STIGQter: STIG Summary: Traditional Security Checklist, Version: 1, Release: 3, Benchmark Date: 15 Jun 2020

COMSEC Account Management - Program Management and Standards Compliance

DISA Rule

SV-40970r3_rule

Vulnerability Number

V-30928

Group Title

COMSEC Account Management - Program Management and Standards Compliance

Rule Version

CS-01.03.02

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

The site must have local procedures covering maintenance of COMSEC equipment and key material. Further, any inspection findings from NSA or Services issuing the account or the account sponsor (for Hand Receipt holders) must be corrected, or the site must provide evidence that a plan of action is in place and underway to correct noted deficiencies.

Check Contents

Ask how the COMSEC account is managed. Check for written procedures and inspection reports.

NOTES:

1. Applies in a tactical environment if the crypto equipment and key material being observed is at a location where supporting staff (IAM, SM, COMSEC Custodian) would logically be located. If it is a mobile tactical organization, responsibility for program management might simply be the identification of an individual responsible for keeping track of and maintaining COMSEC materials, but supporting documentation may not be immediately available and should not be written as a finding; however, observations and comments may still be documented.

2. Note in the report the COMSEC Account type (e.g., NSA, Navy, Army).

3. Note in the report the last COMSEC Inspection Date based on observed documentation. (Summarize the overall results and if the site is taking action to address/correct findings.)

4. Ensure that any COMSEC account, materials or equipment being inspected is used for encryption of DoDIN assets. COMSEC accounts or items not used with DoDIN assets should not be inspected.

5. This check is not intended to be an inspection of the COMSEC Program; rather, it is a verification that a viable program is in place with NSA or oversight. The idea is to ensure that NSA or Service oversight inspection findings/deficiencies are being corrected in a timely manner by the site.

Documentable

False

Severity Override Guidance

Ask how the COMSEC account is managed. Check for written procedures and inspection reports.

NOTES:

1. Applies in a tactical environment if the crypto equipment and key material being observed is at a location where supporting staff (IAM, SM, COMSEC Custodian) would logically be located. If it is a mobile tactical organization, responsibility for program management might simply be the identification of an individual responsible for keeping track of and maintaining COMSEC materials, but supporting documentation may not be immediately available and should not be written as a finding; however, observations and comments may still be documented.

2. Note in the report the COMSEC Account type (e.g., NSA, Navy, Army).

3. Note in the report the last COMSEC Inspection Date based on observed documentation. (Summarize the overall results and if the site is taking action to address/correct findings.)

4. Ensure that any COMSEC account, materials or equipment being inspected is used for encryption of DoDIN assets. COMSEC accounts or items not used with DoDIN assets should not be inspected.

5. This check is not intended to be an inspection of the COMSEC Program; rather, it is a verification that a viable program is in place with NSA or oversight. The idea is to ensure that NSA or Service oversight inspection findings/deficiencies are being corrected in a timely manner by the site.

Check Content Reference

M

Target Key

2506

Comments