5 June 1997
26 NOV 1996
NRaD INSTRUCTION 2280.1A
From: Commanding Officer, Naval Command, Control
Surveillance Center RDT&E Division
To: All Codes
Subj: PROCEDURES FOR CONTROL AND OPERATION
TELEPHONE UNIT--THIRD GENERATION (STU-III) TERMINALS
Ref: (a) CMS 6
(b) EKMS-702.01 Key Management Plan, dtd October 89
1. Purpose. To establish procedures for control and operation of STU-III Communication Security (COMSEC) material charged to NRaD's STU-III COMSEC account (SCA) for NRaD, tenant, and contractor personnel.
2. Cancellation. NRaDINST 2280.1
3. Information. STU-III COMSEC material is used to protect sensitive and classified U.S. Government voice and data transmissions. STU-III COMSEC materials consist of a specially designed telephone called the STU-III terminal which is loaded with COMSEC keying material. STU-III terminals and software are cryptographic controlled items and are accountable under Communications Security (CMS) system requirements per reference (a).
In the secure mode, each STU-III terminal displays authentication information of the distant STU-III terminal. The unit's secure mode is activated and deactivated using a device called a crypto ignition key (CIK). Lockheed-Martin (formally GE), Lucent Technologies (formally AT&T) and Motorola manufacture the STU-III under the direction of the National Security Agency (NSA). Each terminal differs slightly in size and operation procedures, but each incorporates the basic STU-III telephone security features. This instruction provides guidelines for NRaD STU-III administration, accountability, and user responsibilities per references (a) and (b).
4. Background. STU-III terminals and CIKs are subject to annual inventory. The terminals are to be treated as high value equipment by the Users. A STU-III is unclassified when the CIK is removed. The security of the CIK and the terminal are paramount. When the CIK is inserted in the STU-III, the terminal is classified to the highest level authorized by the keying material. When the CIK is not inserted, it should be safeguarded per paragraph 16 requirements to prevent loss, unauthorized use, or tampering. Subsequent rekeying is accomplished by remote rekeying from NSA's key management system.
There are 3 types of STU-III key:
a. Operational key doesn't require an initial conversion call. This key requires two person integrity (TPI) prior to loading.
b. Seed key requires an initial conversion call to convert the key. Both Operational and Seed key require a yearly update to use the key. NSA, Electronic Key Management System (EKMS) Central Facility (CF) has requested the key be updated quarterly.
c. Test key is an unclassified key used for on- and off-line testing, terminal maintenance, non-operational system exercises, and demonstrations. Terminals containing test key will not communicate in the secure mode with terminals that contain operational key or converted seed key. Test key will always be unclassified CRYPTO. Therefore, classified information may not be transmitted during system tests.
The User Representative orders STU-III keying material that identifies a STU-III terminal.
a. Commanding Officer. Per reference (a), the Commanding Officer has ultimate responsibility for the proper administration of the SCA Account, ensuring compliance with established policies and procedures for handling and safeguarding SCA equipment. Specific responsibilities of the Commanding Officer include appointing a qualified SCA Custodian and alternate custodians.
b. SCA Custodian. The SCA Custodian is the Commanding Officer's primary advisor concerning the physical security and handling of SCA material. The SCA Custodian is the User Representative, ordering STU-III type keying material. The SCA Custodian is responsible to the Commanding Officer for the proper administration of the SCA account. Reference (a) provides for specific duties of the SCA Custodian including:
(1) Providing the Commanding Officer and other officers with current STU-III policy and procedures and their impact on the Command.
(2) Acquiring, monitoring, and maintaining the Command's STU-III COMSEC material holdings.
(3) Maintaining proper storage and adequate physical security of the STU-III COMSEC material held by the account.
(4) Keeping the Alternate Custodian(s) informed of the status of the account so that the Alternate(s) are fully capable of assuming SCA Custodian's duties.
