SCIF Construction: A Different Approach
Dell Global Security, James T. Baruch, February 1, 2012

SCIF Pre-Construction Planning Phase

Step 1. Have a Need
– Unlike in the past, "Build it and they will come" is not a viable business plan.
– Have the appropriate written authorization. For most of us this will be a DD254 with appropriate boxes checked.
– Classification Level SCI COMSEC Storage Processing
– Correct SCIF address/location on DD254.

Step 2. Construction Security Plan
For contractor facilities ICD 705 looks very similar to DCID 6/9?
– A new requirement of ICD 705 implementation is a CSP.
– Each cognizant authority will approve CSPs prior to giving an approval to build.
– The CSP in many cases replaces the Discovery Meetings that are routinely held prior to SCIF construction.
– CSP specifies who can build a SCIF.
Construction and design of SCIFs should be performed by U.S. companies using U.S. citizens to reduce risk, but may be performed by U.S. companies using U.S. persons (an individual who has been lawfully admitted for permanent residence as defined in 8 U.S.C. 1101(a)(20) or who is a protected individual as defined by Title 8 U.S.C. 1324b(a)(3)). The Accreditation Official shall ensure mitigations are implemented when using non-U.S. citizens. These mitigations shall be documented in the CSP.

Step 2. Construction Security Plan – Cont.
Negotiating with Construction Contractors.
– Require that employees and sub-contractors are U.S. citizens. (Include this in your RFQ and contract language.)
– Ensure that the company and its subs are U.S. owned.
– Justifications are required for any request not to use all U.S. citizens. In these instances, your justification or exceptions should identify the non-U.S. citizens, as well as your proposed mitigation strategy within the CSP. If you are unsure whether your contractor is U.S. owned, work with your cognizant security agency's industrial security office for assistance.
– At a minimum the Information Technology Infrastructure of your SCIF MUST be installed by U.S. citizens ONLY. (Alarms, wiring, fiber, etc.)

SCIF Building
A different approach: Working Backwards…

What features does my SCIF need?
– Alarms
– Doors
– Strong Perimeter
– Appropriate Windows
– Appropriate Storage (Paper vs Media – it may be different.)
– Security in Depth
– Lots and lots of paperwork! (logs, inventories, audits, plans, policies, accounts, methods...)

ALARMS
– Test all alarm points (motions and tampers), including door contacts and alarm panel tampers.
– Ensure sufficient alarm motion sensor coverage.
– Test alarm response and guard force response time. (Type and length of alarm emergency backup?)
– Primary and secondary pathways? (ISP, POTS?)
– Obtain UL2050 Cert. Alarms installed by UL2050 company to UL2050 standards.
– Remove factory defaults from alarm panel.

DOORS
– Sweeps and seals around and under door.
– Do a light and sound test. (Sound generators, no-discussion signs, auto closers on doors.)
– Check locking hardware on main SCIF door, and crash bars on emergency exits.
– BMS and annunciators on emergency exit doors.
– Proper access control (badge swipe or cipher lock) in addition to X-09.

SCIF Perimeter
– Walls are finished and painted above false ceiling? No holes or unfinished space above false ceiling.
– Check inspection ports and ensure man bars are properly affixed (to duct, not man-bar frame) with welds or metal epoxy over screws.
– All penetrations have non-conductive breaks or are grounded.
– All open pipes are capped or filled with foam.
– Check that Tempest foil (if required) extends out the proper length along ceiling.
– Recommend a labeling system for each pipe, wire, duct, etc. above false ceiling. Use reflective tags to help locate inspection ports.

Windows
– Check for Tempest film (if required).
– Ensure windows have blinds or curtains with hardware removed.
– Check coverage and functionality of red lights for un-cleared visitors.
– Ensure guard response time is appropriate for your building. (This may vary based on number and height of windows from ground level.)

Storage Level / Security in Depth
– Does the SCIF have Security in Depth? If so, at what classification? (Example: SCIF is located on a military installation where only U.S. cleared Secret personnel can access? Or SCIF is located in a public building also occupied by a university? Fenced in? Control the parking lot?)
– Open or closed storage? Are there adequate safes and safe drawers for open/closed storage that allow for separation of programs?
– What is the required alarm response time based on open/closed storage and Security in Depth?

Paperwork
– Finalized Fixed Facility Checklist (FFC).
– Tempest Worksheet (if required… will be Classified once filled in).
– Standard Practices and Procedures (SPP SOP).
– Alarm Response Plan & Guard Force Posting instructions.
– Alarm Company Audit Logs.
– Emergency Action Plan.
– SCIF Roster / Access Log / OPEN/CLOSED logs.

Paperwork – continued
– Visitor Logs (cleared and un-cleared/maintenance).
– Safe logs (open/closed logs and password lists).
– Reproductions / Destruction logs. (Approved equipment/methods?)
– Classified Document/Media Control logs, Transmittals, and courier briefs (DCS account).
– Equipment Maintenance Logs.
– COMSEC Account.
– Automated Information Systems (AIS) SSPs.