Section 4. Communications Security (COMSEC)
9-400. General. This section was prepared by NSA.
The procedures in this section pertaining to COMSEC information shall apply to contractors when the contractor requires the use of COMSEC systems in the performance of a contract; the contractor is required to install, maintain, or operate COMSEC equipment for the U.S. Government; or the contractor is required to accomplish research, development, or production of COMSEC systems, COMSEC equipment, or related COMSEC material.
9-401. Instructions. Specific requirements for the management and safeguarding of COMSEC material in industry are established in the COMSEC material control and operating procedures provided to the custodian of each industrial COMSEC account by the agency Central Office of Record (COR) responsible for establishing the account. Such procedures that are above the baseline requirements detailed in the other sections of this manual shall be contractually mandated.
9-402. Clearance and Access Requirements
a. Before a COMSEC account can be established and a contractor may receive or possess COMSEC material accountable to a COR, individuals occupying the positions of FSO, COMSEC custodian, and alternate COMSEC custodian must have a final PCL appropriate for the material to be held in the account. COMSEC custodians and alternate COMSEC custodians having access to TOP SECRET keying material marked as containing CRYPTOGRAPHIC (CRYPTO) information must have a final security clearance based upon an SSBI current within five years. This requirement does not apply to contractors using only data transfer devices and seed key.
b. Before disclosure of COMSEC information to a contractor, GCAs must first verify with the CSA that appropriate COMSEC procedures are in place at the contractor facility. If procedures are not in place, the GCA shall provide a written request and justification to the CSA to establish COMSEC procedures and a COMSEC account, if appropriate, at the facility and to conduct the initial COMSEC briefings for the FSO and custodians.
c. Access to COMSEC information by a contractor requires a final FCL and a government-issued final PCL at the appropriate level; however, an Interim TOP SECRET FCL or PCL is valid for access to COMSEC at the SECRET and CONFIDENTIAL levels.
d. If a COMSEC account will be required, the Contract Security Classification Specification shall contain a statement regarding the establishment of a COMSEC account as appropriate.
9-403. Establishing a COMSEC Account
a. When COMSEC material which is accountable to a COR is to be provided, acquired or produced under a contract, the contracting officer shall inform the contractor that a COMSEC account must be established. The contractor shall forward the names of U.S. citizen employees who will serve as the COMSEC Custodian and Alternate COMSEC Custodian to the CSA. The CSA shall forward the names of the FSO, COMSEC Custodian, and Alternate Custodian to the appropriate COR, with a copy to the GCA, indicating that the persons have been cleared and have received the COMSEC briefing.
b. The COR will then establish the COMSEC account and notify the CSA that the account has been established.
c. An individual may be appointed as the COMSEC custodian for more than one account only when approved by each COR concerned.
9-404. COMSEC Briefing and Debriefing Requirements
a. All contractor employees who require access to classified COMSEC information in the performance of their duties shall be briefed before access is granted. Depending on the nature of COMSEC access required, either a COMSEC briefing or a Cryptographic Access Briefing will be given. The FSO, the COMSEC Custodian, and the Alternate Custodian shall be briefed by a government representative or their designee. Other contractor employees shall be briefed by the FSO, the COMSEC Custodian, the Alternate Custodian, or other individual designated by the FSO. The purpose of the briefing is to ensure that the contractor understands:
(1) The unique nature of COMSEC information and its unusual sensitivity,
(2) The special security requirements for the handling and protection of COMSEC information, and
DoD 5220.22-M, February 28, 2006
(3) The penalties prescribed in Title 18, U.S.C., §§ 793, 794, and 798 (reference (t)) for willful disclosure of COMSEC information.
b. COMSEC debriefings are not required.
c. The contractor shall maintain a record of all COMSEC briefings.
9-405. CRYPTO Access Briefing and Debriefing Requirements
a. U.S. classified CRYPTO information is defined as:
(1) TOP SECRET and SECRET, CRYPTO, key and authenticators that are designated CRYPTO, and
(2) CRYPTO media that embody, describe, or implement classified CRYPTO logic; this includes full maintenance manuals, CRYPTO descriptions, drawings of a CRYPTO logic, specifications describing a CRYPTO logic, CRYPTO computer software, or any other media which may be specifically identified.
b. U.S. classified CRYPTO information does not include seed key and CCI.
c. A contractor’s employee may be granted access to U.S. classified CRYPTO information only if the employee:
(1) Is a U.S. citizen;
(2) Has a final government-issued security clearance appropriate to the classification of the U.S. CRYPTO information to be accessed;
(3) Has a valid need-to-know to perform duties for, or on behalf of, the U.S. Government;
(4) Receives a security briefing appropriate to the U.S. classified CRYPTO information to be accessed;
(5) Acknowledges the granting of access by executing Section I of Secretary of Defense Form (SD) 572, Cryptographic Access Certification and Termination; and
(6) Where so directed by a U.S. Government Department or Agency head, acknowledges the possibility of being subject to a non-lifestyle, CI-scope polygraph examination that shall be administered in accordance with department or agency directives and applicable law.
d. An employee granted access to CRYPTO information shall be debriefed and execute Section II of the SD 572 not later than 90 days from the date access is no longer required.
e. The contractor shall maintain the SD 572 for a minimum of three years following the debriefing.
f. CRYPTO access briefings fully meet the requirements of paragraph 9-407 of this manual for COMSEC briefings.
9-406. Destruction and Disposition of COMSEC Material. The COR shall provide directions to the contractor when accountable COMSEC material is to be destroyed. These directions may be provided in superseding editions of publications or by specific instructions.
9-407. Subcontracting COMSEC Work.
Subcontracts requiring the disclosure of classified COMSEC information shall be awarded only upon the written approval of the GCA.
9-408. Unsolicited Proposals. Any unsolicited proposal for a COMSEC system, equipment, development, or study that may be submitted by a contractor to a government agency shall be forwarded to the Deputy Director, Information Systems Security, NSA, Fort George G. Meade, MD 20755-6000, for review and appropriate follow-up action.