ORDER
Date: 3/5/91
Initiated
by: ACO-300
Subject: COMMUNICATIONS SECURITY (COMSEC)
FOREWORD
This order establishes policies and procedures and assigns
responsibilities for ensuring agency compliance with requirements
of the national communications security (COMSEC) policy.
The guidance in this order is based upon COMSEC policy directives
promulgated by the National Security Agency and implementing
regulations and directives issued by the United States Air Force.
Should a conflict exist between the requirements of this order
and the appropriate national COMSEC policy or implementing
directive, the national policy or directive will in all cases
apply. Instances of this type will be reported expeditiously to
this headquarters.
This order is marked FOR OFFICIAL USE ONLY. It is to be
safeguarded, handled and processed in accordance with
requirements of Order 1600.15D. This order is not releasable to
contractors or to foreign nationals without the specific approval
of the Assistant Administrator for Civil Aviation Security,
Washington, D.C. However, dissemination of pertinent information
extracted from this order to contractors having a need-to-know is
permissible when such release is authorized by applicable
National COMSEC Instructions (NACI).
Changes in national COMSEC policy reflected in this order such as
the institution of the Formal Cryptographic Access Program have
been coordinated with and accurately state the position of the
Office of the Secretary of Transportation.
All FAA personnel whose duties require them to handle, process,
store, safeguard, or otherwise have access to classified
cryptographic material are required to become familiar with and
conform to the requirements of this order.
/s/ James B. Busey
Administrator
FOR OFFICIAL USE ONLY
NOT RELEASABLE TO FOREIGN NATIONALS
NOT RELEASABLE TO CONTRACTORS WITHOUT ORIGINATOR'S APPROVAL
TABLE OF CONTENTS
Page
CHAPTER 1. GENERAL 1
1. Purpose 1
2. Distribution 1
3. Cancellation 1
4. Explanation of Changes 1
5. Definitions 2
6. Forms and Reports 2
7. Requests for Information 2
8. Statement of Intent 2
9. Scope 2
10. Responsibilities 2
11. Interpretation 2
12. Authority to change this Order 7
13.-19. Reserved 7
CHAPTER 2. POLICY FOR GRANTING ACCESS TO U.S.
CLASSIFIED CRYPTOGRAPHIC INFORMATION 13
SECTION 1. POLICY 13
20. General 13
21. Policy 13
SECTION 2. DEFINITION 13
22. Cryptographic Information 13
SECTION 3. CRITERIA 14
23. Access Requirements 14
24. Polygraph 14
25. Contacts with Foreign Nationals and Unofficial
Foreign Travel to Communist or other Designated
Countries 15
SECTION 4. GRANTING FORMAL CRYPTOGRAPHIC ACCESS 15
26. Scope 15
27. Preparing AFCOMSEC Form 9 17
28. Withdrawing FCA 18
29. Certificates of Personnel Declining Cryptographic
Access 19
30.-34. Reserved 19
CHAPTER 3. COMMUNICATIONS SECURITY (COMSEC) DUTIES AND
RESPONSIBILITIES 27
35. General 27
36. COMSEC Custodians and Alternates 27
37. Training 28
38. Waivers 30
39. Duties of the COMSEC Custodian 30
40. Performance Standards 31
41. Appointment of Custodians and Alternates 32
42. Monitoring Responsibilities 32
43.-49. Reserved. 33
CHAPTER 4. SAFEGUARDING COMSEC FACILITIES 39
SECTION 1. GENERAL 39
50. Purpose 39
51. Referenced Publications 39
52. Background 39
SECTION 2. PHYSICAL SECURITY STANDARDS 40
53. Physical Security Standards for Fixed COMSEC
Facilities 40
54. Installation Criteria 40
55. Facility Approvals, Inspection, and Tests 41
56. Intrusion Detecting Systems 43
57.-60. Reserved 43
SECTION 3. ACCESS RESTRICTIONS AND CONTROLS 43
61. Unescorted Access 43
62. Escorted Access 45
63. Visitor Register 45
64. No-Lone Zones 46
65. Guard Services 46
66.-70. Reserved 47
SECTION 4. PROTECTION OF UNATTENDED COMSEC EQUIPMENT 47
71. General 47
72. Protection Requirements 47
73.-77. Reserved 48
SECTION 5. PROTECTION OF LOCK COMBINATIONS 48
78. Purpose 48
79. Protection Requirements 48
80. Access to Combinations 49
81. Record of Combinations 49
82.-86. Reserved. 50
SECTION 6. NONESSENTIAL AUDIO/VISUAL EQUIPMENT 51
87. Personally Owned Equipment 51
88. Government Owned Equipment 51
89.-94. Reserved 51
SECTION 7. STANDARD OPERATING PROCEDURES (SOP) 51
95. Requirement 51
96. Emergency Plan 52
97.-101. Reserved 53
CHAPTER 5. SAFEGUARDING AND CONTROL OF COMMUNICATIONS
SECURITY MATERIALS 65
102. General 65
103. Definitions 66
104. Handling Keying Material 66
105.109. Reserved 66
SECTION 1. GENERAL INFORMATION APPLICABLE TO ALL
COMSEC MATERIAL 66
110. Responsibilities for Safeguarding COMSEC Material 66
111. Transport of COMSEC Material 67
112. Courier Responsibilities 68
113. Open Display of COMSEC Material and Information 68
114. Destruction 68
115. Reporting Insecurities 68
116. Evidence of Tampering 69
117. Alteration of COMSEC Material 69
118. Clearance Requirements for Guards 69
119. Storage Requirements 69
120. Other COMSEC Information 70
121. Disposition of COMSEC Materials 71
122. Page Checks of COMSEC Publications 72
123. Daily or Shift Inventory Requirements 73
124. COMSEC Account Record File 73
125.-129. Reserved 74
CHAPTER 6. CONTROLLED CRYPTOGRAPHIC ITEMS (CCI) 79
130. Purpose and Background 79
131. Definitions 79
132. Control Requirements 80
133. Inventories 84
134. Reporting Insecurities 84
135. Routine and Emergency Destruction 84
136.-144. Reserved 84
CHAPTER 7. SECURE VOICE 89
SECTION 1. GENERAL 89
145. Purpose 89
146. Types and Models of STU-III 89
147. Definitions 89
148.-150. Reserved 91
SECTION 2. EXCEPTIONS 91
151. Requests for Exception 91
152.-153. Reserved 91
SECTION 3. COMSEC CUSTODIAN DUTIES AND
RESPONSIBILITIES 91
154. General 91
155. Receipt of Key 91
156. Accounting for Key 92
157. Notices from the KMS/CAO 93
158.-160. Reserved 94
SECTION 4. KEYING OF TERMINALS 94
161. Initial Keying of Terminals 94
162.-163. Reserved 94
SECTION 5. ACCOUNTABILITY 94
164. Cryto-Ignition Key Handling and Local Accounting 94
165.-166. Reserved 95
SECTION 6. REKEYING 96
167. Electronic Rekeying 96
168.-170. Reserved 96
SECTION 7. PHYSICAL SECURITY 96
171. Unkeyed Terminal Type 1 96
172. Keyed Terminal 96
173. Terminal Display 97
174. Use by Other U.S. Personnel 97
175. Use by Foreign Nationals 98
176. Storage 98
177. Use of the Secure Data Mode 98
178. After Hours Protection 98
SECTION 8. TRANSPORTATION 98
179. Type 1 Terminals 98
180.-182. Reserved 99
SECTION 9. INSTALLATION 99
183. General 99
184. Residences 100
185.-186. Reserved 100
SECTION 10. MAINTENANCE 100
187. General 100
188. Access 100
189.-190. Reserved 100
SECTION 11. PROTECTION OF KEY STORAGE DEVICES 101
191. General 101
192. Fill Devices 101
