Air Force
Intelligence and Security Doctrine


BY ORDER OF THE SECRETARY OF THE AIR FORCE
AIR FORCE INSTRUCTION 33-212
20 MARCH 1995

Communications

Reporting COMSEC Incidents

This Air Force instruction (AFI) implements Air Force Policy Directive (AFPD) 33-2, C4 Systems Security, and applicable parts of National Telecommunications and Information Systems Security Instruction (NTISSI) 4003, Reporting and Evaluating COMSEC Incidents. It sets up procedures for reporting incidents affecting the security of communications security (COMSEC) material to the National Security Agency (NSA); the Air Force Command, Control, Communications, and Computer Agency (AFC4A); appointed controlling authorities; and other cognizant authorities in established chains of command. It applies to all Air Force military and civilian personnel and Air Force contractors who get COMSEC support from the Air Force. This publication pertains to all COMSEC material, including controlled cryptographic items (CCI), hard-copy key-in electronic forms, keyed common-fill devices, cryptoequipment, and electronically generated keys (generated by field and key management systems [KMS]). The term "major command" (MAJCOM), when used in this publication, includes field operating agencies (FOA) and direct reporting units (DRU). Submit technical questions and recommended changes through appropriate MAJCOM COMSEC channels to the HQ AFC4A C4 Systems Security Office (HQ AFC4A/SYS), 203 West Losey Street, Room 2040, Scott AFB IL 62225-5234. Send messages to: HQ AFC4A SCOTT AFB IL//SYS//. Refer recommended changes and conflicts between this and other publications to HQ AFC4A, Policy and Procedures Branch (HQ AFC4A/XPXP), 203 West Losey Street, Room 1065, Scott AFB IL 62225-5224, using an AF Form 847, Recommendation for Change of Publication.
SUMMARY OF CHANGES

Replaces Air Force Systems Security Instruction (AFSSI) 4006, Reporting COMSEC Incidents. Numerous changes have been made including how to report practices dangerous to security (PDS) and reporting procedures for classified and unclassified accounting legend code (ALC)-4 material. Additionally, an appeals process has been set up to challenge the upgrading of an incident to an insecurity.
1. Introduction:

1.1. Purpose. COMSEC incidents are reported so that appropriate officials can determine if the incidents have seriously affected the security of the cryptosystems involved or have the potential to do any harm to the security of the United States. Reporting COMSEC incidents also provides the basis for identifying trends in incident occurrences and for developing policies and procedures to prevent recurrence of similar incidents.
1.2. References and Terms. Terms and acronyms in Air Force Manual (AFMAN) 33-270, C4 Systems Security Glossary, apply to this publication. Key terms are listed below. Additional references, acronyms, and terms used in this AFI are explained in Attachment 1.
1.2.1. COMSEC Incident. Occurrence that potentially jeopardizes the security of COMSEC material or the secure electrical transmission of national security information.
1.2.2. COMSEC Insecurity. COMSEC incident that has been investigated, evaluated, and determined to jeopardize the security of COMSEC material or the secure transmission of information.

2. Types of Communications Security Incidents. Cryptographic, personnel, and physical COMSEC incidents are identified below. Additional reportable incidents unique to a particular cryptosystem or to an application of a cryptosystem are normally listed in the AFI 33-series, Air Force Specialized Aids (AFSAL) 3XXX-series, operating instructions, and maintenance manuals for that cryptosystem. Joint Publication (Joint Pub) 1-04, (S) Policy and Procedures Governing JCS Positive Control Material and Devices (U), contains a complete list of reportable incidents involving positive control material (PCM). NOTE: PDS are no longer considered COMSEC incidents. However, because a PDS may have the potential to jeopardize the security of COMSEC material, the new PDS reporting procedures are included in this AFI.
2.1. Cryptographic incidents include equipment malfunction or operator error that adversely affects the cryptosecurity of a machine, auto-manual, or manual cryptosystem. Report cryptographic incidents by message (see Attachments 2 and 3). Examples are:
2.1.1. Using a COMSEC key that is compromised, superseded, defective, previously used (and not authorized for reuse), or incorrect application of keying material. Examples are:
2.1.1.1. Using keying material produced without the authorization of NSA (for example, unauthorized maintenance or data encryption standard [DES] key, or locally contrived codes).
2.1.1.2. Using any keying material for other than its intended purpose without the authorization of NSA.
2.1.1.3. Unauthorized extension of a cryptoperiod.
2.1.2. Using COMSEC equipment with defective cryptographic logic circuitry, or using unapproved operating procedures. Examples include:
2.1.2.1. Plain text transmission resulting from COMSEC equipment failure or malfunction.
2.1.2.2. Any transmission, during or after an uncorrected failure, that may cause improper operation of COMSEC equipment.
2.1.2.3. Using COMSEC equipment without completing a required alarm-check test or after failure of a required alarm-check test.
2.1.3. Using a cryptosystem not approved by NSA.
2.1.4. Discussing the details of a COMSEC equipment failure or malfunction on nonsecured telecommunications equipment.
2.1.5. Any other occurrence that may jeopardize the cryptosecurity of a COMSEC system.
2.2. Personnel incidents include the capture, attempted recruitment, or control of personnel by a known or suspected hostile intelligence entity; or the unauthorized absence or defection of personnel having knowledge of or access to COMSEC information or material. Report these incidents by message (see Attachments 2 and 3).
2.3. Physical incidents include loss of control, theft, capture, recovery by salvage, tampering, unauthorized viewing and access, photographing, or copying that can potentially jeopardize COMSEC material. All physical incidents are reported by message. Examples include:
2.3.1. Unauthorized access to COMSEC material.
2.3.2. COMSEC material found outside required physical control. Examples include:
2.3.2.1. COMSEC material shown on a destruction report as being properly destroyed when the material had not been destroyed.
2.3.2.2. COMSEC material left unsecured.
2.3.3. COMSEC material improperly packaged, shipped, or received with a damaged inner wrapper.
2.3.4. Destruction of COMSEC material by other than authorized means, or COMSEC material not completely destroyed and left unattended.
2.3.5. Actual or attempted unauthorized maintenance (including maintenance by unqualified personnel) or using a maintenance procedure that deviates from established standards.
2.3.6. Tampering with, or penetration of a cryptosystem. Examples include:
2.3.6.1. Known or suspected tampering with, or unauthorized modification of, COMSEC material or its associated protective technology.
2.3.6.2. Finding an electronic surveillance or recording device in or near a COMSEC facility.
2.3.6.3. Activation of the antitamper mechanism on, or unexplained zeroization of, COMSEC equipment when other signs of unauthorized access or penetration are present. NOTE: Hold information concerning tampering with COMSEC equipment, penetration of protective technologies, or clandestine devices on a strict need-to-know basis. Immediately report by the most secure means to NSA, Air Force Office of Special Investigations (AFOSI) or Federal Bureau of Investigation (FBI), the controlling authority, and HQ AFC4A/SYSC. When tampering or penetration is known or suspected, wrap and seal the material along with all protective technologies and place the package in the most secure, limited-access storage available. Do not use or otherwise disturb the material until further instructions are received from NSA. When a clandestine surveillance or recording device is suspected, do not discuss it in the area of the device, or anywhere else you suspect a device is installed. Take no action that will alert the clandestine activity, except on instruction from the applicable counterintelligence organization or NSA. Take no action that will jeopardize potential evidence.
2.3.7. Unexplained removal of keying material from its protective technology or unexplained loose key cards in an end-opening package.
2.3.8. Unauthorized reproduction or photographing of COMSEC material.
2.3.9. Deliberate falsification of COMSEC records.
2.3.10. Loss of two-person integrity or violation of COMSEC no-lone zone (CNLZ) for TOP SECRET keying material (see AFKAG-1, Air Force Communications Security [COMSEC] Operations).
2.3.11. Incidents involving CCIs. NOTE: Final report can be submitted from the results of the report of survey or the inquiry report completed according to this AFI.
2.3.12. Any other incident that jeopardizes the physical security of COMSEC material.

