January 29, 2013 in U.S. Army
The following technical bulletin was originally made available in February 2011 on the document sharing website Scribd.
SECURITY: PROCEDURES FOR SAFEGUARDING, ACCOUNTING AND SUPPLY CONTROL OF COMSEC MATERIAL
- TB 380-41
- For Official Use Only
- July 3, 2003
1.1.1 (U) Objective. This Technical Bulletin (TB) provides Communications Security (COMSEC) information regarding custodianship of accounts, accounting/reporting procedures, safeguarding material supply procedures, and Controlling Authority (CONAUTH) responsibilities in accordance with (IAW) COMSEC policy set forth in Army Regulation (AR) 380-40.
1.1.2 (U) Scope. This TB includes the following:
a. (U) Minimum Safeguards. Defines minimum safeguards and standard criteria and procedures for protecting COMSEC information.
b. (U) Special Safeguards. Defines the special safeguards of the Army COMSEC Material Control System (CMCS) and the Army Key Management System (AKMS). The defined safeguards are achieved by the use of correct procedures for the control of access, storage, distribution, accounting, and destruction of COMSEC material.
c. (U) Accounting Procedures. Defines accounting procedures for COMSEC material.
d. (U) Maintaining COMSEC material. Defines procedures for requesting, receiving, stocking, and reporting COMSEC key, publications, and equipment.
e. (U) Incorporation of National INFOSEC Policy. Incorporates the applicable provisions of the National Security Telecommunications and Information Systems Security Instructions (NSTISSI) promulgated by the National Security Agency (NSA), as implemented by AR 380-40.
1.1.3 (U) References, Abbreviations and Terms. See Appendixes.
(U) This TB shall be used by:
a. (U) Personnel. All personnel within the active Army, Army Reserve (USAR), Army National Guard (ARNG), Army Reserve Officers’ Training Corps (ROTC), civilian government employees of the Army, and Army contractors who are responsible for COMSEC material activities.
b. (U) COMSEC Accounts. The procedures contained in this TB apply to both manual and automated accounts; however, some of the procedures and instructions contained herein apply exclusively to manual records, forms, and files. COMSEC Custodians managing automated accounts will adhere to all instructions contained in Army Key Management System (AKMS) documents. Conflicts between this TB and the aforementioned stated documents, which cannot be reconciled, will be reported to the U.S. Army Communications Electronics Command (CECOM), Communications Security Logistics Activity (CSLA) IAW the instructions contained in paragraph 1.4.
2.2 COMSEC FACILITY.
2.2.1 (U) Approving Office for the COMSEC Facility. Headquarters, Department of the Army (HQDA) has delegated COMSEC Facility Approval Authority to CSLA. All requests for COMSEC Facility Approvals must be addressed to CSLA.
2.2.2 (U) COMSEC Facility Approvals. Each organization or activity that has determined the need for a COMSEC account requires a COMSEC Facility Approval (CFA) from CSLA. Approval will be obtained prior to establishing, performing major alterations that affect physical security, relocating, or upgrading the classification of a COMSEC Facility. Requests for a CFA will be submitted by the local commander through normal command channels to CSLA, based on established Major Command (MACOM) or Major Subordinate Command (MSC) policies. An updated CFA need not be routed through your chain of command unless dictated by local command policies.
a. (U) Change of Security Level. When a traditional account or AKMS account requires any security level change, a new COMSEC Facility Approval Request (CFAR) must be submitted. However, an LCMS account requires a new COMSEC Account Number, a new KOK-22A, all new FIREFLY and associated KOK-22A keys, and the transfer of all materials from the existing account to the new account. Additionally, when an AKMS account must change its security classification level, it must contact the CSLA Help Desk for detailed instructions. See Figure 2-3 for a sample CFAR.
b. (U) Additional Equipment Received. A new/updated CFA is not required when a new equipment system or new software is brought into an account unless the facility must be upgraded to accommodate the system.
c. (U) COMSEC Facility Approval for Hand Receipt Holders. The need for a COMSEC Facility for a Hand Receipt Holder will be determined by the COMSEC account custodian based on unique circumstances or mission requirements, such as large volumes of required material. If the COMSEC account custodian determines that the Hand Receipt Holder will be required to have a COMSEC Facility Approval, the COMSEC account custodian will approve the facility by use of a memorandum, which will include the information listed in paragraph 2.2.3. The memorandum will be retained, on file, in the COMSEC account files for review by COMSEC Inspectors and Auditors.
d. (U) Duration of COMSEC Facility Approval. The CFA is valid as long as the physical protective measures and security procedures, which were the basis for the approval, remain substantially unchanged. (See AR 380-40 for additional information.)
