PHYSICAL SECURITY STANDARDS FOR SENSITIVE COMPARTMENTED INFORMATION FACILITIES

Created: 1/30/1994

OCR scan of the original document, errors are possible

DIRECTOR

OF CENTRAL INTELLIGENCE1

PHYSICAL SECURITY STANDARDS FOR

SENSITIVE COMPARTMENTED INFORMATION FACILITIES (SCIF)

APPROVED 30 JANUARY 4

vfhujiiii

MI in mi

preface

hysical Security Standards for Sensitive CQmDartmenr.ftd Information Facilities (scifs) was approved by the Director of Central Intelligence (DCI) on

A complete copy of1 consists of the basic DCID andhrough G. The annexes are as follows:

- CIF checklist

larms

actical Operations/Field Training

round Operation

Partircraft/Airborne Operation

Parthipborne Operation

rohibited Items (approved

lectronic Equipment in SCIFs

Partisposal of Laser Toner Cartridges

coustical control and Sound Masking

Techniques (approved

ersonnel Access Controls (approved 30

elephone Security (to be issued)

Annexesre under review and revisions will be issued as approved by the DCI.

Corrections should be forwarded to:

Ccjnraunity Counterintelligence and Security Countermesures Office/Community Management Staff (CCISCMO/CMS)

Central Intellignece Agency, Washington, DC . Telephonic comments can be provided to CCISCMO-

74

1 Tabic of Contents

PREFACE

AND

Disabilities Act (ADA)

aculties

Security Preconstruction Review and

of

of Electronic Devices and Other

SECURITY CONSTRUCTION POLICY FOR

Policy for SCI

Secure Working Area

Common To All

4

ault Construction

Criteria For Permanent Dry Wall

Construction Criteria For^Steel

Construction Criteria For Expanded

approvedelease hate:1

DIRECTOR OF CENTRAL INTELLIGENCE DIRECTIVE" (DCID) 1

(Approved 30 January

1 . POLICY AND CONCEPT

Statement

Physical security standards are hereby established governing the construction and protection of facilities for storing, processing, and discussing sensitive Coapartmented information (SCI) which requires extraordinary securityompliance with this1 Implementing Manual {hereafter referred to as theis mandatory for all Sensitive Coim?artmented Information Facilities (SCIFs) established after the effective date of this manual, including those that make substantial renovations to existing SCIFs. Those SCIFs approved prior to the effective date of this Manual will not require modification to meet these standards.

The physical security safeguards set forth in this Manual are the standards for the protection of SCI. Senior Officials of the Intelligence Communityith DCI concurrence, may impose more stringent standards if they believe extraordinary conditions and circumstances warrant. SOICs may not delegate this authority. Additional cost resulting from more stringent standards should be borne by the requiring Agency, Department, or relevant contract.

In situations where conditions or unforeseen factors render full compliance to these standards unreasonable, the SOIC or designee may waive specific requirements in accordance with this Manual. However, this waiver must be in writing and specifically state what has been waived. The Cognizant Security Authority (CSA) must notify all co-utilizing agencies of any waivers it grants.

All SCIFs must be accredited by the SOIC or designee prior to conducting any SCI activities.

One person is now authorized toCIF. which eliminates the two-person rule (the staffingCIF with two or more persons in such proximity bo each other to deter unauthorized copying or removal of SCI).

design must balance threats and vulnerabilities

against appropriate security measures in order to reach an acceptable level of risk. Each security concept or plan must be submitted to the CSA for approval. Protection against surreptitious

arrHiMo.oflrmtflSf

DATE: IM TIM

entry, regardless of SCIF location, is always required. Security measures must be taken to deter technical surveillance of activities taking place within the SCIF. TEMPEST security measures must be considered if electronic processing of SCI is involved.

On military and civilian compounds, there may exist security controls such as identification checks, perimeter fences, police patrols, and other security measures. When considered together with the SCIF location and internal security systems, those controls may be sufficient to be used in lieu of certain physical security or construction requirements contained in this Manual.

Proper security planningCIF is intended to deny foreign intelligence services and other unauthorized personnel the opportunity for undetected entry into those facilities and exploitation of sensitive activities. Faulty security planning and equipment installation not only jeopardizes security but wastes money. Adding redundant security features causes extra expense which could be used on other needed features. When security features are neglected during initial construction, retrofitting of existing facilities to comply with security requirements is necessary.

1.3 American Disabilities Act (ADA) Review

othing in this manual shall be construed to contradict or inhibit compliance with the law or building codes. CSAs shall work to meet appropriate security needs according to the intent of this Manual at acceptable cost.

2 . GENERAL/ADMINISTRATIVE

2.1 SCI Facilities (SCXPb)

A SCIF is an accredited area, room, group of rooms, buildings, or installation where SCI may be stored, used, discussed, and/or electronically processed. SCIFs will be afforded personnel access control to preclude entry by unauthorized personnel. Non-SCI indoctrinated personnelCIF must be continuously escorted by an indoctrinated employee who is familiar with the security procedures of that SCIF. The physical security protectionCIF is intended to prevent as well as detect visual, acoustical, technical, and physical access by unauthorized persons. Physical security criteria are governed by whether the SCIF is in the United States or not, according to the following conditions: closed storage, open storage, continuous operations, secure working area.

2.2 Physical Security Preconstruction Review and Approval

CSAs shall review physical security preconstruction plans for SCIF construction, expansion or modification. All documentation

approve0 fob release date: nov70i0

pertaining to SCIF construction will be appropriately controlled and restrictedeed-to-know basis. The approval or disapprovalhysical security preconstruction plan shall beatter of record.

The requester shallixed Facility Checklist (FFC. Annex A) to the respective CSA for review and approval.

The Checklist submission shall include floor plans, diagrams of electrical, communications, heating, ventilation, air conditioning (HVAC) connections, security equipment layout (to include the location of intrusion detectiontc. All diagrams or drawings must be submitted on legible and reproducible media.

The CSA shall be responsible for providing construction advice and assistance and pre-approving SCIF construction or modification.

2.3 Accreditation

The CSA will ensure SClFs comply withhe CSA is authorized to inspect any SCIF, direct action to correct any deficient situation, and withdraw SCIF accreditation. The procedures for establishment and accreditation of SClFs are prescribed below:

The procedures for establishment and accreditation of SCIFs from conception through construction must be coordinated and approved by the SOIC or CSA.

SCI shall never be handled, processed, discussed, or stored in any facility otherroperly accredited SCIF unless written authorization is granted by the CSA.

An inspection of the SCIF shall be performed by the CSA or appointed representative prior to accreditation. Periodic re-inspections shall be based on threat, physical modifications, sensitivity of programs, and past security performance. Inspections may occur at any time, announced or unannounced. The completed fixed facility checklist will be reviewed during the inspection to ensure continued compliance. TSCM evaluations may be required at the discretion of the CSA, as conditions warrant. Inspection reports shall be retained within the SCIF and by the CSA. All SCIFs shall maintain on site, current copies of the following documents:

1 Fixed Facility Checklist

Accreditation authorization documents hysical, tempest, and AIS).

Inspection reports, including TSCM reports, for the entire period of SCIF accreditation.

IPPIIMO FOIWilli

procedures. SpecialSpecial security Officer (SSO/CSSO)Memoranda of Agreementmergency Action Plans, etc.

of any waivers granted by the CSA.

Authorized inspectors shall be admitted

CIF without delay or hindrance when inspection personnel are properly certified to have the appropriate level of security clearance and SCI indoctrination for the security level of the SCIF. Short notice or emergency conditions may warrant entry without regard to the normal SCir duty hours. Government owned equipment needed to conduct SCIF inspections will be admitted into SCIF without delay.

which are presently accredited,or in the approval process at the dateof this Manual shall not require modificationto these standards.

Facilities undergoing major modification may be required to comply entirely with the provisions of this Manual. Approval for such modifications shall be requested through the CSA and received prior to any modifications taking place within the SCIF.

In theeed arises toCIF after the accreditation has been terminated, the CSA may approve the usereviously accredited SCIF basedeview of an updated facility accreditation package.

of Accreditation:

Termination of Accreditation: when it has been determinedCIF is no longer required, withdrawal of accreditation action will be initiated by the SSO/CSSO. Upon notification, the CSA will issue appropriate SCI withdrawal correspondence. The CSA or appointed representative willlose out inspection of the facility to ensure that all SCI material has been removed.

Suspension or Revocation of Accreditation-When the CSA determines that thereanger of classified information being compromised or that security conditionsCIF are unsatisfactory, SCI accreditation will be suspended or revoked All appropriate authorities must be notified of such action immediately.

2.4 ist ion

desiring toCIF should accept

the current accreditation and any waivers. Any security enhancements required by an agency or department requesting co-

flFrAOWD FORRILEASE DATE:0

utilization should be funded by that organization, and must be approved by the SOIC with DCI concurrence prior too-utilization agreement must be established prior to occupancy.

Access Programs (SAP) co-located within a

SCIF will meet the physical security requirements of this Manual and DCI Special Access Programs (SAP) Policy, January

2.5 Personnel Controls

Access rosters listing all persons authorized access to the facility shall be maintained at the SCIF point of entry. Electronic systems, including coded security identification cards or badges may be used in lieu of security access rosters.

Visitor identification and control: Each SCIF shall have procedures for identification and control of visitors seeking access to the SCIF.

2.C Control of Combinations

to locks installed onperimeter doors, windows and any otherbe changed whenever:

combination lock is first installed or used;

combination has been subjected, or believed been subjected to compromise; and

other times when considered necessary by the CSA.

combinations to SCIF entrance doors shouldin another SCIF of equal or higher accreditation level.is not feasible, alternate arrangements will be madewith the CSA.

2.7 sot ry/Exit Inspections

The CSA shall prescribe procedures for inspecting persons, their property, and vehicles at the entry or exit points of SCIFs, or at other designated points of entry to the building, facility, or compound. The purpose of the inspection is to deter the unauthorized removal of classified material, and deter the introduction of prohibited items or contraband. This shall include determination of whether inspections are randomly conducted or mandatory for all. and whether they apply for visitors only or for the entire staff assigned. All personnel inspection procedures should be reviewed by the facility's legal counsel prior to promulgation.

APPROVED FOR RELEASE rJATE:HOV?OIO

2.8 Control of Electronic Device* end Other Items

The CSA shall ensure that procedures are instituted for control of electronic devices and other items introduced into or removed from the SCIF. Seeor guidance.

The prohibition against electronic equipment in SCIFs does not apply to those needed by the disabled or for medical or health reasons. motorized wheelchairs, hearing aids, heart pacemakers, amplified telephone headsets, teletypewriters for the hearingowever, the SSO or CSSO shall establish procedures for notification that such equipment is being entered into the SCIF.

