Disposition: According to AR 25-400-2.
3. Command COMSEC inspections are conducted at least once every 24 months (AR 380-40). All discrepancies noted on the last inspection must be corrected or otherwise adjudicated (USAREUR Reg 380-40).
File Number: 380-40r (AR 25-400-2).
Disposition: According to AR 25-400-2.
4. A standing operating procedure (SOP) is prepared according to TB 380-41, chapter 2.
File Number: 1oo (AR 25-400-2).
Disposition: According to AR 25-400-2.
Document Markings: As a minimum, the SOP is marked FOR OFFICIAL USE ONLY. "Protective marking is in accordance with (IAW) paragraph 4-200, exemption 2, AR 25-55" must be on the front page (AR 25-55).
Guidance: An SOP provides for secure and efficient conduct of COMSEC operations to include accounting, courier procedures, destruction, maintenance, and physical security (incident reporting). Some accounts require both an internal and an external SOP.
5. Supervisory personnel are aware of the requirements for technical surveillance countermeasure (TSCM) services (AR 380-40).
File Number: 380-40r (AR 25-400-2).
Disposition: According to AR 25-400-2.
Document Markings: The request (message or memorandum) will be classified Secret according to AR 381-14.
The following is an example of the marking:
DERIVED FROM: Para E7a, DoD INSTR. 5420.5 DTD 23 MAY 84.
DECLASSIFY ON: Source Marked OADR
DATE OF SOURCE: _____________________
Guidance: A TSCM service is requested according to USAREUR Regulation 380-85, appendix B. The message address is: CDRUSAREUR HEIDELBERG GE//AEAGB-CI-S//, INFO: CDR COLLECTION BN AUGSBURG GE//IAPG-VOT-T//.
6. Maintenance personnel are certified on DD Form 1435 (COMSEC Maintenance Training and Experience Record) according to AR 25-12, chapter 4.
7. COMSEC equipment is installed, maintained, and repaired according to National, DOD, and DA instructions for COMSEC equipment. Personnel who receive this training also receive COMSEC awareness training (AR 25-12, chap 2).
8. The requirements for access to COMSEC information are known and followed (AR 380-40), and security clearances are verified according to AR 380-67.
9. The following publications are available or are on requisition: AR 380-5, AR 380-40, AR 710-2, TB 380-41, USAREUR Regulation 380-40, and USAREUR Pamphlet 380-40.
File Number: 1jj (AR 25-400-2).
Disposition: According to AR 25-400-2.
10. Account personnel and hand-receipt holders understand the use of the caveat CRYPTO (TB 380-41, chap 5).
11. Account personnel and hand-receipt holders know limitations on the handling and release of unclassified COMSEC information (TB 380-41, chap 5). COMSEC information is marked and handled according to AR 25-55, paragraph 3-200.
12. The COMSEC custodian and alternate custodian are appointed on DA Form 2012 (TB 380-41, chap 2).
File Number: 380-40q (AR 25-400-2).
Disposition: According to AR 25-400-2.
Document Markings: COMSEC information is marked and handled according to AR 25-55, paragraph 3-200.
Guidance: Custodian and alternates have appropriate security clearance and access.
13. DA Form 2012 is filled out and sent out according to TB 380-41, chapter 2. If no changes are made on the semiannual inventory report (SAIR), the SAIR may be completed in one of the following ways:
File Number: 380-40q (AR 25-400-2).
Disposition: According to AR 25-400-2.
Document Markings: COMSEC information is marked and handled according to AR 25-55, paragraph 3-200.
14. The COMSEC custodian and the alternate are graduates of the SCCC. Certificates of graduation are available in the COMSEC facility (AR 380-40 and USAREUR Reg 380-40, para B-1).
15. The COMSEC custodian has time to perform custodial duties (TB 380-41, chap 2) along with the other assigned duties.
16. Centrally accountable COMSEC material on hand is mission essential. Excess material and shortages are reported for corrective action through command channels (TB 380-41, para 3.7).
17. In COMSEC facilities with 24-hour operation, the SF 702 (Security Container Check Sheet) is annotated at the end of each shift change (TB 380-41, para 5.4.1c).
18. The COMSEC accounting system provides security control and handling of accountable COMSEC material (TB 380-41, chap 4).
Guidance: Perform an audit trail on material received to ensure proper accounting of receipt through posting, storage, operation, and destruction including STU-III key. Accounting legend code (ALC) 3 material should be issued, not hand-receipted.
