DIRECTOR
OF
CENTRAL
INTELLIGENCE
DIRECTIVE
1/21Manual for
PHYSICAL SECURITY
STANDARDS FOR
SENSITIVE
COMPARTMENTED
INFORMATION
FACILITIES (SCIF)EFFECTIVE 30 JANUARY 1994
PREFACE:
DCID 1/21, Physical Security Standards for Sensitive Compartmented Information Facilities (SCIFs) was approved by the Director of Central Intelligence (DCI) on 30 January 1994.
A complete copy of DCID 1/21 consists of the basic DCID and annexes A through G. The annexes areas follows:
Annex A - SCIF Checklist (approved 27 May 1994)Annex B - Alarms (approved 27 May 1994)
Annex C - Tactical Operations/Field Training (approved 27 May 1994) Part I - Ground Operation Part II - Aircraft/Airborne Operation Part III - Shipborne Operation
Annex D - Prohibited Items (approved 30 January 1994) Part I - Electronic Equipment in SCIFs Part II - Disposal of Laser Toner Cartridges
Annex E - Acoustical control and Sound Masking Techniques (approved 30 January 1994)
Annex F - Personnel Access Controls (approved 30 January 1994)
Annex G - Telephone Security (approved 29 July 1994)
DCID 1/21
Table of Contents
PREFACE
1.1 Policy Statement
1.2 Concept
1.3 American Disabilities Act (ADA) Review2.1 SCI Facilities (SCIFs)
2.2 Physical Security Preconstruction Review and Approval
2.3 Accreditation
2.4 Co-Utilization
2.5 Personnel Controls
2.6 Control of Combinations
2.7 Entry/Exit Inspections
2.8 Control of Electronic Devices and Other Items3. PHYSICAL SECURITY CONSTRUCTION POLICY FOR SCIFs
3.1 Construction Policy for SCI Facilities
3.2 Temporary Secure Working Area (TSWA)
3.3 Requirements Common To All SCIFs4. CONSTRUCTION SPECIFICATIONS
4.1 Vault Construction Criteria
4.2 SCIF Criteria For Permanent Dry Wall Construction
4.3 SCIF Construction Criteria For Steel Plate
4.4 SCIF Construction Criteria For Expanded Metal
4.5 General
DIRECTOR OF CENTRAL INTELLIGENCE DIRECTIVE (DCID) 1/21
(Effective 30 January 1994)
1.1 Policy Statement1.1.1 Physical security standards are hereby established governing the construction and protection of facilities for storing, processing, and discussing Sensitive Compartmented Information (SCI) which requires extraordinary security safeguards. Compliance with this DCID 1/21 Implementing Manual (hereafter referred to as the "Manual") is mandatory for all Sensitive Compartmented Information Facilities (SCIFs) established after the effective date of this manual, including those that make substantial renovations to existing SCIFs. Those SCIFs approved prior to the effective date of this Manual will not require modification to meet these standards.1.1.2 The physical security safeguards set forth in this Manual are the standards for the protection of SCI. Senior Officials of the Intelligence Community (SOICs), with DCI concurrence, may impose more stringent standards if they believe extraordinary conditions and circumstances warrant. SOICs may not delegate this authority., Additional cost resulting from more stringent standards should be borne by the requiring Agency, Department, or relevant contract.
1.1.3 In situations where conditions or unforeseen factors render full compliance to these standards unreasonable, the SOIC or designee may waive specific requirements in accordance with this Manual. However, this waiver must be in writing and specifically state what has been waived. The Cognizant Security Authority (CSA) must notify all co-utilizing agencies of any waivers it grants.
1.1.4 All SCIFs must be accredited by the SOIC or designee prior to conducting any SCI activities.
1.1.5 One person is now authorized to staff a SCIF, which eliminates the two- person rule (the staffing of a SCIF with two or more persons in such proximity to each other to deter unauthorized copying or removal of SCI).
1.2 Concept
1.2.1 SCIF design must balance threats and vulnerabilities against appropriate security measures in order to reach an acceptable level of risk. Each security concept or plan must be submitted to the CSA for approval. Protection against surreptitious entry, regardless of SCIF location, is always required. Security measures must be taken to deter technical surveillance of activities taking place within the SCIF. TEMPEST security measures must be considered if electronic processing of SCI is involved.1.2.2 on military and civilian compounds, there may exist security controls such as identification checks, perimeter fences, police patrols, and other security measures. When considered together with the SCIF location and internal security systems, those controls may be sufficient to be used in lieu of certain physical security or construction requirements contained in this Manual.
1.2.3 Proper security planning for a SCIF is intended to deny foreign intelligence services and other unauthorized personnel the opportunity for undetected entry into those facilities and exploitation of sensitive activities. Faulty security planning and equipment installation not only jeopardizes security but wastes money. Adding redundant security features causes extra expense which could be used on other needed features. When security features are neglected during initial construction, retrofitting of existing facilities to comply with security requirements is necessary.
1.3 American Disabilities Act (ADA) Review
1.3.1 Nothing in this manual shall be construed to contradict or inhibit compliance with the law or building codes. CSAs shall work to meet appropriate security needs according to the intent of this Manual at acceptable cost.2.1 SCI Facilities (SCIFs)A SCIF is an accredited area, room, group of rooms, buildings, or installation where SCI may be stored, used, discussed, and/or electronically processed. SCIF's will be afforded personnel access control to preclude entry by unauthorized personnel. Non-SCI indoctrinated personnel entering a SCIF must be continuously escorted by an indoctrinated employee who is familiar with the security procedures of that SCIF. The physical security protection for a SCIF is intended to prevent as well as detect visual, acoustical, technical, and physical access by unauthorized persons. Physical security criteria are governed by whether the SCIF is in the United States or not, according to the following conditions: closed storage, open storage, continuous operations, secure working area.
2.2 Physical Security Preconstruction Review and Approval
CSAs shall review physical security preconstruction plans for SCIF construction, expansion or modification. All documentation pertaining to SCIF construction will be appropriately controlled and restricted on a need-to-know basis. The approval or disapproval of a physical security preconstruction plan shall be made a matter of record.
2.2.1 The requester shall submit a Fixed Facility Checklist (FFC, Annex A) to the respective CSA for review and approval.2.2.2 The Checklist submission shall include floor plans, diagrams of electrical, communications, heating, ventilation, air conditioning (HVAC) connections, security equipment layout (to include the location of intrusion detection equipment), etc. All diagrams or drawings must be submitted on legible and reproducible media.
2.2.3 The CSA shall be responsible for providing construction advice and assistance and pre-approving SCIF construction or modification.
2.3 AccreditationThe CSA will ensure SCIFs comply with DCID 1/21. The CSA is authorized to inspect any SCIF, direct action to correct any deficient situation, and withdraw SCIF accreditation. The procedures for establishment and accreditation of SCIFs are prescribed below:
2.3.1 The procedures for establishment and accreditation of SCIFs from conception through construction must be coordinated and approved by the SOIC or CSA.2.3.2 SCI shall never be handled, processed, discussed, or stored in any facility other than a properly accredited SCIF unless written authorization is granted by the CSA.
2.3.3 An inspection of the SCIF shall be performed by the CSA or appointed representative prior to accreditation. Periodic reinspections shall be based on threat, physical modifications, sensitivity of programs, and past security performance. Inspections may occur at any time, announced or unannounced. The completed fixed facility checklist will be reviewed during the inspection to ensure continued compliance. TSCM evaluations may be required at the discretion of the CSA, as conditions warrant. Inspection reports shall be retained within the SCIF and by the CSA. All SCIFs shall maintain on site, current copies of the following documents:
(a) DCID 1/21 Fixed Facility Checklist(b) Accreditation authorization documents. (e.g., physical, TEMPEST, and AIS).
(c) Inspection reports, including TSCM reports, for the entire period of SCIF accreditation
(d) Operating procedures, Special Security Officer Contractor Special Security Officer (SSO/CSSO) appointment letters, Memoranda of Agreement (MOAs), Emergency Action Plans, etc.
(e) Copies of any waivers granted by the CSA.
2.3.4 Inspection: Authorized inspectors shall be admitted to a SCIF without delay or hindrance when inspection personnel are properly certified to have the appropriate level of security clearance and SCI indoctrination for the security level of the SCIF. Short notice or emergency conditions may warrant entry without regard to the normal SCIF duty hours. Government owned equipment needed to conduct SCIF inspections will be admitted into SCIF without delay.
2.3.5 Facilities which are presently accredited, under construction or in the approval process at the date of implementation of this Manual shall not require modification to conform to these standards.
2.3.5.1 Facilities undergoing major modification may be required to comply entirely with the provisions of this Manual. Approval for such modifications shall be requested through the CSA and received prior to any modifications taking place within the SCIF.2.3.5.2 In the event a need arises to reopen a SCIF after the accreditation has been terminated, the CSA may approve the use of a previously accredited SCIF based upon a review of an updated facility accreditation package.
2.3.6 Withdrawal of Accreditation:
2.3.6.1 Termination of Accreditation: When it has been determined that a SCIF is no longer required, withdrawal of accreditation action will be initiated by the SSO/CSSO. Upon notification, the CSA will issue appropriate SCI withdrawal correspondence. The CSA or appointed representative will conduct a close out inspection of the facility to ensure that all SCI material has been removed.2.3.6.2 Suspension or Revocation of Accreditation: When the CSA determines that there is a danger of classified information being compromised or that security conditions in a SCIF are unsatisfactory, SCI accreditation will be suspended or revoked. All appropriate authorities must be notified of such action immediately.
2.4 Co-Utilization
2.4.1 Agencies desiring to co-utilize a SCIF should accept the current accreditation and any waivers. Any security enhancements required by an agency or department requesting co-utilization should be funded by that organization, and must be approved by the SOIC with DCI concurrence prior to implementation. A co-utilization agreement must be established prior to occupancy.2.4.2 Special Access Programs (SAP) co-located within a SCIF will meet the physical security requirements of this Manual and DCI Special Access Programs (SAP) Policy, January 4, 1989.
2.5 Personnel Controls
2.5.1 Access rosters listing all persons authorized access to the facility shall be maintained at the SCIF point of entry. Electronic systems, including coded security identification cards or badges may be used in lieu of security access rosters.2.5.2 Visitor identification and control: Each SCIF shall have procedures for identification and control of visitors seeking access to the SCIF.
2.6 Control of Combinations
2.6.1 Combinations to locks installed on security containers/safes, perimeter doors, windows and any other openings should be changed whenever:(a) A combination lock is first installed or used;(b) A combination has been subjected, or believed to have been subjected to compromise, and
(c) At other times when considered necessary by the CSA.
2.6.2 All combinations to SCIF entrance doors should be stored in another SCIF of equal or higher accreditation level. When this is not feasible, alternate arrangements will be made in coordination with the CSA.
2.7 Entry/Exit Inspections
The CSA shall prescribe procedures for inspecting persons, their property, and vehicles at the entry or exit points of SCIFs, or at other designated points of entry to the building, facility, or compound. The purpose of the inspection is to deter the unauthorized removal of classified material, and deter the introduction of prohibited items or contraband. This shall include determination of whether inspections arc randomly conducted or mandatory for all, and whether they apply for visitors only or for the entire staff assigned. All personnel inspection procedures should be reviewed by the facility's legal counsel prior to promulgation.
2.8 Control of Electronic Devices and Other Items
2.8.1 The CSA shall ensure that procedures are instituted for control of electronic devices and other items introduced into or removed from the SCIF. See Annex D for guidance.2.8.2 The prohibition against electronic equipment in SCIFs does not apply to those needed by the disabled or for medical or health reasons (e.g. motorized wheelchairs, hearing aids, heart pacemakers, amplified telephone headsets, teletypewriters for the hearing impaired). However, the SSO or CSSO shall establish procedures for notification that such equipment is being entered in to the SCIF
2.8.3 Emergency and police personnel and their equipment, including devices carried by emergency medical personnel responding to a medical crisis within a SCIF, shall be admitted to the SCIF without regard to their security clearance status. Emergency personnel will be escorted to the degree practical. However, debriefing of emergency personnel will be accomplished as soon as possible, if appropriate.
2.8.4 Equipment for TEMPEST or Technical Surveillance Countermeasures (TSCM testing shall be admitted to a SCIF as long as the personnel operating the equipment are certified to have the appropriate level of security clearance and SCI indoctrination.
3. PHYSICAL SECURITY CONSTRUCTION POLICY FOR SCIFs3.1 Construction Policy for SCI FacilitiesPhysical security criteria is governed by whether the SCIF is located in the US or not, according to the following conditions: closed storage, open storage, continuous operations, secure working area .
3.1.1 Closed Storage3.1.1.1 Inside U.S:(a) The SCIF must meet the specifications in Chapter 4 Permanent Dry Wall Construction).(b) The SCIF must be alarmed in accordance with Annex B to this manual
(c) SCI must be stored in GSA approved security containers.
(d) There must be a response force capable of responding to an alarm within 15 minutes after annunciation and a reserve response force available to assist the responding force.
(e) The CSA may require any SCIF perimeter walls accessible from exterior building ground level to meet the equivalent protection afforded by Chapter 4 (Expanded Metal) construction requirement.
3.1.1.2. Outside U.S:
(a) The SCIF must meet the construction specifications for SCIFs as set forth in Chapter 4 (Steel Plate or Expanded Metal). SCIFs within US Government controlled compounds)1, or equivalent, having armed immediate response forces may use specifications indicated in Chapter 4 (Permanent Dry Wall Construction) with prior approval of the CSA.(b) The SCIF must be alarmed in accordance with Annex B.
(c) All SCI controlled material will be stored in GSA-approved containers having a rating for both forced and surreptitious entry equal to or exceeding that afforded by Class 5 containers.
(d) There must be a response force capable of responding to an alarm within 10 minutes and a reserve response force available to assist the responding force.
____________________
1 A controlled building or compound is one to which access is restricted and unescorted entry is limited to authorized personnel.
3.1.2. Open Storage
3.1.2.1 INSIDE US: When open storage is justified and approved by the CSA. the SCIF must:(a) be alarmed in accordance with Annex B;(b) have a response force capable of responding to an alarm within 5 minutes and a reserve response force available to assist the response force; and
(c) meet one of the following:
(1) SCIFs within a controlled US government compound or equivalent may use specifications indicated in Chapter 4 (Permanent Dry Wall Construction): or(2) SCIFs within a controlled building with continuous personnel access control, may use specifications indicated in Chapter 4 (Permanent Dry Wall Construction). The CSA may require any SCIF perimeter walls accessible from exterior building ground level to meet the equivalent protection afforded by Chapter 4 (Expanded Metal) construction requirements; or
(3) SCIFs which are not located in a controlled building or compound may use specifications indicated in Chapter 4 (expanded Metal) or (Vault) constructions requirements.
