CHAPTER 4. SAFEGUARDING COMSEC FACILITIES                    

                             SECTION 1.  GENERAL                               

      50.  PURPOSE.  National Communications Security Instruction
      (NACSI) 4008, Safeguarding COMSEC Facilities, dated March 4,
      1983, prescribes standards for safeguarding COMSEC Facilities.
      NACSI 4008 is implemented for all USAF supported COMSEC accounts
      by Air Force Regulation AFR 56-6, same subject, dated November 3,
      1986, all FAA COMSEC accounts are required to comply with the
      policies and procedures established in these directives.  This
      chapter identifies specific requirements for which compliance is
      mandatory.                                                               

      51.  REFERENCED PUBLICATIONS.  Appendix 5, to this order contains
      a reference listing of NACSI'S, NTISSI'S, and AFR's that are to
      be maintained by all FAA COMSEC accounts.  The publications
      listed below pertain specifically to areas covered in this
      chapter.                                                                 

           a.  NACSI No. 4005, Safeguarding and Control of
      Communications Security Material, dated October 12, 1979.  This
      NACSI is implemented in USAF publication AFR 56-13, same subject,
      dated July 28, 1987.                                                     

           b.  NACSI No. 4009, Protected Distribution Systems, dated
      December 30, 1981.  Implemented by USAF publication AFR 56-19,
      same subject, dated November 3, 1986.                                    

           c.  NTISSI No. 4004, Routine Destruction and Emergency
      Destruction of COMSEC Material, dated March 11, 1987.
      Implemented by USAF publication AFR 56-5, same subject, dated
      August 28, 1987.                                                         

           d.  NCSC-9, National COMSEC Glossary, dated September 1,
      1982.                                                                    

      52.  BACKGROUND.                                                         

           a.  National standards for safeguarding COMSEC facilities
      are necessary to ensure the integrity of the classified COMSEC
      material contained therein.                                              

           b.  The principal threats which such safeguards must defend
      against are:                                                             

               (1)  Unauthorized access to or observation of classified
      COMSEC material.                                                         

               (2)  Tampering with or TEMPST exploitation of, COMSEC
      and associated telecommunications equipment.                             

               (3)  Clandestine exploitation of sensitive
      communications within a secure telecommunications
      facility (e.g. "bugging").                                               

                   SECTION 2.  PHYSICAL SECURITY STANDARDS                     

      53.  PHYSICAL SECURITY STANDARDS FOR FIXED COMSEC FACILITIES.            

           a.  Application.  For the purposes of this order, unless
      specifically stated otherwise, all FAA COMSEC facilities are
      considered as "fixed."  Should questions arise concerning the
      application of the physical security standards prescribed by this
      order to a specific facility they shall be addressed through the
      servicing security element to Manager, Investigations and
      Security Division, ACO-300, Washington, D.C., for resolution.            

           b.  Standards.  All FAA COMSEC secure telecommunications
      facilities will be designated as CLOSED Areas in accordance with
      Order 1600.2C and will comply with the physical security
      standards specified in this section and Appendix 3.                      

           c.  Special Security Requirements.  Users of COMSEC
      equipment should be aware of special security requirements that
      may apply to the system they are using.  NSA publishes these
      special doctrinal guidance documents as NACSI's in the 8000
      series.  The USAF implements the 8000 series NACSI's as AFSAL's
      and publishes and distributes them as specialized COMSEC
      publications in the COMSEC Material Control System (CMCS).  These
      documents are indexed in AFKAG-13 and are available on request to
      all COMSEC custodians.                                                   

           d.  Security/Engineering Approval.                                  

               (1)  The manager of the office or activity in which a
      secure telecommunications facility is located is responsible for
      ensuring that design and construction plans are coordinated
      through the servicing security element with ANC-120 and ACO-300
      prior to implementation.  This includes engineering and
      construction plans and specifications for proposed secure
      telecommunications facilities and ancillary terminal equipments,
      as well as plans for the reengineering or modification of
      existing facilities.  Failure to do this will result in automatic
      loss of certification for the secure telecommunications facility.
               (2)  Specifications and associated drawings must be
      submitted through the servicing security element to ACO-300 and
      to ANC-120.  Subsequent to a review of the plans and
      specifications, a joint determination will be made by ANC-120 and
      ACO-300 either approving the plans or identifying corrective
      actions that must be taken.                                              

      54.  INSTALLATION CRITERIA.  FAA facilities which generate,
      process, or transfer unencrypted classified information by
      electrical, electronic, electromechanical, or optical means shall
      conform to the guidance and standards in NACSI 4009, NACSIM
      5100A, and NACSIM 5203 with regard to protected wireline
      distribution systems.  Questions concerning security requirements
      shall be addressed through the servicing security element to
      ACO-300 for resolution.  Questions relevant to engineering and
      construction standards should be coordinated through the
      appropriate regional/center Airway Facilities channel and
      forwarded in writing to ANC-120, with an information copy to
      ACO-300 and the servicing security element.                              

      55.  FACILITY APPROVALS, INSPECTION, AND TESTS.                          

           a.  Approval to Hold Classified COMSEC Material.  Each FAA
      facility must be approved by the servicing security element
      before the facility may hold classified COMSEC material.  Such
      approval shall be based on an inspection by the servicing
      security element which determines that the facility meets the
      physical safeguarding and other requirements of this order.              

                (1)  The servicing security element will advise the
      facility manager by letter of the approval or disapproval of the
      facility with an information copy to ACO-300.  The facility will
      retain a copy of the approval letter in its COMSEC file.                 

                (2)  After initial approval, each FAA facility holding
      classified COMSEC material shall be reinspected in accordance
      with provisions of FAA Order 1650.7B as they pertain to Category
      1 facilities.  The facility shall also be reinspected and the
      approval reviewed, when:                                                 

                (a)  There is evidence of penetration or tampering,            

                (b)  Alterations are made which significantly change
      the physical characteristics of the facility,                            

                (c)  The facility is relocated or the facility is
      reoccupied after being temporarily abandoned.                            

           b.  Approval to Operate Secure Telecommunication Facilities.
      In addition to the requirement for physical security approval to
      hold classified COMSEC material, FAA secure telecommunications
      facilities require the following inspections and tests:                  

                (1)  General COMSEC Inspection.  ACO-300 is responsible
      for conducting a general COMSEC inspection of secure
      telecommunications facilities prior to initial activation where
      practicable, but in any case within 90 days after activation.
      Thereafter reinspection is required at intervals of no greater
      than 18 months.  At a minimum, the inspection shall assess secure
      operating procedures and practices, handling and storage of
      COMSEC material, routine and emergency destruction capabilities,
      compliance with installation (Red/Black) criteria, and obvious
      technical security hazards.
                (2)  Technical Surveillance Countermeasures
      Inspections.  TSCM inspections are conducted by ACO-300 in
      accordance with provisions of Order 1600.12C.                            

                     (a)  COMSEC custodians shall send requests for
      TSCM inspections of new secure telecommunications facilities
      through the appropriate servicing security element to ACO-300 in
      accordance with procedures required by Order 1600.12C.  Requests
      will be appropriately classified and should be submitted at least
      90 days before the projected activation date for the facility.           

                     (b)  After the initial TSCM survey ACO-300 will
      schedule subsequent surveys.                                             

                     (c)  Requests for TSCM support shall be submitted
      when any of the conditions exist that are described in
      subparagraphs 5b(2)(a), (b), and (c), Annex A to NACSI 4008/AFR
      56-6.                                                                    

                (3)  TEMPEST Inspections and Tests.  Visual TEMPEST
      inspections and, where determined to be necessary by ANC-120,
      instrumented TEMPEST tests shall be conducted at secure
      telecommunications facilities in accordance with requirements
      specified in subparagraphs 4b(3)(a) and (b), Annex A to NACSI
      4008/AFR 56-6.                                                           

      Written requests for instrumented TEMPEST test support should be
      submitted by the office or activity manager or COMSEC custodian
      through appropriate region/center channels to ANC-120 with an
      information copy to ACO-300.                                             

           c.  Daily Security Check.                                           

               (1)  Continuously Manned Facility.  In a continuously
      manned facility, a security check shall be made at least once
      every 24-hours.  This shall be a visual check to ensure that all
      classified COMSEC information is properly safeguarded, and that
      physical security protection system/devices (e.g., door locks and
      vent covers) are functioning properly.                                   

                (2)  Facilities that are Not Continuously Manned.  In a
      facility which is not continuously manned, the security check
      shall be conducted at least every 24 hours if the facility is in
      operation for 24 hours or more and prior to departure of the last
      person and shall include additional checks to ensure that the
      facility entrance door is locked and that, where installed,
      intrusion detection systems are activated.  Where a facility is
      unmanned for periods greater than 24 hours (e.g., during weekends
      and holidays) and the facility is not protected by an intrusion
      detection system that has been approved by ACO-300, a check shall
      be made at least once every 24 hours to ensure that all doors to
      the facility are locked and that there have been no attempts at
      forceful entry.                                                          

           d.  Activity Security Checklist.  FAA secure
      telecommunications facilities will use Standard Form (SF) 701,
      Activity Security Checklist, to record the daily security check.
      The national stock number for the SF 701 is 7540-01-213-7899.
      The form is available from the GSA.  In facilities which operate
      continuously, at the end of each shift, the person responsible
      (shift supervisor, for example) makes the security check.  The
      daily security check may be a part of, but not a substitute for,
      the daily (or shift) inventory of COMSEC material.
      NOTE:  If in a continuously operating facility the security
      container is not unlocked it will not be opened solely to
      inventory the contents.  An inventory will be conducted when the
      container is opened.                                                     

      56.  INTRUSION DETECTION SYSTEMS.  Intrusion detection systems
      used to protect COMSEC information must be specifically approved
      for that purpose by ACO-300 prior to installation.  When approved
      alarm systems replace permanent guards, they must be used with an
      immediate guard response which will not exceed 5 minutes under
      any condition.                                                           

      57.-60.  RESERVED.                                                       

                SECTION 3.  ACCESS RESTRICTIONS AND CONTROLS                   

      61.  UNESCORTED ACCESS.                                                  

           a.  General.  Unescorted access to FAA offices/activities
      handling, storing, or processing classified COMSEC material will
      be limited to:                                                           

                (1)  FAA government civilian or military personnel who
      are U.S. citizens and whose duties require such access and, if
      the material is classified, who have been granted a security
      clearance equal to or higher than the classification of the
      COMSEC material involved.                                                

                (2)  Normally, these individuals will have regular duty
      assignments in the facility.  The individuals must meet all
      requirements of the FAA Formal Cryptographic Access (FCA) Program
      as specified on Chapter 2 of this order.                                 

                (3)  The names of all such individuals shall appear on
      a posted formal access list.                                             

                (4)  Official visitors whose names do not appear on the
      access list may also be granted unescorted access by the COMSEC
      custodian or the facility manager having responsibility and
      authority for the COMSEC operations, provided the visitors
      require such access and meet the access requirements of NACSI
      4005 and this order to include verification of the fact that the
      individuals have received a cryptographic access briefing and
      have a current signed cryptographic access authorization.  All
      such visits shall be recorded on the visitor register (FAA Form
      1600.8 or equivalent).                                                   

                (5)  No individual will be allowed unescorted access to
      an FAA COMSEC facility who has not received a cryptographic
      access briefing and signed a cryptographic access authorization.         

           b.  Access Controls and Procedures for Secure
      Telecommunications Facilities.  The following controls and
      procedures will be used to control access to secure
      telecommunications facilities:                                           

                (1)  Entrance controls will be established to prevent
      entry by persons not listed on the authorized entrance list.
      Facilities using the locked-door system must have a buzzer system
      and a way to challenge and identify persons before they enter.           

                (2)  Entrance doors to FAA facilities shall be equipped
      with a fish-eye viewing device to permit identification of
      persons seeking admittance.                                              

                (3)  If guards are assigned, station them immediately
      outside the entrance.  Regardless of the control system used,
      entry procedures must ensure identification of persons seeking
      entry so as to prevent viewing of activities within the facility
      before entry is permitted.                                               

                (4)  Unrestricted entry to the secure
      telecommunications center will be limited to persons whose names
      appear on an official posted entrance list.  The authorized
      entrance list must contain the names of all persons regularly
      assigned duties within the secure telecommunications facility and
      those others whose duties require them to have frequent access.
      All personnel on the authorized entrance list must have received
      a cryptographic access briefing and must have a current signed
      Cryptographic Access Certificate on file which is verified by the
      custodian or the manager having responsibility for the COMSEC
      operation.  In addition, each individual on the list must have a
      valid clearance equal to or higher than the COMSEC information
      being given access to.  It is the COMSEC custodian's
      responsibility to verify the clearance for each individual on the
      authorized entrance list.  Custodians should consult with the
      servicing security element to determine the most effective method
      to verify clearance information and cryptographic access
      authorization data for each facility.                                    

                (5)  The following statement will be placed on the
      authorized entrance list, certifying that all persons listed
      thereon have been granted access to classified COMSEC information
      and that a security clearance is on file for each person:  "ALL
      PERSONNEL LISTED HEREON HAVE BEEN GRANTED ACCESS TO CLASSIFIED
      COMSEC INFORMATION AND APPROPRIATE DOCUMENTATION IS ON FILE."  By
      affixing his or her signature to this statement the custodian
      affirms that he or she has personally verified with the facility
      or activity personnel officer, or the servicing element, that
      each individual on the authorized access list has:                       

                     (a)  A current Form 1600.54, Notification of
      Personnel Security Action, on file;                                      

                     (b)  A clearance equal to the highest
      classification level of COMSEC material to which he/she will have
      access.                                                                  

                     (c)  Received a cryptographic access briefing and
      has signed a current Cryptographic Access Certification as
      required by this order.                                                  

                (6)  On the authorized entrance list, the COMSEC
      custodian will specifically designate those persons, by name, who
      may authorize admittance to others not on the list.  The number
      of persons authorized to admit others in this manner shall be
      kept to a minimum.  Usually, the facility manager having
      responsibility and authority over the COMSEC operation, and the
      custodian may authorize admittance.                                      

                (7)  The authorized entrance list will be signed and
      dated by the COMSEC custodian.  It is the custodian's
      responsibility to ensure that the list is current at all times.          

                (8)  An FAA Form 1600-8, Visitor Register, will be
      maintained to record the arrival and departure of all persons
      whose names do not appear on the authorized entrance and access
      list.  Completed FAA Form 1600-8, shall be maintained on file by
      the custodian for a period of two calendar years, after which
      they may be destroyed.                                                   

           c.  Access Control for Administrative/Monitor Accounts.  FAA
      administrative and monitor accounts do not require the stringent
      security measures required for secure telecommunications
      facilities.                                                              

                (1)  Administrative/monitor accounts are those which
      hold only general COMSEC publications or serve as issue points
      for codes and authentication systems.  This type of account
      requires adequate storage facilities and inventory controls.
      However, they may be located within general office space if
      measures are taken to exclude unauthorized and uncleared
      personnel and prevent viewing of COMSEC material when in use.            

                (2)  The custodian must closely control access to an
      administrative account's holdings; access must be limited to
      persons within the immediate working area who have a need-to-know
      and others whose duties require frequent access.  The
      requirements for granting access and certification or
      verification thereof are the same as for secure
      telecommunications facilities.                                           

      62.  ESCORTED ACCESS.
           a.  Uncleared visitors.  Uncleared visitors may be
      authorized admittance by the custodian, or the manager having
      operational responsibility for the COMSEC facility, provided
      effective security precautions are taken to preclude unauthorized
      access to classified information.  These visitors shall be under
      continuous escort by an individual whose name appears on the
      access list.  All such visits shall be recorded in the visitor
      register.                                                                

           b.  Repairmen.  When uncleared repairmen are admitted to
      perform maintenance on commercially contracted information-
      processing equipment which is connected to circuits protected by
      cryptographic equipment, the escort shall be a cryptorepair
      person or other technically qualified individual who is capable
      of recognizing acceptable and proper repair procedures for that
      type of equipment.  This is a means to control attempts at
      malicious action against the involved COMSEC equipment or
      installation.                                                            

      63.  VISITOR REGISTER.                                                   

           a.  Requirement.  A visitor register, FAA Form 1600.8, will
      be maintained at the COMSEC facility entrance area to record the
      arrival and departure of authorized visitors.                            

           b.  Procedure.  The visitor register shall contain the
      following information for each individual.                               

                (a)  Date and time of arrival and departure.                   

                (b)  Printed name and signature of visitor.                    

                (c)  Purpose of visit.                                         

                (d)  Signature of individual admitting visitor.                

           c.  Disposition.  Records of authorized visitors shall be
      retained in the custodian's files for a period of two calendar
      years, after which they may be destroyed.                                

      64.  NO-LONE ZONES.                                                      

           a.  Facilities which produce or generate key (in any form)
      distribution centers, and depots and other logistic activities
      which store or distribute large quantities of keying material
      shall employ no-lone-zone restrictions within all areas in which
      these activities take place.                                             

           b.  Refer to AFR 56-1, paragraph 3-5, for restrictions on
      single person access.                                                    

           c.  The majority of FAA COMSEC facilities handling or
      processing COMSEC material at the SECRET level or below will not
      have a need for institution of no-lone-zone measures.  Custodians
      having questions concerning no-lone-zone applications should
      direct them to ACO-300 through their servicing security element.         

      65.  GUARD SERVICES.                                                     

           a.  Purpose.  FAA facilities requiring the services of a
      secure telecommunications facility may for various reasons not be
      able to have a COMSEC resource in-house.  This would be the case
      for example, if a secure telecommunications facility were being
      reengineered and it was necessary to take the facility off-line
      for a period of time.  When this situation occurs, the FAA
      facility may enter into an agreement with another U.S. Government
      or military secure telecommunications facility to receive and
      transmit their classified and operational messages until the
      facility circuits are operational.  This is referred to as
      "guarding."                                                              

           b.  Requirement.  The FAA manager having operational
      authority and responsibility for a secure telecommunications
      facility will inform ANC-120 and ACO-300, through appropriate
      regional channels to include the servicing security element, of a
      requirement for "guard" service prior to making arrangements for
      such support.  Only secure telecommunications facilities operated
      by U.S. Government or military personnel will be used for
      guarding for classified FAA telecommunications.  Contractor
      operated secure telecommunications facilities will not be used.          

      66.-70.  RESERVED.                                                       

            SECTION 4.  PROTECTION OF UNATTENDED COMSEC EQUIPMENT              

      71.  GENERAL.                                                            

           a.  Noncontinuously Manned Facility.  In a noncontinuously
      manned facility, unattended COMSEC equipment shall be protected
      as prescribed in this section during periods when the facility is
      not manned.                                                              

           b.  Construction.  A facility which meets the construction
      requirements of Appendix 6 provides sufficient protection, under
      normal circumstances, for unattended, unkeyed COMSEC equipment
      installed in an operational configuration.  The requirements for
      the protection of COMSEC equipment in secure telecommunications
      facilities which normally operate unmanned for extended periods
      of time are covered in Annex C, NACSI 4008/AFR 56-6, under
      "Unattended, Fixed Secure Telecommunications Facilities."                

      72.  PROTECTION REQUIREMENTS.                                            

           a.  General.  In some situations there may be significant
      technical or operational reasons to locate communications and
      associated COMSEC equipments in unattended sites.  Any
      requirement for FAA activities to locate COMSEC equipment at
      unattended sites must be submitted through the servicing security
      element to ACO-300 for approval prior to implementation.  The
      request for approval will be submitted in writing, by the
      custodian or facility manager having authority over the COMSEC
      assets and will include the measures to be taken to satisfy the
      safeguarding requirements listed in subparagraph b, below.               

           b.  Safeguards.  Paragraph IID, Annex C to NACSI 4005/AFR
      56-13 establishes the following safeguard requirements:                  

                (1)  The site must be located in an area firmly under
      U.S. control.                                                            

                (2)  Cryptonets whose keying variables are held in
      COMSEC equipments located at unattended sites must be kept as
      small as possible, with unique keying material used on each link
      terminated at an unattended site where feasible.                         

                (3)  COMSEC equipment not in use may not be stored at
      an unattended site.  All COMSEC equipments located at unattended
      sites must be operationally required as on-line, standby or
      back-up items to terminate an active circuit.                            

                (4)  Keying material other than that which is
      electrically or physically held in the COMSEC equipments may not
      be stored at unattended sites.
                (5)  The FAA manager responsible for operation of the
      unattended site must arrange for timely guard force response to
      investigate incidents involving threats to the COMSEC equipment
      at the site.  Response planning should be conducted in
      coordination with the servicing security element.  The servicing
      security element will advise the manager on effective security
      planning and will provide investigative support when necessary.
      The FAA custodian responsible for the COMSEC material must be
      knowledgeable of these arrangements.                                     

