UNCLASSIFIED
DIRECTOR
OF CENTRAL INTELLIGENCE1
Manual for PHYSICAL SECURITY STANDARDS FOR
SENSITIVE COMPARTMENTED
INFORMATION FACILITIES (SCIF)
EFFECTIVE4
UNCLASSIFIED
PREFACE:
hysical Security Standards for Scnsiliw Comparlmcmod Information Facilities (SCIFs) was approved by the Director of Ccmral Intelligence (DCI) on
A complete copy of1 consists of tbe basic DCID andhrough G. The annexes arc as follows
Annex ASCIF Checklist (approved
larms (approved
actical Operations/Field Training (approvedGround Opctnilon Part II- Aircraft/Airborne Opcraiion Padhipeorne Operation
rohibited Items (approvedlectronic Equipment in SCIFs Partisposal of Laser Toner Cartridges
Annex EAcoustical control and Sound Masking ltclm.qi.es (approved
Annex FPersonnel Access Controlselephone Security (approved
III
1 Table of Contents
PREFACE
AND
Policy
American Disabilities Act (ADA)
CI Facilities (SCIFs) 2
Physical Security Pieconslruction Review and
Personnel
Control of
Entry/Exit
Control of Electronic Devices and Other
SECURITY CONSTRUCTION POLICY FOR
Construction Policy for SCI
Temporary Secure Working Area
Requirements Common To All
Vault Construction
DIRECTOR OF CENTRAL INTELLIGENCE DIRECTIVE1 (Effective
I. POLICY AND CONCEPT
Statement
security standards arc hereby established governingand protection of facilities for storing, processing,Sensitive Compartrncnicd Information (SCI) whichsecurity safeguards. Compliance with this DCIDManual (hereafter referred to as the "Manual")for all Sensitive Compartrnented Informationestablished after the effective date of ihis manual, includingmake substantial renovations io existing SCIFs. Thoseprior to the effective date of this Manual will notio meet these standards.
physical security safeguards set forth in this Manual are the standards
for the protection of SCI. Senior Officials of the Intelligence Communityiih DCI coiKuncDce. may impose more stringent standards if ihey bdieve extraordinary conditions and circumstances warrant. SOICs may not delegate this authority. Additional cost resulting from more stringent standards should bc borne by the requiring Agency, Department, or relevant contract.
situations where conditions or unforeseen factors render full compliance
to these standards unreasonable, the SOIC or designee may waive specific requirements in accordance with this Manual. However, this waiver must be in writing and specifically state what has been waived. The Cognizant Security Authority (CSA) must notify' all co-utilizing agencies of any waivers it grants.
All SCIFs must be accredited by the SOIC or designee prior to conducting any SCI activities
One person is now authorized toCIF. which eliminates the two-
person rule (the staffingCIF with two or more persons in such proximity to each other to deter unauthorized copying or removal of SCI).
CIF design must balance threats and vulnerabilities against appropriate security measures In order to reach an acceptable level of risk. Each security' concept or plan must be submitted to Ihe CSA for approval. Protection against surreptitious entry, regardless of SCIF location, is always required. Security measures must be taken to deter technical surveillance of activities taking place within the SCIF. TEMPEST security measures must be considered if electronic processing of SCI is involved.
1
military and civilian compounds, (here may exist security controls such
as identification checks, perimeter fences, police patrols, and other security measures. When considered together with the SCIF location and internal security systems, those controls may be sufficient to be used in lieu of certain physical security or construction requirements contained in this Manual.
security planningCIF is intended to denyservices and other unauthorized personnel the opportunityentry into those facilities and exploitation ofFaulty security planning and equipment installation notsecurity but wastes money. Adding redundantcauses extra expense which could be used on otherWhen security features are neglected during initialof existing faaliues to comply with security requirements
merican Disabilities Act (ADA) Review
othing in this manual shall be construed to contradict or Inhibit compliance with (he law or building codes. CSAs shall work lo meet appropriate security needs according to the intent of this Manual at acceptable cost.
ENERAL ADMINISTRATIVE
Facilities (SCIFs)
A SCIF is an accredited area, room, group of rooms, buildings, or installation where SCI may be stored, used, discussed, and/or electronically processed. SCIFs will be afforded personnel access control to preclude entry by unauthorized personnel. Non-SCl indoctrinated personnelCIF must be continuously escorted by an indoctrinaicd employee who is familiar with the security procedures of that SCIF. The physical security protectionCIF is intended to prevent as well as detect visual, acoustical, technical, and physical access by unauthoriTed persons. Physical security criteria are governed by whether the SCIF is in the United States or not, according to the following conditions: closed storage, open storage, continuous operations, secure working aiea.
Security Preconstruction Review and Approval
CSAs shall review physical security preconst ruction plans for SCIF construction, expansion or modification. All documentation pertaining to SCIF construction will be appropriately controlled and restrictedeed-io-know basis. The approval or disapprovalhysical security prcconstruction plan shall beatter of record.
he requester shallixed Facility Checklist (FFC. Annex A) to the respective CSA for review and approval.
i The Checklist submission shall include floor plans, diagrams of electrical? communications, heating, ventilation, air conditioning (HVAC) connections, security equipment layout (to include the location of intrusion detectiontc. All diagrams or drawings must bc submitted on legible and reproducible media.
2
be CSA shall be responsible for providing oormrucuon advice and assistance and pre-approving SCIF construction or rnodificauon
ccrediUiion
The CSA will ensure SCIFs comply withhe CSA is authorized to inspect any SCIF, direct action to correct any deficient situation, and withdraw SCIFThe procedures for establishment and accreditation of SCIFs arc prescribed below:
The procedures for establishment and accreditation of SCIFs from conception through construction must be coordinated and approved by the SOICor CSA.
SCI shall never be handled, processed, discussed, or stored in any facility otherroperly' accredited SCIF unless written authorization is granted by the CSA.
An inspection of the SCIF shall be performed by the CSA or appointed representative prior to accreditation. Periodic reinspcclioru shall be based on threat, physical modifications, sensitivity of programs, snd past security performance Inspections may occur at any time, announced or urunnounced The completed fixed facility checklist will be reviewed during the inspection to ensure continued compliance. TSCM evaluations may be required al the discretion of the CSA as conditions warrant Inspection reports shall be retained within the SCIF and by the CSA All SCIFs shall maintain on site, current copies of the following documents
1 Fixed Facility Checklist
Accrcditalion authorization documentshysical. TEMPEST, and AIS>.
Inspection reports, including TSCM reports, for the entire period of SCIF Accreditation
Operating procedures. Special Security Officer Contractor Special Security Officer (SSO/CSSO) appointment letters. Memoranda af Agreementmergency Action Plans, etc.
(c) Copies of any waivers granted by tbe CSA
Authorized inspectors shall be admittedCIFor hindrance when inspection personnel are property certifiedthe appropriate level of security clearance and SCI indoctrinationsecurity level of the SCIF. Short doucc or emergency conditionsentry without regard to the normal SCIF duty hours Government
which arc presently accredited, under construction or Inprocess at the date of implementation of this Manual shallmodification to conform to these standards.
acilities undergoing major modification may be required to comply entirely with the provisions of this Manual. Approval for such modifications shall bc requested through the CSA and received prior to any modifications taking place within the SCIF.
n theeed arises toCIF after the accreditation has been termi rated, the CSA may approve the usereviously accredited SCIF basedeview of an updated facility accreditation package.
of Accreditation:
Termination of Accreditation: When it has been determinedCIF is no longer required, withdrawal of accreditation action will bc initiated by the SSO/CSSO. Upon notification, ihe CSA will issue appropriate SCI withdrawal correspondence The CSA or appointed representative willlose out inspection of the facility to ensure that all SCI material has been removed.
Suspension or Revocation of Accreditation: When ihe CSA determines that thereanger of classified information being compromised or that security conditionsCIF are unsatisfactory. SCI accreditation will bc suspended or revoked. All appropriate authorities must be notified of such action immediately.
Agencies desiring toCIF should accept the current accreditation and any waivers Any security enhancements required by an agency or department requesting co-ulillzation should be funded by that organization, and must be approved by the SOIC with DCI coricurrerice prior too-utilization agreement must be established prior to occupancy.
Special Access Programs (SAP) co-locatedCIF will meet the physical security requirements of Ihis Manual and DCI Special Access Programs (SAP) Policy.
Controls
ccess rosters listing all persons authorized access to the facility shall be maintained at tlie SCIF point of entry. Electronic systems, including
ombination* lo locks installed on security containers/safes, perimeter doors, windows and any other openings should bc changed whenever.
ombination lock is first installed or used.
ombination has been subjected, or believed lo have been subjectedompromise, and
(c) At other times when considered necessary by the CSA.
ll comblnalions to SCIF entrance doors should bc stored in another SCIF of equal or higher accreditation level When this is nol feasible, alternate arrangements will bc made in coordination wiih Die CSA.
lnspoclions
The CSA shall prescribe procedures for inspecting persons, their property, and vehicles at the entry or exit points of SCIFs, or at other designated points of entry to lhe building, facility, or compound The purpose of Ihe inspection is to deter lhe unauthonrcd removal of classified material, and deter the introduction of prohibited items or contraband- This shall include determination of whether inspections are randomly conducted or mandatory for all. and whether they apply for viniora ociK or for the entire staff assigned All personnel inspection procedures should bc reviewed by Ibe facility's legal counsel prior to promulgaiion
of Electronic Devices and Other Iiems
The CSA shall ensure that procedures are instituted for control of electronic devices and other items introduced into or removed from (he SCIF Seeor guidance.
The prohibition against electronic equipment in SCIFs docs not apply to those needed by the disabled or for medical or health reasons. motori/cd wheelchairs, hearing aids, heart pacemakers, amplified telephone headsets, teletypewriters for the hearing impaired) However, ihc SSO or CSSO shall establish procedures for notification that such equipment it being entered in to ihc SCIF
mergency and police personnel and their equipment, including devices earned by emergency medical personnel respondingedical crisisCIF. shall bc admitted to the SCIF wiihout regard lo their security clearance status Emergency personnel will bc escorted to ihc degree practical. However, debriefing of emergency personnel will bc iiuwiplislicd .is soon as possible, if appropriate
il Construction Policy for SCI Facilities
Physical security cnlcna is governed by whether the SCIF is located in the US or not. according to the following conditions: closed storage, open storage, continuous opera Dons, secure working areas.
losed Storage
nsideUS
(a) The SCIF must meet the spccificalions inermanent Dry Wall Construction)
(b) The SCIF must be alarmed in accordance witho this manual
(c) SCI must be stored in GSA approved secunry containers
Id) There mustesponse force capable of responding to an alarm withininutes after annunciationeserve response force available to assist the responding force.
(c) The CSA may require any SCIF perimeter walls accessible from exterior building ground level to meet Ibe equivalent protection afforded byExpanded Metal) construction requirement
utside US
(a) Tbe SCIF must meet the construction spccificalions for SCIFs as set forth inSteel Plate or ExpandedCIFs within US Government controlledr equivalent, having armed immediate response forces may use specifications indicated inPennanem Dry Wall ConstructKXi)prior approval of the CSA
(b) The SCIF must be alarmed in accordance with Annex B
(C) All SCI controlled material will be stored inpproved containersating for both forced and suneptiuous entry equal to or exceeding lhal afforded byonlainers
NSIDE US: When open storage is justified and approved by the CSA the SCIF must
be alarmed in accordance with Annex D.
esponse force capable of responding to an alarminuteseserve response force available to assist the response force: and
meet one of the following
ontrolled US government compoundmay use specifications indicated in ChapterDry Wall Construction) Of
ontrolled building withaccess control, may usePermanent Dry Wall Construction).may require any SCIF perimeter walls accessiblebuilding ground level to meet theafforded byExpandedrequirements: or
which arc not locatedonirolled buildingmay use specifications indicated in ChapterMeial) or (Vault) construct ions requirements
UTSIDE US: Open storage of SCI material will be avoided When open storage is justified as missionault construction is preferred The SCIF must:
(a) be alarmed in accordance with Annex It.
ib)esponse force capable of responding to an alarminuteseserve response force available to assist the responding force.
have in adequate, tested plan to protect, evacuate, or destroy the material in the event of cmcreencv or natural disaster, and
meet one of the following:
he construction specification for vaults set fonh inr
ontinuous Operation
THE US:
SCIF must meet the construction specificationsinPermanent Dry Wallalert system and duress alarm may be required bybased on operational and threat conditions
Provisions should be made (br storage of SCI in GSA approved containers If the aspiration of the material precludes ihis. there must bc an adequate, tesiod plan to protect, evacuate, or destroy lhe material in the event of emergency, civil unrest or natural disaster.
