BY ORDER OF THE SECRETARY OF THE AIR FORCE
AIR FORCE INSTRUCTION 33-204
15 DECEMBER 1994
Communications
THE C4 SYSTEMS SECURITY AWARENESS,
TRAINING, AND EDUCATION (SATE) PROGRAM
This instruction implements Air Force Policy Directive (AFPD) 33-2, C4 Systems Security, and applicable parts of National Institute for Standards and Technology Special Publication 500-172; National Telecommunications and Information Systems Security Directive Numbers 500 and 501; Office of Personnel Management 5 CFR Part 930; and Public Law 100-235, The Computer Security Act of 1987. It provides guidance and responsibility for establishing and managing the Security Awareness, Training, and Education (SATE) Program; defines program goals; and applies to all military and civilian Air Force personnel. It also supports the awareness and education programs outlined in other publications such as Air Force Instruction (AFI) 33-201, The Communications Security (COMSEC) Program; AFI 33-202, The Computer Security (COMPUSEC) Program; and AFI 33-203, The TEMPEST Program. Additional security instructions and memorandums are listed in Air Force Indexes (AFIND) 2, Numerical Index of Standard and Recurring Air Force Publications; and 5, Specialized Communications-Computer Systems Security Publications. Air Force Manual (AFMAN) 33-270, C4 Systems Security Glossary, explains other terms. Personnel may use extracts from this AFI. Direct questions or comments on contents of this instruction through appropriate command channels to Headquarters, Air Force Command, Control, Communications, and Computer Agency, C4 Systems Security Awareness, Training, and Education Division (HQ203 W. Losey Street, Room 2040, Scott AFB IL 62225-5234. Refer recommended changes and conflicts between this and other publications to HQ AFC4A, Policy and Procedures Branch (XPXP), 203 W. Losey Street, RoomScott AFB IL 62225-5224 using AF Form 847, Recommendation for Change of Publications. See Attachment 1 for a listing of references, abbreviations, and acronyms.
SUMMARY OF CHANGES
This is the first publication of AFI 33-204. It changes all references to the term "Education, Training, and Awareness Program (ETAP)" to read "Security Awareness, Training, and Education (SATE) Program."
Section A--General Information
1. Introduction. This instruction describes and defines the Air Force C4 Systems SATE program goals, objectives, and standards. The SATE Program is a single, integrated security education, awareness, and training effort covering the communications security (COMSEC), computer security (COMPUSEC), and TEMPEST disciplines. It is a training and indoctrination program established to emphasize C4 systems security awareness and to promote consistent application of security principles in the use of Air Force C4 systems. COMSEC, as used in this publication, refers to the day-to-day application of transmission security, emissions security, and cryptographic security. Training for the safeguarding, control, use, or access to COMSEC material is not covered under SATE, but is outlined in AFI 33-201.
2. Goal. The goal of the SATE program is to make sure all personnel understand the importance of and practice safeguarding C4 systems. Personnel must know how to protect these systems against sabotage, tampering, denial of service, espionage, fraud, misappropriation, misuse, or release to unauthorized persons by applying various C4 systems security countermeasures. The SATE program objectives provide a basis for establishing the required learning objectives in all training methods.
3. Objectives. The objective of the SATE program is to train individuals to act or react automatically and responsibly to protect information generated, stored, processed, transferred, or communicated by C4 systems. Train all personnel to:
- Understand the inherent weaknesses in C4 systems and the potential harm to national security due to the improper use of C4 systems.
- Keep informed of the threats (including human intelligence [HUMINT]) to, and vulnerabilities of, C4 systems.
- Identify the types of information requiring protection.
- Take necessary measures to protect information generated, stored, processed, transferred, or communicated by C4 systems.
- Recognize practices that create vulnerabilities in C4 systems, and use established security procedures to address them.
- Recognize the potential damage to national security if communications security material is compromised, and understand the security measures required to protect this material.
- Protect C4 systems against denial of service and unauthorized (accidental or intentional) disclosure, modification, or destruction of computer systems and data.
- Understand how COMPUSEC, COMSEC, and TEMPEST relate to the protection of information generated, processed, stored, or transferred by C4 systems.
Section B--Responsibilities
4. Headquarters United States Air Force Role and Responsibilities. The Deputy Chief of Staff, Command, Control, Communications, and Computers (HQ USAF/SC) is the Air Staff office of primary responsibility (OPR) for the Air Force C4 systems security program.
