
FOR OFFICIAL USE ONLY

Army Regulation 380-40

Security

Policy for Safeguarding and Controlling Communications Security (COMSEC) Material

Distribution Restriction Statement. This publication contains technical or operational information that is for official U.S. Government use only. Distribution is limited to U.S. Government for release of this publication under the Freedom of Information Act will be referred to the Commanding General, United States Army Intelligence and Security Command, ATTN: IACSFFI, Fort George G. Meade, MD 20755-5995. Requests from outside of the U.S. Government for release of this publication under the Foreign Military Sales program must be made to Deputy Chief of Staff for Intelligence (DAMICHS), 1000 Army Pentagon, Washington, DC 20310-1000.

Destruction Notice. Destroy by any method that will prevent disclosure of contents or reconstruction of the document.

Headquarters Department of the Army Washington, DC 30 June 2000


SUMMARY of CHANGE
AR 380-40
Policy for Safeguarding and Controlling Communications Security (COMSEC) Material

This Revision-
o _ _
o _ _


*Army Regulation 380-40


Effective 31 July 2000

Security

Policy for Safeguarding and Controlling Communications Security (COMSEC) Material


History. This regulation updates the previously published regulation to bring it in line with current laws and national and Department of Defense policy. Because the publication has been extensively revised, the changed portions have not been highlighted.

Summary. This regulation prescribes Army policy for the safeguarding and controlling of communications security material. This regulation also implements Department of Defense Directive 5200.5.

Applicability. This regulation applies to the Active Army, the Army National Guard of the U.S., the U.S. Army Reserve, and non-Army elements with Army communications security accounts. During mobilization or national emergency, the proponent may modify chapters and policies contained in this regulation.

Proponent and exception authority. The proponent of this regulation is the Deputy Chief of Staff for Intelligence. The Deputy Chief of Staff for Intelligence has the authority to approve exceptions to this regulation that are consistent with controlling law and regulation. The Deputy Chief of Staff for Intelligence may delegate this approval authority in writing to a division chief within the proponent agency in the grade of colonel or the civilian equivalent.

Record-keeping requirements. This regulation requires the creation of records to document and preserve essential evidence of Army operations. This includes all accumulated program records and information specifying policy, procedures, and instructions on carrying out the Army's business processes. The specific records prescribed by this regulation are described in appendix C.

Army management control process. At the end of this publication, this regulation contains management control provisions and identifies key management controls that must be evaluated.

Supplementation. Supplementation of this regulation and establishment of command and local forms are prohibited without prior approval from the Deputy Chief of Staff for Intelligence (DAMICHS), 1000 Army Pentagon, Washington, DC 20310-1000.

Interim changes.

Suggested improvements. Users of this regulation are invited to send comments and suggestions for improvements on DA Form 2028 (Recommended Changes to Publications and Blank Forms) directed to Deputy Chief of Intelligence (DAMICHS), 1000 Army Pentagon, Washington, DC 20130-1000.

Exemptions. AR 380-40 is exempt from mandatory disclosure under the provisions of AR 25-55; Freedom of Information Act Exemption Category 2 applies.

Committee Continuance Approval.

Distribution. Distribution of this publication is made in accordance with initial distribution number (IDN) 091029, intended for command levels A, B, C, D, and E for Active Army, the Army National Guard of the U.S., and the U.S. Army Reserve.


*This publication supersedes AR 380-40, 1 September 1994.

AR 380-40 30 June 2000


Contents

(Listed by paragraph number)

Chapter 1
Introduction
Purpose, 1-1
References, 1-2
Explanation of abbreviations and terms, 1-3
Responsibilities, 1-4
Controlled cryptographic items, 1-5

Chapter 2
Physical Protection and Accountability of COMSEC Material
Need for a COMSEC account, 2-1
COMSEC custodian, 2-2
Access to COMSEC material, 2-3
Control and item accounting, 2-4
Item accounting requirements, 2-5
Relief from accountability, 2-6
Classified COMSEC information, 2-7
Use of the designator CRYPTO, 2-8
Release of COMSEC material, 2-9
Photographing COMSEC material, 2-10
Magnetic media containing key, 2-11
Hand receipting COMSEC material, 2-12
Reproduction of COMSEC material, 2-13
COMSEC equipment modification, 2-14
Routine destruction of CMCS-accountable COMSEC material, 2-15
Storage of COMSEC material, 2-16
Transportation of COMSEC material, 2-17
Control of TOP SECRET key, 2-18
Use of no-lone zones, 2-19
Storage, 2-20
Open storage, 2-21
Army Key Management System, 2-22
Protective technology, 2-23

Chapter 3
Emergency Protection of COMSEC Material
Emergency planning, 3-1
Planning for disasters, 3-2
Planning for hostile actions and civil disturbances, 3-3
Preparing the emergency plan, 3-4
Rehearsing the plan, 3-5
Actions subsequent to emergencies, 3-6

Chapter 4
COMSEC Facilities
General, 4-1
COMSEC facility approval, 4-2
COMSEC facility approval request, 4-3
Duration of COMSEC facility approval, 4-4
Safeguarding COMSEC facilities, 4-5
Army COMSEC supplement to DOD industrial security regulations and manuals, 4-6



Chapter 5
Management of Cryptosystems
General, 5-1
Emergency requirements for CMCS key support, 5-2
Stockage levels for key, 5-3
Requests to establish cryptonets (requests for key), 5-4
Issue of key, 5-5
Use of a classified key, 5-6
So-called used key, 5-7

Chapter 6
Audits, Inspections, and Assessments
General, 6-1
Command COMSEC inspections, 6-2
CSLA COMSEC audit/inspections, 6-3
Annual COMSEC assessment, 6-4
Protective technology inspections, 6-5

Chapter 7
Surveillance
General, 7-1
Compromises and insecurities, 7-2
Reportable COMSEC incidents, 7-3
Types of reports, 7-4
Classification of COMSEC incident reports, 7-5
Regulations governing reporting, 7-6
Report precedence and timeliness, 7-7
Counterintelligence assessments, 7-8
Evaluations, 7-9
Damage assessment, 7-10
Investigations, 7-11

Chapter 8
Department of the Army Cryptographic Access Program
General, 8-1
Program applicability, 8-2
Conditions for granting access, 8-3
Procedures, 8-4
Other organizations or agencies, 8-5

Appendixes
A. References
B. Classification Guidelines for COMSEC Information
C. Records Management
D. Physical Security Standards
E. Risk Management Values
F. Cryptographic Access Briefing
G. Management Control Evaluation Checklist



Table List
Table C-1: File categories, action codes, and descriptions
Table E-1: Risk management value

Figure List
Figure C-1: Simplified label preparation
Figure F-1: Authorization for access to classified cryptographic information
Figure F-2: Simplified label preparation
Figure F-3: Simplified label preparation

Glossary



Chapter 1
Introduction

1-1. Purpose
This regulation prescribes policy for safeguarding and controlling communications security (COMSEC) material. The procedures to implement supply control, item accounting, and transaction reporting are contained in Department of the Army (DA) Pamphlet (Pam) 25-380-2, Technical Bulletin (TB) 380-41, AR 710-2, AR 710-3, AR 735-5, and supporting DA pamphlets in the 710 series. This regulation-
a. Establishes security policy for safeguarding and controlling COMSEC material within the DA.
b. Supplements the standards for COMSEC established by the Department of Defense (DOD).
c. Prescribes the security standards of the COMSEC Material Control System (CMCS).
d. Implements selected National COMSEC Instructions (NACSI) and National Security Telecommunications and Information Systems Security Instructions (NSTISSI).
e. Where there is a conflict between this and other publications concerning safeguarding and controlling COMSEC material, this regulation will take precedence. Security requirements for specific cryptosystems (published in TB 380-40) are exceptions to this criterion.
(1) Positive Controlled Material (formerly known as Two-Person Control material) is obtained and accounted for under Chairman, Joint Chiefs of Staff Instruction (CJCSI) 3260.01. However, COMSEC incidents involving this material will be reported to the Army COMSEC Incident Monitoring Activity. The major Army command (MACOM) of the element making the report should be an information addressee on these reports.
(2) Unresolvable conflicts or situations not addressed in this regulation will be referred through command channels to HQDA (DAMICHS).
f. This regulation may be provided to contractors to manage Army contractor COMSEC accounts and when required to support the bid and proposal process.

1-2. References
Those publications required to understand and comply with this regulation, other related publications, and referenced forms are listed in appendix A.

1-3. Explanation of abbreviations and terms
Abbreviations and special terms used in this regulation are explained in the glossary. For definitions of terms other than those given in the glossary, see Joint Pub 1-02 and AR 310-25.

1-4. Responsibilities
The ultimate responsibility for safeguarding COMSEC material rests with the individual in possession of the material. Within Army organizations this responsibility rests with the commander or comparable civilian director. The principal Headquarters, Department of the Army (HQDA), officials and MACOM commanders have the following responsibilities:
a. Deputy Chief of Staff for Intelligence. The Deputy Chief of Staff for Intelligence (DCSINT) will-
(1) Prescribe policy and approve procedures for safeguarding and controlling COMSEC material.
(2) Approve release of Army COMSEC material or foreign COMSEC material in custody of the Army to nonmilitary agencies, the general public, foreign nationals, or foreign governments.
(3) Serve as the principal Army representative to National and DOD committees responsible for COMSEC policy.
(4) Serve as principal Army Staff point of contact for the Office of the Secretary of Defense (OSD), Joint Chiefs of Staff (JCS), National Security Agency (NSA), and other military departments and DOD agencies on broad COMSEC policy matters.
(5) Manage the Department of the Army Cryptographic Access Program (DACAP).
(6) Accept the cryptographic access granted by other DOD components.
b. Director of Information Systems for Command, Control, Communications, and Computers. The Director of Information Systems for Command, Control, Communications, and Computers (DISC4) will-
(1) Develop and promulgate procedural guidance for security of specific cryptographic systems.
(2) Provide guidance to Army elements regarding application of specific techniques and procedures for safeguarding COMSEC systems.
(3) Approve requests to take photographs of classified COMSEC equipment.
c. Deputy Chief of Staff for Logistics. The Deputy Chief of Staff for Logistics (DCSLOG) will maintain visibility over controlled cryptographic item (CCI) end items from procurement through demilitarization and disposal.
d. Commanding General, U.S. Army Intelligence and Security Command. The Commanding General, U.S. Army Intelligence and Security Command (CG, INSCOM), will-



(1) Assist commanders in making initial determination of whether formal assessment for foreign intelligence services involvement in COMSEC incidents is required.
(2) Plan, program, and budget resources to conduct counterintelligence screening polygraph (CSP) examinations under the provisions of DOD 5210.48-R in support of the DACAP.
(3) Coordinate with MACOMs, major subordinate commands (MSCs), and field operating agencies (FOAs), as appropriate, to obtain names of randomly selected individuals to be polygraphed under the DACAP.
(4) Upon request, provide local commanders technical assistance in evaluating security-related issues and conducting risk assessments.
e. Commanding General, U.S. Army Materiel Command. The Commanding General, U.S. Army Materiel Command (AMC), will-
(1) Through the U.S. Army Communications-Electronics Command's Communications Security Logistics Activity (CSLA)-
(a) Operate and manage the Army's COMSEC Material Control System (CMCS) to include the Army COMSEC Central Office of Record (ACCOR).
(b) Develop and promulgate approved COMSEC accounting procedures.
(c) Maintain a comprehensive program that ensures that the Army's COMSEC accounts are audited and inspected, including protective technology inspections.
(d) Cause controlling authorities to review and validate their requirements for the cryptosystems and authentication systems under their control (Cryptosystems Evaluation Report, RCS CSGID-131) annually.
(e) Approve requirements for key, except the security data network system (SDNS) and secure telephone unit (STU-III) key (see DA Pam 25-16).
(f) Approve Army COMSEC facilities under the provisions of paragraph 4-2.
(g) Provide technical assistance to Army COMSEC activities and non-Army elements maintaining Army COMSEC accounts.
(h) Administer a COMSEC Auditor/Inspector Certification program.
(i) Serve as the Army COMSEC Incident Monitoring Activity (see chap 7).
(2) Through the USAMC Logistics Support Activity (LOGSA)-
(a) Manage the Department of the Army Central Registry for Controlled Cryptographic Items (CCI).
(b) Operate and maintain the CCI Serialization Program (CCISP).
(c) Administer the assignment of Management Control Numbers (MCN) for commercial COMSEC products approved for local purchase by NSA and CSLA.
f. Commanding General, U.S. Army Training and Doctrine Command. The Commanding General, U.S. Army Training and Doctrine Command (TRADOC), will-
(1) Develop and implement the Standardized COMSEC Custodian Course (SCCC).
(2) Provide a complete copy of the SCCC, to include updates, to all MACOMs who conduct this training under authority from TRADOC and who comply with standards established by the Signal Center.
(3) Develop and implement training for the Army Key Management System/Local COMSEC Management Software (AKMS/LCMS).
(4) Authorize the release of all COMSEC training material to the Reserve Officers Training Corps (ROTC).
g. Commanders of MACOMs. Commanders of MACOMs will-
(1) Establish and maintain an aggressive command COMSEC inspection program in accordance with this regulation.
(2) Appoint the command COMSEC inspector and determine the frequency at which command inspections are performed (see para 6-2).
(3) Determine the appropriate level(s) below MACOM at which command COMSEC inspectors are required.
(4) Approve the transportation of key via U.S. flag carrier or foreign commercial aircraft outside the continental U.S., except during unit deployments when prior approval is not required (see para 2-17).
(5) Grant waivers to the grade restrictions for COMSEC custodians (see para 2-2a).
(6) Implement the DACAP within their commands. The program may be managed at MACOM level or decentralized down to the major subordinate command level. (Chief, National Guard Bureau may delegate this authority to the State and Territory Adjutants General).
(7) Monitor the DACAP program to ensure the appropriate number of individuals are randomly selected for polygraph examinations.
(8) Designate a DACAP point of contact (either at MACOM or MSC level) for the INSCOM supporting polygraph element.
(9) Provide to INSCOM, in Oct of each year, a written report that identifies the total number of MACOM personnel enrolled in DACAP; a listing of the number of DACAP personnel by installation; and, the identity of the installation DACAP point of contact.
h. Other commanders. Commanders at appropriate levels will-


(1) Upon determination of the need for a COMSEC account, appoint a COMSEC custodian and at least one alternate for each COMSEC account under their jurisdiction (see TB 380-41). In accounts that also contain material controlled under CJCSI 3260.01, a custodian and at least four alternates should be appointed.
(2) Ensure that personnel appointed as COMSEC custodian attend a TRADOC approved Standardized COMSEC Custodian Course (SCCC) prior to appointment.
(3) For AKMS COMSEC accounts, ensure that at least two personnel are formally trained on the Local COMSEC Management Software (LCMS).
(4) Ensure that each COMSEC account under their jurisdiction receives a command COMSEC inspection under the provisions of chapter 6.
(5) When directed, establish and maintain an aggressive command COMSEC inspection program. Organizations that have no knowledgeable COMSEC personnel, except the COMSEC custodians and alternates, should make arrangements to use a qualified person from another organization within the same geographical area.
(6) Ensure that property book officers and users receive a command inspection of CCI records to ensure compliance with DA Pam 25-380-2, AR 710-2, and AR 710-3 at intervals not to exceed 24 months.
(7) Implement the provisions of the DACAP within their command.
(8) Identify those personnel who require cryptographic access and ensure they receive the cryptographic access briefing and sign section I of a cryptographic access certification and termination memorandum.
(9) Ensure that individuals who have been selected for the counterintelligence scope polygraph under DACAP are available at the time and place of the examination.
(10) Deny cryptographic access to, or withdraw cryptographic access from, those individuals who fail to comply with any of the specific criteria identified in chapter 8.
(11) Ensure that designated managers perform Management Control Reviews following the guidance in AR 11-2.
(12) Require the use of electronic keying and rekeying whenever possible.
(13) Approve the establishment of sub-accounts subordinate to the primary account in the unit. Upon implementation of AKMS, sub-accounts will not be authorized.
(14) Conduct mandatory risk assessments of all COMSEC facilities, storage areas, and other COMSEC operational areas per AR 190-51 and DA Pam 190-51.
i. Individual users. Individual users directly influence the effectiveness of protection available through cryptographic techniques and cryptographic systems. Individual users will be responsible for-
(1) The physical protection and accountability of all COMSEC material in their possession or control.
(2) Reporting to the proper authority any occurrence, circumstance, or act that could jeopardize the security/integrity of COMSEC material.
(3) Complying with instructions provided by the COMSEC custodian for safeguarding and controlling COMSEC material.
(4) Complying with instructions provided by the property book officer (PBO) for safeguarding and controlling CCI equipment.
j. Controlling authority. The controlling authority is the individual directly responsible to the commander for the establishment and operation of the cryptonet (for example, network manager). The controlling authority is responsible for the following (see TB 380-41 for detailed procedures):
(1) Identifying and/or validating cryptonet requirements.
(2) Establishing the Cryptonet.
(3) Evaluating COMSEC incidents and insecurities.
(4) Initiating recovery and reconstitution actions.
(5) Authorizing key replacement and resupply.
(6) Directing classification changes for key.
(7) Establishing cryptoperiods and approving extensions.
(8) Specifying implementation and supersession dates for key.
(9) Specifying key change times.
(10) Determining unused key status.
(11) Approving the issuance of extracts of key (for example, segments from a canister) and the local reproduction of physical key.
(12) Performing Cryptonet evaluations at least annually.
(13) During contingency operations, temporarily delegate operational net control of appropriate systems to a regional command or net control center in the forward contingency area.
k. COMSEC custodian. For the Active Army, the Army National Guard (ARNG), the U.S. Army Reserve (USAR), and the ROTC, the COMSEC custodian is the appointed person responsible to the commander for-
(1) Custody and accountability of CMCS accountable COMSEC material.



(2) Supervision and oversight of all sub-accounts and hand-receipt holders (HRH) to ensure compliance with existing COMSEC material security, accounting, and operational policies/procedures.
(3) Acquisition, control, and distribution of all classified COMSEC material and cryptographic key in support of organizational missions.
l. Commanders at all levels. Commanders at all levels will ensure that all soldiers and Army employees under their command (when performing the duties prescribed in this regulation) create and preserve the records required by this regulation. The command's records management official provides information and assistance in identifying the recordkeeping requirements of this publication or refer to the U.S. Army Records Management and Declassification Agency.

1-5. Controlled cryptographic items
a. A controlled cryptographic item (CCI) is an unclassified but controlled secure telecommunications or automated information-handling equipment and associated cryptographic assembly, component, or other hardware or firmware item that performs a critical COMSEC or COMSEC-ancillary function. The associated engineering drawings, logic, descriptions, theory of operation, computer programs, and related source data remain classified. All COMSEC incidents involving CCI will be reported under the provisions of chapter 7. Chapter 3 governs routine and emergency destruction of CCI.
b. For procedures governing CCI, see DA Pam 25-16 and DA Pam 25-380-2.
c. Where a CCI contains key that cannot be extracted from the device (for example, KIV-7, KG 94/194, and so forth), it will be protected in a manner consistent with the classification of the information it is processing.
d. Where a CCI contains key that can be extracted (such as a common fill device, KYK 13) it will be treated as classified equipment and protected in a manner consistent with the classification of the key.

