SCIF Design Best Practices / Lessons Learned Presentation to: September 19, 2016

Purpose of the Presentation Overview of what a SCIF is & what comprises a SCIF Governing criteria for a SCIF Review of SCIF Stakeholders Best Practices / Lessons Learned in executing a SCIF project

What is a SCIF? Sensitive Compartmented Information Facility Facility which handles Confidential, Secret, Top Secret information Facility must be accredited in order to handle, process, discuss or store Sensitive Compartmented Information (SCI) Provides for operational capabilities that are critical to the supported command’s mission

What is a SCIF? Even though SCIF ultimately is a building (or area within a building) in which sensitive information is handled, the development of a SCIF is a process which requires collaboration between many stakeholders At the conclusion of construction, an accreditation process occurs which classifies the facility as one in which sensitive information can be handled The execution goal is for there to be “No surprises” when the accreditation process takes place.

Pop Quiz! Question: Why is it important that there not be surprises at the end construction?

Pop Quiz! Question: Why is it important that there not be surprises at the end construction? Answer: Because if the accreditation isn’t obtained, then the facility may not be able to be operated as a SCIF, thereby not fulfilling mission requirements.

Relevant Criteria for SCIF UFC’s UFC & 02: DoD Minimum Antiterrorism Standards/Standoff Distances for Buildings UFC : Sensitive Compartmented Information Facilities Planning, Design and Construction Other Governing Criteria ICD/ICS 705: Technical Specifications for Construction and Management of SCIF JAFAN Manual 6/9: Joint Air Force Army Navy Manual for Physical Security Standards for Special Access Program Facilities (SAPF) DCID 6/9: Director of Central Intelligence Directive 6/9 was superseded by ICD/ICS 705 Other DoD Criteria Exists

SCIF Classifications Secure Working Area (SWA) An area where SCI is handled, discussed and/or processed, but not stored Temporary Secure Working Area (TSWA) Secure working area which is used less than 40 hours/month and the accreditation is limited to 12 months or less Temporary SCIF SCIF established for a limited time to meet tactical, emergency or immediate operational requirements

SCIF Classifications (cont’d) Closed Storage SCIF where SCI material is stored in GSA approved storage containers when not in use. This includes documents, computer hard drives and storage media Open Storage SCIF in which SCI may be openly stored or processed Continuous Operation SCIF which is staffed and operated 24/7

SCIF Stakeholders Accrediting Official (AO) Person designated by the Cognizant Security Authority (CSA) who is responsible for all aspects of SCIF management and operations to include security policy implementation and oversight. Site Security Manager (SSM) Person designated by the AO who is responsible for all aspects of SCIF management and operations to include security policy implementation and oversight. Certified TEMPEST Technical Authority (CTTA) US Government appointed employee who has met established certification requirements in regard to TEMPEST

SCIF Stakeholders (cont’d) Mission Users Persons who will work, operate, handle SCI in the facility once the facility becomes operational Architect – Engineer Design of SCIF shall be performed by US Companies utilizing US Citizens or US Persons A-E’s with past experience in SCIF planning and design provides a big benefit to the Government Construction Contractor Construction of SCIF shall be performed by US Companies utilizing US Citizens or US Persons Construction teams with past experience in SCIF construction techniques also provides a benefit to the Government

Purpose of a SCIF To mitigate against a forced entry, covert entry, visual surveillance, acoustic eavesdropping and electronic emanations which could compromise the operation held within the SCIF. Therefore, security requirements to protect against these actions need to be identified and implemented in order to have an accredited SCIF. Security can be a combination of building features or operational procedures.

