9 July 1998
Source: Anonymous

From Joel McNamara's The Complete, Unofficial TEMPEST Information Page:

"Chapter 16 of the Navy's AUTOMATED INFORMATION SYSTEMS SECURITY GUIDELINES manual is devoted to emanations security (X-excellent source). Probably the most interesting section in this chapter deals with conducting a TEMPEST Vulnerability Assessment Request (TVAR). Completing the TVAR questionnaire provides some common sense clues as to how electronic security could be compromised.


This document was once available at:

http://www.cs.nps.navy.mil/curricula/tracks/security/AISGuide/navch16.txt

Currently that URL returns a "Permission denied."


                                  Chapter 16

                              EMANATIONS SECURITY

                               TABLE OF CONTENTS 


Paragraph                                                               Page  


16.1       General . . . . . . . . . . . . . . . . . . . . . . . . . .  16-1 

16.2       Roles and Responsibilities  . . . . . . . . . . . . . . . .  16-1
   16.2.1     Fleet Commanders . . . . . . . . . . . . . . . . . . . .  16-2 
   16.2.2     TEMPEST Control Officer (TCO)  . . . . . . . . . . . . .  16-2 
   16.2.3     COMNAVSECGRU . . . . . . . . . . . . . . . . . . . . . .  16-3 
   16.2.4     NAVELEXSECCEN  . . . . . . . . . . . . . . . . . . . . .  16-3 

16.3       Procedures  . . . . . . . . . . . . . . . . . . . . . . . .  16-3 
   16.3.1     Commands . . . . . . . . . . . . . . . . . . . . . . . .  16-3 
   16.3.2     Contractor . . . . . . . . . . . . . . . . . . . . . . .  16-3 
   16.3.3     TVAR for Contractor  . . . . . . . . . . . . . . . . . .  16-4 
   16.3.4     Users TVARs  . . . . . . . . . . . . . . . . . . . . . .  16-7 

16.4       Supplemental Documentation  . . . . . . . . . . . . . . . .  16-10
   16.4.1     Special Instructions . . . . . . . . . . . . . . . . . .  16-10 
   16.4.2     Reminders  . . . . . . . . . . . . . . . . . . . . . . .  16-10
   16.4.3     TEMPEST Vulnerability Assessment Request (Sample). . . .  16-11

16.5       References. . . . . . . . . . . . . . . . . . . . . . . . .  16-14 


                                   Chapter 16

                               EMANATIONS SECURITY 


16.1  General.  In order to defeat the problem of compromising emanations the
United States Government established the TEMPEST program.  Begun in the mid
1950's, this program focuses on evaluating and screening companies and
equipment to ensure that electromagnetic radiation from information-handling
devices are eliminated or controlled.  Any Classified Information Processing
System (CLIPS) can emit Compromising Emanations (CE).  Regardless of the type,
an ordinary electric typewriter or a large data processor, CE's are emanated
and the existence and study of the nature of the CE's are referred to as
TEMPEST.  Foreign governments continually engage in attacks against U.S.
secure communications and information processing facilities for the sole
purpose of exploiting CE.

     Current national TEMPEST policy is embodied in National Communications
Security Committee Directive 4, dated January 16, 1981, which instructs
federal agencies to protect classified information against compromising
emanations.  The National Communications Security Instruction (NACSI) 5004
(classified Secret), published in January 1984, provides procedures for
departments and agencies to use in determining the safeguards needed for
equipment and facilities which process national security information in the
United States.  National Security Decision Directive 145, dated September 17,
1984, designates the National Security Agency (NSA) as the focal point and
national manager for the security of government telecommunications and
Automated Information Systems (AISs).  NSA is authorized to review and approve
all standards, techniques, systems and equipment for AIS security, including
TEMPEST.  In this role, NSA makes recommendations to the National
Telecommunications and Information Systems Security Committee for changes in
TEMPEST polices and guidance.