Emergency and police personnel and their equipment, including devices carried by emergency medical personnel respondingedical crisisCIF, shall be admitted to the SCIF without regard to their security clearance status. Emergency personnel will be escorted to the degree practical. However, debriefing of emergency personnel will be accomplished as soon as possible, if appropriate.

Equipment for TEMPEST or Technical Surveillance countermeasures (TSCM) testing shall be admittedCIF as long as the personnel operating the equipment are certified to have the appropriate level of security clearance and SCI indoctrination.

3. PHYSICAL SHCORITY CONSTRUCTION POLICY FOR BCXFfl

3.1 Construction Policy for SCI Facilities

Physical security criteria is governed by whether the SCIF is located in the US or not, according to the following conditions: closed storage, open storage, continuous operations, secure working areas.

losed Storage

:

The SCIP must meet the specifications inPermanent Dry Wall Construction).

The SCIF must be alarmed in accordance witho this

SCI must be stored in GSA approved security

containers.

mustesponse force capableto an alarm withininutes after annunciation andresponse force available to assist the responding force.

UnVttQ FOB ntllASi MTLIOVIIM

bl. SS^%SSl

:

Construction) with prior

Annex'lar"edwith

Open Storage

by "the *csa,U >usci"ed(a) be alarmed in accordance with Annex B;

(c) meet one of the following:

may require any SCIF perimetoi? walls arr-cTr-Iff *

building ground "level to* meetuiv^

Expanded Metal) construction requirements; or

1 ontrolled building or compound ia on* to whichI

unwcortrf *ntry i. limited to .uthori.ed

1

Pa9e

MTLIOVfMI

CIFs which are not locatedontrolled building or compound may use specifications indicated inexpanded Metal) or (Vault) constructions requirements.

UTSIDE US; Open storage of SCI material will be avoided. When open storage is justified as mission essential, vault construction is preferred. The SCIF must:

<a) be alarmed in accordance with Annex B;

esponse force capable of responding to an alarminuteseserve response force available to assist the responding force.

have an adequate, tested plan to protect, evacuate, or destroy the material in the event of emergency or natural disaster; and

one of the following:

The construction specification for vaults set forth in Chapter 4 r

With the approval of the CSA, SCIFs locatedontrolled US government compound or equivalent having immediate response forces, may use expanded metal, steel plate, or GSA approved modular vaults in lieu of vault construction.

Operation

THE US:

The SCIF must meet the construction specifications as identified inPermanent Dry Walln alert system and duress alarm may be required by the CSA, based on operational and threat conditions.

Provisions should be made for storage of SCI in GSA approved containers. If the configuration of the material precludes this, there must be an adequate, tested plan to protect, evacuate, or destroy the material in the event of emergency, civil unrest or natural disaster.

There mustesponse force capable of responding to an alarminuteseserve response force available to assist the responding force.

THE US:

(a) The SCIF must meet the construction specifications for SCIFs as set forth inExpandedn alert system and duress alarm may be required by the CSA, based on operational and threat conditions.

The capability must exist for storage of all SCI in GSA-approved security containers, or the SCIF must have an adequate, tested plan to protect, evacuate, or destroy the material in the event of emergency or natural disaster.

SCIFs located within US Government controlled compounds, or equivalent, having immediate response forces, may use the secure area construction specifications as listed inPermanent Dry Wall Construction) with prior approval of the CSA.

There mustesponse force capable of responding to an alarminutes,eserve response force available to assist the responding force.

Working Areas are accredited facilities used

for handling, discussing, and/or processing SCI, but where SCI will not be stored.

INSIDE THE US:

la) The Secure Working Area SCIF must meet the specifications set forth in Chapter 4 (Permanent Dry Wall

Construction).

Secure Working Area SCIF must bea balanced magnetic switch on all perimeter entrance doors.

storage of SCI material is authorized.

mustesponse force capableto an alarm withininutes after annunciation, andresponse force available to assist the responding force.

OUTSIDE THE US:

The Secure Working Area SCIF must meet the construction specifications indicated inPermanent Drv Wall

The Secure Working Area SCIF must be equipped with an approved alarm system as set forth in Annex B.

storage of SCI material is authorized.

mustesponse force capableto an alarm withinvinutes,eserveavailable to assist the responding force.

3.2 Temporary Secure Working Area (TSWA)

Temporary Secure working area is defined as a

temporarily accredited facility that is used no more thanours monthly for the handling, discussion, and/or processing of SCI but where SCI should not be stored, with sufficient justification the

OPPHUVIO FOH RtltOSl

lAiLiovruo

CSA may approve longer periods of usage and storage of SCI forthan 6

the entire period the TSWA is in use,will be controlled and access limited to personsfor which the area has been approved. Approval forareas must be obtained from the CSA setting forthbuilding, location, purpose, and specificemployed during usage as well as during othershould be covered by an alarm system. These areas shouldused for periods exceeding an average total ofoursNo special construction is required other than to meetrequirements as set forth in Annex E,acility must also be used for the discussion of SCI,Surveillance Counter-measures (TSCM) evaluation mayat the discretion of the CSA, as conditions warrant.

not in use at the SCI level, the TSWA will be:

Secured with a keylock or a combination lock approved by the CSA.

Access will be limited to personnelS Secret clearance.

acility is not alarmed orduring periods ofSCM inspection mayprior to use for discussion at the SCI level.

3.3 Requirements Common To All SCIFs, Within The US and Overseas

CONSTRUCTION: The SCIF perimeter walls, floors and ceiling, will be permanently constructed and attached to each other. All construction must be done inanner as to provide visual evidence of unauthorized penetration.

SOUND ATTENUATION: The SCIF perimeter walls, doors, windows, floors and ceiling, including all openings, shall provide sufficient sound attenuation to preclude inadvertent disclosure of conversation. The requirements for sound attenuation are contained within Annex E.

EXIT, AND ACCESS DOORS:

rimary entrance doors to SCIFs shall be limited to one. it circumstances require more than one entrance door, this must be approved by the CSA. In some circumstances, an emergency exit door may be required. In cases where local fire regulations are more stringent, they will be complied with. All perimeter SCIF doors must be closed when not in use. with the exception of emergency circumstances.oor must be left open for any length of time due to an emergency or other reasons, then it must be controlled in order to prevent unauthorized removal of SCI.

vpinuraiiuiuf

IAILMV1IM

All SCIF perimeter doors must be plumbed in their frames and the frame firmly affixed to the surrounding wall. Door frames must be of sufficient strength to preclude distortion that could cause improper alignment of door alarm sensors, improper door closure or degradation of audio security.

All SCIF primary entrance doors must be equipped with an automatic doorSA-approved combination lock and an access control device with the following requirements:1

U) If doors are equipped with hinge pins located on the exterior side of the door where it opens into an uncontrolled area outside the SCIF, the hinges will be treated to prevent removal of the door. welded, set screws, etc.)

(b)CIF entrance door is not used as an access control door and stands open in an uncontrolled area, the combination lock will be protected against unauthorized access/tampering.

Control doors: The useault door for controlling daytime accessacility is not authorized. Such use will eventually weaken the locking mechanism, cause malfunctioning of the emergency escape device, andecurity and safety hazard. To precludeecond door will be installed and equipped with an automatic door closer and an access control device. (It Is preferable that the access door be installed external to the vault door.)

SCIF emergency exit doors shall be constructed of material equivalent in strength and density to the main entrance door. The door will be secured with deadlocking panic hardware on the inside and have no exterior hardware. SCIF perimeter emergency exit doors should be equippedocal annunciator in order to alert people working in the area that someone exited the facility due to some type of emergency condition.

Door Construction Types: Selections of entrance and emergency exit doors shall be consistent with SCIF perimeter wall construction. Specifications of doors, combination locks, access control devices and other related hardware may be obtained from the CSA. Some acceptable types of doors are:

Solid wood coreinimumnches

Sixteen gauge metal cladding over wood or compositioninimumnches thick. The metal

2 This requirementot apply to th* CSA Approved.sult doors.

SPPHOUED FOHfllLUSE DATE:0

cladding shall be continuous and cover the entire front and back surface of the door.

Metal fire or acoustical protectioninimumnchesoreign manufactured equivalent may be used if approved by the CSA.

A joined metal rolling door, minimum ofauge, usedoading dock or garage structure must be approvedase-by-case basis.

PROTECTION OF VENTS, DUCTS, AND PIPES:

All vents, ducts, and similar openings in excess ofquare inches that enter or passCIF must be protected with either bars,or grills, or commercial metal duct sound baffles that meet appropriate sound attenuation class as specified in Annex E. Within the United States, bars or grills are not required if an IDS is used. If one dimension of the duct measures less than six inches, or duct is less thanquare inches, bars are not required; however, all ducts must be treated to provide sufficient sound attenuation. If bars are used, they mustnch diameter steel welded vertically and horizontallynches on center; if grills are used, they must beauge expanded steel; if commercial sound baffles are used, the baffles or wave forms must be metal permanently installed and no farther apart thannches in oneeviationnch in vertical and/or horizontal spacing is permissible.

Based on the TEMPEST accreditation, it may be required that all vents, ducts, and pipes muston-conductive sectioniece of dissimilaranvas, rubber) which is unable to carry electric current, installed at the interior perimeter of the SCIF.

An access port to allow visual inspection of the protection in the vent or duct should be installed inside the secure perimeter of the SCIF. if the inspection port must be installed outside the perimeter of the SCIF. it must be locked..

All windows which might reasonably afford visual surveillance of personnel, documents, materials, or activities within the facility, shall be made opaque or equipped with blinds, drapes or other -coverings to preclude such visual'

Windows at groundill be constructed from or covered with materials which will provide protection from

This shouldinterpreted to Man any windows which ars lass thaneet above the ground steasured froa tha bottoai of tha window, or are easily

IPPIOVUfOIIKlEASI

mil in iih

forced entry. The protection provided to the windows need be no stronger than the strength of the contiguous walls. SCIFs located within fenced and guarded government compounds or equivalent may eliminate this requirement if the windows are made inoperable by either permanently sealing them or equipping them on the insideocking mechanism.

All perimeter windows at ground level shall be covered by an IDS.

4 . CONSTRUCTION SPECIFICATIONS

4.1 Vault Construction Criteria

Reinforced Concrete Construction: Walls, floor, and ceiling willinimum thickness of eight inches of reinforced concrete. The concrete mixture willomprehensive strength rating of atsi. Reinforcing will be accomplished with steel reinforcinginimumnches in diameter, positioned centralized in the concrete pour and spaced horizontally and vertically six inches on center; rods will be tied or welded at the intersections. The reinforcing is to be anchored into the ceiling and floorinimum depth of one-half the thickness of the adjoining member.