There mustesponse force capable of responding io an alarminuteseserve response force available lo assist the responding force
THE US:
(a) The SCIF must meet the construction specifications for SCII's as set forth inExpandedn alert system and duress alarm may bc required by the CSA. bused on operational and threat conditions (b) The capability must exist for storage of all SCI in GSA-approved security containers, or Ihc SCIF must have an adequate lested plan lo protect, evacuate, or destroy the material in the event of emergency or natural disaster
(D) SCIFs located within US Government controlled compounds, or equivalent, having immediate response fortes, may use the secure area construction specifications as listed inPermanent Dry Wall Con struct ion) with prior approval of the CSA
(c) There mustesponse force capable of responding to an alarminutes,eserve response force available to assist lhe responding force
ecure Working Areas are accredited facilities used for handling, discussing, and/or processing SCI but where SCI will not be stored
NSIDE THE USr
(a) The Secure Working Area SCIF must meet the specifications set forth inPermanent Dry Wall Construction).
(d) There musiesponse force capable of responding to an alarm withininuies after annunciation,escue response force available to assist Ihc responding force
UTSIDE THE US:
Secure Working Area SCIF mufl meet ihc construction
specifications indicated inPermanent Dry Wall Conn ruction)
The Secure Working Area SCIF must be equipped with an approved alarm system as set forth in Annex B
No storage of SCI material is authorized
<d) There mustesponse force capable of responding to an alarm withininuies.eserve response force available to assist the responding force
emporary Secure Working Area (TSWA)
Temporary Secure Working area is definedemporarilylhat is used no more lhanours monthly for lheand/or processing of SCI. but where SCI should no) bcith sufficient justification, ihc CSA may approve longer periods ofof SCI for no longeronth*
the entiie period the TSWA is in use. Ihc entrance willand access limited to persons having clearance for whichhas been approved Approval for using such areas musi bcthe CSA selling forth roomuilding, location,specific security measures employed during usage as well asperiods TSWAs should be covered by an alarm system Thesenc4 be used for periods exceeding an overage iota) of 4t) hoursNo special construction is required other lhan io meetrequirements as set forth in Annex E. when applicable Iffacility must also bc used for the discussion ot SCI. aCounter measures (TSCM) evaluation may be required atof Ihe CSA. as conditions warrant.
hen not in use at the SCI level, the TSWA will bc:
Securedeylockombination lock approved by the CSA
Access will bc limited lo personnelS Secret clearance.
equirements Common To All SCIFs: Within The US and Overseas
CONSTRUCTION: The SCIF perimeter walls, floors and ceiling, will be permanently constructed and attached to each other. All construction must be done inanner as to provide visual evidence of unauthorized penetration.
SOUND ATTENUATION: The SCIF perimeter walls, doors, windows, floors and ceiling, including all openings, shall provide sufficient sound attenuation to preclude inadvertent disclosure of conversation. The requirement for sound attenuation are contained within Annex E.
ENTRANCE. EXIT, AND ACCESS DOORS:
Primary' entrance doors to SCIFs shall be limited lo one. If circumstances require more than one entrance door, this must be approved by the CSA. In some circumstances, an emergency exit door may be required. In cases where local fire regulations are more stringent, they will be complied with. All perimeter SCIF doors must be closed when not in use. with the exception of emergency circumstances.oor must be left open for any length of time due to an emergency or other reasons, then it must be controlled in order to present unauthorized removal of SCI.
All SCIF perimeter doors must be plumbed in their frames and the frame firmly affixed io the surrounding wall. Door frames must be of sufficient strength to preclude distortion that could cause improper alignment of door alarm sensors, improper door closure or degradation of audio security.
All SCIF primary entrance doors must be equipped with an automatic doorSA-approvcd combination lock and an access control device with ihe following requirements^
If doors arc equipped with hinge pins located on the exterior side of the door where it opens into an uncontrolled area outside the SCIF, the hinges will be treated to prevent removal of llie door. welded, set screws, etc.)
CIF entrance door is not used as an access control door and stands open in an uncontrolled area, the combination lock will be protected against unauthorized access/tampering.
doors: The useault door foracility is not authori/ed. Such use willthe locking mechanism, cause malfunctioning ofescape device, andecurity andTo precludeecond door will be installed and
emergency exit doors shall bc constructed ofin strength and density lo the main entrance door.be secured with deadlocking panic hardware onand have no exterior hardware- SCIF perimeterdoors should be equippedocal annunciator in orderpeople working in the area that someone exiled theto some type of emergency condition
Construction Types: Selections of entrance anddoors shall be consistent with SCIF perimeterSpecUkations of doors, combination locks,devices and other related hardware may be obtainedCSA. Some acceptable types of doors arc:
wood coreinimumnches thick
gauge metal cladding over wood ora minimumnches thick. The metalbc continuous and cover the entire front and backdoor.
(e> Metal fire or acoustical protectioninimumnchesoreign manufactured equivalent may bc used if approved by the CSA.
oined metal rolling door, minimum ofauge, usedoading dock or garage structure must be approvedasc-by-casc basis
HYSICAL PROTECTION OF VENTS. DUCTS, AND PIPES:
All vents, ducts, and similar openings in excess ofquare inches thai enter or passCIF must be protected with cither bars, or grills, or commercial metal duct sound baffles lhat meet appropriate sound attenuation class as specified in Annex E. within Ihe United Slates, bars or grills are not required if an IDS is used. If one dimension of the duct measures less than six inches, or due? is less thanquare inches, bars are not required; however, all ducts must be treated io provide sufficient sound anenuaiion. If bars arc used, they mustnch diameter steel welded vertically and horizontallynches on center, if grills are used, they must beaugc expanded steel; if commercial sound baffles are used, the baffles or wave forms must be metal permancnily installed and no farther apan lhannches in oneeviationnch in vertical and/or horizontal spacing is permissible.
Based on ihe TEMPEST accreditation, ii may be required that all vents, ducts, and pipes muston-conductive section <a
n access port to allow visual inspection of the protection in the vent or duct should be installed inside the secure perimeter of the SCIF. If (he inspection port must be installed outside the perimeter of the SCIF. it must be locked.
INDOWS:
All windows which might reasonably afford visual surveillance of personnel, documents, materials, or activities within the facility, shall be made opaque or equipped with Winds, drapes or other coverings to preclude such visual surveillance.
Windows at groundill be constructed from or covered with materials which will provide protection from forced entry The prelection provided to the windows need be no stronger than the strength of the contiguous walls. SCIFs located within fenced and guarded governmenl compounds or equivalent may eliminate this requirement if the windows are made Inoperable by either permanently scaling them or equipping them on the insideocking mechanism,
perimeter windows at ground level shall be covered by anCONSTRUCTION SPECIFICATIONS
ault Construction Criteria
Reinforced Concrete Construction: Walls, floor, and ceiling willinimum thickness of eight inches of reiruorced concrete. The concrete mixture willomprehensive strength rating of atsi Reinforcing will be accomplished with steel reinforcinginimumnches in diameter, positioned centralized in the concrete pour and spaced horizontally and vertically six inches on center, rods will be tied or welded at the inter-sections The reinforcing is to be anchored into Ihe ceiling and floorinimum depth of one-half ihe thickness of the adjoining member.
GSA-approved modular vaults meeting Federal Specification
may be used in lieu. above,
Construction: Where unique structural circunuMnccs doconstructiononcrete vault, consiruction will be ofB thick, having characteristics of high yield andThe metal plates ate to be continuously welded tomembershickness equal to that of tbe plates. If thesteel members are being placedontinuous floor andreinforced concrete, ihey
must be firml) affixedepth of one-half the thickness of the floor and ceiling. If the floor and/or ceiling construction Is less than six Inches of relriforcedteel liner isbe constructed Ihe same as the walls lo form the floor and ceiling of the vault. Scams where Ihe steel plates meet horizontally and vertically arc lo be continuously welded logeilier.
ll vaults shall be equippedSA-approvcdrault door. Within theault door is acceptable. Normally within the Unitedault will have only one door that serves as both entrance and exit from the SCIF in order lo reduce ctss
CIF Criteria For Permanent Dry Wall Construction
Walls, floor and eating will be pcrrranenily constructed and attached loer To provide visual evidence of attempted entry, all construction, to include above ihe false ceiling andaised floor, must be done inanner as to provide visual evidence of unauthorized Penetration.
CIF Construction Criteria For Steel Plate
Walls, ceiling and floors arc lo be reinforced on the inside with steel plate not less' thick. The plates at all vertical joints are to be affixed to vertical steel membershickness not less than thai of the plates. The vertical plates will be spot welded to Ihe vertical members byne inch long weld everynches; meeting of the plates in the horizontal plane will be continuously welded Floor and ceiling reinforcements must be securely affixed lo the walls with steel angles welded or bolted in place.
CIF Construction Criteria For Expanded Metal
Walls arc io be reinforced, slab to slab,auge expanded metal The expanded metal will be spot -eldednches to vertical and horuonul metal supportsgauge or greater thickness that has been solidly aad permanentiv attached to Ihe true floor and true ceiling.
eneral
The use of materials having ihickncss or diameters larger than those specified above is permissible. The terms "anchored lo and/or embedded into the floor and ceiling" may apply io the affixing or supporting members and reinforcing to true slab or ihe most solid surfaces, however, subfloors and false ceiling arc noi lo be used for this purpose
13
DIRECTOR OF CENTRAL INTELLIGENCE DIRECTIVE1
GLOSSARY
Access Controlystem to identify and/or admit personnel with properly authorized accessCIF using physical, electronic, nnd'ct human controls
formal approvalpecific place, referred toensitive Compartmcmcd Information Facilityhat meets prescribed physical, technical, and personnel security
Acousticsecurity measures designed and used lo deny aural
access Io classified information.
Astragalnarrow strip of material applied over the gap between a
pair of doors for protection from unauthorized entry and sound attenuation.
Personnel:
person who is fully cleared and indoctrinated for SCI,alid need lo know, and has been granted access to lhe SCIF.
Magnetic Switch (BMS):
type of IDS sensor which may be installed on any rigid, operable
opening. doors, windows) through which access may bc gained to ihc SCIF.
Detector:
IDS sensor used with screens and grids, open wiring, and grooved stripping in various arrays and configurations necessary to detect surreptitious and forcible penetrations of movable openings, floors, walls, ceilings, and skylights An alarm is activated when the wire is broken.
Storage:
storage of SCI material in properly secured GSA approved security containers within an accredited] SCIF.
Telephone System (CTS):
referred toybrid key system, business communication
system, or office communications system.
Security Authority (CSA):
single principal designatedOIC (see definition of SOIC)
to serve as the responsible official for all aspects of security program management with respect lo the protection of
Continuous Operation:
Controlled Area/ Compound: Controlled Building:
Co-Utilization:
sources and methods, under SOIC responsibility.
This condition existsCIF is staffedours every day.
Any ateahich entry is subject to restrictions or control for
security reasons.
A building to which entry is subject to restrictions or control for security reasons
Two or more organizations sharing the same SCIF 14
Dead Holt:
kick boll wiih no spring action. activatedey or turn knob and cannot bc moved by end pressure
Panic Hardware; Decibelocument:
panic hardwareeadlocking latch thatevice when
in the closed position resists ihc latch from beingnii of sound measurement.
any* recorded information regardless of its physical form or characteristics, including, without limitation, written or printed matter, data processing cards and tapes, maps, charts, paintings, drawings, photos, engravings, sketches, working notes and papers, reproductions of such things by any means or process, and sound, voice, magnetic or electronic recordings in any form.
Technology: Expanded Steel:
microwave or ultrasonic ids sensors which combine the features of more lhan one volumetric technology.
also called expanded metalace work patterned material produced from sheet steel by making regular uniform cuts and then pulling il apart with uniform pressure
properly trained and equipped individual whose duties include the protectioncif. guards whose duties require direct accesscif. or patrolcif, must meet the clearance criteria in director of central intelligencesa will determine if indoctrination is required
Community (and agencies wilhin the
Intelligence Community):
to ihe united stales government agencies and organizations
identified in)hroughf executive.
