(U) The following guidelines provide limited instructions on classifying COMSEC information.
Additional guidance on classifying information pertaining to COMSEC equipment is contained in AR 380-40.
5.2.1 (U) Foreign Release. COMSEC information in any form is not releasable to foreign nationals unless specifically authorized.
Requests for release will be forwarded to HQDA DCS, G-2 (ATTN: DAMI-CD) per AR 380-40.
5.2.2 (U) Handling and Release of Unclassified COMSEC Information. As a general rule, all unclassified COMSEC information is intended FOR OFFICIAL USE ONLY and should be withheld from public disclosure based on exemptions authorized under the Freedom of Information Act (FOIA). The open or public display of U.S. Government or foreign COMSEC material and information at commercial or other public meetings, open houses, or for other nonofficial purposes is forbidden unless specifically authorized by other HQDA Directives (see DA Pamphlet 25-380-2 for CCI). This prohibition includes discussion,
information for other than official purposes. Any requests for public or nonofficial display or publication of COMSEC information, including Freedom of Information Act (FOIA) Requests, will be referred to HQDA (DAMI-CD).
5.2.3 (U) FOR OFFICIAL USE ONLY (FOUO) Application. The protective marking FOUO will be applied to unclassified COMSEC information when the originator determines that it should not be publicly released. The marking will be based on the FOIA policies contained in AR 25-55. As a minimum, the FOUO marking should be applied to the following types of information, if unclassified:
a. (U) Lists of COMSEC short/long titles.
b. (U) Narrative information on characteristics of COMSEC equipment.
c. (U) Indications of new COMSEC developments.
d. (U) COMSEC planning, programming, and budgeting information.
e. (U) Specifications and purchase descriptions pertaining to COMSEC equipment or the support of unique COMSEC requirements.
f. (U) Operating instructions, maintenance manuals, and publications related to auxiliary equipment developed exclusively for use with COMSEC equipment.
g. (U) COMSEC material reports (SF 153).
h. (U) Official photographs or line drawings of classified COMSEC equipment.
i. (U) Information of substance that relates to the application of cryptographic transmission or emission security measures to COMSEC information.
TB 380-41
5.2.4 (U) Compilations. Compilation of unclassified COMSEC information may warrant classification (see AR 380-40, Appendix B).
5.2.5 (U) Use of Caveat "CRYPTO." The caveat "CRYPTO" is always capitalized and is defined as "The marking or designator identifying all COMSEC key used to protect or authenticate telecommunications carrying classified national security information and sensitive, unclassified Government or Government-derived information, the loss of which could adversely affect national security interests." The purpose of this marking is to identify only that key which must be handled and controlled under the special access, storage, distribution, accounting, and destruction requirement of the CMCS as set forth in this TB. The following apply:
a. (U) Key will be marked “CRYPTO” when its purpose is to authenticate a communication or provide protection against Signals Intelligence (SIGINT) exploitation and the communication will be passed by radio, microwave, cable (other than a protected distribution system), or other potentially exploitable means. Key that does not meet these criteria will not be marked “CRYPTO.”
b. (U) Most hard copy key produced by the NSA will be marked “CRYPTO.” The principal exceptions will be key intended for demonstration purposes, sample key for use in or outside the classroom, and maintenance key used exclusively for bench testing purposes. All other classes of key are intended to protect or authenticate and will be marked “CRYPTO.”
c. (U) The marking “CRYPTO” may be used on both classified and unclassified key (hard copy or software); it will not be used on equipment, manuals or other COMSEC material.
All AKMS-generated electronic key will be understood to carry the “CRYPTO” designation and be protected accordingly.
d. (U) Key used to protect classified communications will be marked with the appropriate classification. Key used to protect unclassified national security-related telecommunications will not be classified unless the format or composition of the key is, in itself, classified.
e. (U) All physical key marked “CRYPTO” must be produced by the NSA and obtained through COMSEC logistics channels.
f. (U) The marking “CRYPTO” imposes no additional investigative or access requirements on U.S. personnel. A security clearance is not required for access to key marked “CRYPTO” if it does not bear a classification marking.
g. (U) Unclassified key marked “CRYPTO” will be stored in the most secure manner available to the user. As a minimum, it will be stored in a manner that is sufficient to preclude any reasonable chance of theft or access by unauthorized persons. It should be double-wrapped for shipment. It should be transmitted via the same means as classified key or, as a minimum, via U.S. Registered Mail. Upon receipt, packages should be examined and processed from a physical security standpoint in the same manner as classified key.
