Presentation is loading. Please wait.

Presentation is loading. Please wait.

SCIF Design Best Practices / Lessons Learned Presentation to: September 19, 2016.

Published byClarence Quinn Modified over 7 years ago

Similar presentations

Presentation on theme: "SCIF Design Best Practices / Lessons Learned Presentation to: September 19, 2016."— Presentation transcript:

1 SCIF Design Best Practices / Lessons Learned Presentation to: September 19, 2016

2 Purpose of the Presentation Overview of what a SCIF is & what comprises a SCIF Governing criteria for a SCIF Review of SCIF Stakeholders Best Practices / Lessons Learned in executing a SCIF project

3 What is a SCIF? Sensitive Compartmented Information Facility Facility which handles Confidential, Secret, Top Secret information Facility must be accredited in order to handle, process, discuss or store Sensitive Compartmented Information (SCI) Provides for operational capabilities that are critical to the supported command’s mission

4 What is a SCIF? Even though SCIF ultimately is a building (or area within a building) in which sensitive information is handled, the development of a SCIF is a process which requires collaboration between many stakeholders At the conclusion of construction, an accreditation process occurs which classifies the facility as one in which sensitive information can be handled The execution goal is for there to be “No surprises” when the accreditation process takes place.

5 Pop Quiz! Question: Why is it important that there not be surprises at the end construction?

6 Pop Quiz! Question: Why is it important that there not be surprises at the end construction? Answer: Because if the accreditation isn’t obtained, then the facility may not be able to be operated as a SCIF, thereby not fulfilling mission requirements.

7 Relevant Criteria for SCIF UFC’s UFC 4-010-01 & 02: DoD Minimum Antiterrorism Standards/Standoff Distances for Buildings UFC 4-010-05: Sensitive Compartmented Information Facilities Planning, Design and Construction Other Governing Criteria ICD/ICS 705: Technical Specifications for Construction and Management of SCIF JAFAN Manual 6/9: Joint Air Force Army Navy Manual for Physical Security Standards for Special Access Program Facilities (SAPF) DCID 6/9: Director of Central Intelligence Directive 6/9 was superseded by ICD/ICS 705 Other DoD Criteria Exists

8 SCIF Classifications Secure Working Area (SWA) An area where SCI is handled, discussed and/or processed, but not stored Temporary Secure Working Area (TSWA) Secure working area which is used less than 40 hours/month and the accreditation is limited to 12 months or less Temporary SCIF SCIF established for a limited time to meet tactical, emergency or immediate operational requirements

9 SCIF Classifications (cont’d) Closed Storage SCIF where SCI material is stored in GSA approved storage containers when not in use. This includes documents, computer hard drives and storage media Open Storage SCIF in which SCI may be openly stored or processed Continuous Operation SCIF which is staffed and operated 24/7

10 SCIF Stakeholders Accrediting Official (AO) Person designated by the Cognizant Security Authority (CSA) who is responsible for all aspects of SCIF management and operations to include security policy implementation and oversight. Site Security Manager (SSM) Person designated by the AO who is responsible for all aspects of SCIF management and operations to include security policy implementation and oversight. Certified TEMPEST Technical Authority (CTTA) US Government appointed employee who has met established certification requirements in regard to TEMPEST

11 SCIF Stakeholders (cont’d) Mission Users Persons who will work, operate, handle SCI in the facility once the facility becomes operational Architect – Engineer Design of SCIF shall be performed by US Companies utilizing US Citizens or US Persons A-E’s with past experience in SCIF planning and design provides a big benefit to the Government Construction Contractor Construction of SCIF shall be performed by US Companies utilizing US Citizens or US Persons Construction teams with past experience in SCIF construction techniques also provides a benefit to the Government

12 Purpose of a SCIF To mitigate against a forced entry, covert entry, visual surveillance, acoustic eavesdropping and electronic emanations which could compromise the operation held within the SCIF. Therefore, security requirements to protect against these actions need to be identified and implemented in order to have an accredited SCIF. Security can be a combination of building features or operational procedures.

13 Elements of a SCIF Security in Depth (SID) Multiple layers of physical security measures, such as: Site features such as a controlled perimeter (fence) Access Control Point (secured gates) Building perimeter SCIF Perimeter (either part of the building perimeter or within the building)

14 Elements of a SCIF Risk Assessment & Management AO, SSM, Supported Command (Mission), CTTA, Communications, Security Forces, amongst others must determine the minimum or enhanced security requirements based upon the SCIF classification

15 Elements of a SCIF (cont’d) Physical SCIF Perimeter Wall, floor, ceiling/roof construction Sound transmission coefficient (STC) Rating of 45 or 50 RF Shielding Door and door hardware Vault – concrete or steel construction Penetrations of the SCIF Perimeter Limited number of locations for perimeter penetrations Utilities such as mechanical, electrical, communications, etc. require special details Inspection of perimeter penetrations

16 SCIF within a SCIF (Compartmented Areas) Clarify if adjacent missions require enhanced security Access Control Systems (ACS) Intrusion Detection Systems (IDS) Communications Systems Comm Data (LAN/WAN) TEMPEST Countermeasures Fire Alarm / Mass Notification Systems HVAC DDC System Communication Protocols Elements of a SCIF (cont’d)

17 Best Practices / Lessons Learned Design Charrettes – dedicated discussions between the A-E’s design team and Gov’t security personnel on all aspects of the desired security requirements AO and SSM need to be identified for the project AO, SSM and other security stakeholders need to be available to the design team to answer questions throughout the life of the project Devil is in the Details – review of construction details and specifications by the AO and SSM to ensure security requirements have been satisfied

18 Best Practices / Lessons Learned Communication and understanding of needs is the biggest “lessons learned” that we’ve experienced

19 Best Practices / Lessons Learned Separation requirements for Compartmented Areas What STC ratings are required? Do penetrations require unique security measures? Can utilities cross one CA to serve another CA? Single Point of Penetration in SCIF Perimeter Determine interpretation of this ICD/ICS 705 requirement Alternative means to allow inspection of penetrations Access Control System (ACS) Identify zones for Compartmented Areas Secured vestibule (man trap) Types of acceptable door hardware, security system, etc. Is a sole source for a particular vendor necessary to tie into existing systems?