                (6)  The FAA manager responsible for operation of the
      unattended site must ensure that inspections of the sites are
      conducted to verify that the COMSEC equipments have not been
      tampered with.  The inspections should be at random and at
      irregular intervals without excessive delay between the
      intervals.                                                               

      73.-77.   RESERVED.                                                      

                 SECTION 5.  PROTECTION OF LOCK COMBINATIONS                   

      78.  PURPOSE.                                                            

           a.  General.  The requirements of this section apply to
      combination locking devices for FAA COMSEC facility doors and
      security containers which hold classified, telecommunications
      security (TSEC) nomenclatured material.                                  

           b.  Collateral Classified Materials.  Combinations to FAA
      security containers which are used to store only collateral
      classified material that is not accountable under the COMSEC
      Material Accounting System (CMCS), may be controlled in
      accordance with this section or the requirements of Order
      1600.2C.  If a container is used to store both collateral and
      TSEC nomenclatured material the protection requirements of this
      section will apply.                                                      

      79.  PROTECTION REQUIREMENTS.                                            

           a.  Selection of Combinations.  Each lock must have a
      combination composed of randomly selected numbers.  This
      combination shall not deliberately or accidentally duplicate a
      combination selected for another lock within the facility and
      shall not be composed of successive numbers, numbers in a
      systematic sequence, nor predictable sequences (e.g., birthdates,
      social security numbers, and phone numbers).                             

           b.  Changing Combinations.  A lock combination shall only be
      changed by a cleared individual having a need-to-know for the
      information safeguarded by the lock.  Combinations must be
      changed:                                                                 

                (1)  When the lock is initially placed in use.  (The
      manufacturer's preset combination shall not be used.)                    

                (2)  When any person having authorized knowledge of the
      combination no longer requires such knowledge (e.g., through
      transfer or loss of clearance).                                          

                (3)  When the possibility exists that the combination
      has been subjected to compromise.                                        

                (4)  At least annually.
           c.  Classification of Combinations.  Lock combinations shall
      be classified the same as the highest classification of the
      information protected by the locks.  For a security container,
      this is the highest classification of the information held in the
      container; for a facility door, it is the highest classification
      of the information held in the facility to which the door
      controls access including that information stored in containers.         

      80.  ACCESS TO COMBINATIONS.                                             

           a.  Access to the combination of a lock used to protect
      COMSEC material shall be limited to individuals who are
      authorized access to the material in accordance with NACSI
      4005/AFR 56-13, and Chapter 2 of this order.                             

           b.  Where a container is used to store future editions of
      keying material, access to the combination shall be further
      restricted to the COMSEC Custodian and the Alternate
      Custodian(s).  Where this restriction cannot be applied because
      others must have access to the container for current editions of
      keying material or other material, future editions of keying
      material shall be stored separately in a locked strongbox which
      can be opened only by the Custodian and the Alternate
      Custodian(s).  The strongbox shall be kept in the security
      container.  Exceptions may be made in operational areas to allow
      shift supervisors access to the next future edition of keying
      material, but not to later future editions.                              

           c.  Access to combinations for security containers used to
      store Top Secret keying material will be controlled in accordance
      with requirements of NTISSI 4005, and Appendix 7.
      81.  RECORD OF COMBINATIONS.                                             

           a.  Standard Form 700.  The Standard Form (SF) 700, Security
      Container Information, NSN:  7540-01-214-5372, will be used to
      record the current combination to COMSEC containers.  Parts 2 and
      2A of each completed copy of SF 700 shall be classified at the
      highest level of classification of the information authorized for
      storage in the security container.  A new SF 700 must be
      completed each time the combination to the security container is
      changed.                                                                 

           b.  Emergency Access.  To provide for ready access to
      secured material in emergencies, a central record of lock
      combinations shall be maintained in a security container approved
      for storage of the highest classified combination.  The
      combination to this container shall be restricted to persons with
      proper clearance and need-to-know.  Provision must be made for
      access to the record of combinations in case of an emergency.            

           c.  Packaging Requirements.  Combinations to FAA COMSEC
      containers will be packaged and handled as follows:                      

                (1)  The SF 700 Part 2 and 2A containing the
      combination will be assigned a classification equal to the
      highest category of classified material stored within the
      container.  In addition to the classification, the SF 700 will be
      annotated to reflect the following:                                      

                     (a)  The identity of the container (reference
      paragraph 191, chapter 8, Order 1600.2C).  This will include the
      container, room, and building number.
                     (b)  The date the combination was changed.                

                     (c)  The responsible persons authorized access to
      the combination.                                                         

                (2)  Safe combination will be maintained within COMSEC
      channels.  This will not prevent storing combinations in FAA
      areas outside the secure communications facility or vault.  For
      combinations up to and including Secret a properly filled out SF
      700 should be forwarded to the servicing security element monitor
      account through COMSEC channels.  Proper packaging is required
      and delivery should be accomplished by courier.  Persons who have
      access to the security containers which house COMSEC combinations
      must have a clearance level equal to or above that required for
      access to security containers or vaults for which the
      combinations have been recorded, and must meet FAA FCA Program
      requirements specified in Chapter 2 of this order.  For storage
      outside the secure communications facility or vault the COMSEC
      custodian will require an SF 154 hand receipt for the combination
      and will maintain the current SF 154 receipt(s) in the COMSEC
      file.                                                                    

                (3)  For storage outside the secure telecommunications
      facility or vault, a combination storage location shall be chosen
      which allows ready access in an emergency but which is restricted
      to persons with proper clearance and need-to-know.  Top Secret
      combinations do not have to be recorded with the Top Secret
      Control Office (TSCO) since they are controlled within COMSEC
      channels.  Top Secret combination must be controlled however in
      accordance with NTISSI 4005, and Appendix 7.                             

           d.  Prohibition.  It is specifically prohibited for
      individuals to record and carry, or store insecurely for personal
      convenience, the combinations to facilities or containers in
      which COMSEC material is stored.  Also, records of such
      combinations may not be stored in electronic form in a computer.         

      82.-86.  RESERVED.                                                       

               SECTION 6.  NONESSENTIAL AUDIO/VISUAL EQUIPMENT                 

      87.  PERSONALLY OWNED EQUIPMENT.  Personally owned receiving,
      transmitting, recording, amplification, information-processing,
      and photographic equipment (e.g., radios, tape recorders,
      stereos, televisions, cameras, magnetic tape and film) shall not
      be permitted in FAA secure telecommunications facilities.                

      88.  GOVERNMENT OWNED EQUIPMENT.  Government-owned or leased (or
      company owned-or leased in the case of contractor-operated
      facilities) receiving, transmitting, recording, amplification,
      video, and photographic equipment (e.g., radios, music systems,
      TV monitors/cameras, and amplifiers) which are not directly
      associated with secure telecommunications operations or
      information processing activities may be used in secure
      telecommunications facilities provided approval for their use is
      granted by the FAA facility chief or manager having
      responsibility for and authority over COMSEC operations on a
      case-by-case basis, subject to the following:                            

           a.  The Government-owned equipment in FAA telecommunications
      facilities must be subjected to and pass all the same technical
      and TEMPEST security requirements that mission-essential
      equipment must pass.                                                     

           b.  Equipment must be reinspected or tested each time it is
      removed and then returned to the facility.                               

           c.  The manager responsible for approving the location of
      the equipment in the secure telecommunications facility will also
      be responsible for ensuring that a record of the latest approval
      and inspection/test is maintained in the secure
      telecommunications facility, and a copy provided to ACO-300
      through the servicing security element.                                  

           d.  The reinspection/test and record requirements do not
      apply to approved portable telephone "beepers" and two-way radios
      carried by visiting key personnel on official duty, if approved
      by the COMSEC custodian.                                                 

      89.-94.  RESERVED.                                                       

               SECTION 7.  STANDARD OPERATING PROCEDURES (SOP)                 

      95.  REQUIREMENT.                                                        

           a.  Requirement. Each FAA COMSEC secure telecommunications
      facility shall have a written COMSEC SOP.                                

           b.  Procedure.  The COMSEC custodian will prepare and
      maintain in a current status a written SOP which shall contain
      provisions for the secure conduct of facility operations and for
      the safeguarding of COMSEC material, for example the SOP should
      include procedures for:
                (1)  Cryptographic operations.                                 

                (2)  Local accountability of COMSEC material.                  

                (3)  Obtaining COMSEC maintenance support.                     

                (4)  Controlling access to the COMSEC area.                    

                (5)  Storage.                                                  

                (6)  Routine and emergency destruction.                        

                (7)  Reporting of insecurities.                                

           c.  Coordination.  The custodian will require all persons
      associated with the day-to-day operations of the secure
      telecommunications facility to familiarize themselves with the
      SOP initially and signify by their initials that they have reread
      the SOP at least once every 3 months thereafter.                         

      96.  EMERGENCY PLAN.  As an adjunct to its SOP each FAA Plan
      COMSEC facility shall have a current emergency plan prepared in
      accordance with guidance contained in NTISSI 4004/AFR 56-5.              

      The plan shall be written, and, as a minimum shall be structured
      to address the following concerns:                                       

           a.  Coordination with the overall facility/activity
      emergency contingency planning staff.  COMSEC
      emergency/contingency and destruction planning should be an
      integral part of the overall facility plan.
           b.  Fire reporting and initial fire fighting by assigned
      personnel.                                                               

           c.  Assignment of on-the-scene responsibility for ensuring
      protection of the COMSEC material held.                                  

           d.  Procedures for securing or removing classified COMSEC
      material and evacuation of the area(s).                                  

           e.  Protection of material when admission of outside
      firefighters into the secure area(s) is necessary.                       

           f.  Assessment and reporting of probable exposure of
      classified COMSEC material to unauthorized persons during the
      emergency.                                                               

           g.  Post-emergency inventory of classified COMSEC material
      and reporting of any losses or unauthorized exposure to the
      servicing security element.                                              

      97.-101.  RESERVED.

           CHAPTER 5. SAFEGUARDING AND CONTROL OF COMMUNICATIONS 
 SECURITY MATERIAL                                       

      102.  GENERAL                                                            

           a.  Purpose.  This chapter specifies minimum safeguards and
      establishes standard criteria for the protection and control of
      Communications Security (COMSEC) material in accordance with
      guidelines set forth in National Communications Security
      Committee document NCSC-1, Safeguarding COMSEC Material.  The
      NCSC has been replaced by the National Telecommunications and
      Information Systems Security Committee (NTISSC).  The U.S. Air
      Force implementing directive is AFR 56-13, Safeguarding and
      Control of Communications Security Material, dated July 28, 1986.        

           b.  Scope.  Controls for safeguarding COMSEC material apply
      to access, use, production, development, transportation, storage,
      accounting, and disposition.  Safeguards and control criteria for
      COMSEC material are specified herein in the following categories:        

                (1)  Keying material marked "CRYPTO" (e.g., key lists,
      key cards, codes, authenticators, one-time pads, CRIBS, rotors,
      keying plugs, tapes, keyed microcircuits, etc.).                         

                (2)  Crypto-equipment (including communications and
      information processing equipment with integral cryptography) and
      components thereof which embody the principles or logic of a
      cryptosystem, including COMSEC computer software and firmware.           

      NOTE:  "Firmware" refers to software that is permanently stored
      in a hardware device which allows reading and executing the
      software but not writing or modifying it.                                

                (3)  Other COMSEC material of the following types:             

                     (a)  General COMSEC instructional documents,
      TEMPEST information, COMSEC equipment operating maintenance
      manuals, changing call signs and frequency systems, brevity
      lists, and keying material not marked "CRYPTO."                          

                     (b)  Crypto-ancillary material (including
      equipment or software designed specifically to facilitate
      efficient or reliable operation of crypto-equipment, or designed
      specifically to convert information to a form suitable for
      processing by crypto-equipment).                                         

      103.  DEFINITIONS.  For the purposes of this order the following
      terms shall have the meanings set forth below:                           

           a.  Communications Security (COMSEC).  Communications
      security (COMSEC) means protective measures taken to deny
      unauthorized persons information derived from telecommunications
      of the United States Government related to national security and
      to ensure the authenticity of such communications.  Such
      protection results from the application of security measures
      (including cryptosecurity, transmission security, emissions
      security) to electrical systems generating, handling, processing,
      or using national security or national security related
      information.  It also includes the application of physical
      security measures to communications security information or
      materials.                                                               

           b.  Telecommunications.  Telecommunications means the
      transmission, communication, or processing of information,
      including the preparation of information, by electrical,
      electromagnetic, electromechanical, or electro-optical means.            

           c.  National security.  National security means the national
      defense and foreign relations of the United States.                      

      104.  HANDLING KEYING MATERIAL.  Keying material marked "CRYPTO"
      must be handled within the COMSEC Material Control System (CMCS).
      This is a unique system set up for producing, transmitting,
      storing, accounting for, and destroying COMSEC material including
      International Pact Organization (IPO) material.  All
      nomenclatured COMSEC material (except material handled through
      publication distribution channels; such as National COMSEC
      Instructions (NACSI), National COMSEC/EMSEC Information Memoranda
      (NACSEM) and National COMSEC Information Memoranda (NACSIM)), is
      controlled within the CMCS throughout its life.  The system
      requires that all COMSEC material be handled only between COMSEC
      custodians through established channels.  Classified COMSEC
      material never enters the regular document distribution and
      control system.                                                          

      105.-109  RESERVED.                                                      

                SECTION 1.  GENERAL INFORMATION APPLICABLE TO ALL
                            COMSEC MATERIAL                                    

      110.  RESPONSIBILITY FOR SAFEGUARDING COMSEC MATERIAL.                   

           a.  Managers of FAA facilities and offices which use or
      handle COMSEC material are responsible for safeguarding and
      controlling all COMSEC material provided to or produced by their
      facility or office, and for establishing procedures which include
      the following:                                                           

                (1)  A Central Office of Record (COR).  For the FAA the
      U.S. Air Force Cryptologic Support Center, AFCSC/MMIC, San
      Antonio, Texas 78243-5000, is the Central Office of Record.              

                (2)  Establishment and Disestablishment of COMSEC
      Accounts.  Directive guidance for the establishment and
      disestablishment of FAA COMSEC accounts is contained in AFKAG-2
      and this order.                                                          

           b.  COMSEC Custodian.  The COMSEC Custodian is the properly
      appointed individual who manages and controls the accountable
      COMSEC material in the CMCS charged to his/her activity.  The
      custodian's responsibilities include:                                    

                (1)  Receiving, storing, amending, accounting for
      inventorying, and issuing COMSEC material charged to his/her
      account and destroying or transferring of material when it is no
      longer required.                                                         

                (2)  Ensuring that appropriate COMSEC material is
      readily available to properly authorized individuals whose duties
      require its use.                                                         

                (3)  Advising user and supervisors, as appropriate, of
      the required protection and procedures which must be provided
      COMSEC material issued to them for use, including the authorized
      procedures for destruction or disposition of such material when
      it is no longer required.
                (4)  Reporting insecurities in accordance with AFKAG-2
      and NTISSI 4003, COMSEC insecurities fall into three categories,
      cryptographic, personnel and physical.  Specific examples of each
      type are provided in NTISSI 4003, Reporting COMSEC Insecurities.         

           c.  Individual Users.  Individuals involved in the use of
      COMSEC material are personally responsible for:                          

                (1)  Safeguarding and proper employment of all material
      he or she uses or for which he or she is responsible.                    

                (2)  Reporting to proper authorities any occurrences,
      circumstances, or acts which could jeopardize the security of
      COMSEC material.                                                         

      111.  TRANSPORT OF COMSEC MATERIAL.                                      

           a.  Department of Defense Courier Service, State Department
      Diplomatic Courier Service, or departmental couriers are the
      preferred means of transporting COMSEC material.                         

           b.  Use of commercial passenger aircraft for the
      transportation of current or superseded keying material is
      normally prohibited.                                                     

           c.  FAA employees are not authorized to transport current or
      superseded key material for any reason without specific prior
      approval of the servicing security element in regions and
      centers, and ACO-300 in Washington Headquarters.  In addition,
      the employee must have a valid courier letter in accordance with
      the provisions of Order 1600.2C.  The courier letter must be
      signed by the employee's facility or office manager.  Before
      signing the letter it is the manager's responsibility to ensure
      that the employee has received a briefing on his or her
      responsibilities as a courier as required by Order 1600.2C.              

      112.  COURIER RESPONSIBILITIES.                                          

           a.  Couriers are responsible for ensuring the integrity of
      COMSEC material in their custody at all times.  Couriers will
      retain their letter of authorization in their possession at all
      times while actually transporting key materials.                         

           b.  Couriers transporting material into foreign countries
      must ensure that material is not subject to inspection by
      unauthorized personnel.  In no case will U.S. COMSEC material be
      permitted to enter foreign distribution channels unless it has
      been authorized for release by the proper U.S. authorities.              

           c.  In cases where the bulk of the material to be
      transported, or the physical configuration of the conveyance will
      not allow for the courier to keep the material on his person or
      in view at all times, arrangements should be made with the
      carrier to effect a "last-in-first-out" procedure that will
      ensure the material is given the most protection possible, and
      not left unattended at loading docks, cargo storage areas,
      baggage areas, railways platforms, etc.                                  

      113.  OPEN DISPLAY OF COMSEC MATERIAL AND INFORMATION.  The open
      or public display of U.S. Government or foreign COMSEC material
      and information at nongovernmental symposia, meetings, open
      houses, or for other nonofficial purposes is forbidden.  This
      prohibition includes discussion, publications, or presentation of
      COMSEC information for other than official purposes.  Any
      requests for the public or nonofficial display or publications of
      COMSEC information, including Freedom of Information Act
      requests, will be referred through ACS-300 to the Director,
      National Security Agency.                                                

      114.  DESTRUCTION.  Appendix 8 Routine Distribution and Emergency
      Protection of COMSEC Material, contains criteria and procedures
      for secure destruction of COMSEC material.  FAA COMSEC custodians
      will ensure that destruction requirements set forth in this order
      and AFKAG-2 are followed.                                                

      115.  REPORTING INSECURITIES.                                            

           a.  General.  Requirements for reporting COMSEC insecurities
      are specified in NTISSI 4003.  The USAF implementing regulation
      for NTISSI 4003 is AFR 56-12.                                            

           b.  Requirements.                                                   

                (1)  Insecurities associated with FAA COMSEC activities
      will be reported in accordance with NTISSI 4003 or AFR 56-12.
      Information copies of reports of COMSEC insecurities will be
      provided through COMSEC channels to the servicing security
      element and to ACS-300.                                                  

                (2)  The servicing security element will conduct an
      investigation of reported insecurities and submit four copies of
      FAA Form 1600-32 (Report of Investigation) to the Manager,
      Investigations and Security Division, ATTN:  ACO-300.                    

           c.  Classification of Insecurity Reports.  Reports of COMSEC
      insecurities and associated investigative reports shall be
      classified according to content in accordance with provisions of
      NTISSI 4002 and NTISSI 4003.  If there is doubt about the correct
      classification assistance should be requested from the servicing
      security element or ACO-300.  If there is doubt as to whether a
      report should be classified or unclassified, handle and safeguard
      it as classified until a final determination is made in
      accordance with provisions of chapter 4 in Order 1600.2C.                

      116.  EVIDENCE OF TAMPERING.  All instances where COMSEC material
      displays evidence of tampering shall be promptly reported to
      Director, National Security Agency, ATTN:  S-213, in accordance
      with provisions of NTISSI 4003 and AFR 56-12.  Information copies
      of the report shall be provided to the servicing security element
      and ACO-300.                                                             

      117.  ALTERATION OF COMSEC MATERIAL.  No modifications or changes
      in classification or markings or alterations of any kind shall be
      made to COMSEC material without prior approval of the NSA.
      Requests of this nature from FAA COMSEC activities will be
      submitted through COMSEC channels to AFCSC, ATTN:  AFCSC/MMI,
      with information copies to the servicing security element and
      ACS-300.  AFCSC will coordinate with the NSA as required.                

      118.  CLEARANCE REQUIREMENTS FOR GUARDS.  Those guards whose
      duties include responsibility for access and protection of
      classified COMSEC material will be appropriately cleared.  Those
      guards whose duties are primarily area control (gate guards,
      building security) need not be cleared when they are used to
      supplement other security measures and will not normally have
      access to classified information.  All guards must be responsible
      and trustworthy personnel and instructed concerning their
      responsibilities.  Foreign guards may be used for control only.
      Questions concerning clearance requirements for FAA guard
      personnel should be coordinated with the appropriate servicing
      security element.                                                        

      119.  STORAGE REQUIREMENTS.                                              

           a.  General.  Storage means the use of security containers,
      vaults, alarms, guards, etc., to protect COMSEC information
      during nonworking hours or when it is not under the direct and
      continuous control of properly cleared and authorized personnel.
      FAA managers and custodians responsible for COMSEC operations
      will ensure that the requirements of this paragraph as well as
      the more detailed standards and criteria in appendix 11 of this
      order are complied with.  Servicing security elements will assist
      COMSEC custodians in implementing these requirements.                    

           b.  Storage Requirements.  For each vault or container used
      to store classified COMSEC material:                                     

                (1)  Designate the level of classified material
      authorized for storage therein but do not show this designation
      externally.                                                              

                (2)  Assign a number or symbol for identification
      purposes.  Place the number or symbol in a conspicuous location
      on the outside of the vault or container.                                

