UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

COMSEC Account Management - Program Management and Standards Compliance


Overview

Finding ID Version Rule ID IA Controls Severity
V-30928 CS-01.03.02 SV-40970r2_rule ECCM-1 Low
Description
Recipients of NSA or Service COMSEC accounts are responsible to properly maintain the accounts. Procedures covering security, transport, handling, etc. of COMSEC must be developed to supplement regulatory guidelines. NSA or sponsoring Services of the COMSEC accounts maintain oversight by conducting required inspections. If COMSEC accounts are not properly maintained and findings are noted during an inspection they must be addressed properly and promptly. Should this not be done, the integrity of COMSEC items may be adversely impacted resulting in the loss or compromise of COMSEC equipment or key material.
STIG Date
Traditional Security 2013-07-11

Details

Check Text ( C-39590r2_chk )
Ask how the COMSEC account is managed. Check for written procedures and inspection reports. NOTES: 1. Applies in a tactical environment if the crypto equipment and key material being observed is at a location where supporting staff (IAM, SM, COMSEC Custodian) would logically be located. If it is a mobile tactical organization, responsibility for program management might simply be the identification of an individual responsible for keeping track of and maintaining COMSEC materials, but supporting documentation may not be immediately available and should not be written as a finding; however, observations and comments may still be entered into VMS. 2. Note in the report the COMSEC Account type e.g. NSA, Navy, Army, etc. 3. Note in the report the last COMSEC Inspection Date based on observed documentation.(Summarize the overall results and if the site is taking action to address/correct findings) 4. Ensure that any COMSEC account, materials or equipment being inspected is used for encryption of DISN assets. COMSEC accounts or items not used with DISN assets should not be inspected.


Fix Text (F-34739r2_fix)
The site must have local procedures covering maintenance of COMSEC equipment and key material. Further, any inspection findings from NSA or Services issuing the account or the account sponsor (for Hand Receipt holders) must be corrected or provide evidence there is a plan of action in place and underway to correct noted deficiencies.