Chapter 2
Physical Protection and Accountability of COMSEC Material

2-1. Need for a COMSEC account
The cornerstone for the protection and accountability of COMSEC material is the COMSEC account.
a. Any organization or activity that requires accountable COMSEC material must obtain such material through a COMSEC account. If an existing COMSEC account, either in the organization or activity or located in close geographic proximity thereto, cannot provide the support required, a new COMSEC account will be established (see chap 4). However, COMSEC accounts will be kept to a minimum, consistent with operational and security requirements.
b. When an existing COMSEC account can adequately support the requirement for COMSEC material within an organization or activity, a new COMSEC account will not be established. The material will be provided to subordinate elements and users via hand receipt.
c. In instances where the commander determines that a hand receipt is not a viable way to provide material to subordinate elements (that is, a large volume of material is required), he or she may establish a COMSEC sub-account.
d. The commander of the primary account approves COMSEC sub-accounts and hand receipts. They may be approved for any type of COMSEC account. Sub-accounts and hand receipts do not require CSLA approval. The custodian of the primary account is responsible for the training and oversight of the custodian(s) of all sub-accounts and all hand-receipt holders.
e. There will be NO sub-accounts established under Army Key Management Systems (AKMS) accounts.

2-2. COMSEC custodian
The custodian and alternates will be officers or warrant officers. If they are not available, enlisted soldiers or permanent civilian employees may be appointed. Minimum rank or grade requirements are staff sergeant (pay grade E-6) or General Schedule (GS) 7 (or equivalent pay grade) for custodians and sergeant (pay grade E-5) or GS-5 (or equivalent pay grade) for alternates. They must meet the access requirements in paragraph 2-3. Custodians and alternates will be appointed on a DA Form 2012 (COMSEC Account Data) signed by the commander or civilian equivalent. In no case will the COMSEC Custodian or alternate sign as the Approving Authority on the DA Form 2012.
a. The MACOM commanders are authorized to grant waivers to the grade restriction imposed above to appoint a sergeant (pay grade E-5) or civilian GS-5 as a custodian and a specialist or corporal (pay grade E-4) or civilian GS-4 as an alternate custodian in those subordinate commands where appropriate grade personnel are not authorized or assigned or where it is not possible to appoint people specified above. Waiver authority may be delegated to the lowest general officer level. The Chief, National Guard Bureau may delegate this authority to the State and Territory Adjutants General. The DA Form 2012 will be annotated that a waiver has been granted by the appropriate MACOM. A copy of the waiver will be kept on file with the DA Form 2012 in the COMSEC account.


b. All COMSEC account custodians must satisfactorily complete the TRADOC approved Standardized COMSEC Custodian Course (SCCC) prior to appointment. In addition, AKMS COMSEC Accounts will have two individuals (custodian and alternate) who have received TRADOC approved training on the LCMS.
(1) The MACOM commanders may, on a case-by-case basis, authorize the appointment of untrained personnel to fill a void created by the unplanned absence of a custodian. This authority may be delegated to the lowest general officer level. Chief, National Guard Bureau may delegate this authority to the State and Territory Adjutants General. However, the custodian must successfully complete the required training within 6 months of appointment.
(2) Whenever possible, alternate custodians should also attend the TRADOC approved course.
(3) Individuals who fail to successfully complete the SCCC will NOT be appointed as a COMSEC custodian.
c. Persons selected will have a minimum of 1-year retainability in long-tour areas and 9 months in short-tour areas.
d. The duties of the custodian and alternate(s) are found in TB 380-41. No individual will be appointed custodian over more than one Army COMSEC account at a time.
e. Whenever the custodian will be absent for more than 60 consecutive days, whether scheduled or unscheduled, all COMSEC material in the custodian's account will be transferred to either the alternate custodian (provided the rank or grade requirements of para 2-2 are met) or to a newly appointed custodian.
f. The appointment of a new (incoming) COMSEC custodian terminates the appointment of the old (outgoing) custodian. However, the outgoing custodian remains accountable for all COMSEC material charged to the account until properly released by the ACCOR. An outgoing custodian is considered properly released from COMSEC accountability (this does not include relief from responsibility for loss or property accountability) when a clearance of former COMSEC custodian has been received from the ACCOR.
g. When the COMSEC custodian is allowed to depart prior to being released by the ACCOR, the commander for whom the account is maintained assumes personal responsibility for all discrepancies in the account.
h. An inventory of accountable COMSEC material will be initiated within 24 hours after the unauthorized absence or sudden permanent departure of the custodian has been detected. The commander will assign one properly cleared witness and the alternate custodian to complete the inventory as soon as possible. The inventory will be conducted in accordance with TB 380-41. A new custodian will then be appointed. If either the alternate custodian or the cleared witness is subsequently appointed COMSEC custodian, a change of COMSEC custodian inventory is not required.
i. To ensure that two-person integrity can be maintained at all times, a custodian and a minimum of three alternates will be appointed for all COMSEC accounts that are approved for TOP SECRET material.

2-3. Access to COMSEC material
The sensitivity of classified COMSEC material requires that strict need-to-know procedures be followed. No person is entitled access to classified COMSEC material solely on the basis of rank, office, position, or security clearance.
a. Access to classified COMSEC material may be granted to U.S. citizens whose duties require access. Security clearance requirements for persons granted access are determined by the classification level of the material to be accessed.
b. Under the provisions of AR 380-67, only U.S. citizens are authorized a security clearance. Immigrant aliens and local national employees of the U.S. Government are not authorized access to classified cryptographic material. Immigrant aliens may have access only to unclassified key marked CRYPTO when their duties require access. They may not be-
(1) Appointed COMSEC custodians or alternates.
(2) Given access to information concerning the development or production of key.
(3) Given access to research and development information pertaining to any COMSEC equipment.
c. There are no access requirements imposed for external viewing of COMSEC equipment where no opportunity exists for unauthorized access to either the key, the COMSEC equipment, or the input and output of the COMSEC system.
d. Requirements for access to CCI are addressed in DA Pams 25-16 and 25-380-2, except that foreign access to keyed CCI is allowed only when all of the following criteria are met:
(1) Such access is in connection with building maintenance, custodial duties, or other operational responsibilities normally performed by such unescorted personnel in the area prior to installation of the CCI.
(2) The CCI is installed within a facility that is a U.S. controlled facility or a combined facility with a permanent U.S. presence, as opposed to a host nation facility.
(3) The cognizant security authority has determined that the risk of tampering with the CCI, which could result in compromise of U.S. classified or sensitive unclassified information, is acceptable in light of the local threat, vulnerability, and sensitivity of the data being protected.
(4) The system doctrine for the specific CCI does not prohibit such access.
(5) The foreign national is a civilian employee of the U.S. Government or assigned to a combined facility.
(6) The foreign national has been granted a limited access authorization (LAA) under the provisions of AR 380-67 for the appropriate classification of information.
(7) The CCI remains U.S. property and a U.S. citizen is held responsible for it.
(8) The presence of such installed CCI is verified at least monthly, although no reporting is required.
(9) The communications to be protected are determined to be essential to support U.S. or combined operations.
(10) U.S. users communicating with such terminals are made aware of the foreign national status of the CCI users.
(11) Keying of the CCI with classified U.S. key must be done by the U.S. personnel. Authorized foreign nationals may do keying of CCI with allied or unclassified U.S. key.

24. Control and item accounting
a. The CMCS is a logistics and accounting system for selected COMSEC material, classified hardware, physical key, and non-Army publications. The major components of the CMCS are the AKMS, ACCOR, COMSEC Management Offices (CMO), COMSEC logistics support facilities (CLSF), and the COMSEC account. These components implement control procedures for the transfer, storage, inventory, and disposition of CMCS COMSEC material. Procedures are in TB 38041.
b. Dissemination of COMSEC material is as follows:
(1) All physical key, classified COMSEC equipment, and COMSEC publications assigned an account legend code (ALC) by NSA will be entered into the CMCS.
(2) All CCI and other unclassified COMSEC hardware items will be entered into the standard Army supply system and logistically managed under AR 7102, AR 72550, and DA Pam 253802.
(3) In DOD channels, COMSEC material (other than that specified in (1) above) may be distributed and accounted for in the same manner as other national security or national security related information. Also, after initial receipt in the CMCS, classified COMSEC material not requiring central accounting may be distributed and accounted for under either AR 3805 or TB 38041.

25. Item accounting requirements
The following are the minimum item accounting requirements:
a. All key is under accounting controls throughout its life cycle, from receipt until final disposition through issue, transfer, or destruction. Accounting procedures are contained in TB 38041.
(1) Key designated as centrally accountable will be continuously accounted for from time of receipt or generation through final disposition. A physical inventory of this key must be reconciled with the Tier 1/ACCOR every 6 months.
(2) Key designated as locally accountable after receipt or generation and key designated not accountable after a specific time or event, will be accounted for locally until final disposition.
b. Classified COMSEC material marked CRYPTO must be physically inventoried at least every 6 months and the inventory reconciled with the Tier 1/ACCOR. Other COMSEC material must be inventoried at least annually. See TB 38041 for other COMSEC material not covered here.
c. The Standard Form 153, including automated facsimiles produced by AKMS or Army COMSEC Commodity Logistics Accounting and Information Management System (ACCLAIMS), is used to perform most COMSEC material transactions (see TB 38041).

26. Relief from accountability
a. Either the Director, CSLA, or the Controlling Authority will authorize relief from CMCS accountability, based on an evaluation of a COMSEC incident (see chap 7).
b. Relief from CMCS accountability will NOT be construed as relief from property accountability. In all cases of relief from CMCS accountability, the custodian will put the following statement in the COMSEC account records: THE CIRCUMSTANCES SURROUNDING THE LOSS OF (identified material) HAVE BEEN CONSIDERED AND A DETERMINATION HAS BEEN MADE THAT A REQUEST FOR RELIEF FROM PROPERTY ACCOUNTABILITY (is/is not) REQUIRED. Relief from accountability will be obtained in accordance with TB 38041 (for CMCS) and AR 7355 (for property).

27. Classified COMSEC information
Classification principles and procedures, marking, downgrading and declassification actions directed by AR 3805 also apply to COMSEC information. The general guidelines for classifying COMSEC information are in appendix B.

28. Use of the designator CRYPTO
The designator CRYPTO is the marking or designator identifying COMSEC key used to secure or authenticate telecommunications carrying classified or sensitive U.S. Government or U.S. Government derived information. See paragraph B5 for applying the CRYPTO marking.

29. Release of COMSEC material
Release of COMSEC material (see para 14a(2)):
a. See DA Pam 253802 for release of COMSEC material designated CCI.
b. For release to DOD contractors, see the COMSEC supplement to DOD 5220.22S.

210. Photographing COMSEC material
Photographing classified COMSEC material is prohibited. This prohibition does not apply to the reproduction of COMSEC Material (see para 213) or to the photographing of an exterior view of CCI equipment.

211. Magnetic media containing key
Magnetic tapes, discs, and drums on which classified key has been recorded will be classified under paragraph B11.

212. Hand receipting COMSEC material
a. The COMSEC custodians will hand receipt accountable COMSEC material only to authorized persons who have an operational need.
b. Prior to releasing or approving release of COMSEC material, the custodian must verify the recipient's clearance, access, and need to know and must provide written instructions to the prospective recipient on how to protect the material. In return, the custodian must get a written acknowledgment that the prospective recipient knows and will fulfill all physical protective requirements and employ all security procedures.
(1) Accountable COMSEC material will not be hand receipted between COMSEC accounts. Material exchanged between accounts must be transferred. COMSEC material may, however, be hand receipted to individuals, including COMSEC custodians.
(2) See TB 38041 for hand receipting procedures.
c. COMSEC material will not be sub-hand receipted without written authorization from the COMSEC custodian. This authorization may be added to the SF 153 or covered in a COMSEC standing operating procedures (SOP), if used.
(1) Sub-hand receipting will only be done between the hand-receipt holder and a supported user(s).
(2) Sub-hand receipt holders will return unused effective or future COMSEC material to the hand-receipt holder unless they have instructions and authority to destroy the material. Superseded material will be handled under the provisions of TB 38041.
(3) Sub-hand-receipt holders will not further sub-hand receipt COMSEC material.
An exception to this policy will be the KOV14 card, which may be sub-hand receipted to the lowest user level.
(4) Custodians will ensure that a system is established whereby no hand-receipt holder may depart his or her unit without first clearing the hand receipt.
d. Periodic inspections will be conducted by the COMSEC custodian for all hand-receipt and sub-hand-receipt holders.

213. Reproduction of COMSEC material
a. Reproduction of classified COMSEC documents will be in the form of extracts. Extracts will be made and controlled as shown below. Except as provided in subparagraph c below, the proponent for the document must approve the reproduction of complete documents.
b. Extracts of COMSEC information are permitted unless specifically prohibited in a document's promulgating instructions. TRADOC training centers and schools, program managers, and CSLA's New Equipment Training Program have a continuous exception to extract restrictions when extracting COMSEC information to include in lesson plans and examinations. The covers of all lesson materials containing extracts of COMSEC information will cite this paragraph and regulation as authority for the extract.
c. Specific guidance on making extracts of key is contained in either the cryptosystem operating instructions or the key system handling instructions. Controlling authorities have a continuous exception to extract restrictions and may issue portions or complete editions of key, to include printed key in canisters. Issuing segments from a canister is discouraged, however, as it defeats the integrity provided by the canister.
d. Reproduced COMSEC material is not reportable to ACCOR, but is locally accountable until destroyed. COMSEC material that has been reproduced will be annotated on account item register cards and marked and controlled as required by TB 38041.

214. COMSEC equipment modification
Unless an operational waiver is in effect, only COMSEC equipment with all approved mandatory modifications applied will be used to secure information systems. Refer to TB 4300016 series for a complete listing of authorized and required modifications to COMSEC equipment.

215. Routine destruction of CMCS-accountable COMSEC material
a. The destruction official and the witness must be cleared for the highest classification of material to be destroyed. Both are responsible for a properly prepared destruction report that lists all material destroyed and for ensuring that all destruction meets the appropriate standards in TB 38041. Both individuals must view the actual destruction.

b. In high-risk environments, superseded key must always be destroyed immediately. The 72-hour extension authorized in paragraph d(1)(d) below does not apply.
c. Key found to be defective or faulty will not be destroyed. The accountable COMSEC custodian will notify the ACCOR and the Director, National Security Agency (DIRNSA). The key will be held in secure storage awaiting disposition instructions.
d. Routine destruction of accountable COMSEC material is a scheduled function. The schedule, method, and procedures described in TB 38041 will be complied with. Where circumstances prevent strict compliance with the 12-hour destruction standard (such as an incinerator not operational or authorized personnel are not readily available over 3-day weekends), commanders are authorized to grant extensions not to exceed 72 hours.
(1) Superseded tapes, one-time pads, codes, and authenticators.
(a) Custodians of COMSEC accounts supporting a COMSEC Logistics Support Facility (CLSF) or custodians with consolidated holdings or reserve material for further distribution will destroy whole editions of superseded key within 15 days after supersession.
(b) Custodians and hand-receipt holders at the user(s) level should destroy portions or complete editions of used key immediately after supersession. The period between supersession and destruction will not exceed 12 hours. Superseded key need not be removed from secure storage and destroyed simply to comply with the 12-hour destruction requirement. This exemption does not apply to those situations where operations are conducted 24-hours a day. However, when individual key settings or tape segments are removed from a key list or canister for use, all previous settings that have been superseded will be destroyed within 12 hours. Where special circumstances prevent compliance, commanders or responsible officials may, on a case-by-case basis, grant an extension of up to 72 hours.
All requests for extension will be maintained in accordance with appendix C.
(c) Superseded editions of key that have been in storage and have not been issued for use by the account will be destroyed within 5 days after supersession. For National Guard and Reserve units, destruction of key will be conducted no later than during the first drill period after supersession.
(d) Unused key marked CRYPTO that is not enclosed in protective packaging must be superseded and destroyed no later than 6 years after generation or receipt, unless specific retention authority is granted by NSA.
(e) Portions or complete editions of used or superseded key carried aboard special-purpose aircraft (such as airborne command posts) may be retained when a secure destruction facility is not immediately available. When a facility becomes available, the material must be destroyed without delay.
(2) For electronic key, see applicable COMSEC system instructions in the DA Pam 25-series, TB 38040, NonCryptographic Operational General Publication (NAG) 16, NAG 53, and NAG 57.
(3) Maintenance, classroom training, and sample key, not marked CRYPTO, are not regularly superseded. Destroy such key when it becomes physically unserviceable.
(4) Amendment residue will be destroyed within 2 days after posting the amendment (see TB 38041).
(5) Other COMSEC material, less equipment, will be destroyed no later than the fifteenth day of the month following supersession.
(6) The CSLA commodity manager will direct non-emergency destruction of COMSEC equipment and components.
e. Protective packaging used with key, such as tape canisters, will be destroyed in conjunction with the destruction of key.

216. Storage of COMSEC material
Unless in use by, in the physical possession of, or continuously tended by a properly cleared person or persons, where its adequate protection is presumed, COMSEC material will be stored per AR 3805 and TB 38041.
TOP SECRET key will be afforded additional protection as stated in paragraph 218 of this regulation.
a. In those instances where exposed segments of current key must be held in storage for the duration of the crypto period, special emphasis must be placed on their security and accountability.
b. In mobile and transportable conveyances, the current edition and one future edition of key may be stored in a standard GSA approved field safe or an equivalent container secured by a three-position combination padlock (see AR 3805). Mobile and transportable conveyances in which key is stored must have supplemental controls applied that will prevent undetected access to the key or removal of the container in which the key is stored. A guard is required for conveyances or containers that can be surreptitiously removed.
c. Nonapproved containers must be under continuous guard or protected by an alarm system.
d. COMSEC equipment and components.
(1) When not installed in an operational configuration, unkeyed classified COMSEC equipment must be stored in the manner prescribed in AR 3805 for material of the same classification.
(2) CCI will be protected under the provisions of DA Pams 2516 and 253802.
(3) The commander must approve the storage of keyed COMSEC equipment. When equipment is stored in a keyed condition, storage requirements for the key must be satisfied.
(4) When installed in an operational configuration in either fixed, mobile, or a transportable facility, unkeyed classified COMSEC equipment may be left unattended, provided the commander has conducted a risk analysis and determined that the risk of unauthorized access is acceptable. (See AR 19051.)
(5) Future key, non-operational and spare COMSEC equipment, and COMSEC publications will not be stored in unattended mobile or transportable facilities.
e. Units/elements conducting real-world mission essential operations (non-training and non-exercise) may download and store the current edition and up to a maximum of 90 days of future keying material into a data transfer device (for example, AN/CYZ10). Loading future key into a common fill device (for example, KYK13, KYX15) is not authorized. Extension to the 90 days must be requested through command channels to HQDA (DAMICHS).
f. COMSEC publications (such as the cryptographic operational general publication (KAG), cryptographic operational maintenance manual (KAM), and cryptographic operational operating manual (KAO)) and cryptoancillaries (including equipment and software), key not marked CRYPTO, and other cryptographic material not governed by this paragraph will be protected commensurate with its classification.
g. All COMSEC vaults constructed after the date of this regulation must meet the standards provided for in appendix D. Those storage facilities certified as vaults prior to the date of this regulation will be considered to meet the requirements of this regulation until such time as they are modified in any way. At that time, they will be required to be brought up to the standards of appendix D, or they will no longer be considered vaults for COMSEC purposes.

