What is a SCIF
You need to build a SCIF. But let’s face it: That’s easier said than done.
The term “SCIF,” pronounced “skiff,” stands for “Sensitive Compartmented Information Facility.” SCIFs are complicated structures, and few contractors have a lot of experience with building them. If you’re in need of a SCIF, the requirements, regulations and government directives that come with it can get overwhelming fast. You may not even know where to start.
If that feeling sounds familiar, you’re in the right place.
This page will tell you exactly what a Sensitive Compartmented Information Facility is, explain its basic components and standards and cover the latest requirements for planning and building a SCIF before you start your project.
Definition of a SCIF
A Sensitive Compartmented Information Facility is a U.S. government-accredited facility where SCI (Sensitive Compartmented Information) can be stored, discussed and electronically processed.
SCIFs are required for government-classified SCI programs. SCI is derived primarily from intelligence-gathering activities and from classified research and development projects. It goes without saying that information like that needs to be protected.
A SCIF has to be built to very specific standards, laid out in the ICD 705 Tech Spec. These include requirements for the facility’s physical security, acoustic security, visual controls, access control systems (ACS), intrusion detection systems (IDS) and emanation (TEMPEST) security.
Questions to Answer Before Building
So you just learned you need to build a Sensitive Compartmented Information Facility (SCIF) but aren’t quite sure where to start? It’s not quite as simple as “build it and they will come.” Without the proper pre-construction steps and information in order, your SCIF construction could have costly delays. Ask yourself the questions below to ensure your facility is on the right track to be accredited by the government as a usable SCIF to store and process classified information.
Do you have a sponsor?
You must have a U.S. government sponsor in order to get a SCIF accredited. Your sponsor is the entity that gave you (or is planning to give you) the classified contract and will issue you a DD-254 form with the requirement for a SCIF. The DD-254 form conveys security requirements to contractors and subcontractors when a contract requires access to classified information. (You can read here for more information regarding the form.)
With the issuance of the DD-254, you will be assigned an Accrediting Official (AO) by the government. You must have approval from an AO for your project prior to the start of construction. To proceed with your project without an AO’s approval would be to “build on risk.” If you do not have approval before the start of your SCIF project, the government is under no obligation to accredit your facility, even if it’s built to accepted SCIF standards.
What is the use of the space?
Before starting your SCIF construction, you will need a clear understanding of how the facility will be used. These details will inform many factors for building a SCIF and will shape the programming phase of your construction project.
For instance, will the space be utilized as a data center, for manufacturing or for storage? This knowledge could greatly influence your heating and cooling needs. Will the space need a certain amount of workstations for full-time or part-time employees, a conference room or any private offices? Knowledge of all these nuances plays a part in how much space is needed and in creating a comfortable and functional facility.
Gather as many details as you can about how the space will be used. When you have a firm grasp on the function of the space, your project will be set up for success from the start and will likely avoid costly changes after construction is underway.
Where will the SCIF be located?
Whether your SCIF will be new construction or a renovated facility, being strategic with where it is located can save you time and money. For instance, picking a location with no windows is always preferable since all windows end up needing security mitigations, which increase project costs. Ideally your facility will be built toward the center of a building, offering the greatest amount of security and protection. However, if you are not using an existing building or don’t have office space that you can renovate, there are secure facilities, such as modular or container SCIFs, that can be set up as standalone structures on a piece of land or inside a warehouse.
If renovating, it is helpful to know which floor of a building is available to you for your SCIF and to have a good working knowledge about the location. Understanding the composition of the floor and roof above is important, as this can affect whether mitigations will need to be implemented to increase physical hardening or acoustic performance. Furthermore, knowing if the building has a concrete pan deck system can be very helpful in saving money since then you could put the facility on a floor other than the top floor and utilize the concrete pan deck as the SCIF perimeter and not need to build a ceiling system.
Another element to consider is if the general public, which could include foreign nationals, could have unescorted access to your location’s perimeter. If so, you would need to increase the physical hardening of the walls, therefore increasing the cost.
Lastly, consider ease of constructability. What will your access and working hours look like? Will you easily be able to move materials around your project? Transporting materials up multiple floors can add a lot of extra work and cost very quickly, so being prepared before construction is always helpful.
Beyond cost and time implications, all of these factors regarding location will play a part in determining the level of high-security features you will need based on security in depth (SID). If SID already exists in your location, be sure to confirm with the Tech Spec if the standards are up to date.
Has a risk assessment been completed?
