Air Force
Intelligence and Security Doctrine

Communications

COMMUNICATIONS SECURITY (COMSEC)

FUNCTIONAL REVIEW PROGRAM

This instruction implements Air Force Policy Directive (AFPD) 33-2, C4 Systems Security. It establishes the Communications Security (COMSEC) Functional Review Program and takes precedence over all other Air Force publications affecting this program. It is applicable to Air Force military, civilian, and contractor personnel involved in the COMSEC inspection program. Refer recommended changes or questions pertaining to this instruction to the Headquarters Air Force Command, Control, Communications, and Computer (C4) Agency (HQ AFC4A), Directorate of Systems and Procedures, Systems Security Branch (HQ AFC4A/SYSC), 203 West Losey St, Room 2040, Scott AFB IL 62225-5234. Refer conflicts between this and other instructions to HQ AFC4A, Plans and Analysis, Policy and Procedures Branch (HQ AFC4A/XPXP), 203 West Losey St, Room 1065, Scott AFB, IL 62225-5224, on AF Form 847, Recommendation for Change of Publication. Provide printed copies of supplements to this instruction to HQ AFC4A/SYSC. For a listing of references and acronyms, see attachment 1.

SUMMARY OF REVISIONS

This is the initial publication of this Air Force instruction (AFI) that supersedes Air Force Special Security Instruction (AFSSI) 4009 (FOUO), COMSEC Inspection Program, and aligns it with AFPD 33-2. It changes the title "COMSEC Inspection Program" to "COMSEC Functional Review Program." It changes the rating categories from a four-level system to a two-level system. It deletes using the contractor account checklist.

1. COMSEC Functional Review Program. This program consists of:
1.1. Command COMSEC Functional Reviews--managed by major command (MAJCOM) COMSEC functional managers.
1.2. Wing COMSEC Manager's Functional Reviews--managed by wing COMSEC managers.

2. Command COMSEC Functional Review. These reviews evaluate the wing COMSEC program and is comprised of two elements:
2.1. A COMSEC administrative functional review that includes but is not limited to:
2.1.1. Review of secure operating procedures and practices.
2.1.2. Review of handling and storage of COMSEC material.
2.1.3. Evaluation of routine and emergency destruction capabilities and procedures.
2.1.4. Review of support provided to and received from COMSEC responsible officers (CRO) and COMSEC users (CU).
2.2. A COMSEC account audit that is:
2.2.1. A Complete physical accounting of the COMSEC Material Control System (CMCS) holdings of the COMSEC account, CROs and CUs.
2.2.2.. A review of all COMSEC accounting reports and records. NOTE: The administrative review and the audit are conducted concurrently.

3. Reviewers of Command COMSEC Functional Reviews. The reviewers must be master sergeants or above, or GS-9 or above civilian equivalents. Personnel performing these reviews must have extensive on-the-job experience in COMSEC account management or have completed the COMSEC Account Management Qualification Training Package.
3.1. Normal review procedures contained herein typically do not apply to two-person control COMSEC aids. To review COMSEC accounts that hold this material, use the following procedures:

3.1.1. For positive control material and devices, perform required COMSEC functional reviews and inventories using AFKAG-31, Control and Handling of PAL Code Material, review requirements and guidance.
3.1.2. For COMSEC material in support of missile systems, perform all required reviews using the checklist in AFKAG-3, Controlling and Handling of Specified COMSEC Material for Missile Systems.

NOTE: Some MAJCOMs have COMSEC aids that are placed under two-person control following receipt by individual COMSEC accounts. For this type of material, the MAJCOM must establish the control and review criteria.

4. Types of Command COMSEC Functional Reviews:
4.1. Initial Reviews. MAJCOMs will perform initial reviews within 60 days of activation of new United States Air Force (USAF) or USAF contractor-operated COMSEC accounts. This review will ensure the COMSEC manager, the Facility Security Officer (FSO), and the COMSEC personnel are maintaining the account satisfactorily. During the review, the reviewer will provide assistance and guidance as required. (See Department of Defense [DoD] 5220.22-S, COMSEC Supplement to Industrial Security Manual for Safeguarding Classified Information, March 1988)
4.2. Periodic Reviews. Perform periodic reviews within 24 months (12 months for research and development contractor's Air Force accounts) after a previous command review, or as directed. If the COMSEC account is in an overseas area where the tour is 15 months or less, MAJCOMs must review it within the last 90 days of the manager's tour. Review administrative or special accounts below MAJCOM level every 24 months.
4.2.1. Except for secure telephone unit (STU)-III Responsible Officers (SRO), review all CROs and CUs holding CMCS material. Indicate CROs and CUs that were not reviewed and the reason why in the report.
4.2.2. MAJCOM reviewers will evaluate the corrective actions taken as a result of the previous command reviews. Reviewers will also evaluate corrective actions taken as a result of COMSEC incidents and Wing COMSEC Managers Reviews. They will also provide additional assistance and guidance as needed.
4.2.3. At the conclusion of a Command COMSEC Functional Review, reviewers will out-brief the senior host operational commander (normally the wing commander) supported by the wing COMSEC account or the contractor's FSO. Additionally, reviewers will out-brief the commander exercising authority over the COMSEC manager, and the commander of CROs and CUs who fail to meet minimum storage, handling, and destruction requirements for their COMSEC material.
4.2.4. Personnel from HQ AFC4A/SYSC will periodically accompany MAJCOM reviewers and are available to assist them during Command COMSEC Functional Reviews of operational accounts. Frequency of HQ AFC4A/SYSC visits will be kept to a minimum necessary to maintain currency in COMSEC operations.
4.3. Close-Out Review. MAJCOMs will conduct a close-out review of contractor and contractor-operated COMSEC accounts prior to account deactivation.
4.3.1. Perform the review within 60 days of the scheduled account deactivation date.
4.3.2. The reviewer will assist the FSO and the COMSEC manager by validating the accuracy, completeness, and clarity of the procedures to dispose of all material held by the account.

