The Communications Security Establishment (CSE) is the lead security agency and national authority for Communications Security (COMSEC) in Canada. COMSEC refers to the application of cryptographic, transmission, emission and physical security measures, and operational practices and controls, to deny unauthorized access to information that comes from telecommunications and to ensure the authenticity of those telecommunications.
About COMSEC services
CSE provides COMSEC services to Government of Canada (GC) departments and Canada’s private industry partners, including:
- approving, certifying, and providing cryptographic keys and equipment to secure the Government of Canada’s classified (up to TOP SECRET) and protected (up to PROTECTED C) information and data
- developing the related COMSEC policy instruments for the management and control of cryptographic equipment
- developing related service management procedures for the ordering, safeguarding and delivery of cryptographic key and equipment in support of cryptographic solutions
- providing advice and guidance on the management and security of cryptographic keys and equipment used to cryptographically secure a telecommunications network for classified and protected information
Formal COMSEC training
The Learning Hub (LH) provides COMSEC training to GC departments and GC-sponsored OLGs and private sector companies. If you occupy a role within a COMSEC account, please visit the LH to discover which mandatory and recommended role-based and equipment training is offered.
The following is a list of the major families of devices that are approved by CSE:
- Secure voice devices: includes wireline and wireless devices, which communicate over conventional telephone circuits, cellular or satellite-based networks.
- Network encryptors: high-speed devices, which provide security services for Asynchronous Transfer Mode (ATM) and Internet Protocol (IP) networks by providing data confidentiality, integrity mechanisms, and authentication services.
- Link encryptors: includes devices used to encrypt information at the data link layer during data transmission between two points within a network. Unlike network encryptors, link encryptors also provide traffic-flow security (i.e. the routing information is not transmitted in clear).
- Secure remote access devices: refers to devices that allow users with laptops in remote locations to securely access centralized classified networks.
- Hard disk encryptors: refers to hardware-based disk encryption devices.
- Tier 3 management devices: refers to equipment that accepts, stores, and fills cryptographic key devices.
How to access COMSEC services
CSE provides services and guidance to GC departments who require COMSEC solutions to protect their information.
GC departments requiring COMSEC material must submit a request letter from their Chief Security Officer (CSO) to COMSEC Client Services to establish a COMSEC account.
The request must include information such as:
- a justification to hold COMSEC material
- interoperability requirements
- highest security classification of the COMSEC material and
- statement that the minimum physical security standards are in place in accordance with Treasury Board Operational Security Standard on Physical Security
GC departments must also appoint appropriate COMSEC personnel to manage their departmental COMSEC program:
- a Departmental COMSEC Authority (DCA) may be appointed by the CSO to act in their stead to develop, implement, maintain, coordinate and monitor the departmental COMSEC program
- a COMSEC custodian, who will be responsible for the generation, receipt, custody, distribution, disposition or destruction, and accounting of COMSEC material entrusted to their COMSEC Account or sub-account
CSE provides direction to Canadian private sector clients regarding how to handle COMSEC material in support of a GC contract. These clients must be sponsored by a GC department that has a current COMSEC account prior to acquiring cryptographic material.
The private sector client requires a GC sponsor who is responsible for initiating coordination with the Cyber Centre. The sponsor is also responsible for seeking approval from COMSEC Client Services prior to providing any accountable cryptographic equipment to a Canadian private sector client. Such equipment is managed through the CSE Industrial COMSEC Account (CICA).
More information can be found in the Directive for the Control of COMSEC Material in the Canadian Private Sector (ITSD-06A). For a copy of this document, please contact the Contact Centre.
Reporting COMSEC incidents
A COMSEC incident is any occurrence that jeopardizes or potentially jeopardizes the security of COMSEC material, or the security of protected or classified information and data, whether it is being stored, processed, transmitted, or received during the telecommunications process.
The National COMSEC Incident Office (NCIO) is responsible for providing final assessment and closure to all COMSEC incidents. Such incidents, suspected or confirmed, must be reported within 24 hours through your COMSEC Custodian to the DCA and to the CSO. The DCA must then report it to the NCIO.
For more detailed information regarding COMSEC incidents, please refer to the Directive for Reporting and Evaluating Communications Security (COMSEC) Incidents (ITSD-05A) available on the COMSEC User Portal (CUP).
Directives and regulations
- IT Security Directive for the Control and Management of In-Process COMSEC Material (ITSD-08) (Only available inside the CUP) provides COMSEC practitioners with the minimum security requirements for the handling of COMSEC material where the normal accounting system is not possible because of board or component level integration activities.
- IT Security Directive for Cryptographic Key Ordering (ITSD-09) (Only available inside the CUP) provides the minimum requirements for the ordering of cryptographic key from CSE to support CSE-approved cryptographic solutions.
In addition to ITSDs, GC departments, enterprise services organizations, GC-sponsored Other Levels of Government (OLG) organizations, and GC-sponsored Canadian private sector companies requiring access to such COMSEC material must comply with both the Canadian Controlled Goods Program (CGP) and the United States (U.S.) International Traffic in Arms Regulations (ITAR).
Contact the COMSEC team
Established COMSEC accounts can direct any COMSEC related inquiries to the Client Portfolio Manager or access the COMSEC User Portal (CUP).
For access to the CUP, please speak to your Departmental Custodial Office.
If you have a requirement to establish a COMSEC account with CSE and you meet the requirements noted in the How to access COMSEC services section, contact the Cyber Centre by email at firstname.lastname@example.org for next steps.
Accessible only for COMSEC account holders.