     A TEMPEST product user must keep in mind exactly what is being protected. 
TEMPEST EQUIPMENT IN NO WAY REDUCES THE OPPORTUNITY FOR OTHER SECURITY
ASSOCIATED WITH ELECTRONIC DATA PROCESSING.  There are certainly easier ways
of obtaining information than reading the radio frequency interference (RFI)
radiation.  For example, regardless of whether the equipment is TEMPEST
approved, information can be stolen or purchased from disloyal employees or
simply intercepted by other means. 

16.2 Roles and Responsibilities.  It is everyone's responsibility to ensure
that the integrity of classified information is maintained.  However, it is of
equal importance that steps be taken to ensure that our equipment is not
guilty of allowing classified information to be compromised.  When this
possibility exists then TEMPEST becomes a part of our security program.  Under
this type program the user must keep in mind the TEMPEST equipment only after
carefully reviewing operational requirements.


16.2.1  Fleet Commanders.

      a.  Establish and maintain measures for the control of alterations,
modifications, and changes to CLIPS which are accomplished by forces afloat.

      b.  Establish and maintain a participative shipboard TEMPEST awareness
program to produce a complete appreciation of CLIPS TEMPEST profiles.

      c.  Ensure changes or modifications to shipboard CLIPS are made per
current installation criteria.

      d.  Ensure Mobile Technical Unit (MOTU), Intermediate Maintenance
Activities (both ashore and afloat), and Ship Repair Facilities have
capability to perform CLIPS installation certifications.

      e.  Establish procedures for corrections of installation deficiencies.

      f.  Request that CNO designate special ITS for ships deploying on
sensitive missions which have had unique CLIPS installed outside the metallic
hull (e.g., open deck areas).

      g.  Support the shipboard ITS program policy stated here.

16.2.2  TEMPEST Control Officer (TCO).  Each activity will assign a TCO when
TEMPEST requirements exist.  If the ADPSO does not hold a dual function as the
TCO then close coordination between the two is paramount.  The TCO is
responsible for:

      a.  Maintaining Zone Maps of the facilities under their cognizance.

      b.  Coordinating the submittal of TEMPEST Vulnerability Assessment
Request (TVARs) for CLIPS on the base/facility/command for which they are
responsible.

      c.  Monitoring all TEMPEST shielded areas to ensure proper maintenance
and operation of the shielding or shielded enclosure.

      d.  Maintaining a library of TEMPEST documents as recommended by
NAVELEXSECCEN.

      e.   Ensuring that commands implement TEMPEST requirements and
periodically checking selected subordinate organization's facilities for
compliance with TEMPEST criteria.

      f.  Providing guidance and assistance in TEMPEST matters based upon
coordination with NAVELEXSECCEN as appropriate.

      g.  Maintaining an awareness of all new procurement, development or
installation programs and ensuring that TEMPEST input/support is obtained from
NAVELEXSECCEN.

      h.  Ensuring equipment information is evaluated prior to any movement of
previously tested equipment to preclude creating a national policy violation.

16.2.3  COMNAVSECGRU.  Will coordinate with the activities TCO and provide
assistance and guidance when necessary.  The users TVARs or any update to any
TVAR will be forwarded and evaluated prior to any processing of classified
information higher than Confidential.

16.2.4  NAVELEXSECCEN.  Will assist the TCO and coordinate with the activities
commanding officer before safeguards SG1 or SG2 are implemented.  All
contractors will forward copies of the TVARs for evaluation to NAVELEXSECCEN.

16.3  Procedures.  Activities and contractors with TEMPEST requirements must
submit TVARs before processing any information higher than Confidential.

16.3.1  Commands.  A Safeguards Evaluation must be completed before any
safeguards can be incorporated.  In addition, the commanding officer must
coordinate with NAVELEXSECCEN before implementing safeguards SG1 or SG2.

      Upon completion of the installation, the user will prepare and submit
TEMPEST Vulnerability Assessment Request (TVAR) letter in accordance with
OPNAVINST C5510.93 current edition, for evaluation and the determination for
an Instrumented TEMPEST Survey (ITS).