20 Best Practices / Lessons Learned Ceiling Inspection Panels

21 Best Practices / Lessons Learned Intrusion Detection System Partial design with delegated design responsibility to contractor and manufacturer Construction Documentation Include ICD/ICS 705 or JAFAN 6/9 Manual as part of the Division 01 Specs Highlight specific contractor responsibilities such as: Construction photographs as documentation Manner in which to phase/tie-in to existing systems Inspections prior to concealing construction Greater importance to phasing needs, tie-ins, existing system operability, SCIF functionality during construction A detailed Construction Security Plan (CSP) becomes even more critical for a renovation project.

22 Best Practices / Lessons Learned Justification & Authorizations (J & A’s) Avoid change orders for sole source situations Examples are for ACS, IDS, Door Hardware Consider Procurement Method Qualified Design-Build Team Traditional Design-Bid-Build Avoid contractors who may not have depth of experience or sophistication to execute a SCIF project Construction Phase Services For large SCIF projects, consider oversight required during construction Full time Resident Engineer/Architect

23 Best Practices / Lessons Learned AO, SSM, CTTA and Users (Mission) need to collaborate in order to develop the Construction Security Plan (CSP) Starts with well developed understanding of security measures required or contemplated Chapter 2 of UFC 4-010-05 has well developed checklist for planning a SCIF project and the required project documentation. For example, What is the SCIF Classification? Are there multiple SCIF’s (Compartmented Areas) needed within a particular building? Has the required security been included in the project budget?

24 Summary Successful SCIF project execution requires active involvement by project stakeholders who have a vested interest in the security of the facility Classification and development of the required security measures identified by the Government Charrette or other design meetings to collaborate on project security requirements Active review of design documents to ensure needs are met Sufficient oversight during construction to ensure details are constructed in accordance with the design “No Surprises” should be the desired goal when it’s time to obtain the SCIF accreditation

25 SCIF Facility Design Best Practices / Lessons Learned Thank you for your attention! George Fragulis PE, BEMP, CEM, PMP, LEED AP fragulisg@Pondco.com 404-748-4846

Download ppt "SCIF Design Best Practices / Lessons Learned Presentation to: September 19, 2016."

Similar presentations

Barhale Procedure for Site Establishment

Barhale Procedure for Site Establishment
Sensitive Compartmented Information Facilities (SCIF)

Sensitive Compartmented Information Facilities (SCIF)
Unclassified//FOUO Unclassified//FOUO.

Unclassified//FOUO Unclassified//FOUO.
Sensitive Compartmented Information (SCI) Policy Office

Sensitive Compartmented Information (SCI) Policy Office
FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.

FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.
UNIT PHYSICAL SECURITY PLAN

UNIT PHYSICAL SECURITY PLAN
Department of the Navy Information Security Program

Department of the Navy Information Security Program
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.

DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.
SAE AS9100 Quality Systems - Aerospace Model for Quality Assurance

SAE AS9100 Quality Systems - Aerospace Model for Quality Assurance
“Who’s In Charge?” “THE COMMAND SECTION”. The Incident/Unified Commander Incident/Unified Commander(s) provides direction and guidance through:  Key.

“Who’s In Charge?” “THE COMMAND SECTION”. The Incident/Unified Commander Incident/Unified Commander(s) provides direction and guidance through:  Key.
1 For System Administrators INFORMATION INFORMATION SYSTEM SECURITY INFORMATION INFORMATION SYSTEM SECURITY.

1 For System Administrators INFORMATION INFORMATION SYSTEM SECURITY INFORMATION INFORMATION SYSTEM SECURITY.
© BT PLC 2005 ‘Risk-based’ Approach to Managing Infrastructure a ‘Commercial Prospective’ Malcolm Page BT UK AFCEA Lisbon 2005.

© BT PLC 2005 ‘Risk-based’ Approach to Managing Infrastructure a ‘Commercial Prospective’ Malcolm Page BT UK AFCEA Lisbon 2005.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
Information Systems Security Officer

Information Systems Security Officer
Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.

Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.
Security Offering. Cyber Security Solutions 2 Assessment Analysis & Planning Design & Architecture Development & Implementation O&M Critical Infrastructure.

Security Offering. Cyber Security Solutions 2 Assessment Analysis & Planning Design & Architecture Development & Implementation O&M Critical Infrastructure.
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.
1 Performance Management Presentation Access Control Team Members: Major Billy Alford, Team Leader Bill Brosius, Alex Salah, Cassandra Harris ORS National.

1 Performance Management Presentation Access Control Team Members: Major Billy Alford, Team Leader Bill Brosius, Alex Salah, Cassandra Harris ORS National.
Complying With The Federal Information Security Act (FISMA)

Complying With The Federal Information Security Act (FISMA)

Similar presentations

Ads by Google