An overview of what’s required for the construction of a Sensitive Compartmented Information Facility (SCIF)
In order for a facility to be accredited by the government as a SCIF (Sensitive Compartmented Information Facility) or SAPF (Special Access Program Facility), two key items are required:
- A U.S. government sponsor (which would likely sponsor via a contract of some sort) to both demonstrate the need for your company to have access to classified information as well as provide input during the design and construction phases of the project so that the facility is built with the required minimum protections to keep the classified information secure.
- The facility is required to be designed and built according to the current version of the Intelligence Community Directive (ICD) 705 and per the referenced “Technical Specifications for Construction and Management of Sensitive Compartmented Information Facilities” (or “Tech Spec,” which you can find here). The Tech Spec outlines the minimum construction requirements for a secure facility, but your company’s specific program or situation may require additional measures in order to protect the classified information being stored, discussed or processed there.
Without following the Tech Spec during planning, design and construction, the government is not obligated (and likely won’t) accredit the facility. And without a government sponsor or input, you’ll have a room that’s acoustically, physically and electronically protected like a SCIF, but you can’t call it a SCIF or store or process classified information within the facility. That’s why it’s important to understand how to build a SCIF correctly from the beginning.
Once you have successfully moved past sponsorship and you’re on the path to finding a contractor to build your facility, it’s extremely helpful and important to understand the ICD 705 construction standards. SCIF construction differs greatly from traditional construction, and the current version of the Tech Spec has 174 pages of specific guidelines that cover everything from wall materials to ductwork to the type of hardware you can have on the SCIF doors. Below is a 30,000-foot view of the current ICD 705 standards, but keep in mind that every SCIF project will come with its own set of challenges and unique requirements based on the government’s input and guidance throughout the process.
What’s Required for Building a SCIF
There are four main differences between SCIF construction and standard construction, which all protect the perimeter.
The purpose of hardening is to first prevent overall access to unauthorized personnel and secondly protect the space from forced entry, and there are a few acceptable means. If you already have a concrete wall, that will satisfy the physical hardening requirement. If your facility has security in depth (meaning that the site already has multiple layers of security around it, such as if it’s in the center of a military base), you’ll likely just need one layer of drywall on each side. If you don’t already have a concrete wall to use, you’ll construct a wall assembly, which must include 16-gauge metal studs spaced a maximum of 16 inches on center. Depending on the extent of your security in depth, your accrediting official will require you to have either plywood in the walls or expanded metal, which looks like a large diamond mesh. Keep in mind that the floors and ceilings must also have physical protection equal to the walls.
Because classified information will be discussed in the space, ICD 705 requires multiple acoustic protections so that nothing sensitive is heard outside the SCIF. The perimeter of the facility must meet a rating of STC (Sound Transmission Class) 45 at a minimum, or STC 50 if you’ll be using amplified sound, such as video teleconferencing, speaker phone or a PA system.
- Walls: There are many ways to achieve the correct performance, and the Tech Spec currently has a suggested wall assembly including a specific number of drywall layers and acoustic caulk.
- Utilities: All utilities must be surface-mounted. This protects the integrity of the wall assembly’s acoustic properties, as utilities inside the walls eliminate drywall at the junction boxes and displace insulation, therefore reducing the sound protection. Ducts require measures such as non-conductive breaks, Z ducts, sound baffles and/or sound masking.
- Perimeter doors: Any entry/exit doors must perform to the same acoustic ratings as the walls. This requires a specific type of door—one that’s made of either solid core wood stave (like butcher block) or at least 18-gauge metal, and is sold as an assembly that makes an acoustic seal around the entire door. The entire assembly should be tested by the manufacturer per ASTM E-90. Note that the door must have hardware per the government specification FF-L-2740 or FF-L-2890.
When the facility is occupied, it must be protected by an access control system (ACS), which requires two-factor authentication, such as a card and PIN. The system can range from a standalone piece of hardware on the door to a more complex system that is computer-driven and has multiple card-access points. When the SCIF is unoccupied, it must be protected by an intrusion detection system (IDS), which has to meet the UL-2050 specification for protecting national security information. The IDS includes protections for the perimeter doors, interior motion sensors and other devices that report to a monitored premise control unit (PCU).
If the facility will be electronically processing classified information, it will require TEMPEST mitigations. TEMPEST refers to protecting the electromagnetic emanations coming off of processing equipment (laptops, servers, etc.) that store or process classified information. The emanations are unintentional, but they allow the possibility of the information being intercepted and exploited. Radio frequency (RF) shielding may require RF foil or RF paint to be added to the walls. Other measures include creating stand-off distances, RF wave guides for penetrations and grounding.
Navigating through these requirements can be intimidating and challenging, so it’s important to have expertise within your team. You can either take a SCIF development class so that you yourself understand the entire process, or bring in an expert to work with your team to make sure the process is as efficient as possible.