21 March 2001. Thanks to BH.
[16 pages; all marked "UNCLASSIFIED/ /FOR OFFICIAL USE ONLY."]
NSTISSI No. 3003
August 2000
Operational Security Doctrine
for
KG-66/KG-66A/SO-66/
KGR-66/KGV-68/KGR-68/KGV-68B
THIS DOCUMENT PROVIDES MINIMUM STANDARDS. FURTHER
INFORMATION MAY BE REQUIRED BY YOUR DEPARTMENT OR AGENCY.
FOREWORD
1. (U//FOUO) This instruction supersedes NTISSI No. 3003, "Operational Security
Doctrine for the KG-66/KG-66A/KGR-66/KV-68" dated 27 April 1990. It updates
its predecessor and also includes requirements applicable to the KGR-68 and
the KGV-68B.
2. (U//FOUO) The COMSEC system specified in this instruction provides security
for digital telemetry transmissions between an airborne weapons system and
its receiving stations.
3. (U//FOUO) This instruction provides the minimum national standards for
this system. Please check with your agency for applicable implementing documents.
4. (U//FOUO) Representatives of the National Security Telecommunications
and Information Systems Security Committee may obtain additional copies of
this NSTISSI from:
NATIONAL SECURITY AGENCY
NSTISSC SECRETARIAT
ATTN: 142 STE 6716
FORT GEORGE G. MEADE, MD 20755-6716
5. (U//FOUO) U.S. Government contractors and vendors shall contact their
appropriate government agency or Contracting Officer Representative regarding
distribution of this document.
MICHAEL V. HAYDEN
Lieutenant General, USAF
NSTISSC Secretariat (142). National Security Agency.9800 Savage
Road STE 67 16. Ft Meade MD 20755-6716
(410) 854-6805.UFAX: (410) 854-6814
nstissc@radium.ncsc.mil
OPERATIONAL SECURITY DOCTRINE FOR THE
KG-66/KG-66A/SO-66/KGR-66/KGV-68/KGR-68/KGV-68B
SECTION
PURPOSE I
SCOPE II
REFERENCES III
DEFINITIONS IV
SYSTEM DESCRIPTION V
KEYING INFORMATION VI
CLASSIFICATION GUIDANCE VII
CONTROL REQUIREMENTS VIII
EMERGENCY PROCEDURES IX
REPORTABLE INCIDENTS X
EXCEPTIONS XI
SECTION I - PURPOSE
1. (U//FOUO) This document provides minimum security doctrine for the operational
use of the KG-66/KG-66A/SO-66/KGR-66 (KUTA), KGV-68 (NOBLEMAN), KGV-68B,
KGR-68 and associated COMSEC material.
SECTION II - SCOPE
2. (U//FOUO) This document will be made available to all U.S. Government
organizations that use or have access to the
KG-66/KG-66A/SO-66/KGR-66/KGV-68/KGV- 68B/KGR-68 and associated COMSEC material.
Promulgation may be made through issuance of this document or through its
incorporation into applicable department or agency publications.
3. (U//FOUO) When the requirements or terms of this instruction appear to
substantially conflict with the requirements or terms of any other national-level
issuance, this conflict will be identified and guidance requested, through
organizational channels, from the Director, National Security Agency, ATTN:
INFOSEC Policy, Procedures, and Insecurities Division.
SECTION III - REFERENCES
4. (U//FOUO) References cited in this doctrine are listed in ANNEX A.
SECTION IV - DEFINITIONS
5. (U//FOUO) Definitions in NSTISSI No. 4009 (Reference a.) apply to this
doctrine.
SECTION V - SYSTEM DESCRIPTION
6. (U//FOUO) This COMSEC system is comprised of an electronic key generator
(half-duplex) (KG-66 or KG-66A) telemetry data unit, the receive only unit
(KGR-66), and the receiver/maintenance test unit (SO-66). The KGR-66 consists
of the KGV-66 plug-in module and HNF-66 frame and power supply. The KUTA
(KC-66 and KG-66A operating in modes A and B) and NOBLEMAN (KGV-68 operating
in mode B only) are half-duplex encryptors, and can be used as decryptors
in approved applications. The KGV-68/KGV-68B is compatible with all KUTA
equipment operating in mode B. The KGR-68 consists of an embedded KGV-68
module and associated circuitry, and is designed to be a replacement for
the KGR-66. The KYK- 13, KOl- 18, and AN CYZ-10/10A Data Transfer Device
(DTD) fill devices are used with these systems (see paragraph 9).
