21 March 2001. Thanks to BH.
Source: http://www.nstissc.gov/Assets/pdf/3003.pdf

[16 pages; all marked "UNCLASSIFIED/ /FOR OFFICIAL USE ONLY."]

NSTISSI No. 3003
August 2000

Operational Security Doctrine
for
KG-66/KG-66A/SO-66/
KGR-66/KGV-68/KGR-68/KGV-68B

THIS DOCUMENT PROVIDES MINIMUM STANDARDS. FURTHER
INFORMATION MAY BE REQUIRED BY YOUR DEPARTMENT OR AGENCY.

FOREWORD

1. (U//FOUO) This instruction supersedes NTISSI No. 3003, "Operational Security Doctrine for the KG-66/KG-66A/KGR-66/KV-68" dated 27 April 1990. It updates its predecessor and also includes requirements applicable to the KGR-68 and the KGV-68B.

2. (U//FOUO) The COMSEC system specified in this instruction provides security for digital telemetry transmissions between an airborne weapons system and its receiving stations.

3. (U//FOUO) This instruction provides the minimum national standards for this system. Please check with your agency for applicable implementing documents.

4. (U//FOUO) Representatives of the National Security Telecommunications and Information Systems Security Committee may obtain additional copies of this NSTISSI from:

NATIONAL SECURITY AGENCY
NSTISSC SECRETARIAT
ATTN: 142 STE 6716
FORT GEORGE G. MEADE, MD 20755-6716

5. (U//FOUO) U.S. Government contractors and vendors shall contact their appropriate government agency or Contracting Officer Representative regarding distribution of this document.

MICHAEL V. HAYDEN
Lieutenant General, USAF

NSTISSC Secretariat (142). National Security Agency.9800 Savage Road STE 67 16. Ft Meade MD 20755-6716
(410) 854-6805.UFAX: (410) 854-6814
nstissc@radium.ncsc.mil

OPERATIONAL SECURITY DOCTRINE FOR THE KG-66/KG-66A/SO-66/KGR-66/KGV-68/KGR-68/KGV-68B

SECTION

PURPOSE I
SCOPE II
REFERENCES III
DEFINITIONS IV
SYSTEM DESCRIPTION V
KEYING INFORMATION VI
CLASSIFICATION GUIDANCE VII
CONTROL REQUIREMENTS VIII
EMERGENCY PROCEDURES IX
REPORTABLE INCIDENTS X
EXCEPTIONS XI

SECTION I - PURPOSE

1. (U//FOUO) This document provides minimum security doctrine for the operational use of the KG-66/KG-66A/SO-66/KGR-66 (KUTA), KGV-68 (NOBLEMAN), KGV-68B, KGR-68 and associated COMSEC material.

SECTION II - SCOPE

2. (U//FOUO) This document will be made available to all U.S. Government organizations that use or have access to the KG-66/KG-66A/SO-66/KGR-66/KGV-68/KGV- 68B/KGR-68 and associated COMSEC material. Promulgation may be made through issuance of this document or through its incorporation into applicable department or agency publications.

3. (U//FOUO) When the requirements or terms of this instruction appear to substantially conflict with the requirements or terms of any other national-level issuance, this conflict will be identified and guidance requested, through organizational channels, from the Director, National Security Agency, ATTN: INFOSEC Policy, Procedures, and Insecurities Division.

SECTION III - REFERENCES

4. (U//FOUO) References cited in this doctrine are listed in ANNEX A.

SECTION IV - DEFINITIONS

5. (U//FOUO) Definitions in NSTISSI No. 4009 (Reference a.) apply to this doctrine.

SECTION V - SYSTEM DESCRIPTION

6. (U//FOUO) This COMSEC system is comprised of an electronic key generator (half-duplex) (KG-66 or KG-66A) telemetry data unit, the receive only unit (KGR-66), and the receiver/maintenance test unit (SO-66). The KGR-66 consists of the KGV-66 plug-in module and HNF-66 frame and power supply. The KUTA (KC-66 and KG-66A operating in modes A and B) and NOBLEMAN (KGV-68 operating in mode B only) are half-duplex encryptors, and can be used as decryptors in approved applications. The KGV-68/KGV-68B is compatible with all KUTA equipment operating in mode B. The KGR-68 consists of an embedded KGV-68 module and associated circuitry, and is designed to be a replacement for the KGR-66. The KYK- 13, KOl- 18, and AN CYZ-10/10A Data Transfer Device (DTD) fill devices are used with these systems (see paragraph 9).