The risk assessment is the first required element by the Tech Spec to be completed right away, but more importantly, it drives many of the security design features that will be built. The design of a secure facility cannot be finalized and approved by the AO until the findings of the risk assessment are incorporated into the design. Also, after a risk assessment is conducted, management could decide not to build a SCIF at the location at all, or add other features not thought of before the assessment.
Do workers need to be U.S. persons or U.S. citizens?
If U.S. citizens are required, it can likely restrict your bidder pool and potentially be more expensive. It could also take more time to bid your project. This requirement can be driven by the customer or by the AO.
What level of acoustic protection is required?
Since sensitive and classified information will be discussed in your facility, acoustic protection is required to prevent anyone from hearing that information outside of the secure space. Knowing which level of acoustic protection is key and affects a project’s budget.
The STC (Sound Transmission Class) rating required for your facility is determined by whether the facility utilizes amplified sound, e.g., things like video teleconferencing or speaker phones. If there is amplified sound, STC 50 is required. If there will be no amplified sound, a minimum of STC 45 is required. SCIF perimeter walls always need some type of acoustic protection, but you will need to also consider which STC rating your interior walls will need to meet.
What is your timeline?
Ensure you set proper expectations to allow for all the time that is needed for bidding your project, government approval, the permit processing, construction, accreditation, and move-in. In our experience, it is very rare to see even the smallest project complete that process in less than six months.
Are there any specific building considerations to keep in mind?
Are you aware of any weight limits, access issues, heating/cooling or electrical upgrades needed, adversarial neighbors, or adversarial landlords? Are there any special circumstances for your building like any sort of remediation, lead, asbestos, etc.? All of these factors can affect the time and cost of your project.
The key to a successful accreditation for your SCIF construction—and a truly secure facility—lies in the time you take to answer all of these questions. The quicker you can gather the information to answer these, the more efficient you will be as you start your project. Feel free to use this SCIF Project Planning Worksheet to help you keep track of the information you gather.
Types of SCIFs & Determining Cost
This is likely the type of construction that first comes to mind when you think of a SCIF. You’ll either be building the SCIF from the ground up on site or renovating an existing space to meet ICD 705 requirements. A renovation, or a tenant improvement project for leased facilities, is typically going to be your least expensive option for SCIF construction.
If you utilize a design/build project delivery method, where both the designer and builder work for the same company, you can reap a variety of benefits. For example, this method is the best way to ensure your SCIF is accredited. With one team working on the SCIF from start to finish, it’s easier to oversee that construction is kept up to the necessary requirements and a standard of quality.
In modular construction, most or all of the facility is built off-site. It’s then brought into the facility and assembled and completed on site. In the last decade, interest in modular construction has drastically increased for secure facilities.
A modular facility can be a great choice in a variety of circumstances. If you’re running out of space in your building but have some outdoor space, a modular building will be faster and less expensive than conventional construction. Modular construction also often has a shorter timeline, and less time on-site can mean less risk of on-site construction complications. Modular SCIFs can also be helpful if you need to relocate it in the future.
Modular construction does have some limitations, as it needs adequate space in a secure location. The SCIF may not be able to be constructed to match specific architectural styles, so if you need it to blend in, you may have to look for another construction type. If you have heavy-duty equipment, the modular building may not be able to handle the load, as they typically have a raised floor system.
Also known as “SCIF in a box,” the container SCIF is an ISO shipping container that’s been retrofitted to meet SCIF standards and accredited. These are a much smaller space than other types, so you have to be creative in how you utilize the space, but this construction is not without its benefits.
These are typically the fastest option you have, as they take less than 12 weeks to be designed and constructed. The container SCIF is ideal in situations where you need something relocatable; it can be moved from site to site without having to be disassembled. These are the easiest SCIFs to acquire, as you can essentially choose a model from a catalogue and have it in your space and functioning in as little as 12 weeks.
Related: Adamo offers Rapid SCIF containerized facilities
With these SCIFs, one of the biggest drawbacks is the limitations in space. There’s only so much that can fit inside a 20- or 40-foot container, especially when you have to include air conditioning, access control systems, and doors, plus any needed equipment like computers.
Unfortunately, because every project is unique, there is no set price tag for SCIF construction. The type of SCIF you choose will understandably be a big driver of cost. As mentioned above, a renovation will likely cost you the least. Next to renovating an existing space, modular construction is the least expensive option for your SCIF construction. In terms of price per square foot, the container SCIF has the highest price tag.