GSA-approved modular vaults meeting Pederal Specificationay be used in lieu. above.

Steel-lined Construction: Where unique structural circumstances do not permit constructiononcrete vault, construction will be of steel alloy-type" thick, having characteristics of high yield and tensile strength. The metal plates are to be continuously welded to load-bearing steel membershickness equal to that of the plates. If the load-bearing steel members are being placedontinuous floor and ceiling of reinforced concrete, they must be firmly affixedepth of one-half the thickness of the floor and ceiling. If the floor and/or ceiling construction is less than six inches of reinforcedteel liner is to be constructed the same as the walls to form the floor and ceiling of the vault. Seams where the steel plates meet horizontally and vertically are to be continuously welded together.

All vaults shall be equippedSA-approvedrault door, within theault door is acceptable. Normally within ^he Unitedault will have only one door that serves as both entrance and exit from the SCIF in order to reduce costs.

accessible by swans of objects directly beneath the windows,electrical transformer, air conditioning units, vegetation, or landscaping which can easily be climbed, etc.).

4.2 SCIF Criteria For Permanent Dry Hall Construction

Walls, floor and ceiling will be permanently constructed and attached to each other. To provide visual evidence of attempted entry, all construction, to include above the false ceiling andaised floor, must be done inanner as to provide visual evidence of unauthorized penetration.

Construction Criteria For Steel Plate

Walls, ceiling and floors are to be reinforced on the inside with steel plate not less* thick. The plates at all vertical joints are to be affixed to vertical steel membershickness not less than that of the plates. The vertical plates will be spot welded to the vertical members byne inch long weld everynches; meeting of the plates in the horizontal plane will be continuously welded. Floor and ceiling reinforcements must be securely affixed to the walls with steel angles welded or bolted in place.

Construction Criteria For Expanded Metal

Walls are to be reinforced, slab to slab,auge expanded metal. The expanded metal will be spot weldednches to vertical and horizontal metal supportsgauge or greater thickness that has been solidly and permanently attached to the true floor and true ceiling.

The use of materials having thickness or diameters larger than those specified above is permissible. The terras 'anchored to and/or embedded into the floor and ceiling- may apply to the affixing of supporting members and reinforcing to true slab or the most solid surfaces; however, subfloors and false ceiling are not to be used for this purpose.

DIRECTOR OF CENTRAL INTELLIGENCE DIRECTIVE (DCID) 1

GLOSSARY

Access Control System:

A system to identify and/or admit personnel with properly authorized accessCIF using physical, electronic, and/or human controls.

Accreditation:

The formal approvalpecific place, referred toensitive Compartmented Informationhat meets prescribed physical, technical, and personnel security standards.

Acoustic Security:

Those security measures designed and used to deny aural access to classified information.

Astragal Strip:

A narrow strip of material applied over the gapair of doors for protection from unauthorized entry and sound attenuation.

Authorized Personnel:

A person who is fully cleared and indoctrinated for SCI,alid need to know, and has been granted access to the SCIF.

Balanced Magnetic Switch (BMS)i

A type of IDS sensor which may be installed on any rigid, operable opening. doors, windows) through which access may be gained to the SCIF.

Break-Wire Detectori

An IDS sensor used with screens and grids, open wiring, and grooved stripping in various arrays and configurations necessary to detect surreptitious and forcible penetrations of movable openings, floors, walls, ceilings, and skylights. An alarm is activated when the wire is broken.

Closed Storage:

The storage of SCI material in properly secured GSA approved security containers within an accredited SCIF.

Computerised Telephone System (CTS):

Also referred toybrid key system, business communication system, or office communications system.

Cognizant Security Authority (CSA):

The single principal designatedOIC (see definition of SOIC) to serve as the responsible official for all aspects of security program management with respect to the protectionintelligence sources and methods, under SOIC responsibility.

cantinuous Operation:

This condition existsCIF is staffedours every

day

Controlled Area/Compound:

Any area to which entry is subject to restrictions or control for security reasons.

Controlled Building:

A buildings to which entry is subject to restrictions or control for security reasons.

Co-Utilisationi

Two or more organizations sharing the same SCIF.

Dead Bolt i

a lock bolt with no spring action. Activatedey or turn knob and cannot be moved by end pressure.

Deadlocking Panic Hardware:

a panic hardwareeadlocking latch thatevice when in the closed position resists the latch from being retracted.

Decibel {db) t

A unit of sound measurement.

Document:

Any recorded information regardless of its physical form or characteristics, including, without limitation, written or printed matter, data processing cards and tapes, maps, charts, paintings, drawings, photos, engravings, sketches, working notes and papers, reproductions of such things by any means or process, and sound, voice, magnetic or electronic recordings in any form.

Dual Technology!

PIR, microwave or ultrasonic IDS sensors which combine the features of more than one volumetric technology.

Expanded StealI

Also called expanded METALace work patterned material produced from sheet steel by making regular uniform cuts and then pulling it apart with uniform pressure.

Guard:

A properly trained and equipped individual whose duties include the protectionCIF. Guards whose duties require direct accessCIF, or patrolGIF, must meet the clearance criteria in Director of Central IntelligenceSA will determine if indoctrination is required.

intelligence Community (and agenciea witbln the Intelligence Community)t

Refers to the United States Government agencies and organizations identified in)hroughf Executive.

Intrusion Detection System:

A security alarm system to detect unauthorized entry.

Isolator!

A device or assembly of devices which isolates orelephone or Computerized Telephone System (CTS) from all wires which exit the SCIF and which as been accepted as effective for security purposes by the Telephone Security Group (TSG approved).

Key Service Unit (KSU)i

An electromechanical switching device which controls routing and operation of an analog telephone system.

Line Supervision:

Class X:

ine security is achieved through the use of DES or an algorithm based on the cypher feedback or cypher block chaining mode of encryption. Certification by NIST or another independent testing laboratory is required.

Class XX:

Class II line supervision refers to systems in which the transmission is based on pseudo random generated or digital encoding using an interrogation and response scheme throughout the entire communication, or UL Class AA line supervision. The signal shall not repeat itselfinimum six month period, Class II security shall be impervious to compromise using resistance, voltage, current, or signal substitution techniques.

Motion Detection Sensor:

An alarm sensor that detects movement.

Non-Conductive Section:

Material. canvas, rubber,hich is installed in ducts, vents, or pipes, and is unable to carry audio or rf emanations.

Non-Discueaion Area:

A clearly defined areaCIF where classified discussions are not authorized due to inadequate sound attenuation.

Open Storage:

The storage of SCI materialCIF in any configuration other than within GSA approved security containers.

Response Force: Personnel (not including those on fixed security posts) appropriately equipped and trained, whose duties include

flrrrlOVlD FOR RELfASf Dili0

initial or follow up responsa to situations which threaten the security of the SCIF. This includes local law enforcement support or other external forces as noted in agreements.

Secure Working Area:

An accredited SCIF used for handling, discussing and/or processing of SCI, but where SCI will not be stored.

Senior Official of tha Intelligence Community (SOIC)i

The head of an agency, office, bureau, or intelligence element identified in) hroughf Executive.

Sensitive Coapartmeated information I)t

SCI is classified information concerning or derived from intelligence sources, methods or analytical processes, which is required to be handled exclusively within formal control systems established by the Director of Central Intelligence.

Sensitive Compartmanted Information Facility lF)i

An accredited area, room, group of rooms, building, or installation where SCI may be stored, used, discussed and/or electronically process.

Sound Group I

Voice transmission attenuation groups established to satisfy acoustical requirements. Ratings measured in sound transmission class may be found in the Architectural Graphic Standards.

Sound Transmission Claas (STC)t

The rating used in architectural considerations of sound transmission loss such as those involving walls, ceilings, and/or floors.

Special Access Program (SAP)i

Any approved program which imposes need-to-know or access controls beyond those normally required for access to CONFIDENTIAL, SECRET or TOP SECRET information.

Surreptitious Sntryi

Unauthorized entryanner which leaves no readily discernible evidence.

Tactical SCIFi

An accredited area used for actual or simulated war operationspecified period of time.

Technical Surveillance Coantermeasuree (TSCM) Surveys and Evaluations!

A physical, electronic, and visual examination to detect technical surveillance devices, technical security hazards, and attempts at clandestine penetration.

flrrRMOFQBFillUttl HTLIOVIIII

Type Accepted Telephone!

Any telephone whose design and construction conforms with the design standards for Telephone Security Group approved telephone sets. (TSGr iS).

Vault!

A room(s) used for the storing, handling, discussing, and/or processing of SCI and constructed to afford maximum protection against unauthorized entry.

Waiver:

An exemptionpecific requirement of this document.

DIRECTOR OF CENTRAL INTELLIGENCE DIRECTIVE (DCID) 1

ANNEX Approved 27 Kay

8CXP accreditation checklist

Tafal.fiContents

Section A

Section BSecurity3

Section C

5

Section EDetection . 6

Section FTelephone

Section GProtection. 9

Section HSecurity 10

Attachments

DATE

FIXED FACILITY CHECKLIST

[ 1 PRECCttSTRUCTION ( | NEW ( ] MODIFIED FACILITY Section A -- inform*tIon 1. SCIF Datii

Orvenixatloo/Ccespeny Huhi

CCIF Identification Number (if applicable).

Organization eubordinat* to (Xf applicable)i

Contract Mnbtr t.

CSA

Project Headquarter Security Office (if applicable)!

2 . SCIF Locationi

Street Addreaai

ooa<e> Moi

Cod*:

Heaponaibl* Security Pereonneli

Telephone:

DSN Telephone:

Secure Telephonei Type:

No: (specify both classified and unclaaaifled)

fLIASII0

4. Accreditation Data:

of SCI Requested:

Indicate the storage required: Open Storage Closed

Storage Continuous Operation Socure Working Area

Temporary Secure Working Area

Accreditation Information (If applicable):

(1) Category of SCIi

(2) Accreditation granted by:

TEMPEST Accreditation (ifccreditation

If Automated Information Systems (AXSs) are used, hasbeen granted? NO

Accredltalon granted by:on _

*. SAP co-located within SCIP?

(If Yes, Classification!end provide copy ofAgreement for SAP operation in SCIF.)

Hoursitohours,days per week.

Total square feet SCIF occupies!

Is construction or modification complete?

YES NO (If NO, expected date of completion

)

TSCM Service completed by

(Attach copy of report)

Were deficiencies corrected? NA (If

NO, explaim

b. Last Physical Security Inspection by

_ (Attach copy of report)

Were deficiencies corrected? YES O NA (If

NO, explain:

Last Securlty/Asslstance Visit by

7. REMARKS i

Section b Peripheral Security

exterior security;

Fence:

Alarm i

lightingi

(CCTV)i

C. Otheri

type:

Access Controls:

Continuous! YESNO

It NO, during what hours?