(5) Ensuring alternate custodians, local holders, material control users and SCA users understand their responsibilities and are sufficiently trained to carry out their duties.
c. Alternate Custodians. The alternate SCA custodians shall assist in the proper administration of the SCA. The Primary Alternate Custodian shall remain fully informed of the status of the SCA and should always be ready to assume the duties of the SCA Custodian. The Secondary Alternate SCA Custodian shall be kept abreast of SCA matters by the SCA Custodian and Primary Alternate and be prepared to assume the custodial duties if required.
d. Local Holder (LH). The Commanding Officer or Officer in Charge of a command or detachment desiring to be supported by NRaD's STU-III COMSEC account shall designate a LH Custodian and alternates in accordance with reference (a). Reference (a) requires that a Letter of Agreement be executed to formalize a LH relationship between NRaD and any other command. LH Custodians are responsible to their own Commanding Officer for proper management of the SCA material held by the Command, and responsible to the SCA Custodian for the proper safeguarding, control, and destruction of the SCA material received.
e. Department/Major Staff Office Heads. Must be aware of and require adherence to the control and operation requirements of SCA policy. Assign a department coordinator as appropriate to assist with proper installation and operation of the STU-III terminals.
f. SCA Users. SCA Users are responsible for the proper security, control, and accountability of the material, whether they have or have not personally signed for STU-III materials which they are authorized to use per reference (a).
g. Material Control (MC) User. When circumstances warrant, the appointment of a MC User, will be authorized. The MC User is responsible to the SCA Custodian as a central point of contact for the issuing account, and assumes greater responsibility for the materials issued on local custody to the User level. Reference (a) provides for specific duties.
h. Information Security Group. The Information Security Group will coordinate with the SCA User to insure each computer or facsimile machine connected to a STU-III meets specific TEMPEST regulations.
i. Special Security Technical Support and Communications Section. All requirements for STU-III voice and/or data communications in Sensitive Compartmented Information Facilities will be coordinated with the Special Security Technical Support and Communications Section, and will follow established sensitive compartmented information procedures.
j. Operations Network Branch. The Operations Network Branch will ensure that the authorized telephone lines are located in the spaces in which the STU-IIIs will be placed.
a. All program information exchanged over the telephone is subject to intercept by hostile intelligence organizations and under Operations Security (OPSEC) guidelines must be considered sensitive. Protecting sensitive information, whether classified or not, is the responsibility of all personnel. When properly used the STU-III secure telephone system provides appropriate security for classified and unclassified sensitive information. STU-III terminals will be used in the keyed mode for sensitive unclassified and classified telephone discussions.
b. All personnel having access to SCA material shall have a security clearance equal to, or greater than, the classification of the material involved. A Top Secret clearance is the minimum requirement for the Command's SCA Custodian and Alternates.
c. Direct purchase of STU-III terminals for program support is not authorized. All procurements of STU-III equipment for program use must be coordinated with the NRaD SCA Custodian.
7. Local Custody Defined. Local custody is the acceptance of responsibility for the proper handling, safeguarding, and accounting of SCA material issued by the account custodians, LH account custodians, or MC User, as appropriate. Every person to whom STU-III material is issued must complete the STU-III CIK Holder Listing.
8. STU-III Insecure Practices/Incidents.
a. Reportable Insecure Practices are to be reported to and evaluated by the SCA custodian for possible follow-up action. The following are considered Insecure Practices unique to the STU-III program:
(1) Failure to rekey a terminal within two months of the key expiration date.
(2) Loss of a master CIK or user CIK.
Lost CIKs: If you lose your User CIK notify the SCA Custodian or alternates immediately. Give circumstances regarding loss, i.e. approximate location of loss, date of loss. Once actual loss is determined, your CIK will be zeroized from your STU-III and a new CIK will be installed. The SCA Custodian will prepare the Insecure Practice report to the Commanding Officer.
(3) Transmission of classified information using a terminal whose display has failed.
