Annex B Government of Canada Enterprise COMSEC Management and Accountability. to the

Transcription

1 Annex B Government of Canada Enterprise COMSEC Management and Accountability to the IT Security Directive for the Control of COMSEC Material in the Government of Canada (ITSD-03A) April 2015

2 Foreword The Annex B Government of Canada Enterprise COMSEC Management and Accountability to the IT Security Directive for the Control of COMSEC Material in the Government of Canada (ITSD-03A) is an publication issued under the authority of the Chief, Communications Security Establishment in accordance with the Treasury Board of Canada Secretariat Policy on Government Security. General inquiries and suggestions for amendments are to be forwarded through departmental COMSEC channels to COMSEC Client Services at the Communications Security Establishment. The Communications Security Establishment will notify users of changes to this publication. Effective Date This annex takes effect on date of signature. Original signed by Toni Moffa Deputy Chief, IT Security April 2015 Reproduction and Distribution It is permissible to reproduce or make physical or electronic copies of this publication, in part or in whole, for official Government of Canada use only. April 2015 B-ii

3 Table of Contents Foreword... B-ii Annex B Enterprise COMSEC Management and Accountability... B-1 B.1 Introduction... B-1 B.1.1 Purpose... B-1 B.2 Enterprise COMSEC Service Model in the National COMSEC Material Control System... B-2 B.3 Enterprise COMSEC Roles and Authorities... B-2 B.3.1 Enterprise Services Organization... B-2 B.3.2 Enterprise Security Officer... B-3 B.3.3 Enterprise COMSEC Authority... B-3 B Enterprise COMSEC Authority Operations... B-3 B Enterprise COMSEC Authority Program... B-3 B.3.4 Departmental Security Officer and Departmental COMSEC Authority... B-4 B.4 The Enterprise COMSEC Account... B-4 B.4.1 Establishing an Enterprise COMSEC Account... B-4 B.4.2 Enterprise COMSEC Account Roles and Responsibilities... B-5 B.4.3 Enterprise Controlling Authority for Enterprise Cryptographic Networks... B-7 B.5 Managing an Enterprise COMSEC Account... B-7 B.5.1 Enterprise COMSEC Service Request... B-7 B.5.2 Distribution and Receipt of Accountable COMSEC Material... B-8 B.5.3 COMSEC Account Audit... B-8 B.5.4 COMSEC Incidents... B-8 B.6 References... B-9 B.6.1 List of Abbreviations and Acronyms... B-9 B.6.2 Glossary... B-10 B.6.3 Bibliography... B-12 List of Figures Figure 1 National COMSEC Material Control System (NCMCS) Authority Infrastructure, Including the Enterprise COMSEC Service Model... B-2 Figure 2 Departmental and Enterprise COMSEC Service Models... B-4 Figure 3 Appointment of an Enterprise Local Element Manager to be an Alternate Enterprise Local Element Manager to one or more Enterprise Local Elements... B-6 Figure 4 Appointment of Alternate Enterprise Local Element Managers to be an Alternate Enterprise Local Element Manager to one or more Enterprise Local Elements... B-6 April 2015 B-iii

4 Annex B Enterprise COMSEC Management and Accountability B.1 Introduction The Communications Security Establishment (CSE) has established a new Communications Security (COMSEC) service model known as the Enterprise COMSEC Service Model. It is designed to perform COMSEC services for Government of Canada (GC) operations to allow for cross-departmental accountability chains. The Enterprise COMSEC Service Model is designed on a proxy accounting format, whereby a central GC department (known as an enterprise services organization ) is authorized to establish a COMSEC accountability chain that allows COMSEC assets and services to be provided across departmental boundaries. B.1.1 Purpose This Annex describes the Enterprise COMSEC Service Model, its related roles and responsibilities and its minimum security requirements for the management and accountability of COMSEC material. This Annex must be read in conjunction with the IT Security Directive for the Control of COMSEC Material in the Government of Canada (ITSD-03A), as it supports the minimum security requirements authorized for the control and management of Accountable COMSEC Material (ACM) in the Enterprise COMSEC Service Model. Consequently, enterprise COMSEC personnel must continue to follow ITSD-03A requirements for: selection of COMSEC personnel; COMSEC management training; management of COMSEC Accounts; identification of COMSEC material; accounting forms, reports and notices; special access requirements; access to ACM; physical security; distribution and receipt of ACM; COMSEC Account inventory functions; COMSEC emergency planning; and COMSEC incident reporting. April 2015 B-1