Elements of a SCIF Security in Depth (SID) Multiple layers of physical security measures, such as: Site features such as a controlled perimeter (fence) Access Control Point (secured gates) Building perimeter SCIF Perimeter (either part of the building perimeter or within the building)

Elements of a SCIF Risk Assessment & Management AO, SSM, Supported Command (Mission), CTTA, Communications, Security Forces, amongst others must determine the minimum or enhanced security requirements based upon the SCIF classification

Elements of a SCIF (cont’d) Physical SCIF Perimeter Wall, floor, ceiling/roof construction Sound transmission coefficient (STC) Rating of 45 or 50 RF Shielding Door and door hardware Vault – concrete or steel construction Penetrations of the SCIF Perimeter Limited number of locations for perimeter penetrations Utilities such as mechanical, electrical, communications, etc. require special details Inspection of perimeter penetrations

SCIF within a SCIF (Compartmented Areas) Clarify if adjacent missions require enhanced security Access Control Systems (ACS) Intrusion Detection Systems (IDS) Communications Systems Comm Data (LAN/WAN) TEMPEST Countermeasures Fire Alarm / Mass Notification Systems HVAC DDC System Communication Protocols Elements of a SCIF (cont’d)

Best Practices / Lessons Learned Design Charrettes – dedicated discussions between the A-E’s design team and Gov’t security personnel on all aspects of the desired security requirements AO and SSM need to be identified for the project AO, SSM and other security stakeholders need to be available to the design team to answer questions throughout the life of the project Devil is in the Details – review of construction details and specifications by the AO and SSM to ensure security requirements have been satisfied

Best Practices / Lessons Learned Communication and understanding of needs is the biggest “lessons learned” that we’ve experienced

Best Practices / Lessons Learned Separation requirements for Compartmented Areas What STC ratings are required? Do penetrations require unique security measures? Can utilities cross one CA to serve another CA? Single Point of Penetration in SCIF Perimeter Determine interpretation of this ICD/ICS 705 requirement Alternative means to allow inspection of penetrations Access Control System (ACS) Identify zones for Compartmented Areas Secured vestibule (man trap) Types of acceptable door hardware, security system, etc. Is a sole source for a particular vendor necessary to tie into existing systems?

Best Practices / Lessons Learned Ceiling Inspection Panels

Best Practices / Lessons Learned Intrusion Detection System Partial design with delegated design responsibility to contractor and manufacturer Construction Documentation Include ICD/ICS 705 or JAFAN 6/9 Manual as part of the Division 01 Specs Highlight specific contractor responsibilities such as: Construction photographs as documentation Manner in which to phase/tie-in to existing systems Inspections prior to concealing construction Greater importance to phasing needs, tie-ins, existing system operability, SCIF functionality during construction A detailed Construction Security Plan (CSP) becomes even more critical for a renovation project.

Best Practices / Lessons Learned Justification & Authorizations (J & A’s) Avoid change orders for sole source situations Examples are for ACS, IDS, Door Hardware Consider Procurement Method Qualified Design-Build Team Traditional Design-Bid-Build Avoid contractors who may not have depth of experience or sophistication to execute a SCIF project Construction Phase Services For large SCIF projects, consider oversight required during construction Full time Resident Engineer/Architect

Best Practices / Lessons Learned AO, SSM, CTTA and Users (Mission) need to collaborate in order to develop the Construction Security Plan (CSP) Starts with well developed understanding of security measures required or contemplated Chapter 2 of UFC has well developed checklist for planning a SCIF project and the required project documentation. For example, What is the SCIF Classification? Are there multiple SCIF’s (Compartmented Areas) needed within a particular building? Has the required security been included in the project budget?

Summary Successful SCIF project execution requires active involvement by project stakeholders who have a vested interest in the security of the facility Classification and development of the required security measures identified by the Government Charrette or other design meetings to collaborate on project security requirements Active review of design documents to ensure needs are met Sufficient oversight during construction to ensure details are constructed in accordance with the design “No Surprises” should be the desired goal when it’s time to obtain the SCIF accreditation

SCIF Facility Design Best Practices / Lessons Learned Thank you for your attention! George Fragulis PE, BEMP, CEM, PMP, LEED AP