5.2.6 (U) Marking of COMSEC Equipment.
COMSEC equipment and components in the U.S. inventory will carry markings as follows:
a. (U) COMSEC Equipment and Assemblies. All COMSEC equipment and assemblies (including telecommunications equipment with integral cryptography) will be marked with a short title, the term "GOVERNMENT PROPERTY," and the accounting number (serial number).
b. (U) Element Boards. Printed circuit element boards used in COMSEC equipment or performing COMSEC functions in other equipment will be marked with a short title and accounting number (serial number).
c. (U) Other Items. Those separate items that perform a COMSEC function, as determined by the NSA, will be marked with a short title.
d. (U) Equipment and Assembly Short Titles. With regard to the short titles mentioned in the preceding paragraphs:
(1) (U) Radio sets and other communications equipment with an integral COMSEC capability may, with the approval of the NSA, be nomenclatured in the Joint Electronic Type Designation System (JETDS), MIL-STD-196D.
(2) (U) Short titles for COMSEC items will be assigned by the NSA.
e. (U) Classified Items. In addition, those items determined as classified by the NSA will bear an appropriate classification marking.
COMSEC equipment with hardwired operational keying variables installed will be marked "CRYPTO."
f. (U) Unclassified items designated CCI. Unclassified CCI items will contain a CCI label (see paragraph 5.2.7).
g. (U) Previous Markings. Equipment marked under previous guidance need not be re-marked except as directed by the NSA.
5.2.7 (U) Controlled Cryptographic Items (CCI).
a. (U) CCI equipment is unclassified controlled end items or assemblies that perform a critical COMSEC or COMSEC ancillary function. Although CCI equipment is unclassified, it requires access controls and physical protection against actions that could affect its continued integrity. Physical protection controls applied to CCI are detailed in DA PAM 25-380-2.
b. (U) The marking "CONTROLLED CRYPTOGRAPHIC ITEM" or "CCI" will be used to identify those items of COMSEC hardware and microcircuits to the end item and assembly level when they are designated Controlled Cryptographic Items by the NSA.
c. (U) As a minimum, un-keyed CCI will be safeguarded as sensitive, valuable property. No security clearance is required for access to un-keyed CCI, but access will be limited per DA Pam 25-380-2 on a need-to-know basis.
Sensitive Item management and controls, as prescribed in AR 710-2, will be applied to CCI.
5.2.8 (U) COMSEC Classification Guidance.
(U) See AR 380-40.
5.2.9 (U) Classification Duration.
information must be protected to prevent hostile activities from building a database to exploit our systems, equipment, and material. Unless a particular item of COMSEC information will become declassified at a particular time or following a specified event, the item classification will be derived from the source document and the information shall be marked IAW DoD 5200.1-PH:
Derived From:
Declassify On:
Date of Source:
(U) In those instances where documents are prepared from multiple sources, the declassification date or event that provides the longest period of classification shall be used and entered in the “Declassify On” statement.
5.3 PHYSICAL SECURITY MEASURES.
a. (U) COMSEC material plays a vital role in the protection of national security communications. This chapter describes minimum physical security measures designed to safeguard the integrity of COMSEC material and the facilities in which COMSEC material is operated or stored. Access is defined as the capability and opportunity to obtain knowledge of or to alter information on material.
b. (U) The broad dispersal of COMSEC material and its positioning in a large variety of environments have created the need for increased emphasis on physical security procedures. Individual commanders are responsible for ensuring that access to classified COMSEC material within their commands or organizations is properly controlled and that the material is stored, accounted for, transmitted, and destroyed IAW AR 380-40 and this TB.
c. (U) The procedures for safeguarding COMSEC Material and facilities are designed to ensure the integrity of COMSEC material against the following threats:
(1) (U) Loss, theft, sabotage, unauthorized access to, or observation of COMSEC material.
(3) (U) Clandestine exploitation of sensitive communications within a secure telecommunications facility.
d. (U) Users should also refer to local operating instructions for security procedures pertaining to specific systems, and to AR 380-40 for policy related to the security of COMSEC material. Security procedures for CCI are contained in DA Pam 25-380-2.