5 B.2 Enterprise COMSEC Service Model in the National COMSEC Material Control System ITSD-03A delineates and describes the integral components of the National COMSEC Material Control System (NCMCS) infrastructure. introduces the Enterprise COMSEC Service Model to the departmental NCMCS hierarchy, using a similar model, but with a different terminology. Figure 1 shows the addition of the Enterprise COMSEC Service Model to the NCMCS hierarchy: Figure 1 National COMSEC Material Control System (NCMCS) Authority Infrastructure, Including the Enterprise COMSEC Service Model B.3 Enterprise COMSEC Roles and Authorities New enterprise COMSEC roles and authorities are introduced in this model, and are described in the following articles. B.3.1 Enterprise Services Organization An enterprise services organization is a GC department that has been assigned the lead role to provide COMSEC control and management services to one or more departments that are outside of the enterprise services organization s traditional COMSEC accountability chain, or that are of a comparable complexity where it is deemed advantageous to implement an enterprise approach. The enterprise services organization assignment must be officiated under the Financial Administration Act (FAA) (refer to ITSD-03A) or other Order-in-Council decision. The deputy head of the enterprise services organization is responsible for implementing ITSD-03A and its delegations of authority. April 2015 B-2

6 B.3.2 Enterprise Security Officer The Enterprise Security Officer (ESO) is appointed by the deputy head at the enterprise services organization. It is the ESO s responsibility to manage the enterprise security program. If not appointed to a new individual, the ESO role may be incorporated into the enterprise services organization s existing Departmental Security Officer (DSO) role. For more information on COMSEC roles, refer to ITSD-03A. B.3.3 Enterprise COMSEC Authority The ESO may appoint another office to manage the COMSEC portion of the enterprise security program. In so doing, the ESO may appoint a single Enterprise COMSEC Authority (ECA) to handle the responsibilities of the entire enterprise COMSEC program, or appoint two separate offices: ECA-Operations (ECA-O) and ECA-Program (ECA-P). NOTE: The ECA-O will handle the Departmental COMSEC Authority (DCA) responsibilities noted in ITSD-03A, along with the responsibilities in Article B The ECA-P will handle the responsibilities noted in Article B B Enterprise COMSEC Authority Operations An ECA-O may be appointed by the ESO to act in his or her stead to manage the operations component of the enterprise COMSEC program. In addition to the DCA responsibilities in ITSD-03A, the ECA-O is responsible for: managing enterprise COMSEC incidents; approving GC departmental Enterprise COMSEC Service Requests for mandated enterprise COMSEC services; providing authority to submit enterprise COMSEC procurement requests to COMSEC Client Services at CSE; coordinating enterprise service requirements with the DSO/DCA; appointing enterprise COMSEC Controlling Authorities (ConAuths), enterprise custodial staff and Enterprise Local Element Managers (ELEMs) and their alternates; and auditing (refer to Article B.5.3) voice, FAX, and other mandated client-side enterprise COMSEC services. B Enterprise COMSEC Authority Program An ECA-P may be appointed by the ESO to act in his or her stead to manage the enterprise COMSEC program. The ECA-P is responsible for: providing signing authority for enterprise COMSEC capital project requirements; prioritizing authority for the enterprise equipment program (Approval for Use [AFU]) and capital project activities; coordinating with sponsored projects; and providing strategic planning for enterprise network COMSEC services. April 2015 B-3