3.1.2.2 OUTSIDE US: Open storage of SCI material will be avoided. When open storage is justified as mission essential, vault construction is preferred. The SCIF must:
(a) be alarmed in accordance with Annex B;(b) have a response force capable of responding to an alarm within 5 minutes and a reserve response force available to assist the responding force.
(c) have an adequate, tested plan to protect, evacuate, or destroy the material in the event of emergency or natural disaster; and
(d) meet one of the following:
(1) The construction specification for vaults set forth in Chapter 4 (Vaults); or(2) With the approval of the CSA, SCIFs located on a controlled US government compound or equivalent having immediate response forces, may use expanded metal, steel plate, or GSA approved modular vaults in lieu of vault construction.
3.1.3 Continuous Operation
3.1.3.1 INSIDE THE US:(a) The SCIF must meet the construction specifications as identified in Chapter 4 (Permanent Dry Wall Construction). An alert system and duress alarm may be required by the CSA, based on operational and threat conditions.(b) Provisions should be made for storage of SCI in GSA approved containers. If the configuration of the material precludes this, there must be an adequate, tested plan to protect, evacuate, or destroy the material in the event of emergency, civil unrest or natural disaster.
(c) There must be a response force capable of responding to an alarm within 5 minutes and a reserve response force available to assist the responding force.
3.1.3.2 OUTSIDE THE US:
(a) The SCIF must meet the construction specifications for SCIFs as set forth in Chapter 4 (Expanded Metal). An alert system and duress alarm may be required by the CSA, based on operational and threat conditions. (b) The capability must exist for storage of all SCI in GSA-approved security containers, or the SCIF must have an adequate, tested plan to protect, evacuate, or destroy the material in the event of emergency or natural disaster.(b) SCIFs located within US Government. controlled compounds, or equivalent, having immediate response forces, may use the secure area construction specifications as listed in Chapter 4 (Permanent Dry Wall Construction) with prior approval of the CSA
(c) There must be a response force capable of responding to an alarm within 5 minutes, and a reserve response force available to assist the responding force.
3.1.4 Secure Working Areas are accredited facilities used for handling, discussing, and/or processing SCI. but where SCI will not be stored.
3.1.4.1 INSIDE THE US:(a) The Secure Working Area SCIF must meet the specifications set forth in Chapter 4 (Permanent Dry Wall Construction).(b) The Secure Working Area SCIF must be alarmed with a balanced magnetic switch on all perimeter entrance doors.
(c) No storage of SCI material is authorized.
(d) There must be a response force capable of responding to an alarm within 15 minutes after annunciation, and a reserve response force available to assist the responding force.
3.1.4.2 OUTSIDE THE US:
(a) The Secure Working Area SCIF must meet the construction specifications indicated in Chapter 4 (Permanent Dry Wall Construction).(b) The Secure Working Area SCIF must be equipped with an approved alarm system as set forth in Annex B.
(c) No storage of SCI material is authorized.
(d) There must be a response force capable of responding to an alarm within 10 minutes, and a reserve response force available to assist the responding force.
3.2 Temporary Secure Working Area (TSWA)
3.2.1 A Temporary Secure Working area is defined as a temporarily accredited facility that is used no more than 40 hours monthly for the handling, discussion, and/or processing of SCI, but where SCI should not be stored. with sufficient justification, the CSA may approve longer periods of usage and storage of SCI for no longer than 6 months.3.2.2 During the entire period the TSWA is in use, the entrance will be controlled and access limited to persons having clearance for which the area has been approved. Approval for using such areas must be obtained from the CSA setting forth room number(s), building, location, purpose, and specific security measures employed during usage as well as during other periods. TSWAs should be covered by an alarm system. These areas should not be used for periods exceeding an average total of 40 hours per month. No special construction is required other than to meet sound attenuation requirements as set forth in Annex E, when applicable. If such a facility must also be used for the discussion of SCI, a Technical Surveillance Countermeasures (TSCM) evaluation may be required at the discretion of the CSA, as conditions warrant.
3.2.3 When not in use at the SCI level, the TSWA will be:
(a) Secured with a keylock or a combination lock approved by the CSA.(b) Access will be limited to personnel possessing a US Secret clearance.
3.2.4 if such a facility is not alarmed or properly protected during periods of non-use, a TSCM inspection may be conducted prior to use for discussion at the SCI level.
3.3 Requirements Common To All SCIFs; Within The US and Overseas
3.3.1 CONSTRUCTION: The SCIF perimeter walls, floors and ceiling, will be permanently constructed and attached to each other. All construction must be done in such a manner as to provide visual evidence of unauthorized penetration.3.3.2 SOUND ATTENUATION: The SCIF perimeter walls, doors, windows, floors and ceiling, including all openings, shall provide sufficient sound attenuation to preclude inadvertent disclosure of conversation. The requirement for sound attenuation are contained within Annex E.
3.3.3 ENTRANCE, OUT, AND ACCESS DOORS:
3.3.3.1 Primary entrance doors to SCIFs shall be limited to one. If circumstances require more than one entrance door, this must be approved by the CSA. In some circumstances, an emergency exit door may be required. In cases where local fire regulations are more stringent, they will be complied with. All perimeter SCIF doors must be closed when not in use, with the exception of emergency circumstances. If a door must be left open for any length of time due to an emergency or other reasons, then it must be controlled in order to prevent unauthorized removal of SCI.3.3.3.2 All SCIF perimeter doors must be plumbed in their frames and the frame firmly affixed to the surrounding wall. Door frames must be of sufficient strength to preclude distortion that could cause improper alignment of door alarm sensors, improper door closure or degradation of audio security.
3.3.3.3 All SCIF primary entrance doors must be equipped with an automatic door closer, a GSA-approved combination lock and an access control device with the following requirements:2
(a) If doors are equipped with hinge pins located on the exterior side of the door where it opens into an uncontrolled area outside the SCIF, the hinges will be treated to prevent removal of the door (e.g. welded, set screws, etc.)(b) if a SCIF entrance door is not used as an access control door and stands open in an uncontrolled area, the combination lock will be protected against unauthorized access/tampering.
____________________
2 This requirement does not apply to the GSA approved Class 5.6- and 8 vault doors.
3.3.3.4 Control doors: The use of a vault door for controlling daytime access to a facility is not authorized. Such use will eventually weaken the locking mechanism, cause malfunctioning of the emergency escape device, and constitute a security and safety hazard. To preclude this, a second door will be installed and equipped with an automatic door closer and an access control device. (It is preferable that the access door be installed external to the vault door.)
3.3.3.5 SCIF emergency exit doors shall be constructed of material equivalent in strength and density to the main entrance door. The door will be secured with deadlocking panic hardware on the inside and have no exterior hardware. SCIF perimeter emergency exit doors should be equipped with a local annunciator in order to alert people working in the area that someone exited the facility due to some type of emergency condition.
3.3.3.6 Door Construction Types: Selections of entrance and emergency exit doors shall be consistent with SCIF perimeter wall construction. Specifications of doors, combination locks, access control devices and other related hardware may be obtained from the CSA. Some acceptable types of doors are:
(a) Solid wood core door, a minimum of 1-3/4 inches thick.(b) Sixteen gauge metal cladding over wood or composition materials, a minimum of 13/4 inches thick. 'Me metal cladding shall be continuous and cover the entire front and back surface of the door.
(c) Metal fire or acoustical protection doors, a minimum of 1 314 inches thick. A foreign manufactured equivalent may be used if approved by the CSA.
(d) A joined metal rolling door, minimum of 22 gauge, used as a loading dock or garage structure must be approved on a case- by-case basis.
3.3.4 PHYSICAL PROTECTION OF VENTS, DUCTS, AND PIPES:
3.3.4.1 All vents, ducts, and similar openings in excess of 96 square inches that enter or pass through a SCIF must be protected with either bars, or grills, or commercial metal duct sound baffles that meet appropriate sound attenuation class as specified in Annex E. within the United States, bars or grills are not required if an MS is used. If one dimension of the duct measures less than six inches, or duct is less than 96 square inches, bars are not required; however, all ducts must be treated to provide sufficient sound attenuation. If bars arc used, they must be 1/2 inch diameter steel welded vertically and horizontally six (6) inches on center; if grills arc used, they must be of 9-gauge expanded steel; if commercial sound baffles are used, the baffles or wave forms must be metal permanently installed and no farther apart than six (6) inches in one dimension. A deviation of 1/2 inch in vertical and/or horizontal spacing is permissible.3.3.4.2 Based on the TEMPEST accreditation, it may be required that all vents, ducts, and pipes must have a non-conductive section (a piece of dissimilar material e.g., canvas, rubber) which is unable to carry electric current, installed at the interior perimeter of the SCIF.
3.3.4.3 An access port to allow visual inspection of the protection in the vent or duct should be installed inside the secure perimeter of the SCIF. If the inspection port must be installed outside the perimeter of the SCIF. it must be locked.
3.3.5 WINDOWS:
3.3.5.1 All windows which might reasonably afford visual surveillance of personnel, documents, materials, or activities within the facility, shall be made opaque or equipped with blinds, drapes or other coverings to preclude such visual surveillance.3.3.5.2 Windows at ground level3 will be constructed from or covered with materials which will provide protection from forced entry. The protection provided to the windows need be no stronger than the strength of the contiguous walls. SCIFs located within fenced and guarded government compounds or equivalent may eliminate this requirement if the windows are made inoperable by either permanently sealing them or equipping them on the inside with a locking mechanism.
3.3.5.3 All perimeter windows at ground level shall be covered by an IDS.
____________________
3 This should be interpreted to mean any windows which are less than 18 feet above the ground measured from the bottom of the window, or are easily accessible by means of objects directly beneath the windows, (e.g. electrical transformer. air conditioning units. vegetation or landscaping which can easily be climbed, etc.).
4. CONSTRUCTION SPECIFICATIONS4.1 Vault Construction Criteria4.1.1 Reinforced Concrete Construction: Walls, floor, and ceiling will be a minimum thickness of eight inches of reinforced concrete. The concrete mixture will have a comprehensive strength rating of at least 2,500 psi. Reinforcing will be accomplished with steel reinforcing rods, a minimum of 5/8 inches in diameter, positioned centralized in the concrete pour and spaced horizontally and vertically six inches on center, rods will be tied or welded at the inter-sections. The reinforcing is to be anchored into the ceiling and floor to a minimum depth of one-half the thickness of the adjoining member.4.1.2 GSA-approved modular vaults meeting Federal Specification FF-V-2737, may be used in lieu of a 4. 1. 1. above.
4.1.3 Steel-lined Construction: Where unique structural circumstances do not permit construction of a concrete vault, construction will be of steel alloy- type of 1/4" thick, having characteristics of high yield and tensile strength. The metal plates are to be continuously welded to load-bearing steel members of a thickness equal to that of the plates. If the load- bearing steel members are being placed in a continuous floor and ceiling of reinforced concrete, they must be firmly affixed to a depth of one-half the thickness of the floor and ceiling. If the floor and/or ceiling construction is less than six inches of reinforced concrete, a steel liner is to be constructed the same as the walls to form the floor and ceiling of the vault. Scams where the steel plates meet horizontally and vertically are to be continuously welded together,
4.1.4 All vaults shall be equipped with a GSA-approved Class 5 or Class 8 vault door. Within the US, a Class 6 vault door is acceptable. Normally within the United States a vault will have only one door that serves as both entrance and exit from the SCIF in order to reduce costs.
4.2 SCIF Criteria For Permanent Dry Wall Construction
Walls, floor and ceiling will be permanently constructed and attached to each other. To provide visual evidence of attempted entry, all construction, to include above the false ceiling and below a raised floor, must be done in such a manner as to provide visual evidence of unauthorized Penetration.
4.3 SCIF Construction Criteria For Steel Plate
Walls, ceiling and floors arc to be reinforced on the inside with steel plate not less than 1/8" thick. The plates at all vertical joints are to be affixed to vertical steel members of a thickness not less than that of the plates. The vertical plates will be spot welded to the vertical members by applying a one inch long weld every 12 inches; meeting of the plates in the horizontal plane will be continuously welded. Floor and ceiling reinforcements must be securely affixed to the walls with steel angles welded or bolted in place.
4.4 SCIF Construction Criteria For Expanded Metal
Walls are to be reinforced, slab to slab, with 9-gauge expanded metal. The expanded metal will be spot welded every 6 inches to vertical and horizontal metal supports of 16-gauge or greater thickness that has been solidly and permanently attached to the true floor and true ceiling.
4.5 General
The use of materials having thickness or diameters larger than those specified above is permissible. The terms "anchored to and/or embedded into the floor and ceiling" may apply to the affixing of supporting members and reinforcing to true slab or the most solid surfaces; however, subfloors and false ceiling are not to be used for this purpose.
DIRECTOR OF CENTRAL INTELLIGENCE DIRECTIVE (DCID) 1/21
Access Control System: A system to identify and/or admit personnel with properly authorized access to a SCIF using physical, electronic, and/or human controls.
Accreditation: The formal approval of a specific place, referred to as a Sensitive Compartmented Information Facility (SCIF), that meets prescribed physical, technical, and personnel security standards.
Acoustic Security: Those security measures designed and used to deny aural access to classified information.
Astragal Strip: A narrow strip of material applied over the gap between a pair of doors for protection from unauthorized entry and sound attenuation.
Authorized Personnel: A person who is fully cleared and indoctrinated for SCI, has a valid need to know, and has been granted access to the SCIF.
Balanced Magnetic Switch (BMS): A type of IDS sensor which may be installed on any rigid, operable opening (i.e. doors, windows) through which access may be gained to the SCIF.
Break-Wire Detector: An IDS sensor used with screens and grids, open wiring, and grooved stripping in various arrays and configurations necessary to detect surreptitious and forcible penetrations of movable openings, floors, walls, ceilings, and skylights. An alarm is activated when the wire is broken.
Closed Storage: The storage of SCI material in properly secured GSA approved security containers within an accredited SCIF.
Computerized Telephone System (CTS): Also referred to as a hybrid key system, business communication system, or office communications system.
Cognizant Security Authority (CSA): The single principal designated by a SOIC (see definition of SOIC) to serve as the responsible official for all aspects of security program management with respect to the protection of intelligence sources and methods, under SOIC responsibility.
