ITSD-03
ITSD-03
ITSD-03
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
UNCLASSIFIED<br />
Directive<br />
for the<br />
Control of COMSEC Material<br />
in the<br />
Government of Canada<br />
<strong>ITSD</strong>-<strong>03</strong><br />
October 2011
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
This page intentionally left blank.<br />
October 2011
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
Foreword<br />
The Directive for the Control of COMSEC Material in the Government of Canada is an<br />
unclassified publication issued under the authority of the Chief, Communications Security<br />
Establishment Canada (CSEC) in accordance with the Policy on Government Security.<br />
This directive takes effect on the date of signature and supersedes the COMSEC Material<br />
Control Manual (ITSG-10) dated July 2006.<br />
CSEC will issue appropriate direction, as required, to notify users of changes to this directive.<br />
General inquiries and suggestions for amendments must be forwarded through departmental<br />
COMSEC channels to COMSEC Client Services at CSEC by e-mail at<br />
comsecclientservices@cse-cst.gc.ca or call (613) 991-8495.<br />
____________________________________________________<br />
Toni Moffa<br />
Deputy Chief, Information Technology Security<br />
October 31, 2011<br />
______________________________<br />
Date<br />
© Government of Canada, Communications Security Establishment Canada, 2011<br />
It is permissible to reproduce or make extracts from this publication provided it is used for<br />
Government of Canada departmental use. Reproduction of multiple copies of this publication for<br />
the purpose of commercial redistribution is prohibited except with written permission from the<br />
Government of Canada’s copyright administrator, Public Works and Government Services<br />
Canada.<br />
Foreword October 2011 i
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
This page intentionally left blank.<br />
ii October 2011 Foreword
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
Record of Amendments<br />
Amendment No. Date Authority<br />
Record of Amendments October 2011 iii
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
This page intentionally left blank.<br />
iv October 2011 Record of Amendments
UNCLASSIFIED<br />
Table of Contents<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
Foreword ......................................................................................................................... i<br />
Record of Amendments ............................................................................................... iii<br />
List of Tables ............................................................................................................... xv<br />
List of Figures ............................................................................................................. xv<br />
List of Abbreviations and Acronyms ....................................................................... xvii<br />
1 Introduction ........................................................................................................... 1<br />
1.1 Purpose ....................................................................................................... 1<br />
1.2 Authority ..................................................................................................... 1<br />
1.3 Scope ........................................................................................................... 1<br />
1.4 Definitions ................................................................................................... 1<br />
1.5 Application .................................................................................................. 2<br />
1.6 Compliance ................................................................................................. 2<br />
1.7 Expected Results ........................................................................................ 3<br />
1.8 Consequence .............................................................................................. 3<br />
1.9 Requests for Exceptions ........................................................................... 3<br />
1.10 Points of Contact ........................................................................................ 3<br />
1.11 COMSEC User Portal .................................................................................. 4<br />
1.12 Communications Security Establishment Canada – Web Site ............... 4<br />
2 National COMSEC Material Control System ....................................................... 5<br />
2.1 Structure and Organization Overview ...................................................... 5<br />
2.2 National Central Office of Record ............................................................. 6<br />
2.2.1 Overview ............................................................................................ 6<br />
2.2.2 Registration Authority ........................................................................ 6<br />
2.2.3 COMSEC Account Manager .............................................................. 6<br />
2.2.4 Key Processor Privilege Certificate Manager ..................................... 7<br />
2.3 Central Office of Record ............................................................................ 7<br />
2.4 National Distribution Authority ................................................................. 7<br />
2.5 COMSEC Accounts .................................................................................... 8<br />
2.6 COMSEC Sub-Accounts ............................................................................ 8<br />
2.7 Local Elements ........................................................................................... 9<br />
3 Personnel ............................................................................................................. 11<br />
3.1 Roles and Responsibilities ...................................................................... 11<br />
3.1.1 Deputy Head .................................................................................... 11<br />
3.1.2 Departmental Security Officer .......................................................... 11<br />
3.1.3 Departmental COMSEC Authority ................................................... 11<br />
3.1.4 COMSEC Custodian ........................................................................ 12<br />
3.1.5 Alternate COMSEC Custodian ......................................................... 12<br />
Table of Contents October 2011 v
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
3.1.6 COMSEC Sub-Account Custodian .................................................. 12<br />
3.1.7 Alternate COMSEC Sub-Account Custodian ................................... 12<br />
3.1.8 Local Element .................................................................................. 12<br />
3.1.9 Controlling Authority ........................................................................ 13<br />
3.1.10 Other Authorized Users ................................................................... 13<br />
3.1.11 Key Ordering Personnel ................................................................... 13<br />
3.1.12 Witness ............................................................................................ 14<br />
3.2 Personnel Selection and Training ........................................................... 14<br />
3.2.1 Selection of COMSEC Custodians/Alternate COMSEC<br />
Custodians, COMSEC Sub-Account Custodians/Alternate<br />
COMSEC Sub-Account Custodians ................................................. 14<br />
3.2.2 COMSEC Training ........................................................................... 14<br />
4 Management of COMSEC Accounts .................................................................. 17<br />
4.1 Establish COMSEC Account .................................................................... 17<br />
4.1.1 Request Establishment of COMSEC Account ................................. 17<br />
4.1.2 Approve Establishment of COMSEC Account ................................. 17<br />
4.1.3 Establish COMSEC Sub-Accounts .................................................. 18<br />
4.1.4 Register Local Elements .................................................................. 18<br />
4.2 Establish COMSEC Account Files and Records .................................... 18<br />
4.2.1 Administrative Files .......................................................................... 18<br />
4.2.2 Accounting Files .............................................................................. 19<br />
4.2.3 Communications Security Establishment Canada-Approved<br />
Accounting Sub-Systems ................................................................. 19<br />
4.2.4 Retention/Disposition of Records and Files ..................................... 19<br />
4.2.5 Classification of Records and Files .................................................. 19<br />
4.2.6 Access to Records and Files ........................................................... 20<br />
4.3 Changes to COMSEC Accounts .............................................................. 20<br />
4.3.1 Changes to COMSEC Account Registration Information ................. 20<br />
4.3.2 Changes to the COMSEC Signing Authority Form<br />
(CSEC/CSTC-599) .......................................................................... 20<br />
4.3.3 Change of Personnel ....................................................................... 20<br />
4.3.4 Scheduling the COMSEC Custodian Changeover ........................... 20<br />
4.3.5 Conversion of a COMSEC Sub-Account to a COMSEC Account .... 21<br />
4.3.6 Change of Classification Level of a COMSEC Account ................... 21<br />
4.3.7 Absence of COMSEC Custodial Staff .............................................. 21<br />
4.4 Closing a COMSEC Account ................................................................... 22<br />
4.5 Closing a COMSEC Sub-Account ........................................................... 22<br />
4.6 Suspension of a COMSEC Account ........................................................ 23<br />
4.6.1 General ............................................................................................ 23<br />
4.6.2 Suspension ...................................................................................... 23<br />
4.6.3 Lifting Suspension ........................................................................... 23<br />
vi October 2011 Table of Contents
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
5 Identification of COMSEC Material .................................................................... 25<br />
5.1 Long Title .................................................................................................. 25<br />
5.2 Short Title .................................................................................................. 25<br />
5.3 Edition ....................................................................................................... 25<br />
5.4 Accounting Number ................................................................................. 25<br />
5.4.1 Assignment of Accounting Number .................................................. 25<br />
5.4.2 Local Accounting Identifier ............................................................... 25<br />
5.4.3 Unique Accounting Numbers for Electronic Key .............................. 26<br />
5.5 Accounting Legend Code ........................................................................ 26<br />
5.5.1 Description ....................................................................................... 26<br />
5.5.2 Entry of COMSEC Material into National COMSEC Material<br />
Control System ................................................................................ 26<br />
5.5.3 Accounting Legend Code 1 COMSEC Material ............................... 26<br />
5.5.4 Accounting Legend Code 2 COMSEC Material ............................... 27<br />
5.5.5 Accounting Legend Code 4 COMSEC Material ............................... 27<br />
5.5.6 Accounting Legend Code 6 COMSEC Material ............................... 27<br />
5.5.7 Accounting Legend Code 7 COMSEC Material ............................... 28<br />
5.6 Types of COMSEC Material...................................................................... 28<br />
5.6.1 Key Material ..................................................................................... 28<br />
5.6.2 COMSEC Equipment ....................................................................... 28<br />
5.6.3 COMSEC Publications ..................................................................... 28<br />
5.7 CRYPTO Marking ...................................................................................... 29<br />
5.8 Controlled Cryptographic Item Marking ................................................. 29<br />
5.9 Classification or Protected Marking ....................................................... 29<br />
6 Accounting Forms, Reports and Notices .......................................................... 31<br />
6.1 COMSEC Material Report ......................................................................... 31<br />
6.2 Local Accounting Records and Logs ..................................................... 31<br />
6.2.1 Handling Instructions/Disposition Record Card ................................ 31<br />
6.2.2 Local Accounting Logs ..................................................................... 31<br />
6.3 COMSEC Material Reports ....................................................................... 32<br />
6.3.1 Preparation and Distribution of COMSEC Material Reports ............. 32<br />
6.3.2 Transfer Report ................................................................................ 32<br />
6.3.3 Hand Receipt ................................................................................... 33<br />
6.3.4 Possession Report ........................................................................... 35<br />
6.3.5 Key Generation Report .................................................................... 36<br />
6.3.6 Conversion Report ........................................................................... 37<br />
6.3.7 Relief from Accountability Report ..................................................... 37<br />
6.3.8 Destruction Report ........................................................................... 38<br />
6.3.9 Consolidated Destruction Report ..................................................... 38<br />
6.3.10 Inventory Report .............................................................................. 40<br />
6.4 Accounting Notices .................................................................................. 41<br />
6.4.1 Tracer Notice – Transfers ................................................................ 41<br />
Table of Contents October 2011 vii
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
6.4.2 Tracer Action by the COMSEC Custodian ....................................... 41<br />
6.4.3 Tracer Action by National Central Office of Record/Central Office<br />
of Record ......................................................................................... 42<br />
7 Special Accounting Requirements .................................................................... 43<br />
7.1 Drop Accounting of North Atlantic Treaty Organization and<br />
International COMSEC Material .............................................................. 43<br />
7.1.1 General Requirement ...................................................................... 43<br />
7.1.2 North Atlantic Treaty Organization Funded Units ............................. 43<br />
7.1.3 North Atlantic Treaty Organization COMSEC Material Requiring<br />
Two-Person-Integrity Control ........................................................... 43<br />
7.2 Canadian Controlled COMSEC Material Outside of the National<br />
COMSEC Material Control System .......................................................... 43<br />
7.3 Criteria for Release of COMSEC Material to the Private Sector ........... 44<br />
7.4 Government Furnished Equipment ......................................................... 44<br />
7.4.1 Government Furnished Equipment for Canadian Industry ............... 44<br />
7.4.2 Government Furnished Equipment for Allied Contractors ................ 45<br />
7.5 COMSEC Material under Contract ........................................................... 45<br />
8 Access to COMSEC Material .............................................................................. 47<br />
8.1 Prerequisite for Access to COMSEC Material ........................................ 47<br />
8.1.1 Access by Government of Canada Employees and Contractors ..... 47<br />
8.1.2 Access by Foreign Nationals ........................................................... 47<br />
8.2 COMSEC Briefing and COMSEC Briefing Certificate ............................ 47<br />
8.2.1 Requirements .................................................................................. 47<br />
8.2.2 Retention of COMSEC Briefing Certificates ..................................... 48<br />
8.2.3 COMSEC Debriefings/Updates ........................................................ 48<br />
8.3 Two Person Integrity ................................................................................ 48<br />
8.4 No Lone Zone ............................................................................................ 48<br />
9 Physical Security ................................................................................................. 49<br />
9.1 COMSEC Facilities ................................................................................... 49<br />
9.1.1 Requirement .................................................................................... 49<br />
9.1.2 Planning and Establishing a COMSEC Facility ................................ 49<br />
9.1.3 Access Controls and Restrictions .................................................... 49<br />
9.1.4 COMSEC Facility Approval .............................................................. 50<br />
9.2 Secure Storage ......................................................................................... 51<br />
9.2.1 Security Containers ......................................................................... 51<br />
9.2.2 Segregation of COMSEC Material in Storage .................................. 51<br />
9.2.3 Opening of Security Containers in Emergency Situations ................ 51<br />
9.2.4 Incidents Involving Security Containers ........................................... 52<br />
9.2.5 Protecting Lock Combinations and Lock Keys ................................. 52<br />
9.3 Storage of Physical Key Material ............................................................ 54<br />
9.3.1 Storage Requirements ..................................................................... 54<br />
viii October 2011 Table of Contents
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
9.3.2 Key Material Held in Reserve .......................................................... 54<br />
9.4 Storage of Electronic Key Material ......................................................... 56<br />
9.5 Storage of COMSEC Equipment .............................................................. 56<br />
9.5.1 General Requirement ...................................................................... 56<br />
9.5.2 Preparation for Storage ................................................................... 56<br />
9.5.3 Spare or Standby Equipment ........................................................... 56<br />
9.6 Storage of COMSEC Publications ........................................................... 56<br />
10 Distribution and Receipt of COMSEC Material ................................................. 57<br />
10.1 Distributing COMSEC Material ................................................................ 57<br />
10.2 Distributing Electronic Key on Magnetic or Optical Media ................... 58<br />
10.3 Tracking the Shipment of COMSEC Material ......................................... 59<br />
10.4 Packaging Physical COMSEC Material ................................................... 59<br />
10.4.1 Overview .......................................................................................... 59<br />
10.4.2 Inner Wrapping ................................................................................ 59<br />
10.4.3 Outer Wrapping ............................................................................... 60<br />
10.4.4 Types of Packaging ......................................................................... 60<br />
10.4.5 Wooden Crates or Transit Cases ..................................................... 61<br />
10.5 Authorized Modes of Transportation ...................................................... 61<br />
10.5.1 Overview .......................................................................................... 61<br />
10.5.2 North Atlantic Treaty Organization and Foreign COMSEC Material 62<br />
10.6 Authorized Couriers of COMSEC Material ............................................. 64<br />
10.6.1 Canadian Government Diplomatic Courier Service ......................... 64<br />
10.6.2 Authorized Departmental Couriers ................................................... 64<br />
10.6.3 Contractor’s Authorized Couriers ..................................................... 65<br />
10.6.4 Commercial Carriers ........................................................................ 65<br />
10.7 Receiving COMSEC Material ................................................................... 66<br />
10.7.1 Preparation before Receiving COMSEC Material ............................ 66<br />
10.7.2 Inspection of Packages .................................................................... 67<br />
10.7.3 Validation of Content ....................................................................... 67<br />
11 Handling and Use ................................................................................................ 69<br />
11.1 Accountable Key Material ........................................................................ 69<br />
11.1.1 Purpose and Use ............................................................................. 69<br />
11.1.2 Labels .............................................................................................. 69<br />
11.1.3 Protective Packaging ....................................................................... 69<br />
11.1.4 Key Tape in Canisters...................................................................... 69<br />
11.1.5 Electronic Key Material on Magnetic or Optical Media ..................... 70<br />
11.1.6 Electronic Key on a Key Storage Device ......................................... 70<br />
11.1.7 Copies of Key .................................................................................. 70<br />
11.1.8 Two Person Integrity Controls .......................................................... 71<br />
11.2 Accountable COMSEC Equipment .......................................................... 71<br />
11.2.1 Sight Verification .............................................................................. 71<br />
Table of Contents October 2011 ix
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
11.2.2 Equipment Labels ............................................................................ 71<br />
11.2.3 Modification ...................................................................................... 72<br />
11.2.4 Equipment Installed for Operational Use ......................................... 72<br />
11.2.5 Key Storage/Fill Equipment Containing Key Material....................... 72<br />
11.2.6 Equipment Audit Trails ..................................................................... 72<br />
11.3 Accountable COMSEC Publications ....................................................... 73<br />
11.3.1 Reproduction ................................................................................... 73<br />
11.3.2 Frequency of Page Checks .............................................................. 73<br />
11.3.3 Conducting Page Checks ................................................................ 74<br />
11.3.4 Amendments to Accountable COMSEC Publications ...................... 74<br />
11.4 Local Tracking of Other Associated Material ......................................... 76<br />
11.4.1 Local Tracking System..................................................................... 76<br />
11.4.2 Control and Protection of Crypto Ignition Keys ................................ 76<br />
11.4.3 Record of Personal Identification Numbers and Passwords ............ 76<br />
11.4.4 Change of Personal Identification Numbers and Passwords ........... 77<br />
11.4.5 Storage of Personal Identification Numbers and Passwords ........... 77<br />
11.4.6 Configuration Disks .......................................................................... 77<br />
11.4.7 Software Upgrades .......................................................................... 77<br />
12 Destruction/Disposal of Accountable COMSEC Material ................................ 79<br />
12.1 General Requirement ............................................................................... 79<br />
12.2 Destruction of Key Material ..................................................................... 79<br />
12.2.1 Scheduling Destruction of Key Material ........................................... 79<br />
12.2.2 Unavailability of Destruction Devices ............................................... 79<br />
12.2.3 Conditions Affecting Destruction of Key Material ............................. 79<br />
12.2.4 Key Material Issued for Use ............................................................. 79<br />
12.2.5 Sealed Key Material ......................................................................... 80<br />
12.2.6 Emergency Supersession ................................................................ 80<br />
12.2.7 Defective Key Material ..................................................................... 80<br />
12.3 Destruction/Disposal of COMSEC Equipment ....................................... 81<br />
12.4 Destruction of COMSEC Publications .................................................... 81<br />
12.5 Performing Routine Destruction ............................................................. 81<br />
12.5.1 Personnel ......................................................................................... 81<br />
12.5.2 Training ............................................................................................ 82<br />
12.5.3 Performing Physical Destruction ...................................................... 82<br />
12.6 Routine Destruction Methods .................................................................. 83<br />
12.6.1 Paper COMSEC Material ................................................................. 83<br />
12.6.2 Non-Paper COMSEC Material ......................................................... 84<br />
12.7 Approved Routine Destruction Devices ................................................. 85<br />
12.8 Emergency Destruction Priorities ........................................................... 85<br />
12.8.1 Priorities within Categories .............................................................. 85<br />
12.8.2 Priorities for Combined Categories .................................................. 87<br />
12.9 Emergency Destruction Methods ............................................................ 87<br />
x October 2011 Table of Contents
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
12.10 Reporting Emergency Destruction ......................................................... 87<br />
13 COMSEC Account Inventory .............................................................................. 89<br />
13.1 Reasons for Inventory .............................................................................. 89<br />
13.2 Types of Inventory .................................................................................... 89<br />
13.2.1 Annual Inventory .............................................................................. 89<br />
13.2.2 Change of COMSEC Custodian Inventory ....................................... 89<br />
13.2.3 Special Inventory ............................................................................. 90<br />
13.3 Inventory Reports ..................................................................................... 90<br />
13.3.1 National Central Office of Record/Central Office of Record-<br />
Initiated Inventory Report ................................................................. 90<br />
13.3.2 COMSEC Account Inventory Report ................................................ 90<br />
13.3.3 Amendment to Inventory Report ...................................................... 91<br />
13.4 Inventory Process .................................................................................... 91<br />
13.4.1 Scheduling the Sight Inventory ........................................................ 91<br />
13.4.2 Conducting the Sight Inventory ........................................................ 92<br />
13.4.3 Reconciling the COMSEC Account Inventory Report ...................... 92<br />
14 COMSEC Emergency Plan .................................................................................. 95<br />
14.1 Preparing the COMSEC Emergency Plan ............................................... 95<br />
14.1.1 Requirement .................................................................................... 95<br />
14.1.2 Development of the Plan .................................................................. 95<br />
14.1.3 Maintaining and Testing the Plan ..................................................... 95<br />
14.1.4 Emergency Destruction Plan ........................................................... 95<br />
14.2 Planning for Emergency Events .............................................................. 96<br />
14.2.1 Best Practices .................................................................................. 96<br />
14.2.2 Natural Disasters and Accidental Emergencies ............................... 96<br />
14.2.3 Hostile Activity ................................................................................. 97<br />
15 COMSEC Account Audit ..................................................................................... 99<br />
15.1 Planning the Audit .................................................................................... 99<br />
15.1.1 Delegation of Authority..................................................................... 99<br />
15.1.2 Purpose of an Audit ......................................................................... 99<br />
15.1.3 Frequency of Audits ......................................................................... 99<br />
15.1.4 Scheduling the Audit ........................................................................ 99<br />
15.2 Conducting the Audit ............................................................................. 100<br />
15.2.1 Access to COMSEC Account Holdings .......................................... 100<br />
15.2.2 Scope of the Audit ......................................................................... 100<br />
15.2.3 Exit Interview ................................................................................. 100<br />
15.3 Audit Reporting ...................................................................................... 101<br />
15.3.1 COMSEC Account Audit Report .................................................... 101<br />
15.3.2 Statement of Action Form .............................................................. 101<br />
15.3.3 Failure to Return a Statement of Action Form ................................ 101<br />
15.4 COMSEC Sub-Account Audits .............................................................. 101<br />
Table of Contents October 2011 xi
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
15.4.1 Requirement .................................................................................. 101<br />
15.4.2 Communications Security Establishment Canada Participation ..... 101<br />
16 COMSEC Incidents ............................................................................................ 1<strong>03</strong><br />
16.1 General .................................................................................................... 1<strong>03</strong><br />
16.2 Classes of COMSEC Incidents .............................................................. 1<strong>03</strong><br />
16.2.1 Compromising Incidents ................................................................ 1<strong>03</strong><br />
16.2.2 Practices Dangerous to Security .................................................... 1<strong>03</strong><br />
16.3 Categories of COMSEC Incidents ......................................................... 104<br />
16.3.1 Cryptographic Incidents ................................................................. 104<br />
16.3.2 Personnel Incidents ....................................................................... 105<br />
16.3.3 Physical Incidents .......................................................................... 106<br />
16.4 Handling of Incidents ............................................................................. 107<br />
16.4.1 Departmental Procedures .............................................................. 107<br />
16.4.2 COMSEC Custodian Responsibility ............................................... 107<br />
16.4.3 Departmental COMSEC Authority Responsibility .......................... 107<br />
16.4.4 Reporting COMSEC Incidents ....................................................... 108<br />
16.5 Recovery of COMSEC Material .............................................................. 109<br />
16.6 Post-Incident Evaluation ........................................................................ 109<br />
16.7 COMSEC Incidents Involving North Atlantic Treaty Organization<br />
COMSEC Material ................................................................................... 110<br />
16.8 COMSEC Incidents Involving In-Process COMSEC Material .............. 110<br />
16.9 Disciplinary Action ................................................................................. 110<br />
Glossary ..................................................................................................................... 111<br />
Bibliography .............................................................................................................. 125<br />
Annex A – Control of In-Process COMSEC Material .............................................. 127<br />
A.1 Introduction ............................................................................................ 127<br />
A.1.1 Purpose ......................................................................................... 127<br />
A.1.2 Scope............................................................................................. 127<br />
A.1.3 Content of Annex ........................................................................... 127<br />
A.2 In-Process Plan ....................................................................................... 128<br />
A.2.1 Content of the In-Process Plan ...................................................... 128<br />
A.2.2 Approval of an In-Process Plan ..................................................... 129<br />
A.2.3 Approving Authority ....................................................................... 129<br />
A.2.4 Changes to an In-Process Plan ..................................................... 129<br />
A.3 Accounting for In-Process COMSEC Material...................................... 131<br />
A.3.1 Automated In-Process Accounting System .................................... 131<br />
A.3.2 In-Process Accounting Records ..................................................... 131<br />
A.3.3 Reconciliation of In-Process Accounting Records ......................... 132<br />
A.3.4 In-Process Accounting Reports ..................................................... 132<br />
A.3.5 Retention and Disposition of In-Process Records and Reports ..... 135<br />
xii October 2011 Table of Contents
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
A.3.6 Audit of In-Process COMSEC Accounts ........................................ 135<br />
A.4 Control of In-Process COMSEC Equipment ......................................... 135<br />
A.4.1 Integrated Circuits .......................................................................... 135<br />
A.4.2 Controlled Cryptographic Items ..................................................... 136<br />
A.4.3 Breakage, Waste and Scrap In-Process COMSEC Material .......... 139<br />
A.4.4 Loss of In-Process COMSEC Material ........................................... 140<br />
A.5 COMSEC Equipment under Repair and Maintenance Contract .......... 140<br />
A.5.1 Transfer to/from the Contractor ...................................................... 140<br />
A.5.2 Accountability within the Repair and Maintenance In-Process<br />
Facility ............................................................................................ 140<br />
A.5.3 Sources of Spare COMSEC Parts, Components and Assemblies . 140<br />
A.5.4 Non-Serviceable In-Process Parts, Components and Assemblies 141<br />
A.5.5 Non-repairable COMSEC Equipment ............................................ 142<br />
A.6 Accountable COMSEC Publications under Development ................... 142<br />
A.6.1 In-Process Manuscripts ................................................................. 142<br />
A.6.2 Working Papers ............................................................................. 142<br />
A.6.3 Release of In-Process Manuscripts before Government of<br />
Canada Acceptance ...................................................................... 142<br />
A.6.4 Government of Canada Acceptance of a Final Manuscript ............ 144<br />
A.6.5 Destruction of In-Process Manuscripts .......................................... 144<br />
A.7 Accountable COMSEC Publications under Reproduction or<br />
Translation Contract .............................................................................. 145<br />
A.7.1 In-Process Manuscripts ................................................................. 145<br />
A.7.2 COMSEC Publications Controlled within the National COMSEC<br />
Material Control System................................................................. 145<br />
A.7.3 Destruction of In-Process Material Surplus to Contract<br />
Requirement .................................................................................. 145<br />
Table of Contents October 2011 xiii
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
This page intentionally left blank.<br />
xiv October 2011 Table of Contents
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
List of Tables<br />
Table 1 – Contact Information ......................................................................................... 3<br />
Table 2 – Key Material Held in Reserve ........................................................................ 54<br />
Table 3 – Storage of Physical Key Material ................................................................... 55<br />
Table 4 – Authorized Modes of Transportation for COMSEC Material .......................... 63<br />
Table 5 – Approval of IP Plans .................................................................................... 129<br />
Table 6 – Labelling CCI ............................................................................................... 139<br />
List of Figures<br />
Figure 1 – National COMSEC Material Control System (NCMCS).................................. 5<br />
Figure 2 – Example of Magnetic or Optical Media Label ............................................... 59<br />
Figure 3 – IP Hand Receipt Required Information ....................................................... 134<br />
Figure 4 – Return of Issued IP COMSEC Material ...................................................... 134<br />
Figure 5 – IP COMSEC Material Label ........................................................................ 144<br />
List of Tables and October 2011 xv<br />
List of Figures
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
This page intentionally left blank.<br />
xvi October 2011 List of Tables and<br />
List of Figures
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
List of Abbreviations and Acronyms<br />
ACM<br />
ACMCA<br />
ALC<br />
CA<br />
CARDS<br />
CCD<br />
CCF<br />
CCI<br />
CD<br />
CFCSU<br />
CICA<br />
CIK<br />
CKL<br />
CMAC<br />
COMSEC<br />
COR<br />
CSC<br />
CSEC<br />
CSO<br />
CUP<br />
DCA<br />
DDSM<br />
DIAS<br />
DND<br />
DSC<br />
DSO<br />
DVD<br />
EKMS<br />
FAA<br />
FOUO<br />
FSC<br />
FSU<br />
GC<br />
GFE<br />
HI/DR<br />
IC<br />
ICMCM<br />
ID<br />
Accountable COMSEC Material<br />
Accountable COMSEC Material Control Agreement<br />
Accounting Legend Code<br />
Controlling Authority<br />
COMSEC Accounting, Reporting and Distribution System<br />
Canadian Cryptographic Doctrine<br />
Canadian Central Facility<br />
Controlled Cryptographic Item<br />
Compact Disk<br />
Canadian Forces COMSEC Support Unit<br />
CSEC Industrial COMSEC Account<br />
Crypto-Ignition Key<br />
Compromise Key List<br />
Crypto Material Assistance Centre<br />
Communications Security<br />
Central Office of Record<br />
COMSEC Safeguarding Capability<br />
Communications Security Establishment Canada<br />
Company Security Officer<br />
COMSEC User Portal<br />
Departmental COMSEC Authority<br />
Directive on Department Security Management<br />
Distributed INFOSEC Accounting System<br />
Department of National Defence<br />
Document Safeguarding Capability<br />
Departmental Security Officer<br />
Digital Versatile Disk<br />
Electronic Key Management System<br />