Control and Handling: When the COMSEC custodian returns from an absence, the alternate custodian formally turns over material received during the absence according to TB 380-41. COMSEC records have the correct signatures and are properly marked (if required). Audits should cover 100 percent of the material.
19. Authorized quantities of classified cryptoequipment on hand or ordered are being used and are required for mission accomplishment (TB 380-41).
20. Mandatory modifications to classified COMSEC equipment are applied and equipment modification record plates document the modification according to TB 43-0001-06 series.
21. COMSEC records are maintained according to AR 25-400-2. COMSEC accounting reports are filed in 380-40q.
22. Personnel are aware of the procedures for checking packages for evidence of tampering or content exposure (TB 380-41, chap 4).
23. Account personnel, including hand-receipt holders, are aware of page-check requirements (TB 380-41, chap 4).
Guidance: Page-checks are made--
24. The manner of inventorying keying material assures continuous protection and control (TB 380-41, chap 4).
File Number: 380-40p (AR 25-400-2).
Disposition: According to AR 25-400-2.
Document Markings: DA Form 2653-R (COMSEC Account--Daily Shift Inventory (LRA)) is marked FOR OFFICIAL USE ONLY. If the form identifies effective dates of a cryptosystem or the complete holder or copy distribution list, it must be marked CONFIDENTIAL. The implementation or supersession date of a single item of key also is marked CONFIDENTIAL (TB 380-41, chap 5).
Guidance: Inventories must be complete and accurate. DA Form 2653-R must be checked. Inventory date must coincide on the SF 701 (Activity Security Checklist), SF 702, and SF 153 (when material is received). Destruction records must be checked.
25. Inventories of ALC 3 and ALC 4 material are recorded on item register (IR) cards or an SF 153. The SF 153 must be prepared, signed, and witnessed and should list ALC 3 or ALC 4 by account (TB 380-41, chap 4).
File Number: 380-40q (AR 25-400-2).
Disposition: According to AR 25-400-2.
Document Markings: COMSEC information is marked and handled according to AR 25-55, paragraph 3-200.
Guidance: For manual accounts, IR cards or inventory reports are prepared, signed, and witnessed for each SAIR and change-of-custodian inventory report (CCIR). If a SF 153 is used, it should be attached to the basic report. Army COMSEC Commodity Logistics Accounting and Information Management System (ACCLAIMS) inventory printouts must have valid dates and signatures.
26. COMSEC material (including amendment residue) is destroyed according to the schedule and procedures in TB 380-41, chapter 4. Superseded key is completely destroyed by burning or by using destruction devices and methods according to the guidance in TB 380-41, chapters 4 and 5.
Guidance: Maintenance manuals and operating instructions are destroyed not later than 15 days after the item was superseded and posted to an IR card or an asset inventory and destruction report. Destroyed items are removed from DA Form 2653-R. Every effort is made to destroy COMSEC material within 12 hours after supersession according to TB 380-41, paragraph 4.22. Destruction reports must be signed. DA Form 2011 (COMSEC Aids Items Register (Using Unit)) must be signed and witnessed when used for whole destruction of material. Inspect the burning and shredding area; run a test if necessary. Classified microfiche are only destroyed by burning or an approved chemical solution according to TB 380-41. If double cut shredders are used to destroy paper, the material is considered destroyed if CHAD (residue) is not more than 1.2mm X 13mm or not more than .73mm X 22.2mm (TB 380-41, para 4.22.2).
27. COMSEC publications, if applicable, are posted with the latest changes and amendments and are page-checked (TB 380-41, chap 4).
Guidance: Reference publications are filed under 1jj according to AR 25-400-2. COMSEC publications must be checked for the latest amendments and changes according to DA Pamphlet 25-35. Amendments should be posted within 48 hours (2 workdays) of receipt, in sequence, and page-checked after posting. The message or memorandum amendment file number is: 1nn (AR 25-380-2).
28. Local accounting procedures for the issue and hand-receipt of COMSEC material are known and properly implemented (TB 380-41).
Guidance: ALC 3 and ALC 4 (category-2) are permanently issued, not hand-receipted. Issues are either from DA Form 2011 or SF 153. The COMSEC custodian ensures recipients have the correct security clearance and have a need-to-know. All hand-receipted ALC 1, ALC 2, and category-1 ALC 4 materials are annotated in pencil on DA Form 2011 (TB 380-41, pages 4-71).
