7 September 2003. Thanks to J. Converted from a PowerPoint slide show.

[23 slides.]

Defense Security Service
United States of America

DSS COMSEC Responsibilities

DSS Internal Use Only

Not for Public Release

 
 
Patrick Viscuso
Industrial Security Operations
 

Purpose

• To review background.

• To outline current responsibilities.

Overview

• Purpose of a DSS Memorandum of Understanding (MOU) with NSA
  
  We will be discussing the purpose of having an MOU; background and premises, in other words, the history and the policy that governs the relationship between DSS, NSA, and COMSEC responsibilities; and the July 2001 MOU concluded between DSS and NSA to replace a 1998 agreement.

• Background and Premises

• The July 2001 MOU

• Current Responsibilities outlined in Part 2 - Chapter 12, Industrial Security Operating Manual (ISOM)

Purpose of a DSS MOU with NSA

• A MOU delineates the responsibilities of DSS and NSA associated with:
  
  • Traditional COMSEC accounts
  • Seed Key Only COMSEC Accounts (SOCA)
    
    The Communications Security (COMSEC) Material Control System (CMCS) is a logistics system through which COMSEC material marked “CRYPTO” and other accountable COMSEC material is distributed, controlled, and safeguarded in industry and Government.
    
    As everyone here probably knows, there are two types of COMSEC accounts. The first, the traditional account, is established to hold and/or produce classified COMSEC material accountable within the CMCS. The second, the Seed Key Only COMSEC Account (SOCA), is established at a contractor facility to hold STU-IIIs (Secure Telephone Unit) and the Fortezza cards associated with their successors, the STEs (Secure Terminal Equipment).
    
    Both types of accounts are established by the NSA Central Office of Record (COR) for facilities cleared under the National Industrial Security Program (NISP).
    
    Central Offices of Record (COR) - there are many CORs throughout the US Government - each branch of the military has a COR - for industry under the NISP, the NSA COR serves most COMSEC accounts at contractor facilities - the COR is responsible for administration and oversight of COMSEC accounts.

• These are accounts established by the NSA COR for facilities cleared under the NISP

Background and Premises (I)

• COMSEC Policy/Requirements
  
  • Shared responsibilities
    
  • NSA has primary COMSEC responsibility
    
    The main point in reviewing the COMSEC responsibilities of NSA, and more particularly the NSA COR, and those of DSS is that; although both agencies currently share many COMSEC responsibilities, NSA has the primary responsibility by policy and mission. Four main policy documents outline the responsibilities of NSA and DSS.

• Policy Documents
  
  • NSTISSI 4005
    
    National Security Telecommunications and Information Systems Security Instruction (NSTISSI) No. 4005, Safeguarding Communications Security (COMSEC) Facilities and Materials, dated August 1997 - describes a Central of Record’s (COR) responsibility for administration and oversight of COMSEC accounts. For example - NSTISSI 4005 requires a COR establish and close COMSEC accounts; maintain a record of COMSEC Custodians and Alternates, perform COMSEC inventories and ensure audits are conducted of each of its COMSEC accounts.
    
  • DoD 5220.22-S
    
    DoD 5220.22-S, COMSEC Supplement to the Industrial Security Manual for Safeguarding Classified Information, dated March 17, 1988, makes clear that DSS and NSA may share inspection responsibilities. Several points should be noted regarding DSS’ role: 1) DSS always coordinates its examination of COMSEC accounts with the NSA COR; 2) this examination is part of a DSS industrial security review and not an independent responsibility; 3) while DSS is permitted to inspect COMSEC accounts, the COR’s or NSA’s responsibilities are mandatory. The DSS role is to augment the COR effort, to spot-check the account between NSA visits to more quickly identify any developing problems and provide assistance directly or notify NSA to provide the appropriate response (Although the NISPOM replaced the ISM, the supplement is the current binding COMSEC doctrine for DoD contractors).
    
  • NSA Industrial COMSEC Manual
    
    NSA Industrial COMSEC Manual, NSA Manual 90-1 (U) October 2001 - repeats this same delineation of responsibilities - making clear that the COR (NSA) has the responsibility, but that the Cognizant Security Office (DSS) may conduct CAVs when appropriate (Although not approved by DoD as a supplement to the NISPOM, NSA has provided this document to contractors and DSS to use as current COMSEC guidance).
    
