UNCLASSIFIED IT Security Directive for the Management of CSE-Approved Cryptographic Equipment and Key to Secure a Telecommunications Network

Transcription

1 UNCLASSIFIED IT Security Directive fr the Management f CSE-Apprved Cryptgraphic Equipment and Key t Secure a Telecmmunicatins Netwrk ITSD-04A

2 Frewrd UNCLASSIFIED IT Security Directive fr the Management f CSE-Apprved Cryptgraphic Equipment and Key t Secure a Telecmmunicatins Netwrk (ITSD-04A) The IT Security Directive fr the Management f CSE-Apprved Cryptgraphic Equipment and Key t Secure a Telecmmunicatins Netwrk (ITSD-04A) is an UNCLASSIFIED publicatin issued under the authrity f the Chief, Cmmunicatins Security Establishment in accrdance with the Treasury Bard f Canada Secretariat (TBS) Plicy n Gvernment Security. This publicatin supersedes ITSD-04, which must be destryed in accrdance with departmental prcedures fr the dispsal f gvernment infrmatin. General inquiries and suggestins fr amendments are t be frwarded thrugh departmental and enterprise cmmunicatins security channels t COMSEC Client Services at the Cmmunicatins Security Establishment. The Cmmunicatins Security Establishment will ntify users f changes t this publicatin. Effective Date This directive takes effect n date f signature. Original signed n January 30, 2017 by Sctt Jnes, Deputy Chief, Infrmatin Technlgy Security Reprductin and Distributin Physical r electrnic cpies f this publicatin, in part r in whle, may be made fr fficial Gvernment f Canada use nly. January 2017

3 Summary f Changes frm ITSD-04 t ITSD-04A UNCLASSIFIED IT Security Directive fr the Management f CSE-Apprved Cryptgraphic Equipment and Key t Secure a Telecmmunicatins Netwrk (ITSD-04A) Althugh all users f cryptgraphic netwrks shuld read this Infrmatin Technlgy Security Directive (ITSD) in its entirety, the fllwing articles are highlighted as majr changes t the management, cntrl and use f cryptgraphic equipment and key apprved by the Cmmunicatins Security Establishment (CSE) and used t secure telecmmunicatins netwrks. Reference Thrughut directive Change Change t the title The intrductin f the fllwing: Netwrk Cmmunities Cntrlling Authrity (CnAuth) Cmmand Authrity (CmdAuth) Prduct Requester (PR) Enterprise cryptnets Cryptnet Management vs Key Management IT Security Directive fr Cryptgraphic Key Ordering (ITSD-09) (replacement fr ITSG-13) Gvernment f Canada Key Management Infrastructure (GC KMI) terminlgy Symmetric and asymmetric terminlgy t identify cryptgraphic key frmats Updated Key Material Supprt Plan (KMSP) directin Article 1.9 New article prviding clarity n the Distributin f Infrmatin and Data abut CSE-Apprved COMSEC Systems and Services. NOTE: It is the respnsibility f the user t apply all applicable security requirements identified in this ITSD. January 2017 iii

4 UNCLASSIFIED IT Security Directive fr the Management f CSE-Apprved Cryptgraphic Equipment and Key t Secure a Telecmmunicatins Netwrk (ITSD-04A) Table f Cntents Frewrd... ii Summary f Changes frm ITSD-04 t ITSD-04A... iii 1 Intrductin Purpse Scpe Cntext Netwrk Cmmunities Cmpliance Cnflict Reslutin Requests fr Exceptin r Waiver Cntact Infrmatin Distributin f Infrmatin and Data abut CSE-Apprved COMSEC Systems and Services Rles and Respnsibilities Cmmunicatins Security Establishment Departmental COMSEC Authrity/Enterprise COMSEC Authrity Cryptgraphic Netwrk Cntrlling Authrity/Cmmand Authrity Prduct Requester Rle Assignment Restrictins Cryptgraphic Netwrk Members Cryptgraphic Netwrks General COMSEC Service Mdels Types f Cryptgraphic Netwrks Establishing and Clsing a Cryptgraphic Netwrk Establishing a Cryptgraphic Netwrk Key Material Supprt Plan Clsing a Cryptgraphic Netwrk Creating a Cmpund Cryptnet Cryptgraphic Netwrk Management General Cryptperid Extensin Supersessin Rate Cmprmise Recvery and Risk Management COMSEC Emergency Plan Audit Requirements Cryptgraphic Netwrk Supprt Training General January 2017 iv

5 UNCLASSIFIED IT Security Directive fr the Management f CSE-Apprved Cryptgraphic Equipment and Key t Secure a Telecmmunicatins Netwrk (ITSD-04A) 8 COMSEC Incident Reprting References Abbreviatins, Acrnyms and Initialisms Glssary COMSEC User Prtal Cmmunicatins Security Establishment Web Site Bibligraphy Annex A Develping and Updating the Key Material Supprt Plan... A-1 A.1 General... A-1 A.2 Prerequisites... A-1 A.3 Rles and Respnsibilities... A-2 Appendix A t Annex A Key Material Supprt Plan Template... A-4 List f Tables Table 1 Cntact Infrmatin fr COMSEC Offices... 2 Table 2 KMSP Rles and Respnsibilities... A-2 List f Figures Figure 1 Cmpund Cryptnet January 2017 v

6 UNCLASSIFIED IT Security Directive fr the Management f CSE-Apprved Cryptgraphic Equipment and Key t Secure a Telecmmunicatins Netwrk (ITSD-04A) 1 Intrductin 1.1 Purpse This directive prvides the minimum security requirements fr the management, cntrl and handling f cryptgraphic equipment and key apprved by Cmmunicatins Security Establishment (CSE) and used t prtect classified and PROTECTED C infrmatin and data n a telecmmunicatins netwrk. 1.2 Scpe This directive fcuses n the management and security f high-assurance cryptgraphic equipment and key used t cryptgraphically secure a telecmmunicatins netwrk fr classified and Prtected C infrmatin r data. Fr the purpse f this directive, a telecmmunicatins netwrk secured with CSE-apprved cryptgraphy will be called a cryptgraphic netwrk (cryptnet). Business intake activities (i.e. rganizatin, management and peratins) f an Infrmatin Technlgy (IT) netwrk are ut the scpe f this directive and remain the respnsibility f the netwrk s Infrmatin Technlgy Security Crdinatr (ITSC). NOTE: Thrughut this dcument, the term cryptgraphic key will be referred t as key. The term key is used t refer t all frms f physical r electrnic cryptgraphic key. It is used as a singular and plural term. 1.3 Cntext This directive supprts the Plicy n Gvernment Security (PGS) and the Directive n Departmental Security Management (DDSM) and shuld be read in cnjunctin with the fllwing publicatins: IT Security Directive fr the Cntrl f COMSEC Material in the Gvernment f Canada (ITSD-03A); IT Security Directive fr Cryptgraphic Key Ordering (ITSD-09); and Directive fr Reprting and Evaluating COMSEC Incidents Invlving Accuntable COMSEC Material (ITSD-05). 1.4 Netwrk Cmmunities Cryptnets are based upn a requirement t cmmunicate in clsed grups. Fr the purpses f this directive, a cryptnet cmmunity is a set f users with a cmmn interest and a need-t-knw wh share infrmatin securely using the same interperable cryptgraphic key. The simplest cryptnet is established servicing a single peratinal activity and is implemented using End Cryptgraphic Units (ECUs) with a specific symmetric key shrt title r asymmetric key partitin cde. In sme cmplex envirnments where Cntrlling Authrities (CnAuths) r Cmmand Authrities (CmdAuths) need t establish infrmatin sharing between tw r mre cryptnets, a third negtiated linking key can be used. This linking f cryptnets is referred t as a cmpund cryptnet and in such a case, ne f the participating members must take frmal management cntrl f the link as the CnAuth/CmdAuth. Cryptnets may als be established as telephny cryptnets where mbile r fixed vice/data exchange between individuals is required. January 2017