Detection System:
security alarm system to detect unauthorized entry.
device or assembly of devices which isolates orelephone or computerized telephone system (cts) from all wires which exit lhe scff and which as been accepted as effective for security purposes by the telephone security group (tsg approved).
Key Sen-ice Unit (KSU): An elecuomechanical switching device which controls routing and operation of an analog telephone system.
Line Supervision:
Class1 line security is achieved through the use of DES or
an algorithm based on the cypher feedback or cypher block chairing mode of encryption. Certification by NIST or another iruiependent testing laboratory is required.
15
Class ii:
Motion Detection Sensor:
Non-Conductive Section: Non-Discussion Area: Open Storage: Response Force:
Secure Working Area:
Senior Official of Ihe
Intelligence Community (SOIO:
Sensitive Compart-menied Information (SCI):
Sensitive Compart-
II line supervision refers to systems in which the transmission is based on pseudo random generated or digital encoding using an interrogation and response scheme throughout the entire communication, or UL Class AA line supervision. The signal shall not repeat itselfinimum six month period. Class II security' shall be impervious to compromise using resistance, voltage, current, or signal substitution techniques.
An alarm sensor lhal detects movement
Material. canvas, robber, etc) which is installed in ducts, vents, or pipes, and is unable lo carry audio or RF emanations.
A clearly defined areaCIF where classified discussions are noi authorized due lo inadequate sound attenuation.
The storage of SCI materialCIF in any configuration other than wilhin GSA approved security containers.
Personnel (noi including ihosc on fixed security posts) appropriately equipped and trained, whose duties include initial or follow up response to situations which threaten the security of the SCIF. This includes local law enforcement support or other external forces as noted in agreements.
An accredited SCTF used for handling, discussing and/or processing of SCI, but where SCI will not be stored.
The head of an agency, of fine, bureau, or intelligence element
identified in)hroughf Executive.
SCI is classified information concerning or derived fromsources, methods or analytical processes, which is required
to be handled exclusively wilhin formal control systems established by ihe Director of Central Intelligence.
An accredited area, room, group of rooms, building, or installation
Information Facilityound Group:
Sound Transmission Claw (STQ:
where SCI mar be stored, used,
electronically
processed.
Voice bansmission attenuaiion groups established lo satisfy acoustical requirements. Ratings measured in sound transmission class may bc found in lhe Architectural Graphic Starulards.
The rating used in architectural considerations of soundloss such as those involving walls, ceilings, and/or floors.
Access Program Any approved program which imposes nccd-to-know or
access
beyond those normally required for access lo
CONFIDENTIAL. SECRET or TOP SECRET information
lfi
Surreptitious Entry:
entryanner which leaves no readily discernible evidence
SCIF:
accredited area used for actual or simulated war operationspecified period of lime
Surveillance Counter-measures
(TSCM) Surveys and Evaluations:
physical, ckctronic. and visual examination to detect technical
surveillance devices, technical security hazards, and attempts at
clandestine penetration.
Accepted Telephone:
telephone whose design and construction conforms with the
design standards for Telephone Security Group approved telephone sets. (TSG.
room(s) used for the storing, handling, discussing, and/or processing of SCI and constructed to afford maximum protection against unauthorized entry.
Waiver.
exemptionpecific requirement of this document. 17
DIRECTOR OF CENTRAL INTELLIGENCE DIRECTIVE1
Effective
SCIF ACCREDITATION CHECKIJST
Table of Corneals
encral Information Section II Peripheral SecurityCIF Security
oors
ntrusion Dciccuon Svsiems
clcplione System
coustical Proicciion
Section II Administrative Secuniy
Attachments
A-l
DATE
FIXED FACILITY CHECKLISTRE CONSTRUCTIONODIFIED FACILITYeneral Information
I. SCIF Data: Organization/Company Name: SCIF IdcrUifkanon Number (ifrganization subordinate to (If applicable):
2.
xpiration Date: CSA:
Project Headquarter Security Office (ifCIF Location: Street Address:
Room(s) No:
ZIP Code:
Responsible Security Personnel:
Commercial Telephone:
DSN Telephone:
Secure Telephone: Type:
Home Telephone:
Fax No: (specify both classified and Unclassified)
Data:
of SCI Requested.
Indicate the storage required: Open Storage Closed Storage Continuous Operation Secure Working Area Temporary Secure Working Area
Accreditation Information (If applicable):
Category of SO:
Accreditation granted by: on
TEMPEST Accreditation (ifccreditation
Automated Information Systems (AISs) arc used, has angranted? YES NO
Accreditation granted
co-located within NO
(If Yes.nd provide copy of Co-utilization Agreement for SAP operation in SCIF.)
toper week.
square feet SCIF occupies:
Is construction or modification complete?
(If NO. expected date of
completion)
6. Inspections:
a. TSCM Service completed
(Attach copy of report)
Were deficiencies corrected? YES NO NA (If NO. explain:)
b. Last Physical Security Inspection
(Attach copy of report)
7
Section Is Peripheral Security
Describe building exterior security
Alarm:
lighting:
Guards:
f Other
type:
Access Controls:
If NO, during what hours?
CIF Security
is access to the SCIF controlled?
a. By Guard Security Clearance
Level:
By Assigned Personnel
By Access Control Device
yes. Manufacturer
No
are ihey secured against ooening?-
are Ihey protected against visual surveillance? (If applicable)
ventilation ducts penetrate the SCIFNumber and size (Indicate on floor plan):
overquare inches, type of protection used:
NO Describe in Section E)
ars/Grills Metal Baffles: YES NOxplain:
Duct Sound Baffles Are ducts equipped wilh:
Metal NO
Noise Generator:
Non-Conductive NO
Inspection Ports:
If YES. are they within the SCIF? If they are located
outside of
ihe SCIF. how are they secured?
TEMPEST accrcdiuiion authority requires: are pipes, conduits, etc..SCIF equipped wilh non-conductive unions al ihe point they breach theYES NO
Arc they provided acoustical protection? (if applicable). YES NO
walls:
hickness:
o the walls cxiend from the true floor to the true
NO
ceiling (material and
d. True floor (material and thickness).
e False Floor? YES NO if yes Distance between false and true Boor
15 Remarksoors
escribe SCIF Primary Entrance Door (Indicate on floor plan):
Is an automatic door closer NO If NO. explain.
escribe number andof doors used for SCIFls and other perimeter doors (Indicate on floor plan):
Is an automatic door closer installed? YES NO If NO. explain
IS Describe how the door hinges exterior io the SCIF arc secured against removal (if in an uncontrolled area)
ocking devices;
a. Perimeter SCIF Entrance Door.
list manufacturer, model number and Group rating:
Docs entrance door stand open into an uncontrolled area?
YES NO If YES. describe tamper protection:
b Emergency Exits and Oiher Perimeter Doors
Describe (locks, metal stnpnar. dcadbolts. panichere are the door lock cocr.b. nations filed? 20 Remarks
A-7
nlruiion Detectioo System*
(awanJ moSti mamben im rtipOtMj/iowi
21. Method of imcrior Motion Detects Protection
a Accessible Perimeter? Storage Areas?
b. Motioo Dciectton Sensors (Indicate on flooramper protection: YES NO
c Other (eg CCTV. etc)
22 Door and Window- Protection (Indicate on tloor plan):
a Balanced Magnetic Switch (BMS) on door'.': Tamper protection: YES NO
b If SCIF has ground floor windows, how arc they protected1
c Other (eg. CCTV. etc..)
Method of ventilation and duct work prMcction:
Space above false ceiling (only outside the United States, if required)
a. Motion Detection Sensors: Tamper protection: YES NO
b OtherCTV):
below false floor (only outside the United Sutes, if required)
Detectionprotection: YES NO
. CCTV):
transmission line security protection:
a Flee ironic line supervision (Manufacture and Model)
Ii emergency po-er available for lhe IDS? YES NO TYPE; Generator Other
Where is ilie IDS control unit for lhe SCIF locaicd (Indicated on floor plan)?
29. Where is the IDS Alarm annunciator panel located (Indicate on floor plan. Addrcssl
Response Personnel Describe;
Response Force Security
level;
b Emergency Proceduresckxumcnicd*
c Reserve Force
d. Response time required for alarm
c. Arc response procedures tested and records maintained? YES NO If no, explain:
the IDS levied and records maintained" no. explain
elephone System
33. Method of on-hoc* security provided
aomputerized Telephone System NO
Manufactuter/Modcl:
Location of the CTS:
Ihc CIS installed as peronfiguration Requirements?
YES NO
If no, provide make and model number of telephone equipment, explain your configuration, andine drawing"
Is access to the facility housing the switch controlled" YES NO
(c> Arc all lines between the SCIF and the switch in controlled spaces? YES
NO
the CTS use remote maintenance and diagnostic procedure! or oiher
remote access features? YES NO
If yes. explain those procedure*
bpprovedanufacturerAlodel
TSG number
Ringer Protection (ifpproved disconnect device*"
(I)TSG number:
ol off-hook security provided:
a Isihcrcaholdormutcfcamre? YES NO
and is it provided bv
f no. arc approved push -lo-opcr.wrd handsets provided? YES NO Describe:
telephone call answering
a Is there an automatic call answering service for the telephones in lhe SCIF? YES NO
If yes. provide make and model number of ihc equipment, explain the configuration, andine drawing
41. Is Ihc SCIF equippedublic address, cmcrgcncy/firc announcement or music
If yes. describe and explain how protecled?
42 If any intercommunication system that is not part of the telephone system is used, describe and explain how protected:
43. Remarks:
dministrate Security
45. Destruction Methods
a Describe method used for destruction of cla&sifiecVtcnsiiive material
Manufacturer
Model:
b Describe location of dcslniction sitefs) in relation lo ihc secure facility;
c Have provisions been made for the emergency- destruction ofrogram material? (If required) YES NO
If YES, has Ihc emergency destruction equipment and plan been coordinated wiihCSA? YES NO
46. If reproduction of classilled/scaciiive material lakes place outside Ihc SCIF, describe equipment and security procedures used lo reproduce documents:
47 Remarks
A-ll
DIRECTOR OF CENTRAL1
ANNEXD (Effective)
INTRUSION DETECTION SYSTEMS
ets forth the requirements and establishes the standards for intrusion detection systems for all SCIFs throughout government and for government-sponsored contractor facilities Compliance with these standards is mandator) for all facilities established after the effective date of this annex, including any major renovation of existing facilities insofar as the rcriovation will permit reasonable and practical upgrading, as determined by (he Cognizant Security Authority (CSA).
ONCEPT
An Intrusion Detection System (IDS) must detect an attempted or actual human entry into the protected area. An IDS complements other physical security measures and consists of three essential components:
Inlnision Detection Equipment (IDE).
Security und response force personnel
3 Operation procedures.OPERATION
I IDS components operateystem with four distinct phases
4 Response
hese elements arc equally important, and none can be eliminated (fan IDS is to provide an acceptable degree of protection
lcction: The detection phase begins as soonetector or sensor reacts to stimuli it is designed to detect The sensor alarm condition is then transmit led over cabling located within the protected area to the Premise Control Unit (PCU) The PCU may service many sensors. The PCU and theervestone' ai the moniior station
This shall be used as the definition of an alarmed zone for purposes of Ihis document
eporting: The PCU receives signals from all sensorsroiecied area and incorporates these signalsommunication scheme. Anoilier signal is added to the communication for supervision to prevent compromise of the communications scheme. This supervised signal is intended to disguise the
B-l
information and protect the IDS against tampering or injection of false information by an Intruder. The supervised signal is sent by the PCU via the transmission link to the monitor station Inside the monitor station,edicated panel or central processor monitors information from the PCU lignals When alarms occur, an annunciator generates an audible and visible alert to security personnel Alarms result normally from intrusion, tampering, component failure, or system power failure
ssessment: The assessment period is the first phase that requires human imeraction. When alarm conditions occur, the operator assesses Ihc situation and dispatches Ihc response force.
esponse: The response phase begins as soon as the operator assesses an alarmesponse force must immediately respond to all alarms. The response phase must also determine the precise nature of lhe alarm and lake all measures necessaryafeguard the SCIF.
EQUIREMENTS
As determined by the CSA, all areasCIF that reasonably afford access lo the SCIF. or where SCI it stored, shall bc protected by an IDS unless continually occupied.