7. (U//FOUO) This COMSEC system provides security for digital telemetry
transmissions between an airborne weapons system and its receiving stations.
The KG-66/KG-66A/KGV-68/KGV-68B perform on-line encryption/decryption of
serial binary data from the weapons system's digital telemetry unit. The
KGR-66 and KGR-68 are decryption equipment only. The KG-66/KG-66As are capable
of operating at data rates between 10 Kbps and 11 Mbps. The KGR-66 and KGR-68
are capable of operating at data rates between 10 Kbps and 10 Mbps. The KGV-68
is capable of operating at data rates between 50 bps and 11 Mbps. The KGV-68B
is capable of operating at data rates up to 50 Mbps.
8. (U//FOUO) When used with the appropriate keys, the
KG-66/KG-66A/KGV-68/KGV-68Bs are approved for the encryption of telemetry
data up to SECRET. The KGV-68/KGV-68B has an upgrade mode where the encryptor
is monitored by another KGV-68/KGV-68B and some external circuitry. This
permits use for higher classifications when approved on a case-by-case basis.
The KGV-68B incorporates the required upgrade external circuitry within the
module.
SECTION VI - KEYING INFORMATION
9. (U//FOUO) The KG-66/KG-66A/KGR-66/KGV-68/KGR-68/KGV-68B keys (ANNEX E)
are produced in eight-level, standard-hole tape. The KG-66 is filled directly
(or via an SO-66) from a key tape using the KOI-18 fill device. The KC-66
can also be filled with the KYK-13 when used in accordance with the instructions
in KAO-182/TSEC. The KGR-66/KG-66A/KGV-68/KGR-68/KGV-68B may be filled with
either the KOI-18, KYK-13, or DTD. NSTISSI No. 3021 (Reference b.) contains
the systems doctrine for the DTD.
a. (U//FOUO) Operational key tapes (USKAT-series) are classified on the basis
of the classification of the traffic they are intended to protect and are
TOP SECRET, SECRET, or CONFIDENTIAL. These key tapes are regularly and
irregularly superseded depending on system application, are packaged in plastic
canisters, are marked CRYPTO NOFORN, and are serial number accountable,
Accounting Legend Code 1 (ALC-1).
b. (U//FOUO) Operational key tapes (AKAT-series) are classified on the basis
of the classification of the traffic they are intended to protect and are
TOP SECRET, SECRET, or CONFIDENTIAL. These key tapes are regularly and
irregularly superseded depending on system application, are packaged in plastic
canisters, are marked CRYPTO, and are serial number accountable, ALC-1.
c. (U//FOUO) Exercise key tapes (USKXT-series) are classified CONFIDENTIAL.
These key tapes are periodically superseded, are packaged in plastic canisters,
are marked CRYPTO NOFORN, and are serial number accountable, ALC-1.
d. (U//FOUO) Exercise key tapes (AKXT-series) are classified CONFIDENTIAL.
These key tapes are periodically superseded, are packaged in plastic canisters,
are marked CRYPTO, and are serial number accountable, ALC-1.
e. (U//FOUO) Maintenance key tape (KMT-series) are classified CONFIDENTIAL
but not marked CRYPTO. Maintenance key tapes are designed for back-to-back
bench testing only and shall not be used for over-the-air transmissions.
The maintenance key tapes are packaged in clear plastic canisters and segments
may be reused until they become unserviceable. KMT- 152 Edition H and onward
are compatible with the KG-66/KG-66A/ KGR- 66/SO-66/KGV-68/KGR-68/KGV-68B.
KMT-152 editions prior to Edition H are not compatible with the KGR-66, KGV-68,
KGR-68 or KGV-68B. These tapes are serial number accountable, ALC-1.
10. (U//FOUO) Each KG-66/KG-66A/KGV-68/KGV-68B encryptor and its associated
decryptors will normally be loaded with a unique TEK. If operational
considerations require multi-encryptor loading of a single TEK, it will be
approved on a case-by-case basis by DIRNSA (V31).