193. Crypto-Ignition Keys (CIKs) 102
194. Protection and Use of the Micro-KMODC 104
195.-198. Reserved 104
SECTION 12. DESTRUCTION AND EMERGENCY DESTRUCTION 104
199. General Requirement 104
200. Reserved 104
SECTION 13. REPORTABLE INSECURITIES 105
201. Insecure Practice/COMSEC Incident Handling 105
202.-204. Reserved 106
SECTION 14. RECORDS RETENTION 106
205. General 106
206.-208. Reserved 106
APPENDIX 1. REQUIRED FORMS AND REPORTS (2 pages) 1
APPENDIX 2. SAMPLE CRYPTOGRAPHIC ACCESS BRIEFING (9 pages) 1
APPENDIX 3. CRYPTOGRAPHIC ACCESS CERTIFICATE (1 page) 1
APPENDIX 4. SECURE TELECOMMUNICATIONS FACILITY 1
AND COMSEC ACCOUNT CHECKLIST (6 pages)
APPENDIX 5. PUBLICATIONS TO BE MAINTAINED BY ALL 1
FAA COMSEC ACCOUNTS (2 pages)
APPENDIX 6. PHYSICAL SECURITY STANDARDS FOR FIXED 1
COMSEC FACILITIES (3 pages)
APPENDIX 7. STANDARDS FOR SAFEGUARDING KEYING MATERIAL 1
(4 pages)
APPENDIX 8. ROUTINE DESTRUCTION AND EMERGENCY PROTECTION 1
OF COMSEC MATERIAL (7 pages)
FOR OFFICIAL USE ONLY
PUBLIC AVAILABILITY TO BE
DETERMINED UNDER 5 U.S.C. 552
CHAPTER 1. GENERAL 1. PURPOSE. This order prescribes FAA standards and procedures for communications security (COMSEC) and implements changes in national COMSEC policy for FAA COMSEC operations. 2. DISTRIBUTION. This order is distributed to Regional Administrators and Center Directors: to the director level in the Office of System Engineering and Program Management, Office of Air Traffic System Management, Air Traffic Plans and Requirements Service, Advanced System Design Service, Office of Human Resource Development, Office of Training and Higher Education, and Logistics Service; to the division level in the Systems Maintenance Service, and Office of Civil Aviation Security, Operations to Emergency Operations Staff (ADA-20), Regional and Aeronautical Center Civil Aviation Security Divisions, Technical Center Civil Aviation Security Staff, Europe, Africa and Middle East Civil Aviation Security Staff; to COMSEC custodians including Air Route Traffic Control Centers; to the FAA manager/supervisor at each Joint Use System Long Range Radar Site; to Associate Program Managers for Engineering, Communications and Aircraft Acquisition Program. 3. CANCELLATION. Order 1600.8B, Communications Security (COMSEC), dated November 14, 1975, is canceled 4. EXPLANATION OF CHANGES. This order updates FAA COMSEC policies and procedures to reflect national COMSEC policy guidance from the National Security Agency (NSA), and the U.S. Air Force (USAF). It also establishes new training standards for individuals assigned as COMSEC custodians. This revision: a. Promulgates changes in national policy contained in NSA National COMSEC Instructions (NACSI) and National Telecommunications and Information Systems Security Instructions (NTISSI). b. Establishes a Formal Cryptographic Access (FCA) Program in FAA to include mandatory requirements for cryptographic access briefings and Cryptographic Access Certificates. c. Disseminates USAF guidance for implementing national COMSEC policy as set forth in USAF Regulations (AFR), USAF Special Purpose/Operational Miscellaneous (AFSAL) publications and related documents. d. Prescribes policies and procedures governing the utilization and safeguarding of Controlled Cryptographic Items (CCI). e. Prescribes mandatory formal training requirements for COMSEC custodians. f. Prescribes guidance concerning the Secure Terminal Unit (STU) III secure voice system. g. Establishes requirements for the inclusion of COMSEC duties and responsibilities as a Critical Job Element (CJE) in the individual performance standards for the COMSEC custodian and alternate(s). 5. DEFINITIONS. The definitions contained in National Communications Security Committee (NCSC) 9 and Air Force Regulation (AFR) 56-2 apply to this order. Definitions not contained in these references will be provided in the body of the order. 6. FORMS AND REPORTS. Appendix 1, Required Forms and Reports, contains a listing of the forms and reports required by this order. Additional reporting requirements will be addressed in the portion of the order to which they pertain. 7. REQUESTS FOR INFORMATION. Questions on the interpretation of the provisions of this order or their application shall be referred to the servicing security element in regions and centers or to the Director, Office of Civil Aviation Security, Operations, ACO-1, 800 Independence Avenue, S.W., Washington, D.C. 20591. 8. STATEMENT OF INTENT. It is the intention of the FAA to ensure that requirements of the national COMSEC policy are fully understood and implemented by all having responsibilities for COMSEC operations and support within the agency. 9. SCOPE. a. The provisions of this order apply to all FAA employees, military, civilian, and contractor, who are holders or users of NSA produced or authorized cryptographic information or who otherwise have access to such information, regardless of duty station, location, or position. b. FAA procurement actions which result in requirements for contractors to generate or utilize NSA approved or authorized/ cryptographic information in the performance of the contract will be accomplished in accordance with Order 1600.56, Guidelines for FAA Participation in the Department of Defense (DOD) Industrial Security Program (ISP). Access requirements shall be specified in accordance with National Telecommunications and Information Systems Security Policy (NTISSP) Number 3. 10. RESPONSIBILITIES. a. Director, Office of Civil Aviation Security, ACO-1 is responsible for: (1) Implementing the national COMSEC policy and the provisions of this order within the FAA. (2) Recommending policies for safeguarding of FAA information and data using COMSEC techniques to provide the required degree of protection. (3) Ensuring that cryptologic access briefings and debriefings are conducted and that cryptographic access certificates are signed in accordance with provisions of this order. (4) Establishing and ensuring the implementation of standards and procedures for handling, safeguarding, accounting, destruction, storage, access and control of classified and unclassified COMSEC and other NSA approved and authorized cryptographic materials in accordance with national COMSEC policy and this order. (5) Developing standards and procedures for physical and environmental security of FAA cryptographic communications installations. (6) Ensuring in coordination with the Program Director for Communications, FAA COMSEC equipment installations are designed in accordance with applicable national COMSEC policies