2.2.3 (U) Request for Approval. The request memorandum will be prepared using the general guidelines contained in the following paragraph. When establishing an account, attach a signed copy of the CARP. A separate request will be submitted for each COMSEC Facility approval being requested. As a minimum, the memorandum will be marked “FOR OFFICIAL USE ONLY” (FOUO). The following information will be provided on each CFAR submitted to CSLA (see Figure 2-3).
a. (U) General Information.
(1) (U) Requesting organization’s complete mailing address.
(2) (U) Unit Identification Code (UIC).
(3) (U) Telephone number (DSN and commercial).
(4) (U) COMSEC account number (if assigned; otherwise, leave blank).
(5) (U) Location of the facility (includes building, floor and room numbers).
(6) (U) Point of contact (name and telephone number).
(7) (U) Type of request (initial request or modification).
(8) (U) Classification information (the highest level/classification of material that will be used and/or stored)
b. (U) Purpose . Indicate the primary purpose of the facility:
(1) (U) Operations (on-line or off-line cryptooperations
(2) (U) Distribution (primary mission is
COMSEC logistics support).
(3) (U) Maintenance.
(4) (U) RDT&E (Research- Development-
Testing and Evaluation).
(5) (U) Other (if your account does not fall
into one of the previous categories,
explain its purpose).
c. (U) Physical Security. The planned physical security measures must be described in detail. Physical security description of the facility will indicate overall construction composition, to include walls, ceiling, floors, windows, doors, access control, and other measures designed to prevent overt or covert access. If TOP SECRET (TS) material will be stored, include planned provisions to secure TS material IAW Two Person Integrity (TPI). For example, an OCONUS account would include the use of a Joint-Service Interior Intrusion Detection System (J-SIIDS). Also provide the General Services Administration (GSA) description of all security containers used within the facility.
d. (U) Material and Equipment Security. Describe, in detail, how classified COMSEC material and equipment will be protected during non-working hours, or when not under the direct and continuous control of properly cleared and authorized personnel; that is, stored in approved containers, vaults, strong rooms, and so forth.
e. (U) Standards Statement. Prepare a statement, which certifies that applicable standards for the operation, storage, and destruction of COMSEC material can be met. These standards are as described in Chapters 4 and 5. Organizations, which have standard Positive Control Material (PCM) and/or Two Person Integrity (TPI) material, will include ONLY that information which applies to the standard material (for PCM refer to CJCSI 3260.01).
f. (U) The CFAR will also contain a statement that the commander has evaluated the risks to the facility and found them acceptable (AR 380-40, paragraph 4-2b).
2.2.4 (U) Action by Approving Authority. CSLA will promptly notify the requesting commander when the CFAR is approved. If the CFAR is not approved, CSLA will inform the commander what action is necessary to obtain approval.
Related Material From the Archive:
- (U//FOUO) NSA National COMSEC Security Incident Trends 2008-2009
- (U//FOUO) NSA Field Generation and Over-the-Air Distribution of COMSEC Key Manual
- (U//FOUO) U.S. Army Regulation 190–13 Physical Security Program
- GAO U.S. Agencies Are Not Able to Fully Account for U.S. Nuclear Material Located at Foreign Facilities
- (U//FOUO) U.S. Customs and Border Protection Security Policy and Procedures Handbook
- (U//FOUO) U.S. Navy WikiLeaks Safeguarding Classified National Security Information Recommendations
- (U//FOUO) U.S. Army Regulation 190-56 Civilian Police and Security Guard Program
- (U//FOUO) U.S. Army Security Force Handbook