Acceptability of Equipment: All IDE must bc UL-Iistcd (or equivalent as defined by lhe CSA) and approved by ihc CSA. Government and proprietary installed, maintained, or furnished systems arc subject to approval onl> by the CSA
Vendor Approval Procedures Vendors may submit their IDE requests citherpecial Security Officer'Contractor Special Security Officer (SSCVCSSO) or directly to the CSA Vendors shouldL certificate for installation and service0 apply) directly lo the SSO/CSSO or CSA for acceptance. With sufficient justification, ihe CSA may waive this requirement and waivers must bc documented All requests for acceptance must desenbe the IDE fully and include the results of testingisted independent laboratory An independent laboratory evaluates ihe manufacturer's compliance to performanceequest for acceptance of line supervision using Data Encryption Standard (DES) must also include validation from the National Institute of Standards and Technology (NIST) or another independent testing laboratory recognized by Ihc CSA The description must idcoiify the marmfaciurer and model of equipment and show how the IDE meets CSA and/or UL standards
Teinstallatjan Approval of IDS The CSA willroposed IDS before iu installationCIF as pan of the initial SCIF ccustrucbon approvalroposal for an IDS will be examined for ihc type and cmptoymcru of accepted equipment An IDS proposal will be submitted as panrccoTistruction approval process
I Class I:ine security is achieved through (he use of DES or an algorithm based on the cipher feedback or cipher block chaining mode of encryption Certification by NIST or another independent testing laboratory is required The certificate must be retained by the CSA for the duration of operation of the SCIF
lass II: Class II line supervision refers to systems in which the transmission is based on pseudo-random generated tones or digital encoding using an tniertogation and response scheme throughout the entire communication, or UL Class AA line supervision The signal shall not repeal itselfinimum six-month period Class II security' shall be imperxious to compromise using resistance, voltage, current, or signal substitution techniques
Internal Cabling: The cabling between the sensors and the PCU should be dedicated to IDE and must comply with national and local code standards. If applicable, the cabling must be installed in accordance with TEMPEST and COMSBC requirements
Restriction on integration of Access Controls into SCIF BOSs: If si access control system is integrated into an IDS. reports from the access control system should be subordinate in priority to reports from intrusion alarms.
Maintenance Mode. When an alarm /one is placed in the maintenance mode, ihis condition will be signaled automatically to the monitor station This signal must appear as an alarm or maintenance message at the monitor station, and the IDS shall not be securablc while in the maintenance mode However, the alarm or message must continue visibly at the monitor station throughout the period oftandard opcraiing procedure (SOP) must be established to address appropriate actions when maintenance access is indicated at the panel All maintenance periods will be archived in the system. The CSA may require that the maintenance Personal Identification Number (PIN) be established and controlled by the customer The IDE will not contain any capability for remote diagnostics, maintenance, or programming, except for an alarm remote test feature at the monitorelf-test feature will be limited to one second per occurrence
nnunciation of Shunting or Masking Condition: Shunting or masking of any internal /one or sensor must be appropriately logged ot recorded inhunted or masked internal zone or sensor must be displayed as such at ihe monitor station throughout the period the condition exists whenever thereurvey of zones or sensors.
larms Indications' Indications of alarm status shall be revealed at Ihe monitoring station and optionally within the confines of the SCIF.
mergency Power; Emergency power must comply with. Emergency power may consist of battery and/or generator power. When batteries arc used for emergency power, they will be maintained at full charge by automatic charging circuits. The manufacturer's pcriodx maintenance schedule shall be followed and results documented
ower Source and Failure Indication- An illuminated indication will exist at the PCU of the power source in use (AC orquipment at the monitor station will indicate visibly andailure in powerhange in power source, and the location of the failure ot change.
amper Protection All IDE wilhin the SCIF with removable covers will be equipped with tamper switches The tamper detection will bc monitored coniinuously whether the IDS is in Ihc access or secure mode of operation
rohibition Against Fortuitous Conduction via IDE. No IDE will bc employed that allows audio and intelligence-bearing signals io pass out of the SCIF in any form
afeguarding IDE
n areas outside the United States. IDE must remain solely under US control, or as otherwise authon/cd by the CSA
ey variables and operational passwords will bc safeguarded, disseminated, and controlled as determined by Ihc CSA.
nstallation
ndepcndem Equipment All SCIFs will have intrusion detection equipment and zones independent from other protected sites. When many alarmed areas are protected by one monitor station, audible and visible annunciations for SCIF /oiks mast bc clearly distinguishable from other annunciations All sensors protecting the SCIF will bc installed wilhin the SCIF.
ccess/Secure Switch and PCU No capability will exist to allow changing the access status of tbe IDSocation outside the SCIF unless performedroperly accessed individual All PCUs most be located inside the SCIF and should bc located near the SCIF entrance. SCIF personnel must inmate all changes in access and secure status. Operation of ihe PCU will bc restricted by useevice or procedure that verifies authon/cd use In the secure mode, any unauthorized entry into the SCIF shall cause an alarm to be transmitted immediately io Ihc monitor station
technology is auilttri/cd when one technology tratumid in alarm condition irvdcpcndcntrv from the otherailed detector nil) cause an immediate and continuous alarm condition. Detection equipment must be installed in compliance with UL 6SI
ccciaible Areas: Within the United Slates, alarms arc not required above the false ceiling or below the false floor. Outside the United States, such alarms may be required by the CSA.
rotection of SCIF Perimeter Doors: Each SCIF pen meter door will be
protecteda la need magnetic switch (BMSl that meets the minimum standards ofhe QMS must be installed inanner that an alarm signal will initiate before Ihe nonhinged side of the door opens beyond the ihickness of lite door from ihe seated position. Emergency exit doors equipped with integrated life safety hardware may have the life
safety alarm component integrated into the SCIF IDS as an additional detector Emergency exit doors will be monitoreday to
provide quick identification and response to the appropriate door when
there is an alarm indication
windows' All readily accessible windows will be protected by an IDS. cither Independently' or by Use motion detection sensors in Ihe room, as determined by the CSA
IDE Installation Criteria All IDE will be installedanner to prevent access or removalocation external lo the SCIF and in compliance withor 'Installation of Burglar Alarm Equipmcnl"
DS Requirements for Continuous OperationsCIF accredited for continuous operations may not require an IDS as determined by the CSA This lype of SCIF will be equipped with an alerting system if the occupants cannot observe all potential enirances into ihe SCIF. The system alerts occupants to an intrusion into the SCIF. An alert system will consist of BMSs or other appropriate sensors None of the IDE or cabling associated with ihe alert system will extend beyond ihe perimeter of the SCIF.
alse/Nuisance Alarm Any alarm signal transmitted in the absenceetected intrusionalsealse alarmuisance alarm when the effects of environment, equipment malfunction, operator failure, animals, electrical disturbances and known effects cause the alarm indication All alarms shall be investigated and the results documented The maintenance program for the IDS shall ensure thai incidents of false/nuisance alarms will not exceed oneenod ofays per /one.
I This should be interpreted to mean any windows which are less thanect above the ground measured from ihe bottom of the window, or are easily accessible by means of
ersonnel:
DE Installation and Maintenance Personnel: Alarm installation and maintenance will be accotnptUhod by US citizens who base been subjectedrustworthiness determinationAC with no clearance to be issued) Use of foreign nationals or other personnel for this purpose must have prior CSA approval.
onitor Station Stalling: The monitor station will be supervised continuous ry by US citizens who have been subjectedrustworthiness determination. NAC with no clearance to be issued) Use of foreign nationals or other personnel for this purpose must have prior CSA approval. The duties of the monitoring operator will be documented and will email observing monitor panels for reports of alarms and changes in IDE status, making accurate assessments of ihese reports, and dispatching the response force or notifying the appropriate authority in the cvcnl of an intrusion alarm The operator will have no duties that interfere with the primary' functions of monitoring alarms and dispatching the responseocumented chain of authority will east for use by security personnel during unusual situations The operator will be trained sufficiently in the operation and theory of the IDE to property interpret all incidents gcncraied by the IDE. Inn training must also include all actions to be taken on receipt of an alarm activation
SJ Procedures:
esting: SCIF IDS sensors will be testedecord of IDE testing will be maintained at the SCIF that reflects, testing date. Individuals who performed the test, specific equipment tested, malfunctions, and corrective actions taken Tests of the response force will be conductedecord of response force testing will be maintained
afeguarding IDS Plans Details of installed IDS shall be controlled and restrictedrcd-lo-know basis
peratingritten support agreement must be established for external monitoring and/or response
onitoring Station: Where there is an operations security concern, the alarm monuonng panel shall be designed to prevent observation by unauthorized persons
larm Condition Response: Every alarm condition will be treated initiallyetected imrusion until resolved by the response force The response force will tnvestigaic the source of an alarm and will notify SCIF personnel. The response force will take appropriate steps to safeguard the SCIF and prevent the escape of an intruder from the SCIF
atastrophic Failure: If lhe IDIi lulTcrs catastrophic failure, or lows primary and emergency power, SClF-inaoctrinaied Indlviduati mustidc security by physically occupying the SCIF until tbe IDS can be nude functional As an alternative, the outside SCIF perimeter may be continuously protected by lhe response force or as determined bv the CSA.
DS Logging. The IDS willeans foristorical record cf all events, either automatically or through the useanual log system If the IDF. has no provision of automatic entry into archive, the operator will record the time, source, and type of alarm, and action taken Results of investigations by the response force will be maintained at lhe monitor station The histoocal record musi bc routinely reviewed by the responsible security officer Records of alarm annunciations shall be retained for al leastays or until investigations of system violations and incidents have been successfully rcsoKcd and recorded
b-7
DIRECTOR OF CENTRAL INTELLIGENCE1
ANNEXC (Effective
TACTICALRAINING
This annex pertains io specialized Sensitive Companmcntcd Information Faciliti (SCIFs) deploywlactical operations or field training environment It is divided in three parts to reflect tlie accepted modes of tactical operation:
round Opcratiori
PartircaalVAirborne Operation
Partrnc Operation
C-I
able of Con (cms
ROUND OPERATION
URPOSE
0 APPLlCABnJTY AND SCOPE
0 RESPONSIBILITIES
CCREDITATION OF TACTICAL SCIFs SO PHYSICAL CONFIGURATION
ACTICAL SCIF OPERATIONS USING VANS. SHELTERS. AND VEHICLES
ACTICAL SCIF OPERATIONS WITHIN EXISTING PERMANENT STRUCTURES
OBILE SIGINTEMI-PERMANENT0 ELECTRICAL POWER
EMPEST REQUIREMENTS
ELEPHONE EQUIPMENT
IRCRAFT/AIRBORNE OPERATION
PPLICABILITY
lORESPONSIBlLiTrFS
CCREDITATION OFUOHNE FACILITIES
OST AND PATROL REQUIREMENTS
NTRY HATCHES
EMPEST REQUIREMENTS
NSCHEDULED AIRCRAFT LANDINGS
OICE TRANSMISSIONS
i DESTRUCTION REQUIREMENTS
PART III SHIPBOARD OPERATION
URPOSE
PPLICABILITY AND SCOPE
YPES OF SHIPBOARD SCIFsClFs)
TANDARDS
NTRUSION DETECTION SYSTEM (IDS)
ASSING SCITTLES AND WINDOWS
OCATION OF CRYPTOGRAPHIC EQUIPMENT
FCURF STORAGE CONTAINERS
EIF.PHONES
ECURE TELEPHONE UNIT-1I1 CSTU-lll)
OUND POWRRED TELEPHONES
CI INTERCOM ANNOUNCING SYSTEM
UPPORTING INTERCOMMUNICATION ANNOUNCING SYSTEMS
I
9
OMMERCIAL INTERCOMMUNICATION EQUIPMENT
I
9
ENERAL ANNOUNCING SYSTEMS
I
9
MERGENCY POWER
CI PROCESSING SYSTEMS
EMPORARY ACCREDITATION
EMPORARY SECURE WORKING AREAS (TSWAs)
MBARKED PORTABLE SHIPBOARD CO! .LECTION VANS (PSCVs)
C-*
ROUND OPERATION:
URPOSE:
This Annex prescribes ihe procedures for [he physical security requirements for the operationenshive Compartmenied Information Facility (SCIF) whileield or tactical configuration, including training exercises. It also addresses the standards for truck mounted or towed trailer style shelters designed for useactical environment but usedarrison environment knownemi-permanent SCIF (SPSCIF).