3. Reporting Incidents:
3.1. Report incidents under other directives as follows:
3.1.1. Report incidents involving North Atlantic Treaty Organization (NATO) COMSEC material as prescribed in AMSG-293, NATO Cryptographic Instructions.
3.1.2. Report tampering or penetration of a protected distribution system (PDS) as prescribed in AFI 33-214, Protected Distribution System.
3.1.3. Report incidents involving communications-electronics operating instructions (CEOI) and status information of keying material according to AFI 31-401, Managing the Information Security Program.
3.1.4. Report PCM incidents according to Joint Pub 1-04.
3.1.5. Report incidents involving Minuteman Entry Control System (MECS) and Missile Electronic Encryption Device System (MEEDS) according to AFKAG-3, Controlling and Handling of Specified COMSEC Material for Missile Systems, and this AFI.
3.2. National COMSEC Incident Reporting System. To remain effective, the National COMSEC Incident Reporting System must receive prompt and clear information about the incident. This information is critical to provide damage assessment by the evaluating authority. NSA continually evaluates the security of cryptosystems used by the U.S. Government. Each incident, regardless of how minor it may seem, when compared to other reports or information, often reveals weaknesses in procedures, systems, or personnel that can result in compromises. Therefore:
3.2.1. Every person possessing, handling, operating, maintaining, or repairing COMSEC material must stay thoroughly familiar with applicable physical and cryptographic security rules and must immediately report COMSEC incidents to the COMSEC responsible officer (CRO) or the commander. Failure to promptly report an incident may seriously affect the security of the cryptosystem involved and the defense of the United States. The CRO or commander must report the incident to the COMSEC manager. The COMSEC manager, using the information provided by the CRO or commander, must report the incident as prescribed in this publication.
3.2.2. Any person or activity detecting or suspecting that an incident involving COMSEC has occurred is responsible for reporting it according to this instruction.
3.3. AFOSI Involvement in COMSEC Investigations. When the commander of the violating unit determines that the AFOSI should assume the investigation of a COMSEC incident, the violating unit stops its inquiry or investigation. During this period the commander of the violating unit submits amplifying message reports every 30 days, indicating the AFOSI investigation is still ongoing. When AFOSI provides its final report, the commander reviews it with the COMSEC manager and sends it through COMSEC incident channels.

4. Roles and Responsibilities:
4.1. NSA/V51A:
4.1.1. Evaluates all cryptographic and personnel COMSEC incidents and incidents involving COMSEC equipment.
4.1.2. Evaluates all physical COMSEC incident reports involving keying material in transit or if the controlling authority cannot be identified.
4.1.3. Evaluates all physical COMSEC incidents involving multiple controlling authorities of more than one department or agency.
4.1.4. Evaluates all reported COMSEC incidents concerning tampering, sabotage, evidence of covert penetration of packages, evidence of unauthorized or unexplained modification of COMSEC equipment, security containers, or vaults where COMSEC material is stored, and COMSEC material other than keying material (for example, documents, algorithms, logic).
4.1.5. Evaluates, or coordinates evaluation of, COMSEC incidents having significant cryptologistic impact, and directs supersession of compromised future keying material that has not reached the COMSEC account.
4.1.6. Initiates or recommends appropriate action when COMSEC material is subjected to compromise, and notifies appropriate authorities of actions taken.
4.2. HQ AFC4A/SYSC:
4.2.1. Manages the Air Force COMSEC Incident Program and serves as the Air Force COMSEC incident monitoring activity.
4.2.2. Assigns Air Force COMSEC incident case numbers. Case numbers are comprised of the violating unit's MAJCOM acronym followed by a P for physical, C for cryptographic, H for personnel, or an A for aircraft, followed by the next unused case number for that MAJCOM, and the year the incident took place. NOTE: Aircraft incidents are only assigned case numbers and tracked under the purview of this AFI to clear the accounting records of any COMSEC material involved and to follow any recovery efforts, if practicable.
4.2.3. Evaluates physical COMSEC incidents involving multiple Air Force controlling authorities.
4.2.4. Evaluates COMSEC incidents involving a single Air Force controlling authority when the Air Force controlling authority causes the incident.
