SCIF Construction Lessons Learned - tri

Dell Global Security
SCIF Construction “A Different Approach”
James T. Baruch
February 1, 2012
SCIF Pre-Construction “Planning Phase”
Services
Step 1. Have a Need
• Unlike in the past, “Build it and they will come” is not a viable business plan.
• Have the appropriate written authorization.
• For most of us this will be a DD254 with the appropriate boxes checked:
– Classification Level
– SCI
– COMSEC
– Storage
– Processing
• Correct SCIF address/location on the DD254.
Step 2. Construction Security Plan
• For contractor facilities, ICD 705 looks very similar to DCID 6/9.
– A new requirement of ICD 705 is the implementation of a Construction Security Plan (CSP).
– Each cognizant authority will approve CSPs prior to giving an “approval to build.”
– The CSP in many cases replaces the “Discovery Meetings” that are routinely held prior to SCIF construction.
– The CSP specifies who can build a SCIF:
› “Construction and design of SCIFs should be performed by U.S. companies using U.S. citizens to reduce risk, but may be performed by U.S. companies using U.S. persons (an individual who has been lawfully admitted for permanent residence as defined in 8 U.S.C. 1101(a)(20) or who is a protected individual as defined by Title 8 U.S.C. 1324b(a)(3)). The Accreditation Official shall ensure mitigations are implemented when using non-U.S. citizens. These mitigations shall be documented in the CSP.”
U.S. Companies & U.S. Citizens.
Step 2. Construction Security Plan – Cont.
• Negotiating with construction contractors.
– Require that employees and sub-contractors be U.S. citizens.
› (Include this in your RFQ and contract language.)
– Ensure that the company and its subs are U.S. owned.
– Justifications are required for any request not to use all U.S. citizens.
› In these instances, your justification or exception should identify the non-U.S. citizens, as well as your proposed mitigation strategy, within the CSP.
› If you are unsure whether your contractor is U.S. owned, work with your cognizant security agency’s industrial security office for assistance.
– At a minimum, the information technology infrastructure of your SCIF MUST be installed by U.S. citizens ONLY (alarms, wiring, fiber, etc.).
SCIF Building: A different approach – Working Backwards….
What features does my SCIF need?
• Alarms
• Doors
• Strong Perimeter
• Appropriate Windows
• Appropriate Storage (paper vs. media – it may be different.)
• Security in Depth
• Lots and lots of paperwork! (logs, inventories, audits, plans, policies, accounts, methods...)
ALARMS
• Test all alarm points (motions and tampers), including door contacts and alarm panel tampers.
• Ensure sufficient alarm motion sensor coverage.
• Test alarm response and guard force response time. (What type and length of alarm emergency backup power?)
• Primary and secondary communication pathways? (ISP, POTS?)
• Obtain the UL 2050 certificate.
• Alarms installed by a UL 2050-listed company to UL 2050 standards.
• Remove factory default settings and codes from the alarm panel.
DOORS
• Sweeps and seals around and under the door. Do a light and sound test. (Sound generators, “no discussion” signs, auto closers on doors.)
• Check locking hardware on the main SCIF door, and crash bars on emergency exits.
• BMS (balanced magnetic switches) and annunciators on emergency exit doors.
• Proper access control (badge swipe or cipher lock) in addition to the X-09 lock.
SCIF Perimeter
• Are walls finished and painted above the false ceiling?
• No holes or unfinished space above the false ceiling.
• Check inspection ports and ensure man bars are properly affixed (to the duct, not the man-bar frame) with welds or metal epoxy over screws.
• All penetrations have non-conductive breaks or are grounded.
• All open pipes are capped or filled with foam.
• Check that TEMPEST foil (if required) extends out the proper length along the ceiling.
• Recommend a labeling system for each pipe, wire, duct, etc. above the false ceiling. Use reflective tags to help locate inspection ports.
Windows
• Check for TEMPEST film (if required).
• Ensure windows have blinds or curtains with the hardware removed.
• Check coverage and functionality of red lights for uncleared visitors.
• Ensure guard response time is appropriate for your building. (This may vary based on the number of windows and their height from ground level.)
Storage Level / Security in Depth
• Does the SCIF have security in depth? If so, at what classification? (For example: is the SCIF located on a military installation where only U.S. Secret-cleared personnel can access it? Or is the SCIF located in a public building also occupied by a university? Fenced in? Do you control the parking lot?)
• Open or closed storage? Are there adequate safes and safe drawers for open/closed storage that allow for separation of programs?
• What is the required alarm response time based on open/closed storage and security in depth?
Paperwork
• Finalized Fixed Facility Checklist (FFC).
• TEMPEST worksheet (if required… it will be classified once filled in).
• Standard Practices and Procedures (SPP / SOP).
• Alarm Response Plan and guard force posting instructions.
• Alarm company audit logs.
• Emergency Action Plan.
• SCIF roster / access log / OPEN/CLOSED logs.
Paperwork – continued
• Visitor logs (cleared and uncleared/maintenance).
• Safe logs (open/closed logs and password lists).
• Reproduction / destruction logs. (Approved equipment and methods?)
• Classified document/media control logs, transmittals, and courier briefs (DCS account).
• Equipment maintenance logs.
• COMSEC account.
• Automated Information Systems (AIS) SSPs.
Questions?