11. (U//FOUO) The cryptoperiod for the KG-66/KG-66A/KGV-68/KGV-68B is 24
hours transmission time per mission. Any application that requires a cryptoperiod
greater than 24 hours per mission and/or requires more than one encryptor
per mission for the same key must have prior approval by DIRNSA (V31). This
request will be submitted by the end user.
SECTION VII - CLASSIFICATION GUIDANCE
12. (U//FOUO) NTISSI No. 4002 (Reference c.) contains general COMSEC
classification guidance.
13. (U//FOUO) Classification and markings assigned to the
KG-66/KG-66A/SO-66/KGR-66/KGR-68/KGV-68B and associated COMSEC material are
included in ANNEX B of this instruction. Classification and description of
supporting documentation are included in ANNEX C. The checklist for secure
telemetry missile firings when filled in is a minimum classification of
CONFIDENTIAL and is included as ANNEX D. Classification and description of
supporting COMSEC keying material are included in ANNEX E.
SECTION VIII - CONTROL REQUIREMENTS
14. (U//FOUO) Except as specified below, control requirements for the COMSEC
components and material associated with this system shall be in accordance
with the safeguards and criteria of NSTISSI No. 4005 (Reference d.) and NSTISSI
No. 4001 (Reference e.) as applicable.
a. (U//FOUO) Access
(1) (U//FOUO) No clearance is required for access to the SO-66 or HNF-66
when the respective unkeyed KG-66/KG-66A/KGV-66 is installed.
(2) (U//FOUO) Even though all the system equipment and the fill devices are
unclassified when unkeyed, they are controlled cryptographic items (CCI)
that perform sensitive cryptographic functions. Information regarding access
to unkeyed CCI equipment is provided in Reference e.
b. (U//FOUO) Transportation
(1) (U//FOUO) When an unkeyed KG-66/KG-66A/KGV-68/KGV-68B is installed
as an integral part of a weapons system, the weapon and the CCI may be
shipped in a manner approved for the highest classification level applicable
to either the CCI or the weapon. If the accountability is retained by the
shipping organization, the KG-66/KG-66A/KGV-68/KGV-68B must be couriered
by the shipping organization and hand receipted to the courier. A
KG-66/KG-66A/KGV-68/KGV-68B shipped as a part of a weapons system must be
zeroized by removal of its key hold-up battery.
(2) (U//FOUO) When an unkeyed KG-66/KG-66A/KGV-68/KGV-68B is not installed
as an integral part of the weapons system, it must be transported or
shipped in any manner approved for the shipment of CCI hardware. If keyed,
they will be shipped in accordance with requirements set forth in Reference
d.
c. (U) Test Flight History/Equipment Recovery
(1) (U//FOUO) Users must initiate procedures to ensure that a complete history
of secure telemetry missile firings exists. The "Checklist for Secure Telemetry
Missile Firings" (ANNEX D) provides a list of items/areas that should be
included. The checklist may be expanded to include additional information
to meet specific user requirements. An information copy of the checklist
must be forwarded to DIRNSA (V31) by the COMSEC Custodian within 30 days
after the completion of each missile launch using secure telemetry.
(2) (U//FOUO) Reasonable effort will be made to recover any
KG-66/KG-66A/KGV-68/KGV-68B used in weapons system tests. However, because
of the nature of the service flight test and other weapons system telemetry
encryption missions associated with this equipment, it is understood that
some KG-66/KG-66A/KGV-68/KGV-68B equipment may not be recoverable. (e.g.,
post flight recovery teams may not be able to locate impact areas, equipment
may be destroyed beyond recognition, the missile may be lost in waters too
deep to effect reasonable chance of recovery, etc.) This is expected, and
under such conditions, the loss will not be considered a security violation
but must be reported in accordance with paragraph 14.c.(1), above.
d. (U) Accountability
(1) (U//FOUO) KG-66/KG-66A/SO-66/KGR-66/KGV-68/KGR-68/KGV-68B are accountable
items and must be issued on a hand receipt to users by COMSEC custodians
or property book officers. Keying material is handled by COMSEC custodians
for issuance to hand receipt holders. The hand receipt holders are responsible
for the security, destruction, and handling of the COMSEC material.