      However, for all other CLIPS requiring testing, they will be prioritized
based on information sensitivity, location, CS available, CS required and
Equipment Zone Number (EZN).

16.3.2  Contractor.  Contractors shall comply with either the TEMPEST
safeguard required by the Navy implementation of NACSI Instructions 5004/5005
(NOTAL) or a more limited safeguard imposed by a Navy Cognizant TEMPEST
Authority (CTA).

      However, the contractor should not expend any funds to achieve
compliance until a TVAR has been submitted (see paragraph 16.4) evaluated and
a response received.

      a.  Prior to actual processing and within 30 days of contract award, the
contractor shall submit a TVAR, or an update to any TVAR previously submitted
as part of the bidding process to:


              Commander, Naval Security and Investigative Command
              Code 26T
              Building 111, WNY
              Washington D.C.  20388-5000

              Commanding Officer, Naval Electronic Systems Security 
              Engineering Center
              Attn: Code 04
              3801 Nebraska Ave., N.W.
              Washington, D.C.  20390-5270


     Also, a copy shall be submitted to the following: 

            (1) The Program/Project Manager listed in items 12b and 12c of the
DD 254.

            (2) The cognizant Security Office listed in item 7c of the DD 254.

16.3.3  TVAR for Contractor.  The request, by a contractor, for TEMPEST
Vulnerability Assessment Request (TVAR) should contain the following.

      a.  The identification and location of the organization submitting the
request.

      b.  The contract number(s) and duration, name of contractor and facility
location.

      c.  A general description of the contract(s) and classified data
processing requirements.

      d.  A point-of-contact, room number, phone number for both the
requester/sponsor and contractor.

      e.  A listing and a description of the equipment and systems, including
individual system component nomenclature and model numbers of stand-alone
equipment, which will process classified information in the performance of the
contract.  This listing and description should include a statement describing
the TEMPEST posture of the system/equipment (i.e., off-the-shelf, built or
modified to meet NACSIM 5100.  Equipment Zone Number (EZN), unknown, etc.). 
Include the total volume of data handled and the period over which such a
volume is handled.  Volume should be in terms of the type of processing done
(e.g. "messages" for a communication center," pages" for a printing facility
or "screens" if the processing is done primarily on video terminals). 
Additionally, a breakout, in percentages, of the volume at each classification
level should be made and a listing provided of the types of compartmented
data, if any, that are processed.  For any lists of equipment required,
identify those equipment which will process only collateral information rather
than compartmented data.  Identify specific equipment or systems deleted,
added relocated since the last Instrumented TEMPEST Survey (ITS).  The volume
of data and breakout of classification should be cumulative for all contracts
which utilize the equipment and each applicable contract number should be
identified.  This data may be presented as a tabular listing.

      f.  Has the specific equipment or facility been TEMPEST accredited by a
government agency?  (yes or no) 

     If so, provide a copy of the last completed checklist and accreditation
letter or sufficient identification of the event.

      g.  Will the equipment be installed within an RF shielded (yes or no)?

     If yes, please provide the following information: 

            (1) Manufacturer of enclosure 

            (2) Date installed 

            (3) Installing activity

            (4) When was the enclosure last tested for RF attenuation?  Attach
a copy of the test report.

            (5) Have any penetrations been made to the enclosure since the
last RF attenuation test?  (yes or no)

     If yes explain.

            (6) Is the RF shielding (e.g., fingerstock) in good repair? (yes
or no)

      h.  Provide as many drawings as are needed to show clearly:

            (1) Outline of the building containing the
classified/compartmented data processing equipment and its surrounding outside
area, including roadways, loading zones, parking lots, etc. 

            (2) If applicable, areas outside the building which are protected
with approved alarm systems or which are under continuous surveillance by
personnel with at least a U.S. SECRET clearance.

            (3) The boundaries (and room numbers) of the classified or
compartmented processing area(s) and the boundaries of the Controlled Space
(CS) if they differ from the boundaries of the areas.

            (4) The classification level of the areas surrounding, above, and
below the CS.