                (3)  Prepare a General Services Administration/
      Information Security Oversight Office (GSA/ISOO) Form SF-700
      (Security Container Information Form) for each security container
      and vault door.  On this form identify the names, addresses and
      home telephone numbers of persons to be notified if the container
      is found insecure.  Post part 1 of the SF-700 conspicuously on
      the inside of the locking drawer of each security container, and
      on the inside of each vault door.  Refer to chapter 8 in Order
      1600.2C.  Even though more than four persons may know the
      combination, only those persons to be notified need be listed on
      part 1.  For ordering purposes the NSN for the GSA/ISOO SF-700
      form is 7540-01-214-5372.                                                

                (4)  Security containers or vaults used to store COMSEC
      information shall be located in areas not accessible to general
      traffic, which are locked or otherwise protected during
      nonworking hours.                                                        

                (5)  Security containers or vaults used to store keying
      material of any classification must never have been drilled to
      gain access unless the drilled parts are replaced with new or
      repaired combination locks or drawer heads.  This also applies to
      SECRET and TOP SECRET COMSEC material other than keying material.
      When containers have been drilled to gain access and have been
      repaired and inspected to ensure acceptable safeguarding
      capabilities/(reference chapter 8 in Order 1600.2C), they may be
      used to store COMSEC material including International Pact
      Organization (IPO) other than keying material, classified no
      higher than CONFIDENTIAL.                                                

      120.  OTHER COMSEC INFORMATION.                                          

           a.  General.  Classified COMSEC information not specifically
      covered by this order shall be safeguarded in accordance with
      requirements of Order 1600.2C, National Security Information.            

           b.  Requirement.  FAA COMSEC accounts will receive
      classified documents such as NACSIS, NTISSIs, AFRs, etc., that
      are not controlled within the CMCS.  Documents of this type are
      referred to as "collateral classified" and will not have a
      register number and will not be listed on inventories provided by
      AFCSC.  Because these documents are distributed through COMSEC
      channels they will normally be delivered directly to the
      custodian and will not be placed under control at the facility
      security control point (SCP).  It is the custodian's
      responsibility to ensure that documents of this type are placed
      under control in accordance with provisions of Order 1600.2C.
      Normally, this means returning documents classified SECRET or
      higher, to the facility/activity SCP, having them logged in, and
      then signed back to the COMSEC custodian.  Reference chapter 7,
      in Order 1600.2C.                                                        

           c.  Location of SCP.  The security control point (SCP)
      function for a facility/activity should not be collocated with
      the COMSEC secure telecommunications facility, in order to ensure
      separation between the document control functions of the SCP and
      the CMCS responsibilities of the custodian and alternate.                

      121.  DISPOSITION OF COMSEC MATERIAL.                                    

           a.  General.  After COMSEC material has been issued to an
      account or user it cannot be transferred or destroyed without
      specific prior approval.  The term "disposition" as used in this
      paragraph means the transfer (return to AFCSC or transfer to
      another FAA account or to an account of another department or
      agency) or destruction of COMSEC material.  Refer to AFKAG-2,
      chapters 5 and 6.                                                        

           b.  Requirements.  When material on hand excess to
      requirements is to be returned to AFCSC or is to be shipped to
      another account to meet operational requirements, specific
      disposition instructions must be furnished as follows:                   

                (1)  ACO-300 is the approval authority to transfer to
      another FAA account.                                                     

                (2)  AFCSC gives authority:                                    

                     (a)  To transfer to an account of another
      department or agency or return to account 616600.                        

                     (b)  For destruction.                                     

           c.  Request.  Requests for disposition instructions will be
      routed through the servicing security element with an information
      copy to ACS-300.                                                         

           d.  Exception.  The above rules do not apply to
      crypto-equipment.  AFCSC gives advance approval for all movement
      of crypto-equipment (AFKAG-2).  To meet contingencies and
      emergencies, ACO-300 in coordination with ANC-120 may approve the
      relocation of FAA assets and then notify AFCSC.                          

      122.  PAGE CHECKS OF COMSEC PUBLICATIONS.                                

           a.  General.  The integrity of COMSEC material must be
      ensured so that all material produced must be accounted for and
      maintained at the lowest possible exposure rate.  Although in
      most cases FAA COMSEC custodians have free access to the secure
      telecommunications facility (TCF) they support, keying material
      issued to the secure TCF is considered to be outside the COMSEC
      material control environment because of the exposure factor.
      When material is issued by the custodian, the receiver, whether
      the actual user or an intermediary, is considered to be a user.
      A local courier is not considered to be a user because, until
      material is sighted for by line item, the material is still
      accountable within the CMCS.                                             

           b.  Requirements.  A page check of all classified COMSEC
      publications is mandatory on certain occasions, both to satisfy
      security requirements and to ensure usability.  Page checks are
      to be made by first consulting the list of effective pages on the
      cover of the document and ensuring that each page is exactly as
      described.  The page check is recorded on the record of page
      checks page; or, if the publication has no record of page checks
      page, record the page check on the record of amendments page or
      on the front cover.  The date checked, signature, and
      organizational identification of the person making the check are
      required.  Page checks will be made:                                     

                (1)  On receipt of classified COMSEC material from any
      source.                                                                  

                (2)  During change of custodian.                               

                (3)  When entering an amendment or changes which adds,
      deletes, or replaces pages or affects page numbers (COMSEC Users
      Guide - AFR 56-10).                                                      

                (4)  At least annually.                                        

                (5)  Before destruction.  The page check conducted
      before a document is destroyed does not have to be recorded.
      Sealed keying material, whether sealed with the original
      production wrapping or sealed by the custodian according to Annex
      B, paragraph IIE3b, NACSI 4005/AFR 56-13, does not require page
      check before destruction.                                                

           c.  Exceptions to Page Check Requirements.  The following
      are exceptions to page check requirements listed in paragraph
      122b:                                                                    

                (1)  Check one-time pads that are sealed on the edges
      as individual pages are used.  No separate record of page check
      is required.  A page check of one-time pads that are not sealed
      on the edges is required only on issue to a user.                        

                (2)  Keycards and keylists enclosed in protective or
      restrictive wrappers should be retained within these wrappers for
      as long as possible.                                                     

                (3)  One-time tape does not require a segment check.           

           d.  Additional page checks.  FAA custodians are authorized
      to conduct additional page checks as needed.                             

      123.  DAILY OR SHIFT INVENTORY REQUIREMENTS.  A daily or shift
      inventory is required for:                                               

           a.  Legend 1 COMSEC material.  Equipments are identified by
      the suffix CA to the national stock number (NSN).                        

           b.  Legend 1 International Pact Organization COMSEC
      material; that is North Atlantic Treaty Organization.
           c.  Legend 2 COMSEC material.  Equipments are identified by
      the suffix CS to the NSN.                                                

           d.  Legend 3 COMSEC material.  Material whose accountability
      has been dropped between AFCSC and the FAA COMSEC account.               

           e.  Legend 5 COMSEC material.  Material which has not been
      placed into effect (reserve or contingency material).                    

      124.  COMSEC ACCOUNT RECORD FILE.  Each FAA COMSEC account shall
      maintain an account record file consisting of six folders as
      required by AFKAG-2.  A description of these files follows:              

           a.  Folder 1.  Accounting reports and an AFCOMSEC Form 14:          

                (1)  File authenticated copies of all accounting
      reports in numerical sequence by the account's voucher number.           

                (2)  Maintain an AFCOMSEC Form 14 in the front of the
      folder.                                                                  

                (3)  Classify this folder a minimum of CONFIDENTIAL.           

           b.  Folder 2.  AFCOMSEC Form 3.  This folder contains the
      current records appointing and rescinding the COMSEC custodian
      and alternate custodians for the COMSEC account.  AFCOMSEC form 9
      also shall be retained in this folder.                                   

           c.  Folder 3.  General accounting correspondence.  File
      copies of correspondence about COMSEC distribution and accounting
      (such as disposition instructions, procedure changes, and tracer
      actions).  Classify this folder equal to the highest
      classification of the correspondence therein.                            

           d.  Folder 4.  Mail and courier package receipts.  File
      package receipts for classified COMSEC material transmitted or
      received through Armed Forces Courier Service, other officially
      designated couriers, or the U.S. Postal Service.                         

           e.  Folder 5.  Hand receipts.  File signed copies of hand
      receipts for COMSEC material issued to users.  Destroy the
      receipt according to the instructions in AFKAG-2.                        

           f.  Folder 6.  Local destruction reports.  Keep reports as
      instructed in Situation E4, AFKAG-2.                                     

      125.-129.  RESERVED.                                                     

                        FOR OFFICIAL USE ONLY
                      PUBLIC AVAILABILITY TO BE
                    DETERMINED UNDER 5 U.S.C. 552

              CHAPTER 6. CONTROLLED CRYPTOGRAPHIC ITEMS (CCI)                 

      130.  PURPOSE AND BACKGROUND.                                            

           a.  The Controlled Cryptographic Item (CCI) category applies
      to specified, unclassified, secure telecommunications and
      information handling equipments and associated cryptographic
      components.  The intent is to promote the broad use of secure
      telecommunications and information handling equipments for the
      protection of national security (classified), and other sensitive
      information which should be protected in the national interest.          

           b.  Secure telecommunications and information and handling
      equipments and associated cryptographic components which are
      designated "Controlled Cryptographic Item" or "CCI" use a
      classified cryptographic logic; it is only the hardware or
      firmware embodiment of that logic which is unclassified.  The
      associated cryptographic drawings, logic descriptions, theory of
      operation, computer programs, and related cryptographic
      information remains classified.                                          

           c.  Procedures for controlling CCI secure telecommunications
      and information handling equipments and associated cryptographic
      components are required to guard against preventable losses to an
      actual or potential enemy.                                               

                (1)  In keeping with the spirit of expanded use of
      these equipments, minor lapses in carrying out control procedures
      shall be referred to the responsible manager as a matter of
      administrative discretion.  FAA employees can be held liable for
      the loss, damage, or destruction of Government property caused by
      their negligence, willful misconduct, or deliberate unauthorized
      use.                                                                     

                (2)  More serious infractions of CCI control procedures
      may constitute sabotage, loss through gross negligence, theft, or
      espionage that would be punishable under various sections of the
      United States Code or the Uniform Code of Military Justice.              

      131.  DEFINITIONS.                                                       

           a.  Controlled Cryptographic Item (CCI).  A secure
      telecommunications or information handling equipment, or
      associated cryptographic components, which is unclassified but
      controlled.  Equipments and components so designated shall bear
      the designator "Controlled Cryptographic Item" or "CCI".                 

           b.  Secure Telecommunications and Information Handling
      Equipment.  Equipment designed to secure telecommunications and
      information handling media converting information to a form
      unintelligible to an unauthorized intercepter and by reconverting
      the information to its original form for authorized recipients.
      Such equipment, employing a classified cryptographic logic, may
      be stand-alone-crypto-equipment, as well as telecommunications
      and information handling equipment with integrated or embedded
      cryptography.                                                            

           c.  Crytopgraphic Component.  The hardware or firmware
      embodiment of the cryptographic logic in a secure
      telecommunications or information handling equipment.  A
      cryptographic component may be a modular assembly, a printed
      circuit board, a microcircuit, or a combination of these items.
           d.  Access.  The ability or opportunity to obtain, modify,
      or use.  External viewing of a CCI does not constitute access.           

      132.  CONTROL REQUIREMENTS.  The following subparagraphs set
      forth the minimum requirements for controlling unkeyed CCI
      equipments and components utilized by the FAA.  Where such
      equipments and components contain classified key they shall be
      protected in accordance with the requirements of Chapter 5 of
      this Order.  Also, depending upon the application, other more
      stringent requirements may be prescribed.                                

           a.  Access.  A security clearance is not required for access
      to unkeyed CCI equipments and components.  However, access shall
      normally be restricted to U.S. citizens whose duties require such
      access.  Access may be granted to permanently admitted resident
      aliens who are U.S. Government civilian employees or active duty
      or reserve members of the U.S. Armed Forces whose duties require
      such access.  ACO-300 may grant waivers to permit non-U.S.
      citizens unescorted access to installed CCIs, regardless of the
      release status of the CCI, under conditions listed below:                

      NOTE:  The approval of the National Managers must be obtained by
      ACO-300 through AFCSC/SRMP before allowing such access by non-
      U.S. citizens in Communist block or other countries listed in the
      Attorney General Criteria Country List.  Such requests shall be
      routed through the servicing security element to ACO-300 together
      with complete justification and explanation of operational need.         

                (1)  Unkeyed CCI's:                                            

                     (a)  Such access is in conjunction with building
      maintenance, custodial duties, or other operational
      responsibilities normally performed by such personnel unescorted
      in the area now containing the CCIs before their installation;
      and                                                                      

                     (b)  The CCI is installed within a facility which
      is a U.S.-controlled facility or a combined facility with a
      permanent U.S. presence, as opposed to a host nation facility,
      even through the primary staffing is by host nation personnel;
      and                                                                      

                     (c)  The servicing security element has determined
      that the risk of tampering with the CCI which could result in
      compromise of U.S. information, classified or unclassified but
      sensitive, is acceptable in light of the local threat and
      vulnerability and the sensitivity of the information being
      protected and indicated by its classification, special security
      controls, and intelligence life; and                                     

                     (d)  Such access is not prohibited by Department
      of State policies and procedures applicable to FAA operation in a
      given geographic area.                                                   

                     (e)  The system doctrine for the CCI does not
      specifically prohibit such access.                                       

                (2)  Keyed CCI's.  In addition to all of the
      requirements for unkeyed CCIs, the following apply for unescorted
      access or use by foreign personnel:                                      

                     (a)  The foreign personnel are civilian employees
      of the U.S. Government or assigned to a combined facility; and
                     (b)  The CCI remains U.S. property, a U.S. citizen
      is responsible for it, and the presence of such installed CCIs is
      verified at least monthly; and                                           

                     (c)  The communications to be protected are
      determined to be essential to the support of FAA or combined
      operations; and                                                          

                     (d)  FAA and other U.S. users communicating with
      such terminals are made aware of the non-U.S. citizen status of
      the CCI user; and                                                        

                     (e)  Only U.S. personnel with classified U.S. keys
      may key CCI's.  Authorized foreign personnel may key CCIs with
      allied keys or unclassified keys.                                        

                (3)  Special Security Requirements.  If a CCI is to be
      installed and operated in a foreign country at a facility which
      is either unmanned or manned entirely by non-U.S. citizens,
      additional special security measures, such as vault areas,
      locking bars, safes, alarms, etc., are required.  Should an
      installation of this nature be required to support FAA operations
      it must be approved in advance by ACO-300 after coordination with
      AFCSC/SRM on a case-by-case basis.                                       

                (4)  Moving CCI's.  CCI's will not normally be moved
      from an environment where the tampering risk presented by non-
      U.S. citizen access is acceptable to a more sensitive environment
      where the risk is not acceptable.  If such action is an
      operational necessity, it must receive the prior approval of the
      FAA servicing security element and in overseas areas the
      cognizant representative of the Department of State for the
      particular geographic area.  All such CCI's must be examined for
      signs of tampering by qualified COMSEC maintenance personnel.
      Any evidence of tampering shall be reported as a COMSEC incident
      and immediate action will be taken to remove the CCI from
      operational use pending notification from the Director, National
      Security Agency.                                                         

           b.  Courier.  Authorized FAA employees and contractor
      employees (U.S. citizens) may courier CCI equipment and
      components.  Requirements for courier authorization are specified
      in FAA Order 1600.2C, National Security Information.                     

                (1)  Authorized persons may transport CCI aboard both
      Government and commercial aircraft, either handcarried or as
      checked baggage.  If it is checked as hold baggage on commercial
      airliners, it must be packaged in a container which is sealed in
      a manner that will detect unauthorized access to the enclosed
      material, such as tamper-detections tape, wire seals, etc.               

                (2)  CCI can be subjected to X-ray inspections;
      however, if airport security personnel require physical
      inspection, the inspection must be limited to external viewing
      only.  To avoid unnecessary delays and searches by airport
      personnel, prior coordination with the servicing security element
      shall be accomplished to ensure that airport personnel are
      informed in a timely manner of the transfer of CCI material.             

           c.  Storage and Transportation.                                     

                (1)  General.  Store and transfer CCI equipment and
      components in a manner that affords protection at least equal to
      that which is normally provided to weapons, computers,
      electronics equipment, etc., and ensures that access and
      accounting integrity is maintained.                                      

                (2)  Storage.  Handle CCI's in connection with
      warehouse functions provided they are under direct supervision of
      an individual who meets the access requirements of this chapter.         

                (3)   Transportation.                                          

                     (a)  General.  Ship CCI equipments and components
      by a traceable means in accordance with the following:                   

                          1  Within CONUS:                                     

                             a  Commercial carrier providing DOD
      Constant Surveillance Service (CSS)  (NOTE:  Contact the
      Transportation Officer of the nearest Defense Contract
      Administration Service Management Area (DCASMA) office for
      information concerning the carriers servicing the specific
      geographic area.  CSS is not available overseas.                         

                             b  U.S. registered mail provided the mail
      does not at any time pass out of U.S. control.                           

                             c  Authorized FAA or contractor courier.
      For contractor couriers, the authorization to act as a courier or
      escort for CCI equipment and components may be granted by the
      servicing FAA security element in accordance with FAA Order
      1600.2C.                                                                 

                             d  Diplomatic courier service.
                          2   Outside CONUS:  In foreign countries
      where there are two or more FAA facilities where FAA personnel
      are stationed, foreign nationals who are employed by the FAA may
      transport CCI's provided:                                                

                             a  There is a signature record that
      provides continuous accountability for custody of the shipment
      from pickup to ultimate destination, and                                 

                             b  There is a constant U.S. presence (for
      example, a U.S. person accompanies a foreign driver in couriering
      the material), or                                                        

                             c  The material is contained in a closed
      vehicle or shipping container which is locked and has a shipping
      seal that will prevent undetected access to the enclosed
      material.                                                                

           d.  Accounting.                                                     

                (1)  Within the FAA, CCI equipments shall be delivered
      to a primary FAA COMSEC account.                                         

                (2)  The COMSEC Custodian shall initially receipt for
      the CCI equipment, and will be responsible for ensuring that
      before further distribution is made the individual CCI items are
      entered into the Property Management System for the using
      facility, Region, or Center as appropriate.                              

      NOTE:  The custodian should coordinate with the responsible
      property management officer to ensure that the requirements of
      this order are met.                                                      

                (3)  CCI equipments shall be accounted for by serial
      number.  CCI components, installed in this equipment, do not
      require separate accountability.  Spares or other uninstalled CCI
      components shall be accounted for by quantity.                           

                (4)  The accounting system must provide the following:         

                     (a)  Establish a central point designated by the
      Property Management Officer for the using facility, region or
      center for control of CCI equipments.                                    

                     (b)  The identification of CCI equipment and
      components which are lost.                                               

                     (c)  Individual accountability in order to support
      prosecution in cases which involve infractions that would be
      punishable under the United States Code or the Uniform Code of
      Military Justice.                                                        

                (5)  The manager having property management
      responsibility for the using facility region or center shall
      ensure that procedures are followed to permit entering CCI
      equipment into the Property Management System data base in such a
      way that equipments can be accurately inventoried when necessary.        

      133.  INVENTORIES.                                                       

           a.  CCI equipments shall be inventoried at least annually.
      This includes uninstalled CCI equipments.  An inventory should
      also be accomplished whenever there is a change of personnel
      responsible for the safekeeping or accounting of an
      organization's holdings of CCI equipments and components.
      Reports of inventory shall be submitted to the central control
      point established for control of CCI equipments.  Inventory
      records shall be maintained current for as long as the using
      facility, region or center maintains CCI assets.                         

           b.  Inability to reconcile an organization's holdings of CCI
      equipments and components with the record of accountability at
      the established central control point shall be reported as an
      insecurity in accordance with this order and AFR 56-12.                  

      134.  REPORTING INSECURITIES.                                            

           a.  Users of CCI must be familiar with the criteria that
      constitutes an insecurity as specified in AFR 56-12.                     

           b.  All insecurities involving CCI equipments or components
      shall be reported through COMSEC channels in accordance with the
      following:                                                               

                (1)  Keyed equipment.  Report insecurities involving
      keying material according to AFR 56-12.                                  

                (2)  Unkeyed equipment.  Insecurities involving unkeyed
      CCI equipments shall be reported in accordance with AFR 56-12 and
      applicable FAA property management directives concerning the
      responsibilities for safeguarding and protection of high value
      U.S. Government property.                                                

      135.  ROUTINE AND EMERGENCY DESTRUCTION.                                 

           a.  The routine and emergency destruction procedures of AFR
      56-5 apply to CCI equipments and components.                             

           b.  Routine destruction of CCI equipment and components by
      FAA users is not authorized.  Equipment that is inoperative or no
      longer required shall be reported to the FAA servicing security
      element with a request for disposition instructions.  The
      servicing security element will be responsible for coordinating
      all such requests with ACO-300 prior to any disposition of the
      equipment.                                                               

      136-144.  RESERVED.                                                      

                          FOR OFFICIAL USE ONLY
                        PUBLIC AVAILABILITY TO BE
                      DETERMINED UNDER 5 U.S.C. 552

                          CHAPTER 7. SECURE VOICE                             

                             SECTION 1.  GENERAL                               

      145.  PURPOSE.  This chapter provides guidelines for use by the
      COMSEC custodian when dealing with the third generation or "user
      friendly" Secure Telephone Units; i.e., STU-III's, that are used
      to transmit classified information.                                      

      146.  TYPES AND MODELS OF STU-III.                                       

           a.  Type I.  These terminals are Controlled Cryptographic
      Items (CCI).  Type I STU-III terminals may be used to secure
      classified information, or unclassified but sensitive, voice or
      data communications when keyed with an appropriate level of
      keying material.  STU-III terminals are considered keyed when
      keying material has been loaded and an authorized Crypto Ignition
      Key (CIK) is inserted.  When keyed, Type I STU-III terminals must
      be safeguarded to the same classification level that the keying
      material being used is authorized to protect.  When the terminals
      are unkeyed, they are considered as high value property and are
      to be protected as CCI in accordance with provisions of NTISSI
      4001, Controlled Cryptographic Items, NTISSI 3013, Operational
      Security Doctrine for the secure Telephone Unit III (STU-III)
      Type 1 Terminal, AFSAL 4001A, Air Force COMSEC Publication
      Controlled Cryptographic Items and this order.                           

           b.  Type II.  Type II terminals may only be used with
      unclassified keying material.  Use of these terminals is not
      addressed in this chapter.                                               

      147.  DEFINITIONS.                                                       

           a.  Authentication Information.  Information which
      identifies a STU-III terminal.  Authentication information is
      specified for each STU-III key ordered and is included as a part
      of the key.  Each terminal's authentication information is
      displayed on the distant terminal during a secure call.
      Authentication information includes:                                     

                (1)  Classification level - the highest classification
      level authorized for an individual STU-III terminal.  During a
      secure call, the clearance level displayed on each terminal is
      the highest level common to both terminals, and is the authorized
      level for the call.                                                      

                (2)  Identification of the using organization (e.g.,
      FAA HQ, Wash. DC).                                                       

                (3)  Expiration date of the terminal's key.                    