(2) (U//FOUO) When an operationally keyed KG-66/KG-66A/KGV-68/ KGV-68B is
installed as part of a missile (i.e., the missile is completely assembled
and certified for flight), accountability and physical safeguards associated
with the KG-66/KG-66A/KGV-68/KGV-68B will continue until the missile is launched.
All labels should be removed from the KG-66/KG-66A/KGV-68/KGV-68B prior to
being installed in a missile. The removed labels will accompany the accounting
report during all transactions thereafter (i.e., destruction, transfer, etc.).
The missile serial number and launch date will be used to complete the record
of destruction. If, for any reason, the missile is not fired and requires
disassembly, the local accountable official must be notified to assure that
accounting and security procedures for the KG-66/KG-66A/KGV-68/KGV-68B are
followed. In this case, the keys should be superseded.
(3) (U//FOUO) If a missile containing a KG-66/KG-66A/KGV-68/KGV-68B previously
recorded/reported as destroyed is recovered (i.e., missile is not destroyed
by impact, is recovered from shallow water, etc.), the
KG-66/KG-66A/KGV-68/KGV-68B should be placed under the maximum physical controls
available for the classification level of the keyed equipment and the recovery
reported to V31. The situation and available resources must be taken into
consideration on such occasions. No special security containers are required
for the storage of the KC-66/KG-66A/KGV-68/KGV-68B during recovery operations.
Personnel participating in recovery operations will be briefed on the importance
of protecting the KG-66/KG-66A/KGV-68/KGV-68B until it can be turned over
to proper authority. The local accounting official will add the recovered
KG-66/KG-66A/KGV-68/KGV-68B to his/her account holdings and return it and/or
those identifiable portions, for disposition to DIRNSA (COMSEC Account 880666,
V09, Pass To: V31).
e. (U//FOUO) Follow-on Mission Processing - There may be cases when it is
necessary to retain encrypted telemetry magnetic tapes for later decryption
and processing. When such a requirement exists, the following procedures
apply:
(1) (U//FOUO) After the completion of the test (pod, flight, operations,
etc.), the key associated with the encrypted magnetic tape will be returned
to and retained by the COMSEC custodian to ensure continued accountability
and secure storage. The encrypted magnetic tape may be handled as an unclassified
item. However, cross-references to the storage media (encrypted magnetic
tape) and the key used for encryption (short title, edition, and segment)
are classified a minimum of CONFIDENTIAL and must be appropriately stored.
(2) (U//FOUO) When additional processing (decryption) is required at a later
time, the key will be retrieved from secure storage (hand receipted, if
necessary) and after use, returned to secure storage.
(3) U//FOUO) When no further processing of the encrypted magnetic tape is
necessary, the COMSEC custodian will destroy the associated key in accordance
with requirements set forth in NTISSI No. 4004 (Reference f.).
(4) (U//FOUO) Any reuse of a key from a previous cryptoperiod for encryption
of data is prohibited. This applies to both operational and exercise key.
(U//FOUO) NOTE: Encrypted magnetic tapes are unclassified and may be stored
in an unclassified area. (In the COMSEC. community, this is considered BLACK
data.) Decrypted magnetic tapes (plain text), which are classified, must
be stored in areas which are afforded physical security for classified
information. (In the COMSEC community, this is considered RED data.)
SECTION IX - EMERGENCY PROCEDURES
15. (U//FOUO) Reference f. prescribes standards for routine destruction of
COMSEC material and provides criteria and guidance for protecting COMSEC
material under emergency conditions. It also provides guidance and assigns
responsibilities for recovery of abandoned COMSEC material.
SECTION X - REPORTABLE INCIDENTS
16. (U//FOUO) COMSEC incidents are reportable in accordance with NSTISSI
No. 4003 (Reference g.) and applicable department or agency implementing
instructions. Reference g. lists general incidents. The following are incidents
specific to the KG-66/KG-66A/SO-66/KGR-66/ KGR-68/KGV-68/KGV-68B:
a. (U//FOUO) Physical Incidents - Shipment of a missile with a key other
than a shipping key installed.
b. (U//FOUO) Cryptographic Incidents
(1) (U//FOUO) Unauthorized extension of a cryptoperiod or an unauthorized
increase in the number of KG-66/KG-66A/KGV-68/KGV-68B encryptors using the
same key.
