Communications Security Monitoring
Headquarters
Department of the Army
Washington, DC
23 December 2011
UNCLASSIFIED
SUMMARY of CHANGE
AR 380–53
Communications Security Monitoring
Contents
Chapter 1
Introduction, page 1
Purpose • 1–1, page 1
References • 1–2, page 1
Explanation of abbreviations and terms • 1–3, page 1
Responsibilities • 1–4, page 1
Chapter 2
Objectives and Requirements, page 2
Introduction • 2–1, page 2
Objectives • 2–2, page 3
Authorization to conduct communications security monitoring • 2–3, page 3
Prerequisites • 2–4, page 3
Training and standards for communications security monitoring • 2–5, page 4
Chapter 3
Information Operations Red Team, page 10
Explanation • 3–1, page 10
Attributes of effective Red Team activities • 3–2, page 10
Authorization to conduct red teaming • 3–3, page 10
Training and standards for Red Team activities • 3–4, page 10
Red Team operations • 3–5, page 11
Red teaming reports • 3–6, page 12
Chapter 4
Computer Defense Association Program, page 12
Introduction • 4–1, page 12
Objective • 4–2, page 12
Scope • 4–3, page 12
Authorization • 4–4, page 13
Computer Defense Association Program • 4–5, page 13
Computer Defense Association Program network assistance visit • 4–6, page 14
Penetration testing scope • 4–7, page 15
Computer Defense Assistance Program persistent penetration testing • 4–8, page 15
Chapter 5
Reporting violations, page 16
Oversight • 5–1, page 16
Reporting violations • 5–2, page 16
Appendixes
A. References, page 17
B. Forms of Monitoring Notification, page 20
C. Internal Control Evaluation, page 20
Figure List
Glossary
1–2. References
Required and related publications and prescribed and referenced forms are listed in appendix A.
1–4. Responsibilities
a. General Counsel. The GC will—
(1) Review Department of the Army COMSEC monitoring policy for compliance with public law and national and
Department of Defense (DOD) policies and regulations.
(2) Review and certify, in writing, biennially, that COMSEC monitoring notification procedures in effect are
adequate throughout the Army.
(3) Review and approve COMSEC monitoring results for court use, in the event such results must be used for
criminal prosecution.
(4) Review all requests for proposed COMSEC monitoring exercises, to include requests that are not based on an
Army command (ACOM), Army service component command (ASCC), or direct reporting unit (DRU) request for
approval (granted by the Deputy Chief of Staff, G–2 (DCS, G–2)).
b. The Judge Advocate General. TJAG will review all ACOM, ASCC, and DRU requests to conduct COMSEC
monitoring exercises prior to DCS, G–2 approval.
c. The Inspector General. TIG will provide oversight of the Army’s COMSEC monitoring program to ensure
regulatory compliance.
d. Deputy Chief of Staff, G–2. As the Secretary of the Army’s single designee for COMSEC monitoring, the DCS,
G–2 will—
(1) Develop, promulgate, and maintain Army COMSEC monitoring policy.
(2) Grant waivers and exceptions to Army COMSEC monitoring policy after obtaining legal review from the GC
and TJAG.
(3) Review and approve biennial requests from ACOMs, ASCCs, and DRUs to perform COMSEC monitoring.
(4) Certify the adequacy of Army COMSEC monitoring notification procedures of other DOD agencies when the
Army monitoring elements operate jointly with DOD in support of Joint, combined, or multinational operations.
(5) Represent and defend the Army’s interests pertaining to COMSEC monitoring at national and DOD Service
meetings and working groups.
(6) Notify ACOM, ASCC, and DRU commanders before authorizing COMSEC monitoring that is not based on an
ACOM, ASCC, or DRU request.
e. Commanding General, U.S. Army Intelligence and Security Command. The CG, INSCOM will—
(1) Provide Army support to the Joint COMSEC monitoring activity according to the most current Joint COMSEC
monitoring activity memorandum of agreement.
(2) Develop and disseminate the Army’s techniques for conducting COMSEC monitoring.