Jaotlon c -- SCX* Security

11. Bow Is access to the SCXP controlled?

Ouard Force:YES NO Security Clearance

Assigned Personnel:YES NO

C. By Access Control Device:YES NO

If yes. No

FOI RELEASE

12. Does th* SCIP have window.? YES HO

a. How ar*coustically protected? (IC applicable)

b. How ar* they secured agalnat opening?

c. Hon* are they protected against visual surveillance?

11. Do ventilation ducts penetrate tbe SCIF perimeter? YES NO

a. ber and sis* (Indicate on floor plan) i

b. If overquare inches, type of protection ueedi

(1) XDSiNO (Describe in Section E)

(2) Sera/Grille/Hetal BeffleeiYESNO

xplalnt

O. Metal Duct Sound Baffleei Are ducts equipped withi

Hetal Baffle*i YES NO

Nola* Generatori NO

Non-Conductive Joints YES NO

Inspection Porte i NO

If YES, are they within the SCIF? If

they ax* located outaid* of th* SCIF, how ar*ecured?

d. If TEMPEST accreditation authority requireei areenetrating th* SCIF equipped with non-conductive unionspoint they breach the SCIF perimeter? NO

Are they provided acoustical protection? (ifYES NO

14. Constructiooi

a. Perisketer walls:

(1) hlcknessi

(2) Do th* walls extend frost the true floor to the YES NO

b. True celling (Material and thickness) i

wriwuFOiruiiui

exiling? YES NO If yea:

(I) Type of calling material:

(21 Distance between false and true ceilingi

floor (material and thickness)i

a. False Floor? NO If yes:

Distance between false and true floor:

15. Remarks:

section D Doors

16. Describe SCIF Primary Entrance Door (Indicate on floor plan):

Is an automatic door closer installed? YES NO If NO,

explalni

17. Describe number and type of doors used for SCIF emergency exits anddoors (Indicate on floor plan)t

Is an automatic door closer NO If NO,

18. Describe how the door hinges exterior to the SCIF axe "secured(if in an uncontrolled area)t

19. Locking devices:

a. Perimeter SCIF Entrance Door:

(1) List manufacturer, model number and Group rating:

(2} Does- entrance door stand open into an uncontrolledYES NO If YES, describe tamper protection:

Emergency Exits and Other Perimeter Doors:

Describe (locks, metal strip/bar, deadbolts, panic hardware):

Where are the door lock combinations tiled?

20. Remarks:

S Intrusion Detection Systems

manufacturer atid svxlel in response to following Method of Interior Motion Detection Protection:

a. AccessableAreas?

b. Hotion Detection Sensors (Indicate on floor Plan):

Tamper protection: YES MO

Other. CCTV, etc.)i

22. Door and Window Protection (Indicate on floor Balanced Magnetic Switch (BUS) on door?:

Tamper protection: YES NO

b. If SCIF has ground floor windows, how axe they protected?

c. other. CCTV, etc..)

23. Method of ventilation and duct work protection:

24. Space above false ceiling (only outside the United States, if required):

Motion Detection Sensors:

Tamper protection: YES NO

b. Other. CCTV):

below false floor (only outside the united States,

Detection Sensors:

Tamper protection: YES O

. CCTV):

transmission line security protection:

line supervision (Manufacture and Model)

If electronic line supervision, class of service: . , X XX

emergency power available for the IDS? YES NO

TYPE: Battery Emergency Generator Other

Where is the IDS control unit for the SCIF located (Indicated on floor plan)?

Where is the IDS Alarm annunciator panel located (Indicate on floor plan. Address)?

IDS Response Personnel: Describe!

Force Security Cleared: YES

Leveli

Procedures documented? YES NO

Force available? YES NO

time required for alarm condition:

m. Are response procedures tested and recordsYES

If no, explain:

31. Is the IDS tested and records maintained? YES NO

If no, explain:

32. Remarka:

OKCTIOM F - Mi-IHISTRATIVE TILXVBOHE 8ECURITT

13. Hathod of-cn-hook security provided:

a. omputerised Telephone System <CTS) ? TES NO

11] Manu facturer/Nod*li

Location of tha CTSi

Do tha CTS Inatallara and programmere bava aaourlty_

It yes, at what access level (minimus) aatabllehad by

_

If no. are escorts

the CTS Installed as per TSG-2,

If no. provide stake and model number of telephone equipment, explain your configuration, andine drawing?

Ia access to the facility housing tha switch controlled?YES NO

Are ell lines between the SCIF and th* switch in ontrolled spaces? ES NO

the CTS us* remote maintenance and diagnosticother remote accaia features? YES NO

If yes, explain those prof-urtu

approved telephone.?

TSO

Ringer Protection (if required))

approved disconnect devices?

(1) Manufacturer/Model!

AfPimOFOIHlliASl UTLlMIlM

34. Methods ofook security provided:

a. Xaold or mute feature? YES HO

yes. which featureand Is it provided by the:

CTS7 or Telephone

no, are approved puah-to-operated handsets provided?

YES Describe i

Automatic telephone call answeringi

a. Is there an automatic call answering service for the telephonesSCIP? YES NO

ea, provide make and model number of tbe equipment, explain the configuration, andine drawing.

flection a -- Acoustical Protection

40. Do all areas of the SCIF meet acoustical requirements? Yes No

If no, describe additional measures taken to provideprotection. door, windows, etc)

41. Is the SCIF equippedublic address,or music system? Yes No

If yes, describe and explain how protected?

42. If any intercommunication system that ie not part of thels used, describe and explain how

43. Remarks:

ftFFRMDKJlnllUSI DATE:HDV?ail

Section h Adaloletrstive Security

45. Destruction Methods:

Describe method used for destruction of

i

Model:

b. Describe location of destruction sits(s) in relation to the

e. Have provisions been made for the emergency destructionprogram material? (If required)TBS HO

If TBS, has the emergency destruction equipment and planwith the CSA? YES HO

46. If reproduction of classified/sensitive material taxes place outside the SCIF, describe equipment and security procedures used to reproduce documents:

47. Remarks:

APPROVED FOR RELEASE DAtEiNQVZBIO

DIRECTOR OF CENTRAL INTELLIGENCE .DIRECTIVE (DCID) 1

ANNEX Approved 37 Kay

INTRUSION DETECTION SYSTEMS

ets torch the requirements and establishes the standards for Intrusion detection systems for all SCIFs throughout government and for government-sponsored contractor facilities, compliance with these standards is mandatory for all facilities established after the effective date of this annex, including any major renovation of existing facilities insofar as the renovation will permit reasonable and practical upgrading, as determined by the Cognizant Security Authority (CSA).

OHCBPT

An Intrusion Detection System (IDS) must detect an attempted or actual human entry into the protected area. An IDS complements other physical security measures and consists of three essential components:

Intrusion Detection Equipment (IDE).

Security and response force personnel.

Operation procedures.

2.0 OPERATION

components operateystem withphases:

Detection.

Reporting.

Assessment.

Response.

.>

elements are equally important, and noneeliminated if an IDS is to provide an acceptable degree

Detection: The detection phase begins as soonetector or sensor reacts to stimuli it is designed to detect. The sensor alarm condition is then transmitted over cabling located within the protected 'area to the Premise Control Unit (PCU). The PCU may service many sensors. The

PCU and the sensors it serveszone" at the monitor station- This shall be used as the definition of an alarmed zone for purposes of this document.

The PCU receives signalssensorsrotected area andommunication scheme. Another signal isthe communication for supervision to prevent compromisecommunications scheme. This supervised signalto disguise the information and protect thetampering or injection of false information-by The supervised signal is sent by the PCU vialink to the monitor station. Insideedicated panel or centralinformation from the PCU signals. Whenan annunciator generates an audible and visiblesecurity personnel. Alarms result normallytampering, component failure, or system

Assessment: The assessment period is the first phase that requires human interaction. When alarm conditions occur, the operator assesses the situation and dispatches the response force.

Response: The response phase begins as soon as the operator assesses an alarm condition. esponse force must immediately respond to all alarms. The response phase must also determine the precise nature of the alarm and take all measures necessary to safeguard the SCIF.

EQUIREMENTS

As determined by the CSA, all areasCIF that reasonably afford access to the SCIF, or where SCI is stored, shall be protected by an IDS unless continually occupied.

Acceptability of Equipment: All IDE mustisted (or equivalent as defined by the CSA) and approved by the CSA. Government and proprietary installed, maintained, or furnished systems are subject to approval only by the CSA.

Approval Procedures: Vendors mayIDE requests eitherpecialSpecial Security Officer (SSO/CSSO)to the CSA. Vendors shouldLinstallation and servicenddirectly to the SSO/CSSO or CSA for acceptance. justification, the CSA may waive thiswaivers must be documented. All requests fordescribe the IDE fully and include theisted independent laboratory. Anevaluates the manufacturer's compliancespecifications. equest for acceptance of line

supervision using Data Encryption Standard (DES) must also include validation from the National Institute of Standards and Technology (NIST) or another independent testing laboratory recognized by the CSA. The description must identify the manufacturer and model of equipment and show how the IDE meets CSA and/or ul standards.

3.4 Preinstallation Approval of IDS: The CSA will approve'a proposed IDS before its installationCIF as part of the Initial SCIF construction approval process. roposal for an IDS will be examined for the type and employment of accepted equipment. An IDS proposal will be submitted as partreconstruction approval process.

Equipment:

Transmission Line Security: When the transmission line leaves the SCIF and traverses an uncontrolled area.r Class II CSA accepted line security shall be used.

Class I: ine security is achieved through the use of DES or an algorithm based on the cipher feedback or cipher block chaining mode of encryption. Certification by NIST or another independent testing laboratory is required. The certificate must be retained by the CSA for the duration of operation of the SCIF.

Class II: class II line supervision refers to systems in which the transmission is based on pseudo-random generated tones or digital encoding using an interrogation and response scheme throughout the entire communication, or UL class AA line supervision. The signal shall not repeat itselfinimum six-month period. Class II security shall be Impervious to compromise using resistance, voltage, current, or signal substitution techniques.

Internal Cabling: The cabling between the sensors and the PCU should be dedicated to IDE and must comply with national and local code standards. If applicable, the cabling must be installed in accordance with TEMPEST and COMSEC requirements.

Restrictions on Integration ol Access Controls into SCIF IDSs: If-an access control system is integrated into an IDS, reports from the access control system should be subordinate in priority to reports from intrusion alarms.