Continuous Operation: This condition exists when a SCIF is staffed 24 hours every day.
Controlled Area: Any area to which entry is subject to restrictions or control for Compound: security reasons.
Controlled Building: A building to which entry is subject to restrictions or control for security reasons.
Co-Utilization: Two or more organizations sharing the same SCIF
Dead Bolt: A lock bolt with no spring action. Activated by a key or turn knob and cannot be moved by end pressure.
Deadlocking Panic Hardware: A panic hardware with a deadlocking latch that has a device when in the closed position resists the latch from being retracted.
Decibel (db): A unit of sound measurement.
Document: Any recorded information regardless of its physical form or characteristics, including, without limitation, written or printed matter, data processing cards and tapes, maps, charts, paintings, drawings, photos, engravings, sketches, working notes and papers, reproductions of such things by any means or process, and sound, voice, magnetic or electronic recordings in any form.
Dual Technology: PIR, microwave or ultrasonic IDS sensors which combine the features of more than one volumetric technology.
Expanded Steel: Also called EXPANDED METAL MESH. A lace work patterned material produced from sheet steel by making regular uniform cuts and then pulling it apart with uniform pressure.
Guard: A properly trained and equipped individual whose duties include the protection of a SCIF. Guards whose duties require direct access to a SCIF, or patrol within a SCIF, must meet the clearance criteria in Director of Central Intelligence Directive 1114. CSA will determine if indoctrination is required.
Intelligence Community (and agencies within the Intelligence Community): Refers to the United States Government agencies and organizations identified in section 3.4(f) (I through 7) of Executive Order 12333.
Intrusion Detection System: A security alarm system to detect unauthorized entry.
Isolator: A device or assembly of devices which isolates or disconnects a telephone or Computerized Telephone System (CTS) from all wires which exit the SCIF and which as been accepted as effective for security purposes by the Telephone Security Group (TSG approved).
Key Service Unit (KSU): An electromechanical switching device which controls routing and operation of an analog telephone system.
Line Supervision:
Class I: Class I line security is achieved through the use of DES or an algorithm based on the cypher feedback or cypher block chaining mode of encryption. Certification by NIST or another independent testing laboratory is required.Class II: Class II line supervision refers to systems in which the transmission is based on pseudo random generated or digital encoding using an interrogation and response scheme throughout the entire communication, or UL Class AA line supervision. The signal shall not repeat itself within a minimum six month period, Class II security shall be impervious to compromise using resistance, voltage, current, or signal substitution techniques.
Motion Detection Sensor: An alarm sensor that detects movement.
Non-Conductive Section: Material (i.e. canvas, rubber, etc.) which is installed in ducts. vents, or pipes, and is unable to carry audio or RF emanations.
Non-Discussion Area: A clearly defined area within a SCIF where classified discussions are not authorized due to inadequate sound attenuation.
Open Storage: The storage of SCI material within a SCIF in any configuration other than within GSA approved security containers.
Response Force: Personnel (not including those on fixed security posts) appropriately equipped and trained, whose duties include initial or follow up response to situations which threaten the security of the SCIF. This includes local law enforcement support or other external forces as noted in agreements.
Secure Working Area: An accredited SCIF used for handling, discussing and/or processing of SCI, but where SCI will not be stored.
Senior Official of the Intelligence Community (SOIC): The head of an agency, of fine [sic], bureau, or intelligence element identified in section 3.4(f) (1 through 6) of Executive Order 12333.
Sensitive Compartmented Information (SCI): SCI is classified information concerning or derived from intelligence sources, methods or analytical processes, which is required to be handled exclusively within formal control systems established by the Director of Central Intelligence.
Sensitive Compartmented Information Facility (SCIF): An accredited area, room, group of rooms, building, or installation where SCI may be stored, used, discussed and/or electronically processed.
Sound Group: Voice transmission attenuation groups established to satisfy acoustical requirements. Ratings measured in sound transmission class may be found in the Architectural Graphic Standards.
Sound Transmission Class (STC): The rating used in architectural considerations of sound transmission loss such as those involving walls, ceilings, and/or floors.
Special Access Program (SAP): Any approved program which imposes need-to-know or access controls beyond those normally required for access to CONFIDENTIAL. SECRET or TOP SECRET information.
Surreptitious Entry: Unauthorized entry in a manner which leaves no readily discernible evidence.
Tactical SCIF: An accredited area used for actual or simulated war operations for a specified period of time.
Technical Surveillance Countermeasures (TSCM) Surveys and Evaluations: A physical, electronic, and visual examination to detect technical surveillance devices, technical security hazards. and attempts at clandestine penetration.
Type Accepted Telephone: Any telephone whose design and construction conforms with the design standards for Telephone Security Group approved telephone sets. (TSG Standard #3, #4, or #5).
Vault: A room(s) used for the storing, handling, discussing, and/or processing of SCI and constructed to afford maximum protection against unauthorized entry.
Waiver: An exemption from a specific requirement of this document.
DIRECTOR OF CENTRAL INTELLIGENCE DIRECTIVE (DCID) 1/21
ANNEX A
(Effective 27 May 1994)SCIF ACCREDITATION CHECKLIST
Table of Contents
Section A General Information
Section B Peripheral Security
Section C SCIF Security
Section D Doors
Section E Intrusion Detection Systems
Section F Telephone System
Section G Acoustical Protection
Section H Administrative Security
Attachments
DATE
FIXED FACILITY CHECKLIST
[ ] PRECONSTRUCTION [ ] NEW [ ]MODIFIED FACILITY
Section A General Information
1. SCIF Data: Organization/Company Name:
SCIF Identification Number (if applicable):Organization subordinate to (If applicable):
Contract Number & Expiration Date:
CSA:
Project Headquarter Security Office (if applicable):
2. SCIF Location:
Street Address:Bldg Name/#: Floor:
Room(s) No:City: State/Country:
ZIP Code:
3. Responsible Security Personnel:
Primary: Alternate:Commercial Telephone:
DSN Telephone:
Secure Telephone: Type:
Home Telephone:
Fax No: (specify both classified and )
Classified: :
Other:
4. Accreditation Data:
a. Category of SCI Requested:Indicate the storage required: Open Storage Closed Storage Continuous
Operation Secure Working Area Temporary Secure Working Areab. Existing Accreditation Information (If applicable):
(1) Category of SCI:(2) Accreditation granted by:
onc. Last TEMPEST Accreditation (if applicable): Accreditation granted
by: ond. If Automated Information Systems (AISs) are used, has an accreditation been granted? YES NO
Accreditation granted
by: one. SAP co-located within SCIF? YES NO
(If Yes, Classification:, and provide copy of Co-utilization Agreement for SAP operation in SCIF.)f. Duty Hours: hours to hours, days per week.
g. Total square feet SCIF occupies:
5. Construction/modification: Is construction or modification complete?
YES NO N/A
(If NO, expected date of completion)6. Inspections:
a. TSCM Service completed by on
(Attach copy of report)Were deficiencies corrected? YES NO NA
(If NO, explain: )b. Last Physical Security Inspection by on
(Attach copy of report)Were deficiencies corrected? YES NO NA
(If NO, explain: )c. Last Security Assistance visit by on
7. REMARKS:
Section B Peripheral Security
8. Describe building exterior security:
a. Fence:b. Fence Alarm:
c. Fence lighting:
d. Television (CCTV):
e. Guards:
f. Other:
9. Building:
a. Construction type:b. Describe Access Controls:
(1) Continuous: YES NO(2) If NO, during what hours?
10. Remarks:
Section C SCIF Security
11. How is access to the SCIF controlled?
a. By Guard Force: YES NO Security Clearance
Level:b. By Assigned Personnel: YES NO
c. By Access Control Device: YES NO
If yes, Manufacturer Model No12. Does the SCIF have windows? YES NO
a. How are they acoustically protected? (If applicable)b. How are they secured against opening?
c. How are they protected against visual surveillance? (If applicable)
13. Do ventilation ducts penetrate the SCIF perimeter? YES NO
a. Number and size (Indicate on floor plan):b. If over 96 square inches, type of protection used:
(1) IDS: YES NO Describe in Section E)(2) Bars/Grills Metal Baffles: YES NO
OTHER - Explain:c. Metal Duct Sound Baffles: Are ducts equipped with:
(1) Metal Baffles: YES NO(2) Noise Generator: YES NO
(3) Non-Conductive Joints: YES NO
(4) Inspection Ports: YES NO
If YES, are they within the SCIF? YES NO If they are located outside of the SCIF, how are they secured?d. If TEMPEST accreditation authority requires; are pipes, conduits, etc., penetrating the SCIF equipped with non-conductive unions at the point they breach the perimeter? YES NO
Are they provided acoustical protection? (if applicable) YES NO14. Construction:
a. Perimeter walls:(1) Material & Thickness:(2) Do the walls extend from the true floor to the true ceiling? YES NO
b. True ceiling (material and thickness):
c. False ceiling? YES NO if yes:
(1) Type of ceiling material:(2) Distance between false and true ceiling:
d. True floor (material and thickness):
e. False Floor? YES NO
if yes: Distance between false and true floor:15. Remarks:
Section D Doors
16. Describe SCIF Primary Entrance Door (Indicate on floor plan):
Is an automatic door closer installed? YES NO
If NO, explain:17. Describe number and type of doors used for SCIF emergency exits and other perimeter doors (Indicate on floor plan):
Is an automatic door closer installed? YES NO
If NO, explain:18. Describe how the door hinges exterior to the SCIF are secured against removal (if in an uncontrolled area):
19. Locking devices:
a. Perimeter SCIF Entrance Door:(1) List manufacturer, model number and Group rating:(2) Does entrance door stand open into an uncontrolled area? YES NO
If YES, describe tamper protection:
b. Emergency Exits and Other Perimeter Doors:
Describe (locks, metal strip/bar, deadbolts, panic hardware):c. Where are the door lock combinations filed?
20. Remarks:
Section E Intrusion Detection Systems
Give manufacturer and model numbers in response to following questions:21. Method of Interior Motion Detection Protection:
a. Accessible Perimeter?
Storage Areas?b. Motion Detection Sensors (Indicate on floor Plan):
Tamper protection: YES NOc. Other (e.g. CCTV, etc.):
22. Door and Window Protection (Indicate on floor plan):
a. Balanced Magnetic Switch (BMS) on door?:
Tamper protection: YES NOb. If SCIF has ground floor windows, how are they protected?
c. Other (e.g. CCTV, etc..)
23. Method of ventilation and duet work protection:
24. Space above false ceiling (only outside the United States, if required):
a. Motion Detection Sensors:
Tamper protection: YES NOb. Other (e.g. CCTV):
25. Space below false floor (only outside the United States, if required):
a. Motion Detection Sensors: Tamper protection: YES NOb. Other (e.g. CCTV):
26. IDS transmission line security protection:
a. Electronic line supervision (Manufacture and Model):
if electronic line supervision. class of service: I IIb. Other:
27. Is emergency power available for the IDS? YES NO
TYPE: Battery Emergency Generator Other28. Where is the IDS control unit for the SCIF located (Indicated on floor plan)?
29. Where is the IDS Alarm annunciator panel located (Indicate on floor plan, Address)?
30. IDS Response Personnel: Describe:
a. Response Force Security Cleared: YES NOLevel:b. Emergency Procedures documented? YES NO
c. Reserve Force available? YES NO
d. Response time required for alarm condition: minutes.
e. Are response procedures tested and records maintained? YES NO
If no, explain:31. Is the IDS tested and records maintained? YES NO
If no, explain:32. Remarks:
Section F Telephone System
33. Method of on-hook security provided:
a. TSG-2 Computerized Telephone System (CTS)? YES NO(1) Manufacturer/Model:(2) Location of the CTS:
(3) Do the CTS installers and programmers have security clearances?
If yes, at what access level (minimum established by CSA):If no, are escorts provided?
(4) Is the CTS installed as per TSG-2 Configuration Requirements? YES NO
(a) If no, provide make and model number of telephone equipment, explain your configuration, and attach a line drawing?(b) Is access to the facility housing the switch controlled? YES NO
(c) Arc all lines between the SCIF and the switch in controlled spaces? YES NO
(5) Does the CTS use remote maintenance and diagnostic procedures or other remote access features? YES NO
If yes, explain those procedures:b. TSG-6 approved telephones?
(1) Manufacturer/Model:(2) TSG number:
(3) Ringer Protection (if required):
c. TSG-6 approved disconnect devices?
(1) Manufacturer/Model:(2)TSG number:
34. Methods of off-hook security provided:
a. Is there a hold or mute feature? YES NO(1) If yes, which feature and is it provided by the: CTS?
or Telephone(2) If no, are approved push-to-operate handsets provided? YES NO
Describe:
35. Automatic telephone call answering:
a. Is there an automatic call answering service for the telephones in the SCIF? YES NOIf yes, provide make and model number of the equipment, explain the configuration, and provide a line drawing.
Section G Acoustical Protection
40. Do all areas of the SCIF meet acoustical requirements? Yes No
If no, describe additional measures taken to provide minimum acoustical protection (e.g. door, windows, etc)41. Is the SCIF equipped with a public address, emergency/fire announcement or music system? Yes No
If yes, describe and explain how protected?42. If any intercommunication system that is not part of the telephone system is used, describe and explain how protected:
43. Remarks:
Section H Administrative Security
45. Destruction Methods:
a Describe method used for destruction of classified/sensitive material:Manufacturer: Model:
Manufacturer: Model:b. Describe location of destruction site(s) in relation to the secure facility:
c. Have provisions been made for the emergency destruction of classified/sensitive program material? (If required): YES NO
If YES, has the emergency destruction equipment and plan been coordinated with the CSA? YES NO46. If reproduction of classified/sensitive material takes place outside the SCIF, describe equipment and security procedures used to reproduce documents:
47 Remarks:
DIRECTOR OF CENTRAL INTELLIGENCE DIRECTIVE (DCID) 1/21
ANNEX B
(Effective 27 May 1994)INTRUSION DETECTION SYSTEMS
Annex B sets forth the requirements and establishes the standards for intrusion detection systems for all SCIFs throughout government and for government-sponsored contractor facilities. Compliance with these standards is mandatory for all facilities established after the effective date of this annex. including any major renovation of existing facilities insofar as the renovation will permit reasonable and practical upgrading, as determined by the Cognizant Security Authority (CSA).