7 1.5 Cmpliance UNCLASSIFIED IT Security Directive fr the Management f CSE-Apprved Cryptgraphic Equipment and Key t Secure a Telecmmunicatins Netwrk (ITSD-04A) Cmpliance with this directive is the respnsibility f Gvernment f Canada (GC) departments and enterprise services rganizatins requiring CSE-prvided key in supprt f CSE-apprved cryptgraphic slutins. Nn-cmpliance may result in a delay f key delivery and supprt services. 1.6 Cnflict Reslutin Any cnflict encuntered between this ITSD and ther natinal (e.g. ther ITSDs, PGS and DDSM) r internatinal (e.g. Internatinal Traffic in Arms Regulatins [ITAR]) publicatins must be submitted t COMSEC Client Services (CCS) fr reslutin. 1.7 Requests fr Exceptin r Waiver A request fr an exceptin (substitutin) r a waiver (temprary exemptin frm a specific requirement) must be submitted by the Departmental COMSEC Authrity (DCA) r Enterprise COMSEC Authrity (ECA) in writing, and with a justificatin, t CCS fr apprval. NOTE: CCS peridically (annually, at a minimum) reviews exceptins fr peratinal suitability and risk, and assesses prgress twards the eliminatin f waivers. 1.8 Cntact Infrmatin The fllwing table cntains cntact infrmatin fr ffices that prvide COMSEC supprt t users. COMSEC Client Services Telephne: Secure Fax: Table 1 Cntact Infrmatin fr COMSEC Offices cmsecclientservices@cse-cst.gc.ca Crypt Material Assistance Centre (CMAC) and Natinal Central Office f Recrd (NCOR) Telephne: Fax: Secure Fax: cmac-camc@cse-cst.gc.ca NOTE: Unless therwise specified, CSE s telephne and secure fax cntact numbers listed are attended Mnday t Friday, frm 8 a.m. t 4 p.m. Eastern Time. 1.9 Distributin f Infrmatin and Data abut CSE-Apprved COMSEC Systems and Services Infrmatin and data, in part r in whle, abut CSE-apprved COMSEC systems and services cntrlled by the GC r by a GC spnsred rganizatin may be distributed electrnically r physically. NOTE: In all cases, distributed extracts must be labelled with the apprpriate security classificatin. January

8 1.9.1 Electrnic Distributin UNCLASSIFIED IT Security Directive fr the Management f CSE-Apprved Cryptgraphic Equipment and Key t Secure a Telecmmunicatins Netwrk (ITSD-04A) Infrmatin and data abut CSE-apprved COMSEC systems and services must be distributed as fllws: PROTECTED C and CONFIDENTIAL up t TOP SECRET disseminated electrnically n GC netwrks using CSE-apprved encryptin capabilities. This includes secure telephny, facsimile and netwrk services where the cmmunicatins service must be accredited t a level cmmensurate with the classificatin f the infrmatin being prcessed; PROTECTED B disseminated electrnically n GC netwrks, including secure facsimile, r n a public netwrk when prtected minimally with GC Public Key Infrastructure (PKI) encryptin; PROTECTED A disseminated electrnically n GC netwrks r n a public netwrk when prtected minimally with GC PKI encryptin, r a HyperText Transfer Prtcl Secure (HTTPS) encrypted cnnectin, r unclassified pint-t-pint facsimile that riginates and terminates in an Operatins Zne Physical Distributin Physical (mail r curier) distributin f prtected and classified infrmatin and data abut CSE-apprved COMSEC systems and services must be in accrdance with the directin in ITSD-03A and ITSD-06A. 2 Rles and Respnsibilities 2.1 Cmmunicatins Security Establishment As the natinal COMSEC authrity, CSE has the mandate t apprve the certificatin, acquisitin and use f cryptgraphic equipment and key used t prtect GC classified and PROTECTED C infrmatin and data. CSE is als respnsible fr develping the related COMSEC plicy instruments fr the management and cntrl f cryptgraphic equipment as well as develping related service management prcedures fr the rdering, safeguarding and delivery f key in supprt f CSE-apprved cryptgraphic slutins. In additin t serving as CnAuth/CmdAuth fr specified key n natinal and internatinal cryptnets, CSE als perfrms the fllwing cryptnet versight functins: taking r recmmending apprpriate actins when Accuntable COMSEC Material (ACM) has been subjected t cmprmise and infrming the apprpriate authrities f thse actins (refer t Article 8); assisting CnAuths/CmdAuths in the develpment f cryptnet Key Material Supprt Plans (KMSPs), including annual KMSP reviews, when requested; advising CnAuths/CmdAuths f the lgistic impact f cmprmise, key supersessin and changever, r decisins by CnAuths/CmdAuths f ther cryptnets; prviding CnAuth, CmdAuth, and Prduct Requester (PR), key rdering training (refer t Article 7); verifying CSE s ability t supprt the KMSPs, where required (refer t Article 4.2.2); and authrizing cryptperid extensins f mre than seven days. January