4.2.5. Exercises adjudication authority on whether a reported COMSEC incident has resulted in a COMSEC insecurity. Closes incident reports and upgrades incidents to insecurities, if appropriate. When an incident is upgraded to an insecurity, the violating unit's MAJCOM is notified by HQ AFC4A/SY. NOTE: If the MAJCOM disagrees with the upgrading of an incident to an insecurity, it may appeal the decision to HQ USAF/SCX.
4.2.6. Provides the case status to the reporting COMSEC account, the violating unit, and the appropriate headquarters within 5 workdays from receipt of both the initial and the final incident reports. Case status includes evaluation of the report, case number assignment, and case closure notices.
4.2.7. Maintains data base files to support the COMSEC Incident Trend Analysis (CITA) data base in collaboration with NSA.
4.2.8. Furnishes NSA information about the CITA data base for trends analysis and damage assessment associated with COMSEC incidents.
4.3. MAJCOMs:
4.3.1. Review and evaluate all correspondence pertaining to COMSEC incidents and recommend case closure from units under their purview.
4.3.2. Assess and provide comments on the appropriateness and effectiveness of actions planned or implemented to prevent COMSEC incidents from recurring.
4.3.3. Make sure COMSEC incident reports suspense dates are met.
4.3.4. Use trend analysis as a management tool, showing the possibility of needed additional training or adjustment of personnel duty assignments.
4.4. Controlling Authorities:
4.4.1. Evaluate the security impact involving material they control, when physical incidents affect superseded, current, and future cryptonet keying material held by the COMSEC account and users. Determine if a compromise of the material has occurred, except as specified in paragraphs 4.1 and 4.2.
4.4.2. Inform all required COMSEC addressees of evaluation results and may recommend incident be changed to an insecurity as soon as possible but within time limits in Attachment 8.
4.4.3. Direct emergency supersession of keying material held by the cryptonet members, if necessary.
4.4.4. Direct emergency extensions of keying material cryptoperiods, if necessary (AFI 33-215, Controlling Authorities for COMSEC Keying Material).
4.4.5. Direct reviews of record traffic encrypted using compromised cryptonet keying material.
4.5. The COMSEC Manager:
4.5.1. Briefs the commander of the violating unit on options available regarding inquiry and/or investigation.
4.5.2. Provides assistance to inquiry or investigative official.
4.5.3. Reviews and provides additional comments, including concurrence or nonconcurrence with amplifying and final reports.
4.5.4. Upon receipt of information from the violating unit, prepares and forwards all required reports according to this AFI. NOTE: Make sure reports are addressed correctly and include case number assigned by HQ AFC4A/SYSC.
4.6. Violating Unit's Commander:
4.6.1. When notified that an incident has occurred, sends a draft initial COMSEC incident report to the supporting COMSEC manager.
4.6.2. Appoints an appropriately cleared and disinterested civilian (General Schedule [GS]-9 or above), senior noncommissioned officer (NCO) (master sergeant, senior master sergeant, or chief master sergeant) or commissioned officer to conduct the inquiry or investigation (see Attachment 9).
4.6.3. Upgrades an inquiry to an investigation, if the seriousness of the incident warrants it.
4.6.4. Provides the status of the inquiry or investigation to the supporting COMSEC manager.
4.6.5. Provides comments and concurrence or nonconcurrence in final reports, and the conclusions of the AFOSI investigation of the COMSEC incident if the AFOSI was involved.
4.6.6. Corrects unit deficiencies that contribute to COMSEC incidents and insecurities.
4.7. The Inquiry or Investigating Official:
4.7.1. Conducts an inquiry or investigation using the information and procedural guidance outlined in AFI 31-401. This AFI, however, is used as the authority to conduct the inquiry or investigation.
4.7.2. Completes the inquiry or investigation without intervening temporary duty (TDY), leave, or other duties.
4.7.3. Advises the violating unit's commander and COMSEC manager of the status of the inquiry or investigation.
4.7.4. Provides amplifying reports according to paragraph 5.1.
4.7.5. Documents the results, makes recommendations to prevent recurrence, and forwards the final report to the violating unit's commander, who reviews, endorses, and forwards it to the COMSEC manager, who forwards it through COMSEC channels.
4.8. CROs and Users:
4.8.1. Know the types of incidents that could result from improper handling, control, and destruction of COMSEC material.
4.8.2. Know the types of reportable equipment malfunctions or operator errors.
4.8.3. Report any known or suspected incidents to the violating unit's commander, COMSEC manager, CRO or alternate immediately.
5. Reporting Procedures:

5.1. Reporting Procedures During Normal Operations:
5.1.1. Report incidents during other than time-sensitive tactical deployments according to this paragraph and using the report format specified in Attachment 2. Reporting procedures for reporting incidents during time-sensitive tactical deployments are in paragraph 5.2.
5.1.2. Do an initial report for each COMSEC incident. Do an amplifying report when new information is discovered or is requested by the evaluating authority. The initial or amplifying report may serve as the final report if it contains all information required by paragraph 5.1.6 (if report is used as final report, it must state "Request this report be accepted as final report."), has sufficient information for the controlling authorities to evaluate the incident, and is accepted as a final report by HQ AFC4A/SYSC. Initial and amplifying reports are authorized for transmission during MINIMIZE. NOTE: If a final report IS NOT completed within 30 days of the initial report, an amplifying report MUST be submitted through COMSEC channels every 30 days until the final report is completed.
5.1.3. Assign IMMEDIATE precedence to the following types of initial and amplifying reports. When an IMMEDIATE precedence incident report is submitted, the reporting unit will make sure an individual familiar with the details of the incident is available to respond to questions from the evaluating authority.
5.1.3.1. Initial incident reports involving current keying material. Submit no later than 4 hours after discovery or notification.
5.1.3.2. Incident reports involving future keying material scheduled to be effective within 15 days. Submit within 24 hours of discovery or notification.
5.1.3.3. Incidents involving currently effective keying material or keying material scheduled to become effective within 15 days.
5.1.3.4. Incidents involving defection, espionage, hostile cognizant agent activity, clandestine exploitation, tampering, sabotage, or unauthorized copying, reproduction, or photographing.
5.1.4. Assign PRIORITY precedence to initial and amplifying reports involving future keying material scheduled to become effective in more than 15 days or superseded, reserve, or contingency keying material. Submit the reports within 48 hours after discovery of the incident or receipt of amplifying information.
5.1.5. Normally, assign ROUTINE precedence to initial and amplifying reports of any COMSEC incident not covered above. Submit reports within 72 hours after discovery of the incident or upon receipt of amplifying information. Assign higher precedence to reports that have significant potential impact on security.
5.1.6. A final report is required for each COMSEC incident unless the initial or an amplifying report was accepted as the final report. The final report must include a word-for-word report of the results of all inquiries and investigations, to include the commander and COMSEC managers' comments. It must identify corrective measures taken or planned to lessen the possibility of recurrence. Additional actions required for the final report are:
5.1.6.1. Send the final report in one of the following formats:
5.1.6.1.1. Message Report. Do not send final reports during MINIMIZE. Assign ROUTINE precedence to final reports.
5.1.6.1.2. Letter Report. Use only if message capability is not available, if specifically requested, or if the final report is large due to attachments.
5.1.6.1.3. Formal Report of Investigation.
5.1.6.2. Route the report through the violating unit commander and supporting COMSEC manager for their additional comments and concurrence or nonconcurrence. The COMSEC manager then routes the report to all required addressees.
5.1.6.3. Upon receipt of the report of inquiry or investigation, the controlling authority (if not previously determined in the initial COMSEC incident report) determines if the incident is a compromise, a compromise cannot be ruled out, or no compromise, and may recommend upgrading the incident to an insecurity, if appropriate.
5.1.6.4. The MAJCOM provides comments and concurrence or nonconcurrence in message format to HQ AFC4A/SYSC and all other required addressees within 5 workdays.
5.1.6.5. HQ AFC4A/SYSC closes the case upon receipt of the final report, the controlling authority's evaluation, and the recommendation for case closure from the MAJCOM.
5.1.7. Classify incident reports according to content. Mark unclassified reports FOR OFFICIAL USE ONLY. Send them by electronic means. Use letter reports only when electronic means are not available. AFMAN 33-272, (S/NF) Classification Guide for COMSEC and TEMPEST Information (U), provides classification guidance for COMSEC information.
5.2. Reporting During Tactical Deployments:
5.2.1. During time-sensitive tactical deployments, detailed reporting requirements may not be possible. If so, submit abbreviated reports for physical incidents involving keying material where espionage is not suspected. The report must answer the "what, where, when, and how" questions and must provide enough details to enable the evaluating authority to determine if a compromise has occurred.
5.2.2. Immediately report loss of keying material during actual hostile actions to each controlling authority by the fastest means available to allow supersession or recovery actions. Use any available resource.
5.2.3. In many cases, immediate reporting to activities other than the controlling authority will serve no purpose. Individual incident reports are not needed when keying material that is scheduled for supersession within 48 hours is lost during actual hostilities and espionage is not suspected. Submit a periodic summary of all previously unreported incidents using Attachment 3 for proper addressing at the reporting unit's convenience. The summary must list all material lost, and the dates and places of loss.
5.3. Report Format and Distribution:
5.3.1. Attachments 2 through 6 contain the format and examples of message reports for cryptographic, physical, and personnel incidents. Initial reports must include each of the paragraphs as shown in the attachment. If the reporting requirements of a paragraph shown in the attachment do not apply, state "not applicable." Report distribution requirements are in Attachment 7.
5.4. Evaluating Reports. Use the guidelines in Attachment 8 to evaluate COMSEC incidents. Consider the following when evaluating reports:
5.4.1. The basis of information in a report, consideration of the cryptosystem security characteristics, and the effect on the cryptosystem involved.
5.4.2. Notify appropriate authorities of a compromise when it is necessary to supersede any item of the cryptosystem or to review messages encrypted in a compromised system. Each authority notified is responsible for notifying individual holders to whom distribution was made. This includes those in other departments, agencies, services or commands, and nations. When a system is declared compromised, do not use for further encryption unless it is operationally essential to send encrypted messages before the supersession date and another suitable cryptosystem is not available.
5.5. Reviewing and Handling Messages Involved in a Compromised Cryptosystem. When a traffic review is ordered because of a compromised cryptosystem:
5.5.1. The COMSEC manager or person responsible for cryptosecurity duties will determine, to the extent practical, which messages were involved in the compromise and notify message originators of the involved messages. Commanding officers (or other knowledgeable officials) will initiate a review of the messages and take necessary actions for their own operations. They will notify the next higher headquarters of any compromised message affecting major operations, strategic intelligence, significant plans, or highly sensitive information. Consider information received from subordinate units along with information originated by the headquarters and include it in the notification to the next higher headquarters. Review the effects of the compromise at each major headquarters.
5.5.2. Even though classified information is considered compromised because of a compromised cryptosystem, do not automatically downgrade or declassify information involved in a traffic review solely on the basis of the compromise. Even if the information is assumed compromised, it should remain classified until destroyed or downgraded according to normal operating procedures.
5.5.3. Except in unusual circumstances, a formal review of traffic passed in a compromised voice security (ciphony) cryptosystem is impractical. If ciphony keying material is compromised, notify all keying material users of the compromise. Advise them to consider all conversations or transmissions during the period when the compromised key was in effect as possibly compromised. A formal traffic review is not required. Report any further action according to appropriate user directives.
5.6. Disposal of Material Involved in a COMSEC Incident:
5.6.1. When material on hand is subjected to a physical or cryptographic incident, keep the material until receipt of HQ AFC4A/SYSC case closure message as stated in paragraph 5.7.
5.6.2. Hold traffic that is sent during reuse of a key for 60 days.
5.7. Removing Material Involved in a Physical Loss from COMSEC Accounting Records. HQ AFC4A/SYSC issues a case closure message when the inquiry or investigation is completed and all information required in this AFI is received. Use the case closure message as the authority for destruction and dropping accountability for the material from account records. If the material involved appears on the next semiannual inventory, line through the applicable items and cite the case number and case closure date-time group (DTG) message, and state the case is closed in the remarks section to make sure the Air Force Central Office of Record can take appropriate actions.
5.8. COMSEC Incident and Insecurity Trends:
5.8.1. HQ AFC4A/SYSC will develop and send a COMSEC incident and insecurity trends summary to all MAJCOMs and HQ USAF/SCX semiannually (no later than 31 January [for July through December] and 31 July [for January through June]).
5.8.2. The summary will include the different types of physical and cryptographic incidents or insecurities, the total number and the major cause of incidents and insecurities. Personnel and aircraft incidents are not included in the summary.
5.8.3. MAJCOMs are encouraged to comment on the summaries and disseminate to their subordinate units.
6. Practices Dangerous to Security. PDS has the potential to jeopardize the security of COMSEC material if allowed to recur.