(3) Through the commander, 1st Information Operations Command (1st IO CMD), develop and disseminate for the
Army, techniques and procedures for conducting Information System (IS) security penetration and verification testing
as it pertains to applicable phases of CDAP (see chap 4).
f. Commanding General, U.S. Army Training and Doctrine Command. The CG, TRADOC will—
(1) Develop, produce, and maintain an exportable standardized COMSEC monitoring training package to address the
provisions of this regulation.
(2) Coordinate with the CG, INSCOM to incorporate results outlined in paragraphs 1–4e(2) and 1–4e(3) into the
standardized training package.
g. Chief Information Officer/G–6. The CIO/G–6 maintains overall responsibility and oversight for policy and
management of the Army computer emergency response team (ACERT) program. The CIO/G–6 will—
Chapter 2
Objectives and Requirements
2–1. Introduction
a. DOD telecommunications systems are provided for official Government communications. When these systems are
used by the Army components, they are subject to COMSEC monitoring, IO Red Team activities, and penetration
testing as explained in this regulation.
b. COMSEC monitoring, IO Red Team activities, and penetration testing will be completed in a manner that
satisfies the legitimate needs of the Army. Activities will be conducted to minimize the monitoring (purposely or
inadvertently) of telecommunications not related to security objectives and will be performed in a manner that protects
to the greatest degree possible the privacy and civil liberties of individuals whose telecommunications are subject to
monitoring.
c. COMSEC monitoring, IO Red Team activities, and penetration testing are vulnerability assessment techniques
that provide essential information not available through other sources for evaluating security within the Army.
d. COMSEC monitoring as discussed in this regulation does not pertain to the following:
(1) The interception of wire and oral communications for law enforcement (LE) purposes as described in AR
190–53.
(2) Operations center communications monitoring as described in AR 190–30.
(3) Electronic surveillance as described in AR 381–10.
(4) Technical surveillance countermeasures.
(5) TEMPEST (see glossary, sec II) as described in AR 380–27.
(6) Counterintelligence (CI) investigations.
(7) Radio communications monitoring by net control stations to enforce net discipline.
2–2. Objectives
COMSEC monitoring is undertaken to—
a. Collect operational signals needed to measure the degree of security being achieved by encryption, cryptographic
equipment and devices, COMSEC techniques, and operations security (OPSEC) countermeasures.
b. Provide a basis from which to assess the type and value of information subject to loss through intercept and
exploitation of official Government telecommunications.
c. Provide an empirical basis for improving the security of Army telecommunications against signals intelligence
and other data exploitation.
d. Assist in determining the effectiveness of electronic attack; electronic protect, cover, and deception actions;
electronic warfare support; and OPSEC measures.
e. Identify Army telecommunications signals that exhibit unique external signal parameters, signal structures,
modulation schemes, radio fingerprints, and so forth that could provide adversaries the capability to identify specific
targets for subsequent geopositioning and exploitation purposes.
f. Provide empirical data to properly train users of Army telecommunications systems on COMSEC techniques and
measures.
g. Evaluate the effectiveness of Army COMSEC education and training programs.
h. Support defensive IO by identifying, verifying, and evaluating the susceptibility of Army telecommunications and IS
to attempts to exploit, degrade, or neutralize them.
2–4. Prerequisites
The following must occur before COMSEC monitoring, IO Red Team activities, and penetration testing can take place:
a. Users of official DOD telecommunications will be given notice that—
(1) Passing classified information over nonsecure DOD telecommunications systems (other than protected distribution
systems or automated information systems accredited for processing classified information) is prohibited.
(2) Official DOD telecommunications systems are subject to monitoring at all times.
(3) Use of official DOD telecommunications systems constitutes consent by the user to monitoring at any time.
b. The GC has certified the adequacy of the notification procedures in effect, and the GC and TJAG have given
favorable legal review of any proposed COMSEC monitoring that is not based on an ACOM, ASCC, or DRU request.
c. The DCS, G–2 has authorized monitoring to be conducted within the ACOM, ASCC, or DRU involved.
