COMSEC

1
COMSEC
Security Solutions Group

• Awareness Training

2
Why Are You Here?

• You are here because your current position has
  a bearing on the safeguarding of Communications
  Security (COMSEC) Equipment, Systems, or
  Materials.

3
Elements of COMSEC
4
Transmission Security

• Transmission Security or TRANSEC is the part of
  COMSEC that includes all measures taken to
  protect information from interception and
  exploitation while being electronically
  transmitted.

5
Types of Transmissions
Radio The most widely used form of electronic
transmission. No matter the type of end
equipment in use, in most cases at some time
between transmittal and receipt, radio signals
are used for delivery.
Because radio signals are sent out through the
open air, they are one of least secure forms of
transmission.
6
Types of Transmissions
Telephone One of the most widely used, and
most convenient forms of communication. Not only
are telephone lines used for voice
communications, but data is also transferred over
these lines.
Telephone lines are easily tapped, making the
phone a very unsecure form of communication.
7
Types of Transmissions
Cell Phones Very popular and widely used today.
However they are even less secure than regular
phones because their transmissions can be picked
up just like radio signals.
8
Types of Transmissions
Email This has become one of the most widely
used forms of communications, and one of the
greatest risks to the security of classified and
sensitive information.
9
Types of Transmissions
Messages sent via email can be easily intercepted
or can be found stored on servers and copied.
There are some methods for protecting emails but
currently none are approved for protecting
classified data.
10
Types of Transmissions
Face to Face This is when two or more parties
meet and talk with each other.
Hand Delivery This is when data in written or
hardcopy form is hand carried from point of
transmission to point of receipt.
NOTE The security of face to face and hand
delivery transmissions is totally dependent on
the parties communicating.
11
Types of Transmissions
US Postal Courier Services This is when data
or materials are transferred through certified
mail or hand delivered by bonded couriers. In
most cases this is a very secure means of
communication, but is not useful when time
constraints exist.
12
Cryptographic Security
Cryptographic Security or Cryptosecurity is the
part of COMSEC that includes the design,
implementation, protection and use of technically
sound cryptographic systems.
13
Cryptographic Security
Cryptographic Security includes correctly
applying encryption equipment to protect voice
and data communications.
When properly applied, encryption can secure all
electronic transmission.
14
Cryptographic Security
Includes the development of Key Management Plans
and Procedures that provide instructions for the
operation and protection of the Cryptographic
devices and their key material.
15
Cryptographic Security
Includes all measures taken to ensure only
authorized personnel install, operate and perform
maintenance on cryptographic devices.
16
Physical Security

• Physical security is the part of COMSEC that
  results from
• taking all measures necessary to physically
  safeguard all
• COMSEC classified and sensitive materials and
  information.

17
Physical Security
Includes Storage Facilities
And Security Containers
18
Physical Security
Storage of Classified Materials
The storage requirement for items classified as
Secret and Confidential is preferably a Class B
vault.
When necessary, such items can be stored in a GSA
approved security container
19
Physical Security
Storage of FOUO and SBU
These items may be stored using the same methods
as classified materials.
When other methods are not available, a filing
cabinet equipped with a locking bar and GSA
changeable combination lock is the most
preferable.
However, in most cases it is acceptable to use
any lockable container or room, but you should
check with your RCO.
20
Physical Security
It includes applying methods to ensure only
authorized persons have access to classified,
sensitive and COMSEC materials and information.
These methods include but are not limited to
Badges,
Guards
And Alarm Systems
21
Physical Security
It includes the proper handling and accounting
for all classified, sensitive or COMSEC
information/materials on a continuous basis.
Inventories of these materials must be taken once
per shift, whenever the storage container is
opened, or at a minimum of once a week, when the
container remains closed.
22
Physical Security
Whenever classified, sensitive or COMSEC
materials are remove from storage, the person
removing these materials or information must
maintain constant control or surveillance over
them.
23
Physical Security
No matter how important a task may be, if it
involves classified, sensitive or COMSEC
materials or information
You may NEVER take it home or away from its
secure area to be completed.
24
Physical Security
Includes the proper disposal of classified and
sensitive materials and information no longer
needed.
Some approved methods of destruction are
25
Physical Security
The proper disposal of classified and sensitive
materials and information in electronic form is
some what different.
Two methods are
26
Physical Security
Most of you will not be performing the
destruction of the materials.
Most of you will place them in either a Burn Bag
or a Classified/Sensitive Trash Receptacle.
27
Physical Security
The destruction of COMSEC materials is even more
strict than those of other classified materials.
For this reason, there are even fewer personnel
authorized to perform this destruction.
For more information contact your RCO.
28
Emissions Security
Emissions Security is the part of COMSEC that
denies unauthorized persons the ability to derive
classified/ sensitive information from the
interception of unintentional emanations.
29
Emissions Security
All electronic equipment produces and radiates RF
signals.
30
Emissions Security
How do we control these radiated RF signals from
being intercepted by unauthorized parties?
TEMPEST Rated
1. We use TEMPEST rated equipment.
2. We use Red/Black separation.
3. We shield and filter our facilities and
sensitive areas.
31
Information Classifications

• Information is classified based on the amount of
  damage it could cause if disclosed to the wrong
  parties.

