Best practices for navigating TEMPEST requirements throughout the project life cycle
TEMPEST, the study, investigation and mitigation of unintentional emanations from electronic equipment, is a complicated and sometimes overlooked aspect of SCIF and SAPF security. The DD 254 form, the form the government uses to communicate security requirements for construction to contractors, has a simple yes or no checkbox for whether there will be TEMPEST requirements. However, TEMPEST is not a yes or no option, so you’ll need further detail. Ultimately, the Certified TEMPEST Technical Authority (CTTA) will determine exactly what those TEMPEST requirements will be.
There is no one-size-fits-all approach to TEMPEST requirements. While the decision for the exact mitigations your facility will need are out of your hands, there are steps you can take from pre-design to construction that will make the process run more smoothly and keep you from running into expensive snags.
Starting Off on the Right Foot
Your Accrediting Official (AO) will likely have a large caseload, which will cause their time to be at a premium, and the CTTA will probably be even busier. Because of this, it’s important for you to make things run as efficiently as possible with them. To begin, discuss with your AO how they would like to receive your paperwork. Some AOs may prefer it in pieces, with one or two forms at a time, while others may want one complete package with everything.
Building a positive relationship with your AO and having them on your side will always make the project run smoother. They’re also the ones who will be communicating with the CTTA, so the easier you can make their job, the better they can manage that channel of communication.
While the CTTA can be difficult to get in touch with, it’s crucial you wait for them to provide their guidance to the AO and Cognizant Security Authority (CSA). Some contractors will proceed at risk with their design and begin construction without the CTTA’s approval. This would likely be done as a time-saving measure, but it can end up costing far more in the long-run.
For example, if you begin construction and then get word from the CTTA that your HVAC system will require waveguides as a mitigation, that isn’t a simple or quick fix. If the waveguides weren’t factored into the original design, you may face major delays, cost increases, or even a need for a complete redesign. From the beginning, make sure the contract holder who needs the facility is aware of the need for CTTA guidance and understands it may take some time. Ultimately, this is a wait that will actually save you time and money in the long run.
A very common TEMPEST mitigation is RF shielding foil being added to wall assemblies. When this foil is added, it’s common practice for contractors to extend the foil from the wall and overlap it onto the floor about a foot. This helps to avoid any gapping at the base of the wall in the foil.
However, while the perimeter wall is still under construction, ensure that the excess foil is taped up onto the wall rather than remaining loose on the floor. Otherwise, the foil could end up torn from being walked over or have dirt and debris kicked under it. Torn foil will not perform to the standard it should, and it needs to be applied on a clean surface, so taping it up until it’s time to add the next layer of the wall assembly will keep it protected and ready to go.
For facility perimeter doors, there are RF-rated assemblies available that will allow your facility to meet its shielding effectiveness requirements. However, sometimes contractors may attempt to add mitigations to a non-RF door, like RF caulk, RF gasketing, or shielding strips along the sides of the doors. This may add some protection, but it does not test as effectively as the already RF-rated assemblies, so it’s more effective to go with those.
If You Don’t Meet Requirements
Unfortunately, unlike adding sound masking for acoustic protection, there isn’t necessarily a quick fix for a facility that isn’t performing to the required level of protection. For example, you may need to remove a layer of drywall and add further layers of RF foil to the walls in order to meet requirements or add waveguides to various penetrations if they aren’t already there. This is going to be more expensive to do after construction, so it’s another reason to make sure you have the CTTA’s guidance before you begin construction.
If you’re embarking on a SCIF or SAPF construction project and have questions about TEMPEST or other complicated ICD 705 Tech Spec requirements, Adamo can help. Our consultants will partner with your team and guide you through any and every aspect of your project you may need assistance with. We also offer RF shielding testing services so you can make sure you’re meeting your requirements.