Maintenance Mode: when an alarm zone is placed in the maintenance mode, this condition will be signaled automatically to the monitor station. This signal must appear as an alarm or maintenance message at the monitor

APPROVED FOR RIIEASE MTLinilll

station, and the IDS shall not be securable while in the maintenance mode. However, the alarm or message must continue visibly at the monitor station throughout the period of maintenance. tandard operating procedure (SOP) must be established to address appropriate actions when maintenance access is indicated at the panel. All maintenance periods will be archived in the system. The CSA may require that the maintenance Personal Identification Number (PIN) be established and controlled by the customer. The IDC will not contain any capability for remote diagnostics, maintenance, or programming, except for an alarm remote test feature at the monitor station. elf-test feature will be limited to one second per occurrence.

of Shunting orShunting or masking of any internal zonemust be appropriately logged or recorded in archive.

A shunted or masked internal zone or sensor must be displayed as such at the monitor station throughout tbe period the condition exists whenever thereurvey of zones or sensors.

Alarms Indications: Indications of alarm status shall be revealed at the monitoring station and optionally within the confines of the SCIF.

Power Supplies: Primary power for all IDE will be commercial AC or DC power. In the event of commercial power failure at the protected area or monitor station, the equipment will change power sources without causing an alarm indication.

Emergency Power: Emergency power must comply with. Emergency power may consist of battery and/or generator power. When batteries are used.for emergency power, they will be maintained at full charge by automatic charging circuits. Theeriodic maintenance schedule shall be followed and results documented.

Power Source and Failure Indication: An illuminated indication will exist at the PCU of the power source in use (AC or DC). Equipment at the monitor station will indicate visibly andailure in powerhange in power source, and the location of the failure or change.

Protection: All IDE withinwith removable covers will be equipped with The tamper detection will bewhether the IDS is in the access or secureoperation.

Prohibition Against Fortuitous Conduction via IDE: No IDE will be employed that allows audio and intelligence-bearing signals to pass out of the SCIF inorm.

Safeguarding IDE:

n areas outside the United States. IDE must' remain solely under US control, or as otherwise authorized by the CSA.

ey variables and operational passwords will be safeguarded, disseminated, and controlled as determined by the CSA.

nstallation:

Independent Equipment: All SCIFs will have intrusion detection equipment and zones independent from other protected sites. When many alarmed areas are protected by one monitor station, audible and visible annunciations for SCIF zones must be clearly distinguishable from other annunciations. All sensors protecting the SCIF will be installed within the SCIF.

Access/Secure Switch and PCU: No capability will exist to allow changing the access status of the IDSocation outside the SCIF unless performedroperly accessed individual. All PCUs must be located inside the SCIF and should be located near the SCIF entrance. SCIF personnel must initiate all changes in access and secure status. Operation of the PCU will be restricted by useevice or procedure that verifies authorized use. In the secure mode, any unauthorized entry into the SCIF shall cause an alarm to be transmitted immediately to the monitor station.

Motion Detection Protection: All areas of the SCIF that reasonably afford access to the SCIF or where SCI is stored shall be protected with motion detectionltrasonic, passive infrared, etc. Use of dual technology is authorized when one technology transmits an alarm condition independently from the otherailed detector will cause an immediate and continuous alarm condition. Detection equipment must be installed in compliance with

Accessible Areas: Within the United States, alarms are not required above the false ceiling or below the false floor. Outside the United States, such alarms may be required by the CSA.

Protection of SCIF Perimeter Doors: Each SCIF perimeter door will be protectedalanced magnetic

APPROVED FOR RELEASEI0

switch (bms) that meets the minimum standards of. The bms must be installed inanner that an alarm signal will initiate before the nonhinged side of the door opens beyond the thickness of the door from the seated position. Emergency exit doors equipped with integrated life safety hardware may have the life safety alarm component integrated into the SCIF IDS as an additional detector. Emergency exit doors will be monitoreday to provide quick identification and response to the appropriate door when there is an alarm indication.

. b Windows: All readily accessible windows1 will be protected by an IDS, either independently or by the motion detection sensors in the room, as determined by the CSA.

IDE Installation criteria: All IDE will be installedanner to prevent access or removalocation external to the SCIF and in compliance withor "installation of Burglar Alarm Equipment."

IDS Requirements for Continuous Operations Facilities: CIF accredited for continuous operations may not require an IDS as determined by the CSA. This type of SCIF will be equipped with an alerting system if the occupants cannot observe all potential entrances into the SCIF. The system alerts occupants to an intrusion into the SCIF. An alert system will consist of BMSs or other appropriate sensors. None of the IDE or cabling associated with the alert system will extend beyond the perimeter of the SCIF.

False/Nuisance Alarm: Any alarm signal transmitted in the absenceetected intrusionalse alarm. alse alarmuisance alarm when the effects of environment, equipment malfunction, operator failure, animals, electrical disturbances, and known effects cause the alarm indication. All alarms shall be investigated and the results documented. The maintenance program for the IDS shall ensure that incidents of false/nuisance alarms will not exceed oneeriod ofays per zone. '

3.7 Personnel:

IDE Installation and Maintenance Personnel: Alarm installation and maintenance will be accomplished by US citizens who have been subjectedrustworthiness determinationAC with no clearance to

^Thls should be Interpreted to mean any windows which are less thaneet above the ground measured treat the bottom of the window, or are easily accessible by means of objects directly beneath the windows,. electrical transformer, air conditioning units, vegetation, or landscaping which can easily be climbed, etc.).

VrimO FOI RIUAS( DATLHOVZ0I0

be issued). Use of foreign nationals or other personnel for this purpose must have prior CSA. approval.

Monitor Station Staffing: The monitor station will be supervised continuously by US citizens who have been subjectedrustworthiness determinationAC with no clearance to be issued). Use of foreign nationals or other personnel for this purpose must have prior CSA approval. The duties of the monitoring operator will be documented and will entail observing monitor panels for reports of alarms and changes in IDE status, making accurate assessments of these reports, and dispatching the response force or notifying the appropriate authority in the event of an intrusion alarm. The operator will have no duties that interfere with the primary functions of monitoring alarms and dispatching the response force. ocumented chain of authority will exist for use by security personnel during unusual situations. The operator will be trained sufficiently in the operation and theory of the IDE to properly interpret all incidents generated by the IDE. This training must also include all actions to be taken on receipt of an alarm activation.

3.1 Procedures:

Testing: SCIF IDS sensors will bo tested semiannually. ecord of IDE testing will be maintained at the SCIF that reflects: testing date, individuals who performed the test, specific ecnjipment tested, malfunctions, and corrective actions taken. Tests of the response force will be conducted semiannually. ecord of response force testing will be maintained.

Safeguarding IDS Plans: Details of installed IDS shall be controlled and restrictedeed-to-know basis.

peratingritten support agreement must be established for external monitoring and/or response.

Monitoring Station: Where there is an operations security concern, the alarm monitoring panel shall be designed to prevent observation by unauthorized persons.

Alarm Condition Response: Every alarm condition will be treated initiallyetected intrusion until resolved by the response force. The response force will investigate the source of an alarm and will notify SCIF personnel. The response force will take appropriate steps to safeguard the SCIF and prevent the escape of an intruder from the SCIF as permitted by SOP, local law enforcement, and circumstances until properly relieved. Response time to an alarm will not exceed:

Open Storageminutes

Closed Storageminutes

Catastrophic Failure: If the IDE suffers catastrophic failure, or loses primary and emergency power, SCIF-indoctrinated individuals must provide security by physically occupying the SCIF until the IDS can be made functional. As an alternative, the outside SCIF perimeter may be continuously protected by the response force or as determined by the CSA.

IDS Logging: The IDS willeans foristorical record of all events, either automatically or through the useanual log system. If the IDE has no provision of automatic entry into archive, the operator will record the time, source, and type of alarm, and action taken. Results of investigations by the response force will be maintained at the monitor station. The historical record must be routinely reviewed by the responsible security officer. Records of alarm annunciations shall be retained for at leastays or until investigations of system violations and incidents have been successfully resolved and recorded.

DIRECTOR Or CENTRAL INTELLIGENCE DIRECTIVE 1

ANNEX Approved 37 Kay

TACTICAL, IELD TRAINING

This annex pertains to specialized Sensitive Compartmented information Facilities (SCIFs) deployedactical operations or field training enviroruoent - It is divided into three parts to reflect the accepted modes of tactical operation:

round Operation

Partircraft/Airborne Operation

Parthipborne Operation

APPROVED FOR RELEASEI0

able of Contents

PART I GROUND OPERATION

1

AND

OF TACTICAL

SCIF OPERATIONS USING VANS, SHELTERS, AND

SCIF OPERATIONS WITHIN EXISTING PERMANENT

SIGINT

5

ELECTRICAL

TEMPEST

TELEPHONE

AIRCRAFT/AIRBORNE OPERATION

1

3 .

OF AIRCRAFT/AIRBORNE

AND PATROL

AIRCRAFT. .

DESTRUCTION

SHIPBOARD OPERATION

2 .AND

OF SHIPBOARD SCIFS

APPHOVtD FOR PELEASEI0

DETECTION SYSTEM

SCUTTLES AND

OF CRYPTOGRAPHIC

STORAGE

5

TELEPHONE UNTT-III

POWERED

INTERCOM ANNOUNCING

INTERCOMMUNICATION ANNOUNCING

6

INTERCOMMUNICATION

ANNOUNCING

TUBE

PROCESSING

21,

SECURE WORKING AREAS

PORTABLE SHIPBOARD COLLECTION VANS

APPROVED FOR RELEASEI0

PART I GROUND OPERATION

1.0 PURPOSE:

This Annex prescribes the procedures for the physical security requirements for the operationensitive Compartmented Information Facility (SCIP) whileield or tactical cohfiguration, including training exercises. It also addresses the standards for truck mounted or towed trailer style shelters designed for useactical environment but usedarrison environment knownemi-permanent SCIF (SPSCIF).

2.0 APPLICABILITY AND SCOPS:

Recognizing that field/tactical operations, as opposed to operationsixed military Installation, are of the type considered least secure, the following minimum physical security requirements will be met and maintained. Situation and time permitting, these standards will be improved upon using the security considerations and requirements for permanent secure facilities as an ultimate goal. If available, permanent-type facilities will be used. Under field or combathour operation is mandatory. Every effort must be made to obtain the necessary support from the host commandecurity containers, vehicles, generators, fencing, guards, weapons, etc.).

3.1 The Tactical SCIPCIF) shall be located within the supported headquarters defensive perimeter and preferably, also within the Tactical Operations Center (TOC) perimeter.

2.3 CIF shall be established and clearly markedhysical barrier, where practical, the physical barrier should be triple-strand concertina or General Purpose Barbed Tape Obstacle (GPBTO). The Tactical SCIP approval authority shall determine whether proposed security measures provide adequate protection based on local threat conditions.