5. Headquarters Air Force Command, Control, Communications, and Computer Agency:
- Manages the SATE program.
- Works closely with the Defense Information Systems Agency in producing visual aids, video presentations, and so forth, to support the SATE program.
- Guides, monitors, and assists major command (MAJCOM) program managers as they develop and implement their SATE program efforts.
- Performs staff assistance visits to requesting MAJCOMs.
- Develops generalized educational material, such as pamphlets, films, visual aids, and posters, to support the overall Air Force missions.
- Prepares specialized briefings and assists MAJCOMs as requested.
- Reviews and approves developed SATE program materials, including implementing documents submitted by Air Force personnel.
- Establishes a SATE information crossfeed program.
- Develops and publishes SATE security articles.
- Establishes a C4 systems security training advisory group (C4SSTAG) to resolve SATE issues.
- Administers the HQ AFC4A/SYI bulletin board system (BBS) which is used to disseminate C4 systems security awareness and information.
6. Major Commands:
6.1. Participate in the Air Force C4 systems SATE program and support their wing or base SATE program managers.
6.2. Designate a primary and an alternate individual to develop and manage the command SATE program. Provide HQ AFC4A/SYI with the names, grades, office symbols, and telephone numbers of these individuals, and as changes occur. The primary or alternate must attend all C4SSTAG meetings called by AFC4A/SYI.
6.3. Provide support to command-hosted base SATE program managers for preparation of mission security briefings (MSB).
6.4. Develop command oriented C4 systems security educational materials, such as pamphlets, news articles, visual aids, films, and posters, to support the command C4 systems SATE program as needed. Provide all materials to subordinate units for use and to HQ AFC4A/SYI for review and crossfeed.
6.5. Develop and publish command oriented C4 systems security articles in command news media.
6.6. Conduct workshops for base C4 systems SATE program managers.
6.7. Incorporate the C4 systems SATE program into the command inspector general, total quality management, and audit programs.
6.8. Provide C4 systems SATE program materials and guidance to USAFR and ANG units gained on mobilization in coordination with Headquarters Air Force Reserve and National Guard Bureau OPRs.
6.9. Provide C4 systems security guidance and assistance, as needed, to operations security (OPSEC) program managers through the command OPSEC manager.
6.10. Include C4 systems security educational materials in command-developed courses as outlined in paragraph 6.4.
6.11. Make sure government contractors follow the provisions of this instruction when using C4 systems for the Federal government to generate, process, store, transfer, or communicate information.
6.12. Request C4 systems security support through data calls.
6.13. Perform staff assistance visits to requesting bases.
7. Air Force Field Operating Agencies and Direct Reporting Units:
- Comply with paragraph 6.
- Send waiver requests to HQ AFC4A/SYI.
8. Wing and Bases:
- Make sure the host/SC (or senior communications officer or commander) designates primary and alternate individuals to manage the wing and base SATE program. The primary SATE manager will be a technical sergeant or General Schedule-7 or above, with knowledge of C4 systems operations. MAJCOMs will approve or disapprove waivers.
9. Wing and Base Security Awareness, Training, and Education Program Managers:
9.1. Develop, manage, and conduct base-wide C4 systems SATE programs using C4 systems security educational materials provided by the host MAJCOM, HQ AFC4A, and base-level C4 systems security staff.
9.2. Provide C4 systems security training to all C4 systems users, to include all tenants. Pay particular attention to geographically separated field offices, detachments, and operating locations.
9.3. Make sure host-tenant agreements between tenants and the base direct the tenants to participate in the host-base SATE program if they are involved in planning, programming, storing, transferring, operating, or maintaining Air Force C4 systems, or are connected to Air Force local area networks.
9.4. Conduct base C4 systems security training on the mission, and, if another major mission is on the base, incorporate their mission into the training.
9.5. Make sure the SATE portion of the MSB meets the objectives outlined in paragraph 3.
9.6. Make sure personnel make maximum use of C4 systems security educational films, posters, and briefings; that all SATE program managers are aware of their existence; and emphasize use of these training tools.
9.7. Place reminders of the need for positive C4 systems security practices in base bulletins and other media to increase and reinforce C4 systems security awareness.