  • DoD Directive C-5200.5
    
    DoD Directive C-5200.5, Communications Security (U), dated April 21, 1990 - requires DSS to monitor the COMSEC practices of NISP contractors and examine these accounts as a portion of regular industrial security reviews. This document again specifies that such an examination must take place in coordination with the applicable COR. DSS’ present responsibilities will be covered in greater detail later in this presentation.

Background and Premises (II)

• DSS Responsibilities (Pre-1998)
  
  • Limited
    
    Traditional Accounts
    
    - Prior to 1994 DSS (DIS) examined traditional accounts only in connection with a facility security review in coordination with the NSA COR and never assumed full cognizance. The general rule - if DSS determined that the last traditional account audit by the NSA COR was in excess of 120 days, the IS Rep audited a minimum of 25% of the traditional COMSEC account up to a maximum of 25 items.
    
    - In July 1994 and onwards - DSS and NSA informally agreed to expand DSS audit responsibilities to selected traditional classified accounts
    
  • Gradual expansion - especially regarding SOCAs
    
    - In October 1992, DSS informally assumed full COMSEC audit responsibilities for all SOCAs (excluding accounts associated with “carve-outs”). This was eventually reflected in a NSA document, the COMSEC Annex to the NISPOM, Coordination Copy, June 1995, (which has been now superseded by the new NSA Industrial COMSEC Manual, NSA Manual 90-1, October 2001),
    
    - DSS’ assumption of this responsibility was based on the widespread introduction of STU-IIIs into cleared contractor facilities.

• The 1998 MOU
  
  - This was an agreement between NSA and DSS, which was concluded in February 1998.
  
  • Increased responsibilities
    
  • Gave formal expression to those already undertaken
    
    - Increased DSS’ responsibilities - transferring approximately 75% of traditional COMSEC accounts in industry to DSS security cognizance; and formally recognized DSS’ role in security cognizance over SOCAs.
    
    - More specifically regarding inspections, termed COMSEC Assistance Visits (CAV), DSS agreed to review SOCAs, and Traditional accounts holding 150 items or less excluding in-process and carve out accounts.
    
    - Regarding Traditional Accounts under NSA cognizance (more than 150 items) - these were examined as part of the industrial security review if it has been more than 12 months since the NSA CAV.
    
    - The 1998 MOU itself had a provision for review and evaluation by both parties every two years.

The July 2001 MOU:

• Effective Date - January 1, 2002
  
  On July 19, 2001, DSS and NSA reached agreement on a new MOU. The new 2001 MOU was implemented on January 1, 2002.

• Implementation
  
  • Operating Instruction - December 14, 2001
    
    Revised DSS ISOM Chapter
    
    Revised DSS Forms 217A and 217B
    
    Implementation was reflected in the new DSS COMSEC Operating Instruction with an attached revised Industrial Security Operating Manual (ISOM) chapter, and revised DSS Forms (217A and 217B). These are posted on the DSS Intranet and located in the COMSEC portion of the Industrial Security page.

The July 2001 MOU: Overview

• The July 2001 MOU
  
  Since early 2001, NSA and DSS discussed the revision of the current MOU with the aim at arriving at a mutual agreement.
  
  • Concentration on core mission areas
    
    The main impetus for these discussions was an increased concentration on core mission areas on the part of NSA and DSS. Discussions between the two agencies have focused on a change of emphasis that draws on the strengths of both organizations. The main provisions of the July 2001 MOU are as follows:
    
  • Redefinition of Responsibilities
    
    Traditional Accounts
    
    - DSS will relinquish COMSEC Assistance Visits (CAV) of traditional accounts to NSA and will concentrate on examining safeguarding requirements associated with classified material as part of the facility’s overall classified material control system. Specific areas, on which DSS will work with contractors, will concern safeguarding findings, areas of concern related to the protection of classified information, personnel changes, and proper return of inventories.
    
    SOCAs
    
    - DSS will continue to monitor SOCAs, but with the understanding that the NSA COR has security cognizance. If the last COR audit was not made in 180 days, DSS will conduct a sampling based on the numbers of items in the account.
    
    Exchange of Information
    
    - NSA and DSS will work closely in exchanging information that will benefit each in fulfilling its core mission responsibilities. Both agencies are committed to cooperation in assuring the proper safeguarding and protection of COMSEC material. DSS will continue to assist in the establishment of COMSEC accounts, conduct briefings, report changed conditions, and facilitate the STU-III loan program.