5. Wing COMSEC Manager's Functional Review. These reviews provide an effective local management tool to ensure COMSEC material is properly safeguarded and managed. They are performed by COMSEC managers in the name of the senior host operational commander and the FSO for contractors. In the absence of the FSO, a designated representative or the COMSEC manager may perform the review for contractor accounts. Reviews cover the wing COMSEC account and all CROs that have CMCS holdings (except SROs) supported by the wing account. Individuals performing the reviews will physically inspect the facilities, review procedures, and audit the CMCS holdings. Commanders are encouraged to participate in these reviews.
5.1. Perform Wing COMSEC Manager's Functional Reviews semiannually.
5.2. Perform these reviews at newly established COMSEC accounts between the third and the sixth month after the initial review. These reviews may be conducted as staff assistance visits, and the results must be documented.

6. AFCOMSEC Form 19, COMSEC Functional Review Criteria. Use AFCOMSEC Form 19 or the Inspector software program during Command COMSEC Functional Reviews and Wing COMSEC Manager's Functional Reviews. MAJCOMs and COMSEC accounts may supplement the form or the program. When a question on the form results in a "no" response, consider that item a discrepancy.

7. Review Rating Procedures.
7.1. MAJCOMs will establish rating criteria for their Command COMSEC Functional Reviews, using ratings of "satisfactory" or "unsatisfactory." MAJCOM rating criteria should take into consideration the impact of discrepancies identified (e.g., significant accountability problems are certainly grounds for an unsatisfactory rating regardless of how the remainder of the functional review turns out, whereas strong accountability with several minor administrative discrepancies wouldn't necessarily make an account unsatisfactory). Reviews will rate each COMSEC account using the MAJCOM rating criteria.
7.2. Wing COMSEC Manager's Functional Reviews of CROs and CUs will use the host command rating criteria.
7.3. Functional review reports must include the rationale for the overall rating.
7.4. MAJCOMs will conduct follow-up reviews of "unsatisfactory" accounts within 90 days.

8. Review Report Preparation. The reviewer documents the results of all Command COMSEC Functional Reviews and Wing COMSEC Manager's Functional Reviews in a narrative format (see attachment 2). You may attach copies of annotated checklists.
8.1. Reviewers must properly classify review reports according to Air Force Manual (AFMAN) 33-272 (S), Classifying Communications Security and TEMPEST Information (U).
8.2. If it was not possible to review all CROs and CUs holding CMCS material, indicate that in the report and include the reasons.

9. Functional Review Report Processing.
9.1. Process Command COMSEC Functional Review reports containing deficiencies through COMSEC channels to the reviewed activity's Command COMSEC functional manager. When a review is performed by a MAJCOM other than the reviewed activity's headquarters, the reviewed activity processes the report through its own MAJCOM COMSEC channels to its MAJCOM COMSEC functional manager. MAJCOM COMSEC functional managers will provide information copies of command reviews and follow-up reports to HQ AFC4A/SYSC which includes unit responses. HQ AFC4A/SYSC uses these reports to identify and resolve weaknesses in the Air Force COMSEC Program and to develop trend analysis summaries.
9.2. Send a courtesy copy of Wing COMSEC Manager's Functional Review reports through the COMSEC manager's commander to the senior host operational commander.
9.2.1. Also send a copy of each CU Wing COMSEC Manager's Functional Review through the CU's commander to the CRO.
9.3. Process functional review reports within 10 workdays.

10. Functional Review Report Responses.
10.1. Frequently a Command COMSEC Functional Review reveals deficiencies that must remain open until corrected. Open items require 90-day follow-up reporting through MAJCOM COMSEC channels to the MAJCOM COMSEC functional manager.
10.2. Reviewed activities must address all deficiencies identified in functional review reports. Replies must address the specific actions to correct and eliminate the basic cause of the deficiencies and provide enough detail to permit effective evaluation. (See example in attachment 3.)
10.3. Each reviewing authority must provide a concurrence or nonconcurrence with the corrective actions taken and endorse the report to the next reviewing authority.
10.4. MAJCOM COMSEC functional managers are the final authority on determining the adequacy of unit responses to MAJCOM reviews and the closing of individual deficiencies or reports.
10.5. The local COMSEC manager is the final authority on determining the adequacy of unit responses to Wing COMSEC Manager's Functional Review and the closing of individual discrepancies or reports.
10.5.1. Open items on Wing COMSEC Functional Manager's Review reports require 60-day follow-up reporting to the COMSEC manager.