9 UNCLASSIFIED IT Security Directive fr the Management f CSE-Apprved Cryptgraphic Equipment and Key t Secure a Telecmmunicatins Netwrk (ITSD-04A) 2.2 Departmental COMSEC Authrity/Enterprise COMSEC Authrity A DCA/ECA may be appinted (COMSEC Staff Appintment r Terminatin f Appintment Certificate [CSE/CST ITS-012]) by the Departmental Security Officer (DSO) r Enterprise Security Officer (ESO) t act in his r her stead t manage the departmental r enterprise COMSEC prgram. The DCA/ECA is respnsible fr develping, implementing, maintaining, crdinating and mnitring a departmental COMSEC prgram cnsistent with the PGS and its peratinal standards. The DCA/ECA s cryptnet respnsibilities include: appinting a departmental r enterprise CnAuth/CmdAuth (Cryptnet Staff Appintment r Terminatin f Appintment Certificate [CSE/CST ITS-032]) fr each cryptnet managed by the department r enterprise services rganizatin; NOTE: While the DCA/ECA must appint the CnAuth/CmdAuth, the CSE/CST ITS-032 frm must nly be submitted t CMAC after the KMSP has been cmpleted and validated. apprving the departmental r enterprise cryptnet KMSP; ensuring adherence t the measures put int place by the CnAuth/CmdAuth where the department r enterprise services rganizatin is an utstatin n the netwrk and nt the managing authrity; appinting PRs (Cryptnet Staff Appintment r Terminatin f Appintment Certificate [CSE/CST ITS- 032]), in cnsultatin with the respnsible CnAuth/CmdAuth, which are then submitted t CMAC t rder key fr cryptnets; appinting PRs (Nn-Cryptnet Prduct Requester Appintment r Terminatin f Appintment Certificate CSE/CST ITS-037) which are submitted t CMAC t rder key fr nn-cryptnet requirements as fllws: fr Secure Cmmunicatins Interperability Prtcl (SCIP) netwrk requirements the DCA must, in additin t the ITS-037 frm, assign the PR key rdering privileges, which are submitted t CMAC as Privilege Establishment Requests (PERs); NOTE: The SCIP PER is called the SCIP Privilege Establishment/Terminatin f Privilege Request Secure Cmmunicatins Interperability Prtcl (SCIP) Key CSE/CST ITS-034. fr In-Line Netwrk Encryptrs (INE) test, training, maintenance and labratry requirements the DCA must, in additin t the ITS-037 frm, assign the PR key rdering privileges, which are submitted t CMAC as PERs; NOTE: The INE PER is called the INE/LEF Privilege Establishment/Terminatin f Privilege Request Secure Data Netwrk System (SDNS) In-Line Netwrk Encryptr and Link Encryptin Family (INE/LEF) CSE/CST ITS-003. fr symmetric test, training, maintenance and labratry requirements the DCA must, in additin t the ITS-037 frm, assign the PR key rdering privileges, which are submitted t CMAC as PERs; and NOTE: The Symmetric PER is called the Symmetric Key Privilege Establishment Request CSE/CST ITS-014. fr ther nn-cryptnet requirements (e.g. Data at Rest [DAR], Message Signature Key [MSK]), PERs are nt required in additin t the ITS-037 frm. January

10 UNCLASSIFIED IT Security Directive fr the Management f CSE-Apprved Cryptgraphic Equipment and Key t Secure a Telecmmunicatins Netwrk (ITSD-04A) ensuring that appintment/terminatin frms (CSE/CST ITS-032) are cmpleted whenever there is a change in persnnel perfrming the rles f CnAuth r CmdAuth. Fr detailed infrmatin n the rles and respnsibilities f the DCA and ECA, refer t ITSD-03A. 2.3 Cryptgraphic Netwrk Cntrlling Authrity/Cmmand Authrity The appinted CnAuth/CmdAuth, including their alternates, must have a reprting relatinship t the DCA r ECA which permits the individual t exercise prper jurisdictin in fulfilling his r her CnAuth/CmdAuth respnsibilities, including: identifying the cryptgraphic equipment and key requirements; identifying and requesting partitin cdes (refer t Article ); each CmdAuth has PR privileges fr all cryptnets under his/her cntrl; hwever, in cnsultatin with the DCA/ECA, he/she can request that additinal PRs be appinted by the DCA/ECA; each CnAuth has PR privileges fr all cryptnets under his/her cntrl; hwever, in cnsultatin with the DCA/ECA, he/she can request ne ther PR besides himself/herself be appinted by the DCA/ECA; NOTE: Symmetric key rdering requires that nly ne PR can rder key fr a specific cryptnet; therefre, crdinatin is essential where a CnAuth and an additinal PR has been appinted t the same cryptnet. assigning cryptnet key rdering privileges (PERs) t appinted PRs and submitting the PERs t CMAC; maintaining registratin f ECUs and netwrk architecture infrmatin necessary t manage the cryptnet utstatins, including: the Security Assessment and Authrizatin (SA&A) letter, the Threat and Risk Assessment (TRA), and the telecmmunicatins security Cncept f Operatin (CONOP); managing the cryptnet activities as fr Article 5 f this publicatin; develping and maintaining the KMSP (Annex A and Appendix A); liaising with ther departmental technical supprt ffices (e.g. change management, cnfiguratin management and infrmatin system security management ffices); cnsulting with PRs and COMSEC Custdians t ensure key is prvided in sufficient quantities t supprt missin requirements; ensuring COMSEC incident reprting prcedures are fllwed, as detailed in ITSD-05; assisting the DSO, ESO, DCA, ECA and COMSEC Custdian in evaluating the security impact f a cmprmise; ensuring that the minimum key is prvided in high risk peratinal envirnments (e.g. a gegraphical area r specific lcatin in which there is insufficient security t fully ensure the safeguarding f installed cryptsystems); and clsing the cryptnet t which the CnAuth/CmdAuth has been appinted. January