7. (U//FOUO) This COMSEC system provides security for digital telemetry transmissions between an airborne weapons system and its receiving stations. The KG-66/KG-66A/KGV-68/KGV-68B perform on-line encryption/decryption of serial binary data from the weapons system's digital telemetry unit. The KGR-66 and KGR-68 are decryption equipment only. The KG-66/KG-66As are capable of operating at data rates between 10 Kbps and 11 Mbps. The KGR-66 and KGR-68 are capable of operating at data rates between 10 Kbps and 10 Mbps. The KGV-68 is capable of operating at data rates between 50 bps and 11 Mbps. The KGV-68B is capable of operating at data rates up to 50 Mbps.

8. (U//FOUO) When used with the appropriate keys, the KG-66/KG-66A/KGV-68/KGV-68Bs are approved for the encryption of telemetry data up to SECRET. The KGV-68/KGV-68B has an upgrade mode where the encryptor is monitored by another KGV-68/KGV-68B and some external circuitry. This permits use for higher classifications when approved on a case-by-case basis. The KGV-68B incorporates the required upgrade external circuitry within the module.

SECTION VI - KEYING INFORMATION

9. (U//FOUO) The KG-66/KG-66A/KGR-66/KGV-68/KGR-68/KGV-68B keys (ANNEX E) are produced in eight-level, standard-hole tape. The KG-66 is filled directly (or via an SO-66) from a key tape using the KOI-18 fill device. The KC-66 can also be filled with the KYK-13 when used in accordance with the instructions in KAO-182/TSEC. The KGR-66/KG-66A/KGV-68/KGR-68/KGV-68B may be filled with either the KOI-18, KYK-13, or DTD. NSTISSI No. 3021 (Reference b.) contains the systems doctrine for the DTD.

a. (U//FOUO) Operational key tapes (USKAT-series) are classified on the basis of the classification of the traffic they are intended to protect and are TOP SECRET, SECRET, or CONFIDENTIAL. These key tapes are regularly and irregularly superseded depending on system application, are packaged in plastic canisters, are marked CRYPTO NOFORN, and are serial number accountable, Accounting Legend Code 1 (ALC-1).

b. (U//FOUO) Operational key tapes (AKAT-series) are classified on the basis of the classification of the traffic they are intended to protect and are TOP SECRET, SECRET, or CONFIDENTIAL. These key tapes are regularly and irregularly superseded depending on system application, are packaged in plastic canisters, are marked CRYPTO, and are serial number accountable, ALC-1.

c. (U//FOUO) Exercise key tapes (USKXT-series) are classified CONFIDENTIAL. These key tapes are periodically superseded, are packaged in plastic canisters, are marked CRYPTO NOFORN, and are serial number accountable, ALC-1.

d. (U//FOUO) Exercise key tapes (AKXT-series) are classified CONFIDENTIAL. These key tapes are periodically superseded, are packaged in plastic canisters, are marked CRYPTO, and are serial number accountable, ALC-1.

e. (U//FOUO) Maintenance key tape (KMT-series) are classified CONFIDENTIAL but not marked CRYPTO. Maintenance key tapes are designed for back-to-back bench testing only and shall not be used for over-the-air transmissions. The maintenance key tapes are packaged in clear plastic canisters and segments may be reused until they become unserviceable. KMT- 152 Edition H and onward are compatible with the KG-66/KG-66A/ KGR- 66/SO-66/KGV-68/KGR-68/KGV-68B. KMT-152 editions prior to Edition H are not compatible with the KGR-66, KGV-68, KGR-68 or KGV-68B. These tapes are serial number accountable, ALC-1.