While SCIF size will affect your cost, there are a number of fixed costs that will be the same whether your building is 200 or 2,000 square feet. These can be things like project management, an access control system, an STC door, and an intrusion detection system. If you’re building a smaller facility, you’ll likely be looking at a higher cost per square foot than in a larger facility.
SCIFs are going to be an expensive construction project no matter what. There are some ways to manage those costs, which you can read more about here.
The Roles You Need to Know
When you’re building your SCIF, there are several positions that will play a key role in the construction and accreditation of your SCIF.
The Accrediting Official (AO)
The AO is an individual appointed by the head of an Intelligence Community (IC) element to oversee and accredit facilities, information technologies, and programs that use, store, process, or discuss classified information. The AO can also designate people to act on their behalf.
The AO will be your go-to through the construction process for security oversight of the entire project. They review and approve your design concept plans, your Construction Security Plan (CSP), and your final design prior to start of construction. They’ll also prepare requests for waivers to exceed or lower standards and consider the Security in Depth (SID) of your facility.
The AO may be less available than other personnel you’ll work with, as they may have a heavy case load or be officing out of somewhere far from your SCIF site. Building strong communication with your AO early on will help your construction move more smoothly.
It’s key that you thoroughly prepare all the documents for your AO and communicate as efficiently as possible. The more information you can give them throughout, the less likely it is an issue will arise late in the process that could cause a delay.
For more advice on how to build and maintain a positive relationship with your AO, check out our blog on the topic.
The Site Security Manager (SSM)
The SSM is a role that will need to be approved by the AO at the initial stage of your project. They directly oversee and enforce all security matters for your project. They report to the AO all relevant information and will be with your project from the beginning until accreditation.
The SSM will be assigned only to your site. They ensure your SCIF meets the security requirements from the Tech Spec. The SSM will develop your CSP in consultation with the AO. They’ll perform periodic inspections of the site to make sure you’re sticking to the CSP.
When you need input on the security of your project, the SSM will likely be the most available security contact you have.
The Certified TEMPEST Technical Authority (CTTA)
The CTTA is a peer to the AO and makes sure your project meets TEMPEST requirements, which you can read more about in our section on the standards for SCIF construction. The CTTA and AO work in collaboration, but most often they do not work directly with the SSM and the rest of the project team.
The CTTA will provide mitigations you need to make to meet TEMPEST. This will be an important part of getting accredited. However, your CTTA will likely have an even larger caseload than your AO, so it can be difficult to get their input on your SCIF. Because of this, you’ll want to contact them as soon as you possibly can during the initial phases of your project.
The risk assessment is a crucial part of your SCIF building process. During the assessment, you’ll evaluate the area in which your SCIF is being built and figure out what might threaten your facility’s security. Based on the findings in your risk assessment, your Accrediting Official (AO) will recommend what mitigations and security measures your facility will need.
The risk assessment is a collaborative process between the Accrediting Official (AO) and Site Security Manager (SSM). Since AOs often have a large caseload, they can be difficult to get a hold of, which can make the assessment take longer. To speed things up, your SSM can perform their own preliminary assessment and send their findings to the AO for their input.
There are four components to the risk assessment process: threat analysis, vulnerability analysis, probability analysis and consequence analysis.
For your threat analysis, look at anything that could potentially cause harm to your facility. This could be a local known bad actor who would attack the facility, someone who worked on your facility and could disclose sensitive information, or a possible cyber-attack. Insider threats, including negligent insiders, are included in this analysis.
These threats could harm your facility by intrusion, destruction or disclosure. They can come from outside your project, but tradesmen you hire and people within your company can also present a potential threat.
Vulnerabilities are places where your facility could be weak to attack. The process evaluates any vulnerabilities your project may have that could be exploited. For example, if your SCIF is in a building with other tenants, that could be a weak point for your facility.
For this analysis, you’re looking for any weaknesses that bad actors could take advantage of in order to breach your SCIF or get information about the work taking place in your SCIF.
Once you know what your threats and vulnerabilities are, you’ll figure out how likely they are to cause an issue. If your facility is built near the coast, there may be some risk of a tsunami. However, if you’re an hour from the ocean, the probability of it affecting you will be low. The more likely the outcome, the more you want to be prepared for it.
If something does go wrong, the consequence analysis will evaluate how much damage it would do to your facility, organization, or the information you process. If your workers rely on a bridge to get to work, and that bridge is closed one day, what will be the consequences if your workers are late as a result of traffic? For some projects, this may be minimal, but for a facility doing a critical 24/7 process, you may have more serious repercussions.