11 UNCLASSIFIED IT Security Directive fr the Management f CSE-Apprved Cryptgraphic Equipment and Key t Secure a Telecmmunicatins Netwrk (ITSD-04A) NOTE 1: Thrughut this directive, the terms, rles and respnsibilities identified fr the CnAuth/CmdAuth will include the Alternate (A)/CnAuth and A/CmdAuth when perfrming any f the identified duties. NOTE 2: The natinal DCA at CSE will appint the CmdAuth fr SCIP secure telephny services. 2.4 Prduct Requester The primary rle f the PR is t rder key frm CMAC in supprt f a specific cryptnet, as described in the KMSP. Refer t ITSD-09 fr further infrmatin n key rdering. Refer t Article 7 fr required PR training. A PR may als be appinted by the DCA/ECA t manage key rdering requirements fr mre than ne cryptnet; hwever, separate appintment certificates and PERs are required fr each cryptnet. 2.5 Rle Assignment Restrictins T ensure the highest level f cmmand and cntrl separatin within the cryptnet, current COMSEC Custdians, Lcal Element Managers, r their alternates wh supprt a specific cryptnet must nt cncurrently be appinted the rle f CnAuth r CmdAuth. Private sectr cmpanies r Other Levels f Gvernment (OLGs) must nt be assigned the rle f CnAuth, CmdAuth r PR fr any cryptnet. 2.6 Cryptgraphic Netwrk Members Cryptnet members must be authrized (within the KMSP) by a CnAuth/CmdAuth t belng t a specific cryptnet. While the cryptnet members must adhere t the minimum security requirements fr accessing, handling, safeguarding and using ACM, they must als fllw the directin f the CnAuth/CmdAuth and cmply with the cryptnet KMSP. A cryptnet member is an entity (e.g. individual, GC department r enterprise services rganizatin, OLG, private sectr cmpany, freign gvernment department r agency) that meets the access requirements fr ACM (refer t ITSD-03A). 3 Cryptgraphic Netwrks 3.1 General A GC cryptnet is a telecmmunicatins netwrk fr which a department r enterprise services rganizatin has full technical and peratinal authrity and is thereby respnsible fr the management f the SA&A (refer t Article 1.2). The cryptnet als requires specific appinted persnnel (refer t Article 2) and uses CSE-apprved cryptgraphic equipment, which is detailed and managed using a department/enterprise KMSP (refer t Article 5, Annex A and Appendix A). 3.2 COMSEC Service Mdels The GC perates cryptnets using ne f tw COMSEC service mdels: departmental and enterprise. In the departmental mdel, COMSEC services and cryptgraphic assets are the respnsibility f each f the individual departments. In the enterprise mdel, COMSEC services and cryptgraphic assets are the cmplete respnsibility f the enterprise services rganizatin. Refer t ITSD-03A fr specific detail fr each mdel. All cryptnets must be cntrlled using ne f these COMSEC service mdels. January

12 3.3 Types f Cryptgraphic Netwrks There are typically five types f netwrks: natinal interdepartmental departmental internatinal, and Canadian private sectr Natinal UNCLASSIFIED IT Security Directive fr the Management f CSE-Apprved Cryptgraphic Equipment and Key t Secure a Telecmmunicatins Netwrk (ITSD-04A) A natinal cryptnet is established t fulfil secure cmmunicatins requirements fr either f tw CSE-cntrlled cmmunities: GC Electrnic Key Management System (EKMS); and Secure Telephny: SCIP. The natinal CnAuth/CmdAuth at CSE is respnsible fr the develpment f the KMSP fr these natinal cryptnets Interdepartmental An interdepartmental cryptnet is established t fulfil secure cmmunicatins requirements between tw r mre independent federal rganizatins. The department/rganizatin that is the peratinal authrity fr the netwrk must als appint the CnAuth/CmdAuth fr the supprting cryptnet Departmental A departmental cryptnet is established t fulfil secure cmmunicatins requirement specific t a single federal rganizatin. A departmental cryptnet may include the spnsrship f links t nn-federal r OLG and private sectr partners. Specific OLG and private sectr partner cryptnet requirements are detailed in ITSD-01A, ITSD-03A and ITSD-06A Internatinal An internatinal cryptnet is established t fulfil secure cmmunicatins requirements fr a cryptnet between a GC department and an allied natin. The use f any encryptin capabilities, dmestic r freign, that carry classified r PROTECTED C traffic must be crdinated with CCS. In the case f internatinal cryptnets, this is especially imprtant since the Natinal Authrity must brker the transfer f any equipment r key thrugh the Natinal Distributin Authrity (NDA) at CSE (refer t Article fr additinal infrmatin regarding key rdering). Where an internatinal cryptnet is established by a freign natin, the freign natinal cryptnet authrities will be respnsible fr crdinating Canadian membership. Hwever, crdinatin and management f the ACM supprt fr such cryptnets must be dne with CCS t ensure delivery f material frm the freign CnAuth/CmdAuth. January

13 3.3.5 Canadian Private Sectr UNCLASSIFIED IT Security Directive fr the Management f CSE-Apprved Cryptgraphic Equipment and Key t Secure a Telecmmunicatins Netwrk (ITSD-04A) Any freign r dmestic private sectr cmpany that has a requirement fr membership in a GC-cntrlled cryptnet must have a GC cntract in place and have a federal spnsr befre CCS will be able t apprve the transfer f ACM. Private sectr cmpanies must als meet the requirements t hld and manage ACM, as detailed in ITSD-06A. The spnsring GC department s DCA r enterprise services rganizatin s ECA must be the authrity that appints the CnAuth/CmdAuth and the PR; hwever the private sectr cmpany persnnel must nt be assigned the CnAuth/CmdAuth r PR rle (refer t Article 2.5). 4 Establishing and Clsing a Cryptgraphic Netwrk 4.1 Establishing a Cryptgraphic Netwrk All cryptnets must have a CnAuth/CmdAuth appinted by the DCA r ECA f the department r enterprise services rganizatin managing the netwrk. Cryptnets are based upn cmmn cmmunities f interest (refer t Article 1.4) Cryptgraphic Netwrk Planning Cnsideratins The CnAuth/CmdAuth requires accurate infrmatin n all aspects f the cryptnet and must have the capability t cmmunicate with all f its members. The CnAuth/CmdAuth must be familiar with all requirements fr managing their cryptnet s cryptgraphic equipment and key. Befre cntacting CCS t establish a cryptnet, the specific items t cnsider include: Cncept f Operatins (CONOP); SA&A requirements: TRA, Statement f Sensitivity classificatin f the infrmatin t be transmitted ver the cryptnet, and cryptnet security requirements (e.g. cnfidentiality, integrity and availability); general netwrk characteristics: cryptnet size number f members, cryptnet gegraphical ftprint, risk envirnments fr the deplyment f the COMSEC material (e.g. a gegraphical area r specific lcatin in which there is insufficient security t ensure the safeguarding f installed cryptsystems), expected services required, vice, netwrk, data at rest, perating envirnment dmestic, internatinal, static, mbile, austere, bandwidth demands, etc., cryptgraphic interperability requirements with membership cryptgraphic equipment mandatry sftware releases, and limitatins in physical access that may affect cryptperids fr rekey, supersessins, and changevers; cryptgraphic equipment and key distributin lgistical issues; expeditius means f infrming cryptnet members f bth administrative requirements and emergency key supersessin; requirement fr cntingency key and equipment t deal with peratinal needs t expand the cryptnet; January