                (4)  Foreign access to the terminal, where appropriate
      (e.g. CAN, US/KOR, US/NATO).                                             

           b.  Authorized Person.  A person who meets the access
      requirements of NTISSI/AFSAL No. 4001, Controlled Cryptographic
      Items, (AFR 56-20 when published), and this directive, and who
      has adequate clearance if classified material is involved.               

           c.  Crypto-Ignition Key (CIK).  A key storage device (KSD)
      which contains a portion of STU-III key(s) in encrypted form.
      Insertion of the CIK into the terminal(s) for which it was
      created allows the terminal(s) to be used in the secure mode;
      withdrawal disables the secure mode.                                     

           d.  CIK Information.  Split portions of an encrypted STU-III
      key, a part of which resides in the CIK, the other in the
      terminal.                                                                

           e.  Interoperable CIK.  A single CIK which may be programmed
      to work in more than one terminal.                                       

           f.  Key.  Information (usually a sequence of random binary
      digits) used to initially set up and to periodically change the
      operations performed in a crypto-equipment for purposes of
      encrypting or decrypting electronic signals; for determining
      electronic counter countermeasures (ECCM) patterns (e.g., for
      frequency hopping or spread spectrum); or for producing other
      keys.                                                                    

      NOTE:  Key replaces the terms "variable," "key(ing) variable,"
      and "cryptovariable".                                                    

           g.  Keyed Terminal.  A terminal which has been keyed, in
      which the CIK is inserted.                                               

           h.  Key Encryption Key (KEK).  A key that is used in the
      encryption and/or decryption of other keys for transmission
      (rekeying) or storage.                                                   

           i.  Key Storage Device (KSO).  The name given to the
      physical device that can be used as a fill device and also as a
      CIK for all Type 1 terminals.  It is a small device shaped like a
      physical key and contains passive memory.  When it is used to
      carry key to Type 1 terminals it is termed a fill device; when it
      is used to protect key that has been loaded into Type 1
      terminals, it is termed a CIK.                                           

           j.  Master CIK.  A CIK which may be used to create
      additional CIKs for a terminal as they are required, up to the
      terminal's maximum.                                                      

           k.  Micro-KMODC.  An MS-DOS compatible personal computer
      with a custom hardware/software configuration which, when
      connected to a Type 1 terminal, may be used to electronically
      order and receive STU-III keys.                                          

           1.  Unkeyed Terminal.  A terminal which contains no keys or
      one which has been keyed but from which the CIK has been removed
      and properly secured.                                                    

           m.  User Representative.  A person formally designated to
      order keys for STU-III terminals.                                        

           n.  U.S. Controlled Space.  An area, access to which is
      physically controlled by authorized U.S. Government personnel.           

      148.-150.  RESERVED.                                                     

                           SECTION 2.  EXCEPTIONS                              

      151.  REQUESTS FOR EXCEPTION.  Requests for exception to any of
      the provisions of this chapter must be submitted prior to
      implementation to the Emergency Operations Staff, ADA-20, who is
      Controlling Authority for the FAA STU-III Program.                       

      152.-153.  RESERVED.                                                     

          SECTION 3.  COMSEC CUSTODIAN DUTIES AND RESPONSIBILITIES             

      154.  GENERAL.  The COMSEC Custodian handling STU-III key
      performs those responsibilities normally associated with handling
      and controlling other COMSEC material as specified in this order.
      The COMSEC Custodian is responsible for initial receipt of key,
      for storage until issued to a user, and for all accounting until
      the key is "destroyed."  Although the COMSEC Custodian may be
      the person who actually keys terminals and creates the associated
      CIK's, he or she may instead issue the key to authorized users,
      who load the key and create CIK's.  COMSEC Custodians are also
      responsible for the preparation of a number of control and
      accountability reports.                                                  

      155.  RECEIPT OF KEY.  The COMSEC Custodian will receive the key
      from the Key Management System (KMS) in the form of a key storage
      device, KSD-64A, used as a fill device.  The following applies:          

           a.  Fill Device Labels.  Each fill device will have an
      attached card label.  The card label will be removed by the
      COMSEC Custodian when the key in the fill device is loaded into a
      terminal.  The fill device card label contains space for the
      COMSEC Custodian to write the serial number of the terminal, the
      name of the each user, and the serial number of each KSD-64A that
      is used as a CIK for the terminal.  It is important that a local
      record be maintained of the terminal serial number as it relates
      to the key material identification (KMID) number (or Registration
      Number) binding.                                                         

            b.  Fill Device Packaging.  Fill devices will be shipped
      from the KMS packaged in heat sealed plastic bags.  Packaged fill
      devices will be placed in boxes with shipping papers (SF-153
      COMSEC Material Report).  The boxes will be double wrapped in
      accordance with appropriate COMSEC standards.  A copy of the
      SF-153 COMSEC Material Report must be signed by the COMSEC
      Custodian and returned as the receipt for the key.                       

           c.  Incoming Inspection.  The procedures for incoming
      inspection are as follows:                                               

                (1)  Inspect the package.  If any tampering is evident,
      submit a COMSEC incident report.                                         

                (2)  Take inventory of the package contents against the
      shipping papers.                                                         

                (3)  If all is in order, fill in the appropriate
      blocks, sign the enclosed receipt and return it to the
      KMS/Central Accounting Office (CAO).                                     

                (4)  If all is not in order, call the KMS immediately,
      note the discrepancy on the SF-153, and send it to the KMS/CAO.          

           d.  Storage and Protection of Key.  Fill devices stored by a
      COMSEC Custodian prior to loading into a terminal should remain
      sealed in the plastic bag.  The storage of the fill devices must
      be in accordance with procedures prescribed by this order for the
      storage of classified COMSEC keying material.                            

      156.  ACCOUNTING FOR KEY.  The COMSEC Custodian plays a critical
      role in accounting for STU-III key.  The Custodian is supported
      by the STU-III CAO and the cognizant Central Office of Record
      (COR).                                                                   

           a.  STU-III Type I Key.  The STU-III Type I operational and
      Type I seed key is accounted for by registration number
      Accounting Legend Code 1 (ALC-1).  All test key is unclassified
      and assigned ALC-4 (i.e. after receipt at the user COMSEC
      account, they are locally accountable).                                  

      NOTE:  TOP SECRET Type I operational key requires two person
      integrity handling in accordance with National doctrine, unless a
      specific exemption has been granted by the controlling authority
      (ADA-20) with approval of the National Manager (NSA).                    

           b.  Reports.  In addition to complying with all cognizant
      COR rules and requirements, the COMSEC Custodian is responsible
      for submitting the following reports directly to the KMS/CAO:            

                (1)  Key Receipts.  An SF-153 COMSEC Material Report
      will be included in each key order shipped from the KMS.  The
      Custodian must verify that all listed devices were received and
      then fill in the appropriate blocks, sign the SF-153, and return
      the original to the KMS/CAO.                                             

                (2)  Transfer Reports.  The sending COMSEC Custodian
      must generate an SF-153 Transfer Report whenever STU-III key is
      shipped between COMSEC accounts.  A copy of the report must be
      sent to the KMS/CAO.  The receiving Custodian must receipt for
      the keys and send a copy of the receipt to the KMS/CAO.                  

      Only STU-III key should be listed on Transfer Reports sent to the
      KMS/CAO.  Transfer reports for other types of key and for COMSEC
      equipment should be sent to the appropriate COR (for FAA accounts
      the COR for COMSEC materials other than STU-III is normally the
      US Air Force Cryptologic Support Center (USAFCSC), Kelly Air
      Force Base, TX).                                                         

                (3)  Destruction Reports.  The COMSEC Custodian must
      generate and submit an SF-153 Destruction Report to the KMS/CAO
      when Type I operational key is loaded into a terminal or
      zeroized.  Destruction Reports generated for key loaded in a
      terminal will contain the signature of the Custodian or alternate
      and the serial number of the STU-III terminal in the Remarks
      Column (Block 13).  Destruction Reports for TOP SECRET Type I
      operational key require two signatures, that of the Custodian or
      alternate and a witness.  Destruction Reports for zeroized key
      require two signatures.  Do not mix STU-III key destruction
      reports with other key transactions.  Destruction Reports are not
      required for Type I seed key successfully loaded into a STU-III
      terminal since the electronic conversion call to the KMS results
      in the automatic generation of a Key Conversion Notice (KCN)
      which serves as the Destruction Report.  The KSD-64A should not
      be physically destroyed by breaking or smashing the device as
      this does not guarantee destruction of the key material in the
      device.  For approved destruction procedures refer to the current
      STU-III Key Management Plan and the servicing security element.          

                (4)  Possession Reports.  Possession Reports are used
      when a shipment of key material is received without any
      accompanying paperwork.  The receiving Custodian should generate
      an SF-153 Possession Report and submit it to the KMS/CAO and
      other locations as directed by his COR.  Do not mix STU-III key
      Possession Reports with other key Possession Reports.                    

      157.  NOTICES FROM THE KMS/CAO.                                          

           a.  Key Conversion Notices.  When Type 1 seed key is loaded
      into a terminal, the user must call the KMS to obtain (convert it
      to) the Type I operational key.  The KMS/CAO generates a Key
      Conversion Notice which is sent to the accountable COMSEC
      Custodian informing him or her of the KMID numbers of seed key
      converted to operational key.  This notice indicates the serial
      number of the terminal into which the seed was loaded, the KMID,
      and the date of conversion.  The Custodian should verify that
      this is the terminal in which the key was loaded in order to
      maintain accurate records.  Additionally, this notice must be
      used by the COMSEC Custodian to ensure that all seed keys listed
      have, in fact, been converted.  Any discrepancies must be
      immediately reported as a COMSEC incident.  Delay in reporting
      constitutes a reportable COMSEC incident.  The KCN also documents
      any Type 1 operational key that has been rekeyed before
      notification of a destruction is received at the KMS/CAO.                

           b.  Tracers.  When a key shipment has been sent via
      registered mail to a COMSEC account and the SF-153 key receipt is
      not returned to the KMS/CAO within 30 days, or when key is sent
      by DCS to a COMSEC account and the SF-153-30 key receipt is not
      returned within 45 days, the KMS/CAO will send a Tracer Report to
      the Custodian to determine if the key has been received.  If the
      Custodian has received the key, the key receipt should have the
      applicable blocks filled in and should be submitted to the
      KMS/CAO.  If the key has not been received, the Custodian should
      immediately contact the KMS/CAO for instructions.                        

      158.-160.  RESERVED.
                       SECTION 4.  KEYING OF TERMINALS                         

      161.  INITIAL KEYING OF TERMINALS.                                       

           a.  Procedures for the initial keying of terminals differ
      slightly depending on the type of key.  A separate procedure for
      each type of key (seed and operational) is described below.
      These procedures may vary if a master CIK is desired and may vary
      among terminal vendors.  For detailed information on the specific
      key loading procedures for terminals, see the vendor's key
      loading instructions.                                                    

           b.  CIK's are created for a terminal during the key loading
      procedure.  Therefore, the user organization must decide if a
      master CIK should be created to allow CIK's to be programmed at a
      later time, or decide the number of regular CIKs needed for each
      terminal prior to loading the key.  The STU-III permits creation
      of a master CIK, which allows additional CIKs to be created at a
      later time.                                                              

      162.-163.  RESERVED.                                                     

                         SECTION 5.  ACCOUNTABILITY                            

      164.  CRYPTO IGNITION KEY HANDLING AND LOCAL ACCOUNTING.  To
      operate in the secure mode, a CIK must be inserted into a
      terminal and turned.  This paragraph discusses the accountability
      requirements prescribed for CIK's in terms of guidance in the
      STU-III doctrine and factors that affect both the accounting
      procedures and the number of CIK's required for an organization.
      It is understood that each user organization will disseminate any
      detailed or clarifying doctrinal guidance.                               

           a.  Local Accountability Requirements.                              

                (1)  CIK's are locally accountable.  This means that a
      local record of the CIK's and the persons to whom CIK's for each
      terminal are issued should be maintained.  The COMSEC Custodian
      or an authorized user should record the serial number of the
      STU-III terminal, the KSD-64A serial numbers, and the name of
      each terminal user in the appropriate spaces on the back of the
      fill device card.  Each card is perforated so that it can be
      detached and retained by the Custodian or an authorized user in a
      3x5 card file.                                                           

                (2)  Taking a periodic inventory of the CIK's for each
      terminal is encouraged.                                                  

                (3)  When loss of a CIK is locally reported, the
      Custodian or the authorized user can disable use of that CIK on
      the appropriate terminal.                                                

                (4)  Local guidance to terminal users concerning CIK
      accountability should be formulated and distributed
      appropriately.                                                           

           b.  Crypto Ignition Key Management.  There are a number of
      factors that affect the management and control of CIK's to
      include those listed below.                                              

                (1)  Multiple Terminal Users.  Each user activity or
      office must determine how many people will be allowed to use a
      terminal, which method(s) of multiple use will be allowed, and
      how many CIK's are required.  The methods for supporting multiple
      users of a terminal are as follows:                                      

                     (a)  Shared CIK'S.  A single CIK can be shared
      among a number of users.  During normal duty hours, this CIK can
      be left in the terminal if the terminal is located in a secure
      area where no unauthorized person could gain access to the
      terminal.                                                                

                     (b)  Multiple CIK'S.  STU-III terminals will
      support up to eight CIK's for each key.  The identification
      information displayed during a secure call will be the same for
      each of the eight CIK'S, and any of the eight CIK's can be used
      to operate the terminal.  These CIK's can be issued to several
      users.                                                                   

                     (c)  Multiple Key Sets per Terminal.  STU-III
      vendors offer terminals which can be filled with more than one
      key at a time.                                                           

                (2)  Multiple Terminals per Crypto Ignition Key.
      STU-III vendors offer a feature which will allow a single CIK to
      be associated with more than one terminal (an "interoperable"
      CIK).  This feature requires a single CIK to be programmed by
      each terminal with which it is to be used.  The use of multiple
      terminals per CIK complicates local accountability and security
      procedures, but permits greater flexibility for the user.                

                (3)  Master Crypto Ignition Keys.  STU-III's contain a
      master CIK feature which allows additional CIK's to be created at
      a later date.  However, the total number of CIK's per key stored
      in a terminal may never exceed eight.                                    

      165.-166.  RESERVED.                                                     

                            SECTION 6.  REKEYING                               

      167.  ELECTRONIC REKEYING.  The STU-III KMS provides for
      electronic rekeying of Type I terminals through a rekey call to
      the KMS.  (The Type 2 terminals cannot be electronically
      rekeyed.)  During this process, the terminals identification
      information is not changed.  Only the terminal's cryptographic
      information is changed.  The KMS supports electronic rekey over
      the public telephone networks (1-800 service and regular
      commercial networks) and the DOD AUTOVON network.  The situations
      in which electronic rekeying is performed are:                           

           a.  Initial Keying.  When a terminal is physically keyed
      with Type 1 seed key, a call to obtain Type I operational key is
      necessary.  When a terminal is physically keyed with Type I
      operational key, a call to the KMS rekey number is strongly
      recommended to obtain a current copy of the Compromised Key List
      (CKL) and the Compromise Information Message (CIM).                      

           b.  Scheduled Rekeying.  The terminal user is required to
      call the KMS for an electronic rekey at least once each year.
      Some terminals display the key expiration date automatically each
      time the CIK is inserted.                                                

           c.  When Rekey Notification is Received from the KMS.  A
      universal rekey notification to call for a rekey will be
      promulgated by mail or AUTODIN to all COMSEC Custodians.  The
      COMSEC Custodians will be responsible for directing each of their
      terminal users to call for a rekey.  In addition, the STU-III KMS
      has the capability to use the CIM message to notify STU-III
      terminals via the terminal display to call for a rekey.  (In
      those circumstances where a terminal user cannot call for an
      electronic rekey when such a notice is received, the terminal
      will have to be physically rekeyed.)                                     

      NOTE:  Electronic rekeying is performed by placing a secure call
      to the KMS through toll-free 800 service, AUTOVON, or direct dial
      lines.  The rekey telephone numbers are listed in the STU-III
      User's Manual.                                                           

      168.-170.  RESERVED.                                                     

                        SECTION 7.  PHYSICAL SECURITY                          

      171.  UNKEYED TERMINAL - TYPE 1.  In the unkeyed mode, the
      terminal can be used to place only unsecured, unclassified calls
      which are not sensitive.  An unkeyed terminal must be protected
      in accordance with the requirements of NTISSI/AFSAL 4001, and
      chapter 6 of this order.                                                 

      172.  KEYED TERMINAL.  When the terminal is keyed, it may be used
      in the secure mode by authorized persons only.  The terminal must
      be afforded protection commensurate with the classification of
      the key it contains as required by NACSI 4005/AFR 56-13, and
      Chapter 5, of this order.  When persons in an area are not
      cleared to the level of the keyed terminal, it must be under the
      operational control and within view of at least one appropriately
      cleared, authorized person.
      173.  TERMINAL DISPLAY.  Proper use requires strict attention to
      the authentication information displayed on the terminal during
      each secure call.  When two terminals communicate in the secure
      mode, each terminal automatically displays authentication
      information of the distant terminal.  The information displayed
      indicates the system capacity, and does not authenticate the
      person using the terminal.  Therefore, users must use judgement
      in determining need-to-know when communicating sensitive but
      unclassified or classified information.  If the display fails the
      terminal must not be used in the secure mode.                            

           a.  Authentication.  Authentication information is
      representative of the distant terminal and should match the
      distant user.  If there is question as to the validity of this
      information, sensitive but unclassified and classified
      information should not be communicated, even though voice
      recognition may be possible.                                             

           b.  Display.  When the display indicates that the distant
      terminal's key has expired, this could be an indication of
      unauthorized system access.  If the period is excessive (e.g.
      more than two months), users should not exchange sensitive
      unclassified or classified information.                                  

           c.  Classification Level.  Users must adhere to the
      classification level indicated on the terminal display.  Because
      of the interoperability among terminals of different
      classification levels, the display may indicate a level less than
      the actual classification of either terminal's own key(s) (e.g.,
      when a SECRET terminal calls a CONFIDENTIAL terminal,
      "CONFIDENTIAL" is displayed on both terminals as the approved
      level for the call).  Therefore users must observe the display
      with each call and limit the level of information accordingly.           

           d.  System Testing.  During system testing, authentication
      information on the display may vary, as required for the test;
      however, the display will always indicate that the call is for
      TEST purposes only.  Classified information may not be
      transmitted during system tests.                                         

      174.  USE BY OTHER U.S. PERSONNEL.                                       

           a.  Keyed Type 1 terminals may be used by or under the
      direct supervision of authorized persons only.  When
      operationally required, authorized persons may permit others not
      normally authorized to use the keyed terminal (e.g., persons not
      assigned to the FAA office, service or facility identified in the
      display and persons whose clearance does not meet the level
      indicated on the display) under the following conditions:                

                (1)  The call must be placed by an authorized person.          

                (2)  After reaching the called party, the caller must
      identify the party on whose behalf the call is being made,
      indicating their level of clearance.  Again, the maximum
      classification level may not exceed that level which appears on
      the terminal display.                                                    

           b.  Uncleared or otherwise unauthorized persons must not be
      permitted to overhear classified conversations or to have access
      to classified or sensitive information transmitted over the
      terminal.                                                                

      175.  USE BY FOREIGN NATIONALS.  NTISSI 4001/AFR 56-20 and
      Chapter 6 of this order, limit access to CCI equipments to U.S.
      citizens and permanently admitted resident aliens who are
      employees of the U.S. Government.  For the FAA prior approval of
      the Manager, Emergency Operations Staff, ADA-20, is required for
      any exception to this policy.                                            

      176.  STORAGE.  Type 1 terminals must be stored as specified in
      NTISSI/AFSAL 4001, and Chapter 6, of this order.  Foreign
      nationals who are employed by the U.S. Government at locations
      described in paragraph 179 below, may handle Type 1 terminals in
      connection with warehouse functions, provided they are under the
      direct supervision of an individual who meets the access
      requirements of NTISSI/AFSAL 4001, and Chapter 6.                        

      177.  USE OF THE SECURE DATA MODE.  During data transmissions,
      each Type I terminal must be manned by authorized persons.  The
      data must be sent only after the sending and receiving parties
      have observed the terminal display and have assured themselves of
      the appropriateness of the information transfer (i.e., is the
      sending/receiving party's organization level in the terminal
      display?).  If the terminal is attached to a computer, computer
      security and system issues should be addressed separately with
      the servicing security element prior to start of operations.
      Additional assistance in the area of computer security is
      available if needed from ACO-340, Washington, D.C.  It is
      important that these issues be addressed because of the inherent
      interoperability of all STU-III terminals.                               