6.1. Report the following PDS items through the COMSEC manager to the respective controlling authorities and MAJCOM of the violating unit:
6.1.1. Premature or out of sequence use of keying material without the approval of the controlling authority, as long as the material was not reused.
6.1.2. Inadvertent destruction of keying material, or destruction without authorization of the controlling authority, as long as the destruction was properly performed and documented. Request resupply, if required.
6.1.3. Removal of keying material from its protective technology before issue for use, or removing the protective technology without authorization, so long as the removal was documented and there is no evidence of espionage.
6.1.4. Incidents involving classified ALC-4 material.
6.2. Report the following items to the COMSEC manager only:
6.2.1. Receiving a package with a damaged outer wrapper in which the inner wrapper is intact.
6.2.2. Incidents involving unclassified ALC-4 material.
6.2.3. Activating the antitamper mechanism on or unexplained zeroization of COMSEC equipment when no other signs of unauthorized access or penetration are present.
6.2.4. Failure to zeroize a common fill device when a time limit is imposed.
6.2.5. Destruction of COMSEC material not performed within required time limits, as long as the material was properly stored or safeguarded.

CARL G. O'BERRY, Lieutenant General, USAF
DCS, Command, Control, Communications, and Computers

9 Attachments
1. Glossary of References, Abbreviations, Acronyms, and Terms
2. Report Format for Cryptographic, Physical, and Personnel Incident Reports
3. Message Format for Initial Physical and Cryptographic Incident Report
4. Message Format for Personnel Incident Reports
5. Message Format for COMSEC Incident Amplifying Reports/Incident Status Reports
6. Message Format and Required Content for Final Incident Reports
7. Report Distribution
8. COMSEC Incident Evaluation Guide
9. Format for Appointment Memorandum of Inquiry (or Investigating) Official
Glossary of References, Abbreviations, Acronyms, and Terms

References

AFPD 33-2, C4 Systems Security
AFI 31-401, Managing the Information Security Program
AFI 33-214, Protected Distribution System
AFI 33-215, Controlling Authorities for COMSEC Keying Material
AFMAN 33-270, C4 Systems Security Glossary
AFMAN 33-272, (S/NF) Classification Guide for COMSEC and TEMPEST Information (U)
AFKAG-1, Air Force Communications Security (COMSEC) Operations
AFKAG-3, Controlling and Handling of Specified COMSEC Material for Missile Systems
AMSG-293, NATO Cryptographic Instructions
Joint Pub 1-04, (S) Policy and Procedures Governing JCS Positive Control Material and Devices (U)
NTISSI 4003, Reporting and Evaluating COMSEC Incidents

Abbreviations and Acronyms -- Definitions
ACN Accounting Control Number
AFC4A Air Force Command, Control, Communications, and Computer Agency
AFI Air Force Instruction
AFMAN Air Force Manual
AFOSI Air Force Office of Special Investigations
AFPD Air Force Policy Directive
AFSAL Air Force Specialized Aid
AFSSI Air Force Systems Security Instruction
ALC Accounting Legend Code

CCI Controlled Cryptographic Item
CEOI Communications-Electronics Operating Instruction
CITA COMSEC Incident Trend Analysis
CNLZ COMSEC No-Lone Zone
COMSEC Communications Security
CRO COMSEC Responsible Officer

DES Data Encryption Standard
DIRNSA Director, National Security Agency
DRU Direct Reporting Unit
DSN Defense Switched Network
DTG Date-Time Group

FBI Federal Bureau of Investigation
FOA Field Operating Agency

GS General Schedule

JCS Joint Chiefs of Staff
Joint Pub Joint Publication

KMS Key Management System

MAJCOM Major Command
MECS Minuteman Entry Control System
MEEDS Missile Electronic Encryption Device System
NATO North Atlantic Treaty Organization
NCO Noncommissioned Officer
NSA National Security Agency
NTISSI National Telecommunications and Information Systems Security Instruction

OPR Office of Primary Responsibility

PAL Permissive Action Link
PCM Positive Control Material

PDS 1. Practices Dangerous to Security
2. Protected Distribution System

PE Positive Enable
POC Point of Contact

SAS Sealed Authentication System

TDY Temporary Duty

Terms

Access--A condition where an individual has the opportunity and ability to obtain knowledge of, use, copy, remove, or tamper with COMSEC material. A person does not have access merely by being in a place where COMSEC material is kept as long as security measures (that is, physical controls or authorized escort) deny opportunity to observe the material.

COMSEC Facility--Space employed primarily for generating, storing, repairing, or using COMSEC material.

Cryptosecurity--Component of COMSEC that results from the provisions of technically sound cryptosystems and their proper use.

Electronically Generated Key--Key produced in nonphysical form by NSA or at locations designated or approved by NSA. Electronically generated keys may exist only in nonphysical form (in a computer memory or in COMSEC equipment) or stored on a physical medium such as a floppy disk. Electronically generated keys stored on a physical medium are never considered hard copy. Electronically generated keys are divided into two groups:

Plain Text--Unencrypted information.

Protective Technologies--Special tamper-evident features and material applied to keying material packages and cryptographic equipment used to detect and deter possible compromise of COMSEC products such as tape canisters, end-opening key card packages, holographic bags, seals, screw-head coatings, and logo tapes. These technologies provide evidence of tampering with items, and deter attempts by our adversaries to gain access to equipment and keying material.

MINIMIZE--A condition wherein normal message and telephone traffic is drastically reduced so that messages connected with an actual or simulated emergency shall not be delayed (see Joint Pub 1-02).

Physical Security--The component of COMSEC that results from all physical measures necessary to safeguard classified equipment, material, and information from access or observation by unauthorized persons.

Positive Control Material (PCM)--Includes sealed authentication systems (SAS), permissive action links (PAL), and positive enable (PE) material.

Protective Packaging--Packaging techniques for COMSEC material that discourage penetration, reveal that a penetration has occurred or was attempted, or inhibit viewing or copying of keying material before it is exposed for use.

REPORT FORMAT FOR CRYPTOGRAPHIC, PHYSICAL, AND PERSONNEL INCIDENT REPORTS

Note: Attachments 3 through 6 contain message report examples.

SUBJECT: Consists of only the words "COMSEC Incident" followed by complete case number IF ALREADY ASSIGNED

REFERENCES: Identify the reporting requirement and all previous related messages and correspondence.

A2.1. COMSEC Account: COMSEC account number supporting the unit responsible for the incident.
A2.1.1. Must include the violating unit and its MAJCOM.
A2.2. Material Involved:

A2.2.1. For Hard-Copy Keying Material, Hard-Copy Key-in Electronic Form, and Documents: List the short title; edition; register number; specific segments, tables, pages, and so forth, if not a complete edition or document; and date stamped on the protective technology, if applicable. The controlling authority for each short title MUST BE stated by each piece of material on the initial COMSEC incident message report.
A2.2.2. For Electronically Generated Key: List the key designator, tag, or other identifier; circuit designator; type of cryptoequipment used to secure the circuit; and type of key generator.
A2.2.3. For Equipment: List the system designator or nomenclature; modification number, if applicable; serial number of ALC-1 material (all other by quantity); serial number on the protective technology (if applicable); and associated or host equipment. If the equipment was keyed, provide the information required for keying material.
A2.3. Personnel Involved in the Incident: For each individual, provide name and grade, citizenship, duty position, military or civilian occupation specialty, level of security clearance, and parent MAJCOM.

A2.4. Circumstances of the Incident: Give a clear chronological account of the events that caused the incident. The chronology must include all dates, times, frequency of events, precise locations and organizational elements, and so forth. If the reason for the incident is not known, describe the events that led to the discovery of the incident. Include a description of the security measures in effect at the location and estimate the possibility of unauthorized personnel gaining access to the material.

A2.5. Possibility of Compromise: Provide an opinion as to the possibility of compromise and the basis for the opinion.