            (5) Areas within the building where personnel with less the U.S.
SECRET clearance can obtain access without being properly escorted or under
continuous surveillance.

            (6) Location of CLIPS.

            (7) Identification of lines, cables, and other metallic conductors
which leave the CS, including telephone, power, signal, and alarm lines,
pipes, air conditioning ducts, etc.

            (8) Location of telephone instruments, telephone line filters,
power line filters, signal ground points, etc.

            (9) Are telephone lines:
                (a) Shielded? (yes or no)

                (b) In conduit? (yes or no)

                (c) Filtered? (yes or no) If yes, are filtered grounded within
the controlled space? (yes or no)

                (d) Distributed separately from all classified signal lines? 
(yes or no)
                (e) A minimum of one meter from any CLIPS?  (yes or no)

            (10) Description of power source (i.e., commercial, government,
filtered, unfiltered, etc. 4).

            (11) Identification of installing activity.

            (12) Has a RED/BLACK inspection been performed to determine
compliance of the facility with appropriate RED/BLACK engineering criteria
(e.g. MIL HKBK 232, NACSIM 5203 (NOTAL))? (yes or no)

     If yes, provide a copy of the inspection report and describe corrective
measures implemented if discrepancies were identified.

            (13) Has an ITS been performed for this specific system? (yes or
no)

     If yes, describe corrective measures if CE were found outside the CS, and
forward a copy of the last ITS report of identify the date and tester.

     If no, indicate if an ITS has been requested, providing a scheduled date,
if available, and indicate who will do the survey.

            (14) If the facility is Zoned, submit the following:

                  (a) Facility Zoning maps.

                  (b) List of CLIPS to be used in each Zone.

                  (c) Identification of organization which performed Zoning
test.
                  (d) A copy of the Zoning data, if available and the zoning
that was not performed by the U.S. Navy.

            (15) Will signal lines carrying unencrypted classified or
compartmented information be routed into areas of lower classification or
compartmentalization or into uncontrolled areas?  If so, describe TEMPEST and
physical security protective measures. Will compartmented data be transmitted
outside the compartmented area?  If so, identify organization, location,
building, and room number of distant end for each circuit.

            (16) Identify the classified processing schedule that will be
used, e.g., scheduled, irregular, sporadic, cyclical, random.  Assess the
probability of the exact hours of classified use being pinpointed by
unauthorized personnel.  Describe any facts or circumstances which would make
such determinations difficult.

            (17) Give the safeguard determined by the contractor to be
required, based on the contractor's evaluation of the Navy implementation of
NACSI Instruction 5004/5005 (NOTAL).  Provide details of the evaluation
process as outlined in reference (a).  Describe the steps which have been or
will be taken to comply with the required safeguard.  Provide target dates for
completion.  Identify the total cost of the contract and the estimated cost of
the TEMPEST modification.

16.3.4  Users TVARs.  TVA Requests, from users, shall include the following:

      a.  Identification of both the command possessing the CLIPS and
responsible for its security and the command submitting the TVAR.  Provide the
short title for both and the name and phone number of points-of-contact at
both. 

      b.  General description of data being processed (e.g. messages,
radar/sonar, telemetry).

      c.  Listing and description of the equipment and systems, including
individual system component nomenclature and model numbers of stand-alone
equipment which will process classified information.  Include statement
concerning TEMPEST posture of system/equipment (i.e., off-the-shelf, built or
modified to meet NACSIM 5100, EZN, etc.).  Include the total volume of data
handled and the period over which such a volume is handled.  Volume should be
in terms of the type of processing done (e.g. "messages" for a communication
center, "pages" for a printing facility or "screens" it the processing is done
primarily on video terminals).  Additionally, a breakout, in percentages, of
the volume at each classification level should be made and a listing provided
of types of compartmented data, if any, that are processed.  Identify specific
equipment deleted, added or relocated since last ITS of this system.

      d.  Indicate if the equipment will be installed within a shielded
enclosure which provides a minimum of 60 db of attenuation.  If so, provide
the following:

            (1) Manufacture of enclosure.

