COMSEC Account Management - Equipment and Key Storage

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-30837	CS-01.01.01	SV-40855r2_rule	ECCM-1 PESS-1	High

Description
Improper handling and storage of COMSEC material can result in the loss or compromise of classified cryptologic devices or classified key or unclassified COMSEC Controlled Items (CCI).

STIG	Date
Traditional Security	2013-07-11

Details

Check Text ( C-39551r4_chk )
Ask the COMSEC Custodian, COMSEC Responsible Officer (CRO), Security Manager or IAM how COMSEC equipment and materials are transported, handled and stored. Physically check that crypto equipment, keys, and keyed crypto are handled and stored properly. Reviewers must annotate all types of crypto devices observed in the finding details or comments, (e.g. TACLANE, KIV 7, etc.)

Fix Text (F-34702r4_fix)
COMSEC material must be stored in a GSA approved container such as safe, vault, or secure room IAW (NSA/CSS Policy Manual 3-16, Section XI, paragraph 89) Specific standards are: 1. Keyed crypto equipment must be housed within a proper GSA safe, vault or secure room. 2. If crypto equipment is not housed within a proper GSA safe, vault or secure room the Crypto Encryption Key must be removed and stored in a GSA approved safe or in a separate room from the crypto equipment when the equipment is not under the continuous observation and control of a properly cleared person. 3. Information Processing System (IPS) containers (safes) may be used to securely store and operate keyed equipment. 4. If unclassified crypto equipment is not operated in a safe, vault or secure room it must minimally be maintained within an approved Secret or higher Controlled Access Area (CAA) and further secured in a locked room (equipment closet) or equipment rack suitable for control of sensitive equipment to ensure only system administrator and COMSEC personnel have access to the equipment. 5. NOTES: This requirement applies to a tactical environment. Unless under continuous observation and control, Crypto Equipment Key must be removed and maintained separately from the encryption device - unless it is operated in a proper safe, vault or secure room. Ensure that any COMSEC account, materials or equipment being inspected is used for encryption of DISN assets. COMSEC items not used with DISN assets should not be inspected. Specifically, only those COMSEC items associated with the CCSDs being inspected are to be included in this check.

Fix Text (F-34702r4_fix)

COMSEC material must be stored in a GSA approved container such as safe, vault, or secure room IAW (NSA/CSS Policy Manual 3-16, Section XI, paragraph 89) Specific standards are: 1. Keyed crypto equipment must be housed within a proper GSA safe, vault or secure room. 2. If crypto equipment is not housed within a proper GSA safe, vault or secure room the Crypto Encryption Key must be removed and stored in a GSA approved safe or in a separate room from the crypto equipment when the equipment is not under the continuous observation and control of a properly cleared person. 3. Information Processing System (IPS) containers (safes) may be used to securely store and operate keyed equipment. 4. If unclassified crypto equipment is not operated in a safe, vault or secure room it must minimally be maintained within an approved Secret or higher Controlled Access Area (CAA) and further secured in a locked room (equipment closet) or equipment rack suitable for control of sensitive equipment to ensure only system administrator and COMSEC personnel have access to the equipment. 5. NOTES: This requirement applies to a tactical environment. Unless under continuous observation and control, Crypto Equipment Key must be removed and maintained separately from the encryption device - unless it is operated in a proper safe, vault or secure room. Ensure that any COMSEC account, materials or equipment being inspected is used for encryption of DISN assets. COMSEC items not used with DISN assets should not be inspected. Specifically, only those COMSEC items associated with the CCSDs being inspected are to be included in this check.