pertaining to on-line and TEMPEST engineering standards. (7) Monitoring headquarters, region, and center COMSEC accounts and appointment of COMSEC custodians. (8) Ensuring that countermeasures and specialized communications security inspections are conducted of COMSEC secure communications areas in accordance with NSA and USAF directives, and this order. b. National Airspace System Engineering Service, ASE, is responsible for: (1) Development of National Airspace System (NAS) plan/and baseline system requirements for COMSEC systems. (2) Ensuring the baselined COMSEC system requirements and interface requirements are consistent with national COMSEC engineering and security standards established by the NSA. (3) Formulating guidance and standards applicable to acquisition of facilities and equipment including COMSEC systems. (4) Coordination with the Office of Civil Aviation Security, on NAS plans and NAS system specifications involving COMSEC security requirements and resources. c. Office of Air Traffic Systems Management, ATM, is responsible for: (1) Establishing COMSEC requirements for support of air traffic control operational telecommunications. (2) Developing and recommending national guidance, standards, and procedures for implementation of COMSEC in the security control of military and other air traffic pursuant to the FAA's support of the national defense. (3) Coordination with the Office of Civil Aviation Security in establishing procedures and standards for the identification of sensitive and classified information and data in the air traffic control system requiring COMSEC protection. (4) Ensuring that sensitive and classified telecommunications in the air traffic control system are safeguarded in accordance with national COMSEC policy. d. Air Traffic Plans and Requirements Service, ATR, is responsible for: (1) Coordination with the Office of Civil Aviation Security in developing and implementing procedures and standards for the identification of COMSEC support required to ensure a secure and effective air traffic system telecommunications capability. (2) Serving as the air traffic system focal point for coordination of COMSEC programs and requirements in support of the NAS. e. Systems Maintenance Service, ASM, is responsible for: (1) Coordination with the Office of Civil Aviation Security to: (a) Identify requirements for communications security during network planning and engineering of future telecommunications networks or expansions or modifications to present networks. (b) Ensure operational compliance with communications security requirements in telecommunications maintenance support. (2) Participate in the development of maintenance planning for COMSEC equipment and systems in the FAA, including identification of required COMSEC maintenance training for FAA personnel. f. Office of Human Resource Development, AHD, is responsible for: (1) Providing administrative and technical guidance and support for inclusion of the COMSEC custodian position in the Performance Evaluation Rating (PER) system. (2) Establishing standards and criteria for designating the responsibilities of the custodian and alternate as CJE'S. g. Office of Training and Higher Education, AHT, is responsible for: (1) Providing administrative and technical guidance and support for mandatory training for custodians at the USAF COMSEC Account Management course. (2) Establishing and incorporating in appropriate directives criteria for evaluation of COMSEC responsibilities and training in career development programs for selected employees. h. Office of Labor and Employee Relations, ALR, is responsible for facilitating the implementation of the requirements of this order as required. i. Regions and Centers are responsible for implementation of this order within their areas of jurisdiction. j. Office of Air Traffic System Management, Air Traffic Plans and Requirements Service, Systems Maintenance Service, National Airspace System Engineering Service are responsible for: (1) Implementing this order in those organizations that report to them who have a requirement for access to COMSEC information. (2) Ensuring that COMSEC custodians receive formal COMSEC account management training and that operators and maintenance personnel are properly trained in procedures for safeguarding and handling of COMSEC material required in the performance of their duties. (3) Ensuring that all authorized COMSEC materials are properly obtained, procured, installed, operated, safeguarded, destroyed, or transferred when no longer required. (4) Ensuring that viable emergency plans exist to minimize the risk of compromise of COMSEC materials during crisis situations. k. Region and Center Civil Aviation Security Divisions and Staffs are responsible for: (1) Ensuring that COMSEC information and material in offices and activities under their control or jurisdiction are safeguarded and controlled in accordance with this order. (2) Providing staff guidance, assistance, and interpretation with regard to this order. (3) Conducting COMSEC account inspections. (4) Ensuring that insecurities involving COMSEC materials are reported to cognizant authorities in a timely and comprehensive manner as required by U.S. Air Force General Publication (AFKAG) 2 and NTISSI-4003. (5) Developing and administering a Cryptologic Access Program in accordance with provisions of chapter 2, of this directive, to include the following: (a) Ensuring that all personnel within their jurisdiction requiring access to U.S. classified cryptographic information sign a Cryptologic Access Certificate (AFCOMSEC Form 9) prior to being granted access in accordance with provisions of Chapter 2 of this order and (b) Ensuring that the signed cryptographic access certificate is made a permanent part of the individual employee's official security records and is accounted for in accordance with provisions of Order 1600.1C concerning retention of security clearance/access certificates. l. COMSEC Custodian is the properly appointed individual who manages and controls the accountable COMSEC material in the COMSEC Material Control System charged to his/her activity with responsibilities which include: (1) The receipt, storage, amendment, accountability, inventory, and issuance of COMSEC material charged to his/her account and destruction or transfer of material when it is no longer required. (2) Ensuring that appropriate COMSEC material is readily available to properly authorized individuals whose duties require its use. (3) Ensuring that all persons