11. Form Prescribed. This publication prescribes AFCOMSEC Form 19, COMSEC Functional Review Criteria.

CARL G. O'BERRY, Lt General, USAF

DCS, Command, Control, Communications

and Computers

AFKAG-1, Air Force Communications Security (COMSEC) Operations
AFKAG-2, AF COMSEC Accounting Manual
AFKAG-3, Controlling and Handling of Specified COMSEC Material for Missile Systems
AFKAG-31, Control and Handling of PAL Code Material
DoD 5220.22-S, COMSEC Supplement to Industrial Security Manual for Safeguarding Classified Information
AFPD 33-2, C4 Systems Security
AFMAN 33-272 (S), Classifying Communications Security and TEMPEST Information (U)

Abbreviations and Acronyms

Abbreviation Definition
or Acronym

AFCOMSEC Air Force Communications Security
AFDP Air Force Policy Directive
AFI Air Force Instruction
AFMAN Air Force Manual
AFSSI Air Force Special Security Instruction
C4 Command, Control, Communications, and Computers
CMCS COMSEC Material Control System
COMSEC Communications Security
CRO COMSEC Responsible Officers
CU COMSEC Users
DoD Department of Defense
FSO Facility Security Officer
HQ AFC4A Headquarters Air Force C4 Agency
MAJCOM Major Command
SRO STU-III Responsible Officer
STU Secure Telephone Unit
USAF United States Air Force

FROM: HQ AFC4A/SYSC

SUBJECT: Report of Command COMSEC Functional Review - ACTION MEMORANDUM

Section I - General

1. This overall review rating is Satisfactory.

2. The Command COMSEC Functional Review of COMSEC Account 600000, 0001 Communications Group, Scott AFB IL was conducted by (names of reviewers) from (inclusive dates of the Review). The review provides valuable insight into the COMSEC posture of (wing/site name), and includes all users of the COMSEC account. The previous review was conducted (date of last review). The authority for this review is AFI 33-213.

3. COMSEC Account 600000 is an operational account providing COMSEC support and guidance to 28 user agencies.

4. Personnel contacted:

Colonel Jones--275AAW Commander
Colonel Parks--0001CG Commander
Lt Colonel West--001CG Director of Operations
MSgt Young--COMSEC Manager
MSgt Davis--Alternate COMSEC Manager
Sgt Owens--COMSEC Accountant

Section II - Findings/Recommendations

5. Deficiencies associated with the AFCOMSEC Form 19 or Inspector program's checklist.

Item 1.

a. Finding: Wing COMSEC Manger's Functional Reviews of the COMSEC account and user agencies were not conducted semiannually or during the change of manager in August 1993.

Ref: AFI 33-213, paragraph 4

b. Recommendation: The COMSEC Manager must ensure:

(1) Thorough self-reviews of the COMSEC account and each user agency are scheduled and conducted at approximately 6-month intervals.

(2) AFCOMSEC Form 19 or the Inspector program's checklist is used to conduct reviews.

(3) All reviews are documented and forwarded through user agency commanders. Aggressive follow-up actions should be pursued and review reports must be maintained on file for review during Command COMSEC Functional Reviews.

Section III - Other Comments:

6. Other Deficiencies.

a. Finding 1: The COMSEC account did not have a suspense system to ensure accurate and timely issuance of COMSEC materials required by their user agencies.
(CA600000)

Ref: AFKAG-1/ACC Sup 1, paragraph 1-20(added)

b. Recommendation: The COMSEC Manager must establish a suspense system and ensure it meets the minimum requirements outlined in the applicable directives.

7. Laudatory comments.

8. List all user agencies that were not reviewed and the reason why.

9. Request you endorse this report through command COMSEC channels within 10 workdays of receipt. If you are unable to correct all deficiencies in the 10 days, then provide the status of the corrective actions underway and include the estimated completion date.

Signature Block

FROM: DOM/CA600000

SUBJECT: Follow-up Number 2 to Command COMSEC Functional Review, (inclusive Review date) - ACTION MEMORANDUM

Section I

1. This is our second follow-up to the Command COMSEC Functional Review conducted by (names of reviewers) from 20-24 Feb 94. The following items remain open from follow-up number 1, 5 Mar 94.

Section II

Item 1.

a. COMMENTS: A Wing COMSEC Manager's Functional Review schedule was established and 18 user reviews are complete. Ten users and the COMSEC account must still be reviewed. The functional reviews are proceeding very well. We are using this opportunity to train users and to improve rapport with our users.

b. STATUS: Open. Estimated completion date is 1 Apr 94.

Section III

Finding 1.

a. COMMENTS: A viable suspense system was developed and tested.

b. STATUS: Recommend item be closed.

2. Additional comments, if required.

3. POC is MSgt Yount, COMSEC Manager, DSN 555-1234.

Signature Block