14 UNCLASSIFIED IT Security Directive fr the Management f CSE-Apprved Cryptgraphic Equipment and Key t Secure a Telecmmunicatins Netwrk (ITSD-04A) emergency infrmatin and executin f cmprmise and recvery plans; and in additin t equipment-specific Canadian Cryptgraphic Dctrines (CCDs), CSE prvides additinal assistance in develping secure netwrks in the fllwing IT Security Guidance publicatins: Emissin Security (EMSEC) Guidance (ITSG-11A), Gvernment f Canada Facility Evaluatin Prcedures (ITSG-12), IT Security Risk Management: A Lifecycle Apprach (ITSG-33), and High Assurance Netwrk-Layer Encryptin Security Slutins (ITSG-52) Security Segregatin Using Cryptnets A cryptnet is a netwrk that allws members t use the same cryptgraphic key t cmmunicate with each ther. Cryptnets can be divided int smaller interperable cmmunities r sub-cmmunities. The methd f segregatin is based n the type f key used within the cryptnet. A cryptnet secured with symmetric key is segregated frm ther cryptnets by using a specific key shrt title and editin. Symmetric key may als be used t encrypt nn-netwrk key (e.g. Transfer Key Encryptin Key [TrKEK]) r t prtect DAR (e.g. ECLYPT key). A cryptnet secured with asymmetric key is segregated frm ther cryptnets by using an pen r clsed partitin cde: An pen partitin cde allws an authrized PR t rder Secure Data Netwrk System (SDNS) key fr all users with the same partitin cde t cmmunicate with each ther. Open partitin cdes are typically used in SCIP and als in Type 0 key distributin fr EKMS Key Prcessrs (KPs). A clsed partitin cde allws an authrized PR t rder SDNS key fr a select set f users, as determined by the CmdAuth, t cmmunicate within the netwrk (e.g. used in In-Line Netwrk Encryptr/Link Encryptin Family [INE/LEF] netwrks). A clsed partitin cde can be further segregated with access cntrls (refer t equipment-specific dctrine fr mre infrmatin). NOTE: A KMSP is submitted by the CmdAuth t CCS fr validatin. Once validated, CCS prvides the CmdAuth with a new partitin cde, which must then be included in the KMSP. 4.2 Key Material Supprt Plan General A primary respnsibility f the CnAuth/CmdAuth is the preparatin and maintenance f the KMSP. A KMSP is develped and maintained in rder t prvide a high degree f assurance that the ACM used n a cryptnet is prperly managed thrughut its lifecycle. A KMSP must cntain sufficient infrmatin t enable cryptnet members t supprt cryptnet lgistics (e.g. equipment rdering, key rdering, requesting partitin cdes, PR recrding, distributing, fault finding, system recvery, string and accunting). Instructins fr the develpment f a KMSP are prvided in Annex A and Appendix A Cryptgraphic Netwrks Requiring Key Material Supprt Plans Except fr the directin in Article , a KMSP must be develped fr all cryptnets that use classified key t secure a telecmmunicatins netwrk (peratins, training r functinal testing). January

15 UNCLASSIFIED IT Security Directive fr the Management f CSE-Apprved Cryptgraphic Equipment and Key t Secure a Telecmmunicatins Netwrk (ITSD-04A) Cryptgraphic Netwrks Nt Requiring Key Material Supprt Plans A KMSP is nt required fr: nn-peratinal cryptnets that use UNCLASSIFIED key (i.e. lab envirnments); nn-persistent, shrt term requirements f less than 90 days using a lcally generated key, unless specifically directed by the DCA r ECA; r Canadian utstatins n internatinal cryptnets where the CnAuth/CmdAuth is a freign authrity. Hwever, the DCA/ECA f the Canadian utstatins must appint a PR t rder the freign key frm CMAC Legacy Cryptgraphic Netwrks Whereas all cryptnets are required t be registered and have a valid KMSP, there are cryptnets that have been established withut a KMSP prir t the publicatin date f this directive. In rder t mitigate any incnsistency in sustaining cryptgraphic key delivery fr these cryptnets, CCS will engage thse GC departments withut KMSPs, n a case-by-case basis, as time permits, t assist in reslving the deficiency Develpment and Validatin Regardless f the key rigin (svereign, freign r lcal), a KMSP must be develped fr the use f classified and PROTECTED C key (refer t Annex A). The KMSP must be submitted t CCS fr validatin f the key requirement and crdinatin with the natinal key management practices befre the cryptnet is activated. In cases where the client is a member f a freign netwrk, the KMSP can be significantly abridged since the member is nt the CnAuth/CmdAuth Classificatin The minimum security classificatin f a KMSP must be CONFIDENTIAL. Hwever, higher security classificatin and handling restrictins may be required based n the TRA r the KMSP s cntent Review Requirement CCS, in crdinatin with the CnAuth/CmdAuth, must review the KMSP annually frm the date f registratin. The annual review must include items listed in Article 4.1.1, as well as any changes t: appintments and privileges and required pint f cntact infrmatin; key requirements; equipment and sftware versins; and key classificatin. January

16 4.2.5 KMSP Change Cntrls UNCLASSIFIED IT Security Directive fr the Management f CSE-Apprved Cryptgraphic Equipment and Key t Secure a Telecmmunicatins Netwrk (ITSD-04A) The KMSP can be mdified inside f its annual review cycle (refer t Article 4.2.4) by submitting the apprpriate frms and appending a cpy t the main KMSP file. The fllwing frms and plicy instruments must be used by the CnAuths/CmdAuths t mdify the KMSP inside the review cycle: fr changes f CnAuth/CmdAuth, PR INE/LEF Privilege Establishment r Terminatin f Privilege (PER) Request Secure Data Netwrk System (SDNS) fr In-Line Netwrk Encryptr (INE) and Link Encryptin Family (LEF) f Cryptgraphic Equipment (CSE/CST ITS-003), and Symmetric Key Privilege Establishment r Terminatin f Privilege Request (PER) (CSE/CST ITS-014); an IT Security Apprval fr Use (ITS AFU) fr mandatry cryptgraphic sftware r hardware upgrade is required; r fr changes f security classificatin f the key r partitin cde: CSE/CST ITS-003, INE/LEF Key Order Request Secure Data Netwrk System (SDNS) fr In-Line Netwrk Encryptr (INE) and Link Encryptin Family (LEF) f Cryptgraphic Equipment (CSE/CST ITS-002), CSE/CST ITS-014, and Symmetric Key Order Request (CSE/CST ITS-009). The CnAuths/CmdAuths are expected t lcally track the fllwing and validate with the KMSP during cyclical review: the additin, deletin r change in a cryptnet member status; and changes t the type r specificatins f cryptgraphic equipment being used at terminal sites. All ther changes such as adding r remving key types require cmmunicatin with CCS and a reissue f the KMSP. 4.3 Clsing a Cryptgraphic Netwrk With DCA/ECA authrity, the CnAuth/CmdAuth is respnsible fr clsing a cryptnet. The CnAuth/ CmdAuth must prvide written ntice f the cryptnet clsure t all cryptnet members and CCS. The ntice must include the: effective date f clsure; date when the cryptnet members must prvide cnfirmatin t the CnAuth/CmdAuth that the instructins utlined in the ntice have been cmpleted; prcedures t be fllwed fr cancelling key rdering privileges fr key identified in the KMSP; COMSEC accunting and destructin prcedures fr key that must be destryed, zerized r deleted; and instructins fr the dispsal r redistributin f cryptgraphic equipment. January