For contractors, the bottom line of the new 2001 MOU is that both agencies will be shifting their focus to draw on their strengths to support the fulfillment of COMSEC requirements by cleared industry.

Main Responsibilities

In accordance with the revised ISOM chapter, the IS Rep’s responsibilities are as follows:

• Confirm information
  
  To confirm information about cleared facilities and the status of their COMSEC accounts (e.g., the establishment/termination of an account, facility and personnel clearance levels, changes in facility name or address, etc.).
  
• Conduct briefings
  
  To conduct COMSEC and Cryptographic Access briefings and Cryptographic Access debriefings.
  
• Examine accounts
  
  To examine COMSEC accounts as part of an industrial security review.
  
• Report information
  
  To provide reportable information (ISOM paragraph, 2-12-601) to NSA.
  
• Notify NSA
  
  To notify NSA immediately of significant problems with the management and control of COMSEC material that could result in compromise.
  
• Facilitate transfer and disposition of STU-IIIs under the loan program
  
  To facilitate the transfer and disposition of Secure Telephone Unit IIIs (STU-IIIs) under the STU-III Loan Program.

Three Main NSA Offices

These are the main NSA offices with which the IS Rep will interface when carrying out COMSEC responsibilities. (2-12-101, ISOM):

• NSA COR Procedures and Audits Branch (Y134)
  9800 Savage Road, Suite 6574
  Ft. Meade, MD 20755-6574
  Unclassified FAX (301) 688-6132
  Secure FAX (301) 688-6264
  Audits Phone (301) 688-6904
  
• NSA COR Account Registration and Management Branch (Y131)
  9800 Savage Road, Suite 6574
  Ft. Meade, MD 20755-6574
  Unclassified FAX (301) 688-6596
  Secure FAX (301) 688-6264
  Phone (301) 688-8110
  
• NSA INFOSEC Insecurities (I413)
  ATTN: I413
  9800 Savage Road, Suite 6722
  Ft. Meade, MD 20755-6722
  Unclassified FAX (410) 854-6679
  Secure FAX (410) 854-6831
  Phone (410) 854-6811

COMSEC Doctrine and Guidance

• COMSEC Supplement and NSA Industrial COMSEC Manual
  
  DoD 5220.22 COMSEC Supplement to Industrial Security Manual for Safeguarding Classified Information, dated March 17, 1988, is applicable to DoD-cleared facilities (NISPOM, 1-105). The NSA Industrial COMSEC Manual (NICM), NSA Manual 90-1 (U), dated October 2001, is applicable to NISP contractors if mandated by contract. Although not coordinated with the NISP signatories, NSA has issued the NICM to supersede the COMSEC Annex to the NISPOM (Coordination Copy), dated June 1995, and to prescribe the most current guidance regarding COMSEC accounting policies and procedures for contractor accounts established by the NSA COR.
  
• INFOSEC Procedural and Material Control Bulletins
  
  The INFOSEC Bulletins are issued by NSA as supplementary guidance. Guidance contained in Bulletins prior to October 2001 are now incorporated into the NICM.
  
• COMSEC Guidance
  
  For additional guidance, the IS Rep should follow ISOM procedures (Part 1, Chapter 3). Y134 and Y131 may be contacted. However, the ISOM procedures should be followed first.

Establishment of Accounts

In assisting in the establishment of accounts, the basic idea is that the submission of the request occurs from the contractor through the IS Rep

• Completion of Form A or generation of letter (contractor)
  
  The contractor prepares the request either by completing NSA Form A (Annex K, NICM) OR preparing a letter on company letterhead containing the same information on the NSA Form A.
  
• Confirmation of information (IS Rep)
  
  The IS Rep confirms the information recorded by the contractor - completing Part 2 of the NSA Form A - signing the form OR prepares an attachment in cases where the contractor’s request is in the form of a letter. This attachment will contain the information listed in 2-12-300, ISOM:
  
  FCL level
  
  Safeguarding level
  
  FOCI status
  
  Personnel (FSO, COMSEC Custodian, Alt Custodian)
  
  COMSEC or Cryptographic Access briefing - as applicable - (accomplished or date scheduled)
  
  DSS Field Office - Office Symbol
  
  IS Rep Telephone
  
  Date Information confirmed
  
• Forwarding of request to Y131 (IS Rep)
  
  The IS Rep mails request to Y131.