(2) (U//FOUO) Failure to change the key after a transmitting KG-66/
KG-66A/KGV-68/KGV-68B malfunction. Malfunction is defined as an alarm function
that will not clear in the encryptor or failure of the decryptor to achieve
cryptosynchronization.)
(3) (U//FOUO) The transmission of classified data using an SO-66, with an
installed KG-66/KG-66A, that has failed the checkword verification procedures.
(4) (U//FOUO) Failure to follow procedures in KAO-182 A/TSEC when loading
key into the KG-66 with a KYK-13. (This does not apply to the KG-66A.)
(5) (U//FOUO) Use of a KGV-66 without the HNF-66.
SECTION XI - EXCEPTIONS
17. (U//FOUO) Requests for exceptions to any of the provisions of this doctrine
must be approved, on a case-by-case basis, prior to implementation. Each
request shall include a complete operational justification and shall be submitted
through appropriate department or agency channels to DIRNSA, INFOSEC Policy,
Procedures, and Insecurities Division for review.
5 Encls:
ANNEX A - References
ANNEX B - Equipment Classification
ANNEX C - Documentation Description and Classification
ANNEX D - Checklist for Secure Telemetry Missile Firings
ANNEX E - COMSEC Keying Material Description and Classification
ANNEX A
References
(U//FOUO) The following national-level documents are referenced in this
instruction:
NSTISSI No. 4009 (Revision 1), National Information Systems Security (INFOSEC)
Glossary, dated January 1999.
NSTISSI No. 302 1, Operational Security Doctrine for the AN/CYZ-10/10A Data
Transfer Device (DTD), dated September 1997.
NTISSI No. 4002, Classification Guide for COMSEC Information, dated 5 June
1986.
NSTISSI No. 4005, Safeguarding Communications Security (COMSEC) Facilities
and Materials, dated August 1997.
NSTISSI No. 4001, Controlled Cryptographic Items, dated July 1996.
NTISSI No. 4004, Routine Destruction and Emergency Protection of COMSEC Material,
dated 11 March 1987.
NSTISSI No. 4003, Reporting and Evaluating COMSEC Incidents, dated 2 December
1991.
ANNEX B
Equipment Classification
| EQUIPMENT |
KEYED |
UNKEYED |
| KG-66/KG-66(E1) |
Same classification as the key |
CCI ALC-1 |
| KG-66A |
Same classification as the key |
CCI ALC-1 |
| KGV-66 |
Same classification as the key |
CCI ALC-1 |
| KGV-68 |
Same classification as the key |
CCI ALC-1 |
| KGV-68/KGV-68B |
Same classification as the key |
CCI ALC-2 |
SO-66
(with KG-66 or KG-66A |
Same classification as the key |
CCI ALC-1 |
SO-66
(without KG-66 or KG-66A |
N/A |
CCI ALC-1 |
| AN CYZ-10/10A |
Same classification as the key
(with CIK inserted) |
CCI ALC-1 |
KOI-18
(General Purpose Tape Reader) |
N/A |
CCI ALC-2 |
KYK-13
(Electronic Fill Device) |
Same classification as the key |
CCI ALC-2 |
KGR-66
(HNF-66 with KGV-66) |
Same classification as the key |
CONFIDENTIAL ALC-1 |
HNF-66
(without KGV-66) |
N/A |
UNCLASSIFIED ALC-4 |
E-ECC, E-ECD
Printed Wiring Boards (PWBs) |
N/A |
CONFIDENTIAL ALC-2 |
E-ENF, E-FAH, E-FEX
and E-FEY
Pritned Wiring Assemblies (PWAs) |
N/A |
CCI ALC-2 |
U-ALP, U-KLC, U-TPN
U-KMC, U-LPC, and
U-AIZ (Microcircuits) |
N/A |
CCI ALC-2 |
NOTE: KG-66/KG-66A/SO-66/KGR-66/KGV-68/KGR-68/KGV-68B are not releasable
to foreign nationals without specific approval of the National Manager.