The perimeter shall be guarded by walking or fixed guards to provide observation of the entire controlled area. Guards shall be armed with weapons end ammunition. The types of weapons will be prescribed by.the supported commander. Exceptions to this requirement during peace may only be granted byCIF approval authority based on local threat conditions.

Access to the controlled area shall be restrictedingle gate/entrance, which will be guardedontinuous basis.

An access list shall be maintained, and access restricted.to those people whose names appear on the list.

The Tactical SCIF shall be staffed with sufficient personnel as determined by the on-site security authority based on the local threat conditions.

Emergency destruction and evacuation plans shall be kept current.

CI material shall be stored in lockable containers when not in use.

shall be established andbackup response forces, if possible.

The SSO, or designee, shall conduct an inspection of the vacated Tactical SCIF area to ensure SCI materials are not inadvertently left behind whenCIF moves.

ReconciliationCIF activation and operational data shall be made not more thanays after SCIF activation. Interim reporting of SCIF activities may be made to the CSA.

RESPONSIBILITIES I

The Cognizant Security Authority (CSA) is responsible for ensuring compliance with these standards and providing requisite SCI accreditation. The CSA may furtherCIF accreditation authority one command level lower. The Senior Intelligence Officer (SIO) is responsibleemporary field or Tactical SCIF is used in support of field training exercises. eriod of declared hostilities or generalCIF may be established at any levelccreditation upon the verbal ordereneral or Flag Officer Commander.

4.0 ACCREDITATION OF TACTICAL SCIFS:

'4.1 An Accreditation Checklist shall not be required for establishmentCIF. Approval authorities may require useocal tactical deployment checklist.

4.3 The element requesting establishmentCIF shall notify the CSA, or designee, prior to commencement of SCIF operations. The message shall provide the following information:

ID number of parent SCIF.

Name of the Tactical SCIF.

ippimo (oitnuusi

DATE.iOV HIO

of contact (responsible officers).

of security measuresoperational period of SCIF.

5.0 PHYSICAL CONFIGURATION:

CIF may be configured using vehicles, trailers, shelters, bunkers, tents, or available structures to suit the mission. SelectionCIF site should first consider effective and secure mission accomplishment.

6.0 TACTICAL SCIF OPERATIONS USING VANS, SHELTERS, AND VEHICLES:

igid side shelter or portable van is used for SCI operations, it shall be equipped withombination lock that meets allof Federal Specificationr other CSA-approved lock. The combination to the lock or keys shall be controlled by the SSO at the security level for whichCIF is accredited. The shelter or van shall be secured at all times when not activatedCIF.

The SCIF entranceadio frequency shielded enclosure designed for tactical operations may be secured with the manufacturer-supplied locking device or any combination of the locking devices mentioned above.

7.0 TACTICAL SCIF OPERATIONS WITHIN STRUCTURES

7.1CIF may be operated within an existing structure when:

Location is selectedandom basis.

WimOFQInEUASI MIL IIOV fill

location is not reused6

J^JL1^ withinonths for SCI discussion,

a TSCM evaluation is recom-ended.

is no restriction over SCI discussionCIF during war.

MOBILE SICINT SCIFs:

hour operation is mandatory.

CIF shall be staffed with sufficient personnel as determined by the oo-aite security authority based on the local threat conditions.

External physical security measures shall be incorporated into tha perimeter defense plans for the immediate area in whichCIF is located.

1 hysical barrier is not requiredrerequisite toobileCIF.

physical security controls will normallyunction of the people controlling theoperations ofCIF.

irt. Cornr,unicatlons fiha11 established and maintained with backup guard forces, if possible.

1.5 Emergency destruction plans shall incorporate incendiary methods to ensure total destruction of SCI material in emergency situations.

id 8ide shelterortable van are two possible configurations that may be used.

,iflid side shelter or portable van is used, it is subject to the following additional estrictions:

ithelter, it shall be

le Jnay ttB Cohe shelter with the capability of moving on short notice.

A GSA-approved security container shall be permanently affixed within*the shelter. The combination to the lock will bo protected to the level of security of the material stored therein.

Entrance toCIF shall be controlled by SCI-indoctrinated people on duty within the sneitcr. when situations occur where there are no SCI-indoctrinated people within theuring re-

OFPnOVlD FOR RttlASl MTLIOVflll

deployment, classified material shall be stored within the locked GSA container and the exterior entrance to the shelter will be secured.

Entrance toCIF shall be limited to SCI-indoctrinated people with an established need-to-know whenever SCI material is used within the shelter.

igid side shelter or portable van is not availableacility is required for SCI operations, such as in the caseoft side vehicle or man-portable system, it is subject to the following additional restrictions:

Protection will consist of an opaqueeather pouch, metal storage box, or other suitable container that prevents unauthorized viewino of the material.

. This container shall be kept in the

physical possession of an SCI-indoctrinated person.

quantity of SCI material permitted withinwill be limited to that which is absolutelysustain the mission. Stringent securitybe employed to ensure that the quantity of SCInot allowed to accumulate more than is

workin* Papers generated within the

T-SCIF shall be destroyed at the earliest possible time after they have served their mission purpose to preclude accumulation of unnecessary classified material.

if AIS equipment is used to store or process SCIapid and certain means of destruction shall be available to AIS operators to ensure the total destruction of classified material under emergency or combat conditions.

cessation of hostilities, allshall be returned to the parent element of thereconciliation of records and destruction of

9.0 SEMI-PERMANBNT SCIFS:

9.1 Vehicles with mounted shelters or towed trailer type shelters, designed for field or tactical use. that are employed as tactical SCIFs when deployed may also be usedcif in nontactical situations if the SIO determines thereeed for more SCIF area and time and/or funds are not

aPPHOVIDlU( DATE.KQV20III

available to construct orermanent SCIF. These types of SCIFs are SEMI-PERMANENT SCIFs (SPSCIFs).

The SPSCIF shall be accredited and operated in the same mannerermanent SCIF. Requirements for TEMPEST and AIS accreditation apply as well.

The SPSCIF must be of rigid construction similaran, trailer, or transportable shelter. The construction material must be of such composition to show visible evidence of forced entry. Vents and air ducts oust be constructed to prevent surreptitious entry. The doors must be solid construction and plumbed so the doorood acoustical seal. If installed, emergency exits and escape hatches must be constructed so they can only be opened from the interior of the SPSCIF.

The SPSCIF must be placedenced cxwmpoundilitary installation or equivalent, as determined by the CSA. The fence must be at least) feet from the SPSCIF and related building and equipment. The distance from the fence to the SPSCIF may have to be greater to provide acoustical security or to meet CQMSEC or tempest requirements. Access control to the fenced compound must be continuous.

-.5 All SPSCIFs mustombination lock thatrequirements of Federal Specificationrapproved lock. (NOTE: Just as with combinations,protection equivalent to the information which

SPSCIFs do not need any additional security measures if one of the following exists:

Continuous operations. Continuous operations exist when the SPSCIF is occupied by one or more SCI-indoctrinated personsay. when there are multiple vehicles/sheltersenced compound, only thoseoccupied by one or more SCI-indoctrinated people qualify as continuous operations facilities.

Dedicated guard force who have been subjectedrustworthiness determinationAC with no clearance to be issued). The dedicated guard force must be present whenever the SPSCIF is not occupied and must have continuous surveillance of the SPSCIF entrances. The guard force must check the perimeter of the SPSCIF at least twice an hour at random intervals. Guard response time will be five minutes or less.

9.1 SPSCIFs not storing classified material and not meeting one of the requirements in the above paragraphs may

APPROVED FOR RELEASEHDV7MI

be required to have an Intrusion Detection System (ids) as prescribed ins required by the CSA.

9.9 Requirements tor storage when unoccupied:

SCI material will not be storedPSCIF except when removal is notomputer hard disk.

Storage in the United States and Outside the United States. If the SPSCIF does not have continuous operationsedicated guard force, an combination lock that meets all requirements of Federal Specificationr other CSA approved lock and an IDS for the SPSCIF interior is required. The interior SPSCIF IDS must be as prescribed in ANNEX B. The CSA may require exterior compound

POWER:

Electrical power suppliedClFs may be furnished by commercial or locally generated systems, as follows:

generator with accessguards or surveillance of tho generating equipment.

The generating equipment shall be located within the protected perimeter of the organization supportingCIF. The generator shall not require location within the SCIP compound perimeter.

Generator operator and maintenance people shall be US citizens.

In general, RF filters or isolators are not required for TEMPEST protection of commercial AC (alternating current) power lines used for SCI processing equipmentCIF.

Filtering and isolation generators (an electrical motor coupledenerator by nonconductive means) may be used to provide isolated electrical power to the SCIF. The motor generator location shall be within the SCIF compound perimeter.

REQUIREMENTS:

Authority for tempest accreditation of all compartments of SCI processedactical scif is delegated to the CSA based on review by the Certified tempest Technical Authoritv (CTTA).

IPFROVEO FOB RlllBSl DATE.iOVIIII

EQUIPMENT:

Telephone instruments usedCIF shell meet requirements outlined in the Telephone Security ANNEX. Restrictions contained within the Telephone Security ANNEX pertaining to SCIF telephone services do not applyCIF operations during war.

PART OPERATION

1.0 PURPOSE:

This annex prescribes the physical security procedures for the operationensitive Compartnented Information Facility (SCIF) for aircraft, including airborne missions.

APPLICABILITY:

This annex is applicable to all aircraft to be utilizedCIF. Existing or previously accredited facilities do not require modification to conform with these standards.

3.0 RESPONSIBILITIES:

The CSA is responsible for ensuring compliance with these standards and providing SCI accreditation. The CSA may delegate aircraft/airborne SCIF accreditation authority to the major command level.

The major command/organization Senior Intelligence Officer (SIO) is responsible when an aircraft is usedemporary SCIF in support of field training exercises.eriod of declared hostilities or general war, an aircraft/airborne SCIF may be established at any level of accreditation upon the verbal ordereneral or Flag Officer Commander. The major command/organization is responsible for ensuring compliance with this annex.

4.0 ACCREDITATION OF AIRCRAFT/AIRBORNE FACILITIESl

4.1 An accreditation checklist will not be required for the establishment of an aircraft/airborne SCIF. Approval authorities may require useocal deploymentf necessary.

4.3 The element requesting establishment of an aircraft/airborne SCIF will notify the CSA prior to commencement of SCIF operations. The letter or message will indicate the following information:

Name of aircraft/airborne SCIF

Major command/organization

ID number of parent SCIF, if applicablefrom (location) and dates

Deployed to (location) and dates

SCI level of operations

Name of exercise or operation Points of Contact

Type of Aircraft and area to be accredited as a

SCIF

of security measures for entire

iffiovioioimiusi

M

operational period of SCIF (SOP)

The SCIF will be staffed with sufficient personnel as determined by the on-site security authority based on the local threat environment.

