A look at the build-on-risk model
To “build on risk” is to construct a high-security facility (like a SCIF or SAPF) without having a government sponsor. Most of the time, a company will build a facility on risk in anticipation of a contract or program being awarded by the government. The “risky” part, though, is that without a government sponsor or assigned Accrediting Official (AO) being involved from the beginning, the government is under no obligation to accredit the facility as a SCIF or SAPF. That could potentially mean that the facility won’t be accredited, that it will be unusable as a SCIF/SAPF to store or process classified information, and that the funds used to build it will essentially have been wasted.
Why wouldn’t you wait for a government sponsor?
It’s no secret that government contracting can be a slow process. Because of that, some defense contractors want to get a head start on designing and constructing their SCIF so that the program they anticipate being awarded can get going as soon as possible. However, the IC Tech Spec for ICD/ICS 705 (the document that dictates the process and specifications for building SCIFs and SAPFs) requires that an AO be involved from the start. The government AO will need to work with the Site Security Manager (SSM) on the pre-construction documentation, including a risk assessment, determining security in depth (SID), the Fixed Facility Checklist, and will determine items to incorporate into the design, such as the amount of hardening that needs to be built into the walls based on the risk analysis and security in depth. In addition, a Certified TEMPEST Technical Authority (CTTA) will determine which TEMPEST measures (if any) need to be integrated into the design. That complete pre-construction conceptual design package must be submitted to and approved by the AO before construction begins.
The reason that some companies still build on risk, despite what the ICD 705 Tech Spec says, is that AO involvement didn’t used to be required until after the facility was built. Up until about a decade ago, when SCIF construction was dictated by the DCID 6/9 (and SAPFs were built according to JAFAN 6/9), companies were essentially given the standard to build to, and then the AO inspected it after it was built. Building without a government sponsor didn’t matter as much then, since they didn’t need to be involved until construction was complete. When the ICD was released in 2011, it began to shift the culture. The government had grown tired of not being involved along the way and then finding a facility not built correctly or not built to the standards they would have recommended. The ICD was trying to accomplish two things: that the government would be involved early on to incorporate things like hardening and RF foil into the design, and to save money by keeping facilities from being overbuilt (government programs sometimes pay directly for the secure facilities).
Can’t the SCIF just be built to the maximum standards?
Technically, yes. You can build the SCIF to the maximum physical standards of the Tech Spec, and there is a chance that you can get the facility accredited, though it’s definitely not guaranteed. The problems with that are (1) you will be spending a lot of money that you wouldn’t need to spend if the AO and CTTA had given you specific direction on how to build that SCIF perimeter and (2) you still haven’t followed the administrative requirements of building a SCIF, so you are asking the government to accept your facility without having been a part of the process. In our experience, it’s getting more and more rare to see the government accredit a facility that’s already been built. That’s why, when we receive phone calls from defense contractors looking to build a SCIF on risk, we try to talk them out of it.
How do I make sure my SCIF gets accredited?
It might not be what you want to hear, but the best way to make sure your facility is accredited is to wait for your DD 254 and get in touch with your AO before working on your facility’s design. If you’re in negotiations with the government or part of an RFP, and the government knows it will award it to your company, they will sometimes sponsor it before the contract is finalized, just to get the ball rolling on construction.
Some companies might see building a SCIF as a way to increase their business opportunities. For example, a company might have a contract in an already accredited SCIF and know of other contracts that are coming. So in that same building, they’re having a second SCIF built just like the first, with the same wall type and shielding, counting on the AO to be OK with that direction in the second facility. While accreditation is not guaranteed in that situation, it could be considered less risky than building a first SCIF without a sponsor.
To have an accredited facility, be sure to engage a reputable company with experience in designing and constructing secure facilities. With decades of experience in SCIF/SAPF design and construction, we guarantee accreditation for any facility that we design and build, provided that the AO approved the design before we built the facility. Go here to learn more about our SCIF construction experience and how we can help meet your company’s high-security facility needs.