TABLE OF CONTENTS
Topics | Sections |
3.1 What is the purpose of this chapter? 3.2 What are the scope, authorities, and terms you need to know to understand this chapter? | |
3.3 How do employees obtain and track mechanical keys, electronic keys, and key cards? 3.4 How do employees obtain and track locks? 3.5 How does the Service ensure accountability for keys, locks, and locking devices? 3.6 How does the Service protect combinations? | |
3.7 How do employees report lost or stolen keys? |
OVERVIEW
3.1 What is the purpose of this chapter? This chapter establishes a uniform standard throughout the U.S. Fish and Wildlife Service (Service) to track electronic and mechanical keys, locks, and combinations.
3.2 What are the scope, authorities, and terms you need to know to understand this chapter? See 432 FW 1 for information about scope, authorities, and definitions of terms for all the chapters in Part 432, Physical Security.
ISSUING AND TRACKING DEVICES
3.3 How do employees obtain and track mechanical keys, electronic keys, and key cards?
A. Key issuance:
(1) Only the Designated Official (DO), Facility Security Officer (FSO), or individual designated by the DO may approve the issuance of Government keys for facilities, vehicles, and sites under their control. This includes all locking mediums, such as hard keys, cardkeys, key fobs, and vehicle keys. It does not include the issuance of Personal Identity Verification (PIV) cards (see 432 FW 1), which are tracked separately.
(2) With the appropriate approval, keys may be signed out to authorized employees, contractors, and volunteers, as needed, using FWS Form 3-2384, Key Control Register and Inventory. All keys that are not issued must be stored in a secure location with the DO and FSO limiting access. Any special keys that are not building or office-specific keys (e.g., gates, emergency valves, fire panels) must have the same control procedures applied.
(3) Personnel may only get a key or code for an office or facility they regularly access for business purposes. The FSO or DO must only issue vehicle keys as needed. If an FSO or DO needs to issue a vehicle key on an ongoing basis, they must scrutinize the issuance, which must not be for convenience.
(4) When an employee is suspended, resigns, or is terminated, the immediate supervisor is responsible for collecting all Service keys and locks that were issued to the employee and returning them to the FSO. If those items cannot be collected, the supervisor or FSO must notify law enforcement, and the FSO must ensure that the locks are changed for the areas to which the person had access.
(5) All keys remain the property of the Government. Keys that are no longer required must be returned to the FSO. Any keys or locks that are found unattended must be turned over to the FSO for investigation.
(6) No employee may knowingly receive, borrow, or possess any key for any space without receiving permission from a person who has the authority to give permission to possess the key (see section 3.3A(1).
(7) No employee may knowingly alter, duplicate, copy, or make a facsimile of any key to a lock for a facility, building, or property without receiving permission from the FSO.
(8) Keyholders must protect and safeguard facility keys issued to them or in their name. Keyholders must not loan their facility key(s) to anyone.
(9) Keyholders must not use their key(s) to grant access to non-authorized individuals.
(10) Keyholders must immediately report any lost, damaged, missing, or stolen keys to the FSO (also see section 3.7). When a keyholder reports keys or access media as lost, compromised, or stolen, the FSO must ensure they are deactivated and the locks changed.
(11) Keyholders must not store keys issued to them in unlocked desk drawers or other unsecured areas.
(12) Keyholders must never store vehicle keys inside the vehicle.
B. Master keys: FSOs and DOs must keep issuance of building master keys to the absolute minimum. They should only issue master keys to security, maintenance personnel, and those who have the need to access multiple areas of the facility for emergency purposes.
C. Contractor cores: The DO or FSO must ensure all “contractor core” keyways are removed from any newly constructed facility prior to acceptance and that the contractor replaces all cores using General Service Administration (GSA)-approved lock cores.
D. Key depository:
(1) To secure keys, facilities must maintain a lockable container such as a safe, filing cabinet, or a key depository that is:
(a) Made of at least 26-gauge steel,
(b) Equipped with a tumbler-type or touchpad locking device,
(c) Permanently affixed to a wall, and
(d) Has a slot available for after-hours key drop.
(2) The key depository must be in a room that is locked when unoccupied.
E. Facility Physical Access Control System (PACS) access:
(1) Only the FSO or DO may approve access to facility PACS card readers.
(2) The FSO or DO should only grant personnel access to PACS card readers for business purposes.
(3) When an employee or contractor is suspended, resigns, or is terminated, the immediate supervisor is responsible for collecting the PIV card from the employee or contractor and notifying the FSO to revoke access to PACS card readers.
(4) Personnel must not loan their PIV cards or share their PIN.
(5) Personnel must not use their PIV cards to grant access to non-authorized individuals.
(6) Personnel must report lost or stolen PIV cards immediately to the FSO and servicing Human Resources office.
3.4 How do employees obtain and track locks?
A. The FSO must manage master key systems and multiple key systems.
B. The GSA provides or contracts coring and keying services for their owned or leased facilities. In a GSA-leased space, the FSO may use outside vendors only when they use locks that meet or exceed GSA standards.