217. Transportation of COMSEC material
The possibility of compromise is increased during shipment. All persons who handle COMSEC material must be carefully instructed in handling procedures. This includes proper methods of emergency destruction to prevent compromise during transportation.
The requirements in this paragraph, AR 3805, TB 38041, and DA Pam 253802 apply to all COMSEC material.
a. Key will be transported as follows:
(1) For TOP SECRET key, two-person integrity (TPI) will be applied whenever unit couriers transport TOP SECRET key between COMSEC accounts or hand-receipt holders. Two persons who are cleared for TOP SECRET and authorized to receive the material must sign receipts for this material. The key must be double wrapped while in transit in accordance with AR 3805. TPI controls are not required for TOP SECRET key while it is in the custody of the Defense Courier Service (DCS) or the U.S. Diplomatic Courier Service.
(2) For SECRET key:
(a) Key must be transported by DCS, an officially designated unit courier or U.S. Diplomatic Courier Service.
(b) Key classified SECRET or higher may not be sent by registered mail without the specific prior approval of HQDA (DAMICHS), except as follows:
1. Key must be double wrapped while in transit in accordance with AR 3805.
2. The National Guard and the U.S. Army Reserve Command may ship single editions of key classified no higher than SECRET via registered mail to sub-accounts and hand-receipt holders that are not serviced by DCS and are so far away from their parent account that use of a courier is not practical.
3. The Director of Communications Security Systems at Tobyhanna Army Depot may authorize the custodian of COMSEC account 5B1099 to ship keying material classified no higher than SECRET via registered mail as necessary to meet short notice requirements when DCS cannot get the material in place by the required date. The number of editions will be kept to the minimum required to support the mission until normal DCS deliveries can be made.
4. For CONFIDENTIAL and UNCLASSIFIED key, U.S. registered mail may be used to transport key to recipients served by U.S. postal facilities. However, the mail must not pass out of the control of the U.S. Postal Service and must not pass through a foreign postal system or any foreign inspections.
5. U.S. flag aircraft can be used to carry key within the continental United States (CONUS). However, outside CONUS the use of U.S. flag aircraft or any foreign-owned, controlled, or chartered carrier to carry key is strongly discouraged because of the threat by terrorists and lack of U.S. control. The MACOM commanders may, in cases of operational necessity, approve the use of such carriers when limited quantities of future key must be carried. Quantities will be limited to no more than four editions of quarterly or more frequently superseded material or two editions of semi-annually or less frequently superseded material. Sufficient time should be available before implementation (at least 3 days) to supersede the material should it be compromised. The MACOM commanders may delegate this authority to the lowest general officer level.
6. Key will be packaged separately from its associated COMSEC equipment unless the application or design of the equipment is such that the key cannot be physically separated.
7. Key in any form must be transmitted electronically whenever possible using approved methods as outlined in NAG 16 or NAG 53. However, when transmitting physical key, the user(s) must ensure the communications systems used provide end-to-end security that is equal to or higher than the classification of the transmitted key. The key setting must not appear in the plain text anywhere in the communications path.
b. COMSEC equipment will not be shipped in a keyed condition unless the physical configuration of the equipment makes segregation impossible. Electronic fill devices may be transported in a loaded condition by authorized individuals. This restriction does not apply to tactical movements or in emergency situations where equipment cannot be zeroized. COMSEC equipment will be transported as follows:
(1) Shipments of COMSEC equipment classified SECRET will be transported by DCS, U.S. Diplomatic Courier Service, officially designated unit courier, or an authorized cleared commercial carrier using protective security services (PSS) in accordance with DOD 4500.9R (applies only when shipping within the U.S., its possessions and territories, where the equipment will not leave U.S. control and be subject to foreign intervention, customs, inspections, and so forth).
(2) Shipments classified CONFIDENTIAL may be transported by any means specified in paragraph (1) above or by:
(a) U.S. Registered Mail, provided it does not pass out of U.S. control at any time and does not pass through a foreign postal system or any foreign inspection.
(b) U.S. military or military-contractor air service (for example, Air Mobility Command, LOGAIR, QUICKTRANS) provided that a continuous chain of accountability and custody for the material is maintained while in transit.
(3) Unclassified COMSEC equipment designated CCI will be transported under the provisions of DA Pam 253802.
(4) Unclassified COMSEC equipment not designated CCI may be transported by any means approved for the transport of high value Government property.
(5) Domestic commercial passenger trains, airlines, buses, and so forth may be used by couriers at the discretion of the appointing commander, provided the provisions of AR 3805 (chap VIII) are followed.
(6) Within CONUS, when operational necessity dictates, confidential and secret COMSEC equipment (zeroized) installed in standard military equipment shelters may be transported via uncleared commercial carriers, provided all of the provisions of chapter 5 of TB 38041 are met.
c. Cryptographic media which embody, describe, or implement a classified cryptographic logic, such as full maintenance manuals, cryptographic logic descriptions, drawings or cryptographic logic, or specifications describing a cryptographic logic and cryptographic computer software will be transported by cleared department or unit courier, DCS, or U.S. Diplomatic Courier Service. These media may not be sent through any postal system.
d. Other classified COMSEC material that does not embody, describe, implement, or contain a classified cryptologic may be transported in the same manner as the material described in subparagraphs b and c above, and if classified SECRET or CONFIDENTIAL, by a cleared commercial carrier under DOD 4500.9R. Items classified SECRET or CONFIDENTIAL may be sent by U.S. Postal Service registered mail. Standard first-class mail service will not be used for any classified COMSEC material. The provisions of AR 3805, relative to the use of commercial passenger aircraft also apply to these shipments.
e. When operationally required, COMSEC equipment and COMSEC material may be airdropped, unless prohibited by a specific equipment publication, provided the material is under the control of a properly cleared person until the material leaves the aircraft, and the commander has determined that there is a high probability of immediate recovery by authorized persons.
f. Vehicles or equipment shelters in which COMSEC equipment is installed may be transported by helicopter using sling-load techniques. Equipment should not be keyed unless there is an operational requirement for its immediate use upon landing. Associated key will not be sling-loaded, but may be carried inside the helicopter moving the vehicle or shelter.
g. COMSEC material required in support of forward area tactical operations may be air transported across hostile territory.
h. Upon receipt, all packages containing classified COMSEC material will be inspected for evidence of penetration.
If such evidence is found, a COMSEC incident report will be submitted under the provisions of chapter 7. Packages and containers will be opened by the addressee within 2 working days after receipt. The addressee will report any discrepancies to the office of record and to the shipper as specified in this regulation, TB 38041, or AR 735112 as appropriate. However, unit packs in original manufacturer or depot sealed packages will not be opened except when there are signs of tampering, the material is to be used, or a physical security check is required. For inventory purposes, use the external packaging label.
i. Packaging of classified COMSEC equipment will be done under the provisions of AR 3805. Packaging of unkeyed CCI will be in accordance with DA Pam 253802.
j. Couriers for COMSEC material must be specifically designated in writing (DD Form 2501, Courier Authorization, is recommended) by an authorized official within the individual's chain of command.
(1) It is the responsibility of the COMSEC custodian directing movement of the material to ensure that all couriers are properly cleared, trustworthy, and briefed on their responsibilities for safeguarding the material entrusted to them. Couriers must be provided instructions covering emergency situations including loss or other compromise of the material they are carrying.
(2) Couriers traveling outside the continental U.S. will have their request for courier orders forwarded through the unit/activity Security Manager for approval. Couriers must be provided the telephone number of the nearest U.S. Embassy or consulate in every country through which they will travel. The identification card and letter of authorization requirements contained in Federal Aviation Administration Advisory Circular 1083, Screening of Persons Carrying U.S. Classified Material (available from the U.S. Government Printing Office), must be complied with.

218. Control of TOP SECRET key
a. TOP SECRET key is used to protect the most sensitive U.S. national security information. Its loss to an adversary can subject to compromise all of the information protected by the key. There is a significant body of information indicating that TOP SECRET key is a high-priority target for exploitation by foreign intelligence services. For this reason, TOP SECRET key must be afforded special protection. TPI and no-lone zones are used to meet this requirement.
b. TPI means that TOP SECRET key must always be in the possession of two appropriately cleared persons who are authorized access to the material. TOP SECRET key still in its protective packaging (for example, canister) does not require TPI controls when outside a storage container (for example, safe, vault, and so forth) as long as the custodian or his or her alternate, who has possession of the key, is in the DA Cryptographic Access Program (DACAP). However, when key is removed from its protective packaging (for example, a segment is removed from a canister) or when the key is hand receipted to a user(s) all material will be signed for by two appropriately cleared individuals and will be maintained under TPI controls. Requests for exception to TPI will be forwarded through channels to the MACOM commander for consideration on a case-by-case basis.
c. TOP SECRET key will always be stored (for example, locked in a safe, vault, and so forth) under TPI rules.
d. The combinations for TPI safes should be protectively packaged separately and held at separate locations.
It is understood that there will be situations where a single individual, such as the facility security manager, will have access to protective packages containing both combinations. If the combinations to TPI containers are not protectively packaged, the combinations MUST be stored at separate locations.
e. Any violation of TPI/no lone zone control is a reportable COMSEC incident and is reportable in accordance with TB 38041.

219. Use of no-lone zones
a. A no-lone zone is an area, room, or space to which no person will have unaccompanied access. A no-lone zone must always be occupied by two or more appropriately cleared people who can observe each other's actions.
b. No-lone zones will be established whenever TOP SECRET key can be accessed from COMSEC equipment, either in physical or electronic form (for example, facilities where electronic key is generated). No-lone zones are not required where the COMSEC equipment is installed in a manner to preclude access to the equipment for extraction of key. However, TPI controls will apply to all initial and rekeying operations using TOP SECRET key. Key distribution centers (KDC) and key generation centers, CLSFs, or other logistics activities that store, generate, or distribute TOP SECRET key are subject to no-lone zone restrictions. In addition, activities engaged in the design, development, training or maintenance of COMSEC equipment should consider the application of no-lone zone restrictions.
c. No-lone zones will be specifically designated by the commander, and a physical description of the no-lone zone will be posted within the area, room, or space that contains the no-lone zone.
d. Requests for exception to the no-lone zone requirement will be forwarded through channels to the MACOM for consideration on a case-by-case basis.

220. Storage
TOP SECRET key will be stored under TPI controls employing two different approved combination locks or a single lock meeting Federal Specification FFL2740, with no one person authorized access to both combinations. All persons with access to either of the combinations will have a TOP SECRET clearance. Storage can be in a locked strongbox within a security container, in a security container within a vault, or in a security container with two combination locks. At least one of the combination locks must be built-in, as in a vault door or in a security container drawer. Neither key locks nor cipher locks will be used to meet the requirement for two combination locks.
CAUTION: For facilities in continuous operation (and/or where unaccompanied individuals are on duty), outer vault doors do not satisfy the two barrier protection requirements of TPI. Such facilities require dual combination protection (for example, a dual combination safe) within the facility to store TOP SECRET key or the establishment of a no-lone zone.

221. Open storage
a. Open storage of classified COMSEC key is prohibited, with the exception of that classified key coded ALC4 (for example, OPSCODES, numeral codes, and so forth). This material will be treated as other COMSEC material under paragraph b (below).
b. Open storage within a COMSEC facility of other COMSEC material classified no higher than SECRET may be authorized by commanders holding the rank of lieutenant colonel or above (or comparable civilian director), based upon their determination that the risk is acceptable (see chap 8).
c. A vault is a security container in and of itself. Therefore, material stored in a vault is in a security container, regardless of whether it is on a shelf, in a file cabinet, or in a GSA approved security container.

222. Army Key Management System
a. The AKMS will move the Army from paper-based keying material (physical key), centrally produced and distributed throughout the world via DCS, to electronic key, generated by the Central Facility or locally, and when necessary, distributed electronically to the user.
b. The AKMS work stations are identified by account numbers. When these workstations are fielded to locations where a COMSEC account presently exists, a new AKMS account will be established and the old account assets will be automatically transferred to the AKMS account at a subsequent date as determined by CSLA. When a workstation is fielded to a location that does not currently have an account, one will be established. The commander will ensure that the minimum security requirements for a COMSEC account identified in this regulation and in TB 38041 are met. Verification will be provided to CSLA in accordance with procedures in TB 38041.
c. There will be NO sub-accounts established under AKMS accounts. All AKMS workstations will be primary accounts. Subordination will be accomplished through the use of hand-receipt holders and the issuing of COMSEC material.
d. The AKMS workstations will be accredited in accordance with AR 38019.
e. While in operation, the AKMS workstation must be under the direct control of the COMSEC custodian or alternate and requires the same security protection as does any other computer processing information classified at the same level.
f. When not in operation, the AKMS workstation must be secured as follows:
(1) All AKMS associated cryptographic ignition key (CIK) must be removed from the workstation/cryptographic multipurpose keying permuting equipment (KOK)-22 and stored in the GSA approved security container that has been designated as the COMSEC account.
(2) In COMSEC accounts where the COMSEC facility is a secure room or vault, the workstation may be stored in an operational configuration.
(3) In accounts where the COMSEC facility is a GSA approved container, the KOK22 must be disconnected from the workstation configuration and stored in the GSA approved safe. The hard drive must be removed and stored in a GSA approved safe in accordance with AR 3805.

223. Protective technology
NSA provides state-of-the-art tamper-revealing products for information processing equipment and keying material. The level of protection obtainable from these products depends almost entirely upon the inspection and control programs conducted by users. To ensure the integrity of protective technologies, the COMSEC custodian must ensure that personnel who routinely handle or use protectively packaged keying material or tamper-sealed information processing equipment are trained in the procedures for inspection and disposal of used protective technologies (see TB 38041).

Chapter 3 Emergency Protection of COMSEC Material


31. Emergency planning

a. All COMSEC accounts located outside continental United States (OCONUS), to include Alaska, Hawaii, Puerto Rico, Guam and the Virgin Islands must have an emergency plan. For COMSEC accounts located in CONUS, emergency plans are optional. For COMSEC accounts in organizations that are deployable, the custodian must ensure that an emergency plan is developed once the account is deployed OCONUS.

b. Planners need to consider natural disasters such as fire, flood, tornado, and earthquake, and hostile actions such as enemy or terrorist attack, mob action, and civil disturbances. For natural disasters, planning will usually be oriented toward secure storage. Planning for hostile actions and civil disturbances will usually consider actions to effectively evacuate or destroy the COMSEC material (see TB 38041). Each plan may vary according to the geographic area involved.

32. Planning for disasters

These plans must take into account the possibility of natural disasters (for example, floods, earthquakes, and so forth) and man-made disasters, such as fire and explosions. Effective planning must provide for:

a. Fire reporting and initial fire fighting by persons on duty. In most cases, this will be a part of the normal fire emergency plan for the building that houses the account and need not be prepared as a separate document.

b. Assignment of on-the-scene responsibility for ensuring access control of all COMSEC material.

c. Securing or removing COMSEC material and evacuating the area.

d. Access control of material when emergency crews are admitted into the area.

e. Assessing and reporting probable exposure of COMSEC material to unauthorized persons during the emergency.

f. Post-emergency inventory of COMSEC material and reporting of any losses or unauthorized exposures (see para 36).

33. Planning for hostile actions and civil disturbances

These plans must take into account the types of situations that might occur, such as an ordered withdrawal over a specified period of time, an unstable political environment where destruction must be done discreetly to avoid adverse reactions, or situations where being overrun by a hostile force is imminent. Such planning must provide for the following:

a. Assessing the probability of occurrence of various types of hostile actions and of the threat that these potential emergencies could pose.

b. Availability and adequacy of physical protective measures, such as perimeter controls and physical defenses for fixed, mobile, or transportable facilities where COMSEC material is being used.

c. Security procedures and the assets to effect evacuation of COMSEC material under emergency conditions, including an assessment of the probable risks associated with evacuation. Except when there will be an urgent need to restore secure communications after relocation, key should be destroyed rather than evacuated.

d. Destruction facilities and procedures for effecting secure emergency destruction of COMSEC material, including an adequate supply of destruction devices, electrical power, adequately protected destruction areas, and sufficient personnel.

e. Precautionary destruction of COMSEC material, particularly maintenance manuals and key, which are not operationally required to ensure continuity of operations during the emergency. In a deteriorating situation all full maintenance manuals should be destroyed. When there is not time under emergency conditions to completely destroy such manuals, every reasonable effort must be made to remove and destroy the sensitive pages containing cryptographic logic.

f. Emergency procedures should be planned for establishing external communications. Communications should be limited to the minimum necessary. When there is warning of hostile intent and physical security protection is inadequate to prevent overrun of the facility, secure communications should be discontinued in time to do a complete destruction.

34. Preparing the emergency plan

a. The COMSEC custodian should prepare the emergency plan. If the plan calls for destroying the COMSEC material in place, all emergency destruction material, devices, and facilities must be readily available and ready to use. If the plan calls for emergency evacuation, a location must be identified and a route or routes mapped out in advance, transportation arranged for, and so forth. The plan must be realistic and workable and must address all goals. It must agree with or be a part of the command, installation, or activity Basic Emergency Plan (BEP).

b. The following must be included for an effective plan:
(1) Clearly and concisely describe duties. Everyone must understand the plan and be able to implement and perform all actions.
(2) Provisions for either secure storage, evacuation, or destruction of all COMSEC material. Planners must consider which of these options may be applicable to their facility, either alone or in combination.
(3) In those instances where the plan calls for actions that require resources in addition to those within the COMSEC account, the custodian must ensure that coordination has been performed and written agreements are in place as necessary (for example, to secure a vehicle, for storage space at an alternate location, and so forth).

35. Rehearsing the plan

a. The plan should be rehearsed frequently to ensure that everyone, especially newly assigned personnel who might have to take part, will be able to carry out their duties. When necessary, the plan should be changed based on the lessons learned during the rehearsal. Rehearsals will be documented (date of rehearsal, what was rehearsed, and who participated) and the documentation made available to inspectors and auditors.

b. At CONUS locations where emergency plans have been developed, the plan will be rehearsed at least semiannually.

c. In OCONUS locations, the plan will be rehearsed at least quarterly.

d. In high-risk areas, the custodian will review the plan with all account personnel monthly, and conduct a rehearsal at least quarterly.

e. Each rehearsal may cover only a portion of the entire plan. However, the custodian will ensure that all aspects of the plan have been rehearsed at least once each year.

36. Actions subsequent to emergencies

a. Whenever emergency plans, including precautionary actions, are implemented, the Controlling Authority will be advised immediately regarding the disposition and status of their key. If any centrally accountable COMSEC material was destroyed, a destruction report will be submitted to the ACCOR. If any material was lost or compromised, an incident report must be prepared in accordance with chapter 7. This does not apply to rehearsals or dry runs conducted for the purpose of verifying the executability of emergency plans or for training personnel in their execution.

b. When the implementation of emergency plans results in the abandonment of COMSEC material, a timely, reasonable effort should be made to recover the material. The extent of this effort will be based on the likelihood of success without exposing people to undue danger. Recoverable COMSEC material will be collected and placed under the control of authorized cleared persons until disposition instructions are received from CSLA.

Chapter 4 COMSEC Facilities


41. General

The term COMSEC facility is defined in the glossary. Depending upon the functions being performed, a COMSEC facility may consist of one or more GSA approved steel filing cabinets (safes) located in a room or office (in the case of multiple safes, they must be collocated within the room or office). Or it may consist of a room, a suite of rooms, a vault, or an entire building. Security requirements for COMSEC facilities will be established based upon the functions being performed, the classification of the material involved, and the information being handled. A COMSEC facility is NOT required to store, house, or operate CCI equipment, nor is one required to operate AKMS work stations. COMSEC facilities are exempt from the physical security inspections under AR 19013.