10. (U//FOUO) Each KG-66/KG-66A/KGV-68/KGV-68B encryptor and its associated decryptors will normally be loaded with a unique TEK. If operational considerations require multi-encryptor loading of a single TEK, it will be approved on a case-by-case basis by DIRNSA (V31).

11. (U//FOUO) The cryptoperiod for the KG-66/KG-66A/KGV-68/KGV-68B is 24 hours transmission time per mission. Any application that requires a cryptoperiod greater than 24 hours per mission and/or requires more than one encryptor per mission for the same key must have prior approval by DIRNSA (V31). This request will be submitted by the end user.

SECTION VII - CLASSIFICATION GUIDANCE

12. (U//FOUO) NTISSI No. 4002 (Reference c.) contains general COMSEC classification guidance.

13. (U//FOUO) Classification and markings assigned to the KG-66/KG-66A/SO-66/KGR-66/KGR-68/KGV-68B and associated COMSEC material are included in ANNEX B of this instruction. Classification and description of supporting documentation are included in ANNEX C. The checklist for secure telemetry missile firings when filled in is a minimum classification of CONFIDENTIAL and is included as ANNEX D. Classification and description of supporting COMSEC keying material are included in ANNEX E.

SECTION VIII - CONTROL REQUIREMENTS

14. (U//FOUO) Except as specified below, control requirements for the COMSEC components and material associated with this system shall be in accordance with the safeguards and criteria of NSTISSI No. 4005 (Reference d.) and NSTISSI No. 4001 (Reference e.) as applicable.

a. (U//FOUO) Access

(1) (U//FOUO) No clearance is required for access to the SO-66 or HNF-66 when the respective unkeyed KG-66/KG-66A/KGV-66 is installed.

(2) (U//FOUO) Even though all the system equipment and the fill devices are unclassified when unkeyed, they are controlled cryptographic items (CCI) that perform sensitive cryptographic functions. Information regarding access to unkeyed CCI equipment is provided in Reference e.

b. (U//FOUO) Transportation

(1) (U//FOUO) When an unkeyed KG-66/KG-66A/KGV-68/KGV-68B is installed as an integral part of a weapons system, the weapon and the CCI may be shipped in a manner approved for the highest classification level applicable to either the CCI or the weapon. If the accountability is retained by the shipping organization, the KG-66/KG-66A/KGV-68/KGV-68B must be couriered by the shipping organization and hand receipted to the courier. A KG-66/KG-66A/KGV-68/KGV-68B shipped as a part of a weapons system must be zeroized by removal of its key hold-up battery.

(2) (U//FOUO) When an unkeyed KG-66/KG-66A/KGV-68/KGV-68B is not installed as an integral part of the weapons system, it must be transported or shipped in any manner approved for the shipment of CCI hardware. If keyed, they will be shipped in accordance with requirements set forth in Reference d.

c. (U) Test Flight History/Equipment Recovery

(1) (U//FOUO) Users must initiate procedures to ensure that a complete history of secure telemetry missile firings exists. The "Checklist for Secure Telemetry Missile Firings" (ANNEX D) provides a list of items/areas that should be included. The checklist may be expanded to include additional information to meet specific user requirements. An information copy of the checklist must be forwarded to DIRNSA (V31) by the COMSEC Custodian within 30 days after the completion of each missile launch using secure telemetry.

(2) (U//FOUO) Reasonable effort will be made to recover any KG-66/KG-66A/KGV-68/KGV-68B used in weapons system tests. However, because of the nature of the service flight test and other weapons system telemetry encryption missions associated with this equipment, it is understood that some KG-66/KG-66A/KGV-68/KGV-68B equipment may not be recoverable. (e.g., post flight recovery teams may not be able to locate impact areas, equipment may be destroyed beyond recognition, the missile may be lost in waters too deep to effect reasonable chance of recovery, etc.) This is expected, and under such conditions, the loss will not be considered a security violation but must be reported in accordance with paragraph 14.c.(1), above.

d. (U) Accountability

(1) (U//FOUO) KG-66/KG-66A/SO-66/KGR-66/KGV-68/KGR-68/KGV-68B are accountable items and must be issued on a hand receipt to users by COMSEC custodians or property book officers. Keying material is handled by COMSEC custodians for issuance to hand receipt holders. The hand receipt holders are responsible for the security, destruction, and handling of the COMSEC material.