C. Whenever practicable, the FSO should use restricted keyways for locks to reduce the chance for duplication of keys and increase overall security of Service facilities.
D. When safeguarding unclassified and non-sensitive Service supplies and equipment, locks must be key-operated, American National Standards Institute (ANSI) Grade 1 locks or deadbolts or tumbler-type padlocks. For classified material storage requirements, see 442 DM.
(1) The FSO must base selection of the type of lock on the value of items protected, how essential the items are to the mission, and vulnerability to threats.
(2) If employees have any questions about approved locks and locking devices, they should contact the FSO or their servicing Geographic Emergency Management and Physical Security Manager (GEMPS).
E. Electronic strikes and magnetic locks must meet the standards in the FWS Standardized Physical Security Countermeasure Handbook.
F. The FSO must ensure that door locking and closing hardware is regularly inspected for operation, maintenance, and tampering.
3.5 How does the Service ensure accountability for keys, locks, and locking devices?
A. Personnel and managers must, at all times, be able to account for the keys and combinations to locks for which they are responsible.
B. Personnel must not duplicate or loan out individually issued keys to offices or buildings.
C. The FSO must assign a serial number to high-security padlocks and keys that do not have one. This number must be inscribed on the lock or key.
D. The FSO must inventory keys, locks, and locking devices at least annually, maintain a written record of the inventory (see FWS Form 3-2384, Key Control Register and Inventory) for 5 years, and provide a copy of the inventory to the DO.
(1) For GSA-approved padlocks and their keys, the FSO must perform a semiannual inventory.
(2) For all other (non-GSA) padlocks and keys, the FSO must perform an annual inventory.
E. The inventory must include the following:
(1) Electronic keys,
(2) Mechanical keys,
(3) Locks,
(4) Padlocks,
(5) Key serial numbers for those keys that require them,
(6) Lock serial numbers for those locks that require them,
(7) Location of locks, and
(8) The number of keys maintained for each lock.
F. The FSO must keep this list in a secure location.
G. Discrepancies that require rekeying and re-coring of facilities include:
(1) Control and accountability of keys have been compromised;
(2) Requests for replacement of lost keys that are equal to or greater than 25 percent of the total issued keys for that facility or doors in the facility. The program responsible for the facility is responsible for the costs of rekeying or re-coring, or both; or
(3) The facility is vacated, and keys have not been recovered.
H. When a key to a high-security padlock is lost or missing, the FSO must conduct an inquiry and replace or rekey the padlock immediately.
3.6 How does the Service protect combinations?
A. The FSO must change combinations to locks on all security containers used for storage of Classified National Security Information (CNSI) or vaults, such as Sensitive Compartmented Information Facilities (SCIF), when the container (or lock) is first put into service. CNSI includes all documents that are marked “Confidential” or with another, higher marking (e.g., Top Secret) in accordance with the Classified National Security Information Protection Act.
B. The FSO must also change combinations for the types of locks in section 3.6A in the following situations:
(1) When a person who knows the combination leaves their position, when there is compromise or suspected compromise of a container or its combination, or the FSO discovers that a container was left unlocked or unattended; or
(2) When a person who knows the combination has been terminated or their clearance has been withdrawn, suspended, or revoked.
C. The FSO, DO, or the servicing GEMPS may determine it is necessary to change a combination at any other time.
D. The FSO must record and maintain combinations. To do this, the FSO must:
(1) Use Standard Form (SF) 700, Security Container Information, sealed in the envelope provided (order SF 700 forms and envelopes online from the GSA Forms Library), marked with the highest classification of material authorized for storage in the container, and safeguarded in accordance with the highest classification of the material stored in the container or SCIF. Do not use other methods to record the combinations unless they are appropriately marked and handled in accordance with the highest classification of the material authorized for storage in the container or SCIF.
(2) Either keep the SF 700 in a container that is approved to store the same classification level as material stored in the original container or SCIF, or give it to a person who has the appropriate clearance and facility to properly store the form.
(3) Establish controls to ensure that the envelopes containing combinations to locks are not made available to unauthorized personnel.
REPORTING LOST OR STOLEN KEYS
3.7 How do employees report lost or stolen keys?
A. Employees must report keys that are lost or stolen to the FSO so mitigation measures can be put in place to secure the locked areas and so that the FSO can take steps to replace the affected locks. Employees should use the most expeditious method of reaching the FSO (e.g., phone, text, in-person, via email, etc.).
B. Employees or their FSOs must also report stolen keys to the Regional Chief of Refuge Law Enforcement and to the Office of Emergency Management and Physical Security in Headquarters.
C. If a lost or stolen key is for a facility that multiple employees use, the FSO or their designee must notify the other employees of the potential compromise so that they can take measures to protect any classified or Controlled Unclassified Information (CUI) at those locations.