9.8. Provide C4 systems security awareness training for all base and tenant unit C4 systems SATE program managers, and crossfeed locally developed material between those unit managers and wing headquarters.
9.9. Perform annual C4 systems SATE staff assistance visits to host and tenant units.
9.10. Provide indoctrination and training to newly appointed base and tenant unit C4 systems SATE program managers.
9.11. Conduct biennial or more frequent C4 systems SATE program management workshops for unit managers.
10. Unit Commanders:
- Appoint a C4 systems SATE program manager to administer the SATE program within their unit.
11. The Unit Security Awareness, Training, and Education Program Manager:
- Identifies command-unique training requirements to the base SATE program manager for inclusion in the MSB.
- Makes sure all newly assigned personnel receive SATE training within 60 days of arrival.
- Coordinates this training with the base C4 systems SATE program manager as needed.
- Administers the annual refresher SATE training for all unit personnel including personnel from field offices, detachments, and operating locations in the local area that receive unit administrative support.
- Circulates quarterly SATE related articles and displays current posters throughout the organization.
- Supports and implements the base C4 systems SATE program.
Section C--Training
12. General Requirements. All military and civilian personnel will receive four types of C4 SATE training: accession, recurring, awareness, and specialized. An individual trained in C4 systems security principles and concepts will conduct this training.
13. Accession Training. Air Education and Training Command (AETC) will:
13.1. Conduct accession training during initial military training (basic military training, Officer Training School, Air Force Reserve Officer Training Corps, and specialized training in Air Force specialty code [AFSC] awarding courses).
- Train students on basic C4 systems security concepts to establish a foundation of C4 systems security awareness.
- Make sure they understand that certain vulnerabilities and threats exist in C4 systems and, therefore, require protection.
- Define COMSEC, COMPUSEC, TEMPEST, and C4 systems security.
- Stress that there is a point of contact for C4 systems security at every Air Force unit.
13.2. Administer C4 systems security training, through Air University, to students attending Senior Noncommissioned Officer Academy, Squadron Officer School, Air Command and Staff College, and Air War College.
13.3. Coordinate C4 systems security training material with HQ AFC4A/SYI through the MAJCOM SATE manager.
14. Recurring Training Requirements. SATE program managers design this training to accomplish the C4 systems SATE program objectives prescribed in paragraph 3. Convey the degree of reliance on C4 systems, the potential consequences arising from the lack of secure systems, the organization's commitment to secure C4 systems, and the means by which users can protect systems. Mission sensitivity and the potential for mission degradation from the lack of proper C4 systems security must influence the design of recurring and awareness training. This includes interruption or exploitation of service, exploitation through interception, unauthorized electronic access or related technical threats, and corruption through falsification of information or damages to storage media. Meet the minimum training criteria listed below for each category of recurring C4 systems SATE:
14.1. Permanent Change of Station (PCS). Military members who arrive at a new duty location or civilian personnel initially hired by a base, must attend a consolidated MSB. The MSB combines C4 systems security, protection from terrorism (overseas only), information warfare as it pertains to C4 systems, and reporting and countering HUMINT threats. The MSB should not exceed 1 1/2 hours for overseas and 1 hour for the continental United States. The base personnel office must schedule this briefing as part of the individualized newcomer treatment and orientation program. As the focal point for the SATE portion of the MSB, the base SATE program manager makes sure the briefing focuses on the objectives in paragraph 3. As a minimum, the SATE portion of the MSB must include:
- An overview of the various threats to and vulnerabilities of C4 systems.
- An overview of ways to protect C4 systems against denial of service and unauthorized (accidental or intentional) disclosure, modification, or destruction of computer systems or data.
- The names and telephone numbers of the C4 systems SATE program managers and the type of assistance they can provide.
- An overview of the HUMINT threat to classified and sensitive information processed by U.S. Government C4 systems using training films on C4 systems security fundamentals, supplemented with local HUMINT information.
- An explanation of how TEMPEST relates to the protection of C4 systems.
14.2. Refresher Training:
- Provide personnel the most current technology and information available.
- Use command-tailored, AFC4A-produced, or other educational materials to reemphasize C4 systems security obligations.
15. Awareness Training. SATE program managers satisfy this requirement by displaying SATE-related posters, using public service announcements, or providing applicable articles from unit, base, and command publications to unit personnel.