Financial Administration Act<br />
For Official Use Only<br />
Facility Security Clearance<br />
Field Software Upgrade<br />
Government of Canada<br />
Government Furnished Equipment<br />
Handling Instructions/Disposition Record<br />
Integrated Circuit<br />
Industrial COMSEC Material Control Manual<br />
Identifier<br />
List of Abbreviations and October 2011 xvii<br />
Acronyms
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
IP<br />
INFOSEC<br />
ISDN<br />
IT<br />
ITS AFU<br />
ITSA<br />
ITSB<br />
<strong>ITSD</strong><br />
ITSLC<br />
KEK<br />
KMID<br />
KMSP<br />
KP<br />
MOA<br />
MOU<br />
NATO<br />
NCER<br />
NCIO<br />
NCMCS<br />
NCOR<br />
NDA<br />
NLZ<br />
NSA<br />
ORR<br />
PDS<br />
PGS<br />
PIN<br />
PSTN<br />
PWA<br />
PWGSC<br />
R&M<br />
SCIP<br />
SDNS<br />
SKCR<br />
SPIRS<br />
T3MD<br />
TBS<br />
TEK<br />
TPI<br />
TRA<br />
In-Process<br />
Information Security<br />
Integrated Services Digital Network<br />
Information Technology<br />
Information Technology Security Approvals for Use<br />
Information Technology Security Alert<br />
Information Technology Security Bulletin<br />
Information Technology Security Directive<br />
Information Technology Security Learning Centre<br />
Key Encryption Key<br />
Key Material Identifier<br />
Key Material Support Plan<br />
Key Processor<br />
Memorandum of Agreement<br />
Memorandum of Understanding<br />
North Atlantic Treaty Organization<br />
National Cryptographic Equipment Reserve<br />
National COMSEC Incidents Office<br />
National COMSEC Material Control System<br />
National Central Office of Record<br />
National Distribution Authority<br />
No Lone Zone<br />
National Security Agency<br />
Operational Rekey Report<br />
Practices Dangerous to Security<br />
Policy on Government Security<br />
Personal Identification Number<br />
Public Switched Telephone Network<br />
Printed Wiring Assembly<br />
Public Works and Government Services Canada<br />
Repair and Maintenance<br />
Secure Communications Interoperability Protocol<br />
Secure Data Network System<br />
Seed Key Conversion Report<br />
SDNS PSTN-ISDN Rekey Subsystem<br />
Tier 3 Management Device<br />
Treasury Board of Canada Secretariat<br />
Traffic Encryption Key<br />
Two-Person Integrity<br />
Threat and Risk Assessment<br />
xviii October 2011 List of Abbreviations and<br />
Acronyms
UNCLASSIFIED<br />
U//FOUO<br />
U.K.<br />
U.S.<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
Unclassified//For Official Use Only<br />
United Kingdom<br />
United States<br />
List of Abbreviations and October 2011 xix<br />
Acronyms
UNCLASSIFIED<br />
1 Introduction<br />
1.1 Purpose<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
This directive provides the minimum security requirements for the control of accountable<br />
Communications Security (COMSEC) material in the Government of Canada (GC).<br />
1.2 Authority<br />
This directive is promulgated pursuant to the Policy on Government Security (PGS), which<br />
delegates Communications Security Establishment Canada (CSEC) as the lead security agency<br />
and national authority for the development, approval and promulgation of COMSEC policy<br />
instruments and for the development of guidelines and tools related to Information<br />
Technology (IT) Security.<br />
1.3 Scope<br />
The methods for the control of COMSEC material vary and are determined by the nature of the<br />
material itself. The scope of this directive includes:<br />
<br />
<br />
<br />
COMSEC material, which requires control and accountability within the National<br />
COMSEC Material Control System (NCMCS);<br />
COMSEC material under development, which requires local accounting and control<br />
within an In-Process (IP) accounting system as detailed in Annex A; and<br />
COMSEC material (other than above), which requires control and local tracking by the<br />
COMSEC Custodian through a manual or electronic tracking system outside of the<br />
NCMCS.<br />
1.4 Definitions<br />
COMSEC – The application of cryptographic security, transmission and emission<br />
security, physical security measures, operational practices and controls to deny<br />
unauthorized access to information derived from telecommunications and that ensure the<br />
authenticity of such telecommunications.<br />
COMSEC Material – Material designed to secure or authenticate telecommunications<br />
information. COMSEC material includes, but is not limited to, key, equipment, modules,<br />
devices, documents, hardware, firmware or software that embodies or describes<br />
cryptographic logic and other items that perform COMSEC functions.<br />
Introduction October 2011 1
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
Accountable COMSEC Material (ACM) – COMSEC material that requires control and<br />
accountability within the National COMSEC Material Control System (NCMCS) in<br />
accordance with its accounting legend code and for which transfer or disclosure could be<br />
detrimental to the national security of Canada.<br />
NCMCS – A CSEC-approved, central logistic system through which COMSEC material,<br />
including COMSEC material marked “CRYPTO” is distributed, controlled and<br />
safeguarded.<br />
Refer to the Glossary for additional definitions of terms used in this directive.<br />
1.5 Application<br />
This directive applies to:<br />
<br />
<br />
<br />
GC departments within the meaning of Schedules I, I.1, II, IV and V of the Financial<br />
Administration Act (FAA), unless excluded by specific acts, regulations or Orders in<br />
Council;<br />
GC departments not listed in the above mentioned FAA Schedules, but that have entered<br />
into a written agreement with the Treasury Board of Canada Secretariat (TBS) to adopt<br />
the requirements of the PGS. A copy of the agreement must be maintained in the CSEC<br />
National Central Office of Record (NCOR) chronological files; and<br />
Private Sector companies and organizations managing COMSEC material under the<br />
direction of the Industrial COMSEC Material Control Manual (ICMCM). If a situation<br />
arises that is not covered by the ICMCM, or a discrepancy arises between it and the<br />
content of this directive, <strong>ITSD</strong>-<strong>03</strong> takes precedence.<br />
NOTE: For the purpose of this directive, the term ‘GC departments’ includes all federal<br />
institutions (e.g. departments, agencies, organizations) subject to the FAA and PGS.<br />
1.6 Compliance<br />
All GC departments identified in Article 1.5 must comply with the baseline security<br />
requirements of the Directives for the Application of Communications Security in the<br />
Government of Canada (<strong>ITSD</strong>-01) and this directive. While compliance with these minimum<br />
security requirements is the responsibility of each GC department, this does not preclude<br />
individual departments from applying more stringent security measures. Departmental directives<br />
that exceed the minimum security requirements of <strong>ITSD</strong>-<strong>03</strong> take precedence within that<br />
department.<br />
2 October 2011 Introduction
UNCLASSIFIED<br />
1.7 Expected Results<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
This directive describes courses of action which CSEC has determined are required to achieve a<br />
minimum level of control, safeguard and accounting for COMSEC material in departmental<br />
communications operations.<br />
1.8 Consequence<br />
Failure to comply with this directive may result in escalated administrative controls being placed<br />
on a COMSEC Account. In extreme circumstances, a COMSEC Account will be suspended until<br />
an external audit is conducted and the Departmental Security Officer (DSO) or DSO-delegated<br />
Departmental COMSEC Authority (DCA) has rectified any shortcomings.<br />
1.9 Requests for Exceptions<br />
Requests for exceptions or waivers to any of the direction contained herein must be submitted to<br />
COMSEC Client Services at CSEC. Requests must be submitted in writing and include<br />
justification. CSEC approval is required before implementing any exception or waiver.<br />
NOTE: Exceptions or waivers are designed to be remedial and of limited duration.<br />
1.10 Points of Contact<br />
The CSEC points of contact for topics covered by this directive are listed in Table 1 below.<br />
Table 1 – Contact Information<br />
Office Phone Number E-mail Address<br />
COMSEC Client Services 613-991-8495 comsecclientservices@cse-cst.gc.ca<br />
Crypto Material Assistance Centre<br />
(CMAC)<br />
and<br />
National Central Office of Record<br />
(NCOR)<br />
National COMSEC Incidents<br />
Office (NCIO)<br />
613-991-8600 cmac-camc@cse-cst.gc.ca<br />
613-991-8175 ncio@cse-cst.gc.ca<br />
Introduction October 2011 3
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
1.11 COMSEC User Portal<br />
Authorized users may access the CSEC COMSEC User Portal (CUP) at http://comsecportal.csecst.gc.ca.<br />
The CSEC CUP provides COMSEC-related information and Field Software Upgrades<br />
(FSUs), up to PROTECTED A, associated with high assurance products, systems and services.<br />
For information on becoming an authorized user of the CSEC CUP, contact the CMAC at CSEC.<br />
1.12 Communications Security Establishment Canada – Web Site<br />
Other COMSEC directives and information (UNCLASSIFIED only) associated with high<br />
assurance products, systems and services are available at http://www.cse-cst.gc.ca/itssti/publications/index-eng.html.<br />
4 October 2011 Introduction
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
2 National COMSEC Material Control System<br />
2.1 Structure and Organization Overview<br />
The NCMCS is a CSEC-approved logistics system which includes the personnel and procedures<br />
that enable GC departments to effectively handle and control COMSEC material. The NCMCS<br />
provides for the control of COMSEC material through:<br />
National Central Office of Record (NCOR)<br />
Central Office of Record (COR)<br />
<br />
<br />
<br />
<br />
National Distribution Authority (NDA)<br />
COMSEC Accounts<br />
COMSEC Sub-Accounts, and<br />
Local Elements (formerly referred to as Loan Holders or Authorized Users).<br />
National Central<br />
Office of<br />
Record (NCOR)<br />
National Distribution<br />
Authority (NDA)<br />
GC Department<br />
COMSEC Accounts<br />
CSEC Industrial<br />
COMSEC Account<br />
(CICA)<br />
Department of National<br />
Defence (DND)<br />
Central Office of Record<br />
(COR)<br />
Local<br />
Elements<br />
COMSEC<br />
Sub-accounts<br />
COMSEC<br />
Sub-accounts<br />
DND<br />
COMSEC Accounts<br />
Local<br />
Elements<br />
COMSEC<br />
Sub-accounts<br />
Local<br />
Elements<br />
Local<br />
Elements<br />
Figure 1 – National COMSEC Material Control System (NCMCS)<br />
National COMSEC Material October 2011 5<br />
Control System
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
2.2 National Central Office of Record<br />
2.2.1 Overview<br />
NCOR is the entity at CSEC which is responsible for overseeing the management and<br />
accounting of COMSEC material produced in, or entrusted to Canada. NCOR is not a COMSEC<br />
Account and never holds COMSEC material. NCOR responsibilities include the three distinct<br />
roles of Registration Authority, COMSEC Account Manager and Key Processor (KP) Privilege<br />
Certificate Manager. These roles are administered by the CMAC.<br />
2.2.2 Registration Authority<br />
As the national Registration Authority for GC COMSEC Accounts, NCOR personnel:<br />
manage the block of Electronic Key Management System (EKMS) Identifiers (IDs)<br />
(i.e. COMSEC Account numbers) used in Canada;<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
register NCOR with allied COMSEC material control systems;<br />
participate in the opening and closing of COMSEC Accounts for the GC;<br />
temporarily deactivate COMSEC Accounts for GC departments;<br />
confirm the appointment or termination of appointment of the DCA, COMSEC Custodian<br />
and Alternate COMSEC Custodian(s);<br />
assign a unique EKMS ID to each COMSEC Account;<br />
collect and maintain account registration data in the EKMS Directory Service;<br />
provide registration data to COMSEC Accounts that do not have access to the EKMS<br />
Directory Service; and<br />
register COMSEC Accounts with allied COMSEC material control systems when those<br />
accounts are authorized to exchange COMSEC material with allied countries.<br />
2.2.3 COMSEC Account Manager<br />
As COMSEC Account Manager, NCOR personnel:<br />
maintain a master inventory of all centrally accountable COMSEC material for those<br />
COMSEC Accounts under their purview;<br />
process COMSEC Material Reports, including validation of signature(s) against signature<br />
specimens;<br />
perform annual inventory reconciliations with COMSEC Accounts under his or her<br />
purview;<br />
6 October 2011 National COMSEC Material<br />
Control System
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
<br />
<br />
<br />
monitor the effective dates of key material to ensure key material is destroyed and<br />
reported as destroyed in a timely manner;<br />
support the evaluation and recovery from compromise or potential compromise of<br />
COMSEC material; and<br />
liaise with COMSEC Account personnel and provide guidance and assistance on all<br />
COMSEC accounting matters.<br />
2.2.4 Key Processor Privilege Certificate Manager<br />
As the KP Privilege Certificate Manager, NCOR personnel:<br />
accept and validate requests for KP Privilege Certificates;<br />
<br />
<br />
create, sign and distribute KP Privilege Certificates; and<br />
maintain configuration control of KP Privilege Certificates.<br />
2.3 Central Office of Record<br />
A COR is an entity within a GC department, which is responsible for overseeing the<br />
management and accounting of COMSEC material held by COMSEC Accounts subject to its<br />
oversight. NCOR will establish a COR in a GC department upon approval from COMSEC Client<br />
Services at CSEC that sufficient justification for a COR exists. A COR can only be established<br />
by receiving delegated authorities from the NCOR to administer the regulatory processes of this<br />
directive within its own department.<br />
NOTE: CSEC has established the Department of National Defence (DND) Canadian Forces<br />
COMSEC Support Unit (CFCSU) as a COR. Throughout this directive, the combined<br />
term NCOR/COR will mean NCOR (or COR if applicable).<br />
2.4 National Distribution Authority<br />
The NDA is the entity at CSEC responsible for the movement (receipt and distribution) of ACM<br />
in and out of the country. It is also responsible for:<br />
<br />
<br />
<br />
<br />
<br />
storing a limited amount of ACM for eventual distribution;<br />
storing contingency key material, in the event of system failure;<br />
holding the National Cryptographic Equipment Reserve (NCER);<br />
receiving ACM for disposal or out-of-country repair or transfer;<br />
receiving and redistributing allied ACM;<br />
National COMSEC Material October 2011 7<br />
Control System
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
<br />
<br />
receiving damaged or defective ACM being returned to CSEC for technical evaluation;<br />
and<br />
generating and distributing electronic key, as required.<br />
2.5 COMSEC Accounts<br />
GC departments must establish a COMSEC Account before receiving COMSEC material.<br />
Normally, only one COMSEC Account is established at each GC department. However, if<br />
sufficient justification exists, COMSEC Client Services at CSEC may approve the establishment<br />
of additional COMSEC Account(s) within a GC department. COMSEC Accounts may establish<br />
COMSEC Sub-Accounts and may register Local Elements. Each COMSEC Account is assigned<br />
by NCOR/COR a unique EKMS ID.<br />
The minimum COMSEC Account personnel requirements include:<br />
a DCA<br />
a COMSEC Custodian, and<br />
at least one Alternate COMSEC Custodian.<br />
NOTE 1: For COMSEC Accounts requiring Two-Person Integrity (TPI) or No Lone Zone<br />
(NLZ) controls, more than one Alternate COMSEC Custodian is recommended.<br />
NOTE 2: Refer to Chapter 3 for requirements applicable to personnel roles and responsibilities<br />
and Chapter 4 for information on establishing COMSEC Accounts.<br />
2.6 COMSEC Sub-Accounts<br />
GC departments may establish COMSEC Sub-Accounts to assist with the control of COMSEC<br />
material. The COMSEC Sub-Account:<br />
<br />
<br />
<br />
<br />
<br />
<br />
will be assigned a unique EKMS ID by the parent COMSEC Account Custodian;<br />
must have a COMSEC Sub-Account Custodian and at least one Alternate COMSEC<br />
Sub-Account Custodian;<br />
must exchange COMSEC material and accounting transactions only with its own GC<br />
parent COMSEC Account;<br />
must not hold COMSEC material to which the parent COMSEC Account cannot have<br />
access;<br />
must register Local Elements; and<br />
must not establish transactions with other COMSEC Sub-Accounts.<br />
NOTE: CSEC is responsible for establishing COMSEC Sub-Accounts within the private<br />
sector.<br />
8 October 2011 National COMSEC Material<br />
Control System
UNCLASSIFIED<br />
2.7 Local Elements<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
Local Elements are individuals who are authorized to hold and use COMSEC material. Local<br />
Elements do not have their own EKMS ID. They share the EKMS ID of the COMSEC Account<br />
or COMSEC Sub-Account at which they are registered. Local Elements are authorized to<br />
exchange COMSEC material only with the COMSEC Account or COMSEC Sub-Account at<br />
which they are registered. Local Elements are not authorized to re-loan COMSEC material to<br />
other Local Elements except through their own COMSEC Account Custodian or COMSEC Sub-<br />
Account Custodian.<br />
National COMSEC Material October 2011 9<br />
Control System
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
This page intentionally left blank.<br />
10 October 2011 National COMSEC Material<br />
Control System
UNCLASSIFIED<br />
3 Personnel<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
3.1 Roles and Responsibilities<br />
All COMSEC Account personnel and other personnel requiring access to COMSEC material<br />
must be Canadian citizens (including dual nationality) (see Article 3.2.1, Article 6.3.3.4 and<br />
Chapter 8 for additional detail). Except for private sector COMSEC Sub-Accounts, COMSEC<br />
Account personnel must be an employee of the GC department registered to the COMSEC<br />
Account.<br />
3.1.1 Deputy Head<br />
Deputy Heads of GC departments are responsible for implementing this directive.<br />
3.1.2 Departmental Security Officer<br />
The DSO is appointed by the department Deputy Head. Among other duties, as listed in the PGS,<br />
the DSO is responsible to manage the departmental security program. For more detail on the<br />
roles and responsibilities of the DSO, consult the Directive on Department Security Management<br />
(DDSM).<br />
3.1.3 Departmental COMSEC Authority<br />
A DCA may be appointed by the DSO to act in his/her stead to manage the departmental<br />
COMSEC program. The DCA is responsible for developing, implementing, maintaining,<br />
coordinating and monitoring a departmental COMSEC program that is consistent with the PGS<br />
and its operational standards. Additionally, the DCA is responsible for the overall control of<br />
COMSEC material that has been charged to the departmental COMSEC Account. Refer to the<br />
DCA Quick Reference Guide for an overview of the DCA responsibilities associated with the<br />
control of COMSEC material.<br />
NOTE: In departments where a DCA is not appointed, the DSO must assume the role and<br />
responsibilities of the DCA.<br />
3.1.3.1 Separation of Duties<br />
The DCA, or any other individual within the GC department fulfilling the role of the DCA, may<br />
not be appointed as a COMSEC Custodian, Alternate COMSEC Custodian, COMSEC Sub-<br />
Account Custodian or Alternate COMSEC Sub-Account Custodian.<br />
COMSEC Custodian personnel must not be designated to more than one COMSEC Account or<br />
COMSEC Sub-Account at the same time.<br />
Personnel October 2011 11
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
3.1.4 COMSEC Custodian<br />
COMSEC Custodians are responsible for the generation, receipt, custody, distribution,<br />
disposition or destruction, and accounting of COMSEC material entrusted to their COMSEC<br />
Account or Sub-Account in accordance with this directive. COMSEC Custodians are also<br />
responsible for providing their departmental users with COMSEC equipment troubleshooting<br />
support and guidance on the use of key material. Refer to the COMSEC Custodian Quick<br />
Reference Guide for an overview of the COMSEC Custodian responsibilities.<br />
3.1.5 Alternate COMSEC Custodian<br />
The Alternate COMSEC Custodian assists the COMSEC Custodian in the day-to-day activities<br />
of the COMSEC Account or Sub-Account and performs the duties of the COMSEC Custodian in<br />
the temporary absence of the COMSEC Custodian. Refer also to the same COMSEC Custodian<br />
Quick Reference Guide mentioned in Article 3.1.4.<br />
3.1.6 COMSEC Sub-Account Custodian<br />
COMSEC Sub-Account Custodians are responsible for the generation, receipt, custody,<br />
distribution, disposition or destruction, and accounting of COMSEC material entrusted to their<br />
COMSEC Sub-Account in accordance with this directive. COMSEC Sub-Account Custodians<br />
are also responsible for providing their authorized users with COMSEC equipment<br />
troubleshooting support and guidance on the use of key material. Refer also to the same<br />
COMSEC Custodian Quick Reference Guide mentioned in Article 3.1.4.<br />
3.1.7 Alternate COMSEC Sub-Account Custodian<br />
The Alternate COMSEC Sub-Account Custodian assists the COMSEC Sub-Account Custodian<br />
in the day-to-day activities of the COMSEC Sub-Account and performs the duties of the<br />
COMSEC Sub-Account Custodian in the temporary absence of the COMSEC Sub-Account<br />
Custodian. Refer also to the same COMSEC Custodian Quick Reference Guide mentioned in<br />
Article 3.1.4.<br />
3.1.8 Local Element<br />
A Local Element is an individual who is authorized to hold and use COMSEC material. A Local<br />
Element is personally responsible for the control, safeguarding and disposition of COMSEC<br />
material entrusted to he or she, in accordance with the control and handling instructions provided<br />
by their COMSEC Account or Sub-Account Custodian.<br />
12 October 2011 Personnel
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
3.1.9 Controlling Authority<br />
Controlling Authorities (CAs) must be appointed by the DCA to establish and maintain order,<br />
supervise cryptographic logistics and respond to security issues affecting a cryptographic<br />
network (cryptonet) that has been established to protect the electronic communication of<br />
classified and PROTECTED C information.<br />
All cryptonets require an appointed CA to manage the operational use of the key material<br />
assigned to the cryptonet and to develop a Key Material Support Plan (KMSP) before it can be<br />
given authority to operate. Refer to the Directive for the Use of CSEC-Approved COMSEC<br />
Equipment and Key on a Telecommunications Network (<strong>ITSD</strong>-04) for complete detail on the<br />
responsibilities of the CA and how to prepare a KMSP.<br />
3.1.10 Other Authorized Users<br />
In certain instances, individuals such as shift workers and technicians may require short term<br />
(immediate) access to COMSEC material. Before allowing this access, the individual who is<br />
personally responsible for the COMSEC material must confirm with the DCA, COMSEC<br />
Custodian or COMSEC Sub-Account Custodian that the user requiring access:<br />
<br />
<br />
<br />
<br />
<br />
<br />
is a Canadian citizen (including dual nationality);<br />
has a need-to-know, has been COMSEC briefed and possesses the required security<br />
clearance or reliability status;<br />
signs for and maintains constant personal surveillance of the COMSEC material until it is<br />
returned (refer to Article 6.2);<br />
does not store the COMSEC material and returns it for lock-up when not under positive<br />
personal possession;<br />
does not transport the COMSEC material to another work area or building without<br />
consent; and<br />
understands what constitutes a COMSEC incident or potential COMSEC incident.<br />
3.1.11 Key Ordering Personnel<br />
The DCA is responsible to appoint key ordering personnel and establish their privileges to<br />
submit orders for key material. In addition to their regular responsibilities, COMSEC custodial<br />
staff can also be appointed to handle key ordering responsibilities.<br />
NOTE: Refer to the Cryptographic Key Ordering Manual (ITSG-13) for key ordering<br />
requirements.<br />
Personnel October 2011 13
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
3.1.12 Witness<br />
Sight inventory of COMSEC material and most types of destruction (see Article 12.5.1.3) must<br />
be witnessed. The witness would normally be an Alternate COMSEC Custodian; however,<br />
another appropriately cleared and COMSEC briefed individual may act as a witness when an<br />
Alternate COMSEC Custodian is not available. The COMSEC Custodian (or other personnel)<br />
who asks an individual to serve as a witness must ensure that the individual is fully conversant<br />
with the responsibilities of being a witness. The witness must not sign any documentation<br />
without having personally sighted the COMSEC material being inventoried or destroyed.<br />
3.2 Personnel Selection and Training<br />
3.2.1 Selection of COMSEC Custodians/Alternate COMSEC Custodians,<br />
COMSEC Sub-Account Custodians/Alternate COMSEC Sub-Account<br />
Custodians<br />
The DCA must carefully screen individuals who have been selected to become a COMSEC<br />
Custodian, Alternate COMSEC Custodian, COMSEC Sub-Account Custodian or Alternate<br />
COMSEC Sub-Account Custodian to ensure that each proposed individual:<br />
<br />
<br />
<br />
<br />
<br />
<br />
is a Canadian citizen (including dual nationality);<br />
possesses a security clearance at least equal to the highest sensitivity of the COMSEC<br />
material held in the COMSEC Account;<br />
is a responsible individual who is qualified to assume the duties and responsibilities of<br />
COMSEC Custodian, Alternate COMSEC Custodian, COMSEC Sub-Account Custodian<br />
or Alternate COMSEC Sub-Account Custodian;<br />
is in a position or level of authority which would permit the individual to exercise proper<br />
jurisdiction in fulfilling the responsibilities of the position;<br />
has not previously been relieved of COMSEC Custodian, Alternate COMSEC Custodian,<br />
COMSEC Sub-Account Custodian or Alternate COMSEC Sub-Account Custodian duties<br />
for reasons of negligence or non-performance of duties; and<br />
will not be assigned duties that would interfere or conflict with the duties as COMSEC<br />
Custodian, Alternate COMSEC Custodian, COMSEC Sub-Account Custodian or<br />
Alternate COMSEC Sub-Account Custodian.<br />
3.2.2 COMSEC Training<br />
3.2.2.1 General<br />
Appointments of COMSEC Account personnel in Article 3.2.1 require that each appointee have<br />
completed CSEC-approved training before starting the role or as soon as possible (next available<br />
course) following the appointment.<br />
14 October 2011 Personnel
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
NOTE: Training can be delayed only in extenuating circumstances (e.g. no formal course<br />
available prior to appointment). If training has to be delayed, COMSEC Client<br />
Services should be contacted for additional instruction.<br />
3.2.2.2 Schedules and Registration<br />
Course schedules and registration information are available from the IT Security Learning<br />
Centre (ITSLC), at CSEC.<br />
NOTE 1: Personnel attending courses requiring access to ACM will be COMSEC briefed by<br />
ITSLC staff at the outset of the course.<br />
NOTE 2: Due to technological, procedural and standards advances, former COMSEC staffs,<br />
who have not performed COMSEC related duties for more than two years, must<br />
attend formal COMSEC training.<br />
3.2.2.3 Formal COMSEC Custodian Course<br />
COMSEC Custodians require formal training. The DCA must ensure that each new COMSEC<br />
Custodian and Alternate COMSEC Custodian attends the formal COMSEC Custodian course<br />
before or as soon as possible following the appointment. Other departmental personnel who use<br />
or are responsible for the control of COMSEC material may also attend this course.<br />
3.2.2.4 Interim COMSEC Custodian Training<br />
Where formal training is unavailable prior to appointment or when a new COMSEC Custodian<br />
or Alternate COMSEC Custodian is unable to attend, due to extenuating circumstances, the<br />
formal COMSEC Custodian training course before the appointment, the DCA or the COMSEC<br />
Custodian, as applicable, must provide interim training. If interim training cannot be provided,<br />
contact NCOR to arrange for interim training assistance.<br />
3.2.2.5 COMSEC Accounting System Training<br />
Before installing CSEC-approved accounting software packages, COMSEC Custodians and<br />
Alternate COMSEC Custodians must attend formal training. Other COMSEC Account personnel<br />
may also attend this course.<br />
3.2.2.6 COMSEC Equipment Training<br />
Before using COMSEC equipment and to the extent possible, COMSEC Custodians and<br />
Alternate COMSEC Custodians should attend formal COMSEC equipment training courses.<br />
Local Elements may also attend these courses.<br />
Personnel October 2011 15
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
3.2.2.7 Other Training Courses<br />
CSEC offers additional training courses that will assist COMSEC Account personnel in the use<br />
and protection of COMSEC material or increase their knowledge on the basic concepts of<br />
IT security and cryptography.<br />
3.2.2.8 COMSEC Sub-Account and Local Element Training<br />
COMSEC Custodians are normally responsible for training their COMSEC Sub-Account<br />
personnel and Local Elements. However, COMSEC Sub-Account personnel and Local Elements<br />
may attend the formal COMSEC Custodian training course provided by CSEC.<br />
16 October 2011 Personnel
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
4 Management of COMSEC Accounts<br />
4.1 Establish COMSEC Account<br />
4.1.1 Request Establishment of COMSEC Account<br />
GC departments requiring COMSEC material must submit a request to COMSEC Client<br />
Services at CSEC for the establishment of a COMSEC Account. The request must include:<br />
a letter containing –<br />
o justification for the requirement to hold COMSEC material<br />
o interoperability (beyond department) requirements<br />
o highest security classification of the COMSEC material, and<br />
o statement that the minimum physical security standards of this directive can be met<br />
for the highest level of sensitivity of COMSEC material to be held; and<br />
the following forms –<br />
o Account Registration, to identify the department, location and COMSEC custodial<br />
staff being appointed<br />
o Appointment Certificate, for each individual to be appointed to the COMSEC<br />
Account, including the DCA, the COMSEC Custodian and at least one Alternate<br />
COMSEC Custodian, and<br />
o COMSEC Signing Authority Form, also called the COMSEC Courier Certificate, to<br />
provide records of COMSEC Account personnel or any additional departmental staff<br />
who are authorized to receive and sign for COMSEC material. Only COMSEC<br />
Custodial staff members are authorized to open parcels and sign COMSEC material<br />
reports.<br />
4.1.2 Approve Establishment of COMSEC Account<br />
Before validating a request to open a COMSEC Account, a CSEC representative(s) will visit the<br />
GC department to verify that the physical security requirements of this directive (refer to<br />
Chapter 9) can be met and that COMSEC Account personnel have been COMSEC briefed.<br />
Following validation of the request, NCOR/COR will provide written approval for the request<br />
including:<br />
the assigned EKMS ID<br />
confirmation of the name of the DCA<br />
<br />
verification of the appointment of the COMSEC Custodian and the Alternate COMSEC<br />
Custodian(s), and<br />
Management of COMSEC Accounts October 2011 17
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
<br />
a list of publications required to effectively manage the COMSEC Account.<br />
4.1.3 Establish COMSEC Sub-Accounts<br />
The DCA may establish COMSEC Sub-Accounts to assist with the control of COMSEC material<br />
within the department. The DCA must implement procedures for opening a departmental<br />
COMSEC Sub-Account based upon the direction contained herein.<br />
4.1.4 Register Local Elements<br />
COMSEC Custodians and COMSEC Sub-Account Custodians must register Local Elements<br />
before authorizing their access to or use of COMSEC material (refer to Article 6.3.3.4). The<br />
registration of Local Elements must include at a minimum a record of the full name, title or<br />
designator, location and phone number.<br />
4.2 Establish COMSEC Account Files and Records<br />
4.2.1 Administrative Files<br />
The COMSEC Custodian must establish and maintain administrative files containing<br />
documentation related to the COMSEC Account, including:<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
courier, mail and package receipts<br />
correspondence<br />
IT Security Alerts (ITSA)<br />
IT Security Bulletins (ITSB)<br />
IT Security Approvals for Use (ITS AFU)<br />
Account Registration Forms<br />
Appointment Certificates<br />
Security Screening Certificates<br />
COMSEC Briefing Certificates<br />
COMSEC Signing Authority Forms<br />
COMSEC Incident Initial Reports<br />
COMSEC Account Audit Reports<br />
related files for each COMSEC Sub-Account (if applicable), and<br />
other relevant documentation.<br />
18 October 2011 Management of COMSEC Accounts
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
4.2.2 Accounting Files<br />
The COMSEC Custodian must establish and maintain accounting files (paper or electronic as is<br />
appropriate for the authorized accounting system being employed) that include:<br />
<br />
<br />
<br />
a copy of all accounting reports (see Chapter 6), records, registers and logs with<br />
appropriate physical or digital signatures;<br />
a copy of all inventory reports (see Chapter 13); and<br />
IP accounting records (if applicable).<br />
4.2.3 Communications Security Establishment Canada-Approved Accounting<br />
Sub-Systems<br />
CSEC has approved the use of several automated accounting/management systems to<br />
accommodate the minimum security requirements of the NCMCS. These systems employ<br />
terminology and procedures that are quite distinct from each other. Each department is<br />
responsible for ensuring that its custodial personnel are trained in the use of its CSEC-approved<br />
automated system and are familiar with the terms used by the respective software to describe the<br />
NCMCS activities detailed in this directive. Manual inventory systems (e.g. CSEC 417 cards)<br />
must not be the sole mechanism used by COMSEC Accounts for managing COMSEC Account<br />
inventories. Contact COMSEC Client Services at CSEC for list of approved systems or for<br />
requests for approval of new systems.<br />
The NCMCS and supporting sub-systems must be classified minimally to PROTECTED A with<br />
additional appropriate classification to meet special inventory requirements (see Article 4.2.5)<br />
and any other classified information stored on the system.<br />
4.2.4 Retention/Disposition of Records and Files<br />
All inactive or archived COMSEC Account records and files must be retained for a period of no<br />
less than five years by the COMSEC Custodian (or responsible DCA), after which they may be<br />
destroyed or forwarded to NCOR/COR for disposal.<br />
4.2.5 Classification of Records and Files<br />
COMSEC Account records and files must be marked “PROTECTED A” unless they contain:<br />
classified information (e.g. effective dates, classified long titles or remarks), in which case<br />
it must be marked in accordance with the sensitivity of the content; or<br />
a list containing COMSEC material that was provided by a United Kingdom (U.K.)<br />
source, in which case the list must be classified at least to the minimum standard that the<br />
U.K. is handling the material.<br />
Management of COMSEC Accounts October 2011 19
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
NOTE:<br />
Contact NCOR/COR if assistance is required in properly classifying these<br />
records, files and reports.<br />
4.2.6 Access to Records and Files<br />
The COMSEC Custodian must limit access to COMSEC Account records and files to individuals<br />
who have a need-to-know and possess the appropriate security clearance or reliability status.<br />
Access to COMSEC Account records and files by individuals other than the COMSEC<br />
Custodian or Alternate COMSEC Custodian must be closely monitored.<br />
4.3 Changes to COMSEC Accounts<br />
4.3.1 Changes to COMSEC Account Registration Information<br />
COMSEC Custodians must promptly post changes to COMSEC Account registration<br />
information (e.g. mailing and shipping addresses, phone numbers) to the Directory Server or<br />
submit them to NCOR/COR. The Account Registration form is to be used to submit these<br />
changes.<br />
4.3.2 Changes to the COMSEC Signing Authority Form (CSEC/CSTC-599)<br />
The COMSEC Custodian must submit a new COMSEC Signing Authority Form to NCOR/COR<br />
annually and whenever there is a change of personnel or other information. The COMSEC<br />
Signing Authority Form contains the names, telephone numbers and signatures of COMSEC<br />
Account personnel and any additional departmental staff who are authorized to sign for<br />
shipments containing COMSEC material.<br />
4.3.3 Change of Personnel<br />
Before the departure of currently appointed COMSEC Account personnel, the DCA must<br />
provide NCOR/COR with an Appointment Certificate, including:<br />
<br />
<br />
the new COMSEC Account personnel information completed; and<br />
the “Termination of Appointment” section completed for the individual being replaced.<br />
The DCA or COMSEC Custodian, as applicable, must ensure the new appointee receives a<br />
COMSEC briefing.<br />
4.3.4 Scheduling the COMSEC Custodian Changeover<br />
The changeover of COMSEC Custodians should be scheduled at least 40 calendar days in<br />
advance of the COMSEC Custodian’s departure date. The current COMSEC Custodian and the<br />
individual being appointed as the new COMSEC Custodian must conduct an inventory of the<br />
COMSEC material held in the COMSEC Account as detailed in Chapter 13 of this directive.<br />
20 October 2011 Management of COMSEC Accounts
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
The departing COMSEC Custodian is not relieved of responsibility for COMSEC material<br />
involved in any unresolved discrepancy until all discrepancies are resolved.<br />
4.3.5 Conversion of a COMSEC Sub-Account to a COMSEC Account<br />
The DCA must submit a letter to COMSEC Client Services at CSEC requesting the<br />
establishment of new COMSEC Account in accordance with Article 4.1.1. The letter must<br />
contain justification for the conversion of the COMSEC Sub-Account to a COMSEC Account.<br />
Upon approval of the conversion, NCOR/COR will provide accounting instructions.<br />
4.3.6 Change of Classification Level of a COMSEC Account<br />
The DCA must submit a written request to COMSEC Client Services at CSEC requesting a<br />
change in the level of classification for the COMSEC Account. The request must include a<br />
justification for the requirement and indicate the new level of classification requested.<br />
When requesting a lower level of classification, COMSEC Client Services will provide written<br />
approval once NCOR/COR has confirmed that the COMSEC Account holds COMSEC material<br />
at, or lower than, the requested classification.<br />
When requesting to upgrade the classification level of a COMSEC Account, COMSEC Client<br />
Services will provide written approval once a CSEC representative has visited the COMSEC<br />
Account to verify that the physical security requirements of this directive can be met. The<br />
COMSEC Account must not receive COMSEC material at the higher level until approval of the<br />
change of classification level has been granted.<br />
4.3.7 Absence of COMSEC Custodial Staff<br />
4.3.7.1 Temporary Absence of COMSEC Custodian<br />
In the absence of the COMSEC Custodian for a period of 60 calendar days or less, the DCA<br />
must ensure the Alternate COMSEC Custodian assumes the responsibilities and duties of the<br />
COMSEC Custodian.<br />
4.3.7.2 Temporary Absence of Alternate COMSEC Custodian<br />
In the absence of the Alternate COMSEC Custodian for a period of 60 calendar days or less, the<br />
DCA must ensure the second Alternate COMSEC Custodian assumes the responsibilities and<br />
duties. Where no second Alternate COMSEC Custodian has been appointed, the DCA must<br />
appoint one.<br />
4.3.7.3 Absence Longer then 60 Calendar Days<br />
An absence of more than 60 calendar days must be treated as a permanent absence, and the DCA<br />
must appoint a new COMSEC Custodian or Alternate COMSEC Custodian, as applicable.<br />
Management of COMSEC Accounts October 2011 21
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
4.3.7.4 Unexplainable Departure of COMSEC Custodian or Alternate COMSEC<br />
Custodian<br />
In the case of an unexplainable (does not include death, serious illness, short notice personnel<br />
transfer) sudden, indefinite or permanent departure of the COMSEC Custodian or Alternate<br />
COMSEC Custodian, the DCA must take the following steps:<br />
a. Immediately report the circumstances of any departure in accordance with Chapter 16 of<br />
this directive.<br />
b. Appoint a new COMSEC Custodian or Alternate COMSEC Custodian as required.<br />