(2) (U//FOUO) When an operationally keyed KG-66/KG-66A/KGV-68/ KGV-68B is installed as part of a missile (i.e., the missile is completely assembled and certified for flight), accountability and physical safeguards associated with the KG-66/KG-66A/KGV-68/KGV-68B will continue until the missile is launched. All labels should be removed from the KG-66/KG-66A/KGV-68/KGV-68B prior to being installed in a missile. The removed labels will accompany the accounting report during all transactions thereafter (i.e., destruction, transfer, etc.). The missile serial number and launch date will be used to complete the record of destruction. If, for any reason, the missile is not fired and requires disassembly, the local accountable official must be notified to assure that accounting and security procedures for the KG-66/KG-66A/KGV-68/KGV-68B are followed. In this case, the keys should be superseded.

(3) (U//FOUO) If a missile containing a KG-66/KG-66A/KGV-68/KGV-68B previously recorded/reported as destroyed is recovered (i.e., missile is not destroyed by impact, is recovered from shallow water, etc.), the KG-66/KG-66A/KGV-68/KGV-68B should be placed under the maximum physical controls available for the classification level of the keyed equipment and the recovery reported to V31. The situation and available resources must be taken into consideration on such occasions. No special security containers are required for the storage of the KC-66/KG-66A/KGV-68/KGV-68B during recovery operations. Personnel participating in recovery operations will be briefed on the importance of protecting the KG-66/KG-66A/KGV-68/KGV-68B until it can be turned over to proper authority. The local accounting official will add the recovered KG-66/KG-66A/KGV-68/KGV-68B to his/her account holdings and return it and/or those identifiable portions, for disposition to DIRNSA (COMSEC Account 880666, V09, Pass To: V31).

e. (U//FOUO) Follow-on Mission Processing - There may be cases when it is necessary to retain encrypted telemetry magnetic tapes for later decryption and processing. When such a requirement exists, the following procedures apply:

(1) (U//FOUO) After the completion of the test (pod, flight, operations, etc.), the key associated with the encrypted magnetic tape will be returned to and retained by the COMSEC custodian to ensure continued accountability and secure storage. The encrypted magnetic tape may be handled as an unclassified item. However, cross-references to the storage media (encrypted magnetic tape) and the key used for encryption (short title, edition, and segment) are classified a minimum of CONFIDENTIAL and must be appropriately stored.

(2) (U//FOUO) When additional processing (decryption) is required at a later time, the key will be retrieved from secure storage (hand receipted, if necessary) and after use, returned to secure storage.

(3) U//FOUO) When no further processing of the encrypted magnetic tape is necessary, the COMSEC custodian will destroy the associated key in accordance with requirements set forth in NTISSI No. 4004 (Reference f.).

(4) (U//FOUO) Any reuse of a key from a previous cryptoperiod for encryption of data is prohibited. This applies to both operational and exercise key.

(U//FOUO) NOTE: Encrypted magnetic tapes are unclassified and may be stored in an unclassified area. (In the COMSEC. community, this is considered BLACK data.) Decrypted magnetic tapes (plain text), which are classified, must be stored in areas which are afforded physical security for classified information. (In the COMSEC community, this is considered RED data.)

SECTION IX - EMERGENCY PROCEDURES

15. (U//FOUO) Reference f. prescribes standards for routine destruction of COMSEC material and provides criteria and guidance for protecting COMSEC material under emergency conditions. It also provides guidance and assigns responsibilities for recovery of abandoned COMSEC material.

SECTION X - REPORTABLE INCIDENTS

16. (U//FOUO) COMSEC incidents are reportable in accordance with NSTISSI No. 4003 (Reference g.) and applicable department or agency implementing instructions. Reference g. lists general incidents. The following are incidents specific to the KG-66/KG-66A/SO-66/KGR-66/ KGR-68/KGV-68/KGV-68B:

a. (U//FOUO) Physical Incidents - Shipment of a missile with a key other than a shipping key installed.

b. (U//FOUO) Cryptographic Incidents

(1) (U//FOUO) Unauthorized extension of a cryptoperiod or an unauthorized increase in the number of KG-66/KG-66A/KGV-68/KGV-68B encryptors using the same key.