7 B.3.4 Departmental Security Officer and Departmental COMSEC Authority The DSO and DCA of a GC department that also fulfils the role of an enterprise services organization are not authorized to be an ESO or an ECA of that organization. However, they have the responsibility to identify their department s requirement for enterprise COMSEC services to the organization s ECA. B.4 The Enterprise COMSEC Account Within the Enterprise COMSEC Service Model, there are no COMSEC Sub-Accounts. The model is based on one or more Enterprise COMSEC Accounts, plus any number of subordinate Enterprise Local Elements (ELEs), and any number of subordinate Enterprise Loan Holders (ELHs), as depicted in Figure 2: B.4.1 Figure 2 Departmental and Enterprise COMSEC Service Models Establishing an Enterprise COMSEC Account An enterprise services organization must establish a CSE-approved Enterprise COMSEC Account before receiving ACM. An Enterprise COMSEC Account is assigned a unique COMSEC Account number by National Central Office of Record (NCOR) or by a Central Office of Record (COR). An Enterprise COMSEC Account must register ELEs, as indicated at Article B The minimum Enterprise COMSEC Account personnel requirements include: an ECA, which must be appointed by an ESO. This responsibility may be split into two separate offices: an ECA-O an ECA-P an Enterprise COMSEC Custodian; and at least one Enterprise Alternate COMSEC Custodian. B Enterprise Local Element An ELE is an administrative entity established by an Enterprise COMSEC Account to assist in the control of the COMSEC material produced by, or entrusted to, the ELE. The Enterprise COMSEC Custodian assigns each ELE a unique account number, which is directly associated to its Enterprise COMSEC Account. April 2015 B-4

8 NOTE 1: This identifier is only visible at the Enterprise COMSEC Account level; it is not visible outside of the account. NOTE 2: In certain cases, the ECA may authorize the Enterprise COMSEC Account to also be established as an ELE. ELE personnel requirements below would be handled by the Enterprise COMSEC Custodian. The minimum ELE personnel requirements include: an ELEM; and one Alternate ELEM. B Enterprise Loan Holder An ELH, also called Hand Receipt holder in other COMSEC publications, is an individual who is registered to an ELE. B.4.2 Enterprise COMSEC Account Roles and Responsibilities All Enterprise COMSEC Account and ELE personnel, including ELHs, requiring access to enterprise ACM must be Canadian citizens (including those of dual nationality) and must refer to ITSD-03A, Chapter 10, for the complete list of access requirements. Enterprise COMSEC Account and ELE personnel must be employees of the enterprise services organization. All ELHs registered to an ELE must be employees of the GC department that is supported by the enterprise services organization (hereinafter referred to as client department). B Enterprise COMSEC Custodian An Enterprise COMSEC Custodian and Alternate Enterprise COMSEC Custodian(s) are appointed by, and report directly to, the ECA. The Enterprise COMSEC Custodian is responsible to adhere to ITSD-03A for the receipt, custody, distribution, disposition or destruction, and accounting of enterprise ACM entrusted to his or her Enterprise COMSEC Account. An Enterprise COMSEC Custodian is also responsible for establishing the ELEs of his or her Enterprise COMSEC Account, and for providing them with cryptographic troubleshooting support and guidance on the use of cryptographic equipment and key. An Enterprise COMSEC Custodian is responsible to provide COMSEC Briefings to ELEs before enterprise ACM can be distributed to them. A copy of the COMSEC Briefing Certificate must be held at the Enterprise COMSEC Account and the ELE. NOTE: The COMSEC Custodian Quick Reference Guide provides an overview of custodial responsibilities. B Alternate Enterprise COMSEC Custodian The Alternate Enterprise COMSEC Custodian performs the duties of the Enterprise COMSEC Custodian during his or her temporary absences, and may assist the Enterprise COMSEC Custodian in the day-to-day activities of the Enterprise COMSEC Account. B Enterprise Local Element Manager An ELEM is an individual responsible for the generation, receipt, custody, distribution, disposition or destruction, and accounting of ACM entrusted to their ELE. ELEMs are also responsible for registering ELHs and other authorized users to their ELE and providing them with cryptographic equipment troubleshooting support and guidance on the use of key. April 2015 B-5