5.4 ACCESS TO AND IDENTIFICATION OF A COMSEC FACILITY.
(U) A COMSEC Facility is defined as a secure space, area, room, structure or series of structures approved by a competent authority for the primary purpose of generating, operating, storing, repairing or training personnel in the use or maintenance of classified COMSEC material.
In those instances when, due to operational necessity, a larger facility is not required, a COMSEC Facility may consist of nothing more than a GSA-approved security container or multiple containers in a common administrative office area, provided adequate safeguards are present to inhibit unsupervised access by unauthorized individuals.
a. (U) Access. Access to COMSEC Facilities may be granted by the commander (or his/her designated representative) to personnel whose duties require such access (need-to-know). These personnel must possess security clearances equal to the classification level of the COMSEC material (as well as the national security information) to which they will have access. Commanders are authorized to employ local systems (e.g., clearance status rosters) for verifying individual clearances. Access is defined as the capability and opportunity to obtain knowledge of or to alter information or material.
b. (U) Visitors. Persons whose duties do not require access, or those who are not properly cleared, will be permitted entry only upon approval from the commander or his/her designated representative.
c. (U) Visitors’ Register. DA Form 1999-E, Restricted Area Visitor Register, will be used to record the arrival and departure of any person not on the access roster. The commander may waive this requirement when the COMSEC Facility is merely a classified container (e.g., Mosler safe) within a common use office area. It is also at the discretion of the commander whether or not a visitor is required to fill in the SSN block of the DA Form 1999-E. The SSN, which is sensitive in nature and should not be openly displayed for public view, is already listed on the security clearance information form provided to the security manager of the restricted area prior to the visit. (See Appendix D for reproducible forms.)
d. (U) Privacy Act Statement. Within COMSEC Facilities where the commander has determined that the SSN will be used (i.e., an individual entering both his/her SSN and signature on the DA Form 1999-E), the following Privacy Act Statement, which appears at the bottom of DA Form 1999-E, must be conspicuous to the signer’s view: “Authority: 10 USC 3012/EO. The SSN is used only for identification. Access to this COMSEC Facility may be denied without SSN.”
e. (U) Equipment Screening. Except for closed crypto-equipment, all classified COMSEC material will be screened from view by visitors.
f. (U) Visitor Surveillance. All visitors will be kept under constant surveillance and will not be permitted access to classified COMSEC information.
g. (U) Maintenance Personnel Access.
Maintenance personnel will only be allowed access to classified COMSEC equipment and information for which they have appropriate clearance. If maintenance personnel do not have the appropriate clearance, they MUST be kept under constant surveillance to prevent their unauthorized access to classified equipment.
h. (U) Identification of Facility.
(1) (U) In accordance with AR 190-13, Chapter 6, COMSEC Facilities SHALL be designated by the Installation/Activity Commander (or civilian equivalent), in writing, as a RESTRICTED AREA. A prominent sign placed conspicuously
Warning Notice contained in paragraph 6-4, AR 190-11 will be posted to identify the restricted area. No other phrase will be used. Commanders outside the U.S., its possessions, and its territories will establish such restricted areas for COMSEC Facilities consistent with local security conditions, risk assessments, and Host-Country Agreements, as applicable.
(2) (U) When conditions warrant, the designation of a COMSEC Facility as a Restricted Area may be waived, at the commander's discretion. For example, when a COMSEC Facility is merely a safe or series of classified containers within a common use office area or building, the designation of that limited space occupied by the classified container(s) as a "Restricted Area" may not be appropriate.
(3) (U) To enhance security, the physical location of a COMSEC Facility will not be advertised or made conspicuous by the posting of external signs, except as noted above for the placement of a "Restricted Area" sign. However, within a secure or restricted area that is not accessible to the general public, there are no restrictions as to the placement of "internal signs" giving directions to a COMSEC Facility or identifying a room or office as the COMSEC Facility for the benefit of customers and other official visitors to the COMSEC Facility.
5.5 PROTECTION OF FIXED COMSEC FACILITIES.
(U) Fixed COMSEC Facilities are vulnerable to both overt and covert security violations.