      178.  AFTER HOURS PROTECTION.  When authorized persons are not
      present, the CIK must be removed from the terminal and properly
      protected as specified in this chapter.  Area controls must be
      sufficient to ensure access and accounting integrity of the
      terminal.                                                                

                         SECTION 8.  TRANSPORTATION                            

      179.  TYPE I TERMINALS.                                                  

           a.  Type 1 terminals must be unkeyed during shipment.  In no
      instance may KSDs containing seed or operational KEK's or CIK's
      be included in the same container or shipment as Type 1
      terminals.                                                               

           b.  Type I terminals may be transported by any means that
      provides continuous accountability and protection against losses
      and unauthorized access while in transit.  These criteria are
      satisfied by any of the following:                                       

                (1)  FAA courier authorized in accordance with
      provisions of Order 1600.2C.                                             

                (2)  FAA authorized contractor/company, U.S. citizen
      courier.                                                                 

                (3)  U.S. Registered Mail provided it does not at any
      time pass out of U.S. control and does not pass through a foreign
      postal system or any foreign inspection.                                 

                (4)  Commercial carriers under constant surveillance
      service (CSS) in CONUS only.  FAA elements may obtain information
      concerning these services from the General Services
      Administration (GSA), ATTN:  Traffic and Travel Services.
                (5)  U.S. military or military-contractor air service
      (e.g., Military Airlift Command, LOGAIR, QUICKTRANS) provided the
      requirements for CSS are observed.                                       

                (6)  U.S. Diplomatic Courier Service (overseas service
      only).  FAA STU-III units intended for overseas installation in
      FAA facilities or office spaces will be transferred to the
      Department of State for transportation to the overseas location.
      All movements of this type will be coordinated through the
      Manager, Emergency Operations Staff, ADA-20, Washington, D.C.            

                (7)  Armed Forces/Defense Courier Service (ARFCOS)
      outside the 48 contiguous states when no other means of secure
      transportation is available.                                             

      180.-182.  RESERVED.                                                     

                          SECTION 9.  INSTALLATION                             

      183.  GENERAL.  Type 1 terminals may be installed in U.S.
      controlled spaces (including vehicles) and in residences of U.S.
      Government officials.  The fundamental purpose of the Type 1
      terminal is to provide a readily available, easy to use secure
      telephone capability for all personnel who have a need to discuss
      classified or sensitive information.                                     

           a.  Acoustic Security.  Local acoustic security is an
      important consideration.  The greatest security threat to
      telephone conversations is where they are most vulnerable to
      hostile intercept and exploitation -- during transmission over
      the telephone network.  Therefore, a common-sense approach should
      be followed on acoustic security for the Type 1 installation.            

           b.  Servicing Security Element.  Specific provisions for
      achieving acoustical security should be determined in
      coordination with the servicing security element for each FAA
      using organization prior to STU-III installation.  The manager or
      supervisor having responsibility for the STU-III terminal is
      responsible for ensuring that acoustical security measures are
      enforced to preclude unauthorized overhearing of classified or
      sensitive but unclassified telephonic discussions.                       

      184.  RESIDENCES.  Type 1 terminals installed in residences may
      be used only by the persons for whom they are installed.  All of
      the security requirements for preventing unauthorized access to
      classified and sensitive information, and to the keyed terminal
      must be observed.                                                        

           a.  The terminal must be located in an area of the home
      where family members or other unauthorized persons will not
      overhear or view classified or sensitive information.                    

           b.  The CIK must be removed from the terminal following each
      use and kept in the personal possession of the user, or properly
      stored.                                                                  

           c.  If the CIK is stored in the residence and the associated
      terminal is used to protect classified information, the CIK must
      be protected in a GSA-approved security container.                       

           d.  When the terminal is used in the data mode, classified
      information that is viewed on the screen should be removed as
      soon as possible, and should not be printed out unless there is
      appropriate classified storage.                                          

           e.  Installation of STU-III equipments in residences will
      require the prior approval of the servicing security element and
      the responsible COMSEC custodian.                                        

      185.-186.  RESERVED.                                                     

                          SECTION 10.  MAINTENANCE                             

      187.  GENERAL.  NTISSI/AFSAL 4001 contains the training
      requirements which apply to all persons who maintain COMSEC
      equipment, to include the Type 1 terminal.  Authorized
      maintenance personnel need not be cleared unless they require
      access to classified COMSEC information to perform terminal
      maintenance.                                                             

      188.  ACCESS.  Maintenance personnel may not have access to a
      terminal which has been keyed for normal operations.  Therefore,
      any terminal which will be removed or disassembled for repair
      should first be zeroized.  However, if terminal malfunction
      prevents zeroization, the terminal may be returned, minus the
      CIK, which must be retained in appropriate storage by authorized
      persons.  When an FAA terminal is removed from an operational
      area by maintenance personnel the associated KEK's will be
      zeroized.                                                                

      189.-190.  RESERVED.                                                     

               SECTION 11.  PROTECTION OF KEY STORAGE DEVICES                  

      191.  GENERAL.  When they contain KEK's or CIK information, KSD's
      must be protected against unauthorized access.  When they contain
      none of the above information, KSDs require no special handling
      or protection, and their loss is not a reportable insecurity.            

      192.  FILL DEVICES.  Fill devices containing KEK's must be
      safeguarded in accordance with Annex B of NACSI 4005/AFR 56-13,
      and Chapter 5 of this order.                                             

           a.  Access.  An appropriate clearance is required for access
      to a fill device when it contains a classified operational KEK.
      Although seed KEK's are handled as UNCLASSIFIED CRYPTO, COMSEC
      Custodians and users must also be appropriately cleared to
      receive seed KEK's with classified data.                                 

           b.  Classification and Accountability.  See Section 3, of
      this Chapter.                                                            

           c.  Transportation.                                                 

                (1)  Within the U.S.  Fill devices containing
      classified operational KEK's should routinely be transported by
      cleared designated courier or ARFCOS.  However, if distribution
      is to a location which cannot reasonably be served by the above
      means, or the urgency for delivery precludes their use,
      operational KEK's classified up through SECRET may be transported
      by U.S. Registered Mail.  Seed KEK's and unclassified operational
      KEK's may be transported by any means prescribed for transporting
      classified COMSEC material or by U.S. Registered Mail.                   

                (2)  Outside of the U.S.  Fill devices containing
      operational KEK's, regardless of classification, must be
      transported in accordance with arrangements made with the U.S.
      Department of State Office of Communications Security.  Seed
      KEK's, regardless of clearance data may be transported by any
      means prescribed for operational KEK'S.                                  

                (3)  Quantity.  Normally, up to 50 operational and/or
      seed KEK's may be shipped in a single package.  However, when for
      emergency reasons classified operational KEK's must be
      transported by U.S. Registered Mail within the U.S., no more than
      25 may be included in a single package.                                  

           d.  Reserve Key.  Although there is no prohibition against a
      COMSEC Custodian holding some level of seed or operational key in
      reserve for emergency use (e.g., if a terminal fails), that level
      should be kept to a minimum consistent with operational
      requirements, in order to limit the exposure of keys in long-term
      storage.                                                                 

                (1)  COMSEC Custodians must notify the KMS of damaged,
      broken, or otherwise unusable fill devices and return them to the
      KMS for disposition.  The devices must be returned at their
      original classification.                                                 

                (2)  A seed or operational key is considered destroyed
      after it has been loaded in a terminal.  Seed KEK's are
      automatically dropped from central accountability once the
      terminal has been rekeyed through a call to the KMS.  A formal
      destruction report is not required.                                      

                     (a)  COMSEC Custodians must submit a formal
      destruction report for operational KEKs which have been manually
      loaded into the terminal, where a call is not made to the KMS for
      rekeying (a witness to the destruction is not required since the
      terminal records the identification of the key loaded).                  

                     (b)  Manually loaded operational KEK's not
      replaced through a call to the KMS or reported destroyed by a
      destruction report will appear on the COMSEC Custodian's next
      scheduled inventory.                                                     

           f.  Unused KEK(s).  An unused KEK which has passed its
      expiration date should be zeroized (in a Type I terminal) by the
      COMSEC Custodian.  Zeroization must be witnessed by another
      authorized person (e.g., the alternate custodian) who must also
      sign the destruction report submitted to the KMS by the COMSEC
      custodian.  Once zeroized, the KSD may then be used as a CIK.            

      193.  CRYPTO-IGNITION KEYS (CIKS).                                       

           a.  General.  At least one CIK must be created immediately
      following the manual loading of a KEK into a terminal.
      Additional CIK'S, up to the terminal's maximum, may be created at
      this time; or, if the terminal design supports it, the first CIK
      may be designated as a master CIK, allowing subsequent creation
      of additional CIK's as they are required.  Since CIK's permit the
      terminal to be used in the secure mode, they must be protected
      against unauthorized access and use.  The number of CIK's created
      should be kept to the minimum required for operational necessity.        

           b.  Access.  CIK's may normally be retained in the personal
      custody of authorized persons, who must protect them as valuable
      personal property.  Any person who may have unrestricted access
      to the keyed terminal may retain the CIK.                                

           c.  Accountability.  CIK's should be accounted for locally
      to minimize insecurities associated with their use.  Local
      accounting includes maintaining a record of all CIK's created
      along with the names, organizations/locations of the persons to
      whom they are issued.  In addition, the user should verify at
      least once a year to the COMSEC Custodian that he or she still
      holds the CIK.  Verification of CIK holdings should be in writing
      from user to COMSEC account in accordance with procedural
      instruction published by the respective user organizations or the
      Controlling Authority.                                                   

           d.  Transportation.  CIK's may be transported by any means
      prescribed for seed KEKs, or on the person of an authorized user.
      CIKs must always be shipped separately from terminals.                   

           e.  Protection in Use.  During operational hours the CIK may
      be left in the terminal so long as authorized persons are present
      and the terminal is under the continuous visual supervision and
      physical control of an authorized user.  If the area is left
      unattended, authorized persons are not present, or if for any
      reason it is not possible for an authorized user to maintain
      constant visual surveillance and physical control over the
      terminal, the CIK will be removed from the terminal and
      maintained in the personal possession of an authorized user.  In
      the event that the CIK is to be kept in the same room as the
      terminal, the CIK must be afforded protection commensurate with
      the classification of the keyed terminal (e.g., in a GSA-approved
      security container for CONFIDENTIAL, SECRET and TOP SECRET).             

           f.  Losses.
                (1)  Loss of a CIK must be promptly reported to the
      responsible COMSEC Custodian, who must initiate immediate action
      to delete that CIK from all terminals with which it was
      associated.  All losses shall be reported within 72 hours of the
      loss to the responsible FAA COMSEC Custodian.                            

                (2)  In the event of the loss of an unkeyed terminal,
      the associated CIK(s) must be protected at the classification
      level of the key.  Absence of the terminal prevents the erasure
      of the CIK information in the terminal; therefore, the CIK must
      be zeroized, or protected at the level of the terminal when
      keyed.                                                                   

           g.  Disposition.  Once a CIK has been disassociated from a
      terminal (either through deletion of the CIK from the terminal,
      or zeroization of the associated seed or operational KEK in the
      terminal), the CIK requires no special controls and may be
      retained for further use in the same or other terminals.                 

           h.  Master CIK.  The master CIK should be subject to
      additional controls to prevent its loss or use to make
      unauthorized CIK's or unauthorized secure calls.  Master CIK's
      should be kept under the personal control of an authorized person
      who has been briefed on its sensitivity and the requirements for
      its control.                                                             

                (1)  The master CIK should be maintained in a GSA
      approved security container except when it is required to create
      other CIK's or to place secure calls.                                    

                (2)  Storage of the master CIK must be commensurate
      with the classification of the associated KEK.                           

           i.  Interoperable CIK.  An interoperable CIK may be created
      for concurrent use with one of the keys in up to four Type 1
      terminals.  Authentication information associated with the
      interoperable CIK (i.e., organization and clearance level) must
      be representative of every person with access to this CIK.  If
      the clearance level varies between terminals, any person with
      access to the interoperable CIK must be cleared to the highest
      level of the associated key.  While use of an interoperable CIK
      provides users operational flexibility, COMSEC Custodians should
      assure that the appropriate accounting is maintained and that
      losses are acted upon promptly.  It is important that the
      custodian be aware of the status of an interoperable CIK since
      the terminals in which it is used will probably not be colocated
      and each terminal may also have other CIK's associated with it.
      For these reasons, it is recommended that an interoperable CIK
      remain at all times in the personal possession of a single
      individual assigned responsibility for its use.                          

      194.  PROTECTION AND USE OF THE MICRO-KMODC.  The micro-KMODC may
      be used to electronically order and receive keys.  User
      representatives may order keys, but only appropriately cleared
      COMSEC Custodians may receive keys.  The following guidelines
      apply:                                                                   

           a.  Location.  There are no restrictions on where the
      micro-KMODC may be installed.  However, during use, controls must
      be instituted to prevent unauthorized access to the system and
      its keys.                                                                

           b.  Classifications.  All classifications of key may be
      ordered through a micro-KMODC.  However, only unclassified
      operational KEKs, and all seed KEKs regardless of their clearance
      data, may be received at the micro-KMODC.                                

           c.  Disks.  Floppy disks containing seed and operational
      KEK's received at the micro-KMODC must be labelled and handled as
      UNCLASSIFIED CRYPTO material, and must remain under the local
      control of the COMSEC Custodian.  Each KEK on the disk is
      centrally accountable to the KMS.  A receipt is automatically
      generated for these keys between the micro-KMODC and the KMODC,
      and the appropriate COR notified.  Therefore, a separate
      possession report is not required.  KEK's which remain in the
      COMSEC Custodian's account, whether on the disk or in a fill
      device, will be subject to continuous central accounting until
      converted (seed KEK's) or reported destroyed (operational KEK's).        

           d.  Destruction.  When the floppy disks will no longer be
      used for storage of keys, they must be destroyed in accordance
      with NTISSI 4004/AFR 56-5.                                               

      195.-198.  RESERVED.                                                     

              SECTION 12.  DESTRUCTION AND EMERGENCY PROTECTION                

      199.  GENERAL REQUIREMENT.  The provisions of NTISSI 4004/AFR
      56-5, must be followed in the disposal and emergency protection
      of Type 1 terminals and KSD's used as fill devices and CIK'S.            

      200.  RESERVED.                                                          

                    SECTION 13.  REPORTABLE INSECURITIES                       

      201.  INSECURE PRACTICE/COMSEC INCIDENT HANDLING.                        

           a.  General.  With any secure communications system,
      incidents and compromises of terminals and key are possible.  The
      design of the STU-III terminals and keying concept minimizes the
      threat of compromised traffic; therefore, compromise recovery is
      focused on preventing an adversary from posing as a valid user
      (e.g. a keyed terminal is lost and someone is pretending to be
      the individual identified by the terminal's key).  This paragraph
      provides an introduction into the compromise recovery feature for
      Type I terminals.  For Type 2 terminals, there is no compromise
      recovery capability available.                                           

           b.  Compromise Types.  The terminal users and COMSEC
      Custodians are primarily responsible for detecting potential
      compromises and following through with necessary reporting
      procedures.  These potential compromises are broken into two
      classes:  insecure practices/locally reportable events; and,
      COMSEC incidents/centrally reportable events.                            

                (1)  Insecure Practices/Locally Reportable Events.
      Insecure practices are not in and of themselves COMSEC incidents,
      but could lead to loss of integrity of the user's information as
      well as information of other system users.  For this reason,
      insecure practices should be managed locally.  Examples of
      locally reportable events are the loss of a CIK, and failure to
      rekey a terminal within two months of the end of the
      cryptoperiod.  STU-III doctrine contains a complete listing of
      insecure practices.  Incidents of this type shall be reported to
      the servicing security element for the region or center
      concerned.                                                               

                (2)  COMSEC Incidents/Centrally Reportable.  Centrally
      reportable events are reported to the NSA by secure phone,
      AUTODIN, or registered mail.  The AUTODIN reports should be sent
      to:  DIRNSA FT GEO G MEADE MD//S2// (Reports of insecurities
      involving KEK's must include the assigned KEK identification
      number, whether or not there were any CIK's involved, and whether
      they were under protection when the insecurity occurred.)  The
      following are examples of centrally reportable incidents:                

                     (a)  Loss of a master CIK.                                

                     (b)  Failure to zeroize CIK information from a
      Type I terminal within 72 hours of the loss of a CIK.                    

                     (c)  Failure of the COMSEC Custodian to notify the
      KMS that a seed KEK listed on the conversion notice still exists
      in his or her COMSEC account.                                            

                     (d)  Use in the secure mode of a terminal whose
      display is inoperable.                                                   

                     (e)  Failure to adequately protect or zeroize a
      CIK that is associated with an unkeyed terminal which is lost.           

                     (f)  Indication in the terminals display that the
      distant terminal contains compromised key.                               

      202.-204.  RESERVED.                                                     

                       SECTION 14.  RECORDS RETENTION                          

      205.  General.  In addition to the normal records which are
      retained for accounting purposes, certain information must be
      kept to facilitate the automated Federal Secure Voice System
      compromise recovery mechanism.  The following information must be
      maintained for each KEK until it is truly destroyed (i.e.,
      finally zeroized from the terminal or overwritten by a new KEK):         

           a.  The identification of the terminal into which each KEK
      was loaded.                                                              

           b.  The identification of all CIK's associated with each KEK
      by terminal.                                                             

           c.  The identification of all terminals associated with each
      CIK, by CIK.                                                             

      NOTE:  This information may be recorded on the card which
      accompanies each fill device or it may be computerized.                  

      206.-208.  RESERVED.                                                     

                       FOR OFFICIAL USE ONLY
                     PUBLIC AVAILABILITY TO BE
                   DETERMINED UNDER 5 U.S.C. 552

                   APPENDIX 1. REQUIRED FORMS AND REPORTS                     

          Form Number          Unit of             Title
                               Issue                                           

      1.  AFCOMSEC Form 3      Sheet          Record of Custodian              

      2.  AFCOMSEC Form 9      Sheet          Cryptographic Access
                                              Certificate                      

      3.  AFCOMSEC Form 14     Sheet          COMSEC Material Voucher
                                              and Package Register             

      4.  AFCOMSEC Form 16     Sheet          COMSEC Account Daily-
                                              Shift Inventory                  

      5.  FAA Form 1600.8      Sheet          Visitor Register
                                              (Stock No. 0052-00-91
                                              -2000)                           

      6.  FAA Form 1600.54     Sheet          Notification of Personnel
                                              Security Action
                                              (Stock No. 0052-00-869
                                              -4000)                           

      7.  SF-153               Sheet          COMSEC Material Report           

      8.  SF-700               Sheet          Security Container
                                              Information
                                              (NSN:  7540-01-214-5372)         

      9.  SF-701               Sheet          Activity Security Check
                                              - list.
                                              (NSN:  7540-01-213-7899)         

      10.  SF-702              Sheet          Security Container Check
                                              Sheet NSN 7540-01-213
                                              -7900                            

                                              (NSN:  7540-01-213-7900)
      11.  SF-703              Sheet          TOP SECRET Cover Sheet
                                              (NSN:  7540-01-213-7901)         

      12.  SF-704              Sheet          SECRET Cover Sheet
                                              (NSN:  7540-01-213-7902)         

      13.  SF-705              Sheet          CONFIDENTIAL Cover Sheet
                                              (NSN:  7540-01-213-7903)         

      14.  SF-706              Pack           TOP SECRET Label
                                              (NSN:  7540-01-207-5536)         

      15.  SF-707              Pack           SECRET Label
                                              (NSN:  7540-01-207-5537)         

      16.  SF-708              Pack           CONFIDENTIAL Label
                                              (NSN:  7540-01-207-5538)         

      17.  SF-709              Pack           CLASSIFIED Label
                                              (NSN:  7540-01-207-5540)         

      NOTE:  Ordering information for the above forms is as follows:           

                a.  FAA Forms:  Orders for additional copies of FAA
      forms should be submitted to the FAA Depot, Mike Monroney
      Aeronautical Center, ATTN:  AAC-434, P.O. Box 25082, Oklahoma
      City, Oklahoma 73125.                                                    

                b.  AFCOMSEC forms should be ordered by letter request
      60 days before current supply is depleted.  Letter request should
      be sent to HQ ESC/DAPD, San Antonio, TX 78243-5000.  Request an
      estimated 6 month supply.                                                

                c.  Standard forms (SF) should be ordered through
      normal document acquisition channels from the GSA.  If any
      difficulty is encountered obtaining specific SFs contact the
      servicing security element for assistance.                               

                         FOR OFFICIAL USE ONLY
                   Public Availability to be Determined
                           Under 5 U.S.C. 552

              APPENDIX 2. SAMPLE CRYPTOGRAPHIC ACCESS BRIEFING                

      1.  You have been selected to perform duties that will require
      access to U.S. classified cryptographic information.  It is
      essential that you be made aware of certain facts relevant to the
      protection of this information before access is granted.  You
      must know the reason why special safeguards are required to
      protect U.S. classified cryptographic information.  You must
      understand the directives which require these safeguards and the
      penalties you will incur for the unauthorized disclosure,
      unauthorized retention, or negligent handling of U.S. classified
      cryptographic information.  Failure to properly safeguard this
      information could cause serious to exceptionally grave damage, or
      irreparable injury, to the national security of the United States
      or could be used to advantage by a foreign nation.                       

