Regulations and Building Your COMSEC Posture
What the law actually allows, and a capstone exercise for your group
Lesson Objectives
- Identify the encryption rules that apply under FCC Part 97, Part 95, and Part 90
- Explain why most preparedness groups will build their COMSEC posture around procedure rather than encryption
- Apply the four COMSEC domains to build a simple, documented COMSEC posture for your own group
Encryption and the FCC rulebook
Before building a COMSEC posture, know what is actually legal on the frequencies most preparedness groups use. This is not a footnote — it determines which tools in this course are even usable for your group’s licensed operations. The rule is not the same single sentence repeated across every service — each service blocks encryption through a different legal mechanism, and the details matter.
Amateur Radio (FCC Part 97)
The core rule is Sec. 97.113(a)(4), which prohibits amateur stations from transmitting messages encoded for the purpose of obscuring their meaning, except as otherwise provided in the rules. This is the operative “no encryption” rule for ham radio.
Not all encoding is banned. The FCC has confirmed that the rule targets obscuring meaning specifically — it does not sweep in every form of encoding. Things like authentication or password schemes used on digital networks have not been found to run afoul of Sec. 97.113(a)(4), because their purpose is verification, not concealment of meaning. This is exactly why the authentication tools in Lesson 4 remain legal on Amateur frequencies while content encryption does not.
Why your radio’s menu has an encryption option it is illegal to use. Popular DMR radios such as the AnyTone AT-D878UV / AT-D578UV — and most DMR radios like them — ship with an encryption menu even though using it on Amateur frequencies violates Sec. 97.113(a)(4). The reason is manufacturing economics, not a loophole. The DMR (Digital Mobile Radio) standard, as defined by ETSI, includes encryption as an optional feature for the commercial and public-safety dispatch systems the standard was actually built to serve — business security, utility crews, private fleets, and similar Part 90 users where privacy is a legitimate operational need. Manufacturers build one hardware and firmware platform and sell it across every market the chipset supports: Part 90 commercial and business licensees, GMRS and equivalent personal-radio services in other countries with different rules, and Amateur operators, who receive the identical physical radio. Building a separate stripped-down “amateur-only” version without the encryption menu would cost more than it is worth, so the feature ships present in firmware and the licensing framework — not the hardware — is what governs whether using it is legal. The menu option existing on your radio is not FCC guidance about what is permitted on your license; it is a byproduct of the radio being built for a bigger market than amateur radio alone.
What’s actually in the menu: AES256 versus “ARC” encryption
A note on why this is included. The model and feature details below are provided for awareness and completeness — so you can recognize what you are looking at if you ever see these options in a radio’s menu, and understand why they are there. Nothing in this section is an endorsement or encouragement to actually enable encryption on Amateur or Part 95 frequencies. As covered throughout this lesson, doing so is not legal on those services regardless of which option a radio offers or how strong it is.
Several current AnyTone DMR models advertise AES-256 encryption as a built-in feature, including the AT-D878UV, AT-D878UVII Plus, AT-D168UV, AT-D890UV, AT-D578UV, and the AT-268. Manufacturer listings for the AT-D168UV specifically mention both AES-256 encryption and “ARC Encryption” as separate options, and the AT-D890UV listing includes AES-256 digital encryption alongside its other DMR features. Knowing the difference between these two options matters, because they are not remotely equivalent.
“ARC” (also written ARC4) refers to the RC4 stream cipher as implemented for DMR — sometimes called “Alleged RC4” because the original algorithm was proprietary and was reverse-engineered and published anonymously rather than officially released. In DMR radio programming software it commonly shows up labeled “Basic Encryption” or “Common/Extended Encryption” rather than by the ARC4 name directly. It is weak by modern standards: ARC4 has well-documented cryptographic weaknesses, is considered obsolete and broken, and can be cracked with widely available tools. It functions as a deterrent against a casual scanner listener stumbling onto a conversation — it is not a real security measure, and it should never be confused with the AES-256 option sitting in the same menu.
Neither option is legal to use on Amateur or Part 95 frequencies — regardless of strength. The distinction between AES-256 and ARC4 is a cryptographic strength question. Whether you are legally allowed to enable either one on your license is a completely separate question, governed by Sec. 97.113(a)(4) on Amateur and the equipment-certification bar plus Sec. 95.1733(a)(3) on GMRS covered earlier in this lesson. A weak cipher is not “probably fine” because it is easy to crack, and a strong cipher is not legitimized because the manufacturer built it in. If your license is Amateur or Part 95, both options in that menu are off-limits for on-air use, full stop.
Why DMR encryption mostly deters casual listeners, not analysts
Part of why ARC4 gets used at all despite being broken comes down to a practical reality: most hobbyist scanners cannot decode DMR out of the box. DMR decoding is not a standard scanner feature — it typically requires a separate add-on module or upgrade, which most casual scanner owners never buy. Amateur Radio’s 1.25-meter band is similarly absent from most consumer scanners entirely. The practical result is a kind of security through obscurity: a transmission on Amateur DMR or the 1.25-meter band is already outside what the average scanner hobbyist can hear, encrypted or not. That is a real, if limited, layer of protection against casual listeners — but it is not protection against a dedicated analyst with the right equipment, and it is certainly not a legal basis for running actual encryption. Obscurity is not a substitute for the legal analysis above.