c. Ensure the combinations and the keys of containers and vaults are changed.<br />
d. Ensure the new COMSEC Custodian or Alternate COMSEC Custodian immediately<br />
conducts an inventory (see Chapter 13) with an appropriately cleared witness,.<br />
e. Ensure the COMSEC Account audit is conducted by the appropriate authority.<br />
4.4 Closing a COMSEC Account<br />
When a COMSEC Account no longer has a requirement to hold COMSEC material, the DCA<br />
must provide COMSEC Client Services at CSEC with a written request to close the COMSEC<br />
Account and must include Termination Certificates for all COMSEC Account personnel.<br />
The COMSEC Custodian will transfer all ACM currently held in the COMSEC Account to<br />
another COMSEC Account, or destroy it (if authorized), and forward all accounting reports as<br />
well as a signed “zero balance” inventory to NCOR/COR.<br />
Once NCOR/COR has confirmed receipt of the Termination Certificates, confirmed that the<br />
COMSEC Account no longer holds any COMSEC material and has updated the COMSEC<br />
Account status in the EKMS Directory Server to “closed”, COMSEC Client Services at CSEC<br />
will issue a letter to the DCA, officially closing the COMSEC Account.<br />
The DSO will ensure that all COMSEC Account files are retained for a period of five years and<br />
then dispose of them in accordance with the direction at Article 4.2.4.<br />
4.5 Closing a COMSEC Sub-Account<br />
When it is determined that the requirement for a COMSEC Sub-Account no longer exists, the<br />
DCA must take the following steps:<br />
a. Direct the COMSEC Sub-Account Custodian to return to the parent COMSEC Account, or<br />
destroy (if authorized), all COMSEC material held by the COMSEC Sub-Account and<br />
submit a signed “zero balance” Inventory Report (refer to Chapter 13).<br />
b. Provide the parent COMSEC Account with a Termination Certificate for all COMSEC<br />
Sub-Account personnel.<br />
22 October 2011 Management of COMSEC Accounts
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
4.6 Suspension of a COMSEC Account<br />
4.6.1 General<br />
COMSEC Accounts are audited at least once every 18 months (refer to Article 15.4.1). In rare<br />
cases, due to the severity of account infraction(s) or the effect that poor account management<br />
could have on other government departments or allies, NCOR/COR, in consultation with the<br />
DSO, may authorize the DCA to temporarily suspend a COMSEC Account. NCOR/COR may also<br />
initiate an account suspension. A COMSEC Account may be suspended if:<br />
<br />
<br />
the DCA fails to take action to correct serious deficiencies reported in the COMSEC<br />
Account Audit Report or fails to submit a Statement of Action form showing that<br />
corrective action is underway; or<br />
the number of security violations or reporting and management practices at the account<br />
demonstrates a continued disregard for COMSEC policy and procedures.<br />
NOTE: Any suspension, regardless of how temporary, may severely impact the COMSEC<br />
Account activities.<br />
4.6.2 Suspension<br />
A COMSEC Account whose status is “suspended” will cease to have COMSEC material<br />
transferred in or transferred out. The custodial staff will remain in place to conduct all other<br />
normal activities within the account, including the corrective action that would lead to the lifting<br />
of the suspension.<br />
NOTE: NCOR/COR will inform the DSO, the DCA and the Departmental COMSEC<br />
Custodian that, transfers to and from the account will be suspended. The notification<br />
will include a list of the discrepancies that caused the suspension, the corrective action<br />
needed to allow the lifting of the suspension and a target completion date.<br />
4.6.3 Lifting Suspension<br />
Upon receipt of the Statement of Action form, which certifies that corrective action has been<br />
completed (or is underway), CSEC may lift the suspension. Before lifting the suspension, CSEC<br />
will conduct another audit of the account to ensure that conditions have been rectified.<br />
Upon lifting the suspension, NCOR/COR will notify other affiliated or affected organizations or<br />
accounts, and transfers of COMSEC material to and from the account will resume.<br />
Management of COMSEC Accounts October 2011 23
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
This page intentionally left blank.<br />
24 October 2011 Management of COMSEC Accounts
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
5 Identification of COMSEC Material<br />
5.1 Long Title<br />
The long title provides a general description of the COMSEC material. In some cases, long titles<br />
may be classified.<br />
5.2 Short Title<br />
A short title must be assigned to COMSEC material at its point of origin for accounting<br />
purposes. The short title is an identifying combination of letters or digits that consists of a<br />
maximum of 24 alphanumeric characters. For some CSEC-approved accounting/management<br />
systems (see Article 4.2.3), special characters (e.g. /, -, * or #) are not allowed. For these<br />
systems, the special characters that may appear on ACM short titles, COMSEC equipment<br />
nameplates and COMSEC publications are replaced with a space. The individual short titles of<br />
COMSEC material are UNCLASSIFIED. For further details on short titles, refer to the Short<br />
Title Nomenclature in Canada (ITSG-09) 1 .<br />
5.3 Edition<br />
COMSEC material may be identified by a unique alphabetic or numeric designator. COMSEC<br />
material may be time sensitive and is superseded when the next edition becomes effective. Refer<br />
to ITSG-13 for more information on editions.<br />
5.4 Accounting Number<br />
5.4.1 Assignment of Accounting Number<br />
COMSEC material may be assigned a unique accounting serial or register number at the point of<br />
origin to facilitate accounting (see Article 5.5 for a description of the relationship between<br />
accounting numbers and the ALC). Serial numbers are used with CCI and COMSEC equipment,<br />
while register numbers are used for any other material requiring an accounting number.<br />
5.4.2 Local Accounting Identifier<br />
The COMSEC Custodian may assign a local accounting identifier to COMSEC material that is<br />
accounted for by quantity. This local accounting identifier must not be used as an accounting<br />
number on a COMSEC Material Report. It may be entered in the remarks column of the<br />
COMSEC Material Report.<br />
1 ITSG-09 is available upon request through COMSEC Client Services at CSEC.<br />
Identification of COMSEC Material October 2011 25
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
5.4.3 Unique Accounting Numbers for Electronic Key<br />
Unique accounting numbers for electronic key are not required when:<br />
all copies of the key within a particular short title and edition are the same;<br />
each copy can be individually controlled without the use of a unique accounting number;<br />
or<br />
the CA for the short title has determined that the key does not need to be copy-controlled<br />
through the use of unique accounting numbers.<br />
5.5 Accounting Legend Code<br />
5.5.1 Description<br />
The ALC is a numeric code assigned by the originator of the COMSEC material to indicate its<br />
accounting and reporting requirements. The ALC is recorded on all COMSEC Material Reports<br />
but does not normally appear on the COMSEC material itself. The ALC assigned by the<br />
originator must not be changed without authorization from COMSEC Client Services at CSEC.<br />
Authorized changes to ALCs must be managed through NCOR/COR, as noted in Chapter 6.<br />
NOTE 1: If the accountability of the COMSEC material is in question, contact NCOR/COR.<br />
NOTE 2: ALC 3 and ALC 5 are no longer used.<br />
5.5.2 Entry of COMSEC Material into National COMSEC Material Control System<br />
Whenever COMSEC material is assigned an ALC, it must be entered into the NCMCS. This<br />
COMSEC material must be controlled in the NCMCS until it is authorized for destruction or<br />
other disposition, or the appropriate authority removes the accountability requirement. A<br />
COMSEC Material Report is used to enter COMSEC material into the NCMCS in circumstances<br />
described at Article 6.3.4.<br />
5.5.3 Accounting Legend Code 1 COMSEC Material<br />
ALC 1 is assigned to physical COMSEC material that is subject to continuous accountability to<br />
NCOR/COR by short title and accounting number. ALC 1 COMSEC material will include:<br />
some unclassified and all classified physical key material marked CRYPTO;<br />
all cryptographic equipment approved for classified processing;<br />
CCI;<br />
<br />
classified cryptographic software and firmware that are the functional equivalents of, or<br />
emulate, COMSEC equipment operations and cryptography; and<br />
26 October 2011 Identification of COMSEC Material
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
<br />
classified full maintenance manuals and depot maintenance manuals (and their printed<br />
amendments), which contain crypto-information.<br />
5.5.4 Accounting Legend Code 2 COMSEC Material<br />
ALC 2 is assigned to physical COMSEC material that is subject to continuous accountability to<br />
NCOR/COR by short title and quantity. ALC 2 COMSEC material may include:<br />
<br />
<br />
<br />
classified and CCI components (e.g. modular assemblies, printed wiring<br />
assemblies [PWA], integrated circuits [IC], microcircuits, microchips, permuters)<br />
intended for installation (but not installed) in COMSEC equipment;<br />
specific COMSEC devices; and<br />
COMSEC publications.<br />
5.5.5 Accounting Legend Code 4 COMSEC Material<br />
ALC 4 is assigned to physical COMSEC material that, following initial receipt to the distributing<br />
COMSEC Account, is locally accountable by the receiving COMSEC Account by short title and<br />
quantity, or by short title and accounting number. ALC 4 COMSEC material may include:<br />
<br />
<br />
<br />
unclassified or classified COMSEC publications dealing with a cryptographic subject<br />
(e.g. classified maintenance manuals);<br />
protected and unclassified key material (e.g. test, maintenance and training key); and<br />
other unclassified or classified COMSEC material which, due to the nature of the<br />
COMSEC information it contains, requires accountability within the NCMCS.<br />
5.5.6 Accounting Legend Code 6 COMSEC Material<br />
ALC 6 is assigned to electronic key tracked by the GC EKMS and is subject to continuous<br />
accountability to NCOR/COR, as determined by the controlling authority for the key and by the<br />
doctrine specific to the equipment, where applicable. ALC 6 may be assigned to electronic key:<br />
intended to protect information having long-term intelligence value (e.g. TOP SECRET);<br />
used to protect other keys (e.g. key encryption key [KEK]);<br />
used for joint or combined interoperability;<br />
marked “CRYPTO”;<br />
used to generate other electronic keys (e.g. key production key); and<br />
generated from ALC 1 physical key material.<br />
Identification of COMSEC Material October 2011 27
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
5.5.7 Accounting Legend Code 7 COMSEC Material<br />
ALC 7 is assigned to electronic key tracked by the GC EKMS that is locally accountable to the<br />
generating COMSEC Account until final disposition.<br />
5.6 Types of COMSEC Material<br />
5.6.1 Key Material<br />
The term key material applies to both physical and electronic formats of key. Refer to ITSG-13<br />
for additional information on key material.<br />
5.6.2 COMSEC Equipment<br />
COMSEC equipment is normally identified and accounted for by one short or long title, rather<br />
than by individual components or sub-assemblies. Whenever a component or sub-assembly that<br />
has been assigned an ALC is removed from its host equipment, it requires accountability within<br />
the NCMCS and it must be identified separately by its individual short title. Refer to the<br />
Canadian Cryptographic Doctrine (CCD) series for further information on specific COMSEC<br />
equipment.<br />
5.6.3 COMSEC Publications<br />
COMSEC publications may include:<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
crypto-maintenance manuals<br />
sensitive pages of a crypto-maintenance manual<br />
cryptographic operating instructions<br />
classified full maintenance manuals<br />
classified depot maintenance manuals<br />
cryptographic logic descriptions<br />
drawings of cryptographic logics<br />
specifications describing a cryptographic logic<br />
other classified cryptographic and non-cryptographic operational publications<br />
replacement pages to the above and like publications, and<br />
extracts, supplements and addenda from accountable COMSEC publications.<br />
28 October 2011 Identification of COMSEC Material
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
5.7 CRYPTO Marking<br />
The CRYPTO caveat is used to indicate the unique sensitivity of the COMSEC material on<br />
which it appears (or is otherwise identified). Items so marked must always be accounted for<br />
within the NCMCS. The CRYPTO marking will appear in bold letters on classified printed<br />
circuit boards, on the covers of printed key material, on disks, on individual key variables, and<br />
(as required) on equipment and tags or labels affixed to physical storage device (e.g. KSD-64)<br />
containing electronic key.<br />
5.8 Controlled Cryptographic Item Marking<br />
The CCI marking indicates a type of COMSEC equipment that must always be accounted for<br />
and controlled within the NCMCS or within a foreign nation’s formal COMSEC channels. The<br />
CCI category applies to specific unclassified, secure communications and information handling<br />
equipment, as well as associated cryptographic components and assemblies.<br />
In many cases, COMSEC material in the CCI category will not be assigned a short title, but will<br />
instead bear the manufacturer’s commercial designator. This equipment will be marked<br />
“Controlled Cryptographic Item” or “CCI”, and will bear a government serial number label.<br />
Since CCI and associated cryptographic components employ a classified cryptographic logic, it<br />
is only the hardware or firmware embodiment of that logic that is UNCLASSIFIED. The<br />
associated cryptographic engineering drawings, logic descriptions, theory of operation, computer<br />
programs, and related cryptographic information remain classified.<br />
5.9 Classification or Protected Marking<br />
COMSEC material may be marked or otherwise identified with a classification or protected level<br />
at the time it is created to indicate its storage and handling requirements. Operational key<br />
material is classified or protected at the sensitivity level of the information that it is intended to<br />
protect.<br />
Identification of COMSEC Material October 2011 29
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
This page intentionally left blank.<br />
30 October 2011 Identification of COMSEC Material
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
6 Accounting Forms, Reports and Notices<br />
6.1 COMSEC Material Report<br />
The primary accounting form used for the control of COMSEC material is the multipurpose<br />
COMSEC Material Report (commonly referred to as the GC-223 form). This form is used to:<br />
<br />
<br />
<br />
report the change in the status of COMSEC material (e.g. transfer, issue, possession,<br />
generation, conversion, relief from accountability or destruction);<br />
report the inventory holdings of a COMSEC Account (i.e. Inventory Report); and<br />
provide notice of an action associated with COMSEC material (e.g. Tracer Notice).<br />
6.2 Local Accounting Records and Logs<br />
6.2.1 Handling Instructions/Disposition Record Card<br />
The HI/DR card is used to record the issue and destruction of individual segments of an edition<br />
of key tape. The HI/DR card is to be stored with its associated canister until all segments have<br />
been issued and destroyed. Before issuing a canister of key tape, the COMSEC Custodian must<br />
enter the short title and its attributes on the HI/DR card. The HI/DR card is UNCLASSIFIED,<br />
but becomes CONFIDENTIAL once an entry is made. The individual and witness who perform<br />
the destruction of key tape segments must both initial or sign the HI/DR card beside the entry<br />
corresponding to the segment that was destroyed. The COMSEC Custodian must review each<br />
HI/DR card to confirm the destruction of each key tape segment before using the record to<br />
prepare a Consolidated Destruction Report.<br />
6.2.2 Local Accounting Logs<br />
When the distribution or re-distribution of COMSEC material or other material specified in<br />
equipment doctrine can not be automatically tracked, the COMSEC Custodian must establish a<br />
manual accounting system to locally control and account for this material. The Crypto-Ignition<br />
Key (CIK) CIK Local Accounting Log is used to record the creation and distribution of locally<br />
accountable CIKs. The COMSEC Material Local Accounting Register may be used for local<br />
tracking of redistributed material. See specific system or equipment CCD for additional detail.<br />
Accounting Forms, October 2011 31<br />
Reports and Notices
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
6.3 COMSEC Material Reports<br />
6.3.1 Preparation and Distribution of COMSEC Material Reports<br />
General instructions for the preparation of COMSEC Material Reports can be found with the<br />
GC-223 form. The following articles list the specific requirements applicable to the preparation<br />
and distribution of each type of report. Refer to the Glossary for definitions of each type of<br />
COMSEC Material Reports.<br />
6.3.2 Transfer Report<br />
6.3.2.1 General<br />
The distribution of COMSEC material between two COMSEC Accounts is called a transfer.<br />
COMSEC material being transferred must be prepared and receipted for as detailed in<br />
Chapter 10. The COMSEC Custodian who originates the transfer of COMSEC material remains<br />
accountable for the material until the signed receipt is returned to the originating COMSEC<br />
Account.<br />
Approval from the appropriate CA must be granted before COMSEC material is transferred.<br />
Whenever the transfer of COMSEC material is required for operational or contingency purposes,<br />
appropriate authorities will notify the affected COMSEC Custodians.<br />
COMSEC Client Services at CSEC are required to approve all transfers of COMSEC material by<br />
methods not pre-authorized in accordance with Article 10.5 and Table 4.<br />
6.3.2.2 Distribution<br />
The following applies to the distribution of Transfer Reports:<br />
<br />
Along with the original, prepare sufficient copies of the Transfer Report to ensure<br />
effective accountability –<br />
o Enclose the original with physical shipment.<br />
o If the report lists centrally-accountable COMSEC material, send a copy to<br />
NCOR/COR of the receiving COMSEC Account (COMSEC Accounts using an<br />
automated CSEC-approved accounting system will send an electronically-signed<br />
copy to NCOR/COR).<br />
o Retain a copy of the original on file until it can be replaced with a receipt signed by<br />
the recipient COMSEC Custodian.<br />
32 October 2011 Accounting Forms,<br />
Reports and Notices
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
<br />
When a receipt for a Transfer Report cannot be provided, the Transfer Report must be<br />
cancelled. For example, if a removable data storage device (e.g. floppy disk, compact<br />
disk, flash drive) containing the transaction was destroyed in-transit, or if physical<br />
COMSEC material being transferred is destroyed in-transit, or if a Transfer Report was<br />
prepared and circumstances cancelled the need for the COMSEC material to be<br />
distributed, the destination COMSEC Account Custodian would not return a receipt for<br />
the material. The Transfer Report may be cancelled by –<br />
o preparing a Cancel Distribution Transaction, and forwarding a copy to the intended<br />
recipient COMSEC Account and NCOR/COR; or<br />
o marking the Transfer Report as cancelled and forwarding a copy to the intended<br />
recipient COMSEC Account and NCOR/COR.<br />
6.3.2.3 Receipt<br />
To relieve the shipping COMSEC Account from accountability for the transferred material, the<br />
receiving COMSEC Custodian must sign the Transfer Report, make copies and distribute them<br />
according to the following:<br />
<br />
<br />
<br />
Return the signed original to the shipping COMSEC Custodian.<br />
If the report lists centrally-accountable COMSEC material, send a copy to NCOR/COR<br />
(COMSEC Accounts using an automated CSEC-approved accounting system will send<br />
an electronically-signed copy to NCOR/COR).<br />
Retain a signed copy of the original receipt on file.<br />
6.3.3 Hand Receipt<br />
6.3.3.1 General<br />
The distribution of COMSEC material to a COMSEC Sub-Account or Local Element is called an<br />
issue. COMSEC material being issued may be packaged as a shipment or it may be hand<br />
delivered directly to an authorized recipient. Packages wrapped for shipment must be prepared in<br />
accordance with the direction in Chapter 10.<br />
6.3.3.2 Distribution<br />
The issuance of COMSEC material is recorded on a Hand Receipt. When distributing COMSEC<br />
material to a COMSEC Sub-Account or a Local Element, the COMSEC Custodian must use a<br />
Hand Receipt.<br />
Recipients must sign the Hand Receipt to certify their acceptance of the listed material, as well<br />
as an understanding of the handling requirements for the COMSEC material entrusted to them.<br />
Accounting Forms, October 2011 33<br />
Reports and Notices
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
Before signing the Hand Receipt, the recipient must inspect the COMSEC material to verify the<br />
accuracy of the document and to establish the condition of the material. See Chapter 10.<br />
Control and tracking responsibilities for issued material remains within the COMSEC Account;<br />
therefore, Hand Receipts are not sent to NCOR/COR.<br />
NOTE: Hand Receipts for COMSEC material must be reviewed annually by the COMSEC<br />
Custodian to ensure their accuracy and to verify the continued requirement for ACM<br />
by authorized end-users.<br />
6.3.3.3 Accountability<br />
Accountability for issued COMSEC material includes the issuing COMSEC Account, the<br />
COMSEC Sub-Account (if applicable) and the Local Element. Upon signing the Hand Receipt,<br />
the recipient assumes responsibility for the care and control of all material listed on the<br />
document; however, the recipient’s signature on a Hand Receipt does not relieve the issuing<br />
COMSEC Custodian from accountability for the issued material.<br />
6.3.3.4 Confirmation before Issue<br />
Before issuing COMSEC material to a COMSEC Sub-Account or a Local Element, the<br />
COMSEC Custodian must ensure the recipient:<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
has a need-to-know for COMSEC material listed on the Hand Receipt;<br />
is a Canadian citizen (including dual nationality);<br />
is cleared to the security level of the COMSEC material listed on the Hand Receipt;<br />
has been COMSEC briefed and has signed a COMSEC Briefing Certificate;<br />
has the appropriate storage facilities for the material listed on the Hand Receipt;<br />
has been trained on the handling, storage, use and destruction (where authorized) of the<br />
COMSEC material listed on the Hand Receipt;<br />
is aware of what constitutes a COMSEC incident;<br />
where necessary, has established a local accounting system that maintains strict control<br />
of each item of the COMSEC material listed on the Hand Receipt whenever it –<br />
o must be accounted for during shift work operations; or<br />
o is temporarily loaned to another authorized user.<br />
signs the Hand Receipt acknowledging the receipt of the material and understanding of<br />
the responsibilities associated with handling the COMSEC material listed on the Hand<br />
Receipt.<br />
34 October 2011 Accounting Forms,<br />
Reports and Notices
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
6.3.3.5 Returning COMSEC Material<br />
COMSEC Sub-Accounts and Local Elements must return COMSEC material to the COMSEC<br />
Custodian if it is no longer required and is not authorized for destruction.<br />
COMSEC material issued to a COMSEC Sub-Account must be returned to the parent account<br />
that issued the material. The COMSEC Sub-Account Custodian must prepare a COMSEC<br />
Material Report (annotate the “OTHER” box with “Hand Receipt”) addressed to the parent<br />
account.<br />
Upon receipt and verification of the material, the COMSEC Custodian at the parent account must<br />
sign the COMSEC Material Report and return it to the COMSEC Sub-Account, thereby relieving<br />
the COMSEC Sub-Account from accountability for the returned material.<br />
COMSEC material issued to a Local Element must be returned to the COMSEC Account or<br />
COMSEC Sub-Account that issued the material. The COMSEC Custodian must prepare a Hand<br />
Receipt for material being returned from the Local Element. The COMSEC Custodian must<br />
ensure that the Hand Receipt, which lists the material being returned from the Local Element, is<br />
addressed to the COMSEC Account. The COMSEC Custodian’s signature on the Hand Receipt<br />
relieves the Local Element from accountability for the returned COMSEC material. Local<br />
Elements are not authorized to re-loan COMSEC material to any other Local Elements.<br />
6.3.4 Possession Report<br />
6.3.4.1 General<br />
Occasionally, extraordinary circumstances dictate that COMSEC material, for which a current<br />
record of accountability within the NCMCS does not exist, be taken on charge at a COMSEC<br />
Account.<br />
A Possession Report is used to document the entry of COMSEC material into the NCMCS in the<br />
following circumstances when:<br />
<br />
<br />
<br />
<br />
<br />
COMSEC material under development or manufacture has been accepted by the GC<br />
(refer to Annex A);<br />
COMSEC material received from a foreign government or international organization<br />
requires accountability within the NCMCS;<br />
COMSEC material previously declared lost and removed from accountability is<br />
subsequently found;<br />
a COMSEC publication requiring control within the NCMCS is reproduced in whole or<br />
in part;<br />
magnetic or optical media is used to transfer or issue electronic key material;<br />
Accounting Forms, October 2011 35<br />
Reports and Notices
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
<br />
<br />
a non-automated COMSEC Account converts its inventory to an automated CSECapproved<br />
accounting system; and<br />
COMSEC material is in the possession of a COMSEC Account and is not listed on any<br />
other COMSEC Account inventory.<br />
6.3.4.2 Preparation and Distribution<br />
Authorization from NCOR/COR, is required before submitting a Possession Report. A<br />
Possession Report may not be created by a COMSEC Sub-Account. The Sub-Account Custodian<br />
must report the requirement to the parent COMSEC Account.<br />
The following applies to the preparation and distribution of Possession Reports:<br />
<br />
<br />
A brief description of why the item is being possessed must be included in either the<br />
Remarks column or after the “NOTHING FOLLOWS” line.<br />
If the report lists centrally-accountable COMSEC material, a copy must be sent to<br />
NCOR/COR within five working days following the creation of the report. Possession<br />
reports listing only ALC 4 or ALC 7 COMSEC material must be retained locally.<br />
6.3.5 Key Generation Report<br />
6.3.5.1 Privileges<br />
Some automated COMSEC Accounts are granted the privilege of generating electronic keys or<br />
importing physical key material and converting it to electronic form. These privileges are<br />
granted by the Privilege Certificate Manager at NCOR/COR. Whenever an electronic key is<br />
generated at an account, a Generation Report must be raised.<br />
6.3.5.2 Preparation and Distribution<br />
The following applies to the preparation and distribution of Generation Reports:<br />
COMSEC Custodians must submit Generation Reports to NCOR/COR whenever ALC 6<br />
key material is generated. Imported ALC 1 physical key when converted to electronic<br />
form must be reported as ALC 6 key.<br />
COMSEC Custodians must retain copies of Generation Reports on file whenever ALC 7<br />
key material is generated. Imported ALC 4 physical key when converted to electronic<br />
form must be reported as ALC 7 key.<br />
<br />
<br />
COMSEC Sub-Account Custodians must submit Generation Reports to their parent<br />
COMSEC Account whenever ALC 6 or ALC 7 key material is generated, or when ALC 1<br />
or 4 physical key is imported.<br />
A signed copy of all Generation Reports must be retained on file.<br />
36 October 2011 Accounting Forms,<br />
Reports and Notices
UNCLASSIFIED<br />
6.3.6 Conversion Report<br />
6.3.6.1 General<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
When it becomes necessary to change or correct a short title, an equipment modification number,<br />
or the ALC of ACM, a Conversion Report must be raised. Conversion Reports may be initiated<br />
by a COMSEC Custodian or by NCOR/COR. COMSEC Custodians must not initiate conversion<br />
activities without receiving explicit instructions from NCOR/COR.<br />
A Conversion Report may not be created at a COMSEC Sub-Account. The COMSEC Sub-<br />
Account Custodian must report the requirement to the parent COMSEC Account.<br />
If the automated accounting system in use at the COMSEC Account does not have the capability<br />
to generate a Conversion Report, contact NCOR/COR for instructions.<br />
6.3.6.2 Preparation and Distribution<br />
In the preparation and distribution of Conversion Reports, the COMSEC Custodian:<br />
<br />
<br />
<br />
<br />
may raise a Conversion Report only if the material being converted is on-hand at the<br />
COMSEC Account;<br />
must send a copy to NCOR/COR if the Conversion Report lists centrally-accountable<br />
COMSEC material;<br />
must send a copy of the Conversion Report to all COMSEC Sub-Accounts that hold<br />
COMSEC material to be converted; and<br />
must retain a signed copy of the Conversion Report on file.<br />
6.3.7 Relief from Accountability Report<br />
6.3.7.1 General<br />
COMSEC Custodians may seek relief from accountability for COMSEC material that has been<br />
irretrievably lost. Normally, an investigation will be conducted by the DCA to determine the<br />
injury caused by the loss and the NCIO will issue a report on the results of the investigation.<br />
A Relief from Accountability Report is used to document the removal of COMSEC material from<br />
a COMSEC Account inventory. Authorization from the NCIO is required before preparing a<br />
Relief from Accountability Report.<br />
If the automated accounting system in use at the COMSEC Account does not have the capability<br />
to generate a Relief from Accountability Report, contact NCOR/COR for instructions.<br />
Accounting Forms, October 2011 37<br />
Reports and Notices
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
6.3.7.2 Preparation and Distribution<br />
The following rules apply to the preparation and distribution of Relief from Accountability<br />
Reports:<br />
<br />
<br />
<br />
Reference to the authority under which the COMSEC material was removed from<br />
accountability must be included in either the remarks column or after the NOTHING<br />
FOLLOWS line.<br />
If the report lists centrally-accountable COMSEC material, a copy must be sent to<br />
NCOR/COR.<br />
A signed copy of all Relief from Accountability Reports must be retained on file.<br />
6.3.8 Destruction Report<br />
6.3.8.1 General<br />
Cryptographic material must be destroyed after it is superseded. Other COMSEC material may<br />
be authorized for destruction after it has served its intended purpose. A Destruction Report is<br />
used to document the physical destruction or electronic zeroization of COMSEC material,<br />
whether by authorized means or by accident, and serves to report the items’ removal from<br />
accountability (see Chapter 12 for complete destruction instructions).<br />
6.3.8.2 Preparation and Distribution<br />
The following applies to the preparation and distribution of Destruction Reports:<br />
<br />
<br />
<br />
<br />
List, in alphanumerical order, all material that is scheduled for destruction.<br />
Enter the reason for the destruction (e.g. zeroized, superseded, filled in equipment<br />
[include the short title and serial number of the equipment], obsolete) in either the<br />
Remarks column or after the “NOTHING FOLLOWS” line.<br />
If the Destruction Report lists centrally-accountable COMSEC material, send a signed<br />
copy to NCOR/COR.<br />
A signed copy of all Destruction Reports must be retained on file.<br />
6.3.9 Consolidated Destruction Report<br />
6.3.9.1 General<br />
Occasionally, COMSEC material (e.g. superseded key) is authorized for destruction by<br />
personnel other than the COMSEC Custodian. Except in tactical situations (operational theatres),<br />
such destructions must be performed in the same secure environment using the same security<br />
procedures required of the COMSEC Custodian.<br />
38 October 2011 Accounting Forms,<br />
Reports and Notices
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
In such cases, the appropriate destruction documents, duly signed and witnessed, must be<br />
forwarded to the COMSEC Custodian. The COMSEC Custodian must compile the documents<br />
(e.g. HI/DR card) into a single Consolidated Destruction Report for forwarding to NCOR/COR.<br />
6.3.9.2 Preparation and Distribution<br />
The following applies to the preparation and distribution of Consolidated Destruction Reports:<br />
a. Review local destruction records (e.g. HI/DR card) for accuracy, appropriate<br />
authorizations and required signatures.<br />
b. List the COMSEC material that was destroyed (and reported as destroyed on local<br />
accounting records) during the month.<br />
c. Annotate the report with “Consolidated Destruction Report”.<br />
d. If the report contains centrally-accountable COMSEC material, submit the report to<br />
NCOR/COR no later than the 16 th of the month following destruction of the key material.<br />
e. Retain a copy of all Consolidated Destruction Reports on file.<br />
6.3.9.3 Seed Key Conversion Report<br />
The Canadian Central Facility (CCF) generates a monthly Seed Key Conversion Report (SKCR)<br />
for Secure Communications Interoperability Protocol (SCIP) equipment that lists the Key<br />
Material Identifier (KMID) number of the key that has been converted from seed key to<br />
operational key. When a user initiates a secure call from authorized SCIP equipment to the<br />
Secure Data Network System (SDNS) Public Switched Telephone Network (PSTN)-(Integrated<br />
Services Digital Network (ISDN) Rekey Subsystem (SPIRS), operational key is sent to that<br />
user’s SCIP equipment. Once the operation is completed, the user can use their equipment to<br />
place secure calls to other SCIP users. A copy of the SKCR will be sent to the COMSEC<br />
Account Custodian on a monthly basis or upon request. The COMSEC Custodian must use the<br />
SKCR to verify that a Destruction Report has been completed for all KMIDs listed on the report.<br />
6.3.9.4 Operational Rekey Report<br />
The CCF generates a monthly Operational Rekey Report (ORR) that lists the KMID of keys for<br />
SCIP equipment that were used to place a secure call to the SPIRS. Upon initiation of a secure<br />
call to the SPIRS, a new operational key is downloaded to the SCIP equipment along with a<br />
Compromised Key List (CKL). A copy of the ORR will be sent to the COMSEC Account<br />
Custodian on a monthly basis or upon request. This report must be used to verify that end users<br />
conduct quarterly rekey calls to the SPIRS and ensure that they have the latest CKL. The<br />
COMSEC Custodian must use the ORR to verify that a Destruction Report has been completed<br />
for all KMIDs listed on the report.<br />
Accounting Forms, October 2011 39<br />
Reports and Notices
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
6.3.10 Inventory Report<br />
6.3.10.1 General<br />
COMSEC Custodians are responsible for conducting inventories. During the inventory process,<br />
the COMSEC material held at the COMSEC Account is physically sighted and the actual<br />
holdings are compared to the accounting records. The inventory process is very important as it is<br />
sometimes the only means of discovering the loss of COMSEC material. For a complete<br />
description of inventories, see Chapter 13.<br />
A list of COMSEC Account’s holdings is recorded on an Inventory Report.<br />
6.3.10.2 Preparation and Distribution<br />
The following rules apply to the preparation and distribution of Inventory Reports:<br />
NCOR/COR will prepare, for distribution to each COMSEC Account, a list of all ALC 1,<br />
ALC 2 and ALC 6 COMSEC material held by a COMSEC Account. This list is called an<br />
Inventory Report and contains all the material that the COMSEC Account has reported to<br />
NCOR/COR via various COMSEC Material Reports (e.g. Transfers, Receipts,<br />
Destructions and Possessions).<br />
<br />
<br />
<br />
<br />
COMSEC Custodians must prepare an Inventory Report for each Sub-Account and Local<br />
Element. This report must contain all ACM (i.e. ALC 1, ALC 2, ALC 4, ALC 6 and<br />
ALC 7) issued to each element.<br />
Each Local Element must conduct a physical sighting of COMSEC material in his or her<br />
possession, annotate the Inventory Report as required, sign and have someone else<br />
witness and sign the report, and then return the completed report to the COMSEC<br />
Custodian. The COMSEC custodian must retain a copy of each signed Inventory Report<br />
on file.<br />
The COMSEC Custodian must verify the accuracy of each returned report, resolve<br />
discrepancies, report COMSEC incidents (for lost items) and return the signed Inventory<br />
Report along with all supplemental accounting transactions to NCOR/COR. Inventory<br />
Reports returned to NCOR/COR must contain a compilation of all ALC 1, ALC 2 and<br />
ALC 6 material held at the COMSEC Account.<br />
A copy of all signed Inventory Reports must be retained on file.<br />
40 October 2011 Accounting Forms,<br />
Reports and Notices
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
6.4 Accounting Notices<br />
6.4.1 Tracer Notice – Transfers<br />
If the signed Transfer Report (receipt) has not been received when due, tracer action must be<br />
initiated as follows:<br />
<br />
<br />
<br />
The initial tracer action may be accomplished via a documented phone call, e-mail, or by<br />
using an official tracer notice.<br />
The initiation of tracer action is dependent on the distribution method (e.g. electronic,<br />
courier) and whether the COMSEC Account or NCOR/COR is initiating the tracer<br />
action.<br />
In exceptional cases, when physical COMSEC material cannot be delivered and receipted<br />
for within the allotted time, an extension of up to 20 working days is acceptable. In such<br />
cases, a note must be added on the transfer report.<br />
6.4.2 Tracer Action by the COMSEC Custodian<br />
The COMSEC Custodian must ensure that a signed receipt has been received for every transfer<br />
initiated at the COMSEC Account as follows:<br />
<br />
Electronic Distribution. If a signed receipt for the electronic distribution of key is not<br />
received within five working days from the date of distribution of the COMSEC material,<br />
the COMSEC Custodian must initiate tracer action.<br />
<br />
If the signed receipt is not received within five working days of this initial tracer action,<br />
the COMSEC Custodian must notify NCOR/COR. NCOR/COR will assist the COMSEC<br />
Custodian in obtaining the receipt.<br />
Physical Distribution. If a signed receipt for the physical shipment of COMSEC material<br />
is not received within 10 working days from the date of shipment, the COMSEC<br />
Custodian must initiate tracer action.<br />
If the receipt is not received within 10 working days of this initial tracer action, the<br />
COMSEC Custodian must notify NCOR/COR. NCOR/COR will assist the COMSEC<br />
Custodian in obtaining the receipt.<br />
Accounting Forms, October 2011 41<br />
Reports and Notices
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
6.4.3 Tracer Action by National Central Office of Record/Central Office of<br />
Record<br />
6.4.3.1 Tracer Action for Transfer Reports<br />
If NCOR/COR has not received a signed Transfer Report (receipt) within 20 working days of the<br />
date on which the report was sent, NCOR/COR will send a Tracer Notice to the delinquent<br />
account. Up to three Tracer Notices will be sent.<br />
NCOR/COR occasionally receives signed receipts for Transfer Reports that have not been<br />
forwarded to NCOR/COR. The receipt cannot be reconciled unless the original Transfer Report<br />
has been processed. In such cases, NCOR/COR will immediately send a Tracer Notice for the<br />
missing Transfer Report.<br />
6.4.3.2 Tracer Action for Inventory Reports<br />
Tracer Notices may also be sent with respect to the Inventory process. During an inventory,<br />
NCOR/COR may discover that COMSEC Material Reports have not been forwarded for<br />
processing at NCOR/COR.<br />
Missing COMSEC Material Reports will result in an inability to reconcile a COMSEC<br />
Account’s inventory. NCOR/COR will originate tracer action for the missing COMSEC Material<br />
Reports.<br />
6.4.3.3 Failure to Respond to Tracer Notices<br />
Failure to respond to Tracer Notices could result in an immediate audit of the COMSEC<br />
Account.<br />
42 October 2011 Accounting Forms,<br />
Reports and Notices
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
7 Special Accounting Requirements<br />