d. Monitoring telecommunications systems of U.S. Government contractors at their own facilities requires the express
written approval of the chief executive officer or designee of the company. Requests for such monitoring will include a
statement from the chief executive officer or designee outlining the notification procedures that have been implemented
within the contractor’s organization to afford notice to the contractor’s employees (see para 2–4a). Such requests will
be forwarded through command channels to the DCS, G–2 (DAMI–CDS) for action. The DCS, G–2 (DAMI–CDS) will
obtain a legal review from TJAG and GC prior to taking any action. Requests must arrive at the DCS, G–2 a minimum
of 45 days prior to the date the monitoring is desired. The contractor’s chief executive officer’s approval is not required
to monitor contractors who are performing duties in U.S. Government-controlled facilities.
e. Monitoring will not be conducted by Army personnel (Soldiers, civilians, or contractors employed by the Army)
on the telecommunications of another DOD component without the express written approval of the head (or designee)
of that department or agency, unless the other DOD component is conducting the monitoring and Army personnel are
serving only in a subordinate role.
f. One ACOM, ASCC, or DRU will not monitor the telecommunications or conduct IS penetration testing of another
ACOM, ASCC, or DRU without the consent of that ACOM, ASCC, or DRU. The exception to this restriction is when
the activity is directed by the DCS, G–2.
2–10. Conduct of communications security monitoring, information operations Red Team activities, and Computer Defense Assistance Program
a. COMSEC monitoring, IO Red Team activities, and CDAP may be conducted only for certified ACOMs, ASCCs,
or DRUs that have notification procedures in place and approved by the GC, and when authorized by the DCS, G–2.
b. COMSEC monitoring, IO Red Team activities, and CDAP will be conducted only in support of security
objectives. COMSEC monitoring, IO Red Team activities, and CDAP will not be performed to support LE, criminal, or
CI investigations.
c. COMSEC monitoring, IO Red Team activities, and CDAP will be conducted in—
(1) The least-intrusive manner possible.
(2) A way that minimizes the monitoring of communications not relevant to security objectives.
(3) A manner that ensures maximum privacy consistent with monitoring objectives.
d. COMSEC monitoring, IO Red Team activities, and CDAP conducted by Army elements in support of Joint or
combined operations and activities will be conducted in accordance with Joint or combined COMSEC monitoring and
information assurance procedures, as long as those procedures have been reviewed and approved by the appropriate
legal counsel.
Chapter 3
Information Operations Red Team
The procedures in this chapter apply to IO Red Team activities on official DOD information systems within the Army.
3–1. Explanation
An IO Red Team is an independent, threat-based, simulated opposition force that uses passive, active, technical, and
nontechnical capabilities on a formal, time-bounded basis to expose and identify the vulnerabilities of friendly forces
from an IO threat perspective. Red Team operations expose an organization’s vulnerabilities and challenge its readiness
by focusing on the identification of critical and classified information.
Chapter 4
Computer Defense Association Program
4–1. Introduction
The CDAP provides technical support for mitigating identified vulnerabilities to the following:
a. Requesting individual units and activities.
b. The DCS, G–3/5/7 or CND service providers.
4–2. Objective
a. Evaluate the CND posture and CND response actions of the Army LWN resources by testing and attempting to
circumvent Army networks by emulating the methods of hostile actors. Identified deficiencies will be evaluated to
determine the depth and degree of potential compromise to provide the appropriate assistance in securing the LWN.
This may include, but is not limited to, recommending modifications to methods, techniques, and configurations;
training users and system administrators; and/or providing subject matter experts to assist. The CDAP
teams evaluate installations and leverage lessons learned to improve local organizations’ abilities and influence CND
operations across the Army.
b. The major objectives are to—
(1) Confirm and demonstrate methods of intrusion and compromise that could be accomplished by unauthorized
users.
(2) Confirm and demonstrate the depth and degree of intrusion.
(3) Assess the network’s ability to detect and respond to intrusions.
(4) Evaluate non-user data files such as system-level files, user identification, and login/logoff scripts. User data
files (including email) will not be examined, read, modified, recorded, or deleted as part of the penetration testing
effort.
4–3. Scope
The CDAP is executed to protect and defend all unclassified and classified information systems used to plan, direct,
coordinate, control, and support Army forces operating on the Army LWN for active Army, U.S. Army Reserve, and
Army National Guard.