Standards for securing and protecting fixed COMSEC Facilities are presented in this paragraph and are the minimum-security measures that must be employed.
5.5.1 (U) Installation of On-Line Crypto-Equipment. To prevent foreign intelligence exploration of compromising emanations, the installation of on-line crypto-equipment and
guidance see your Certified TEMPEST Technical Authority (CTTA).
5.5.2 (U) Secure Room Operations. When fixed plant COMSEC Facilities employ several types of COMSEC equipment and handle a large volume of classified traffic, the facility will be located in a SECURE ROOM or CONTROLLED AREA as specified in the following paragraphs:
a. (U) General Office Use. When the COMSEC Facility area is also used for general office purposes, it is the responsibility of the commander to enforce compliance with access requirements as described in AR 380-40. CCI equipment keyed with unclassified “CRYPTO” key used for passing Sensitive But Unclassified (SBU) information will be provided double barrier protection.
b. (U) Secure Storage Area. If a COMSEC Facility is used for secure storage of classified material, facility construction standards apply as directed by AR 380-40.
5.5.3 (U) General Area Operations.
(U) When fixed COMSEC Facilities do not have the requirements for a signal center, they may be located in a controlled, general area.
5.5.4 (U) Devices (other than COMSEC Equipment) Used Within a COMSEC Facility.
Communication devices, such as telephones, interoffice communication systems and other transmitting devices, must meet the provisions of AR 381-14 (C) when installed in an operational COMSEC Facility. This restriction does not apply to a COMSEC Facility used solely for storage of COMSEC information. For all other items, see AR 380-40.
5.5.5 (U) Electronic Access Control Devices. Electronic access control devices (e.g., cipher locks, keyless push buttons) do not afford the required protection against unauthorized admittance and, therefore, will not be substituted for the required built-in, three-position combination lock.
a. (U) Electronic access control devices will be properly installed to prevent tampering.
Electronic access control devices using electro-
be used only for the admittance of known authorized personnel into occupied or otherwise guarded COMSEC Facility areas.
b. (U) Operation of electronic access control devices will meet the following criteria:
c. (U) The code sequence will be screened or masked to prevent unauthorized viewing during door-opening procedures.
d. (U) A positive means will be provided to ensure identification of all persons prior to their admittance.
e. (U) Authorized personnel will change code combinations annually, upon duty termination of any individual who knows or has access to the code combination, and at any time the code becomes compromised. An SF 700 will be used to record combination change information and will be posted to the inside of the door.
f. (U) Push buttons will be kept dust free to prevent reconstruction of the code.
5.6 SECURITY CHECKS.
(U) Security checks will be made by COMSEC Facility personnel or by other specifically designated personnel.
5.6.1 (U) Types of Security Checks.
a. (U) End of Workday Security Check.
As directed by AR 380-5, at the end of each workday, Security Container Check Sheet (SF 702) will be used to verify that each security container, cabinet, secure room, or vault containing classified material is secure. When another individual is not present to check the locks for security, the person who locked the container, cabinet, room or vault must also perform the second security check and complete the "checked by" section of the SF 702. Such checks must be performed as a separate, distinct action after the locking process to satisfy the requirements of AR 380-5.
b. (U) Non-Workday Security Check.
Non-workday Security Checks are not required unless the facility is opened during weekends, holidays, or after hours. If the facility is a TS
Security Check IS required unless an Intrusion Detection System is operating.
c. (U) 24-Hour Operations. In a COMSEC Facility that operates continuously (24-hours-a-day), an area check will be completed at the end of each shift and the SF 702 properly annotated IAW AR 380-5.
5.6.2 (U) Area Security.
a. (U) Non-continuous Operations.
COMSEC Facilities that do not operate continuously require that a security check be made at the end of each workday to establish that the facility is secure and that all classified COMSEC information is properly stored and safeguarded.
b. (U) Area Checklist. Area checklist forms will be designed and produced by the local commander (an SF 701 may be used).
The area checklist will provide for and require the signature or initial of the individual performing the check. The area checklist will verify that:
(1) (U) Security containers are locked and double-checked.
(2) (U) Classified trash is properly stored.
(3) (U) Windows are locked.
(4) (U) Alarms are activated and working properly.
(5) (U) Other security measures are in effect IAW local SOP.