      2.  U.S. classified cryptographic information is especially
      sensitive because it is used to protect classified information.
      Any particular piece of cryptographic keying material and any
      specific cryptographic technique may be used to protect a large
      quantity of classified information during transmission.  If the
      integrity of a cryptographic system is breached at any point, all
      information protected by the system may be compromised.  The
      safeguards placed on U.S. classified cryptographic information
      are a necessary component of government programs to ensure that
      our Nation's vital secrets are not compromised.                          

      3.  Because access to U.S. classified cryptographic information
      is granted on a strict need-to-know basis, you will be given
      access to only that cryptographic information necessary to
      perform your duties.  You are required to become familiar with
      Order 1600.8C, as well as AFRs 56-10 and 56-13.  Sections 641,
      793, 794, 798, and 952, Title 18, U.S. Code are contained in
      attachments 1 through 6 of this appendix.  Cited directives and
      Executive Order 12356 are attached in a briefing book for your
      review at this time.                                                     

      4.  Especially important to the protection of U.S. classified
      cryptographic information is the timely reporting of any known or
      suspected compromise of this information.  If a cryptographic
      system is compromised, but the compromise is not reported, the
      continued use of the system can result in the loss of all
      information protected by it.  If the compromise is reported,
      steps can be taken to lessen an adversary's advantage gained
      through the compromise of the information.                               

      5.  You should know that intelligence services of some foreign
      governments prize the acquisition of U.S. classified
      cryptographic information.  They will go to extreme lengths to
      compromise U.S. citizens and force them to divulge cryptographic
      techniques and materials that protect the nation's secrets around
      the world.  You must understand that any personal or financial
      relationship with a foreign government's representative could
      make you vulnerable to attempts at coercion to divulge U.S.
      classified cryptographic information.  You should be alert to
      recognize those attempts so that you may successfully counter
      them.  The best personal policy is to avoid discussions that
      reveal your knowledge of, or access to, U.S. classified
      cryptographic information and thus avoid highlighting yourself to
      those who would seek the information you possess.  Any attempt,
      either through friendship or coercion, to solicit your knowledge
      regarding U.S. classified cryptographic information must be
      reported immediately to your servicing security element, or to
      ACO-300, ATTN:  ACO-320, Headquarters, Federal Aviation
      Administration, 800 Independence Avenue, S.W., Washington, D.C.,
      telephone 202-267-3961.                                                  

      6.  In view of the risks noted above, unofficial travel to
      certain communist or other designated countries will require the
      prior approval of your manager and the servicing security
      element, or ACO-300.  It is essential that you contact your
      manager and the region/center security office, or ACO-300, if
      such unofficial travel becomes necessary.                                

      7.  Finally, you must know that, should you willfully or
      negligently disclose to any unauthorized persons any of the U.S.
      classified cryptographic information to which you will have
      access, you will be subject to administrative and civil
      sanctions, sanctions, including adverse personnel actions, as
      well as criminal sanctions under the Uniform Code of Military
      Justice or the criminal laws of the United States, as
      appropriate.                                                             

                                 APPENDIX 2
                                Attachment 1                                   

                  Title 18, United States Code Section 641.
                     Public Money, Property or Records.                        

      "Whoever embezzles, steals, purloins or knowingly converts to his
      use or the use of another, or without authority, sells, conveys
      or disposes of any records, voucher, money, or thing of value of
      the United States or of any department or agency thereof, or any
      property made or being made under contract for the United States
      or any department or agency therefor;                                    

      "Whoever receives, conceals, or retains the same with intent to
      convert it to his use or gain, knowing it to have been embezzled,
      stolen, purloined or converted - shall be fined not more than
      $10,000 or imprisoned not more than ten years or both; but if the
      value of such property does not exceed the sum of $100, he shall
      be fined not more than $1,000 or imprisoned not more than one
      year or both.                                                            

      "The word 'value' means face, par, or market value, or cost
      price, either wholesale or retail, whichever is greater."                

                                 APPENDIX 2
                                Attachment 2                                   

                  Title 18, United States Code Section 793.
           Gathering, Transmitting or Losing Defense Information.              

      "(a) Whoever, for the purpose of obtaining information respecting
      the national defense with intent or reason to believe that the
      information is to be used to the injury of the United States, or
      to the advantage of any foreign nation, goes upon, enters, flies
      over, or otherwise obtains information concerning any vessel,
      aircraft, work of defense, navy yard, naval station, submarine
      base, fueling station, fort, battery, torpedo station, dockyard,
      canal, railroad, arsenal, camp, factory, mine, telegraph,
      telephone, wireless, or signal station, building, office,
      research laboratory or station or other place connected with the
      national defense owned or constructed, or in progress of
      construction by the United States or under the control of the
      United States, or of any of its officers, departments, or
      agencies, or within the exclusive jurisdiction of the United
      States, or any place in which any vessel, aircraft, arms,
      munitions, or any other materials or instruments for use in time
      of war are being made, prepared, repaired, stored, or are the
      subject of research or development, under any contract or
      agreement with the United States, or any department or agency
      thereof, or with any person on behalf of the United States, or
      otherwise on behalf of the United States, or any prohibited place
      so designated by the President by proclamation in time of war or
      in case national emergency in which anything for the use of the
      Army, Navy, or Air Force is being prepared or constructed or
      stored, information as to which prohibited place the President
      has determined would be prejudicial to the national defense; or          

      (b) Whoever, for the purpose aforesaid, and with like or reason
      to believe, copies, takes, makes, or obtains, or attempts to
      copy, take, make, or obtain, any sketch, photograph, photographic
      negative, blueprint, plant map, model, instrument, appliance,
      document, writing, or note of anything connected with the
      national defense; or                                                     

      (c) Whoever, for the purpose aforesaid, receives or obtains or
      agrees or attempts to receive or obtain from any person, or from
      any source whatever, any document, writing, code book, signal
      book, sketch, photograph, photographic negative, blueprint, plan,
      map, model, instrument, appliance, or note, of anything connected
      with the national defense, knowing or having reason to believe,
      at the time he receives or obtains, or agrees or attempts to
      receive or obtain it, that it has been or will be obtained, taken
      made or disposed of by any person contrary to the provisions of
      this chapter; or                                                         

      (d) Whoever, lawfully having possession of, access to, control
      over, or being entrusted with any document, writing, code book,
      signal book, sketch, photograph, photographic negative,
      blueprint, plan, map, model, instrument, appliance, or note
      relating to the national defense, or information relating to the
      nation defense which information the possessor has reason to
      believe could be used to the injury of the United States or to
      the advantage of any foreign nation, willfully communicates,
      delivers, transmits or causes to be communicated, delivered or
      transmitted or attempts to communicate, deliver transmit or cause
      to be communicated, delivered or transmitted to receive it, or
      willfully retains the same and fails to deliver it on demand to
      the officer or employee of the United States entitled to receive
      it; or                                                                   

      (e) Whoever having unauthorized possession of, access to, or
      control over any documents, writing, code book, signal book,
      sketch, photograph, photographic negative, blueprint, plan, map,
      model, instrument, appliance, or note relating to the national
      defense, or information relating to the national defense which
      information the possessor has reason to believe could be used to
      the injury of the United States or the advantage of any foreign
      nation, willfully communicates, delivers, transmits, or causes to
      be communicated, delivered, or transmitted, or attempts to
      communicate, deliver, transmit or cause to be communicated,
      delivered, or transmitted the same to any person not entitled to
      receive it, or willfully retains the same and fails to deliver it
      to the officer of employee of the United States entitled to
      receive it; or                                                           

      (f) Whoever, being entrusted with or having lawful possession of
      control of any document, writing, code book, signal book, sketch,
      photograph, photographic negative, blueprint, plan, map, model,
      instrument, appliance, note, or information relating to the
      national defense, (1) through gross negligence permits the same
      to be removed from its proper place of custody or delivered to
      anyone in violation of his trust, or to be lost, stolen,
      abstracted, or destroyed, or (2) having knowledge that the same
      has been illegally removed from its proper place of custody or
      delivered to anyone in violation of its trust, or lost, or
      stolen, abstracted, or destroyed, and fails to make prompt report
      of such loss, theft, abstraction, or destruction to his superior
      officer -- shall be fined not more than $10,000 or imprisoned not
      more than ten years, or both, or                                         

      (g) If two or more persons conspire to violate any of the
      foregoing provisions of this section, and one or more of such
      persons do any act to effect the object of the conspiracy, each
      of the parties to such conspiracy shall be subject to the
      punishments provided for the offense which is the object of such
      conspiracy."                                                             

                                 APPENDIX 2
                                Attachment 3                                   

                  Title 18, United States Code Section 794.                    

                       Gathering or delivering defense
                   information to aid foreign government.                      

      "(a) Whoever, with intent or reason to believe that it is to be
      used to the injury of the United States or to the advantage of a
      foreign nation, communicates, delivers, or transmits, or attempts
      to communicate, deliver, or transmit, to any foreign government,
      or to any fraction or party or military or naval force within a
      foreign country, whether recognized or unrecognized by the United
      States, or to any representative, officer, agent, employee,
      subject, or citizen thereof, either directly or indirectly any
      document, writing, code book, signal book, sketch, photograph,
      photographic negative, blueprint, plan, map, model, note,
      instrument, appliance, or information relating to the national
      defense, shall be punished by death or imprisonment for any term
      of years or for life.                                                    

      (b) Whoever, in time of war, with intent that the same shall be
      communicated to the enemy, collects, records, publishes, or
      communicates or attempts to elicit any information with respect
      to the movement, numbers, description, condition, or disposition
      of any of the Armed Forces, ships, aircraft, or war materials of
      the United States or with respect to the plans or conduct, or
      supposed plans or conduct of any naval or military operations, or
      with respect to any works or measures undertaken for or connected
      with, or intended for the fortification or defense of any place,
      or any other information relating to the public defense, which
      might be useful to the enemy, shall be punished by death or by
      imprisonment for any term of years or for life.                          

      (c) If two or more persons conspire to violate this section, and
      one or more of such persons do any act to effect the object of
      the conspiracy, each of the parties to such conspiracy shall be
      subject to the punishment provided for the offense which is the
      object of such conspiracy."                                              

                                 APPENDIX 2
                                Attachment 4                                   

                  Title 18, United States Code Section 798.
                    Disclosure of classified information.                      

      "(a) Whoever knowingly and willfully communicates, furnishes,
      transmits, or otherwise makes available to an unauthorized
      person, or publishes, or uses in any manner prejudicial to the
      safety of interest of the United States or for benefit of any
      foreign government to the detriment of the United States and
      classified information -                                                 

           (1)  concerning the nature, preparation, or use of any code,
      cipher, or cryptographic system of the United States or any
      foreign government; or                                                   

           (2)  concerning the design, construction, use, maintenance,
      or repair of any device, apparatus, or appliance used or prepared
      or planned for use by the United States or any foreign government
      for cryptographic or communication intelligence purposes; or             

           (3)  concerning the communication intelligence activities of
      the United States or any foreign government; or                          

           (4)  obtained by the process of communications intelligence
      from the communications of any foreign government, knowing the
      same to have been obtained by such processes - shall be fined not
      more than $10,000 or imprisoned not more than ten years, or both.        

      (b) As used in subsection (a) of this section -- The term
      'classified information' means information which, at the time of
      a violation of this section, is for reasons of national security,
      specifically designated by a United States Government Agency for
      limited or restricted dissemination or distribution; the terms
      'code,' 'cipher,' and 'cryptographic system' include in their
      meanings, in addition to their usual meanings, any method of
      secret writing and any mechanical or electrical device or method
      used for the purpose of disguising or concealing the contents,
      significance, or meanings of communications; the term 'foreign
      government' includes in its meaning any person or persons acting
      or purporting to act for or on behalf of any faction, party,
      department, agency, bureau, or military force of or within a
      foreign government, or for or on behalf of any government or any
      person or persons purporting to act as a government within a
      foreign country, whether or not such a government is recognized
      by the United States.  The term 'communications intelligence'
      means all procedures and methods used in the interception of
      communications and the obtaining of information from such
      communications by other than intended recipients; The term
      'unauthorized person' means any person who, or agency which, is
      not authorized to receive information of the categories set forth
      in subsection (a) of this section, by the President, or by the
      head of a department or agency of the United States Government
      which is expressly designated by the President to engage in
      communication intelligence activities for the United States.             

      (c) Nothing in this section shall prohibit the furnishing, upon
      lawful demand, of information to any regularly constituted
      committee of the Senate or House of Representatives of the United
      States of America, or joint committee thereof."                          

                                  APPENDIX 2
                                 Attachment 5                                  

                  Title 18, United States Code Section 952.
                    Diplomatic codes and correspondence.                       

      "Whoever, by virtue of this employment by the United States,
      obtains from another or has or has had custody of or access to,
      any official diplomatic code, and without authorization or
      competent authority, willfully publishes or furnishes to another
      any such code or matter, or any matter which was obtained while
      in the process of transmission between any foreign government and
      its diplomatic mission in the United States, shall be fined not
      more than $10,000 or imprisoned not more than ten years, or
      both."                                                                   

                                 APPENDIX 2
                                Attachment 6                                   

                  Title 50, United States Code Section 783
                                  Offenses.                                    

      "Communications of classified information by Government officer
      or employee.  It shall be unlawful for any officer or employee of
      the United States or any department or agency thereof, or of any
      corporation the stock of which is owned in whole or in major part
      by the United States or any department or agency thereof, to
      communicate in any manner or by any means, to any person whom
      such officer or employee knows or has reason to believe to be an
      agent or representative of any foreign government or member of
      any Communist organization as defined in paragraph (5) of section
      782 of this title, any information of a kind which shall have
      been classified by the President (or by the head of any such
      department, agency, or corporation with approval of the
      President) as affecting the security of the United States,
      knowing or having reason to know that such information has been
      so classified, unless such officer or employee shall have been
      specifically authorized by the President, or by the head of the
      department, agency, or corporation by which this officer or
      employee is employed, to make such disclosure of such
      information."                                                            

                       FOR OFFICIAL USE ONLY
                        PUBLIC AVAILABILITY TO BE
                      DETERMINED UNDER 5 U.S.C. 552

                APPENDIX 3. CRYPTOGRAPHIC ACCESS CERTIFICATE                  

                      CRYPTOGRAPHIC ACCESS CERTIFICATE
              (This form is covered by the Privacy Act of 1974)                

      Privacy Act Statement:  Authority.  Executive Order 9397.
      Routine and sole use of the SSN is to identify the individual
      precisely when necessary to certify access to US cryptographic
      information.  While disclosure of your SSN is voluntary, your
      failure to do may delay certification, and in some cases, prevent
      original access to US cryptographic information.                         

                            Section 1 (Type Only)
      _________________________________________________________________
      | Installation    | Unit/Office Symbol    | Supporting COMSEC   |
      |                 |                       | Account Number      |
      |                 |                       |                     |
      |_________________|_______________________|_____________________|        

      Instructions:  Section 2 of this certificate must be accomplished
      before an individual may be granted access to US cryptographic
      information.  Section 3 will be accomplished when the individual
      no longer requires such access.  This certificate (original) will
      be made a permanent part of the official records of the person
      concerned.                                                               

                     Section 2.  Authorization for Access to US
                                 Cryptographic information                     

        A.  I understand that I am being granted access to US
      cryptographic information.  I understand that my being granted
      access to cryptographic information involves me in a position of
      special trust and confidence concerning matters of national
      security.  I hereby acknowledge that I have been briefed
      concerning my obligation with respect to such access.                    

        B.  I understand that safeguarding US cryptographic information
      is of the utmost importance and that the loss or compromise of
      such information could lead to irreparable damage to the US and
      its allies.  I understand that I am obligated to protect US
      cryptographic information and I have been instructed in the
      special nature of this information and the principle for the
      protection of such information.  I acknowledge that I have also
      been instructed in the rules requiring that I report any
      unofficial foreign contacts and travel to my appropriate security
      officer and that, before this briefing, I reported any
      unauthorized foreign travel or foreign contacts I may have had in
      the past.  I understand that I am subject to and consent to an
      aperiodic, counterintelligence security polygraph examination.           

        C.  I understand fully the information presented at the
      briefing I have received and am aware that any disclosure of US
      cryptographic information to unauthorized persons may make me
      subject to prosecution under the criminal law of the US.  I have
      read this certificate and my questions, if any, have been
      answered.  I acknowledge that the briefing officer has made
      available to me the provisions of Sections 641, 793, 794, 798,
      and 952, Title 18, US Code and Executive Order 12356.  I
      understand that, if I disclose to any unauthorized person any of
      the cryptographic information to which I have access, I may be
      subject to prosecution under the Uniform Code of Military Justice
      and/or the criminal laws of the US.  I understand and accept that
      unless I am released in writing by an authorized representative
      of my appropriate security office, the terms of this certificate
      and my obligation to protect all cryptographic information to
      which I may have access apply during the time of my access and at
      all times thereafter.                                                    

      ACCESS GRANTED THIS ____________ DAY OF _________________ 19 ____        

      SIGNATURE ______________________ NAME, GRADE, SSN, DOB __________
                                                            (Type Only)        

      ________________________________ ________________________________
      SIGNATURE OF ADMINISTERING       NAME, GRADE,         (Type Only)
      OFFICIAL                         OFFICIAL POSITION                       

                     SECTION 3.  TERMINATION OF ACCESS TO US
                                 CRYPTOGRAPHIC INFORMATION                     

      I am aware that my authorization for access to cryptographic
      information is being withdrawn.  I fully appreciate and
      understand that the preservation of the security of US
      cryptographic information is of vital importance to the welfare
      and defense of the US.  I certify that I will never divulge any
      US cryptographic information I acquired, nor discuss with any
      person any of the US cryptographic information to which I have
      had access, unless and until freed from this obligation by
      unmistakable or categorical official notice from competent
      authority.  I have read this agreement carefully and my
      questions, if any, have been answered to my satisfaction.  I
      acknowledge that the briefing officer has made available to me
      Sections 641, 793, 794, 798, and 952 of Title 18, US Code,
      Section 783(b) of Title 50, US Code; and Executive Order 12356.          

                                       () Administrative
      REASONS FOR WITHDRAWAL           () Suspension
      (Check One:)                     () Revocation
      ACCESS WITHDRAWN THIS __________ DAY OF _________________ 19 ____        

      SIGNATURE ______________________ NAME, GRADE, SSN, DOB __________
                                                            (Type Only)        

      ________________________________ ________________________________
      SIGNATURE OF ADMINISTERING       NAME, GRADE,     (Type or Stamp)
      OFFICIAL                         OFFICIAL POSITION                       

                     FOR OFFICIAL USE ONLY
                  Public Availability to be Determined
                        Under 5 U.S.C. 552

             APPENDIX 4. SECURE TELECOMMUNICATIONS FACILITY AND 
 COMSEC ACCOUNT CHECKLIST                             

      1.  All items in the checklist apply to COMSEC accounts and
      COMSEC user facilities unless considered not applicable by the
      servicing security element or ACS-300 due to specific
      circumstances.  Only those items preceded with an asterisk in
      parentheses (*) apply to administrative accounts.                        

      (*)  2.  (Some questions are self contained that is, good
      management practice dictates an affirmative response to the
      question, but the question itself is the only authority.                 

                                   General                                     

      (*)  1.  Is a semiannual (or upon change of custodian) inventory
      of the COMSEC account being performed as required?
      (AFR 56-10)                                                              

      (*)  2.  Have all discrepancies indicated on previous inspection
      reports (regional/center servicing security element inspections
      and Headquarters ACS-300 inspections) been corrected?
      (AFKAG-1)                                                                

      (*)  3.  If the answer to (2) is "no" what discrepancies still
      exist and what action has been taken to correct them?  Have
      timely follow-up actions been taken? (AFKAG-1)                           

      (*)  4.  Has the COMSEC custodian verified the final clearance of
      all personnel listed on the COMSEC accounts authorized
      entrance/access list each month?  (AFR 56-6/NACSI 4008)
      (*)  5.  Has the custodian verified that each person on the
      authorized entrance/access list has complied with all
      requirements of FAA's Formal Cryptographic Access (FCA) Program
      to include having received a briefing and having a signed,
      current Cryptographic Access Certificate on file?  (AFSSI 4000,
      Order 1600.8C)                                                           

      (*)  6.  Has the facility manager having responsibility for
      COMSEC or the COMSEC custodian validated the authorized
      entrance/access list on a monthly basis?  (AFR 56-6/NACSI 4008)          

      (*)  7.  Do the COMSEC storage areas of the COMSEC account meet
      minimum physical security requirements established by National
      COMSEC Instruction (NACSI) 4008 and Order 1600.8C?                       