If your facility is breached, there may be minor consequences, but there is no such thing as no consequences in that situation.
Once you’ve gone through the SCIF risk management process and have this information, you’re able to figure out what mitigations will be critical to your facility and where you may be able to ease up. This will be a main driver of cost, since it will tell you what you need in the way of physical hardening, acoustic protections, or other mitigations.
Developing a Construction Security Plan (CSP)
The Construction Security Plan (CSP) establishes the security protections for the design and construction of a SCIF or SAPF project. A required document in the ICD 705 Tech Spec, the CSP is critical in making sure a project site stays protected from potential threats through all phases of construction. It also assigns the responsibility for the enforcement of the CSP to specific agencies and individuals within the government and industry to make sure everything goes to plan.
What a CSP includes
The purpose of developing a CSP is to have a security plan in place that the Accrediting Official (AO) and the site security manager (SSM) can refer back to when they need to communicate the security guidelines at a high level to all involved on the project.
Some topics outlined in a CSP include:
- Identification information like the identified SSM and AO, site location, start date and completion date, description of project, etc.
- Identification of adjacent facilities
- Site security measures like fencing, cameras, guards, escorts, etc.
- Security measures for how the construction plans and other related documents are handled
- Information to verify the construction workers allowed on the site (U.S. documentation, clearances required, etc.)
- Security measures to ensure the integrity of the procurement, shipping and storage of building/finishing material that the AO may require
Keep in mind that the above topics are all “suggested topics” for a CSP, so there is some room for interpretation in what goes into your specific CSP, depending on your secure facility’s size, purpose and location. The ambiguous requirements of a CSP might leave some security professionals a little intimidated, especially when they’re used to checking boxes and filling in required information instead of answering essay questions, so to speak. But if you keep these tips in mind, your CSP will be easier to develop and implement.
Here are five tips to help this process run smoothly and efficiently:
Hire a great Site Security Manager (SSM)
A Construction Security Plan, no matter how well-developed, is only as good as the SSM who enforces it. When looking for your perfect SSM, look for someone with a strong background in site security with an ability to work well in a team setting. Since the SSM is in charge of implementing the CSP, they should be a vocal leader with great communication skills.
The SSM is approved via the CSP by the AO and is responsible to make periodic security inspections to make sure the CSP is followed and notify the AO when there are violations, which is why those communication skills are so important.
Review the risks and security in depth
As part of the CSP process, you’ll need to review your project’s analytical risk assessment and security in depth. Make sure that you’re outlining specific security measures to stop unauthorized access and visual observations.
The CSP also contains site control measures (as stated in the ICD/ICS 705) like:
- Signs at all entry points listing prohibited and restricted items (e.g., cameras, firearms, explosives, drugs, etc.)
- Physical security barriers to deny unauthorized access
- Vehicle inspections
- Identity verification
- Random searches at site entry and exit points
Looking deeply into the security and risk assessment are foundational inputs that build the CSP, so be thorough when conducting this research. In other words, the more work you put in at this step, the fewer problems you may face down the road.
Don’t over-secure your site
You might think the more security the better for your site, right? Not necessarily. A common mistake made in CSP development is over-securing your site, not considering the huge cost, especially when the project’s risk doesn’t warrant that level of security.
For example, if you require escorted work on your site at a ratio of cleared escort for every five contractors, but your project’s risks don’t require it, that could be an unnecessary budget expense. This might work OK if you need escorts on a 300-square-foot remodel, but on a 100,000-square-foot building, that could cost millions of dollars to escort 200 to 300 contractors.
Another common over-securing measure could be making all personnel on the site U.S. citizens when you only need U.S. persons. The cost of construction increases if everyone needs to be U.S. citizens versus just persons because it greatly reduces the pool of contractors and subcontractors you’re able to work with. In addition, it could not only increase your budget but also delay your project timeline.
Keep the design criteria out of the Construction Security Plan
A common misconception is that the CSP must contain everything, including the design criteria for the project and the security in depth for the finished project. Again, the purpose of the CSP is to protect the project before and during construction, but it doesn’t extend after the project is accredited.
The Pre-Construction Checklist, TEMPEST Checklists and addendums, other checklists, and a security design package are what contain the construction methods, not the CSP.
To help avoid these mistakes, read the ICD/ICS 705 carefully, and consult with colleagues who have walked through this and done it well. Don’t be afraid to ask for help because winging it just won’t cut it when it comes to your CSP.