42. COMSEC facility approval

a. The CSLA approval of a COMSEC facility is required before a custodian may request COMSEC material. CSLA will approve COMSEC facilities under the authority of this regulation. Procedures for establishing a COMSEC facility are contained in TB 38041.

b. Approval is based on an evaluation of information given in the COMSEC facility approval request (CFAR). The CFAR will state the physical protective measures and security procedures in place, to include specific TPI protection for TOP SECRET accounts, as well as that an item accounting and transaction reporting system is in force that will provide continuous accountability for all COMSEC material. The CFAR will also contain a statement that the commander has evaluated the risks to the facility and found them to be acceptable.

c. Approval for the storage of COMSEC material at sub-accounts will be granted in writing by the commander of the primary account. The basis for this approval will be the same as that in paragraph b (above). Sub-accounts do not require CSLA approval. The custodian of the primary account is responsible for maintaining a record of all sub-accounts and hand-receipt holders for which his or her account is responsible. The custodian of the primary account is also responsible for ensuring those applicable provisions of this regulation and TB 38041 are complied with by all sub-account custodians and hand-receipt holders.

43. COMSEC facility approval request

All COMSEC facility approval requests will be in memorandum format, with a completed (minus the account number that will be assigned by CSLA) DA Form 2012 attached (see TB 38041), signed by the commander requesting the facility and submitted through established MACOM command channels to CSLA for approval. All COMSEC facility approval requests for contractor accounts will have a DD Form 254 (Contract Security Classification Specifications) in addition to the DA Form 2012. A separate request will be submitted for each COMSEC facility requiring approval. Once the facility is approved, the ACCOR will establish the COMSEC account and provide the unit an account number.

44. Duration of COMSEC facility approval

a. A COMSEC facility approval remains valid as long as the physical protective measures and security procedures that were the basis for the approval remain substantially unchanged. When a COMSEC facility approval is invalidated, CSLA will stop shipment of material until the COMSEC facility approval is reinstated. When the Director, CSLA, declares that protection is inadequate, the ACCOR will direct the return of all CMCS accountable material. In those instances where the COMSEC account is contained completely in an approved GSA security container, a new approval is not required when relocating the container within the same building if the physical security standards do not change. However, a new DA Form 2012 showing the new location must be sent to the ACCOR.

b. When a COMSEC account has shown no activity for 12 months, the ACCOR will advise the unit commander, through the MACOM, that the COMSEC account is subject to being closed because of inactivity. The unit commander
will be given 60 days to justify a continuing requirement for the account. If none is provided, the ACCOR will provide disposition instructions for the CMCS accountable material and close the account.

45. Safeguarding COMSEC facilities

This paragraph prescribes the physical protective measures and security procedures for COMSEC facilities.

a. The COMSEC facilities will be located in areas that provide positive control over access. When possible, they should be away from areas such as parking lots, ground-floor exterior walls, multiple corridors and driveways, buildings or office space in which it is difficult or impossible to effect access control, or high-risk environments.

b. The COMSEC facilities established in permanent structures will be provided the required protection equivalent to the level of the classification of the COMSEC material held in that facility. The physical security standards available in appendix D of this regulation and TB 38041 will be used as guidance to establish specific construction criteria for new facilities designed to house COMSEC accounts that are large enough to require a vault.

c. When a COMSEC facility consists of a safe or series of safes, it (they) must be located in an area that provides sufficient additional protection to prevent undetected, unauthorized removal of the safes. This may be accomplished as simply as by placing the safe(s) in a room with a key lock in the door and controlling access to the keys.

d. Access to a COMSEC facility will be granted based on a person's duties, need-to-know requirement, and security clearance. A verified access list will be maintained in each COMSEC facility. Personnel not on the access list will be escorted by a responsible person whose name appears on the access list at all times while they are in the facility. All persons who require an escort must sign the DA Form 1999R (Restricted Area Visitors Register) prior to entering the facility.

e. When the facility is one or more GSA approved security containers the DA Form 1999R is not required. Because anyone requiring access to the security container must either possess the combination or be accompanied by someone who does have the combination, the custodian may use part 1 of the Standard Form 700 (Security Container Information) (which identifies those personnel to be notified in case the container is found open or unattended) as the access list as long as the names on part 1 are the same as those on part 2 (which lists those persons having knowledge of the container combination). If part 1 of the SF 700 is used as the access roster, it will not be posted on the outside of the container, but will be located on the inside of the drawer containing the lock.

f. Guards who have access to classified COMSEC material must meet the access requirements of paragraph 23. Area-control guards who cannot gain access to COMSEC material do not need to meet the requirements for access. Guards who are not U.S. citizens will only be used where it is not possible for them to gain undetected access.

g. Lock combinations to COMSEC facilities, including cipher locks used to control access, will be changed:
(1) When placed in use.
(2) Whenever an individual knowing the combination no longer requires access.
(3) When the combination has been subjected to possible compromise.
(4) When the lock is taken out of service.
(5) When any repair work has been performed on the lock.
(6) At least annually.

h. The following personally owned equipment may be introduced into a COMSEC facility with the approval of the custodian:
(1) Electronic calculators, spell checkers, wrist watches, and data diaries. If equipped with data ports, the custodian will ensure that procedures are established to prevent unauthorized connection to automated information systems.
(2) Receive only pagers and beepers.
(3) Audio and video equipment with only a playback feature (no recording capability) or with the record feature disabled or removed.
(4) Radios (receive only).

i. The following personally owned electronic equipment items are prohibited in COMSEC facilities:
(1) Photographic, video, and audio recording equipment.
(2) Personally owned computers and associated media.

j. The following U.S. Government owned or leased equipment may be introduced into a COMSEC facility only for the conduct of official duties and with the approval of the custodian.
(1) Two-way transmitting equipment.
(2) Recording equipment (audio, video, optical, and so forth).
(3) Test, measurement, and diagnostic equipment.

46. Army COMSEC supplement to DOD industrial security regulations and manuals

a. This paragraph implements, within DA, national policy concerning the release of COMSEC material to U.S. commercial contractors and the establishment and administration of Army COMSEC accounts at contractor facilities. A copy of this regulation may be given to contractors as necessary to respond to a request for proposal or to meet the requirements of a DD Form 254.

b. Applicable provisions are contained in DOD 5220.22R, DOD 5220.22M, and DOD 5220.22S.

c. In view of the objectives of DOD 5220.22R, to ensure its uniform and effective application throughout industry, the content of this section is limited to the minimum supplementation consistent with Army operations. In addition to the policy and procedures contained in the documents listed above, the instructions in paragraph d below apply.

d. Contractor installed, maintained, and operated security communications are handled as follows:
(1) Maintenance personnel assigned to maintain COMSEC equipment in fulfillment of a DA contract will be certified as meeting the formal training requirements of AR 2512. DD Form 1435 (COMSEC Maintenance Training and Experience Record) will be maintained on all maintenance personnel and validated annually.
(2) The COMSEC equipment in operational use must have all NSA mandated modifications applied.

e. Access to classified COMSEC information may be given to U.S. citizens who have been issued a final security clearance by the U.S. Government and have the need-to-know. Contractor-granted confidential clearances are not valid for access to classified COMSEC information. In addition to the above, the U.S. Army must formally authorize contractor employees access to classified COMSEC information or a key as annotated in the DD Form 254 contract. The same applies to those who install, maintain or operate COMSEC equipment for the Army. A statement that contractor personnel are subject to the DACAP should be included in the DD Form 254 Remarks section. The provisions of chapter 2 also apply.

Chapter 5 Management of Cryptosystems


51. General

A COMSEC objective of the Army is total encryption of all electrically transmitted information and data and use of electronic generation and distribution of key. Until total encryption can be achieved, COMSEC planning will include:

a. Optimum use of available telecommunications systems employing on-line COMSEC equipment for protecting all electrically transmitted information.

b. Use of manual and auto-manual COMSEC systems in those situations where on-line COMSEC equipment is unavailable or not suited for the mission.

c. Although not a COMSEC system, the use of protected distribution systems (PDS) should be considered in those situations where on-line COMSEC equipment and manual or auto-manual systems are not available or are unsuited for the mission.

52. Emergency requirements for CMCS key support

The CLSF will satisfy emergency requirements for key distributed through the CMCS from reserve stock. Controlling authorities will request emergency re-supply from their CLSF. The CLSF will notify CSLA of the re-supply. NSA will be an information addressee.

53. Stockage levels for key

a. Normally, no more than four editions of a physical key distributed through the CMCS will be held in users' accounts. Re-supply actions and unforeseen changes in usage may necessitate exceeding this level. However, a supply of six editions (to include the current effective edition) will not be exceeded without prior approval from HQDA (DAMI-CHS).

b. Six editions of an irregularly superseded physical key distributed through the CMCS may be held even though the usage rate for such material is less than one edition per month. When the usage rate is more than one edition per month, the controlling authority will establish stockage levels for a 6-month period.

54. Requests to establish cryptonets (requests for key)

a. All requests to establish cryptonets using CMCS distributed key, except SDNS and STU-III, will be validated by the next higher headquarters or MACOM before being sent to CSLA to be filled (see TB 38041). See DA Pam 2516 for ordering STU-III key.

b. The CSLA can provide assistance in determining key requirements, the most suitable cryptosystem, and the best possible cryptonetting scheme.

c. As the Army transitions to electronic key generation and distribution through the AKMS, establishing cryptonets that use a physical key will become the exception and, as such, will require specific justification. This transition will occur as follows:
(1) As units within existing cryptonets begin to transition to AKMS, they will receive compatible key (the short title will be issued in both physical and electronic form) allowing them to maintain continuity until all elements of the cryptonet are AKMS-capable.
(2) On the annual Cryptonet Evaluation Report, the CONAUTH will be required to justify any continued use of physical key.
(3) Once a complete cryptonet is AKMS-capable, the CSLA will discontinue directing the shipment of the physical key, unless the CONAUTH can justify a continued need.
(4) Any new cryptonets established after the implementation of an AKMS workstation will automatically be issued electronic key unless they have requested and received an exception to policy for physical key.
(5) Director, CSLA, will be the approving authority for all requests for physical key.

55. Issue of key

a. The controlling authority will establish the amount of key that may be issued to users. Only that amount necessary to satisfy the immediate operational requirement, consistent with local re-supply capabilities, should be issued.

b. Issue to users may be in whole editions, an extract of an edition, or a key tape segment. The issue of segments from a key canister is discouraged as it defeats the tamper protection provided by the canister.

c. Editions or extracts (segments) of editions to be carried on special purpose aircraft (such as airborne command posts) will be limited to the amount needed for the mission.

56. Use of a classified key

In cases of operational necessity, key may be used to encrypt information classified one level higher than the classification of the key. For example, confidential key may be used to encrypt secret information. Operational necessity will not be construed to apply to situations of a continuing nature. In emergency situations, key that provides the greatest security protection available should be used to protect classified information, regardless of its classification. Key that is not classified will not be used to pass classified information. Classified key will not be downgraded or declassified without specific written authorization from the CONAUTH.

57. So-called used key

Key tape segments that have been removed from their canisters and used to load an electronic fill device are referred to as used key. This does NOT mean that the key is superseded. It remains operational (or in some cases, future) key until it reaches the end of its crypto period. Unless the system security doctrine for the key states otherwise, these segments should be destroyed immediately after a successful load has been attained. The duplicate segments may be maintained (for example, for use in cold start situations), at the discretion of the user or the CONAUTH, until scheduled supersession of the key occurs.

Chapter 6 Audits, Inspections, and Assessments


61. General

Command COMSEC inspections and CSLA COMSEC audits/inspections will be conducted as outlined in this chapter. In addition, frequent inspections or checks of the account by assigned personnel are strongly recommended.

62. Command COMSEC inspections

The command COMSEC inspection is the backbone of the Army's efforts to ensure that COMSEC material is properly protected. The inspector must ensure that COMSEC material is being used, stored, distributed, destroyed, and accounted for under this regulation and TB 38041. In situations where great distances separate various elements of a MACOM, making command inspection visits impractical, the MACOM should obtain assistance from qualified COMSEC inspectors within the geographical areas.

a. Frequency of command inspections (see app E). The frequency of command inspections will be determined by the MACOM based on sound risk-management principles. The following factors will be used in determining which accounts to inspect.
(1) The results of the last command inspection and CSLA COMSEC audit/inspection. Accounts achieving unsatisfactory results will be more likely to be inspected sooner.
(2) The type and amount of material (especially paper-based key) held in the account and the sensitivity of programs supported by the account. The larger the account, the more sensitive the programs supported, the more likely the account is to be inspected.
(3) The threat in the geographic location of the account. Those accounts in higher threat areas should be inspected more frequently.
(4) The number and type of COMSEC incidents occurring since the last inspection and the actions taken to correct
the problems. The larger the number of incidents or the more serious the incidents are (for example, an evaluation of compromise versus no compromise), the more likely the account is to be inspected.
(5) The training and experience level of the COMSEC custodian.

b. Selection of a command inspector. Inspectors play a significant role in the Army's efforts to protect its COMSEC key and, thus, the information it encrypts/protects. Command inspectors must be selected based on their experience and knowledge of COMSEC policy and procedures. The command inspector must be familiar with COMSEC procedures contained in this regulation and TB 38041. The command inspector will be a graduate of the TRADOC approved Standardized COMSEC Custodian Course and have prior experience, either as a COMSEC inspector or as a custodian. Command inspectors must meet the unwaived grade requirements for COMSEC custodians and be appointed in writing (see para 14g).

c. Records of inspections. The inspection checklist in TB 38041 should be used as a guide for command inspections. The results of the command inspection will be recorded on a memorandum. The results of the command COMSEC inspection will be maintained on file according to AR 254002 until the results of the next command inspection are received. A copy will be provided to the unit commander and the MACOM Information Systems Security Program Manager (ISSPM).

d. Discrepancies. Discrepancies discovered during command inspections must be reconciled within 30 days after receipt of the inspection report. A reply by endorsement will be forwarded to the command inspector, with a copy furnished to the MACOM ISSPM.

63. CSLA COMSEC audit/inspections

The formal CSLA COMSEC audit/inspection is the Army-wide vehicle to certify and validate central accountability and proper safeguarding and control of COMSEC material. The CSLA will conduct audit/inspections of Army COMSEC accounts (to include sub-accounts and hand receipts as necessary) under the provisions of this paragraph. COMSEC accounts that hold both CMCS accountable COMSEC material and material governed by CJCSI 3260.01 are subject to CSLA audits of the Army CMCS accountable material. Auditors will comply with CJCSI 3260.01 and obtain approval from controlling authorities and the commander of the account prior to visiting the account.

a. Conduct of CSLA audit/inspections. The CSLA audit/inspections will be conducted on an aperiodic, event-driven basis. Frequency of audit/inspections will be based on sound risk management principles as discussed below, except that all accounts that hold COMSEC key classified TOP SECRET (this does NOT include unclassified STU-III seed key capable of accessing a TOP SECRET circuit) will be audited at least once every 48 months. Accounts will not be audited/inspected more frequently than every 12 months, unless directed by the Office of the Deputy Chief of Staff for Intelligence (ODCSINT) (DAMI-CHS) or requested by the MACOM of that account.
(1) Factors to be used in determining how frequently to audit/inspect an account include, but are not limited to:
(a) The results of prior CSLA COMSEC audit/inspections.
(b) The type and amount of material held in the account and the frequency of use.
(c) The threat in the geographic location of the account.
(d) The number and type of COMSEC incidents occurring since the last audit and actions taken to correct them.
(e) The training and experience level of the command inspector and the COMSEC custodian.
(f) Recommendation of the MACOM.
(2) Detailed procedures, criteria, and reporting instructions are in TB 38041. Audit/inspections will include, at a minimum, a total physical inventory of all COMSEC material charged to the account (to include sub-accounts and hand receipted material) and an examination of the following:
(a) Physical security measures in effect.
(b) COMSEC material management.
(c) Unit COMSEC operating procedures, security training, and level of general COMSEC awareness.
(d) Equipment maintenance management, to include verification of required modifications.
(e) Record of the last command COMSEC inspection and CSLA audit/inspection.
(f) Check of accounting records.

b. Notification of audit/inspection. CSLA COMSEC audit/inspections will be announced approximately 45 days in advance. However, in unusual situations, CSLA may perform an unannounced audit/inspection. The decision to do this will be coordinated with the affected MACOM in advance. In this case, the Director, CSLA, will provide the audited unit with a memorandum (hand carried) identifying the auditor/inspector(s) and the reason the audit/inspection is unannounced.

c. Actions prior to audit/inspection. Upon notification of a CSLA COMSEC audit/inspection, the commander of the unit whose account is to be audit/inspected will ensure the primary and/or alternate custodians are available during the scheduled audit/inspection. The CSLA will be notified by the commander within 5 working days from initial receipt of the notification if neither the custodian nor alternate will be available. No more than 30 days prior to an audit, custodians will provide a semiannual inventory report (SAIR) to their sub-accounts and validate all hand receipts.

d. CSLA auditor/inspectors. Qualified personnel who have been certified by the Director, CSLA, as COMSEC


auditor/inspectors will perform CSLA COMSEC audit/inspections. Certification of both military and civilian personnel is authorized. The CSLA COMSEC auditor/inspectors must meet the unwaived grade requirements for COMSEC custodians (see para 2-2).
e. Audit/inspection results.
(1) Reports of CSLA COMSEC audit/inspections will be forwarded to the command within 45 days of the audit/inspection. Accounts will be rated as either satisfactory, marginal, or unsatisfactory, based on the auditor/inspector's evaluation of all factors involved. Generally, the ratings will be based on the following:
(a) A satisfactory rating indicates the auditor/inspector found both the security and accountability of the COMSEC material to be acceptable, even though minor discrepancies may exist.
(b) A marginal rating indicates the auditor/inspector found numerous deficiencies, usually of an administrative nature, that do not directly impair the accountability or security of the material (for example, the requirement control symbol (RCS) left off the SF 153 (COMSEC Material Report); files being maintained beyond their cutoff dates; and so forth). However, they do reflect a failure on the part of the custodian to pay sufficient attention to detail, and they indicate a potential for more serious problems in the future.
(c) A rating of unsatisfactory indicates the auditor/inspector found serious problems such as the possible loss of accountability of COMSEC material or several deficiencies that directly impair accountability or security of the material in the account (for example, unreported COMSEC incident involving loss of accountability; custodian fails to submit necessary accounting records to the ACCOR; unauthorized lock being used to secure classified COMSEC material; and so forth).
(2) All discrepancies must be reconciled within 30 days of receipt of the report and a reply by endorsement forwarded to CSLA, with an information copy to the MACOM ISSPM.
For Reserve and National Guard units, discrepancies will be resolved within 90 days after receipt of the report. The results of the COMSEC audit/inspection will be maintained on file according to AR 25-400-2 until the results of the next audit/inspection are received.

6-4. Annual COMSEC assessment
The CSLA will prepare an annual assessment of the state of COMSEC operations within the Army. This report will be derived from the results of CSLA audit/inspections, COMSEC Incident Monitoring activities, and any special COMSEC assessments performed during the year.
a. The assessment will include the following:
(1) Total number of COMSEC accounts in the Army.
(2) Number of accounts audited during the year (CONUS and OCONUS) and why they were selected.
(3) Number of accounts that received an UNSATISFACTORY rating and a discussion of the most prevalent reasons for the rating.
(4) Number of accounts that received a MARGINAL rating and a discussion of the most prevalent reasons for the rating.
(5) Discussion of the most common findings in the audits.
(6) Comparison with the previous 2 years to identify any trends.
(7) Total number of COMSEC incidents reported during the year (CONUS and OCONUS).
(8) Number of incidents that resulted in a finding of COMPROMISE or COMPROMISE CANNOT BE RULED OUT.
(9) Discussion of the most common causes of the incidents.
(10) Comparison with the previous 2 years to identify any trends.
(11) Recommendations to correct the problems noted.
(12) Other information as appropriate.
b. This assessment, covering the calendar year, will be available not later than 1 April. The report will be addressed to the Deputy Chief of Staff for Intelligence (DAMI-CHS), with copies furnished to each MACOM ISSPM.