      (*)  8.  Is there documented approval on file certifying that the
      COMSEC account has been inspected and approved for the storage of
      classified COMSEC information by the servicing security element
      for regions/center and by ACS-300 for Washington Headquarters?
      (AFR 56-6/NACSI 4008, AFR 56-13/NACSI 4005)                              

      (*)  9.  Are SF 700, Security Container Information, prepared and
      affixed to the inside of vault doors and the locking drawer of
      GSA approved safes and containers? (AFR 56-13/NACSI 4005)                

      (*)  10.  Are safe/vault combinations changed in accordance with
      Order 1600.2C to include at least every 12 months or when a
      person knowing the combination is relieved, transferred, or
      terminated? (AFR 56-6/NACSI 4008)
      (*)  11.  Does the COMSEC facility have an emergency plan which
      provides adequate instructions for implementing
      safeguarding/destruction procedures in the event of an emergency?
      (AFR 56-10/COMSEC User's Guide, AFR 56-5/NTISSI 4004)                    

      (*)  12.  Have all assigned personnel including COMSEC custodian
      and alternates, reviewed and participated in quarterly tests (dry
      runs) of the emergency plans?  (AFR 56-5/NTISSI 4004)                    

      (*)  13.  Have the COMSEC emergency plans been coordinated with
      the contingency plans or the facility both initially and whenever
      significant changes are made?  (AFR 56-5/NTISSI 4004, AFR
      56-10/COMSEC User's Guide)                                               

      (*)  14.  Have adequate destruction equipment and materials been
      provided or suitable arrangements made for emergency destruction?
      (AFR 56-5/NTISSI 4004)                                                   

      (*)  15.  Does the account report file contain transfer,
      destruction, and inventory reports?  Are they filed in numerical
      order by voucher Number? (AFKAG-2)                                       

      (*)  16.  Is the account report file properly classified, with a
      minimum of CONFIDENTIAL? (AFKAG-2)                                       

      (*)  17.  Does the account properly maintain the AFCOMSEC Form
      14, COMSEC Material-Voucher and Package Register?  (AFKAG-2)             

      (*)  18.  Is the AFCOMSEC Form 3 current and maintained in the
      account report file?  (AFKAG-2)                                          

      (*)  19.  Is the proper disposition made of all COMSEC files and
      records?  (AFKAG-1, AFR 56-10/COMSEC User's Guide)                       

                              Physical Security                                

      (*)  20.  Were correct procedures used to identify and admit
      inspection personnel?  Was each person in the inspection party
      required to sign the FAA Form 1600.8, Visitor Register, upon
      admittance?  (AFR 56-6/NACSI 4008)                                       

      NOTE:  All personnel not listed on the access list must be signed
      in on FAA Form 1600.8 prior to being granted access to the COMSEC
      area.                                                                    

           21.  Has a way been provided so that persons seeking entry
      may be identified prior to admission or viewing of COMSEC
      operations?  (AFR 56-6/NACSI 4008, AFR 56-13/NACSI 4005)                 

           22.  Are all secure telecommunications facility doors
      solidly constructed and fitted with approved secure locks?
      (AFR 56-6/NACSI 4008, AFR 56-13/NACSI 4005)                              

           23.  Is the secure telecommunications facility sound proofed
      and have measures been taken to prevent acoustic interception?
      (AFR 56-6/NACSI 4008)                                                    

           24.  Is an authorized entrance list posted inside the
      facility or inside the COMSEC security container (for an
      administrative facility)?  (AFR 56-6/NACSI 4008)                         

           25.  Is the authorized entrance list limited to persons
      assigned and others whose duties may require frequent admittance?
      (AFR 56-6/NACSI 4008)                                                    

           26.  Are specific persons designated by name to authorize
      admittance to those persons not on the authorized entrance and
      access list?  (AFR 56-6/NACSI 4008)                                      

           27.  Are visitors being processed in and escorted within the
      facility?  (AFR 56-6/NACSI 4008)                                         

           28.  Is a copy of the most current TSCM survey on file?
      (AFKAG-1, Order 1600.12C)                                                

      (*)  29.  Have the operational STU-III terminals located in
      offices and residences been inspected within the previous 6
      months by technically competent personnel?                               

      (*)  30.  Is strict accountability maintained for all accountable
      COMSEC material held?  (AFKAG-2, AFR 56-10/COMSEC User's Guide,
      and AFR 56-13/NACSI 4005)                                                

      (*)  31.  During the periodic inventories prescribed in AFKAG-2,
      is the material physically sighted, including material on hand
      receipts to users?  (AFKAG-2)                                            

      (*)  32.  Are written directives in effect that ensure all
      persons who have classified COMSEC material on hand receipt are
      relieved from accountability before permanent departure?
      (AFKAG-2)                                                                

      (*)  33.  Is a daily or shift inventory made for all COMSEC
      materials and equipments where applicable?  (AFR 56-10/COMSEC
      User's Guide, AFR 56-13/ NACSI 4005)                                     

      (*)  34.  Is an inventory performed of COMSEC materials stored in
      a locked safe or other container before closure or locking of the
      container?  (AFR 56-13/NACS1 4005)                                       

           35.  (U)  Is COMSEC and keying material at user activities
      being destroyed immediately, but no later than 12 hours after
      supersession?  (AFR 56-5/NTISSI 4004)                                    

           36.  (U)  Are COMSEC materials at the COMSEC account being
      destroyed as soon as possible after supersession, but within the
      time requirements of AFR 56-5?  (AFR 56-5/NTISSI 4004)                   

      (*)  37.  (U)  Is proper documentation being maintained locally
      for accountable COMSEC materials destroyed before normal
      reporting to the central office of record (COR)?  (AFR
      56-5/NTISSI 4004, AFR 56-10/COMSEC User's Guide)                         

      (*)  38.  (U)  Are all assigned personnel familiar with the
      procedures for reporting possible physical compromises?  (AFR
      56-10/COMSEC User's Guide, AFR 56-12/NTISSI 4003)                        

      (*)  39.  (U)  Have page checks been made and properly recorded
      in COMSEC documents as required?  (AFR 56-10/COMSEC User's Guide,
      AFR 56-13/NACSI 4005)                                                    

      (*)  40.  (U)  Are security checks being performed at the end of
      each shift or on a daily basis as required?  (AFR 56-10/COMSEC
      User's Guide)                                                            

      (*)  41.  (U)  Are adequate authorized facilities available to
      destroy classified waste and are they convenient to each facility
      or account?  (AFR 56-5/NTISSI 4004)                                      

      (*)  42.  (U)  Are there appropriate signs displayed to designate
      the secure telecommunications facility as a CLOSED Area?  (Order
      1600.8C, Order 1600.2C)                                                  

      NOTE:  This item applies to administrative accounts only if
      operations codes or authentication systems are held for issue to
      users.                                                                   

      (*)  43.  (U)  Are users given adequate guidance on effective
      dates, accounting, supersession, destruction, physical security,
      and reporting of COMSEC insecurities?  (AFR 56-10/COMSEC User's
      Guide, AFR 56-11/COMSEC Duties and Responsibilities)                     

           44.  (U)  Has the account developed written standard
      operating procedures (SOP), on handling, controlling and
      protecting COMSEC assets including inventory and destruction?
      (AFKAG-1, AFR 56-6/NACSI 4008)                                           

           45.  (U)  Have user accounts developed in coordination with
      the COMSEC custodian their own written SOPs on the handling,
      controlling and safeguarding of COMSEC assets to include
      inventory and destruction?  (AFR 56-10/COMSEC User's Guide, AFR
      56-6/NACSI 4008)                                                         

           46.  Are all applicable TOP SECRET keying material being
      handled and protected under Two Person Integrity or is an AFCSC
      approved waiver on file?                                                 

                           Cryptographic Security                              

           47.  Are the referenced directives used with appropriate
      SOPs to report insecurities?  (AFR 56-12/NTISSI 4003)                    

           48.  Has a training program been initiated to ensure
      proficiency in all phases of COMSEC operation.  Is this training
      documented?  (AFR 56-10/COMSEC User's Guide, AFR 56-11/COMSEC
      Duties and Responsibilities)                                             

           49.  Has a specified time been established for circuit
      changes and is a record kept of the time of last change to ensure
      the cryptoperiod is not exceeded?  (AFKAG-1.  AFR 56-5/NTISSI
      4004, AFR 56-10/COMSEC User's Guide, AFR 56-13/NACSI 4005)               

           50.  Does the operations section maintain SOPs which list
      current SPECAT codewords and outline specific procedures for
      processing and safeguarding these types of messages?  (AFKAG-1)          

           51.  If appropriate, have persons been briefed on any
      special handling procedures required by the originator or
      recipient of SPECAT messages?  (AFKAG-1)                                 

                              COMSEC Management                                

      (*)  52.  Are all COMSEC materials (initial and resupply) and
      amendments thereto being received and posted on a timely basis?
      (AFKAG-2 and AFR 56-11/COMSEC Duties and Responsibilities)               

      (*)  53.  When permissible, are extracts made from COMSEC
      publications rather than requesting increased allowance?  (AFR
      56-9/NACSI 4004)                                                         

      (*)  54.  With reference to 54, above - was controlling authority
      approval obtained to make extracts?  (AFR 56-9/NACSI 4004)               

      (*)  55.  Are all items and amounts of COMSEC materials limited
      to those which are absolutely essential to the efficient
      operation and mission of the FAA facility being supported?
      (AFKAG-1, AFKAG-2, AFR 56-10/COMSEC User's Guide, AFR
      56-11/COMSEC Duties and Responsibilities, AFR 56-13/NACSI 4005)          

      (*)  56.  Are COMSEC holdings surveyed on a continuing basis to
      determine if items are no longer required or are being received
      in quantities in excess of requirements?  (AFKAG-1, AFKAG-2, AFR
      56-10/COMSEC User's Guide, AFR 56-11/COMSEC Duties and
      Responsibilities, AFR 56-13/NACSI 4005)                                  

      (*)  57.  Has required annual COMSEC indoctrination or training
      been administered to FAA contractors having access to COMSEC
      materials or information (training identical to that provided for
      FAA personnel)?  (AFKAG-1, AFR 56-12/NTISSI 4003)                        

      (*)  58.  Are both the custodian and the alternates familiar with
      and actively performing their assigned duties and
      responsibilities?  (AFR 56-11/COMSEC Duties and Responsibilities)        

      (*)  59.  Are all insecurity reports thoroughly reviewed for
      accuracy by the COMSEC custodian and the facility or office
      manager having responsibility for COMSEC before being forwarded
      through official channels?  (AFR 56-12/NTISSI 4003)                      

      (*)  60.  Has corrective action been taken to prevent the
      recurrence of COMSEC insecurities?  (AFR 56-12/NTISSI 4003)              

      (*)  61.  Are insecurity reports being processed in a timely
      manner? (AFR 56-12/NTISSI 4003)                                          

      (*)  62.  Is the COMSEC custodian conducting user training prior
      to issue of COMSEC materials and at least annually?  (AFR
      56-10/COMSEC User's Guide, AFR 56-11/COMSEC Duties and
      Responsibilities)                                                        

      (*)  63.  Is there training documentation available at the
      account?  (AFR 56-10/COMSEC User's Guide, AFR 56-11/COMSEC Duties
      and Responsibilities)                                                    

      (*)  64.  Has the COMSEC custodian made maximum use of the
      Qualification Training Package (QTP) 491X1-30E, COMSEC Account
      Management, for training of all assigned personnel not attending
      the formal COMSEC training course.  Is documentation of training
      on hand in the COMSEC account?  (AFR 56-11/COMSEC Duties and
      Responsibilities)                                                        

           65.  Have all applicable personnel been granted Formal
      Cryptographic Access (FCA)?  Have procedures been established to
      debrief personnel upon departure (PCS, termination or
      retirement), and for suspension or revocation of access.  (Order
      1600.8C)                                                                 

           66.  Are all waivers granted to COMSEC accounts or COMSEC
      responsible personnel current?                                           

                               FOR OFFICIAL USE ONLY
                             PUBLIC AVAILABILITY TO BE
                           DETERMINED UNDER 5 U.S.C. 552

           APPENDIX 5. PUBLICATIONS TO BE MAINTAINED BY ALL FAA COMSEC 
 ACCOUNTS                                               

      1.  General.  The publications listed in paragraph 3, below, are
      to be maintained in each FAA COMSEC operational and monitor
      account.                                                                 

      2.  Abbreviations.  The following abbreviations are used in this
      Appendix with the associated meanings as shown below.                    

           a.  AFR - Air Force Regulation.  This is an Air Force policy
      document.  The 56-series of AFRs are directives implementing the
      national COMSEC policy as established by the National Security
      Agency (NSA).                                                            

           b.  NACSI - National Communications Security Instruction.
      The NACSI is an NSA publication that establishes national COMSEC
      policies and procedures.                                                 

           c.  NTISSI - National Telecommunications And Information
      Systems Security Instruction.  The NTISSI is also an NSA
      document.  NTISSIs are used to promulgate current COMSEC doctrine
      and frequently will supersede an older NACSI.                            

           d.  NACSI/AFR or NTISSI/AFR.  When the AFR number is also
      provided on a NACSI or NTISSI it indicates that the Air Force has
      added its own guidance and interpretation to the basic NSA
      document.                                                                

      3.  Publication Listing.                                                 

      _________________________________________________________________
      Item          AFR NO.     NSA Reference          Subject
      _________________________________________________________________
      01             56-1                          Signal Security             

      02             56-2        NCSC-9         Communications Security
                                                  Glossary                     

      03             56-3        NTISSI 4002    Classification Guide
                                                  for COMSEC                   

      04             56-4        NACSI 6002     Security of Defense
                                                  Contractor
                                                    Telecommunications         

      05             56-5        NTISSI 4004    Routine Destruction and
                                                  Emergency Protection
                                                    of COMSEC Material         

      06             56-6        NACSI 4008     Safeguarding COMSEC
                                                  Facilities                   

      07             56-7        NACSI 4007     Management of Manual
                                                  Cryptosystems                

      08             56-9        NACSI 4004     Controlling Authorities
                                                  for COMSEC Material          

      09             56-10       .....          COMSEC User's Guide            

      10             56-11       .....          COMSEC Duties and
                                                  Responsibilities
      11             56-12       NTISSI 4003    Reporting COMSEC
                                                  Insecurities                 

      12             56-13       NACSI 4005     Safeguarding and
                                                  Control of COMSEC
                                                    Material                   

      13             56-19       NACSI 4009     Protected Distribution
                                                  Systems                      

      14             56-20       NACSI 4001     Controlled
                                                  Cryptographic Items          

      15             .....       NTISSI 4005    Control of TOP SECRET
                                                  Keying Material              

      16             AFSAL 4001  NTISSI 4001    Controlled
                                                  Cryptographic Items          

      17             .....       NTISSI 3013    Operational Security
                                                  Doctrine for the
                                                    Secure Telephone
                                                    Unit III (STU-III)
                                                    Type 1 Terminal            

                       FOR OFFICIAL USE ONLY
                       PUBLIC AVAILABILITY TO BE
                      DETERMINED UNDER 5 U.S.C. 552

             APPENDIX 6. PHYSICAL SECURITY STANDARDS FOR FIXED 
 COMSEC FACILITIES                                

      1.  INTRODUCTION.  This appendix sets forth the standards for the
      physical security safeguarding of fixed FAA COMSEC facilities.
      It implements the provisions of Annex A, NACSI No. 4008/AFR 56-6.
      These standards apply to fixed FAA facilities which contain
      classified COMSEC material and which are devoted principally to
      normal activities involving these materials (e.g., secure
      telecommunications, manufacturing, training, maintenance, and
      storage).  Unless reference is made to a specific facility type,
      these standards apply equally to all FAA fixed COMSEC facilities.        

      2.  LOCATION.  FAA fixed COMSEC facilities will be located in an
      area which provides positive control over access, and is as far
      as possible from areas which are difficult or impossible to
      control (e.g., parking lots, ground floor exterior walls,
      multiple corridors or driveways, or surrounded by other
      uncontrolled buildings or offices).                                      

      3.  CONSTRUCTION.  A fixed COMSEC facility must be constructed of
      solid, strong materials to prevent unauthorized penetration and
      to show evidence of attempts at unauthorized penetration.  It
      must provide adequate attenuation of internal sounds which could
      divulge classified information through walls, doors, windows,
      ceilings, air vents and ducts.  Maximum physical security is
      achieved when these facilities are of vault-type construction as
      specified in Annex E to NACSI No. 4005/AFR 56-13.  As a minimum,
      construction or modification of an area containing a FAA fixed
      COMSEC facility shall conform to the following requirements.             

           a.  Walls, Floor, and Ceilings.  Walls, floors, and ceilings
      shall be of sufficient structural strength to prevent, or show
      evidence of attempts at, unauthorized penetration.  Walls shall
      be constructed from true floor to true ceiling.  Where false
      ceilings are used, additional safeguards are required to resist
      unauthorized entry (e.g., installation of an approved intrusion
      detection system in the area above the false ceiling).                   

           b.  Doors and Entrance Areas.  Only one door shall be used
      for regular entrance to the facility.  Other doors may exist for
      emergency exit and for entry or removal of bulky items.  All
      doors shall remain closed during facility operations and will
      only be opened to admit authorized personnel or material.  The
      following standards apply to FAA COMSEC facility doors and
      entrance areas.                                                          

                (1)  Main Entrance Door.                                       

                     (a)  Design and Installation.  The door must have
      sufficient strength to resist forceful entry.  In order of
      preference, examples of acceptable doors are:                            

                          1  GSA-approved vault doors.                         

                          2  Standard 1-3/4-inch, internally
      reinforced, hollow metal industrial doors.                               

                          3  Metal-clad or solid hardwood doors with a
      minimum thickness of 1-3/4-inches.                                       

      The door frame must be securely attached to the facility and must
      be fitted with a heavy-duty/high-security strike plate and hinges
      installed with screws long enough to resist removal by prying.
      The door shall be hung so that the hinge pins cannot be removed
      from the exterior side of the door.                                      

                     (b)  Door Lock.  The main entrance door to FAA
      fixed C0MSEC facilities must be equipped with a GSA-approved,
      built-in, Group 1-R lock. (Note:  A GSA-approved Group 1-R lock
      is a three-position combination lock with a changeable
      combination, is manipulation proof, and is radiation resistant.)
      When FAA COMSEC facilities are continuously manned, an
      electronically actuated lock (e.g., cipher lock or keyless
      pushbutton lock) may be used on the entrance door to facilitate
      the admittance of authorized personnel when the facility is
      operationally manned.  Electronic locks do not afford the
      required physical security protection and may not be used as a
      substitute for the Group 1-R lock required to secure the facility
      when it is not manned.                                                   

                          1  If a cipher lock is used, it must be one
      of the following:                                                        

                             a  Federal Stock Number (FSN) 6350-957-
      4190.  This lock is being produced by several manufacturers.  FSN
      5340-757-0691, manufacturers' part number 152, electric latch
      release, is also needed.                                                 

                             b  Simplex Pushbutton Combination Lock,
      Model NL-A-200-S.  This lock is manufactured by Simplex Security
      Systems, Inc., Collinsville, CT.                                         

      Note:  The knowledge of the combination must be strictly
      controlled and released only to persons assigned regular duties
      within the secure telecommunications facility.  It is emphasized
      that this type of lock is used only as a convenience feature and
      affords no protection from forced or surreptitious manipulation.
      Pushbuttons must be cleaned at least weekly.                             

                          2  A key-operated, pin-and-tumbler,
      night-latch-type lock may be used for personnel access control
      during periods when the facility is operationally manned if the
      following conditions are met:
                             a  The lock must be mounted so that it
      cannot be removed from the outside.                                      

                             b  The lock must have a spring-load
      locking feature.                                                         

                             c  All keys must be numbered and issued
      only on hand receipts to provide a written record of all keys.
      Extra keys will be maintained within the FAA COMSEC facility and
      will be accounted for on the daily inventory.                            

                (2)  Other Doors.  Other doors (e.g., emergency exit
      doors and doors to loading docks) must meet the same installation
      requirements as facility entrance doors but must be designed so
      that they can only be opened from inside the facility.  Approved
      panic hardware and locking devices (lock bars, dead bolts, knobs,
      or handles) may be placed only on the interior surfaces of other
      doors to the facility.                                                   

                (3)  Entrance Areas.  Entrances to FAA COMSEC
      facilities shall be equipped with a device which affords
      personnel desiring admittance the ability to notify personnel
      within the facility of their presence.  A method shall be
      employed to establish positive visual identification of a visitor
      before entrance is granted.  Additionally, the entrance area
      shall be designed in such a manner that an individual cannot
      observe classified activities until access requirements are
      completed.                                                               

           c.  Windows.  COMSEC facilities should not contain windows.
      Where windows exist they will be secured in a permanent manner to
      prevent them from being opened.  Windows will be alarmed and/or
      barred to prevent their use as an access point.                          

      Observation of internal operations of the facility shall be
      denied to outside viewing by covering the windows from the inside
      or otherwise screening the secure area from external viewing.            

                (5)  Other Openings.  Air vents, ducts, or any similar
      openings which breach the walls, floor or ceiling of the facility
      shall be appropriately secured to prevent penetration.  Openings
      which are less than 90 square inches shall have approved baffles
      installed to prevent an audio or acoustical hazard.  If the
      opening exceeds 90 square inches, acoustical baffles shall be
      supplemented by either hardened steel bars or an approved
      intrusion detection system.  All holes, cracks, and other
      openings in walls, floors, and ceilings will be permanently
      filled in or sealed to prevent insertion of surveillance devices.        

                               FOR OFFICIAL USE ONLY
                                PUBLIC AVAILABILITY TO BE
                              DETERMINED UNDER 5 U.S.C. 552

           APPENDIX 7. STANDARDS FOR SAFEGUARDING KEYING MATERIAL             

              SECTION 1.  PHYSICAL ACCESS, STORAGE AND CONTROLS                

      1.  Basis for Protection.  The cryptographic security of
      transmitted information is based primarily on the proper use of
      uncompromised keying material.  The safeguarding and control of
      keying materials used to protect national security information
      are of paramount importance.  To ensure that these keying
      materials are provided the most rigorous and comprehensive
      handling and protection, they must be distributed through the
      COMSEC Material Control System.  Safeguarding of keying material
      is achieved procedurally through restrictions and controls
      governing access, distribution, storage, accounting, use, and
      disposition.                                                             

      2.  Controls.                                                            

           a.  Application.                                                    

                (1)  The requirements of this Appendix apply to all
      hard-copy keying material intended for use to protect
      telecommunications carrying national security information, or to
      ensure their authenticity.  Such keying material, both classified
      and unclassified, will be marked "CRYPTO."                               