Get your entire team on the same page
With all of the moving parts that come with a secure construction project, it’s important to make sure your entire team is up to speed on the Construction Security Plan and can have it to refer back to when things get hectic. Ideally the CSP gets created during the concept phase of a project, and once it’s approved by the AO, it’s passed on to the contractors and architects to get all project personnel on the same page. With the CSP, they can understand how to handle documents, what restrictions are placed on the construction employees (e.g., required U.S. citizenship or criminal background check), and what the day-to-day rules are during construction.
Depending on the size, location and use of your ICD 705 facility, the CSP development process can be either relatively simple or extremely complicated. Don’t overthink the process or overdo it on the security aspects with your CSP.
The Standards for SCIF construction
To build a SCIF, there are special guidelines you have to adhere to that are unique to this type of construction. Reaching these standards is crucial in order to get your SCIF accredited.
ICD/ICS 705 (IC Tech Spec V1.5.1)
These are the standards set by the National Counterintelligence and Security Center set for the construction of SCIFs. In this guide, you’ll find the specifics of how your walls must be constructed, the requirements for physical hardening, electronic security and acoustic protection of your facility, and everything else you need to follow to build your SCIF. If your building doesn’t match these requirements, you won’t be accredited.
You must use the most up-to-date version of the Tech Spec for accreditation. Prior versions will not be accepted. Check out some of the major updates made in V1.5 here.
For your acoustic protection, your facility perimeter will have to meet a minimum of STC (Sound Transmission Class) 45, or STC 50 if you’re using amplified sound. Your walls and doors will have to be built to meet these standards, and you may have to add sound masking or baffling as well.
TEMPEST regulations are enforced by your CTTA and look at preventing compromising emanations from escaping your facility. Compromising emanations are unintentional data-related or intelligence-bearing signals, which, if intercepted and analyzed, disclose the national security-related information processed by information-processing equipment.
For the TEMPEST review, the CTTA may evaluate the volume and sensitivity of the National Security Information (SCI) being processed, the presence of any locally known threats, SID, access controls, and the TEMPEST profile of processing equipment.
Some countermeasures you may have to implement include installing radiant barrier R-foil on your SCIF perimeter walls, adding a non-conductive section on metallic pipes, or using fiber optic cabling, which doesn’t have any emanations.
TEMPEST countermeasures can vary significantly from project to project, so the CTTA will play an important role in telling you what you’ll need and getting your project to accreditation.
Build it Right – the First Time
When you set out to build a SCIF with the required high-security features it needs to get accredited, you have to do it right the first time. There’s too much on the line to get it wrong.
Let’s say you’re a smaller defense company that’s never developed a SCIF before. You’re not clear on exactly what is required in your design documents, technical specifications or CSP. There are so many variables involved that you end up stumbling through the dark, trying to accomplish something you can’t even see properly.
You’re almost always going to overlook a requirement, and that means your accreditation official will delay your accreditation, or worse, won’t accredit your facility at all. Before you know it, your deadline is out the window, management is breathing down your neck and the time-sensitive government program that needs that facility can’t move into it and begin operating.
This is not a pleasant scenario for anyone, and it’s a situation that no defense company, Site Security Manager (SSM) or Facility Security Officer (FSO) should ever have to experience. Follow these six steps to make sure your SCIF is designed and built correctly the first time.
Step 1: Get a Government Sponsor
The first thing you need to do is make sure that your government sponsor is involved. Your sponsor is the entity that gave you (or is planning to give you) the classified contract. There are 18 entities in the U.S. government intelligence community (IC) that have the authority to accredit SCIFs, and your sponsor will be one of them — or possibly a second- or third-tier level of the IC element. Without a government sponsor it is impossible to have an accredited SCIF, even if you have a facility built to SCIF standards.
Step 2: Develop Pre-construction Documentation
The SSM of your project is responsible for this step. Working with the accreditation officer and the designer, your SSM determines the high-security features you need based on security in depth (SID), inspectable space, risk analysis, fixed facility documentation, accreditation documentation, telecommunications systems design, any red-black separation requirements, access control system (ACS) and intrusion detection system (IDS) requirements, and closed-circuit television (CCTV) requirements before you move forward.
In most cases, the Certified TEMPEST Technical Authority (CTTA) will determine which (if any) TEMPEST measures need to be integrated into the SCIF’s design. Once you have a complete pre-construction design package, you need to submit it to the accrediting official for approval before you proceed any further.