17 4.4 Creating a Cmpund Cryptnet UNCLASSIFIED IT Security Directive fr the Management f CSE-Apprved Cryptgraphic Equipment and Key t Secure a Telecmmunicatins Netwrk (ITSD-04A) A cmpund cryptnet is a cryptnet (referred t as main in Figure 1 Cmpund Cryptnet) that has a secure cnnectin t a separate cryptnet segregated by its wn key and managed under a separate KMSP. This separately-managed cryptnet is designated in the KMSP as the assciated cryptnet. The key that is used t cnnect t the assciated cryptnet is referred t as the Link Key. In drafting the KMSP, the CnAuth/CmdAuth is respnsible t track these cnnectins by the use f a Cryptnet Link Register, as detailed in Article A.A.4. This prvides the clarity necessary t manage and crdinate changes within the cmpund cryptnet. The Cryptnet Link Register prvides COMSEC staff (f the cmpund cryptnet) the minimum infrmatin necessary t cnduct crdinatin between the wner r authrity f the Link Key and the CnAuth/CmdAuth f the assciated cryptnets. Where a Link Key frms a separate netwrk cnnecting multiple secure enclaves r cryptnets, the Link Cryptnet frms its wn unique cryptnet and requires its wn KMSP (managed by a CnAuth/CmdAuth) that is nrmally ne f the assciated enterprise partner rganizatins. Fr example, in Figure 1 Cmpund Cryptnet, there are five unique cryptnets, requiring five separate KMSPs. Figure 1 Cmpund Cryptnet 5 Cryptgraphic Netwrk Management 5.1 General Cryptgraphic equipment and key identified in the KMSP will be managed and distributed as detailed in the KMSP and ITSD-03A. Additinally, key identified in the KMSP must be rdered as directed in ITSD Dcumentatin Alng with the KMSP, the CnAuth/CmdAuth must maintain the fllwing dcumentatin thrughut the lifecycle f the cryptnet: cryptnet member register a lcal management dcument designed t keep track f the names f each cryptnet member, their lcatins and hw t cntact them; privilege management register a lcal management dcument designed t keep track f the names f each appinted cryptnet PR, their lcatins and hw t cntact them. The register must include the privilege prtcls (e.g. key rdering threshlds, partitin cde restrictins) that each can execute; January

18 UNCLASSIFIED IT Security Directive fr the Management f CSE-Apprved Cryptgraphic Equipment and Key t Secure a Telecmmunicatins Netwrk (ITSD-04A) lcal tracking key management distributin register a lcal management dcument designed t keep track f distributin pints (e.g. COMSEC Accunts and Lcal Elements) and hw much key each f the distributin pints is entitled t receive, stre and distribute; and Cryptnet Link Register (if required) a lcal management dcument held by the CnAuth/CmdAuth wh has been appinted t the link cryptnet (i.e. cmpund cryptnet) by the department r enterprise services rganizatin assigned as lead agency f the linked cryptnet. This dcument prvides the link cryptnet CnAuth/CmdAuth with the cntact infrmatin f individual clsed cryptnets within the linked netwrk cmmunity (refer als t Article 1.4). NOTE: The linked cryptnet requires clse cllabratin between the individual cryptnet CnAuths/CmdAuths and the CnAuth/CmdAuth respnsible fr the linked cryptnet. 5.2 Cryptperid Extensin A cryptperid is the time span during which each key setting remains in effect. Cryptperid extensins are restricted t cryptnets using symmetric key. Where a cryptperid extensin is peratinally required, the fllwing factrs need t be cnsidered in determining the length f the extensin: cryptnet size A key used n a large cryptnet is usually mre vulnerable t cmprmise than key used n a small cryptnet because it is available at mre lcatins and t mre peple. Als, large cryptnets generally carry higher vlumes f traffic than small cryptnets. The cmprmise f a key used t secure a large cryptnet culd make mre intelligence available t an adversary. Fr this reasn, CnAuths and CmdAuths must keep their cryptnets as small as peratinally feasible. cryptnet member lcatin and perating envirnment Cryptnet members lcated in Canada are nrmally expsed t less risk than thse in ther lcatins. Cryptnet members lcated in high risk envirnments (e.g. gegraphical areas r specific lcatins in which there is insufficient security t ensure the safeguarding f installed cryptsystems) have an increased risk f physical cmprmise. Mbile cryptnet members and cryptnet members in hstile envirnments (smetimes referred t as tactical envirnments ) have a greater pprtunity fr lss (particularly undetected lss) than d fixed plant cryptnet members. In such cases, segregatin f higher risk envirnments must be cnsidered. traffic sensitivity and perishability The CnAuth shuld cnsider the classificatin f the prtected infrmatin, and whether the infrmatin is f lng r shrt term intelligence value. Cmprmise f key used t secure upper level strategic cmmunicatins wuld have a mre devastating effect n natinal security than wuld the cmprmise f a key used t secure highly perishable r lwer level tactical (hstile envirnment) cmmunicatins. emergency supersessin plan CnAuths must have a plan fr replacing cmprmised key (refer t Article 5.3.2) Hstile Envirnment Situatins When cryptperid extensins are necessary t maintain critical cmmunicatins in hstile envirnment situatins, the fllwing guidance shuld be cnsidered: begin all preplanned cryptperids with a new key setting; and rekey all affected cryptnets as sn as there is a break in activity. January