7.1 Drop Accounting of North Atlantic Treaty Organization and<br />
International COMSEC Material<br />
7.1.1 General Requirement<br />
When GC departments are entrusted with COMSEC material by a North Atlantic Treaty<br />
Organization (NATO) or other international authority, it must be accounted for, transported,<br />
stored and handled in accordance with the directive contained herein for Canadian COMSEC<br />
material of equivalent sensitivity. Similarly, Canada accepts that our allies will also account for,<br />
transport, store, and handle Canadian COMSEC material in accordance with their own national<br />
policy and procedures. This arrangement is known as drop accounting. There is no requirement<br />
for GC departments to hold the policy and procedural publications of the nation or alliance that<br />
provides the material, except as detailed in the following two articles.<br />
7.1.2 North Atlantic Treaty Organization Funded Units<br />
When NATO funded units such as Satellite Ground Terminals are located on Canadian territory,<br />
the COMSEC holdings will be entirely of NATO origin and must be accounted for, transported,<br />
stored, and handled in accordance with the current editions of Instructions for the Control and<br />
Safeguard of NATO Cryptomaterial (SDIP 293) and NATO Crypto Distribution and Accounting<br />
Publication (AMSG 505).<br />
7.1.3 North Atlantic Treaty Organization COMSEC Material Requiring Two-<br />
Person-Integrity Control<br />
Where GC departments are issued with NATO COMSEC material that requires TPI control,<br />
such items must be accounted for, transported, stored, and handled in accordance with the<br />
current edition of Policy and Procedures for the Handling and Control of Two-Person-<br />
Controlled NATO Security Material (AMSG 773). The format of NATO COMSEC material<br />
requiring TPI control is significantly different from its national equivalent and requires different<br />
storage and handling procedures.<br />
7.2 Canadian Controlled COMSEC Material Outside of the National<br />
COMSEC Material Control System<br />
COMSEC material, including CCI, must exit the NCMCS only via the NDA at CSEC. Canadian<br />
CCI destined for use outside of Canada must be accounted for and handled within the receiving<br />
foreign nation’s formal COMSEC channels. Subsequent to CSEC providing case-by-case<br />
authority with a foreign nation, the NDA will initiate formal transfer to a foreign nation’s<br />
established COMSEC Account with appropriate notification being sent to the foreign nation’s<br />
responsible COR.<br />
Special Accounting Requirements October 2011 43
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
NOTE 1:<br />
NOTE 2:<br />
Where a foreign private sector company or organization is involved, the COMSEC<br />
material, including CCI, must be transferred to an established COMSEC Account or,<br />
in the case of CCI under development (within established IP channels), via the<br />
appropriate foreign nation’s NDA, in coordination with the foreign NDA’s COR.<br />
COMSEC Client Services at CSEC may authorize GC departments or private sector<br />
companies or organizations to by-pass this channel if sufficient justification is<br />
provided in writing before the distribution.<br />
7.3 Criteria for Release of COMSEC Material to the Private Sector<br />
Private sector companies or organizations (including those in Canadian industry,<br />
universities, etc.) that require COMSEC material must have a COMSEC Sub-Account<br />
established by the CICA. Before the establishment of a COMSEC Sub-Account at a private<br />
sector institution or organization, the institution or organization must:<br />
<br />
<br />
<br />
<br />
have a legal agreement with the GC (i.e. a contract or pre-contractual agreement, or be a<br />
member of a CSEC program which requires the production or support of COMSEC<br />
material);<br />
have been granted a Facility Security Clearance (FSC) by CSEC. The FSC, which<br />
includes a Document Safeguarding Capability (DSC) and COMSEC Safeguarding<br />
Capability (CSC), must be equal to or higher than the classification or protected level of<br />
the COMSEC material being issued or produced;<br />
have a Company Security Officer (CSO), and a trained COMSEC Custodian and Alternate<br />
COMSEC Custodian, all approved by CSEC; and<br />
if receiving or producing COMSEC material items, sign an Accountable COMSEC<br />
Material Control Agreement (ACMCA) with CSEC. A copy of the ACMCA is found in<br />
<strong>ITSD</strong>-01.<br />
7.4 Government Furnished Equipment<br />
7.4.1 Government Furnished Equipment for Canadian Industry<br />
When transferring Government Furnished Equipment (GFE) to a Canadian industry COMSEC<br />
Sub-Account, the COMSEC Custodian must ensure that:<br />
the COMSEC material is identified as GFE on the Transfer Report;<br />
<br />
<br />
the contract number and Memorandum of Understanding (MOU) or Memorandum of<br />
Agreement (MOA), which must be identified by the client GC department’s contract<br />
authority, is included on the Transfer Report; and<br />
an appropriate ACMCA is in place for each contract.<br />
44 October 2011 Special Accounting Requirements
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
7.4.2 Government Furnished Equipment for Allied Contractors<br />
Transfer of GFE to or from allied contractors is handled on a case-by-case basis. Contact<br />
COMSEC Client Services at CSEC.<br />
7.5 COMSEC Material under Contract<br />
Refer to Annex A – Control of IP COMSEC Material for accounting and control direction<br />
applicable to COMSEC material under a maintenance or repair contract and COMSEC<br />
publications under a reproduction or translation contract.<br />
Special Accounting Requirements October 2011 45
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
This page intentionally left blank.<br />
46 October 2011 Special Accounting Requirements
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
8 Access to COMSEC Material<br />
8.1 Prerequisite for Access to COMSEC Material<br />
8.1.1 Access by Government of Canada Employees and Contractors<br />
Access to COMSEC material may be granted to Canadian citizens (including dual nationality)<br />
who:<br />
<br />
<br />
<br />
<br />
<br />
possess a valid GC security clearance or reliability status commensurate with the security<br />
classification of the material and information they will access;<br />
have a “need-to-know”;<br />
have been given a COMSEC Briefing;<br />
have signed a COMSEC Briefing Certificate; and<br />
are familiar with applicable COMSEC material control procedures.<br />
NOTE: Access by persons with Permanent Resident Status is not authorized.<br />
8.1.2 Access by Foreign Nationals<br />
Access to COMSEC material may be granted to foreign nationals (i.e. non-Canadian citizens)<br />
upon approval from CSEC on a case-by-case basis. Requests for such access must be submitted<br />
in writing to COMSEC Client Services at CSEC.<br />
8.2 COMSEC Briefing and COMSEC Briefing Certificate<br />
8.2.1 Requirements<br />
The DCA and COMSEC Custodian must ensure individuals requiring access to COMSEC<br />
material receive a COMSEC Briefing and sign a COMSEC Briefing Certificate. A COMSEC<br />
Briefing is required for individuals (includes, but is not limited to, COMSEC Account personnel,<br />
Local Elements, individuals attending CSEC and international COMSEC courses and COMSEC<br />
forums; and, individuals who need “user access” or “maintainer access” during installation,<br />
troubleshooting, repair, or physical keying of equipment) who require access to:<br />
COMSEC material controlled within the NCMCS;<br />
<br />
<br />
crypto-information which embodies, describes or implements a classified cryptographic<br />
logic;<br />
crypto-information including, but not limited to full maintenance manuals, cryptographic<br />
computer software (must be a continuing requirement);<br />
Access to COMSEC Material October 2011 47
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
<br />
<br />
classified IP COMSEC material or CCI and components at any phase during its<br />
production or development; and<br />
cryptographic key or logic during its production or development.<br />
8.2.2 Retention of COMSEC Briefing Certificates<br />
A COMSEC Briefing Certificate must be retained by the COMSEC Custodian for a minimum of<br />
two years after an individual’s authorization to access COMSEC material has ended.<br />
8.2.3 COMSEC Debriefings/Updates<br />
COMSEC debriefings are not required when access to COMSEC material is no longer required.<br />
Periodic or annual briefing updates are not required for active COMSEC Custodians, Alternate<br />
COMSEC Custodians and Local Elements. Any individual being re-appointed at the same or at a<br />
different COMSEC Account as a COMSEC Custodian, Alternate COMSEC Custodian or Local<br />
Element must be given a new COMSEC Briefing and sign a new COMSEC Briefing Certificate.<br />
8.3 Two Person Integrity<br />
TPI is a security measure designed to prevent any one person from having access to specified<br />
COMSEC material (e.g. TOP SECRET key material). Each individual having such access must<br />
be capable of detecting incorrect or unauthorized security procedures with respect to the task<br />
being performed. TPI-regulated storage and handling requires the use of security devices<br />
protected by two approved locks, Personal Identification Numbers (PINs) or passwords, with no<br />
one person having access to both sets of combinations, keys, PINs or passwords.<br />
8.4 No Lone Zone<br />
Certain areas in a COMSEC facility may be designated as a NLZ. A minimum of two authorized<br />
individuals must be in visual contact with each other at all times within a NLZ. If the departure<br />
of one individual would leave a single occupant, then both individuals must leave and secure the<br />
NLZ.<br />
The DCA will establish a NLZ for COMSEC Accounts that:<br />
receive, store, handle, use or destroy TOP SECRET key material;<br />
produce physical key material; or<br />
<br />
take part in the design, development, manufacture or maintenance of crypto equipment.<br />
48 October 2011 Access to COMSEC Material
UNCLASSIFIED<br />
9 Physical Security<br />
9.1 COMSEC Facilities<br />
9.1.1 Requirement<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
A COMSEC facility must be established wherever COMSEC material is generated, stored,<br />
repaired, used or operations warrant (e.g. COMSEC Custodian work area, key distribution<br />
centre, repair facility). COMSEC Custodian work areas outside of established COMSEC<br />
facilities (e.g. temporary structures, mobile vehicles) that are not considered COMSEC facilities<br />
must provide the maximum possible protection from theft, compromise, damage and<br />
deterioration of COMSEC material and ensure access and accounting integrity is maintained.<br />
9.1.2 Planning and Establishing a COMSEC Facility<br />
When planning and establishing a COMSEC facility, the DCA should:<br />
<br />
<br />
<br />
establish the COMSEC facility in an area which provides positive control over access<br />
using a hierarchy of zones (refer to Article 6.2 of the TBS’ Operational Security Standard<br />
on Physical Security);<br />
produce a standard operating procedure (in conjunction with the COMSEC Emergency<br />
Plan) containing provisions for securely conducting facility operations; and<br />
ensure a Threat and Risk Assessment (TRA) is conducted before initial activation (where<br />
practical) and periodically thereafter based on threat, physical modifications, sensitivity of<br />
operations and COMSEC incident reports of a serious nature.<br />
9.1.3 Access Controls and Restrictions<br />
The COMSEC Custodian must:<br />
<br />
<br />
<br />
establish an access list for authorized individuals who have regular duty assignments in<br />
the COMSEC facility;<br />
limit unescorted access to individuals who are Canadian citizens (including dual<br />
nationality), whose duties require such access, and who meet the access requirements of<br />
Chapter 8;<br />
ensure all visits are recorded in a visitor log and retain the log for at least one year after<br />
the date of the last entry. The visitor log must contain, at a minimum:<br />
o date/time of arrival and departure<br />
o printed name<br />
o signature of visitor<br />
o purpose of visit, and<br />
Physical Security October 2011 49
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
<br />
<br />
<br />
<br />
<br />
o signature, including printed name, of authorized individual admitting the visitor;<br />
ensure visitors are continuously escorted by an individual whose name is on the access<br />
list;<br />
prohibit unauthorized personally owned devices and equipment capable of receiving and<br />
recording intelligible images, sound recording devices and equipment, radio transmitting<br />
and receiving equipment and microphones and television receivers from the COMSEC<br />
facility;<br />
post a sign to identify the area as a RESTRICTED ACCESS area;<br />
establish and document a daily security check procedure to ensure COMSEC material is<br />
properly safeguarded, and that approved physical security protection devices (e.g. door<br />
locks, alarm system) are functioning properly; and<br />
ensure unmanned facilities in areas posing a high risk of compromise are protected by an<br />
approved intrusion detection system and that physical checks are conducted at least once<br />
every 24 hours to ensure that all doors to the facility are locked and that there have been<br />
no attempts at forceful entry.<br />
9.1.4 COMSEC Facility Approval<br />
9.1.4.1 Initial Inspection of Facility for COMSEC Custodian Work Area<br />
The facility for the COMSEC Custodian work area must be approved by CSEC before the GC<br />
department is authorized to establish a COMSEC Account and hold COMSEC material. The<br />
approval will be based on a security inspection to determine if the facility meets the<br />
requirements for safeguarding COMSEC material as detailed in this directive, the Operational<br />
Security Standard on Physical Security and the applicable RCMP Physical Security Guide.<br />
9.1.4.2 Other Departmental COMSEC Facilities<br />
Where a departmental Threat and Risk Assessment (TRA) indicates the requirement for other<br />
COMSEC facilities (e.g. COMSEC Sub-Account, telecommunications facility, maintenance or<br />
repair depot), the DCA is responsible for ensuring these COMSEC facilities are established and<br />
approved.<br />
9.1.4.3 Re-inspection of COMSEC Facilities<br />
CSEC representatives will re-inspect the facility for the COMSEC Custodian work area during<br />
the audit of the COMSEC Account. The DCA must ensure other departmental COMSEC<br />
facilities are re-inspected periodically based on threat, physical modifications, past security<br />
performance and sensitivity of operations. These inspections must be conducted by individuals<br />
not directly involved in the installation, operations or maintenance of the facility.<br />
50 October 2011 Physical Security
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
9.1.4.4 Records of COMSEC Facility Inspections<br />
The inspection of a COMSEC facility must be documented and records kept on file at the<br />
COMSEC Account or CSEC, as applicable, for a minimum of five years.<br />
9.2 Secure Storage<br />
9.2.1 Security Containers<br />
COMSEC material must be stored in security containers (e.g. vaults, safes, file cabinets, etc.)<br />
that are approved for the classification or protected level of the COMSEC material and which<br />
meet the requirements of the RCMP Security Equipment Guide (G1-001). Security containers<br />
used for the storage of COMSEC material must be located in a security zone appropriate for the<br />
level of the COMSEC material. Additional information can be found at RCMP’s Physical<br />
Security Guides and Reports web page.<br />
NOTE: Brief cases are not considered storage containers and must not be used as such.<br />
9.2.2 Segregation of COMSEC Material in Storage<br />
The rules for the minimum segregation of COMSEC material in physical storage are:<br />
<br />
<br />
Effective editions, reserve editions and superseded key material awaiting destruction must<br />
be stored separately from each other in approved security containers.<br />
Key material or CIKs must not be stored in the same security container as the equipment<br />
with which they may be used.<br />
NOTE: In situations where space is at a premium, segregation may be accomplished using a<br />
locked strongbox housed within a single security container.<br />
9.2.3 Opening of Security Containers in Emergency Situations<br />
When the COMSEC Custodian and Alternate COMSEC Custodian(s) are not available to open a<br />
security container in an emergency, the DCA (or other designated authority) may direct the<br />
opening of the security container, under the following conditions:<br />
<br />
<br />
<br />
At least two individuals must be present to gain access to the combination and to open the<br />
security container.<br />
The individuals who opened the security container must prepare a written report<br />
(containing an inventory of the contents and the circumstances surrounding the access<br />
requirement) to the individual(s) in charge of the security container, after the emergency<br />
opening.<br />
The individual(s) responsible for the security container must conduct a full inventory of<br />
the COMSEC material and change the combination(s), immediately upon their return.<br />
Physical Security October 2011 51
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
In the event of an emergency where access is required to COMSEC material that has been<br />
previously issued to a Local Element who is not available, the individual requiring immediate<br />
access must contact either the COMSEC Custodian or Alternate COMSEC Custodian.<br />
9.2.4 Incidents Involving Security Containers<br />
In the event of a security incident (e.g. if a container or vault is found open after normal working<br />
hours), the individual discovering the incident must notify the COMSEC Custodian or Alternate<br />
COMSEC Custodian. If the COMSEC Custodian or Alternate COMSEC Custodian cannot be<br />
located, one of the other individuals on the list of individuals having knowledge of the<br />
combinations to the container must be contacted. The COMSEC Custodian and Alternate<br />
COMSEC Custodian must conduct a full inventory of its contents and immediately change the<br />
combination.<br />
In the event of an incident in which COMSEC material has been issued to a Local Element, the<br />
individual discovering the incident must contact either the COMSEC Custodian or Alternate<br />
COMSEC Custodian.<br />
9.2.5 Protecting Lock Combinations and Lock Keys<br />
9.2.5.1 Security Measure<br />
Any sign of tampering with or suspicion of compromise of a lock or its associated combinations<br />
(or keys) must be immediately reported to the DCA.<br />
9.2.5.2 Change of Combinations<br />
The COMSEC Custodian must ensure that combinations for locks used for the secure storage of<br />
COMSEC material are changed when:<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
the lock is first put into use by the COMSEC Custodian (i.e. the manufacturer’s preset<br />
combination) must not be used;<br />
an individual knowing the combination ceases to have authorized access to the storage<br />
facility or the security container;<br />
an unauthorized individual has had access to the written record of the combination;<br />
the combination is known or suspected to have been compromised;<br />
the lock has been repaired, serviced or inspected by a person not having authorized access<br />
to storage facility or the security container;<br />
the combination has not been changed in the last 12 months; or<br />
the lock is temporarily or permanently taken out of use.<br />
52 October 2011 Physical Security
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
9.2.5.3 Selection of Combinations<br />
Each lock must have a combination composed of randomly selected numbers based on the<br />
manufacturer’s specifications. The combination must not be a duplicate of another lock<br />
combination within the facility.<br />
9.2.5.4 Change of Key Operated Locks<br />
The COMSEC Custodian must ensure that key-operated locks used to secure COMSEC material<br />
are replaced and not re-used to secure COMSEC material when:<br />
an individual ceases to have authorized access to the security container;<br />
an unauthorized individual has had access to a key;<br />
the key or lock is known or suspected to have been compromised;<br />
<br />
<br />
the lock has been repaired, serviced or inspected by a person not having authorized access<br />
to the security container; or<br />
the lock has not been changed in the last 12 months.<br />
9.2.5.5 Protective Packaging of Combinations or Spare Keys<br />
When a combination (or key operated lock) is changed by the individual responsible for the<br />
security container, the COMSEC Custodian must ensure that the responsible individual has:<br />
a. sealed the combination numbers (or spare keys) in an opaque envelope in such a manner<br />
that tampering with the envelope is evident;<br />
b. marked the envelope with the highest classification or protected level of the material that<br />
the combinations (or keys) protect and listed the name and phone number of the<br />
individual(s) authorized access to the combinations (or keys); and<br />
c. given the envelope to the DCA (or other authorized individual) for secure storage in a<br />
storage container that meets or exceeds the classification or protected level of the material<br />
being protected by the combinations (or keys).<br />
9.2.5.6 Record of Combinations and Keys<br />
The COMSEC Custodian must keep a record of the name and telephone number of individuals<br />
having knowledge of the combinations (or hold keys) to containers in which COMSEC material<br />
is stored. Normally, the containers will be under the direct control of the COMSEC Custodian<br />
and the Alternate COMSEC Custodian(s).<br />
Physical Security October 2011 53
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
9.2.5.7 Access to and Knowledge of Combinations or Keys<br />
The COMSEC Custodian must ensure that only appropriately cleared and authorized personnel<br />
have access to, or knowledge of, combinations (or keys) that protect the COMSEC material for<br />
which they are accountable. Personnel with knowledge of combinations must not record and<br />
carry the combinations or store the records of such combinations in electronic form. Keys must<br />
not be stored in key presses that are accessible to any personnel other than the COMSEC<br />
Custodian or his/her staff.<br />
9.2.5.8 Combinations for Two-Person Integrity Containers and No Lone Zone<br />
The COMSEC Custodian must ensure that no one person may change both combinations or will<br />
be allowed access to or have knowledge of both combinations to a security container used to<br />
store COMSEC material requiring TPI control or to an area used as a NLZ.<br />
NOTE: Lock combinations must be classified and safeguarded at the highest classification of<br />
the material they protect.<br />
9.3 Storage of Physical Key Material<br />
9.3.1 Storage Requirements<br />
Key material not under the direct continuous control of a cleared and authorized individual (or<br />
individuals where applicable) must be stored in a locked, approved security container, in an area<br />
protected by security guards or by an intrusion-detection system (i.e. Security Zone, High<br />
Security Zone). Refer to Table 3 for specific requirements for the storage of key material.<br />
9.3.2 Key Material Held in Reserve<br />
The amount of key material to be held in reserve varies with the supersession rate of the key<br />
material. Table 2 provides a guide to the amount that should normally be held in reserve.<br />
Table 2 – Key Material Held in Reserve<br />
Supersession Rate<br />
Material superseded daily, ten times monthly,<br />
semi-monthly and monthly.<br />
Material superseded every two months or<br />
quarterly.<br />
Material superseded semi-annually, annually<br />
and irregularly.<br />
SDNS seed key (five year retention factor).<br />
Held in Reserve<br />
Editions effective during the current month, plus<br />
three months reserve.<br />
Effective edition plus two editions reserve.<br />
Effective edition plus one edition reserve.<br />
One seed key may be held in reserve.<br />
54 October 2011 Physical Security
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
Table 3 – Storage of Physical Key Material<br />
Key Material<br />
TOP SECRET Key<br />
Material and other Key<br />
Material Requiring TPI<br />
Control<br />
SECRET,<br />
CONFIDENTIAL and<br />
PROTECTED C Key<br />
Material<br />
PROTECTED A and<br />
PROTECTED B Key<br />
Material<br />
UNCLASSIFIED Key<br />
Material<br />
Foreign Key Material<br />
Storage Requirements<br />
TOP SECRET key material must be stored under TPI controls in<br />
containers meeting the RCMP Security Equipment Guide (G1-001)<br />
standards.<br />
TOP SECRET key material that is held within a work area for<br />
intermittent use throughout the day may be kept under one lock in a<br />
NLZ. Knowledge of the combination or access to the key used to<br />
secure the lock must be restricted to the supervisor on duty.<br />
TOP SECRET key material in tactical environments, may be:<br />
stored in a standard, approved field safe;<br />
stored in a similar container secured by a combination lock meeting<br />
the RCMP Security Equipment Guide (G1-001) standards; or<br />
kept under personal custody if adequate storage facilities are not<br />
available.<br />
SECRET, CONFIDENTIAL and PROTECTED C key material must<br />
be stored :<br />
in any manner approved for TOP SECRET key material; or<br />
in a container approved for SECRET, CONFIDENTIAL or<br />
PROTECTED C material, as applicable, with an approved<br />
combination lock.<br />
PROTECTED A and PROTECTED B key material must be stored in<br />
any manner approved for classified key material.<br />
UNCLASSIFIED key material must be stored by the most secure<br />
means available to the authorized user provided that it will reasonably<br />
preclude theft, sabotage, tampering or use by unauthorized individuals.<br />
Foreign key material must be stored in accordance with the<br />
instructions for Canadian COMSEC material of equivalent sensitivity.<br />
UNCLASSIFIED, RESTRICTED and UNCLASSIFIED/For Official<br />
Use Only (U//FOUO) foreign key material marked “CRYPTO” must<br />
be stored as PROTECTED A (or higher) COMSEC material.<br />
Physical Security October 2011 55
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
9.4 Storage of Electronic Key Material<br />
Electronic key material must be stored in accordance with the applicable system or equipment<br />
doctrine.<br />
9.5 Storage of COMSEC Equipment<br />
9.5.1 General Requirement<br />
All COMSEC equipment must be stored in a manner consistent with its classification or<br />
protected level and security markings (e.g. CRYPTO, CCI) when not under the direct and<br />
continuous control of appropriately cleared and authorized personnel. COMSEC equipment may<br />
require special storage procedures or storage facilities. Refer to the applicable equipment<br />
doctrine.<br />
NOTE: UNCLASSIFIED COMSEC equipment and unkeyed CCI require storage that must<br />
provide reasonable protection from compromise, theft, tampering and damage.<br />
9.5.2 Preparation for Storage<br />
COMSEC equipment must never be stored in a keyed state, unless:<br />
<br />
<br />
operational requirements mandate it and no practical alternative exists; or<br />
keyed equipment cannot be zeroized due to malfunction or damage.<br />
When COMSEC equipment is stored in a keyed state, it must be stored in accordance with the<br />
highest classification of key loaded in the equipment.<br />
NOTE 1: CCI that utilize a CIK are considered keyed whenever the CIK is inserted and<br />
unkeyed with the CIK removed and not accessible for use by unauthorized persons.<br />
NOTE 2: CCI that utilize a PIN to unlock the secure mode are considered keyed whenever the<br />
PIN is entered.<br />
9.5.3 Spare or Standby Equipment<br />
Spare or standby COMSEC equipment that is located within a secure work area may be<br />
considered installed for operation. The storage requirements in the previous articles are not<br />
applicable to such equipment.<br />
9.6 Storage of COMSEC Publications<br />
COMSEC publications must be stored in accordance with their security classification and any<br />
caveat(s) or other security markings.<br />
56 October 2011 Physical Security
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
10 Distribution and Receipt of COMSEC Material<br />
10.1 Distributing COMSEC Material<br />
To meet secure communications requirements, COMSEC Custodians may be directed to<br />
distribute COMSEC material to other NCMCS elements. It is a COMSEC Custodian’s<br />
responsibility to ensure that individual shipments of COMSEC material are kept to the minimum<br />
required to support operational requirements (including contingency operations).<br />
When preparing COMSEC material for distribution, the COMSEC Custodian must:<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
verify the receiving COMSEC Account, COMSEC Sub-Account or Local Element is<br />
authorized to hold the COMSEC material;<br />
verify the security classification of the receiving COMSEC Account, COMSEC Sub-<br />
Account or Local Element;<br />
perform page checks, equipment checks and inspection of protective packaging<br />
immediately (no earlier than 48 hours) before packaging;<br />
zeroize or remove CIKs from all CCI before transportation (or, when circumstances<br />
warrant, keyed devices may be hand-carried by authorized GC couriers or contractor<br />
couriers);<br />
package operational and seed key material separately from its associated COMSEC<br />
equipment (including CCI) and transport in different vehicles on different days, unless –<br />
o the application or design of the equipment is such that the corresponding key material<br />
cannot be physically separated from it;<br />
o the key material is an UNCLASSIFIED maintenance key (which may be shipped in<br />
the same container as its associated COMSEC equipment); or<br />
o there are no other means available to effect delivery to support an immediate<br />
operational requirement;<br />
NOTE: When COMSEC equipment must be shipped in a keyed state or with its<br />
associated key material, ship the package in accordance with the<br />
classification of the key material or the COMSEC equipment, whichever is<br />
higher.<br />
dispatch the list of effective dates of editions of key material separately, and on different<br />
days, from the key material;<br />
package each Traffic Encryption Key (TEK) separately from its associated KEK;<br />
Distribution and Receipt of October 2011 57<br />
COMSEC Material
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
<br />
<br />
<br />
<br />
package components which, as a whole, comprise a cryptographic system (i.e. the<br />
cryptographic equipment, ancillaries, associated documentation and key variables)<br />
separately and transport in different shipments;<br />
apply TPI controls to the TOP SECRET key material during its transit unless it is<br />
enclosed in protective packaging and is double-wrapped, in which case only one courier is<br />
required;<br />
ensure that electronic key material is transmitted in accordance with the applicable system<br />
or equipment doctrine; and<br />
prepare a COMSEC Material Report in accordance with Chapter 6 of this directive.<br />
10.2 Distributing Electronic Key on Magnetic or Optical Media<br />
In addition to the criteria at Article 10.1, when electronic key is distributed (i.e. transferred or<br />
issued) on magnetic or optical media, the selected media must be controlled as a separate<br />
COMSEC item within NCMCS as ALC 1. The COMSEC Custodian must affix a label to the<br />
media similar to the example label depicted at Figure 2. The accounting number is taken from a<br />
“next in sequence” number log maintained by the COMSEC Custodian to record the sequential<br />
serial numbers of the media. The originating COMSEC Custodian must prepare and process a<br />
Possession Report in accordance with Chapter 6 to enter the new COMSEC material into the<br />
NCMCS before distributing the media (and the electronic key material).<br />
Two GC-223 Transfer Reports must be generated: one to account for the physical transport<br />
media; and, the second to account for the transfer of the electronic key that is being transported<br />
by the media. Both reports are signed and returned to the originating COMSEC Account.<br />
If unencrypted key is being transported by magnetic or optical media, the label must also display<br />
the CRYPTO marking and highest classification of key being transported (minimum SECRET).<br />
NOTE: Magnetic or optical media used for distribution of electronic key is not authorized for<br />
re-use. The electronic key being transported by the media must be processed and<br />
reconciled, and along with the transporting medium, be physically destroyed within<br />
three working days of receipt.<br />
Classification:<br />
SECRET (CRYPTO if applicable)<br />
Accounting Legend Code: ALC 4<br />
Short Title:<br />
CAKAE 4005 (+ EKMS ID)<br />
Accounting Number: (Unique next in sequence number)<br />
58 October 2011 Distribution and Receipt<br />
of COMSEC Material
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
Figure 2 – Example of Magnetic or Optical Media Label<br />
10.3 Tracking the Shipment of COMSEC Material<br />
Following the shipment of COMSEC material, the COMSEC Custodian must:<br />
notify the recipient, within 24 hours of shipment, of the details of the shipment and the<br />
estimated time of delivery;<br />
ensure the telephone numbers of both the shipping and the receiving COMSEC Accounts<br />
are listed on the waybill when COMSEC material is shipped by commercial carrier or<br />
Canada Post Priority Courier;<br />
keep a local record of the shipment; and<br />
<br />
follow-up to ensure the COMSEC material is delivered to the authorized recipient<br />
according to schedule and –<br />
o if a shipment is not received within 48 hours of expected delivery, initiate shipment<br />
tracer action with the carrier to determine the last known location of the shipment;<br />
and<br />
o if the location is not determined and the shipment is not recovered within 24 hours of<br />
the shipment tracer initiation, assume that the shipment is lost in transit and<br />
immediately report the loss as a COMSEC incident as detailed in Chapter 16.<br />
10.4 Packaging Physical COMSEC Material<br />
10.4.1 Overview<br />
Packaging used for the distribution of physical COMSEC material will depend upon the<br />
material’s size, weight, shape and intended method of transport. All COMSEC material must be<br />
double-wrapped or otherwise encased in two opaque containers, and securely sealed (including<br />
seams) before its transportation.<br />
10.4.2 Inner Wrapping<br />
The inner wrapping for package(s) must be secure enough to detect tampering, guard against<br />
damage and be marked as follows:<br />
<br />
<br />
<br />
full addresses of both the shipping and receiving COMSEC Accounts<br />
highest classification or protected level of the contents<br />
caveat “CRYPTO” if any of the contents are so marked, and<br />
Distribution and Receipt of October 2011 59<br />
COMSEC Material
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
<br />
notation “TO BE OPENED ONLY BY THE COMSEC CUSTODIAL STAFF”.<br />
The sealed envelope containing the copies of the COMSEC Material Report may be enclosed<br />
inside the package or affixed to the external surface of the inner wrapping of the package. When<br />
more than one package is required, the envelope may be enclosed or affixed to the first package<br />
of the series.<br />
10.4.3 Outer Wrapping<br />
The outer wrapping must:<br />
be secure enough to prevent damage to the contents or inadvertent or accidental<br />
unwrapping;<br />
not bear any indication that the package contains classified or protected COMSEC<br />
material;<br />
be marked with the –<br />
<br />
o full addresses of both the shipping COMSEC Account and the receiving COMSEC<br />
Account<br />
o shipment number or authorized courier number, and<br />
o package number, followed by a forward slash (“/”), followed by the total number of<br />
the packages in the shipment (e.g. 1/3, 2/3, 3/3); and<br />
have all required customs documentation clearly identified and affixed to it.<br />
10.4.4 Types of Packaging<br />
10.4.4.1 Envelopes<br />
Double official envelopes may be used for the shipment of COMSEC material by mail or by<br />
courier. If the inner envelope contains cryptographic material (of any classification) or<br />
COMSEC material classified SECRET or above, both the inner and outer envelope flap must be<br />
sealed with reinforced or tamper-evident tape in addition to the envelope gum seal.<br />
If the inner envelope contains COMSEC material classified CONFIDENTIAL or below, both the<br />
inner and outer envelopes require gum sealing only. However, envelopes should be sealed with<br />
reinforced or tamper-evident tape if, in the opinion of the COMSEC Custodian, the envelopes<br />
may tear during transportation.<br />
10.4.4.2 Parcels<br />
Good quality brown wrapping paper and fibre-reinforced paper tape should be used when<br />
preparing COMSEC parcels. Such parcels must be packaged and bound as follows:<br />
60 October 2011 Distribution and Receipt<br />
of COMSEC Material
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
<br />
<br />
<br />
All seams of the inner wrapping must be bound with fibre-reinforced paper tape.<br />
Sharp corners must be reinforced or bound with cardboard to prevent damage to the inner<br />
wrapping while in transit.<br />
Outer wrapping must consist of paper and fibre-reinforced tape heavy enough to ensure a<br />
suitably sturdy parcel.<br />
10.4.4.3 Cartons<br />
Cartons may be used as the inner or outer container for a shipment. Used cartons must be in good<br />
condition, with all previous markings obliterated. Additional packing must be used within the<br />
carton to prevent movement of the contents. Fibre-reinforced paper tape must be used to seal all<br />
seams and to reinforce edges and corners.<br />
10.4.5 Wooden Crates or Transit Cases<br />
Wooden crates or transit cases should normally be used only as outer wrapping for shipments,<br />
except when specially designed and authorized to be used as inner wraps. The outer crate or case<br />
must be strapped with a minimum of one strap lengthwise and one width-wise, both centred. The<br />
clamp securing the strap running lengthwise must be positioned above the strap running widthwise.<br />
10.4.5.1 Canvas Bags<br />
A canvas bag may be used as the outer wrapping of a parcel. The bag must be sealed with a lever<br />
lock and a plik. The identification number on each plik is a tamper evident security control that<br />
must be used to detect unauthorized access to the bag. The user must take note of the plik’s<br />
unique ID/serial number when the plik is used to seal the bag. Later, when the bag is to be<br />
opened, the user must verify that the ID number of the plik on the bag has not changed. This<br />
verification of the ID number confirms that the bag has not been opened by someone else and<br />
then re-sealed using a different plik. The seams of the bag must be on the inside. Damaged or<br />
repaired bags must not be used.<br />
10.4.5.2 Briefcases<br />
Within Canada, a briefcase with a GC-approved lock is an appropriate outer wrapper for<br />
COMSEC material carried by authorized departmental couriers. See the RCMP Security<br />
Equipment Guide (G1-001) for details.<br />
10.5 Authorized Modes of Transportation<br />
10.5.1 Overview<br />
The approved modes of transportation for Canadian COMSEC material are listed in Table 4.<br />
Distribution and Receipt of October 2011 61<br />
COMSEC Material
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
10.5.2 North Atlantic Treaty Organization and Foreign COMSEC Material<br />
10.5.2.1 Classified COMSEC Material and UNCLASSIFIED Key Material Marked<br />
CRYPTO<br />
The approved modes of transportation listed in this chapter do not apply to NATO or foreign<br />
classified COMSEC material or unclassified key material marked CRYPTO. This COMSEC<br />
material must be transported in accordance with NATO and foreign national manuals, such as:<br />
<br />
<br />
Communications Security and Cryptography (IS-4) – Part 1: Management of<br />
Cryptographic Systems, U.K.<br />
Communications Security and Cryptography (IS-4) – Part 2: Forms and Instructions,<br />
U.K.<br />
Instructions for the Control and Safeguarding of NATO Cryptomaterial (SDIP 293).<br />
NATO Crypto Distribution and Accounting Publication (AMSG 505).<br />
<br />
Control of Communications Security (COMSEC) Material (NSA/CSS Policy Manual<br />
No. 3-16), United States (U.S.).<br />
NOTE: Contact COMSEC Client Services at CSEC for information regarding these<br />
publications.<br />
10.5.2.2 UNCLASSIFIED, RESTRICTED and U/FOUO COMSEC Material<br />
(other than Key Material marked CRYPTO)<br />
UNCLASSIFIED, RESTRICTED and U/FOUO foreign and NATO COMSEC material (other<br />
than key material marked CRYPTO) must be shipped by the modes listed in Table 4 as approved<br />
for PROTECTED “A” COMSEC material of the same type. CCI, whether of foreign or national<br />
origin, must always be shipped by approved modes listed in Table 4.<br />
62 October 2011 Distribution and Receipt<br />
of COMSEC Material
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
Table 4 – Authorized Modes of Transportation for COMSEC Material<br />
Destination<br />
Classification or Protected Level of COMSEC Material<br />