9 An ELEM may be appointed, by the ECA-O, to be an Alternate ELEM to one or more other ELEs within the same Enterprise COMSEC Account, as depicted in Figure 3. Such an appointment accepts that the Alternate ELEM may require additional travel to the other ELEs in order to administer the ELEs day-to-day responsibilities. Figure 3 Appointment of an Enterprise Local Element Manager to be an Alternate Enterprise Local Element Manager to one or more Enterprise Local Elements B Alternate Enterprise Local Element Manager The Alternate ELEM performs the duties of the ELEM during his or her temporary absences, and may assist the ELEM in the day-to-day activities of the ELE. An Alternate ELEM may be appointed, by the ECA-O, to be an Alternate ELEM to one or more ELEs within the same Enterprise COMSEC Account, as depicted in Figure 4. Such an appointment accepts that the Alternate ELEM may require additional travel to the other ELEs in order to administer the ELEs day-to-day responsibilities. Figure 4 Appointment of Alternate Enterprise Local Element Managers to be an Alternate Enterprise Local Element Manager to one or more Enterprise Local Elements April 2015 B-6

10 B Enterprise Loan Holder An ELH is an individual of a client department who is registered to an ELE. As an ELH, the individual is authorized to hold, store and use ACM, and, consequently, is personally responsible for the control, safeguarding and disposition of ACM to which he/she has been entrusted, in accordance with the control and handling instructions provided by his or her ELEM. ELHs must be registered with a single ELE, be COMSEC-briefed, and have signed the COMSEC Loan Holders Responsibilities form before any enterprise ACM is distributed to them. ELHs must not be registered to more than one ELE, nor registered to any other departmental COMSEC Account. B.4.3 Enterprise Controlling Authority for Enterprise Cryptographic Networks Each enterprise Cryptographic Network (cryptonet) requires an ECA-appointed enterprise ConAuth to manage the operational use of the key assigned to the cryptonet and to develop a Key Material Support Plan (KMSP) before the cryptonet can be given authorization to operate. Refer to the Directive for the Use of CSEC-Approved COMSEC Equipment and Key on a Telecommunications Network (ITSD-04) for information on the responsibilities of the ConAuth and how to prepare a KMSP. B Enterprise Key Ordering Personnel The ECA is responsible for appointing enterprise key ordering personnel and establishing their privileges to submit key orders. The key ordering responsibility is separate from COMSEC custodial duties; however, the ECA may appoint the responsibility of enterprise key ordering to COMSEC custodial personnel. Refer to ITSD-03A and the Cryptographic Key Ordering Manual (ITSG-13) for more information. B Other Authorized Users In certain circumstances, individuals such as shift workers and technicians (hereinafter referred to as authorized users) that may require short term (immediate) access to enterprise ACM must meet the selection requirements of ITSD-03A, Chapter 10, and be authorized by the ECA to temporarily share an ELH s ACM. NOTE: B Witness The lowest level to which the ECA may delegate responsibility to assign authorized user responsibility is the ELEM. Formal witnesses to COMSEC transactions (e.g. destruction, inventory sighting) must meet the prerequisites for access to enterprise ACM and hold a security status at least equal to the highest classification level of the enterprise ACM transaction being witnessed. The witness must not sign any documentation without having personally sighted the ACM listed on a transaction form. B.5 Managing an Enterprise COMSEC Account B.5.1 Enterprise COMSEC Service Request ITSD-03A provides the criteria for establishing, approving and maintaining a COMSEC Account; however, the requirements for COMSEC services in an Enterprise COMSEC Service Model are first identified through the Enterprise COMSEC Service Request. April 2015 B-7