(4) Failure to adequately secure a CIK or to remove a CIK from an unattended terminal.
b. STU-III COMSEC Material Incidents. A STU-III COMSEC Incident is any occurrence that has the potential to jeopardize the security of COMSEC material or the secure transmission of classified or sensitive government information. Once an incident has been determined the SCA Custodian is to make a report to NSA, with information copies to Commander, Space Warfare Systems Command (COMSPAWARSYSCOM), Commander, Naval Computer Telecommunications Command (COMNAVCOMTELCOM), and the Director, Communications Security Material System (DCMS) via the chain of command. If there is a suspected STU-III COMSEC Material Incident, report it to the SCA Custodian immediately. Examples of COMSEC Material Incidents unique to the STU-III Program:
(1) Any instance in which the authentication information display during a secure call is not representative of the distant terminal.
(2) Any instance in which the display indicates that the distant terminal contains a compromised key.
(3) Physical loss of COMSEC material.
9. Obtaining STU-III COMSEC Materials.
a. Send electronic mail or a memo to the SCA Custodian with the following information to request STU-III material: code, full name, extension, location to place STU-III, command title if NCCOSC or COMSPAWARSYSCOM, extension if different from User, and type of key, i.e. confidential, secret, etc. If the STU-III is needed to transmit data, specify so.
b. Each STU-III is issued with a Users manual which is to be accounted for with the STU-III. The Emergency Action Plan will be posted near the STU-III. The Emergency Action Plan can be found in the NRaD Security homepage.
c. The STU-III will be signed for on the COMSEC Material Report, Standard Form 153. All CIKs will be signed for on a Crypto Ignition Key Log, Form L3794. All personnel holding either a STU-III or a CIK will be designated as a STU-III user.
10. Safety. In a power outage all STU-IIIs lose power with one exception. The Motorola STU-III has a feature which allows the users to press the "clear" button and the telephone will give you a dial tone. Anyone attempting to use the STU-III should be made aware of these restrictions.
11. Access Requirements to Contractors. When there is a valid requirement, and when it is clearly in the best interest of the Navy, Contractor personnel can be granted access to STU-III COMSEC material. The DD Form 254 must reflect the Contractor has permission to access COMSEC material. It is the responsibility of the Contracting Officer Representative (COR) to determine the need of the Contractor to have access to COMSEC information. Once the contract reflects the need for access, the sponsoring Code can make their request for support via email or memorandum to the SCA Custodian. The request must include the full name, social security number, and contract number for the Contractor.
12. Opening Policy for STU-III COMSEC Material Shipments. All STU-III keying material and STU-III shipments must be opened by the SCA Custodian or alternates. All personnel who regularly receive and process mail and packages addressed to the Commanding Officer are not to open packages specifically marked for the SCA account or custodian.
13. STU-III Material Transfers. A transfer is the physical movement of STU-III material (keying material or terminals) between two CMS accounts, a CMS account and a SCA, a CMS account and a vendor, two SCA accounts, or a SCA account and a vendor.
a. A STU-III User is not authorized to transfer STU-III terminals or keying materials as mentioned above.
b. A STU-III User must inform the SCA Custodian when the STU-III equipment or User CIK is no longer required, i.e. User is retiring, transferring from the Command, leaving on extended TDY for over 6 months or transferring to another code. The User can either request a transfer of the STU-III equipment to another User or turn the equipment into the STU-III office.
14. Request To Travel With A STU-III. Traveling with a STU-III to another Command will be authorized only if the STU-III equipment is not available on the other end and only with good justification. The request is to be made in writing (or email) to the SCA Custodian and approved by the Commanding Officer prior to traveling.
a. The STU-III can be couriered aboard a commercial aircraft provided the unit is stowed in the cabin where the courier can maintain continuous control of the terminal. When the size of the terminal shipment is too large for in-cabin stowage and cannot be in constant view, the entire shipment may be packaged in a suitable container which is secured and sealed in such a manner so that any unauthorized access to the enclosed terminals can be detected. The sealed container may then be placed in the baggage hold, applying the "last-on, first-off" rule.
b. Containers are subject to certain security inspections by airport personnel, including x-ray examination. This is permissible, but only in the presence of the courier. Content inspections are also permissible. However, these inspections will be restricted to exterior examinations of terminals only. To preclude required examinations by airport personnel, couriers should carry their current orders, courier letter, and identification cards indicating they are appointed couriers.
