Many people ask, “What is a SCIF?” A more important question might be, “Why do SCIFs fall short?” SCIFs (Sensitive Compartmented Information Facilities) generally fail when they lack policy-compliant construction expertise, which seems to be in short supply in this industry. As the saying goes, “The hurrieder I go, the behinder I get,” and this is just as true for a niche area of the construction industry called “SCIF construction” as anything else. It is absolutely critical that stakeholders take every step necessary to prevent substandard policy compliance in the construction of these types of facilities, especially when one considers that these spaces are our nation’s highest level of protection for national security information at the Top Secret, Sensitive Compartmented Information (TS/SCI) or Special Access Program (SAP) levels. Focusing on the early stages of policy compliance is an essential part of doing things the right way, not only in the beginning but throughout the entire project. The reality today, however, is that many SCIF stakeholders tend to leapfrog their way around the process instead. This article will attempt to provide some clarity by identifying the appropriate lifecycle of the SCIF construction process, followed by some of the more common failings and consequences along the way.
The correct steps for the SCIF design, construction and accreditation process are a matter of ICD 705 policy and are very clearly outlined. Those steps look something like this:
The entire process begins with an identified requirement for a SCIF, sanctioned by an appropriate party (if Government), or with a contractual basis (DD254) for non-government Industry. For purposes of this article, I am going to focus on the Industry process, which then requires (in many cases) a “Concept of Operations” approval from the Accreditation office with a Cognizant Security Authority (CSA) sponsor. Unfortunately, this isn’t a standardized process in the Intelligence Community (IC) and can range from an informal nod from a USG sponsor, to a more formal Construction Security Worksheet and initial layout drawings. A “Pre-Construction Checklist” is rumored to be in the works with new policy updates for ICD 705, Version (1.5), but as of this writing, that update hasn’t yet been promulgated.
Once initial approvals and justifications are obtained, you would typically begin exploring things like site selection, design-build company selection and initial completion of your Construction Security Plan (CSP), Fixed Facility Checklist (FFC) and TEMPEST Checklist forms. (Industry note: If you don’t have Sponsor approval, contractually or otherwise, 705 policy prohibits “Spec Building” of secure facilities and you risk facing larger cost issues if you proceed unilaterally.) The key piece to all of this is establishing an initial, proactive and collaborative relationship with your Accrediting Official (AO).
An often-overlooked piece is the Analytic Risk Management (ARM) process when evaluating new or existing facilities. The bottom line is that future issues and additional costs are often easily solved, or aren’t issues in the first place, if a company follows the correct policy protocol for evaluating threats, risks and vulnerabilities associated with its site build and has established a dialogue with the entity that will eventually be accrediting its space. Why is this important? How can you ask a Designer to build in the appropriate countermeasures for your space if you have no idea what your TEMPEST posture is? What will you do if you engage your AO late and they levy additional requirements due to a perceived threat you didn’t anticipate, but you have already established a budget based upon an early rough order of magnitude (ROM) from your General Contractor (or worse, already issued a purchase order or contract)? For these reasons and more, it makes good fiscal and administrative sense to ensure you have all the correct information early on to make your SCIF build a seamless process that culminates in a quick accreditation (without schedule deviations or delays).
In our next segment, we’ll talk about some of the important considerations in the Design and Construction of SCIFs.