PPLICABILITY AND SCOPE"
Recognizing lhal ficlcVtactical operations, as opposed to operationsixed military installation, are of the type considered least secure, the following minimum physical security requirements will bc met and maintained Situation and time permitting, these standards will be improved upon using the security considerations and requirements for permanent secure facilities as an ultimate goal. If available, permanent-type facilities will be used. Under field or combathour operation is mandatory. Every effort must bc made to obtain the necessary support from the host command. security containers, vehicles, generators, fencing, guards, weapons, etc.).
The Tactical SCIFCIF) shall bc located within the supported headquarters defensive perimeter and preferably, also within the Tactical Operations Center (TOC) perimeter.
CIF shall be established and clearly markedhysical barrier. Where practical, lhe physical barrier should bc triple-strand concertina or General Purpose Barbed Tape Obstaclehe Tactical SCIF approval authority shall determine whether proposed security measures provide adequate protection based on local threat conditions.
The perimeter shall be guarded by walking or fixed guards lo provide observation of the entire controlled area. Guards shall be armed with weapons and ammunition. The types of weapons will bc prescribed by Ihc suppoitcd commander. Exceptions io this requirement during peace may only be granted byCIF approval authority based on local threat conditions.
Access to the controlled area shall be restrictedingle gate/entrance, which will be guardedontinuous basis.
An access list shall be maintained, and access restricted to those people whose names appear on the list
The Tactical SCIF shall bc staffed wiih sufficient personnel as determined by Ihc on-site security authority based on the local threat conditions.
Emergency destruction and evacuation plans shall be kept current.
SSO. or designee, shall conduct an irispeciion of the vacalcd Tacticallo ensure SCI materials are not inad*<erlently left behind when the
ctivation and operational data shall be madeays after SCIF activation. Interim reporting of SCIF activities may be
KffeCSA.
ESPONSIBILITIES:
The Cognizant Security Authority (CSA) is responsible for ensuring compliance with these standard', and providing requisite SCIhe CSA may furtherCIF accreditation authority one command level loner. The Senior Intelligence Officer (SIO) is responsibleemporary field or Tactical SCIF is used in support of field training exercises.eriod of declared hostilities or generalCIF may be established at any level of accreditation upon the verbal ordereneral or Flag Officer Commander
CCREDITATION OF TACTICAL SCIFs:
An Accreditation Checklist shall not be required for establishmentCIF. Approval authonties may require useocal tactical deployment checklist.
The element requesting cstablishrnentCIF shall notify the CSA. or designee, prior to commencement of SCIF operations. The message shall providefollowing information:
ID number of parent SCIF.
Name of the Tactical SCIF.
Deployed from (location).
Deployed to (location).
SCI level of operations.
Operational period.
Name of exercise or operation.
Identification of facility usedCIF operationsans, buildings, tents).
Points of contact (responsible officers)
of security measures for entire operational period of SCIF.
HYSICAL CONFIGURATION:
CIF may be configured using vehicles, trailers, shelters, bunkers, tents, or available structures to suit the mission. SelectionCIF site should fust consider effective and secure mission accotnplishjnent
ACTICAL SCIF OPERATIONS USING VANS, SHELTERS. AND VEHICLES:
igid side shelter or portable van is used for SCI operations, it shall be equipped withombination lock that meets all requirements of Federal Specificationr other CSA-approvcd lock The combination to Use lock or keys shall be controlled by the SSO at the security level for whichCIF is accredited The shelter or van shall be secured at all times when not activatedCIF.
The SCIF entranceadio frequency shielded enclosure designed for tactical operations may be secured with the manufacturer supplied locking device or any combination of the locking devices mentioned above.
ACTICAL SCIF OPERATIONS WITHIN EXISTING PERMANENT STRUCTURES:
T-SCIF may be operated within an existing structure when:
Location is selectedandom basis.
The location is not reused6 month period. If reused withinonths for SCISCM evaluation is recommended.
is no restriction over SCI discussionCIF duringMOBILE SIGINT SCIFs:
Ahour operation is mandatory'.
CIF shall be staffed with sufficient personnel as determined by the on-site security authority based on the local threat conditions.
External physical security measures shall be incorporated into the perimeter defense plans for the immediate area in whichCIF is located.
A physical barrier is not requiredrerequisite toobileCIF
External physical security controls will normallyunction of the people controlling the day-to-day operations ofCIF.
rigid side shcllcrortable van arc two possible configurations that may
a rigid side shelter or portable van is used, it is subject to therestrictions:
if ithcllcr. ii shall bc mountedehicle inay as lo provide Ihe shcllcr wiih the capability of moving on short notice
A GSA-approved security container shall be permanently affixed within ihe shcllcr. The combination to the lock will be protected to Ihe level of security of lhe material stored therein.
Entrance toCIF shall be controlled by SCl-indoclrirtatcd people on duty within the shelter. When situations occur where Ihere arc no SCI-indoctrinated people within the, during redeployment, classified material shall bc stored within ihe locked GSA container and the exterior entrance io the shelter will be secured.
Entrance toCIF shall bc limited lo SCI-indocirinatcd people with an established nced-to-know whenever SCI material is used wilhin the shelter
a rigid side shcllcr or portable van is not availableacilityfor SCI operations, such as in the caseoft side vehiclesystem. It Is subject to the following additional restrictions:
Protection will consist of an opaqueeather pouch, metal storage box. or other suitable container that prevents uriauihorizcd viewing of the material
This container shall be kept in the physical possession of an SCI-indoctrinalcd person
quantity of SCI material permitted wilhinCIF will be limited tois absolutely essential to sustain the mission. Slringemshall be employed to ensure thai the quantity of SCI material isto accumulate more lhan is absolutely necessary.
AH working papers generated withinCIF shall be destroyed at lhe earliest possible time after they have served their mission purposereclude accumulation of unnecessary classified material.
if AIS equipment is used lo store or process SClapid and certain means of destruction shall be available to AIS operators to ensure lhe total destruction of classified material under emergency or combat conditions.
EMIPERMANENT SCIF*
Vehicle* with mounted shelters or lowede shelters, designed for field or lacilCHl use. thai arc employed as tactical SCIFs when deployed may also be usedCIF in noiitacUcal situations if the SIO determines ihereeed for more SCIF area and time and/or funds are not available io construct orermanent SCIF These type* of SCIFs are SEMI-PERMANENT SCIFs (SPSCIFs).
The SPSCIF shall be accredited and operated in the same mannerermanent SCIF Requirements for TEMPEST and AIS accreditation apply as well
The SPSCIF musl be of rigid construction similaran. trailer, or transportable shelter The construction material must be of such composition to show visible evidence of forced entry. Vents and air ducts must be constructed to present surreptitious entry The doors must be solid construction and plumbed so the doorood acoustical seal. If installed, emergency exits and escape hatches must be constructed so Ihey can only be opened from the Interior of the SPSCIF.
he SPSCIF must be placedenced compoundilitary installation ot equivalent, as deicrmined by Ihe CSA The fence musi be at least) feet front the SPSCIF and related building and equipment The distance from the fence lo the SPSCIF may base to be greater io provide acoustical security or lo meet COMSFC or TEMPEST requirements Access control to the fenced compound must be continuous.
SPSCIFs mustombination lock thai meets all requirementsr other CSA approsed lock (NOTE rust askeys require protection equivalent to the information which
do not need any additional security measures if one of the following
exists:
ontinuous operations Continuous operations exist when the SPSCIF is occupied by one or more SCI-indoctnnaled personsay When (here arc multiple vehicles/sheltersenced compound, only ihosc occupied by one or more SC^ndoctrinated people quality as continuous operations facilities.
edicated guard force who have been subjectedrustworthiness dctetminationAC with no clearance to be issued) The dedicated guard force must be present whenever the SPSCIF is not occupied and must have continuous surveillance of the SPSCIF entrances The guard force must check ihe perimeter of ihe SPSCIF at least twice an hour at random intervals Guard response time will be five minutes or less.
unclassified
PSCIFs not storing classified material and not meeting one of the requirements in the above paragraphs may be required to have an Intrusion Detection System (IDS) as prescribed ins required by the CSA.
equirements for storage when unoccupied
CI material will not be storedxcept when removal is not feasible,omputer hard disk
C-9
9torage in the United States and Outside (he United States If the SPSCIF docs not have continuous operationsedicated guard force, an combination lock lhal meets all requirements of Federal Specification0 or other CSA approved lock and an IDS for the SPSCIF interior is required The interior SPSCIF IDS must bc as prescribed in ANNEX B. The CSA may require exterior compound IDS.
LECTRICAL POWER:
Electrical power suppliedClFs may bc furnished by cocornercul or locally generated systems, as follows:
actical generator with access controls, including guards or surveillance of Ibe generating equipment
he generating equipment shall be located within the protected perimeter of the organization supponingCIF. The generator shall not require location within the SCIF compound perimeter.
enerator operator and mainicnance people shall be US aiuens.
n general. RF fillers or isolators arc not required for TEMPEST protection of commercial AC (alternating current) power lines used tor SCI processingCIF
iltering and itolatioa generators (an electrical motor coupledenerator by oon-conductive means) may be used xo provide isolated electrical power io the SCIF. The motor generator location shall be within the SCIF compound perimeter.
EMPEST REQUIREMENTS:
Authority for TEMPEST accreditation of all conipanmcms of SCI processedactical SCIF is delegated to the CSA based on review by ihc Certified TEMPEST Technical Authority (CTTA).
ELEPHONE EQUIPMENT:
Telephone instruments usedCIF shall meet requirerncnu outlined in the Telephone Security ANNEX. Rcstnctioni contained within ihe Telephone Security ANNEX pertaining lo SCIF telephone services do nol applyCIF operations during war
C-10
PART II AIRCRAFT/AnUJORhTE OPERATION:
URPOSE:
This annex prescribe* the physical security procedures for the operationensitive Compartmcnlcd Information Facility (SCIF) for aircraft, including airborne missions.
PPLICABILITY:
This annex is applicable lo all aircraft to be utilizedCIF Existing or previously accredited facilities do not require modification to conform with these standards
ESPONSIBILITIES:
The CSA is responsible for ensuring compliance with these standards and providing SCI accreditation. The CSA may delegate aiicrafUairbome SCIF accreditation authority lo
Ihc major uenundlrvd
The major comnurnd'organi/ation Senior Intelligence Officers responsible when an aircraft is usedemporary SCIF in support of field training exerciseseriod of declared hoadlilies or general war, an aircraft/airborne SCIF may be established at any level of accreditation upon ihc verbal ordereneral orficer Commander. The major comnund/organi/aiion is responsible for ensuring compliance with this annex.
CCREDITATlOh OF AIRCRAFT/AIRBORNE FACILITIES:
An accrcdiiation checklist will not be required for the establishment of an aircraft/ airborne SCIF Approval authorities may require useocal dcpiosnterM checklist, if necessary.
The clcmcni requesting estaWishmeni of an aiicraft/airborne SCIF will notify the CSA pnor lo commencement of SCIF operations The letter or message will indicate the following information
Name of aircrafVaitbornc SCIF Major corrtmand'organi/aiion ID number of pa rem SCIF. if applicable Deployed from (localion) and dates Deployed to (location) and (Lues SCI level of operations Name of exercise or operation Points of Contact
Type of Aircraft and area io be accreditedCIF
Description of security measures for entire operational period of SCIF (SOP)
SCIF will bc staffed wiih sufficicni personnel aa determined by theauthority based on lhe local threat environment
CI materia) will be removed from the aircraft oo mission completion or at any landings, if feasible When removal is not passible, or when suitable storage space/ local ions are not available, rwo aimed (with ammunition) SCI-indoctrinated personnel must remain with the aircraft to control entry to the SCIF. Waivers tu the requirement for weapons and ammunition may be approvedase-by-case basis by the Commander
C-U
he SSO or senior SCI-ciearetl person will cooducl in Inspeciion of ihe vacated SCIF io ensure SCI nuicrials are not left behind,
ircraft th.it transport SO maicnal incidcnul to travel between airficldi do not require accreditation llowevcr. compliance with directives pertaining to security of SO material and communications is mandatory.
