Updated: Aug 2
TEMPEST is one of the most misunderstood (and least understood) aspects of ICD 705, but here are the magic steps to demystifying this hotly debated subject… Ready?
Before initiating any kind of contract to build or design your project after being certified to do so with a DD254 form, proactively collaborate with your AO (Accrediting Official) and submit what information you can with your Construction Security Plan (CSP), Fixed Facility Checklist (FFC), and TEMPEST Checklist forms.
Follow the directions you receive back from your AO and CTTA (Certified TEMPEST Technical Authority) and incorporate that information into your SCIF Statement of Work (SOW).
Boom… It can be that easy… So why isn’t it that easy? There are many reasons why, and this is part of a series of interrelated articles on TEMPEST that will stop short of a technical “deep dive,” but will hopefully help clear up some of the areas where projects can get stuck.
So let’s start with trying to do things the right way and see what happens… Let’s say you are following the rules: you’ve pulled together a basic concept plan of the space you are looking to build out, filled in as much of the boilerplate information as possible on your CSP, FFC and TEMPEST Checklist, contacted the AO associated with your stakeholder organization, and passed this information on to him/her. On the corporate side, you have a green light on funding and approvals, and Facilities is pressing to get Contracting involved in finalizing an SOW for an RFP (Request for Proposal) for a General Contractor (GC) bid. Sounds great, right? Wrong…
Yes, that’s the correct process (and few are done that way, unfortunately), but what do you really know about how you need to construct your space? Do you have an up-to-date “threat, risk and vulnerability assessment” for your facility that defines Security In-Depth and Stand Off space? Did you submit that with your other forms? How do some of the factors you identify in your assessment cause issues with complying with ICD 705, separate from any issues identified by the CTTA? Assuming you received feedback from your AO before taking any further steps, do you understand how that feedback translates to defining your SOW for the GC?
Do you understand the AO/CTTA relationship for your accrediting stakeholder organization? Each organization is different… Sometimes you will get separate and distinct feedback from your AO and CTTA (usually through the AO), but sometimes an MOU (Memorandum of Understanding) is in place allowing the AO to make CTTA determinations. Do you have an understanding of your AO’s requirements as your project commences? For example, if the feedback you get specifies that the facility will need to attain 60 dB of RF attenuation and that the construction schedule will need to reflect milestone inspections, instrumentation testing and prior approval “mock ups”… Does your SOW actually reflect all of that? Are the GCs you are looking to bid to even qualified to know how to build to a specified level of RF attenuation if requested by the AO? Most are not…
What’s worse is when you get no feedback, or a boilerplate letter from the AO that speaks generally of things you need to be compliant with… Organizations can be resource challenged, especially with a very limited number of CTTAs to go around (many of whom are also focused on overseas priorities). Does no response mean you can build whatever you want as long as it meets ICD 705 specifications? Does no response (or minimal response) mean that now you can confidently tell your company leadership their project budget is solid and there will be no “gotchas” coming with final Accreditation? Maybe not… And what does 705 really say about TEMPEST? Well, it defers all “inspectable space” determinations to the CTTA… And there is a reference to the “Best Practices Guidelines for Architectural Radio Frequency Shielding,” prepared by the Technical Requirements Steering Committee under the Center for Security Evaluation, a document available through the Center for Security Evaluation, Office of the Director of National Intelligence (NCSC/CSE)… But less than 1% of the general SCIF/SAPF building population even knows what this document is (or how to get it).
As you can see, even when doing things the right way, quite a few issues can immediately pop up in the process, and it’s critical to address many of them as early as possible to ensure a smooth and seamless project that is on time and on budget, even with the technical calculations that may come into play. Questions such as whether or not your space will be evaluated with instrumentation, or how involved in the project the AO wants to be (inspections, etc.), are important to answer so these things can be integrated into the larger project. SPG understands both the questions you will have at the beginning of your project and the solutions to them. In the next segment, we will further explore where most companies typically are in relation to being compliant with TEMPEST concerns and some common misperceptions, but if you are reading this before publication, please contact us so we can get you assistance right away in getting your project back on track.