1.0 CONCEPT
An Intrusion Detection System (IDS) must detect an attempted or actual human entry into the protected area. An IDS complements other physical security measures and consists of three essential components:
1.1 Intrusion Detection Equipment (IDE).1.2 Security and response force personnel.
1.3 Operation procedures.
2.0 OPERATION
2.1 IDS components operate as a system with four distinct phases:2.1.1 Detection.2.1.2 Reporting.
2.1.3 Assessment.
2.1.4 Response.
2.2 These elements arc equally important, and none can be eliminated if an IDS is to provide an acceptable degree of protection.
2.2.1 Detection: The detection phase begins as soon as a detector or sensor reacts to stimuli it is designed to detect. The sensor alarm condition is then transmitted over cabling located within the protected area to the Premise Control Unit (PCU). The PCU may service many sensors. The PCU and the sensors it serves comprise a "zone" at the monitor station.This shall be used as the definition of an alarmed zone for purposes of this document.
2.2.2 Reporting: The PCU receives signals from all sensors in a protected area and incorporates these signals into a communication scheme. Another signal is added to the communication for supervision to prevent compromise of the communications scheme. This supervised signal is intended to disguise the information and protect the IDS against tampering or injection of false information by an intruder. The supervised signal is sent by the PCU via the transmission link to the monitor station. Inside the monitor station, either a dedicated panel or central processor monitors information from the PCU signals. When alarms occur, an annunciator generates an audible and visible alert to security personnel. Alarms result normally from intrusion, tampering, component failure, or system power failure.
2.2.3 Assessment: The assessment period is the first phase that requires human interaction. When alarm conditions occur, the operator assesses the situation and dispatches the response force.
2.2.4 Response: The response phase begins as soon as the operator assesses an alarm condition. A response force must immediately respond to all alarms. The response phase must also determine the precise nature of the alarm and take all measures necessary to safeguard the SCIF.
3.0 REQUIREMENTS
3.1 As determined by the CSA, all areas of a SCIF that reasonably afford access to the SCIF, or where SCI is stored, shall be protected by an IDS unless continually occupied.
3.2 Acceptability of Equipment: All IDE must be UL-listed (or equivalent as defined by the CSA) and approved by the CSA. Government and proprietary installed, maintained, or furnished systems are subject to approval only by the CSA.
3.3 Vendor Approval Procedures: Vendors may submit their IDE requests either through a Special Security Officer/Contractor Special Security Officer (SSO/CSSO) or directly to the CSA. Vendors should provide a UL certificate for installation and service (UL 611, 681, 1076, and 2050 apply) directly to the SSO/CSSO or CSA for acceptance. With sufficient justification, the CSA may waive this requirement and waivers must be documented. All requests for acceptance must describe the IDE fully and include the results of testing by a listed independent laboratory. An independent laboratory evaluates the manufacturer's compliance to performance specifications. A request for acceptance of line supervision using Data Encryption Standard (DES) must also include validation from the National Institute of Standards and Technology (NIST) or another independent testing laboratory recognized by the CSA. The description must identify the manufacturer and model of equipment and show how the IDE meets CSA and/or UL standards.
3.4 Preinstallation Approval of IDS: The CSA will approve a proposed IDS before its installation within a SCIF as part of the initial SCIF construction approval process. A proposal for an IDS will be examined for the type and employment of accepted equipment. An IDS proposal will be submitted as part of a preconstruction approval process.
3.5 Equipment:
3.5.1 Transmission Line Security: When the transmission line leaves the SCIF and traverses an uncontrolled area, Class I or Class H CSA accepted line security shall be used.3.5.1.1 Class I: Class I line security is achieved through the use of DES or an algorithm based on the cipher feedback or cipher block chaining mode of encryption. Certification by NIST or another independent testing laboratory is required. The certificate must be retained by the CSA for the duration of operation of the SCIF.3.5.1.2 Class II: Class II line supervision refers to systems in which the transmission is based on pseudo-random generated tones or digital encoding using an interrogation and response scheme throughout the entire communication, or UL Class AA line supervision. The signal shall not repeat itself within a minimum six-month period. Class II security shall be impervious to compromise using resistance, voltage, current, or signal substitution techniques.
3.5.2 Internal Cabling: The cabling between the sensors and the PCU should be dedicated to IDE and must comply with national and local code standards. If applicable, the cabling must be installed in accordance with TEMPEST and COMSEC requirements.
3.5.3 Restriction on Integration of Access Controls into SCIF IDSs: If an access control system is integrated into an IDS, reports from the access control system should be subordinate in priority to reports from intrusion alarms.
3.5.4 Maintenance Mode: When an alarm zone is placed in the maintenance mode, this condition will be signaled automatically to the monitor station. This signal must appear as an alarm or maintenance message at the monitor station, and the IDS shall not be securable while in the maintenance mode. However, the alarm or message must continue visibly at the monitor station throughout the period of maintenance. A standard operating procedure (SOP) must be established to address appropriate actions when maintenance access is indicated at the panel. All maintenance periods will be archived in the system. The CSA may require that the maintenance Personal Identification Number (PIN) be established and controlled by the customer. The IDE will not contain any capability for remote diagnostics, maintenance, or programming, except for an alarm remote test feature at the monitor station. A self-test feature will be limited to one second per occurrence.
3.5.5 Annunciation of Shunting or Masking Condition: Shunting or masking of any internal zone or sensor must be appropriately logged or recorded in archive. A shunted or masked internal zone or sensor must be displayed as such at the monitor station throughout the period the condition exists when-em there is a survey of zones or sensors.
3.5.6 Alarms Indications: Indications of alarm status shall be revealed at the monitoring station and optionally within the confines of the SCIF.
3.5.7 Power Supplies: Primary power for all IDE will be commercial AC or DC power. In the event of commercial power failure at the protected area or monitor station, the equipment will change power sources without causing an alarm indication.
3.5.7.1 Emergency Power: Emergency power must comply with UL 603. Emergency power may consist of battery and/or generator power. When batteries are used for emergency power, they will be maintained at full charge by automatic charging circuits. The manufacturer's periodic maintenance schedule shall be followed and results documented.3.5.7.2 Power Source and Failure Indication: An illuminated indication will exist at the PCU of the power source in use (AC or DC). Equipment at the monitor station will indicate visibly and audibly a failure in power source, a change in power source, and the location of the failure or change.
3.5.8 Tamper Protection: All IDE within the SCIF with removable covers will be equipped with tamper switches. The tamper detection will be monitored continuously whether the IDS is in the access or secure mode of operation.
3.5.9 Prohibition Against Fortuitous Conduction via IDE: No IDE will be employed that allows audio and intelligence-bearing signals to pass out of the SCIF in any form.
3.5.10 Safeguarding IDE:
3.5.10.1 In areas outside the United States, IDE must remain solely under US control, or as otherwise authorized by the CSA.3.5.10.2 Key variables and operational passwords will be safeguarded, disseminated, and controlled as determined by the CSA.
3.6 Installation:
3.6.1 Independent Equipment: All SCIFS will have intrusion detection equipment and zones independent from other protected sites. When many alarmed areas are protected by one monitor station, audible and visible annunciations for SCIF zones must be clearly distinguishable from other annunciations. All sensors protecting the SCIF will be installed within the SCIF.3.6.2 Access/Secure Switch and PCU: No capability will exist to allow changing the access status of the IDS from a location outside the SCIF unless performed by a properly accessed individual. All PCUs must be located inside the SCIF and should be located near the SCIF entrance. SCIF personnel must initiate all changes in access and secure status. Operation of the PCU will be restricted by use of a device or procedure that verifies authorized use. In the secure mode, any unauthorized entry into the SCIF shall cause an alarm to be transmitted immediately to the monitor station.
3.6.3 Motion Detection Protection: All areas of the SCIF that reasonably afford access to the SCIF or where SCI is stored shall be protected with motion detection sensors, e.g., ultrasonic, passive infrared. etc. use of dual technology is authorized when one technology transmits an alarm condition independently from the other technology. A failed detector will cause an immediate and continuous alarm condition. Detection equipment must be installed in compliance with UL 681 and 1076.
3.6.4 Accessible Areas: Within the United States, alarms are not required above the false ceiling or below the false floor. Outside the United States, such alarms may be required by the CSA.
3.6.5 Protection of SCIF Perimeter Doors: Each SCIF perimeter door will be protected by a balanced magnetic switch (BMS) that meets the minimum standards of UL 634. The BMS must be installed in such a manner that an alarm signal will initiate before the non-hinged side of the door opens beyond the thickness of the door from the seated position. Emergency exit doors equipped with integrated life safety hardware may have the life safety alarm component integrated into the SCIF IDS as an additional detector. Emergency exit doors will be monitored 24 hours a day to provide quick identification and response to the appropriate door when there is an alarm indication
3.6.6 windows: All readily accessible windows1 will be protected by an IDS, either independently or by the motion detection sensors in the room, as determined by the CSA.
____________________
1 This should be interpreted to mean any windows which arc less than 18 feet above the ground measured from the bottom of the window, or are easily accessible by means of objects directly beneath the windows, (e.g. electrical transformer, air conditioning units, vegetation, or landscaping which can easily be climbed, etc.).
3.6.7 IDE Installation Criteria: All IDE will be installed in a manner to prevent access or removal from a location external to the SCIF and in compliance with UL 681 for "Installation of Burglar Alarm Equipment."
3.6.8 IDS Requirements for Continuous Operations Facilities: A SCIF accredited for continuous operations may not require an IDS as determined by the CSA. This type of SCIF will be equipped with an alerting system if the occupants cannot observe all potential entrances into the SCIF. The system alerts occupants to an intrusion into the SCIF. An alert system will consist of BMSs or other appropriate sensors. None of the IDE or cabling associated with the alert system will extend beyond the perimeter of the SCIF.
3.6.9 False/Nuisance Alarm: Any alarm signal transmitted in the absence of a detected intrusion is a false alarm. A false alarm becomes a nuisance alarm when the effects of environment, equipment malfunction, operator failure, animals, electrical disturbances, and known effects cause the alarm indication. All alarms shall be investigated and the results documented. The maintenance program for the IDS shall ensure that incidents of false/nuisance alarms will not exceed one in a period of 30 days per zone.
3.7 Personnel:
3.7.1 IDE Installation and Maintenance Personnel: Alarm installation and maintenance will be accomplished by US citizens who have been subjected to a trustworthiness determination (e.g., NAC with no clearance to be issued). Use of foreign nationals or other personnel for this purpose must have prior CSA approval.3.7.2 Monitor Station Staffing: The monitor station will be supervised continuously by US citizens who have been subjected to a trustworthiness determination (e.g., NAC with no clearance to be issued). Use of foreign nationals or other personnel for this purpose must have prior CSA approval. The duties of the monitoring operator will be documented and will entail observing monitor panels for reports of alarms and changes in IDE status, making accurate assessments of these reports, and dispatching the response force or notifying the appropriate authority in the event of an intrusion alarm. The operator will have no duties that interfere with the primary functions of monitoring alarms and dispatching the response force. A documented chain of authority will exist for use by security personnel during unusual situations. The operator will be trained sufficiently in the operation and theory of the IDE to properly interpret all incidents generated by the IDE. This training must also include all actions to be taken on receipt of an alarm activation.
3.8 Procedures:
3.8.1 Testing: SCIF IDS sensors will be tested semiannually. A record of IDE testing will be maintained at the SCIF that reflects: testing date, individuals who performed the test, specific equipment tested, malfunctions, and corrective actions taken. Tests of the response force will be conducted semiannually. A record of response force testing will be maintained.3.8.2 Safeguarding IDS Plans: Details of installed IDS shall be controlled and restricted on a need-to-know basis.
3.8.3 Operating Procedures: A written support agreement must be established for external monitoring and/or response.
3.8.4 Monitoring Station: Where there is an operations security concern, the alarm monitoring panel shall be designed to prevent observation by unauthorized persons.
3.8.5 Alarm Condition Response: Every alarm condition will be treated initially as a detected intrusion until resolved by the response force. The response force will investigate the source of an alarm and will notify SCIF personnel. The response force will take appropriate steps to safeguard the SCIF and prevent the escape of an intruder from the SCIF as permitted by SOP, local law enforcement, and circumstances until properly relieved. Response time to an alarm will not exceed:
3.8.5.1 Open Storage Area five minutes3.8.5.2 Closed Storage Area 15 minutes
3.8.6 Catastrophic Failure: If the IDE suffers catastrophic failure, or loses primary and emergency power, SCIF-indoctrinated individuals must provide security by physically occupying the SCIF until the IDS can be made functional. As an alternative, the outside SCIF perimeter may be continuously protected by the response force or as determined by the CSA.
3.8.7 IDS Logging: The IDS will incorporate a means for providing a historical record of all events, either automatically or through the use of a manual log system. If the D)E has no provision of automatic entry into archive, the operator will record the time, source, and type of alarm, and action taken. Results of investigations by the response force will be maintained at the monitor station. 71c historical record must be routinely reviewed by the responsible security officer. Records of alarm annunciations shall be retained for at least 90 days or until investigations of system violations and incidents have been successfully resolved and recorded.