6-5. Protective technology inspections
To ensure the integrity of protective technologies, the following inspections will be performed.
a. The custodian will inspect all protectively packaged material upon receipt, during each semi-annual inventory, and prior to opening or removal of the protective technology when required for use or maintenance.
b. The USACSLA will inspect protected TOP SECRET material at COMSEC account locations on a random basis such that 100 percent of the accounts will be inspected every 4 years. These inspections may include the use of classified and other special inspection techniques made available by NSA.
c. The USACSLA auditors will inspect protectively packaged material during audit/inspections.



Chapter 7 Surveillance
7-1. General
a. The most damaging COMSEC insecurity is the one that cannot be neutralized because the incident that caused it was not reported. All persons who are responsible for protecting COMSEC material must be able to recognize any incident that has the potential to develop into COMSEC insecurity and report it to cognizant authorities.
b. Surveillance, in this context of COMSEC, is a methodology that allows for the continuous appraisal of security standards for COMSEC material used in the Army, and the identification, reporting, evaluation, and investigation of any deviation from or circumvention of these standards.
c. The goal of surveillance is:
(1) To reduce or eliminate conditions that cause or contribute to COMSEC incidents.
(2) To minimize or negate the adverse effect of COMSEC insecurities.
d. Incidents involving signal operating instructions (SOI) material are not COMSEC incidents under this regulation. If classified, they will be reported under the provisions of AR 380-5 as a loss of classified information.
e. Incidents or insecurities that are unique to a specific cryptosystem are contained in either the NAGs, KAOs, KAMs, limited maintenance manuals, or technical bulletins or in specific DA pamphlets.

7-2. Compromises and insecurities
a. A COMSEC insecurity is any investigated or evaluated incident that has been determined as jeopardizing the security integrity of COMSEC material or the secure transmission of U.S. Government information. Any COMSEC insecurity that results in the known or presumed unauthorized access to COMSEC material is judged a compromise.
b. There are three types of COMSEC incidents, any of which may be determined to be an insecurity:
(1) Physical incidents. Any occurrence (for example, loss, theft, loss of control, capture, recovery by salvage, tampering, or unauthorized viewing, access or photography) that has the potential to result in the degradation of the security integrity of COMSEC material.
(2) Cryptographic incident. An equipment malfunction or operator or custodian error that adversely affects the crypto-security of a machine, auto-manual, or manual cryptosystem.
(3) Personnel incident. The capture, unauthorized absence, defection, attempted recruitment or control by a foreign intelligence service (FIS) entity of a person having knowledge of or access to COMSEC information or material.

7-3. Reportable COMSEC incidents
Note: AR 381-12 requires the local U.S. Army counterintelligence supporting unit to be notified of all reportable COMSEC incidents.
The following incidents will be reported to NSA, CSLA, the MACOM ISSPM, and the appropriate Controlling Authority (see TB 380-41 for reporting procedures). CSLA, as the Army's COMSEC Incident Monitoring Activity, will evaluate each to determine whether or not it is an insecurity. Production errors and reports of defective keying material are not considered COMSEC incidents. These are reported to NSA for resolution.
a. Incidents involving physical security.
(1) Loss of accountability or control of COMSEC material. Any loss of COMSEC material because of technical surveillance, combat loss, or capture, theft, and so forth. COMSEC material that had previously been reported as properly destroyed when, in fact, the material was found not to have been destroyed. COMSEC material left unsecured or unattended where unauthorized persons could have had access to it.
(2) Unauthorized access to COMSEC material. Unauthorized copying, reproduction, or photographing of COMSEC material. Unexplained removal of key from its protective packaging. Unauthorized disclosure of COMSEC material. Attempts by unauthorized persons to gain access to COMSEC material.
(3) Receipt of COMSEC material through unauthorized shipping channels. Material that shows evidence of possible tampering. Material shipped via regular mail that should have been shipped via registered mail. Unexplained lack of protective technology on equipment. Damage to inner wrappings on packages.
(4) Improper destruction of COMSEC material. Destruction without a witness or with an improperly cleared witness. Destruction by other than authorized means. One signature on a destruction certificate. Material not completely destroyed and left unattended.
(5) Unauthorized maintenance of COMSEC equipment. Maintenance by unauthorized persons. Tampering with or unauthorized modification of COMSEC equipment.
(6) Deliberate falsification of COMSEC records or reports.
(7) Loss of two-person integrity or no-lone zone for TOP SECRET keying material, except where a waiver has been granted.
(8) Any other occurrence that may jeopardize the physical security of COMSEC material or the information it protects.
b. Incidents involving cryptographic security.


(1) Use of COMSEC keying material that is compromised, superseded, defective, or previously used (and not authorized for reuse) or incorrect application of keying material, such as:
(a) Use of keying material that was produced without the authorization of NSA (for example, homemade maintenance or digital encryption standard (DES) key, homemade codes).
(b) Use, without the authorization of NSA, of any keying material for other than its intended purpose (for example, use of test key for operational purposes or use of a key on more than one type of equipment). This does not include the use of operational key for training purposes when authorized by the controlling authority.
(c) Unauthorized extension of a crypto period.
(2) Use of COMSEC equipment having defective cryptologic circuitry or use of an unapproved operating procedure, such as:
(a) Plain text transmission resulting from COMSEC equipment failure or malfunction.
(b) Any transmission during a failure or after an uncorrected failure that may cause improper operation of COMSEC equipment.
(c) Operational use of COMSEC equipment without completion of a required alarm-check test or after failure of a required alarm-check.
(3) Use of any COMSEC equipment or device that has not been approved by NSA.
(4) Discussions via non-secure telecommunications of details of a COMSEC equipment failure or malfunction.
(5) Any other occurrence that may jeopardize the crypto security of a COMSEC system.
c. Incidents involving personnel security.
(1) Known or suspected absence without leave, defection, espionage, treason, or sabotage by a person having access to or a detailed knowledge of COMSEC information.
(2) Any other occurrence that may jeopardize the security of COMSEC material or the information it protects.
d. Administrative incidents. The following administrative incidents will be reported only to the Controlling Authority and considered to be actions that jeopardize the integrity of COMSEC material:
(1) Premature or out-of-sequence use of keying material without the approval of the controlling authority, as long as the material was not reused.
(2) Inadvertent destruction of keying material or destruction without authorization of the controlling authority, as long as the destruction was properly performed and documented.
(3) Removing keying material from its protective packing prior to issue for use or removing the protective packaging without authorization, as long as the removal was documented and there was no reason to suspect espionage.
(4) Destruction of COMSEC material not performed within required time limits, provided continuous accountability and control prevented unauthorized access.
Note: Unauthorized access or any retention of CRYPTO key 30 days or more past its supersession date will be reported as a physical COMSEC incident per a above.

7-4. Types of reports
a. Initial report. This report will be submitted for each reportable COMSEC incident. When all the facts regarding the incident are included in an initial report that also contains all the information required by paragraph c below, subsequent reporting is not required. In this case, the initial report will also become the final report and will so state.
b. Amplifying report. This report will be submitted when there is new information regarding an incident for which an initial report has been submitted or every 30 days until a final report is submitted. It may also serve as a final report (see para c below).
c. Final report. This report is always required (although it may be incorporated into the initial or amplifying report when appropriate) and must always contain a summary of the results of all inquiries and investigations.
This report will include the corrective measures taken or planned to minimize the possibility of a recurrence.
d. Abbreviated reports. During ground combat operations, abbreviated reports may be submitted to report incidents involving physical security of key. This type of report will give sufficient details to enable the controlling authority to assess whether a compromise resulted. At a minimum, this type of report must answer the questions who, what, when, where, and how. Where the Controlling Authority orders an unscheduled supersession of key as a result of the incident, a subsequent complete report will be submitted, under this paragraph, as soon as possible.

7-5. Classification of COMSEC incident reports
The COMSEC incident reports will be classified according to content. Appendix B contains classification guidance. Unclassified reports will be marked FOR OFFICIAL USE ONLY and exempted from automatic disclosure under the provisions of AR 25-55, Exemption Category 7.

7-6. Regulations governing reporting
a. The COMSEC incident reports constitute official command correspondence. They will be submitted by or for the commander. Use direct channels to ensure the report is received within the required time frame. At a minimum, these reports will contain that information required by TB 380-41. Incident reports that involve Joint Staff positive control


material and devices must be addressed in accordance with requirements of CJCSI 3260.01. Reporting commands are responsible for notifying their chain of command that a COMSEC incident has occurred.
b. The discovery of possible clandestine intercept devices or the loss of COMSEC information through compromising emanations (TEMPEST) will be reported under AR 381-14 (S).
c. Suspected deliberate security compromises or possible involvement of foreign intelligence services or foreign national personnel will be reported under AR 381-12.

7-7. Report precedence and timeliness
a. Message precedence for action addressees and report submission times are indicated below. A lower precedence may be given to information addressees. Reports not submitted within the prescribed time frames will contain an explanation for the delay.
b. Initial reports for the following will be submitted within 24 hours of discovery of the incident, at IMMEDIATE precedence for ACTION addressees and ROUTINE precedence for INFORMATION addressees.
(1) Currently effective key or key scheduled to become effective within 15 days.
(2) Possible defection, espionage, clandestine exploitation, tampering, or sabotage or unauthorized copying, reproduction, or photographing.
(3) Recently (within 30 days) superseded key.
c. Initial reports for the following will be submitted within 48 hours of discovery of the incident and at PRIORITY precedence:
(1) Future key scheduled to become effective in more than 15 days.
(2) Superseded (over 30 days ago), reserve, or contingency key.
d. Initial reports of any COMSEC incident not covered in paragraphs b and c, above, will be reported within 72 hours of discovery of the incident, normally at ROUTINE precedence. However, if the incident has significant potential impact, originators should assign higher precedence.
e. Amplifying and final reports will normally be assigned ROUTINE precedence.
However, they may be assigned a higher precedence if they contain significant new information that will impact on the evaluation of the incident.
f. Initial and amplifying reports may be transmitted during MINIMIZE, but final reports should not.

7-8. Counterintelligence assessments
a. The human intelligence (HUMINT) threat to COMSEC has been documented as a continuous threat. In order to combat this threat, each reportable COMSEC incident will be reviewed to determine whether or not an assessment of foreign intelligence service involvement is required. The supporting counterintelligence (CI) unit will be notified of the incident. They will assist in making an initial determination as to whether or not a formal CI assessment is required. Refer to appendix B for classification guidance when reporting to the CI unit.
b. Suspicion or clear evidence of an incident listed below suggests foreign intelligence service involvement and must be reported as such:
(1) Attempts by unauthorized persons to obtain COMSEC information through questioning, elicitation, trickery, bribery, threats, coercion, either through direct or indirect personal contacts.
(2) Attempts by unauthorized persons to obtain COMSEC information through photographs, observation, document collection, or by other means.
(3) Unexplained or unjustifiable loss of COMSEC material, except that caused by combat or a natural disaster.
(4) Incidents or situations that appear to be deliberate circumvention of COMSEC accounting and control procedures, including falsification of destruction reports.
(5) Known or suspected acts or plots to damage or destroy COMSEC material by sabotage.
(6) Tampering with or unauthorized modification of COMSEC equipment or key.
c. Results of an informal inquiry conducted by the commander of the reporting unit will be included in either the initial, amplifying, or final COMSEC incident report.

7-9. Evaluations
a. COMSEC incidents are evaluated on the basis of information contained in the COMSEC incident reports and considerations of the security characteristics of the cryptosystem involved. Evaluations are made to determine the effect of the occurrence on the cryptosystem involved. When a cryptosystem has been declared compromised, it will not be used for further encryption unless it is operationally essential to encrypt messages before the supersession date, and another suitable system is not available. Evaluations are performed at different levels for different types of incidents. (See TB 380-41.)
b. Evaluation of a COMSEC incident will result in one of the following determinations:
(1) Compromise. This evaluation will be used when material is irretrievably lost or available information clearly proves that the material was made available to an unauthorized person. This will always be declared an insecurity.
(2) Compromise cannot be ruled out. This evaluation will be used when available information indicates that the


material could have been made available to an unauthorized person, but there is no clear evidence that it was. This may be declared an insecurity.
(3) No compromise. This evaluation will be used when information clearly indicates the material was not made available to unauthorized persons. This will not be declared an insecurity.
c. Evaluation of COMSEC incidents will be as follows:
(1) NSA will evaluate:
(a) All cryptographic and personnel COMSEC incident reports.
(b) All physical COMSEC incident reports involving keying material where the controlling authority cannot be identified.
(c) All reported COMSEC incidents concerning tampering, sabotage, evidence of covert penetration of packages, evidence of unauthorized or unexplained modification to COMSEC equipment, security containers, or vaults where COMSEC material is stored and other COMSEC material promulgated by NSA (for example, documents, algorithms, logic).
(d) Coordinate evaluation of COMSEC incidents having significant logistic impact.
(e) All reports of physical incidents involving maintenance key, cryptosystems operating and maintenance instructions and general COMSEC publications produced by NSA.
(f) Incidents involving multiple controlling authorities or more than one department or agency.
(g) All physical incidents involving a key being processed through or stored in COMSEC logistics channels that has not reached the custodian or custodians of user accounts.
(2) The Army COMSEC Incident Monitoring Activity will monitor and review all COMSEC incident reports involving Army organizations and will:
(a) Evaluate all physical incidents involving multiple controlling authorities of the same department or agency.
(b) Evaluate physical incidents involving a single controlling authority of the same department or agency when that controlling authority caused the incident.
(c) Have final adjudication authority to determine when a reported COMSEC incident has resulted in a COMSEC insecurity.
(d) Immediately report the following COMSEC incidents to the Deputy Chief of Staff for Intelligence, ATTN: DAMI-CHS:
1. Loss or theft of mission/Intertheater COMSEC Package (ICP) key.
2. Falsification of records that results in a compromise of key.
3. Any incident that may impact mission critical command, control, and communications (C3) operations.
(e) Direct additional reporting as warranted.
(3) The Controlling Authority will:
(a) Evaluate physical COMSEC incidents involving keying material they control, except as specified in paragraphs above. Controlling authorities for communications-electronics operating instructions (CEOI)/joint CEOI (JCEOI)/signal operating instructions (SOI) material will evaluate incidents as specified in AR 380-5.
(b) Inform CSLA and NSA of all evaluations.
(c) Initiate recovery actions in accordance with TB 380-41 when they believe material has been compromised.
Note: Controlling Authority responsibilities regarding COMSEC incidents are limited to initiating precautionary supersession or other recovery actions as warranted and rendering an evaluation as part of the administrative closure. Related items such as recommending disciplinary action are outside of the controlling authority's purview.

7-10. Damage assessment
a. The Controlling Authority will promptly notify all net members when net key is compromised or involved in an incident where compromise cannot be ruled out. In turn, net members will promptly notify all supported commanders that their net key has been compromised or subject to possible compromise and that all their communications occurring since that time have been or may have been affected.
b. When a supported commander is notified of a compromise involving key, that commander will determine if and to what degree the compromise affects operations. In making this damage assessment, the commander must consider the type, sensitivity, and classification of information transmitted and the vulnerability of the transmission.
Whenever the circumstances dictate, the commander will, as part of the assessment, direct a review of all messages encrypted with the compromised key and take appropriate actions. An overall review of the effects of the compromise should be made at each major headquarters and the Controlling Authority should be notified of all conclusions. Information involved in a compromise will not be automatically downgraded or declassified because of the compromise. The classified information contained therein should be reevaluated and downgraded or declassified, as appropriate, under AR 380-5, paragraph 2210.
c. The NSA will evaluate all COMSEC incidents involving SDNS and STU-III key. Reports will be addressed to DIRNSA and to CSLA.



7-11. Investigations
In certain situations, commanders may determine that an investigation of a COMSEC incident is warranted under the provisions of AR 15-6. This is the commander's prerogative. When an AR 15-6 investigation is conducted, the convening authority for the investigation will make one copy (or a summary) of the report available upon request to CSLA for use in evaluating the COMSEC incident, as well as to the appropriate MACOM headquarters.

Chapter 8 Department of the Army Cryptographic Access Program


8-1. General
The Department of the Army cryptographic access program (DACAP) governs the granting of access to classified cryptographic information that is owned, is produced by or for, or is under the control of the Department of the Army.

8-2. Program applicability
a. This program applies to all U.S. Army military personnel and civilian employees, including those assigned to the Reserve components and the National Guard Bureau, and agents of the Department of the Army, who have access to classified cryptographic information as described below. The term agents, as used herein, refers to contractors, consultants, and other persons affiliated with the Department of the Army.
b. The program also pertains to persons assigned the following duties that require continuing access to cryptographic information classified TOP SECRET. The fact that an individual has a TOP SECRET clearance or that the COMSEC account is approved for TOP SECRET material is not sufficient to meet the requirement for continuing access. Actual TOP SECRET cryptographic information must be present in the account.
(1) Communications security (COMSEC) custodians, alternates, and hand-receipt holders.
(2) Producers or developers of cryptographic key or logic.
(3) Personnel who certify or recertify cryptographic key generating equipment.
(4) Personnel who perform administrative and supply functions at locations where cryptographic keys are generated or stored (only those personnel actually having access to such materials).
(5) Personnel whose duties require keying of cryptographic equipment.
(6) Personnel who prepare, authenticate, or decode nuclear control orders (actual or exercise).
c. The program also pertains to cryptographic maintenance, engineering, or installation technicians who meet the full maintenance qualifications of AR 25-12 and have access to full maintenance manuals that contain cryptologic, regardless of their classification.
d. However, this program does not apply to individuals whose duties are to operate (not to key or maintain) systems using cryptographic equipment, nor does it apply to persons who use a KOV-14, FORTEZZA Plus Card, or a KSD-64A cryptographic ignition key to access the secure features of the SDNS or STU-III device. Further, this policy does not apply to COMSEC inspectors, investigators, or CSLA auditors unless they also fit into one of the categories in paragraph b above.
e. All Federal agencies requiring access to classified cryptographic information are required to have a Cryptographic Access Program. In situations where the Army provides COMSEC support to another DOD element or a non-DOD governmental agency, the Army COMSEC custodian providing the material will request a statement from the supported agency verifying that they are in compliance with the cryptographic access requirements of National Telecommunications and Information Systems Security Policy (NTISSP) No. 3, National Policy for Granting Access to U.S. Classified Cryptographic Information. If the custodian is unable to obtain this verification, he or she will immediately notify the Deputy Chief of Staff for Intelligence (DAMI-CHS), with an information copy to CSLA (SELCLLROM) and request guidance.

8-3. Conditions for granting access
It is Army policy that a person may be granted access to classified cryptographic information, as specified in paragraph 8-2 above, only if that person:
a. Is a U.S. citizen.
b. Is a member of the U.S. Army, a civilian employee of the Department of the Army (DA), or a DOD cleared contractor or employee of such contractor or is employed as a DA representative (including consultants of the DA).
c. Requires access (as defined in para 2-2d) to perform official duties for or on behalf of the Department of the Army.
d. Possesses a security clearance appropriate to the level of the classified cryptographic information to be accessed.
e. Receives a security briefing detailing the sensitive nature of crypto material and the individual's responsibility for protecting the crypto material (see app F).



f. Acknowledges the granting of access by signing section I of the cryptographic access certification and termination memorandum (app F).
g. Agrees to report all foreign travel and contacts in accordance with AR 380-67.
h. Acknowledges the possibility of being subject to a counterintelligence scope polygraph examination administered in accordance with the provisions of DOD 5210.48-R. No adverse action will be taken against any individual based solely on the results of a CSP.