            (2) Date Installed.

            (3) Installing Activity

            (4) When was the enclosure last tested for RF attenuation?  Attach
a copy of the last test report.

            (5) Have any penetrations been made to the enclosure since the
last RF attenuation test?  (yes or not)

            (6) Is the RF shielding (e.g., fingerstocking) in good repair? 
(yes or no)

      e.  Provide as many drawings as are needed to show clearly: 

            (1) Outline of the building containing the CLIPS and its
surrounding outside area, including roadways, loading zones, parking lots,
etc.

            (2) If applicable, areas outside the building which are protected
with alarm systems or which are under continuous surveillance by personnel
with at least a U.S. SECRET clearance.

            (3) The room numbers and the boundaries of the classified
processing and/or compartmented area(s) and the boundaries of the CS'S if they
differ from the boundaries of the areas.

            (4) The classification level of the areas surrounding, above, and
below the CS.

            (5) Areas within the facility where personnel with less the U.S.
SECRET clearance can obtain access without being properly escorted or under
continuous surveillance.

            (6) Location of CLIPS showing the minimum distance, in meters,
from CLIPS components to the boundary of the CS.  Use a separate sheet to key
all CLIPS to the listing provided under paragraph 1.c. above.


      f.  If the specific CLIPS has been previously surveyed, provide the
result, date and reference of last ITS for each CLIPS together with a listing
of the specific equipment or systems deleted, added or relocated since last
ITS.  If the system failed the previous survey, such a statement will make the
TVAR classified.

      g.  Statement as to whether CLIPS was installed following appropriate
RED/BLACK criteria.  Statement of specific CM determined to be necessary
during evaluation and whether CM was met.  If CM4 was called out and met, the
command should state here "Based upon the fact all components which process
classified information are installed properly, we will consider this
installation an acceptable risk unless otherwise notified". 

      h.  Description of power source (i.e., commercial, government, filtered,
unfiltered, motor generator, etc.) 

      i.  Will signal lines carrying unencrypted classified/compartmented
information be routed into areas of lower classification/compartmentalization
or into uncontrolled areas?  If so, describe TEMPEST and physical security
protective measures. Will compartmented data be transmitted outside the
compartmented area? If so, identify organization, location, building, and room
number of distant end for each circuit. 

      j.  For compartmented processors identify lines, cables, and other
metallic conductors which leave e the CS, including telephone, power, signal,
and alarm lines, pipes, air conditioning ducts, etc.

      k.  For Compartmented processors indicate the location of telephone
instruments, telephone line filters, power line filters, signal ground points,
etc. on the drawing provided under item E. above.

      l.  For Compartmented processors are telephone lines:

            (1) Shielded? (yes or no) 

            (2) In conduit? (yes or no) 

            (3) Filtered? (yes or no) If yes, are filtered grounded within the
controlled space (yes or no)

            (4) Distributed separately from all classified signal lines? (yes
or no)

            (5) A minimum of one meter from any CLIPS?  (yes or no) 

      m.  Remarks:  Include any amplifying information that could assist in
determining hazard probabilities and subsequent TEMPEST survey schedule.


16.4  Supplemental Documentation.  Provided in this is an outline of a letter
for submitting a TVAR (TEMPEST VULNERABILITY ASSESSMENT REQUEST) in accordance
with OPNAVINST C5510.93.  The TVAR should be submitted to COMNISCOM by the
operating command upon completion of the installation phase of any NEEACT PAC,
GUAM or JAPAN project involving classified information processors, or when any
change occurs in the configuration of classified information processors in an
existing facility.  (The request may be delayed to include RED processors of
other projects that are expected to be completed shortly.)  There are no
TEMPEST prohibitions against processing classified data as long as the TVAR
has been submitted and the system complies with the safeguards called out in
OPNAVINST C5510.93.  Upon completion of the Vulnerability Assessment by
COMNISCOM, either an ITS (Instrumented TEMPEST Survey) will be assigned for
the vulnerable equipment or the system will be considered an acceptable risk.