DIRECTOR OF CENTRAL INTELLIGENCE DIRECTIVE 1/21
ANNEX C
(Effective 27 May 1994)TACTICAL OPERATIONS/FIELD TRAINING
This annex pertains to specialized Sensitive Compartmented Information Facilities (SCIFs) deployed in a tactical operations or field training environment. It is divided into three parts to reflect the accepted modes of tactical operation:
Part I - Ground OperationPart II - Aircraft/Airborne Operation
Part III - Shipborne Operation
DCID 1/21,
Annex C
Table of Contents
PART I GROUND OPERATION
1.0 PURPOSE2.0 APPLICABILITY AND SCOPE
3.0 RESPONSIBILITIES
4.0 ACCREDITATION OF TACTICAL SCIFs
5.0 PHYSICAL CONFIGURATION
6.0 TACTICAL SCIF OPERATIONS USING VANS, SHELTERS, AND VEHICLES
7.0 TACTICAL SCIF OPERATIONS WITHIN EXISTING PERMANENT STRUCTURES
8.0 MOBILE SIGINT SCIFs
9.0 SEMI-PERMANENT SCIFs
10.0 ELECTRICAL POWER
11.0 TEMPEST REQUIREMENTS
12.0 TELEPHONE EQUIPMENT
PART H AIRCRAFT/AIRBORNE OPERATION
1.0 PURPOSE2.0 APPLICABILITY
3.0 RESPONSIBILITIES
4.0 ACCREDITATION OF AIRCRAFT/AIRBORNE, FACILITIES
5.0 POST AND PATROL REQUIREMENTS
6.0 ENTRY HATCHES
7.0 TEMPEST REQUIREMENTS
8.0 UNSCHEDULED AIRCRAFT LANDINGS
9.0 VOICE TRANSMISSIONS
10.0 DESTRUCTION REQUIREMENTS
PART III SHIPBOARD OPERATION
1.0 PURPOSE
2.0 APPLICABILITY AND SCOPE
3.0 TYPES OF SHIPBOARD SCIFs (S/SCIFs)
4.0 PERMANENT ACCREDITATION
5.0 STANDARDS
6.0 INTRUSION DETECTION SYSTEM (IDS)
7.0 PASSING SCUTTLES AND WINDOWS
8.0 LOCATION OF CRYPTOGRAPHIC EQUIPMENT
9.0 SECURE STORAGE CONTAINERS
10.0 TELEPHONES
11.0 SECURE TELEPHONE UNIT-III (STU-III)
12.0 SOUND POWERED TELEPHONES
13.0 SCI INTERCOM ANNOUNCING SYSTEM
14.0 SUPPORTING INTERCOMMUNICATION ANNOUNCING SYSTEMS
15.0 COMMERCIAL INTERCOMMUNICATION EQUIPMENT
16.0 GENERAL ANNOUNCING SYSTEMS
17.0 PNEUMATIC TUBE SYSTEMS
18.0 DESTRUCTION EQUIPMENT
19.0 EMERGENCY POWER
20.0 SCI PROCESSING SYSTEMS
21.0 TEMPORARY ACCREDITATION
22.0 TEMPORARY SECURE WORKING AREAS (TSWAs)
23.0 EMBARKED PORTABLE SHIPBOARD COLLECTION VANS (PSCVs)
PART I GROUND OPERATION:
1.0 PURPOSE:
This Annex prescribes the procedures for the physical security requirements for the operation of a Sensitive Compartmented Information Facility (SCIF) while in a field or tactical configuration, including training exercises. It also addresses the standards for truck mounted or towed trailer style shelters designed for use in a tactical environment but used in a garrison environment known as a Semi-permanent SCIF (SPSCIF).
2.0 APPLICABILITY AND SCOPE:
Recognizing that field/tactical operations, as opposed to operations within a fixed military installation, are of the type considered least secure, the following minimum physical security requirements will be met and maintained. Situation and time permitting, these standards will be improved upon using the security considerations and requirements for permanent secure facilities as an ultimate goal. If available, permanent-type facilities will be used. Under field or combat conditions, a continuous 24-hour operation is mandatory. Every effort must be made to obtain the necessary support from the host command (e.g., security containers, vehicles, generators, fencing, guards, weapons. etc.).
2.1 The Tactical SCIF (T-SCIF) shall be located within the supported headquarters defensive perimeter and preferably, also within the Tactical Operations Center (TOC) perimeter.2.2 The T-SCIF shall be established and clearly marked using a physical barrier. Where practical, the physical barrier should be triple-strand concertina or General Purpose Barbed Tape Obstacle (GPBTO). The Tactical SCIF approval authority shall determine whether proposed security measures provide adequate protection based on local threat conditions.
2.3 The perimeter shall be guarded by walking or fixed guards to provide observation of the entire controlled area. Guards shall be armed with weapons and ammunition. The types of weapons will be prescribed by the supported commander. Exceptions to this requirement during peace may only be granted by the T-SCIF approval authority based on local threat conditions.
2.4 Access to the controlled area shall be restricted to a single gate/entrance, which will be guarded on a continuous basis.
2.5 An access list shall be maintained, and access restricted to those people whose names appear on the list.
2.6 The Tactical SCIF shall be staffed with sufficient personnel as determined by the on-site security authority based on the local threat conditions.
2.7 Emergency destruction and evacuation plans shall be kept current.
2.8 SCI material shall be stored in lockable containers when not in use.
2.9 Communications shall be established and maintained with backup response forces, if possible.
2.10 The SSO, or designee, shall conduct an inspection of the vacated Tactical SCIF area to ensure SCI materials are not inadvertently left behind when the T-SCIF moves.
2.11 Reconciliation of T-SCIF activation and operational data shall be made not more than 30 days after SCIF activation. Interim reporting of SCIF activities may be to the CSA.
3.0 RESPONSIBILITIES:
The Cognizant Security Authority (CSA) is responsible for ensuring compliance with these standards and providing requisite SCI accreditation.. T1he CSA may further delegate T-SCIF accreditation authority one command level lower. The Senior Intelligence Officer (SIO) is responsible when a temporary field or Tactical SCIF is used in support of field training exercises. During a period of declared hostilities or general war, a T-SCIF may be established at any level of accreditation upon the verbal order of a General or Flag Officer Commander.
4.0 ACCREDITATION OF TACTICAL SCIFs:
4.1 An Accreditation Checklist shall not be required for establishment of a T-SCIF. Approval authorities may require use of a local tactical deployment checklist.
4.2 The element requesting establishment of a T-SCIF shall notify the CSA, or designee, prior to commencement of SCIF operations. The message shall provide the following information:
4.2.1 ID number of parent SCIF.4.2.2 Name of the Tactical SCIF.
4.2.3 Deployed from (location).
4.2.4 Deployed to (location).
4.2.5 SCI level of operations.
4.2.6 Operational period.
4.2.7 Name of exercise or operation.
4.2.8 Identification of facility used for T-SCIF operations (e.g., vans, buildings, tents).
4.2.9 Points of contact (responsible officers).
4.2.10 Description of security measures for entire operational period of SCIF.
4.2.11 Comments.
5.0 PHYSICAL CONFIGURATION:
A T-SCIF may be configured using vehicles, trailers, shelters, bunkers, tents, or available structures to suit the mission. Selection of a T-SCIF site should first consider effective and secure mission accomplishment.
6.0 TACTICAL SCIF OPERATIONS USING VANS, SHELTERS, AND VEHICLES:
6.1 When a rigid side shelter or portable van is used for SCI operations, it shall be equipped with either a combination lock that meets all requirements of Federal Specification FF-L-2740 or other CSA-approved lock. The combination to the lock or keys shall be controlled by the SSO at the security level for which the T-SCIF is accredited. The shelter or van shall be secured at all times when not activated as a SCIF.6.2 The SCIF entrance of a radio frequency shielded enclosure designed for tactical operations may be secured with the manufacturer supplied locking device or any combination of the locking devices mentioned above.
7.0 TACTICAL SCIF OPERATIONS WITHIN EXISTING PERMANENT STRUCTURES:
7.1 A T-SCIF may be operated within an existing structure when:7.1.1 Location is selected on a random basis.7.1.2 The location is not reused within a 36 month period. If reused within 36 months for SCI discussion, a TSCM evaluation is recommended.
7.2 There is no restriction over SCI discussion within a T-SCIF during war.
8.0 MOBILE SIGINT SCIFs:
8.1 A continuous 24-hour operation is mandatory.8.2 The T-SCIF shall be staffed with sufficient personnel as determined by the on-site security authority based on the local threat conditions.
8.3 External physical security measures shall be incorporated into the perimeter defense plans for the immediate area in which the T-SCIF is located.
8.3.1 A physical barrier is not required as a prerequisite to establish a mobile SIGINT T-SCIF8.3.2 External physical security controls will normally be a function of the people controlling the day-to-day operations of the T-SCIF.
8.4 Communications shall be established and maintained with backup guard forces, if possible.
8.5 Emergency destruction plans shall incorporate incendiary methods to ensure total destruction of SCI material in emergency situations.
8.6 A rigid side shelter or a portable van are two possible configurations that may be used.
8.6.1 When a rigid side shelter or portable van is used, it is subject to the following additional restrictions:
8.6.1.1 If it is a shelter, it shall be mounted to a vehicle in such a way as to provide the shelter with the capability of moving on short notice.8.6.1.2 A GSA-approved security container shall be permanently affixed within the shelter. The combination to the lock will be protected to the level of security of the material stored therein.
8.6.1.3 Entrance to the T-SCIF shall be controlled by SCI-indoctrinated people on duty within the shelter. When situations occur where there are no SCI-indoctrinated people within the shelter, i.e., during redeployment, classified material shall be stored within the locked GSA container and the exterior entrance to the shelter will be secured.
8.6.1.4 Entrance to the T-SCIF shall be limited to SCI-indoctrinated people with an established need-to-know whenever SCI material is used within the shelter.
8.6.2 When a rigid side shelter or portable van is not available and a facility is required for SCI operations, such as in the case of a soft side vehicle or man-portable system, it is subject to the following additional restrictions:
8.6.2.1 Protection will consist of an opaque container, i.e., leather pouch, metal storage box, or other suitable container that prevents unauthorized viewing of the material8.6.2.2 This container shall be kept in the physical possession of an SCI-indoctrinated person.
8.7 The quantity of SCI material permitted within the T-SCIF will be limited to that which is absolutely essential to sustain the mission. Stringent security arrangements shall be employed to ensure that the quantity of SCI material is not allowed to accumulate more than is absolutely necessary.
8.7.1 All working papers generated within the T-SCIF shall be destroyed at the earliest possible time after they have served their mission purpose to preclude accumulation of unnecessary classified material.8.7.2 If AIS equipment is used to store or process SCI data, a rapid and certain means of destruction shall be available to AIS operators to ensure the total destruction of classified material under emergency or combat conditions.
8.8 Upon cessation of hostilities, all classified material shall be returned to the parent element of the SCIF for reconciliation of records and destruction of obsolete material.
9.0 SEMI-PERMANENT SCIFs:
9.1 Vehicles with mounted shelters or towed trailer type shelters, designed for field or tactical use, that are employed as tactical SCIFs when deployed may also be used as a SCIF in non-tactical situations if the SIO determines there is a need for more SCIF area and time and/or funds are not available to construct or enlarge a permanent SCIF. These types of SCIFs are SEMI-PERMANENT SCIFs (SPSCIFs).9.2 The SPSCIF shall be accredited and operated in the same manner as a permanent SCIF. Requirements for TEMPEST and AIS accreditation apply as well.
9.3 The SPSCIF must be of rigid construction similar to a van, trailer, or transportable shelter. The construction material must be of such composition to show visible evidence of forced entry. Vents and air ducts must be constructed to prevent surreptitious entry. The doors must be solid construction and plumbed so the door forms a good acoustical seal. If installed, emergency exits and escape hatches must be constructed so they can only be opened from the interior of the SPSCIF.
9.4 The SPSCIF must be placed within a fenced compound on a military installation or equivalent, as determined by the CSA. The fence must be at least ten (10) feet from the SPSCIF and related building and equipment. The distance from the fence to the SPSCIF may have to be greater to provide acoustical security or to meet COMSEC or TEMPEST requirements. Access control to the fenced compound must be continuous.
9.5 All SPSCIFs must have a combination lock that meets all requirements of Federal Specification FF-L-2740 or other CSA approved lock. (NOTE: Just as with combinations, keys require protection equivalent to the information which they protect.)
9.6 SPSCIFs do not need any additional security measures if one of the following exists:
9.6.1 Continuous operations. Continuous operations exist when the SPSCIF is occupied by one or more SCI-indoctrinated persons 24 hours a day. When there are multiple vehicles/shelters within a fenced compound, only those occupied by one or more SCI-indoctrinated people qualify as continuous operations facilities.9.6.2 Dedicated guard force who have been subjected to a trustworthiness determination (e.g., NAC with no clearance to be issued). The dedicated guard force must be present whenever the SPSCIF is not occupied and must have continuous surveillance of the SPSCIF entrances. The guard force must check the perimeter of the SPSCIF at least twice an hour at random intervals. Guard response time will be five minutes or less.
9.7 SPSCIFs not storing classified material and not meeting one of the requirements in the above paragraphs may be required to have an Intrusion Detection System (IDS) as prescribed in ANNEX B as required by the CSA.
9.8 Requirements for storage when unoccupied:
9.8.1 SCI material will not be stored in a SPSCIF except when removal is not feasible, i.e., computer hard disk.9.8.2 Storage in the United States and Outside the United States. If the SPSCIF does not have continuous operations or a dedicated guard force, an combination lock that meets all requirements of Federal Specification FF-L- 2740 or other CSA approved lock and an IDS for the SPSCIF interior is required. The interior SPSCIF IDS must be as prescribed in ANNEX B. The CSA may require exterior compound IDS.
10.0 ELECTRICAL POWER:
Electrical power supplied to T-SCIFs may be furnished by commercial or locally generated systems, as follows:
10.1 Tactical generator with access controls, including guards or surveillance of the generating equipment.10.1.1 The generating equipment shall be located within the protected perimeter of the organization supporting the T-SCIF. The generator shall not require location within the SCIF compound perimeter.10.1.2 Generator operator and maintenance people shall be US citizens.
10.2 in general, RF filters or isolators are not required for TEMPEST protection of commercial AC (alternating current) power lines used for SCI processing equipment in a T-SCIF
10.3 Filtering and isolation generators (an electrical motor coupled to a generator by non-conductive means) may be used to provide isolated electrical power to the SCIF. The motor generator location shall be within the SCIF compound perimeter.
11.0 TEMPEST REQUIREMENTS:
Authority for TEMPEST accreditation of all compartments of SCI processed in a Tactical SCIF is delegated to the CSA based on review by the Certified TEMPEST Technical Authority (CTTA).
12.0 TELEPHONE EQUIPMENT:
Telephone instruments used within a T-SCIF shall meet requirements outlined in the Telephone Security ANNEX. Restrictions contained within the Telephone Security ANNEX pertaining to SCIF telephone services do not apply to T-SCIF operations during war.
PART II AIRCRAFT/AIRBORNE OPERATION:
1.0 PURPOSE:
This annex prescribes the physical security procedures for the operation of a Sensitive Compartmented Information Facility (SCIF) for aircraft including airborne missions.
2.0 APPLICABILITY:
This annex is applicable to all aircraft to be utilized as a SCIF. Existing or previously accredited facilities do not require modification to conform with these standards.
3.0 RESPONSIBILITIES:
The CSA is responsible for ensuring compliance with these standards and providing SCI accreditation. The CSA may delegate aircraft/airborne SCIF accreditation authority to the major command level. The major command/organization Senior Intelligence Officer (SIO) is responsible when an aircraft is used as a temporary SCIF in support of field training exercises. During a period of declared hostilities or general war, an aircraft/airborne SCIF may be established at any level of accreditation upon the verbal order of a General or Flag Officer Commander. The major command/organization is responsible for ensuring compliance with this annex.