Personal Radio Services (FCC Part 95: GMRS, FRS, MURS, CB)
There is no single blanket clause across all of Part 95 the way Sec. 97.113(a)(4) works for Amateur. Instead, encryption is locked out through two different mechanisms depending on the service:
-
1
Equipment certification bar (applies across GMRS, FRS, MURS, and CB)
The FCC will not issue an equipment certification grant for any transmitter incorporating voice scrambling or other voice-obscuring features, for any Personal Radio Service that provides voice communications on shared channels — this has applied to applications filed on or after December 27, 2017. A “voice obscuring feature” is defined as one that alters the sound of a user’s voice so the communication is only intelligible to someone with a matching unit that reverses the process. This is a manufacturing and certification-level bar, not a distinct operating-rule sentence — but the practical effect is the same: a legally certified radio on these services cannot ship with scrambling capability at all.
-
2
GMRS-specific operating prohibition
GMRS additionally has its own explicit ban under Sec. 95.1733(a)(3): GMRS stations must not send coded messages or messages with hidden meanings. Ordinary “10-codes” are specifically carved out as permitted. FRS, MURS, and CB do not have their own standalone “no codes” operating rule the way GMRS does — they rely on the general Subpart A prohibitions in Sec. 95.333 (no illegal activity, no false or deceptive communications, no obscene language, no interference) plus the certification-level bar above, rather than a distinct “do not encrypt” sentence.
Business and Industrial Pool (FCC Part 90)
Encryption is permitted. Proprietary manufacturer encryption is common and typically weaker than AES, but adequate against casual interception. Programming-based keys remain vulnerable if a radio is physically captured.
| Service | How encryption is actually blocked (or not) |
|---|---|
| Amateur Radio (Part 97) | Direct operating rule: Sec. 97.113(a)(4) bans messages encoded to obscure meaning. Authentication/verification schemes are not swept in. |
| GMRS (Part 95) | Two layers: the cross-service equipment certification bar on voice-obscuring features, plus its own explicit operating ban on coded/hidden-meaning messages under Sec. 95.1733(a)(3) (10-codes excepted). |
| FRS, MURS, CB (Part 95) | No dedicated “no codes” operating rule. Blocked in practice by the same cross-service equipment certification bar — a certified radio cannot legally be built with scrambling capability — plus the general Subpart A prohibitions in Sec. 95.333. |
| Business/Industrial Pool (Part 90) | Encryption is permitted; no equivalent bar applies. |
The practical implication: if your group’s primary radios are Amateur, GMRS, FRS, MURS, or CB — which covers the large majority of family and MAG preparedness setups — encryption is not a legal option during routine and licensed operation, whether that is because of a direct operating rule (Amateur, GMRS) or because no certified radio on that service can legally ship with the capability at all (FRS, MURS, CB). Your COMSEC posture on those services has to be built from the other tools in this course: authentication, brevity codes, physical security of any reference material, and operational discipline about what goes out over the air. That is not a limitation of COMSEC — it is most of what COMSEC actually is for the average group.
Source: ARRL comments on RM-11699, discussing FCC guidance on Sec. 97.113(a)(4) and permitted authentication schemes.
Build your group’s COMSEC posture
Using what this course has covered, work through the following for your own group. This is meant to produce a short, written document your group can actually keep and use — not a theoretical exercise.
-
1
List your protected material
Write down every radio, codebook, authentication sheet, and set of written procedures your group actually has. If it is not on the list, it is not being protected on purpose.
-
2
Assign access on a need-to-know basis
Decide, in writing, who actually needs access to each item on that list. Fewer hands is safer, even inside a trusted group.
-
3
Set a rotation schedule
Brevity code lists, authentication word sets, and any key material need a rotation interval. Pick one and write it down — a schedule that exists only in someone’s memory will not survive that person being unavailable.
-
4
Write your lost-material procedure
Decide now, before it happens, exactly what your group does the moment any item on your protected list cannot be accounted for. Waiting to improvise a response during an actual loss is how the “assume lost equals compromised” rule gets skipped.
-
5
Confirm your legal footing
Identify which FCC service each of your group’s radios operates under, and confirm your plan does not rely on encryption where it is not legally permitted.
This five-item list, written down and kept with your other group planning documents, is a working COMSEC posture. It does not need to be complicated to be effective — it needs to actually exist and actually be followed.
Related curriculum: This posture should not be static. PLN-05, COMCON (Communications Conditions), defines escalating condition levels for your group’s communications infrastructure — as COMCON tightens, your COMSEC posture should tighten with it (shorter rotation intervals, stricter access, more disciplined content). COMCON itself nests under your group’s overall readiness level in PLN-04, PREP-CON (Readiness Conditions). Review your five-item posture any time either condition level changes.
Communications discipline is a force multiplier
Without communications discipline, coordination fails and security degrades quickly, regardless of how good any single piece of equipment is. With it, a group with modest radios and no exotic technology can still hold its own communications together under pressure. Like every other skill in this curriculum, COMSEC has to be practiced under realistic conditions — not just read about once and filed away.
Related courses: COM-04 EMCON • COM-06 Authentication & Challenge/Reply • COM-07 One-Time Pads • COM-08 Dead Drop & Courier Protocols • COM-09 Cryptographic Security • SEC-02 OPSEC • INT-02 RTSA • INT-03 SALUTE & SPOT Reporting • PLN-04 PREP-CON • PLN-05 COMCON
COM-03: Communications Security (COMSEC) Complete!
You have completed all five lessons of COM-03. Download your certificate of completion below.
| ← Lesson 4 |