SCI material will be removed from the aircraft on mission completion or at any landings, if feasible. When removal is not possible, or when suitable storage space/locations are not available, two armed (with ammunition) SCI-indoctrinated personnel must remain with the aircraft to control entry to the SCIF. Waivers to the requirement for weapons and ammunition may be approvedase-by-case basis by the Commander.

The SSO or senior SCI-cleared person will conduct an inspection of the vacated SCIF to ensure SCI materials are not left behind.

Aircraft that transport SCI material incidental to travel between airfields do not require accreditation. However, compliance with directives pertaining to security of SCI material and communications is mandatory.

5.0 POST AMD PATROL REQUIREMENTSI

Accredited aircraft require perimeter accessuard force,eserve security team.

5.1 Unless protected by an approved IDS, hourly inspections will be made of all hatches and seals (including seal numbers).

5.3 uard force and response team must be provided, capable of responding within five minutes if open storage is authorized, orinutes for closed storage.

5.3 when aircraft are parked outside an established controlledemporary controlled area must be established.

6.0 ENTRY HATCHES t

The aircraft commander or crew members will provide guard force personnel who have been^subjectedrustworthiness determination. NAC with no clearance to be issued) prior to departing from the immediate area of the aircraft.

All hatches will be locked to prevent unauthorized access. Hatches that cannot be secured from the outside will be sealed using serially numbered seals.

7.0 TBHPEST REQUIREMENTS:

amnio fqimuasi

illi

Authority for TEMPEST accreditation of all compartments of SCI processed in an aircraft/airborne SCIF is delegated to the CSA. based on review by the Cognirant Certified TEMPEST Technical Authority (CTTA).

UNSCHEDULED AIRCRAFT LANDINGS I

Military Bases: The local SSO or basewill be notified of the estimated arrival timeprotection required.

Airfields:

Within the United States, the local Federal Aviation Administration (FAAJ Security Officer will be notified of the estimated arrival time and security protection required.

On arrival, the senior SCI-indoctrinated person is responsible for controlling entry and maintaining surveillance over the aircraft until all SCI material is secured in an accredited SCIF or the aircraft departs.

Any properly accredited US Government SCIF may be used for temporary storage of materials from the aircraft. If the facility is not accredited for the level of information to be stored, the material must be double wrapped with initialed seals and storedSA-approved security container.

Territory:

If an aircraft landing in unfriendly territory is anticipated, all SCI material will be immediatelyith the destruction process preferably taking place prior to landing.

when flights are planned over unfriendly territory, SCI to be carried on board will be selected by the intelligence mission personnel and consist of the absolute minimum required for mission accomplishment.

All personnel will rehearse emergency destruction before each mission, such emergency preparation rehearsals will beatter-of record.

9.0 VOICE TRANSMISSIONSl

SCI discussions will only be conducted via appropriately encrypted aircraft radio.

arfbovtc foh FEitast

imlih7im

REQUIREMENTS I

Emergency Action Plan (EAP) will beprovides for the evacuation and/or destructionmaterial. Evacuation plans andmust be approved by the CSA and tested by

Emergency destruction and evacuationbe kept current.

PART OPERATION

1.0 PURPOSE:

This annex specifies the requirements for construction and security protection of SCIFs located on ships. The SCI accreditation checklist for ships amy be obtained from the Director, Office of Naval1 suit land Road,. .

3.0 APPLICABILITY AND SCOPE i

3.1 This annex is applicable to all new construction surface combatant ships. The application of this annex to surface non-combatants or sub-surface vessels will be referred to the CSA.

2.3 There may be instances in which circumstanceshreat of such proportion that they can only be offset by stringent security arrangements over and above those prescribed in this annex. Conversely, there may be instances in which time, location, mission, and/or condition of use of materials would make full compliance with these standards unreasonable or impossible. Such situations will be referred to the CSA for resolutionase-by-case basis.

3.3 Existing or previously approved facilities do not require modification to conform with these standards.

3.0 TYPES OF SHIPBOARD SCIFs IFfl)i

3.1 CIFs: An area aboard ship where SCI operations, processing, discussion, storage, or destructiontakes place. Tho area willlearly defined physical perimeter barrier and continuous physical security"safeguards. The area may contain one or more contiguous spaces requiring SCIF accreditation. ThisCIF is routinely used during deployment and import operations.

3.3 CIFs: An area aboard ship where temporary SCI operations, processing, discussion, storage, or discussion takes place. The area willlearly defined physical perimeter barrier and continuous physical security safeguards. The area may contain one or more contiguous spaces requiring SCIF accreditation. It will be continuously manned with sufficient SCI-cleared and -indoctrinated personnel, as determined by the on-site security authority based on the local threat environment, when SCI is present within the area. Temporary shipboard SCI operations will be limited to:

ingle deployment chat will not exceed

onths.

A single mission requiring SCI operations that cannot be defined in length of operational time.

During the period immediately preceding relocation of the shipefitting facility where theCIF is scheduled for renovation and compliance with this annex. There willchedule established for renovation ofCIF with confirmatory reporting of such to the CSA.

Temporary Platforms: obile or portable SCIP may be temporarily placedhip. Such platforms will be accreditedemporary basis for adeployment mission. The platform will be manneday by sufficient SCI-cleared and -indoctrinated personnel as determined by the on-site security authority. At the completion of the mission, the accreditation period will end and the CSA notified that the platform is certified clear and free of all SCI materials.

PERMANENT ACCREDITATION:

Ships requesting permanent accreditation status will provide to theomplete inspection report and the Shipboard Inspection Checklist, certifying compliance with this Annex.

5.0 STANDARDS i

The physical security criteria forCiFs is as follows:

Physical Perimeter: The physical perimeter of an SCI space will be fabricated of structural bulkheads (aluminum or steel)hickness not lessnch. Elements of the physical perimeter will be fully braced and welded in place.

Continuous SCI Spaces: Where several SCI spaces are contiguous to each other in any or all dimensions, the entire complex may be enclosedingle physical perimeter barrier conforming to this annex. >

Access to the SCI complex will be controlledingle access door conforming to this annex. Each compartment within the complex mayeparate access door from within the common physical perimeter barrier. Such interior access control doors do not need to conform with this annex.

ANNEXFOR RELLASt

Access procedures will be established to ensure against cross-traffic of personnel not holding appropriate SCI access.'

Access floor: The normal access door willshipboard metal joiner door with honeycomb-core andspecified below:

Where the normal access door isulkhead that is part of an airtight perimeter, the airtight integrity may be maintained by col oca ting the airtight door with the metal joiner door, or byestibule.

The metal joiner door will be equippedombination lock that meets all requirements of Federal Specificationr other CSA approved lock.

in addition to the lock, the door will be equipped with an access control device.

The door will be constructedanner that will preclude unauthorized removal of hinge pins and. anchor bolts, as well as to obstruct access to lock-in bolts between door and frame.

Emergency Exit: The emergency exit will be fabricated of aluminum plate or steel in accordance with this annex. The exit will be mountedrame braced and welded in placeanner commensurate with the structural characteristics of the bulkhead, deck, or overhead in which it is situated.

Restriction on Damage Control Fittings and Cables: Because of the security restrictions imposed in gaining access to these spaces, no essential damage control fittings or cables will be located within or pass through anpace. This requirement is not applicable to damage control fittings, such as smoke dampers, that may be operated by personnel within the space during normal manning.

Removable Hatches and Deck Plates: Hatches and deck plates less thanquare feet that are secured by exposed nuts and bolts {external to the SCI space) will be secured with externally attached, high security padlocks (unless their weight makes removal unreasonable). The padlock keys will be storedecurity container locatedpace under appropriate "security control.

5.7 vent and Duct Barriers: vents, ducts, or other physical perimeter barrier openingsross-sectional dimension greater thanquare inches will be protected at the perimeterixed barrier or security grill.

ANNEX

The grill will be fabricated of steel or aluminum grating or barshickness equal to the thickness of the physical perimeter barrier. rating is used, bridge center-to-center measurements will notnchesnches. Bars will be mountednch centers. The grating or bars will be welded into place.

This requirement is not applicable to through ducts that have no opening into the space.

5.1 Acoustical isolation! The physical perimeter barrier of all SCI spaces will be sealed or insulated with nonhardening caulking material to prevent inadvertent disclosure of SCI discussions or briefings from within the space, taking into account the normal ambient noise level, to persons located in adjacent passageways and/or compartments.

In cases where the perimeter material installation does not sufficiently attenuate voices or sounds of activities originating SCI information, the ambient noise level will be raised by the use of sound counter-measure devices, controlled sound generating source, or additional perimeter material installation.

Air handling units and ducts will be equipped with silencers or sound countermeasure devices unless continuous duty blowersractical, effective level of masking (blower noise) in each air path. The effective level of security may be determined by stationing personnel in adjacent spaces or passageways to determine if SCI can be overheard outside the space.

Sa.9 Visual Isolation; Door or other openings in the physical perimeter barrier through which the interior may be viewed will be screened or curtained.

CO INTRUSION DETECTION SYSTEM (IDS) I

CIF access door and emergency exit will be protectedisual and audible alarm system. The installation will consist of sensors connected at each door and alerting indicators located at the facility supervisor's position. The normal access door alarm mayisconnect feature.

fi.l Emergency exits will be connected to the alarm system at all times and will notisconnect feature installed.

The IDS will be connectedemote alarm monitor station, which may be colocated with other IDS, and locatedpace which is continuously manned by personnel capable of responding to orespqnse to an alarm violation at the protected space when it is unmanned.

C-III 4

APPROVED FOR RELEASEI0

6.3 Primary power for the IDS will be connected to an emergency lighting panel within the space. SCI spaces that are under continuous manning will be staffed with sufficient personnel, as determined by the on-site security authority based on the local threat environment, who have the continuous capability of detecting forced or surreptitious entry, without the aide of an IDS.

7.0 PASSING SCUTTLES AND WINDOWSi

Passing scuttles and windows will not be installed between SCI spaces and any other space on the ship.

1.0 LOCATION OP CRYPTOGRAPHIC EQUIPMENTI

On-line and off-line cryptographic equipment and terminal equipment processing SCI will be located only withinCIF.

9.0 SECURE A0B CONTAINERSi

SCI material will be stored only in GSA approved Clas6,ecurity containers. Containers will be welded in place, or otherwise securedoundation for safety.

I

Telephone instruments usedCIF will meet the Telephone Security Annex standards.

TELEPHONE UNIT-HI (STU-III)i

The STU-IIIerminals may be installedCIF.

POWERED TELEPHONES t

where possible, sound powered telephones will be eliminatedCIFs. sound powered telephones located withinCIF connecting to locations outsideCIF will comply with the following:

The telephone cable will not break out to jackboxes, switchboards, or telephone sets other than at the designated stations. The telephone cable will not be shared with any circuit other than call or signal systems associated withCIF circuit.