OST AND PATROL REQUIREMENTS:
Accredited aircraft require perimeter accessuard force,eserve security team
nless protected by an approved IDS. hourly inspections will be made of all hatches and seals (including seal numbers).
uard force and response team must be provided, capable of responding within five minutes if open storage is authorized orinutes for closed storage
hen aircraft arc parked outside an established controlledemporary controlled area must he established
NTRY HATCHES:
he aircraft commander or crew member* will provide guard force personnel who have been subjectedrustworthiness determinationAC with no clearance to lie issued) prior to departing from the immediate area of the aircraft
TI hatches will be locked to prevent unauthorized access. Hatches that cannot be secured from the outside will be sealed using serially numbered seals.
EMPEST REQUIREMENTS:
Authority for TEMPEST accreditation of all compartments of SCI processed in an aucrafl/airbornc SCIF is delegated to the CSA based on review by the Cognizant Certified TEMPEST Technical Authority (CTTA)
NSCHEDULED AIRCRAFT LANDINGS:
S Military Uases: The local SSO or base sccuniy officer will be notified of the estimated arrival time and security protection requited
ther Airfields:
ithin the United Sutes, the local Federal Aviation Administration (FAA) Security Officer will be notified of the estimated arrival lime and security protection required.
ny property accredited US (xrvcmment tea may be used for temporary storage o< materials from the aircraft- If Ibe facility is not accredited for the level of information lo be stored, ihe material roust be double wrapped with initialed seals and storedpproved security container.
nfriendly Territory
If an aircraft landing in unfriendly territory it anticipated, all SCI material will be immediately destroyed, with ihe destruction process preferably taking place prior to landing
hen flights arc planned over unfriendly territory. SCI lo be carried on board will be selected by the intelligence mission personnel and consist of Ihe absolute minimum required for mission accomplishment
ll personnel will rehearse emergency oca ruction before each mission Such errsergency preparation rehearsals will beatter of record
OICE TRANSMISSIONS:
SCI discussions will only be conducted via appropriaich encrypted aircraft radio
ESTRUCTION REQUIREMENTS:
n Emergency- Action Plan (EAP) will be written ihat provides for the evacuation snd'or destruction of classified material Evacuation plans and destruction equipment must be approved by the CSA and icsled by mission2 Emergency destruction and evacuation plans will be kept current
C-I3
HIPBOARD OPERATION:
LO PURPOSE:
This annex specifics lhe requirements for cooiiruction and sccunlv protection of SCIFs loculcd on ships. The SCI accreditation checklist for ships may bc obtained from ihc Director. Office of Navaluitland Road. Washington..
PPLICABILITY AND SCOPE:
his annex it applicablell new construction surface combatant ships The application of this annex to surfacer sub-surface vessels will be referred lo the CSA
There may bc instances in which arcumstanceshrcal of such proportion thai they can only be offset by stringent security arrangemcnis over and above those prescribed in this annex Coovtrsch. there may be instances in which time, location, mission, and/or condition of use of materials would make full compliance with these standards ururasonable or Impossible Such situations will be referred to the CSA for resolutionase-by -case basis
Existing or previously approved facilities do not require modification to conform wiih these standards
YPES OF SHIPBOARD SCIFa (SVSCIFa):
CIFs: An area aboard ship where SCI operations, processing, discussion, storage, or aVstruction takes place The area willlearly defined physical pen meter barrier and continuous physical security safeguards. The area may contain one or more contiguous spaces requiring SCIF accreditation. ThisCIF is routinely used during dcpkiyroem and import operations
Temporary SVSCIFs An area aboard ship where temporary SCI operations, processing, discussion, storage, or discussion lakes place The area willlearly defined physical perimeter barrier and continuous physical security-safeguards The area may contain one or more contiguous spaces requiring SCIF accreditation Ii will bc continuously manned wiih sufficient SCI-clcarcd and -indoctrinated personnel, as determined by the on-site security authority based on ihc local threat environment, when SCI is present wilhin ihe area. Temporary shipboard SCIill he limited ny
ingle deploy mem thai will not exceedonths
ingle mission requiring SCI operations lhat cannot be defined in length of operaiional time
uring (he period immediately preceding relocation of the shipefilling facility where ihcCIF is scheduled for renovation and
emporaryobile or portable SCIF nay be tempo ranlv placedhip Such plaiforms mil bc accreditedemporary basisingle employment rnisskm The platform will bc manneday by sufficient SCI-ckarcd and -indoctnnaied personnel as determined by the on-site security authority. At the completion of lite mission, the accreditation period will end and the CSA notified thai the platform is certified ciear and free of all SCI materials
ERMANENT ACCREDITATION:
Ships requesting permanent accreditation status will provide lo theomplete inspection report and the Shipboard Inspection Checklist, certifying compliance with thu Annex
TANDARDS:
The physical security criteria forCIFs is as follows:
Physical Perimeter: The physical perimeter of an SCI space will be fabricated of structural bulkheads (aluminum or steel)hickness not lessnch LJemcntiof the physical perimeter will be fully braced and welded in place.
Continuous SCI Spaces: Where several SCI spaces arc contiguous io each oiher in any or all dimensions, the entire complex may bc enclosedingle physical perimeter barrier conforming io this annex
ccess to ihc SCI complex will be controlledingle access door conforming to this annex Each compartment within the complex mayeparate access door from within the common physical perimeter barrier Such interior access control doors do not need to conform with this annex
ccess procedures will bc established io ensure againstof personnel iioi holding appropriate SCI access.
ormal Access Door The normal access door willhipboard metal joiner door
wuh horK^comb-core and fined ns specified below;
here the normal access door isulkhead that is pan of an airtight perimeter, the airtight integrity may be mainiaincd by colocaiing the airtight door with the metal joiner door, or byestibule
he metal joiner door will bc equippedombination lock lhal meets all requirements of Federal Specificationr other CSA approved
lock.
n addition lo lhe lock, ihe door will be equipped with an access control device
mergencyThe emergency exil will be fabricated of aluminum plaic or steel in accordance with this annex The exit will be mountedrame braced and welded in placeanner commensurate with the structural chanictcristics of the bulkhead, deck, or overhead in which it is situated
estriction on Damage Control Fittings and Cables: Because of the security restrictions imposed in gaining access to these spaces, no essential damage control fittings or cables will be located within or pass through an SCI space. This requirement is not applicableamage control fittings, iuch as smoke dampers, lhai may be operated by personnel within ihe space during normal manning.
emovable Hatches and Deck Plates Hatches and deck plates less thanquare feet thai arc secured by exposed nuts and bolts (external to the SCI space) will be secured wilh externally attached, high security padlocks (unless their weigh! makes removalhe padlock keys will be storedecurity container locatedpace under appropriate security control
enl and Duct Barriers. Vents, ducts, or other physical perimeter barrier openingsross-sectional dimension greater thanquare inches will be protected at the perimeterixed turner or security grill.
he gull will be fabricated of steel or aluminum grating or barshickness equal to the thickness of the physical perimeter barrierrating is used bridge center-to-center measurements will notnchesnches. Bars will be mountednch centers. The grating or bars will be welded into place
his requirement is not applicablehrough ducts Ihat have no opening into llie space.
coustical Isolation: The physical perimeter barrier of all SCI spaces will be sealed orth nonhardemng caulking material to prevent inadvertent disclosure of SCI discussions or briefings from within the space, taking into account ilsc normal ambient noise level. IO persons located in adjacent passageways and or com part menu
n cases where the perimeter material installation does not sufficiently attenuate voices or sounds of activities originating SCI infornsation. ihe ambient noise level will be raised by the use of sound couniermcasure devices, controlled sound generating source or additional perimeter material installation
ir handling uniis and ducts will be equipped with silencers or sound couniermcasure devices unless continuous duty blowersractical, effective level of masking (blower noise) in each air path. The effective level of security may be determined by stationing personnel in adjacent spaces Ol passageways lo dcicrminc if SCI can be overheard outside the space
NTRUSION DETECTION SYSTEM (IDS):
CIF access door ind emergency exit will be protectedisual ind audible alarm system The installation will consist of sensors connected at each door and alerting indicators located al the facilily supervisor's position. The normal access door alarm mayisconnect feature
Emergency exits will be connected to the alarm system at all limes and will nota disconnect feature installed
The IDS will be connectedemote alarm monitor station, which may be colocatcd with other IDS. and locatedpace which is continuously manned by personnel capable of responding to oresponsen alarm vioialion al the protected space when il is unmanned.
rimary power tor the IDS will be connected lo in emergency lighting panel within the space. SCI spaces that are under continuous manning will be staffed wilh sufficient personnel, as determined by the on-site security authority based on ihe Vocal threat ensironrnent. who have the continuous capability of detecting forced or surruptitious entry without the aide of an IDS
ASSING SCUTTLES AND WINDOWS;:
Pasting scuttles and windows will not be installed between SCI spaces and any other space on tlte ship.
OCATION OF CRYPTOGRAPHIC EQUIPMENT:
On-line and off-line cryptographic equipment and terminal equipment processing SCI will be located only withinCIF
ECURE STORAGE CONTAINERS:
SCI material will be stored only in GSA approved Class.ecurity containers Containers will be welded in place, or otlscrwise securedoundation for safety.
ELEPHONES;:
Telephone instruments usedCIF will meet ihe Telephone Security Annex standards
ECURE TELEPHONE UN IT-HI (STU-IIT):
The STU-IIIerminals may be installed0 SOUND POW'ERED TELEPHONES:
Where possible, sound powered telephones will bc eliminated from SVSClFs. Sound powered idephoncs located withinCIF connecting to locations outsideCIF will comply with the following
he telephone cable will not break out to lockboxes, switchboards, or telephone sets other than at the designated stations The telephone cable will not be shared with any drcuil other than call or signal systems associated withCIF circuit
CVU
he idcphonc cable will be equippedelector switch, located al ihe controlling station, which is capable of:
iKoriittlmg all stations.
Selecting any one station and disconnecting the remaining staiions; and
Parallel connection to all stations
ther SVSCIFs located aboard the same ship, which have sound powered telephones not equipped with the required selector switch, willost live disconnect device attached to the telephone circuit.
ound powered telephonesCIF lhat arc not used for passing SCI iriformation willign prominenlly affixed lo them indicating lhal ihey are not to bc used for passing SCI.
all or signal system will bc presided Call signal station, type ID/D. when used foi circuit EM will bc modified toisconnect in lhe line tooud-speaker from functioningkroplionc
CI INTERCOM ANNOUNCING SYSTEM:
An intercommunication type announcing syslcm processing SI lhat connects lo or passes through areas outsideCIF must be approved by the CSA
UPPORTING LNTEL'NICATION ANNOUNCING SYSTEMS:
Inicrcommumcalion-type announcing systems installed wilhinCIF thai do not riroccu SCI information will bc designated or modified to provide lhe following physical or elect ileal security safeguards:
Operational mode of ihc unii installed withinCIF will limit operation lo push-lo-Ulk mode only
Receive elements will bc equippedocal amplifieruffer to preveni loud-speakers or earphones from functioning as microobooes
Except as specified, radio transmission capability for plain radio telephone (excluding secure voice) will not be connected. Cable conductors assigned to lhe transmission of plain language radio telephones will be connected to ground al each end of the cable
Equipment modified will have an appropriate field change label affixed io the unit thai indicates the restriction. Additionally, (he front panel willign warning the user thai the system is not passing classified information
UNCIASS1FIED
FNERAL ANNOUNCING SYSTEMS:
General announcing system loudspeakers Mill rune an audio amplifier, and (he output signal lines will he installed withinCIF.
NEUMATIC TUBE SYSTEMS:
Pneumatic tube systems will not be installed. Existing systems will be equipped with the following security features;
ocked covet at both ends
apability to maintain the pressure or vacuum and capability lo lock in ihe secure posiuonhe initiating end.
Direct voice communications link between both ends to confirm the transponation and receipt of passing cartridge*
Special, distinctive color for SCI material passing cartridges
Pneumatic tubes will run through passageways and will be capable of being visually inspected along ihcir entire length.
ESTRUCTION EQUIPMENT:
A CSA-approved rncans of destruction of SCI material will be provided forCLF Non-combatant surface ships that transit hostile waters without ccmbsunt escort will have appropriate Ami-compromise Emergency Dcitruction (ACED) equipment on board and such equipment will be prepared for use. The ACED will be dedicated to SCI destruction. SC! matcriiil will not be destroyed by jettisoning overboard under am circumstances
MERGENCY POWER:
CIF will have emergency power available thai will opetaic destruction equipment, alarm systems, access control devices, and emergency lighting equipmentinimum of six hours.