A2.6. Additional Reporting Requirements When Incident Involves:

A2.6.1. Incorrect Use of COMSEC Keying:
A2.6.1.1. Describe the communications activity (for example, COMSEC keying on-line/off-line, simplex/half-duplex/full-duplex, point-to-point/netted operations).
A2.6.1.2. Describe the operating mode of the cryptoequipment (for example, clock start, message indicator).
A2.6.2. Use of Unapproved Operating Procedures:
A2.6.2.1. Estimate the amount and type of traffic involved.
A2.6.2.2. Estimate the length of time the key was used.
A2.6.3. Use of Malfunctioning COMSEC Equipment:
A2.6.3.1. Describe the symptoms of the malfunction.
A2.6.3.2. Estimate the likelihood that the malfunction was deliberately induced. If so, also refer to paragraph
A2.6.3.3. Estimate how long the malfunctioning equipment was in use.
A2.6.3.4. Estimate the amount and type of traffic involved.
A2.6.4. Unauthorized Modification or Discovery of a Clandestine Electronic Surveillance or Recording Device in or Near a COMSEC Facility:
A2.6.4.1. Describe the modification or modification of device, installation, symptoms, host maintenance of COMSEC equipment involved, and protective equipment technology, if applicable.
A2.6.4.2. Estimate how long the item was in place.
A2.6.4.3. Estimate the amount and type of traffic involved.
A2.6.4.4. Identify the counterintelligence organization, a point of contact (POC), and telephone number.
A2.6.5. Known or Suspected Defection, Hostile Cognizant Agent Activity, Attempted Recruitment, Espionage, Sabotage, Treason, Capture, or Unauthorized Absence:
A2.6.5.1. Describe the individual's general background in COMSEC and the extent of knowledge of crypto principles and protective technologies.
A2.6.5.2. List the cryptosystems that the individual had access to and whether the access was to cryptographic logic or keying material. For logic, state whether access was to full or limited maintenance manuals; for keying material, list the short titles and editions involved.
A2.6.5.3. Identify the counterintelligence organization, a POC, and telephone number.
A2.6.6. Unauthorized Access to COMSEC Material:
A2.6.6.1. Estimate how long unauthorized personnel had access to the material.
A2.6.6.2. State whether espionage is suspected. If espionage is suspected, refer to paragraph
A2.6.7. Loss of COMSEC Material:
A2.6.7.1. Describe the circumstances of last sighting. Provide all available information concerning the cause of disappearance.
A2.6.7.2. Describe actions taken to locate the material. Note: Consider the possibility that material was removed by authorized or unauthorized persons.
A2.6.7.3. Describe the methods of disposal of classified and unclassified waste and the possibility of loss by those methods.
A2.6.8. COMSEC Material Discovered Outside of Required COMSEC Accountability or Control:
A2.6.8.1. Describe the action that restored accountability or physical control.
A2.6.8.2. Estimate the likelihood of unauthorized access.
A2.6.8.3. Estimate the time the material was unsecured.
A2.6.9. COMSEC Material Received with a Damaged Inner Wrapper:
A2.6.9.1. Give a complete description of the damage.
A2.6.9.2. Describe situations where damage occurred in transit and identify the mode of transportation. Include the package number and point of origin.
A2.6.9.3. Describe how the material was stored if the damage occurred in storage.
A2.6.9.4. Estimate the likelihood of unauthorized access or viewing.
A2.6.9.5. Retain all packaging containers, wrappers, and so forth, until destruction is authorized.
A2.6.10. Known or Evidence of Suspected Tampering with COMSEC Material:
A2.6.10.1. Describe the evidence of tampering.
A2.6.10.2. Identify the mode of transportation if the suspected tampering occurred in transportation. Include the package number and point of origin.
A2.6.10.3. Describe how the material was stored if the suspected tampering occurred in storage.
A2.6.10.4. Identify the counterintelligence organization, a POC, and telephone number.
A2.6.10.5. Identify the date stamped on the protective technology, or serial number on the protective technology, if applicable.
A2.6.11. Unauthorized Reproduction or Photography:
A2.6.11.1. Identify the material or equipment reproduced or photographed.
A2.6.11.2. Provide the reason for the reproduction and describe how the material was controlled.
A2.6.11.3. Specify how detailed the photographs of equipment internals were.
A2.6.11.4. State whether espionage is suspected. If espionage is suspected, refer to paragraph
A2.6.11.5. Forward copies of each photograph or reproduction to Director, NSA (DIRNSA/V51A) and HQ AFC4A/SYSC.
A2.6.12. Aircraft Crash:
A2.6.12.1. Identify the location and coordinates of the crash, and specify whether the crash was in friendly or hostile territory. If at sea, refer to paragraph A2.6.13.
A2.6.12.2. State whether the aircraft remained largely intact or if wreckage was scattered over a large area. Estimate the size of the wreckage area.
A2.6.12.3. State whether the area was secured. If the area was secured, state how soon after the crash and by whom.
A2.6.12.4. State whether recovery efforts for COMSEC material were made or are anticipated.
A2.6.13. Material Lost at Sea:
A2.6.13.1. Provide the coordinates (when available) or the approximate distance and direction from shore.
A2.6.13.2. Estimate the depth of the water.
A2.6.13.3. State whether material was in weighted containers or was observed sinking.
A2.6.13.4. Estimate the sea state, tidal tendency, and the most probable landfall.
A2.6.13.5. State whether United States salvage efforts were made or are anticipated.
A2.6.13.6. State whether foreign vessels were in the immediate area and their registry, if known.
A2.6.13.7. Estimate the possibility of successful salvage operations by unfriendly nations.
A2.6.14. Space Vehicles:
A2.6.14.1. Provide the launch date and time.
A2.6.14.2. State whether the space vehicle was destroyed or lost in space.
A2.6.14.3. State whether the keying material involved was unique to the operation or is common to other operations.
A2.6.14.4. Estimate the probable impact point on the Earth's surface, if applicable. If the impact point was on land, refer to paragraph A2.6.12; if at sea, refer to paragraph A2.6.13.
A2.6.15. POC: Include name, COMSEC account number, secure telephone number, and Defense Switched Network (DSN) and/or commercial telephone number of an individual who is prepared to respond to questions concerning this incident.

Message Format for Initial Physical and Cryptographic Incident Reports

FM: unit/base/caxxxxxx//
TO: CONTROLLING AUTHORITIES//
INFO: HQ AFC4A SCOTT AFB IL//SYSC//
CONTROLLING AUTHORITIES (if not action addressee)//
SUPPORTING COMSEC ACCOUNT'S MAJCOM COMSEC DIRECTORATE//
VIOLATING UNIT'S MAJCOM COMSEC DIRECTORATE//
DIRNSA FT GEORGE G MEADE MD//V51A// (unless an ACTION addressee)
VIOLATING UNIT COMMANDER//
C L A S S I F I C A T I O N (NOTE: As a minimum mark "FOR OFFICIAL USE ONLY")
MSGID/GENADMIN/SENDER'S OFFICE/-/MONTH//
SUBJ/COMSEC INCIDENT--INITIAL REPORT//
REF/A/AFI 33-212, PARAGRAPH (as applicable)//
REF/B/Applicable KAMs, KAOs, and so forth//
REF/C/Additional Related Correspondence and Messages on Incident//
POC/NAME/TITLE/UNIT/LOC:/TEL:DSN//
RMKS/1. COMSEC ACCOUNT: 6XXXXX.
A. VIOLATING UNIT
B. MAJCOM OF VIOLATING UNIT
2. MATERIAL INVOLVED: List all material involved in incident including short title, edition, accounting control number (ACN), and the controlling authority for each item.
3. PERSONNEL INVOLVED IN THE INCIDENT:
4. CIRCUMSTANCES OF INCIDENT:
5. POSSIBILITY OF COMPROMISE: COMPROMISE, COMPROMISE CANNOT BE RULED OUT, OR NO COMPROMISE.
6. ADDITIONAL REPORTING REQUIRED BY AFI 33-212, ATTACHMENT 2, PARAGRAPH A2.6://