15. Security Operating and Safeguarding Procedures.
a. STU-III Assistance. Assistance for all STU-III problems can be obtained by contracting the STU-III Staff on ext. 3-4740 or 3-6855.
b. STU-III Key Updates. When you update your STU-III key, you are updating the key internal to your STU-III, not the User CIK which you use. Your CIK is only programmed to unlock the key information which is passed during a secure call. You are to update your key every three months and when you receive a message "CKL ERROR CALL KMC" or "CALL KMC" in your window. (NOTE: EACH USER WHO HAS TWO KEYS LOADED INTO THE STU-III, i.e. CONFIDENTIAL & SECRET, SECRET & SECRET, MUST UPDATE BOTH KEYS.)
c. Security Operating Procedures.
(1) Your STU-III User CIK must be identified by the STU-III before you can make a secure call. On the AT&T brand STU-III the key is identified when you insert and turn your CIK. Your CIK must be identified in the window (i.e. CIK 2 of 2 or 2 of 3 INTEROP etc.) in order to perform a secure call. On the other brand STU-IIIs you will receive a message "Invalid CIK" as you try and go secure if you are having problems with your CIK. If you receive the message "Invalid CIK" in your STU-III window, clean your User CIK, then retry your secure call.
(2) To perform a secure call each STU-III User must insert and turn the CIK in their STU-III. (Note: There is only one way to insert the User CIK. If the CIK is inserted wrong and turned, the key receptacle will break.) Only one person should press the "Secure" button. (If each person presses the secure button the call will fail.) Observe the window, specific information to the far end User will appear in the window, i.e. Security clearance of the far end STU-III, Command title, and Organization. During the secure call you can rescroll for further information, i.e. expiration date of key, registration number, and Department Agency Organization (DAO) code of the far end STU-III.
(3) You should be aware of the expiration date of the far end key. If the far end key is expired you must end the secure call immediately. Inform the far end user their key is expired. When a key is expired you must contact your SCA Custodian.
(4) Motorola SECTEL 1000, 1500 or Cellular unit. Press the "SCROLL" button during the secure call. Each time you press scroll you will receive new information, i.e. Command title, DAO Code, Class of Key, Registration number, Expiration date, and Branch service. The security level of the key will stay in the window.
(5) AT&T 1100, SDD 1900 or 1910. Press the "NEXT" button one time. This unit will scroll the entire key, i.e. Edition, Registration number, type of key, class of key, expiration date, Security level, DAO Code, Branch of Service, Command title, and if there is a secondary title, i.e. STU-III Staff, this will be listed last.
(6) AT&T CELP/SACS or older. Press "Prgm" "202" and "#" in order. The Window will scroll all data on the key as shown in (b).
(7) GD 9600, RCA. Press the "Menu/Delete" button. The window will prompt you with questions, answer "yes." Each time you press "yes," the terminal will give you additional information, i.e. edition, Key ID (Registration number), terminal type, key class, expiration date, security classification of key, DAO code, branch of service, Command title, and any additional information, i.e. STU-III Staff. At the end of the information listed answer "No" to the next question, then press the "Menu/Delete" button to exit.
d. Visitors are authorized to use the STU-IIIs as long as they meet the security requirements. If the clearance of the Visitor does not meet the classification of the STU-III, i.e. STU-III keyed to Secret level and the Visitor's clearance is Confidential, the NRaD User must perform the secure call for the Visitor with the far end User. The NRaD User must verbally convey the Visitor's security clearance to the far end User and that the clearance level shown in the STU-III display is not valid for this call. Both parties must make sure that the conversation stays at the appropriate clearance level prior to turning the phone over to the Visitor with the lower security clearance. The NRaD User is required to continuously supervise the Visitor during the call.
e. When you complete the secure portion of your secure call and still want to continue your conversation, both Users need to press their clear button. On the AT&T model STU-IIIs the clear button is labeled "Voice"; Motorola is "Clear"; GE & RCA units use "Non-secure."