Chapter 5
Reporting violations
5–1. Oversight
All activities, materials, and records covered in this regulation are subject to IG, intelligence, and security oversight
inspections at any time.
Appendix A
References
Section I
Required Publications
AR 25–2
Information Assurance (Cited in paras 1–4g(1), 2–6b(1)(c), 2–7b(2), 3–4a(2), 4–4b, 4–5j, and 4–8c.)
AR 25–55
The Department of the Army Freedom of Information Act Program (Cited in para 3–4a(3).)
AR 25–400–2
The Army Records Information Management System (ARIMS) (Cited in para C–4d.)
AR 190–30
Military Police Investigations (Cited in para 2–1d(2).)
AR 190–53
Interception of Wire and Oral Communications for Law Enforcement Purposes (Cited in para 2–1d(1).)
AR 340–21
The Army Privacy Program (Cited in para 3–4a(4).)
AR 380–5
Department of the Army Information Security Program (Cited in paras 2–1d(11), 2–7a, and 2–13a(1).)
AR 380–27
Control of Compromising Emanations (FOUO) (Cited in para 2–1d(5).)
AR 380–67
The Department of the Army Personnel Security Program (Cited in para 2–9b(2).)
AR 381–10
U.S. Army Intelligence Activities (Cited in paras 2–1d(3), 2–5a(2), 3–4a(5), and 5–2b.)
AR 381–12
Threat Awareness and Reporting Program (Cited in para 2–5a(3).)
AR 530–1
Operations Security (OPSEC) (Cited in para 1–4k(3).)
DODI 8560.01
Communications Security (COMSEC) Monitoring and Information Assurance (IA) Readiness Testing (Cited in paras
1–1, 3–5c(2).) (Available at http://www.dtic.mil/whs/directives/.)
NTISSD 600
Communications Security (COMSEC) Monitoring (Cited in paras 1–1, 2–14a(2).) (Available at http://www.cnss.gov/.)
Section II
Related Publications
A related publication is a source of additional information. The user does not have to read it to understand this
regulation.
AR 25–1
Army Knowledge Management and Information Technology
AR 381–14
Technical Counterintelligence (TCI) (U)
AR 381–143
Nonstandard Material Policies and Procedures (U)
CJCSI 6510.01F
Information Assurance (IA) and Support to Computer Network Defense (CND) (Available at http://www.dtic.mil/cjcs_directives/.)
CNSSI 4009
National Information Assurance (IA) Glossary (Available at http://www.cnss.gov/.)
DODD 3600.01
Information Operations (IO) (Available at http://www.dtic.mil/whs/directives/.)
EO 096–08
Project Labor Agreements (Available at http://www.gpoaccess.gov/uscode.)
EO 12333
United States intelligence activities (Available at http://www.gpoaccess.gov/uscode.)
PL 90–351
Law Enforcement Assistance (Available at http://thomas.loc.gov/bss/.)
PL 99–508
Electronic Communications Privacy Act of 1986 (Available at http://thomas.loc.gov/bss/.)
PL 100–235
Federal Computer System Security Training (Available at http://thomas.loc.gov/bss/.)
PL 104–106
National Defense Authorization Act for Fiscal Year 1996 (Available at http://thomas.loc.gov/bss/.)
PL 107–347
E–Government Act of 2002 (Available at http://thomas.loc.gov/bss/.)
18 USC(b)(1)
Crimes and Criminal Procedure (Available at http://www.gpoaccess.gov/uscode.)
18 USC 107
Intelligence activities: intercept encrypted or other official communications of United States executive branch entities
or United States Government contractors for communications security purposes (Available at http://www.gpoaccess.gov/uscode.)
18 USC 2511
Interception and disclosure of wire, oral, or electronic communications prohibited (Available at http://www.gpoaccess.gov/uscode.)
Section III
Prescribed Forms
Except where otherwise indicated below, the following forms are available as follows: DA Forms are available on the
APD Web site (http://www.apd.army.mil); DD Forms are available on the Office of the Secretary of Defense Web site
(http://www.dtic.mil/whs/directives/infomgt/forms/formsprogram.htm).