29. Cryptosystems used by the command are either locally generated electronic key or preprinted key produced by the National Security Agency (NSA). The authentication system must be NSA-approved.
Guidance: Keying material approved for use within the U.S. Army must be produced by NSA (TB 380-41, chap 3).
30. The keying material on hand is routinely used or is held for a valid contingency (TB 380-41, para 3.7).
Guidance: The amount of key issued to accounts by a controlling authority (CONAUTH) is reviewed four times a year to ensure that minimum stock levels are consistent with the operations and contingency plans on hand. The custodian coordinates with the CONAUTH to decide if a distribution change is required (TB 380-41, chap 3).
31. The number of editions and the quantity of each key held are no more than the minimum required (TB 380-41, chap 3).
Guidance: Guidance is in TB 380-41, paragraph 3.9.1.
32. Training cryptosystems and authentication systems are used only as prescribed in AR 380-40.
33. Users know the identity and address of the CONAUTH for the key held.
NOTE: The CONAUTH must know cryptonet members and identify user problems with the keying material. The COMSEC custodian informs each hand-receipt holder (user) of CONAUTH information (TB 380-41, chap 3).
34. COMSEC account personnel operating cryptosystems in the COMSEC facility must be able to use the systems and the cryptoequipment, or a training program must be in effect (TB 380-41).
NOTE: Personnel in operational accounts should read the cryptographic operational operating manual (KAO) or technical manual (TM) semiannually and verify that they have read the publications on a signature sheet.
35. The CONAUTH should complete the annual review and have required documentation on hand.
Guidance: The CONAUTH completes the annual crypto-evaluation report (CER) review and keeps a copy on file.
36. Custodians who are also CONAUTHs should take appropriate action to adjust the key-copy count, based on information from users.
37. Personnel enrolled in the Department of the Army Cryptographical Access Program (DACAP) are briefed and DACAP "certification memorandums" are signed, according to AR 380-40.
Guidance: A roster of personnel enrolled in DACAP should be sent to the appropriate security office. Personnel no longer qualified under DACAP should sign the "termination of access" portion of the DACAP certification memorandum. A copy of the memorandum should be sent to the appropriate security office.
38. A command COMSEC inspector is appointed in writing (AR 380-40).
39. The command COMSEC inspector is a graduate of the TRADOC-approved SCCC (AR 380-40).
40. The commander confirms that each COMSEC account under the jurisdiction of the command receives a command COMSEC inspection at least once every 24 months (AR 380-40).
Guidance: Property-book officers and users receive a command inspection of CCI records to ensure compliance with AR 710-2, AR 710-3, AR 380-40, and DA Pamphlet 25-380-2.
41. If a secure room is used for operations, it meets the minimum requirements in TB 380-41, chapter 5.
Guidance: Verify the CFAR using TB 380-41, chapter 2.
42. When the COMSEC facility is unoccupied, it has the necessary safeguards, determined by the commander, to protect against unauthorized entry (TB 380-41, chap 5). There must be General Services Administration (GSA)-approved security containers available, a trained guard force, and an emergency plan that reflects both issues.
43. Unsecured telephones and other transmitting devices on site are not more than the number required for operations (TB 380-41, para 5.5.3).
44. Government-owned tape recorders, radios, television receivers, and cameras are required for facility operations or are authorized by the commander as mission essential (TB 380-41, para 5.3.5).
45. Installation and operation of electronic, access-control devices (cipher locks) meet the requirements in TB 380-41, chapter 5. Combinations are changed every 3 months. A modified SF 700 (Security Container Information) (top part) is posted, and panel buttons are kept clean.
46. All COMSEC key is stored according to TB 380-41, chapter 5.
NOTE: Future key cannot be stored in unattended facilities (AR 380-40).
Guidance: Current and future editions of key are stored in separate drawers. If only a one-drawer security container is available, current and future key are separated by a file divider.
47. Physical security of stored, classified cryptokey is modified to prevent unauthorized access to the storage container or COMSEC facility (TB 380-41, chap 5).
48. Containers used for storing classified COMSEC information meet original procurement specifications for physical security (TB 380-41, chap 5).
Guidance: Containers must not be damaged (for example, drilled). Locks must function properly and containers that are modified for two locks must meet the prescribed specifications of USAREUR Regulation 380-40, paragraph 7e. Check containers against TB 380-41, paragraph 5.8.
49. Containers and secure rooms used to store classified COMSEC material have built-in combination locks or approved combination padlocks according to TB 380-41, chapter 5.