32
Information Classifications
Top Secret This classification is given to
information when its loss or compromise would
cause exceptionally grave damage to the security
of United States.
Secret This classification is given to
information when its loss or compromise would
cause serious damage to the security of the
United States.
Confidential This classification is given to
information when its loss or compromise would
cause damage to the security of the United States.
33
Information Classifications
For Official Use Only This classification is
given to information when its loss or compromise
would pose a threat to the operations or missions
of the Classifying Agency.
Sensitive But Unclassified COMSEC This
classification is given to COMSEC information
that is not classified but its loss or compromise
would pose a threat to the operations or missions
of the holding agency.
34
Disclosure of Information
Disclosure of information, quite simply is when
information passes from one party to another.
When dealing with classified, sensitive or COMSEC
information, it is the responsibility of the
party possessing the information to ensure it is
not disclosed to parties who do not have a need
for or a right to the information.
35
Authorized Disclosure
Disclosure of classified, sensitive or COMSEC
information is authorized only when the party
receiving the information has the proper
clearance or background check, can be properly
identified and has a need to know.
Need to Know does not mean, because a person
holds a high management position, he or she
automatically needs access to the information.
36
Unauthorized Disclosure
Unauthorized disclosure of classified, sensitive
or COMSEC information is when the party
receiving the information does not have the
proper clearance or in most cases a need to know.
In most cases, unauthorized disclosures are
unintentional and due to poor planning or a
failure to think by the possessing party.
37
Unaware of Surroundings
One of the leading causes of unintentional
disclosures is simply people not being aware of
what is happening around them.
Discussing classified, sensitive or COMSEC
information when you are unsure or unaware of
your surroundings can quickly lead to this
information being disclosed to the wrong people.
38
Awe Of Position
We all want to please our management, and work
very hard each day to do so.
We must remember, just because they are our
supervisors, we cant always give
them the information they request.
If a higher-up requests anything that
is classified, sensitive or COMSEC in nature, we
must make sure they meet all the requirements for
access to this information just like everyone
else.
39
Trapped by Time
When ever we feel rushed, or have a deadline
that we cant see ourselves making, we tend to
cut corners.
When we are in this type of situation and working
with classified, sensitive or COMSEC information,
the corners we cut could very likely lead to an
unintentional disclosure.
We must remember when working with classified,
sensitive or COMSEC information, the job must be
done by the book, no matter how long it takes.
40
Emotional Hazard
Emotions play a very big part in our lives, and
affect each of us on a daily basis.
When we let emotions cloud our thinking, the
classified, sensitive or COMSEC information we
are working with is at risk of an unintentional
disclosure.
Note Emotions are one of the most difficult of
all the unintentional disclosure risks to
control.
41
Security Incidents
Security Incidents are events or incidents that
may jeopardize the security of any of the COMSEC
Elements, classified or sensitive information or
materials.
42
Security Incidents
Security incidents can be broken into three
categories that are
Personnel
Physical
Cryptographic
43
Personnel Security Incidents
Personnel security incidents are events or
incidents that involve acts of espionage and
sabotage, or the willful or unwillful disclosure
of information to hostile or foreign agents by
personnel having authorized access to the
information.
44
Physical Security Incidents
Physical security incidents occur when the
control over classified, sensitive, and/or COMSEC
equipment, materials or information is lost.
45
Cryptographic Security Incidents
Cryptographic security incidents are willful or
unwillful actions or inactions that place any
element of a Cryptosystem in jeopardy of
compromise.
46
Security Incidents
Also includes
Reporting the incident
Correcting the problem
Investigating the cause
Performing preventive measures
47
Reporting the Incident
Any event or incident that jeopardizes any of the
COMSEC Elements, classified or sensitive
information or materials must be reported
immediately.
48
Reporting the Incident
We must be careful when reporting an incident,
because, on most occasions, the initial report
will be made over some type of unsecure means of
communications.
Dont Report in This Manner I left the safe open
and now I cant find the Crypto Keys!
Do Report in this Manner I have an issue, could
you come see me!
49
Correcting the Problem
The first priority is to correct the problem.
This could mean anything from
Securing an unsecure area or container
To taking the affected equipment or system out of
service
50
Incident Investigation
The RCO and CAM will perform an investigation
into the cause of the incident.
All involved persons are expected to cooperate
fully with the investigation.
51
Incident Investigation
The investigation determines the severity of the
incident.
There four levels of severity
Dangerous Practice
Compromise Improbable
Compromise Not Ruled Out
COMPROMISE
52
Preventive Measures
Preventive Measures are anything performed to
help stop a reoccurrence of the same type of
incident.
Changing Procedures
Personnel Changes
Arrest and Conviction
53
Conclusion
This concludes the COMSEC Awareness Training.
If you have any further questions with regard to
the protection of COMSEC, classified and
sensitive information and materials, contact your
Responsible COMSEC Officer.