How many and what are the categories of COMSEC incidents?

• A. 3 categories: Cryptographic, Personnel, and Physical
• B. 4 categories: Cryptographic, Personnel, Physical, Administrative
• C. 2 categories: Technical and Administrative
• D. 5 categories: Cryptographic, Personnel, Physical, Administrative, Operational

Answer: (A)

COMSEC incidents are grouped by where the risk originates: cryptographic, personnel, or physical. A cryptographic incident involves exposure or compromise of cryptographic material, keys, algorithms, or crypto equipment. A personnel incident covers misuse or disclosure by individuals—things like sharing secrets or mishandling materials. A physical incident deals with loss, theft, or damage to secure material or devices, or breaches of physical security controls. This three‑category structure focuses on the main avenues through which COMSEC can be compromised and guides the appropriate response. Administrative issues, while important, are not treated as a separate primary incident category in this framework, which is why adding Administrative isn’t used here.