8-4. Procedures
a. Granting cryptographic access.
(1) The COMSEC custodian is responsible for advising the commander on who should be granted cryptographic access. The custodian is also responsible for notifying the unit Security Manager when any individual no longer requires access.
(2) The unit commander is responsible for identifying those personnel requiring cryptographic access (see para 8-2 above).
(3) The unit security manager will be the unit DACAP point of contact (POC) and submit initial and update reports to the MACOM DACAP POC any time a person is added to or deleted from the program.
(4) The unit security manager will administer the cryptographic access briefing and prepare the Cryptographic Access Certification and Termination memorandum (see app F). The security manager will also be responsible for preparing the termination of access portion when an individual's access is terminated for any reason.
(5) The Cryptographic Access Certification and Termination memorandum will be retained locally for 2 years following termination of access. The memorandum will be maintained in accordance with appendix C.
(6) Any individual who refuses to sign section I of the Cryptographic Access Certification and Termination memorandum will be denied access to all classified cryptographic information.
b. Withdrawing cryptographic access. Cryptographic access will be withdrawn whenever an individual is no longer qualified for access to classified cryptographic material.
Examples include reassignment to a position not requiring access, termination of employment, suspension of access, or revocation of clearance. Whenever cryptographic access is withdrawn, the individual will be debriefed and will sign the termination of access portion of the memorandum. The security manager will complete the termination of access portion of the Cryptographic Access Certification and Termination memorandum.
(1) If the cryptographic access is withdrawn as a result of the suspension of an individual's access to classified information, the memorandum will be held in a suspense file until the case has been adjudicated.
(a) If, after adjudication by the central clearance facility (CCF), the commander decides to grant access again, the security manager will brief the individual, complete a new memorandum, and handle it according to paragraph a(4) above.
(b) If, after adjudication by CCF, the commander decides not to grant access again, the memorandum, with the termination of access portion completed, will be maintained according to paragraph a(4) above.
(2) If the individual's access is withdrawn for administrative reasons or revoked, the termination of access portion of the memorandum will be completed and the memorandum maintained according to paragraph a(4) above.
(3) Any individual who signs section I of the cryptographic access certification and termination memorandum and then later refuses to submit to the CSP exam will have his or her access suspended and will become the subject of a counterintelligence (CI) investigation. In the case of civilian personnel, when such suspension will result in removal of the individual from his or her position or involuntary reassignment to other duties, the withdrawal should be coordinated with the servicing installation labor counselor before any action is taken.
c. Polygraph notification. The INSCOM polygraph element will notify the MACOM, MSC, or FOA POC of the location, times, and number of personnel they are prepared to examine.
d. Polygraph selection. The MACOM, MSC, or FOA POC will ensure that the appropriate number of personnel are randomly selected and notified. A list of the names of the individuals selected will be provided to the supporting INSCOM polygraph element.
e. Individuals available for examination. Unit commanders will ensure that the selected individuals are available for the examination.
f. Individuals not available for examination. The INSCOM polygraph element will advise the MACOM, MSC, or FOA POC of any personnel who did not show up for the exam.

8-5. Other organizations or agencies
In instances where Army COMSEC key classified TOP SECRET is being hand receipted to personnel from other Services or DOD organizations, those personnel must be in that Service's or organization's cryptographic access program. If it is not considered feasible for them to be enrolled in the program or if that Service or organization does not have a cryptographic access program, notify HQDA (DAMI-CHS). The same applies to situations where the recipient of the key belongs to a non-DOD organization or activity.



Appendix A References
Section I Required Publications
The following publications are required for the user to understand this publication. These publications DO NOT have to be on-hand in the COMSEC account.
AR 2555 The Department of the Army Freedom of Information Act Program. (Cited in paras 75, B8.)
AR 19051 Security of Unclassified Army Property (Sensitive and Nonsensitive). (Cited in para 14.)
AR 31025 Dictionary of United States Army Terms. (Cited in paras 13, B4.)
AR 3805 Department of the Army Information Security Program. (Cited in paras 24, 27, 216, 217, 222, 79, 710.)
AR 38019 Information Systems Security. (Cited in paras 14, B11.)
AR 38067 The Department of the Army Personnel Security Program. (Cited in paras 23, 83.)
AR 7102 Inventory Management Supply Policy Below the Wholesale Level. (Cited in paras 11, 14, 24.)
AR 7103 Asset and Transaction Reporting System. (Cited in paras 11, 14.)
DA PAM 19051 Risk Analysis for Army Property. (Cited in para 14.)
DOD 4500.9R, Part II Defense Transportation Regulation (Cargo Movement). (Cited in paras 217b(1) and 217d.)
FAA Advisory Circular 1083 Screening of Persons Carrying U.S. Classified Material. Obtain from the U.S. Government Printing Office. (Cited in para 217j(2).)
Joint Publication 102 Department of Defense Dictionary of Military and Associated Terms. (Cited in paras 13, B4.)

Section II Related Publications
A related publication is a source of additional information. The user does not have to read a related publication to understand this regulation.
AR 156 Procedures for Investigating Officers and Boards of Officers.
AR 2512 Communications Security Equipment Maintenance and Maintenance Training.
AR 254002 The Modern Army Recordkeeping System (MARKS).



AR 19011 Physical Security of Arms, Ammunition and Explosives.
AR 38010 Technology Transfer, Disclosure of Information and Contacts with Foreign Representatives.
AR 38112 Subversion and Espionage Directed Against the U.S. Army (SAEDA).
AR 38114(S) Technical Surveillance Countermeasures (TCI) (U).
AR 38120 The Army Counterintelligence Program.
AR 7355 Policies and Procedures for Property Accountability.
AR 735112/DLAR 414055/SECNAVINST 4355.18/AFR 40054 Reporting of Item and Packaging Discrepancies.
AR 7501 Army Material Maintenance Policy and Retail Maintenance Operations.
ARKAG 1 (S) Status of COMSEC Aids Material (U).
DA Pam 253802 (FOUO) Security Standards for Controlled Cryptographic Items.
DA Pam 2516 Security Procedures for the Secure Telephone Unit, Third Generation (STU III).
DA PAM 2535 (C) Military Publications Index of Communications Security (COMSEC) (U).
DCID 1/21 Physical Security Standards for Sensitive Compartmented Information Facilities (SCIF).
DOD 5220.22M National Industrial Security Program Operating Manual.
DOD 5210.48R Polygraph Program.
DOD 5220.22R Industrial Security Regulation.
DOD 5220.22S COMSEC Supplement to Industrial Security Manual for Safeguarding Classified Information.
DODD 5205.8 Access to Classified Cryptographic Information.
TB 38041 (FOUO) Procedures for Safeguarding, Accounting and Supply Control of COMSEC Material.
RCS CSGID131 Cryptosystems Evaluation Report.



Section III Prescribed Forms
This section contains no entries.

Section IV Referenced Forms
DA Form 112R Management Control Evaluation Certification Statement
DA Form 1999R Restricted Area Visitors Register
DA Form 2012 COMSEC Account Data
DD Form 254 Contract Security Classification Specification
DD Form 1435 COMSEC Maintenance Training and Experience Record
SF 153 COMSEC Material Report
SF 700 Security Container Information

Appendix B Classification Guidelines for COMSEC Information


B1. Purpose
This appendix provides classification guidance for COMSEC information.

B2. Applicability and implementation
The information contained in this appendix is applicable to all persons who classify, mark, or handle COMSEC information. The information contained in this appendix will be given appropriate dissemination on a need-to-know basis. In instances where more stringent classification guidance exists (for example, in system-specific security guidance), that guidance will be used. All classification guidance for contractors is to be provided by DD Form 254. Queries concerning COMSEC-related topics or subjects should be directed to HQDA (DAMICH).

B3. Duration
Unless a particular item of COMSEC information will become declassified at a particular time or following a specific event, the guidance prescribed herein has indefinite duration. Information classified according to this appendix will be marked:
DERIVED FROM: NTISSI NO. 4002, CLASSIFICATION GUIDE FOR COMSEC INFORMATION (S): DATED 5 JUNE 1986.
DECLASSIFY ON: X1
In those instances where documents are prepared from multiple sources, the declassification date or event that provides the longest period of classification will be used.

B4. Definitions
The definitions contained in AR 31025 and Joint Pub 102 apply to this appendix, with the exception of the terms CRYPTO and COMSEC crypto-algorithm, which are defined as follows:
a. CRYPTO. A marking or designator identifying all COMSEC key used to protect or authenticate telecommunications carrying classified national security information and sensitive, unclassified U.S. Government or U.S. Government-derived information, the loss of which could adversely affect national security interests.
b. CRYPTO-algorithm. A well-defined procedure or sequence of rules or steps, or a series of mathematical equations used to describe cryptographic processes such as encryption/decryption, key generation, authentication, signatures, and so forth.



B5. CRYPTO-marked information
The following guidance is provided with respect to the marking CRYPTO:
a. Documents, correspondence, messages, memoranda, publications, reports, and specifications will not be marked CRYPTO unless they contain cryptographic key.
b. In documents that require the CRYPTO caveat, the caveat will appear at the bottom of each page, immediately following the classification. Marking CRYPTO will always be capitalized.

B6. Foreign release
COMSEC information in any form is not releasable to foreign nationals unless specifically authorized. Requests for release will be forwarded through command channels to HQDA (DAMICHS). When a determination has been made that there is a risk of unauthorized foreign access to specific classified COMSEC material or when a specific prior determination has been made that the material will not be released, it will be marked NOT RELEASABLE TO FOREIGN NATIONALS or NOFORN. Regardless of the presence or absence of the NOFORN marking, no COMSEC material or information may be released to a foreign nation, foreign national, or an international organization without the express permission of HQDA (DAMICHS).

B7. COMSEC equipment and related documentation
The classification of all COMSEC equipment used to protect or authenticate classified national security information, other sensitive but unclassified U.S. Government or U.S. Government-derived information, or transmission security processes is determined by NSA. Guidance for the classification and marking of such equipment and the documentation associated with their development, production, maintenance, and use are set forth below.
a. Documentation pertaining to cryptographic logic. In development contracts, documentation pertaining to cryptographic logic, including crypto-algorithms and any associated software coding, will normally be classified SECRET and declassified upon the determination of the originating agency.
b. Production of unclassified COMSEC equipment. Production of unclassified COMSEC equipment is normally done in uncleared contractor facilities. However, in production contracts, documentation pertaining to the cryptographic logic of such equipment will be classified at least CONFIDENTIAL and will be declassified only upon the originating agency's determination.
c. Production of classified COMSEC equipment. Production of classified COMSEC equipment must be done in cleared facilities. In production contracts, documents pertaining to the cryptographic logic of such equipment will be classified at least at the level of the associated equipment and will be declassified only upon the originating agency's determination.
d. Full maintenance manuals. COMSEC software and other technical documentation that provide detailed schematics or descriptions of the cryptographic circuits of specific cryptosystems will be classified at least CONFIDENTIAL and will be declassified only upon the originating agency's determination.
e. Items impossible to physically mark. Because of the size or configuration, it may be impossible to physically mark certain COMSEC items with the required classification authority and declassification notice. In such cases, these notices will be included on the associated documentation or package.

B8. Application of the marking FOR OFFICIAL USE ONLY
The marking FOR OFFICIAL USE ONLY (FOUO) is to be used only for information that may be withheld from the public for one or more reasons cited in AR 2555. The marking FOUO will be applied to unclassified COMSEC information (according to AR 2555) when the preparing organization determines that such information qualifies for the FOUO marking under the Freedom of Information Act (FOIA). The acronym FOUO is to be used for individual paragraphs when required and for electronic communications. The marking FOUO should be considered for the following types of unclassified information:
a. Narrative technical information on the characteristics of COMSEC equipment.
b. Indications of new COMSEC developments.
c. Any COMSEC planning, programming, and budgeting information.
d. Specifications and purchase descriptions pertaining to COMSEC equipment or the support of unique COMSEC requirements.
e. Publications on ancillary equipment developed exclusively for use with COMSEC equipment.
f. Handling instructions and doctrinal information relating to COMSEC material.
g. Manual cryptosystems produced exclusively for sample and unclassified training purposes.
h. Unclassified COMSEC material reports (SF 153).

B9. Compilation of unclassified COMSEC information that may warrant classification
When unclassified COMSEC information is assembled for publication, good judgement must be exercised by the preparing organization in deciding whether such information in the aggregate needs classification before publication.



The classification authority should carefully weigh the value of COMSEC information to hostile intelligence organizations and consider whether access to the information would assist these organizations in deploying their collection and analytical resources in exploitation efforts, especially when the information contains details about new systems employing COMSEC equipment. Following are examples of compilations of unclassified information that may require a minimum classification of CONFIDENTIAL.
a. Detailed planning and implementation information on COMSEC equipment to be deployed. Additionally, planning or operational information that could be used by foreign intelligence activities for targeting.
b. Information on crypto systems, equipment, components in development or to be fielded together, with amplifying details such as how, when, where, and why the equipment is to be deployed and used.
c. Complete parts list for COMSEC equipment.
d. A complete or substantially complete listing of unclassified short and long titles of equipment in the department or agency COMSEC inventory and their supporting documents.
e. Compilations of narrative technical information describing the characteristics and functions of classified COMSEC equipment.
f. Total COMSEC program and budget information for individual departments and agencies.

B10. Key classification
Normally, key will be assigned a classification equal to the highest classification of the information to be encrypted.

B11. COMSEC classifications
a. General.
(1) Operational, exercise, and training key being used where information is transmitted using telecommunications. Classify based on content of information protected. They are marked CRYPTO.
(2) Training key being used in a classroom or other situations where information is not transmitted. Classify based on content of the information protected. Usually the key is marked to resemble operational key with the note FOR TRAINING ONLY.
(3) Test key for on-line testing of equipment. Classify based on net circuitry or intended level of information and equipment parameters protected. It is marked CRYPTO.
(4) Maintenance key for off-line or in-shop use. Classify based on intended level of information and equipment parameters being protected.
(5) Sample key for demonstration use. Classify based on content. Normally it is marked to resemble operational key.
(6) Cryptographic ignition key. UNCLASSIFIED.
b. Crypto equipment characteristics.
(1) Information that reveals that an equipment encrypts or decrypts or conforms to Military Standard (MILSTD) 188 or the fact that equipment has anti-jam or low probability-of-intercept (LPI) capability is UNCLASSIFIED.
(2) The fact that a COMSEC equipment item has an anti-depth or anti-spoof capability is CONFIDENTIAL.
(3) Identification of a particular COMSEC equipment item with a particular system is unclassified FOUO.
(4) Interface control documents or specifications that include descriptive amplifying information regarding COMSEC functions, rules or motion, internal activities, and security techniques are classified at the level of the equipment cryptologic.
(5) Information indicating that a specific COMSEC equipment item employs a cover named cryptographic logic is UNCLASSIFIED.
(6) Information concerning COMSEC equipment if it reveals or can be associated with any of the following types of information about an equipment item:
(a) Specific cryptologic details and parameters information is SECRET.
(b) Specific anti-tamper and anti-tapping design details and parameters information is SECRET NOFORN.
(c) Reasons for certain design features information is SECRET NOFORN. It may bear higher classification than the details of the design.
(7) Information concerning test equipment (for example, factory, field, or depot test equipment) reflecting any of the information covered in paragraph (6) above is classified SECRET.
(8) Magnetic media (for example, core memory disks, drums, tapes) that have held key designated CRYPTO must retain the highest classification of any information previously recorded on them. They cannot be declassified.
(9) Magnetic media that have never held key designated CRYPTO may be declassified using the procedures in AR 38019.
(10) Classify information as SECRET, including photo masters, drawings, etched boards, and diagnostic test routines of classified COMSEC equipment and components, such as printed circuit boards, modules, and so forth, if the information reveals the same as may be obtained from an examination of the complete component.
(11) The fact that a randomizer is used in a specific COMSEC equipment or crypto algorithm is unclassified FOUO.
(12) The randomizer itself and documentation that reveals the complete design are CONFIDENTIAL.


c. Computer cryptographic system characteristics.
(1) The fact that a computer performs a COMSEC function, such as encryption, decryption, authentication, or control of a piece of COMSEC hardware, is UNCLASSIFIED.
(2) Classification of the details of a specific computer crypto algorithm interface program will be determined by HQDA (DAMICHS) on a case-by-case basis.
(3) Specific details and parameters of computer crypto-algorithms or information that reveals the exact length of key is classified SECRET.
(4) Computer crypto algorithm diagnostic checks are classified a minimum of CONFIDENTIAL.
(5) The classification of access control techniques, such as passwords and authentication systems, is determined by HQDA (DAMICHS) on a case-by-case basis.
d. Usage.
(1) Implementation or supersession dates of:
(a) A single item of classified key marked CRYPTO are classified CONFIDENTIAL unless specified otherwise in an operating instruction or other document.
(b) A general or instructional COMSEC publication is unclassified for official use only.
(2) Circuit status information is classified as follows:
(a) Information pertaining to a single sealed authenticator for use in command and control is classified SECRET.
(b) Circuit status charts that reveal crypto-periods of classified key are unclassified FOUO unless specified otherwise in an operating instruction or other document.
(c) Filled in operational key card book covers and key list certificates of use of a classified key are CONFIDENTIAL unless specified otherwise in an operating instruction or other document.
(3) The identification of COMSEC material suspected of being compromised is classified CONFIDENTIAL, unless it pertains to two-person control material, in which case it is classified SECRET.
(4) Cryptoperiods-related information revealing the length of a cryptoperiod of classified COMSEC key is normally unclassified FOUO. However, NSA may classify non-standard or special cryptoperiods.
(5) Information that reveals only the specific application of an equipment item (for example, to secure the communications of a specific network or command) is UNCLASSIFIED.
e. Weapons and space systems.
(1) The fact that NSA or one of the Service cryptologic elements is associated with a space or weapons system, that a space or weapons system has a cryptographic capability, or the identification of a specific COMSEC equipment by short title with a specific space or weapons system is unclassified FOUO. The mere existence of certain space and weapons systems is classified.
(2) Details or amplification of the cryptographic capabilities, characteristics, or limitations of a specific space system are classified SECRET NOFORN. Depending upon the details or amplification, the classification may be TOP SECRET NOFORN.
(3) The exact location of a satellite or weapons system containing classified COMSEC hardware following reentry into the earth's atmosphere is SECRET NOFORN.
(4) Details or amplification of the cryptographic capabilities, characteristics, or limitations of a weapon system are CONFIDENTIAL NOFORN.
(5) Information revealing the extent of support furnished by NSA for a specific space system is SECRET NOFORN at a minimum and, depending upon the program involved, may be TOP SECRET.
(6) Information revealing the extent of support furnished by NSA for a specific weapons system is SECRET unless specifically downgraded.
(7) Information or evaluation revealing the vulnerability of a weapons system's COMSEC subsystem and associated storage media is TOP SECRET NOFORN.
(8) Launch evaluations of weapons systems and COMSEC sub-systems that reveal weaknesses or threats that may be applicable to other weapons systems are TOP SECRET NOFORN.
(9) Evaluations that reveal the vulnerability of a space COMSEC system to cryptanalysis are TOP SECRET NOFORN.
f. Abandonment and recovery of COMSEC material.
(1) The location of a recovery area when release of the location is essential to save or protect human life is unclassified FOUO. The location is releasable to any person or nation by any communications means that will expedite the search and rescue efforts. The fact that COMSEC material may be recoverable should not be mentioned in the communication.
(2) The fact that key or keyed COMSEC equipment of a particular site or element may have been compromised is CONFIDENTIAL. It may be transmitted in the clear if essential to emergency supersession actions to minimize damage from compromise and if no secure communications means is available.
(3) The location of recovery or abandonment area when key or keyed COMSEC equipment is involved is classified at the same level as the key involved, when preservation of life is not an issue.