Briefings

Briefing requirements are stipulated in paragraph 9, NSA Manual 90-1. Please note that a COMSEC briefing is not required for contractor employees who only insert a STU-III Crypto-Ignition Key and use the STU-III in a secure mode or a KOV-14 (User Card) in a Secure Terminal Equipment (STE) terminal. However, these individuals must receive security training as specified in Paragraph 77 of NSA Manual 90-1.

• COMSEC Briefings
  
  IS Rep provides COMSEC briefing to the FSO if the FSO has not received a COMSEC briefing. As an administering official, the FSO provides the briefings to the custodial and other contractor personnel. The briefing is found in Annex A of NICM and Enclosure 9, ISOM. The contractor maintains a record of all personnel who are COMSEC briefed. The employee is not required to execute a briefing form, but the record must include name of person briefed, person providing briefing, and briefing date.
  
• COMSEC Debriefings
  
  No COMSEC debriefings are required.
  
• Cryptographic Access Briefings
  
  IS Rep provides Cryptographic Access briefing to FSO if not already briefed. As an administering official, the FSO provides this briefing to custodial and other contractor personnel. The briefing is found in Annex A of NICM and Enclosure 10, ISOM. The employee executes Section of SD Form 572 “Cryptographic Access Certification and Termination” (ISOM Enclosure 10). The IS Rep completes Section I.2 of this form.
  
• Cryptographic Access Debriefings
  
  As an administering official, the FSO provides Cryptographic debriefing to custodial and other contractor personnel. IS Rep provides this debriefing to FSO. The employee executes section 2 of SD Form 572 and the IS Rep completes Section II.4 of this form.
  
• Retention of Briefing Records and Forms - Three Years
  
  COMSEC briefings are retained for a minimum of 3 years from termination of employee’s clearance, access, and/or employment termination. Cryptographic Access briefing/debriefing for a minimum of 3 years from debriefing date.

Examination of Accounts - Overview

• Review previous audit results
  
  The IS Rep reviews the previous COMSEC audit results at the facility (report, letter, checklist provided to the contractor by NSA). On the DSS Intranet, NSA is making certain information available. Currently, the IS Rep is able to check a list of facilities that have not returned inventories, which often indicates more broad problems in accountability to include the classified material control system. This information is found on the Industrial Security page under the COMSEC section.
  
• Examine the account
  
  • Traditional Accounts
    
  • SOCAs
    
    The IS Rep does not conduct a COMSEC audit. However, examinations of Traditional Accounts and SOCAs are made using the DSS Forms 217A (Jan 2002) and 217B (Jan, 2002). These forms capture the requirements for information contained in 2-12-601, ISOM. They have been thoroughly revised from previous versions.
    
• Complete and forward reports to NSA
  
  The 217A and 217B should be forwarded to NSA per the instructions on the forms themselves (mailed, faxed, or emailed as attachments) within 30 days of the completion of the industrial security review.
  
• Report significant problems
  
  Significant problems should be reported to the Chief Y134 and Chief I413 9 (see the contact information contained in two more slides and also in 2-12-701, ISOM). Significant problems are those that deal with the management and control of material in the account that result in the jeopardy of compromise. Missing STU-IIIs should be likewise reported. Other significant areas of concern should also be reported.

DSS COMSEC Report - DSS Form 217A for SOCAs

• Structure:
  
  -- Updated account information
  
  -- Thirteen questions
  
      Five are identical to the report form for Traditional Accounts
  
      Eight additional are used when examining an account that NSA
      has not visited within 180 days of the industrial review.
  
  -- Sampling table
  
  -- Additional comments

Explanation of the 217A (and by extension the 217B)

• Questions 1 and 2 - assist NSA to determine whether account is still necessary (Same for 217A and 217B)
  
  NSA is using this information to assess the account, the currency of the COR’s records, and whether there is a requirement for the account.
  
• Question 3 - Statement of Findings (Same for 217A and 217B)
  
  A certificate of action contains a list of findings resulting from a NSA audit and requires a certification that appropriate corrections or actions have taken place. Normatively, the certificate is returned to the the COR within thirty (30) days of the NSA audit.
  
• Question 4 - Review rating (Same for 217A and 217B)
  
  NSA will use an Unsatisfactory or Marginal rating as an indicator for prioritizing its examination of COMSEC accounts - the IS Rep will provide a copy of the review report to NSA in these cases.
  