4.0 ACCREDITATION OF AIRCRAFT/AIRBORNE FACILITIES:
4.1 An accreditation checklist will not be required for the establishment of an aircraft/ airborne SCIF. Approval authorities may require use of a local deployment checklist, if necessary.4.2 The element requesting establishment of an aircraft/airborne SCIF will notify the CSA prior to commencement of SCIF operations. The letter or message will indicate the following information:
Name of aircraft/airborne SCIF
Major command/organization
ID number of parent SCIF, if applicable
Deployed from (location) and dates
Deployed to (location) and dates
SCI level of operations
Name of exercise or operation
Points of Contact
Type of Aircraft and area to be accredited as a SCIF
Description of security measures for entire operational period of SCIF (SOP)4.3 The SCIF will be staffed with sufficient personnel as determined by the on-site security authority based on the local threat environment.
4.4 SCI material will be removed from the aircraft on mission completion or at any landings, if feasible. When removal is not possible, or when suitable storage space/locations are not available, two armed (with ammunition) SCI-indoctrinated personnel must remain with the aircraft to control entry to the SCIF. Waivers to the requirement for weapons and ammunition may be approved on a case-by-case basis by the Commander.
4.5 The SSO or senior SCI-cleared person will conduct an inspection of the vacated SCIF to ensure SCI materials are not left behind.
4.6 Aircraft that transport SCI material incidental to travel between airfields do not require accreditation. However, compliance with directives pertaining to security of SCI material and communications is mandatory.
5.0 POST AND PATROL REQUIREMENTS:
Accredited aircraft require perimeter access controls, a guard force, and a reserve security team.
5.1 Unless protected by an approved IDS, hourly inspections will be made of all hatches and seals (including seal numbers).5.2 A guard force and response team must be provided, capable of responding within five minutes if open storage is authorized or 15 minutes for closed storage.
53 When aircraft are parked outside an established controlled area, a temporary controlled area must be established.
6.0 ENTRY HATCHES:
6.1 The aircraft commander or crew members will provide guard force personnel who have been subjected to a trustworthiness determination (e.g., NAC with no clearance to he issued) prior to departing from the immediate area of the aircraft.6.2 All hatches will be locked to prevent unauthorized access. Hatches that cannot be secured from the outside will be sealed using serially numbered seals.
7.0 TEMPEST REQUIREMENTS:
Authority for TEMPEST accreditation of all compartments of SCI processed in an aircraft/airborne SCIF is delegated to the CSA, based on review by the Cognizant Certified TEMPEST Technical Authority (CTTA).
8.0 UNSCHEDULED AIRCRAFT LANDINGS:
8.1 US Military Bases: The local SSO or base security officer will be notified of the estimated arrival time and security protection required.8.2 Other Airfields:
8.2.1 Within the United States, the local Federal Aviation Administration (FAA) Security Officer will be notified of the estimated arrival time and security protection required.8.2.2 on arrival, the senior SCI-indoctrinated person is responsible for controlling entry and maintaining surveillance over the aircraft until all SCI material is secured in an accredited SCIF or the aircraft departs.
8.2.3 Any properly accredited US Government SCIF may be used for temporary storage of materials from the aircraft. If the facility is not accredited for the level of information to be stored, the material must be double wrapped with initialed seals and stored in a GSA-approved security container.
8.3 Unfriendly Territory:
If an aircraft landing in unfriendly territory is anticipated, all SCI material will be immediately destroyed, with the destruction process preferably taking place prior to landing.
8.3.1 When flights are planned over unfriendly territory, SCI to be carried on board will be selected by the intelligence mission personnel and consist of the absolute minimum required for mission accomplishment.8.3.2 All personnel will rehearse emergency destruction before each mission. Such emergency preparation rehearsals will be made a matter of record.
9.0 VOICE TRANSMISSIONS:
SCI discussions will only be conducted via appropriately encrypted aircraft radio.
10.0 DESTRUCTION REQUIREMENTS:
10.1 An Emergency Action Plan (EAP) will be written that provides for the evacuation and/or destruction of classified material. Evacuation plans and destruction equipment must be approved by the CSA and tested by mission personnel.10.2 Emergency destruction and evacuation plans will be kept current.
PART III SHIPBOARD OPERATION:
1.0 PURPOSE:
This annex specifies the requirements for construction and security protection of SCIFs located on ships. The SCI accreditation checklist for ships may be obtained from the Director, Office of Naval Intelligence, 4301 Suitland Road, Washington, D.C. 20395.
2.0 APPLICABILITY AND SCOPE:
2.1 This annex is applicable to all new construction surface combatant ships. The application of this annex to surface non-combatants or sub-surface vessels will be referred to the CSA.2.2 There may be instances in which circumstances constitute a threat of such proportion that they can only be offset by stringent security arrangements over and above those prescribed in this annex. Conversely, there may be instances in which time, location, mission, and/or condition of use of materials would make full compliance with these standards unreasonable or impossible. Such situations will be referred to the CSA for resolution on a case-by-case basis.
2.3 Existing or previously approved facilities do not require modification to conform with these standards
3.0 TYPES OF SHIPBOARD SCIFs (S/SCIFs):
3.1 Permanent S/SCIFs: An area aboard ship where SCI operations, processing, discussion, storage, or destruction takes place. The area will have a clearly defined physical perimeter barrier and continuous physical security safeguards. The area may contain one or more contiguous spaces requiring SCIF accreditation. This type S/SCIF is routinely used during deployment and import operations.3.2 Temporary S/SCIFs: An area aboard ship where temporary SCI operations, processing, discussion, storage, or discussion takes place. The area will have a clearly defined physical perimeter barrier and continuous physical security safeguards. The area may contain one or more contiguous spaces requiring SCIF accreditation. It will be continuously manned with sufficient SCI-cleared and - indoctrinated personnel, as determined by the on-site security authority based on the local threat environment, when SCI is present within the area. Temporary shipboard SCI operations will be limited to:
3.2.1 A single deployment that will not exceed 12 months.3.2.2 A single mission requiring SCI operations that cannot be defined in length of operational time.
3.2.3 During the period immediately preceding relocation of the ship to a refitting facility where the Temporary S/SCIF is scheduled for renovation and compliance with this annex. There will be a schedule established for renovation of the S/SCIF with confirmatory reporting of such to the CSA.
3.2.4 Temporary Platforms: A mobile or portable SCIF may be temporarily placed aboard a ship. Such platforms will be accredited on a temporary basis for a single deployment mission. 'Me platform will be manned 24 hours a day by sufficient SCI-cleared and -indoctrinated personnel as determined by the on-site security authority. At the completion of the mission, the accreditation period will end and the CSA notified that the platform is certified clear and free of all SCI materials.
4.0 PERMANENT ACCREDITATION:
Ships requesting permanent accreditation status will provide to the CSA a complete inspection report and the Shipboard Inspection Checklist, certifying compliance with this Annex.
5.0 STANDARDS:
The physical security criteria for permanent S/SCIFs; is as follows:
5.1 Physical Perimeter: The physical perimeter of an SCI space will be fabricated of structural bulkheads (aluminum or steel) with a thickness not less than 0.125 inch. Elements of the physical perimeter will be fully braced and welded in place.5.2 Continuous SCI Spaces: Where several SCI spaces are contiguous to each other in any or all dimensions, the entire complex may be enclosed by a single physical perimeter barrier conforming to this annex.
5.2.1 Access to the SCI complex will be controlled by a single access door conforming to this annex. Each compartment within the complex may have a separate access door from within the common physical perimeter barrier. Such interior access control doors do not need to conform with this annex.5.2.2 Access procedures will be established to ensure against cross-traffic of personnel not holding appropriate SCI access.
5.3 Normal Access Door: The normal access door will be a shipboard metal joiner door with honeycomb-core and fitted as specified below:
5.3.1 Where the normal access door is in a bulkhead that is part of an airtight perimeter, the airtight integrity may be maintained by co-locating the airtight door with the metal joiner door, or by adding a vestibule.5.3.2 The metal joiner door will be equipped with a combination lock that meets all requirements of Federal Specification FF-L-2740 or other CSA approved lock.
5.3.3 in addition to the lock, the door will be equipped with an access control device.
5.3.4 The door will be constructed in a manner that will preclude unauthorized removal of hinge pins and anchor bolts, as well as to obstruct access to lock-in bolts between door and frame.
5.4 Emergency Exit: The emergency exit will be fabricated of aluminum plate or steel in accordance with this annex. The exit will be mounted in a frame braced and welded in place in a manner commensurate with the structural characteristics of the bulkhead, deck or overhead in which it is situated.
5.5 Restriction on Damage Control Fittings and Cables: Because of the security restrictions imposed in gaining access to these spaces, no essential damage control fittings or cables will be located within or pass through an SCI space. This requirement is not applicable to damage control fittings, such as smoke dampers, that may be operated by personnel within the space during normal manning.
5.6 Removable Hatches and Deck Plates: Hatches and deck plates less than 10 square feet that are secured by exposed nuts and bolts (external to the SCI space) will be secured with externally attached, high security padlocks (unless their weight makes removal unreasonable). The padlock keys will be stored in a security container located within a space under appropriate security control.
5.7 Vent and Duct Barriers: Vents, ducts, or other physical perimeter barrier openings with a cross-sectional dimension greater than 96 square inches will be protected at the perimeter with a fixed barrier or security grill.
5.7.1 The grill will be fabricated of steel or aluminum grating or bars with a thickness equal to the thickness of the physical perimeter barrier. If a grating is used, bridge center-to-center measurements will not exceed 1.5 inches by 4 inches. Bars will be mounted on 6 inch centers. The grating or bars will be welded into place.5.7.2 This requirement is not applicable to through ducts that have no opening into the space.
5.8 Acoustical Isolation: The physical perimeter barrier of all SCI spaces will be sealed or insulated with non-hardening caulking material to prevent inadvertent disclosure of SCI discussions or briefings from within the space, taking into account the normal ambient noise level, to persons located in adjacent passageways and/or compartments.
5.8.1 In cases where the perimeter material installation does not sufficiently attenuate voices or sounds of activities originating SCI information, the ambient noise level will be raised by the use of sound countermeasure devices, controlled sound generating source. or additional perimeter material installation.5.8.2 Air handling units and ducts will be equipped with silencers or sound countermeasure devices unless continuous duty blowers provide a practical, effective level of masking (blower noise) in each air path. The effective level of security may be determined by stationing personnel in adjacent spaces or passageways to determine if SCI can be overheard outside the space.
5.9 Visual Isolation: Door or other openings in the physical perimeter barrier through which the interior may be viewed will be screened or curtained.
6.0 INTRUSION DETECTION SYSTEM (IDS):
The S/SCIF access door and emergency exit will be protected by a visual and audible alarm system. The installation will consist of sensors connected at each door and alerting indicators located at the facility supervisors position. The normal access door alarm may have a disconnect feature.
6.1 Emergency exits will be connected to the alarm system at all times and will not have a disconnect feature installed.6.2 The IDS will be connected to a remote alarm monitor station, which may be co-located with other IDS, and located within a space which is continuously manned by personnel capable of responding to or directing a response to an alarm violation at the protected space when it is unmanned.
6.3 Primary power for the IDS will be connected to an emergency lighting panel within the space. SCI spaces that are under continuous manning will be staffed with sufficient personnel, as determined by the on-site security authority based on the local threat environment, who have the continuous capability of detecting forced or surreptitious entry without the aide of an IDS.
7.0 PASSING SCUTTLES AND WINDOWS;:
Passing scuttles and windows will not be installed between SCI spaces and any other space on the ship.
8.0 LOCATION OF CRYPTOGRAPHIC EQUIPMENT:
On-line and off-line cryptographic equipment and terminal equipment processing SCI will be located only within the S/SCIF.
9.0 SECURE STORAGE CONTAINERS:
SCI material will be stored only in GSA approved Class 5, 6, or 7 security containers. Containers will be welded in place, or otherwise secured to a foundation for safety.
10.0 TELEPHONES:
Telephone instruments used within a S/SCIF will meet the Telephone Security Annex standards.
11.0 SECURE TELEPHONE UNIT-III (STU-III):
The STU-III Type I terminals may be installed within a S/SCIF.
12.0 SOUND POWERED TELEPHONES:
Where possible, sound powered telephones will be eliminated from S/SCIFs. Sound powered telephones located within the S/SCIF connecting to locations outside the S/SCIF will comply with the following
12.1 The telephone cable will not break out to jackboxes, switchboards, or telephone sets other than at the designated stations. The telephone cable will not be shared with any circuit other than call or signal systems associated with the S/SCIF circuit.12.2 The telephone cable will be equipped with a selector switch, located at the controlling station, which is capable of.
12.2.1 Disconnecting all stations;12.2.2 Selecting any one station and disconnecting the remaining stations; and
12.2.3 Parallel connection to all stations.
12.3 Other S/SCIFs located aboard the same ship, which have sound powered telephones not equipped with the required selector switch, will have a positive disconnect device attached to the telephone circuit.
12.4 Sound powered telephones within a S/SCIF that are not used for passing SCI information will have a sign prominently affixed to them indicating that they are not to be used for passing SCI.
12.5 A call or signal system will be provided. Call signal station, type ID/D, when used for circuit EM will be modified to provide a disconnect in the line to prevent a loud-speaker from functioning as a microphone.
13.0 SCI INTERCOM ANNOUNCING SYSTEM:
An intercommunication-type announcing system processing SI that connects to or passes through areas outside the S/SCIF must be approved by the CSA.
14.0 SUPPORTING INTERCOMMUNICATION ANNOUNCING SYSTEMS:
Intercommunication-type announcing systems installed within an S/SCIF that do not process SCI information will be designated or modified to provide the following physical or electrical security safeguards:
14.1 Operational mode of the unit installed within the S/SCIF will limit operation to push-to-talk mode only.14.2 Receive elements will be equipped with a local amplifier as a buffer to prevent loud-speakers or earphones from functioning as microphones.
14.3 Except as specified, radio transmission capability for plain radio telephone (excluding secure voice) will not be connected. Cable conductors assigned to the transmission of plain language radio telephones will be connected to ground at each end of the cable
14.4 Equipment modified will have an appropriate field change label affixed to the unit that indicates the restriction. Additionally, the front panel will have a sign warning the user that the system is not passing classified information.
15.0 COMMERCIAL INTERCOMMUNICATION EQUIPMENT:
Commercial intercommunication equipment will not be installed within a S/SCIF without prior CSA approval.