(4) The location of recovery or abandonment area for classified COMSEC equipment or logic is SECRET when the preservation of life is not an issue.
(5) The location of recovery or abandonment area of unkeyed CCI and CONFIDENTIAL COMSEC aids is CONFIDENTIAL, when preservation of life is not an issue.
g. Security fault analysis, cryptanalysis, crypto key extraction, and tampering or bugging.
(1) The classification of the terms security fault analysis, cryptanalysis, failure modes and logic effects, key extraction analysis, and tampering or bugging analysis, as well as their definitions, is UNCLASSIFIED.
(2) The statement that equipment may contain security fault deficiencies without mentioning specific deficiencies or effects is CONFIDENTIAL.
(3) Statements and details about specific unremedied weaknesses of COMSEC equipment or functions within a system, including specific vulnerabilities to cryptanalysis, TEMPEST, exploitation, tampering, key extraction, security fault analysis, and so forth are TOP SECRET NOFORN.
(4) A statement about the types of security fault deficiencies and their effects is SECRET NOFORN.
(5) The statement, without giving details, that a particular equipment has a cryptanalytic weakness is SECRET NOFORN.
(6) The statement, without giving details, that the security life of a particular equipment (including CCI) extends to the year (xxxx) is SECRET NOFORN.
(7) A statement about the types of key extraction and/or tampering or bugging attacks is SECRET NOFORN.
(8) The statement that a specific equipment contains no security fault deficiencies or that a specific equipment is not vulnerable to key extraction or tampering and bugging attacks is UNCLASSIFIED.
(9) The statement, without details, that a specific equipment contains security fault deficiencies or that a specific equipment is vulnerable to key extraction or tampering and bugging attacks is SECRET NOFORN.
(10) The description of types of attacks related to key extraction or tampering and bugging without mentioning specific equipment (in its pre-production phases of development) contains security fault deficiencies is SECRET NOFORN.
(11) The statement, giving details, that a specific equipment (in its pre-production phases of development) contains security fault deficiencies is SECRET NOFORN.
(12) The statement giving details that a specific equipment contains security fault deficiencies, information revealing specific components or circuits within a specific equipment designed to protect against security fault deficiencies, or security fault analysis type information that reveals specific information about cryptanalytic attacks on equipment is TOP SECRET NOFORN.
h. COMSEC records and reports.
(1) Production records or forms for classified key when these indicate the material by short title, copies per edition, quantity produced, and so forth but not the effective date are UNCLASSIFIED. Compilations of these records or forms are also UNCLASSIFIED.
(2) Lists of COMSEC material that are not crypto holdings (inventories) are UNCLASSIFIED.
(3) Inventory reports of COMSEC material that list only unclassified material, and all negative inventory reports, are UNCLASSIFIED.
(4) Individual accounting reports (for example, transfer, possession, destruction) and individual accounting reports involving DOD contractors are normally UNCLASSIFIED, unless the reports contain classified addresses or classified information in the remarks block. Reports relating to material controlled by CJCSI 3260.01 will be classified CONFIDENTIAL. If the effective material is designated the classification will be SECRET.
(5) Administrative or managerial reports containing information relative to total inventory of a specified classified COMSEC equipment held by a department or agency are normally CONFIDENTIAL. Depending on the holdings, they may be SECRET or unclassified FOUO.
(6) COMSEC audit reports and command COMSEC inspection reports that show no discrepancies with the crypto holdings or that describe poor procedures or conditions that cannot be used to breach facility security are unclassified FOUO.
(7) Reports that contain information that could be used to mount a physical, cryptographic, TEMPEST, communications intelligence (COMINT) or HUMINT attack against a facility or its personnel are classified a minimum of CONFIDENTIAL.
(8) COMSEC incident reports, audit reports, and other accounting reports will be classified according to content. Unclassified reports will be marked FOUO.

Appendix C Records Management



C1. Records identification as a part of doing business
a. Complying with Federal law. When performing the duties specified in this regulation, all soldiers and Army employees must comply with section 3101, title 44, U.S. Code. This statute requires that essential evidence of operations be preserved. The functional proponent and the Records Management Program analysts from both the Army and the National Archives identify that information that qualifies as essential evidence of operations and how long it must be retained. Detailed information and the criteria or definition of the types of information to be saved are provided below. If someone discovers or creates information that fits the criteria of information to be saved but is not included in this appendix, he or she must save the information and notify the command records manager.
b. Important information to be saved. The following information is deemed important record material that must be turned in to the Records Management Program for long-term preservation. This requirement applies whether the information is in hard copy or electronic format. (See AR 254002 for detailed information on how to transfer important records.)
(1) All information specifying the policy, procedures, and instructions on carrying out the Army's COMSEC and SIGSEC operations program to include:
(a) SIGSEC management files such as long-range planning, programming, and budgeting of resources; development of policy and procedures; and operational functions of the organization.
(b) Signal security investigation reports of incidents of a sufficiently serious nature to be classified as felonies.
(2) All accumulated program records.
c. Other information. All other information needed to perform the mission and functions of this program that does not need to be transferred to a records management facility for long-term storage may be retained for as long as the creating office needs it but not longer than 6 years and then be destroyed. Certain information may need to be retained until a specific event occurs (for example, the expiration of a contract). This may take longer than 6 years to happen, but the information should be kept in the creating office area for the duration of that time period. After the event occurs, retain the record until no longer needed for current operations but not more than 6 years after the event, and then destroy it.

C2. Simplified procedures
Both action officers and file custodians should review paragraph C6 of this appendix. The key to the Army recordkeeping system is to determine which files ultimately should be transferred and retired. The folder labels on files to be transferred should be annotated with a T.
a. File labeling. Use appropriate plain language file folder titles. Users may review the list at paragraph C6 as a reference for common record categories; however, they are not limited to these categories.
b. File maintenance. Files are maintained until they are no longer needed, at which time they are either transferred to the records management facility or destroyed. The servicing records management facility receives the transferred records and applies the appropriate disposition.

C3. Electronic records
a. Electronic record-keeping is a continuing challenge in the Department of Defense and the Federal sector. Until proper electronic record-keeping standards are adopted, official records may continue to be printed out on paper or microforms whenever possible. Departmental policy and procedures have not kept pace with the proliferation of computers, electronic mail, networking, and the Internet. Some of the problems and risks presented by electronic records are diverse data formats, rapid technological obsolescence, and long-term media integrity.
b. Electronic files are maintained until they are no longer needed, at which time they are either transferred to the records management facility or destroyed. The servicing records management facility receives the transferred records and applies the appropriate disposition.
c. The absence of effective guidance and procedures to implement electronic record-keeping places an added responsibility on both decisionmakers and action officers to preserve their important electronic records. For the purpose of record-keeping, important records are defined as those long-term and permanent records that are ultimately transferred from the office of record to a records management facility.

C4. Disposition action codes (user level)
The Army records management system contains numerous disposition instructions. To streamline the process, only two instructions (K and T) will be applied at the user level. File folders should be marked with one of these instructions.
a. K: Keep in current files area until no longer needed for conducting business but not longer than 6 years and then destroy. This instruction will normally apply to the majority of records.
b. T: Keep until no longer needed for conducting business but not longer than 6 years, and then transfer to a records management facility. This instruction will apply to the long-term and permanent records described in paragraph C1b of this appendix.



C5. File arrangement
File folders and subfolders may be arranged alphabetically by subject or program or by any other method that facilitates their use. The following example illustrates simplified label preparation.

Figure C1. Simplified label preparation

C6. General file categories
The following list contains the general file categories concerning the policies and mandated operating tasks, responsibilities, and procedures for COMSEC and SIGSEC operations functions of the Army. They document actions performed in accordance with the Army's COMSEC and SIGSEC programs. Custodians will only create those files that are necessary for their account. Empty files will NOT be created simply because the file category is shown here.

Table C1 File categories, action codes, and descriptions

FILE CATEGORY: SF 701 ACTIVITY SECURITY CHECKLIST
ACTION: K
DESCRIPTION: Office security, such as documents ensuring security and any covering the security classification system.

FILE CATEGORY: SIGNAL SECURITY APPROVALS
ACTION: K
DESCRIPTION: These files accumulate in the requesting and approving offices. Requests for approval to establish, alter, expand, or relocate a facility, exceptions to provisions of regulations, and approval of protected distribution systems. Included are questionnaires, reports of approval, and related information. Event: issue or receipt of related superseding approval or after closing of account or facility.

FILE CATEGORY: SIGSEC MANAGEMENT FILES
ACTION: T



DESCRIPTION: Information that is not of a routine nature or specifically covered elsewhere in this record series. These files include management information on signal security (SIGSEC) such as long-range planning, programming, and budgeting of resources; development of policy and procedures; and operational functions of the organization.

FILE CATEGORY: COMSEC SUPPLY CORRESPONDENCE
ACTION: K
DESCRIPTION: Information on the routine supply of communication security (COMSEC) material, such as requests for status of shipment of COMSEC aids, reduction and increase in copy count, cancellation and disposition of COMSEC aids.

FILE CATEGORY: ITEM REGISTERS
ACTION: K
DESCRIPTION: Cards kept to account for all COMSEC material and to show its receipt, movement, and final disposition. Event: all items on each card have been disposed of as evidenced by destruction or transfer reports.

FILE CATEGORY: RESTRICTED AREA VISITOR REGISTERS
ACTION: K
DESCRIPTION: Registers used for recording pertinent information on persons entering the crypto facility. Sheets of a register involved in a security report or an investigation will become an integral part of the report or investigation. These sheets will have the same disposition as the report or investigation. These records are protected by the Privacy Act; the system notice number is A038019SAIS.

FILE CATEGORY: SIGNAL SECURITY INVESTIGATION REPORTS (FELONIES)
ACTION: T
DESCRIPTION: These records accumulate at CSLA. Reports of investigation of a sufficiently serious nature to be classified as felonies concerning the loss or subjection to compromise of COMSEC information, transmission, physical material, and other signal security violations.

FILE CATEGORY: SIGNAL SECURITY INVESTIGATION REPORTS (OTHER)
ACTION: K
DESCRIPTION: These records accumulate at CSLA and other offices. Reports of investigation concerning the loss or subjection to compromise of COMSEC information, transmission, physical material, and other signal security violations.

FILE CATEGORY: ENCRYPTED MESSAGE TEXT
ACTION: K
DESCRIPTION: Cipher copies of incoming and outgoing messages and message tapes. Event: a minimum retention of 5 days and before a maximum retention of 60 days, except messages involved in an investigation will be kept until the investigation is completed.

FILE CATEGORY: ALLOCATIONS (ALLOCATION CARDS)
ACTION: K
DESCRIPTION: Information showing allocation of COMSEC material held for distribution. Event: final distribution of all material to which the form relates.

FILE CATEGORY: ALLOCATIONS (ADP PRINTOUTS)
ACTION: K
DESCRIPTION: Information showing allocation of COMSEC material held for distribution. Event: verification of allocation record.

FILE CATEGORY: HOLDER RECORDS
ACTION: K
DESCRIPTION: COMSEC material accounts record that serves as a unit record showing all items of COMSEC material held by each organization. Event: receipt of superseding signed destruction or transfer report.

FILE CATEGORY: COMSEC MATERIAL DISTRIBUTION REPORTS
ACTION: K
DESCRIPTION: Information submitted to Army COMSEC Central Office of Record to report allocation, assets, and holder information for specified items of COMSEC material (equipment and associated material).

FILE CATEGORY: SYSTEM STATUS FILES (INFORMATION ON COMSEC MATERIAL OTHER THAN AIDS)
ACTION: K
DESCRIPTION: Information kept by the COMSEC National Inventory Control Point (NICP) on the procurement and issuance of each item of COMSEC material that includes data such as production status, stocks, demand data, quantity issued, and effective date of material. Event: obsolescence of the related system.

FILE CATEGORY: SYSTEM STATUS FILES (INFORMATION RELATED TO COMSEC AIDS)
ACTION: K



DESCRIPTION: Information kept by the COMSEC National Inventory Control Point (NICP) on the procurement and issuance of each item of COMSEC material that includes data such as production status, stocks, demand data, quantity issued, and effective date of material. Event: material involved is superseded or removed from the system or after 2 years, whichever is first.

FILE CATEGORY: TRANSACTIONS
ACTION: K
DESCRIPTION: Automated records, reports and other media produced by wholesale managers, reflecting COMSEC accounting transactions. This includes receipt, issue, transfer, destruction, or adjustments (plus or minus) of COMSEC material.

FILE CATEGORY: CRYPTONET MANAGEMENT FILES
ACTION: K
DESCRIPTION: Information relating to the establishment, operation, and overall management of a cryptonet. Included are lists of holders of keying material, routine and emergency key distribution plans, changes to cryptonet and key, cryptonet evaluation reports, and other information required to manage a cryptonet. Event: superseded, obsolete, or cryptonet is terminated.

FILE CATEGORY: DAILY INVENTORIES
ACTION: K
DESCRIPTION: Reports of daily inventories verifying the continued protection and control of COMSEC material and made once each workday or between shifts. Event: receipt of the certificate of verification for the last inventory reported to the office of record.

FILE CATEGORY: ACCOUNTING REPORTS
ACTION: K
DESCRIPTION: This information accumulates in ACCOR offices. Information showing COMSEC accounting and distribution transactions and relief from accountability of COMSEC material. Included are reports of transfer, possession, inventory, and destruction; document vouchers; certificates of verification; custodian appointments; signature cards (DA Form 2012); letters, messages, and other correspondence on routine COMSEC accounting and distribution; and hand receipts. The material contained in this file is generated primarily at the COMSEC account and user level. Information in this file is protected by the Privacy Act, systems notice number: A0001DAMI.

FILE CATEGORY: ACCOUNTING REPORTS (CUSTODIAN APPOINTMENTS AND SIGNATURE CARDS)
ACTION: K
DESCRIPTION: This information accumulates in other offices. Information showing COMSEC accounting and distribution transactions and relief from accountability of COMSEC material. Included are reports of transfer, possession, inventory, and destruction; document vouchers; certificates of verification; custodian appointments; signature cards (DA Form 2012); letters, messages, and other correspondence on routine COMSEC accounting and distribution; and hand receipts. The material contained in this file is generated primarily at the COMSEC account and user level. Information in this file is protected by the Privacy Act, systems notice number: A0001DAMI. Event: supersession or obsolescence.

FILE CATEGORY: ACCOUNTING REPORTS (OTHER ACCOUNTING REPORT FILES)
ACTION: K
DESCRIPTION: This information accumulates in other offices. Information showing COMSEC accounting and distribution transactions and relief from accountability of COMSEC material. Included are reports of transfer, possession, inventory, and destruction; document vouchers; certificates of verification; custodian appointments; signature cards (DA Form 2012); letters, messages, and other correspondence on routine COMSEC accounting and distribution; and hand receipts. The material contained in this file is generated primarily at the COMSEC account and user level. Information in this file is protected by the Privacy Act, systems notice number: A0001DAMI. Event: last transaction date, or following official clearance of the account resulting from a USACCSLA audit.

FILE CATEGORY: ACCOUNTING REPORTS (INDIVIDUAL HAND RECEIPTS)
ACTION: K
DESCRIPTION: This information accumulates in ACCOR offices. Information showing COMSEC accounting and distribution transactions and relief from accountability of COMSEC material. Included are reports of transfer, possession, inventory, and destruction; document vouchers; certificates of verification; custodian appointments; signature cards (DA Form 2012); letters, messages, and other correspondence on routine COMSEC accounting and distribution; and hand receipts. The material contained in this file is generated primarily at the COMSEC account and user level. Information in this file is protected by the Privacy Act, systems notice number: A0001DAMI. Event: turn-in of accountable material or upon supersession.

FILE CATEGORY: SIGNAL SECURITY INSPECTIONS
ACTION: K
DESCRIPTION: These records accumulate in the inspecting and inspected offices. Inspection reports and related correspondence, such as crypto facility inspection, control of compromising emanations (TEMPEST) tests and inspections, periodic command inspections, and COMSEC account audits. Event: after issue or receipt of related superseding inspection report or after closing of account or facility.

FILE CATEGORY: SIGNAL SECURITY REPORTS
ACTION: K



DESCRIPTION: Reports (including messages and related correspondence) regarding electronic security, crypto security and transmission security analysis, violations, and summary reports; reports of physical, cryptographic, and personnel insecurities and compromise notifications not specifically covered in other parts of the 380 series; and related information. Note: Reports that are the subject of a formal investigation will be filed with the investigation reporting files.

Appendix D Physical Security Standards


D1. General
This appendix provides the general construction standards and special controls unique to fixed COMSEC facilities other than GSA-approved security containers. Work areas not considered COMSEC facilities that contain COMSEC equipment (for example, STU-III, KG-84s, data transfer devices, and so forth) must be protected in a manner that affords protection at least equal to what is normally provided to other high value/sensitive material, and ensures that access and accounting integrity is maintained.

D2. Vaults
Vaults used as storage facilities for COMSEC keying material must be constructed in accordance with the following standards:

a. Reinforced concrete construction. Walls, floors and ceilings will be a minimum thickness of 8 inches of reinforced concrete. The concrete mixture will have a compressive strength rating of at least 2,500 psi. Reinforcing will be accomplished with steel reinforcing rods, a minimum of 5/8 inch in diameter, positioned centralized in the concrete pour and spaced horizontally and vertically 6 inches on center; rods will be tied or welded at the intersections. The reinforcing is to be anchored into the ceiling and floor to a minimum depth of one-half the thickness of the adjoining member.

b. Steel-lined construction. Where unique structural circumstances do not permit construction of a concrete vault, construction will be of steel alloy-type of 1/4 inch thickness, having characteristics of high yield and tensile strength. The metal plates are to be continuously welded to load-bearing steel members of a thickness equal to that of the plates. If the load-bearing steel members are being placed in a continuous floor and ceiling of reinforced concrete, they must be firmly affixed to a depth of one-half the thickness of the floor and ceiling. If the floor and/or ceiling construction is less than 6 inches of reinforced concrete, a steel liner is to be constructed the same as the walls to form the floor and ceiling of the vault. Seams where the steel plates meet horizontally and vertically are to be continuously welded together.

c. Vault door. All vaults will be equipped with a GSA-approved Class 5 or Class 8 vault door. Within the U.S., a Class 6 vault door is acceptable. Normally within the U.S. a vault will have only one door that serves as both entrance and exit from the facility in order to reduce costs.