• Question 5 - Areas of concern (Same for 217A and 217B)
  
  This is a broad question involving the entire security posture of the facility. A facility with a Marginal or Unsatisfactory rating would fall into a “yes” category. On the other hand, specific access and storage issues may also result in a “yes” response. The IS Rep will exercise professional judgement.
  
• Question 6 - Security education (217A only)
  
  The Facility is required to administer security education for the STU-III (NSA Manual 90-1, 77). The education can be provided using briefings, guides, or other materials.
  
• Questions 7, 8, and 9 - Rekeying, User CIKs, Master CIKs (217A only)
  
  Safeguarding requirements for Master CIKs are found in NSA Manual 90-1, 73b. These requirements differ significantly from those for User CIKs.
  
• Question 10 - User Representative (217A only)
  
  The User Representative is the person who can order key. In the case of SOCAs, the User Representative is often also the Custodian.
  
• Questions 11 and 12 - Hand receipts (217A only)
  
  A hand receipt is used to record the acceptance of and responsibility for COMSEC material issued to a user by a COMSEC custodian (NSA Manual 90-1, 37c).
  
  A remote holder is a user located 25 miles or more from the account (39b). If located less, then the hand receipt would only be updated if the item or the person controlling the item changed (39f).
  
• Question 13 - Excess COMSEC material (217A only)
  
  Excess material are items no longer required (e.g., a STU-III no longer used - in which case the IS Rep follows procedures outlined in 2-12-903, ISOM).
  
• Sampling Table - Additional Comments (217A only)
  
  Sampling Table (self-explanatory) - Additional Comments (discretionary - information that might be useful to NSA in its assessment of whether COMSEC material is being properly safeguarded and protected).

Submission of the Reports

The COMSEC report must be e-mailed, mailed, or faxed to the NSA COR Procedures and Audits Branch (Y134) within thirty (30) days of the completion of the industrial security review.

If e-mailed, the form shall be an attachment. The subject line shall be “DSS Report.”

It should be emphasized that the IS Rep must notify the Chief Y134 (301-688-5495) and Chief I413 (410-854-6811) within one working day of the completion of the industrial security review if he or she identifies such significant problems with the management and control of material in the account that the accountable material is jeopardy of compromise. If the Chief Y134 is not available, the IS Rep must contact the Y134 Audit Team (301-688-6904).

• FAX, mail, or e-mail
  
  National Security Agency
  ATTN: Y134
  9800 Savage Road, STE 6574
  Fort Meade, MD 20755-6574
  FAX - (301) 688-6132
  Phone - (301) 688-6904

• E-mail - dssaudits@radium.ncsc.mil

Reporting Changed Conditions

In addition to examining accounts through use of the forms 217A and 217B, the role of the IS Rep is to also ensure that the contractor reports changed conditions to Y131, many which are identical to those normally required for core data updates in accordance with the ISOM. Changed conditions reportable to NSA include the following:

• Report of account status changes
  
  • Safeguarding or FCL level
    
  • Termination of FCL or account
    
    Changes in account status changes are reported using NSA Form B (Annex K, NICM) or on company letterhead recording the same information. The IS Rep completes Part of NSA Form B and forwards the form to Y131. If the contractor is using a letter, the IS Rep prepares a supplemental letter listing the information contained in 2-12-801, ISOM, and forward both to Y131. The information to be included consists of the following:
    
    FCL level
    
    Safeguarding level
    
    FOCI status
    
    DSS Field Office/Symbol
    
    IS Rep phone number
    
• Report of account location/personnel changes
  
  • Facility name, address, FSC
    
  • FSO, Custodian, Alternate Custodian
    
    Changes in account location/personnel are reported using NSA Form C (Annex K, NICM) or on company letterhead recording the same information - IS Rep completes Part of NSA Form C and forwards the form to Y131. If the contractor is using a letter, the IS Rep prepares a supplemental letter listing the information contained in 2-12-802, ISOM, and forward both to Y131. The information includes:
    
    FSO, COMSEC Custodian, Alt COMSEC Custodian
    
    COMSEC or Cryptographic Access briefings (accomplished or date scheduled)
    
    DSS Field Office
    
    DSS Office Symbol
    
    IS Rep phone number
    

STU-III Loan Program: Overview

• Background
  
  • 1990 - DSS and NSA distribute approximately 5,700 STU-IIIs to DoD contractors
    
  • NSA procures terminals/DSS manages and administratively controls
    
    Y131 continues to establish SOCAs for STU-IIIs and Y18 (NSA Key Management System [EKMS] Central Facility) will continue to issue STU-III key material at least through 2009.
    