requiring access to U.S. classified cryptographic information receive a cryptographic access briefing in accordance with this directive and sign a cryptographic access certificate before they are permitted access. (4) Advising users and supervisors, as appropriate, of the required protection and procedures which must be provided COMSEC material issued to them for use, including the authorized procedures for destruction or disposition of such material when it is no longer required. (5) Reporting COMSEC insecurities in accordance with instructions in AFKAG-2 and NTISSI-4003. COMSEC insecurities fall into three categories, cryptographic, personnel and physical. Specific examples of each type are given in NTISSI 4003. m. Individual users are responsible for: (1) Knowledge of the requirements of this order. (2) Safeguarding and proper employment of all COMSEC material he or she uses or for which he or she is responsible in accordance with the provisions of this order. (3) Promptly reporting to the custodian any occurrences, circumstances, or acts which could jeopardize the security of COMSEC material. Should the custodian be unavailable the report is submitted to the servicing security element or ACO-300. p. Program Manager, Communications and Aircraft Acquisition, ANC-1, is responsible for: (1) Management of engineering planning, development, acquisition, and implementation of COMSEC equipments and systems in support of FAA requirements and the national COMSEC policy. (2) Recommending, through coordination with the Office of Air Traffic System Management and the Office of Civil Aviation Security, and other Federal Agencies, appropriate COMSEC equipments and systems to meet identified needs. (3) Identification of required maintenance training for FAA personnel in coordination with the Systems Maintenance Service and the Office of Training and Higher Education. (4) Coordination with the Office of Civil Aviation Security, Operations, to ensure that plans and specifications for COMSEC installations are reviewed and meet all FAA NSA security requirements prior to installation. (5) Developing and recommending engineering standards and procedures to implement national TEMPEST and COMSEC engineering criteria for the secure installation and operation of COMSEC equipment in the FAA in concert with ACS. 11. INTERPRETATION. Questions regarding the interpretation of the provisions of this order or their application shall be referred to the Regional or Center Civil Aviation Security Division or Staff, or to the Manager, Investigations and Security Division, ACO-300, Office of Civil Aviation Security Operations, 800 Independence Avenue, S.W., Washington, D.C., 20591. 12. AUTHORITY TO CHANGE THIS ORDER. The Assistant Administrator for Civil Aviation Security is authorized to issue changes to this order which do not contain policy, assign responsibilities, or delegate authority. 13.-19. RESERVED. FOR OFFICIAL USE ONLY PUBLIC AVAILABILITY TO BE DETERMINED UNDER 5 U.S.C. 552
CHAPTER 2. POLICY FOR GRANTING ACCESS TO U.S. CLASSIFIED CRYTOGRAPHIC INFORMATION SECTION 1. POLICY 20. GENERAL. In accordance with policies established by the National Telecommunications and Information Systems Security Committee (NTISSC) in National Telecommunications and Information Systems Security Policy (NTISSP) Number 3, issued in December 1988, and implemented by the Air Force Systems Security Instruction (AFSSI) 4000 of October 1, 1989, the FAA requires special access controls for certain U.S. classified cryptographic information, the loss of which would cause serious or exceptionally grave damage to U.S. national security. This order provides policy, guidelines, and procedures as applicable to the Formal Cryptographic Access (FCA) Program. It provides for an individual's eligibility, unofficial foreign-travel requirements, contacts with foreign nationals, procedures for granting and withdrawing FCA, and actions to take when personnel decline FCA. 21. POLICY. A formal Cryptographic Access Program is established in the FAA whereby access to certain U.S. classified cryptographic information shall only be granted to individuals who satisfy the criteria set forth herein. All FAA employees and FAA contractor employees assigned duties as communications security (COMSEC) custodians; alternate COMSEC custodians; COMSEC accountants; COMSEC inspectors; cryptoequipment maintenance and installation personnel; key distribution center (KDC) personnel; telecommunications center personnel; any personnel identified by ACO-300; and any other persons who work full time in the above areas who have access to the cryptomaterial must have the FCA to meet the requirements of this order as well as the requirements established for two-person integrity. SECTION 2. DEFINITION 22. CRYPTOGRAPHIC INFORMATION. The terms used in this order are defined in AFR 56-2. For the purposes of this directive U.S. classified cryptographic information is defined as: a. TOP SECRET and SECRET, CRYPTO designated, key and authenticators. b. All cryptographic media which embody, describe, or implement classified cryptographic logic; this includes full maintenance manuals, cryptographic descriptions, drawings of cryptographic logics, specifications describing a cryptographic logic, cryptographic computer software, or any other media which may be specifically identified by the NTISSC. SECTION 3. CRITERIA 23. ACCESS REQUIREMENTS. An individual may be granted access to U.S. classified cryptographic information, only if that individual: a. Is a U.S. citizen. b. Is an FAA employee or is a U.S. Government-cleared contractor approved by ACO-300. c. Possesses a security clearance appropriate to the classification of the U.S. cryptographic information to be accessed. d. Possesses a valid need-to-know that has been determined to be necessary to perform duties for, or on behalf, of FAA. e. Receives a security briefing from the servicing security element in regions and centers, or from ACO-300 in headquarters, detailing the sensitive nature of cryptomaterial and the individual's responsibility for protecting cryptomaterial. Appendix 2 contains the text of the briefing. f. Acknowledges the granting of such access by signing the Cryptographic Access Certificate AFCOMSEC Form 9 an example of which is contained in Appendix 3 of this order. 24. POLYGRAPH. The NTISSP Number 3 provides for utilization of non lifestyle counterintelligence polygraph examinations under certain conditions. FAA has determined however that the use of the polygraph will not be a requirement in the FAA COMSEC Program. 