Which documents you need for your accreditation package and best practices
An issue with your accreditation package could potentially lead to major delays in getting your SCIF or SAPF operational. Avoid tripping at the accreditation “finish line” by making sure you know exactly what you need to provide your Accrediting Official (AO).
The Site Security Manager (SSM) will be the primary person in charge of completing the accreditation package and working with the AO. While your accreditation package is needed to complete your construction project, not everything in it is submitted at the end of construction. Some things need to be submitted and approved by the AO before construction even begins.
One of the first things you’ll submit to the AO is concept approval for the SCIF. This information will identify the SSM and some basic information about the facility, like the general location, as well as your risk management review.
Before you can begin construction, you need to create a Construction Security Plan (CSP). This document establishes the security protections that will be implemented during the construction process. The CSP outlines topics including security measures like fencing, cameras or guards, identification of adjacent facilities, explanation of how construction plans and other documents will be handled, and more.
You will also submit an initial version of your Fixed Facility Checklist (FFC) and TEMPEST Addendum. At this stage, you will not know most of the information you need to include in these forms, such as the location and mitigation of penetrations, which is decided further along during the design process. You will have information from the concept approval that you can add. Basically, be as thorough as possible when filling out these forms prior to construction, but know that you don’t have to complete them until later. If there is information the AO wants to know at this stage that you didn’t include, they will reach out after you submit it.
The DoD Manual 5105.21 Volume 2 lays out some specific documents you will need to submit to the AO for your accreditation package. These are your final FFC, specification sheets for the Intrusion Detection System (IDS) component parts, a UL 2050 certification for IDS, a NIST 128-bit certificate for IDS, IDS test results and a catastrophic failure plan. You may also need a co-utilization agreement if the space will be shared by multiple programs or Technical Surveillance Countermeasure (TSCM) reports if the AO requires them.
However, these documents do not make up the entirety of your accreditation package. In addition to these, you will need the security briefing/training records of anyone involved with the construction process, the final Master Access Roster (MAR), any security incident reports, security features product data sheets for products like shielding and doors, and extensive photo documentation.
The SSM will need to be the one keeping the records proving that all people working on the project have received a security briefing. The SSM also keeps the MAR, which shows everyone who has had access to the site through the construction process. Photo documentation will need to be taken throughout the project to show the AO how things are constructed and to prove that ICD 705 Tech Spec standards are met.
You will also submit your fully completed TEMPEST Addendum and FFC at this time. As part of completing the FFC, there are several more documents that you will need to include in the accreditation package that are not listed in the DoD manual. You will need any approved waivers from the AO, a penetration plan showing sizes and mitigations of penetrations, and a security design set that has floor plans depicting the locations of features such as CCTV system coverage, relevant utilities and penetrations for the FFC.
For the TEMPEST Addendum, you need external and internal maps that show a scale drawing of the SCIF within its location, like within the base for the external map and within the building for the internal map. These are both part of the security design set as well. The goal with this set is to distill SCIF information into key parts that the AO can easily read through.
If you want to make the accreditation package easier to complete, you need to be working on it and thinking about it from the beginning. If you only do the required submittals before beginning construction and then don’t think about the package again until construction is over, you will have to spend a lot of time finding all the information you need and may risk missing something crucial, like photo documentation of something that is no longer accessible. If you keep your documents well organized and make sure you’re checking off your needed boxes as you go along, it will make the whole thing significantly easier.
For any SSM overseeing a SCIF project, you need to be able to have knowledge of construction, high-security requirements, and the specialized standard found in the Tech Spec. Being able to read and understand design documents will make completing your package much easier, especially when it comes to parts of the package like the FFC, which requires you to list specific details of your facility’s construction.
However, if you don’t personally have all the expertise you need to complete your accreditation package, Adamo can help. Our consultants have vast experience in working on SCIF and SAPF projects and bring the knowledge you need to guarantee accreditation. Our SSM support services can partner with you for design review, inspections of security features, accreditation package creation and more, or our technical consulting team can offer help with everything from risk and vulnerability assessments to acoustic and RF testing to budget estimation. Contact us today to learn how we can help you ensure accreditation.