11 The Enterprise COMSEC Service Request is the mechanism whereby a client department or potential client department DSO/DCA submits, to the ECA, a formal request form (which must be retained on the Enterprise COMSEC Account chronological file for audit purposes) for a COMSEC service, for example: joining a specific Enterprise COMSEC Service Model for SECRET voice, FAX, and other client-side COMSEC services; attestation statements for ELH appointments; procurement of CSE-approved cryptographic products; and coordination of sponsored projects. The Enterprise COMSEC Service Request must be submitted to the ECA who will ensure formal progression of the request and responses back to the client-side department. This process must provide sufficient evidence of positive control such that the process is auditable. B.5.2 Distribution and Receipt of Accountable COMSEC Material ITSD-03A provides the criteria for distributing and receipting ACM; however, the Enterprise COMSEC Service Model is structured on the concept of proxy accounting. B Proxy Accounting As referred to in Article B.1, proxy accounting authorizes Enterprise COMSEC Accounts and their ELEs to distribute ACM directly to ELHs. ELHs, in response, must acknowledge these transactions directly to their ELE. NOTE: B.5.3 Proxy accounting specifically prohibits ELEs and ELHs from re-loaning or providing further distribution to any other departmental or enterprise local element or loan holder. COMSEC Account Audit Enterprise COMSEC Accounts are subject to CSE-initiated COMSEC audits as a means of validating the assurance of confidentiality, integrity and availability of the COMSEC service. The CSE audit is an independent review of a COMSEC Account s records and activities to ensure ACM produced by or entrusted to that account is controlled and managed as detailed in ITSD-03A and in this Annex. The ECA and the Enterprise COMSEC Custodian must collaborate with client department DCAs, Loan Holders and the CSE National COMSEC Audit Team (NCAT) to accommodate audit visitation protocols, inspection routine, inventory validation, and exit interview. The ECA and the Enterprise COMSEC Custodian must provide the results of exit interviews with client departments as appropriate. The ECA must provide an auditable process for COMSEC service requests to ensure that there is intrinsic positive control on the COMSEC management chain. For more information on conducting COMSEC Account audits, Enterprise COMSEC Custodians and ELHs must follow the direction in ITSD-03A. B.5.4 COMSEC Incidents Due to the diversity of the Enterprise COMSEC Services Model, heightened vigilance must be exercised in reporting promptly and accurately all COMSEC incidents or potential COMSEC incidents. Refer to ITSD-03A and the Directive for Reporting and Evaluating COMSEC Incidents Involving Accountable COMSEC Material (ITSD-05). April 2015 B-8

12 COMSEC incidents must be reported by the ELH to his or her DSO/DCA and to the Enterprise COMSEC Custodian (within 24 hours) who will in turn report the COMSEC incident to the ECA. The ECA must coordinate, with the client department s DSO/DCA, the completion of the initial COMSEC Incident Report that will be submitted to the National COMSEC Incidents Office (NCIO), including any immediate mitigation factors. This includes initial and follow-up (tracer) activity. B.6 References B.6.1 List of Abbreviations and Acronyms ACM AFU CICA COMSEC ConAuth COR Cryptonet CSE DCA DND DSO ECA ECA-O ECA-P ELE ELEM ELH ESO FAA GC KMSP LE LH NCAT NCIO NCMCS NCOR PGS Accountable COMSEC Material Approval for Use CSE Industry COMSEC Account Communications Security Controlling Authority Central Office of Record Cryptographic Network Communications Security Establishment Departmental COMSEC Authority Department of National Defence Departmental Security Officer Enterprise COMSEC Authority Enterprise COMSEC Authority Operations Enterprise COMSEC Authority Program Enterprise Local Element Enterprise Local Element Manager Enterprise Loan Holder Enterprise Security Officer Financial Administration Act Government of Canada Key Material Support Plan Local Element Loan Holder National COMSEC Audit Team National COMSEC Incidents Office National COMSEC Material Control System National Central Office of Record Policy on Government Security April 2015 B-9

