TACN System User Guide

This guide is intended for partner agency radio management administrators or their programming vendors.
 

Overview

This document provides guidance to agencies utilizing the Tennessee Advanced Communications Network (TACN) for primary daily radio communications and/or interoperability solutions, as needed.

Scope

TACN provides minimum system requirements as well as best practices and recommendations within the scope of this document. This document also provides general information on how TACN leadership works with agencies to develop fleet-maps, manages system keys, encryption, programming, talk group and radio IDs, and other network security matters. The scope of this document outlines resources TACN provides to other state agencies and local partners as well as what resources are not included.

Some management processes or guidance may reference other documents such as internal policies or industry standards. This guide is intended as a general reference and does not contain specific documentation of contractual agreements with individual entities on the network.

Terms that appear in the glossary are indicated with bold/italic print within the page.

ACTIVE EYE REMOTE SECURITY SENSOR (AERSS): Motorola’s proprietary cybersecurity monitoring system.

ADVANCED DIGITAL PRIVACY (ADP): Low-level software-based encryption using a 40-bit key, not recommended by the federal government but still in widespread use. Also known as ARC4 by some vendors.

ADVANCED ENCRYPTION STANDARD (AES): Generally recognized as the strongest Land Mobile Radio encryption widely available to Federal, State, and local public safety. Project 25 (P25) supports the AES-256-bit encryption type. This is the State-recommended format for general use and is the required format for interoperable encryption.

ADVANCED SYSTEM KEY (ASK): A method to restrict radio programming from outside sources. This tool allows a level of security on all subscribers.  

ALIAS: The recognizable name or identifier associated with a radio that displays on a dispatch console or the device itself; sometimes a call-sign or badge number and/or specific role/device, such as distinguishing between a mobile and portable or a fire truck and its personnel.

BI-DIRECTIONAL AMPLIFIER (BDA): Bi-Directional Amplifiers (BDAs) and Distributed Antenna Systems (DAS) refer to the main components of an Emergency Radio Communication Enhancement System (ERCES): an array of indoor antennas, connected to a head-end unit and an outside antenna. These systems receive signals from the public safety radio network and rebroadcast them inside a building and receive signals from responder radios inside the building to rebroadcast them onto the radio network.

CAPACITY: TACN will measure its capacity by using the Genesis Grade of Service (GoS) tool – which is the greatest service per cell, based off measurements for trunked radio systems. This tool provides TACN the ability to forecast channel expansions.

COMMON KEY REFERENCE (CKR): A decimal value between 1 and 4095 that is utilized by the radio and programming software to locate the encryption key within memory. Also known as the Storage Location Number (SLN).

CUSTOMER ENTERPRISE NETWORK (CEN): The local agency network such as Computer Assisted Dispatch (CAD) or email.

DISTRIBUTED ANTENNA SYSTEM (DAS): See definition of BDA above.

EMERGENCY RADIO COMMUNICATION ENHANCEMENT SYSTEM (ERCES): An array of indoor antennas, connected to a head-end unit and an outside antenna. These systems receive signals from the public safety radio network and rebroadcast them inside a building and receive signals from responder radios inside the building to rebroadcast them onto the radio network.

FAILSOFT: A pre-programmed failure mode for managing communications if all trunking operations fail, causing the site to revert to conventional repeaters.

FLEETMAP/FLEET-MAPPING: The fleetmap is a spreadsheet that outlines talk groups, talk group assignments/use, naming protocols, character name length, and other descriptors such as use of encryption.

GATEWAY: A device used to bridge two different radio systems to pass radio traffic.

GRADE OF SERVICE (GOS): The amount of time that a site is available – for public safety grade, the goal is 99.999%.

KEY VARIABLE LOADER (KVL): A KVL is also known as a Key Fill device and generally uses a data protocol for transferring cryptographic keys to a radio or other devices.

MULTI-KEY (ENCRYPTION): Allows a radio to store more than one encryption key; necessary if the radio is to be programmed for access to outside agency encryption (or encryption using a different key).

PHASE I (FDMA): Phase I or Frequency-Division Multiple Access (FDMA) utilizes the same frequency band (12.5 kHz), allowing only one conversation at a time, and is backward compatible with analog systems.

PHASE II (TDMA): Phase II or Time-Division Multiple Access (TDMA) makes more efficient use of radio spectrum by sharing a channel to allow two conversations to take place at once and is backward compatible with Phase I.

PROJECT 25 (P-25): Project 25 defines system interfaces that are utilized to build P25 communications networks. TIA-102 Standards documents define the messages and procedures required for P25 features to operate across the P25 system interfaces.

SELECTABLE (ENCRYPTION): Option to turn encryption on or off by the end user using a button, switch, or other radio feature selectable setting.

SITE TRUNKING: A failover method in which the affected site can no longer communicate with the zone controller or other sites around it. Units in this site coverage will only be able to communicate with other units in this coverage area. Subscribers will automatically try to avoid a site in site trunking and search for a site in wide trunking whenever possible.

STRAPPED (ENCRYPTION): Encryption for a talk group is always on, so that it cannot be turned off by the end user.

SYSTEM UPGRADE AGREEMENT (SUA): An agreement between Motorola and TACN or Motorola and a partner agency for software and system-related upgrades at a pre-defined schedule.

(DIGITAL) TRUNKED/TRUNKING: A radio system that uses a control channel to dynamically assign radio channels to users as needed, without using a dedicated channel for each conversation for more efficient use of frequencies.

TACN Governance  

TACN is a statewide trunked, digital P-25 radio system that provides communication connectivity infrastructure for local, state, and federal first responders. It is comprised of mobile and fixed radio transmission sites to ensure first responders have consistent communication coverage.
 
Executive Order 49 established the following: “TACN Advisory Committee” means the Tennessee Advanced Communication Network Advisory Committee and is composed of Commissioners or their designees from the Department, TDOC, TDOT, the Chief Information Officer of STS, the Director of TEMA, representative from the TVRCS, and at least one TACN User representative from each of the following local government disciplines: law enforcement, fire, emergency medical services, and emergency management agencies. The TACN Advisory Committee advises on the management and operation of the TACN. The Commissioner or his designee shall be the chair of the Committee and shall have the discretion to select TACN User representatives, add additional members, and establish working subcommittees.
 
Pursuant to Tenn. Code Ann. § 4-3-2018, the Tennessee Department of Safety & Homeland Security (TDOSHS) has the authority to promulgate rules and regulations regarding access to the statewide P25 interoperable communications system. Additionally, Tenn. Code Ann. § 4-3-2018 permits the generation of revenue via leasing of the P25 towers to third parties in exchange for fees for the maintenance, improvement, and use of the system. The market rate for tower usage is generally dependent on geographic location of the tower, the local population, the amount of data used, and the critical nature of the data usage.
 
The TDOSHS ceased collecting assessments for usage of the system from local government entities in FY21-22. TDOSHS is not currently receiving any revenue related to use of the TACN system.
 

Tennessee Valley Regional Communications System (TVRCS)

TACN values its partnership with TVRCS and recognizes the importance of the shared infrastructure and architectural ties, which create a cohesive ecosystem that benefits both organizations. This interconnectedness promotes resiliency, redundancy, and seamless operation, both as part of the TACN statewide system and as a regional system within the larger framework.

TVRCS represents the following counties within the TACN/TVRCS ecosystem in Zone 2:

  • Tennessee: Hamilton, Bradley, Meigs, Rhea, McMinn, Monroe, Loudon, Roane, Anderson, Knox, and Blount
  • Georgia: Catoosa, Whitfield, Walker, and Dade

TVRCS governance structure consists of an Executive Board and an Advisory Committee. The Executive Board includes three permanent members (Hamilton County, City of Chattanooga, and Catoosa County) and two members appointed annually from the Advisory Committee. The Advisory Committee comprises one representative from each TVRCS partner county, selected by the respective county's lead partner agency.

TVRCS funding is generated through annual radio fees, charged per radio. These fees support the City of Chattanooga's Mobile Communications Department, which oversees the operation and maintenance of the Zone 2 core and sites within that area of responsibility.

Any user outside of TVRCS requiring access to TVRCS partner daily use talkgroups must obtain approval from the Executive Board and sign a Memorandum of Understanding. Upon approval and execution of the MOU, all users with access are subject to all applicable TVRCS and TACN fees and policies.

TACN collaborates with TVRCS to develop guidance documents, policies, and procedures for system use and operation. TVRCS may adapt or tighten, for its own use, any guidance, policy, or procedure adopted by TACN/TVRCS.

Minimum Requirements

Minimum Requirements for devices on the system:

  • Project 25 Phase II (TDMA) compliant: more information found here: www.cisa.gov/safecom/project-25
  • Hardware System Key is required for all radios coming onto TACN 
     

Best Practices & Recommendations

These recommendations are based on industry standards, best practices, or existing Federal guidance, and are followed by TACN-managed state devices on the system.

  • Lost or stolen radios: Partner Agency personnel should immediately report a lost or stolen radio to their system manager or directly to TACN/TVRCS Administration. It is imperative to ensure the radio is disabled to prevent unauthorized access to radio communications.  
    • The reporting agency/individual’s supervisor will notify TACN at: https://www.tn.gov/safety/tacn/report-lost-stolen-radio.html  
    • A service ticket will be created to document the process for managing the device’s access to the network and any restoration efforts.
    • The radio will be inhibited from operating on the network until it has been verified as recovered by the agency.
    • A supervisor with the partner agency may request that a recovered radio be reinstated using the same process at: https://www.tn.gov/safety/tacn/report-lost-stolen-radio.html
    • As an added security measure, system administrators will verify the request before disabling or enabling a device.     
  • Encryption is optional, but AES-256 is recommended. AES-256 is a requirement for Federal grants. 
  • Multi-key encryption is recommended, if using encryption.

    Use of single-key encryption eliminates the ability to receive shared encrypted talk groups from other agencies.


Infrastructure Maintenance & Services

This section outlines what maintenance is and is not included when joining TACN:

  • Maintenance for shared infrastructure is defined as RF equipment and connectivity and is typically monitored and managed by TACN/TVRCS unless otherwise specified by the system owners
  • TACN/TVRCS will provide system updates as prescribed in the System Upgrade Agreement (SUA) with the vendor
  • Partner agencies are responsible for their IP-connected equipment (consoles, CAD, logging recorders, etc.) and must have an SUA and Managed Detection and Response (MDR)
  • Notices and schedules of updates are the responsibility of TACN/TVRCS and will be made via distribution letter to users as soon as practical
  • Partner agency SUA schedules should coincide with the TACN/TVRCS schedule to ensure the same version updates are adopted system-wide at the same time

The following diagrams illustrate the areas of responsibility for both TACN/TVRCS and Partner Agencies.

Dispatch Centers without their own Customer Enterprise Network (CEN) are recommended to have Active Eye Node Protection, or similar protection, but do not require Active Eye Remote Security Sensor (AERSS) server protection.  This scenario could include analog audio recording from the VPN connection only. In the following configuration, without a control room firewall present, an AERSS server is not required.

Graphic showing how Partner Agency SUA interacts with TACN SUA and MDR. Radio consoles go to console site equipment to backhaul (fiber, microwave, etc.) to the TACN Master Site to towers.

Dispatch Centers with their own Customer Enterprise Network (CEN) are required to have Active Eye AERSS server on location and Active Eye Node protection.

Graphic showing how Partner Agency SUA and MDR interact with TACN SUA and MDR. Partner Agency control room firewall, CEN, voice logger, and CAD go to radio consoles or go straight to console site equipment to backhaul (fiber, microwave, etc.) to the TACN Master Site and then to towers.

Recommended Procedures for Programming

  • Recommend strapped encryption, as a safety feature
  • Portable orange button should be programmed either as emergency or left blank
    - It is recommended that agencies understand the emergency alert options
  • All partner agencies should maintain standard Interop Zones
  • Devices should be set to the default ability to inhibit
  • Subscribers should have the ability to use the ASK (or similar technology) to limit programming capabilities for trunked systems.
  • If partner agencies want to utilize Failsoft, they will need to request a frequency from TACN/TVRCS.
  • It is the responsibility of the partner agencies to ensure their firmware and programming software is maintained for optimal performance and system security.

For Encryption guidelines see Encryption Section.

Recommended procedures for handling emergency button activation:

It is recommended that agencies adopt a uniform procedure for verifying and clearing the status of an end user who has activated their emergency button.

  • The monitoring dispatch center will call the end user by call sign/alias (if known) and verify their appropriate response.
  • The dispatching home agency will respond according to their internal procedures for a distress call, to include the option to notify nearby agencies who may assist in verifying the well-being of the end user of the adjoining or overlapping jurisdiction.
  • When the dispatching home agency is uncertain of the identity of the end user who activated the emergency button, they may also contact the radio system owner for assistance in determining to whom the radio has been assigned.
  • Clearing the alarm at the console level should only be performed by the home dispatching agency and only after verifying the status of the end user.
 

Device Management

Device requirements and management:

  • Personally owned devices are strictly prohibited on the system. Any device added to the system must be under the authority of a partner agency and requested or managed by the partner agency.
    • The partner agency will make the request to add device/s to the system via the appropriate format as defined by TACN/TVRCS
  • ALL Radio IDs will be assigned by TACN/TVRCS. No agency will assume the use of a Radio ID and each agency is responsible for ensuring that their IDs are not duplicated in their fleet. If the agency is using a service shop for the programming, it is the agency's responsibility to ensure that IDs are not duplicated by their service shop. Radio IDs MUST be unique in the system.
  • Audits of devices on system may be conducted annually or as needed. The partner agency will be provided a list of radio IDs/devices assigned to affiliate with the agency. The partner agency is responsible for verifying the devices are authorized and should remain on the system.
  • Managing radio IDs and eliminating duplicates is part of the radio audit process. When a device cannot be verified after reasonable attempts, it should be temporarily disabled until the partner agency can verify it is authorized.
  • Alias updates may be maintained by the partner agency. For the best solution, contact your console vendor. Solutions provided by the console vendor are at the agency’s expense.
  • Radio IDs are provided by TACN/TVRCS in a generic format to identify county/agency designator/radio ID. Example: HC HCSO_202111 (radio aliases cannot exceed 14 characters including spaces).   

Talkgroup Management

  • Fleet-mapping is conducted in consultation with either TACN or TVRCS system administration. Vendors will not create fleet maps on the system.
  • Talk group management is assessed and assigned at the discretion of either TACN or TVRCS system administration in coordination with the requesting partner agency. This includes a comprehensive assessment of capacity, agency needs, and system impacts (see section on Capacity below)
  • Audits of talk groups on the system will be conducted annually or as needed. Talk groups with minimal usage could be subject to removal upon coordination with the user agency
  • Required permissions for agency to agency sharing of talk groups can be submitted by letter of permission between the agencies and will be kept on file by TACN/TVRCS
  • Any user fees assessed by TVRCS are the responsibility of the agency requesting shared talk groups
     

Capacity

System capacity will be monitored by TACN/TVRCS.  Reports will monitor the Grade of Service (GoS) for each site.  If the GoS reaches an unacceptable level, TACN/TVRCS will make efforts to mitigate the capacity issues.
 

System Key Management

TACN/TVRCS are the only master key holders for system ID 2A5, regardless of radio manufacturer. Partner agencies will sign an ASK license agreement annually upon renewal of system key.

  • Distribution and use of software system keys is prohibited
  • Advanced System Key (ASK) management is provided by TACN/TVRCS system administrators. Normally, ASKs are only restricted by talkgroup ID and radio ID.
  • The partner agency is responsible for procuring the physical daughter key
  • Daughter key programming will be provided by TACN/TVRCS
  • System keys will be set to expire annually on June 30
  • System keys will be PIN protected
  • Lost or stolen daughter keys should be reported immediately to TACN/TVRCS administrators
     

Encryption

The State of Tennessee Encryption Plan provides detailed guidance for the use of encryption. The plan is provided upon request to partner agencies, but is for official use only, and is subject to Tenn. Code Ann. § 10-7-504(i).

  • AES-256 is the Federal standard for encryption
  • Use of ADP is at the discretion of the partner agency but does not meet best practices or Federal standards for secure communications and is used solely at the risk of the partner agency  
  • Only AES-256, the current Federal standard encryption, will be utilized after July 1, 2029 (as outlined in the Tennessee Advanced Communications Network Encryption Plan)
  • Only TACN/TVRCS can create and maintain encrypted talkgroups
  • TACN/TVRCS managers will maintain the master Key Variable Loader (KVL) for the system and will issue Common Key Reference (CKR) and key variable to user agencies. Encryption key variables will only be updated upon agency request or a known compromise.
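
The device and encryption rules in this guide (unique radio IDs, the 14-character alias limit, the CKR range of 1 to 4095, and AES-256 only after July 1, 2029) can be checked against an agency's own device list before an audit. The following Python script is an added example, not a TACN/TVRCS tool; the CSV column names, serial numbers, and finding codes are assumptions made for illustration, and the sample rows are constructed.

```python
import csv
import io
from collections import Counter
from datetime import date

ALIAS_MAX = 14                     # guide: aliases cannot exceed 14 characters, spaces included
CKR_MIN, CKR_MAX = 1, 4095         # guide: CKR is a decimal value between 1 and 4095
AES_ONLY_AFTER = date(2029, 7, 1)  # guide: only AES-256 will be utilized after this date

# Constructed sample device list; column names and serials are assumptions.
SAMPLE_CSV = """serial,radio_id,alias,algorithm,ckr
SN0001,202111,HC HCSO_202111,AES-256,101
SN0002,202112,HC HCSO_202112,AES-256,4096
SN0003,202112,HC HCFD_202112,ADP,12
SN0004,202113,HC HCFD_202113 E1,,
"""


def field(row, name):
    """Return a column value as a string, tolerating short or ragged rows."""
    return row.get(name) or ""


def audit_fleet(csv_text, as_of):
    """Return sorted (serial, finding_code) pairs for one device list."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    # Count how many devices claim each radio ID; IDs must be unique in the system.
    id_counts = Counter(field(row, "radio_id").strip() for row in rows)
    findings = []
    for row in rows:
        serial = field(row, "serial").strip()
        if id_counts[field(row, "radio_id").strip()] > 1:
            findings.append((serial, "DUPLICATE_RADIO_ID"))
        # The limit applies to the alias as programmed, so spaces are counted.
        if len(field(row, "alias")) > ALIAS_MAX:
            findings.append((serial, "ALIAS_TOO_LONG"))
        algorithm = field(row, "algorithm").strip().upper()
        if not algorithm:
            continue  # encryption is optional, so an unencrypted device has no key checks
        if algorithm != "AES-256":
            # Non-AES use is at the agency's risk until the deadline, a violation after it.
            late = as_of > AES_ONLY_AFTER
            findings.append(
                (serial, "NOT_AES256_AFTER_DEADLINE" if late else "NOT_AES256_ADVISORY")
            )
        ckr = field(row, "ckr").strip()
        in_range = ckr.isascii() and ckr.isdigit() and CKR_MIN <= int(ckr) <= CKR_MAX
        if not in_range:
            findings.append((serial, "CKR_OUT_OF_RANGE"))
    return sorted(findings)


if __name__ == "__main__":
    for serial, code in audit_fleet(SAMPLE_CSV, date.today()):
        print(f"{serial}: {code}")
```

Findings of this kind are inputs to the audit conversation with TACN/TVRCS administrators; radio IDs, CKRs, and key variables themselves are still assigned only by TACN/TVRCS.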
     

Land Mobile Radio (LMR) to Long-Term Evolution (LTE)

NOTE: Public safety broadband interfaced devices should not be used as replacement for P-25 radios for mission-critical public safety communications
 

Cellular-Based PTT – Critical Connect

TACN will use Motorola WAVE Critical Connect to facilitate the cellular-based push-to-talk (PTT) connectivity. Agencies that want to use cellular PTT will be responsible for contracting with Motorola for their WAVE connection.  Agencies will be responsible for all connection fees/subscriptions to Motorola.

The use of the Motorola WAVE app allows the flexibility for agencies to manage their own fleet of devices, while TACN maintains system control over which devices have access to LMR talk groups. This also allows agencies the flexibility to use whichever cell provider best suits their coverage needs.

Chart showing how agencies can interact with the TACN Motorola Critical Connect and WAVE CAT?WRG Patch Portal
WAVE PTX Talkgroup Sharing Chart – Critical Connect Patch Portal and WAVE PTX Portal flow into 1. CC Admin patches BB Fire 1 to LMR Fire 1. Or Critical Connect Patch Portal and WAVE PTX Portal flow into 2. Wave Admin Shares WAVE TG with Portals BB Fire 1 and 3. Portal Admins can now add BB Fire 1 to WAVE subscribers
 

Only TACN System Administration is permitted to approve public safety broadband interfaces. Any other attempt at interfacing TACN talkgroups to a public safety broadband interface/gateway will result in TACN System Administration action, including inhibiting radios and/or devices. For example, a donor radio interfaced with an IP connection is a “gateway” and is not permitted.

TACN cannot guarantee performance levels or coverage for these systems and offers these services as an additional level of service. There are additional charges that the agency will need to take into consideration that are not part of the TACN services and will be paid directly by the participating agency as required by the service provider.

TACN partner agencies seeking to connect Broadband LTE to support PTT functionality or use of an IP gateway to the TACN/TVRCS network must obtain approval from TACN/TVRCS System Administration regardless of the Broadband PTT service or application(s) utilized.

Streaming live radio traffic to the internet is strictly prohibited.

Interoperability Onboarding process for Talkgroup Sharing:

The following steps outline the process and requirements to enable interoperability between ASTRO25 (LMR) and WAVE PTX (broadband) Talkgroups.  

Prerequisites:

  • The target ASTRO25 System (TACN) must have an active WAVE Safeguard subscription.
  • The Partner Agency/customer purchasing WAVE PTX Safeguard must complete fleet planning in the WAVE PTX Portal. 

Involved Entities:

  • WAVE PTX Partner Agency - Customer purchasing WAVE PTX that wishes to access TACN LMR via broadband.
  • Critical Connect (LMR) Administrator (CC LMR Admin) - Agency managing the Critical Connect Patch Portal for the LMR system (TACN is the CC LMR Admin)
  • WAVE PTX Admin (WAVEPTX.admin@motorolasolutions.com) - Motorola Critical Connect Operations Team

Steps:

Step One: Obtain approval

Requesting WAVE PTX Partner Agency obtains interop approval from CC LMR Admin (TACN) – In this step both Requesting WAVE PTX Partner Agency and CC LMR Admin discuss capacity and impact of request and whether incremental talk paths are required for the order.  Incremental talk paths can be purchased by Requesting Partner Agency or CC LMR Admin. 
 
Linked is an example Interop Request Form (IRF) that can be used to submit the Interop Request to LMR ADMIN for approval. The IRF can be modified to fit LMR ADMIN purpose, but this example captures the basic information required by all parties (Requesting Partner Agency, CC LMR Admin & MSI WAVE PTX Admin).
 
Step Two: Requesting Partner Agency purchases WAVE PTX Safeguard

Step Three: Order Processing & Fulfillment

Once the order is received and processed, the WAVE PTX licenses will be fulfilled in the MSI Customer Hub instance on motorolasolutions.com. The subscriptions in Customer Hub will contain a link to the WAVE PTX portal where the subscriber can fleetmap the WAVE PTX subscriptions.
 
Step Four: Broadband Fleet Planning

The Partner Agency will access the WAVE PTX Portal and complete fleet planning. LXP training classes are needed for self-service configuration of the devices and talkgroups. Free training can be accessed below:

  1. Customer Hub training
  2. WAVE PTX Portal training   
  3. WAVE PTX Portal User Guide

Step Five: Linking the WAVE PTX instance to an LMR System

Once the WAVE PTX Partner Agency completes fleet planning, complete the form requesting a TRUST MATRIX between TACN WAVE and the agency WAVE instance. This is a request to have the WAVE PTX Portal associated (linked) with the LMR system WAVE Portal. WAVE PTX Admin will send WAVE PTX Partner Agency an email confirmation that the work has been completed.
 
Step Six: Check the Interop Group

Once WAVE PTX Admin associates the WAVE PTX portal with the System WAVE instance, any broadband talkgroup where the interop group is checked (see below) will show in the WAVE talkgroup list.

Screenshot of the WAVE PTX portal with the Interop Group checkbox highlighted

Step Seven: Go live

 

ERCES – Emergency Radio Communication Enhancement Systems

In-building coverage is not guaranteed as part of the TACN/TVRCS coverage system design.

If a Partner Agency requires in-building coverage to meet building codes, they will be required to follow the FCC mandates for frequency management. If the Agency is using a Class A BDA, they will be required to have a license agreement with the frequency license holder and said license agreement MUST be on file with TACN/TVRCS and the frequency license holder prior to commissioning the system.

Class B BDAs are not authorized for use.

Information on BDA frequency coordination can be found on the Emergency Radio Communication Enhancement System (ERCES) page: www.tn.gov/safety/tacn/erces.html.