The following technical specification for the construction of sensitive compartmented information facilities (SCIFs) is available online via the website of several construction companies as well as the U.S. Navy.
Update: Version 1.2 of the manual is now available. You can also download version 1.1 from October 31, 2011.
TECHNICAL SPECIFICATIONS FOR CONSTRUCTION AND MANAGEMENT OF SENSITIVE COMPARTMENTED INFORMATION FACILITIES
- IC Tech Spec‐for ICD/ICS 705
- 166 pages
- April 23, 2012
This Intelligence Community (IC) Technical Specification sets forth the physical and technical security specifications and best practices for meeting standards of Intelligence Community Standard (ICS) 705-1 (Physical and Technical Standards for Sensitive Compartmented Information Facilities). When the technical specifications herein are applied to new construction and renovations of Sensitive Compartmented Information Facilities (SCIFs), they shall satisfy the standards outlined in ICS 705-1 to enable uniform and reciprocal use across all IC elements and to assure information sharing to the greatest extent possible. This document is the implementing specification for Intelligence Community Directive (ICD) 705, Physical and Technical Security Standards for Sensitive Compartmented Information Facilities (ICS-705-1) and Standards for Accreditation and Reciprocal Use of Sensitive Compartmented Information Facilities (ICS-705-2) and supersedes Director of Central Intelligence Directive (DCID) 6/9.
The specifications contained herein will facilitate the protection of Sensitive Compartmented Information (SCI) against compromising emanations, inadvertent observation and disclosure by unauthorized persons, and the detection of unauthorized entry.
A. Analytical Risk Management Process
1. The Accrediting Official (AO) and the Site Security Manager (SSM) should evaluate each proposed SCIF for threats, vulnerabilities, and assets to determine the most efficient countermeasures required for physical and technical security. In some cases, based upon that risk assessment, it may be determined that it is more practical or efficient to mitigate a standard. In other cases, it may be determined that additional security measures should be employed due to a significant risk factor.
2. Security begins when the initial requirement for a SCIF is known. To ensure the integrity of the construction and final accreditation, security plans should be coordinated with the AO before construction plans are designed, materials ordered, or contracts let.
a) Security standards shall apply to all proposed SCI facilities and shall be coordinated with the AO for guidance and approval. Location of facility construction and or fabrication does not exclude a facility from security standards and or review and approval by the AO. SCI facilities include but are not limited to fixed facilities, mobile platforms, prefabricated structures, containers, modular applications or other new or emerging applications and technologies that may meet performance standards for use in SCI facility construction.
b) Mitigations are verifiable, non-standard methods that shall be approved by the AO to effectively meet the physical/technical security protection level(s) of the standard. While most standards may be effectively mitigated via non-standard construction, additional security countermeasures and/or procedures, some standards are based upon tested and verified equipment (e.g., a combination lock meeting Federal Specification FF-L 2740A) chosen because of special attributes and could not be mitigated with non-tested equipment. The AO’s approval is documented to confirm that the mitigation is at least equal to the physical/technical security level of the standard.
c) Exceeding a standard, even when based upon risk, requires that a waiver be processed and approved in accordance with ICD 705.
3. The risk management process includes a critical evaluation of threats, vulnerability, and assets to determine the need and value of countermeasures. The process may include the following:
a) Threat Analysis. Assess the capabilities, intentions, and opportunity of an adversary to exploit or damage assets or information. Reference the threat information provided in the National Threat Identification and Prioritization Assessment (NTIPA) produced by the National Counterintelligence Executive (NCIX) for inside the U.S. and/or the Overseas Security Policy Board (OSPB), Security Environment Threat List (SETL) for outside the U.S. to determine technical threat to a location. When evaluating for TEMPEST, the Certified TEMPEST Technical Authorities (CTTA) shall use the National Security Agency Information Assurance (NSA IA) list as an additional resource for specific technical threat information. It is critical to identify other occupants of common and adjacent buildings. (However, do not attempt to collect information against U.S. persons in violation of Executive Order (EO) 12333.) In areas where there is a diplomatic presence of high and critical threat countries, additional countermeasures may be necessary.
b) Vulnerability Analysis. Assess the inherent susceptibility to attack of a procedure, facility, information system, equipment, or policy.
c) Probability Analysis. Assess the probability of an adverse action, incident, or attack occurring.
d) Consequence Analysis. Assess the consequences of such an action (expressed as a measure of loss, such as cost in dollars, resources, programmatic effect/mission impact, etc.).