(see COMSEC Material Legend)<br />
1, 2 3, 4, 5 6, 7 8 9<br />
Within Canada<br />
A, B, C<br />
(Notes I, II, IV)<br />
A, B, C, D<br />
(Notes I, II, IV)<br />
A, B, C, D, E, F<br />
(Notes I, II, IV)<br />
A, B, D, E, F<br />
A, B, C, D, E, F<br />
(Notes I, II)<br />
Between Canadian Addressees<br />
Outside of Canada (see Note V)<br />
A, B, C<br />
(Notes I, II, IV)<br />
A, B, C, D<br />
(Notes I, II, IV)<br />
A, B, C, D<br />
(Notes I, II, IV)<br />
A, B, D, E, F<br />
A, B, C, D, E, F<br />
(Notes I, II)<br />
To or From Non-Canadian<br />
Addressees (see Note VI)<br />
A, B, C<br />
(Notes I, II, IV)<br />
A, B, C, D<br />
(Notes I, II, III, IV)<br />
A, B, C, D<br />
(Notes I, II, III, IV)<br />
A, B, D, E<br />
A, B, C, D<br />
(Notes I, II, III)<br />
UNCLASSIFIED COMSEC material may be shipped by any means intended to assure safe arrival at its destination.<br />
UNCLASSIFIED COMSEC material marked with “CRYPTO” caveat must be shipped as per PROTECTED A (Note IV).<br />
COMSEC Material Legend:<br />
Authorized Mode Legend:<br />
1 All TOP SECRET and PROTECTED C COMSEC material<br />
A Canadian Government Diplomatic Courier Service<br />
2 All Crypto Keying Material not in Protective Packaging B Authorized Departmental Couriers<br />
3 Classified Crypto-Information (not TOP SECRET)<br />
C<br />
Electronic Transfer<br />
4 Classified Crypto Equipment D Contractor’s Authorized Couriers<br />
5 SECRET Crypto Keying Material in Protective Packaging<br />
6<br />
7<br />
PROTECTED B, CONFIDENTIAL and SECRET COMSEC<br />
Information<br />
CONFIDENTIAL and PROTECTED B Crypto Keying Material in<br />
Protective Packaging<br />
8 UNCLASSIFIED CCI and UNCLASSIFIED CRYPTO Material<br />
9 PROTECTED A COMSEC Material<br />
Notes:<br />
E<br />
F<br />
Authorized Commercial Carriers<br />
Canada Post Priority Courier Service<br />
I<br />
II<br />
III<br />
Systems for electronic transfer of COMSEC material are authorized by CSEC on a case-by-case basis.<br />
Electronic transfer of keying material when authorized by CSEC and in accordance with system operational doctrine.<br />
Departmental and Contractor’s couriers authorized by CSEC for urgent requirements only.<br />
IV<br />
V<br />
NATO and foreign COMSEC material (including Crypto key) may require additional considerations (see also SDIP-293, AMSG-505,<br />
NSA/CSS Policy Manual 3-16, IS-4, etc. for details).<br />
Refers to those addressees outside of Canada, where mail and shipment of material, once delivered, are handled and opened by<br />
Canadian citizens (including dual nationality), e.g. Canadian Forces Base, Canadian Embassies, consular offices.<br />
VI Refers to any other foreign addressee not covered in Note V.<br />
Instructions: Locate the correct classification/protected level of the COMSEC material from the COMSEC Material Legend. Find the<br />
destination in the upper left hand column. The authorized modes of transportation are indicated by letters, which correspond to letters listed<br />
in the Authorized Mode Legend. Refer to the notes for additional information.<br />
Distribution and Receipt of October 2011 63<br />
COMSEC Material
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
10.6 Authorized Couriers of COMSEC Material<br />
10.6.1 Canadian Government Diplomatic Courier Service<br />
The Canadian Diplomatic Mail Services of Foreign Affairs and International Trade Canada<br />
provides all authorized diplomatic courier services for the GC.<br />
10.6.2 Authorized Departmental Couriers<br />
10.6.2.1 Requirements<br />
Before authorizing the appointment of a departmental courier for the transport of COMSEC<br />
material, the DCA must ensure the courier:<br />
<br />
<br />
<br />
<br />
<br />
<br />
is a Canadian citizen (including dual nationality);<br />
is appointed for a specific period of time;<br />
carries an authorized COMSEC Courier Certificate;<br />
is cleared to a security level equal to or higher than the highest classification or protected<br />
level of the COMSEC material that is being carried;<br />
has been appropriately briefed regarding responsibilities upon appointment; and<br />
is provided with COMSEC Signing Authority Forms (refer to Article 4.3.2), as required.<br />
10.6.2.2 COMSEC Courier Certificate<br />
The COMSEC Courier Certificate attests to all concerned individuals (e.g. air carrier security<br />
agents, customs officials) that the sealed container or package transported by the courier holds<br />
only official matter. Presentation of the courier certificate should extend immunity from search<br />
or examination of the official material carried or escorted by the courier. When further<br />
verification is needed regarding the authenticity of a COMSEC Courier Certificate, the courier<br />
will direct the concerned individual to contact the nearest Canadian Military or Diplomatic<br />
representative, as appropriate.<br />
10.6.2.3 Courier Instructions<br />
The DCA must brief the courier and provide written instructions regarding his or her<br />
responsibilities to personally safeguard the COMSEC material until the package has been<br />
delivered to and signed for by the authorized recipient. The courier instructions must include, at<br />
a minimum, what actions to take:<br />
<br />
before the start of the trip (e.g. contacting airline security or customs officials to make<br />
arrangements for clearance without inspection);<br />
64 October 2011 Distribution and Receipt<br />
of COMSEC Material
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
<br />
<br />
<br />
during the pre-boarding security screening or customs inspection to ensure the COMSEC<br />
material is not compromised or damaged (e.g. requirement to show the COMSEC Courier<br />
Certificate when requested to do so by appropriate authorities);<br />
for alternate storage arrangements and whom to contact in the event of emergency<br />
situations, lengthy delays or stopovers en route; and<br />
in the event of loss, compromise or possible compromise of COMSEC material and know<br />
who to contact in such a case.<br />
10.6.2.4 Customs and Pre-Boarding Inspections<br />
In cases where customs officials request or demand to view (X-ray is authorized if<br />
requested/demanded) the contents of a COMSEC shipment, the authorized courier, or the<br />
COMSEC Custodian if called, will request an interview with the Chief of Customs or Air<br />
Transport Security Authority. The courier may agree to limited inspection as a means of assuring<br />
customs officials that the shipment contains nothing other than what is described on the<br />
documentation. Whenever COMSEC packages are subjected to increased scrutiny, the<br />
authorized courier will request that the inspection:<br />
<br />
<br />
<br />
take place in a private location;<br />
be conducted by duly authorized individuals in the presence of the authorized courier;<br />
and<br />
be restricted only to the external viewing of the COMSEC material.<br />
The courier may be obliged to discontinue the courier run and return to the point of departure<br />
with the COMSEC material if an arrangement regarding the extent of customs clearance<br />
examination required cannot be reached.<br />
10.6.3 Contractor’s Authorized Couriers<br />
Appropriately cleared contractor personnel who have been appointed by CSEC may be<br />
employed as couriers. Contact CICA for details on the requirements that must be met by<br />
personnel appointed as contractor couriers. A COMSEC Courier Certificate is required.<br />
10.6.4 Commercial Carriers<br />
A commercial carrier service (including Canada Post Priority Courier Service) may be used as a<br />
courier service for COMSEC material (at the levels specified in Table 4) provided the carrier can<br />
ensure a continuous chain of accountability and custody for the material while in transit. The<br />
courier must offer speed of service (e.g. overnight delivery), physical protection and track-andtrace<br />
capabilities.<br />
Distribution and Receipt of October 2011 65<br />
COMSEC Material
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
A commercial carrier (non-military contracted aircraft) may be used to transport CCI providing<br />
the carrier warrants in writing that the carrier:<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
provides door-to-door service and guarantees delivery within a reasonable number of<br />
days based on the distance to be travelled;<br />
possesses a means of tracking individual packages within its system (i.e. manual or<br />
electronic) to the extent that should a package become lost, the carrier can, within<br />
24 hours following notification, provide information regarding the last known location of<br />
the package(s);<br />
guarantees the integrity of the transporters’ contents at all times;<br />
guarantees the integrity of package contents, including protection against damage,<br />
tampering and theft;<br />
has the capability to store in-transit COMSEC packages in a securely locked facility<br />
(e.g. security cage) that is accessible solely to authorized carrier personnel, should it<br />
become necessary for the carrier to make a prolonged stop at a carrier terminal (during<br />
overnight stopovers);<br />
obtains manual or electronic signatures, whenever a shipment changes hands within the<br />
carrier company; and<br />
obtains date-timed signatures upon pickup and delivery.<br />
10.7 Receiving COMSEC Material<br />
10.7.1 Preparation before Receiving COMSEC Material<br />
Before receipt of any COMSEC material, the COMSEC Custodian must:<br />
notify the departmental mailroom or shipping area of –<br />
<br />
<br />
o the name of the departmental COMSEC Account that has been established<br />
o the name and internal address of the COMSEC Custodian, and<br />
o the requirement to deliver mail and packages addressed to the COMSEC Account to<br />
the COMSEC Custodian unopened;<br />
provide the departmental mailroom or shipping area with up-to-date copies of the<br />
COMSEC Signing Authority Form; and<br />
ensure other individuals who are authorized to sign for packages can provide appropriate<br />
secure storage for the received package(s) (when the COMSEC Custodian or Alternate<br />
COMSEC Custodian is not available).<br />
66 October 2011 Distribution and Receipt<br />
of COMSEC Material
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
10.7.2 Inspection of Packages<br />
On receipt of a shipment, the COMSEC Custodian must:<br />
a. carefully inspect the outer wrapping and inner wrapping of the shipment for signs of<br />
damage or tampering before removing each wrapping;<br />
b. check the addresses on both outer and inner wrapping to confirm the shipment has been<br />
sent to the intended recipient;<br />
c. immediately report any evidence of possible tampering with either the inner or outer<br />
wrappings or unauthorized access to the contents as a possible COMSEC incident in<br />
accordance with Chapter 16 and –<br />
o pending investigation of a possible compromise, discontinue unwrapping the package<br />
and quarantine the package; and<br />
o notify the shipping COMSEC Custodian to annotate all COMSEC material involved<br />
as “Pending Investigation”.<br />
10.7.3 Validation of Content<br />
When satisfied that the packaging has not been tampered with, the COMSEC Custodian must:<br />
a. open the package (with TPI control in place if the shipment contains TOP SECRET key<br />
material or other key material requiring TPI control);<br />
b. unpack the contents and confirm that the items listed on the enclosed COMSEC Material<br />
Report match the items shipped by confirming the –<br />
o short title, edition and quantities of all items, and<br />
o accounting numbers, where applicable;<br />
c. report any discrepancies to the shipping COMSEC Custodian and, if required, contact<br />
NCOR/COR for assistance with reconciliation of the discrepancy;<br />
d. inspect the protective packaging on each item of COMSEC material, where applicable;<br />
NOTE: Certain items of COMSEC material are protectively packaged at the time of<br />
production and must not be opened until they are to be issued to the authorized<br />
user.<br />
e. check key tape canisters and confirm that the first segment shown displays the proper short<br />
title, register number and segment number;<br />
f. page check all copies of accountable COMSEC publications;<br />
Distribution and Receipt of October 2011 67<br />
COMSEC Material
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
g. if applicable, process and reconcile electronic key received on magnetic or optical media<br />
and destroy the media within three working days of receipt; and<br />
h. if no discrepancies are found, sign the three copies of the COMSEC Material Report and<br />
distribute in accordance with instructions found at Article 6.3.2.3.<br />
68 October 2011 Distribution and Receipt<br />
of COMSEC Material
UNCLASSIFIED<br />
11 Handling and Use<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
11.1 Accountable Key Material<br />
11.1.1 Purpose and Use<br />
Key material may be used only for its intended purpose and only in the equipment for which it<br />
was produced, unless otherwise directed by the CA for the key. Refer to the ITSG-13 for more<br />
information on the purpose and use of key material.<br />
11.1.2 Labels<br />
Except for the labels affixed to protective packaging at a production facility and the CSEC<br />
authorized barcode labels approved for the COMSEC Accounting, Reporting and Distribution<br />
System (CARDS), no other labels may be affixed to the protective packaging of any key<br />
material.<br />
11.1.3 Protective Packaging<br />
Certain items of COMSEC material are protectively packaged at the time of production and will<br />
not, in most cases, be opened until issued to an authorized user. The protective packaging must<br />
be inspected for signs of tampering upon initial receipt, during inventory, before transfer or issue<br />
and before destruction of sealed key material. Protective packaging applied to individual items of<br />
TOP SECRET key must be removed under TPI controls.<br />
11.1.4 Key Tape in Canisters<br />
11.1.4.1 Sealed Key Tape<br />
Key material in its original canister is considered to be protectively packaged and sealed. The<br />
following applies to key tape in canisters:<br />
<br />
<br />
<br />
Do not segment check punched key tape in sealed plastic canisters.<br />
Issue the entire canister to the Local Element and annotate the HI/DR card with the short<br />
title, edition, register number and classification of the key material. However, when<br />
warranted and approved by the CA, before the effective date of use, individual segments<br />
may be issued using the HI/DR card. Remove the label containing the short title, edition<br />
and registration number from the outside of the canister before distribution.<br />
Seal individual segments which were authorized for pre-exposure in an envelope, along<br />
with a copy of the CA approval, and stored in the plastic bag containing the associated<br />
key tape canister.<br />
Handling and Use October 2011 69
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
<br />
Do not remove more segments than required for current use and, as each segment is<br />
removed, appropriately initial and date the HI/DR card.<br />
11.1.4.2 Unauthorized Removal of Key Tape<br />
When a segment(s) of key tape is unintentionally removed from its protective packaging before<br />
its effective period, the removal of the segment must be reported to the CA for disposition<br />
instructions. Disposition instructions may include destruction of the pre-exposed segment or<br />
resealing the segment. The documentation of unintentional removal must include:<br />
a statement that the segment was unintentionally removed<br />
identity of segment(s) actually removed<br />
date of removal<br />
<br />
<br />
signature(s) of the individual(s) who removed the segment, and<br />
reference to CA approval.<br />
Key discovered removed from its protective packaging before its effective date, with no<br />
documentation validating that the removal was unintentional, must be reported as a COMSEC<br />
incident in accordance with Chapter 16.<br />
11.1.5 Electronic Key Material on Magnetic or Optical Media<br />
The COMSEC Custodian must ensure that protective packaging on magnetic or optical medium<br />
used for the distribution of electronic key material is not opened until required for use.<br />
11.1.6 Electronic Key on a Key Storage Device<br />
The COMSEC Custodian must ensure that protective packaging for electronic seed or<br />
operational key material received on a key storage device is not opened before operational use.<br />
The key storage device will normally be attached to a label bearing the identification information<br />
for the electronic key and will be sealed in a plastic bag or in thermoplastic film.<br />
11.1.7 Copies of Key<br />
11.1.7.1 Operational Symmetric Key<br />
Operational key may be copied, in whole or in part, as authorized by the CA for the key and in<br />
accordance with equipment doctrine (see also Article 11.1.7.3). The following rules apply:<br />
<br />
<br />
Retain the short title of the key being copied.<br />
Safeguard the copies according to their classification and CRYPTO caveat (if<br />
applicable).<br />
70 October 2011 Handling and Use
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
<br />
<br />
<br />
Do not retain the copies beyond the destruction date for the key from which they were<br />
copied (they may be destroyed before this date).<br />
Destroy the copies before destroying the original key from which the copies were made.<br />
Locally account for the copies using a manual tracking system when equipment or system<br />
audit trails are not available.<br />
11.1.7.2 Test Symmetric Key<br />
Test key may be copied and locally accounted for within a COMSEC Account. If the test key is<br />
transferred to another COMSEC Account, all copies must be destroyed.<br />
11.1.7.3 Asymmetric Key<br />
Copying of any asymmetric key is absolutely forbidden.<br />
11.1.8 Two Person Integrity Controls<br />
TPI controls must be applied to unencrypted TOP SECRET key material and other specified key<br />
material from the time of production to destruction unless:<br />
<br />
<br />
the TOP SECRET key is resident in the crypto-equipment that is built to preclude access<br />
by an individual to the TOP SECRET key; or<br />
the key material has been issued for use in tactical situations.<br />
11.2 Accountable COMSEC Equipment<br />
11.2.1 Sight Verification<br />
The COMSEC Custodian must verify the completeness of COMSEC equipment upon initial<br />
receipt, during inventory, and before transfer or issue.<br />
11.2.2 Equipment Labels<br />
Manufacturing labels (includes the equipment nomenclature plate, the CCI label, anti-tamper<br />
labels, and any other labels attached by the manufacturer that identify the equipment for<br />
accounting purposes) must not be removed or covered, unless specifically authorized to do so by<br />
CSEC. Unauthorized labels inhibit scrutiny of equipment for evidence of tampering; therefore,<br />
except for the labels affixed to protective packaging at a production facility and the CSEC<br />
authorized barcode labels approved for CARDS, no other labels are to be placed on COMSEC<br />
equipment unless specifically authorized by CSEC. Contact COMSEC Client Services at CSEC<br />
for additional detail. Visible signs of tampering of labels must be reported as detailed in<br />
Chapter 16.<br />
Handling and Use October 2011 71
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
11.2.3 Modification<br />
Modification of any kind (includes unauthorized labelling) to COMSEC equipment may only be<br />
made upon before approval of COMSEC Client Services at CSEC. Approved modifications to<br />
COMSEC equipment must be done by authorized and qualified personnel.<br />
11.2.4 Equipment Installed for Operational Use<br />
The COMSEC Custodian must ensure that:<br />
equipment installed for operational use is protected based on the classification of the<br />
equipment or the key material, whichever is higher; and<br />
authorized procedures have been put in place to prevent unauthorized use of the<br />
equipment or extraction of its key.<br />
11.2.5 Key Storage/Fill Equipment Containing Key Material<br />
11.2.5.1 Common Fill Devices Containing Unencrypted Key<br />
Common Fill Devices (e.g. KYK-13) that store key in unencrypted form and provide no record<br />
of transactions must not be used for long term storage of key. Key may be held in this device no<br />
longer than 12 hours after the end of the applicable cryptoperiod. This type of device must be<br />
marked to show the highest classification of the key contained and must be kept under TPI<br />
controls whenever it holds TOP SECRET key.<br />
11.2.5.2 Tier 3 Management Devices Containing Encrypted Key<br />
Tier 3 Management Devices (T3MD) that store key in encrypted form must be used in<br />
accordance with the applicable equipment doctrine.<br />
11.2.5.3 Magnetic or Optical Media Containing Key<br />
Magnetic or optical media containing unencrypted electronic key must be returned to secure<br />
storage after the key or associated data has been loaded into the end equipment. Removable<br />
magnetic or optical storage media holding key material must be marked to show the highest<br />
classification of the key held and where applicable display the CRYPTO marking.<br />
11.2.6 Equipment Audit Trails<br />
11.2.6.1 Responsibility for Reviewing<br />
The audit trails for COMSEC equipment must be reviewed as specified in equipment doctrine.<br />
11.2.6.2 Reviewing Audit Trails<br />
The individual authorized to monitor the audit trail data must:<br />
72 October 2011 Handling and Use
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
<br />
<br />
<br />
<br />
<br />
<br />
not be the primary COMSEC equipment user;<br />
be a Canadian citizen (including dual nationality), be COMSEC briefed and hold a valid<br />
GC security clearance equal to the classification level of the audit trail data being<br />
reviewed;<br />
have sufficient knowledge concerning the authorized use of the applicable COMSEC<br />
equipment and the key material stored or filled in the COMSEC equipment;<br />
confirm only authorized copies of key material are made;<br />
be able to detect any anomalies in the audit trail data; and<br />
send a record of the conduct of the audit trail review to the COMSEC Custodian.<br />
11.2.6.3 Retention of Audit Logs<br />
Audit logs must be retained as detailed in Article 4.2.4, or as detailed in the applicable<br />
equipment doctrine if different from this directive.<br />
11.2.6.4 Retention of Records of Audit Trail Reviews<br />
The COMSEC Custodian must retain a record of the completion of audit trail reviews until the<br />
COMSEC Account receives an Annual Inventory Reconciliation Notification letter attesting that<br />
the account inventory has been reconciled. Any previous audit trail data can then be destroyed.<br />
11.3 Accountable COMSEC Publications<br />
11.3.1 Reproduction<br />
Accountable COMSEC publications may be reproduced upon specific written authorization from<br />
the originator. Instructions for reproduction of extracts will be contained in the publication’s<br />
handling instructions. Publications that are authorized for reproduction must be reproduced by<br />
the COMSEC Custodian unless they are authorized for reproduction under a Private Sector<br />
contract. Refer to Annex A of this directive for information on the reproduction of accountable<br />
COMSEC publications under a Private Sector contract.<br />
11.3.2 Frequency of Page Checks<br />
Unsealed key material (i.e. not protectively packaged), accountable COMSEC publications and<br />
amendments to accountable COMSEC publications must be page checked:<br />
during each COMSEC Account inventory<br />
upon receipt<br />
before transfer and issue<br />
Handling and Use October 2011 73
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
<br />
<br />
before routine destruction, and<br />
after posting any amendment (includes removal of pages and/or replacement of pages).<br />
11.3.3 Conducting Page Checks<br />
11.3.3.1 Requirement<br />
The COMSEC Custodian (or other authorized individual) must conduct a page check of unsealed<br />
COMSEC material to ensure the presence of all required pages. To conduct the page check, the<br />
presence of each page must be verified against the “List of Effective Pages” or the “Handling<br />
Instructions”, as appropriate.<br />
11.3.3.2 No Missing Pages<br />
If there are no missing pages, the “Record of Page Checks” page must be signed and dated. If the<br />
COMSEC material has no “Record of Page Checks” page, the notation must be placed on the<br />
cover.<br />
11.3.3.3 Missing Pages<br />
If any pages are missing, the “Record of Page Checks” page must be annotated accordingly and a<br />
COMSEC Incident Report must be submitted in accordance with Chapter 16. When pages are<br />
missing upon initial receipt of COMSEC material from a production facility, the COMSEC<br />
Custodian must notify the issuing authority and request disposition instructions (e.g. transfer<br />
back for replacement, destroy, use with missing page).<br />
11.3.3.4 Duplicate Pages<br />
In the case of duplicate pages, the COMSEC Custodian must prepare a Possession Report in<br />
accordance with Chapter 6 and notify NCOR/COR for disposition instructions of the duplicate<br />
page(s). The Possession Report must list the page number as part of the short title<br />
(e.g. AMSG 600, page 3) and list the accounting number assigned to the COMSEC material. A<br />
notation of the duplicate page(s), and the resultant disposition of the duplicate page(s), must be<br />
entered on the “Record of Page Checks” page.<br />
11.3.4 Amendments to Accountable COMSEC Publications<br />
11.3.4.1 Printed Amendments<br />
The COMSEC Custodian must account for the printed amendment as an accountable COMSEC<br />
publication in accordance with its respective ALC until the printed amendment has been posted<br />
and its residue destroyed. Care should be taken when preparing the Destruction Report to ensure<br />
that the short title, edition, and accounting number of the amendment are reported (rather than<br />
that of the publication). Printed amendments must be entered in sequence. If one is received and<br />
74 October 2011 Handling and Use
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
the previous amendment(s) have not been entered they must be entered (or acquired and entered)<br />
before processing the latest amendment.<br />
11.3.4.2 Message Amendments<br />
A message amendment is used to announce information that must be immediately entered into an<br />
accountable COMSEC publication. Post the amendment and note the entry on the “Record of<br />
Amendments” page, then file the message amendment according to its security classification or<br />
protected level and ALC. Message amendments must be entered in sequence. If one is received<br />
and the previous amendment(s) have not been entered they must be entered (or acquired and<br />
entered) before processing the latest amendment.<br />
11.3.4.3 Posting Amendments<br />
The following applies to the posting of amendments:<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
The COMSEC Custodian (or other authorized individual) must post the amendment as<br />
soon as possible after its receipt (or effective date).<br />
Personnel who is authorized to post amendments must be appropriately trained.<br />
Specific instructions contained in the letter of promulgation or handling instructions must<br />
be read and understood before posting amendments.<br />
Entire amendments must be posted at one time, and not extended over a period of time.<br />
If replacement pages are included in an amendment, page checks of both the publication<br />
and the residue of the amendment must be made before destruction of the residue.<br />
Inadvertent destruction of the effective portions of publications along with the residue<br />
from amendments must be reported as a COMSEC incident in accordance with<br />
Chapter 16.<br />
Personnel posting amendments must annotate the posting of the amendment on the<br />
“Record of Amendments”. If pages were added to or removed from the publication, date<br />
and sign the “Record of Page Checks” page.<br />
Personnel, other than the COMSEC Custodian, posting amendments must return all<br />
residue of the amendment (including any pages removed from the publication) to the<br />
COMSEC Custodian for destruction.<br />
Amendment residue must be placed in a sealed envelope marked with the short title,<br />
accounting number, and the classification of the amendment.<br />
Amendment residue must be destroyed within five working days after entry of the<br />
amendment.<br />
Handling and Use October 2011 75
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
11.4 Local Tracking of Other Associated Material<br />
11.4.1 Local Tracking System<br />
Certain material (e.g. CIKs, PINs, configuration disks) associated with COMSEC equipment,<br />
which cannot be controlled within NCMCS, must be controlled by the COMSEC Custodian<br />
through a local tracking and control system. It is the responsibility of the originating authority to<br />
identify this material. Control and handling of this material will be according to this directive,<br />
unless otherwise specified by the applicable equipment doctrine or the originator.<br />
11.4.2 Control and Protection of Crypto Ignition Keys<br />
The COMSEC Custodian must locally track CIKs using departmental procedures that will<br />
minimize any potential for compromise associated with their use. Local tracking procedures for<br />
CIKs will include:<br />
<br />
<br />
<br />
<br />
<br />
<br />
maintaining a record of each CIK created, including the serial number of the CIK (if<br />
possible), the serial number of the associated equipment, location of the equipment, date<br />
equipment was keyed, and name of each authorized user;<br />
ensuring each CIK is signed for and held by the authorized user to whom it has been<br />
issued and verifying, at least annually, that all authorized users still hold their CIK;<br />
shipping CIKs (separately from their associated equipment) in a COMSEC channel<br />
approved by CSEC;<br />
providing adequate storage for a CIK when it is not held under the personal control of the<br />
authorized user;<br />
zeroizing or destroying CIKs that are no longer required; and<br />
developing procedures for detecting potential compromises.<br />
11.4.3 Record of Personal Identification Numbers and Passwords<br />
When a written record of PINs or passwords is required, the COMSEC Custodian must ensure:<br />
the record contains of the name and telephone number of individual(s) having knowledge<br />
of the PIN or password, the serial number of the associated equipment, location of the<br />
equipment, and the date the PIN or password was changed;<br />
the record of PINs or passwords is safeguarded as directed by its classification or the<br />
classification of the associated equipment, whichever is higher;<br />
access to individual PINs or passwords is restricted to the individual to whom it is<br />
assigned, unless an emergency situation dictates otherwise; and<br />
76 October 2011 Handling and Use
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
<br />
the record of PINs and passwords or individual PINs and passwords are distributed via<br />
COMSEC channels or via approved methods for classified material.<br />
11.4.4 Change of Personal Identification Numbers and Passwords<br />
The COMSEC Custodian must ensure that PINs and passwords for COMSEC equipment are<br />
changed as detailed in the specific equipment doctrine. Where direction is not otherwise<br />
provided, the PIN or password must be changed when:<br />
the equipment is first put into use by the COMSEC Custodian;<br />
<br />
<br />
<br />
<br />
an individual knowing the PIN or password ceases to have authorized access to the<br />
equipment;<br />
an unauthorized individual has had access to the written record of the PIN or password;<br />
the PIN or password is known or suspected to have been compromised; and<br />
the PIN or password has not been changed in the last six months.<br />
11.4.5 Storage of Personal Identification Numbers and Passwords<br />
When records of PINs or passwords, or a list of PINs and passwords need to be maintained, they<br />
must be safeguarded and managed by an appropriate DCA or COMSEC Custodian who must<br />
mark and protect the record in accordance with the minimum classification level of the highest<br />
classification of the material being protected by the PIN or password.<br />
11.4.6 Configuration Disks<br />
The COMSEC Custodian must ensure the label on the equipment configuration disk identifies<br />
the equipment to which it belongs, the date it was created, and its classification. Local tracking<br />
includes recording the information on the label, the name of the individual responsible for the<br />
control of the disk and the location of the associated equipment.<br />
11.4.7 Software Upgrades<br />
All software upgrades must be approved by COMSEC Client Services at CSEC. The COMSEC<br />
Custodian must control the equipment software upgrade process to ensure that all operational<br />
COMSEC equipment, and those held in reserve, are compatible. All mandatory software<br />
upgrades must be completed by the date authorized by CSEC.<br />
Handling and Use October 2011 77
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
This page intentionally left blank.<br />
78 October 2011 Handling and Use
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
12 Destruction/Disposal of Accountable COMSEC Material<br />
12.1 General Requirement<br />
COMSEC material must never be destroyed without specific authorization, unless the risk of<br />
compromise in a hazardous situation or in an emergency is greater than the security in place to<br />
prevent the compromise. It is imperative that routine destruction of COMSEC material be<br />
performed promptly, in order to keep to a minimum the amount of COMSEC material that would<br />
require destruction in an emergency.<br />
12.2 Destruction of Key Material<br />
12.2.1 Scheduling Destruction of Key Material<br />
Superseded key is normally authorized for destruction when the next edition becomes effective,<br />
unless directed otherwise by the CA for the key material.<br />
12.2.2 Unavailability of Destruction Devices<br />
COMSEC material that can not be zeroized or destroyed at the COMSEC Account must be<br />
transferred to the NDA at CSEC for destruction.<br />
12.2.3 Conditions Affecting Destruction of Key Material<br />
Destruction requirements for key material will vary depending on whether the key:<br />
<br />
<br />
<br />
<br />
<br />
is marked CRYPTO<br />
has been issued for use<br />
remains sealed in secure storage<br />
is involved in an emergency supersession, or<br />
is defective.<br />
12.2.4 Key Material Issued for Use<br />
Superseded key material, whether regularly or irregularly superseded, must always be destroyed<br />
within 12 hours of supersession except in the following circumstances:<br />
<br />
In the case of an extended holiday period or when special circumstances prevent<br />
compliance with the 12-hour rule (e.g. destruction facility not operational), key material<br />
must be destroyed as soon as possible and should not be held longer than 72 hours<br />
following supersession.<br />
Destruction/Disposal of October 2011 79<br />
COMSEC Material
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
<br />
<br />
<br />
<br />
Where authorized destruction devices are not available, superseded key must be<br />
destroyed as soon as practicable upon completion of operations.<br />
Magnetic or optical media which contained electronic key must be destroyed within three<br />
working days of receipt.<br />
The destruction of KEK must be accomplished as soon as it is filled into the COMSEC<br />
equipment unless specific equipment or systems doctrine allows retention.<br />
Key material involved in compromised situations must be destroyed within 72 hours after<br />
disposition instructions are received and the Destruction Report sent to NCOR/COR<br />
immediately following destruction.<br />
12.2.5 Sealed Key Material<br />
Superseded segments of sealed key material (whether issued or unissued) need not be destroyed<br />
until the entire edition is superseded or the segment is unsealed – whichever occurs first. When<br />
retained until the entire edition is superseded, destroy:<br />
<br />
<br />
key marked CRYPTO no later than five working days after supersession; and<br />
other key no later than five working days after the first of the month in which the<br />
supersession occurs.<br />
“Sealed” key material is key that either remains unopened in its original protective packaging or<br />
which has been resealed in accordance with Article 11.1.4. Canister packaged key material is<br />
considered sealed even if one or more segments have been removed for use provided the<br />
removed individual segments have been resealed and stored in accordance with Article 11.1.4.1.<br />
12.2.6 Emergency Supersession<br />
Key material involved in an emergency supersession must be destroyed in accordance with the<br />
CA instructions.<br />
12.2.7 Defective Key Material<br />
Damaged or defective key material must not be destroyed at the COMSEC Account. The<br />
COMSEC Custodian must immediately report the matter to the appropriate CA for instructions.<br />
Defective key material must be transferred to the NDA at CSEC for evaluation and destruction<br />
as authorized (i.e. physical destruction, zeroization or making the key useless).<br />
80 October 2011 Destruction/Disposal of<br />
COMSEC Material
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
12.3 Destruction/Disposal of COMSEC Equipment<br />
COMSEC equipment, including CCI, must not be destroyed, dismantled or cannibalized without<br />
specific authorization from COMSEC Client Services at CSEC. Requests for destruction of<br />
COMSEC equipment will be evaluated on a case-by-case basis. Refer to the Canadian<br />
Cryptographic Doctrine for the Disposal of Accountable COMSEC Equipment (CCD-49) for<br />
information on the disposal of surplus, obsolete or unserviceable COMSEC equipment.<br />
12.4 Destruction of COMSEC Publications<br />
COMSEC publications must be destroyed within 15 working days following the date of<br />
supersession or the authorized date of destruction. COMSEC publications must be page checked<br />
no more than 48 hours before their destruction.<br />
12.5 Performing Routine Destruction<br />
12.5.1 Personnel<br />
12.5.1.1 COMSEC Custodian and Alternate COMSEC Custodian<br />
The COMSEC Custodian and the Alternate COMSEC Custodian will normally perform routine<br />
destruction of COMSEC material. However, granting the authority to destroy superseded<br />
COMSEC material to other appropriately cleared and COMSEC briefed individuals (who then<br />
verify the destruction to the COMSEC Custodian) is preferable to delaying destruction, even for<br />
a short time.<br />
12.5.1.2 Local Element<br />
A Local Element may be granted the authority to destroy key material in the presence of an<br />
appropriately cleared and COMSEC briefed witness, if an approved destruction device is<br />
available. If an approved destruction device is not available, the key material must be returned to<br />
the COMSEC Custodian for destruction.<br />
12.5.1.3 Witness<br />
The destruction of all physical material and electronic key on physical media must be witnessed.<br />
Two authorized individuals must personally witness the complete destruction or zeroization of<br />
the COMSEC material. The zeroization (i.e. destruction) of electronic key may or may not<br />
require a witness depending on whether the system records an audit trail. Refer to the specific<br />
equipment doctrine for direction.<br />
Destruction/Disposal of October 2011 81<br />
COMSEC Material
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
12.5.2 Training<br />
The COMSEC Custodian must ensure that the individuals whom they authorize to destroy<br />
COMSEC material are:<br />
cleared to the highest classification of the COMSEC material being destroyed;<br />
briefed on the correct procedures and methods of destruction; and<br />
trained in the use of authorized destruction devices.<br />
12.5.3 Performing Physical Destruction<br />
The following steps must be carried out by the two individuals performing the destruction:<br />
a. Verify that the material to be destroyed is authorized for destruction before listing the<br />
material on the Destruction Report.<br />
b. Perform equipment verification and page checking before destruction (normally, no earlier<br />
than 48 hours before the scheduled destruction).<br />
c. List all material to be destroyed on the Destruction Report in accordance with Article<br />
6.3.8. Use the (unsigned) Destruction Report (or HI/DR card or other local destruction log)<br />
as a “check list” during the destruction process to ensure that the correct COMSEC<br />
material will be destroyed.<br />
d. If sufficient destruction facilities are not available and the individuals carrying out the<br />
destruction have been authorized to transport the COMSEC material –<br />
i Place the material listed for destruction in burn bags or other destruction containers.<br />
ii Seal and mark the containers in accordance with the appropriate classification or<br />
protected level (if there is more than one container they must be individually<br />
numbered (e.g. 1 of 2, 2 of 2, etc.).<br />
iii Transport the material directly to the location where the destruction is to take place.<br />
e. Immediately before destruction, verify the material being destroyed (short title, edition,<br />
accounting number, and quantity for each item) against the Destruction Report (or HI/DR<br />
card or other local destruction log) ensuring that all accounting information is correct.<br />