25. CONTACTS WITH FOREIGN NATIONALS AND UNOFFICIAL FOREIGN TRAVEL TO COMMUNIST OR OTHER DESIGNATED COUNTRIES. a. All FAA employees possessing an FCA must advise their servicing security element of all contacts with nationals of the listed governments and receive written permission from their facility or office manager with an information copy to the servicing security element and to ACO-300 for unofficial travel to these countries. Afghanistan Latvia Albania Libyan Arab Republic Angola Lithuania Berlin (Soviet Sector) Mongolian Peoples Bulgaria Republic (Outer Cambodia (Kampuchia) Mongolia) Peoples Republic of Nicaragua China (Including Tibet) Poland Cuba Rumania Czechoslovakia South Yemen Estonia Syria Ethiopia Union of Soviet Hungarian Peoples Socialist Republics Republic (Hungary) (Russia) Iran Democratic Republic of Iraq Vietnam (North Democratic Peoples Vietnam) Republic of Korea South Vietnam (North Korea) Yugoslavia Laos b. The above restrictions are in addition to those requirements of Order 1600.61, Defensive Security Briefing Requirements for FAA Employees Traveling to Communist-Controlled Countries. SECTION 4. GRANTING FORMAL CRYPTOGRAPHIC ACCESS 26. SCOPE. This policy shall apply to all FAA employees civilian and military who satisfy the requirements of Section 3, above, and whose official duties require continuing access to U.S. classified cryptographic information. Procedures to be followed in the granting of a Cryptographic Access Certificate are as follows: a. COMSEC Manager and Custodian. The COMSEC custodian or the manager responsible for COMSEC operations in a facility or office shall: (1) Upon receipt of this order take appropriate action to coordinate with the supporting personnel office and the servicing security element to provide them with the names and positions of all personnel requiring FCA. (2) Immediately notify the servicing security element of any change in status or need-to-know of individuals having FCA. b. Personnel Offices. The personnel office will coordinate with the supporting security element to accomplish the following: (1) To ensure that the master record reflects the requirement for FCA, and to arrange for the procedures to be followed to provide the required briefing, as well as need-to-know and clearance verification for each individual. (2) The personnel office will be responsible for entering into the Consolidated Management Information System (CPMIS) the correct information pertaining to FCA requirements for designated positions. (3) To develop procedures that will ensure that the servicing security element is informed whenever individuals with FCA change positions, terminate or otherwise no longer have need for the FCA in accordance with this directive. (4) To coordinate with the servicing security element and to take such additional actions as may be required to ensure that the national security objectives of the FCA are supported and implemented. c. Servicing Security Element. The servicing security element will designate in writing an individual to serve as the FCA point-of-contact for implementation and coordination of the FCA Program. This individual may be the personnel security officer and will be responsible for implementing the FCA Program within his/her area of responsibility. To include the following actions: (1) Ensure that the requirements of this order are met. (2) Provide guidance to operating offices and personnel offices on the FCA Program. (3) Ensure that clearance data and other relevant information pertinent to individuals seeking FCA is correct and is entered into the CPMIS and Civil Aviation Security Information System (CASIS) to the extent that is necessary to permit accurate tracking of individuals in the FCA Program. (4) Coordinate with Personnel and the operating facility or office to schedule briefing indoctrinations required for FCA and to obtain required signatures on Cryptographic Access Certificates (AFCOMSEC Form 9). (5) Ensure that the properly filled out AFCOMSEC Form 9 (Cryptographic Access Certificate) is handled, documented, and retained as required by Order 1600.1C for clearance certifications. d. Cryptographic Access Certificate. (1) The facility or office manager having responsibility for the COMSEC operation or his or her designated representative in coordination with the supporting personnel office and the servicing security element will establish procedures for briefing personnel requiring FCA. (2) Upon completion of the required briefing each individual requiring FCA will be asked to sign the Cryptographic Access Certificate. The manager will normally sign as witness to the signature of the persons being granted access. (3) The original copy of the signed certificate will be forwarded to the servicing security element in regions and centers, and to ACO-300 in the Washington Headquarters, where it will be permanently retained. e. Local Tracking Procedures for FCA. Each facility or office having personnel assigned duties in paragraph 21 will, in coordination with the supporting Personnel Office and the servicing security element, develop written procedures, to include out-processing, for reporting the granting and termination of FCA. f. FAA employees requiring an FCA at TDY locations and who meet all requirements of the FCA Program will be briefed prior to their departure and asked to sign the Cryptographic Access Certificate. When all requirements have been met, clearance status notifications will include the fact that the individual has FCA. 27. PREPARING AFCOMSEC FORM 9. a. AFCOMSEC Form 9. (Appendix 3) Include the following information on the AFCOMSEC Form 9: (1) Installation. Facility or office where the individual is permanently assigned. (2) Unit or Office Symbol. Individual's office and office symbol. (3) Supporting COMSEC Account. Self-explanatory. (4) Signature. Payroll signature. (5) Name. Full name, last name, first name, middle initial. (6) SSN: Will contain dashes (that is 001-01-0001) (7) Grade and Date of Birth. Self-explanatory. (8) In Section 2, paragraph B, a line will be drawn through the last sentence in this paragraph which reads: "I understand that I am subject to and consent to a periodic, counterintelligence polygraph examination." This modification will be initialed both by the person signing the form and by the witness. NOTE: Type AFCOMSEC Forms 9 to ensure legibility and accuracy of the information. The servicing security element and ACS-300 will return AFCOMSEC Forms 9 not properly and completely filled in. b. FAA Cryptographic Access Program. Prepare three copies of AFCOMSEC Form 9. Forward the original signed certificate to the servicing security element in regions and centers and to ACS-300 in the Washington Headquarters; one copy to the individual; and one copy for retention by the local COMSEC account (Folder 2). Maintain locally retained certificates as long as individuals require cryptographic access. Termination statements shall be copies of the locally retained certificate with the properly filled in bottom portion. c. Supply of AFCOMSEC Forms 9. Initial distribution of AFCOMSEC Forms 9 will be made by ACO-300 to servicing security elements in regions and centers who in turn will distribute the forms to the accounts for which they have monitor responsibility. After initial distribution, forms should be requisitioned as needed in accordance with guidance provided in AFKAG-2. 