50. When not installed in an operational configuration, classified cryptoequipment and components are securely stored (TB 380-41, chap 5).
51. When installed in an operational configuration, unattended, unkeyed cryptoequipment is left installed and protected in a manner approved by the commander according to TB 380-41, chapter 5.
52. Classified documents are stored securely (TB 380-41, chap 5). Open and closed signs are used on security containers according to AR 380-5.
53. Lock combinations are changed every 12 months. For containers storing NATO material, combinations are changed every 6 months according to TB 380-41, chapter 5. Combinations also are changed when an individual knowing the combination no longer needs access (AR 380-5).
54. Lock combinations are given to as few authorized personnel as possible (TB 380-41, chap 5).
55. Access to the COMSEC facility is granted and controlled according to the provisions of TB 380-41, chapter 5.
Guidance: Personnel have a "need-to-know" and a current DA Form 1999-R (Restricted Area Visitor Register (LRA)) is completed correctly. The 1999-R for the last calendar year is closed out and filed (USAREUR Pam 380-40, para 6-1a(7)).
56. Daily security checks are made at the end of each workday and on non-workdays as required (TB 380-41, chap 5).
57. Classified COMSEC material is properly prepared and packaged for shipment (TB 380-41, chap 5). Custodians and alternates are aware of the special procedures for shipments through the defense courier service (DCS).
58. Authorized means of transporting classified COMSEC material are known and followed (TB 380-41, chap 5).
Guidance: The DCS is used whenever possible; unit couriers have DD Form 2501 (Courier Authorization Card) and an SOP is available.
59. The emergency plan includes provisions from TB 380-41, chapter 5, determined as appropriate by the commander.
File Number: 500-4a (AR 25-400-2).
Disposition: According to AR 25-400-2.
Document Markings: The minimum marking for this file is FOR OFFICIAL USE ONLY.
Guidance: The plan should be realistic, simple, and workable. The plan must be signed by the commander and contain the required provisions of TB 380-41.
NOTE: Task cards are recommended. The commander decides whether or not to use task cards.
60. The emergency plan is compatible with the command emergency plans.
Guidance: The emergency plan has a coordination sheet for signatures from units and elements that support the plan. The plan is coordinated with the command emergency plan to ensure evacuation, storage, and destruction of key will be effectively and securely performed in the event of an actual emergency (TB 380-41, chap 5, and app D).
61. The emergency plan procedures provide for the immediate destruction of superseded key, according to TB 380-41, chapter 5. Emergency procedures are exact for the destruction of keying material. Plan task cards are correct and prioritized.
62. Adequate emergency destruction material and devices are available and working (TB 380-41, chap 5).
Guidance: The recommended types of destruction methods and devices are covered in TB 380-41, chapter 5. Whenever COMSEC equipment is used, destruction tools (for example, an axe, pick, sledge hammer) are available.
63. Briefings and dry runs of the emergency plan are held four times a year and are documented. Account personnel know their responsibilities in an emergency, according to AR 380-40.
File Number: 350-28a (AR 25-400-2).
Disposition: According to AR 25-400-2.
Document Marking: The minimum marking for this file is FOR OFFICIAL USE ONLY.
Guidance: COMSEC custodians will document emergency-plan dry-runs by giving the date of training, the portion of plan to be tested (for example, evacuation, destruction, secure storage), the training results, and the names of participating personnel and witnesses. This document is signed by the commander and the COMSEC custodian. Any discrepancy found during the dry run is corrected immediately and the plan changed accordingly (AR 380-40).
64. Sensitive pages of COMSEC cryptographic operational maintenance manuals (KAM) are prepared for quick removal where required, and personnel are familiar with the emergency implementing procedures (TB 380-41, chap 5).
65. Personnel are familiar with reportable incidents pertaining to cryptosystems and associated material (AR 380-40).
Guidance: Personnel know what constitutes an incident, the types of incidents, and how to prevent them. This information is part of the local COMSEC SOP.
66. Supervisory personnel are familiar with the requirements and time limits for reporting incidents according to AR 380-40. The local SOP contains added information for reporting incidents.
67. Users are aware of the requirement to report all circumstances, occurrences, or acts that could lead to a compromise of key, directly to the appropriate CONAUTH (TB 380-41, chap 5).
Guidance: Custodian, alternates, and hand-receipt holders know the message address, the mailing address, and the telephone number of the CONAUTH. This information is included in the local SOP.