CI PROCESSING SYSTEMS:
CIF ihat processes SCI electronically' or electrically should beEMPEST evaluation prior to activation. All computer and network systems that process SCI must be accredited or certified for operation by the cognizant SCI AIS Accreditation Authority
EMPORARY ACCREDITATION:
Ships requiring temporary Accreditation statui mil be processed for accreditation upon completionhysical security' inspection and certification of compliance wilh the following security- requirements
2LI if the space is used lo electrically process SCI information, ihe CSA willEMPEST evaluation based on threat
C-20
The physical perimeter barrier willof standard structural, nonsuppofl. or metal joiner bulkheads ndded or riveted into place and meet the acoustical isolation requirementsCIF.
Doors will be at least metal joiner doors equipped with door closures and capable of being secured from the inside. Dutch doors are not acceptable If cryptographic equipment is installed or stored within tlsc space and the space will be temporarily unmanned while cryptographic key material and/or SCI material arc stored dsc-wfacre, the door mil be equippedairir^-pcoof hasp and combination pad-lock.
Doors and other openings in (he perimeter lhat permit aural or visual
penetration of the internal space will bc screened, curtained, or blocked.
An effective, approved secure means of destruction of SCI material will bc readily- available in ihe space or nearby in general service spaces
Cryptographic cquipinerU used lo process SCI information will bc located in ihc SCI space or. if locatedecure processing center other lhan that accredited for SCI. mil be electrically configured so as not to be compatible with the secure processing system of lhal secure processor.
ll tclcphoiics (to include STU-III instruments and sound powered telephones) will be as specifiedCIF*
Processing of SCI via AIS will bc as specified forTEMPORARY SECURE WORKING AREAS (TSWAs):
Ships requiring TSWA accreditation for 'contingency'* or "part-time" usage mil be processed for accreditation upon completionhysical security inspection and certified ion of compliance with the following security lequircmcnts:
The physical perimeter barrier requires no special construction, provided rl can
prevent visual and aural access during all periods of SCI operation
oors will be capable of being secured from ihe inside
Provisions will be made foremporary sign thai reads "RESTRICTED AREAKEEPUTHORIZED PERSONNEL ONLY" .
When SCI material is lo bc stored in theecure storage container will be provided Security storage containers will be welded in place, or otherwise secured to Ihe foundation for safety and to prevent rapid removal
The electrical security requirementshipboard TSWA mil be specified bv lhe CSA.
mbarked portable shipboard collection vans (pscvi):
PSCVi arc vans Ihat are temporarily placed aboard ship and not part of the permanent structure of the ship. Ships requiring accreditation of embarked PSCVs must be annually accredited by the CSA and may he activated upon certification to the CSA of compliance with the following security lequircmcnu:
The exterior surface of tbe van will be solid construction and capable of showing evidence of physical penetration (except for intended passages for antenna cablet, power lines, etc 1
The access door will fit securer) and be equippedubstantial locking device to secure the door from the inside in order to prevent forcible entry wiihoui tools
Adequate security measures will be established to preclude viewing of classified material by uncleared personnel
dequate provisions will be established to control the approach of uncleared personnel within the vicinity of the van. These measures will consist ofpromulgated by the station (ashore and afloat) in which the van is embarked, prohibiting loitering in the immediate vicinity of the van. and will include periodic visual security cheeks by appropriately SCLindoctrinated personnel.
Adequate destruction equipment will be available and effective procedures established to ensure rapid and complete destruction of classified material in emergency situations
All SCI material will be stored within the van and coniimiously manned by sufficientndoctrinated personnel as determined by the on-site security authority based on the local threat environment, when activated for SCI support If SCI material is to be stored outside the van. the space must be accredited by the CSA and be in compliance with the above SVSCIF criteria
The electrical security requirementsSCV will be as specified bv the CSA
C-22
DIRECTOR OF CENTRAL INTELLIGENCE1
ANNEXD (Effective
PART I
ELECTRONIC ECHJIPMENT LN SENSITIVE COMPARTMENTED FACILITIES
(SCIFS)
LO INTRODUCTION
K is ihc policy of the Director of Central Intelligence and the Senior Officials ol" the Intelligence Community (SOICi) that personally owned clccuonlc equipment that ha* been approved for introductionCIF should not bc routinely carried into or out of the SCIF due to the possibility of technical con-promise It is also their policy lhat electronic equipment that is introducedCIF is subject to technical and/or physical inspection at any time.
UIDANCE
The following guidance is provided concerning the control of electronic equipment SOIC* retain tlie authority to apply more stringent requirements as deemed appropriate
OMESTIC UNITED STATES
The following personally owned electronic equipment may be introduced into a
SCIF:
Electronic calculators, electronic spell-checkers, wrist watches, and data diaries NOTE; If equipped with data-ports. SOICs will ensure thai procedures aic established lo prevent unauthorized connector to automated information systems that arc processing classified information
Receive only pagers and beepers
udio and video equipment withplayback" feature (no recordingr with the 'record" feature duoUod/rcrnoved
adios
ROHIBITED EXCEPT FOR OFFICIAL DUTY
The following items are prohibited unless approved by the SOIC for conduct of official duties:
wo-way transmitting equipment
2ROHIBITED IN SCIF*
The following iicms are prohibiied in SCIFs:
owned photographic, video, and audio
o^iied compuierv and associatedOVERSEAS
The provisions inbove apply in the overseas environment wiih the exception that all personally owned electronic equipment may be introduced in the SCIF ONLY with the prior approval of the SOIC and on-site security reprcscniative. based on local threat conditions
D-2
DIRECTOR OF CENTRAL INTELLIGENCE1
ANNEX D
Pan II
DISPOSAL OF LASER TONER CARTRIDGES
NTRODUCTION
The Director of Central Intelligence and the Senior Officials of the Intelligence Corrtmunity (SOICs) hereby establish the policy and procedures for disposing of used laser loner cartridges and drums The policy established herein is based on the fact that exploitation of used loner cartridges is considered to be unlikely at this lime; therefore, the expense of destroying loner cartridges is not deemed lo be justified SOICs are responsible for implementation of this policy within their respective deportment/agency. When deemed necessary and appropriate, SOICs may establish additional security measures.
OLICY
ITHIN COWS, ALASKA. AND HAWAII
Used loner cartridges may be tieatcd, handled, stored, and disposed of as UNCLASSIFIED, if,inimum, al teasi five full pages of Unclassified, randomly generated text arc run through ihe machine before the cartridge is removed. These pages should not include any blank spaces or solid black areas.
VERSEAS
In addition to Ihe sanitization measure described in paragraphhe dm adequately scored with an abrasive substance,andpaper, to further opportunity for image recovery by rendering the drum unusable.
ENIAL OF ACCESS
most likely avenue of technical penetration of reproduction equipmentuncleared personnel. If exploitation of equipment is of concern loil is recommended Ihat maintenance be conductcd byindividuals. If ihis is not feasible, mainienance workers should beor be escorted and closely monitored by knowledgeable personnel
keeping with Environmental Protection Agencyare encouraged to establish procedures forsanitized loner cartridges
D-3
DIRECTOR OF CENTRAL INTELLIGENCE DIRECTIVE1
EflWUvc
ACOUSTICAL CONTROL AND SOUND MASJCING TECHNIQUES
asic Design:
Acoustical protection measures and sound mailing system* sre designed to protect SCI against being inadvertently overheard by the casual passerby, not to protect against deliberate interception of audio. The abilityCIF structure to retain sound within the perimeter is ratedescriptive value, the Sound Transmission Class (STC).
LI The STC Rating STCingle number rating used to determine the sound bairicr performance of walls ceilings, floors, windows, and doors.
se of Sound Groups The current edition of Architectural Graphics Standards (AGS) describe* various types of sound control, isolation rcqinrcntcnts and office planning The AGS established Soundhroughf whichre considered adequate for specific acoustical security requirements for SCIF construction
oundTC ofr better. loud speech can be understood faiity well. Normal speech cannot be easily understood.
ound Group 2STC ofr better Loud speech can be heard, but is hardly intelligible Normal speech can be heard only faintly if al all
SoundTC ofr bctlcr. Loud speech can be faintly heard but not understood. Normal speech is unintelligible
SoundTC off bctlcr. Very loud sounds, such as loud singing brass musical instrumentsadio al full volume, can be heard only faintly or not at all.
ound Reduction for SCIFs:
The amount of sound energy reduction may vary according to individual facility requirements However, Sound Group ratings shall be used io describe Ihe effectiveness of SCIF acoustical security iiscasurcs afforded by various wall materials and other building components
ll SCIF perimeter walls shall meet Sound Groupnless additional protection is required for amplified sound
ound Masking and Stand-Off Distance
hen normal constiuctlon and baffling measures have been determined lo bc inadequate for meeting Soundrs appropriate, sound masking shall be employed Protection against iritcrccptioo of SCI discussions may include use of sound masking devices, structural cnhnricctnentt, or SCIF perimeter placement
Sound masking devices may include vibration and noise generating systems located oo the perimeter of the SCIF.
Structural enhancements may include live use of high density building material*. sound deadening materials) to increase the resistance of the pen meter to vibration al audio frequencies
CIF perimeter placemeni may include construction designtand-off distance between the closeston-SCI Indoctrinated person could bc positioned and the point when SCI discussions become available for interception. Useerimeter fence or protective zone between the SCIF perimeter walls and the closest "listening place" is permitted as an alternative lo other sound protection measures.
asking of sound which emanates from an SCI discussion area is commonly doneound maskingound masking system mayoise generator, tape, disc or record playeroise source and an amplifier and speakers or transducers for distribution
lacemen) of Speakers and Transducers:
To be effective, the masking device must produce soundigher volume on ihc exterior of the SCIF than the voice conversations within ihe SCIF. Speakers/transducers should be placed close to or mounted on any paths which would allow audio lo leave lhe area These paths may include doors, windows, common perimeter walls, scnts/ducts. and any other means by which voice can leave the area
or common walls, the speakers/transducers should be placed so the sound Optimizes acoustical protection.
or doors and windows, lhe spcaxcivtransducers should be close to lhe aperture of the window or door and the sound projectedirection facing away from conversations.
nce the speakers or transducers arc optimally placed, lhe system volume must bc set and fixed The level for each speaker should be determined by listening to convcrsauons occurring within the SCIF and the masking sound and adjusting the level until conversations are unintelligible from outside the SCIF.
nstallation of Equipment'.
The sound masking system shall be subject to review during TSCM evaluation to
ensure that the system does notechnical security hazard.
ound Sources:
The sound source must be obtainedlayer unit located within the SCIF. Any device equippedapability to record ambient sound wilhin the SCIF must have thai capability disabled. Acceptable methods include:
Audio amplifierecord lurniable.
udio amplifierassette. rccl-tc-rcel. Compact Discr Digital Audio Tape (DAT) playback unit.
ntegrated amplifier and playback unil incorporating any of the above music sources
mergency Notification Systems
The iMrcducuori of ckctronic systems that have components outside tbe SCIF should be avoided Speakers or Other transducers, which arc partystem that is not wholly contained in the SCIF, are sometimes required to be in the SCIF by safety or fire regulations In such instances, the system can be introduced if protected as follows:
All incoming wiring shall breach the SCIF perimeter al one po.ru TEMPEST or TSCM concerns may require electronic isolation.
in systems thai require nouftcation only, the system shalligh gain butler amplifier In systems that require two-way communication, the system shall have electronic isolation. SCIF occupants should be alerted when the system is activated All electronic isolation components shall be installed wilhin the SCIF as near to the point of SCIF egress as possible
E-3
DIRECTOR OF CENTRAL INTELLIGENCE DIRECTIVE1
ANNEXF (EBeaivc JO
PERSONNEL ACCESS CONTROLS
ccess Controls:
The SCIF perimeter entrance should be under visual control at all times during duty hours to preclude entry by unauthorized personnel This may be accomplished by several methods. employee work station, guard.egardless of the method utilized, an access control system shall be used on the SCIF entrance Persons not SCI-indoctrinated shall be ccwinuoush escortedCIF by an SCI-indoctrinated person who is familiar with (he security procedures of that SCIF.
utomated Access Control Systems. An automaied access control system may be used lo control admittance to SCIFs during working hours in lieu of visual control, if ii meets ihc criteria stated below
he automated access control system must identify an individual and authenticate that person* authority to enter the area through the use of an identification (ID) badge or card, or by personal wenUty verification Automated Identification of individuals exiting the area is desirable.