28. WITHDRAWING FCA. a. Once granted the FCA may be withdrawn for only three reasons: (1) Administrative. An individual is being reassigned by the facility or office manager to a position not requiring FCA, or a person is being reassigned to another FAA facility or region or is terminating employment. (2) Suspension. If a person's security clearance or any special access is suspended as outlined in Order 1600.1C, that person's FCA must be suspended until the matter is adjudicated favorably. Suspension of the FCA requires that the individual be removed from COMSEC custodian and accounting duties that require access to cryptographic material until a final determination of reinstatement or revocation can be made. (3) Revocation. Any person who has a security clearance withdrawn or special access denied will also have the FCA revoked. This revocation of FCA is permanent and cannot be reinstated and permanently bars the individual from ever being assigned to duties within the areas in paragraph 21. b. Facility and office managers will advise the servicing security element by message of any change in a person's FCA status resulting from suspension or revocation including reason for suspension or revocation. The servicing security element will advise ACO-300 by message of all such actions. In addition the facility and office manager will send an original copy of the Cryptographic Access Certificate to the servicing security element. Keep a copy of the Cryptographic Access Certificate for 90 days after signature for local records. 29. CERTIFICATES OF PERSONNEL DECLINING CRYPTOGRAPHIC ACCESS. Send the original copy of certificates of any personnel who decline to sign the Cryptographic Access Certificates through the servicing security element to ACO-300 for permanent retention. Certificates should contain all the information on the individual less the signature. State that the individual has refused FCA on the face of the form and on the administering official's signature and signature block. 30.-34. RESERVED. FOR OFFICIAL USE ONLY PUBLIC AVAILABILITY TO BE DETERMINED UNDER 5 U.S.C. 552
CHAPTER 3. COMMUNICATIONS SECURITY (COMSEC) DUTIES AND RESPONSIBILITIES 35. GENERAL. All COMSEC material shall be entered into and retained in the COMSEC accounting system from the time of its origin until its ultimate destruction. COMSEC accounts are established when a facility or activity manager has a need for secure information processing, and application is made through the servicing security element and ACO-300 to the USAF Cryptologic Support Center (AFCSC). Upon approval by AFCSC the type of COMSEC account established will vary according to the mission it supports. Within the FAA the two most common types of accounts are operational and administrative or monitor accounts. 36. COMSEC CUSTODIANS AND ALTERNATES. a. Designation. When a COMSEC account has been authorized the cognizant facility or office manager will appoint a qualified COMSEC custodian and at least one alternate custodian. The appointment will be made in writing by properly completing an Air Force COMSEC (AFCOMSEC) Form 3, Appointment of COMSEC Custodians, for each COMSEC account. (1) Managers of Civil Aviation Security Divisions shall be the appointing officials for COMSEC monitor accounts under their security cognizance. (2) The Manager, Investigations and Security Division, Operations, ACO-300, will be the appointing official for the headquarters COMSEC monitor account custodian and alternate. b. Grade Requirements. (1) FAA COMSEC custodians must be grade GS-9 or above. (2) FAA alternate custodians must be grade GS-7 or higher. c. Clearance Requirements. Custodians and alternate custodian(s) positions are designated as non-critical sensitive for COMSEC accounts handling material at the Secret level or lower classification; for accounts handling Top Secret material the custodian and alternate custodian(s) positions are designated as critical sensitive. Persons designated to fill these positions must be cleared for the highest classification of COMSEC material they will be required to handle or have access to. Requirements are as follows: (1) For Top Secret COMSEC accounts, the designating official must ensure that persons designated as custodians and alternate custodians have a final Top Secret clearance based on a favorably adjudicated background investigation completed within the past 5 years. Periodic reinvestigations (PRI) will be conducted within 5 years from the date of the last Sensitive Background Information, Background Information, or PRI in accordance with Order 1600.1C. (2) For COMSEC accounts handling classified material up to and including Secret, the designating official must ensure that the individuals designated as custodian and alternate custodian(s) as a minimum, have a final Secret clearance based on a favorably adjudicated Minimum Background Investigation (MBI). A PRI is recommended 5 years after placement and every 5 years thereafter. (3) In making selections for custodian and alternate custodian the designating official shall give preference to qualified candidates who have maximum retainability in their current assignment. Other considerations include the following: (a) The individual must never have been relieved from COMSEC custodian duties for cause. (b) If practical, custodians and alternate custodians should be selected on the basis of best qualified rather than seniority. In this regard, consideration should be given to the following: 1 Persons with a background in COMSEC. 2 Persons having a minimum total of three years previous COMSEC experience. 