Slide 3: Step 1. Have a Need
- Unlike in the past, “Build it and they will come” is not a viable business plan.
- Have the appropriate written authorization.
- For most of us this will be a DD254 with appropriate boxes checked.
  - Classification Level
  - SCI
  - COMSEC
  - Storage
  - Processing
- Correct SCIF Address/location on DD254.

Slide 4: Step 2. Construction Security Plan
- For contractor facilities ICD 705 looks very similar to DCID 6/9?
- A new requirement of ICD 705 implementation is a CSP.
- Each cognizant authority will approve CSPs prior to giving an “approval to build.”
- The CSP in many cases replaces the “Discovery Meetings” that are routinely held prior to SCIF construction.
- CSP specifies who can build a SCIF:
  “Construction and design of SCIFs should be performed by U.S. Companies using U.S. Citizens to reduce risk, but may be performed by U.S. companies using U.S. persons (an individual who has been lawfully admitted for permanent residence as defined in 8 U.S.C (a)(20) or who is a protected individual as defined by Title 8 U.S.C b(a)(3)). The Accreditation Official shall ensure mitigations are implemented when using non-U.S. citizens. These mitigations shall be documented in the CSP.”

Slide 6: Step 2. Construction Security Plan – Cont.
- Negotiating with Construction Contractors.
- Require that Employees and Sub-Contractors are U.S. Citizens. (Include this in your RFQ and contract language.)
- Ensure that the company and its subs are U.S. Owned.
- Justifications are required for any request not to use all U.S. Citizens.
- In these instances, your justification or exceptions should identify the non-U.S. Citizens, as well as your proposed mitigation strategy within the CSP.
- If you are unsure whether your contractor is U.S. owned, work with your cognizant security agency's industrial security office for assistance.
- At a minimum the Information Technology Infrastructure of your SCIF MUST be installed by U.S. citizens ONLY. (Alarms, wiring, fiber, etc.)

Slide 7: SCIF Building
- A different approach: Working Backwards…

Slide 8: What features does my SCIF need?
- Alarms
- Doors
- Strong Perimeter
- Appropriate Windows
- Appropriate Storage (Paper vs Media: it may be different.)
- Security in Depth
- Lots and lots of paperwork! (logs, inventories, audits, plans, policies, accounts, methods...)

Slide 9: ALARMS
- Test all alarm points (motions and tampers), including door contacts, and alarm panel tampers.
- Ensure sufficient alarm motion sensor coverage.
- Test alarm response and guard force response time. (Type and length of alarm emergency back up?)
- Primary and Secondary pathways? (ISP, POTS?)
- Obtain UL2050 Cert.
- Alarms installed by UL2050 company to UL2050 standards.
- Remove factory defaults from alarm panel.

Slide 10: DOORS
- Sweeps and seals around and under door. Do a light and sound test. (Sound Generators, No discussion signs, auto closers on doors.)
- Check locking hardware on main SCIF door, and crash bars on emergency exits.
- BMS and annunciators on emergency exit doors.
- Proper access control (badge swipe or cipher lock) in addition to X-09.

Slide 11: SCIF Perimeter
- Walls are finished and painted above false ceiling? No holes or unfinished space above false ceiling.
- Check inspection ports and ensure man bars are properly affixed (to duct, not man-bar frame) with welds or metal epoxy over screws.
- All penetrations have non-conductive breaks or are grounded.
- All open pipes are capped or filled with foam.
- Check that Tempest foil (if required) extends out the proper length along ceiling.
- Recommend a labeling system for each pipe, wire, duct, etc. above false ceiling. Use reflective tags to help locate inspection ports.

Slide 12: Windows
- Check for Tempest Film (if required).
- Ensure windows have blinds or curtains with hardware removed.
- Check coverage and functionality of red lights for un-cleared visitors.
- Ensure guard response time is appropriate for your building. (This may vary based on number and height of windows from ground level.)

Slide 13: Storage Level / Security in Depth
- Does the SCIF have Security in Depth? If so, at what classification? (Example: SCIF is located on a Military installation where only U.S. Cleared Secret personnel can access? Or SCIF is located in a public building also occupied by a University? Fenced in? Control the parking lot?)
- Open or closed storage? Are there adequate safes and safe drawers for Open/Closed storage that allow for separation of programs?
- What is the required alarm response time based on Open/Closed and Security in Depth?

Slide 14: Paperwork
- Finalized Fixed Facility Checklist (FFC).
- Tempest Worksheet (If required… will be Classified once filled in.)
- Standard Practices and Procedures (SPP SOP).
- Alarm Response Plan & Guard Force Posting instructions.
- Alarm Company Audit Logs.
- Emergency Action Plan.
- SCIF Roster / Access Log / OPEN/CLOSED logs.

Slide 15: Paperwork – continued
- Visitor Logs (Cleared and un-cleared/maintenance).
- Safe logs (open/closed logs and Password lists).
- Reproductions / Destruction logs. (Approved equipment/methods?)
- Classified Document/Media Control logs, Transmittals, and courier briefs (DCS account).
- Equipment Maintenance Logs.
- COMSEC Account.
- Automated Information Systems (AIS) “SSPs.”