D3. Secure rooms
All secure rooms used for COMSEC facilities must be constructed of material that will deter and detect covert penetration. Facilities must be constructed so that classified information cannot be overheard through walls, doors, windows, ceilings, air vents, and ducts when secure areas border on unsecure areas. The following requirements are not applicable to continuously attended bulk encryption facilities. Alternate construction standards may be approved when supplemental security systems (for example, intrusion alarms, armed guards, video cameras, and so forth) are used. Requests for approval of alternate construction standards will be forwarded through command channels to HQDA (DAMICHS), with a copy furnished to USACSLA (SELCLKPAU).

a. Walls, floors, and ceilings. Outer walls, floors, and ceilings of the building must be permanently constructed and attached to each other. All construction must be done in such a manner as to provide visual evidence of unauthorized penetration. All openings will provide sufficient sound attenuation to preclude inadvertent disclosure of conversations. Appendix E to DCID 1/21 will be referred to as the national standard for acoustical control and sound masking techniques.

b. Main entrance door. Only one door should be used for regular entrance to the facility. The door must be strong enough to resist forceful entry. In order of preference, examples of acceptable doors are GSA-approved vault doors; standard 1 3/4 inch, internally reinforced, hollow metal industrial doors; and metal-clad or solid hardwood doors at least 1 3/4-inch thick. The door frame must be securely attached to the facility and fitted with a heavy-duty/high-security strike plate and hinges installed with screws long enough to resist removal by prying. The door must be installed to resist the removal of the hinge pins by locating the hinge pins inside the facility or by set screwing/welding the pins in place.

c. Other doors. Other doors may exist for emergency exit and for moving bulky items. These doors must meet the construction criteria of the main entrance door and must be designed so that they can be opened only from inside the facility. Approved panic hardware, intrusion detection, and locking devices (lock bars, dead bolts, knobs, or handles) may be placed only on the interior surfaces of other doors to the facility. Emergency escape mechanisms that bypass the built-in combination lock should be double-latched. All doors must remain closed during facility operations and must be opened only for passage of authorized personnel or material.

d. Door locks. The main entrance door to facilities that are not continuously attended must be equipped with a GSA-approved electro-mechanical lock meeting Federal Specification FFL2740. A built-in lock is not required for facilities continuously attended; however, the door must be able to accommodate the above lock, and a dead bolt, should it ever become necessary to lock the facility from the outside. An electronically actuated lock (for example, cipher lock or keyless push button lock) may be used on the entrance door to facilitate the admittance of authorized personnel when the facility is attended. However, these locks do not afford the required degree of protection and may not be used to secure the facility when it is not attended. Facility occupants must maintain positive control of the entrance at all times while attended regardless of the locking mechanism.

e. Windows. COMSEC facilities should not contain windows. Where windows exist that might reasonably afford visual surveillance of personnel, documents, materials, or activities within the facility, the window will be made opaque or equipped with blinds, drapes, or other coverings to preclude such visual surveillance. Windows that are less than 18 feet above the ground (measured from the bottom of the window) or are easily accessible by means of objects directly beneath the window will be constructed from or covered with materials that will provide protection from forced entry. Facilities located within fenced and guarded U.S. Government compounds or equivalent may eliminate this requirement if the windows are made inoperable by either permanently sealing them or equipping them on the inside with a locking mechanism.

f. Other openings. Air vents, ducts, or any similar openings that breach the walls, floor, or ceiling of the facility must be appropriately secured to prevent penetration. Openings less than 96 square inches must have approved baffles installed to prevent an audio or acoustical hazard. If the opening exceeds 96 square inches, acoustical baffles must be supplemented by either hardened steel bars or an approved intrusion detection system.

Appendix E Risk Management Values


The following risk values (table E1) will be used in determining which accounts to audit or inspect in a given period. The higher the composite number assigned to an account, the more likely that account is to be inspected or audited.

Table E1 Risk management value

Description: Value

TYPE OF ACCOUNT
  AKMS: 0
  Non-AKMS, ACCLAIMS: 5
  Non-AKMS, Non-ACCLAIMS: 10

LOCATION
  CONUS: 0
  Germany: 10
  Korea: 15
  South West Asia: 15
  South America: 10

SIZE OF ACCOUNT (Line items)
  10 or fewer: 0
  11-50: 5
  51-100: 10
  101 or more: 15

TIME SINCE LAST AUDIT
  Less than 2 years: 0
  2-4 years: 5
  More than 4 years: 15

TIME SINCE LAST COMMAND INSPECTION
  Less than 2 years: 0
  2-4 years: 5
  More than 4 years: 10
  None on file: 15

RESULTS OF LAST COMMAND INSPECTION/CSLA AUDIT
  Satisfactory: 0
  Unsatisfactory: 15

NUMBER OF COMSEC INCIDENTS WITH A FINDING OF COMPROMISE OR COMPROMISE CANNOT BE RULED OUT
  None: 0
  One: 5
  Two or more: 15

CHANGE OF CUSTODIAN SINCE LAST AUDIT
  None: 0
  One: 5
  Two: 10
  Three or more: 15

Appendix F Cryptographic Access Briefing


F1. Indoctrination briefing
The following briefing must be used verbatim to indoctrinate individuals for cryptographic access.

a. You have been selected to perform duties that will require access to classified cryptographic information. It is essential that you be made aware of certain facts relevant to the protection of this information before access is granted. You must know the reason why special safeguards are required to protect classified cryptographic information. You must understand the directives that require these safeguards and the penalties you will incur for the unauthorized disclosure, unauthorized retention, or negligent handling of classified cryptographic information. Failure to properly safeguard this information could cause serious or exceptionally grave damage or irreparable injury to the national security of the United States or could be used to advantage by a foreign nation.

b. Classified cryptographic information is especially sensitive because it is used to protect other classified information. Any particular piece of cryptographic key and any specific cryptographic technique may be used to protect a large quantity of classified information during transmission. If the integrity of a cryptographic system is breached at any point, all information protected by the system may be compromised. The safeguards placed on classified cryptographic information are a necessary component of U.S. Government programs to ensure that our Nation's vital secrets are not compromised.

c. Because access to classified cryptographic information is granted on a strict need-to-know basis, you will be given access to only that cryptographic information necessary in the performance of your duties. You are required to become familiar with AR 38040 as well as those publications referenced therein.

d. Especially important to the protection of classified cryptographic information is the timely reporting of any known or suspected compromise of this information. If a cryptographic system is compromised, but the compromise is not reported, the continued use of the system can result in the loss of all information protected by it. If the compromise is reported, steps can be taken to lessen an adversary's advantage gained through the compromise of the information.

e. As a condition of access to classified cryptographic information, you must acknowledge that you may be subject to a counterintelligence scope polygraph examination. This examination will be administered in accordance with DOD 5210.48R and applicable law. The relevant questions in this polygraph examination will only encompass questions concerning espionage and sabotage or questions relating to unauthorized disclosure of classified information or unreported foreign contacts. If you do not, at this time, wish to sign such an acknowledgment as a part of executing a cryptographic access certification and termination memorandum, this briefing will be terminated at this point, and the briefing administrator will so annotate the memorandum. Such refusal will not be cause for adverse action but will result in your being denied access to classified cryptographic information.

f. You should know that intelligence services of some foreign governments prize the acquisition of classified cryptographic information. You must understand that any personal or financial relationship with a foreign government's representative could make you vulnerable to attempts at coercion to divulge classified cryptographic information. You should be alert to recognize those attempts so that you may successfully counter them. The best personal policy is to avoid discussions that reveal your knowledge of or access to, classified cryptographic information and thus avoid highlighting yourself to those who would seek the information you possess. Any attempt, either through friendship or coercion, to solicit your knowledge regarding classified cryptographic information must be reported immediately to (insert the name and phone number of the supporting counterintelligence unit).

g. In view of the risks noted above, if unofficial foreign travel becomes necessary, it is essential that you notify (insert appropriate security office) and receive the appropriate travel briefing.

h. Finally, you must know that should you willfully or negligently disclose to any unauthorized persons any of the classified cryptographic information to which you will have access, you may be subject to administrative and civil sanctions, including adverse personnel actions, as well as criminal sanctions under the Uniform Code of Military Justice (UCMJ) and/or the criminal laws of the United States, as appropriate.

F2. Cryptographic access certification and termination memorandum
Section I of this memorandum must be executed before an individual may be granted access to U.S. classified cryptographic information. Section II will be executed when the individual no longer requires such access. Until cryptographic access is terminated and Section II is completed, the cryptographic access granting official will maintain the certificate in a legal file system that will permit expeditious retrieval. Further retention of the certificate will be as specified in appendix C.


Figure F1. Authorization for access to classified cryptographic information


Figure F2. Simplified label preparation

Figure F3. Simplified label preparation



Appendix G Management Control Evaluation Checklist
G1. Function
The function covered by this checklist is safeguarding and controlling communications security (COMSEC) material.

G2. Purpose
The purpose of this checklist is to assist commanders of units with COMSEC accounts in evaluating their key management controls. It is not intended to cover all controls.

G3. Instructions
Answers must be based on the actual testing of key management controls such as document analysis, direct observation, interviewing, sampling, and simulation. Answers that indicate deficiencies must be explained and corrective action indicated in supporting documentation. These management controls must be evaluated at least once every 5 years. Certification that this evaluation has been conducted must be accomplished on DA Form 112R (Management Control Evaluation Certification Statement). A copy of DA Form 112R is located at the back of this regulation.

G4. Test questions
a. Are key management controls identified in the governing Army Regulation? (HQDA functional proponent only)
b. Is a custodian appointed for each unit having a COMSEC account as required by AR 38040?
c. Is the COMSEC custodian a graduate of the Standardized COMSEC Custodian Course?
d. Are required publications, as shown in appendix A, AR 38040, available to COMSEC personnel? They do NOT have to be maintained in the COMSEC Account.
e. Is COMSEC material being accounted for in compliance with procedures in AR 38040 and TB 38041?
f. Is two-person integrity (TPI) utilized for TOP SECRET key operations in accordance with AR 38040?
g. Are exceptions to TPI approved by the MACOM commander?
h. Do the COMSEC custodian's other duties permit sufficient time to adequately discharge COMSEC custodial duties?
i. Is the Controlling Authority performing those functions required by AR 38040 and TB 38041?
j. Is the COMSEC custodian complying with Army COMSEC incident reporting procedures?
k. Does the unit have COMSEC basic emergency plans that address procedures to be used during natural disasters and hostile actions?
l. Are emergency plans rehearsed and the rehearsals documented, as required by AR 38040?
m. Are unit COMSEC emergency plans compatible with higher Command, Installation, or activity plans?
n. Is there a COMSEC facility approval (CFA) on file in the parent account for each sub-account as required by AR 38040?
o. Have discrepancies noted in the most recent COMSEC audit/inspection or Command COMSEC Inspection been corrected?
p. Are records created and managed in accordance with appendix C?

G5. Supersession
This checklist replaces the Internal Control Review Checklist (AR 38040) previously published in AR 38040, 1 September 1994.

G6. Comments
Help make this a better tool for evaluating management controls. Submit comments to Deputy Chief of Staff for Intelligence, ATTN: DAMICHS, 1000 Army Pentagon, Washington, DC 203101000.



Glossary
Section I
Abbreviations

ACCLAIMS
Army COMSEC Commodity Logistics Accounting and Information Management System

ACCOR
Army COMSEC Central Office of Record

AKMS
Army Key Management System

ALC
account legend code

AMC
Army Materiel Command

AMS
auto-manual cryptosystem

ARNG
Army National Guard

BEP
basic emergency plan

C3
command, control, and communications

CCF
central clearance facility

CCI
controlled cryptographic item

CCISP
CCI Serialization Program

CECOM
Communications-Electronics Command

CEOI
Communications-electronics operating instruction

CFA
COMSEC facility approval

CFAR
COMSEC facility approval request

CI
counterintelligence

CIK
cryptographic ignition key

CJCSI
Chairman, Joint Chiefs of Staff instruction


CLSF
COMSEC Logistics Support Facility

CMCS
COMSEC Material Control System

CMO
COMSEC Management Offices

COMINT
communications intelligence

CONAUTH
control authority

CONUS
continental United States

CRYPTO
cryptographic

CSA
COMSEC Servicing Account

CSLA
CECOM COMSEC Logistics Activity

CSP
counterintelligence screening polygraph

CSS
Constant Surveillance Service

DA
Department of the Army

DA Pam
Department of the Army pamphlet

DACAP
Department of the Army Cryptographic Access Program

DCS
Defense Courier Service

DCSINT
Deputy Chief of Staff for Intelligence

DES
digital encryption standard

DIRNSA
Director, National Security Agency

DOD
Department of Defense

DODD
Department of Defense directive


DTD
data transfer device

FIS
foreign intelligence service

FOA
field operating agency

FOIA
Freedom of Information Act

FOUO
For Official Use Only

GS
General Schedule

HRH
hand-receipt holder

HUMINT
human intelligence

ICP
Intertheater COMSEC Package

INSCOM
U.S. Army Intelligence and Security Command

ISS
information systems security

ISSPM
information systems security program manager

JCEOI
joint communications-electronics operating instruction

JCS
Joint Chiefs of Staff

KAG
cryptographic operational general publication

KAM
cryptographic operational maintenance manual

KAO
cryptographic operational operating manual

KDC
key distribution center

KEK
key encryption key

KGC
key generation center


KOK
cryptographic multipurpose keying permuting equipment

LAA
local area authorization

LCMS
Local COMSEC Management Software

LOGSA
USAMC Logistics Support Activity

LPI
low probability-of-intercept

MACOM
major Army command

MCN
management control number

MILSTD
military standard

MSC
major subordinate command

NACSI
national COMSEC instructions

NAG
non-cryptographic operational general publication

NICP
National Inventory Control Point

NSA
National Security Agency

NSTISSI
National Security Telecommunications and Information Systems Security instructions

NTISSP
national telecommunications and information systems security policy

OCONUS
outside continental United States

ODCSINT
Office of the Deputy Chief of Staff for Intelligence

OSD
Office of the Secretary of Defense

OTAR
over-the-air-rekeying

PBO
property book officer


PDS protected distribution systems POC point of contact PSS protective security services RCS requirement control symbol RESDAT restricted data ROTC Reserve Officers Training Corps SAIR semiannual inventory report SCCC Standardized COMSEC Custodian Course SDNS Secure Data Network System SOI signal operating instructions TB technical bulletin TPI two-person integrity TRADOC U.S. Army Training and Doctrine Command TSCM technical surveillance countermeasures UCMJ Uniform Code of Military Justice USACSLA U.S. Army Communications-Electronics Command, Communications Security Logistics Activity USAMC U.S. Army Materiel Command USAR U.S. Army Reserve Section II Terms Administrative incident Administrative incidents are infractions of established COMSEC policies and procedures that are not as serious as those cited as reportable COMSEC incidents in this regulation, but are considered actions that jeopardize the integrity

48

AR 38040 30 June 2000

FOR OFFICIAL USE ONLY

FOR OFFICIAL USE ONLY


of COMSEC material. Administrative incidents are insecure practices dangerous to security, and violations of procedures that require corrective action to ensure the violation does not recur. Compatible key Keying material, of a specific short title, that can be obtained in both physical form (to be used in the traditional system) and electronic form (to be used with the AKMS) to enable the hard-copy key holders to communicate with the electronic key holders. COMSEC account Administrative entity, identified by an account number, used to maintain accountability, custody and control of COMSEC material. Army COMSEC accounts are established when the ACCOR, after receiving notification of COMSEC facility approval from CSLA, issues a COMSEC account number. COMSEC compromise Occurs when the COMSEC material is irretrievably lost or when available information clearly proves that the material was made available to an unauthorized person. COMSEC equipment Equipment designated to provide security to telecommunications by converting information to a form unintelligible to an unauthorized interceptor and, subsequently, by reconverting such information to its original form for authorized recipients; also, equipment designed specifically to aid in or be an essential element of, the conversion process. Note: COMSEC equipment includes crypto equipment, crypto-ancillary equipment, crypto production equipment, and authentication equipment. Much of todays COMSEC equipment is designated CCI. COMSEC facility A COMSEC facility is a space employed primarily for the purpose of generating, storing, repairing, or using COMSEC material. COMSEC incident Occurrence that potentially jeopardizes the security of COMSEC material or the secure electrical transmission of national security information. COMSEC insecurity COMSEC incident that has been investigated, evaluated, and determined to jeopardize the security of COMSEC material or the secure transmission of information. 
COMSEC material
Item designated to secure or authenticate telecommunications. Note: COMSEC material includes, but is not limited to, key, equipment, devices, documents, firmware or software that embodies or describes cryptographic logic and other items that perform COMSEC functions.

COMSEC sub-account
A COMSEC account that is subordinate to, and established by the commander of, a parent account. A COMSEC subaccount receives its account number from the custodian of the primary account, rather than from the ACCOR. Subaccounts report to their primary account. They DO NOT report to the ACCOR.

Cryptosystem
Associated COMSEC items interacting to provide a single means of encryption or decryption.

Electronically generated key
Key produced only in non-physical form. Note: Electronically generated key stored magnetically (for example, on a floppy disc) is not considered hard copy key.

Embedded cryptography
Cryptography that is engineered into an equipment or system the basic function of which is not cryptographic.

Key
Information (usually a sequence of random or pseudo random binary digits) used initially to set up and periodically change the operations performed in a crypto equipment for the purpose of encrypting or decrypting electronic signals, for determining electronic counter-countermeasures patterns (for example, frequency hopping or spread spectrum) or for producing other key.

Need-to-know
Access to, or knowledge or possession of, specific information required to carry out official duties.

Open storage
Storage of classified information within an approved COMSEC facility (for example, a secure room) but not locked in a GSA approved security container, during periods of time when the facility is unoccupied by authorized personnel.

Physical key
Also known as hard-copy key. Keying material such as printed key lists; punched or printed key tapes; or programmable, read-only memories. Note: Electronically generated key stored magnetically (for example, on a floppy disc) is not considered physical key.

Premature exposure of key
The removal of key from its protective packaging prior to the effective date of the key. Note: Key that has been removed from its protective packaging in order to be loaded into a data transfer device (DTD) is NOT considered to be prematurely exposed.

Primary account
Also known as a Parent account. A COMSEC account is a primary account if it received its approval from CSLA and its account number was issued by the ACCOR. Primary accounts report directly to the ACCOR.

Protected Distribution System (PDS)
Wire-line or fiber optic telecommunications system that includes terminals and adequate acoustic, electrical, electromagnetic, and physical safeguards to permit its use for the unencrypted transmission of classified information.

Sensitive compartmented information facility (SCIF)
An area, room, group of rooms, or installation that has been accredited by authority of the references for storage, discussion and/or processing of sensitive compartmented information.

Superseded key
A key that has been replaced with a different edition or segment. The scheduled supersession of key is based on its crypto period. The unscheduled supersession of key is directed by the CONAUTH.
So-called used key (for example, key tape segments that have been loaded into a data transfer device) is NOT superseded simply because it has been loaded into an electronic fill device. It remains current operational (or in some cases, future) until it reaches the end of its crypto period.

User representative
Person authorized by an organization to order COMSEC keying material and to interface with the keying system to provide information to key users, ensuring that the correct type of key is ordered.

Zeroize
To remove or eliminate the key from a crypto-equipment or fill device.

Section III
Special Abbreviations and Terms

This publication uses the following terms not contained in AR 31050. These include use for safeguarding and controlling COMSEC material.

Cryptographic key
Cryptographic key is referred to as key. The CRYPTO designation will be assumed unless otherwise stated.

Cryptographic equipment
Cryptographic equipment is referred to as COMSEC equipment. This includes CCI.

Classified cryptographic information
Classified cryptographic information, as used in the DA Cryptographic Access program, is specified as:
1. Key and authenticators that are classified TOP SECRET and are designated CRYPTO.
2. Cryptographic media that embody, describe, or implement a classified cryptographic logic to include, but not be limited to, full maintenance manuals, cryptographic descriptions, drawings of cryptographic logic, specifications describing a cryptographic logic, and cryptographic computer software.

Access
Access means the capability and opportunity to obtain detailed knowledge through uncontrolled physical possession. External viewing of or being in the controlled proximity to classified cryptographic information does not constitute access.

Counterintelligence scope polygraph (CSP)
Counterintelligence scope polygraph (CSP) is a non-lifestyle polygraph examination. Its purpose is to deter and detect espionage and sabotage. It is limited to counterintelligence (CI) areas of interest and includes questions pertaining to:
1. Involvement in espionage against the United States.
2. Involvement in sabotage against the United States.
3. Unauthorized foreign contacts.
4. Unauthorized disclosure of classified information.



PIN 004087000