f. Immediately destroy the material using approved destruction methods.<br />
g. Examine the destruction device and the surrounding area to ensure that all material has<br />
been destroyed.<br />
h. Thoroughly inspect the residue to ensure that the destruction was complete.<br />
i. Sign and witness the Destruction Report (or HI/DR card or other local destruction log)<br />
unless the specific equipment doctrine specifies that a witness is not required. The<br />
Destruction Report must not be signed until the complete destruction of the listed material<br />
is confirmed.<br />
82 October 2011 Destruction/Disposal of<br />
COMSEC Material
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
12.6 Routine Destruction Methods<br />
12.6.1 Paper COMSEC Material<br />
12.6.1.1 Overview<br />
The destruction criteria listed in the following articles apply to classified COMSEC key material,<br />
and to media which embody, contain, describe, or implement a classified cryptographic logic.<br />
Other paper COMSEC material may be destroyed by any means approved for the destruction of<br />
paper COMSEC material of equal classification or protected level.<br />
NOTE:<br />
Where possible, burning or pulverizing should be used as the preferred method for<br />
ensuring the terminal destruction of COMSEC material.<br />
12.6.1.2 Incineration<br />
The burning of paper COMSEC material must be complete (so that all COMSEC material is<br />
reduced to white ash) and contained (so that no unburned pieces escape). Ashes must be<br />
inspected and, if necessary, broken up.<br />
12.6.1.3 Pulverizing, Chopping or Pulping<br />
Pulverizing, chopping or pulping devices used to destroy paper COMSEC material must reduce<br />
the COMSEC material to bits no larger than five millimeters (1/5 inch) in any dimension.<br />
NOTE: DO NOT PULP paper-Mylar-paper key tape or high wet strength paper (map stock)<br />
and durable-medium paper substitute (e.g. TYVEC olefin, polyethylene fibre). These<br />
materials will not reduce to pulp and must be destroyed by burning, pulverizing,<br />
chopping or cross-cut shredding.<br />
12.6.1.4 Cross-cut Shredding<br />
In GC departments where burning or pulverizing are not feasible, approved Type II shredders<br />
may be used as a first step in the destruction process. However, the residue from the shredders<br />
must not be considered as a “terminal” destruction. Where cross-cut shredding is used as the first<br />
step, the waste from the shredders must be:<br />
<br />
<br />
retained and stored as classified waste and securely transported to a facility that is<br />
capable of burning or pulverizing the shredded residue; or<br />
dispersed in a method that will prevent or preclude collection of all portions of a key<br />
segment such as –<br />
o separating into small amounts (handfuls) and mixing with other shredded material of<br />
the same color and texture and then transferring it to multiple and random trash<br />
containers;<br />
Destruction/Disposal of October 2011 83<br />
COMSEC Material
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
o flushing mixed shredded residue down a toilet to prevent reconstruction; or<br />
o dispersing (loosely) the shredded residue overboard (for ships at sea with limited<br />
storage).<br />
NOTE 1: Type II shredders must reduce the material to shreds not more than 1.0 mm wide and<br />
14.3 mm long. Type II shredders must be highly maintained and free of any defect<br />
that would output larger waste size.<br />
NOTE 2: Because coloured material has the added vulnerability of instant recognition, it<br />
should be held over for burning or pulverizing after shredding.<br />
12.6.2 Non-Paper COMSEC Material<br />
12.6.2.1 Microforms<br />
Microfilm, microfiche, or other reduced-image photo negatives may be destroyed by burning, or<br />
by chemical means. When destroying by chemical means, film sheets must be separated, and roll<br />
film must be unrolled. Chemical destruction may be performed by immersing (for approximately<br />
five minutes or more) silver film masters in household bleach and by immersing diazo<br />
reproductions in acetone or methylene chloride.<br />
NOTE: Health and safety requirements must be adhered to and caution must always be<br />
exercised when using chemical methods of destruction. Read and follow all warning<br />
and cautionary labels on chemical containers.<br />
12.6.2.2 Magnetic and Optical Media<br />
The method of disposal (e.g. degaussing, overwriting, zeroization or physical destruction) for<br />
magnetic media (e.g. floppy disks, hard drives and back-up tapes) and optical media<br />
(e.g. compact disks [CD] and digital versatile disks [DVD]) must be consistent with the<br />
individual system and equipment doctrine, CSEC Clearing and Declassifying Electronic Data<br />
Storage Devices (ITSG-06) and the RCMP Security Equipment Guide (G1-001). General<br />
guidelines include:<br />
<br />
<br />
<br />
<br />
Magnetic backup tapes, when no longer required or unserviceable, may be destroyed by<br />
disintegration, incineration or shredding.<br />
Magnetic cores may be destroyed by incineration or smelting.<br />
Magnetic disks, disk packs and drums may be destroyed by incinerating or by removal of<br />
the entire recording surface by means of an emery wheel or disc sander.<br />
Floppy disks may be destroyed by shredding, in accordance with regulations for<br />
shredding a floppy disk which contains classified data.<br />
84 October 2011 Destruction/Disposal of<br />
COMSEC Material
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
12.6.2.3 Hardware Keying Material<br />
Contact COMSEC Client Services at CSEC for authorization for destruction (or disposal) of<br />
hardware key material, such as Programmable Read Only Memories, and permuting plugs and<br />
their associated manufacturing aids.<br />
12.6.2.4 Electronic Key Material<br />
The destruction of electronic key is accomplished by zeroization or overwriting of the key.<br />
For specific instructions on the destruction or zeroization of electronic key loaded in equipment<br />
refer to the appropriate equipment doctrine.<br />
12.6.2.5 Plastic Canisters<br />
Empty canisters must be fractured or smashed to ensure all key segments have been removed,<br />
and then disposed of as unclassified waste. The unauthorized retention of intact key tape<br />
canisters is a COMSEC incident.<br />
12.7 Approved Routine Destruction Devices<br />
Information regarding routine destruction devices which have been tested and approved by<br />
CSEC may be obtained from COMSEC Client Services at CSEC.<br />
12.8 Emergency Destruction Priorities<br />
12.8.1 Priorities within Categories<br />
12.8.1.1 General<br />
When sufficient personnel and destruction facilities are available, different individuals should be<br />
made responsible for destroying the COMSEC material in each of the following three categories<br />
(Key Material, COMSEC Publications and COMSEC Equipment).<br />
12.8.1.2 Key Material<br />
Emergency destruction priorities for key material are:<br />
a. superseded key material marked CRYPTO<br />
b. currently effective key material marked CRYPTO (to include the zeroization of key<br />
variables stored electrically in crypto-equipment and fill devices)<br />
c. future editions of TOP SECRET key material marked CRYPTO<br />
d. future editions of SECRET and CONFIDENTIAL key material marked CRYPTO, and<br />
e. training and maintenance key.<br />
Destruction/Disposal of October 2011 85<br />
COMSEC Material
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
12.8.1.3 COMSEC Publications<br />
In deteriorating conditions, consideration must be given to destroying all full maintenance<br />
manuals (i.e. those containing cryptographic logic information) that are not absolutely essential<br />
to continued mission accomplishment. When there is insufficient time under emergency<br />
conditions to completely destroy such manuals, every reasonable effort must be made to remove<br />
and destroy their sensitive pages (i.e. those containing cryptographic logic).<br />
Emergency destruction priorities for classified COMSEC publications and other classified<br />
publications are:<br />
a. COMSEC publications marked CRYPTO<br />
b. status documents showing the effective dates for key material<br />
c. complete crypto-equipment maintenance manuals (or the sensitive pages thereof)<br />
d. the remaining classified pages of crypto-equipment maintenance manuals<br />
e. classified cryptographic and general (non-cryptographic) publications<br />
f. cryptographic operating instructions<br />
g. the remaining classified COMSEC publications, and<br />
h. national and departmental doctrinal guidance publications.<br />
12.8.1.4 COMSEC Equipment<br />
In deteriorating conditions, all reasonable efforts must be made to evacuate COMSEC<br />
equipment. During an actual emergency, when evacuation may not be possible, the immediate<br />
goal is to render COMSEC equipment unusable and irreparable. Consequently, when there is<br />
warning of hostile intent, consideration must be given to discontinue secure communications to<br />
allow for the thorough destruction of COMSEC equipment. Emergency destruction priorities for<br />
COMSEC equipment are:<br />
a. zeroization of equipment, if the keying element (e.g. key card, permuter plug) cannot be<br />
physically withdrawn<br />
b. destruction of removable classified and CCI components (e.g. printed circuit boards), and<br />
c. destruction of remaining classified and CCI components.<br />
The hulks (bodies or casings) of equipment, and unclassified devices not marked CCI, need not<br />
be destroyed.<br />
86 October 2011 Destruction/Disposal of<br />
COMSEC Material
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
12.8.2 Priorities for Combined Categories<br />
When personnel or destruction facilities are limited, the three categories of COMSEC material<br />
must be combined, in which case the destruction priorities are:<br />
a. all key material marked CRYPTO, in the following order –<br />
i superseded key, in descending order of classification or protected level from<br />
TOP SECRET<br />
ii currently effective key, in descending order of classification or protected level from<br />
TOP SECRET, and<br />
iii future key material, in descending order of classification level from TOP SECRET;<br />
b. COMSEC publications marked CRYPTO and status documents showing the effective<br />
dates for key material;<br />
c. classified pages from classified maintenance manuals (or the entire manual if classified<br />
pages are not separately identified);<br />
d. classified and CCI components of classified equipment and CCI;<br />
e. any remaining classified COMSEC material or other classified material; and<br />
f. any other COMSEC material.<br />
12.9 Emergency Destruction Methods<br />
Any of the methods approved for the routine destruction of classified COMSEC material may be<br />
used for emergency destruction. Incendiary destruction devices may be available at certain<br />
locations outside Canada. Information concerning these devices is available from COMSEC<br />
Client Services at CSEC. Basic hand tools (e.g. hammer, cold chisel, screwdrivers, pliers,<br />
crowbar, fire axe, sledge hammer) should be readily available for the emergency destruction of<br />
COMSEC equipment.<br />
12.10 Reporting Emergency Destruction<br />
Accurate and timely reporting of emergency destruction is essential in order to evaluate the<br />
severity of an emergency, and is second in importance only to ensuring that the COMSEC<br />
material is thoroughly destroyed. A report must be submitted to NCOR/COR as soon as possible.<br />
The report must clearly indicate, for the destroyed COMSEC material, the method(s) of<br />
destruction, and the degree of destruction. This report must also identify any items that were not<br />
destroyed and which may be presumed compromised. In such cases, a COMSEC Incident Report<br />
must be submitted, as detailed in Chapter 16.<br />
Destruction/Disposal of October 2011 87<br />
COMSEC Material
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
This page intentionally left blank.<br />
88 October 2011 Destruction/Disposal of<br />
COMSEC Material
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
13 COMSEC Account Inventory<br />
13.1 Reasons for Inventory<br />
An inventory is the verification of a COMSEC Account’s holdings. NCOR/COR maintains a<br />
database that reflects all ALC 1, ALC 2 and ALC 6 COMSEC material charged to the COMSEC<br />
Account. The data is taken from COMSEC Material Reports (e.g. Destruction, Possession) that<br />
COMSEC Accounts submit to NCOR/COR. COMSEC Material Reports that were processed by<br />
the account but were not entered in NCOR/COR database will result in a discrepancy between<br />
NCOR/COR database and the COMSEC Account records.<br />
Inventories serve to ensure that:<br />
<br />
<br />
<br />
<br />
COMSEC Account records are up-to-date;<br />
NCOR/COR database is up-to-date by verifying that all COMSEC Material Reports have<br />
been forwarded to NCOR/COR and have been processed by NCOR/COR;<br />
COMSEC material charged to a COMSEC Account is actually on-hand and sighted by<br />
authorized personnel; and<br />
COMSEC material charged to a COMSEC Account is still required for use by the<br />
account.<br />
13.2 Types of Inventory<br />
13.2.1 Annual Inventory<br />
The COMSEC Custodian and the Alternate COMSEC Custodian must conduct an annual sight<br />
inventory of all ACM in their COMSEC Account (including all Local Elements and COMSEC<br />
Sub-Accounts).<br />
NCOR/COR will distribute an Inventory Report annually that lists all accountable material<br />
charged to the COMSEC Account as of the date of printing. A sight inventory must be conducted<br />
to verify the presence of all –and only– material listed on the report. The COMSEC Custodian<br />
must return the signed Inventory Reports to NCOR/COR no later than 10 working days after the<br />
initial receipt of that report.<br />
13.2.2 Change of COMSEC Custodian Inventory<br />
In cases of sudden (indefinite or permanent) departure of the COMSEC Custodian, a newlyappointed<br />
COMSEC Custodian must conduct a sight inventory of all COMSEC material in the<br />
COMSEC Account before the formal COMSEC Custodian handover.<br />
COMSEC Account Inventory October 2011 89
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
Upon completion of the inventory, the new COMSEC Custodian must sign the Inventory Report<br />
as the Custodian. The new COMSEC Custodian, except for discrepancies being resolved,<br />
assumes responsibility for all ACM in the account.<br />
13.2.3 Special Inventory<br />
The COMSEC Custodian must complete a special inventory when directed to do so by<br />
NCOR/COR and DCA. Special inventories may be requested for reasons such as the suspected<br />
loss of COMSEC material or frequent deviation from accounting procedures.<br />
The procedures used for an annual inventory must be used for a special inventory.<br />
13.3 Inventory Reports<br />
13.3.1 National Central Office of Record/Central Office of Record-Initiated<br />
Inventory Report<br />
NCOR/COR-initiated Inventory Reports are distributed to COMSEC Accounts to announce the<br />
beginning of the inventory process. Each Inventory Report lists all ALC 1, ALC 2 and ALC 6<br />
COMSEC material that have been recorded in the NCOR/COR database for the respective<br />
COMSEC Account as of the date of the printing of the Inventory Report.<br />
NOTE: CSEC has approved the use of several automated accounting/management systems<br />
with terminology and procedures that are quite distinct from each other. Each GC<br />
department is responsible for ensuring that its custodial personnel is trained in the use<br />
of its automated system and are familiar with the terms used by the respective software<br />
to describe activities during the inventory process.<br />
13.3.2 COMSEC Account Inventory Report<br />
Inventory Reports produced by the COMSEC Custodian at a COMSEC Account may be directed<br />
at two different audiences:<br />
<br />
<br />
Within the COMSEC Account, where they may be distributed for use during the physical<br />
sighting of on-hand material.<br />
At NCOR/COR, in order to report the complete holdings of the COMSEC Account.<br />
13.3.2.1 Distribution within the COMSEC Account<br />
The COMSEC Custodian prepares Inventory Reports for internal distribution to Sub-Account(s)<br />
and Local Elements. These Inventory Reports list all ALC 1, ALC 2, ALC 4, ALC 6 and ALC 7<br />
COMSEC material that the COMSEC Custodian has issued to elements within the COMSEC<br />
Account and which are still out on loan. Instructions for the completion of an Inventory Report<br />
can be found with the GC-223 form.<br />
90 October 2011 COMSEC Account Inventory
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
13.3.2.2 Distribution to National Central Office of Record/Central Office of<br />
Record<br />
The COMSEC Custodian compiles the results of all Inventory Reports that were distributed<br />
within the account and return an Inventory Report to NCOR/COR. This report contains all<br />
ALC 1, ALC 2 and ALC 6 COMSEC material held by the COMSEC account.<br />
13.3.3 Amendment to Inventory Report<br />
The Amendment to Inventory Report is used to report any discrepancies between the COMSEC<br />
Account’s inventory and NCOR/COR-initiated Inventory Report. For example, if the COMSEC<br />
Account failed to submit a Destruction Report to NCOR/COR, all the material destroyed by the<br />
account, which was listed on the Destruction Report, would not be recorded in NCOR/COR<br />
database. Consequently, NCOR/COR-initiated Inventory Report would list that material as being<br />
on-hand at the COMSEC Account. An Amendment to Inventory Report would provide the details<br />
of the missing Destruction Report. When submitting the Amendment to Inventory Report, the<br />
COMSEC Custodian must attach all supplemental accounting reports in order for NCOR/COR to<br />
proceed with the inventory reconciliation.<br />
13.4 Inventory Process<br />
13.4.1 Scheduling the Sight Inventory<br />
The COMSEC Custodian must ensure that a sight inventory of the entire COMSEC Account is<br />
carried out during an inventory. Before the expected receipt of the annual NCOR/COR-initiated<br />
Inventory Report, the COMSEC Custodian must:<br />
<br />
<br />
<br />
<br />
Generate a COMSEC Account Inventory Report.<br />
Conduct a sight inventory of COMSEC material that has been issued to Local Elements<br />
or direct the Local Element to do so with an appropriate witness.<br />
Direct each COMSEC Sub-Account Custodian to conduct a sight inventory of COMSEC<br />
Sub-Account holdings in the same manner as described for a COMSEC Account<br />
inventory.<br />
Conduct a sight inventory of the COMSEC material on-hand, under the direct custody of<br />
the COMSEC Custodian.<br />
COMSEC Account Inventory October 2011 91
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
13.4.2 Conducting the Sight Inventory<br />
The COMSEC Custodian will provide an Inventory Report for personnel conducting a sight<br />
inventory of COMSEC material. The following applies when conducting a sight inventory of<br />
COMSEC material:<br />
<br />
<br />
<br />
<br />
<br />
<br />
The sight inventory must be conducted by two individuals who are appropriately cleared<br />
and who have been COMSEC briefed.<br />
The two individuals conducting the sight inventory must verify that the COMSEC<br />
material on-hand agrees with the COMSEC Account Inventory Report.<br />
Unsealed COMSEC publications and key material must be page checked.<br />
COMSEC equipment in use does not need to be opened to verify it contains all the<br />
required subassemblies and elements.<br />
Removable assemblies that are listed separately on an inventory report and are not listed<br />
on the equipment’s chassis must be physically sighted unless the equipment is<br />
undergoing tests or is in operation.<br />
Electronic key, which is stored in equipment that has a verifiable audit trail, may be<br />
inventoried without a witness.<br />
COMSEC Custodians are responsible to NCOR/COR for only the original ALC 6<br />
electronic key distributed to the account or generated by the account. Copies of electronic<br />
key are locally accountable.<br />
13.4.3 Reconciling the COMSEC Account Inventory Report<br />
13.4.3.1 Local Element Inventory Reconciliation<br />
Persons conducting Local Element inventories may mark-up the Inventory Report to indicate<br />
that material is on-hand or, conversely, that it is lost, missing or contains extra material. They<br />
must both sign the Inventory Report before returning it to the COMSEC Custodian.<br />
The COMSEC Custodian must reconcile the Inventory Reports returned from all Local Elements<br />
with the COMSEC Account Inventory Report.<br />
13.4.3.2 COMSEC Sub-Account Inventory Reconciliation<br />
The COMSEC Sub-Account Custodian must return their signed Inventory Reports to the<br />
COMSEC Account Custodian for reconciliation. If discrepancies are noted in any COMSEC<br />
Sub-Account Inventory Report, the COMSEC Custodian must direct the custodian of that<br />
COMSEC Sub-Account to take corrective action within 48 hours of receipt of such notice,<br />
advise the COMSEC Custodian of the action taken and submit any substantiating reports<br />
required.<br />
92 October 2011 COMSEC Account Inventory
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
The COMSEC Custodian must reconcile the Inventory Reports returned from all COMSEC<br />
Sub-Accounts with the COMSEC Account Inventory Report.<br />
13.4.3.3 COMSEC Account Inventory Reconciliation<br />
Upon receipt of NCOR/COR-initiated Inventory Report, the COMSEC Custodian must reconcile<br />
the COMSEC Account holdings with NCOR/COR-initiated Inventory Report. This is<br />
accomplished by conducting a sight inventory of all COMSEC material held by all elements<br />
within the account and returning a signed Inventory Report to NCOR/COR.<br />
13.4.3.4 Completion and Submission of Inventory Report and Supplements<br />
Upon completion of the COMSEC Account inventory, the COMSEC Custodian and the witness<br />
must sign and date the Inventory Report. The number of supplemental accounting reports and<br />
pages of amendments must be entered on the last page of the Inventory Report. The Inventory<br />
Report and the Amendment to Inventory Report with all supplemental COMSEC Material<br />
Reports (if required) must be sent to NCOR/COR no later than 10 working days after receipt of<br />
NCOR/COR-initiated Inventory Report. A signed copy of the Inventory Report must be retained<br />
on file.<br />
13.4.3.5 National Central Office of Record/Central Office of Record<br />
Reconciliation of COMSEC Account Inventory Report<br />
NCOR/COR will process Inventory Reports submitted by COMSEC Accounts.<br />
If NCOR/COR notifies the COMSEC Account of discrepancies between the COMSEC Account<br />
Inventory Report and NCOR/COR Inventory Report, the COMSEC Custodian must attempt to<br />
resolve the discrepancies.<br />
If the discrepancies are the result of missing COMSEC Material Reports, the COMSEC<br />
Custodian must prepare and submit, within 48 hours, an Amendment to Inventory Report with all<br />
supplemental COMSEC Material Reports to update NCOR/COR database.<br />
If the sight inventory of the COMSEC Account is correct, and there are no missing COMSEC<br />
Material Reports, NCOR/COR will issue an Inventory Reconciliation Report, which certifies the<br />
inventory as being correct.<br />
If the sight inventory reveals lost or missing COMSEC material or other discrepancies, a<br />
COMSEC incident must be reported as detailed in Chapter 16. An Inventory Reconciliation<br />
Report will not be issued until all discrepancies have been resolved or an investigation into the<br />
incident has been completed and disposal instructions issued.<br />
COMSEC Account Inventory October 2011 93
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
This page intentionally left blank.<br />
94 October 2011 COMSEC Account Inventory
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
14 COMSEC Emergency Plan<br />
14.1 Preparing the COMSEC Emergency Plan<br />
14.1.1 Requirement<br />
Every GC department that holds COMSEC material must prepare a COMSEC Emergency Plan.<br />
Consideration must be given to incorporating this plan into the Business Continuity Plan<br />
established for the entire GC department. Procedures must emphasize maintaining security<br />
control over the COMSEC material until order is restored without endangering life.<br />
14.1.2 Development of the Plan<br />
The DCA, in coordination with the COMSEC Custodian is responsible for the preparation,<br />
implementation and annual re-evaluation of the COMSEC Emergency Plan. Coordination with<br />
appropriate security, fire and safety personnel will ensure that the plan is realistic, workable, and<br />
accomplishes the goals for which it is prepared. The duties under the plan must be clearly<br />
described and the contact information for all individuals with duties under the plan must be<br />
documented. Refer to the COMSEC Emergency Plan template for an outline and an emergency<br />
destruction plan.<br />
14.1.3 Maintaining and Testing the Plan<br />
The COMSEC Custodian must ensure that:<br />
<br />
<br />
<br />
<br />
<br />
all individuals are aware of the existence of the plan and how alerts and warnings to an<br />
emergency event will be communicated;<br />
each individual who has duties assigned under the plan receives detailed instructions on<br />
how to carry out these duties when the plan is put into effect;<br />
all individuals are familiar with all duties, so changes in assignment can be made if<br />
necessary;<br />
training exercises are conducted periodically, to ensure that all personnel (especially new<br />
personnel) can carry out their duties; and<br />
the plan is revised based on experience gained in the training exercises (if necessary).<br />
14.1.4 Emergency Destruction Plan<br />
If the COMSEC Emergency Plan calls for destroying COMSEC material, an emergency<br />
destruction plan must be included. Refer to Chapter 12 for emergency destruction priorities and<br />
methods of destruction.<br />
COMSEC Emergency Plan October 2011 95
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
14.2 Planning for Emergency Events<br />
14.2.1 Best Practices<br />
14.2.1.1 COMSEC Accounts Operating in Normal Conditions<br />
The COMSEC Custodian will organize normal operating routines such that the number and<br />
complexity of the activities that must be taken during an emergency are minimized. The<br />
COMSEC Custodian must ensure that:<br />
<br />
<br />
<br />
<br />
<br />
only the minimum amount of COMSEC material necessary for operational and<br />
contingency requirements are held by the COMSEC Account (see Table 2 in Chapter 9);<br />
COMSEC material is stored in a manner that will facilitate emergency evacuation or<br />
destruction;<br />
routine destruction is always conducted promptly upon authorization;<br />
excess COMSEC material is promptly disposed of in accordance with any disposition<br />
instructions; and<br />
COMSEC material prepared for use in an emergency is distributed without delay.<br />
14.2.1.2 COMSEC Accounts Operating in Hazardous Conditions<br />
COMSEC Accounts operating in hazardous conditions, where the risk of loss of key material due<br />
to accident or capture is high must hold only the minimum amount of key material deemed<br />
necessary to support mission requirements. Plans for the prompt re-supply of such COMSEC<br />
Accounts, in the event of an emergency supersession, must be prepared and readily implemented<br />
whenever needed.<br />
14.2.2 Natural Disasters and Accidental Emergencies<br />
Planning for a natural disaster or accidental emergency (e.g. fire, flood, tornado, or earthquake)<br />
must provide for:<br />
safety of all personnel;<br />
notification of emergency event during normal business hours and after hours;<br />
assignment of on-scene responsibility for ensuring the protection of COMSEC material;<br />
<br />
<br />
<br />
protection or removal of COMSEC material in the event that the admission of<br />
unauthorized individuals into the secure area(s) becomes necessary;<br />
evacuation of the area(s);<br />
assessment and reporting of the probable exposure of COMSEC material to unauthorized<br />
individuals during the emergency;<br />
96 October 2011 COMSEC Emergency Plan
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
<br />
<br />
<br />
<br />
<br />
post-emergency inventory of COMSEC material and reporting of the loss or unauthorized<br />
exposure of COMSEC material to the DCA;<br />
identification of primary and secondary recovery sites, when recovery will not be<br />
possible at the current location;<br />
identification of critical resources required to support the recovery;<br />
off-site storage facilities; and<br />
business continuity during and business resumption following the emergency event.<br />
14.2.3 Hostile Activity<br />
14.2.3.1 Assessment of situations<br />
Planning for potential hostile activity (e.g. enemy attack, civil uprising, riot) must concentrate on<br />
the activities necessary to safely evacuate or securely destroy the COMSEC material (without<br />
endangering life). It must take into consideration all possible situations which could occur, such<br />
as those in which:<br />
<br />
<br />
<br />
an orderly withdrawal could be conducted over a specified period of time;<br />
a volatile environment exists such that destruction must be performed discretely in order<br />
to avoid triggering hostilities; or<br />
invasion or capture is imminent.<br />
14.2.3.2 Consideration Factors<br />
Some important factors to be considered when planning for hostile activity:<br />
<br />
<br />
<br />
<br />
<br />
Likelihood of the various types of hostile actions and the threats that those actions pose.<br />
Availability and adequacy of physical security protection (e.g. perimeter controls,<br />
strength of guard forces, physical defences at locations which hold COMSEC material).<br />
Availability of transportation and adequate storage facilities for emergency evacuation<br />
and an assessment of the probable risks associated with emergency evacuation.<br />
Availability and adequacy of facilities for emergency destruction of COMSEC material,<br />
including approved destruction devices, electrical power, location, personnel, etc.<br />
Requirement for, and availability of, external communications during emergency<br />
situations. Unless there is an urgent need to restore communications after relocation, key<br />
material should be destroyed rather than evacuated.<br />
COMSEC Emergency Plan October 2011 97
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
14.2.3.3 External Communications<br />
External communications during an emergency situation should be limited to contact with a<br />
single remote point. This point will act as a distribution centre for outgoing message traffic and<br />
as a filter for incoming queries and guidance, thus relieving site personnel from multiple<br />
activities during the emergency. When there is a warning of hostile intent and the physical<br />
protection is inadequate to prevent overrun of the facility, secure communications should be<br />
discontinued in time to allow for thorough destruction of all COMSEC material.<br />
14.2.3.4 Protecting COMSEC Material<br />
The three options for the control of COMSEC material in an emergency due to hostile activity<br />
are:<br />
securing COMSEC material;<br />
<br />
<br />
removing COMSEC material from the scene of the emergency; and<br />
destroying COMSEC material.<br />
Planners must consider which of the above options (singly or in combination) are applicable to<br />
particular situations, and to their facilities. The option(s) from which to choose in various<br />
situations should be clearly stated in the plan. The following two scenarios are provided as<br />
examples:<br />
<br />
<br />
If it appears that a civil uprising is to be short-lived and that the COMSEC facility is to<br />
be only temporarily abandoned, the actions to take could be as follows –<br />
o Ensure that all superseded key material has been destroyed.<br />
o Gather up current and future key material and take it along if adequate security<br />
protection is available or destroy it using approved methods.<br />
o Zeroize the key from all keyed operational or on-standby equipment.<br />
o Remove all classified and CCI components from crypto-equipment and lock them,<br />
along with other classified COMSEC material, in approved storage containers.<br />
o Secure the facility door(s) and leave.<br />
o Upon return, conduct a complete inventory.<br />
If it appears that the facility is likely to be overrun, the emergency destruction plan should<br />
be put into effect.<br />
98 October 2011 COMSEC Emergency Plan
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
15 COMSEC Account Audit<br />
15.1 Planning the Audit<br />
15.1.1 Delegation of Authority<br />
The PGS mandates that CSEC report to the TBS on the state of COMSEC in the GC when<br />
requested. Compliance with this mandate requires CSEC to audit COMSEC Accounts on a<br />
regular basis. In concert with international partnership agreements, the audit is also required to<br />
ensure continued access to foreign COMSEC material. The COMSEC Account audit will<br />
hereafter be referred to as simply an audit.<br />
15.1.2 Purpose of an Audit<br />
The audit provides an independent review of a COMSEC Account’s records and activities to<br />
ensure COMSEC material produced by or entrusted to the COMSEC Account is controlled as<br />
detailed in this directive.<br />
15.1.3 Frequency of Audits<br />
A CSEC representative will audit COMSEC Accounts at least once every 18 months. Audits<br />
may be conducted more frequently based on:<br />
<br />
<br />
<br />
<br />
<br />
<br />
previous audit findings;<br />
size of the COMSEC Account inventory;<br />
volume of COMSEC Material Reports;<br />
frequency of deviation from COMSEC directive;<br />
abnormal number of COMSEC Custodian changes; or<br />
type of automated accounting system in use at the COMSEC Account.<br />
15.1.4 Scheduling the Audit<br />
Three weeks advance notice is normally provided. However, the audit may occur on short notice<br />
when irregularities of a serious nature have occurred. The CSEC representative conducting the<br />
audit will:<br />
<br />
<br />
<br />
contact the COMSEC Account Custodian (usually via a phone call or e-mail) to schedule<br />
the audit;<br />
confirm the date and time of the audit, in writing; and<br />
provide an audit check list that will be used as a guide during the audit.<br />
COMSEC Account Audit October 2011 99
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
15.2 Conducting the Audit<br />
15.2.1 Access to COMSEC Account Holdings<br />
The CSEC representative(s) is (are) authorized to have supervised access to all COMSEC<br />
Account reports, records and files, including electronic files and databases, upon presentation of<br />
their CSEC identification badge and copy of their COMSEC Briefing Certificate.<br />
NOTE: The CSEC representative(s) may require supervised access to COMSEC Sub-Account<br />
and Local Element sites. COMSEC Sub-Account and Local Element audits must be<br />
coordinated by the COMSEC Account Custodian (see Article 15.4.2).<br />
15.2.2 Scope of the Audit<br />
The audit must be sufficient in scope to determine the accuracy of COMSEC accounting records<br />
and to confirm that COMSEC material control procedures have been, and continue to be,<br />
correctly applied. The audit includes:<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
verification that accounting reports, records and files are complete and accurate;<br />
verification of compliance with packaging, marking and distribution procedures;<br />
verification of the consistent application of procedures and processes (including physical<br />
security) related to the control, storage and use of COMSEC material;<br />
assessment of the adequacy of automated accounting system controls;<br />
a detailed audit of IP accounting records, if applicable;<br />
verification of the completion of COMSEC Sub-Account audits, if applicable; and<br />
discussion with the COMSEC Custodian regarding any problems encountered with the<br />
control of COMSEC material or the maintenance the COMSEC Account.<br />
15.2.3 Exit Interview<br />
Upon conclusion of the COMSEC Account audit, the CSEC representative(s) will hold an exit<br />
interview with the DSO, the DCA (if designated) and the COMSEC Custodian to advise them of<br />
any situations that require immediate corrective action(s) and to brief them on the audit findings<br />
and recommendations.<br />
NOTE: If neither the DSO, nor the DCA is available, the CSEC representative(s) will<br />
reschedule the exit interview.<br />
100 October 2011 COMSEC Account Audit
UNCLASSIFIED<br />
15.3 Audit Reporting<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
15.3.1 COMSEC Account Audit Report<br />
The COMSEC Account Audit Report will document all observations, recommendations and<br />
required corrective actions. CSEC will provide the DCA with a copy of the COMSEC Account<br />
Audit Report (in both English and French) within 15 working days of completion of the audit. If<br />
corrective actions are required, a Statement of Action form will be included with the COMSEC<br />
Account Audit Report.<br />
15.3.2 Statement of Action Form<br />
The COMSEC Custodian must complete the corrective actions stated in the COMSEC Account<br />
Audit Report and return a signed Statement of Action form to CSEC within 10 working days of<br />
receipt of the COMSEC Account Audit Report. If due to operational requirements, the required<br />
corrective actions cannot be completed before the due date, CSEC may grant an extension to this<br />
period.<br />
15.3.3 Failure to Return a Statement of Action Form<br />
CSEC will send a tracer notice to the DCA if the signed Statement of Action form is not received<br />
when due. If a signed Statement of Action form is not returned to CSEC at the end of an<br />
additional 10 working days following dispatch of the initial tracer notice, a second tracer notice<br />
will be sent. After another five working days, following the second tracer, if the signed<br />
Statement of Action has not yet been received by CSEC, the matter will be treated as a<br />
COMSEC incident and forwarded to the NCIO for action.<br />
15.4 COMSEC Sub-Account Audits<br />
15.4.1 Requirement<br />
The COMSEC Custodian must audit COMSEC Sub-Accounts(s), at least once every 18 months,<br />
using the same considerations, and in the same manner, as detailed in this chapter.<br />
15.4.2 Communications Security Establishment Canada Participation<br />
Although COMSEC Custodians are normally responsible for conducting audits of their<br />
COMSEC Sub-Accounts, CSEC may conduct an audit of a COMSEC Sub-Account, including<br />
Local Elements, when irregularities of a serious nature have occurred.<br />
NOTE: COMSEC Sub-Account and Local Element irregularities notwithstanding, CSEC may<br />
request to collaborate with the COMSEC Account Custodian during routine audits.<br />
COMSEC Account Audit October 2011 101
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
This page intentionally left blank.<br />
102 October 2011 COMSEC Account Audit
UNCLASSIFIED<br />
16 COMSEC Incidents<br />
16.1 General<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
A COMSEC incident occurs whenever there is a situation or activity that jeopardizes the<br />
confidentiality, integrity or availability of COMSEC information, material or services.<br />
Prompt and accurate reporting of COMSEC incidents minimizes the potential for compromise of<br />
COMSEC material and the classified information that it protects. Unless all personnel who<br />
handle or manage COMSEC material immediately report all occurrences that are specifically<br />
identified as COMSEC incidents, corrective action cannot be implemented in a timely manner to<br />
mitigate or eliminate their impact.<br />
It is vitally important that all suspected COMSEC incidents be promptly reported to the<br />
responsible DCA.<br />
16.2 Classes of COMSEC Incidents<br />
16.2.1 Compromising Incidents<br />
Compromising incidents may have serious consequences for operational security. Investigation<br />
of compromising incidents helps to determine if sensitive records were irretrievably lost by the<br />
rightful owners or accessed by an unauthorized individual. It is important to note that the<br />
compromise of sensitive information or asset(s) may have implications far beyond the local<br />
authorized user or GC department. Compromising incidents are reportable at the national level<br />
(report to COMSEC Custodian, DCA and NCIO).<br />
16.2.2 Practices Dangerous to Security<br />
Practices Dangerous to Security (PDS) are incidents that are considered minor violations of<br />
administrative requirements and do not result in the loss of control, unauthorized access or<br />
unauthorized viewing of COMSEC material. PDS are considered administrative infractions<br />
and are not reportable at the national level. PDS do not result in a compromise of<br />
information, assets or functionality, but create situations where exploitation is possible unless<br />
action is taken to correct the practice. Even minor violations may warrant an evaluation.<br />
Therefore, PDS must be handled locally by the DCA in accordance with departmental directives.<br />
PDS include:<br />
<br />
<br />
premature or out-of-sequence use of keying material without the approval of the CA<br />
(report to CA, Custodian and DCA only)<br />
inadvertent destruction of keying material without authorization of the CA, as long as the<br />
destruction was properly performed and documented (only report to the CA, the<br />