Message Format for Personnel Incident Reports

FM: UNIT/BASE/COMSEC ACCOUNT//
TO: DIRNSA FT GEORGE G MEADE MD//V51A//
INFO: HQ AFC4A SCOTT AFB IL//SYSC//
SUPPORTING ACCOUNT'S MAJCOM COMSEC DIRECTORATE//
VIOLATING UNIT'S MAJCOM COMSEC DIRECTORATE//
CONTROLLING AUTHORITIES//
Violating Unit Commander//
C L A S S I F I C A T I O N (NOTE: As a minimum mark "FOR OFFICIAL USE ONLY")
MSGID/GENADMIN/SENDER'S OFFICE/-/MONTH//
SUBJ/COMSEC PERSONNEL INCIDENT//
REF/A/AFI 33-212, PARA(S) 2.2 AND ATTACHMENT 2.//
REF/B/Additional Related Correspondence and Messages on Incident.//
RMKS/1. COMSEC ACCOUNT: XXXXXX.
2. MATERIAL INVOLVED: (List all material with the following information: Short title, edition, ACN, and make sure the controlling authority is included for each item.)
3. PERSONNEL INVOLVED IN THE INCIDENT:
4. CIRCUMSTANCES OF INCIDENT:
5. POSSIBILITY OF COMPROMISE: COMPROMISE, COMPROMISE CANNOT BE RULED OUT, OR NO COMPROMISE.
6. ADDITIONAL REPORTING REQUIRED BY AFI 33-212, ATTACHMENT 2, PARAGRAPH A2.6://

Message Format for COMSEC Incident Amplifying Reports/Incident Status Reports

FM: UNIT/BASE/COMSEC ACCOUNT//
TO: SAME AS INITIAL REPORT
INFO: ALL INFO ADDRESSEES (same as on initial report)//
C L A S S I F I C A T I O N (NOTE: As a minimum mark "FOR OFFICIAL USE ONLY")
MSGID/GENADMIN/SENDER'S OFFICE/-/MONTH//
SUBJ/COMSEC INCIDENT (AIR FORCE COMPLETE ASSIGNED CASE NUMBER AND ALL OTHER AGENCIES ASSIGNED CASE NUMBERS) AMPLIFYING REPORT//
REF/A/REFERENCE THE DTG OF INITIAL REPORT AND UNIT IDENTIFIER//
REF/B/ADDITIONAL MESSAGE/CORRESPONDENCE RELATING TO THE INCIDENT//
POC/NAME/TITLE/UNIT/LOC:TEL:DSN//
AMPLIFYING REPORTS SHOULD PROVIDE ANY NEW INFORMATION, OR ANY INFORMATION THAT WAS OMITTED FROM THE INITIAL REPORT WHICH CAN HELP EVALUATE THE INCIDENT.
WHERE INFORMATION HAS NOT CHANGED, EACH ITEM IS ANNOTATED WITH "N/A." INCLUDE ANY NEW INFORMATION.
THIS REPORT CAN BE USED FOR STATUS OF THE ONGOING REPORT IF NOT COMPLETED IN THE REQUIRED TIME LIMIT.//

Message Format and Required Content for Final Incident Reports

FM: UNIT/BASE/COMSEC ACCOUNT//
TO: (SAME AS INITIAL REPORT)//
INFO: SAME AS INITIAL REPORT//
C L A S S I F I C A T I O N (NOTE: As a minimum mark "FOR OFFICIAL USE ONLY")
MSGID/GENADMIN/(SENDER'S OFFICE/-/MONTH)//
SUBJ/COMSEC INCIDENT (COMPLETE CASE NUMBER AND ALL OTHER AGENCIES ASSIGNED CASE NUMBERS)--FINAL REPORT//
REF/A/REFERENCE THE DTG AND UNIT IDENTIFIER OF INITIAL REPORT//
REF/B/REFERENCE ALL OTHER MESSAGE/CORRESPONDENCE RELATING TO THE INCIDENT//
POC/NAME/TITLE/UNIT/LOC:/TEL:DSN//
1. PART 1: THE INQUIRY OFFICER'S REPORT VERBATIM.
2. PART 2: MUST INCLUDE THE VIOLATING UNIT COMMANDER'S COMMENTS.
3. PART 3: MUST INCLUDE THE COMSEC MANAGER'S COMMENTS.//