    Secure Terminal Equipment (STE) is the next generation of secure voice and data equipment and is compatible with the STU-III. There is no STE loan program. The STE Program Office can be contacted at 1-800-328-7883. L-3 Communications manufactures the STE. The L-3 web site is www.l-3com.com/ste.
    
• Basic Points
  
  • Contractor - signs Loan Agreement for GFE
    
    Prior to obtaining a STU-III under the Loan Program, the contractor must have a COMSEC account established and must complete a Loan Agreement (Enclosure 20, ISOM). The Loan Agreement is forwarded to the DSS Industrial Security Operations Branch.
    
  • IS Rep facilitates transfer and disposition
    
    The IS Rep assists the contractor in obtaining a STU-III by inquiring within the FO or Region; or through the Web Board on the DSS Intranet under Rep-to-Rep by posting an announcement that a contractor is need of a STU-III. The contractor can initiate a search for a STU-III furnished under the program through the Extranet for Security Professionals site (www.xsp.org)
    
    The IS Rep assists the contractor in the disposition of a STU-III being returned under the Loan Program by facilitating its transfer to another contractor (inquiries in FO or Region, posting on Web Board under Rep-to-Rep) or instructing the contractor to demilitarize the STU-III (the most recent procedures are contained in NSA INFOSEC Bulletins), see 2-12-95, ISOM
    
    The IS Rep never takes possession of the STU-III or instructs the contractor to transfer it to a DSS COMSEC account, except in an emergency situation (e.g., total shutdown of company imminent).
    
  • Jan 2000 - STU-IIIs no longer manufactured but Loan Program continues
    

STU-III Loan Program: Confirmation of Loan STU-III

Reference, 2-12-904, ISOM.

If the contractor is disposing of a STU-III that was not obtained under the loan program, whether contractor owned or GFE, the IS Rep should direct the contractor to follow the disposition instructions contained in the most current INFOSEC Bulletins.

• Confirmation STU-III originated from Loan Program
  
  • Must be done cases of disposition
    
  • Review of records for Memorandum of Loan Agreement
    
• Memorandum of Loan Agreement may be located in:
  
  • Facility folder
    
  • Contractor
    
  • DSS Operations Branch
    

STU-III Loan Program: Transfers of STU-IIIs

• Confirm that STU-III was obtained under Loan Program
  
• Identify contractor returning STU-III to FO, Region, or on Web Board
  
• IS Rep confirms COMSEC account and has Loan Agreement executed on part of receiving contractor
  
  1. Until another contractor is identified in need of the equipment, the possessing contractor should maintain the STU-III for a specified period of time. If another contractor cannot be located, the IS Rep should instruct the contractor to demilitarize the STU-III.
  
  2. Copies of a Loan Agreement should be retained by the contractor and the FO in addition to that forwarded to Industrial Security Operations.
  
  3. During normal transfers, the IS Rep will not take possession of the STU-III or instruct the contractor to transfer the STU-III to a DSS COMSEC account.
  
  4. When the STU-III is transferred from one contractor to another, the Loan Agreement should be terminated if no other equipment is being retained.

STU-III Loan Program: Emergency Disposition

• Circumstances - total shutdown of company imminent
  
• Written notification provided by contractor
  
  The IS Rep should request that the contractor provide written notification of its desire to return the equipment and terminate the Loan Agreement. If another contractor in need of the equipment cannot be identified in time, the IS Rep should take possession of the STU-III only and not any keying material. The STU-III should be stored at the FO for up to 30 calendar days.
  
• 30 day window for transfer
  
  Within that 30 days, if another contractor is located, the IS Rep will not have to prepare paperwork. The gaining facility will prepare a SF 153 (Possession Report) and include the remark that the terminal was received without appropriate paperwork due to a sudden facility closure and will record the name, CAGE, and COMSEC account number of the losing contractor.
  
• After 30 days - demilitarization
  
  After 30 days, if another contractor cannot be located, the IS Rep will demilitarize the STU-III (2-12-907, ISOM), complete a SF 153 (Transfer Report) with the remark that the terminal was recovered without appropriate paperwork due to sudden facility closure and record the name, CAGE, and COMSEC number of the losing contractor. The IS Rep may contact the Industrial Security Operations Branch for guidance.

QUESTIONS?