16.0 GENERAL ANNOUNCING SYSTEMS:
General announcing system loudspeakers will have an audio amplifier, and the output signal lines will be installed within the S/SCIF.
17.0 PNEUMATIC TUBE SYSTEMS:
Pneumatic tube systems will not be installed. Existing systems will be equipped with the following security features:
17.1 Locked cover at both ends.17.2 Capability to maintain the pressure or vacuum and capability to lock in the secure position at the initiating end.
17.3 Direct voice communications link between both ends to confirm the transportation and receipt of passing cartridges.
17.4 Special, distinctive color for SCI material passing cartridges.
17.5 Pneumatic tubes will ran through passageways and will be capable of being visually inspected along their entire length.
18.0 DESTRUCTION EQUIPMENT:
A CSA-approved means of destruction of SCI material will be provided for each S/SCIF. Non-combatant surface ships that transit hostile waters without combatant escort will have appropriate Anti-compromise Emergency Destruction (ACED) equipment on board and such equipment will be prepared for use. The ACED will be dedicated to SCI destruction. SCI material will not be destroyed by jettisoning overboard under any circumstances,
19.0 EMERGENCY POWER:
A S/SCIF will have emergency power available that will operate destruction equipment, alarm systems, access control devices, and emergency lighting equipment for a minimum of six hours.
20.0 SCI PROCESSING SYSTEMS:
A S/SCIF that processes SCI electronically or electrically should be provided a TEMPEST evaluation prior to activation. All computer and network systems that process SCI must be accredited or certified for operation by the cognizant SCI AIS Accreditation Authority.
21.0 TEMPORARY ACCREDITATION:
Ships requiring temporary accreditation status will be processed for accreditation upon completion of a physical security inspection and certification of compliance with the following security requirements:
21.1 if the space is used to electrically process SCI information, the CSA will make a TEMPEST evaluation based on threat.21.2 The physical perimeter barrier will consist of standard structural, non-support, or metal joiner bulkheads welded or riveted into place and meet the acoustical isolation requirements of a S/SCIF.
21.3 Doors will be at least metal joiner doors equipped with door closures and capable of being secured from the inside. Dutch doors are not acceptable. If cryptographic equipment is installed or stored within the space and the space will be temporarily unmanned while cryptographic key material and/or SCI material are stored elsewhere, the door will be equipped with a tamper-proof hasp and combination pad-lock.
21.4 Doors and other openings in the perimeter that permit aural or visual penetration of the internal space will be screened, curtained, or blocked.
21.5 An effective, approved secure means of destruction of SCI material will be readily available in the space or nearby in general service spaces.
21.6 Cryptographic equipment used to process SCI information will be located in the SCI space or, if located in a secure processing center other than that accredited for SCI, will be electrically configured so as not to be compatible with the secure processing system of that secure processor.
21.7 All telephones (to include STU-III instruments and sound powered telephones) will be as specified for S/SCIFs.
21.8 Processing of SCI via AIS will be as specified for S/SCIFs.
22.0 TEMPORARY SECURE WORKING AREAS (TSWAs):
Ships requiring TSWA accreditation for "contingency" or "part-time" usage will be processed for accreditation upon completion of a physical security inspection and certification of compliance with the following security requirements:
22.1 The physical perimeter barrier requires no special construction, provided it can prevent visual and aural access during all periods of SCI operation.22.2 Doors will be capable of being secured from the inside.
22.3 Provisions will be made for posting a temporary sign that reads "RESTRICTED AREA - KEEP OUT - AUTHORIZED PERSONNEL ONLY".
22.4 When SCI material is to be stored in the space, a secure storage container will be provided. Security storage containers will be welded in place, or otherwise secured to the foundation for safety and to prevent rapid removal.
22.5 The electrical security requirements for a shipboard TSWA will be specified by the CSA.
23.0 EMBARKED PORTABLE SHIPBOARD COLLECTION VANS (PSCVs):
PSCVs are vans that are temporarily placed aboard ship and not part of the permanent structure of the ship. Ships requiring accreditation of embarked PSCVs must be annually accredited by the CSA and may be activated upon certification to the CSA of compliance with the following security requirements:
23.1 The exterior surface of the van will be solid construction and capable of showing evidence of physical penetration (except for intended passages for antenna cables, power lines, etc.)23.2 The access door will fit securely and be equipped with a substantial locking device to secure the door from the inside in order to prevent forcible entry without tools.
23.3 Adequate security measures will be established to preclude viewing of classified material by uncleared personnel.
23.4 Adequate provisions will be established to control the approach of uncleared personnel within the vicinity of the van. These measures win consist of instructions promulgated by the station (ashore and afloat) in which the van is embarked, prohibiting loitering in the immediate vicinity of the van, and will include periodic visual security cheeks by appropriately SCI-indoctrinated personnel.
23.5 Adequate destruction equipment will be available and effective procedures established to ensure rapid and complete destruction of classified material in emergency situations.
23.6 All SCI material will be stored within the van and continuously manned by sufficient SCI-indoctrinated personnel as determined by the on-site security authority based on the local threat environment, when activated for SCI support. If SCI material is to be stored outside the van, the space must be accredited by the CSA and be in compliance with the above S/SCIF criteria.
23.7 The electrical security requirements for a PSCV will be as specified by the CSA.
DIRECTOR OF CENTRAL INTELLIGENCE DIRECTIVE 1/21
ANNEX D
(Effective 30 January 1994)PART I
ELECTRONIC EQUIPMENT IN SENSITIVE COMPARTMENTED FACILITIES
(SCIFS)1.0 INTRODUCTION
It is the policy of the Director of Central Intelligence and the Senior Officials of the Intelligence Community (SOICs) that personally owned electronic equipment that has been approved for introduction into a SCIF should not be routinely carried into or out of the SCIF due to the possibility of technical compromise. It is also their policy that electronic equipment that is introduced into a SCIF is subject to technical and/or physical inspection at any time.
2.0 GUIDANCE
The following guidance is provided concerning the control of electronic equipment. SOICs retain the authority to apply more stringent requirements as deemed appropriate.
2.1 DOMESTIC UNITED STATESThe following personally owned electronic equipment may be introduced into a SCIF:
2.1.1 Electronic calculators, electronic spell-checkers, wrist watches, and data diaries. NOTE: If equipped with data-ports, SOICs will ensure that procedures are established to prevent unauthorized connector to automated information systems that are processing classified information.2.1.2 Receive only pagers and beepers.
2.1.3 Audio and video equipment with only a "playback" feature (no recording capability), or with the "record" feature disabled/removed.
2.1.4 Radios
2.1.5 PROHIBITED EXCEPT FOR OFFICIAL DUTY
The following items are prohibited unless approved by the SOIC for conduct of official duties:
2.1.5.1 Two-way transmitting equipment.2.1.5.2 Recording equipment (audio, video, optical). Associated media will be controlled.
2.1.5.3 Test, measurement, and diagnostic.
2.1.6 PROHIBITED IN SCIFs
The following items arc prohibited in SCIFs:
2.1.6.1 Personally owned photographic, video, and audio recording equipment.2.1.6.2 Personally owned computers and associated media.
2.2 OVERSEAS
The provisions in paragraphs 2.1.5 and 2.1.6 above apply in the overseas environment with the exception that all personally owned electronic equipment may be introduced in the SCIF ONLY with the prior approval of the SOIC and on-site security representative, based on local threat conditions.
DIRECTOR OF CENTRAL INTELLIGENCE DIRECTIVE 1/21ANNEX D
Part IIDISPOSAL OF LASER TONER CARTRIDGES
1.0 INTRODUCTION
The Director of Central Intelligence and the Senior Officials of the Intelligence Community (SOICs) hereby establish the policy and procedures for disposing of used laser toner cartridges and drums. The policy established herein is based on the fact that exploitation of used toner cartridges is considered to be unlikely at this time; therefore, the expense of destroying toner cartridges is not deemed to be justified. SOICs are responsible for implementation of this policy within their respective department/agency. When deemed necessary and appropriate, SOICs may establish additional security measures.
2.0 POLICY
2.1 WITHIN CONUS, ALASKA, AND HAWAIIUsed toner cartridges may be treated, handled, stored, and disposed of as UNCLASSIFIED, if, at a minimum, at least five full pages of Unclassified, randomly generated text are run through the machine before the cartridge is removed. These pages should not include any blank spaces or solid black areas.
2.2 OVERSEAS
In addition to the sanitization measure described in paragraph 1, the drum must be adequately scored with an abrasive substance, e.g., sandpaper, to further reduce the opportunity for image recovery by rendering the drum unusable.
3.0 DENIAL OF ACCESS
3.1 The most likely avenue of technical penetration of reproduction equipment is through uncleared personnel. If exploitation of equipment is of concern to a SOIC, it is recommended that maintenance be conducted by appropriately cleared individuals. If this is not feasible, maintenance workers should be US citizens or be escorted and closely monitored by knowledgeable personnel.3.2 In keeping with Environmental Protection Agency policy, agencies/departments are encouraged to establish procedures for recycling properly sanitized toner cartridges.
DIRECTOR OF CENTRAL INTELLIGENCE DIRECTIVE (DCID) 1/21
ANNEX E
(Effective 30 January 1994)ACOUSTICAL CONTROL AND SOUND MASKING TECHNIQUES
1.0 Basic Design:
Acoustical protection measures and sound masking systems are designed to protect SCI against being inadvertently overheard by the casual passerby, not to protect against deliberate interception of audio. The ability of a SCIF structure to retain sound within the perimeter is rated using a descriptive value, the Sound Transmission Class (STC).
1.1 The STC Rating: STC is a single number rating used to determine the sound barrier performance of walls. ceilings. floors, windows, and doors.1.2 Use of Sound Groups: The current edition of Architectural Graphics Standards (AGS) describes various types of sound control, isolation requirements and office planning. The AGS established Sound Groups I through 4, of which Groups 3 and 4 are considered adequate for specific acoustical security requirements for SCIF construction
1.2.1 Sound Group 1 - STC of 30 or better. Loud speech can be understood fairly well. Normal speech cannot be easily understood.1.2.2 Sound Group 2 - STC of 40 or better. Loud speech can be heard, but is hardly intelligible. Normal speech can be heard only faintly if at all.
1.2.3 Sound Group 3 - STC of 45 or better. Loud speech can be faintly heard but not understood. Normal speech is unintelligible.
1.2.4 Sound Group 4 - STC of 50 or better. Very loud sounds, such as loud singing, brass musical instruments or a radio at full volume, can be heard only faintly or not at all.
2.0 Sound Reduction for SCIFs:
The amount of sound energy reduction may vary according to individual facility requirements. However, Sound Group ratings shall be used to describe the effectiveness of SCIF acoustical security measures afforded by various wall materials and other building components.
2.1 All SCIF perimeter walls shall meet Sound Group 3, unless additional protection is required for amplified sound.2.2 If compartmentation is required within the SCIF, the dividing office walls must meet Sound Group 3.
3.0 Sound Masking and Stand-Off Distance:
3.1 When normal construction and baffling measures have been determined to be inadequate for meeting Sound Group 3 or 4, as appropriate, sound masking shall be employed. Protection against interception of SCI discussions may include use of sound masking devices, structural enhancements, or SCIF perimeter placement.3.1.1 Sound masking devices may include vibration and noise generating systems located on the perimeter of the SCIF.3.1.2 Structural enhancements may include the use of high density building materials (i.e. sound deadening materials) to increase the resistance of the perimeter to vibration at audio frequencies.
3.1.3 SCIF perimeter placement may include construction design of a stand-off distance between the closest point a non-SCI indoctrinated person could be positioned and the point when SCI discussions become available for interception. Use of a perimeter fence or protective zone between the SCIF perimeter walls and the closest "listening place" is permitted as an alternative to other sound protection measures.
3.2 Masking of sound which emanates from an SCI discussion area is commonly done by a sound masking system. A sound masking system may utilize a noise generator, tape, disc or record player as a noise source and an amplifier and speakers or transducers for distribution.
4.0 Placement of Speakers and Transducers:
To be effective, the masking device must produce sound at a higher volume on the exterior of the SCIF than the voice conversations within the SCIF. Speakers/transducers should be placed close to or mounted on any paths which would allow audio to leave the area. These paths may include doors, windows, common perimeter walls, vents/ducts, and any other means by which voice can leave the area.
4.1 For common walls, the speakers/transducers should be placed so the sound optimizes acoustical protection.4.2 For doors and windows, the speakers/transducers should be close to the aperture of the window or door and the sound projected in a direction facing away from conversations.
4.3 Once the speakers or transducers are optimally placed, the system volume must be set and fixed. The level for each speaker should be determined by listening to conversations occurring within the SCIF and the masking sound and adjusting the level until conversations are unintelligible from outside the SCIF.
5.0 Installation of Equipment:
5.1 The sound masking system and all wires and transducers shall be located within the perimeter of the SCIF.5.2 The sound masking system shall be subject to review during TSCM evaluations to ensure that the system does not create a technical security hazard.
6.0 Sound Sources:
The sound source must be obtained from a player unit located within the SCIF. Any device equipped with a capability to record ambient sound within the SCIF must have that capability disabled. Acceptable methods include:
6.1 Audio amplifier with a record turntable.6.2 Audio amplifier with a cassette, reel-to-reel, Compact Disc (CD), or Digital Audio Tape (DAT) playback unit.
6.3 Integrated amplifier and playback unit incorporating any of the above music sources.
7.0 Emergency Notification Systems:
The introduction of electronic systems that have components outside the SCIF should be avoided. Speakers or other transducers, which are part of a system that is not wholly contained in the SCIF, are sometimes required to be in the SCIF by safety or fire regulations. In such instances, the system can be introduced if protected as follows:
7.1 All incoming wiring shall breach the SCIF perimeter at one point. TEMPEST or TSCM concerns may require electronic isolation.7.2 in systems that require notification only, the system shall have a high gain buffer amplifier. In systems that require two-way communication, the system shall have electronic isolation. SCIF occupants should be alerted when the system is activated. All electronic isolation components shall be installed within the SCIF as near to the point of SCIF egress as possible.
DIRECTOR OF CENTRAL INTELLIGENCE DIRECTIVE (DCID) 1/21
ANNEX F
(Effective 30 January 1994)PERSONNEL ACCESS CONTROLS
1.0 Access Controls:
The SCIF perimeter entrance should be under visual control at all times during duty hours to preclude entry by unauthorized personnel. This may be accomplished by several methods (e.g., employee work station, guard, CCTV). Regardless of the method utilized, an access control system shall be used on the SCIF entrance. Persons not SCI-indoctrinated shall be continuously escorted within a SCIF by an SCI-indoctrinated person who is familiar with the security procedures of that SCIF.