Section IV
Referenced Forms
Except where otherwise indicated below, the following forms are available as follows: DA Forms are available on the
APD Web site (http://www.apd.army.mil); DD Forms are available on the Office of the Secretary of Defense Web site
(http://www.dtic.mil/whs/directives/infomgt/forms/formsprogram.htm).
DA Form 11–2
Internal Control Evaluation Certification
DA Form 2028
Recommended Changes to Publications and Blank Forms
Appendix C
Internal Control Evaluation
C–1. Function
The function covered by this evaluation is for COMSEC monitoring.
C–2. Purpose
The purpose of the evaluation is to assist unit commanders in evaluating key internal controls. It is not intended to
cover all controls.
C–3. Instructions
Answers must be based on actual testing of the key internal controls such as document analysis, direct observation,
interviewing, sampling, and simulation. Answers that indicate deficiencies must be explained and the corrective action
indicated in supporting documentation. These internal controls must be evaluated at least once every 5 years.
Certification that the evaluation has been conducted must be accomplished on DA Form 11–2 (Internal Control
Evaluation Certification).
C–5. Supersession
Not applicable.
Glossary
Section I
Abbreviations
1st IO CMD
1st Information Operations Command
AASA
Administrative Assistant to the Secretary of the Army
ACERT
Army computer emergency response team
ACOM
Army command
ASCC
Army service component command
CDAP
Computer Defense Association Program
CG
Commanding General
CI
counterintelligence
CIO/G–6
Chief Information Officer, G–6
CND
computer network defense
CNSSI
Committee on National Security Systems Instruction
COMSEC
communications security
DAR
data-at-rest
DCS, G–2
Deputy Chief of Staff, G–2
DCS, G–3/5/7
Deputy Chief of Staff, G–3/5/7
DOD
Department of Defense
DODI
Department of Defense instruction
DRU
direct reporting unit
EO
executive order
GS
general schedule
IG
inspector general
IO
information operations
INSCOM
U.S. Army Intelligence and Security Command
IS
Information System
LE
law enforcement
LWN
LandWarNet
MOS
military occupational specialty
NAV
network assistance visit
NDA
network damage assessment
NTISSD
National Telecommunications and Information Systems Security Directive
O–5
LTC lieutenant colonel
OPSEC
operations security
PL
public law
PPT
persistent penetration testing
RCERT
regional computer emergency response team
ROE
rules of engagement
TIG
The Inspector General
TJAG
The Judge Advocate General
Section II
Terms
Consent
An agreement by a person to permit DOD communications security components to monitor official communications.
Consent may be oral, written, or implied. Consent is implied when adequate notice is given that the use of official
Government communications carries with it the presumption of consent.
Content
The data contained in a telecommunications message, computer folder, or file. Telecommunication messages include,
but are not limited to, telephone (both cellular and conventional), radio, pager, and computer network traffic.
Data-at-rest
All data stored on hard drives, thumb drives, digital video disks, compact disks, floppy diskettes, and other similar
storage media.
Data-in-motion
Data that traverses a network either internally or externally, and is not in a state of storage, such as DAR. This
includes active communications via telephone (both cellular and conventional), radio, and pager, as well as computer
traffic that is transmitted between any network nodes.
Electronic surveillance
The acquisition of the contents of nonpublic communication by electronic means without the consent of a person who
is a party to the communication, but not including the use of radio direction finding equipment solely to determine the
location of a transmitter.
Government telecommunications
Telecommunications of an employee, officer, contractor, or other entity of the U.S. Government which concern an
official purpose of U.S. Government and which are transmitted over a telecommunications system owned or leased by
the U.S. Government or a U.S. Government contractor.
Keystroke monitoring
A specialized form of audit trail software or specially designed device (tool) that records every keystroke struck by a
user and every character of the response that the IS returns to the user. Keystroke monitoring on the Army’s LWN is
only authorized by RCERTS, certified Red Team members, and other official activities operating in official capacities.
Penetration testing
Security testing in which evaluators attempt to circumvent the security features of an IS based on the evaluators
TEMPEST
A name referring to the investigation, study, and control of compromising emanations from telecommunications and
automated information systems equipment (see CNSSI 4009).
Section III
Special Abbreviations and Terms
This section contains no entries.