16. Material Safeguarding Requirements. The CIK must be removed whenever the area in which the terminal is placed is not occupied by an authorized STU-III User of that terminal. You are authorized to carry the User CIK on your person and take the key home. If the key is stored in the office where the STU-III is located, it is to be stored in a safe classified at the level of the keyed STU-III, i.e. Secret, etc. STU-IIIs keyed to the TS/SCI level must be kept in the space where the STU-III is located. The STU-III CIK is NOT to be stored in a desk drawer or file cabinet unless the STU-III is located in a space approved in writing for open storage of classified material at the level of the key installed in the unit.
17. Inventory Requirements For Issued User CIK.
a. Either a Security Activity Checklist, SF Form 701-101 (Rev 3-94), or a progressive inventory listing of all STU-III terminals held by the office or watch station must be used to inventory STU-IIIs. CIKs will also be included if they are issued to a position or location rather than to specific individual. This inventory should be verified each working day or each time a new watch section assumes the watch. When an office or watch station is being secured at the end of a work day, all STU-III terminals must be checked to ensure that the associated CIKs have been removed and properly stored.
b. While working in an office, all personnel are equally responsible for safeguarding the STU-III material listed on the inventory regardless of who signed the local custody documents for the material. If a progressive inventory is conducted, it must be conducted by an appropriately cleared and authorized individual STU-III terminal User.
18. Broken CIKs. Broken CIKs must be turned into the SCA Custodian or alternates. The Custodian will then reprogram a new CIK into the STU-III for the Users use.
19. STU-III Data Port Applications and Security Considerations.
a. Users of the data feature of the STU-III must be aware that STU-IIIs will only protect the transmission path from end to end. When a secure call is initiated, parts of the key are traded between two STU-IIIs through the "firefly" method to generate a unique key for each secure call. During this exchange, the STU-IIIs also trade authentication information which is shown on the display of each STU-III to allow the user to check the clearance level of the call and the organization of the far end STU-III. Data is authorized to be passed over the STU-IIIs. There are two means of passing data.
(1) STU-III To Secure Facsimile -- Three of the manufacturers of facsimile machines compatible with the STU-III are the Cryptic Transcript 10/12, Time in Space, or Ricoh facsimile machines.
(2) STU-IIIs To Information Systems (IS) -- STU-IIIs are permitted to transfer data via an IS as long as both are operating at the same maximum security level, i.e. secret to secret, but not secret to a confidential system. Users are required to use a communications program on the IS which is compatible with the STU-III, i.e. Procom Plus. A list of such programs is located on the NRaD Security Homepage.
b. Users are required to have the STU-III to facsimile machine or IS accredited prior to using the system. To do this contact your Information System Security Officer (ISSO) who will prepare the necessary paperwork. Operating procedures for FAX to STU-III and IS to STU-III are found in the NRaD Security Homepage.
c. Users who require the use of the STU-III in the continuous data mode are required to use to secure access control system (SACS) in the enabled mode. This feature will only be authorized in spaces approved in writing for open storage of classified material by the Information Security Group. A SACS requires the use of an access list which is programmed by the SCA Custodian/MC User or LH into the Users STU-III. The access list is comprised of the registration number, DAO code or both the registration number and DAO code of the far end user terminal. Only the terminal of the User registered on the access list will be able to communicate with the SACS enabled STU-III.
(1) When not using the SACS feature of the STU-III terminal for data transmissions, authorized persons must be present to monitor the terminal.
(2) When the SACS is not enabled, use of the STU-III terminal's auto-viewer capability is prohibited.
20. Forms Availability.
a. The following forms are stocked by the SCA Custodian.
(1) Standard Form 153, COMSEC Material Report
(2) Form L3794, Crypto Ignition Key Log
b. The following forms are stocked in the Supply Department's preexpended bins located in Bldg A33, 6th wing ground floor.
(1) NRaD 5511/2A (Rev 6-95), Courier Letter
(2) Standard Form (SF) 701 Rev 8-95; NRaD(O/P) 5500/4 (3-94), Activity Security Checklist.
21. Directive Responsibility. The SCA Custodian, Code D03531, is responsible for keeping this instruction current.
H. A. WILLIAMS