Step 3: Develop the Facility Design
The details of your design depend on whether the SCIF is going to be ground-up construction or part of an existing building. They also depend on the existing SID, whether the facility is going to be open or closed storage and other considerations as identified by the accreditation official. You also have to take the government program’s functional requirements into consideration in your design, such as heating and cooling demands, infrastructure, lab or data processing needs and so on.
Once you’ve established the correct criteria, you can proceed with the actual design documents. At minimum, these include the project plans, project specifications, the Pre-Construction Checklist, Fixed Facility Checklist (FFC), the TEMPEST Checklist and the Construction Security Plan (CSP). The design process can last anywhere from four to 24 weeks, depending on the size, location and complexity of the project. Make sure your design team is well experienced in the development of SCIFs to minimize gaps in your design documentation.
Step 4: Get Jurisdiction Approval
After your completed design is approved by the accrediting official, you then have to get approval from whatever jurisdiction the project is located in. For example, if the SCIF is on a military base, it has to be approved by the local military jurisdiction. If it’s in a municipality, you’ll need to talk to the local building department. (Note: When you create the design plans and documentation for your SCIF, the plans should not contain any verbiage that indicates that the project is a secure facility.)
Step 5: Construct the SCIF
After everything has been approved, you’re ready to build your SCIF.
Your contractors should always be qualified people who have proven experience building SCIFs (at least two to three accredited facilities per year for the last three years). During construction, your SSM needs to make sure that the building process is executed in accordance with every detail of the CSP. Every person who comes onto the job site must be documented, the project design documents must be controlled and other elements of the CSP must be adhered to and executed properly.
Your SSM needs to document the entire construction process in accordance with the CSP. These processes are as important as the actual construction itself.
Step 6: Get Government Accreditation
After the SCIF has been built and all other jurisdictions (building authorities, corporate management, etc.) have signed off on the project, the last thing you need is to prepare your final accreditation documents and schedule a final accreditation inspection.
The inspection is performed by a government accrediting official (AO) who verifies that all of the required high-security features of the SCIF have been installed according to what was preapproved in the design and pre-construction documents. The AO will also verify that the CSP was properly followed during construction of the SCIF and that all the required documentation was developed during the construction processes. Your AO will inspect your SCIF and all of its systems to ensure that they function the way they were designed to function and that the facility is ready to operate as a Sensitive Compartmented Information Facility (SCIF).
The process of SCIF accreditation doesn’t begin when you finish your facility; you have to have it in mind from the beginning. Being organized and keeping good documentation throughout the SCIF process can optimize your accreditation process and speed it up, making the steps you take early on crucial to your eventual accreditation.
There are several documents you’ll need to turn into your AO as part of the accreditation process. Start on documents like your Fixed Facility Checklist (FFC) and TEMPEST checklist early on to make sure everything is documented. However, you won’t be able to finish them until your project is complete. These documents will include information like where your penetrations are, what your access control is, and if you have any radio transmitters in your facility. The TEMPEST checklist will be approved first and will take up to 90 days for government review.
Another important piece is your “as-builts.” These plans show any ways that your final construction didn’t exactly follow the initial design plan. Construction jobs don’t typically follow the design exactly, so you’ll have some edits to add. Field conditions may not be what was assumed, causing you to have to adjust, or new needs arise and things are changed as construction goes on. For example, you may have had to move a penetration in your facility, and you’ll need to note that for the AO. It’s key to document changes as they happen.
You may also need a Compartmented Area Checklist if your facility has any Compartmented Areas. These are similar to the FFC. There are three types of Compartmented Areas, and the checklist changes significantly depending on which type you have.
As you construct the SCIF, make sure to take photos of everything. There’s no such thing as too many photos. When it comes time to send the photos to the Accrediting Official (AO), you’ll want to send photos that show what you documented in your FFC and other documents, as these will likely be what the AO will want to focus on.
Once you’ve turned in your documents to your AO, they’ll review them and run a final inspection of your facility. They’ll make sure everything in your documentation aligns with the construction. The better your documentation, the more likely it is your AO will feel confident that you’ve met your requirements.
If everything is in order, your SCIF will be added to the SCIF repository, which gives your facility its ID number, and you’ll receive an interim accreditation. With the interim accreditation, you’ll be able to begin operations within your facility pending the final approval.
This process can take anywhere from a few weeks to a few years. If you follow the process from the beginning and give your AO constant, continuing and clear information, you can optimize the process and help speed things along.