COMSEC Custodian and the DCA)<br />
COMSEC Incidents October 2011 1<strong>03</strong>
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
removing keying material from its protective packaging prior to issue for use, or removing<br />
the protective packaging without authorization, as long as the removal was documented,<br />
the exposed key material was properly protected, and there was no reason to suspect<br />
espionage (only report to the COMSEC Custodian and the DCA)<br />
receipt of a package with damaged outer wrapper, but an intact inner wrapper (only report<br />
to the COMSEC Custodian and the DCA)<br />
incidents involving unclassified, non-registered documents, unclassified equipment not<br />
marked CCI, and unclassified keying material not marked CRYPTO (only report to the<br />
COMSEC Custodian and the DCA)<br />
activation of the anti-tamper mechanism or unexplained zeroization of COMSEC<br />
equipment as long as there were no other indications of unauthorized access or penetration<br />
(only report to the COMSEC Custodian and the DCA)<br />
NOTE: When these events occur (without explanation) to a KP, report as a National<br />
COMSEC incident vice a PDS.<br />
failure to zeroize key from a common fill device or T3MD within the time limits imposed<br />
in Article 12.2.3 (only report to the COMSEC Custodian and the DCA)<br />
destruction of COMSEC material not performed within required time limits (only report<br />
to the COMSEC Custodian and the DCA)<br />
loss of audit trail data in T3MDs due to the failure to upload when the time and means are<br />
unavailable (only report to the COMSEC Custodian and the DCA)<br />
16.3 Categories of COMSEC Incidents<br />
16.3.1 Cryptographic Incidents<br />
Cryptographic incidents are directly related to the improper or unauthorized use of key material<br />
or cryptographic equipment or systems. The following examples of cryptographic COMSEC<br />
incidents are not all inclusive. Additional reportable COMSEC incidents, which are unique to a<br />
given cryptosystem or to a particular application of a cryptosystem, will be listed in the specific<br />
system or equipment doctrine.<br />
Such incidents include:<br />
the use of key material which is compromised, superseded, defective, previously used<br />
(and not authorized for reuse) or incorrectly used. For example the –<br />
104 October 2011 COMSEC Incidents
UNCLASSIFIED<br />
<br />
<br />
<br />
<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
o use of key material that was produced without CSEC authorization<br />
o unauthorized use of any key material for other than its intended purpose<br />
o unauthorized extension of a cryptoperiod, and<br />
o premature use of key material;<br />
the use of COMSEC systems, equipment, software, operational practices or maintenance<br />
practices which are not approved by CSEC. For example –<br />
o the operational use of COMSEC equipment without the completion of a required<br />
alarm-check test or after the failure of an alarm-check test<br />
o the maintenance of crypto-equipment by unauthorized or unqualified individuals, and<br />
o tampering with, or unauthorized modification of a COMSEC component, equipment<br />
or system;<br />
the operational use of COMSEC equipment having defective cryptographic logic circuitry<br />
or use of an unapproved operating procedure. For example –<br />
o plain text transmission resulting from a COMSEC equipment failure or malfunction<br />
o any transmission during a failure, or after an uncorrected failure that may cause<br />
improper operation of COMSEC equipment, and<br />
o compromising emanations from a COMSEC equipment or system while processing<br />
classified information;<br />
discussion via non-secure communications of the details of a crypto-equipment failure or<br />
malfunction; and<br />
any other unauthorized use of key material or cryptographic equipment.<br />
16.3.2 Personnel Incidents<br />
Personnel incidents are situations involving individuals who have access to COMSEC material,<br />
which could jeopardize the security of that COMSEC material. Such incidents include:<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
known or suspected defection or treason;<br />
known or suspected espionage or sabotage;<br />
known or suspected subversion;<br />
theft of COMSEC material;<br />
deliberate falsification of COMSEC records or reports;<br />
known or deliberate failing to report a known or suspected COMSEC incident;<br />
unauthorized disclosure, or an attempt at disclosure, of information concerning COMSEC<br />
material; and<br />
COMSEC Incidents October 2011 105
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
<br />
accidentally or knowingly processing, storing or transmitting classified or protected<br />
information on an inappropriate COMSEC system or equipment.<br />
16.3.3 Physical Incidents<br />
Physical incidents are situations that adversely affect the physical security of COMSEC material.<br />
Such incidents include:<br />
loss of any COMSEC material or portions thereof;<br />
unauthorized access to COMSEC material;<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
discovery of COMSEC material outside of required accountability and physical control.<br />
For example –<br />
o material reflected on a destruction report as having been destroyed and witnessed, but<br />
found not completely destroyed and left unattended;<br />
o material left unsecured and unattended where unauthorized individuals could have had<br />
access;<br />
o failure to maintain required TPI or NLZ controls for TOP SECRET key; and<br />
o failure to destroy a key (including zeroizing a fill device) after use or supersession<br />
within the prescribed period of time;<br />
COMSEC material improperly packaged or shipped;<br />
receipt of classified equipment, CCI or key material marked CRYPTO with a damaged<br />
inner wrapper;<br />
destruction of COMSEC material by other than authorized means;<br />
actual or attempted unauthorized maintenance (including maintenance by unqualified<br />
individuals) or the use of a maintenance procedure that deviates from established<br />
directive;<br />
known or suspected tampering with or penetration of COMSEC material including, but<br />
not limited to, COMSEC material received in protective packaging which shows evidence<br />
of tampering and unauthorized premature opening of a sealed package of key material;<br />
unauthorized copying, reproducing or photographing of COMSEC material;<br />
discovery of a clandestine intercept or recording device in or near a COMSEC facility;<br />
and<br />
any other occurrence which jeopardizes the physical security of COMSEC material.<br />
106 October 2011 COMSEC Incidents
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
16.4 Handling of Incidents<br />
16.4.1 Departmental Procedures<br />
The DCA must establish internal COMSEC incident identification and response procedures that<br />
will ensure prompt and accurate reporting of COMSEC incidents and minimize the potential for<br />
or actual loss or compromise of COMSEC material.<br />
The COMSEC Custodian must ensure that each individual who uses, or otherwise has access to<br />
COMSEC material is capable of recognizing a COMSEC incident and understands the<br />
requirements for immediately reporting COMSEC incidents.<br />
16.4.2 COMSEC Custodian Responsibility<br />
When COMSEC material is actually or potentially compromised, the COMSEC Custodian must<br />
take the following steps:<br />
a. Immediately report the circumstances to the DCA.<br />
b. Mark all item(s) of the affected COMSEC material as “Pending Investigation” in the<br />
COMSEC material inventory file.<br />
c. Maintain accountability for the COMSEC material until the COMSEC investigation is<br />
complete and a Final Assessment and Closure Report have been received from the NCIO<br />
authorizing the disposition of the COMSEC material (e.g. transfer to CSEC for evaluation,<br />
destruction, relief from accountability for lost item).<br />
16.4.3 Departmental COMSEC Authority Responsibility<br />
Upon notification of an actual or potential COMSEC incident, the DCA must:<br />
a. conduct a preliminary investigation to verify the validity of the report and determine any<br />
immediate corrective action that is required;<br />
b. consider the impact of corrective actions or inaction on national or international security;<br />
c. inform all individuals within and outside of the GC department who have a need to be<br />
aware of the incident; and<br />
d. follow-up with a more thorough investigation, if required.<br />
Occurrences that are clearly administrative in nature and that pose no security implications<br />
(e.g. COMSEC material accounting procedural matters) may be reported to NCOR/COR as a<br />
routine matter. If any doubt exists about an occurrence, it must be treated as a COMSEC<br />
incident.<br />
COMSEC Incidents October 2011 107
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
16.4.4 Reporting COMSEC Incidents<br />
16.4.4.1 Initial Response to COMSEC Incident<br />
Immediately following the preliminary investigation, if it is determined that a reportable<br />
COMSEC incident has occurred, the DCA must, within 24 hours after discovery, forward a<br />
COMSEC Incident Initial Report to the NCIO at CSEC. The NCIO will assess the situation to<br />
determine the significance and potential impact of each case. Except in very minor cases, the<br />
NCIO will require the GC department to conduct a more thorough investigation and to submit a<br />
COMSEC Incident Evaluation Report.<br />
16.4.4.2 COMSEC Incident Initial Report<br />
The COMSEC Incident Initial Report may take the form of a verbal notification by secure<br />
telephone or informal notification by secure facsimile. A formal written report may also be<br />
requested by the NCIO to clarify details. The COMSEC Incident Initial Report must provide the<br />
following information:<br />
identification of the COMSEC Account in which the incident occurred;<br />
category of the incident (i.e. Cryptographic, Physical or Personnel);<br />
<br />
<br />
<br />
<br />
<br />
<br />
identification of all COMSEC material involved including short title(s), edition and<br />
segment of key(s) loaded in COMSEC equipment, accounting numbers (e.g. KMID),<br />
classification, responsible CA and key expiry or supersession date;<br />
identity of all individual(s) involved including name, citizenship, position and security<br />
clearance level;<br />
description of circumstances surrounding the incident including the date of incident or<br />
discovery and the date reported;<br />
name of the DCA responsible for investigating and evaluating the incident;<br />
immediate corrective action(s) taken, or planned; and<br />
an estimation of the possibility of compromise (i.e. “Certain”, “Possible”, “Unlikely” or<br />
“Impossible”) with the basis for the estimation.<br />
16.4.4.3 COMSEC Incident Evaluation Report (Letter)<br />
A COMSEC Incident Evaluation Report provides the NCIO with the required details and facts<br />
surrounding a COMSEC incident.<br />
For simple incidents, the NCIO will request a COMSEC Incident Evaluation Report in the form<br />
of a letter, which must provide:<br />
<br />
<br />
a detailed chronological account of the nature and circumstances of the COMSEC<br />
incident;<br />
an assessment of the probability of compromise; and<br />
108 October 2011 COMSEC Incidents
UNCLASSIFIED<br />
<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
a description of corrective action taken to limit damage resulting from the incident and to<br />
prevent recurrence of the incident.<br />
For more complex cases, the NCIO will provide additional direction and request a more detailed<br />
COMSEC Incident Evaluation Report.<br />
16.4.4.4 Sensitivity of COMSEC Incident Reports<br />
COMSEC incident reports must be classified and protected at a level consistent with the most<br />
sensitive information actually or potentially exposed, lost or compromised in the incident. The<br />
following additional rules apply:<br />
<br />
<br />
<br />
When deemed necessary, a GC department may classify a COMSEC incident report at a<br />
higher level. A COMSEC incident report involving COMSEC material of different levels<br />
of sensitivity must be classified at the most sensitive level applicable to the incident.<br />
In a case where the incident involves COMSEC equipment, systems or material, the<br />
incident must be handled and reported at a level at least commensurate with that of the<br />
COMSEC equipment, system or COMSEC material.<br />
In a case where the COMSEC material relates to IT systems processing information at a<br />
classification level greater than that of the COMSEC material, the incident must be<br />
handled and reported at the greater classification level (e.g. an incident involving<br />
PROTECTED A authentication key material used on an IT system processing SECRET<br />
information will be controlled and reported at the SECRET level).<br />
16.4.4.5 Dissemination of COMSEC Incident Information<br />
Dissemination of information relevant to any COMSEC incident must be limited to those with a<br />
clear need-to-know.<br />
16.5 Recovery of COMSEC Material<br />
The DCA must ensure that individuals who are responsible for recovery action are able to<br />
quickly implement the required recovery procedures and consequently minimize the impact of a<br />
COMSEC incident.<br />
16.6 Post-Incident Evaluation<br />
Following the collection and assessment of all information received or available from existing<br />
records, the NCIO will issue a COMSEC Incident Final Assessment and Closure Report for each<br />
reported COMSEC incident. The report will include recommendations to prevent a similar<br />
COMSEC incident or reduce the impact of a recurrence.<br />
COMSEC Incidents October 2011 109
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
16.7 COMSEC Incidents Involving North Atlantic Treaty Organization<br />
COMSEC Material<br />
GC departments holding NATO COMSEC material must report COMSEC incidents involving<br />
NATO material to the NCIO at CSEC. The NCIO, in coordination with DND, will provide<br />
direction with respect to the conduct of the investigation and ensure that NATO authorities are<br />
kept informed.<br />
16.8 COMSEC Incidents Involving In-Process COMSEC Material<br />
Canadian Private Sector organizations holding IP COMSEC material must report COMSEC<br />
incidents to CICA (see reporting COMSEC Incidents in the ICMCM). CICA will, in turn,<br />
immediately notify the CICA DCA who will notify the NCIO.<br />
16.9 Disciplinary Action<br />
The primary purpose of reporting COMSEC incidents is to continuously maintain the maximum<br />
possible level of protection for GC sensitive information and COMSEC material. This directive<br />
provides for administrative control measures in support of GC policy and the PGS. Disciplinary<br />
action, if deemed warranted by circumstance, is entirely in the purview of the DSO and host<br />
departmental authorities. Failure to report a COMSEC incident, or cover it up, may be<br />
considered “wilful or gross neglect” and must be evaluated accordingly.<br />
In cases of non-compliance, CSEC may escalate administrative control of a department’s<br />
COMSEC Account including suspension (refer to Article 4.6.1).<br />
110 October 2011 COMSEC Incidents
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
Glossary<br />
Access<br />
Accountability<br />
Accountable COMSEC<br />
Material (ACM)<br />
Accountable COMSEC<br />
Material Control<br />
Agreement (ACMCA)<br />
Accounting Legend Code<br />
(ALC)<br />
Alternate COMSEC<br />
Custodian<br />
Audit Trail<br />
The capability and opportunity to gain knowledge or<br />
possession of, or to alter, information or material.<br />
The responsibility of an individual for the safeguard and<br />
control of COMSEC material which has been entrusted to<br />
his or her custody.<br />
COMSEC material that requires control and<br />
accountability within the National COMSEC Material<br />
Control System in accordance with its accounting legend<br />
code and for which transfer or disclosure could be<br />
detrimental to the national security of Canada.<br />
A binding agreement between Communications Security<br />
Establishment Canada and an entity (Government or<br />
Canadian private sector) not listed in Schedules I, I.1, II,<br />
IV and V of the Financial Administration Act that will<br />
permit the procurement, ownership, control and<br />
management of COMSEC material. It will also prescribe<br />
the conditions for the financing, resale and final<br />
disposition of the COMSEC material.<br />
Numeric code used to indicate the minimum accounting<br />
controls for COMSEC material which requires<br />
accountability and control within the National COMSEC<br />
Material Control System.<br />
The individual designated by the Departmental COMSEC<br />
Authority to assist the COMSEC Custodian and to<br />
perform the duties of the COMSEC Custodian during the<br />
temporary absence of the COMSEC Custodian.<br />
A chronological record of system activities to enable the<br />
construction and examination of the sequence of events or<br />
changes in an event (or both).<br />
Glossary October 2011 111
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
Authorized User (AU)<br />
BLACK Key<br />
Centrally-Accountable<br />
COMSEC Material<br />
Communications Security<br />
(COMSEC)<br />
Compromise<br />
COMSEC Account<br />
COMSEC Account Audit<br />
COMSEC Courier<br />
Certificate<br />
An individual, who is required to use COMSEC material<br />
in the performance of assigned duties, possesses the<br />
required security clearance or reliability status, has been<br />
COMSEC briefed, has the need-to-know and is<br />
responsible for safeguarding COMSEC material.<br />
Encrypted key (i.e. classified keying material in<br />
encrypted format that has been encrypted with<br />
cryptography approved by Communications Security<br />
Establishment Canada).<br />
COMSEC material that has been assigned an Accounting<br />
Legend Code of 1, 2 or 6 and is continuously accountable<br />
to a Central Office of Record.<br />
The application of cryptographic security, transmission<br />
and emission security, physical security measures,<br />
operational practices and controls to deny unauthorized<br />
access to information derived from telecommunications<br />
and that ensure the authenticity of such<br />
telecommunications.<br />
Unauthorized disclosure, destruction, removal,<br />
modification, interruption or use of assets.<br />
An administrative entity identified by an Electronic Key<br />
Management System Identifier (i.e. COMSEC Account<br />
number), used to maintain accountability, custody and<br />
control of COMSEC material that has been entrusted to<br />
the entity.<br />
Independent cooperative examination of a COMSEC<br />
Account’s records and activities to ensure COMSEC<br />
material produced by or entrusted to the COMSEC<br />
Account is handled and controlled in accordance with<br />
applicable directive.<br />
A document authorizing an individual to transport<br />
COMSEC material.<br />
112 October 2011 Glossary
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
COMSEC Custodian<br />
COMSEC Equipment<br />
COMSEC Facility<br />
COMSEC Incident<br />
COMSEC Material<br />
COMSEC Material Report<br />
COMSEC Sub-Account<br />
The individual designated by the Departmental COMSEC<br />
Authority to be responsible for the receipt, storage,<br />
access, distribution, accounting, disposal and destruction<br />
of all COMSEC material that has been charged to the<br />
departmental COMSEC Account.<br />
Communications Security Establishment Canadaapproved<br />
cryptographic equipment and systems designed<br />
to protect classified or PROTECTED C information and<br />
data for the Government of Canada. It may also include<br />
crypto-ancillary, crypto-production and authentication<br />
equipment.<br />
An authorized space in a building or other location that is<br />
employed for the purpose of generating, storing, repairing<br />
or using COMSEC material.<br />
Any occurrence that jeopardizes or potentially<br />
jeopardizes the security of classified or protected<br />
Government of Canada information while it is being<br />
stored, processed, transmitted or received during the<br />
telecommunications process.<br />
Material designed to secure or authenticate<br />
telecommunications information. COMSEC material<br />
includes, but is not limited to, key, equipment, modules,<br />
devices, documents, hardware, firmware or software that<br />
embodies or describes cryptographic logic and other<br />
items that perform COMSEC functions.<br />
A general-purpose form (i.e. GC-223) used by COMSEC<br />
Custodians to report accounting transactions or to provide<br />
notice of an action involving COMSEC material.<br />
An administrative entity identified by an Electronic Key<br />
Management System Identifier (i.e. COMSEC Account<br />
number) established by a COMSEC Account to assist in<br />
the control of the COMSEC material entrusted to the<br />
COMSEC Account.<br />
Glossary October 2011 113
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
Controlled Cryptographic<br />
Item (CCI)<br />
Controlled Cryptographic<br />
Item (CCI) Marking<br />
Controlling Authority (CA)<br />
Conversion Report<br />
CRYPTO<br />
Crypto Material Assistance<br />
Centre (CMAC)<br />
Cryptographic<br />
Cryptographic Logic<br />
Unclassified secure telecommunications or information<br />
handling equipment, or associated cryptographic<br />
components, that are governed by a special set of control<br />
requirements within the National COMSEC Material<br />
Control System and marked “Controlled Cryptographic<br />
Item”, or where space is limited, “CCI”.<br />
A marking applied to COMSEC material that serves as a<br />
warning that material so marked is subject to special<br />
handling and control requirements.<br />
Designated entity responsible for managing the<br />
operational use and control of key assigned to that<br />
cryptographic network.<br />
Accounting report documenting the change of an<br />
Accounting Legend Code and/or short title of physical<br />
COMSEC material, or recording the modification<br />
number(s) assigned to COMSEC equipment.<br />
A marking which is applied to key material indicating<br />
that items so marked are subject to specific controls<br />
governing access, distribution, storage, accounting,<br />
disposal and destruction (see Cryptographic below).<br />
The entity within Communications Security<br />
Establishment Canada responsible for all aspects of key<br />
ordering including privilege management, the<br />
management of the National Central Office of Record and<br />
the administration of the Assistance Centre.<br />
Pertaining to or concerned with cryptography (often<br />
abbreviated as "CRYPTO" and used as a prefix).<br />
The embodiment of one (or more) crypto-algorithm(s)<br />
along with alarms, checks, and other processes essential<br />
to effective and secure performance of the cryptographic<br />
process(es).<br />
114 October 2011 Glossary
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
Cryptographic Material<br />
Cryptographic Network<br />
(cryptonet)<br />
Cryptography<br />
Crypto-Ignition Key (CIK)<br />
Cryptoperiod<br />
Departmental COMSEC<br />
Authority (DCA)<br />
Departmental Security<br />
Officer (DSO)<br />
Destruction Device<br />
Destruction Report<br />
All material, including documents, devices and<br />
equipment, which contain crypto-information and is<br />
essential to the encryption, decryption or authentication<br />
of communications.<br />
A telecommunications network (regardless of size or<br />
number of users) in which information is protected by the<br />
use of compatible cryptographic equipment using the<br />
same cryptographic key.<br />
The discipline that treats the principles, means and<br />
methods for making plain information unintelligible and<br />
reconverting the unintelligible information back into plain<br />
information.<br />
A device or electronic key that can be used to unlock the<br />
secure mode of cryptographic equipment.<br />
A specific period of time during which a cryptographic<br />
key is in effect.<br />
The individual designated by, and responsible to, the<br />
Departmental Security Officer for developing,<br />
implementing, maintaining, coordinating and monitoring<br />
a departmental COMSEC program which is consistent<br />
with the Policy on Government Security and its standards.<br />
The individual responsible for developing, implementing,<br />
maintaining, coordinating and monitoring a departmental<br />
security program consistent with the Policy on<br />
Government Security and its standards.<br />
Any device or process used to change the medium which<br />
contains classified or protected information in such a way<br />
that the classified or protected information can no longer<br />
be derived from the medium.<br />
Accounting report documenting the physical destruction<br />
or electronic zeroization of COMSEC material, whether<br />
by authorized means or by accident.<br />
Glossary October 2011 115
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
Electronic Key<br />
Encryption<br />
Facility Security Clearance<br />
Fill<br />
GC-223<br />
Generation Report<br />
Government of Canada<br />
(GC) department<br />
Hand Receipt<br />
Hierarchy of Zones<br />
Key that is stored on magnetic media, optical media, or in<br />
electronic memory, transferred by electronic circuitry, or<br />
loaded into COMSEC equipment.<br />
The transformation of readable data into an unreadable<br />
stream of characters using a reversible coding process.<br />
An administrative determination that an organization is<br />
eligible, from a security viewpoint, for access to<br />
classified and protected information or assets of the same<br />
or lower classification level as the clearance being<br />
granted.<br />
The process of providing key material to an end<br />
equipment or end crypto unit for its internal use.<br />
See COMSEC Material Report.<br />
Accounting report documenting the generation or import<br />
of electronic key.<br />
Any federal department, organization, agency or<br />
institution subject to the Policy on Government Security.<br />
An accounting record that documents the issue of and<br />
acceptance of responsibility for COMSEC material.<br />
Process by which Government of Canada departments<br />
must ensure that access to, and safeguards for, protected<br />
and classified COMSEC material are based on a clearly<br />
discernable hierarchy of zones. There are five zones:<br />
Public Zone; Reception Zone; Operations Zone; Security<br />
Zone and High Security Zone.<br />
116 October 2011 Glossary
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
High Security Zone<br />
Information Technology<br />
(IT)<br />
Information Technology<br />
(IT) Security<br />
In-Process (IP) COMSEC<br />
Material<br />
Integrity<br />
Inventory Report<br />
Issue<br />
Key<br />
Key Encryption Key (KEK)<br />
Area to which access is limited to authorized,<br />
appropriately-screened personnel and authorized and<br />
properly-escorted visitors. It must be indicated by a<br />
perimeter built to the specifications recommended in the<br />
Threat and Risk Assessment, monitored continuously (i.e.<br />
24 hours a day and 7 days a week) and be an area to<br />
which details of access are recorded and audited.<br />
The acquisition, processing, storage and dissemination of<br />
vocal, pictorial, textual and numerical information by a<br />
combination of computing hardware, firmware, and<br />
software, telecommunications and automated information<br />
systems, automatic data processing equipment, and video.<br />
Safeguards to preserve the confidentiality, integrity,<br />
availability, intended use and value of electronically<br />
stored, processed or transmitted information.<br />
COMSEC material being developed, produced,<br />
manufactured or repaired.<br />
The accuracy and completeness of information and assets,<br />
and the authenticity of transactions.<br />
An accounting report listing COMSEC material charged<br />
to a COMSEC Account.<br />
The process of distributing COMSEC material from a<br />
COMSEC Account to its COMSEC Sub-Account(s) or<br />
Local Element(s).<br />
Information used to set up and periodically change the<br />
operations performed in crypto-equipment for the purpose<br />
of encrypting and decrypting electronic signals and digital<br />
signatures, determining electronic countermeasures<br />
patterns, or producing other keys.<br />
A key that encrypts or decrypts other key for transmission<br />
or storage.<br />
Glossary October 2011 117
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
Key Management<br />
Key Material<br />
Key Material Support Plan<br />
(KMSP)<br />
Local Accounting<br />
Local Accounting Identifier<br />
Local Element<br />
Locally-Accountable<br />
COMSEC Material<br />
National Central Office of<br />
Record (NCOR)<br />
The procedures and mechanisms for generating,<br />
disseminating, replacing, storing, archiving, and<br />
destroying keys which control encryption or<br />
authentication processes.<br />
Key, code, or authentication information that is in<br />
physical or electronic form.<br />
A detailed description of the COMSEC requirements of a<br />
cryptographic network.<br />
The process used by the COMSEC Custodian to control<br />
and account for COMSEC material and other specified<br />
material that is not reportable to the National Central<br />
Office of Record/Central Office of Record.<br />
A unique number or alpha-numeric designator assigned<br />
locally to material that requires local accounting within a<br />
COMSEC Account.<br />
NOTE: Local accounting identifiers must not be used on<br />
the COMSEC Material Report as an accounting<br />
number. They may be included in the remarks<br />
column.<br />
Individual registered at a COMSEC Account or<br />
COMSEC Sub-Account who may receive COMSEC<br />
material from that account.<br />
COMSEC material that has been assigned an Accounting<br />
Legend Code 4 or 7 and which is continuously<br />
accountable within a COMSEC Account after initial<br />
receipt has been sent to the distributing COMSEC<br />
Account.<br />
The entity at Communications Security Establishment<br />
Canada responsible for maintaining records of<br />
accountability for all accountable COMSEC material,<br />
produced in, or entrusted to, Canada.<br />
118 October 2011 Glossary
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
National COMSEC<br />
Incidents Office (NCIO)<br />
National COMSEC<br />
Material Control System<br />
(NCMCS)<br />
Need-to-Know<br />
No Lone Zone (NLZ)<br />
Operations Zone<br />
Organization<br />
Permuter<br />
Personal Identification<br />
Number (PIN)<br />
The entity at Communications Security Establishment<br />
Canada responsible for managing COMSEC incidents<br />
through registration, investigation, assessment,<br />
evaluation, and closure.<br />
A logistic system through which COMSEC material,<br />
including COMSEC material marked “CRYPTO” is<br />
distributed, controlled and safeguarded.<br />
The requirement for someone to access and know certain<br />
information in order to perform his or her duties.<br />
An area, room, or space to which no one person is<br />
permitted to have unaccompanied access, and that when<br />
occupied must have two or more appropriately cleared<br />
individuals within, who must remain within sight of each<br />
other.<br />
Area where access is limited to personnel who work there<br />
and to properly-escorted visitors. It must be indicated by<br />
a recognizable perimeter and monitored periodically.<br />
Any institution, other than a Government of Canada<br />
department, agency or crown corporation, holding or<br />
seeking a Facility Security Clearance. The majority are<br />
commercial corporations, but other institutions are also<br />
included such as universities, partnerships, and other<br />
levels of government and their agencies.<br />
Device used in crypto-equipment to change the order in<br />
which the contents of a shift register are used in various<br />
non-linear combing circuits.<br />
A series of letters, special characters, and numbers used<br />
to unlock the secure mode of COMSEC equipment.<br />
Glossary October 2011 119
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
Personnel Security<br />
Screening<br />
Physical Key<br />
Physical Security<br />
Plik<br />
Possession Report<br />
Private Sector<br />
Protected Information<br />
Protection<br />
The process of examining the trustworthiness and<br />
suitability of employees and, where national interest is<br />
concerned, their loyalty and associated reliability. When<br />
satisfactory, an employee is grated reliability status or a<br />
security clearance. Reliability status applies when only<br />
protected assets are concerned. When the employee has<br />
access to classified assets, a security clearance<br />
corresponding to the level of classified assets is issued.<br />
A security clearance includes reliability status.<br />
Hard copy key in a non-electronic format.<br />
The use of physical safeguards to prevent or delay<br />
unauthorized access to assets, to detect attempted and<br />
actual unauthorized access and to activate appropriate<br />
responses.<br />
A tamper evident, theft prevention, high security seal that<br />
is affixed to packages before shipment.<br />
Accounting report documenting the entry of COMSEC<br />
material into the National COMSEC Material Control<br />
System.<br />
Canadian companies or organizations that do not fall<br />
under the Financial Administration Act or are not<br />
subordinate to a provincial or municipal government.<br />
Information related to other than the national interest that<br />
may qualify for an exemption or exclusion under the<br />
Access to Information Act or Privacy Act.<br />
For physical security, protection means the use of<br />
physical, procedural and psychological barriers to delay<br />
or deter unauthorized access, including visual and<br />
acoustic barriers.<br />
120 October 2011 Glossary
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
Protective Packaging<br />
Public Zone<br />
Reception Zone<br />
RED Key<br />
Relief from Accountability<br />
(RFA) Report<br />
Restricted Access Area<br />
Reticule<br />
Risk<br />
Risk Assessment<br />
Screening<br />
Packaging techniques for COMSEC material, which<br />
discourage penetration, and/or reveal that a penetration<br />
has occurred, or which inhibit viewing or copying of<br />
COMSEC material, before the time it is exposed for use.<br />
Area where the public has unimpeded access and<br />
generally surrounds or forms part of a government<br />
facility.<br />
Area where the transition from a public zone to a<br />
restricted access area is demarcated and controlled. It is<br />
typically located at the entry to the facility where initial<br />
contact between visitors and the department occurs.<br />
Access by visitors may be limited to specific times of the<br />
day or for specific reasons.<br />
Unencrypted key.<br />
Accounting report documenting the removal of COMSEC<br />
material from a COMSEC Account inventory.<br />
A work area where access is limited to authorized<br />
individuals. It includes Operation Zones, Security Zones<br />
and High Security Zones.<br />
A disk, or the like, with a pattern of opaque and<br />
transparent portions which can be rotated in the path of a<br />
beam of light or other radiation so as to modulate it.<br />
The chance of a vulnerability being exploited.<br />
An evaluation based on the effectiveness of existing or<br />
proposed security safeguards, of the chance of<br />
vulnerabilities being exploited.<br />
The process of verifying visitors and/or material at entry<br />
points of a facility or a restricted area for authorizing<br />
access.<br />
Glossary October 2011 121
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
Security Classification<br />
Security Screening<br />
Security Zone<br />
Short Title<br />
Sight Inventory<br />
Supersession<br />
Threat<br />
Threat Assessment<br />
Tier 3 Management Device<br />
(T3MD)<br />
A category or grade assigned to information or material to<br />
indicate the degree of danger to national security that<br />
would result from its unauthorized disclosure and the<br />
standard of protection required to guard against<br />
unauthorized disclosure (e.g. TOP SECRET, SECRET<br />
and CONFIDENTIAL).<br />
The process which must be completed before an<br />
individual can be granted a security clearance.<br />
Area to which access is limited to authorized personnel<br />
and to authorized and properly-escorted visitors. It must<br />
be indicated by a recognizable perimeter and monitored<br />
continuously (i.e. 24 hours a day and 7 days a week).<br />
Identifying combination of letters and numbers assigned<br />
to COMSEC material to facilitate handling, accounting,<br />
and control.<br />
The physical verification of the presence of each item of<br />
COMSEC material charged to a COMSEC Account.<br />
Scheduled or unscheduled replacement of a key or<br />
COMSEC publication with a different edition.<br />
Any event or act, deliberate or accidental, that could<br />
cause injury to people, information, assets or services.<br />
An evaluation of the nature, likelihood and consequences<br />
of acts or events that could cause injury to people,<br />
information, assets or services.<br />
A Communications Security Establishment Canadaapproved<br />
device (e.g. AN/CYZ-10/10A, KIK-20 and<br />
AN/PYQ-10), that securely stores, transports and<br />
transfers (electronically) both COMSEC and TRANSEC<br />
key and that is programmable to support modern mission<br />
systems. Designed to be backwards compatible with<br />
previous generations of common fill devices.<br />
122 October 2011 Glossary
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
Tracer Notice – Transfer<br />
Transfer<br />
Transfer Report<br />
Transmission Security<br />
(TRANSEC)<br />
Two Person Integrity (TPI)<br />
Unauthorized Access<br />
Vulnerability<br />
Zones<br />
A notice sent by a COMSEC Custodian or the National<br />
Central Office of Record/Central Office of Record when a<br />
copy of a Transfer Report or a Transfer Report Receipt is<br />
not received within a pre-determined period of time.<br />
The process of distributing COMSEC material from one<br />
COMSEC Account to another COMSEC Account.<br />
An accounting report that documents the distribution of<br />
COMSEC material from one COMSEC Account to<br />
another COMSEC Account.<br />
The application of measures designed to protect<br />
transmissions from interception and exploitation by<br />
means other than cryptanalysis.<br />
A control procedure whereby TOP SECRET key material<br />
and other specified key material is never handled or made<br />
available to one individual only.<br />
Access to assets by an individual who is not properly<br />
security screened and/or does not have a need-to-know.<br />
An inadequacy related to security that could increase<br />
susceptibility to compromise or injury.<br />
A series of clearly discernable spaces to progressively<br />
control access. See Hierarchy of Zones.<br />
Glossary October 2011 123
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
Bibliography<br />
Documents available from COMSEC Client Services at CSEC:<br />
<br />
<br />
<br />
<br />
A Guide to Security Risk Management for Information Technology Systems (MG-2),<br />
January 1996.<br />
Canadian Cryptographic Doctrine for the Government of Canada Electronic Key<br />
Management System (GC EKMS) (CCD-06), November 2006.<br />
Canadian Cryptographic Doctrine for the Local Management Device/Key Processor<br />
(LMD/KP [KOK-22/22A]) (CCD-07), August 2002.<br />
Canadian Cryptographic Doctrine for the Disposal of Accountable COMSEC<br />
Equipment (CCD-49), February 2008.<br />
Industrial COMSEC Material Control (ICMCM) (<strong>ITSD</strong>-CSD-01), December 2001.<br />
<br />
Local Management Device/Key Processor (LMD/KP) Operator’s Manual,<br />
September 2000.<br />
Manual of Cryptographic Equipment and COMSEC Devices (MG-16), July 1997.<br />
<br />
<br />
NATO Crypto Distribution and Accounting Publication (AMSG 505), undated.<br />
Policy and Procedures for the Handling and Control of Two-Person-Controlled (TPC)<br />
NATO Security Material (AMSG 773), undated.<br />
Short Title Nomenclature in Canada (ITSG-09), October 2001.<br />
<br />
Control of Communications Security (COMSEC) Material (NSA/CSS Policy Manual<br />
No. 3-16), U.S., August 5, 2005.<br />
Bibliography October 2011 125
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
Documents available on the Internet:<br />
Communications Security Establishment Canada<br />
Directive for the Application of Communications Security in the Government of<br />
Canada (<strong>ITSD</strong>-01), January 2005.<br />
Cryptographic Key Ordering Manual (ITSG-13), May 2006.<br />
Clearing and Declassifying Electronic Data Storage Devices (ITSG-06), July 2006.<br />
Justice Canada<br />
Financial Administration Act (FAA), 1985 (current as of April 19, 2011).<br />
Public Works and Government Services Canada<br />
Industrial Security Manual, December 11, 2009.<br />
Royal Canadian Mounted Police<br />
Control of Access (G1-024), August 2004.<br />
Protection, Detection and Response (G1-025), December 2004.<br />
Guide to the Application of Physical Security Zones (G1-026), September 2005.<br />
Security Equipment Guide (G1-001), March 2006.<br />
Treasury Board of Canada Secretariat<br />
Policy on Government Security, July 1, 2009.<br />
Operational Security Standard on Physical Security, December 1, 2004.<br />
<br />
Operational Security Standard: Management of Information Technology Security (MITS),<br />
May 31, 2004.<br />
126 October 2011 Bibliography
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