D Badges or Cards The ID badge or card must use embedded sensori. integrated circuits, magnetic stripes or other means of encoding data lhat identifies the facility and ihe individual to whom the card is issued
ersonal Identity Verification. Personal identity verificationDevice) identifies Ihc individual requesting access by some utuquc personal characteristic, such as:
I-1ngerrxinting.
Hand Geometry.
flnndwriiing,
Retina, or
(c) Voice recognition
n conjunctionersonal identification number (PIN) is required The PIN must be separately enicred inio lhe system by each individualeypad device and shall consist of four or more digits, randomly selected, wuh no known or logical association with the individual The PIN must be changed when il is believed to have been compromised or subjected to compromise.
LU Authentication of ihe individual's authori/ationnict the area must be avcc*nplishcd within ihe system by ihe inputs from the ID badge/card or the personal identity verification device or the keypad with an electrorue data base of individuals authon/ed inio therocedure must be established for removal of the individual's authorisation to enter the area upon reassignment, transfer or lerminaiion. ot when the individual's access is suspended, revoked, or downgradedevel lower than required
security protection must be established and conlinuouslyall devices/equipment Ihat constitute Ihe system The level ofvary depending upon ihe type of oVviccVcquipmcni being protectedbasic intent of utilizing the security controls already in effect within
Locations where authorization data, card encoded data and personal Identification or verification data is input, stored, or recorded must be protectedCIF or controlled by SCI indoctrinated personnel
Card readers, keypads, communication or interface devices located outside the cniraikcontrolled area shall have tamper rcvivUnt enclosures, and be securely fastenedall or other structure Control panels locatedontrolled area shall requireinimal degree of physical security protection sufficient K> preclude unauthorized access to the mechanism
Keypad devices shall be designed or installed inanner that an unauthorized person in (he inuttcdiale vicinity cannot observe the
selection of input numbers.
ystems that utilize transmission lines to carry access authorizations, personal identification, or verification data between devices/ equipment located outside the controlled area shallinimum of Class It line supervision, as described in Annex B
lectric strikes used in access control systems shall be heavy duty industrial grade
Access lo records and informal ion concerning encoded ID data and PINs shall be restricted to individuals appropriately indoctrinated at the same level as ihe information contained wilhin. Access lo identification or authorization data, operating system software ot any identifying data associated wilh tbe access control system shall be limited to the fewest number personnel as possible Such data or software shall be kepi secure when unattended.
Records shall be maintained reflecting active assignment of ID badge/card. PIN. level of access, access, and similar system-related records Records concerning personnel removed from the system shall be retained forays Records of entries to SCIFs shall be retained for at leastays or until
ersonnel entering or leaving an area shall he required to imrncdiatcry secure lhe entrance or cut point Authorized personnel who permit another individual to enter the area arc responsible for confirming the individual's access and need to know.
lectric. Mechanical, or Electromechanical Access Control Devices. Electric, mechanical, or electromechanical devices which meet the criiena staled belowe used to control admittance lo SCIF areas during working hours if the entrance is under visual control These devices arc also acceptable lo control access lo coenpanmcnlcd areas wilhin the SCIF Access control devices must be installed in the following manner
he electronic control panel containing the mechanical mechanism by which Ihc combination is set will be located inside the SCIF. The control panel (located within the SCIF) will requireinimal degree of physical security designed to preclude unauihori/cd access to lhe mechanism.
he control panel shall be installed inanner, orhielding device mounted, so lhal an unauthorized person in the immediate vicinity cannot observe the setting or changing of lhe combination
he selection and setting of the combination shall be accomplished by an individual cleared at the same level as lhe highest classified information continued within. The combination shall be changed as required in.
lectrical components, wiring included, or mechanical links (cables, icds and so on) should bc accessible only from inside the SCIF. or if ihey traverse an uncontrolled area they shall be securedrotective covcring-to preclude surreptitious manipulation of components.
F-3
UNCIASSIEIL'D
DIRECTOR OF CENTRAL INTELLIGENCE DIRECTIVE1
Effective
TE1JSPHONE SYSTEMS and EQUIPMENT
I0PURPOSE
This Annex specifies the require menu and procedures for systcrnaiic.il iv iriccwporating Telephone Securiiy Group (TSG) approved telephone security measures into the planning, installation. maiiHcnance, and management ol telephone service for SCIFs within and outside Ihe United Stales.
EFINITIONS
DMINISTRATIVEelephone inlcndcd for Unclassified conversation This designauoo specifically excludes secure-soicc sysicms unless theyon-secure mode of operation
ISCONNECTevice lhal (I)reak at some point in tlie normal hardwire conduction path thai existselephone and ns telecommunications medium,nly when the telephonein lhe in-usc (off-hook) state,emporary metallic connection across lhal break
evice thai |l)reak al some point in lhe normal hardwire conduct ton path that existselephone and iu telecommunications medium,nly when the telephone is in lhe in-use (off-hook) stale,emporary comrnumcation channel across lhat break without establishing an end to end metallic connection
erminal is off-book when ns signaling protocol to us network conirollcr specifics that there is an Inieniionnitiate, accept, or mainlain communications wiih some oiher Icrminal.
ON-HOOK This condition refersetwork communications line and simulianeoush to all the terminals connected to thatcrminal is on-hook when it is not offhock, its signaling protocol io its network controller specifies thai there is no intentionnitiate, accept, or maintain communications wiih any other line or terminalelephone to bc considered on-hook. ihc handset must be in the handset cradle and all speakcrphonc and hands-free functions must be turned off.
TECHNICAL SURVEILLANCE COUNTERMEASURES (TSCM) Techniques and measures used to detect and nullify hostile pcnetralion technologies, which are used to obtain unauthorized access to sensitiveUM also includes the oV^elopmcnt and use of protective systems So detect and/or deter hostile penetration attempts and lhe hostile exploitation of naturally' occurring hazards
TSG The TSG (Telephone Security' Group) is the primary technical and policy
resource in ihe National Advisory' Groiip/Stjcurily Counienneasurcs (NAG/SCM) structure for all aspects of (he TSCM program thai involve telephones or telephone systems
TYPE-ACCEPTED TELEPJIONES These are specially configured telephone models that arc warranted by their manufacturers to incorporate specific TSG-mandated security measures On-hoc* telephone security protection is an intrinsic properly for TYPE-ACCEPTED TELEPHONES and Ihey may be installed uithoul ancillary isolation or disconnect devices. (See
UNATTENDED OFF-HOOK AUDIO SECURITY. Security measures intended to prevent the compromise of background comersations when the user temporarily leases the insirumeni off-hook (Sec
LO APPLICABILITY AND SCOPE
VI Administrative telephone system installations must include security measures that balance the vulnerabilities of the system against the technical threats of its environment
This Annex is compatible with bul may not satisfy roqwrements of other security
disciplines such as COMSEC. OPSEC. or TEMPEST.
The telephone security measures of this Annex apply to any telephone system thai provides serviceCIF.
This Annex does not apply if tbe SCIF isNo Classified Discussion Area" and warning notices are posted prominently within the SCIF.
EFERENCES
The below-llslcd TSG standards are available to all rnembers of ibe United States Intelligence Community from their respective cognizant security authorities (CSAs) Individual standards may be released to ncai-governmenl rxrrsonnel following CSA determination of the need. Any such release is to be accompaniedelter identifying the standard as an of official US Govcinincnt document that may not be disseminated fuilher without specific approval of the issuing agency.
tandard I. Introduction to Telephone Security. Provides telephone security background and TSG-approved options for telephone installations IS US Government sensitive discussion areas For use by all personnel concerned wilh telephone security.
tandardSG Guidelines for Computerized Telephone Systems Establishes requirements for planning. Installing, maintaining, andIS For personnel involved in writing contracts, planning, installing, maintaining, inspecting and system administration
3 Standardype-Accepted Program for Telephones Used Edith the Conventional Central Office Interface-rogram that outlines specifications for design and manufacture and procedures required for type-acceptance. For personnel involved in writing contracts, manufacturing, and inspecting.
G-2
tandardype-Acceptance Program for Elections Telephones Used in Computerized Telephone S) stemsrogram lhal outlines spec fkaJ torn for design and manufacture and procedures required for type-Acceptance. For personnel involved in wTrting contracts, manufacturing, and inspccling.
Standardii-Hook Telephone Audio Security Performance Speciftcatioivs
Specifies the amount of audio leakage allowed in the on-hook condition of telephones without disconnects For personnel involved in writing contracts, manufacturing, and inspecting telephones such as STD-IHs.
Standardelephone Security Group-Approved Equipment. Lists TSG-approved equipment For all personnel concerned wiih procurement and use of TSG-approved equipment
StandardSG Guidelines for Cellular Telephones PtovkIcs guidelines for ihc manufacture and use of secure and non-secure cellular telephones in US Government sensitive discussion areas For personnel irrvofved io writing contracts, nunufactunng. inspecting, maintaining, and using cellular telephones
Standardiciophonic Response Criteria for Non-Conimimications Devices Specifies the maximum audio response allowed for isolation devices and other non-communication equipment used in US Governmenl sensitive discussion areas For personnel involved in writing contracts, manufacturing, installing, and inspecting telephone-related equipment
StandardSG Approval Program for Secure Telephonea and Equipment Thai Connect io lhe Conventional Central Office Interface Specifies TSG requirements for secure telephones and equipment interfacing wiih ihc conventional central office For personnel involved in writing contracts, manufacturing, and inspecting TSG approved telephones.
ESPONSIBILITIES
SG: The TSG is responsible for evaluating vulnerabiliiics of telephone systems and identifying security counter measures
CSA The CSA is responsible for selecting, liepicincnling. and verifying secunty
measures lo balance lhe vulnerabilities of the telephone system against the technical threats of its environment This requires the CSA to:
ssist Special Security Officers (SSOs) and Contractor Special Security Officcri (CSSOs) in selecting lhe most cost effective counlermeasurcs
urrent set of TSG standards
rovide wriitcn waivers to any requirements of this Annex and TSG standards In granting waivers, (he CSA accepts full rcsponsibilily for the associated risks
equest technical surveillance countenncaiures (TSCM) inspections at conditions warrant to prevent the hiss or compromise of intelligence sources and methods, including sensitive companmcntcd information, through adversary use of technical surveillance
SOCSSO: Tbe SSOCSSO is responsible for requesting CSA approval for new telephone systems and niajor modilications to existing systems by:
necessary- documentation on new systems and any changessystems to the CSA for cvahration
the docurncnialionREQUIREMENTS
ACCESS CONTROL: Installation and maintenance personnel will possess the appropriate security clearance as determined by the CSA. Uncleared installation and maintenance personnel given access to the SCIF should be US ciii/ens and will be monitored by escorts.
CABIF. CONTROL
ll telcpJionc wire and fiber optic (fiber) conductor cables should enter the SCIFommon opening.
ach conductor should be accurately accounted for from the point of entry The accountability should identify* the precise use of every conductor through labeling, log, or journal entries.
nused conductors will be removed. If removal is not feasible, the CSA may require that metallic conductors be stripped, bound together, and grounded
nused fiber conductors will be uncoupled from the interface within the CLEF
N HOOK SECURITY;
Approved points of on-hook isolation may be provided by any of the following:
he telephone, disconnect, or isolator, if TSG approved Standardvailable from the CSA lists TSG-approved equipment and ordering information
6he iclcphonc switch, if il meets ihe requirements of Standard 2
ll communication fines between the telephone switch and the SCIF arc in controlled space and inspectabk by government or contractor security personnel and lechmcally qualified telephone personnel
o SCIF telephone or other devicepeaker can be forcedoftware command from the telephone switch or forced to remain "oA-hook"ser has tcrmirutcd the conversation
FF-HOOK SECURITY;
Unattended off-book security may be accomplished by one of the following:
old or mute feature that does not allow audio from the telephone
to leave the controlled area
push-to-opcrate handset will be required if an appropriate bold feature is
not available. (Sec
ESTRICTIONS.
owned equipment that can interlace with the Klephone system is
prohibited
are designed to pick up and transmil nearbythey arc in use Therefore, speakcrphones arc restrictedoffice areas where sensitive conversations mightinterceptccl Prior CSA approval is requiredin sole-use offices.
Answering Devices (TADs) may have features, remote room monitoring Prior CSArequired for TADs.
g-5
Original document.
Comment about this article, ask questions, or add new information about this topic: