UNCLASSIFIED March 2014 IT Security Directive for the Control of COMSEC Material in the Government of Canada ITSD-03A

May 29, 2018


UNCLASSIFIED

March 2014

IT Security Directive for the Control of COMSEC Material in the Government of Canada

ITSD-03A


Foreword

The IT Security Directive for the Control of COMSEC Material in the Government of Canada (ITSD-03A) is an UNCLASSIFIED publication issued under the authority of the Chief, Communications Security Establishment, in accordance with the Treasury Board of Canada Secretariat Policy on Government Security.

General inquiries and suggestions for amendments are to be forwarded through departmental communications security channels to COMSEC Client Services at the Communications Security Establishment.

This directive supersedes the following standards that must be destroyed in accordance with departmental procedures governing sensitive information:

Directive for the Control of COMSEC Material in the Government of Canada (ITSD-03), October 2011.

Canadian Cryptographic Doctrine for the Disposal of Accountable COMSEC Equipment (CCD-49), February 2008.

Minimum National Security Requirements for Managing and Distributing Key in a BLACK State (ITSB-55), August 2013.

Communications Security Establishment will notify users of changes to this publication.

Effective Date

This directive takes effect on date of signature.

Originally signed by

Toni Moffa

Deputy Chief, IT Security

March 2014

© Government of Canada, Communications Security Establishment, 2014

Physical or electronic copies of this publication, in part or in whole, may be made for official Government of Canada use only.


Summary of Changes

With the introduction of several new Information Technology Security Directives recently published by the Communications Security Establishment to support Communications Security in the Government of Canada, several chapters, articles and annexes of the original Directive for the Control of COMSEC in the Government of Canada (ITSD-03), dated October 2011, have been re-organized, removed or updated, as indicated below.

Removed

Annex A: Control of In-Process COMSEC Material moved to new ITSD-08.

Added

New Annex A: Managing and Distributing Key in a BLACK State.

Article 1.9: Conflict Resolution.

Article 1.11: Added reference to Canadian Controlled Goods Program (CGP) and United States International Traffic in Arms Regulations (ITAR) requirements.

Articles 2.6, 12.6.3, Fig. 1: Defined the new CSE Industrial COMSEC Account (CICA), which has been authorized to manage Canadian Private Sector COMSEC Sub-Accounts (previously the purview of PWGSC/ITSD).

Article 2.8.1: Introduction of cryptographic key states (RED and BLACK) that is detailed in Annex A.

Article 7.3.2: Special Marking and Warning Caveat “Eyes Only”.

Articles 10.5 – 10.7: Access Controls for COMSEC Visits.

Modified

Article 1.5: Amended to include Other Levels of Government (OLG).

Articles 2.2.3, 13.2.6.4, 15.2.1, 15.2.2.1, 15.4.1: Changed the name of the regularly scheduled inventory from “annual” to “periodic” and extended its schedule to 18 months from 12 months.

Article 6.1.1: Amended Appointment Certificate requirements for renewal.

Article 6.2.3: Amended to include manual accounting sub-systems.

Article 6.3.2: Amended requirement for Custodians to provide confirmation of changes to the COMSEC Signing Authority Form.


Article 6.3.7: Amended the time line for continuity of COMSEC Account service to reflect immediacy of appointment of new personnel and forwarding updated Appointment Certificates to NCOR/COR.

Article 8.2.3: Amended secondary Tracer Notice action to include DCA involvement.

Article 9.5: Amended Drop Accounting to introduce doctrine for handling COMSEC material acquired from international sources outside of normal COMSEC channels.

Article 10.2.3: Amended to provide a requirement for COMSEC Briefing updates (every five years) for active COMSEC personnel.

Chapter 11: Amended Physical Security requirements to include fixed and mobile COMSEC facilities, point to TRA requirements and RCMP Physical Security Zoning standards in establishing COMSEC facilities at home and abroad.

Article 12.2, 13.2.5.3, 13.2.5.4, 13.2.5.5: Amended to introduce control and management direction for magnetic or optical Removable Storage Media (RSM) as detailed in the new Annex A.

Article 12.4.5.3: Modified the preparation and packaging criteria for CCI.

Article 13.4.7: Amended to include requirement for confirmation that upgrade has been completed (including audit requirements).

Chapter 14: Amended the disposal (destruction) of accountable COMSEC material requirements to include the direction formerly provided in the Doctrine for the Disposal of Accountable COMSEC Equipment (CCD-49).

Chapter 16: Amended the COMSEC Emergency Protection Planning criteria.

Article 17.3.2: Amended the requirement to report “MUST” be corrected observations within 10 days, and a negotiable correction period for less impacting observations.

Article 17.3.3: Modified tracer action for missing documentation to provide escalated oversight. Where applicable, a 2nd tracer will be sent directly to the DCA vice COMSEC Account Custodian.


Table of Contents

Foreword
Summary of Changes
List of Tables
List of Figures
List of Abbreviations and Acronyms
1 Introduction
  1.1 Purpose
  1.2 Authority
  1.3 Scope
  1.4 Context
  1.5 Application
  1.6 Expected Results
  1.7 Compliance
  1.8 Consequence of Non-Compliance
  1.9 Conflict Resolution
  1.10 Requests for Exception or Waiver
  1.11 Canadian Controlled Goods Program and United States International Traffic in Arms Regulations
  1.12 Contact Information
  1.13 COMSEC User Portal
  1.14 Communications Security Establishment Web Site
2 National COMSEC Material Control System
  2.1 Structure and Organization Overview
  2.2 National Central Office of Record
  2.3 Central Office of Record
  2.4 National Distribution Authority
  2.5 COMSEC Accounts
  2.6 COMSEC Sub-Accounts
  2.7 Local Elements
  2.8 Accountable COMSEC Material
3 Major COMSEC Roles and Responsibilities
  3.1 General
4 Selection of COMSEC Personnel
  4.1 COMSEC Custodial Personnel
  4.2 Local Element


5 Training
  5.1 General
6 Management of COMSEC Accounts
  6.1 Establishing COMSEC Accounts
  6.2 Files and Records
  6.3 Changes to COMSEC Accounts
  6.4 Closing a COMSEC Account
  6.5 Closing a COMSEC Sub-Account
  6.6 Suspension of a COMSEC Account
7 Identification of Accountable COMSEC Material
  7.1 General
  7.2 Identification
  7.3 Special Marking and Warning Caveats
8 Accounting Forms, Reports and Notices
  8.1 COMSEC Material Reports
  8.2 Tracer Notices
9 Special Accounting Requirements
  9.1 Canadian Controlled COMSEC Material Outside of the National COMSEC Material Control System
  9.2 Release of Accountable COMSEC Material to the Private Sector
  9.3 Government Furnished Equipment
  9.4 COMSEC Material under Contract
  9.5 Drop Accounting – COMSEC Material Received from a Foreign Entity
10 Access to Accountable COMSEC Material
  10.1 Prerequisite for Access
  10.2 COMSEC Briefing and COMSEC Briefing Certificate
  10.3 Two-Person Integrity
  10.4 No-Lone Zone
  10.5 Access Control – COMSEC Visits
  10.6 Foreign Government Organizations Visiting a Government of Canada Department
  10.7 Foreign Private Sector Companies Visiting a Government of Canada Department
11 Physical Security
  11.1 COMSEC Facilities
  11.2 Secure Storage
12 Distribution and Receipt of Accountable COMSEC Material
  12.1 Distributing Accountable COMSEC Material


  12.2 Distributing Electronic Key on Magnetic or Optical Removable Storage Media
  12.3 Tracking the Shipment of Accountable COMSEC Material
  12.4 Packaging Accountable COMSEC Material
  12.5 Authorized Modes of Transportation
  12.6 Authorized Couriers of Accountable COMSEC Material
  12.7 Receiving Accountable COMSEC Material
13 Handling and Use of Accountable COMSEC Material
  13.1 Cryptographic Key
  13.2 Cryptographic Equipment
  13.3 COMSEC Publications
  13.4 Local Tracking of Non-Accountable COMSEC Material
14 Disposal of Accountable COMSEC Material
  14.1 General
  14.2 Destruction of Key
  14.3 Destruction of COMSEC Publications
  14.4 Destruction of Cryptographic Equipment
  14.5 Performing Routine Destruction
  14.6 Routine Destruction Methods
15 COMSEC Account Inventory
  15.1 Reasons for Inventory
  15.2 Types of Inventory
  15.3 Inventory Reports
  15.4 Inventory Conduct
16 COMSEC Emergency Protection Planning
  16.1 Requirement
  16.2 Planning for Natural Disasters and Accidental Emergencies
  16.3 Planning for Emergencies in High Risk Environments
  16.4 The Emergency Plan
17 COMSEC Account Audit
  17.1 Planning the Audit
  17.2 Conducting the Audit
  17.3 Audit Reporting
  17.4 COMSEC Sub-Account Audits
18 COMSEC Incidents
  18.1 General
  18.2 Classes of COMSEC Incidents
  18.3 Handling, Reporting and Evaluating COMSEC Incidents
Glossary


Bibliography
Annex A - Managing and Distributing Key in a BLACK State
  A.1 Accounting and Handling Principles
Appendix A – Key Distribution Methods
  A.A.1 Key Distribution Methods
Appendix B – Requirements for Key in a RED, BLACK or Benign Fill States
  A.B.1 RED, BLACK or Benign Fill Key States
Appendix C – Foreign Produced BLACK Key

List of Tables

Table 1 – Contact Information for COMSEC Offices
Table 2 – Key Held in Reserve
Table 3 – Authorized Modes of Transportation for Accountable COMSEC Material
Table 4 – Key States

List of Figures

Figure 1 – National COMSEC Material Control System (NCMCS)
Figure 2 – Example of Magnetic or Optical Removable Storage Media Label
Figure 3 – Accountability Concept for Key in a BLACK State
Figure 4 – Key Distribution Methods for Key in a BLACK State


List of Abbreviations and Acronyms

ACM: Accountable COMSEC Material
ACMCA: Accountable COMSEC Material Control Agreement
AEHF: Advanced Extremely High Frequency
AFU: Approval for Use
ALC: Accounting Legend Code
ATU: Authorization to Use

BET: Bulk Encryption Transaction

CA: Controlling Authority
CAN: Canada
CCD: Canadian Cryptographic Doctrine
CCI: Controlled Cryptographic Item
CCF: Canadian Central Facility
CD-ROM: Compact Disk Read-Only Memory
CFCSU: Canadian Forces Crypto Support Unit
CGP: Controlled Goods Program
CHVP: Cryptographic High Value Product
CICA: CSE Industrial COMSEC Account
CIK: Cryptographic Ignition Key
CISD: Canadian Industrial Security Directorate
CKL: Compromised Key List
CMAC: Crypto Material Assistance Centre
COMSEC: Communications Security
COR: Central Office of Record
Cryptonet: Cryptographic Network
CSE: Communications Security Establishment
CSMI: Classified Security Management Infrastructure
CUAS: Common User Application Software
CUP: COMSEC User Portal

DCA: Departmental COMSEC Authority
DDSM: Directive on Departmental Security Management
DND: Department of National Defence
DSO: Departmental Security Officer
DVD: Digital Versatile Disk

EDP: Emergency Destruction Procedure
EKMS: Electronic Key Management System

FAA: Financial Administration Act
FOUO: For Official Use Only (U.S.)
FSU: Field Software Upgrade


GC: Government of Canada
GFE: Government Furnished Equipment

HTTPS: Hypertext Transfer Protocol Secure

IC: Integrated Circuit
ID: Identifier
IFF: Identification Friend or Foe
IP: In-Process
ISDN: Integrated Services Digital Network
ISP: Industrial Security Program
IT: Information Technology
ITAR: International Traffic in Arms Regulations
ITS AFU: Information Technology Security Approval For Use
ITSA: Information Technology Security Alert
ITSB: Information Technology Security Bulletin
ITSC: Information Technology Security Coordinator
ITSD: Information Technology Security Directive
ITSG: Information Technology Security Guidance
ITSLC: Information Technology Security Learning Centre

KEK: Key Encryption Key
KMID: Key Material Identifier
KMSP: Key Material Support Plan
KP: Key Processor
KSD: Key Storage Device

LCMS: Local COMSEC Management Software

MITS: Management of Information Technology Security
MOA: Memorandum of Agreement
MOU: Memorandum of Understanding

NATO: North Atlantic Treaty Organization
NCAT: National COMSEC Audit Team
NCER: National Cryptographic Equipment Reserve
NCIO: National COMSEC Incidents Office
NCMCS: National COMSEC Material Control System
NCOR: National Central Office of Record
NDA: National Distribution Authority
NLZ: No-Lone Zone
NMT: Navy Multi-band Terminal

OLG: Other Levels of Government
ORR: Operational Rekey Report
OTAD: Over-the-Air Distribution
OTAR: Over-the-Air Rekey


PC: Personal Computer
PCB: Polychlorinated Biphenyls
PDS: Practice Dangerous to Security
PGS: Policy on Government Security
PIN: Personal Identification Number
PKI: Public Key Infrastructure
PROM: Programmable Read-Only Memory
PSTN: Public Switched Telephone Network
PWA: Printed Wiring Assembly
PWGSC: Public Works and Government Services Canada

RCMP: Royal Canadian Mounted Police
RSM: Removable Storage Medium

SA&A: Security Assessment and Authorization
SCIP: Secure Communication Interoperability Protocol
SDNS: Secure Data Network System
SKCR: Seed Key Conversion Report
SMART-T: Secure Mobile Anti-Jam Reliable Tactical Terminal
SPIRS: Secure Data Network System (SDNS) Public Switched Telephone Network (PSTN)-Integrated Services Digital Network (ISDN) Rekey Subsystem

T3MD: Tier 3 Management Device
TBS: Treasury Board of Canada Secretariat
TEK: Traffic Encryption Key
TPI: Two-Person Integrity
TRA: Threat and Risk Assessment
TRI: Transfer Report Initiating
TRR: Transfer Report Receipt

U//FOUO: UNCLASSIFIED//For Official Use Only (U.S.)
U.S.: United States
UK: United Kingdom
USB: Universal Serial Bus


1 Introduction

The Government of Canada (GC) has established a program known as Communications Security (COMSEC) to assist in the protection of classified information and data. The COMSEC program involves the application of cryptographic security, transmission and emission security, physical security measures, operational practices, and controls. The objective of COMSEC is to deny unauthorized access to information derived from telecommunications and to ensure the authenticity of such telecommunications.

“COMSEC material” is designed to secure or authenticate telecommunications information. COMSEC material includes cryptographic key, devices, hardware, and firmware or software that embodies or describes cryptographic logic. It also includes the documents that describe and support these items.

NOTE: Throughout the remainder of this document (except in the glossary), the term “cryptographic key” will be referred to as “key”. The term “key” will include all forms of physical or electronic key and will be used to refer to both singular and multiple quantities of key.

1.1 Purpose

This directive provides the minimum security requirements for the control and management of COMSEC material authorized by the Communications Security Establishment (CSE) for use by the GC.

1.2 Authority

This directive is promulgated pursuant to the Policy on Government Security (PGS) that delegates CSE as the lead security agency and national authority for COMSEC. CSE is responsible for the development, approval and promulgation of COMSEC policy instruments and for the development of guidelines and tools related to Information Technology (IT) security.

1.3 Scope

The methods for the control and management of Accountable COMSEC Material (ACM) vary and are determined by the nature of the material itself. The scope of this directive includes:

ACM, which requires control and accountability within the National COMSEC Material Control System (NCMCS); and

NOTE: The term “accountable” in ACM is meant to define the CSE-approved control and management requirements associated with ACM asset management within the NCMCS.

COMSEC material (other than above), which requires control and local tracking by the COMSEC Custodian through a manual or electronic tracking system outside of the NCMCS.


COMSEC material under development, which requires local accounting and control within an In-Process (IP) COMSEC accounting system, is not within the scope of this directive (refer to the IT Security Directive for the Control and Management of In-Process COMSEC Material [ITSD-08], for details on management of IP COMSEC material).

1.4 Context

This directive supports the PGS, the Operational Security Standard: Management of Information Technology Security (MITS), and the Directive on Departmental Security Management (DDSM). It should be read in conjunction with the following publications:

IT Security Directive for the Application of Communications Security Using CSE-Approved COMSEC Solutions (ITSD-01A), December 2013;

Directive for the Use of CSEC-Approved COMSEC Equipment and Key on a Telecommunications Network (ITSD-04), November 2011;

Directive for Reporting and Evaluating COMSEC Incidents Involving Accountable COMSEC Material (ITSD-05), April 2012;

Directive for the Control of COMSEC Material in the Canadian Private Sector (ITSD-06), March 2013;

IT Security Directive for the Control of CSE-Approved Cryptographic High Value Products (CHVP) (ITSD-07), in development; and

IT Security Directive for the Control and Management of In-Process COMSEC Material (ITSD-08), in development.

1.5 Application

This directive and the supporting directives identified in Article 1.4 apply to GC departments, Other Levels of Government (OLG) and private sector companies that are authorized to handle, control and safeguard CSE-approved COMSEC material to protect classified and PROTECTED C information and data for the GC.

For the purpose of this directive, the term:

“GC department” includes any federal institution (e.g. department, agency, organization) subject to PGS and to Schedules I, I.1, II, IV and V of the Financial Administration Act (FAA), unless excluded by specific acts, regulations or Orders in Council;

“Other Levels of Government” includes provincial, municipal and local government organizations (e.g. law enforcement agencies); and


“private sector company” includes Canadian companies, organizations or individuals that do not fall under the FAA or are not subordinate to a provincial or municipal government. It also includes Canadian-based industries (or other non-government organizations) where security is administered by the Industrial Security Program (ISP) of Public Works and Government Services Canada (PWGSC).

1.6 Expected Results

Implementation of this directive will help ensure control, safeguard and accounting for ACM in departmental communications operations.

1.7 Compliance

Compliance with these minimum security requirements is the responsibility of each organization identified in Article 1.5; however, it does not preclude individual organizations from applying more stringent security measures. Organizational directives that exceed the minimum security requirements of this directive take precedence within that organization and associated network connectivity with respect to Security Assessment and Authorization (SA&A) requirements.

1.8 Consequence of Non-Compliance

Failure to comply with this directive may result in escalated administrative controls being placed on a COMSEC Account and possible suspension of key delivery.

1.9 Conflict Resolution

When a conflicting national-level COMSEC directive (e.g. ITSD series) is encountered, this directive will take precedence. Any conflict between the requirements contained in this directive and any other national (e.g. PGS, DDSM and MITS) or international (e.g. International Traffic in Arms Regulations [ITAR]) requirements is to be submitted to COMSEC Client Services for resolution.

1.10 Requests for Exception or Waiver

Requests for an exception (substitution) or a waiver (a temporary exemption from a specific

requirement) must be submitted by the DCA in writing and with a justification, to COMSEC

Client Services for approval.

1.11 Canadian Controlled Goods Program and United States

International Traffic in Arms Regulations

In addition to the direction provided in this directive for ACM assets, GC departments, OLG and private sector companies must comply with the Canadian Controlled Goods Program (CGP) and United States (U.S.) ITAR requirements.

1.12 Contact Information

The following table contains contact information for offices within CSE that provide COMSEC

support to users.

Unless otherwise specified, CSE’s telephone and secure fax contact numbers listed below are

attended from 8 a.m. to 4 p.m. Eastern Time, Monday to Friday.

Table 1 – Contact Information for COMSEC Offices

COMSEC Client Services

Telephone: 613-991-8495

Secure Fax: 613-991-8565

[email protected]

Crypto Material Assistance Centre (CMAC) and National Central Office of Record (NCOR)

Telephone: 613-991-8600

Fax: 613-991-7440

Secure Fax: 613-998-5686

[email protected]

National COMSEC Incidents Office (NCIO)

Telephone: 613-991-8175

Fax: 613-991-7588

Secure Fax: Call 613-991-8175 for set up

[email protected]

After office hours:

Telephone: 613-991-8762

Secure Fax: 613-991-8766

[email protected]

1.13 COMSEC User Portal

Authorized users may access the CSE COMSEC User Portal (CUP) at

https://comsecportal.cse-cst.gc.ca. The CSE CUP provides COMSEC-related UNCLASSIFIED

and PROTECTED A information, as well as Field Software Upgrades (FSUs) associated with

CSE-approved high assurance products, systems and services. For information on becoming an

authorized user of the CSE CUP, contact CMAC.

1.14 Communications Security Establishment Web Site

COMSEC publications and information (UNCLASSIFIED only) associated with CSE-approved

high assurance products, systems and services are available on the CSE web site at

http://www.cse-cst.gc.ca/en/group-groupe/high-assurance-technologies.

1.14.1 COMSEC Forms and Report Templates

COMSEC control and management forms and report templates identified in this directive are

available in the CSE CUP or through CMAC.

2 National COMSEC Material Control System

2.1 Structure and Organization Overview

The NCMCS is a CSE-approved centralized national control system which includes the

personnel, training, and procedures that enable GC departments to ensure positive control and

effectively handle ACM. The NCMCS provides for the control of ACM through:

National Central Office of Record (NCOR)

Central Office of Record (COR)

National Distribution Authority (NDA)

COMSEC Accounts

COMSEC Sub-Accounts, and

Local Elements.

Figure 1 – National COMSEC Material Control System (NCMCS)

[Figure: organization chart with boxes for the National Central Office of Record (NCOR), the Department of National Defence (DND) Central Office of Record (COR), the National Distribution Authority (NDA), the CSE Industrial COMSEC Account (CICA), GC Department COMSEC Accounts, DND COMSEC Accounts, COMSEC Sub-accounts and Local Elements.]

2.2 National Central Office of Record

2.2.1 Overview

NCOR is the entity at CSE which is responsible for overseeing the management and accounting

of ACM produced in, or entrusted to Canada. NCOR is not a COMSEC Account and never holds

ACM. NCOR responsibilities are assigned to three distinct roles: Registration Authority,

COMSEC Accounts Manager, and Key Processor (KP) Privilege Certificate Manager. These

roles are centrally administered by CMAC. Refer to Article 1.12 for contact information.

2.2.2 Registration Authority

As the national Registration Authority for all GC COMSEC Accounts, NCOR personnel:

manage the Electronic Key Management System (EKMS) Identifiers (IDs) (i.e. COMSEC

Account numbers) used in Canada;

assign a unique COMSEC Account Number (also known as EKMS ID) to each COMSEC

Account;

collect and maintain account registration data in the EKMS Directory Service;

provide registration data to COMSEC Accounts that do not have access to the EKMS

Directory Service;

confirm the appointment or termination of appointment of the DCA, COMSEC Custodian

and Alternate COMSEC Custodian(s);

open and close COMSEC Accounts for the GC;

temporarily deactivate COMSEC Accounts for GC departments;

register NCOR with allied COMSEC material control systems; and

register COMSEC Accounts with allied COMSEC material control systems when those

accounts are authorized to exchange ACM with allied countries.

2.2.3 COMSEC Accounts Manager

As National COMSEC Account Manager, NCOR personnel:

maintain a master inventory of all centrally accountable ACM for those COMSEC Accounts

under their purview;

process COMSEC Material Reports, including validation of signature(s) against signature

specimens;

perform periodic inventory reconciliations (sometimes called annual inventory in other documentation) with COMSEC Accounts;

monitor the effective dates of key to ensure it is destroyed and reported as destroyed in a

timely manner;

support the evaluation and recovery from compromise or potential compromise of COMSEC

material; and

liaise with COMSEC Account custodial staff and provide guidance and assistance on all

COMSEC accounting matters.

2.2.4 Key Processor Privilege Certificate Manager

As the KP Privilege Certificate Manager, NCOR personnel:

accept and validate requests for KP Privilege Certificates;

create, sign and distribute KP Privilege Certificates; and

maintain configuration control of KP Privilege Certificates.

2.3 Central Office of Record

A COR is an entity within a GC department that is responsible for overseeing the management

and accounting of ACM held by COMSEC Accounts subject to its oversight. NCOR will

establish a COR in a GC department upon approval from COMSEC Client Services. A COR can

only be established by receiving delegated authorities from the NCOR to administer the

regulatory processes of this directive within its own department.

NOTE: CSE has established the Department of National Defence (DND) Canadian Forces

Crypto Support Unit (CFCSU) as a COR. Throughout this directive, the combined

term NCOR/COR will mean NCOR (or COR if applicable).

2.4 National Distribution Authority

The NDA is the entity at CSE responsible for the movement (receipt and distribution) of ACM in

and out of the country. It is also responsible for:

storing a limited amount of ACM for eventual distribution;

storing contingency key, in the event of system failure;

holding the National Cryptographic Equipment Reserve (NCER);

receiving ACM for disposal, or out-of-country repair or transfer;

receiving and redistributing allied ACM;

receiving damaged or defective ACM being returned to CSE for technical evaluation; and

generating and distributing electronic key, as required.

2.5 COMSEC Accounts

GC departments must establish a CSE-approved COMSEC Account before receiving ACM.

Normally, only one COMSEC Account is established at each GC department. However, if

sufficient justification exists, COMSEC Client Services may approve the establishment of

additional COMSEC Account(s) within a GC department. COMSEC Accounts may establish

COMSEC Sub-Accounts and may register Local Elements. Each COMSEC Account is assigned

a unique COMSEC Account number by a NCOR/COR.

The minimum COMSEC Account personnel requirements include:

a DCA (refer to Article 3.1.3)

a COMSEC Custodian, and

at least one Alternate COMSEC Custodian.

NOTE 1: More than one Alternate COMSEC Custodian is recommended for COMSEC

Accounts requiring Two-Person Integrity (TPI) or No Lone Zone (NLZ) controls.

NOTE 2: Refer to Chapter 3 for requirements applicable to personnel roles and responsibilities

and Chapter 6 for information on establishing COMSEC Accounts.

2.6 COMSEC Sub-Accounts

GC departments may establish COMSEC Sub-Accounts to help facilitate control over a large

inventory or dispersed ACM. A COMSEC Sub-Account:

will be assigned a unique COMSEC Sub-Account number by the parent COMSEC Account

Custodian;

must have a COMSEC Sub-Account Custodian and at least one Alternate COMSEC

Sub-Account Custodian;

must exchange ACM and accounting transactions only with its own parent COMSEC

Account;

must not hold COMSEC material to which the parent COMSEC Account cannot have access;

and

must register Local Elements.

NOTE: The CSE Industrial COMSEC Account (CICA) is responsible for establishing COMSEC Sub-Accounts for the private sector and has a unique COMSEC management relationship (refer to the Directive for the Control of COMSEC Material in the Canadian Private Sector [ITSD-06]).

2.7 Local Elements

Local Elements are individuals who are authorized to hold, store and use ACM. Local Elements

share the COMSEC Account number of the COMSEC Account or COMSEC Sub-Account at

which they are registered. Local Elements are authorized to exchange ACM only with the

COMSEC Account or COMSEC Sub-Account at which they are registered. Local Elements are

not authorized to re-loan ACM.

Local Elements are not normally permitted to be registered at more than one COMSEC Account or COMSEC Sub-Account at the same time; however, in cases where a GC department may have more than one COMSEC Account or COMSEC Sub-Account, Local Elements of that GC department may be registered at each of the department’s COMSEC Account/Sub-Accounts.

NOTE: Local Elements are typically departmental employees, embedded (to the department)

contractors, or personnel on assignment or integral to that department.

2.8 Accountable COMSEC Material

The NCMCS is approved to account for three types of ACM:

Key

Cryptographic equipment, and

COMSEC publications.

2.8.1 Key

The term key (also known as keying material or keymat in other documentation) refers to information used to set up and periodically change the operations performed in cryptographic equipment for the purpose of encrypting and decrypting electronic signals and digital signatures, determining electronic countermeasures patterns, or producing other key. Key is normally accounted for by its short title. Throughout the remainder of this directive, the term key will refer to both the singular and plural forms. Refer to the IT Security Guidance on Cryptographic Key Ordering Manual (ITSG-13) for additional detail.

Key is generated and delivered in one of two states:

RED (unencrypted), which is accounted for within NCMCS, or

BLACK (encrypted), which is not accounted for within NCMCS.

NOTE: Annex A provides the minimum security requirements for the management of key in a

safe/protected (BLACK) state.

2.8.2 Cryptographic Equipment

Cryptographic equipment is normally identified and accounted for by one short or long title,

rather than by individual components or sub-assemblies. Whenever a component or sub-assembly

that has been assigned a NCMCS Accounting Legend Code (ALC) is removed from its host

equipment, the item must be accounted for as a separate item within NCMCS and must be

identified separately by its individual short title. Refer to the Canadian Cryptographic

Doctrine (CCD) series for further information on specific cryptographic equipment.

2.8.2.1 Controlled Cryptographic Item

The CCI marking indicates a type of cryptographic equipment that must always be accounted for

and controlled within the NCMCS. The CCI category applies to specific unclassified, secure

communications and information handling equipment, as well as associated cryptographic

components and assemblies.

In many cases, COMSEC material in the CCI category will not be assigned a short title, but will

instead bear the manufacturer’s commercial designator. This equipment will be marked

“Controlled Cryptographic Item” or “CCI”, and will bear a government serial number label.

Since CCI and associated cryptographic components employ a classified cryptographic logic, it is

only the hardware or firmware embodiment of that logic that is unclassified. The associated

cryptographic engineering drawings, logic descriptions, theory of operation, computer programs,

and related cryptographic information remain classified.

2.8.3 COMSEC Publications

COMSEC publications may include:

cryptographic maintenance manuals

sensitive pages of a cryptographic maintenance manual

cryptographic operating instructions

classified full maintenance manuals

classified depot maintenance manuals

cryptographic logic descriptions

drawings of cryptographic logics

specifications describing a cryptographic logic

other classified cryptographic and non-cryptographic operational publications

replacement pages to the above and like publications, and

extracts, supplements and addenda from accountable COMSEC publications.

3 Major COMSEC Roles and Responsibilities

3.1 General

All COMSEC Account personnel and other personnel requiring access to ACM must be

Canadian citizens (including those of dual nationality). Except for Canadian private sector

COMSEC Sub-Accounts (refer to ITSD-06), COMSEC Account personnel must be employees of

the GC department registered to the COMSEC Account.

3.1.1 Deputy Head

GC Department Deputy Heads are responsible for implementing this directive.

3.1.2 Departmental Security Officer

The DSO is appointed by the department Deputy Head. Among other duties, as listed in the PGS,

the DSO’s responsibility includes managing the department’s security program. For more details

on the roles and responsibilities of the DSO, consult the DDSM.

3.1.3 Departmental COMSEC Authority

A DCA may be appointed by the DSO to act in his or her stead to manage the departmental

COMSEC program. The DCA is responsible for developing, implementing, maintaining,

coordinating and monitoring a departmental COMSEC program that is consistent with the PGS

and its operational standards. Additionally, the DCA is responsible for the overall control of

ACM that has been charged to the departmental COMSEC Account. Refer to the DCA Quick

Reference Guide for an overview of the DCA responsibilities associated with the control of

COMSEC material.

NOTE 1: A GC department may determine that the Information Technology Security

Coordinator (ITSC) will appoint the DCA.

NOTE 2: In a department where a DCA is not appointed, the DSO or the ITSC must assume the

role and responsibilities of the DCA.

3.1.3.1 Separation of Duties

The DCA, or any other individual within the GC department fulfilling the role of the DCA, may

not be appointed as a COMSEC Custodian, Alternate COMSEC Custodian, COMSEC

Sub-Account Custodian or Alternate COMSEC Sub-Account Custodian.

COMSEC Custodian personnel must not be designated to manage more than one COMSEC

Account or COMSEC Sub-Account at the same time.

3.1.4 COMSEC Custodian

COMSEC Custodians are responsible for the generation, receipt, custody, distribution, disposition or destruction, and accounting of ACM entrusted to their COMSEC Account or Sub-Account, in accordance with this directive. COMSEC Custodians are also responsible for providing their Local Elements and other authorized users with cryptographic equipment troubleshooting support and guidance on the use of key.

NOTE: The COMSEC Custodian Quick Reference Guide provides an overview of the

responsibilities for the COMSEC Custodian, Alternate COMSEC Custodian,

COMSEC Sub-Account Custodian and the Alternate COMSEC Sub-Account

Custodian.

3.1.5 Alternate COMSEC Custodian

The Alternate COMSEC Custodian assists the COMSEC Custodian in the day-to-day activities

of the COMSEC Account or Sub-Account and performs the duties of the COMSEC Custodian in

the temporary absence of the COMSEC Custodian.

3.1.6 COMSEC Sub-Account Custodian

COMSEC Sub-Account Custodians are responsible for the generation, receipt, custody, distribution, disposition or destruction, and accounting of ACM entrusted to their COMSEC Sub-Account as detailed in this directive. COMSEC Sub-Account Custodians are also responsible for providing their Local Elements and other authorized users with cryptographic equipment troubleshooting support and guidance on the use of key.

3.1.7 Alternate COMSEC Sub-Account Custodian

The Alternate COMSEC Sub-Account Custodian assists the COMSEC Sub-Account Custodian

in the day-to-day activities of the COMSEC Sub-Account and performs the duties of the

COMSEC Sub-Account Custodian in the temporary absence of the COMSEC Sub-Account

Custodian.

3.1.8 Local Element

A Local Element is an individual who is authorized to hold, store and use ACM. Local Elements

are personally responsible for the control, safeguarding and disposition of ACM to which they

have been entrusted in accordance with the control and handling instructions provided by their

COMSEC Account or Sub-Account Custodian. Refer to the Local Elements Responsibilities

Form for complete detail.

3.1.9 Controlling Authority for Cryptographic Networks

A cryptographic network (cryptonet) requires a DCA-appointed Controlling Authority (CA) to manage the operational use of the key assigned to the cryptonet and to develop a Key Material Support Plan (KMSP) before the cryptonet can be given authority to operate. Refer to the ITSD-04 for complete detail on the responsibilities of the CA and how to prepare a KMSP.

3.1.10 Other Authorized Users

In certain instances, individuals such as shift workers and technicians (hereinafter referred to as

authorized users) may require short term (immediate) access to ACM. Before allowing this

access, the COMSEC Custodian must ensure the intended authorized user meets the

requirements of Article 10.1.1, and:

signs for and maintains constant personal surveillance of the ACM until it is returned;

returns ACM for lock-up when not under positive personal possession;

does not transport the ACM to another work area or building without consent of the

COMSEC Custodian; and

understands what constitutes a COMSEC incident or potential COMSEC incident.

3.1.11 Key Ordering Personnel

The DCA is responsible for appointing key ordering personnel and establishing their privileges to

submit orders for key.

NOTE 1: The role of key ordering is a separate responsibility from COMSEC custodial duties;

however, the DCA may appoint the role of key ordering to COMSEC custodial

personnel.

NOTE 2: Refer to ITSG-13 for key ordering requirements.

3.1.12 Witness

The witness to COMSEC transactions is normally the Alternate COMSEC Custodian; however,

another individual with the pre-requisites for access to ACM and a security status at least equal

to the highest classification level of the ACM transaction being witnessed may act as a witness.

The witness must not sign any documentation without having personally sighted the ACM listed

on a transaction form.

4 Selection of COMSEC Personnel

4.1 COMSEC Custodial Personnel

The DCA must carefully screen individuals who have been selected to become a COMSEC

Custodian, Alternate COMSEC Custodian, COMSEC Sub-Account Custodian or Alternate

COMSEC Sub-Account Custodian to ensure that each proposed individual:

is a Canadian citizen (including those of dual nationality);

possesses a security clearance at least equal to the highest sensitivity of the COMSEC

material held in the COMSEC Account, but never less than SECRET;

possesses a current COMSEC Briefing (refer to Article 10.2);

is a responsible individual who is qualified to assume the duties and responsibilities of

COMSEC Custodian, Alternate COMSEC Custodian, COMSEC Sub-Account Custodian or

Alternate COMSEC Sub-Account Custodian;

is in a position or at a level of authority that would permit the individual to exercise proper jurisdiction in fulfilling the responsibilities of the position;

has not previously been relieved of COMSEC Custodian, Alternate COMSEC Custodian,

COMSEC Sub-Account Custodian or Alternate COMSEC Sub-Account Custodian duties for

reasons of negligence or non-performance of duties; and

will not be assigned duties that would interfere or conflict with the duties as COMSEC

Custodian, Alternate COMSEC Custodian, COMSEC Sub-Account Custodian or Alternate

COMSEC Sub-Account Custodian.

4.2 Local Element

The COMSEC Custodian or COMSEC Sub-Account Custodian must ensure that Local Elements

are established for operational purposes where access to ACM is required. A Local Element

must:

be a Canadian citizen (including those of dual nationality);

possess a security clearance at least equal to the highest sensitivity of the COMSEC material

that will be provided;

possess a current COMSEC Briefing (refer to Article 10.2);

read and sign a Local Element Responsibilities Form;

be a responsible individual who is qualified to assume the duties and responsibilities of a

Local Element;

be in a position or at a level of authority which would permit the individual to exercise proper

jurisdiction in fulfilling the responsibilities of a Local Element; and

not have been previously relieved of Local Element duties for reasons of negligence or

non-performance of duties.

5 Training

5.1 General

COMSEC Custodians require formal training. The DCA must ensure that each new COMSEC

Custodian and Alternate COMSEC Custodian attends a formal COMSEC Custodian course

before or as soon as possible following the appointment. Other departmental personnel who use

or are responsible for the control of ACM may also attend this course.

5.1.1 Schedules and Registration

Training course schedules and registration information are available from the IT Security

Learning Centre (ITSLC) at CSE.

Personnel attending training that requires access to ACM will be COMSEC briefed by the ITSLC

if the attendee does not have a current signed COMSEC Briefing Form.

NOTE: Due to technological, procedural and standards advances, COMSEC personnel who have not performed COMSEC-related duties for more than two years must attend formal COMSEC training.

5.1.2 Interim COMSEC Custodian Training

Where formal training is unavailable prior to appointment or when a new COMSEC Custodian

or Alternate COMSEC Custodian is unable to attend, the DCA or the COMSEC Custodian, as

applicable, must provide interim training. If interim training cannot be provided, contact NCOR

to arrange for interim training assistance.

5.1.3 COMSEC Accounting System Training

Before installing CSE-approved accounting software packages, COMSEC Custodians and

Alternate COMSEC Custodians must attend formal training. Other COMSEC Account personnel

may also attend this course.

5.1.4 Cryptographic Equipment Training

Before using cryptographic equipment, and to the extent possible, COMSEC Custodians and

Alternate COMSEC Custodians should attend formal cryptographic equipment training courses.

Local Elements may also attend these courses.

5.1.4.1 Manufacturer Provided Training

Some manufacturers of CSE-approved cryptographic equipment provide training for their

equipment. In order to attend this training, a visit clearance authorization for COMSEC access

must be requested through COMSEC Client Services.

5.1.5 Other Training Courses

CSE offers additional training that will assist COMSEC Account personnel in the use and

protection of ACM and increase their knowledge of the basic concepts of IT security and

cryptography.

5.1.6 COMSEC Sub-Account and Local Element Training

COMSEC Custodians are responsible for training their COMSEC Sub-Account personnel and

Local Elements.

NOTE: It is recommended that COMSEC Sub-Account personnel attend the formal

COMSEC Custodian training course provided by CSE.

6 Management of COMSEC Accounts

6.1 Establishing COMSEC Accounts

A COMSEC Account must be established at a GC department before the department will be

permitted to receive ACM.

6.1.1 Request to Establish a COMSEC Account

A GC department requiring ACM must submit its requirement to COMSEC Client Services for

the establishment of a COMSEC Account. The request must include:

written correspondence containing –

o justification for the requirement to hold ACM

o interoperability requirements (beyond department)

o highest security classification of the ACM, and

o a statement that the minimum physical security standards of this directive can be met for the highest level of sensitivity of ACM to be held; and

the following forms –

o Account Registration, to identify the department, location and COMSEC custodial personnel being appointed

o Appointment Certificate, for each individual to be appointed to the COMSEC Account, including the DCA, the COMSEC Custodian and at least one Alternate COMSEC Custodian, and

NOTE: Incumbent Appointment Certificates must be renewed every 5 years.

o COMSEC Signing Authority Form, also called the COMSEC Courier Certificate, to provide records of COMSEC Account personnel or any additional departmental staff who are authorized to receive and sign for ACM. Only COMSEC custodial personnel are authorized to open parcels containing ACM and sign ACM reports.

6.1.2 Approval to Establish a COMSEC Account

Before validating a request to open a COMSEC Account, a CSE representative will visit the GC

department to verify that the physical security requirements of this directive (refer to Chapter 9)

can be met and that COMSEC Account personnel have been COMSEC briefed and trained.

Following validation of the request, NCOR/COR will provide written approval for the request

including:

the assigned COMSEC Account Number

a confirmation of the name of the DCA

the verification of the appointment of the COMSEC Custodian and the Alternate COMSEC

Custodian(s), and

a list of publications required to effectively manage the COMSEC Account.

6.1.3 Establishing COMSEC Sub-Accounts

The DCA may establish one or more COMSEC Sub-Accounts to assist with the control of ACM

within the department. The DCA must implement procedures for opening a departmental

COMSEC Sub-Account based upon the direction contained herein.

6.1.4 Registering Local Elements

COMSEC Custodians and COMSEC Sub-Account Custodians must register Local Elements

before authorizing their access to or use of ACM (refer to Article 8.1.2.4). The registration of

Local Elements must include a record of the full name, title or designator, location and phone

number.

6.2 Files and Records

6.2.1 Administration Files

The COMSEC Custodian must establish and maintain administrative files containing

documentation related to the COMSEC Account, including (if applicable):

courier, mail and package receipts

general correspondence

IT Security Alerts (ITSAs)

IT Security Bulletins (ITSBs)

IT Security Approvals for Use (ITS AFU)

Account Registration Forms

Appointment Certificates

Security Screening Certificates

COMSEC Briefing Certificates

COMSEC Signing Authority Forms

COMSEC Incident Initial Reports

COMSEC Account Audit Reports

related files for each COMSEC Sub-Account (if applicable), and

other relevant documentation.

6.2.2 Accounting Files

The COMSEC Custodian must establish and maintain accounting files (manual [paper] or

electronic) that are appropriate for the authorized accounting system being employed that

include:

copies of all accounting reports (refer to Chapter 8), records, registers and logs with

appropriate physical or digital signatures; and

copies of all Inventory Reports (refer to Chapter 15).

6.2.3 Approved Accounting Sub-Systems

CSE has approved the use of several automated and manual accounting/management systems to

accommodate the minimum security requirements of the NCMCS. These systems employ

terminology and procedures that are quite distinct from one another.

Each NCMCS-supporting system must be classified minimally to PROTECTED A with

additional appropriate classification to meet special inventory requirements (refer to

Article 6.2.4) and any other classified information stored on the system.

NOTE: Automated accounting/management systems must employ data and system back-up

procedures to mitigate system failure.

Each department is responsible for ensuring its custodial personnel are trained in the use of the

appropriate CSE-approved accounting and management system.

Contact COMSEC Client Services for the list of approved automated and manual systems or for

requests for approval of new systems.

6.2.4 Classification of Records and Files

COMSEC Account records and files must be marked “PROTECTED A” unless they contain:

classified information (e.g. effective dates, classified long titles or remarks), in which case

the record or file must be marked in accordance with the sensitivity of the content; or

a list of ACM that was provided by a United Kingdom (UK) source, in which case the list

must be classified at least to the minimum standard that the UK is handling the material.

6.2.5 Retention and Disposition of Records and Files

Unless otherwise specified within this directive, all inactive or archived COMSEC Account

records and files must be retained for a period of no less than five years by the COMSEC

Custodian (or responsible DCA), after which they may be destroyed or forwarded to NCOR/COR

for disposal.

6.2.6 Access to Records and Files

The COMSEC Custodian must limit access to COMSEC Account records and files to individuals

who have a need-to-know and meet the requirements for access to ACM (refer to Article 10.1.1).

Access to COMSEC Account records and files by individuals other than the COMSEC

Custodian or Alternate COMSEC Custodian must be closely monitored.

6.3 Changes to COMSEC Accounts

6.3.1 Changes to COMSEC Account Registration Information

COMSEC Custodians must promptly post changes to COMSEC Account registration

information (e.g. mailing and shipping addresses, phone numbers) to the Directory Server or

submit them to NCOR/COR. The Account Registration Form is to be used to submit these

changes.

6.3.2 Changes to the COMSEC Signing Authority Form

The COMSEC Custodian must submit a new COMSEC Signing Authority Form to NCOR/COR

whenever there is a change of personnel or other information. If there is no change to the existing

form, the COMSEC Custodian must provide confirmation annually to NCOR/COR via email.

The COMSEC Signing Authority Form contains the names, telephone numbers and signatures of

COMSEC Account personnel and any additional departmental staff who are authorized to sign

for shipments containing ACM.

6.3.3 Change of Personnel

Before the departure of currently appointed COMSEC Account personnel, the DCA must provide

NCOR/COR with an Appointment Certificate, including:

the new COMSEC Account personnel information; and

the “Termination of Appointment” section completed for the departing individual.

The DCA or COMSEC Custodian, as applicable, must ensure the new appointee receives a

COMSEC briefing and the appropriate COMSEC training.

6.3.4 Scheduling the COMSEC Custodian Changeover

The changeover of COMSEC Custodians should be scheduled at least 90 calendar days in

advance of the COMSEC Custodian’s departure date. The departing COMSEC Custodian and

the individual being appointed as the new COMSEC Custodian must conduct an inventory of the

ACM held in the COMSEC Account as detailed in Chapter 15.

The departing COMSEC Custodian will continue to be responsible for all ACM involved in any

unresolved discrepancy until all discrepancies are resolved.

6.3.5 Conversion of a COMSEC Sub-Account to a COMSEC Account

The DCA must submit a letter to COMSEC Client Services requesting the establishment of a

new COMSEC Account in accordance with Article 6.1.1. The letter must contain justification for

the conversion of the COMSEC Sub-Account to a COMSEC Account. Upon approval of the

conversion, NCOR/COR will provide accounting instructions.

6.3.6 Change of Classification Level of a COMSEC Account

The DCA must submit a written request to COMSEC Client Services to change the level of

classification for the COMSEC Account. The request must include a justification for the

requirement and indicate the new level of classification required.

When a lower level of classification is requested, COMSEC Client Services will provide written

approval once NCOR/COR has confirmed that the COMSEC Account holds ACM at, or lower

than, the requested classification.

When a higher level of classification is requested, COMSEC Client Services will provide

written approval once a CSE representative has visited the COMSEC Account to verify that the

physical security requirements of this directive can be met. The COMSEC Account must not

receive ACM at the higher level until approval of the change of classification level has been

granted.

6.3.7 Absence of COMSEC Custodial Personnel

6.3.7.1 Temporary Absence of COMSEC Custodian

In the absence of the COMSEC Custodian for a period of 60 calendar days or less, the DCA must

ensure the Alternate COMSEC Custodian immediately assumes the responsibilities and duties of

the COMSEC Custodian.

6.3.7.2 Temporary Absence of Alternate COMSEC Custodian

In the absence of the Alternate COMSEC Custodian for a period of 60 calendar days or less, the

DCA must ensure the second Alternate COMSEC Custodian immediately assumes the

responsibilities and duties. Where no second Alternate COMSEC Custodian has been appointed,

the DCA must appoint one and forward the Appointment Certificate immediately to

NCOR/COR.

6.3.7.3 Absence Longer than 60 Calendar Days

An absence of more than 60 calendar days must be treated as a permanent absence, and the DCA

must immediately appoint a new COMSEC Custodian or Alternate COMSEC Custodian, as

applicable, and forward the Appointment Certificate to NCOR/COR.

6.3.7.4 Unexplainable Departure of COMSEC Custodian or Alternate COMSEC Custodian

In the case of an unexplainable (does not include death, serious illness, short notice personnel

transfer), sudden, indefinite or permanent departure of the COMSEC Custodian or Alternate

COMSEC Custodian, the DCA must take the following steps:

1. Immediately report the circumstances of any departure in accordance with Chapter 18.

2. Appoint a new COMSEC Custodian or Alternate COMSEC Custodian as required.

3. Ensure the combinations and the keys of containers and vaults are changed.

4. Ensure the new COMSEC Custodian or Alternate COMSEC Custodian immediately

conducts an inventory (refer to Chapter 15) with an appropriately cleared witness.

5. Ensure the COMSEC Account audit is conducted by the appropriate authority.

6.4 Closing a COMSEC Account

When a department no longer has a requirement to hold ACM, the DCA must provide COMSEC

Client Services with a written request to close the COMSEC Account and must include

Termination of Appointment Certificates for all COMSEC Account personnel.

Upon authorization from COMSEC Client Services, the COMSEC Custodian will transfer all

ACM currently held in the COMSEC Account to another COMSEC Account, or destroy it (if

authorized), and forward all accounting reports, Termination of Appointment Certificates, and a

signed “zero balance” inventory to NCOR/COR.

Once NCOR/COR has received the Termination of Appointment Certificates, confirmed that the

COMSEC Account no longer holds any ACM, and has updated the COMSEC Account status,

the NCOR/COR will issue a letter to the DCA, officially closing the COMSEC Account.

The DSO will ensure that all COMSEC Account files are retained for a period of five years and

then dispose of them in accordance with the direction at Article 6.2.5.

6.5 Closing a COMSEC Sub-Account

When it is determined that the requirement for a COMSEC Sub-Account no longer exists, the

DCA must take the following steps:

direct the COMSEC Sub-Account Custodian to return to the parent COMSEC Account, or

destroy (if authorized), all ACM held by the COMSEC Sub-Account and submit a signed

“zero balance” Inventory Report (refer to Chapter 15); and

provide the parent COMSEC Account with a Termination of Appointment Certificate for all

COMSEC Sub-Account personnel.

6.6 Suspension of a COMSEC Account

6.6.1 General

In rare cases, due to the severity of account infraction(s) or the effect that poor account

management could have on other government departments or allies, NCOR/COR, in consultation

with the DSO, may temporarily suspend a COMSEC Account – including key delivery.

6.6.2 Consequence of Suspension

A COMSEC Account whose status is “suspended” will cease to have ACM transferred in or out.

The custodial staff will remain in place to conduct all other normal activities within the account,

including the corrective action that would lead to the lifting of the suspension.

NOTE: NCOR/COR will inform the DSO, the DCA and the departmental COMSEC

Custodian that transfers of ACM to and from the account will be suspended. The

notification will include a list of the discrepancies that caused the suspension, the

corrective action needed to allow the lifting of the suspension and a target completion

date.

6.6.3 Lifting Suspension

Upon receipt of the Statement of Action Form, which certifies that corrective action has been

completed (or is underway), CSE may lift the suspension. Before lifting the suspension, CSE will

conduct another audit of the account to ensure that conditions have been rectified.

Upon lifting the suspension, NCOR/COR will notify other affiliated or affected organizations or

COMSEC accounts, and transfers of ACM to and from the COMSEC account will resume.

7 Identification of Accountable COMSEC Material

7.1 General

ACM is COMSEC material that requires control and accountability within the NCMCS in

accordance with its ALC, and whose transfer or disclosure outside COMSEC channels could be

detrimental to the national security of Canada and its allies.

7.2 Identification

7.2.1 Long Title

The long title provides a general description of the ACM. Long titles are normally, but not

always, UNCLASSIFIED.

7.2.2 Short Title

A short title is an identifying combination of letters or digits that consists of a maximum of

24 alphanumeric characters. A short title must be assigned to ACM at its point of origin for

accounting purposes. For some CSE-approved accounting/management systems (refer to

Article 6.2.3), special characters (e.g. /, -, * or #) are not allowed. For these systems, the special

characters that may appear on ACM short titles, cryptographic equipment nameplates and

COMSEC publications are replaced with a space. Short titles of ACM are UNCLASSIFIED. For

further details on short titles, contact COMSEC Client Services for reference to the CSE

publication IT Security Guidance on Short Title Nomenclature in Canada (ITSG-09).

7.2.3 Edition

ACM may be identified by a unique alphabetic or numeric designator. ACM may be time

sensitive and is superseded when the next edition becomes effective.

7.2.4 Accounting Numbers

7.2.4.1 Assignment of Accounting Number

ACM may be assigned a unique accounting serial or register number at the point of origin to

facilitate accounting (refer to Article 7.2.5 for a description of the relationship between

accounting numbers and the ALC). Serial numbers are used with CCI and cryptographic

equipment, while register numbers are used for any other material requiring an accounting

number.

7.2.5 Accounting Legend Code

7.2.5.1 Description

An ALC is a numeric code assigned by the originator of the ACM to indicate its accounting and

reporting requirements. The ALC is recorded on all COMSEC Material Reports, but does not

normally appear on the ACM itself. The ALC assigned by the originator must not be changed

without authorization from COMSEC Client Services. Authorized changes to ALCs must be

managed through NCOR/COR, as noted in Chapter 8.

NOTE 1: If the accountability of the ACM is in question, contact NCOR/COR.

NOTE 2: ALC 3 and ALC 5 are not used.

7.2.5.2 Entry of COMSEC Material into the National COMSEC Material Control System

Whenever COMSEC material is assigned an ALC, it must be entered into the NCMCS. This

ACM must be controlled in the NCMCS until it is authorized for destruction or other disposition,

or the appropriate authority removes the accountability requirement. A COMSEC Material

Report is used to enter ACM into the NCMCS in circumstances described at Article 8.1.3.

7.2.5.3 Accounting Legend Code 1

ALC 1 is assigned to physical and electronic ACM that is subject to continuous accountability to

NCOR/COR by short title and accounting (i.e. serial or register) number. ALC 1 ACM includes:

some unclassified and all classified physical key marked CRYPTO;

all cryptographic equipment (including CCI) approved for classified processing;

classified cryptographic software and firmware that are the functional equivalents of, or

emulate, cryptographic equipment operations and cryptography; and

classified full maintenance manuals and depot maintenance manuals (and their printed

amendments), which contain cryptographic information.

7.2.5.4 Accounting Legend Code 2

ALC 2 is assigned to physical ACM that is subject to continuous accountability to NCOR/COR

by short title and quantity. ALC 2 ACM may include:

classified and CCI components (e.g. modular assemblies, printed wiring assemblies [PWA],

integrated circuits [IC], microcircuits, microchips, permuters) intended for installation (but

not installed) in cryptographic equipment;

specific COMSEC devices; and

COMSEC publications.

7.2.5.5 Accounting Legend Code 4

ALC 4 is assigned to physical ACM that, following initial receipt to the distributing COMSEC

Account, is locally accountable by the receiving COMSEC Account by short title and quantity, or

by short title and accounting number. ALC 4 ACM may include:

unclassified or classified COMSEC publications dealing with a cryptographic subject

(e.g. classified maintenance manuals);

protected and unclassified key (e.g. test, maintenance and training key); and

other unclassified or classified ACM which, due to the nature of the COMSEC information it

contains, requires accountability within the NCMCS.

7.2.5.6 Accounting Legend Code 6

ALC 6 is assigned to electronic key that is tracked by the GC EKMS and that is subject to

continuous accountability to NCOR/COR, as determined by the controlling authority for the key

and by the doctrine specific to the equipment, where applicable. ALC 6 may be assigned to

electronic key:

intended to protect information having a long-term intelligence value (e.g. TOP SECRET);

used to protect other key (e.g. Key Encryption Key [KEK]);

used for joint or combined interoperability;

marked CRYPTO;

used to generate other electronic key (e.g. Key Production Key); and

generated from ALC 1 physical key.

7.2.5.7 Accounting Legend Code 7

ALC 7 is assigned to electronic key that is tracked by the GC EKMS and that is locally

accountable to the generating COMSEC Account until final disposition.

7.3 Special Marking and Warning Caveats

7.3.1 CRYPTO Marking

The CRYPTO caveat is used to indicate the unique sensitivity of the ACM on which it appears

(or is otherwise identified). Items so marked, or identified by CSE as such, must always be

accounted for within the NCMCS. The CRYPTO marking will appear in bold letters on

classified printed circuit boards, on the covers of printed key, on disks, on individual key

variables, and (as required) on equipment and tags or labels affixed to a physical storage device

(e.g. Key Storage Device [KSD-64]) containing electronic key.

7.3.2 “Eyes Only”

Access to ACM with an “Eyes Only” caveat (e.g. CAN/EYES ONLY, CAN/US/EYES ONLY,

CAN/UK/EYES ONLY) is restricted only to those nationalities listed in the caveat. Access must

meet the ACM access control requirements listed in Article 10.1.1.

8 Accounting Forms, Reports and Notices

8.1 COMSEC Material Reports

The primary accounting form used for the control and management of ACM is the multipurpose

COMSEC Material Report (commonly referred to as the GC-223 form). This form is used to:

report any change in the status of ACM (e.g. transfer, issue, possession, generation,

conversion, relief from accountability or destruction);

report the inventory holdings of a COMSEC Account (i.e. Inventory Report); and

provide notice of an action associated with ACM (i.e. Tracer Notice).

General instructions for the preparation of COMSEC Material Reports can be found on the back

of the GC-223 form. The following articles list the specific requirements applicable to the

preparation and distribution of each type of report. Refer to the Glossary for definitions of each

type of COMSEC Material Report.

8.1.1 Transfer Report

8.1.1.1 General

The distribution of ACM between two COMSEC Accounts is called a transfer. ACM being

transferred must be prepared and receipted for as detailed in Chapter 12. The COMSEC

Custodian who originates the transfer of ACM remains accountable for the material until the

signed receipt is returned.

COMSEC Client Services is required to approve:

all transfers of ACM by methods not pre-authorized in accordance with Article 12.5 and

Table 3; and

all transfers (includes loan) of cryptographic equipment between COMSEC Accounts in

accordance with Article 14.1.1.

8.1.1.2 Distribution

The following applies to the distribution of Transfer Reports:

along with the original, prepare sufficient copies of the Transfer Report to ensure effective

accountability:

o enclose the original with physical shipment;

o if the report lists centrally-accountable ACM, send a copy to NCOR/COR of the receiving

COMSEC Account (COMSEC Accounts using an automated CSE-approved accounting

and management system will send an electronically-signed copy to NCOR/COR); and

o retain a copy of the original on file until it can be replaced with a receipt signed by the

receiving COMSEC Custodian; and

when a receipt for a Transfer Report cannot be provided, the Transfer Report must be

cancelled. For example, if a removable data storage device (e.g. floppy disk, compact disk,

flash drive) containing the transaction was destroyed in transit, or if physical ACM being

transferred is destroyed in-transit, or if a Transfer Report was prepared and circumstances

cancelled the need for the ACM to be distributed, the intended receiving COMSEC Account

Custodian would not return a receipt for the material. The Transfer Report may be cancelled

by:

o preparing a Cancel Distribution Transaction, and forwarding a copy to the intended

receiving COMSEC Account and NCOR/COR; or

o marking the Transfer Report as cancelled and forwarding a copy to the intended receiving

COMSEC Account and NCOR/COR.

8.1.1.3 Receipt

To relieve the originating COMSEC Account from accountability for transferred material, the

receiving COMSEC Custodian must sign the Transfer Report, make copies and distribute them

as follows:

return the signed original to the originating COMSEC Custodian;

if the report lists centrally-accountable ACM, send a copy to NCOR/COR (COMSEC

Accounts using an automated CSE-approved accounting system will send an electronically-

signed copy to NCOR/COR); and

retain a signed copy of the original receipt on file.

8.1.2 Hand Receipt

8.1.2.1 General

The distribution of ACM to a COMSEC Sub-Account or Local Element is called an issue. ACM

being issued may be packaged as a shipment or it may be hand delivered directly to an authorized

recipient. Packages wrapped for shipment must be prepared in accordance with the direction in

Chapter 12.

8.1.2.2 Distribution

The issuance of ACM is recorded on a Hand Receipt. When distributing ACM to a COMSEC

Sub-Account or a Local Element, the COMSEC Custodian must use a Hand Receipt.

Recipients must sign the Hand Receipt to certify their acceptance of the listed material, as well as

an understanding of the handling requirements for the ACM entrusted to them. Before signing

the Hand Receipt, the recipient must inspect the ACM to verify the accuracy of the document and

to establish the condition of the material (refer to Chapter 12).

Control and tracking responsibilities for issued material remain within the COMSEC Account;

therefore, Hand Receipts are not sent to NCOR/COR.

NOTE: Hand Receipts for ACM must be reviewed annually by the COMSEC Custodian to

ensure their accuracy and to verify the continued requirement for ACM by authorized

end-users.

8.1.2.3 Accountability

Accountability for issued ACM includes the issuing COMSEC Account, the COMSEC

Sub-Account (if applicable) and the Local Element. Upon signing the Hand Receipt, the recipient

assumes responsibility for the care and control of all material listed on the document; however,

the recipient’s signature on a Hand Receipt does not relieve the issuing COMSEC Custodian

from accountability for the issued material.

8.1.2.4 Confirmation before Issue

Before issuing ACM to a COMSEC Sub-Account or a Local Element, the COMSEC Custodian

must ensure the recipient meets the requirements for access to ACM (refer to Article 10.1.1):

has the appropriate storage facilities for the material listed on the Hand Receipt;

has been trained on the handling, storage, use and destruction (where authorized) of the ACM

listed on the Hand Receipt;

is aware of what constitutes a COMSEC incident;

where necessary, has established a local accounting system that maintains strict control of

each item of the ACM listed on the Hand Receipt whenever it –

o must be accounted for during shift work operations; or

o is temporarily loaned to another authorized user; and

signs the Hand Receipt acknowledging the receipt of the material and the understanding of

the responsibilities associated with handling the ACM listed on the Hand Receipt.

8.1.2.5 Returning Accountable COMSEC Material

COMSEC Sub-Accounts and Local Elements must return ACM to the COMSEC Custodian if it

is no longer required and is not authorized for destruction.

ACM issued to a COMSEC Sub-Account must be returned to the parent account that issued the

material. The COMSEC Sub-Account Custodian must prepare a COMSEC Material Report

(annotate the “OTHER” box with “Hand Receipt”) addressed to the parent account.

Upon receipt and verification of the material, the COMSEC Custodian at the COMSEC Account

must sign the COMSEC Material Report and return it to the COMSEC Sub-Account, thereby

relieving the COMSEC Sub-Account from accountability for the returned material.

ACM issued to a Local Element must be returned to the COMSEC Account or COMSEC

Sub-Account that issued the material. The COMSEC Custodian must prepare a Hand Receipt for

material being returned from the Local Element. The COMSEC Custodian must ensure that the

Hand Receipt, which lists the material being returned from the Local Element, is addressed to the

COMSEC Account. The COMSEC Custodian’s signature on the Hand Receipt relieves the Local

Element from accountability for the returned ACM. Local Elements are not authorized to re-loan

ACM to any other Local Elements.

8.1.3 Possession Report

8.1.3.1 General

Occasionally, circumstances dictate that COMSEC material, for which a current record of

accountability within the NCMCS does not exist, be taken on charge at a COMSEC Account.

A Possession Report is used to document the entry of COMSEC material into the NCMCS in the

following circumstances:

ACM under development or manufacturing has been accepted by the GC;

ACM received from a foreign government or international organization requires

accountability within the NCMCS;

ACM previously declared lost and removed from accountability is subsequently found;

a COMSEC publication requiring control within the NCMCS is reproduced in whole or in

part;

a Removable Storage Medium (RSM) is used to transfer or issue electronic key;

a non-automated COMSEC Account converts its inventory to an automated CSE-approved

accounting and management system; and

ACM is in the possession of a COMSEC Account and is not listed on any other COMSEC

Account inventory.

8.1.3.2 Preparation and Distribution

Authorization from NCOR/COR is required before submitting a Possession Report. A

Possession Report may not be created by a COMSEC Sub-Account. The Sub-Account Custodian

must report the requirement to the parent COMSEC Account.

The following applies to the preparation and distribution of Possession Reports:

a brief description of why the item is being possessed must be included in either the

REMARKS column or after the “NOTHING FOLLOWS” line; and

if the report lists centrally-accountable ACM, a copy must be sent to NCOR/COR within five

working days following the creation of the report. Possession Reports listing only ALC 4 or

ALC 7 ACM must be retained locally.

8.1.4 Conversion Report

8.1.4.1 General

When it becomes necessary to change or correct a short title, an equipment modification number,

or the ALC of ACM, a Conversion Report must be raised. Conversion Reports may be initiated

by a COMSEC Custodian or by NCOR/COR. COMSEC Custodians must not initiate conversion

activities without receiving explicit instructions from NCOR/COR.

A Conversion Report may not be created at a COMSEC Sub-Account. The COMSEC

Sub-Account Custodian must report the requirement to the parent COMSEC Account.

If the COMSEC Account is using an automated accounting and management system that does

not have the capability to generate a Conversion Report, contact NCOR/COR for instructions.

8.1.4.2 Preparation and Distribution

In the preparation and distribution of Conversion Reports, the COMSEC Custodian:

may raise a Conversion Report only if the material being converted is on-hand at the

COMSEC Account;

must send a copy to NCOR/COR if the Conversion Report lists centrally-accountable ACM;

must send a copy of the Conversion Report to all COMSEC Sub-Accounts that hold ACM to

be converted; and

must retain a signed copy of the Conversion Report on file.

8.1.5 Relief from Accountability Report

8.1.5.1 General

A COMSEC Custodian must seek relief from accountability for ACM that has been irretrievably

lost. An investigation must be conducted by the DCA to determine the injury caused by the loss

and the NCIO will issue a report on the results of the investigation.

A Relief from Accountability Report is used to document the removal of ACM from a COMSEC

Account inventory. Authorization from the NCIO is required before preparing a Relief from

Accountability Report.

If a COMSEC Account is using an automated accounting and management system that does not

have the capability to generate a Relief from Accountability Report, contact NCOR/COR for

instructions.

8.1.5.2 Preparation and Distribution

The following rules apply to the preparation and distribution of Relief from Accountability

Reports:

reference to the authority under which the ACM was removed from accountability must be

included in either the REMARKS column or after the “NOTHING FOLLOWS” line;

if the report lists centrally-accountable ACM, a copy must be sent to NCOR/COR; and

a signed copy of all Relief from Accountability Reports must be retained on file.

8.1.6 Destruction Report

8.1.6.1 General

Cryptographic material (e.g. key) must be destroyed after it is superseded. Other ACM

(e.g. equipment and publications) may be authorized for destruction after it has served its

intended purpose. A Destruction Report is used to document the physical destruction or

electronic zeroization of ACM, whether by authorized means or by accident, and serves to report

the items’ removal from accountability (refer to Chapter 14 for complete destruction

instructions).

8.1.6.2 Preparation and Distribution

The following applies to the preparation and distribution of Destruction Reports:

list, in alphanumerical order, all ACM that is scheduled for destruction;

enter the reason for the destruction (e.g. zeroized, superseded, filled in equipment [include

the short title and serial number of the equipment], obsolete) in either the REMARKS

column or after the “NOTHING FOLLOWS” line;

if the Destruction Report lists centrally-accountable ACM, send a signed copy to

NCOR/COR; and

a signed copy of all Destruction Reports must be retained on file.

8.1.7 Consolidated Destruction Reports

8.1.7.1 General

Occasionally, ACM (e.g. superseded key) is authorized for destruction by personnel other than

the COMSEC Custodian. Except in operationally volatile situations, such destructions must be

performed in the same secure environment using the same security procedures required of the

COMSEC Custodian.

In such cases, the appropriate destruction documents, duly signed and witnessed, must be

forwarded to the COMSEC Custodian. The COMSEC Custodian must compile the documents

(e.g. Local Accountability Logs) into a single Consolidated Destruction Report for forwarding to

NCOR/COR.

8.1.7.2 Preparation and Distribution

The following applies to the preparation and distribution of Consolidated Destruction Reports:

review local destruction records for accuracy, appropriate authorizations and required

signatures;

list the ACM that was destroyed (and reported as destroyed on local accounting records)

during the month;

annotate the report with “Consolidated Destruction Report”;

if the report contains centrally-accountable ACM, submit the report to NCOR/COR no later

than the 16th of the month following destruction of the key; and

retain a copy of all Consolidated Destruction Reports on file.

8.1.8 Seed Key Conversion Report

The Canadian Central Facility (CCF) generates a monthly Seed Key Conversion Report (SKCR)

for Secure Communication Interoperability Protocol (SCIP) equipment that lists the Key Material

Identifier (KMID) number of the key that has been converted from seed key to operational key.

When a user initiates a secure call from authorized SCIP equipment to the Secure Data Network

System (SDNS) Public Switched Telephone Network (PSTN) Integrated Services Digital

Network (ISDN) Rekey Subsystem (SPIRS), operational key is sent to that user’s SCIP

equipment. Once the operation is completed, the user can use their equipment to place secure

calls to other SCIP users.

A copy of the SKCR will be sent to the COMSEC Account Custodian on a monthly basis or

upon request. The COMSEC Custodian must use the SKCR to verify that a Destruction Report

has been completed for all KMIDs listed on the report.

8.1.9 Operational Rekey Report

The CCF generates a monthly Operational Rekey Report (ORR) that lists the KMID of key for

SCIP equipment that were used to place a secure call to the SPIRS. Upon initiation of a secure

call to the SPIRS, a new operational key is downloaded to the SCIP equipment along with a

Compromised Key List (CKL). A copy of the ORR will be sent to the COMSEC Account

Custodian on a monthly basis or upon request. The ORR must be used to verify that end users

conduct quarterly rekey calls to the SPIRS and ensure that they have the latest CKL. The

COMSEC Custodian must use the ORR to verify that a Destruction Report has been completed

for all KMIDs listed on the report.

8.1.10 Inventory Report

8.1.10.1 General

COMSEC Custodians are responsible for conducting ACM inventories. During the inventory

process, the ACM held at the COMSEC Account is physically sighted and the actual holdings

are compared to the accounting records. The inventory process is very important as it is

sometimes the only means of discovering the loss or misuse of ACM. For a complete description

of inventories, refer to Chapter 15.

A list of a COMSEC Account’s holdings is recorded on an Inventory Report.

8.1.10.2 Preparation and Distribution

The following rules apply to the preparation and distribution of Inventory Reports:

NCOR/COR will prepare, for distribution to each COMSEC Account, a list of all ALC 1,

ALC 2 and ALC 6 ACM held by a COMSEC Account. This list is called an Inventory Report

and contains all the material that the COMSEC Account has reported to NCOR/COR via

various COMSEC Material Reports (e.g. Transfer, Receipt, Destruction and Possession);

COMSEC Custodians must prepare an Inventory Report for each Sub-Account and Local

Element. This report must contain all ACM (i.e. ALC 1, ALC 2, ALC 4, ALC 6 and ALC 7)

issued to each element;

each Local Element must conduct a physical sighting of ACM in his or her possession,

annotate the Inventory Report as required, sign and have someone else witness and sign the

report, and then return the completed report to the COMSEC Custodian. The COMSEC

Custodian must retain a copy of each signed Inventory Report on file;

the COMSEC Custodian must verify the accuracy of each returned report, resolve

discrepancies, report COMSEC incidents (for lost items) and return the signed Inventory

Report along with all supplemental accounting transactions to NCOR/COR. Inventory

Reports returned to NCOR/COR must contain a compilation of all ALC 1, ALC 2 and ALC 6

material held at the COMSEC Account; and

a copy of all signed Inventory Reports must be retained on file.

8.2 Tracer Notices

8.2.1 Tracer Notices – Transfers

If the signed Transfer Report (receipt) has not been received when due, tracer action must be

initiated as follows:

the initial tracer action may be accomplished via a documented phone call, e-mail, or by

using an official Tracer Notice;

the initiation of tracer action is dependent on the distribution method (e.g. electronic, courier)

and whether the COMSEC Account or NCOR/COR is initiating the tracer action; and

in exceptional cases, when physical ACM cannot be delivered and receipted within the

allotted time, an extension of up to 20 working days is acceptable. In such cases, a note must

be added on the Transfer Report.

NOTE: If initial tracer action and NCOR/COR assistance fail to resolve the transfer,

secondary Tracer Notices must be sent to the DCA for action (including investigation

into potential COMSEC incident reporting).

8.2.2 Tracer Action by the COMSEC Custodian

The COMSEC Custodian must ensure that a signed receipt has been received for every transfer

initiated at the COMSEC Account as follows:

Electronic Distribution. If a signed receipt for the electronic distribution of key is not

received within five working days from the date of distribution of the ACM, the COMSEC

Custodian must initiate tracer action; or

If the signed receipt is not received within five working days of this initial tracer action, the

COMSEC Custodian must notify NCOR/COR. NCOR/COR will assist the COMSEC

Custodian in obtaining the receipt.

Physical Distribution. If a signed receipt for the physical shipment of ACM is not received

within ten working days from the date of shipment, the COMSEC Custodian must initiate

tracer action; or

If the receipt is not received within ten working days of this initial tracer action, the

COMSEC Custodian must notify NCOR/COR. NCOR/COR will assist the COMSEC

Custodian in obtaining the receipt.
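
The working-day limits in Article 8.2.2 can be tracked mechanically. The following Python sketch is an added example, not part of ITSD-03A or of any CSE tooling; the function names, status labels, Monday-to-Friday working week, holiday set and sample transfers are assumptions constructed for illustration.

```python
from datetime import date, timedelta

# Working-day limits from Article 8.2.2. The same limit applies twice: first to
# the signed receipt, then to the response to the initial tracer action.
LIMITS = {"electronic": 5, "physical": 10}


def add_working_days(start, days, holidays=frozenset()):
    """Return the date that falls `days` working days after `start`.

    Assumption: working days are Monday to Friday, excluding `holidays`.
    """
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:
            days -= 1
    return current


def tracer_status(method, sent, today, receipt=None, tracer=None,
                  holidays=frozenset()):
    """Classify one transfer against the Article 8.2.2 limits.

    method  -- "electronic" or "physical"
    sent    -- date of distribution or shipment
    receipt -- date the signed receipt arrived, or None
    tracer  -- date initial tracer action was taken, or None
    """
    if method not in LIMITS:
        raise ValueError("unknown distribution method: %r" % method)
    if receipt is not None:
        return "RECEIPTED"
    limit = LIMITS[method]
    if tracer is None:
        # No tracer yet: the clock runs from the distribution/shipment date.
        due = add_working_days(sent, limit, holidays)
        return "INITIATE_TRACER" if today > due else "WITHIN_LIMIT"
    # Tracer already sent: the clock restarts from the tracer date.
    escalate_after = add_working_days(tracer, limit, holidays)
    if today > escalate_after:
        return "NOTIFY_NCOR_COR"
    return "AWAITING_TRACER_REPLY"


def review(transfers, today, holidays=frozenset()):
    """Return {transfer id: status} for a list of transfer records."""
    return {
        t["id"]: tracer_status(t["method"], t["sent"], today,
                               t.get("receipt"), t.get("tracer"), holidays)
        for t in transfers
    }


# Constructed sample data (not real accounting records).
SAMPLE_HOLIDAYS = frozenset({date(2014, 4, 18)})
SAMPLE_TRANSFERS = [
    {"id": "TR-001", "method": "electronic", "sent": date(2014, 4, 14)},
    {"id": "TR-002", "method": "physical", "sent": date(2014, 4, 14)},
    {"id": "TR-003", "method": "electronic", "sent": date(2014, 4, 7),
     "tracer": date(2014, 4, 15)},
    {"id": "TR-004", "method": "electronic", "sent": date(2014, 4, 1),
     "tracer": date(2014, 4, 9)},
    {"id": "TR-005", "method": "physical", "sent": date(2014, 4, 2),
     "receipt": date(2014, 4, 10)},
]

if __name__ == "__main__":
    today = date(2014, 4, 23)
    for tid, status in review(SAMPLE_TRANSFERS, today, SAMPLE_HOLIDAYS).items():
        print(tid, status)
```
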

8.2.3 Tracer Action by National Central Office of Record/Central Office of Record

8.2.3.1 Tracer Action for Transfer Reports

If NCOR/COR has not received a signed Transfer Report (receipt) within 20 working days of the

date on which the report was sent, NCOR/COR will send a Tracer Notice to the delinquent

account. Up to three Tracer Notices may be sent.

NCOR/COR occasionally receives signed receipts for Transfer Reports that have not been

forwarded to NCOR/COR. The receipt cannot be reconciled unless the original Transfer Report

has been processed. In such cases, NCOR/COR will immediately send a Tracer Notice for the

missing Transfer Report.

8.2.3.2 Tracer Action for Inventory Reports

Tracer Notices may also be sent with respect to the inventory process. During an inventory,

NCOR/COR may discover that COMSEC Material Reports have not been forwarded for

processing at NCOR/COR.

Missing COMSEC Material Reports will result in NCOR/COR’s inability to reconcile a

COMSEC Account’s inventory. NCOR/COR will originate tracer action for the missing

COMSEC Material Reports.

8.2.3.3 Failure to Respond to Tracer Notices

Failure to respond to Tracer Notices could result in an immediate audit of the COMSEC

Account.

9 Special Accounting Requirements

9.1 Canadian Controlled COMSEC Material Outside of the National

COMSEC Material Control System

ACM, including CCI, must only exit the NCMCS via the NDA. Canadian CCI destined for use

outside of Canada must be accounted for and handled within the receiving foreign nation’s

formal COMSEC channels. Subsequent to CSE providing case-by-case authority with a foreign

nation, the NDA will initiate formal transfer to a foreign nation’s established COMSEC Account

with appropriate notification being sent to the foreign nation’s responsible COR.

NOTE 1: Where a foreign private sector company or organization is involved, the ACM,

including CCI, must be transferred to an established COMSEC Account or, in the

case of CCI under development (within established IP channels), via the appropriate

foreign nation’s NDA, in coordination with the foreign NDA’s COR (refer to

ITSD-06).

NOTE 2: COMSEC Client Services may authorize GC departments or private sector companies

or organizations to bypass this channel and ship directly if sufficient justification is

provided in writing before the distribution.

9.2 Release of Accountable COMSEC Material to the Private Sector

Refer to ITSD-06 for accounting and control direction applicable to the release of ACM to the

Private Sector.

9.3 Government Furnished Equipment

9.3.1 Government Furnished Equipment for Canadian Industry

Refer to ITSD-06 for accounting and control direction applicable to Government Furnished

Equipment (GFE) ACM being transferred to a Canadian industry COMSEC Sub-Account.

9.3.2 Government Furnished Equipment for Allied Contractors

Transfer or loan of GFE ACM to or from allied contractors is handled on a case-by-case basis.

Contact COMSEC Client Services.

9.4 COMSEC Material under Contract

Refer to ITSD-06 and equipment-specific doctrine for accounting and control direction

applicable to ACM under a maintenance or repair contract and COMSEC publications under a

reproduction or translation contract.

9.5 Drop Accounting – COMSEC Material Received from a Foreign

Entity

9.5.1 General

CSE maintains agreements with foreign authorities that allow for acquisition and accounting of

ACM from a foreign entity. This must always be through CSE.

When a GC department is entrusted with ACM by a North Atlantic Treaty Organization (NATO)

or another international authority, the ACM must be accounted for, transported, stored and

handled in accordance with the direction contained herein for Canadian ACM of equivalent

sensitivity. Similarly, Canada accepts that its allies will also account for, transport, store, and

handle Canadian ACM in accordance with their own national policies and procedures. This

arrangement is known as drop accounting. There is no requirement for GC departments to hold

the policy and procedural publications of the nation or alliance that provides the material, except

as detailed in Article 9.5.3.

9.5.2 North Atlantic Treaty Organization Funded Units

When ACM is drop accounted to a Canadian entity to support NATO sponsored activity, all

NATO ACM holdings must be accounted for, transported, stored, and handled in accordance

with the publications: Instructions for the Control and Safeguard of NATO Cryptomaterial

(SDIP 293) and NATO Crypto Distribution and Accounting Publication (AMSG 505). In

addition, COMSEC incidents involving NATO ACM must be reported to the NCIO who will

subsequently report the incident to the NATO authority, as detailed in ITSD-05.

9.5.3 North Atlantic Treaty Organization Accountable COMSEC Material

Requiring Two-Person Integrity Control

When a GC department is provided NATO ACM that requires TPI control, such items must be

accounted for, transported, stored and handled in accordance with the Policy and Procedures for

the Handling and Control of Two-Person Controlled NATO Security Material (AMSG 773). The

format of NATO ACM requiring TPI control is significantly different from Canadian TPI

material and requires different storage and handling procedures.

9.5.4 International COMSEC Material Control

COMSEC material that has been acquired through bilateral arrangement outside of regular

CSE-approved COMSEC channels requires authority and coordination from COMSEC Client

Services. COMSEC Client Services must liaise with the international authority for the release of

the COMSEC material and determine the appropriate control (accounting within NCMCS or

tracking outside of NCMCS) mechanisms and safeguarding criteria to manage the material until

no longer required, at which time the COMSEC material will be disposed of as directed by

COMSEC Client Services.

Once management criteria are acquired, COMSEC Client Services will initiate an Approval for

Use (AFU) notice or an Authorization to Use (ATU) letter identifying the minimum security

requirements for handling and using this COMSEC material.

10 Access to Accountable COMSEC Material

10.1 Prerequisite for Access

10.1.1 Access by Government of Canada Employees and Contractors

Access to ACM may be granted to Canadian citizens (including those of dual nationality) who:

possess a valid GC security clearance or reliability status commensurate with the security

classification of the material and information they will access;

have a “need-to-know”;

have been given a COMSEC Briefing;

have signed a COMSEC Briefing Certificate; and

are familiar with applicable ACM control procedures.

NOTE: Access by persons with Permanent Residence Status is not authorized.

10.1.2 Access by Foreign Nationals

Access to ACM may be granted to foreign nationals (i.e. non-Canadian citizens) upon approval

from CSE on a case-by-case basis. Requests for such access must be submitted in writing to

COMSEC Client Services.

10.2 COMSEC Briefing and COMSEC Briefing Certificate

10.2.1 Requirements

The DCA and COMSEC Custodian must ensure individuals requiring access to ACM receive a

COMSEC Briefing and sign a COMSEC Briefing Certificate. A COMSEC Briefing is required

for individuals (including COMSEC Account personnel, Local Elements, individuals attending

CSE and international COMSEC courses and COMSEC forums; and, individuals who need “user

access” or “maintainer access” during installation, troubleshooting, repair, or physical keying of

equipment) who require access to:

ACM controlled within the NCMCS;

cryptographic information, which embodies, describes or implements a classified

cryptographic logic;

cryptographic information including, but not limited to, full maintenance manuals,

cryptographic computer software (must be a continuing requirement);

classified IP COMSEC material or CCI and components at any phase during its production or

development; and

key or logic during its production or development.

10.2.2 Retention of COMSEC Briefing Certificates

A COMSEC Briefing Certificate must be retained on file by the COMSEC Custodian for a

minimum of two years after an individual’s authorization to access ACM has ended.

10.2.3 COMSEC Debriefings/Updates

COMSEC debriefings are not required when access to ACM is no longer required. Periodic or

annual briefing updates are required every five years for active COMSEC Custodians, Alternate

COMSEC Custodians and Local Elements, including other authorized users. Any individual

being re-appointed at the same or at a different COMSEC Account as a COMSEC Custodian,

Alternate COMSEC Custodian or Local Element must be given a new COMSEC Briefing and

sign a new COMSEC Briefing Certificate.

10.3 Two-Person Integrity

TPI is a security measure designed to prevent any one person from having access to specified

ACM (e.g. TOP SECRET key). Each individual granted TPI access must be capable of detecting

in the other person any incorrect or unauthorized security procedures with respect to the task

being performed. TPI-regulated storage and handling requires the use of security devices

protected by two approved locks (refer to the Royal Canadian Mounted Police [RCMP] Security

Equipment Guide [G1-001]), Personal Identification Numbers (PINs) or passwords, with no one

person having access to both sets of combinations, lock keys, PINs or passwords.

10.4 No-Lone Zone

Certain areas in a COMSEC facility may be designated as a NLZ. A minimum of two authorized

individuals must be in visual contact with each other at all times within a NLZ. If the departure

of one individual would leave a single occupant, then both individuals must leave and secure the

NLZ.

The DCA will establish a NLZ for COMSEC Accounts that:

receive, store, handle, use or destroy TOP SECRET key;

produce physical key; or

take part in the design, development, manufacture or maintenance of cryptographic

equipment.

10.5 Access Control – COMSEC Visits

10.5.1 General

Visits within and outside Canada that involve the exchange of accountable and classified

COMSEC information require COMSEC access authorization from COMSEC Client Services.

NOTE 1: Refer to ITSD-06 for details on Canadian private sector COMSEC visit access

requirements.

NOTE 2: Visits between GC departments may be arranged between the respective DCAs.

Normal access controls must be enforced.

10.5.2 GC Department Visiting a Foreign Government

A GC department visiting a foreign government must submit a visit request (refer to

Article 10.5.5) to COMSEC Client Services for COMSEC access. The request must be submitted

at least 45 days in advance of the anticipated visit.

COMSEC Client Services will confirm COMSEC access with the foreign government COMSEC

authority and notify the requestor.

10.5.3 GC Department Visiting a Canadian or Foreign Private Sector Company

A GC department visiting a Canadian or foreign private sector company must submit a visit

request (refer to Article 10.5.5) to PWGSC Canadian Industrial Security Directorate (CISD),

including the requirement for COMSEC access. CISD will request COMSEC access

authorization from COMSEC Client Services. The request must be submitted at least 45 days in

advance of the anticipated visit.

COMSEC Client Services will confirm COMSEC access with the foreign government COMSEC

authority and provide confirmation to CISD.

10.5.4 Visit Confirmation

Once COMSEC access authorization and visit clearance have been provided, it is the

responsibility of the requester, prior to the visit, to ensure that the visit clearance and COMSEC

access authorization are in place at the final destination. This should be done at a minimum of five

working days prior to the visit to ensure any discrepancies can be resolved.

10.5.5 COMSEC Access Authorization Request Criteria

Requests submitted to COMSEC Client Services must include:

surname

all given names

date of birth (DD/MM/YYYY)

place of birth

citizenship (including dual nationality)

clearance level (verified by security staff)

copy of signed COMSEC Briefing Certificate

contract or sub-contract number associated with visit requirement

reason for visit (COMSEC access required)

name, telephone, fax, email address of security point of contact at destination

name, telephone, fax, e-mail address of point of contact or office of primary interest at

destination, and

full address of company or agency to be visited.

NOTE: For visits outside Canada, include passport number and expiry date.

10.6 Foreign Government Organizations Visiting a Government of

Canada Department

A foreign government organization may request a COMSEC visit authorization, through their

national COMSEC control office, to visit a GC department. All visits that require access to ACM

or classified COMSEC information or material must be authorized by COMSEC Client Services.

The visit authorization request must include the criteria at Article 10.5.5.

10.7 Foreign Private Sector Companies Visiting a Government of

Canada Department

A foreign private sector company may request a COMSEC visit authorization to visit a GC

department through their national industrial security authority, who will then process the request

through CISD. All visits that require access to ACM or classified COMSEC information or

material must be authorized by COMSEC Client Services.

The visit authorization request must include the criteria at Article 10.5.5.

11 Physical Security

11.1 COMSEC Facilities

11.1.1 Requirement

A COMSEC facility must be established wherever ACM is generated, stored, repaired or used. A

COMSEC facility is either fixed or mobile.

NOTE: An office environment where only user-level cryptographic equipment and BLACK

key is available for individual use is not considered a COMSEC facility; however, the

office area must be protected, at a minimum, to the highest classification of the

equipment when keyed.

11.1.2 Planning and Establishing a Fixed COMSEC Facility

When planning and establishing a fixed COMSEC facility, the DCA must:

consult with COMSEC Client Services to accommodate the direction in Chapter 4 of this

directive;

ensure a Threat and Risk Assessment (TRA) is conducted before initial activation (where

practical) and periodically thereafter based on threat, physical modifications, sensitivity of

operations and COMSEC incident reports of a serious nature;

establish the COMSEC facility in an area which provides positive control over access using a

hierarchy of zones (refer to Article 6.2 of the Treasury Board of Canada Secretariat [TBS]

Operational Security Standard on Physical Security) and the RCMP Guide to the Application

of Physical Security Zones (G1-026);

construct the COMSEC facility according to the TBS Operational Security Standard on

Physical Security and the RCMP G1-026; and

produce a standard operating procedure (in conjunction with a COMSEC Emergency Plan)

containing provisions for securely conducting facility operations.

11.1.3 Access Controls and Restrictions

The COMSEC Custodian must:

ensure positive control over the COMSEC Account’s ACM; and

ensure a TRA is conducted before initial activation (where practical) and periodically

thereafter based on threat, physical modifications, sensitivity of operations and COMSEC

incident reports of a serious nature.

11.1.4 Fixed COMSEC Facility Approval

11.1.4.1 Inspection of Facility for COMSEC Account Work Area

The DCA must contact COMSEC Client Services to arrange a security inspection by the National

COMSEC Audit Team (NCAT) at CSE for each new, remodeled or relocated facility. The

inspection provides assurance to the DCA and to NCOR that physical security measures and

COMSEC management measures have been established to the level necessary to begin

COMSEC Account operations.

Upon successful conclusion of the inspection, or when all inspection anomalies have been

rectified, COMSEC Client Services will provide written approval to the DCA and to NCOR to

commence COMSEC Account operations.

11.1.5 Mobile COMSEC Facilities

A COMSEC facility that can be readily moved from one location to another is called a Mobile

COMSEC facility (e.g. aircraft, ships and ground vehicles). This does not include ships that have

been classified as fixed facilities.

NOTE: If a mobile COMSEC facility is operational in a fixed location for three months or

longer, it is considered a fixed COMSEC facility, and all requirements for fixed

COMSEC facilities, except construction, apply.

11.1.5.1 Mobile Facility Security

Where a mobile COMSEC facility is contained within a solid enclosure (e.g. van or shelter), all

access points other than the entrance door must be secured from inside the facility and:

the entrance door must be secured with a lock (resistant to opening by manipulation and

surreptitious attack), as provided for in the RCMP G1-026; or

approved locking bars or other locking devices must be used on equipment racks to deter and

detect removal of, or tampering with, the cryptographic equipment.

Unattended mobile facilities containing RED key, codes, or authenticators must be guarded. If

the mobile facility is located in Canadian or allied territory, a roving guard making rounds at least

every four hours is sufficient as the host nation may be used for area control. If the mobile

facility is located in non-Canadian or non-allied territory, Canadian guards must be used and

must be situated at all times in the immediate area of the COMSEC facility, preferably within the

COMSEC facility.

11.1.5.2 Aircraft Containing Accountable COMSEC Material

When aircrews lay-over in non-allied nations and Canadian guards are not available, aircrews

must attempt to have classified key transported to a Canadian facility for secure storage. If this is

not possible, ACM may remain onboard the aircraft, but the following requirements must be

strictly adhered to:

cryptographic equipment must be zeroized or contain only encrypted key. If the equipment is

filled with RED key, the equipment must be configured so that it cannot be operated by

unauthorized personnel (e.g. by removing the Cryptographic Ignition Key [CIK] or disabling

the PIN);

all key not protectively packaged must be destroyed or removed for personal custody by the

pilot or by a pilot-authorized crew member;

all remaining RED key must be secured in a department or agency-approved container

mounted in or internally secured (e.g. chained and locked) to the aircraft structure; and

the aircraft and container must be locked. If the aircraft is not lockable, an alternate method to

secure the aircraft must be implemented (e.g. more frequent inspections). The aircraft and

container must be checked by Canadian personnel (e.g. flight crew) at least daily for aircraft

parked on either military or civilian airfields within Canada, its territories and possessions.

Aircraft parked on other airfields must be checked at least every 12 hours for signs of tampering

or penetration. Any suspected tampering must be reported in accordance with the requirement of

ITSD-05.

11.1.5.3 Mobile COMSEC Facility Approval

Approval authority to establish, monitor and manage Mobile COMSEC facilities in a GC

department is delegated to the DCA.

11.2 Secure Storage

11.2.1 Security Containers

ACM must be stored in security containers (e.g. vaults, safes, file cabinets) that are approved for

the classification or protected level of the ACM and which meet the requirements of the RCMP

G1-001. Security containers used for the storage of ACM must be located in a security zone

appropriate for the level of the ACM.

NOTE: A briefcase is not considered a storage container and must not be used as such.

11.2.2 Segregation of Accountable COMSEC Material in Storage

The rules for the minimum segregation of ACM in physical storage are:

effective editions, reserve editions and superseded key awaiting destruction must be stored

separately from one another in approved security containers (refer to the RCMP G1-001); and

key or CIKs must not be stored in the same security container as the equipment with which

they may be used.

NOTE: In situations where space is at a premium, segregation may be accomplished using a

locked strongbox (strongly-made metal box typically used for safeguarding valuables)

housed within a single security container.

11.2.3 Opening of Security Containers in Emergency Situations

When the COMSEC Custodian and Alternate COMSEC Custodian(s) are not available to open a

security container in an emergency, the DCA (or other DCA-designated authority) may direct the

opening of the security container under the following conditions:

at least two individuals must be present to gain access to the combination or keys and to open

the security container;

the individuals who opened the security container must prepare a written report (containing

an inventory of the entire contents and the circumstances surrounding the access requirement)

to the individual(s) in charge of the security container, after the emergency opening; and

the individual responsible for the security container must conduct a full inventory of the

ACM and change the combination(s) immediately upon their return and report any

discrepancies as a COMSEC incident to the COMSEC Custodian.

In the event of an emergency where access is required to ACM that has been previously issued to

a Local Element who is not available, the individual requiring immediate access must contact

either the COMSEC Custodian or Alternate COMSEC Custodian, or in their absence the DCA.

11.2.4 Incidents Involving Unattended Security Containers

In the event of a security incident (e.g. if a container or vault is found open and unattended

during or after normal working hours), the individual discovering the incident must notify the

COMSEC Custodian or Alternate COMSEC Custodian. If the COMSEC Custodian or Alternate

COMSEC Custodian cannot be located, one of the other individuals on the list of individuals

having knowledge of the combinations to the container must be contacted. The COMSEC

Custodian and Alternate COMSEC Custodian must conduct a full inventory of the container’s

contents and then secure the container (e.g. provide a new key lock or change the combination).

In the event of an incident relating to ACM that has been issued to a Local Element, the

individual discovering the incident must contact either the COMSEC Custodian or Alternate

COMSEC Custodian.

11.2.5 Protecting Lock Combinations and Lock Keys

11.2.5.1 General

ACM held by the COMSEC Sub-Account Custodian must remain under his or her direct control

until transferred to another COMSEC Account or issued to a Local Element or authorized user.

Once the ACM is transferred or issued, it becomes the responsibility of the receiving COMSEC

Account or Local Element or authorized user to secure the ACM in an approved security

container (refer to the RCMP G1-001) until used/destroyed.

NOTE: Any sign of tampering with or suspicion of compromise of a lock or its associated

combinations, or keys, must be immediately reported to the DCA.

11.2.5.2 Locks, Combinations and Keys

The types of combination locks and key locks suitable for securing ACM are found in the RCMP

G1-001. Key locks or combinations to locks must be changed on a regular basis according to

departmental security procedures, but must be changed immediately in the following situations:

an individual ceases to require access to the security container; or

the key, combination or lock is known or suspected to have been compromised.

Combinations and spare keys must be protected and stored by the DCA (or other authorized

individual) commensurate with the highest sensitivity level of the information or material

protected by the lock.

11.2.5.3 Record of Lock and Combination Holders

The COMSEC Custodian must keep a record of the name and telephone number of the

individuals having knowledge of the combinations (or holding lock keys) to security containers in

which ACM is stored.

11.2.5.4 Combinations and Keys for Two-Person Integrity Containers and No-Lone Zones

The COMSEC Custodian must ensure that no one person may change both combinations, be

allowed access to both keys, or have knowledge of both combinations to a security container

used to store ACM requiring TPI control or to an area used as a NLZ.

11.2.6 Storage of Cryptographic Key

11.2.6.1 Storage Requirements

Key not under the direct continuous control of a cleared and authorized individual (or individuals

where applicable) must be stored in an area protected by security guards or by an intrusion

detection system in accordance with the classification of the key (i.e. Security Zone, High

Security Zone).

11.2.6.2 Key Held in Reserve

The amount of key to be held in reserve varies with the supersession rate of the key. Table 2

provides a best practices rule that should be considered when holding key in reserve.

Table 2 – Key Held in Reserve

| Supersession Rate | Held in Reserve |
| --- | --- |
| Key superseded daily, ten times monthly, semi-monthly and monthly. | Key effective during the current month, plus three months reserve. |
| Key superseded every two months or quarterly. | Effective key plus two in reserve. |
| Key superseded semi-annually, annually and irregularly. | Effective key plus one in reserve. |
| SDNS seed key (five year retention factor). | One seed key may be held in reserve. |

11.2.7 Storage of Cryptographic Equipment

11.2.7.1 General

All cryptographic equipment must be stored in a manner consistent with its classification and

security markings (e.g. CRYPTO, CCI) when not under the direct and continuous control of

appropriately cleared and authorized personnel. Cryptographic equipment may require special

storage procedures or storage facilities. Refer to the equipment-specific doctrine for additional

direction.

NOTE: UNCLASSIFIED cryptographic equipment and unkeyed CCI require storage that

must provide reasonable protection from compromise, theft, tampering and damage.

11.2.7.2 Preparation for Storage

Cryptographic equipment must never be stored in a keyed state, unless:

operational requirements mandate it and no practical alternative exists; or

keyed equipment cannot be zeroized due to malfunction or damage.

When cryptographic equipment is required to be stored in a keyed state, it must be stored in

accordance with the highest classification of key loaded in the equipment.

NOTE 1: CCI that use a CIK are considered unlocked whenever the CIK is inserted, and locked

when the CIK is removed and not accessible for use by unauthorized persons.

NOTE 2: CCI that use only a PIN to unlock the secure mode are considered unlocked whenever

the PIN is entered.

NOTE 3: CCI that use a CIK and password/PIN combination are considered unlocked

whenever the CIK is inserted and the proper password authenticated.

11.2.7.3 Spare or Standby Cryptographic Equipment

Spare or standby cryptographic equipment that is located within a secure work area may be

considered installed for operation. The storage requirements in the previous articles are not

applicable to such equipment.

11.2.8 Storage of Accountable COMSEC Publications

Accountable COMSEC publications must be stored in accordance with their security

classification and any caveat(s) or other security markings.

12 Distribution and Receipt of Accountable COMSEC Material

12.1 Distributing Accountable COMSEC Material

It is a COMSEC Custodian’s responsibility to ensure that individual shipments of ACM are kept

to the minimum required to support operational requirements (including contingency operations).

When preparing ACM for distribution, the COMSEC Custodian must:

ensure the receiver meets the requirements for storage of the shipped material;

perform page checks, equipment checks and inspection of protective packaging before

packaging;

zeroize or remove CIKs from all CCI before transportation (or, when circumstances warrant,

keyed devices may be hand-carried by authorized GC couriers or contractor couriers);

package operational and seed key separately from their associated cryptographic equipment

(including CCI) and transport in different vehicles on different days, unless –

o the application or design of the equipment is such that the corresponding key cannot be

physically separated;

o the key is an UNCLASSIFIED maintenance key (which may be shipped in the same

container as its associated cryptographic equipment); or

o there are no other means available to effect delivery to support an immediate operational

requirement;

NOTE: When cryptographic equipment (e.g. ECU) must be shipped in a keyed state

or with its associated key, ship the package in accordance with the

classification of the key or the cryptographic equipment, whichever is higher.

dispatch the list of effective dates of editions of key separately, and on different days, from

the key;

package each Traffic Encryption Key (TEK) separately from its associated KEK;

package components, which, as a whole comprise a cryptographic system (i.e. the

cryptographic equipment, ancillaries, associated documentation and key variables), separately

and transport in different shipments;

apply TPI controls to TOP SECRET key during transit unless the key is enclosed in

protective packaging and is double-wrapped (in which case only one courier is required);

ensure that electronic key is transmitted in accordance with the applicable system or

equipment-specific doctrine; and

prepare a COMSEC Material Report in accordance with Chapter 10 of this directive.

12.2 Distributing Electronic Key on Magnetic or Optical Removable Storage Media

In addition to the criteria at Article 12.1, when electronic key is distributed (i.e. transferred or

issued) on magnetic or optical RSM, the selected RSM must be controlled as a separate

COMSEC item within NCMCS as ALC 4. The COMSEC Custodian must affix a label to the

RSM similar to the example label depicted in Figure 2. The accounting number is taken from a

“next in sequence” number log maintained by the COMSEC Custodian to record the sequential

serial numbers of the RSM. The originating COMSEC Custodian must prepare and process a

Possession Report in accordance with Chapter 8 to enter the new ACM into the NCMCS before

distributing the RSM (and the electronic key).

A Transfer Report is required to account for the physical transport of RSM and another Transfer

Report is required to account for the transfer of the electronic key that is being transported by the

RSM. Both reports must be signed and returned to the originating COMSEC Account.

If RED key is being transported on a magnetic or optical RSM, the label must also display the

CRYPTO marking and the highest classification of key being transported (minimum SECRET).

Classification: SECRET (CRYPTO if applicable)

Accounting Legend Code: ALC 4

Short Title: CAKAE 4005 (+ EKMS ID)

Accounting Number: (Unique next in sequence number)

Figure 2 – Example of Magnetic or Optical Removable Storage Media Label

12.3 Tracking the Shipment of Accountable COMSEC Material

Following the shipment of ACM, the COMSEC Custodian must:

notify the recipient, within 24 hours of shipment, of the details of the shipment and the

estimated time of delivery;

ensure the telephone numbers of both the shipping and the receiving COMSEC Accounts are

listed on the waybill when ACM is shipped by commercial carrier or Canada Post Priority

Courier;

keep a local record of the shipment; and

follow up to ensure the ACM is delivered to the authorized recipient according to schedule,

and

o if a shipment is not received within 48 hours of expected delivery, initiate shipment tracer

action with the carrier to determine the last known location of the shipment; and

o if the location is not determined and the shipment is not recovered within 24 hours of the

shipment tracer initiation, assume that the shipment is lost in transit and immediately

report the loss as a COMSEC incident as detailed in Chapter 18.

12.4 Packaging Accountable COMSEC Material

12.4.1 Overview

The packaging used for the distribution of physical ACM will depend upon the size, weight,

shape of the material and the intended method of transport. All ACM must be double-wrapped or

otherwise encased in two opaque containers and securely sealed (including seams) before it is

transported.

12.4.2 Inner Wrapping

The inner wrapping must:

be secure enough to detect tampering;

guard against damage; and

be marked as follows:

o full addresses of both the shipping and receiving COMSEC Accounts;

o highest classification or protected level of the contents;

o caveat “CRYPTO” if any of the contents are so marked; and

o notation “TO BE OPENED ONLY BY THE COMSEC CUSTODIAL PERSONNEL”.

The sealed envelope containing the copies of the COMSEC Material Report may be enclosed

inside the package or affixed to the external surface of the inner wrapping of the package. When

more than one package is required, the envelope may be enclosed or affixed to the first package

of the series.

NOTE: Manufacturer’s protective packaging (e.g. key canisters) is not considered an inner

wrapping when preparing items for shipment (refer to Article 13.1.4).

12.4.3 Outer Wrapping

The outer wrapping must:

be secure enough to prevent damage to the contents or inadvertent or accidental unwrapping;

not bear any indication that the package contains classified or protected ACM;

be marked as follows:

o full addresses of both the shipping and the receiving COMSEC Accounts;

o shipment number or authorized courier number; and

o package number, followed by a forward slash (“/”) and by the total number of packages in

the shipment (e.g. 1/3, 2/3, 3/3); and

have all required customs documentation clearly identified and affixed to the wrapping.

12.4.4 Types of Packaging

12.4.4.1 Envelopes

Double envelopes may be used for the shipment of ACM by mail or by courier. If the inner

envelope contains cryptographic material (of any classification) or ACM classified SECRET or

above, both the inner and outer envelope flap must be sealed with reinforced or tamper evident

tape in addition to the envelope gum seal.

If the inner envelope contains ACM classified CONFIDENTIAL or below, both the inner and

outer envelopes require gum sealing only. However, envelope flaps should be sealed with

reinforced or tamper evident tape if, in the opinion of the COMSEC Custodian, the envelopes

may tear during transportation.

12.4.4.2 Parcels

Good quality brown wrapping paper and fibre-reinforced paper tape should be used when

preparing COMSEC parcels. Such parcels must be packaged and bound as follows:

all seams of the inner wrapping must be bound with fibre-reinforced paper tape;

sharp corners must be reinforced or bound with cardboard to prevent damage to the inner

wrapping while in transit; and

outer wrapping must consist of paper and fibre-reinforced tape heavy enough to ensure a

suitably sturdy parcel.

12.4.4.3 Cartons

Cartons may be used as the inner or outer container for a shipment. Used cartons must be in good

condition, with all previous markings obliterated. Additional packing must be used within the

carton to prevent movement of the contents. Fibre-reinforced paper tape must be used to seal all

seams and to reinforce edges and corners.

12.4.5 Wooden Crates and Transit Cases

Wooden crates or transit cases should be used only as outer wrapping for shipments, except when

specially designed and authorized to be used as inner wraps. The outer crate or case must be

strapped with a minimum of one strap lengthwise and one widthwise, both centred. The clamp

securing the strap running lengthwise must be positioned above the strap running widthwise.

12.4.5.1 Canvas Bags

A canvas bag may be used as the outer wrapping of a parcel. The bag must be sealed with a lever

lock and security fastener (e.g. disposable plik seal). The identification number on each security

fastener is a tamper evident security control that must be used to detect unauthorized access to

the bag. The user must take note of the unique ID/serial number of the security fastener

used to seal the bag. Later, when the bag is to be opened, the user must verify that the

ID number of the security fastener on the bag has not changed. This verification of the ID number

confirms that the bag has not been opened by anyone and then resealed using a different security

fastener. The seams of the bag must be on the inside. Damaged or repaired bags must not be

used.

12.4.5.2 Briefcases

Within Canada, a briefcase with a GC-approved lock is an appropriate outer wrapper for ACM

carried by authorized departmental couriers. Refer to the RCMP G1-001 for details.

12.4.5.3 Controlled Cryptographic Items

CCI must be prepared and packaged as follows:

Unkeyed CCI must be packaged for shipment in any manner that:

o provides sufficient protection from damage, and

o provides evidence of any attempt to penetrate the package while the material is in transit.

In order to conceal the sensitive nature of the shipment, packages containing CCI must not be

externally marked as CCI or show the item description (nomenclature) of the equipment

being shipped. For exterior container documentation purposes, CCI are considered controlled

and sensitive items.

CCI must only be shipped to authorized activities. Packages must be addressed in a manner

that will ensure delivery of the material to an organization with an individual designated to

accept custody for it at the recipient activity. An individual’s name should not be used in the

address; rather a functional designator should be used (e.g. an office symbol or an NCMCS

COMSEC Account number).

12.5 Authorized Modes of Transportation

12.5.1 General

The approved modes of transportation for Canadian ACM are listed in Table 3.

12.5.2 North Atlantic Treaty Organization and Foreign COMSEC Material

12.5.2.1 Classified COMSEC Material and UNCLASSIFIED Key Marked CRYPTO

The approved modes of transportation listed in this chapter do not apply to NATO or foreign

classified ACM or UNCLASSIFIED key marked CRYPTO. This ACM must be transported in

accordance with NATO and foreign national manuals, such as:

Communications Security and Cryptography (IS-4) – Part 1: Management of Cryptographic

Systems, UK.

Communications Security and Cryptography (IS-4) – Part 2: Forms and Instructions, UK.

Instructions for the Control and Safeguarding of NATO Cryptomaterial (SDIP 293).

NATO Crypto Distribution and Accounting Publication (AMSG 505).

Control of Communications Security (COMSEC) Material (NSA/CSS Policy Manual

No. 3-16), United States (U.S.).

NOTE: Contact COMSEC Client Services for information regarding these publications.

12.5.2.2 UNCLASSIFIED, RESTRICTED and U/FOUO Accountable COMSEC Material (other than key marked CRYPTO)

UNCLASSIFIED, RESTRICTED and U/FOUO foreign and NATO ACM (other than key

marked CRYPTO) must be shipped by the modes listed in Table 3 as approved for

PROTECTED A ACM of the same type. CCI, whether of foreign or national origin, must always

be shipped by the modes listed in Table 3.

Table 3 – Authorized Modes of Transportation for Accountable COMSEC Material

Columns: Classification or Protected Level of ACM (refer to COMSEC Material Legend)

| Destination | 1, 2 | 3, 4, 5 | 6, 7 | 8 | 9 |
| --- | --- | --- | --- | --- | --- |
| Within Canada | A, B, C (Notes I, II, IV) | A, B, C, D (Notes I, II, IV) | A, B, C, D, E, F (Notes I, II, IV) | A, B, D, E, F | A, B, C, D, E, F (Notes I, II) |
| Between Canadian Addressees Outside of Canada (Note V) | A, B, C (Notes I, II, IV) | A, B, C, D (Notes I, II, IV) | A, B, C, D (Notes I, II, IV) | A, B, D, E, F | A, B, C, D, E, F (Notes I, II) |
| To or From Non-Canadian Addressees (Note VI) | A, B, C (Notes I, II, IV) | A, B, C, D (Notes I, II, III, IV) | A, B, C, D (Notes I, II, III, IV) | A, B, D, E | A, B, C, D (Notes I, II, III) |

UNCLASSIFIED ACM may be shipped by any means intended to assure safe arrival at its destination.

UNCLASSIFIED ACM marked with “CRYPTO” caveat must be shipped as per PROTECTED A (Note IV).

COMSEC Material Legend:

1 All TOP SECRET and PROTECTED C ACM
2 All key not in protective packaging
3 Classified cryptographic Information (not TOP SECRET)
4 Classified cryptographic equipment
5 SECRET key in protective packaging
6 PROTECTED B, CONFIDENTIAL and SECRET COMSEC Information
7 CONFIDENTIAL and PROTECTED B key in protective packaging
8 UNCLASSIFIED CCI and UNCLASSIFIED cryptographic material
9 PROTECTED A ACM

Authorized Mode Legend:

A Canadian Government Diplomatic Courier Service
B Authorized departmental couriers
C Electronic transfer
D Contractor’s authorized couriers
E Authorized commercial carriers
F Canada Post Priority Courier Service

Notes:

I Systems for electronic transfer of ACM are authorized by CSE on a case-by-case basis.

II Electronic transfer of key when authorized by CSE and in accordance with system or equipment operational doctrine.

III Departmental and Contractor’s couriers authorized by CSE for urgent requirements only.

IV NATO and foreign COMSEC material (including key) may require additional considerations (refer also to SDIP-293, AMSG-505,

NSA/CSS Policy Manual 3-16, IS-4, etc. for details).

V Refers to those addressees outside of Canada, where mail and shipment of material, once delivered, are handled and opened by

Canadian citizens (including those of dual nationality), e.g. Canadian Forces bases, Canadian embassies, consular offices.

VI Refers to any other foreign addressee not covered in Note V.

Instructions: Locate the correct classification/protected level of the ACM from the COMSEC Material Legend. Find the destination in the

upper left hand column. The authorized modes of transportation are indicated by letters, which correspond to letters listed in the

Authorized Mode Legend. Refer to the notes for additional information.

12.6 Authorized Couriers of Accountable COMSEC Material

12.6.1 Canadian Government Diplomatic Courier Service

The Canadian Diplomatic Mail Services of Foreign Affairs, Trade and Development Canada

provides all authorized diplomatic courier services for the GC.

12.6.2 Authorized Departmental Couriers

12.6.2.1 Requirements

Before authorizing the appointment of a departmental courier for the transport of ACM, the DCA

must ensure the courier:

is a Canadian citizen (including those of dual nationality);

is appointed for a specific period of time;

carries an authorized COMSEC Courier Certificate;

is cleared to a security level equal to or higher than the highest classification or protected

level of the ACM that is being carried;

has been appropriately briefed regarding responsibilities upon appointment; and

is provided with COMSEC Signing Authority Forms (refer to Article 6.3.2), as required.

12.6.2.2 COMSEC Courier Certificate

The COMSEC Courier Certificate attests to all concerned individuals (e.g. air carrier security

agents, customs officials) that the sealed container or package transported by the courier holds

only official matter. Presentation of the courier certificate should extend immunity from search or

examination of the official material carried or escorted by the courier. When further verification

is needed regarding the authenticity of a COMSEC Courier Certificate, the courier will direct the

concerned individual to contact the nearest Canadian military or diplomatic representative, as

appropriate.

12.6.2.3 Courier Instructions

The DCA must brief the courier and provide written instructions regarding his or her

responsibilities to personally safeguard the ACM until the package has been delivered to and

signed for by the authorized recipient. The courier instructions must include, at a minimum, what

actions to take:

before the start of the trip (e.g. contacting airline security or customs officials to make

arrangements for clearance without inspection);

during the pre-boarding security screening or customs inspection, to ensure the ACM is not

compromised or damaged (e.g. requirement to show the COMSEC Courier Certificate when

requested to do so by appropriate authorities);

for alternate storage arrangements and whom to contact in the event of emergency situations,

lengthy delays or stopovers en route; and

in the event of loss, compromise or possible compromise of ACM, including whom to contact

in such a case.

12.6.2.4 Customs and Pre-Boarding Inspections

In cases where customs officials request or demand to view the contents of a COMSEC

shipment, the authorized courier, or the COMSEC Custodian if called, will request an interview

with the Chief of Customs or Air Transport Security Authority. The courier may agree to limited

inspection as a means of assuring customs officials that the shipment contains nothing other than

what is described on the documentation (e.g. X-ray is authorized). Whenever COMSEC packages

are subjected to increased scrutiny, the authorized courier will request that the inspection:

take place in a private location;

be conducted by duly authorized individuals in the presence of the authorized courier; and

be restricted only to the external viewing of the ACM.

The courier may be obliged to discontinue the courier run and return to the point of departure

with the ACM if an arrangement regarding the extent of customs clearance examination required

cannot be reached.

12.6.3 Contractor’s Authorized Couriers

Appropriately cleared contractor personnel who have been appointed by CSE may be employed

as couriers. Contact CICA for details on the requirements that must be met by personnel

appointed as contractor couriers. A COMSEC Courier Certificate is required.

12.6.4 Commercial Carriers

A commercial carrier service (including Canada Post Priority Courier Service) may be used as a

courier service for ACM (at the levels specified in Table 3) on the condition that the carrier can

ensure a continuous chain of accountability and custody for the material while in transit. The

courier must offer speed of service (e.g. overnight delivery), physical protection and

track-and-trace capabilities.

A commercial carrier (non-military contracted aircraft) may be used to transport CCI providing

the carrier warrants in writing that the carrier:

provides door-to-door service and guarantees delivery within a reasonable number of days

based on the distance to be travelled;

possesses a means of tracking individual packages within its system (i.e. manual or

electronic) to the extent that should a package become lost, the carrier can, within 24 hours

following notification, provide information regarding the last known location of the

package(s);

guarantees the integrity of the transporters’ contents at all times;

guarantees the integrity of package contents, including protection against damage, tampering

and theft;

has the capability to store in-transit COMSEC packages in a securely locked facility

(e.g. security cage) that is accessible solely to authorized carrier personnel, should it become

necessary for the carrier to make a prolonged stop at a carrier terminal (during overnight

stopovers);

obtains manual or electronic signatures, whenever a shipment changes hands within the

carrier company; and

obtains date-timed signatures upon pickup and delivery.

12.7 Receiving Accountable COMSEC Material

12.7.1 Preparation before Receiving Accountable COMSEC Material

Before receipt of any ACM, the COMSEC Custodian must:

notify the departmental mailroom or shipping area of –

o the name of the departmental COMSEC Account that has been established,

o the name and internal address of the COMSEC Custodian, and

o the requirement to deliver mail and packages addressed to the COMSEC Account to the

COMSEC Custodian unopened;

provide the departmental mailroom or shipping area with up-to-date copies of the COMSEC

Signing Authority Form; and

ensure other individuals who are authorized to sign for packages can provide appropriate

secure storage for the received package(s) (when the COMSEC Custodian or Alternate

COMSEC Custodian is not available).

12.7.2 Inspection of Packages

On receipt of a shipment, the COMSEC Custodian must:

carefully inspect the outer wrapping and inner wrapping of the shipment for signs of damage

or tampering before removing each wrapping;

check the addresses on both outer and inner wrapping to confirm the shipment has been sent

to the intended recipient;

immediately report any evidence of possible tampering with either the inner or outer

wrappings or unauthorized access to the contents as a possible COMSEC incident in

accordance with Chapter 18 and –

o pending investigation of a possible compromise, discontinue unwrapping the package and

quarantine the package; and

o notify the shipping COMSEC Custodian to annotate all ACM involved as “Pending

Investigation”.

12.7.3 Validation of Content

When satisfied that the packaging has not been tampered with, the COMSEC Custodian must:

open the package (with TPI control in place if the shipment contains TOP SECRET key or

other key requiring TPI control);

unpack the contents and verify that the items listed on the enclosed COMSEC Material

Report match the items shipped by confirming:

o the short title, edition and quantities of all items, and

o accounting numbers, where applicable;

report any discrepancies to the shipping COMSEC Custodian and, if required, contact

NCOR/COR for assistance with reconciliation of the discrepancy;

inspect the protective packaging on each item of ACM, where applicable;

NOTE: Certain items of ACM are protectively packaged at the time of production and

must not be opened until they are to be issued to the authorized user.

page check all copies of accountable COMSEC publications;

if applicable, process and reconcile electronic key received on magnetic or optical RSM and

destroy the RSM within three working days of receipt; and

if no discrepancies are found, sign the three copies of the COMSEC Material Report and

distribute in accordance with instructions found at Article 8.1.1.3.

13 Handling and Use of Accountable COMSEC Material

13.1 Cryptographic Key

13.1.1 Purpose and Use

Key may be used only for its intended purpose and only in the equipment for which it was

produced, unless otherwise directed by the responsible cryptonet CA for the key.

13.1.2 Key States (RED and BLACK)

Key is developed, distributed and handled in one of two states: RED (unencrypted) key state or

BLACK (encrypted) key state. RED key is accounted for in the NCMCS and BLACK key is

tracked outside of the NCMCS while in the BLACK state.

13.1.3 Labels

Except for labels affixed to protective packaging at a production facility, no other labels may be

affixed to the protective packaging of any key unless authorized by COMSEC Client Services.

13.1.4 Protective Packaging

Some key is protectively packaged at the time of production and will not, in most cases, be

opened until issued to an authorized user. The protective packaging must be inspected for signs

of tampering upon initial receipt, during inventory, before transfer or issue and before destruction

of sealed key.

NOTE 1: Protective packaging applied to individual TOP SECRET key must be removed under

TPI controls.

NOTE 2: Manufacturer’s protective packaging (e.g. key canisters) is not considered an inner

wrapping when preparing items for shipment (refer to Article 12.4.2).

13.1.4.1 Electronic Key on a Key Storage Device

The COMSEC Custodian must ensure that protective packaging for electronic seed or

operational key received on a key storage device is not opened before operational use. The key

storage device will normally be attached to a label bearing the identification information for the

electronic key and will be sealed in a plastic bag or in thermoplastic film.

13.1.5 Copies of Key

13.1.5.1 Operational Symmetric Key

Operational key may be copied, in whole or in part, as authorized by the CA for the key and in

accordance with equipment-specific doctrine (refer also to Article 13.1.5.3). The following rules

apply:

retain the short title of the key being copied;

safeguard the copies according to their classification and CRYPTO caveat (if applicable);

do not retain the copies beyond the destruction date for the key from which they were copied

(they may be destroyed before this date);

destroy the copies before destroying the original key from which the copies were made; and

locally account for the copies using a manual tracking system when equipment or system

audit trails are not available.

13.1.5.2 Test Symmetric Key

Test key may be copied and accounted for within a COMSEC Account as ALC 4 or ALC 7. If

the test key is transferred to another COMSEC Account, all copies must be destroyed.

13.1.5.3 Asymmetric Key

Copying of any asymmetric key is forbidden.

13.1.6 Two-Person Integrity Controls

TPI controls must be applied to RED TOP SECRET key and other CA-identified key from the

time of production to destruction unless:

the TOP SECRET key is loaded into a cryptographic equipment that is built to preclude

access to the TOP SECRET key; or

the TOP SECRET key has been issued for tactical mission use only.

NOTE: In this instance the term “tactical” refers to data or information that requires

protection from disclosure and modification for a limited duration, as

determined by the originator or information owner.

13.2 Cryptographic Equipment

13.2.1 Sight Verification

The COMSEC Custodian must verify the completeness of cryptographic equipment upon initial

receipt, during inventory, and before transfer or issue.

NOTE: The term cryptographic equipment includes classified and unclassified COMSEC

equipment and CCI.

13.2.2 Equipment Labels

The only approved labels that may be attached to cryptographic equipment or to its protective

packaging are:

a manufacturer label;

an equipment nomenclature plate;

a CCI label;

one or more tamper-evident labels; and

any other CSE-authorized labels.

An approved label must not be removed or covered by another label unless specifically

authorized by CSE.

Visible signs of label tampering must be reported as detailed in Chapter 18.

13.2.3 Modification

Modification of any kind (including labelling) to cryptographic equipment may only be made

upon approval of COMSEC Client Services. Approved modifications to cryptographic

equipment must be done by authorized and qualified personnel.

13.2.4 Cryptographic Equipment, including Controlled Cryptographic Items,

Installed for Use in Attended, Unattended or Residential Operations

Use of cryptographic equipment, whether in attended or unattended operation (including

residences) requires the COMSEC Custodian to ensure that:

users of the equipment meet the requirements for COMSEC access as referred to in

Article 10.1.1;

users have read and understood the equipment-specific doctrine;

equipment installed for operational use is protected based on the classification of the

equipment or the key, whichever is higher; and

authorized procedures have been put in place to prevent unauthorized access to, or

unauthorized use of, the equipment or its associated key.

13.2.5 Key Storage and Fill Equipment Containing Key

13.2.5.1 Common Fill Devices Containing Key

Common Fill Devices (e.g. KYK-13) that store key in RED form and provide no record of

transactions must not be used for long term storage of key. Key may be held in this device no

longer than 12 hours after the end of the applicable cryptoperiod. This type of device must be

marked to show the highest classification of the key contained and must be kept under TPI

controls whenever it holds TOP SECRET key.

13.2.5.2 Tier 3 Management Devices Containing Key

Tier 3 Management Devices (T3MD) that store key in encrypted form must be used in

accordance with the equipment-specific doctrine. Additional direction is detailed in Annex A.

13.2.5.3 Magnetic and Optical Removable Storage Media

Magnetic and optical RSM containing RED key must be returned to secure storage after the key

or associated data has been loaded into the end equipment. RSM holding key must be marked to

show the highest classification of the key held and, where applicable, must display the CRYPTO

marking. Additional direction is detailed in Annex A.

NOTE: RSM includes CD-ROMs, DVDs and all other optical media, Universal Serial Bus

(USB) flash drives, memory storage cards and all other magnetic media.

13.2.5.4 Re-use of Accountable Magnetic and Optical Removable Storage Media

Accountable RSM that has been used to transfer key directly between GC EKMS LMD/KP

platforms may only be re-used within the GC EKMS, and for the same purpose, once the key it

contained has been removed.

Accountable RSM that has been used for other than the GC EKMS key transfer above is not

authorized for re-use and once the RSM and the key being transported have been processed and

reconciled, the RSM must be physically destroyed within three working days of receipt.

13.2.5.5 Re-use of Non-Accountable Magnetic and Optical Removable Storage

Media

Non-accountable RSM used in the transfer of BLACK key may be re-used once the BLACK key

has been removed and once the RSM has been appropriately sanitized (refer to Clearing and

Declassifying Electronic Data Storage Devices [ITSG-06] for details on RSM declassifying and

sanitization).

13.2.6 Equipment Audit Trails

13.2.6.1 Responsibility for Reviewing

The audit trails for cryptographic equipment must be reviewed as specified in the

equipment-specific doctrine.

13.2.6.2 Reviewing Audit Trails

The individual authorized to monitor the audit trail data must:

not be the primary cryptographic equipment user;

meet the access requirements in Article 10.1.1;

have sufficient knowledge concerning the authorized use of the applicable cryptographic

equipment and the key stored or filled in the equipment;

confirm only authorized copies of key are made;

be able to detect any anomalies in the audit trail data; and

send a record of the conduct of the audit trail review to the COMSEC Custodian.

13.2.6.3 Retention of Audit Logs

Audit logs must be retained as detailed in Article 6.2.5, or as detailed in the equipment-specific

doctrine if different from this directive.

13.2.6.4 Retention of Records of Audit Trail Reviews

The COMSEC Custodian must retain a record of the completion of audit trail reviews until the

COMSEC Account receives a Periodic Inventory Reconciliation Notification letter attesting that

the account inventory has been reconciled.

13.3 COMSEC Publications

13.3.1 Reproduction

Accountable COMSEC publications may be reproduced upon specific written authorization from

the originator. Instructions for reproduction of extracts will be contained in the publication’s

handling instructions. Publications that are authorized for reproduction must be reproduced by

the COMSEC Custodian unless they are authorized for reproduction under a Private Sector

contract. Refer to ITSD-06 for information on the reproduction of accountable COMSEC

publications under a GC contract for Private Sector services procured through PWGSC.

13.3.2 Frequency of Page Checks

Accountable COMSEC publications and associated amendments must be page checked:

during each COMSEC Account inventory

upon receipt

before transfer and issue

before routine destruction, and

after posting any amendment (includes removal of pages or replacement of pages).

13.3.3 Conducting Page Checks

13.3.3.1 Requirement

The COMSEC Custodian (or other authorized individual) must conduct a page check of unsealed

ACM to ensure the presence of all required pages. To conduct the page check, the presence of

each page must be verified against the “List of Effective Pages” or the “Handling Instructions”,

as appropriate.

13.3.3.2 No Missing Pages

If there are no missing pages, the “Record of Page Checks” page must be signed and dated. If the

accountable COMSEC publication has no “Record of Page Checks” page, the notation must be

placed on the cover.

13.3.3.3 Missing Pages

If any pages are missing, the “Record of Page Checks” page must be annotated accordingly and a

COMSEC Incident Report must be submitted in accordance with Chapter 18. When pages are

missing upon initial receipt of accountable COMSEC publications from a production facility, the

COMSEC Custodian must notify the issuing authority and request disposition instructions

(e.g. transfer back for replacement, destroy, use with missing page).

13.3.3.4 Duplicate Pages

In the case of duplicate pages, the COMSEC Custodian must prepare a Possession Report in

accordance with Chapter 8 and notify NCOR/COR for disposition instructions of the duplicate

page(s). The Possession Report must list the page number as part of the short title

(e.g. AMSG 600, page 3) and list the accounting number assigned to the ACM. A notation of the

duplicate page(s), and the resultant disposition of the duplicate page(s), must be entered on the

“Record of Page Checks” page.

13.3.4 Amendments to Accountable COMSEC Publications

13.3.4.1 Printed Amendments

The COMSEC Custodian must account for the printed amendment as an accountable COMSEC

publication in accordance with its respective ALC until the printed amendment has been posted

and its residue destroyed. Care should be taken when preparing the Destruction Report to ensure

that the short title, edition, and accounting number of the amendment are reported (rather than

that of the publication). Printed amendments must be entered in sequence. If one is received and

the previous amendment(s) have not been entered, the previous amendment(s) must be entered

(or acquired and entered) before the latest amendment can be processed.

13.3.4.2 Message Amendments

A message amendment is used to announce information that must be immediately entered into an

accountable COMSEC publication. Post the amendment and note the entry on the “Record of

Amendments” page, then file the message amendment according to its security classification or

protected level and ALC. Message amendments must be entered in sequence. If a message

amendment is received but the previous amendment(s) were not entered, the previous

amendments must be entered before the new amendment can be entered.

13.3.4.3 Posting Amendments

The following applies to the posting of amendments:

the COMSEC Custodian (or other authorized individual) must post the amendment as soon

as possible after its receipt (or effective date);

personnel who are authorized to post amendments must be appropriately trained;

specific instructions contained in the letter of promulgation or handling instructions must be

read and understood before posting amendments;

entire amendments must be posted at one time, and not extended over a period of time;

if replacement pages are included in an amendment, page checks of both the publication and

the residue of the amendment must be made before destruction of the residue. Inadvertent

destruction of the effective portions of publications, along with the residue from

amendments, must be reported as a COMSEC incident in accordance with Chapter 18;

personnel posting amendments must annotate the posting of the amendment on the “Record

of Amendments”. If pages were added to or removed from the publication, date and sign the

“Record of Page Checks” page;

personnel, other than the COMSEC Custodian, posting amendments must return all residue

of the amendment (including any pages removed from the publication) to the COMSEC

Custodian for destruction;

amendment residue must be placed in a sealed envelope marked with the short title,

accounting number and the classification of the amendment;

amendment residue must be destroyed within five working days after entry of the

amendment; and

after an amendment has been entered, the publication must be page checked by a member of

the custodial staff other than the person who entered the amendment.

13.4 Local Tracking of Non-Accountable COMSEC Material

13.4.1 Local Tracking System

Certain material associated with cryptographic equipment (e.g. CIKs, PINs, configuration disks),

which is not controlled within NCMCS, must be controlled by the COMSEC Custodian through

a local tracking and control system separate from the NCMCS. It is the responsibility of the

originating authority to identify this material. Control and handling of this material will be

according to this directive, unless otherwise specified by the applicable equipment-specific

doctrine or the originator.

13.4.2 Control and Protection of Cryptographic Ignition Keys

The COMSEC Custodian must locally track CIKs using departmental procedures that minimize

any potential for compromise associated with their use. Local tracking procedures for CIKs will

include:

maintaining a record of each CIK created, including the serial number of the CIK (if

possible), the serial number of the associated equipment, location of the equipment, date the

equipment was keyed, and the name of each Local Element authorized to use the CIK;

ensuring each CIK is signed for and held by the Local Element to whom it has been issued

and verifying, at least annually, that all Local Elements hold their CIK;

shipping CIKs (separately from their associated equipment) in a COMSEC channel approved

by CSE;

providing adequate storage for a CIK when it is not held under the personal control of the

Local Element; and

zeroizing or destroying CIKs that are no longer required.

13.4.3 Record of Personal Identification Numbers and Passwords

When a written record of PINs or passwords is required, the COMSEC Custodian must ensure:

the record contains the name and telephone number of the individual(s) having knowledge of

the PIN or password, the serial number of the associated equipment, the location of the

equipment, and the date the PIN or password was changed;

the record of PINs or passwords is safeguarded as directed by its classification or the

classification of the associated equipment, whichever is higher;

access to individual PINs or passwords is restricted to the individual to whom it is assigned,

unless an emergency situation dictates otherwise; and

the record of PINs and passwords or individual PINs and passwords are distributed via

COMSEC channels or via approved methods for classified material.

13.4.4 Change of Personal Identification Numbers and Passwords

The COMSEC Custodian must ensure that PINs and passwords for cryptographic equipment are

changed as detailed in the equipment-specific doctrine. Where direction is not provided, the PIN

or password must be changed when:

the equipment is first put into use by the COMSEC Custodian;

an individual knowing the PIN or password ceases to have authorized access to the

equipment;

an unauthorized individual has had access to the written record of the PIN or password;

the PIN or password is known or suspected to have been compromised; and

the PIN or password has not been changed in the last six months.

13.4.5 Storage of Personal Identification Numbers and Passwords

When records of PINs or passwords, or a list of PINs and passwords, need to be maintained, they

must be safeguarded and managed by an appropriate authority (DCA or COMSEC Custodian)

who must mark and protect the list in accordance with the minimum classification level of the

highest classification of the material being protected by the PIN or password.

13.4.6 Configuration Disks

The COMSEC Custodian must ensure the label on the equipment configuration disk identifies

the equipment to which it belongs, the date it was created, and its classification. Local tracking

includes recording the information on the label, the name of the individual responsible for the

control of the disk and the location of the associated equipment.

13.4.7 Software Upgrades

All software upgrades must be approved by COMSEC Client Services. The COMSEC Custodian

must control the equipment software upgrade process to ensure that all operational cryptographic

equipment, including the equipment held in reserve, is compatible. All mandatory software

upgrades must be completed by the date directed by CSE.

NOTE: Completion of mandatory software upgrades must be confirmed to COMSEC Client

Services and is auditable.

14 Disposal of Accountable COMSEC Material

14.1 General

While COMSEC Client Services must promulgate disposal instructions for obsolete

cryptographic equipment and associated ACM, GC departments are responsible for the process

of disposing of surplus, obsolete, superseded or unserviceable ACM in accordance with the

minimum standards set forth in this directive.

Disposal of ACM may be accomplished in one of three ways: transfer, sale or destruction.

14.1.1 Disposal Action – Transfer or Sale

DSOs or DCAs must contact COMSEC Client Services to facilitate the transfer or sale of ACM

to another authorized department.

14.1.2 Disposal Action – Destruction

Except for regularly superseded key or publications, the DSO or DCA must contact COMSEC

Client Services to facilitate the destruction of ACM.

14.1.2.1 Routine Destruction

It is imperative that authorized destruction of ACM be performed promptly, in order to keep to a

minimum the amount of ACM held in inventory.

14.1.2.2 Emergency Destruction

Where the risk of compromise in a hazardous situation or in an emergency is greater than the

security in place to prevent the compromise, emergency destruction must be considered. Refer to

Chapter 16 for details.

14.2 Destruction of Key

14.2.1 General

Superseded key is normally authorized for destruction when the next edition becomes effective

unless directed otherwise by the CA for the key.

14.2.2 Unavailability of Destruction Devices

Key that cannot be zeroized or destroyed at the COMSEC Account due to unavailability of

destruction devices must be transferred to the NDA for destruction.

14.2.3 Key Issued for Use

Superseded key, whether regularly or irregularly superseded, must always be destroyed within

12 hours of supersession except in the following circumstances:

in the case of an extended holiday period or when special circumstances prevent compliance

with the 12-hour rule (e.g. destruction facility not operational), key must be destroyed as soon

as possible and should not be held longer than 72 hours following supersession;

where authorized destruction devices are not available, superseded key must be destroyed as

soon as practicable upon completion of operations;

the destruction of KEK must be accomplished as soon as the key is filled into the

cryptographic equipment unless specific equipment or systems doctrine allows retention; or

key involved in compromised situations must be destroyed within 72 hours after disposition

instructions are received and the Destruction Report sent to NCOR/COR immediately

following destruction.

14.2.4 Emergency Supersession

Key involved in an emergency supersession must be destroyed in accordance with the CA’s

instructions.

14.2.5 Defective Key

Damaged or defective key must not be destroyed at the COMSEC Account. The COMSEC

Custodian must immediately report the matter to the appropriate CA for instructions. Defective

key must be transferred to the NDA at CSE for evaluation and destruction (i.e. physical

destruction, zeroization or rendering the key unusable).

14.3 Destruction of COMSEC Publications

Accountable COMSEC publications must be destroyed within 15 working days following the

date of supersession or the authorized date of destruction. COMSEC publications must be page

checked no more than 48 hours before their destruction.

14.4 Destruction of Cryptographic Equipment

Accountable cryptographic equipment, including CCI, must not be destroyed, dismantled or

cannibalized without specific authorization from COMSEC Client Services.

14.4.1 Destruction Facilities

Destruction facilities vary as to the level of destruction they can accommodate. Therefore, all

destruction facilities must be approved by CSE prior to the destruction of cryptographic

equipment. Currently, only CSE possesses the capability to destroy all types of cryptographic

assemblies, components and integrated circuits.

When cryptographic equipment has been designated for destruction, COMSEC Client Services

will issue specific instructions with regard to the dismantling of the equipment and the transferring

of specific items to CSE for destruction.

If a department has CSE-approved COMSEC destruction facilities available on site, the

COMSEC Custodian may undertake the destruction process once written authorization is

provided by COMSEC Client Services.

14.4.2 Dismantling Cryptographic Equipment

Cryptographic equipment must be dismantled before destruction. CSE is responsible for

determining the necessary dismantling procedures for cryptographic equipment.

The general dismantling procedures include the removal of cryptographic assemblies,

components and integrated circuits, hazardous assemblies and components, as well as all name

plates, labels and other identifying affixtures that could identify a piece of equipment as being a

COMSEC item.

Destruction procedures may differ from device to device. CSE is also responsible for determining

which dismantling processes are to be completed by CSE and which processes may be effected

by specifically trained and authorized departmental personnel.

14.4.3 Expense of Destruction

Under normal circumstances, the expense of the entire destruction process (cost and logistics) is

the responsibility of the GC department disposing of the equipment. Departments should contact

COMSEC Client Services for current information on the financial responsibilities related to the

destruction of accountable cryptographic equipment.

14.4.4 Destruction Procedure

Cryptographic equipment that is authorized for destruction must be destroyed within a controlled

environment.

The destruction process includes, but may not be limited to:

removal and disposal of accountable COMSEC assemblies, components and integrated

circuits;

removal and disposal of hazardous assemblies, components and integrated circuits;

removal and disposal of non-accountable, non-hazardous assemblies and components;

removal and disposal of name plates, labels and other identifying affixtures;

disposal of chassis and other remaining non-accountable parts; and

accounting for removed accountable cryptographic assemblies, components and integrated

circuits.

14.4.5 Removal and Disposal of Accountable Cryptographic Assemblies,

Components and Integrated Circuits

The removal of accountable cryptographic assemblies, components and integrated circuits must

be performed by authorized personnel. The destruction of accountable cryptographic assemblies,

components and integrated circuits must be performed by the COMSEC Custodian and must be

witnessed by an authorized, properly cleared and COMSEC-briefed individual. A Destruction

Report must be prepared.

NOTE: Although destruction can be achieved by incineration, disintegration or pulverization,

the incineration of assemblies, components and integrated circuits is not

environmentally friendly and is no longer practiced. CSE is responsible for

determining the particulate size to which components must be pulverized or

disintegrated.

14.4.6 Disposal of Hazardous Assemblies, Components and Integrated Circuits

All assemblies, components and integrated circuits that are deemed to be hazardous waste must

be removed and disposed of in accordance with federal and provincial environmental and

hazardous waste regulations.

All Polychlorinated Biphenyls (PCB) must be removed and disposed of separately in accordance

with federal and provincial environmental and hazardous waste regulations.

Equipment may have lithium batteries that are hardwired into the circuitry. Prior to the removal

of the lithium batteries, the authorized personnel dismantling the equipment should contact their

respective departmental safety officer for advice and guidance with respect to the safety and

environmental regulations specific to disposal of lithium batteries.

NOTE: Contact COMSEC Client Services for guidance if there is uncertainty as to whether or

not an assembly or component is hazardous to the environment.

14.4.7 Removal and Disposal of Non-Accountable, Non-Hazardous Assemblies

and Components

Non-accountable equipment assemblies and components, including PWs and other parts that are

deemed non-hazardous may be disposed of in accordance with departmental regulations for

normal waste.

14.4.8 Removal and Disposal of Name Plates, Labels and Other Identifying

Affixtures

As part of the disposal process, all name plates, labels and other affixtures that could identify a

piece of equipment as being accountable cryptographic equipment must be removed from the

chassis and physically destroyed beyond recognition to ensure that it cannot be reused. Name

plates, labels and other affixtures that are marked with a classification marking

(CONFIDENTIAL, SECRET or TOP SECRET) must be destroyed as classified waste in

accordance with local procedures.

14.4.9 Destruction of Chassis and Other Remaining Non-Accountable Parts

The chassis and remaining parts may be disposed of through commercial destruction or recycling

facilities once all accountable cryptographic assemblies, components and integrated circuits,

hazardous waste, as well as name plates, labels and other identifying affixtures are removed.

Departments are to contact COMSEC Client Services for a current listing of approved

commercial destruction facilities.

14.4.10 Accounting for Removed Assemblies, Components and Integrated

Circuits

COMSEC Client Services will identify which removed cryptographic assemblies, components

and integrated circuits require control and accountability within the NCMCS prior to their

destruction. This material will be accounted for as ALC 2 and will be entered into the NCMCS

by Possession Report.

NOTE: Once the authorized assemblies, components, integrated circuits, name plates, labels

and other identifying affixtures have been removed from the original cryptographic

equipment, the original equipment is considered to be non-accountable at which time

a Destruction Report must be prepared to remove it from NCMCS accountability. The

now non-accountable chassis must be disposed of as indicated in Article 14.4.9.

14.5 Performing Routine Destruction

14.5.1 Personnel

14.5.1.1 COMSEC Custodian and Alternate COMSEC Custodian

The COMSEC Custodian and the Alternate COMSEC Custodian normally perform the routine

destruction of ACM. However, granting the authority to destroy superseded ACM to other

appropriately cleared and COMSEC-briefed individuals is preferable to delaying destruction,

even for a short time.

14.5.1.2 Local Element

A Local Element may be granted the authority by the COMSEC Custodian to destroy key in the

presence of an appropriately cleared and COMSEC briefed witness, if an approved destruction

device is available. If an approved destruction device is not available, the key must be returned to

the COMSEC Custodian for destruction.

14.5.1.3 Witness

The destruction of all physical material and electronic key on physical media must be witnessed.

Two authorized individuals must sight the ACM being destroyed and then witness the complete

destruction or zeroization of the ACM. The zeroization (i.e. destruction) of electronic key may or

may not require a witness depending on whether the equipment records an audit trail. Refer to the

equipment-specific doctrine for direction.

14.5.2 Training

The COMSEC Custodian must ensure that the individuals whom they authorize to destroy ACM:

meet the requirements for access (refer to Article 10.1.1) to the ACM being destroyed;

are briefed on the correct procedures and methods of destruction; and

are trained in the use of authorized destruction devices.

14.5.3 Destruction Steps

The following steps must be carried out by the two individuals performing the destruction:

1. verify that the material to be destroyed is authorized for destruction before listing the

material on the Destruction Report;

2. perform equipment verification and page checking before destruction (normally, no earlier

than 48 hours before the scheduled destruction);

3. list all material to be destroyed on the Destruction Report in accordance with Article 8.1.6.

Use the (unsigned) Destruction Report (or other local destruction log) as a “check list”

during the destruction process to ensure that the correct ACM will be destroyed;

4. if sufficient destruction facilities are not available and the individuals carrying out the

destruction have been authorized to transport the ACM:

a. place the material listed for destruction in burn bags or other destruction containers,

b. seal and mark the containers in accordance with the appropriate classification or

protected level (if there is more than one container they must be individually

numbered (e.g. 1 of 2, 2 of 2)), and

c. transport the material directly to the location where the destruction is to take place.

5. immediately before destruction, verify the material being destroyed (short title, edition,

accounting number, and quantity for each item) against the Destruction Report (or other

local destruction log) ensuring that all accounting information is correct;

6. immediately destroy the material using approved destruction methods;

7. examine the destruction device and the surrounding area to ensure that all material has been

destroyed;

8. thoroughly inspect the residue to ensure that the destruction was complete; and

9. sign and witness the Destruction Report (or other local destruction log) unless the

equipment-specific doctrine specifies that a witness is not required. The Destruction Report

must not be signed until the complete destruction of the listed material is confirmed.

14.6 Routine Destruction Methods

14.6.1 Paper Accountable COMSEC Material

14.6.1.1 General

The destruction criteria listed in the following articles apply to classified key and to media which

embody, contain, describe or implement a classified cryptographic logic. Paper ACM may be

destroyed by any means approved for the destruction of paper ACM of equal classification or

protected level.

NOTE: Where possible, burning or pulverizing should be used as the preferred method for

ensuring complete destruction.

14.6.1.2 Incineration

The burning of paper ACM must be complete (so that all material is reduced to white ash) and

contained (so that no unburned pieces escape). Ashes must be inspected and, if necessary,

broken up.

14.6.1.3 Pulverizing, Chopping or Pulping

Pulverizing, chopping or pulping devices used to destroy paper ACM must reduce the ACM to

bits no larger than five millimeters (1/5 inch) in any dimension.

NOTE: DO NOT PULP paper-Mylar-paper key tape, high wet strength paper (map stock) and

durable-medium paper substitutes (e.g. Tyvek olefin, polyethylene fibre). These

materials do not reduce to pulp and must be destroyed by burning, pulverizing,

chopping or cross-cut shredding.

14.6.1.4 Cross-Cut Shredding

Using Type II shredders to reduce material to shreds not more than 1.0 millimeters wide and

14.4 mm long is considered complete destruction (refer to the RCMP G1-001 for details).

14.6.2 Non-Paper Accountable COMSEC Material

14.6.2.1 Removable Storage Media

The disposal of RSM (e.g. microforms, CD-ROMs, DVDs and all other optical media, USB flash

drives and all other removable flash drives) must be consistent with the individual system and

equipment-specific doctrine, CSE ITSG-06 and the RCMP G1-001.

14.6.2.2 Hardware Key

Contact COMSEC Client Services for authorization to destroy or dispose of hardware key, such

as Programmable Read Only Memories (PROMs), and permuting plugs and their associated

manufacturing aids.

14.6.2.3 Electronic Key

The destruction of electronic key is accomplished by zeroization or overwriting of the key.

For instructions on the destruction or zeroization of electronic key loaded in accountable

cryptographic equipment, refer to the appropriate equipment-specific doctrine.

15 COMSEC Account Inventory

15.1 Reasons for Inventory

An inventory is the verification of a COMSEC Account’s holdings. NCOR/COR maintains a

database that reflects all ALC 1, ALC 2 and ALC 6 ACM charged to each COMSEC Account.

The database contains data taken from COMSEC Material Reports (e.g. Destruction, Possession)

that COMSEC Accounts submit to NCOR/COR. Any COMSEC Material Reports that were

processed by an account but were not entered in the NCOR/COR database will result in a

discrepancy between the NCOR/COR database and the COMSEC Account records.

Inventories serve to ensure that:

COMSEC Account records are up-to-date;

the NCOR/COR database is up-to-date by verifying that all COMSEC Material Reports have

been forwarded to NCOR/COR and have been processed by NCOR/COR;

ACM charged to a COMSEC Account is actually on-hand and has been sighted by authorized

personnel; and

ACM charged to a COMSEC Account is still required for use by the account.

15.2 Types of Inventory

15.2.1 Periodic Inventory

The COMSEC Custodian and the Alternate COMSEC Custodian must conduct a periodic

(minimally every 18 months) sight inventory of all ACM in their COMSEC Account (including

all Local Elements and COMSEC Sub-Accounts) or as directed by NCOR/COR.

NCOR/COR will distribute an Inventory Report that lists all ACM charged to the COMSEC

Account as of the date of printing. A sight inventory must be conducted to verify the presence of

the material listed on the report. The COMSEC Custodian must return the signed Inventory

Report to NCOR/COR no later than 10 working days after the initial receipt of the report.

15.2.2 Change of COMSEC Custodian Inventory

In cases of sudden (indefinite or permanent) departure of the COMSEC Custodian, the

newly-appointed COMSEC Custodian must conduct a sight inventory of all ACM in the

COMSEC Account.

Upon completion of the inventory, the new COMSEC Custodian must sign the Inventory Report

as the Custodian. The new COMSEC Custodian, except for discrepancies being resolved,

assumes responsibility for all ACM in the account.

15.2.2.1 Special Inventory

The COMSEC Custodian must complete a special inventory when directed to do so by

NCOR/COR or DCA. Special inventories may be requested for reasons such as the suspected

loss of ACM or frequent deviation from accounting procedures.

The procedures used for a periodic inventory (sometimes called an annual inventory in other

documentation) must be used for a special inventory.

15.3 Inventory Reports

15.3.1 National Central Office of Record/Central Office of Record

NCOR/COR-initiated Inventory Reports are distributed to COMSEC Accounts to announce the

beginning of the inventory process. Each Inventory Report lists all ALC 1, ALC 2 and ALC 6

ACM that have been recorded in the NCOR/COR database for the respective COMSEC Account

as of the date of the printing.

NOTE: CSE has approved the use of several automated and manual accounting/management

systems to accommodate the minimum security requirements of the NCMCS. These

systems may employ terminology and procedures that are quite distinct from each

other (refer to Article 6.2.3) and any other classified information stored on the system.

15.3.2 COMSEC Account Inventory Report

Inventory Reports produced by the COMSEC Custodian at a COMSEC Account may be directed

at two different audiences:

within the COMSEC Account, where they may be distributed for use during the physical

sighting of on-hand material; and

NCOR/COR, in order to report the complete holdings of the COMSEC Account.

15.3.3 Distribution within the COMSEC Account

The COMSEC Custodian prepares Inventory Reports for internal distribution to Sub-Account(s)

and Local Elements. These Inventory Reports list all ALC 1, ALC 2, ALC 4, ALC 6 and ALC 7

ACM that the COMSEC Custodian has issued to elements within the COMSEC Account and

which are still out on loan.

15.3.4 Distribution to National Central Office of Record/Central Office of Record

The COMSEC Custodian compiles the results of all Inventory Reports that were distributed

within the account and returns a consolidated account Inventory Report to NCOR/COR. This

report contains all ALC 1, ALC 2 and ALC 6 ACM held by the COMSEC Account.

15.3.5 Amendment of Inventory Report

The Amendment to Inventory Report is used to report any discrepancies between a COMSEC

Account’s inventory and the NCOR/COR-initiated Inventory Report. For example, if a

COMSEC Account failed to submit a Destruction Report to NCOR/COR, all the material

destroyed by the account that was listed on the Destruction Report would not be recorded in the

NCOR/COR database. Consequently, the NCOR/COR-initiated Inventory Report would list that

material as being on-hand at the COMSEC Account. An Amendment to Inventory Report would

provide the details of the missing Destruction Report. When submitting the Amendment to

Inventory Report, the COMSEC Custodian must attach all supplemental accounting reports in

order for NCOR/COR to proceed with the inventory reconciliation.

15.4 Inventory Conduct

15.4.1 General

The COMSEC Custodian must ensure that a sight inventory of the entire COMSEC Account is

carried out during the inventory. Before the expected receipt of the periodic

NCOR/COR-initiated Inventory Report, the COMSEC Custodian must:

generate a COMSEC Account Inventory Report;

conduct a sight inventory of ACM that has been issued to Local Elements or direct the Local

Element to do so with an appropriate witness;

direct each COMSEC Sub-Account Custodian to conduct a sight inventory of COMSEC Sub-

Account holdings in the same manner as described for a COMSEC Account inventory; and

conduct a sight inventory of the ACM on-hand and under the direct custody of the COMSEC

Custodian.

15.4.2 Sight Inventory

The COMSEC Custodian will provide an Inventory Report for personnel conducting a sight

inventory of ACM. The following applies when conducting a sight inventory of ACM:

the sight inventory must be conducted by two individuals who are appropriately cleared and

who have been COMSEC briefed;

the two individuals conducting the sight inventory must verify that the ACM on-hand agrees

with the COMSEC Account Inventory Report;

unsealed accountable COMSEC publications must be page checked;

cryptographic equipment in use does not need to be opened to verify it contains all required

subassemblies and elements;

removable assemblies that are listed separately on an Inventory Report and are not listed on

the equipment’s chassis must be physically sighted unless the equipment is undergoing tests

or is in operation;

electronic key that is stored in equipment with a verifiable audit trail may be inventoried

without a witness; and

COMSEC Custodians are responsible to NCOR/COR for only the original ALC 6 electronic

key distributed to the account or generated by the account. Copies of electronic key are

locally accountable.

15.4.3 Reconciling the COMSEC Account Inventory Report

15.4.3.1 Local Element Inventory Reconciliation

Persons conducting Local Element inventories may mark up the Inventory Report to indicate that

material is on-hand or, conversely, that it is lost, missing or contains extra material. They must

both sign the Inventory Report before returning it to the COMSEC Custodian.

The COMSEC Custodian must reconcile the Inventory Report returned from all Local Elements

with the COMSEC Account Inventory Report.

15.4.3.2 COMSEC Sub-Account Inventory Reconciliation

The COMSEC Sub-Account Custodian must return his or her signed Inventory Reports to the

COMSEC Account Custodian for reconciliation. If discrepancies are noted in any COMSEC

Sub-Account Inventory Report, the COMSEC Custodian must direct the custodian of that

COMSEC Sub-Account to take corrective action within 48 hours of receipt of such notice, to

advise the COMSEC Custodian of the action taken and to submit any substantiating reports

required.

The COMSEC Custodian must reconcile the Inventory Reports returned from all COMSEC

Sub-Accounts with the COMSEC Account Inventory Report.

15.4.3.3 COMSEC Account Reconciliation

Upon receipt of the NCOR/COR-initiated Inventory Report, the COMSEC Custodian must

reconcile the COMSEC Account holdings with the NCOR/COR-initiated Inventory Report. This

is accomplished by conducting a sight inventory of all ACM held by all elements within the

account and returning a signed Inventory Report to NCOR/COR.

15.4.4 Completion and Submission of Inventory Report and Supplements

Upon completion of the COMSEC Account inventory, the COMSEC Custodian and the witness

must sign and date the Inventory Report. The number of supplemental accounting reports and

pages of amendments must be entered on the last page of the Inventory Report.

The Inventory Report and the Amendment to Inventory Report with all supplemental COMSEC

Material Reports (if required) must be sent to NCOR/COR no later than ten working days after

receipt of the NCOR/COR-initiated Inventory Report. A signed copy of the Inventory Report

must be retained on file.

15.4.5 National Central Office of Record/Central Office of Record Reconciliation of

COMSEC Account Inventory Report

NCOR/COR will process Inventory Reports submitted by COMSEC Accounts.

If NCOR/COR notifies a COMSEC Account of discrepancies between the COMSEC Account

Inventory Report and NCOR/COR Inventory Report, the COMSEC Custodian must attempt to

resolve the discrepancies.

If the discrepancies are the result of missing COMSEC Material Reports, the COMSEC

Custodian must prepare and submit, within 48 hours, an Amendment to Inventory Report with all

supplemental COMSEC Material Reports to update the NCOR/COR database.

If the sight inventory of the COMSEC Account is correct, and there are no missing COMSEC

Material Reports, NCOR/COR will issue an Inventory Reconciliation Report, which certifies the

inventory as being correct.

If the sight inventory reveals lost or missing ACM or other discrepancies, a COMSEC incident

must be reported as detailed in Chapter 18. An Inventory Reconciliation Report will not be

issued until all discrepancies have been resolved or an investigation into the incident has been

completed and disposal instructions issued.
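
The reconciliation described in Articles 15.3.5 and 15.4.5, sketched as an added Python example (not part of ITSD-03A or of any CSE accounting system). The record layout, report numbers and sample items are constructed assumptions; only the ALC groupings and the report names come from the directive.

```python
from typing import NamedTuple

# Per Articles 15.1 and 15.3.4, only these ALCs are charged to the account in
# the NCOR/COR database; ALC 4 and ALC 7 appear only on internal reports.
CENTRAL_ALCS = frozenset({1, 2, 6})


class Item(NamedTuple):
    short_title: str
    edition: str
    accounting_number: str
    alc: int


class MaterialReport(NamedTuple):
    kind: str          # "Destruction" or "Possession"
    number: str        # local report number (constructed format)
    items: frozenset   # Items covered by the report


def reconcile(ncor_listed, sighted, unforwarded_reports):
    """Compare the NCOR/COR-initiated Inventory Report with the sight inventory.

    unforwarded_reports are COMSEC Material Reports on file at the account that
    NCOR/COR has not processed (the cause of discrepancy named in Article 15.1).
    """
    ncor_listed, sighted = set(ncor_listed), set(sighted)
    by_kind = {"Destruction": {}, "Possession": {}}
    for report in unforwarded_reports:
        if report.kind not in by_kind:
            raise ValueError(f"unsupported report kind: {report.kind!r}")
        for item in report.items:
            by_kind[report.kind][item] = report.number
    destroyed, possessed = by_kind["Destruction"], by_kind["Possession"]

    result = {"confirmed": [], "amendment": [], "incident": [], "local_only": []}
    for item in sorted(ncor_listed | sighted):
        listed, seen = item in ncor_listed, item in sighted
        if not listed and item.alc not in CENTRAL_ALCS:
            # Locally accountable material: not expected on the NCOR/COR report.
            result["local_only"].append(item)
        elif listed and seen and item in destroyed:
            # Contradiction: recorded as destroyed, yet physically present.
            result["incident"].append(
                (item, f"on hand but listed as destroyed on {destroyed[item]}"))
        elif listed and seen:
            result["confirmed"].append(item)
        elif listed and item in destroyed:
            # Explained by a report that was never forwarded: amend and attach it.
            result["amendment"].append((item, destroyed[item]))
        elif listed:
            result["incident"].append((item, "charged to account but not sighted"))
        elif item in possessed:
            result["amendment"].append((item, possessed[item]))
        else:
            result["incident"].append((item, "on hand but not charged to account"))
    return result


def ready_for_reconciliation_report(result):
    """True only when nothing remains to amend or investigate (Article 15.4.5)."""
    return not result["amendment"] and not result["incident"]


def sample_inventory():
    """Constructed sample data; titles and numbers are placeholders."""
    a = Item("EXAMPLE KEY A", "01", "1001", 1)   # listed and sighted
    b = Item("EXAMPLE KEY A", "02", "1002", 1)   # destroyed, report not forwarded
    c = Item("EXAMPLE EQPT B", "-", "2001", 2)   # listed, cannot be found
    d = Item("EXAMPLE KEY C", "05", "3001", 6)   # on hand, Possession Report not forwarded
    e = Item("EXAMPLE PUB D", "03", "4001", 4)   # ALC 4, locally accountable
    f = Item("EXAMPLE KEY E", "01", "5001", 1)   # on a Destruction Report but still present
    reports = [
        MaterialReport("Destruction", "DR-0001", frozenset({b, f})),
        MaterialReport("Possession", "PR-0001", frozenset({d})),
    ]
    return [a, b, c, f], [a, d, e, f], reports


if __name__ == "__main__":
    outcome = reconcile(*sample_inventory())
    for bucket, entries in outcome.items():
        print(bucket, entries)
    print("ready:", ready_for_reconciliation_report(outcome))
```

The `amendment` entries correspond to lines on an Amendment to Inventory Report with the named supplemental report attached; the `incident` entries are the cases the directive routes to Chapter 18.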

16 COMSEC Emergency Protection Planning

16.1 Requirement

Every GC department that holds ACM must maintain a current, documented emergency plan for

the protection and positive control of ACM appropriate for:

natural disasters or accidental emergencies likely to occur in their location (e.g. hurricanes,

tornadoes, earthquakes, floods or fires). Consideration must be given to incorporating this

plan into the Business Continuity Plan established for the entire GC department. Procedures

must emphasize maintaining security control over the ACM until order is restored without

endangering life; and

high risk environments (e.g. those with potential or imminent hostile situations). Emergency

Plans in high risk environments must include Emergency Destruction Procedures (EDP).

16.2 Planning for Natural Disasters and Accidental Emergencies

Planning must provide for:

safety of all personnel (of prime importance);

assignment of on-scene responsibility for ensuring the protection and positive control of all

ACM;

protection or removal of ACM in the event that the admission of unauthorized individuals

into the secure area(s) becomes necessary;

evacuation of the area(s);

assessment and reporting of the probable exposure of ACM to unauthorized individuals

during the emergency;

post-emergency inventory of ACM and reporting of the loss or unauthorized exposure of

ACM to the DCA;

identification of primary and secondary recovery sites, when recovery will not be possible at

the current location;

identification of critical resources required to support the recovery;

off-site storage facilities; and

business continuity during and business resumption following the emergency event.

16.3 Planning for Emergencies in High Risk Environments

16.3.1 Situational Assessment

Planning for potential hostile activity (e.g. enemy attack, civil uprising, riot) must concentrate on

the activities necessary to safely evacuate or securely destroy the ACM (without endangering

life). It must take into consideration all possible situations which could occur, such as those in

which:

an orderly withdrawal could be conducted over a specified period of time;

a volatile environment exists such that destruction must be performed discreetly in order to

avoid triggering hostilities; or

invasion or capture is imminent.

16.3.2 Consideration Factors

Other important factors to consider when planning for potential hostile activity are:

likelihood of the various types of hostile actions and the threats that those actions pose;

availability and adequacy of physical security protection (e.g. perimeter controls, strength of

guard forces, physical defences at locations which hold ACM);

availability of transportation and adequate storage facilities for emergency evacuation and an

assessment of the probable risks associated with emergency evacuation;

availability and adequacy of facilities for emergency destruction of ACM, including approved

destruction devices, electrical power, location, personnel; and

requirement for, and availability of, external communications during emergency situations.

NOTE: Unless there is an urgent need to restore communications after relocation, key should

be destroyed rather than evacuated.

16.3.3 Protecting Accountable COMSEC Material

There are three options for the control of ACM in an emergency due to hostile activity:

securing ACM;

removing ACM from the scene of the emergency; and

destroying (or disabling) ACM (refer to equipment-specific doctrine).

Planners must consider which of the above options (singly or in combination) are applicable to

particular situations, and to their facilities.

The option(s) from which to choose in various situations should be clearly stated in the plan. The

following two scenarios are provided as examples:

if it appears that a civil uprising is to be short lived and that the COMSEC facility is to be

only temporarily abandoned, the actions to take could be as follows:

o ensure that all superseded key has been destroyed;

o gather up current and future key and take it along if adequate security protection is

available, or destroy it using approved methods;

o zeroize the key from all keyed operational or on standby equipment;

o remove all classified and CCI components from cryptographic equipment and lock them,

along with other classified ACM, in approved storage containers;

o secure the facility door(s) and leave; and

o upon return, conduct a complete inventory; and

if it appears that the facility is likely to be overrun, the emergency destruction procedures

should be put into effect.

16.3.4 External Communications

External communications during an emergency situation should be limited to contact with a

single remote point. This point will act as a distribution centre for outgoing message traffic and

as a filter for incoming queries and guidance, thus relieving site personnel from multiple

activities during the emergency. When there is a warning of hostile intent and the physical

protection is inadequate to prevent overrun of the facility, secure communications should be

discontinued in time to allow for thorough destruction of all ACM.

16.4 The Emergency Plan

16.4.1 Development

The DCA, in coordination with the COMSEC Custodian, is responsible for the preparation,

implementation and annual re-evaluation of the COMSEC Emergency Plan. Coordination with

appropriate security, fire and safety personnel will ensure that the plan is realistic, workable, and

accomplishes the goals for which it is prepared. The duties under the plan must be clearly

described and the contact information for all individuals with duties under the plan must be

documented. Refer to the COMSEC Emergency Plan Template for an outline of the COMSEC

Emergency Plan, including emergency destruction priorities.

16.4.2 Maintenance and Testing

The COMSEC Custodian must ensure that:

all individuals are aware of the existence of the plan and how alerts and warnings to an

emergency event will be communicated;

each individual who has duties assigned under the plan receives detailed instructions on how

to carry out these duties when the plan is put into effect;

all individuals are familiar with all duties, so changes in assignment can be made if

necessary;

training exercises are conducted periodically, to ensure that all personnel (especially new

personnel) can carry out their duties; and

the plan is revised (if necessary) based on experience gained in the training exercises.

16.4.3 Emergency Destruction Priorities

16.4.3.1 General

In deteriorating conditions, every reasonable effort should be made to remove ACM, especially

that which is not in use, to a safe place before hostile activities escalate to the point that removal

is impossible. Where loss of positive control of the ACM is imminent, the following

considerations must be entertained:

destruction or erasure of key is preferable to losing positive control of the key;

if unable to destroy every publication, destroy the sensitive pages (i.e. those containing

cryptographic logic); and

zeroize (or tamper) cryptographic equipment (refer to equipment-specific doctrine), remove

their batteries and physically destroy the equipment if no other option is available.

NOTE: When sufficient personnel and destruction facilities are available, more than one

person destroys the ACM.

16.4.3.2 Combined ACM Priorities

Due to the potentially limited availability of personnel and facilities during an emergency

situation, ACM should be destroyed according to the following priorities:

1. all key marked CRYPTO, in the following order –

a. superseded key, in descending order of classification or protected level from TOP

SECRET,

b. currently effective key, in descending order of classification or protected level from TOP

SECRET, and

c. future key, in descending order of classification level from TOP SECRET;

2. COMSEC publications marked CRYPTO and status documents showing the effective dates

for key;

3. classified pages from classified maintenance manuals (or the entire manual if classified

pages are not separately identified);

4. classified and CCI components of classified equipment and CCI;

5. any remaining classified ACM or other classified material; and

6. any other COMSEC material.

16.4.4 Emergency Destruction Methods

Any of the methods approved for the routine destruction of classified ACM may be used for

emergency destruction. Physical destruction devices may be available at certain locations outside

Canada. Information concerning these devices is available from COMSEC Client Services. Basic

hand tools should be readily available should they become necessary for destruction of

cryptographic equipment.

16.4.5 Reporting Emergency Destruction

Accurate and timely reporting of emergency destruction is essential in order to evaluate the

severity of an emergency and is second in importance only to ensuring that the ACM is

thoroughly destroyed. A report must be submitted to NCOR/COR as soon as possible. The report

must clearly indicate, for the destroyed ACM, the method(s) of destruction, and the degree of

destruction. This report must also identify any items that were not destroyed and which may be

presumed compromised. In such cases, a COMSEC Incident Report must be submitted, as

detailed in Chapter 18.

17 COMSEC Account Audit

17.1 Planning the Audit

17.1.1 Purpose of an Audit

A CSE-initiated COMSEC audit provides an independent review of a COMSEC Account’s

records and activities to ensure ACM produced by or entrusted to the COMSEC Account is

controlled and managed as detailed in this directive.

17.1.2 Frequency of Audits

A CSE representative will audit COMSEC Accounts at least once every 18 months. Audits may

be conducted more frequently based on:

previous audit findings;

size of the COMSEC Account inventory;

types and classification of ACM in use;

volume of COMSEC Material Reports;

frequency of deviation from COMSEC directive;

abnormal number of COMSEC Custodian changes; or

type of automated accounting and management system in use at the COMSEC Account.

17.1.3 Scheduling the Audit

CSE will normally provide three weeks’ advance notice of the audit. However, the audit may occur on short notice when irregularities of a serious nature have occurred. The CSE representative conducting the audit will:

contact the COMSEC Account Custodian (usually via a phone call or e-mail) to schedule the audit;

confirm the date and time of the audit, in writing; and

provide an audit check list that will be used as a guide during the audit.

17.2 Conducting the Audit

17.2.1 Access to COMSEC Account Holdings

CSE representatives conducting the COMSEC audit are authorized to have supervised access to all COMSEC Account reports, records and files, including electronic files and databases, upon presentation of their CSE identification badge and a copy of their COMSEC Briefing Certificate.

NOTE: The CSE representatives may require supervised access to COMSEC Sub-Account and Local Element sites. COMSEC Sub-Account and Local Element audits must be coordinated by the COMSEC Account Custodian (refer to Article 15.4.2).

17.2.2 Scope of the Audit

The audit must be sufficient in scope to determine the accuracy of COMSEC accounting records and to confirm that ACM control procedures have been, and continue to be, correctly applied. The audit includes:

verification that accounting reports, records and files are complete and accurate;

verification of compliance with packaging, marking and distribution procedures;

verification of the consistent application of procedures and processes (including physical security) related to the control, storage and use of ACM;

assessment of the adequacy of automated accounting system controls;

detailed audit of IP accounting records, if applicable;

verification of the completion of COMSEC Sub-Account audits, if applicable; and

discussion with the COMSEC Custodian regarding any problems encountered with the control of ACM or the maintenance of the COMSEC Account.

17.2.3 Exit Interview

Upon conclusion of the COMSEC Account audit, the CSE representative will hold an exit interview with the DSO, the DCA (if designated) and the COMSEC Custodian to advise them of any situations that require immediate corrective action and to brief them on the audit findings and recommendations.

NOTE: If neither the DSO nor the DCA is available, the CSE representative will reschedule the exit interview.

17.3 Audit Reporting

17.3.1 COMSEC Account Audit Report

The COMSEC Account Audit Report will document all observations, recommendations and required corrective actions. CSE will provide the DCA with a copy of the COMSEC Account Audit Report within 15 working days of completion of the audit. If corrective actions are required, a Statement of Action Form will be included with the COMSEC Account Audit Report.

17.3.2 Statement of Action Form

The COMSEC Custodian must complete the corrective actions stated in the COMSEC Account Audit Report and return a signed Statement of Action Form identifying observations that “MUST” be corrected to CSE within ten working days of receipt of the COMSEC Account Audit Report. If, due to operational requirements, the required corrective actions cannot be completed before the due date, CSE may grant an extension to this period. Observations that were deemed to impact the COMSEC Account to a minor degree may be negotiated with COMSEC Client Services.

17.3.3 Failure to Return a Statement of Action Form

CSE will send a Tracer Notice to the DCA if the signed Statement of Action Form is not received when due. If a signed Statement of Action Form is not returned to CSE at the end of an additional ten working days following dispatch of the initial Tracer Notice, a second Tracer Notice will be sent to the DCA, with a copy to the COMSEC Custodian. If the signed Statement of Action Form has still not been received by CSE another five working days after the second Tracer Notice, the matter will be treated as a COMSEC incident and forwarded to the NCIO for action.

17.4 COMSEC Sub-Account Audits

17.4.1 Requirement

The COMSEC Custodian must audit COMSEC Sub-Account(s) at least once every 18 months, using the same considerations and in the same manner as detailed in this chapter.

17.4.2 Communications Security Establishment Participation

Although COMSEC Custodians are normally responsible for conducting audits of their COMSEC Sub-Accounts, CSE may conduct an audit of a COMSEC Sub-Account, including Local Elements, when irregularities of a serious nature have occurred.

NOTE: COMSEC Sub-Account and Local Element irregularities notwithstanding, CSE may request to collaborate with the COMSEC Account Custodian during routine audits.

18 COMSEC Incidents

18.1 General

A COMSEC incident occurs whenever there is a situation or activity that jeopardizes the confidentiality, integrity or availability of COMSEC information, material or services.

Prompt and accurate reporting of COMSEC incidents (e.g. Local Element > Custodian > DCA > NCIO) minimizes the potential for compromise of ACM and the classified information that it protects. Unless all personnel who handle or manage ACM immediately report all occurrences that are specifically identified as COMSEC incidents, corrective action cannot be implemented in a timely manner to mitigate or eliminate their impact.

It is important that all suspected COMSEC incidents be promptly reported to the responsible DSO/DCA as detailed in the ITSD-05.

18.2 Classes of COMSEC Incidents

COMSEC Incidents fall into one of two classes: Practices Dangerous to Security (PDS) or Compromising Incidents.

18.2.1 Practices Dangerous to Security

PDS are incidents that are considered minor violations of administrative requirements and do not result in the loss of control, unauthorized access or unauthorized viewing of ACM. PDS are considered administrative infractions and are not reportable at the national level. PDS do not result in a compromise of information, assets or functionality, but create situations where exploitation is possible unless action is taken to correct the practice. Even minor violations may warrant an evaluation. Therefore, PDS must be handled locally by the DSO/DCA in accordance with departmental directives.

18.2.2 Compromising Incidents

Compromising incidents may have serious consequences for operational security. Investigation of compromising incidents helps to determine if sensitive records were irretrievably lost by the rightful owners or accessed by an unauthorized individual. It is important to note that the compromise of sensitive information or asset(s) may have implications far beyond the local authorized user or GC department. Compromising incidents are reportable at the national level (report to COMSEC Custodian, DSO/DCA and NCIO).

18.3 Handling, Reporting and Evaluating COMSEC Incidents

For specific details on how to handle, report and evaluate COMSEC Incidents, follow the direction in the ITSD-05.

Glossary

This glossary contains definitions for the terms used in this ITSD.

5-Eyes: Canada, Australia, New Zealand, United Kingdom and United States.

Access: The capability and opportunity to gain knowledge or possession of, or to alter, information or material.

Access Control: Ensuring authorized access to assets within a facility or restricted area by screening visitors and material at entry points by personnel, guards or automated means and, where required, monitoring their movement within the facility or restricted access areas by escorting them.

Accountability: The responsibility of an individual for the safeguard and control of COMSEC material which has been entrusted to his or her custody.

Accountable COMSEC Material: Communications Security (COMSEC) material that requires control and accountability within the National COMSEC Material Control System in accordance with its accounting legend code and for which transfer or disclosure could be detrimental to the national security of Canada.

Accountable COMSEC Material Control Agreement (ACMCA): A binding agreement between Communications Security Establishment and an entity (Government or Canadian private sector) not listed in Schedules I, I.1, II, IV and V of the Financial Administration Act that will permit the acquisition, accounting, control, management and final disposition of communications security material.

Accounting Legend Code (ALC): A numeric code used to indicate the minimum accounting controls for Communications Security (COMSEC) material within the National COMSEC Material Control System.

Audit: The process of conducting an independent review and examination of system records and activities in order to test the adequacy of system controls, to ensure compliance with established policy and operational procedures, and to recommend any changes in controls, policy, or procedures.

Audit Trail: A chronological record of system activities to enable the construction and examination of a sequence of events or changes in an event (or both).

Authorized User: For the purpose of this directive, an individual (other than the Custodian, Alternate Custodian or Local Element), who is required to use COMSEC material in the performance of assigned duties.

BLACK Key: Encrypted Key.

Canadian Central Facility: The entity within Communications Security Establishment that provides centralized cryptographic key management.

Canadian Cryptographic Doctrine (CCD): The minimum security standards for the safeguard, control and use of Communications Security Establishment–approved cryptographic equipment and systems.

Canadian Private Sector: Canadian organizations, companies or individuals that do not fall under the Financial Administration Act or are not subordinate to a provincial or municipal government.

Central Office of Record (COR): The office of a federal department or agency that keeps records of accountable COMSEC material held by elements subject to its oversight.

Communications Security (COMSEC): The application of cryptographic, transmission, emission and physical security measures, and operational practices and controls, to deny unauthorized access to information derived from telecommunications and to ensure the authenticity of such telecommunications.

Compromise: The unauthorized access to, disclosure, destruction, removal, modification, use or interruption of assets or information.

COMSEC Custodian: The individual designated by the departmental Communications Security (COMSEC) authority to be responsible for the receipt, storage, access, distribution, accounting, disposal and destruction of all COMSEC material that has been charged to the departmental COMSEC Account.

COMSEC Incident: Any occurrence that jeopardizes or potentially jeopardizes the security of classified or protected Government of Canada information while it is being stored, processed, transmitted or received.

COMSEC Material: An item designed to secure or authenticate telecommunications information. COMSEC material includes, but is not limited to, cryptographic key, equipment, modules, devices, documents, hardware, firmware or software that embodies or describes cryptographic logic and other items that perform COMSEC functions.

Controlled Cryptographic Item (CCI): An UNCLASSIFIED secure telecommunications or information system, or associated cryptographic component, that is governed by a special set of control requirements within the National COMSEC Material Control System and marked “CONTROLLED CRYPTOGRAPHIC ITEM” or, where space is limited, “CCI”.

Controlling Authority (CA): The entity designated to manage the operational use and control of key assigned to a cryptographic network.

Crypto Material Assistance Centre (CMAC): The entity within Communications Security Establishment responsible for all aspects of key ordering including privilege management, the management of the National Central Office of Record and the administration of the Assistance Centre.

Cryptographic: Pertaining to or concerned with cryptography. NOTE: Often abbreviated as “crypto” and used as a prefix, e.g. cryptonet.

Cryptographic Equipment: Equipment that performs encryption, decryption, authentication or key generation functions.

Cryptographic Logic: The embodiment of one (or more) cryptographic algorithm(s) along with alarms, checks, and other processes essential to effective and secure performance of the cryptographic process(es).

Cryptographic Network (cryptonet): Two or more pieces of cryptographic equipment connected together that utilize cryptographic key for the protection of information.

Cryptoperiod: A specific length of time during which a cryptographic key is in effect.

CSE Industrial COMSEC Account (CICA): The entity at the Communications Security Establishment responsible for developing, implementing, maintaining, coordinating and monitoring a private sector communications security program that is consistent with the Policy on Government Security and its related policy instruments for the management of accountable COMSEC material.

Departmental COMSEC Authority (DCA): The individual designated by, and responsible to, the departmental security officer for developing, implementing, maintaining, coordinating and monitoring a departmental communications security program which is consistent with the Policy on Government Security and its standards.

Departmental Security Officer (DSO): The individual responsible for developing, implementing, maintaining, coordinating and monitoring a departmental security program consistent with the Policy on Government Security and its standards.

Electronic Key: A key that is stored on magnetic or optical media, or in electronic memory, transferred by electronic transmission, or loaded into cryptographic equipment.

Exception: An authorization granted by COMSEC Client Services for an agreed-upon deviation or divergence from a specific minimum COMSEC requirement.

Government of Canada (GC) Department: Any federal department, organization, agency or institution subject to the Policy on Government Security.

Issue: The process of distributing COMSEC material from a COMSEC Account to its COMSEC Sub-Account(s) or Local Element(s).

Key Management: The procedures and mechanisms for generating, disseminating, replacing, storing, archiving, and destroying cryptographic key.

Key Material Support Plan (KMSP): A detailed description of the communication security requirements of a cryptographic network.

Keyed: Refers to the state of a cryptographic equipment in which cryptographic key has been loaded for use or storage.

Keying Material: A key, code, or authentication information in physical, electronic or magnetic form.

Local Accounting: The process by which a COMSEC Custodian records and controls, in the National COMSEC Material Control System, COMSEC material that is not reportable to the Central Office of Record.

Local Element: An individual registered at a COMSEC Account or COMSEC Sub-Account who is authorized to receive COMSEC material from that account.

Local Tracking: The process used by the COMSEC Custodian to control and monitor the movement of COMSEC-related material outside of the National COMSEC Material Control System. NOTE: This process does not assign an Accounting Legend Code number.

Locked: Refers to the state of a cryptographic equipment in which the secure mode has not been accessed (e.g. by means of a Cryptographic Ignition Key [CIK], a Personal Identification Number [PIN] or a combination of CIK/PIN and password).

Modification: Any change to the electrical, mechanical or software characteristics of a piece of cryptographic equipment.

National Central Office of Record (NCOR): The entity at Communications Security Establishment responsible for overseeing the management and accounting of all accountable COMSEC material produced in, or entrusted to, Canada.

National COMSEC Audit Team (NCAT): The entity at Communications Security Establishment responsible for conducting COMSEC audits of COMSEC Accounts within the National COMSEC Material Control System.

National COMSEC Incidents Office (NCIO): The entity at Communications Security Establishment responsible for managing communications security incidents through registration, investigation, assessment, evaluation and closure.

National COMSEC Material Control System (NCMCS): A centralized system, which includes personnel, training and procedures, that enables Government of Canada departments to effectively control and handle accountable COMSEC material.

National Distribution Authority (NDA): The entity within the Canadian Communications Security (COMSEC) community responsible for the secure receipt, storage, distribution and disposal of COMSEC material originating at Communications Security Establishment or received from or destined to foreign countries.

Other Levels of Government (OLG): Provincial, municipal and local government organizations (e.g. law enforcement agencies).

Over-The-Air Rekey (OTAR): The changing of traffic encryption key or transmission security key in remote cryptographic equipment by sending new key directly to the equipment over the communication path it secures.

Over-The-Air Transfer (OTAT): The electronic distribution of cryptographic key without changing the traffic encryption key used to secure the communications path.

Protective Packaging: Packaging techniques for COMSEC material, which discourage penetration, reveal that a penetration has occurred, or inhibit viewing and copying of COMSEC material, before the time it is exposed for use.

RED Key: Unencrypted key.

Removable Storage Medium (RSM): A small device that is used to transport or store data (e.g. disks, memory cards, flash drives).

Tier 3 Management Device (T3MD): A cryptographic equipment that securely stores, transports and transfers (electronically) cryptographic key and that is programmable to support modern mission systems.

Transfer: The process of distributing COMSEC material from one COMSEC Account to another COMSEC Account.

Two-Person Integrity (TPI): A control procedure whereby TOP SECRET key and other specified key must not be handled by or made available to one individual only.

Unkeyed: Refers to the state of a cryptographic equipment in which no cryptographic key has been loaded for use or storage.

Unlocked: Refers to the state of a cryptographic equipment in which the secure mode has been accessed (e.g. by means of a Cryptographic Ignition Key [CIK], a Personal Identification Number [PIN] or a combination of CIK/PIN and password).

Waiver: An authorization granted by COMSEC Client Services to be excluded from the obligation of adherence to a specific minimum COMSEC requirement.

Bibliography

The following source documents were used in the development of this directive:

Communications Security Establishment

o Canadian Cryptographic Doctrine for the Disposal of Accountable COMSEC Equipment (CCD-49), February 2008 (now superseded by this ITSD).

o Clearing and Declassifying Electronic Data Storage Devices (ITSG-06), July 2006.

o Directive for Reporting and Evaluating COMSEC Incidents Involving Accountable COMSEC Material (ITSD-05), April 2012.

o Directive for the Control of COMSEC Material in the Canadian Private Industry (ITSD-06), June 2013.

o Directive for the Control of COMSEC Material in the Government of Canada (ITSD-03), October 2011 (now superseded by this ITSD).

o Directive for the Use of CSE-Approved Cryptographic Equipment and Key on a Telecommunications Network (ITSD-04), November 2011.

o Government of Canada Facility Evaluation Procedures (ITSG-12), June 2005.

o IT Security Directive for the Application of Communications Security Using CSE-Approved Solutions (ITSD-01A), December 2013.

o IT Security Guidance on Cryptographic Key Ordering Manual (ITSG-13), May 2006.

Department of Justice

o Controlled Goods Regulations, May 20, 2013 (updated as of November 8, 2013).

o Financial Administration Act (FAA), 1985 (updated as of November 22, 2013).

North Atlantic Treaty Organization

o Instructions for the Control and Safeguard of NATO Cryptomaterial (SDIP 293).

o NATO Crypto Distribution and Accounting Publication (AMSG 505).

o Policy and Procedures for the Handling and Control of Two-Person-Controlled NATO Security Material (AMSG 773).

Public Works and Government Services Canada

o Industrial Security Manual (ISM), December 11, 2009.

Royal Canadian Mounted Police

o Guide to the Application of Physical Security Zones (G1-026), September 2005.

o Security Equipment Guide (G1-001), March 2006.

Treasury Board of Canada Secretariat

o Directive on Departmental Security Management (DDSM), July 2009.

o Operational Security Standard: Management of Information Technology Security (MITS), July 1, 2009.

o Operational Security Standard on Physical Security, February 18, 2013.

o Policy on Government Security (PGS), updated as of July 2009.

United Kingdom

o Communications Security and Cryptography (IS-4) – Part 1: Management of Cryptographic Systems.

o Communications Security and Cryptography (IS-4) – Part 2: Forms and Instructions.

United States

o Control of Communications Security (COMSEC) Material (NSA/CSS Policy Manual No. 3-16), National Security Agency (NSA).

o International Traffic in Arms Regulations (ITAR), U.S. Department of State, April 1, 2012.

Annex A - Managing and Distributing Key in a BLACK State

A.1 Accounting and Handling Principles

There are three distinct accounting and handling principles for distributing key in a BLACK (encrypted) state:

1. Any key that must be accountable within the National COMSEC Material Control System (NCMCS) remains accountable regardless of whether the actual key is in its original RED (unencrypted) state, or it has been converted to a BLACK (encrypted) state. The requirement for a key’s continuous accountability within the NCMCS remains until it is destroyed (e.g. zeroized, filled into an End Cryptographic Unit [ECU]) and removed from COMSEC accountability by a custodian through a Destruction Report.

2. A key in a BLACK state is treated as PROTECTED A and is NOT separately accountable within the NCMCS because the original key remains accountable. However, a key that is in a BLACK state should be tracked locally, outside of the NCMCS, to have assurance of delivery.

3. If Removable Storage Media (RSM) are used in the transfer of the key in BLACK state, some of the media may become separately accountable inside the NCMCS (refer to Appendix A.A.1.3).

A.1.1 Accounting Concept

Figure 3 illustrates the accountability concept for a key in a BLACK state.

A Transfer Key Encryption Key (TrKEK) or Key Encryption Key (KEK) is used to convert a key in a RED state into a key in a BLACK state. The identical TrKEK or KEK is used to reconvert the key in a BLACK state back to a key in a RED state.
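
The RED-to-BLACK conversion and reconversion described above, shown as an added example that is not part of the directive. It assumes AES Key Wrap (RFC 3394) as the wrapping algorithm, which the directive does not name, and uses the RFC's published test vector in place of a real KEK and key; the function names are illustrative.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// defaultIV is the RFC 3394 initial value; recovering it on unwrap proves integrity.
var defaultIV = []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}

// ErrIntegrity is returned when the BLACK key was altered or a different KEK is used.
var ErrIntegrity = errors.New("unwrap failed: wrong KEK or altered BLACK key")

// WrapKey converts a RED (unencrypted) key into a BLACK (encrypted) key under kek.
func WrapKey(kek, red []byte) ([]byte, error) {
	if len(red) < 16 || len(red)%8 != 0 {
		return nil, errors.New("RED key must be at least 16 bytes and a multiple of 8")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(red) / 8
	out := make([]byte, 8+len(red)) // out[0:8] is register A, followed by R[1..n]
	copy(out, defaultIV)
	copy(out[8:], red)
	buf := make([]byte, 16)
	for j := 0; j < 6; j++ {
		for i := 1; i <= n; i++ {
			copy(buf, out[:8])
			copy(buf[8:], out[8*i:8*i+8])
			block.Encrypt(buf, buf)
			binary.BigEndian.PutUint64(out[:8], binary.BigEndian.Uint64(buf[:8])^uint64(n*j+i))
			copy(out[8*i:8*i+8], buf[8:])
		}
	}
	return out, nil
}

// UnwrapKey reconverts a BLACK key to its RED state; it needs the identical KEK.
func UnwrapKey(kek, black []byte) ([]byte, error) {
	if len(black) < 24 || len(black)%8 != 0 {
		return nil, errors.New("BLACK key must be at least 24 bytes and a multiple of 8")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(black)/8 - 1
	a := append([]byte{}, black[:8]...)
	r := append([]byte{}, black[8:]...)
	buf := make([]byte, 16)
	for j := 5; j >= 0; j-- {
		for i := n; i >= 1; i-- {
			binary.BigEndian.PutUint64(buf[:8], binary.BigEndian.Uint64(a)^uint64(n*j+i))
			copy(buf[8:], r[8*(i-1):8*i])
			block.Decrypt(buf, buf)
			copy(a, buf[:8])
			copy(r[8*(i-1):8*i], buf[8:])
		}
	}
	if subtle.ConstantTimeCompare(a, defaultIV) != 1 {
		return nil, ErrIntegrity
	}
	return r, nil
}

func toHex(b []byte) string { return hex.EncodeToString(b) }

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

func main() {
	// RFC 3394 section 4.1 test vector, standing in for a KEK and a RED key.
	kek := mustHex("000102030405060708090a0b0c0d0e0f")
	red := mustHex("00112233445566778899aabbccddeeff")
	black, _ := WrapKey(kek, red)
	fmt.Println("BLACK key:", toHex(black))
	back, err := UnwrapKey(kek, black)
	fmt.Println("reconverted key matches RED key:", err == nil && toHex(back) == toHex(red))
	// A KEK that differs by one bit cannot reconvert the key.
	_, err = UnwrapKey(mustHex("010102030405060708090a0b0c0d0e0f"), black)
	fmt.Println("different KEK:", err)
	black[10] ^= 0x80 // constructed corruption of the BLACK key in transit
	_, err = UnwrapKey(kek, black)
	fmt.Println("altered BLACK key:", err)
}
```

The BLACK output is useless without the KEK, and any alteration of it is detected at reconversion rather than yielding a silently wrong key.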

Figure 3 – Accountability Concept for Key in a BLACK State (see footnote 1)

A.1.2 Network Transmission

A key in a BLACK state may be transmitted over any:

classified network

Government of Canada departmental network that has been accredited to protect PROTECTED A or PROTECTED B information, or

public network (e.g. the Internet), as long as it is protected minimally with Public Key Infrastructure (PKI) encryption or Hypertext Transfer Protocol Secure (https) encrypted connection.

1 This process is further detailed in Appendix A – Key Distribution Methods.

[Figure 3 diagram labels: Source Device: NCMCS Accountable Key, Key in a RED State; Convert, Transfer Key; Key converted in a BLACK State: Not NCMCS Accountable; Transfer in a BLACK State (footnote 1): RSM-A, T3MD, LCMS, RSM-B (only for Method 4); ReConvert, Transfer Key; Destination Device: NCMCS Accountable Key, Key in a RED State; Accountability (Transfer Report Initiating [TRI], Transfer Report Receipt [TRR], GC-223).]

A.1.3 Physical Shipment

A key in a BLACK state may be transported using the physical shipment of RSM or a Tier 3 Management Device (T3MD).

The initial RSM (refer to RSM-A in Appendix A) containing a key in a BLACK state must be transported using CSE-approved methods for shipment of ACM, as detailed in this directive.

A subsequent RSM (refer to RSM-B in Appendix A) containing a key in a BLACK state may be transported via any means authorized to safeguard physical shipment of PROTECTED A or higher information.

The associated RED decryption TrKEK or KEK must be transported separately to the end user using CSE-approved methods for shipment of ACM.

Appendix A – Key Distribution Methods

A.A.1 Key Distribution Methods

As illustrated in Figure 4, there are four methods of distributing an Electronic Key Management System/Classified Security Management Infrastructure (EKMS/CSMI) produced key in a BLACK state:

Method 1 - Over the EKMS/CSMI classified network.

Method 2 - Using T3MDs.

Method 3 - Using an RSM to devices of equal or higher classification (e.g. SECRET to SECRET, or SECRET to TOP SECRET).

Method 4 - Using an RSM over UNCLASSIFIED public networks or over PROTECTED A or PROTECTED B departmental networks.

Figure 4 – Key Distribution Methods for Key in a BLACK State

A.A.1.1 Method 1 – Distributing EKMS/CSMI-Produced Key in a BLACK State over the EKMS/CSMI Classified Network

Using LCMS, a key in a BLACK state can be distributed directly from an EKMS/CSMI source to an EKMS/CSMI destination by using LCMS’ electronic key distribution functions (e.g. Bulk Encrypted Transaction [BET]).

[Figure 4 diagram labels: Source Device: Canadian Central Facility (CCF), LCMS or CSMI Workstation (SECRET). Method 1: EKMS/CSMI, BLACK Key, Destination Device #1 (SECRET), e.g. LCMS. Method 2: BLACK Key, Destination Device #2 (PROTECTED A or higher), e.g. CARDS. Method 3 (new): RSM-A (SECRET), ALC 4, BLACK Key, Destination Device #3 (SECRET or TOP SECRET), e.g. CARDS. Method 4 (new): RSM-A (SECRET), ALC 4, File Transfer, Standalone PC (SECRET), BLACK Key, RSM-B (PROTECTED A), Destination Device #4 (PROTECTED A or higher), e.g. Department Network.]

A.A.1.2 Method 2 – Distributing EKMS/CSMI-Produced Key in a BLACK State using a T3MD

A key in a BLACK state can be removed from the EKMS/CSMI source onto a T3MD for distribution. The T3MD can then be physically transported to the end destination or the key can be sent to another T3MD at a distant location via Over-the-Air Distribution (OTAD). Additional direction can be found in equipment-specific doctrine.

A.A.1.3 Method 3 – Distributing EKMS/CSMI-Produced Key in a BLACK State using RSM to Devices of Equal or Higher Classification (e.g. SECRET to SECRET, or SECRET to TOP SECRET)

Using Common User Application Software (CUAS), a key in a BLACK state can be removed from the EKMS/CSMI source onto an RSM, which can be used to distribute the key in a BLACK state electronically over a classified (SECRET or higher) system, or the RSM with the BLACK key can be physically transported to an end destination, as detailed in this directive.

NOTE: An RSM (RSM-A in Figure 4) that has been loaded with key via EKMS or CSMI requires special handling: the RSM that is connected to an EKMS or CSMI terminal must be assigned a unique short title, be classified SECRET and be handled as ALC 4.

The key in a BLACK state resident on the RSM remains PROTECTED A. Once the key in a BLACK state is removed from the RSM, the RSM must still be handled as SECRET, ALC 4, and may be reused only within EKMS/CSMI or destroyed as detailed in this directive and in ITSG-06.

A.A.1.4 Method 4 – Distributing a Key in a BLACK State using RSM over UNCLASSIFIED Public Networks or over PROTECTED A or PROTECTED B Departmental Networks

Using CUAS and an appropriate transfer procedure, key in a BLACK state can be transported via RSM to UNCLASSIFIED public networks or protected departmental networks for further electronic distribution. This procedure must be done using a department-approved File Transfer Sanitization and Inspection application on a standalone UNCLASSIFIED PC to transfer the key in a BLACK state from the initial RSM (RSM-A in Figure 4) onto another clean RSM (RSM-B in Figure 4). Once Method 4 has been initiated, the standalone Personal Computer (PC) will be SECRET until such time as it is downgraded (refer to ITSG-06).

NOTE 1: The RSM (RSM-A in Figure 4) must be handled as detailed in Article A.A.1.3.

NOTE 2: The second RSM (RSM-B in Figure 4) will become PROTECTED A and will NOT be accountable within NCMCS; however, it must be sanitized (refer to ITSG-06) after the key in a BLACK state is removed from the RSM.


Appendix B – Requirements for Key in a RED, BLACK or Benign Fill States

This appendix defines the distinct requirements for key in a RED state, a BLACK state and a Benign Fill state.

A.B.1 RED, BLACK or Benign Fill Key States

Before key is filled into an ECU, it is either in transit or in storage. Table 4 below describes the three possible states in which key can exist while it is in transit or in storage.

Table 4 – Key States

Key States During Transit or Storage

Definition
  RED State: Unencrypted key; OR encrypted key that has a decryption mechanism that is not protected enough to meet the definition of a key in a BLACK state.
  BLACK State: Key that has been protected with CSE-approved encryption; AND has a decryption mechanism (refer to NOTE 1) that is:
    o protected with appropriate safeguards, and
    o stored and transmitted separately from the encrypted key.
  Benign Fill State: Key that has been encrypted at the point of generation such that it can only be decrypted after being filled into the ECU.

Examples
  RED State: TrKEK or KEK used to convert a key from a RED state to a BLACK state, or from a BLACK state to RED state (refer to NOTE 1). Key in a T3MD with the CIK/password accessible.
  BLACK State: BET. TrKEK-encrypted key or key package. KEK-encrypted key or key package.
  Benign Fill State: SCIP Rekey. KP Rekey.

Possible Key State Transitions
  RED State: Can be converted to BLACK state.
  BLACK State: Can be reconverted to RED state.
  Benign Fill State: None. Benign Fill key state cannot be changed.

Accounting
  RED State: A key in a RED state is always considered to logically exist, even after conversion to BLACK state, and therefore must follow this directive’s requirements for ACM until the key no longer exists in either BLACK state or RED state.
  BLACK State: ITSD-03A is not applicable. Should be tracked outside of NCMCS to have assurance of delivery.
  Benign Fill State: ITSD-03A is not applicable. Should be tracked outside of NCMCS to have assurance of delivery.

Handling Classification
  RED State: Equal to the highest classification of the communication that the key is authorized to protect.
  BLACK State and Benign Fill State: PROTECTED A

Network Transmission
  RED State: Must not be transmitted over a network (refer to NOTE 2).
  BLACK State and Benign Fill State: May be transmitted over any network authorized to protect PROTECTED A or higher information. For example:
    o Public Switched Telephone Network (PSTN) protected with SCIP;
    o Internet-protected with PKI or https; and
    o protected or classified department networks.

Physical Shipment
  RED State: Must follow this directive’s requirements for physical shipment of RED key.
  BLACK State and Benign Fill State: May be transported via any means authorized to safeguard physical shipment of PROTECTED A or higher information.

NOTE 1: The decryption mechanism for a key in a BLACK state is a TrKEK or KEK key in a RED state, which has a handling classification equal to that of the key being protected before it is encrypted with the TrKEK or KEK.

NOTE 2: Except where necessary for emergency operations, a key in a RED state must be converted to a BLACK state before transmission over a network.


Appendix C – Foreign Produced BLACK Key

The distribution concepts and methods defined in Appendix A.A.1.3 apply equally to both Canadian produced key and key produced by a foreign country. Following are two examples to assist in understanding how to handle foreign produced key.

Example 1 – A U.S.-produced Identification Friend or Foe (IFF) Mode 4/5 key in a RED state is converted in the U.S. to a key in a BLACK state using a KEK.

Upon receipt in a Canadian COMSEC Account, an IFF Mode 4/5 key in a BLACK state is treated as PROTECTED A, non-accountable, COMSEC material. It is transferred as described in Article A.1 and Appendix A until it is used in a benign-like fill application directly into the ECU.

The decryption KEK is shipped separately and loaded into the ECU.

Example 2 – A U.S.-produced Advanced Extremely High Frequency (AEHF) key in a BLACK state is distributed to Canada via Over-the-Air Rekey (OTAR) or OTAD.

During OTAD operations, the key in a BLACK state is sent to a T3MD (e.g. SKL) and is treated as PROTECTED A, non-accountable, COMSEC material and is transferred as described in Article A.1 until it is directly filled into AEHF Secure Mobile Anti-Jam Reliable Tactical Terminals (SMART-T) or transferred to a CD-ROM, which is used to fill AEHF Navy Multi-band Terminals (NMTs).

OTAR operations directly fill the ECU.