                (2)  Additional or differing guidance for certain types
      of keying material may appear in the handling or operating
      instructions of affected systems, and will take precedence over
      the provisions of this appendix and the basic order.                     

                (3)  Specific guidance concerning controls for keying
      variables in electronic form will appear in NSA-published system
      NACSIs and USAF AFSALS.                                                  

                (4)  Guidance on handling of maintenance and test key
      is contained in Annex D, NACSI 4005/AFR 56-13, and in specific
      handling instructions for the material.  In cases of conflict,
      specific handling instructions for the material will take
      precedence.                                                              

           b.  Access.                                                         

                (1)  Government Civilian or Military Personnel Who Are
      U.S. Citizens.  Access to COMSEC keying material other than TOP
      SECRET may be granted to U.S. citizens whose duties require such
      access and, if the material is classified, who have been granted
      a security clearance equal to or higher than the classification
      of the keying material involved.  Access to TOP SECRET COMSEC
      keying material will be governed by requirements of NTISSI 4005.         

                (2)  Contractors and Foreign Nationals.  Access by U.S.
      contractor personnel and by noncitizens is governed by national
      COMSEC policy directives.  Questions concerning such access
      should be directed to ACS-300 through the servicing security
      element.                                                                 

                (3)  Immigrant Aliens.  Refer to Annex B, NACSI
      4005/AFR 56-13.                                                          

                (4)  Need-to-Know.  Clearance or rank does not, in
      itself, entitle any individual to have access to keying material.
      Each person having access to keying materials must need the
      material in the performance of his or her duties or
      responsibilities and be familiar with his or her responsibilities
      for its protection, use and disposition.                                 

           c.   Storage.  Unless appropriately cleared persons are
      using or otherwise safeguarding keying material, it will be
      stored in the most secure facilities available.  As a minimum,
      the following storage requirements apply:                                

                (1)  TOP SECRET.  (Refer to NTISSI 4005)                       

                     (a)  TOP SECRET material will be stored in an
      approved steel security container meeting requirements for
      two-person integrity controls as specified in NTISSI 4005.  The
      container will be physically located in a room or vault that has
      an Intrusion Detection System (IDS) installed, and which has been
      inspected and approved by the servicing security element for TOP
      SECRET storage.                                                          

                     (b)  As an alternative to (a) above, TOP SECRET
      material may be stored in an area that has been approved by the
      servicing security element as a secure area, and is manned
      continuously 24-hours a day by personnel holding final clearances
      authorizing them access to the highest classification of material
      stored.  Two-person integrity controls apply.                            

                     (c)  A Class "A" vault constructed in accordance
      with the specifications outlined in Annex E, NACSI 4005/AFR
      56-13.                                                                   

                     (d)  At user locations, TOP SECRET keying material
      shall be stored under two-person integrity controls employing two
      different GSA approved Group 1R combination locks, with no one
      person authorized access to both combinations.  Storage can be in
      a strongbox within a security container, in a security container
      within a vault, or in a security container with two combination
      locks.  At least one of the combination locks must be built-in,
      as in a vault door or in a security container drawer.  If a
      requirement exists for an approved combination padlock the lock
      selected must be a changeable, three position combination padlock
      meeting Federal Specification FF-P-110.                                  

                (2)  SECRET.  SECRET keying material shall be stored
      in:                                                                      

                     (a)  Any manner approved for TOP SECRET.                  

                     (b)  An approved steel security safe procured from
      the General Services Administration (GSA) Federal Supply
      Schedule.                                                                

                     (c)  A Class "B" vault constructed in accordance
      with the specifications outlined in Annex E, NACSI 4005/AFR
      56-13.                                                                   

                (3)  CONFIDENTIAL.  CONFIDENTIAL keying material shall
      be stored in:                                                            

                     (a)  Any manner approved for TOP SECRET or SECRET.        

                     (b)  An approved steel security container having a
      built-in Group 1R, three position, changeable combination lock.          

                (4)  UNCLASSIFIED.  Unclassified keying material shall
      be stored in:                                                            

                     (a)  The same manner as required for TOP SECRET,
      SECRET, or CONFIDENTIAL.                                                 

                     (b)  In the most secure manner available to the
      user.                                                                    

      3.  Supplementary Controls and Older Containers.  Supplementary
      controls such as guard forces, alarms, etc., shall be used as
      determined necessary by the servicing security element to protect
      security containers and areas against unauthorized access.
      Security containers which do not meet the prescribed standards
      may continue to be used until approved containers can be
      procured, in accordance with provisions of chapter 8, Order
      1600.2C.  If a nonapproved container is used or open area storage
      is unavoidable, the classified keying material must be under
      protection of a guard force, or protected by an alarm system
      approved by ACO-300, with immediate guard response capability.
      Frequent and irregular checks should be made of the area.                

      4.  Keyed Equipments.  Equipments which must be stored in a keyed
      condition must be protected in a manner consistent with the
      classification of the keying variable they contain.  Protection
      provided may never be less than for the classification of the
      unkeyed condition of the equipment.                                      

      5.  Split Variables.  Security procedures for equipments
      utilizing split variables will normally be addressed in the
      handling and security doctrine for the specific system.  In most
      cases, removal of part of a split variable permits the equipment
      to be handled as if it were unkeyed.
                          SECTION 2.  DISTRIBUTION                             

      1.  General.  COMSEC custodians are responsible for ensuring that
      keying materials are properly prepared for shipment, that only
      authorized means of shipment are used, that accounting and
      transfer reports are submitted on a timely basis, and that
      packages are examined upon receipt for signs of tampering and
      possible tampering reported.                                             

           a.  Preparation for Shipment.                                       

                (1)  Wrapping:  Keying material will be double-wrapped
      and securely sealed prior to shipment.                                   

                (2)  Markings:                                                 

                     (a)  Inner wrapping will be marked with the
      security classification of the material, "TO" and "FROM"
      addressees, the COMSEC account number, and the instruction "ATTN:
      COMSEC Custodian", or "To Be Opened Only By COMSEC Custodian" or
      equivalent, and the "CRYPTO" marking.                                    

                     (b)  Outer wrappings will contain the "TO" and
      "FROM" addressees and any other notations to facilitate delivery.
      The outer wrapping of the package shall not reveal whether the
      package contains classified information or keying material.
      Material transmitted by State Department diplomatic pouch must
      indicate that "Courier Accompaniment is Required."                       

           b.  Methods of Transmittal.                                         

                (1)  Keying materials must be moved in the custody of
      authorized, and, if classified material is involved, cleared
      department, service, agency, or contractor couriers, U.S.
      Diplomatic Courier Service, or Department of Defense Courier
      Service.  Refer to Annex B, NACSI 4005/AFR 56-13.                        

                (2)  For TOP SECRET keying material, two-person
      integrity controls shall apply whenever local couriers are used
      to transport TOP SECRET key material from a user COMSEC account
      to another user account or location.  Refer to NTISSI 4005.
      Controls shall apply whenever local couriers are used to
      transport TOP SECRET key material from a user COMSEC account to
      another user account or location.  Refer to NTISSI 4005.                 

                        FOR OFFICIAL USE ONLY
                      PUBLIC AVAILABILITY TO BE
                    DETERMINED UNDER 5 U.S.C. 552

               APPENDIX 8. ROUTINE DESTRUCTION AND EMERGENCY 
 PROTECTION OF COMSEC MATERIAL                      

      1.  INTRODUCTION.  This appendix implements the provisions of
      NTISSI Number 4004/AFR 56-5, and establishes standards and
      procedures for the routine and emergency destruction of COMSEC
      materials within the FAA.  The security that is achieved through
      the proper use of contemporary U.S. cryptosystems is heavily
      dependent upon the physical protection which is afforded the
      associated keying material.  Current and superseded keying
      material is extremely sensitive, since its compromise potentially
      exposes to compromise all traffic encrypted with it.                     

      2.  POLICY.                                                              

           a.  Keying Material.  Keying material must be destroyed as
      soon as possible after it has been superseded or has otherwise
      served its intended purpose.  Destruction reports are submitted
      in accordance with AFKAG-2.                                              

           b.  Defective or Faulty Key Material.  As an exception to
      the stated policy defective or faulty key will not be destroyed.
      Instead material in these categories will be reported to
      AFCSC/MMIA, through COMSEC channels, with information copies to
      DIRNSA/S042, and ACS-300.  The material will be held for
      disposition instructions.                                                

           c.  Superseded or Obsolete Cryptoequipment.  Destruction of
      superseded or obsolete cryptoequipment and its supporting
      documentation is also required.  FAA COMSEC accounts will request
      disposition instructions from AFCSC/MMIA.
           d.  Waste Paper Material.  All waste paper material, whether
      containing classified information or not, which is removed from
      the secure telecommunications facility or from the associated
      teletypewriter equipment area, shall be safeguarded and destroyed
      as classified waste.  Teletypewriter, printer, and typewriter
      ribbons used to process classified information will also be
      safeguarded and destroyed as classified material.                        

               SECTION 1.  PROCEDURES FOR ROUTINE DESTRUCTION
                             OF COMSEC MATERIAL                                

      3.  GENERAL.                                                             

           a.  Routine Destruction.  Routine destruction will normally
      be accomplished by the COMSEC custodian and the alternate COMSEC
      custodian(s).  However, this restriction should not preclude
      granting the authority to perform destruction of superseded
      material to additional appropriately cleared persons, who then
      certify the destruction to the COMSEC custodian, if such action
      is required to avoid delay in accomplishing the destruction.  The
      terms "appropriately cleared" and "cleared" mean possession of a
      security clearance for the highest classification of material to
      be destroyed.                                                            

           b.  FAA COMSEC Activities.  In FAA facilities the COMSEC
      custodian, alternate custodian, or appropriately cleared person
      designated by the custodian, will accomplish actual destruction
      in the presence of a cleared witness.                                    

           c.  Requirements.
                (1)  Routine destruction may be accomplished at the
      using facility by a cleared individual and witness.  The issuing
      COMSEC custodian must be advised by the user, either verbally or
      in writing, that the user has destroyed the material.  Verbal
      confirmation must be followed up with written confirmation of
      destruction as soon as possible.  For accounting purposes the
      COMSEC custodian will then consider the material destroyed.  In
      such cases, the COMSEC custodian must brief the user on the
      necessity for prompt and complete destruction of superseded
      keying material, and for prompt reporting of any loss of control
      of material before destruction could be accomplished.                    

                (2)  Extreme care must be taken not to accidentally
      destroy COMSEC material.  Do not destroy COMSEC material unless
      one or more of the following conditions exists:                          

                     (a)  The COMSEC custodian has issued instructions
      to the user.  For example, the material is listed on the COMSEC
      custodian's formal monthly destruction report or in a status
      document, such as AFKAG-14, as being authorized for destruction.         

                     (b)  A superseding document authorizes, in its
      handling instructions, the superseded document to be destroyed.          

                     (c)  The controlling authority supersedes the
      document and authorizes its destruction.                                 

                     (d)  Emergency destruction plans are in effect.           

                (3)  Destruction and witnessing officials for user
      accounts must be appointed in writing and a copy provided to the
      COMSEC custodian.                                                        

                (4)  The user records destruction of legend 1 and 2
      material by preparing two copies of each destruction report (SF
      153).  Users will send one copy to the COMSEC custodian and
      retain the other in the user COMSEC account files.                       

      4.  SCHEDULING ROUTINE DESTRUCTIONS.                                     

           a.  Keying Material.  Keying material designated CRYPTO
      which has been issued for use should be destroyed as soon as
      possible after supersession.  In any event, the destruction
      should be accomplished within not more than 12 hours after
      supersession.  Where special circumstances prevent compliance
      with the 12-hour standard the FAA facility manager having
      responsibility for COMSEC operations may grant an extension of up
      to 24 hours.                                                             

           b.  Complete Editions of Key Material.  Complete editions of
      superseded keying material designated CRYPTO which are held by a
      user account shall be destroyed within 5 days after supersession.
      Every effort must be made by COMSEC personnel however, to destroy
      the superseded material within the 12 hour period established as
      the standard.                                                            

           c.  Maintenance and Sample Key Material.  Maintenance and
      sample keying material not designated CRYPTO is not regularly
      superseded and need only be destroyed when physically
      unserviceable.                                                           

           d.  Classified COMSEC Publications.  Superseded classified
      COMSEC publications which are held by a user COMSEC account shall
      be destroyed within 15 days after supersession.  Every effort
      must be made by COMSEC account personnel to destroy superseded
      material within the 12 hour standard period.                             

           e.  Amendment Residue.  The residue of entered amendments to
      classified COMSEC publications shall be destroyed within 5 days
      after entry of the amendment.                                            

           f.  Compromised Material.  Compromised material will be
      destroyed no later than 12 hours after receipt of disposition
      instructions.  DO NOT destroy the COMSEC material involved in an
      investigation unless directed by NSA or AFCSC.                           

           g.  Correspondence.  When it has no further value destroy
      correspondence concerning superseded documents and material.             

      5.  ROUTINE DESTRUCTION METHODS.                                         

           a.  General.  The authorized methods for routinely
      destroying paper COMSEC material are burning, pulverizing or
      chopping, crosscut shredding, and pulping.  Nonpaper COMSEC
      material authorized for routine destruction must be destroyed by
      burning, chopping or pulverizing, or chemical alteration.  FAA
      COMSEC custodians are responsible for ensuring that destruction
      of paper COMSEC material is accomplished using an NSA-approved
      paper destruction device (some of which are also approved for
      destruction of printed circuit boards), and employing
      NSA-approved destruction methods.  In addition to the guidance
      provided in this order, all FAA COMSEC custodians must also be
      familiar with, and abide by, the requirements for destruction
      reflected in the following references:                                   

                (1)  NSA-approved paper destruction devices are listed
      in Annex B, NTISSI 4004/AFR 56-5.                                        

                (2)  NSA-approved destruction methods are explained in
      Annex C, NTISSI 4004/AFR5 6-5.
           b.  Paper COMSEC Material.  The criteria given below apply
      to classified COMSEC keying material and media which embody,
      describe, or implement a classified cryptographic logic.  Such
      media include full maintenance manuals, cryptographic
      descriptions, drawings of cryptographic logics, specifications
      describing a cryptographic logic, and cryptographic software.
      Other paper COMSEC material may be destroyed by any means that
      are listed in Chapter 9, FAA Order 1600.2C that are approved for
      other paper material of equal classification or sensitivity.             

                (1)  When destroying paper COMSEC material by burning,
      the combustion must be complete so that all material is reduced
      to white ash, and contained so that no burned pieces escape.
      Ashes must be inspected and, if necessary, broken up or reduced
      to sludge.                                                               

                (2)  When pulping, pulverizing, or chopping devices are
      used to destroy paper COMSEC material, they must reduce the
      material to bits no larger than 5 millimeters (0.197 inches) in
      any dimension.                                                           

                (3)  DO NOT PULP paper-mylar-paper key tape or high wet
      strength paper (map stock) and durable-medium paper substitute
      (e.g., TYVEC olefin, polyethylene fiber).  These materials will
      not reduce to pulp, and must be destroyed by burning,
      pulverizing, chopping or crosscut shredding.                             

                (4)  When crosscut (double cut) shredders are used to
      destroy COMSEC material, they must reduce the material to shreds
      not more than 3/64-inch (1.2 mm) in width and not more than
      1/2-inch (13 mm) in length, or not more than 1/35-inch (0.73 mm)
      in width and not more than 7/8-inch (22.2 mm) in length.                 

           c.  Nonpaper COMSEC Material.  The authorized methods of
      routinely destroying nonpaper COMSEC material are burning,
      melting, chopping, pulverizing, and chemical alteration.  The
      material must be destroyed to the extent that there is no
      possibility of reconstructing classified information by physical,
      chemical, electrical, optical, or other means.                           

                (1)  Microforms.  Microforms (microfilm, microfiche, or
      other reduced-image photo negatives), may be destroyed by burning
      or by chemical means, such as immersion in household bleach (for
      silver film masters), or acetone or methelyne chloride (for diazo
      reproductions) for approximately 5 minutes.  When destroying by
      chemical means, film sheets must be separated and roll film must
      be unrolled.  Refer to Annex C, NTISSI 4004/AFR 56-5, for
      additional methods and guidance.  Use caution when destroying by
      chemical means to avoid potential hazards.  Protective clothing
      and goggles should be worn.                                              

                (2)  Magnetic Media.  Magnetic or electronic storage or
      recording media are handled on an individual basis.  Refer to
      Annex C, NTISSI 4004/AFR 56-5.                                           

                (3)  Plastic Canisters.  The objective in destroying
      plastic canisters used to hold keying material is to disfigure
      the two large flat surfaces (sides) of the canister.  This can be
      accomplished by inserting the canister inside a zip-lock bag and
      either puncture or smash the empty canister.  An empty canister
      will shatter.  Do not attempt to destroy an empty canister
      without the noted safety precautions included in the handling
      instructions.  Zip-lock bags are not furnished with the
      canisters.  Adequate safety precautions must be taken to prevent
      injuries that could. be caused by flying pieces of plastic when
      the canister shatters.                                                   

           d.  COMSEC Equipment and Components.  Routine destruction of
      COMSEC equipment and components is NOT AUTHORIZED.  Equipment
      which is unserviceable and cannot be repaired, or which is no
      longer required shall be reported to ANC-120, and to ACO-300
      through the appropriate region/center servicing security element.
      Custodians should review and be familiar with the procedures
      contained in AFKAG-2, USAF COMSEC Accounting Procedures, for
      returning COMSEC equipment and components.  Equipment which is
      unserviceable or no longer required will be retained until
      disposition instructions are provided.                                   

      6.  REPORTING ROUTINE DESTRUCTION.                                       

           a.  General.  FAA COMSEC accounts will report routine
      destruction in accordance with guidance in chapter 6, AFKAG-2.
      FAA accounts and users must destroy and witness all classified
      COMSEC material and record the destruction on an SF 153.                 

           b.  Legend 1 and 2 Material.  Users of keycards, keytapes,
      and keylists will:                                                       

                (1)  Use the destruction record provided with the
      material to record destruction of each day's key settings as soon
      as possible after supersession but no later than 72 hours.  FAA
      facilities which have a normal Monday through Friday operation
      are authorized superseded weekend key settings on the Monday
      following that particular weekend.  If the supersession date
      falls on a non-duty day, return the material on the first duty
      day thereafter.                                                          

                (2)  Return keycard booklet covers or keylist booklets
      or keytape canisters and records of destruction as well as unused
      emergency key settings to the issuing FAA custodian or destroy as
      directed by the custodian no later than 24 hours after monthly
      supersession.                                                            

           c.  Legend 3 or 5 Material.                                         

                (1)  Superseded legend 3 or 5 material must be
      destroyed as soon as possible after use, but no later than 12
      hours after supersession.  The 12-hour time limit is authorized
      for use only when mission requirements preclude immediate
      destruction.                                                             

                (2)  Destroy Secret and Confidential COMSEC material
      (by appropriately cleared destruction and witnessing officials)
      and certify destruction on an SF-153.                                    

                (3)  FAA users will retain certificates of destruction
      (SF 153, COMSEC Material Report, or AFCOMSEC Form 1) for all
      classified legends 3 and 5 material for a period of 2 calendar
      years.                                                                   

           d.  Disposing of Legend 4 Material.  Classified or
      unclassified material is accountable to AFCSC by the accounting
      number or by the quantity on initial receipt and must be reported
      to AFCSC when it is transferred or becomes excess.                       

                (1)  When accounting legend 4 material is no longer
      needed or superseded, users must return the material, except
      amendment residue, to the issuing COMSEC account.                        

                (2)  FAA COMSEC accounts will forward a decrease
      request for the legend 4 material according to AFKAG-2.                  

                (3)  The issuing COMSEC account must destroy and
      witness classified legend 4 COMSEC material.  Destruction is
      recorded on an SF-153.                                                   

           e.  Destruction and Witnessing Official.  Both the
      destruction and the witnessing officials must sign all
      destruction reports subject to the following rules:                      

                (1)  The FAA COMSEC custodian, or alternate COMSEC
      custodian in the absence of the custodian, must sign the
      AFCSC-prepared monthly destruction report.                               

                (2)  Within FAA COMSEC accounts grade requirements are
      as specified in chapter 2, of this directive.                            

                (3)  For FAA COMSEC users, the destruction official
      will be an appropriately cleared responsible individual.  There
      is no grade requirement specified formally for users, therefore,
      facility and activity managers having responsibility for COMSEC
      must use their discretion when appointing responsible
      individuals, and must ensure that these individuals are
      trustworthy and knowledgeable.                                           

                (4)  Clearance requirements are:                               

                     (a)  Within FAA COMSEC-accounts, the witnessing
      official must meet the clearance requirements of the COMSEC
      material being destroyed.  If, for any reason, no one is
      available who meets this requirement, the COMSEC custodian may
      waive the clearance requirement for the witnessing official, in
      which case the witnessing official's examination of the material
      to be destroyed must be confined to the front cover of the
      material.                                                                

                     (b)  For FAA users, the witnessing official must
      meet the clearance requirements of the material being destroyed.
      In an emergency, the destruction official may waive the clearance
      requirement of the witnessing official, subject to the same
      precautions noted in (a), above.                                         

                           FOR OFFICIAL USE ONLY
                         PUBLIC AVAILABILITY TO BE
                        DETERMINED UNDER 5 U.S.C. 552