37. TRAINING. a. COMSEC Custodian. For the purposes of this order the following shall apply: (1) For individuals who have had no prior COMSEC experience and for individuals who have not been actively engaged in COMSEC activities during the 3 years prior to the date of their designation, attendance at the three week COMSEC Account Management Course conducted by the USAF is mandatory. (a) It is the responsibility of the FAA manager or other official designating the custodian to ensure that the designee is scheduled for attendance at this course within 60 days of the date of appointment. (b) Because the waiting period for this particular course is often several months, it is important that requests for allocations be submitted through appropriate region/center channels as soon as possible. (c) Additional information concerning this course may be obtained from the servicing security element, or from ACO-300, Washington, D.C. (2) For employees who have attended the U.S. Air Force COMSEC Account Management Course or other formal COMSEC training provided by the government within the past 3 years prior to their designation as custodian, attendance at the USAF COMSEC Account Management Training Course will normally not be required. Similarly, employees who have been actively engaged in COMSEC operations during the 3 years prior to their designation, will not be required to attend formal COMSEC training provided the nature of their duties has enabled them to develop the skills and proficiency required to perform the duties of custodian. b. Alternate COMSEC Custodian(s). Training for the employee(s) designated as alternate COMSEC custodian(s) is important, since the alternate performs the duties of the custodian in the custodian's absence. (1) Normally if the individual(s) designated as alternate custodian(s) have been engaged in COMSEC activities during the 3 years prior to their designation additional formal training will not be required. It is highly desirable that at least one alternate custodian attend the 3 week USAF COMSEC Account Management Course. (2) As a minimum, however, it is mandatory that alternate custodians who have not been actively engaged in COMSEC activities during the 3 years prior to their designation be scheduled to attend approved COMSEC training of shorter duration than the USAF course within 60 days of their appointment. (a) Courses approved for alternate custodian training include COMSEC account management training courses offered by the General Services Administration (GSA). These are 1 week training courses in COMSEC accounting offered at various times during the year in different geographic locations. (b) Allocations for GSA courses are obtained through appropriate region/center personnel training channels. Information concerning these courses is available from the General Services Administration, Communications Security Training Center, ATTN: Registrar 7 KET-6, 1500 East Bannister Road, Kansas City, MO 64131-3087. c. Qualification Training Package. As an interim training measure while an individual is awaiting a class date for the COMSEC Account Management Course in the case of custodians, or the GSA course for alternate custodians, the Qualification Training Package (QTP) should be used. This is an Air Force produced COMSEC Account Management training package designed for self-study. Requests for this package should be addressed to ACO-300 through the servicing security element. d. Recurrent Training. Recurrent training for COMSEC custodians and alternates shall be scheduled as necessary to ensure that individuals maintain a high level of proficiency in COMSEC account management procedures and practices. Recurrent or proficiency training should be scheduled when the custodian determines that such training is required to achieve the required level of proficiency. e. Coordination. The servicing security element COMSEC monitor account will be provided an information copy of all requests for COMSEC training for custodians and alternate custodians. 38. WAIVERS. a. Problems encountered in meeting minimum grade or training requirements for custodians or alternate custodians will be referred to ACO-300, through the appropriate servicing security element. b. Where operational necessity is a consideration a request for waiver of minimum requirements may be submitted. c. ACO-300 will be the approving authority for all waiver requests. If a waiver is granted, it applies only to the designated individual and must not be transferred; it applies to the designated individual only while currently assigned; and it must be terminated if a qualified person meeting minimum grade requirements becomes available. In addition, the waiver must be renewed annually. Include the following information in all requests: (1) COMSEC account number. (2) Name, grade, and clearance of the individuals desired for appointment. (3) Present duty assignment. (4) Type custodian (primary or alternate). (5) Complete justification. (6) Reason for nonselection, if applicable, of assigned individuals who are senior in grade and meet all other selection criterions. (7) Date of any known projected personnel gains who would meet the minimum grade and/or training requirements. (8) Date the appointment is planned. 39. DUTIES OF THE COMSEC CUSTODIAN. Specific duties for which the COMSEC custodian is responsible include the following: a. The development and implementation of a comprehensive user-training program for all persons who, in performing official duties, deal with COMSEC material. An example would be the employees responsible for operation of COMSEC equipment at Joint Use Sites. The training will include programs for user personnel that ensure these individuals are completely familiar with their duties and responsibilities in areas of control, physical protection, inventory and destruction of COMSEC material, and reporting of security hazards, violations, and possible compromises. Refresher training is required as needed. b. Ensure that requirements established in FAA's Formal Cryptographic Access (FCA) Program are understood and implemented. This includes ensuring that personnel having an operational need for access have received a cryptographic access briefing, and have signed a Cryptographic Access Certificate, AFCOMSEC Form 9, as required by this order. c. Be thoroughly familiar with directives concerning classified material such as Order 1600.2C, National Security Information. d. Issue on hand receipt, all COMSEC material to users who need it for their job and ensure that all responsible users of this material know the procedures for protecting, accounting, destroying, and reporting possible compromise of such material. e. In coordination with the facility emergency planning staff, develop written plans to protect COMSEC materials in an emergency, and ensure that the plans are integrated with the facility contingency plan. Train COMSEC personnel in their duties under the plan and ensure that adequate and appropriate destruction equipment and materials are readily available. f. Ensure that all necessary and appropriate COMSEC material is maintained by the account and that disposition instructions have been requested from the Central Office of Record (COR) for surplus or unneeded material. Prepare and submit accounting reports promptly and accurately. g. Ensure that standard operating procedures (SOP) are prepared as required, for secure and efficient conduct of COMSEC/operations within the cryptofacility. 