(2) (U//FOUO) Failure to change the key after a transmitting KG-66/ KG-66A/KGV-68/KGV-68B malfunction. Malfunction is defined as an alarm function that will not clear in the encryptor or failure of the decryptor to achieve cryptosynchronization.)

(3) (U//FOUO) The transmission of classified data using an SO-66, with an installed KG-66/KG-66A, that has failed the checkword verification procedures.

(4) (U//FOUO) Failure to follow procedures in KAO-182 A/TSEC when loading key into the KG-66 with a KYK-13. (This does not apply to the KG-66A.)

(5) (U//FOUO) Use of a KGV-66 without the HNF-66.

SECTION XI - EXCEPTIONS

17. (U//FOUO) Requests for exceptions to any of the provisions of this doctrine must be approved, on a case-by-case basis, prior to implementation. Each request shall include a complete operational justification and shall be submitted through appropriate department or agency channels to DIRNSA, INFOSEC Policy, Procedures, and Insecurities Division for review.

5 Encls:
ANNEX A - References
ANNEX B - Equipment Classification
ANNEX C - Documentation Description and Classification
ANNEX D - Checklist for Secure Telemetry Missile Firings
ANNEX E - COMSEC Keying Material Description and Classification

ANNEX A

References

(U//FOUO) The following national-level documents are referenced in this instruction:

NSTISSI No. 4009 (Revision 1), National Information Systems Security (INFOSEC) Glossary, dated January 1999.

NSTISSI No. 302 1, Operational Security Doctrine for the AN/CYZ-10/10A Data Transfer Device (DTD), dated September 1997.

NTISSI No. 4002, Classification Guide for COMSEC Information, dated 5 June 1986.

NSTISSI No. 4005, Safeguarding Communications Security (COMSEC) Facilities and Materials, dated August 1997.

NSTISSI No. 4001, Controlled Cryptographic Items, dated July 1996.

NTISSI No. 4004, Routine Destruction and Emergency Protection of COMSEC Material, dated 11 March 1987.

NSTISSI No. 4003, Reporting and Evaluating COMSEC Incidents, dated 2 December 1991.

ANNEX B

Equipment Classification

NOTE: KG-66/KG-66A/SO-66/KGR-66/KGV-68/KGR-68/KGV-68B are not releasable to foreign nationals without specific approval of the National Manager.

ANNEX C

Documentation Description and Classirication

ANNEX D

Checklist for Secure Telemetry Missile Firings

1 . Laboratory Checkout/Calibration

Date completed:
Location of Data:

2. Test Item:

3. Location of Test:

4. Type of Keying Material Used:

5. Short Title /Edition/Segment:

6. Holding Battery Installed (Date):

7. Keying Material Loaded (Date):

8. Test (Date):

9. KG-66/KG-66A/KGV-68/KGV-68B Serial Number (Circle One):

10. Test Item/KG-66/KG-66A/KGV-68/KGV-68B

Extended (Approx. Time):

11. Approximate Location of Impact:

12. Recovery Attempt Made (YES, NO). (If NO, provide explanation):

13. Transaction number used to relieve the COMSEC account of the accountability for the fired missile:

14. Reported to COMSEC Custodian (Date/Approx. Time):

15. Problems Encountered (If None, so state):

16. Report Submitted to DIRNSA (Date):

17. Letter and serial number or date-time-group of message used to provide requested information to DIRNSA (V31):

SIGNED:                                                         WITNESS:

NOTE: When filled in and depending on mission, a minimum classification of CONFIDENTIAL is required.

ANNEX E

COMSEC Keying Material
Description and Classification

NOTE: The above keys are compatible with the KG-66/KG-66A/SO-66/ KGR-66/KGV-68/ KGR-68/KGV-68B. KMT-152 Edition H and beyond are KGR-66/KGV-68/KGR-68/KGV-68B compatible.

Transcription and HTML by Cryptome.