13 B.6.2 Glossary This glossary contains terms and definitions related to the COMSEC material identified within this annex. Accountable COMSEC Material (ACM) COMSEC material that requires control and accountability within the NCMCS in accordance with its accounting legend code and for which transfer or disclosure could be detrimental to the national security of Canada. Communications Security (COMSEC) Controlling Authority (ConAuth) Departmental COMSEC Authority (DCA) Departmental Security Officer (DSO) Enterprise COMSEC Authority (ECA) Enterprise COMSEC Authority Operations (ECA-O) The application of cryptographic, transmission, emission and physical security measures, and operational practices and controls, to deny unauthorized access to information derived from telecommunications and to ensure the authenticity of such telecommunications. The individual appointed by the DCA or ECA to manage the operational use and control of symmetric key assigned to a specific cryptographic network. The individual designated by, and responsible to, the DSO for developing, implementing, maintaining, coordinating and monitoring a departmental communications security program which is consistent with the Policy on Government Security and its standards. The individual responsible for developing, implementing, maintaining, coordinating and monitoring a departmental security program consistent with the Policy on Government Security and its standards. The individual designated by, and responsible to, the DSO/ESO for developing, implementing, maintaining, coordinating and monitoring an enterprise COMSEC program which is consistent with the Policy on Government Security and its standards. NOTE: The ECA role may be split into two separate roles (operations and program) based upon the complexity of the enterprise. The individual designated by, and responsible to, the DSO/ESO for developing, implementing, maintaining, coordinating and monitoring the operations component of an enterprise COMSEC program which is consistent with the Policy on Government Security and its standards. April 2015 B-10

14 Enterprise COMSEC Authority Program (ECA-P) Enterprise COMSEC Custodian Enterprise Local Element (ELE) The individual designated by, and responsible to, the DSO/ESO for developing, implementing, maintaining, coordinating and monitoring the programmatic component of an enterprise COMSEC program which is consistent with the Policy on Government Security and its standards. The individual designated by the ECA to be responsible for the receipt, storage, access, distribution, accounting, disposal and destruction of all COMSEC material that has been charged to an enterprise COMSEC account. An administrative entity established by an enterprise COMSEC account to assist in the control of the COMSEC material produced by or entrusted to that administrative entity. NOTE: The ELE is identified by a suffix number to its parent enterprise COMSEC account (e.g ). Enterprise Local Element Manager (ELEM) Enterprise Loan Holder (ELH) Enterprise Security Officer (ESO) Enterprise Services Organization Proxy Accounting The individual responsible for the generation, receipt, custody, distribution, disposition or destruction, and accounting of COMSEC material entrusted to his or her ELE. That individual is also responsible for registering ELHs and other authorized users to the ELE and for providing them with cryptographic equipment troubleshooting support and guidance on the use of key. An individual registered at a single ELE who is authorized to receive and use COMSEC material from the ELE. The individual responsible for developing, implementing, maintaining, coordinating and monitoring an enterprise security program consistent with the Policy on Government Security and its standards. A GC department that has been assigned the lead role to provide COMSEC management services to more than other GC departments and agencies that are outside of the organization s traditional accountability chain. The COMSEC accounting methodology that authorizes enterprise COMSEC accounts and their ELEs to distribute accountable COMSEC material directly to supported client department ELHs. April 2015 B-11

15 B.6.3 Bibliography The following source documents were used in the development of this annex. Communications Security Establishment: o Cryptographic Key Ordering Manual (ITSG-13), May o o o Directive for Reporting and Evaluating COMSEC Incidents Involving Accountable COMSEC Material (ITSD-05), April Directive for the Control of COMSEC Material in the Canadian Private Sector (ITSD-06), March Directive for the Use of CSEC-Approved COMSEC Equipment and Key on a Telecommunications Network (ITSD-04), November o Government of Canada Facility Evaluation Procedures (ITSG-12), June o o IT Security Directive for the Control of COMSEC Material in the Government of Canada (ITSD-03A), March IT Security Directive for Managing CSE-Approved Cryptographic Equipment and Key To Secure a Telecommunications Network (ITSD-04A), in development. Department of Justice: o Financial Administration Act (FAA), Treasury Board of Canada Secretariat: o Directive on Departmental Security Management (DDSM), July o Management of Information Technology Security (MITS), April o Policy on Government Security (PGS), July April 2015 B-12