Here at Ignyte, we talk a lot about various overarching information security frameworks, like FedRAMP, CMMC, and ISO 27001. Within these overall frameworks exist a range of smaller and narrower standards, including COMSEC.
If you’ve seen COMSEC as a term, you may be passingly familiar with what it is, but if you need the details, it’s surprisingly hard to pin down with any specificity. So, we decided to talk about it.
BLUF - Bottom Line Up Front
COMSEC, short for Communications Security, consists of the procedures and technology used to protect communications from unauthorized access and to ensure their authenticity. It applies to military, government, and business communications alike, because any type of information can be sensitive. Key elements include encryption, key management, secure devices, frequency changes, and incident response plans. Much of it comes down to human behavior and training, and its requirements appear as components of frameworks like CMMC and FedRAMP. Regular audits confirm that it is working, while monitoring detects and addresses incidents quickly.
What is COMSEC?
COMSEC is simply an abbreviation – not an acronym – for Communications Security. It applies to a range of different departments and institutions, and many of them publish their own definitions, though they’re all largely identical. For example:
“COMSEC is the name for measures taken to deny unauthorized access to information transmitted by the U.S. Government and to ensure the authenticity of such communications. While there are several COMSEC accounts within the Department of Commerce, the Information and Personnel Security Division is responsible for management oversight of the overall program. The COMSEC program provides guidance and oversight for the proper communication of national security information (NSI).”
“Communications Security (COMSEC) is defined as the measures taken to deny unauthorized persons information derived from telecommunications of the U.S. government concerning national security, and to ensure the authenticity of such telecommunications. The U.S. Department of Labor (DOL) has the legal obligation to provide the necessary security surrounding the use of communication devices. The Emergency Management Center (EMC) manages DOL’s COMSEC program. DOL’s COMSEC policies and procedures include those involving the use of cryptographic security measures, emissions security, transmission security, and physical security of COMSEC aids and hardware used to encrypt and protect sensitive or classified communications.”
“COMSEC refers to the measures taken to protect military communications from interception and exploitation by adversaries. This includes encryption of sensitive data, protection of keying material, and strict adherence to secure communication procedures. It’s a discipline that involves both cutting-edge technology and rigorous training.”
In short, COMSEC is the set of steps and standards used to secure communications against attacks that could compromise the channels they travel over.
What’s interesting about COMSEC is that, unlike frameworks like CMMC, it does not just apply to certain types of information, like CUI. It applies to all communications because even non-sensitive or non-controlled information could provide clues or operational information that could be dangerous in the wrong hands.
The stakes vary, of course. Department of Labor operations having their communications leaked could cause a scandal; U.S. Army operations being leaked can cause deaths.
On top of all of this, COMSEC is not just limited to governmental agencies and departments. It’s good practice for businesses to avoid security breaches, user data breaches, or loss of trade secrets. COMSEC is even something individuals should practice on a personal level. It affects us all.
That said, institutional COMSEC and individual communications security practices are somewhat different. For one thing, at the business and government level, there are specific definitions, frameworks, standards, and audits to follow.
COMSEC On a Practical Level
What is COMSEC on a practical level, rather than a definitional one?
COMSEC is made up of policies, procedures, training, and technology, all aimed at securing communications. It can include things like encrypting data in transit or protecting radio frequencies that could be intercepted. But just as importantly, it centers on the human behaviors around those communications:
- Managing encryption keys, passwords, and authentication practices.
- Regularly changing communications frequencies as necessary.
- Properly securing devices, both digitally and physically.
- Teaching people not to talk in unsecured venues about secure information.
- Adopting a “trust but verify” attitude to validate security in communications.
- Creating and maintaining robust incident response plans.
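The first and fifth items above, key management and "trust but verify", are concrete enough to show in code. The following is an added example written for this article's discussion, not code from the original page or from any government COMSEC standard. It protects a single message in transit with encrypt-then-MAC: two subkeys derived from one shared secret, a fresh nonce per message, a tag over everything the receiver will act on, and rejection of any message that fails verification before a byte of it is decrypted. Because only the Python standard library is used, the keystream is HMAC-SHA256 run in counter mode, a toy stand-in for a real cipher; the key, header, and message are constructed sample values.

```python
"""Encrypt-then-MAC protection for a message in transit.

Added example, not code from the original article. Only the Python standard
library is used, so the keystream comes from HMAC-SHA256 run in counter mode
(a toy stand-in for a real cipher such as AES-GCM); the point is the
structure: separate keys for encryption and authentication derived from one
shared secret, a fresh nonce per message, a tag that covers everything the
receiver acts on, and outright rejection of anything that fails the check.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

NONCE_LEN = 16  # bytes; random per message, sent in the clear
TAG_LEN = 32    # bytes; HMAC-SHA256 output


def derive_subkeys(master_key: bytes) -> Tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys so one key is never reused
    for two purposes. The label strings are assumptions for this example."""
    if len(master_key) < 32:
        raise ValueError("master key must be at least 32 bytes")
    enc_key = hmac.new(master_key, b"example-enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"example-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: block i = HMAC(enc_key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + struct.pack(">Q", counter)
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _tag_input(header: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Length-prefix the header so header bytes cannot be shifted into the
    ciphertext (or vice versa) without changing the tag."""
    return struct.pack(">I", len(header)) + header + nonce + ciphertext


def seal(master_key: bytes, plaintext: bytes, header: bytes = b"",
         nonce: Optional[bytes] = None) -> bytes:
    """Return nonce || ciphertext || tag. `header` travels in the clear but is
    authenticated; pass `nonce` explicitly only for deterministic tests."""
    enc_key, mac_key = derive_subkeys(master_key)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be exactly %d bytes" % NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, _tag_input(header, nonce, ciphertext),
                   hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_message(master_key: bytes, sealed: bytes,
                 header: bytes = b"") -> Optional[bytes]:
    """Verify before decrypting ("trust but verify"); return the plaintext, or
    None if the message is forged, corrupted, truncated, or bound to a
    different header or key."""
    if len(sealed) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = derive_subkeys(master_key)
    nonce = sealed[:NONCE_LEN]
    ciphertext = sealed[NONCE_LEN:len(sealed) - TAG_LEN]
    tag = sealed[len(sealed) - TAG_LEN:]
    expected = hmac.new(mac_key, _tag_input(header, nonce, ciphertext),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def demo() -> Tuple[Optional[bytes], Optional[bytes], Optional[bytes]]:
    """Seal a constructed sample message, then show that a one-bit change to
    the ciphertext and a changed header are both rejected."""
    key = b"\x01" * 32  # constructed sample key; real keys come from key management
    header = b"unit=alpha;seq=42"
    msg = b"Move to checkpoint bravo at 0400"
    sealed = seal(key, msg, header)
    good = open_message(key, sealed, header)
    tampered = bytearray(sealed)
    tampered[NONCE_LEN] ^= 0x01  # flip one bit of the first ciphertext byte
    bad = open_message(key, bytes(tampered), header)
    wrong_header = open_message(key, sealed, b"unit=alpha;seq=43")
    return good, bad, wrong_header


if __name__ == "__main__":
    print(demo())
```

Running the file prints the recovered plaintext followed by two `None` results: the bit-flipped ciphertext and the altered header both fail the tag check and are discarded without being decrypted. In a real deployment the same structure would be provided by a vetted authenticated-encryption mode such as AES-GCM or ChaCha20-Poly1305, and the master key would come from a key-management process rather than a constant in the source; note also that, as with any stream construction, reusing a nonce under the same key leaks the XOR of the two plaintexts.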
The difficulty in discussing COMSEC comes primarily from the fact that it applies to so many different entities in so many different ways. And, unlike frameworks like CMMC, FISMA, or FedRAMP, it has no single, tidy document of guidelines to follow.
In fact, COMSEC is a component part of many different frameworks stemming from many different sources. Some parts of CMMC fall under the banner of COMSEC. Some parts of FISMA are centered on COMSEC. The U.S. Army’s rules and procedures for COMSEC are laid out in AR 380-40.
So, to discuss what COMSEC actually encompasses, you need to know your starting point. Which framework are you working under, and what does it define as COMSEC?
To further muddle the discussion, COMSEC practice varies depending on whether the communications in question are classified. Many COMSEC principles are the same, but the practicalities of handling unclassified information versus classified information can be very different.
COMSEC Training
One commonality across COMSEC programs is that a huge amount of the work is training. Training for employees, partners, contractors, and others involved in your organization generally comes from a COMSEC-fluent manager. Not everyone in your organization needs to pass a government COMSEC course, but your managers might, and they can pass down what they learn in the form of policies and procedures backed by employee training.
The National Initiative for Cybersecurity Careers and Studies, or NICCS, offers training for COMSEC. For example, you have:
Communications Security Fundamentals, a Tier 1 basic proficiency course for COMSEC principles and procedures. This course encompasses learning the basics of COMSEC, identifying common threats, understanding encryption and authentication, looking at emerging technologies, and the ethical and legal concerns surrounding COMSEC.
Above that, you have Fundamentals of Communications Security Guidelines and Procedures for Managers. Despite the very similar name, this is an intermediate-level course aimed at COMSEC managers rather than lower-tier or less specialized employees. It covers much of the same content but in greater detail and with an aim at promoting greater responsibility for those managers.
This just touches on the surface; there is a whole range of COMSEC-focused and COMSEC-related courses offered by the NICCS. Obviously, a potential manager doesn’t need to take all of them, just a selection that suits their needs and responsibilities.
COMSEC Managers have a lot on their plate. There are many tasks they have to accomplish, including:
- Identifying the roles and responsibilities of COMSEC personnel.
- Identifying and reporting on COMSEC incidents should they occur.
- Determining the safety and operational impacts of incidents or lapses in COMSEC.
- Reviewing and auditing overall enterprise IT and COMSEC goals and objectives.
- Advising and consulting with senior management over risk levels and security postures.
- Keeping stakeholders aware of organizational COMSEC efforts.
- Evaluating the need for security improvements and implementing them as necessary.
This all essentially just scratches the surface of what a dedicated COMSEC manager is responsible for in their career.
Updates to COMSEC
Information security is a constantly evolving battlefield where old technology is constantly probed for vulnerabilities, where emerging technologies can be leveraged for both security and attack, and where the human element is always both a wildcard and a weak link.
How do you keep up with the latest information with regard to COMSEC? Unfortunately, there’s no one central resource. COMSEC is such a broad and evolving field that to stay abreast of it, one must stay in tune with the latest news from a wide variety of sources.
Above, though, we’ve mentioned that COMSEC is a part of many different security frameworks. Thus, one potent source of information is the areas those frameworks cover. If a framework lays out a 100-point checklist of security controls and you identify that 87 of them apply to your business, you can follow updates and information related specifically to those controls. The numbers are hypothetical, of course; what applies depends entirely on the frameworks you work under and whether they trickle down from the DoD, the military, the NSA, or another department.
COMSEC Auditing
In order for COMSEC to be functional, it needs to be audited and validated on a regular basis. COMSEC audits can be narrow and focused on specific aspects of COMSEC, like a COMSEC Account Audit, or they can be more general and encompass all of employee training, all of physical COMSEC, or another full-spectrum audit.
The first step in a COMSEC audit is understanding the scope of the audit. Where do the guidelines come from? Common sources may include the NSA, the DoD, or the Federal Information Security Management Act’s framework. Others can come from other sources and frameworks.
This gives you the opportunity to plan the audit methodology and identify tools that you’ll use to gather data. Since a sizable portion of COMSEC is about employee behavior and training, these audits may include reviewing that behavior or interviewing those employees.
Conducting audits may be an internal affair or an external process. Internal audits tend to be less stringent and less all-encompassing because they’re effectively spot-checks to make sure your COMSEC is operational. External audits often come from auditing agencies in conjunction with the annual validation of security frameworks.
Keep in mind, as well, that this can all change when certain agencies are involved. Auditing, as well as the specific processes and requirements, can be very different if the COMSEC you’re talking about comes from the military rather than the NSA or DoD.
Monitoring and Incident Reporting
Incidents can happen, which is why part of COMSEC is having a way to monitor ongoing COMSEC states, detect incidents, and respond to them.
Incidents are generally classified in a few ways:
- Administrative incidents. These are violations of procedures or practices that can be dangerous to security but are not bad enough to jeopardize the integrity of a controlled item. They do, however, require corrective action and can be reportable to stakeholders and contract holders.
- Cryptographic incidents. These are occurrences in which the cryptographic security (encryption) of a machine or ecosystem may have been jeopardized, whether through equipment malfunction or human error. Until it has been investigated and evaluated, an incident in this context is an occurrence that had the potential to compromise the cryptographic security of a system, not one confirmed to have done so.
- Personnel incidents. These are potential gaps or failures in employee behavior that could jeopardize the security of communications systems.
- Physical incidents. These are the archetypal “left the radio behind” incidents, where the physical access or security of systems is jeopardized.
Incident monitoring needs to be in place to detect incidents when they happen, or at the first opportunity thereafter, so that a defined process can address them appropriately. The response might mean anything from isolating or segmenting affected systems to reprimanding employees to more severe consequences.
The NSA maintains the National COMSEC Incident Reporting System or NCIRS. This is the centralized government hub for reporting incidents relating to COMSEC for government data. It allows experts within the NSA to analyze incidents, take action as necessary, and minimize any potential impact on national security. Overall, the NCIRS is made up of organizations within the national security community, including heads of various departments, authorities controlling materials, and product resource managers.
Maintaining the Best Security
When you get past all of the confusing terminology and the interlocking requirements, COMSEC really boils down to a single idea: policies, procedures, and technical implementation that secure communications wherever they need to be secured. Understanding that, and how it relates to frameworks you may have to comply with, such as FISMA, CMMC, or FedRAMP, is where the complexity lies.
At Ignyte, we strive to do our best to help with all of these kinds of security. Our Assurance Platform is designed to be a multi-framework collaborative hub for documentation and record-keeping, available to anyone with a need to comply with a security framework. You can check it out directly and see how it can help just by booking a demo or by contacting us to discuss your specific needs.
So, if you need to achieve full compliance with any of these frameworks, whether it’s for a government contract, a contract with a subcontractor, or just as part of the pursuit of future contracts, we’re here to help. If you have any questions, be sure to let us know!
Max Aulakh is a distinguished Data Security and Compliance leader, recognized for implementing DoD-tested security strategies and compliance measures that protect mission-critical IT operations. His expertise was shaped in the United States Air Force, where he was responsible for the InfoSec and ComSec of network hardware, software, and IT infrastructure across global classified and unclassified networks. He also developed strategic relationships with military units in Turkey, Afghanistan, and Iraq. After his tenure with the USAF, Max played a pivotal role in driving Information Assurance (IA) programs for the U.S. Department of Defense (DoD). As a Senior Consultant for a leading defense contracting firm, he led a team that ensured data centers met Air Force Level Security audits for regulatory requirements like HIPAA, SOX, and FISMA. Currently, as the CEO of Ignyte Assurance Platform, he is at the forefront of cyber assurance and regulatory compliance innovation, catering to defense, healthcare, and manufacturing sectors. Max is also an esteemed speaker, having presented at several conferences on topics including cybersecurity GRC, medical device security, and cybersecurity perspectives in vendor management. You can follow him on LinkedIn here.