1.1 Automated Access Control Systems: An automated access control system may be used to control admittance to SCIFs during working hours in lieu of visual control, if it meets the criteria stated below.1.1.1 The automated access control system mug identify an individual and authenticate that person's authority to enter the area through the use of an identification (ID) badge or card, or by personal identity verification. Automated identification of individuals exiting the area is desirable.11.1.1.1 ID Badges or Cards. The ID badge or card must use embedded sensors, integrated circuits, magnetic stripes or other means of encoding data that identifies the facility and the individual to whom the card is issued1.1.1.2 Personal Identity Verification. Personal identity verification (Biometrics Device) identifies the individual requesting access by some unique personal characteristic, such as:
(a) Fingerprinting,
(b) Hand Geometry,
(c) Handwriting,
(d) Retina, or
(e) Voice recognition.____________________
1 Manufacturers of automated access control equipment or devices must assure in writing that their system will meet the following standards before CSA!s may favorably consider such systems: Chances of an unauthorized individual gaining access through normal operation of the equipment are no more than one in ten thousand. Chances of an authorized individual being rejected for access through normal operation of the equipment are no more than one in one thousand.1.1.2 in conjunction with 1.1.1.1, above, a personal identification number (PIN) is required. The PIN must be separately entered into the system by each individual using a keypad device and shall consist of four or more digits, randomly selected, with no known or logical association with the individual. The PIN must be changed when it is believed to have been compromised or subjected to compromise.
1.1.3 Authentication of the individuals authorization to enter the area must be accomplished within the system by the inputs from the ID badge/card or the personal identity verification device or the keypad with an electronic data base of individuals authorized into the area. A procedure must be established for removal of the individual's authorization to enter the area upon reassignment, transfer or termination, or when the individual's access is suspended, revoked. or downgraded to a level lower than required.
1.1.4 Physical security protection must be established and continuously maintained for all devices/equipment that constitute the system The level of protection may vary depending upon the type of devices/equipment being protected with the basic intent of utilizing the security controls already in effect within the facility.
1.1.4.1 Locations where authorization data, card encoded data and personal identification or verification data is input, stored, or recorded must be protected within a SCIF or controlled by SCI indoctrinated personnel,1.1.4.2 Card readers, keypads, communication or interface devices located outside the entrance to a controlled area shall have tamper resistant enclosures, and be securely fastened to a wall or other structure. Control panels located within a controlled area shall require only a minimal degree of physical security protection sufficient to preclude unauthorized access to the mechanism.
1.1.4.3 Keypad devices shall be designed or installed in such a manner that an unauthorized person in the immediate vicinity cannot observe the selection of input numbers.
1.1.4.4 Systems that utilize transmission lines to carry access authorizations, personal identification, or verification data between devices/ equipment located outside the controlled area shall receive a minimum of Class II line supervision, as described in Annex B.
1.1.4.5 Electric strikes used in access control systems shall be heavy duty industrial grade.
1.1.5 Access to records and information concerning encoded ID data and PINs shall be restricted to individuals appropriately indoctrinated at the same level as the information contained within. Access to identification or authorization data, operating system software or any identifying data associated with the access control system shall be limited to the fewest number personnel as possible. Such data or software shall be kept secure when unattended.
1.1.6 Records shall be maintained reflecting active assignment of ID badge/card, PIN, level of access, access, and similar system-related records. Records concerning personnel removed from the system shall be retained for 90 days. Records of entries to SCIFs shall be retained for at least 90 days or until investigations of system violations and incidents have been successfully resolved and recorded.
1.1.7 Personnel entering or leaving an area shall be required to immediately secure the entrance or exit point. Authorized personnel who permit another individual to enter the area are responsible for confirming the individual's access and need to know.
1.2 Electric, Mechanical, or Electromechanical Access Control Devices. Electric, mechanical, or electromechanical devices which meet the criteria stated below may be used to control admittance to SCIF areas during working hours if the entrance is under visual control. These devices are also acceptable to control access to compartmented areas within the SCIF. Access control devices must be installed in the following manner:
1.2.1 The electronic control panel containing the mechanical mechanism by which the combination is set will be located inside the SCIF. The control panel located within the SCIF will require only a minimal degree of physical security designed to preclude unauthorized access to the mechanism.1.2.2 The control panel shall be installed in such a manner, or have a shielding device mounted, so that an unauthorized person in the immediate vicinity cannot observe the setting or changing of the combination.
1.2.3 The selection and setting of the combination shall be accomplished by an individual cleared at the same level as the highest classified information continued within. The combination shall be changed as required in Chapter 2.6.
1.2.4 Electrical components, wiring included, or mechanical links (cables, rods and so on) should be accessible only from inside the SCIF, or if they traverse an uncontrolled area they shall be secured within a protective covering-to preclude surreptitious manipulation of components.
DIRECTOR OF CENTRAL INTELLIGENCE DIRECTIVE (DCID) 1/21
ANNEX G
(Effective 29 July 1994)TELEPHONE SYSTEMS and EQUIPMENT
1.0 PURPOSE
This Annex specifies the requirements and procedures for systematically incorporating Telephone Security Group (TSG) approved telephone security measures into the planning, installation, maintenance, and management of.telephone service for SCIFs within and outside the United States.
2.0 DEFINITIONS
2.1 ADMINISTRATIVE TELEPHONE. A telephone intended for Unclassified conversation. This designation specifically excludes secure-voice systems unless they incorporate a non-secure mode of operation.2.2 DISCONNECT DEVICE. A device that [1] inserts a break at some point in the normal hardwire conduction path that exists between a telephone and its telecommunications medium, and [2] only when the telephone is in the in-use (off- hook) state, establishes a temporary metallic connection across that break.
2.3 ISOLATOR. A device that [11 inserts a break at some point in the normal hardwire conduction path that exists between a telephone and its telecommunications medium, and [2] only when the telephone is in the in-use (off-hook) state, provides a temporary communication channel across that break without establishing an end to end metallic connection.
2.4 OFF-HOOK. A terminal is off-hook when its signaling protocol to its network controller specifics that there is an intention to initiate, accept, or maintain communications with some other terminal.
2.5 ON-HOOK. This condition refers to a network communications line and simultaneously to all the terminals connected to that line. A terminal is on-hook when it is not off-hook; its signaling protocol to its network controller specifics that there is no intention to initiate, accept, or maintain communications with any other line or terminal. For a telephone to be considered on-hook, the handset must be in the handset cradle and all speakerphone and hands-free functions must be turned off.
2.6 TECHNICAL SURVEILLANCE COUNTERMEASURES (TSCM). Techniques and measures used to detect and nullify hostile penetration technologies, which are used to obtain unauthorized access to sensitive information. TSCM also includes the development and use of protective systems to detect and/or deter hostile penetration attempts and the hostile exploitation of naturally occurring hazards.
2.7 TELEPHONE SYSTEM. The telephone installation that provides service to the SCIF, and includes but is not limited to: all equipment, hardware, wiring, features, software, and supporting systems.
2.8 TSG. The TSG (Telephone Security Group) is the primary technical and policy resource in the National Advisory Group/Security Countermeasures (NAG/SCM) structure for all aspects of the TSCM program that involve telephones or telephone systems.
2.9 TYPE-ACCEPTED TELEPHONES. These are specially configured telephone models that are warranted by their manufacturers to incorporate specific TSG-mandated security measures. On-hook telephone security protection is an intrinsic property for TYPE-ACCEPTED TELEPHONES and they may be installed without ancillary isolation or disconnect devices. (See Standard 6.)
2.10 UNATTENDED OFF-HOOK AUDIO SECURITY. Security measures intended to prevent the compromise of background conversations when the user temporarily leaves the instrument off-hook. (See Standard 1.)
3.0 APPLICABILITY AND SCOPE
3.1 Administrative telephone system installations must include security measures that balance the vulnerabilities of the system against the technical threats of its environment.3.2 This Annex is compatible with but may not satisfy requirements of other security disciplines such as COMSEC, OPSEC, or TEMPEST.
3.3 The telephone security measures of this Annex apply to any telephone system that provides service to a SCIF.
3.4 This Annex does not apply if the SCIF is declared a "No Classified Discussion Area" and warning notices are posted prominently within the SCIF.
4.0 REFERENCES
The below-listed TSG standards are available to all members of the United States Intelligence Community from their respective cognizant security authorities (CSAs). Individual standards may be released to non-government personnel following CSA determination of the need. Any such release is to be accompanied by a letter identifying the standard as an of official US Government document that may riot be disseminated further without specific approval of the issuing agency.
4.1 Standard 1, Introduction to Telephone Security. Provides telephone security back-ground and TSG-approved options for telephone installations in US Government sensitive discussion areas. For use by all personnel concerned with telephone security.4.2 Standard 2, TSG Guidelines for Computerized Telephone Systems. Establishes requirements for planning, installing, maintaining, and managing a CTS. For personnel involved in writing contracts, planning, installing, maintaining, inspecting, and system administration.
4.3 Standard 3, Type-Accepted Program for Telephones Used Edith the Conventional Central Office Interface. Identifies a program that outlines specifications for design and manufacture and procedures required for type- acceptance. For personnel involved in writing contracts, manufacturing. and inspecting.
4.4 Standard 4, Type-Acceptance Program for Electronic Telephones Used in Computerized Telephone Systems. Identifies a program that outlines specifications for design and manufacture and procedures required for type-acceptance. For personnel involved in writing contracts, manufacturing, and inspecting.
4.5 Standard 5, On-Hook Telephone Audio Security Performance Specifications. Specifies the amount of audio leakage allowed in the on-hook condition of telephones without disconnects. For personnel involved in writing contracts, manufacturing, and inspecting telephones such as STU-IIIs.
4.6 Standard 6, Telephone Security Group-Approved Equipment. Lists TSG-approved and use of TSG- equipment. For all personnel concerned with procurement approved equipment.
4.7 Standard 7, TSG Guidelines for Cellular Telephones. Provides guidelines for the manufacture and use of secure and non-secure cellular telephones in US Government sensitive discussion areas. For personnel involved in writing contracts, manufacturing, inspecting, maintaining, and using cellular telephones.
4.8 Standard 8, Microphonic Response Criteria for Non-Communications Devices. Specifies the maximum audio response allowed for isolation devices and other non-communication equipment used in US Government sensitive discussion areas. For personnel involved in writing contracts, manufacturing, installing, and inspecting telephone-related equipment
4.9 Standard 9, TSG Approval Program for Secure Telephones and Equipment That Connect to the Conventional Central Office Interface. Specifics TSG requirements for secure telephones and equipment interfacing with the conventional central office. For personnel involved in writing contracts, manufacturing, and inspecting TSG approved telephones.
5.0 RESPONSIBILITIES
5.1 TSG: The TSG is responsible for evaluating vulnerabilities of telephone systems and identifying security countermeasures.5.2 CSA: The CSA is responsible for selecting, implementing, and verifying security measures to balance the vulnerabilities of the telephone system against the technical threats of its environment. This requires the CSA to:
5.2.1 Assist Special Security Officers (SSOs) and Contractor Special Security Officers (CSSOs) in selecting the most cost effective countermeasures.5.2.2 Maintain a current set of TSG standards.
5.2.3 Provide written waivers to any requirements of this Annex and TSG standards. In granting waivers, the CSA accepts full responsibility for the associated risks
5.2.4 Request technical surveillance countermeasures (TSCM) inspections as conditions warrant to prevent the loss or compromise of intelligence sources and methods, including sensitive compartmented information, through adversary use of technical surveillance.
5.3 SSO/CSSO: The SSO/CSSO is responsible for requesting CSA approval for new telephone systems and major modifications to existing systems by:
5.3.1 Submitting necessary documentation on new system:s and any changes to existing systems to the CSA for evaluation.5.3.2 Maintaining the documentation on-site.
6.0 REQUIREMENTS
6.1 ACCESS CONTROL: Installation and maintenance personnel will possess the appropriate security clearance as determined by the CSA. Uncleared installation and maintenance personnel given access to the SCIF should be US citizens and will be monitored by escorts.6.2 CABLE CONTROL:
6.2.1 All telephone wire and fiber optic (fiber) conductor cables should enter the SCIF through a common opening.6.2.2 Each conductor should be accurately accounted for from the point of entry. The accountability should identify the precise use of every conductor through labeling, log, or journal entries.
6.2.3 Unused conductors will be removed. If removal is not feasible, the CSA may require that metallic conductors be stripped, bound together, and grounded.
6.2.4 Unused fiber conductors will be uncoupled from the interface within the SCIF.
6.3 ON-HOOK SECURITY:
Approved points of on-book isolation may be provided by any of the following:
6.3.1 The telephone, disconnect, or isolator, if TSG approved. Standard 6, available from the CSA, lists TSG-approved equipment and ordering information.6.3.2 The telephone switch, if it meets the requirements of Standard 2.
6.3.3 With CSA approval, isolation may be provided by the telephone switch not meeting TSG Standard 2 provided that:
6.3.3.1 Access to the facility housing the telephone switch is controlled.6.3.3.2 All communication fines between the telephone switch and the SCIF are in controlled space arid inspectable by government or contractor security personnel and technically qualified telephone personnel
6.3.3.3 No SCIF telephone or other device with a speaker can be forced "off-hook" via a software command from the telephone switch or forced to remain "off-hook" after a user has terminated the conversation.
6.4 OFF-HOOK SECURITY:
Unattended off-hook security may be accomplished by one of the following:
6.4.1 Use of a hold or mute feature that does not allow audio from the telephone to leave the controlled area.6.4.2 A push-to-operate handset will be required if an appropriate hold feature is not available. (See Standard 6.)
6.5 RESTRICTIONS.
6.5.1 Personally owned equipment that can interface with the telephone system is prohibited.6.5.2 Speakerphones are designed to pick up and transmit nearby conversation when they are in use. Therefore, speakerphones are restricted from common-use office areas where sensitive conversations might be unknowingly intercepted. Prior CSA approval is required for speakerphones in sole-use offices.
6.5.3 Telephone Answering Devices (TADs) may have features which are security vulnerabilities, e.g., remote room monitoring. Prior CSA approval is required for TADs.
See also "DCID 1/21 Explained: An Illustrated Reference Guide For SCIF Construction, Version 1.0," by Tim Schneider: http://www.afmc.wpafb.af.mil/HQ-AFMC/IN/ins/dcid-1.htm