16. Specialized Training--Formal Course Integration. AETC and the United States Air Force Academy (USAFA) will provide students with an understanding of the threat to and vulnerabilities of Air Force C4 systems, a knowledge of countermeasures available to overcome the threat, and ways to apply the countermeasures. This instruction provides general guidance for integrating C4 systems security education and training into the Air Force accession programs, AFSC-awarding courses, formal schools, and professional military education courses. Base the depth of other formal training programs coverage on the potential for students to become involved in planning, programming, managing, operating, or maintaining C4 systems, or who work routinely with such material. The courses should emphasize the threat to and vulnerabilities of C4 systems, the C4 systems security countermeasures available to overcome the threat, and ways to apply those countermeasures. USAFA and AETC courses should also address those aspects of C4 systems security that could affect the success of tactical and strategic operations. All course developers will coordinate C4 systems security training material with HQ AFC4A/SYI through the MAJCOM SATE manager. HQ AFC4A/SYI will provide advisory assistance for program development.
17. RCS: HAF-SC(A)8902, Security Awareness, Training, and Education Utilization Report. This annual report provides a basis for assessing the impact of C4 systems security training on mission accomplishment. It shows the number of personnel receiving SATE training and the total number of hours actually spent in providing training. Use these records for local and command program management and for providing the minimum data required by AFC4A for reporting to HQ USAF/SCXX.
17.1. MAJCOM SATE Program Managers:
- Send a consolidated report (RCS: HAF-SC[A]8902) to HQ AFC4A/SYI by 1 February each year, or as otherwise directed. HQ consolidates and evaluates the information according to AFPD 33-2 and AFI 33-205, C4 Systems Security Metrics and Measurement Program.
- Establish specific command procedures to acquire, compile, and report command training information (see Figure 1).
17.2. The consolidated military personnel flight, mission support personnel, and the base SATE program manager jointly perform the reporting of C4 systems security training. The MAJCOM SATE program manager acts as the conduit for providing AFC4A/SYI information for reporting SATE training. SATE program managers at every level must make sure this reporting is completed on time.
Number of Personnel Training and Man-Hours Expended

                            Officers         Enlisted         Civilian
                            Numbers/Hours    Numbers/Hours    Numbers/Hours
Initial Training            XXXX    XX       XXXX    XX       XXXX    XX
Annual Refresher Training   XXXX    XX       XXXX    XX       XXXX    XX

NOTE: "Hours" is the total time expended by trainers to actually conduct training sessions; it does not include preparation time.
Figure 1. SATE Utilization Report Format

CARL G. O'BERRY, Lt General, USAF
DCS/Command, Control, Communications, and Computers
Attachment
Glossary of References, Abbreviations, and Acronyms
References
AFPD 33-2, C4 Systems Security
AFI 33-201, The Communications Security (COMSEC) Program
AFI 33-202, The Computer Security (COMPUSEC) Program
AFI 33-203, The TEMPEST Program
AFI 33-205, C4 Systems Security Metrics and Measurement Program
AFIND 2, Numerical Index of Standard and Recurring Air Force Publications
AFIND 5, Specialized Communications-Computer Systems Security Publications
AFMAN 33-270, C4 Systems Security Glossary
National Institute for Standards and Technology Special Publication 500-172
National Telecommunications and Information Systems Security Directive Numbers 500 and 501
Office of Personnel Management 5 CFR Part 930
Public Law 100-235, The Computer Security Act of 1987
Abbreviations and Acronyms
Abbreviations and Acronyms  Definition
AETC                        Air Education and Training Command
AFC4A                       Air Force Command, Control, Communications, and Computer Agency
AFI                         Air Force Instruction
AFIND                       Air Force Index
AFMAN                       Air Force Manual
AFPD                        Air Force Policy Directive
AFSC                        Air Force Specialty Code
ANG                         Air National Guard
BBS                         Bulletin Board System
C4                          Command, Control, Communications, and Computer
C4SSTAG                     C4 Systems Security Training Advisory Group
COMPUSEC                    Computer Security
COMSEC                      Communications Security
HUMINT                      Human Intelligence
MAJCOM                      Major Command
MSB                         Mission Security Briefing
OPR                         Office of Primary Responsibility
OPSEC                       Operations Security
PCS                         Permanent Change of Station
SATE                        Security Awareness, Training, and Education
USAFA                       United States Air Force Academy
USAFR                       United States Air Force Reserve