16.4.1  Special Instructions.  Joint/Tri-Service organizations such as
COMUSFORCES KOREA and JCIS should address their request to JCS (Joint Chiefs
of Staff) Washington D.C.  If the facility wants the Navy TEMPEST team to
conduct the survey, this should be stated in the request and COMNISCOM should
be informed.

16.4.2  Reminders.

    a.  All TVARs must be submitted by letter.

    b.  Provide sketches as required by paragraph 6 in Sample Letter.

    c.  Provide an estimate of the total volume of data processed.  The volume
should be listed in a physical form such as total pages processed, total
number of messages processed, hours of operation or number of new screenfulls
of VDT data viewed.  The volume estimate should take into account only unique
data.  That is, if a single document of 50 pages is being reproduced 1,000
times, it represents only 50 pages of classified data not 50,000 pages. 

    d.  The estimate should list the percentage of data which is processed at
each level of classification (TOP SECRET, SECRET, CONFIDENTIAL, UNCLASSIFIED). 
Indicate if compartmented data is processed.

    e.  Also, ensure that all non-TEMPEST security requirements (e.g., AIS
accreditation in accordance with SECNAVINST 5239.2, and physical security in
accordance with latest version of OPNAVINST 5510.1) are met.  AISs under the 
purview of COMNAVCOMTELCOM advises that TEMPEST requirements are met when the
command has submitted a TVAR and received a response from COMNISCOM indicating
no TEMPEST objections to classified processing.


16.4.3  TEMPEST VULNERABILITY ASSESSMENT REQUEST (SAMPLE).

From:  ______________________________________________
              [Command]

To:    Commander, Naval Investigative Service Command

Subj:  TEMPEST VULNERABILITY ASSESSMENT REQUEST

Ref:   (a) OPNAVINST C5510.93E
       (b) ________________________________________________
           [Report of last Instrumented TEMPEST Survey]

Encl:  (1) Facility Layout and Floor Plans

1.  (U) In accordance with reference (a), we are submitting a TVAR (TEMPEST
Vulnerability Assessment Request) for
__________________________________________________________ located
         [System/Equipment]

at ____________________________________________________.  The following
   [Building No., Base, City, State, Country]
information is provided in accordance with Section I, enclosure (4) of
reference (a).

2.  (U) Command responsible for CLIPS (Classified Information Processing
System):

Command: _____________________________________________
Command NTP-3 Short Title: ___________________________
Point of Contact: ____________________________________
Phone Number: ________________________________________

         Command submitting the TVAR (if different):

Command: _____________________________________________
Command NTP-3 Short Title: ___________________________
Point of Contact: ____________________________________
Phone Number: ________________________________________

3.  (U) General Description of data processed: _________________
_________________________________________________________________
      [messages, text, radar, video, sonar, telemetry, etc]


4.  (U) List and description  of equipment/system:

[Include system and individual component nomenclature and model numbers of
equipment which process classified information, TEMPEST posture of the       
equipment/system (e.f., off the shelf, built or modified to meet NACSIM 5100,
TEMPEST Zoned equipment, etc), total volume of data handled (e.g., "messages"
for a communication center, "pages" for a printing facility, or "screens of
unique data" for video terminals), percentage of classified at each
classification level (including whether data is at a compartmented level), and
whether the equipment has been added, deleted or relocated since the last
ITS.]                                                                
5.  (U) The equipment/system will be installed in a shielded enclosure which
provides a minimum of 60 Db of attenuation:  [Delete this paragraph is not
applicable.]

    a.  (U) Manufacturer of Enclosure: ________________________________________

    b.  (U) Date Installed: _______________________________

    c.  (U) Installing Activity: ______________________________________________

    d.  (U) Date enclosure last tested for RF attenuation: ____________________
            (Attach a copy of the test report)

    e.  (U) Have any penetrations been made to the enclosure since the last RF
attenuation test: ___________ [Yes or No]

    f.  (U) Is the RF shielding (e.g., Fingerstocking) in good
repair: ___________ [Yes or No]

6.  (U) Equipment/System and Controlled Space Sketches:  Enclosure (1)
contains the equipment/system floor plans and CS sketches.