REPORT DISTRIBUTION

A7.1. Minimum Distribution for Initial and Amplifying COMSEC Incident Reports. The action addressee evaluates the incident under the guidelines in Attachment 8, unless the responsibility is delegated to another organization. The following guidelines also apply:
A7.1.1. If hard-copy keying materials are used on a two-member net and a controlling authority is not formally designated, the Register 1 holder performs controlling authority functions. The office of primary responsibility (OPR) serves as the controlling authority until the Register 1 holder is identified.
A7.1.2. The organization that directed the electronic key generation performs the controlling authority functions unless those functions are delegated to another organization.
A7.1.3. Address incidents involving COMSEC publications produced by departments and agencies other than NSA to that department or agency and send an information copy to NSA and HQ AFC4A/SYSC.
A7.1.4. If the controlling authority is responsible for the incident (and is USAF) and only that one piece of material is involved, submit the report action to HQ AFC4A/SYSC and info NSA and the MAJCOM.
A7.1.5. COMSEC incident monitoring activities and their addresses are:
A7.1.5.1. NSA: Message -- DIRNSA FT GEORGE G MEADE MD//V51A//
A7.1.5.2. USAF: Message -- HQ AFC4A SCOTT AFB IL//SYSC//
A7.1.5.3. United States Army: Message -- CDRINSCOM FT BELVOIR VA//IAOPS-CI//
A7.1.5.4. United States Navy, United States Marine Corps, United States Coast Guard, and the Military Sealift Command: Message -- DCMS WASHINGTON DC//20//
A7.1.5.5. For Appeal Process: Message -- HQ USAF WASHINGTON DC//SCX//
A7.1.6. Address initial message reports as follows:
A7.1.6.1. Physical or Cryptographic Incidents: Refer to Attachment 4.
A7.1.6.2. Personnel Incidents:
A7.1.6.2.1. Send action copy to DIRNSA/V51A and info HQ AFC4A/SYSC.
A7.1.6.2.1.1. Captured or Missing and Presumed Captured:
A7.1.6.2.1.1.1. When an absentee returns to United States control or dies, notify all initial report addressees.
A7.1.6.2.1.1.2. Upon return to United States control, have the individual questioned by an AFOSI agent, if possible, or by an appropriately cleared COMSEC manager to determine if classified COMSEC information was compromised. The COMSEC manager will advise all initial report addressees of the interrogation results.
A7.1.6.2.1.1.3. Send a final report. The report discussed in A7.1.6.2.1.1.2 may serve as the final report by adding the statement, "The interrogation or inquiry revealed no definite evidence of compromise of classified COMSEC information or material."
A7.1.6.2.1.2. Personnel Absent Without Leave, Deserters, and Defectors:
A7.1.6.2.1.2.1. Submit the initial report immediately upon status declaration.
A7.1.6.2.1.2.2. The individual's commander will send interim reports every 30 days through COMSEC channels until the person is apprehended or returned to United States control, or until NSA or HQ AFC4A/SYSC advises that further reporting is no longer required.
A7.1.6.2.1.2.3. Upon apprehension or return to United States control, have the person questioned by an AFOSI agent, if possible, or by an appropriately cleared COMSEC manager to determine if classified COMSEC information was compromised. If circumstances dictate, initiate further inquiry to determine if there was a compromise of classified COMSEC material or information. The COMSEC manager will advise all initial report addressees of the interrogation or inquiry results.
A7.1.6.2.1.2.4. Send a final report. The initial report may serve as the final report by adding the statement, "The interrogation or inquiry revealed no definite evidence of compromise of classified COMSEC information or material."
A7.1.6.2.2. Send an info copy to the individual's unit MAJCOM and the supporting COMSEC account's MAJCOM. Send a copy to the unit of the person involved if other than the reporting unit.

COMSEC INCIDENT EVALUATION GUIDE

A8.1. Guidelines for Evaluating COMSEC Incidents.
A8.1.1. COMSEC incident evaluation and compromise recovery are two separate, distinct actions. Take compromise recovery actions as soon as possible according to AFI 33-215. Evaluation is an administrative adjudication that must be accomplished according to the time limits listed in A8.2, but must not be excessively influenced by any recovery actions that have already been taken. For example, if a controlling authority initiated precautionary supersession based on an initial report, and subsequent reports presented mitigating circumstances, the evaluating authority is not required to evaluate the incident as a compromise. Conversely, a controlling authority is not required to initiate precautionary supersession when an incident is evaluated as "compromise" or "compromise cannot be ruled out," if in the evaluating authority's opinion, supersession is not warranted or is not feasible.
A8.1.2. Evaluate COMSEC incidents by using one of the following terms:
A8.1.2.1. Compromise. The material was irretrievably lost or available information clearly proves that the material was made available to an unauthorized person.
A8.1.2.2. Compromise Cannot Be Ruled Out. Available information indicates that the material could have been made available to an unauthorized person, but there was no clear proof that it was made available.
A8.1.2.3. No Compromise. Available information clearly proves that the material was not made available to an unauthorized individual.
A8.1.3. COMSEC incident evaluation is often a subjective process, even when the controlling authority has all pertinent facts. While it is not possible to discuss in this publication all possible types of COMSEC incidents that controlling authorities may need to assess, the following guidelines are provided for consistency in assessing commonly encountered types. Complete guidelines for evaluating incidents involving Joint Chiefs of Staff (JCS) PCM are contained in Joint Pub 1-04.
A8.1.3.1. Lost keying material, including keying material believed destroyed without documentation, and material temporarily out of control (that is, was believed lost but later recovered under circumstances where continuous secure handling was not assured or was found in an unauthorized location) should be evaluated as "compromise."
A8.1.3.2. Unauthorized access to keying material should be evaluated as "compromise." Access exists when an individual has the capability and opportunity to gain detailed knowledge of, or to alter information or material. An individual does not have access if that individual is under escort or under the observation of a person authorized access, or if physical controls prevent detailed knowledge or altering of information or material.
A8.1.3.3. Unauthorized absence of personnel with access to keying material should be evaluated as "compromise cannot be ruled out" unless there is evidence of theft, loss of keying material, or defection. However, when an individual with prior access to keying material is officially reported by the commander as an unauthorized absentee, an immediate inventory must be made of all material that individual had access to. If there is evidence of theft or loss of keying material, or defection of personnel, the controlling authority must consider the material compromised and initiate emergency supersession.
A8.2. Time Limits for Evaluating COMSEC Incidents.

A8.2.1. Evaluate COMSEC incident reports within the time limits specified below. Time limits begin upon receipt of the initial or amplifying report if the initial report does not contain sufficient information to make an evaluation. The evaluating authority must solicit any information required to make an evaluation.
A8.2.2. Evaluate initial reports of the following incidents or respond within 24 hours:
A8.2.2.1. Currently effective keying material or keying material scheduled to become effective within 15 days.
A8.2.2.2. Defection, espionage, hostile cognizant agent activity, clandestine exploitation, tampering, penetration or sabotage, or unauthorized copying, reproduction, or photography.
A8.2.3. Evaluate initial reports of the following incidents or respond within 48 hours:
A8.2.3.1. Future keying material scheduled to become effective beyond the next 15 days.
A8.2.3.2. Superseded, reserve, or contingency keying material.
A8.2.4. Evaluate initial reports of COMSEC incidents not covered above or respond within 5 duty days.

FORMAT FOR APPOINTMENT MEMORANDUM OF INQUIRY (OR INVESTIGATING) OFFICIAL

MEMORANDUM FOR MAJOR JOHN JONES

FROM: 932 AAW/CC

203 W Losey Street, Room 1234
Scott AFB IL 62225-1234
SUBJECT: Appointment of COMSEC Inquiry (or Investigating) Official

1. You are appointed to perform the duties of an inquiry (or investigating) official as outlined in AFI 33-212, Reporting COMSEC Incidents. As the appointed official, you are my personal representative in this matter. Your primary duties are to conduct an inquiry (or investigation) into the (state reason for appointment), to determine if a compromise has occurred, and to prepare a report according to AFI 31-401, Managing the Information Security Program, and appropriate attachments. Second, you are to determine if COMSEC weaknesses exist that need to be addressed.

2. You are to gather the facts surrounding the incident and to make recommendations based on those facts. You DO NOT evaluate COMSEC incidents; that decision is made by the controlling authority.

3. Process your report through me. The report is due by (15 days from the date of the initial report). If you cannot meet the deadline, contact my office immediately.

4. Point of contact throughout this inquiry is (name of POC) at extension XXXX.

JOHN DOE, Colonel, USAF
Commander