40. PERFORMANCE STANDARDS. a. General. The position of COMSEC custodian and that of alternate COMSEC custodian require persons of unquestioned integrity and loyalty. The quality of the work performance of individuals in these positions has a direct reflection on the national security of the United States and is a vital factor in the support provided by the FAA COMSEC effort to the National Airspace System. It is appropriate therefore that the position descriptions (PD) for individuals designated as COMSEC custodian or alternate COMSEC custodian include the COMSEC responsibilities assigned to that individual. b. Requirement. Managers responsible for performance evaluation rating of individuals designated as COMSEC custodians or alternate COMSEC custodians will: (1) Ensure that the PD's include the COMSEC responsibilities of the individual(s). (2) Identify the COMSEC responsibility as a critical job element (CJE) in the performance standards for the individual(s). 41. APPOINTMENT OF CUSTODIANS AND ALTERNATES. a. Each COMSEC account must have a COMSEC custodian and at least one alternate COMSEC custodian. From a practical viewpoint, the COMSEC custodian should be thoroughly familiar with the day-to-day transactions of the COMSEC account. b. As part of their monitor responsibilities, servicing security elements will: (1) Ensure that proposed custodians and alternates meet the clearance requirements and qualifications for appointment as described in paragraph 21. (2) Obtain original signatures of the designated custodian and alternate(s) in the proper blocks on each of four copies (three copies when action concerns a monitoring account) of AFCOMSEC Form 3. (3) Ensure that all applicable blocks of all copies of the AFCOMSEC Form 3 are completed, including the "Effective Date" and "From" block. (4) Forward the original copy of AFCOMSEC Form 3 under a covering letter to the Air Force Cryptologic Support Center (AFCSC), Attention: MMIC, San Antonio, Texas 78243. Refer to Situation F-2, AFKAG-2. The letter should designate appointment or rescission of a custodian or alternate(s), as appropriate. One copy of AFCOMSEC Form 3 will be forwarded to FAA Headquarters, Washington, D.C. 20591, Attention: ACO-300. One copy shall be retained by the servicing security element monitoring account, and one copy shall be retained in the operational account. 42. MONITORING RESPONSIBILITIES. a. FAA/USAF Agreement. By agreement with the U.S. Air Force (USAF), FAA will provide for the monitoring of all FAA COMSEC accounts. The Manager, Investigations and Security Division, Operations, ACO-300, is responsible for the agencywide COMSEC monitoring effort at the headquarters level. ACO-300 is also responsible for monitoring the administrative/monitor accounts of the regions, Aeronautical Center and Technical Center, and the operational and user accounts at the Washington Telecommunications Center. The regional and center servicing security elements have been established as administrative accounts with the responsibility for the monitoring of operational and secure telecommunications facilities within their respective jurisdictions. b. Monitor/Inspection Requirements. Monitor and inspection activities shall be conducted in accordance with the following requirements: (1) Regional and center monitor accounts shall conduct a general inspection of each operational COMSEC account and secure telecommunication facility in their jurisdiction at least once each year. Additional inspections will be conducted as required by Order 1650.7B. (2) Appendix 4, Secure Telecommunications Facility and COMSEC Account Checklist, shall be used as a guide in the conduct of the inspection. The completion of the checklist does not in itself constitute a COMSEC inspection. The inspector must be competent and knowledgeable in all phases of COMSEC. A formal written report containing the results of the inspection and recommended corrective actions shall be provided to the facility or office manager having responsibility for the COMSEC operation, and to the custodian of the inspected account. An information copy of COMSEC inspection reports shall be provided to ACO-300, ATTN: ACO-320. (3) Technical surveillance countermeasures (TSCM) inspections of secure telecommunications facilities shall be conducted in accordance with provisions of this order and Order 1600.12C, Technical Security Countermeasures Program. (4) ACO-300 will inspect regional and center monitor accounts at least once every two years. In addition, ACO-300 will schedule COMSEC inspections and surveys as required agencywide to ensure effective monitoring of regional and center COMSEC programs. c. Administrative Requirements. (1) The custodian of each FAA COMSEC account shall forward a copy of all reports, correspondence, etc., pertaining to COMSEC accounting to his/her servicing security element monitoring account. Regional and center monitor accounts shall provide copies of the documents pertaining to their account operations to ACO-300, ATTN: ACO-320. Conversely, AFCSC sends a copy of all reports, correspondence, etc., it originates to the appropriate monitoring account. (2) The monitoring account shall review these documents and ensure the completeness, accuracy, and timeliness of the accounting actions. In the event that a monitor account receives a copy of a discrepancy report from AFCSC, the monitor account custodian shall ensure that the required corrective action is accomplished expeditiously. 43.-49. RESERVED. FOR OFFICIAL USE ONLY PUBLIC AVAILABILITY TO BE DETERMINED UNDER U.S.C. 552
🛑 BERND PULCH ARCHIVE | SECURE MIRROR 