Annex A – Control of In-Process COMSEC Material<br />
A.1 Introduction<br />
A.1.1<br />
Purpose<br />
This annex provides the minimum security requirements for COMSEC material that requires<br />
control and accounting within an “In-Process (IP)” logistics system.<br />
A.1.2<br />
Scope<br />
IP COMSEC material includes:<br />
key material, COMSEC publications or COMSEC equipment (including CCI and<br />
sensitive IP COMSEC parts, components and assemblies) which is being developed,<br />
manufactured, assembled, disassembled, produced or reproduced before being controlled<br />
in the NCMCS (or a foreign national COMSEC system);<br />
<br />
<br />
A.1.3<br />
COMSEC equipment (controlled in the NCMCS) which is under a Repair and<br />
Maintenance (R&M) contract and includes the removal or insertion of COMSEC parts,<br />
components or assemblies; and<br />
COMSEC publications (controlled in the NCMCS) and IP manuscripts which are under<br />
contract for translation or reproduction.<br />
Content of Annex<br />
This annex contains the following sections:<br />
Section A.1 – Introduction<br />
Section A.2 – IP Plan<br />
Section A.3 – Accounting for IP COMSEC Material<br />
Section A.4 – Control of IP COMSEC Equipment<br />
Section A.5 – COMSEC Equipment under R&M Contract<br />
Section A.6 – COMSEC Publications under Development<br />
Section A.7 – COMSEC Publications under Reproduction or Translation Contract<br />
Annex A – Control of In-Process October 2011 127<br />
COMSEC Material
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
A.2 In-Process Plan<br />
A.2.1<br />
Content of the In-Process Plan<br />
The IP Plan must include:<br />
purpose of the IP plan;<br />
references and definitions used in or to develop the IP plan;<br />
name, address and account number of the IP COMSEC Account;<br />
individual responsibilities and duties;<br />
access and storage requirements, including a floor plan if possible, and any NLZ and TPI<br />
control requirements;<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
list of the item(s) to be controlled and the point in the production process at which an<br />
item becomes IP COMSEC material, and becomes subject to IP accounting;<br />
NOTE: Assistance in identifying this point and in identifying the level of security<br />
classification or protected level is available by contacting the appropriate<br />
approving authority.<br />
accounting records (with examples) that reflect an accurate accounting status of each<br />
individual IP item or portions thereof, at every stage of production at any given time;<br />
internal and external process for the reconciliation of accounting records;<br />
procedures for the control of material during all aspects of its production as well as any<br />
form of drafts, extracts, waste, scrap, etc., applicable to that production;<br />
shipment methods for transfer or issue (hand receipt) of IP material;<br />
methods of disposal of breakage, waste and scrap, as well as accounting procedures to<br />
reflect the disposal of the items;<br />
procedures for the entry of COMSEC material from the NCMCS into the IP accounting<br />
system and transition of completed items into the NCMCS;<br />
identity of subcontractors, where applicable;<br />
COMSEC incident reporting procedures;<br />
an addendum to the plan for each contract where processing of IP COMSEC material is<br />
required, identifying the COMSEC material to be produced under that contract, and<br />
describing any procedures that are specific to that contract; and<br />
any special instructions.<br />
128 October 2011 Annex A – Control of In-Process<br />
COMSEC Material
UNCLASSIFIED<br />
A.2.2<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
Approval of an In-Process Plan<br />
An approved IP Plan must be in place before the release of or commencement of work on IP<br />
COMSEC material by the GC, GC contractor or subcontractors. Table 5 outlines the approval<br />
process of IP Plans for GC departments and the private sector, including subcontracts that will<br />
involve COMSEC material that is subject to IP controls.<br />
A.2.3<br />
Approving Authority<br />
CSEC is the approving authority for private sector IP Plans and GC IP Plans.<br />
A.2.4<br />
Changes to an In-Process Plan<br />
If changes to the planned development or production process are required, the IP plan must be<br />
amended in accordance with the instructions in this section. Changes to an IP plan must not be<br />
implemented before approval from the appropriate approval authority.<br />
Table 5 – Approval of IP Plans<br />
Private Sector IP Plan Approval Process<br />
Step<br />
Action<br />
The contractor must submit a draft IP Plan to CSEC ninety (90) calendar days<br />
1<br />
before the start date of the IP work.<br />
CSEC will review the draft IP Plan and provide comments, if any, to the<br />
2<br />
contractor.<br />
When the plan is acceptable to CSEC, the contractor must, if required by<br />
3 contractual agreement, submit the IP Plan formally to the GC client department’s<br />
contract coordinating office or Project Management Office, with a copy to CSEC.<br />
4 CSEC will issue formal approval to the GC client department and the contractor.<br />
Annex A – Control of In-Process October 2011 129<br />
COMSEC Material
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
Government IP Plan Approval Process<br />
Step<br />
1<br />
2<br />
3<br />
Action<br />
The GC department must submit a draft IP Plan to CSEC ninety (90) calendar<br />
days before the start of the IP work.<br />
CSEC will review the draft IP Plan and provide comments, if any, to the GC<br />
department.<br />
When the plan is acceptable to CSEC, the GC department must, if required by<br />
contractual agreement, submit the IP Plan formally to the GC client department’s<br />
contract coordinating office or Project Management Office, with a copy to CSEC.<br />
4 CSEC will issue formal approval to the GC department and the contractor.<br />
Sub-Contractor IP Plan Approval Process<br />
Step<br />
Action<br />
The primary contractor must ensure that the applicable requirements for IP Plan<br />
1<br />
(as set forth in this Annex) are specified in the contract with the subcontractor.<br />
2 The primary contractor must ensure that the subcontractor develops an IP Plan.<br />
The primary contractor will review the draft IP Plan and provide comments, if<br />
3<br />
any, to the subcontractor.<br />
The primary contractor must submit a draft IP Plan to CSEC on behalf of the<br />
4<br />
subcontractor ninety (90) calendar days before the start date of the IP work.<br />
CSEC will review the draft IP Plan and provide comments, if any, to the primary<br />
5<br />
contractor.<br />
When the plan is acceptable to CSEC, the primary contractor must, if required by<br />
contractual agreement, submit the IP Plan formally to the GC department’s<br />
6<br />
contract coordinating office or Project Management Office, with a copy to CSEC<br />
and the subcontractor.<br />
CSEC will issue formal approval to the GC department and the primary<br />
7<br />
contractor.<br />
130 October 2011 Annex A – Control of In-Process<br />
COMSEC Material
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
A.3 Accounting for In-Process COMSEC Material<br />
A.3.1<br />
Automated In-Process Accounting System<br />
The COMSEC Custodian must use a CSEC-approved IP accounting system to account for IP<br />
COMSEC material.<br />
A.3.2<br />
In-Process Accounting Records<br />
IP accounting records must contain the following information for each item:<br />
the date that the item was introduced into the IP accounting system within the facility<br />
(including IP items being returned by a subcontractor or the government, or being<br />
returned for rework);<br />
<br />
<br />
a brief, unclassified description of the items to be controlled which may include one or a<br />
combination of the following –<br />
o NATO Stock Number<br />
o U.S. Federal Stock Number<br />
o CSEC or vendor part number<br />
o short title (if applicable)<br />
o sensitivity (classification or protected level, or CCI), or<br />
o ALC (if required);<br />
quantity (when accounting by quantity is approved) or serial number (if individual item<br />
accounting is required); and<br />
disposition –<br />
o incorporated into a higher assembly (identify the higher assembly), or otherwise made<br />
a part of, another item of IP COMSEC material;<br />
o transferred or issued within IP accounting procedures;<br />
o entered into the NCMCS as an individual accountable item;<br />
o destroyed or declassified;<br />
o re-entered into the IP for rework; or<br />
o any other disposition not covered above.<br />
Annex A – Control of In-Process October 2011 131<br />
COMSEC Material
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
A.3.3<br />
Reconciliation of In-Process Accounting Records<br />
The IP COMSEC Custodian and an appropriately cleared and COMSEC briefed witness must<br />
conduct a reconciliation of IP accounting records semi-annually and at final delivery of the<br />
COMSEC material. The reconciliation must determine that every item brought into the IP<br />
accounting system or produced within the IP process is accounted for by physically sighting the<br />
COMSEC material to ensure that it:<br />
is still in the IP process or has been integrated or destroyed;<br />
is in IP COMSEC material storage;<br />
has been transferred out as a delivery of completed COMSEC material; or<br />
has been transferred or issued to a contractor, subcontractor or the GC client department.<br />
Any item that cannot be accounted for must be immediately reported as a COMSEC incident in<br />
accordance with the directive in Chapter 16.<br />
A.3.4<br />
In-Process Accounting Reports<br />
A.3.4.1<br />
Transfer before Government of Canada Acceptance<br />
Before GC acceptance, the IP COMSEC Custodian must transfer IP material from one IP<br />
COMSEC Account to another IP COMSEC Account using an IP Transfer Report with an IP<br />
transaction number. The IP Transfer Report must state that the COMSEC material is IP<br />
COMSEC material and the reason for the transfer, such as “provided to support contract (insert<br />
number)”. The IP accounting records must be annotated to reflect the transfer quoting the IP<br />
transaction number of the IP Transfer Report.<br />
NOTE: CSEC will provide IP COMSEC Account information for the transfer of IP COMSEC<br />
material to the Private Sector.<br />
A.3.4.2<br />
Transfer following Government of Canada Acceptance<br />
Following GC acceptance and purchase, the IP COMSEC Custodian must transfer IP COMSEC<br />
material from the IP COMSEC Account to the GC COMSEC Account using an IP Transfer<br />
Report. The IP Transfer Report must be annotated in the remarks column with “NEW COMSEC<br />
MATERIAL”. When received, the COMSEC Custodian must sign the IP Transfer Report and<br />
immediately enter the COMSEC material into the NCMCS via a Possession Report in<br />
accordance with Chapter 6.<br />
132 October 2011 Annex A – Control of In-Process<br />
COMSEC Material
UNCLASSIFIED<br />
A.3.4.3<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
In-Process Transfer Report Receipt<br />
The IP Transfer Report must be signed and assigned an IP transaction number by the IP<br />
COMSEC Custodian. The IP accounting records must be annotated to reflect the receipt of this<br />
material.<br />
A.3.4.4<br />
In-Process Hand Receipt<br />
When IP COMSEC material is issued to an authorized user (i.e. Local Element) before GC<br />
acceptance, the IP COMSEC Custodian must issue the material on an IP Hand Receipt. The IP<br />
Hand Receipt must be assigned an IP transaction number and contain the information in Figure<br />
2. The loan period should not exceed 90 calendar days without renewal. The IP accounting<br />
records must be annotated to reflect the issue. The IP COMSEC material must be shipped<br />
directly to the Local Element.<br />
A.3.4.5<br />
Temporary Release to Government of Canada<br />
When the IP COMSEC material is temporarily released to the GC, a copy of the Hand Receipt<br />
must be provided to the COMSEC Account at which the Local Element is registered (or to the<br />
DSO if the GC department does not have a COMSEC Account). The IP material must not be<br />
entered into NCMCS.<br />
NOTE: The IP COMSEC Custodian must contact the COMSEC Custodian or the DSO to<br />
ensure the authorized user has the appropriate security clearance, has been COMSEC<br />
briefed and has the appropriate storage for the IP COMSEC material.<br />
A.3.4.6<br />
Temporary Release to Private Sector<br />
When the IP COMSEC material is temporarily released to the Private Sector, a copy of the Hand<br />
Receipt must be provided to CSEC. The IP material must not be entered into NCMCS.<br />
NOTE: The IP COMSEC Custodian must contact CSEC to ensure the authorized user has the<br />
appropriate security clearance, has been COMSEC briefed and has the appropriate<br />
storage for the IP COMSEC material.<br />
A.3.4.7<br />
Hand Receipt Renewal<br />
The IP COMSEC Custodian must review hand receipts on a regular basis to ensure IP COMSEC<br />
material is returned before its due date. If the Hand Receipt needs to be renewed, the IP<br />
COMSEC Custodian must prepare a new IP Hand Receipt with a new IP transaction number and<br />
a reference to the previous IP Hand Receipt transaction number. The IP Hand Receipt for the<br />
renewal must include the additional information provided in Figure 2. The Local Element must<br />
sign the new Hand Receipt each time it is renewed.<br />
Annex A – Control of In-Process October 2011 133<br />
COMSEC Material
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
A.3.4.8<br />
Return of In-Process COMSEC Material<br />
When the IP COMSEC material is to be returned, the IP COMSEC Custodian must prepare an IP<br />
Hand Receipt for the Local Element. The Local Element must include this Hand Receipt with the<br />
shipment. Upon receipt of the material, the IP COMSEC Custodian will sign the IP Hand<br />
Receipt and return a copy to the Local Element. The IP Hand Receipt must include the additional<br />
information provided in Figure 3.<br />
The above listed IP COMSEC material has not been accepted by the Government of Canada<br />
and is the property of:<br />
_____________________________________________.<br />
(Name)<br />
This IP COMSEC material is being issued (on a Hand Receipt) for 90 calendar days for:<br />
_____________________________________________.<br />
(Reason for Loan)<br />
Should the length of the loan exceed 90 calendar days, the recipient must sign a new IP Hand<br />
Receipt Report provided by:<br />
_____________________________________________.<br />
(Name)<br />
THIS IP COMSEC MATERIAL MUST NOT BE ENTERED INTO THE NCMCS.<br />
Figure 3 – IP Hand Receipt Required Information<br />
The above listed IP COMSEC material has not been accepted by the Government of Canada<br />
and is the property of:<br />
_____________________________________________.<br />
(Contractor Name)<br />
This IP COMSEC material is being returned to the originator.<br />
THIS IP COMSEC MATERIAL MUST NOT BE ENTERED INTO THE NCMCS.<br />
Figure 4 – Return of Issued IP COMSEC Material<br />
134 October 2011 Annex A – Control of In-Process<br />
COMSEC Material
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
A.3.4.9<br />
In-Process Destruction Report<br />
The IP COMSEC Custodian must prepare an IP Destruction Report to report the destruction of<br />
COMSEC material and to record the removal of IP COMSEC material from the IP accounting<br />
system. The IP Destruction Report must be signed by the IP COMSEC Custodian and the<br />
witness who performed the destruction. The remarks column of the IP Destruction Report must<br />
be annotated with the authority for destruction (e.g. breakage, waste, scrap). Destruction must be<br />
carried out in accordance with the directive in Chapter 12.<br />
A.3.5<br />
Retention and Disposition of In-Process Records and Reports<br />
IP records, files and reports must be retained for a minimum of two years.<br />
A.3.6<br />
Audit of In-Process COMSEC Accounts<br />
IP COMSEC Accounts must be audited annually or more frequently if deemed necessary. An<br />
unscheduled audit of an IP COMSEC Account may be conducted if audit reports (or other<br />
sources) reveal a significant deviation from the IP Plan, resulting in a lack of control and/or<br />
accountability of IP COMSEC material.<br />
NOTE 1: CSEC will audit all GC departmental IP COMSEC Accounts.<br />
NOTE 2: CICA will audit all private sector IP COMSEC Accounts.<br />
A.4 Control of In-Process COMSEC Equipment<br />
A.4.1<br />
Integrated Circuits<br />
A.4.1.1<br />
Individual Items<br />
Individual classified or protected IP wafers, masks, reticules, masters, test samples, pattern<br />
generation tapes, etc., must be controlled on a continuous receipt system from one manufacturing<br />
process to another, and from one IP COMSEC Account to another. The accounting and control<br />
record must show the receipt or fabrication of each IP item, description and quantity of the<br />
COMSEC material and the disposition of the item and bear the signatures of the responsible<br />
individuals (e.g. production supervisor, loan holder) for each phase of fabrication.<br />
A.4.1.2<br />
Partial Items<br />
Less than a full wafer must be controlled as individual dies, in accordance with Article A.4.1.1,<br />
unless the wafer is reconstructed on an adhesive base. In that case, accountability resumes by<br />
wafer count, and the record must show the number of dies removed. An attempt should be made<br />
to determine the number of possible full dies in a wafer before dicing the wafer.<br />
Annex A – Control of In-Process October 2011 135<br />
COMSEC Material
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
If this cannot be accomplished, the number of full dies must be established immediately after<br />
dicing the wafer. Less than a full die must be considered classified or protected scrap and<br />
controlled accordingly.<br />
A.4.1.3<br />
Broken Items<br />
Any area in which the breakage of an IP wafer, mask, reticule or die has occurred must be<br />
immediately safeguarded. Every effort must be made to reconstruct the broken item onto an<br />
adhesive base. If any chip or portion thereof cannot be accounted for, a COMSEC Incident<br />
Report must be made in accordance with Chapter 16. If the missing portion or the entire wafer,<br />
mask, reticule or die has fragmented to such a degree that reconstruction is impossible, the<br />
COMSEC Custodian must:<br />
a. remove all particles from the breakage area by vacuuming;<br />
b. mark, once the area has been vacuumed, the vacuum bag containing the residue of the item<br />
with the wafer, mask or reticule number and its sensitivity (or, where applicable, with the<br />
identification of the chip or portion thereof belonging to the wafer, mask or reticule<br />
number);<br />
c. ensure the vacuum cleaner bag is initialled by two properly cleared individuals; and<br />
d. control the vacuum bag as classified and protected COMSEC material until its contents can<br />
be destroyed using a CSEC-approved destruction method or transported to the NDA at<br />
CSEC for destruction.<br />
A.4.2<br />
Controlled Cryptographic Items<br />
A.4.2.1<br />
Development<br />
The development, manufacture or assembly of IP CCI equipment may begin with either:<br />
<br />
<br />
A.4.2.2<br />
an IP design which goes through transition during development to become an IP CCI<br />
component or assembly, which the contractor further processes into IP CCI equipment; or<br />
CCI component or assembly that the contractor receives from an authorized source and<br />
further processes into IP CCI equipment.<br />
Protection of In-Process COMSEC Functions<br />
Microcircuit chips used in hardware or firmware embodiments must be protectively coated by a<br />
CSEC-approved process that will resist attempts to:<br />
recover IP design information by reverse engineering;<br />
defeat the security features; or<br />
136 October 2011 Annex A – Control of In-Process<br />
COMSEC Material
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
<br />
otherwise recover information in memory (e.g. by external probing), unless, as verified<br />
by the CSEC Project Manager, one of the following applies –<br />
o the protective coating is incompatible with the microcircuit chip, such that the<br />
reduced effectiveness inherent with the use of the coating is unacceptable, or<br />
o other equally protective measures have been adopted in order to resist the abovementioned<br />
threats.<br />
NOTE 1: Unless it can be demonstrated that it is not technically feasible to do so, hardware<br />
embodiments of IP COMSEC functions must be in custom microcircuit form<br />
(i.e. embodiments that are composed of discrete components or standard<br />
microcircuits are not permitted).<br />
NOTE 2: Firmware embodiments of IP COMSEC functions must be in microcircuit form<br />
(custom or standard). They must employ an irreversible security feature that prevents<br />
both readout and modification, of the programmed information in the on-board<br />
memory from external, physically accessible pins.<br />
A.4.2.3<br />
Transition from In-Process Design Status to In-Process Controlled<br />
Cryptographic Items – Hardware Embodiments<br />
For hardware embodiments, the transition from IP design status to IP CCI occurs at the<br />
microcircuit photo-mask stage. Design automation by-products leading to, and including, the<br />
reticule for each layer of the microcircuit must be handled at the same classification or protected<br />
level as the engineering drawings from which they were derived. The photo-masks ultimately<br />
used as tooling in the actual production process, as well as the resulting semiconductor wafers<br />
and its subsequent forms (e.g. individual chips) leading to sealed devices, must be controlled as<br />
IP CCI material, in accordance with Article A.4.2.5.<br />
A.4.2.4<br />
Transition from In-Process Design Status to In-Process Controlled<br />
Cryptographic Items – Firmware Embodiments<br />
For firmware embodiments, the transition from IP design status to IP CCI occurs after the<br />
IP design information has been entered into the microcircuit memory, and the security feature<br />
described in Article A.4.2.2 has been set. Thereafter, the microcircuits must be controlled as<br />
IP CCI material, in accordance with Article A.4.2.6. Software source data for firmware<br />
embodiments of IP design information remain IP and must be safeguarded in accordance with<br />
this directive.<br />
Annex A – Control of In-Process October 2011 137<br />
COMSEC Material
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
A.4.2.5<br />
Control of In-Process Microcircuit Devices<br />
Following the transition from IP design status to IP CCI, the microcircuit devices must be<br />
controlled throughout the remainder of the manufacturing and assembly process as follows:<br />
Photo masks and wafers must –<br />
o be clearly marked “CONTROLLED CRYPTOGRAPHIC ITEM” or “CCI”;<br />
o bear a serial number and be accounted for by that serial number (until the photo<br />
masks are securely destroyed and the wafers are diced); and<br />
o be accounted for by quantity after a wafer is diced.<br />
<br />
<br />
<br />
When a microcircuit is completely fabricated, purchased, accepted and transferred to the<br />
government, accountability must be in accordance with NCMCS accounting procedures.<br />
When a microcircuit is completely fabricated, and purchased and shipped to another<br />
private sector organization for use in a manufacturing process, accountability must be in<br />
accordance with the IP accounting procedures.<br />
When the microcircuit is stored for future sale or stored for contractual obligations or<br />
moves to the next level of assembly, the microcircuit must be maintained in the<br />
contractor’s IP accounting system.<br />
A.4.2.6<br />
Control of Printed Wiring Assemblies<br />
The PWAs assume IP CCI status as soon as a CCI microcircuit is installed upon it. Following<br />
this transition, the PWA must be controlled throughout the remainder of the manufacturing and<br />
assembly process as follows:<br />
<br />
<br />
<br />
<br />
<br />
At the point of transition, accountability for the microcircuit ceases, and accountability for<br />
the PWA begins.<br />
NOTE: This disposition of the microcircuit, and the subsequent accountability for the<br />
PWA, must be reflected in the IP accounting records.<br />
Completely fabricated PWAs are accountable by quantity when they fit the definition of<br />
“CCI Component” and by serial number when they fit the definition of “CCI Assembly”.<br />
During further assembly, PWAs must be accounted for by quantity.<br />
When a PWA is completely fabricated, and purchased and transferred to the government,<br />
accountability must be in accordance with NCMCS accounting procedures.<br />
When a PWA is completely fabricated, purchased and shipped to another private sector<br />
organization for use in a manufacturing process, accountability must be in accordance<br />
with the IP accounting procedures.<br />
138 October 2011 Annex A – Control of In-Process<br />
COMSEC Material
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
<br />
When the PWA is stored for future sale or stored for contractual obligations or moves to<br />
the next level of assembly, it must be maintained in the contractor’s IP accounting system.<br />
A.4.2.7<br />
Labelling Controlled Cryptographic Item Components, Assemblies and<br />
Equipment<br />
CCI components, assemblies and equipment must be labelled, “CONTROLLED<br />
CRYPTOGRAPHIC ITEM” or “CCI” depending on the labelling space available, in accordance<br />
with standard drawings available from CSEC and with the information provided in Table 6.<br />
Table 6 – Labelling CCI<br />
CCI<br />
CCI<br />
Components<br />
CCI<br />
Assemblies<br />
CCI<br />
Equipment<br />
Labelling and Control Requirements<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Each CCI component must be labelled “CCI” at the same time as other<br />
part-specific nomenclature is applied.<br />
Each CCI assembly must bear a government serial number for<br />
accounting purposes, in accordance with criteria which will be furnished<br />
by CSEC.<br />
Labelling may be applied at any stage of the assembly process before the<br />
end of the assembly process.<br />
CCI controls applicable to a CCI assembly need not take effect until a<br />
CCI component is installed.<br />
Each item of CCI equipment must be labelled “CONTROLLED<br />
CRYPTOGRAPHIC ITEM” in a conspicuous, external location.<br />
Each item of CCI equipment must also bear a government serial number<br />
for accounting purposes, in accordance with criteria furnished by CSEC.<br />
Labelling may be applied at any stage of the assembly process before the<br />
end of the assembly process.<br />
CCI controls applicable to such equipment need not take effect until a<br />
CCI component or CCI assembly is installed.<br />
A.4.3<br />
Breakage, Waste and Scrap In-Process COMSEC Material<br />
IP COMSEC material leaving the development, production, manufacturing or assembly process<br />
due to failure, breakage or normal waste (e.g. broken wafer, partial die, broken or faulty PWAs<br />
or microcircuit devices) must be controlled until its approved destruction can be performed.<br />
When authorized methods of destruction are not available, contact COMSEC Client Services, at<br />
CSEC for disposal guidance.<br />
Annex A – Control of In-Process October 2011 139<br />
COMSEC Material
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
A.4.4<br />
Loss of In-Process COMSEC Material<br />
An extensive search must be made for any lost IP COMSEC material. Loss of such material must<br />
be documented in the IP COMSEC Account records and immediately reported as a COMSEC<br />
incident in accordance with the direction in Chapter 16.<br />
A.5 COMSEC Equipment under Repair and Maintenance Contract<br />
A.5.1<br />
Transfer to/from the Contractor<br />
The COMSEC Custodian for the GC department must transfer COMSEC equipment requiring<br />
repair or maintenance to the contractors COMSEC Account. The COMSEC Custodian will issue<br />
the COMSEC equipment to the IP COMSEC Account and annotate the Hand Receipt with an IP<br />
transaction number. When the item is ready to be returned to the GC department, the process will<br />
be reversed. Transfers of COMSEC equipment destined for the contractor’s COMSEC Sub-<br />
Account must be through the CICA unless a direct transfer has been pre-approved by CSEC.<br />
A.5.2<br />
Accountability within the Repair and Maintenance In-Process Facility<br />
Special attention must be given to ensure that the IP accounting procedures record the removal,<br />
insertion, disposal, destruction (if authorized) and conversion (if required) of all COMSEC parts,<br />
components and assemblies used in the R&M process as well as the continuous accountability of<br />
the COMSEC equipment being serviced by the contractor or maintenance depot.<br />
A.5.3<br />
Sources of Spare COMSEC Parts, Components and Assemblies<br />
A.5.3.1<br />
In-House Sources<br />
If the R&M contractor is the same as the contractor who built the COMSEC equipment, the<br />
required COMSEC parts, components and assemblies require an in-house IP Transfer Report<br />
from the manufacturing IP accounting system to the R&M IP accounting system.<br />
A.5.3.2<br />
Government Sources<br />
The COMSEC Custodian must transfer the COMSEC parts, components and assemblies to the<br />
CSEC CICA who will, in turn, transfer the material as GFE to a Canadian industrial COMSEC<br />
Account in accordance with Article 7.4.1 of this directive.<br />
Transfer of GFE to or from allied contractors is handled on a case-by-case basis. Contact<br />
COMSEC Client Services at CSEC.<br />
140 October 2011 Annex A – Control of In-Process<br />
COMSEC Material
UNCLASSIFIED<br />
A.5.3.3<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
Another Contractor<br />
COMSEC parts, component and assemblies that originate from another contractor, whether by<br />
purchase or by contractual agreement, should be transferred from the manufacturer’s IP<br />
accounting system to the R&M contractor’s IP accounting system using an IP Transfer Report.<br />
A.5.4<br />
Non-Serviceable In-Process Parts, Components and Assemblies<br />
A.5.4.1<br />
Disposition<br />
Any COMSEC part, component or assembly removed from GC COMSEC equipment and<br />
replaced with IP COMSEC material (part, component or assembly) automatically becomes nonserviceable<br />
IP COMSEC material for disposal. Disposal of these items can consist of local<br />
destruction or transfer for destruction. The IP disposition records must show the disposition, and<br />
if required, replacement of non-serviceable COMSEC parts, components and assemblies. IP<br />
disposition must be detailed in the IP Plan.<br />
A.5.4.2<br />
Local Destruction<br />
When local destruction is authorized by CSEC, the IP COMSEC Custodian must prepare an<br />
IP Destruction Report for the local destruction of non-serviceable parts, components and<br />
assemblies. The destruction must be carried out in accordance with the direction in Chapter 12.<br />
A.5.4.3<br />
Transfer to Private Sector Destruction Facility<br />
If non-serviceable items are to be moved out of the R&M IP accounting system for disposal at a<br />
private sector destruction facility, the destruction facility requires an IP Plan. The IP COMSEC<br />
Custodian must transfer the items from the R&M contractor’s IP accounting system to the<br />
destruction facility’s IP accounting system using an IP Transfer Report. Disposition records must<br />
reflect this transfer. Upon destruction, the destruction facility must originate an IP Destruction<br />
Report and their IP disposition records must reflect the destruction.<br />
A.5.4.4<br />
Transfer to Government of Canada for Destruction<br />
If non-serviceable items are to be moved out of the R&M IP accounting system for disposal at a<br />
GC destruction facility, the IP COMSEC Custodian must transfer the items from the R&M<br />
contractor’s IP accounting system to CSEC using an IP Transfer Report. Disposition records<br />
must reflect this transfer. CSEC will prepare a Possession Report to enter the items into the<br />
NCMCS and initiate final transfer for disposal.<br />
Annex A – Control of In-Process October 2011 141<br />
COMSEC Material
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
A.5.5<br />
Non-repairable COMSEC Equipment<br />
Non-repairable COMSEC equipment under an R&M contract must be returned to the GC<br />
department for disposal. The R&M contractor may only dispose of a GC department’s COMSEC<br />
equipment by returning it to that GC department. The GC department is responsible for the<br />
disposition of their COMSEC equipment in accordance with the Canadian Cryptographic<br />
Doctrine for the Disposal of Accountable COMSEC Material (CCD-49).<br />
A.6 Accountable COMSEC Publications under Development<br />
A.6.1<br />
In-Process Manuscripts<br />
Manuscripts that will eventually become accountable COMSEC publications within the NCMCS<br />
must be categorized as “IP Manuscripts”. An IP manuscript is an item that in any form<br />
(e.g. computer printout, artwork, magnetic or optical media) provides information relative to<br />
COMSEC management, design, operability or repair and maintenance and is used as input to the<br />
development of an accountable COMSEC publication.<br />
A.6.2<br />
Working Papers<br />
Material drafted in support of IP manuscripts must be handled as “working papers” (including<br />
hand written or electronic notes) in accordance with the classification or protected level of the<br />
source information. Working papers held by a writer for a period of thirty (30) calendar days<br />
must, at that time, become accountable under the IP accounting system. Once entered into the IP<br />
accounting system, records must be maintained of its existence, location, quantity, and<br />
disposition. This process must continue until all portions of the manuscript are developed, and<br />
are entered into the IP system. When fully developed, the manuscript must remain in the IP<br />
accounting system until final disposition.<br />
A.6.3 Release of In-Process Manuscripts before Government of Canada<br />
Acceptance<br />
A.6.3.1<br />
Release of In-Process Manuscripts Portions<br />
When it is necessary to release portions of an IP manuscript outside of the organization<br />
responsible for its creation, the following rules apply:<br />
<br />
<br />
<br />
The IP accounting records must reflect the number of pages comprising the initial<br />
release;<br />
The number of pages must also be annotated on the IP manuscript’s cover;<br />
When the release is in a form other than physical copy, the label identifying the contents<br />
must also be annotated with the number of pages contained therein; and<br />
142 October 2011 Annex A – Control of In-Process<br />
COMSEC Material
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
<br />
Whenever manuscripts are released in parts, the pages of all parts must be numbered<br />
consecutively (e.g. if 50 textual pages are released first, the second-portion of the release<br />
must be numbered beginning with page 51).<br />
A.6.3.2<br />
Draft of In-Process Manuscripts<br />
When it is necessary to release a completed draft of an IP manuscript outside of the organization<br />
responsible for its creation, the following rules apply:<br />
The IP accounting records must reflect the number of pages comprising the release.<br />
<br />
<br />
A.6.3.3<br />
The pages must be numbered consecutively and the number of pages must be annotated<br />
on the IP manuscript’s cover.<br />
When the release is in a form other than physical copy, the label identifying the contents<br />
must also be annotated with the number of pages contained therein.<br />
Marking In-Process Manuscripts for Release before Government of<br />
Canada Acceptance<br />
The cover page of an IP manuscript must be marked with a short title (CSEC is the authority for<br />
all short titles), edition (if applicable), copy number and classification or protected level. Each<br />
section, part, paragraph or similar portion of an IP manuscript must be marked to reflect the<br />
highest level of its classification or protected level. The IP manuscript must bear the marking<br />
“COMSEC MATERIAL” as illustrated in Figure 4.<br />
NOTE 1: If release to U.K. or U.S. contractors has been authorized by CSEC, the above<br />
marking must be modified to indicate “U.K./CANADIAN CITIZENS” or<br />
“U.S./CANADIAN CITIZENS”, as appropriate.<br />
NOTE 2: If release to a GC department has been authorized by the originator, the above<br />
marking must be modified to indicate the name of the GC department instead of<br />
contractor and MOU or LOA instead of contract number.<br />
A.6.3.4<br />
Printing In-Process Manuscripts before Government of Canada<br />
Acceptance<br />
If the IP Plan calls for the printing of copies of IP manuscripts within the IP developer’s facility,<br />
the IP COMSEC Custodian must ensure that all copies are accounted for within the IP COMSEC<br />
Account. If the IP Plan calls for the printing of copies of IP manuscripts outside the IP<br />
developer’s facility under a reproduction contract, refer to Section A.7 of this annex.<br />
Annex A – Control of In-Process October 2011 143<br />
COMSEC Material
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
A.6.4<br />
Government of Canada Acceptance of a Final Manuscript<br />
An IP manuscript must remain under IP accounting system controls until such time as it reaches<br />
a final state for acceptance by the GC. At that time, the manuscript will be brought into the<br />
NCMCS, as specified in Section A.3.4 of this annex.<br />
A.6.5<br />
Destruction of In-Process Manuscripts<br />
The IP COMSEC Custodian should destroy IP manuscripts and working papers as soon as a<br />
requirement for the material no longer exists. Once the IP manuscript has been delivered and<br />
accepted by the GC, the COMSEC Custodian must prepare an IP Destruction Report and destroy<br />
all copies of the manuscript and associated working papers. The destruction must be carried out<br />
in accordance with the directive in Chapter 12.<br />
IP COMSEC MATERIAL<br />
THE ENCLOSED COMSEC INFORMATION HAS BEEN RELEASED TO<br />
_____________________________________________.<br />
(Name of Contractor)<br />
BY THE GOVERNMENT OF CANADA FOR CONTRACT<br />
_____________________________________________.<br />
(Contract Number)<br />
ACCESS BY CONTRACTOR PERSONNEL MUST BE RESTRICTED TO CANADIAN<br />
CITIZENS (INCLUDING DUAL NATIONALITY) WITH A “NEED-TO-KNOW” WHO<br />
HOLD A VALID SECURITY CLEARANCE AND HAVE BEEN COMSEC BRIEFED. ANY<br />
OTHER DISCLOSURE OR RELEASE WITHOUT SPECIFIC CSEC APPROVAL, AS<br />
APPLICABLE, IS STRICTLY PROHIBITED.<br />
Figure 5 – IP COMSEC Material Label<br />
144 October 2011 Annex A – Control of In-Process<br />
COMSEC Material
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
A.7 Accountable COMSEC Publications under Reproduction or<br />
Translation Contract<br />
A.7.1<br />
In-Process Manuscripts<br />
IP manuscripts provided to a contractor for reproduction or translation must originate from either<br />
the GC department or a private sector contractor who wrote the IP manuscript. The IP COMSEC<br />
Custodian must transfer the manuscript from the originator’s IP COMSEC Account to the<br />
contractor’s IP COMSEC Account using an IP Transfer Report. On completion of the translation<br />
or reproduction contract, the original IP manuscript and all physical and electronic copies must<br />
be transferred back to the originating IP COMSEC Account using an IP Transfer Report. All<br />
items going to the private sector must be through CICA unless pre-approval for direct transfer<br />
has been granted by the COMSEC Client Services at CSEC.<br />
A.7.2<br />
COMSEC Publications Controlled within the National COMSEC Material<br />
Control System<br />
When existing COMSEC publications controlled within the NCMCS are authorized for<br />
reproduction under a reproduction contract, the COMSEC Custodian will issue a copy to the<br />
contractor’s IP COMSEC Custodian in accordance with Section A.3.4 of this directive. The<br />
COMSEC Custodian must review and renew the hand receipt every ninety (90) calendar days<br />
until the COMSEC publication is returned.<br />
On completion of the translation or reproduction contract, the IP COMSEC Custodian must<br />
return the original copy and transfer the reproduced copies (electronic or physical) to the<br />
originating IP COMSEC Account using an IP Transfer Report. On receipt, the COMSEC<br />
Custodian must sign for the copies on the Transfer Report and prepare a Possession Report to<br />
enter the copies into the NCMCS.<br />
NOTE: Accountable COMSEC publications may only be reproduced upon specific written<br />
authorization from the originator. Instructions for reproduction of extracts will be<br />
contained in the publication’s handling instructions.<br />
A.7.3<br />
Destruction of In-Process Material Surplus to Contract Requirement<br />
Once the copies have been delivered and accepted by the GC, the IP COMSEC Custodian must<br />
prepare an IP Destruction Report and destroy all start up runs, additional electronic copies,<br />
partial electronic copies, over runs, misprints, misfeeds, etc. The destruction must be carried out<br />
in accordance with the direction in Chapter 12.<br />
Annex A – Control of In-Process October 2011 145<br />
COMSEC Material
UNCLASSIFIED<br />
Directive for the Control of COMSEC Material in the Government of Canada (<strong>ITSD</strong>-<strong>03</strong>)<br />
This page intentionally left blank.<br />
146 October 2011 Annex A – Control of In-Process<br />
COMSEC Material