19 5.2.2 Symmetric Key UNCLASSIFIED IT Security Directive fr the Management f CSE-Apprved Cryptgraphic Equipment and Key t Secure a Telecmmunicatins Netwrk (ITSD-04A) Subject t equipment-specific dctrine, a symmetric key cryptperid may be extended beynd its effective cryptperid accrding t the fllwing authrities: cryptnet members may extend a cryptperid by up t tw hurs withut CnAuth authrity, but nly when necessary t cmplete a transmissin r cnversatin in prcess at key change ver time. CnAuth may extend cryptperids up t seven days unless prhibited by negtiated CONOPs. The CnAuth must infrm CCS when a cryptperid is extended by mre than 24 hurs; and CCS n a case-by-case basis, may extend cryptperids mre than seven days Asymmetric Key Asymmetric key may nt be extended beynd its yearly cryptperid. NOTE: Fr unfreseen circumstances, the CmdAuth must cntact CCS. 5.3 Supersessin Rate General The supersessin rate is the length f time during which an editin f a key is effective. Supersessin rates are established by CSE based n the cryptgraphic equipment type, cryptgraphic security cnsideratins, peratinal need and key generatin r re-supply cnstraints. The actual supersessin rate fr cryptgraphic key is classified, at a minimum, CONFIDENTIAL unless specified higher by the CnAuth r CmdAuth Emergency Supersessin Planning CnAuths/CmdAuths will ensure the cntinuatin f the cryptnet by planning fr key supersessin in advance f key cmprmise situatins. The Emergency Supersessin Plan (ESP) must include the fllwing: supersessin authrity identifies the cmmunicatin surce that the CnAuth/CmdAuth will use t disseminate the supersessin instructins t all cryptnet members; Hazardus Cnditin (HAZCON) message is used t warn cryptnet members that the link is pssibly cmprmised and that expsure f sensitive traffic is at risk. The HAZCON message shuld precede a supersessin when there is a delay in executing the supersessin activity; cntingency key hldings (symmetric key nly) identifies the cntingency key hlding threshlds and where the key is held; NOTE: CmdAuths f cryptnets using asymmetric key may, depending upn the type f equipment emplyed by the cryptnet, preplace symmetric cntingency key (als knwn as Pre-Placed Key [PPK]) t deply as an interim measure until full asymmetric capability can be restred. distributin identifies the prcedures fr distributing symmetric cntingency key r new asymmetric key t cryptnet members; strage (symmetric key nly) identifies the prcedures fr safeguarding and handling stred cntingency key; dispsal f key identifies the prcedures fr the dispsal (including destructin) f bth the superseded key and the cntingency key when they are n lnger required. January

20 UNCLASSIFIED IT Security Directive fr the Management f CSE-Apprved Cryptgraphic Equipment and Key t Secure a Telecmmunicatins Netwrk (ITSD-04A) NOTE 1: In rder t btain a new key, CmdAuths must infrm CCS immediately that their cryptnet has been cmprmised. NOTE 2: CmdAuths can, depending upn the type f cryptgraphic equipment emplyed by the cryptnet and if the cmprmised cryptnet member is knwn, emply access cntrl prcedures (refer t equipment-specific CCDs) t islate the cmprmising member and cntinue interim peratins until cmplete supersessin prcedures can be implemented thrughut the cryptnet Supersessin Authrizatin CCS is the apprving authrity fr supersessin rate change. 5.4 Cmprmise Recvery and Risk Management General The actin required t recver frm a cmprmise situatin depends n the nature f the cmprmise. A knwn cmprmise r pssible cmprmise f cryptgraphic equipment r key used in a cryptnet must be reprted as a COMSEC incident, as detailed in ITSD-03A. It is paramunt that the CnAuth/CmdAuth prvides immediate and cntinuus cmmunicatin abut cmprmise recvery actins t the cryptnet members. It is equally imprtant that cryptnet members immediately infrm their CnAuth/CmdAuth when a cmprmise situatin ccurs. In all cases, cmprmise and the subsequent recvery actins must be reprted t CCS Key Cmprmise Recvery Optins Where evidence exists that key has been cmprmised, the respnsible CnAuth/CmdAuth must take immediate cmprmise recvery actin, as detailed in the KMSP and ITSD-03A. The CnAuth/CmdAuth must nt wait fr incident reprting and evaluatins befre taking actin. Immediate cmprmise recvery actin must be taken as sn as enugh infrmatin has been gathered t make an infrmed decisin. Ideally, a CnAuth/CmdAuth will annunce a precautinary supersessin and disseminate a HAZCON message t all cryptnet members. When precautinary key editin supersessin is nt feasible, several ptins are available. The CnAuth/ CmdAuth, in cnsultatin with the DCA r ECA, the telecmmunicatins netwrk authrity and CCS will cnsider the fllwing ptins: if technically pssible, extend the cryptperid f uncmprmised key currently in use; re-establish cryptnet peratins excluding thse members wh d nt hld r cannt be supplied with replacement key; suspend cryptnet peratins until key can be re-supplied; r cntinue using the cmprmised key under HAZCON prvisins. This last resrt actin is used when: nrmal supersessin f the cmprmised key will take place befre emergency supersessin can be accmplished, where cryptperid key changes have a mre serius detrimental effect n immediate peratins versus cmprmised cmmunicatins, r where n replacement key is available. January

21 UNCLASSIFIED IT Security Directive fr the Management f CSE-Apprved Cryptgraphic Equipment and Key t Secure a Telecmmunicatins Netwrk (ITSD-04A) The CnAuth/CmdAuth must alert all cryptnet members (by ther means, if pssible) that a cmprmise has taken place and direct that members minimize transmissins using the cmprmised key. 5.5 COMSEC Emergency Plan The DCA/ECA, in crdinatin with the COMSEC Custdian, is respnsible fr the preparatin, implementatin and annual re-evaluatin f departmental r enterprise COMSEC Emergency Plans, as detailed in ITSD-03A. A CnAuth/CmdAuth must ensure the respnsible COMSEC Custdian is made aware f any unique circumstances that may affect the COMSEC Emergency Plan. The CnAuth/CmdAuth must als ensure cryptnet members are fully aware f their respnsibilities in the event f a COMSEC emergency. 6 Audit Requirements As part f a COMSEC audit, Natinal COMSEC Audit Team (NCAT) will request cnfirmatin that an up-tdate KMSP is n file fr each cryptnet that has been endrsed by CCS and that is in use by the department r enterprise services rganizatin. Additinally, NCAT will ensure that the apprpriate dcumentatin referred t in Articles 2.3 and is maintained as well as cnfirming that the appintment/terminatin certificatin and key rdering privileges fr appinted persnnel are up t date. 7 Cryptgraphic Netwrk Supprt Training 7.1 General IT security training must be an integral cmpnent f an IT security prgram. The Infrmatin Technlgy Security Learning Centre (ITSLC) at CSE is respnsible fr crdinating the develpment and prvisin f training and awareness related t IT security and COMSEC. CnAuths, CmdAuths and PRs must receive CSE training prir t being appinted t the CnAuth/CmdAuth r PR rle. If, due t departmental peratinal requirements, training cannt be prvided prir t appintment, cntact CCS fr guidance. Cntact the ITSLC at its-educatin@cse-cst.gc.ca fr current training pprtunities. 8 COMSEC Incident Reprting A COMSEC incident ccurs whenever there is a situatin r activity that jepardizes r ptentially jepardizes the cnfidentiality, integrity r availability f COMSEC infrmatin, material r services. While custdial staff prvide immediate reprting up the COMSEC channels, it is the respnsibility f the CnAuth/CmdAuth t reprt a COMSEC incident t the cryptnet members t ensure Operatins Security (OPSEC) actin can be initiated within member rganizatins. Prmpt and accurate reprting f COMSEC incidents minimizes the ptential fr lss r cmprmise f COMSEC material. All COMSEC incidents must be reprted as detailed in ITSD-05. January