    [Provide as many drawings as necessary to show the following clearly:

    a.  (U) Outline of the building containing the CLIPS (Classified
Information Processing System) and its surrounding outside area, including
roadways, loading zones, parking lots, etc.

    b.  (U) If applicable, areas outside the building which are protected by
alarm systems or which are under continuous surveillance by personnel with at
least a U.S. SECRET clearance.

    c.  (U) The room numbers and the boundaries of the classified processing
and/or compartmented area(s) and the boundaries of the CS's if they differ
from the boundaries of the areas.

    d.  (U) The classification level of the areas surrounding, above, and
below the CS.


   e.  (U) Areas within the facility where personnel with less than a U.S.
SECRET clearance can obtain access without being properly escorted or under
continuous surveillance. 

    f.  (U) Location of CLIPS showing the minimum distance, in meters, from
the CLIPS components to the boundary of the CS.  Use a separate sheet to key
all CLIPS to the listing provided under paragraph 4 above.]

7.  (?) Data on last ITS:  This is the first survey request for the newly
installed equipment.

    or

The system was last tested during _______ and the survey results were reported
                                  [Date]
by reference (b).

[If the specific CLIPS have been previously surveyed, provide the results,
date and reference of the last ITS for each CLIPS together with a listing of
the specific equipment of systems deleted, added, or relocated since the last
ITS.  If the system failed the previous survey such a statement will make the
TVAR classified SECRET.]

8.  (U) Data as to whether the CLIPS were installed according to the
appropriate RED/BLACK criteria:  [Statement of specific CM (Safeguards)
determined to be necessary during the evaluation using Enclosure (3) of
reference (a) and whether the CM was met.  If CM4 was called out and met, the
command should state here "Based upon the fact that all components which
process classified information are installed properly, we will consider this
installation an acceptable risk unless otherwise notified."]

9.  (U) Power Source:  The equipment/system is fed by a 
_______________________________________________________________________ AC
[filtered/unfiltered/motor generator]   [commercial/government]
power system.
The power transformer is located ________________________ the CS.
                                      [inside/outside]

10.  (U) Will signal lines carrying unencrypted classified/compartmented
information be routed into areas of lower classification/compartmentalization
or into uncontrolled areas? __________ [Yes or No]  [If yes, describe TEMPEST
and physical security protective measures.  Will compartmented data be
transmitted outside the compartmented area?  If so, identify the organization,
location, building, and room number of the distant end for each circuit.]

11.  (U) [For compartmented systems identify lines, cables, and other metallic
conductors which leave the CS, including telephone, power, signal, and alarm
lines, pipes, air conditioning ducts, etc.]


12.  (U) For Compartmented processors are telephone lines:

      a.  (U) Shielded? __________ [Yes or No]

      b.  (U) In Conduit? __________ [Yes or No]

      c.  (U) Filtered? ___________ Yes or No]  If Yes, are filters grounded
within the CS? __________ [Yes or No]

      d.  (U) Distributed separately from all classified signal lines? ________
[Yes or No]

      e.  (U) Minimum of one meter from any CLIPS? __________ [Yes or No]

13.  (U) Remarks:  [Include any amplifying information that could assist in
determining hazard probabilities and subsequent TEMPEST survey schedule.]


Copy to:  NAVELEXSECCEN
          NEEACT PAC
          NEEACT [Guam, Japan, or Philippines as applicable]

Notes:

1.  Statements in [ ] are comments for providing information on the respective
items.

2.  The TVAR is normally not classified.  If information included in the
request is classified for other reasons, classify the document accordingly.

16.5  References:

    a.  OPNAVINST C5510.93E, "Navy Implementation of National Policy on
Control of Compromising Emanations."

    b.  NACSIM 5100 (NOTAL), "National COMSEC/Information Memorandum."

    c.  SECNAVINST 5239.2, "Department of the Navy Automated Information
Systems (AISs) Security Program."