ANNEX C
Documentation Description and Classirication
| DOCUMENTATION |
DESCRIPTION |
CLASSIFICATION |
| NAM-22A/TSEC |
SO-66 Maintenance Manual |
CONFIDENTIAL NOFORN |
| CSESD-35B |
Communications Security
Equipment System Document
for KGR-66 |
CONFIDENTIAL NOFORN |
| CSESD-45B |
Communications Security
Equipment System Document
for KGR-66/KG-66A |
CONFIDENTIAL NOFORN |
| CSESD-11I |
Communications Security
Equipment System Document
for Fill Devices |
CONFIDENTIAL |
| KAO- 182A/TSEC |
Operator's Instruction for
KG-66/SO-66 |
FOR OFFICIAL USE ONLY |
| KAM-437A/TSEC |
KGR-66 Maintenance
Manual |
CONFIDENTIAL NOFORN |
| KAO- 198A/TSEC |
Operator's Instruction
for KGR-66 |
FOR OFFICIAL USE ONLY |
| KAM-471A/TSEC |
KG-66 Maintenance
Manual |
CONFIDENTIAL NOFORN |
| KAM-553A |
KGR-68 Maintenance
Manual |
FOR OFFICIAL USE ONLY |
| 0N382425 |
Interface Specification
for KGV-68 |
FOR OFFICIAL USE ONLY |
| 0N636672 |
Interface Specification for KGV-68B |
FOR OFFICIAL USE ONLY |
ANNEX D
Checklist for Secure Telemetry Missile Firings
1 . Laboratory Checkout/Calibration
Date completed:
Location of Data:
2. Test Item:
3. Location of Test:
4. Type of Keying Material Used:
5. Short Title /Edition/Segment:
6. Holding Battery Installed (Date):
7. Keying Material Loaded (Date):
8. Test (Date):
9. KG-66/KG-66A/KGV-68/KGV-68B Serial Number (Circle One):
10. Test Item/KG-66/KG-66A/KGV-68/KGV-68B
Extended (Approx. Time):
11. Approximate Location of Impact:
12. Recovery Attempt Made (YES, NO). (If NO, provide explanation):
13. Transaction number used to relieve the COMSEC account of the accountability
for the fired missile:
14. Reported to COMSEC Custodian (Date/Approx. Time):
15. Problems Encountered (If None, so state):
16. Report Submitted to DIRNSA (Date):
17. Letter and serial number or date-time-group of message used to provide
requested information to DIRNSA (V31):
SIGNED:
WITNESS:
NOTE: When filled in and depending on mission, a minimum classification
of CONFIDENTIAL is required.
ANNEX E
COMSEC Keying Material
Description and Classification
| KEY |
CLASSIFICATION |
REMARKS |
ALC |
| KMT-152 |
CONFIDENTIAL
NOFORN |
MAINTENANCE KEY
NOT FOR-OVER-THE-AIR |
ALC-1 |
| USKAT-D50XX |
SECRET CRYPTO
NOFORN |
OPERATIONAL KEY |
ALC-1 |
| AKAT-D50XX |
SECRET CRYPTO |
OPERATIONAL KEY |
ALC-1 |
| USKAT-36XX |
CONFIDENTIAL
CRYPTO NOFORN |
OPERATIONAL KEY |
ALC-1 |
| AKAT-36XX |
CONFIDENTIAL CRYPTO |
OPERATIONAL KEY |
ALC-1 |
| USKAT-F38XX |
TOP SECRET
CRYPTO NOFORN |
OPERATIONAL KEY |
ALC-1 |
| AKAT-F38XX |
TOP SECRET CRYPTO |
OPERATIONAL KEY |
ALC-1 |
| USKXT-37XX |
CONFIDENTIAL
CRYPTO NOFORN |
EXERCISE KEY |
ALC-1 |
| AKXT-37XX |
CONFIDENTIAL CRYPTO |
EXERCISE KEY |
ALC-1 |
NOTE: The above keys are compatible with the KG-66/KG-66A/SO-66/ KGR-66/KGV-68/
KGR-68/KGV-68B. KMT-152 Edition H and beyond are KGR-66/KGV-68/KGR-68/KGV-68B
compatible.
|