22 9 References UNCLASSIFIED IT Security Directive fr the Management f CSE-Apprved Cryptgraphic Equipment and Key t Secure a Telecmmunicatins Netwrk (ITSD-04A) 9.1 Abbreviatins, Acrnyms and Initialisms A ACM CCD CCF CCI CCS CEO CFD CMAC CmdAuth COMSEC CnAuth CONOP COR Cryptnet CSE CUP DAR DCA DDSM DSO ECA ECU EMSEC ESO ESP FSU GC GC EKMS GC KMI HAZCON HTTPS IP INE IT ITAR ITS ITS AFU ITSB ITSC Alternate Accuntable COMSEC Material Canadian Cryptgraphic Dctrine Canadian Central Facility Cntrlled Cryptgraphic Item COMSEC Client Services Canadian Eyes Only Cmmn Fill Device Crypt Material Assistance Centre Cmmand Authrity Cmmunicatins Security Cntrlling Authrity Cncept f Operatins Central Office f Recrd Cryptgraphic Netwrk Cmmunicatins Security Establishment COMSEC User Prtal Data at Rest Departmental COMSEC Authrity Directive n Departmental Security Management Departmental Security Officer Enterprise COMSEC Authrity End Cryptgraphic Unit Emissin Security Enterprise Security Officer Emergency Supersessin Plan Field Sftware Upgrade Gvernment f Canada Gvernment f Canada Electrnic Key Management System Gvernment f Canada Key Management Infrastructure Hazardus Cnditin HyperText Transfer Prtcl Secure Internet Prtcl In-Line Netwrk Encryptr Infrmatin Technlgy Internatinal Traffic in Arms Regulatins Infrmatin Technlgy Security Infrmatin Technlgy Security Apprval fr Use Infrmatin Technlgy Security Bulletin Infrmatin Technlgy Security Crdinatr January

23 ITSD ITSG ITSLC KMSP KP LEF MSK NCAT NCIO NCOR NDA OLG OPSEC PER PGS PKI PPK PR SA&A SCIP SDNS TBS TRA TrKEK T3MD UNCLASSIFIED IT Security Directive fr the Management f CSE-Apprved Cryptgraphic Equipment and Key t Secure a Telecmmunicatins Netwrk (ITSD-04A) Infrmatin Technlgy Security Directive Infrmatin Technlgy Security Guidance Infrmatin Technlgy Security Learning Centre Key Material Supprt Plan Key Prcessr Link Encryptin Family Message Signature Key Natinal COMSEC Audit Team Natinal COMSEC Incidents Office Natinal Central Office f Recrd Natinal Distributin Authrity Other Levels f Gvernment Operatins Security Privilege Establishment Request Plicy n Gvernment Security Public Key Infrastructure Pre-Placed Key Prduct Requester Security Assessment and Authrizatin Secure Cmmunicatin Interperability Prtcl Secure Data Netwrk System Treasury Bard f Canada Secretariat Threat and Risk Assessment Transfer Key Encryptin Key Tier 3 Management Device 9.2 Glssary The fllwing glssary cntains terms and definitins specific t the COMSEC material identified within this ITSD. Fr additinal definitins, refer t the Glssary f COMSEC-Related Terms Used in CSE s IT Security Directives (which can be fund n the CSE website and n the CSE COMSEC User Prtal [CUP]). Asymmetric Key Cryptgraphic Netwrk (Cryptnet) change ver Cmmand Authrity (CmdAuth) UNCLASSIFIED Tw related cryptgraphic keys, a public key and a private key that are used t perfrm cmplementary cryptgraphic peratins, such as encryptin and decryptin r signature generatin and verificatin. The time that an peratinal key is changed n a cryptgraphic netwrk. The individual appinted by the departmental COMSEC authrity r enterprise COMSEC authrity t manage the peratinal use and cntrl f asymmetric encryptin keys between members f a specific peratinal envirnment. January

24 UNCLASSIFIED IT Security Directive fr the Management f CSE-Apprved Cryptgraphic Equipment and Key t Secure a Telecmmunicatins Netwrk (ITSD-04A) Cmmunicatins Security (COMSEC) Cmpund Cryptgraphic Netwrk (Cryptnet) Cmprmise COMSEC Material Cntrlling Authrity (CnAuth) Crypt Material Assistance Centre (CMAC) Cryptgraphic Cryptgraphic Cmmunity Cryptgraphic Equipment Cryptgraphic Key Cryptgraphic Netwrk (cryptnet) Cryptgraphic Netwrk (cryptnet) Member UNCLASSIFIED The applicatin f cryptgraphic security, transmissin and emissin security, physical security measures, peratinal practices and cntrls t deny unauthrized access t infrmatin derived frm telecmmunicatins and that ensure the authenticity f such telecmmunicatins. A cmmunity f unique cryptgraphic netwrks securely cnnected tgether. The cmmunity may be segregated because f risk cnsideratins, netwrk tplgy cnstraints r t jin tw peratinal envirnments that wish t share infrmatin freely but the assciated Cntrlling Authrities r Cmmand Authrity want t maintain technical cntrl. The unauthrized access t, disclsure, destructin, remval, mdificatin, interruptin r use f COMSEC assets r infrmatin. Material designed t secure r authenticate telecmmunicatins infrmatin. COMSEC material includes, but is nt limited t key, equipment, mdules, devices, dcuments, hardware, firmware r sftware that embdies r describes cryptgraphic lgic and ther items that perfrm COMSEC functins. The individual appinted by the departmental COMSEC authrity r enterprise COMSEC authrity t manage the peratinal use and cntrl f symmetric encryptin keys between members f a specific peratinal envirnment. The entity within CSE respnsible fr all aspects f key rdering including privilege management, the management f the Natinal Central Office f Recrd and the administratin f the Assistance Centre. Pertaining t r cncerned with cryptgraphy (ften abbreviated as crypt and used as a prefix, e.g. cryptnet). The use f ne r mre cryptgraphic netwrks in rder t prvide the secure telecmmunicatins cnnectivity necessary fr a gruping f individuals deemed t be in a specific missin r peratinal envirnment. Equipment and systems that perfrm encryptin, decryptin, authenticatin r key generatin functins. A numerical value used t cntrl cryptgraphic peratins, such as decryptin, encryptin, signature generatin, r signature validatin. A telecmmunicatins netwrk in which infrmatin is prtected by the use f cmpatible cryptgraphic equipment using a cmmn cryptgraphic key. One f tw r mre statins n a specific cryptgraphic netwrk. January