The telephone cable will be equippedelector switch, located at the controlling station, which is capable of:

Disconnecting all stations;

arrnovic fob feliasi

MTLIOVZIM

Selecting any one station and disconnecting the remaining stations; and

Parallel connection to all stations.

CIFs located aboard the same ship, which have sound powered telephones not equipped with the required selector switch, willositive disconnect device attached to the telephone circuit.

Sound powered telephonesCIF that are not used for passing SCI information willign prominently affixed to them indicating that they are not to be used for passing SCI.

A call or signal system will be provided. Call signal station, type ID/D, when used for circuit EM will be modified toisconnect in the line tooudspeaker from functioningicrophone.

INTERCOM ANNOUNCING SYSTEM:

An intercommunication type announcing system processing SI that connects to or passes through areas outsideCIF must be approved by the CSA.

INTERCOMMUNICATION ANNOUNCING

SYSTEMS:

Intercommunication-type announcing systems installed withinCIF that do not process SCI information will be designated or modified to provide the following physical or electrical security safeguards:

Operational mode of the unit installed withinCIF will limit operation to push-to-talk mode only.

Receive elements will be equippedocal amplifieruffer to prevent loudspeakers or earphones from functioning as microphones.

Except as specified, radio transmission capability for plain radio telephone (excluding secure voice) will not be connected. Cable conductors assigned to the transmission of plain language radio telephones will be connected to ground at each end of the cable.

Equipment modified will have an appropriate field change label affixed to the unit that indicates the restriction. Additionally, the front panel willign warning the user that the system is not passing classified information.

INTERCOMMUNICATION EQUIPMENT:

intercommunication equipment will not bo installedCIF without prior CSA approval.

ANNOUNCING SYSTEMSI

General announcing system loudspeakers will have an audio amplifier, and the output signal lines will be installed withinCIF.

TTJBI SYSTEMS i

Pneumatic tube systems will not be installed. Existing systems will be equipped with the following security features:

cover at both ends.

to maintain the pressure or vacuum

and capability to lock in the secure position at the initiating end.

Direct voice communications link between both ends to confirm the transportation and receipt of passing cartridges.

Special, distinctive color for SCI material passing cartridges.

Pneumatic tubes will run through passageways and will be capable of being visually inspected along their entire length.

BQUIPMENTi

A CSA-approved means of destruction of SCI material will be provided forCIF. Non-combatant surface ships that transit hostile waters without combatant escort will have appropriate Anti-Compromise Emergency Destruction (ACED) equipment on board and such equipment will be prepared for use. The ACED will be dedicated to SCI destruction. SCI material will not be destroyed by jettisoning overboard under any circumstances.

CIF will have emergency power available that will operate destruction equipment, alarm systems, access control devices, and emergency lighting equipmentinimum of six hours.

AfPltnrlOrOlftllLUf DAII. Willi

processing systems:

IF that processes SCI electronically or electrically should beEMPEST evaluation prior to activation. All computer and network systems that process SCI must be accredited or certified for operation by the cognizantccreditation Authority.

ACCREDITATIONt

Ships requiring temporary accreditation status will be processed for accreditation upon completionhysical security inspection and certification of compliance with the following security requirements:

the space is used to electrically process

SCI information, the CSA willEMPEST evaluation based on threat.

physical perimeter barrier will consist of

standard structural, nonsupport. or metal joiner bulkheads welded or riveted into place and meet the acoustical isolation requirementsCIF.

Doors will be at least metal joiner doors equipped with door closures and capable of being secured from the inside. Dutch doors are not acceptable. If cryptographic equipment is installed or stored within the space and the space will be temporarily unmanned while cryptographic key material and/or SCI material are stored elsewhere, the door will be equippedamper-proof hasp and combination padlock.

Doors and other openings in the perimeter that permit aural or visual penetration of the internal space will be screened, curtained, or blocked.

An effective, approved secure means of destruction of SCI material will be readily available in the space or nearby in general service spaces.

equipment used to process SCI

information will be located in the SCI space or, if locatedecure processing center other than that accredited for SCI, will be electrically configured) so as not to be compatible with the secure processing system of that secure processor.

telephones (to include STU-III instruments

and sound powered telephones) will be as specified for

S/SCIFS.

CIFs.

of SCI via AIS will,be as specified

SECURE WORKING AREAS (TSNAe)i

Ships requiring TSWA accreditation loror "part-time" usage will be processed for accreditation upon completionhysical security inspection and certification of compliance with the following security requirements:

physical perimeter barrier requiresconstruction, provided it can prevent visualaccess during all periods of SCI operation.

will be capable of being secured from

the inside.

Provisions will be made foremporary sign that reads "RESTRICTEDEEP OUT -AUTHORIZED PERSONNEL ONLY*.

When SCI material is to be stored in theecure storage container will be provided. Security storage containers will be welded in place, or otherwise secured to the foundation for safety and to prevent rapid removal.

electrical security requirements forTSWA will be specified by the CSA.

3 PORTABLE SHIPBOARD COLLECTION VANS

(PSCVa)i

PSCVs are vans that are temporarily placed aboard ship and not part of the permanent structure of the ship, ships requiring accreditation of embarked PSCVs must be annually accredited by the CSA and may be activated upon certification to the CSA of compliance with the following security requirements:

exterior surfacethe van will be solid

construction and capable of showing evidence of physical penetration (except for intended passages for antenna cables, power lines, etc.)

access door will fit securely and be

equippedubstantial locking^device to secure the door from the inside in order to prevent forcible entry without tools.

2security measures will be established

to preclude viewing of classified material by uncleared personnel.

2provisions will be established to

control the approach of uncleared personnel within the vicinity of the van. These measures will consist of instructions promulgated by the station (ashore and afloat) in which the van is embarked, prohibiting loitering in the immediate vicinity of the van, and will include periodic visual security checks by appropriately SCI-indoctrinated personnel.

destruction equipment will be

available and effective procedures established to ensure rapid and complete destruction of classified material in emergency situations.

SCI material will be stored within the van

and continuously inanned by sufficientas determined by the on-site securityon the local threat environment, when activated for If SCI material is to be stored outside thespace must be accredited by the CSA and be intheCIF

The electrical security requirementsSCV will be as specified by the CSA.

flrrHOino (OBHEiiasi

I0

DIRECTOR Or CENTRAL INTELLICENCB1

APPROVED

PART I

ELECTRONIC EQUIPMENT IH SENSITIVE COMPARTMENTED FACILITIES (SCIFS)

1.0 INTRODUCTION

It is the policy of the Director of Central Intelligence and the Senior Officials of the Intelligence Community (SOICs) that personally owned electronic equipment that has been approved for introductionCIF should not be routinely carried into or out of the SCIF due to the possibility of technical compromise. It is also their policy that electronic equipment that is introducedCIF is subject to technical and/or physical inspection at any time.

2.0 GUIDANCE

The following guidance is provided concerning the control of electronic equipment. SOICs retain the authority to apply more stringent requirements as deemed appropriate.

2.1 DOMESTIC UNITED STATES

The following personally owned electronic equipment may be introducedCIF:

Electronic calculators, electronic spell-checkers, wrist watches, and data diaries. NOTE: If equipped with data-ports, SOICs will ensure that procedures are established to prevent unauthorized connector to automated information systems that are processing classified information.

Receive only pagers and beepers.

Audio and video equipment with only afeature (no recordingr with the "record* feature disabled/removed.

Radios y

PROHIBITED EXCEPT FOR OFFICIAL DUTY

The following items are prohibited unless approved by the SOIC for conduct of official duties:

Two-way transmitting equipment.

equipment (audio, Associated media will be controlled.

measurement, and diagnostic

equipment.

IH SCIPfl

The following items are prohibited in

SCIFs:

Personally owned photographic, video, and audio recording equipment.

Personally owned computers and associated media.

2.2 OVERSEAS

The provisions inbove apply in the overseas environment with the exception that all personally owned electronic equipment may be introduced in the SCIF ONLY, with the prior approval of the SOIC and on-site security representative, based on local threat conditions.

1

DIRECTOR OF CENTRAL IRTKLLIGENCB1

art II

DISPOSAL OP LASER TONER CARTRIDGES

1.0 INTRODOCTION

The Director of Central Intelligence and the Senior Officials of the Intelligence Corn-unity (SOICs) hereby establish the policy and procedures for disposing of used laser toner cartridges and drums. The policy established herein is based on the fact that exploitation of used toner cartridges is consideered to be unlikely at this time; therefore, the expense of destroying toner cartridges is not deemed to be justified. SOICs are responsible for implementation of this policy within their respective department/agency. When deemed necessary and appropriate, SOICs may establish additional security measures.

2.0 POLICY

CONDS, ALASKA, AND HAWAII

Osed toner cartridges may be treated, handled, stored, and disposed of as UNCLASSIFIED, if,inimum, at least five full pages of unclassified, randomly generated text are run through the machine before the cartridge is removed. These pages should not include any blank spaces or solid black areas.

In addition to the sanitization measure described in paragraphhe drum must be adequately scored with an abrasive substance, eg, sandpaper, to further reduce the opportunity for image recovery by rendering the drum unuseable.

3.0 DENIAL OF ACCESS

most likely avenue of technical penetrationequipment is through uncleared personnel.of equipment is of concernOIC, itthat maintenance be conducted byindividual. If this is not feasible,should be US citizens or be escorted andby knowledgeable personnel.

keeping with Environmental Protection agencies/departments are encouraged to extablish

procedures for recycling properly sanitized toner cartridges.hat verifies authorized use. In the secure mode, any unauthorized entry into the SCIF shall cause an alarm to be transmitted immediately to the monitor station.

DIRECTOR OP CENTRAL INTELLIGENCE DIRECTIVE (DCID) 1

annex Approved 30 January

ACODSTICAL CONTROL AND SOUND MASKING TECHNIQUES

1.0 Basic Design:

Acoustical protection measures and sound masking systems are designed to protect SCI against being inadvertently overheard by the casual passerby, not to protect against deliberate interception of audio. The abilityCIF structure to retain sound within the perimeter is ratedescriptive value, the Sound Transmission Class (STC).

he STC Rating: STCingle number rating used to determine the sound barrier performance of walls, ceilings, floors, windows, and doors.

se of Sound Groups: The current edition of Architectural Graphics Standards (AGS) describes various types of sound control, isolation requirements and office planning. The AGS established Soundhroughf whichre considered adequate for specific acoustical security requirements for SCIF construction.

oundtc ofr better. Loud speech can be understood fairly well. Normal speech cannot be easily understood.

oundTC ofr better. Loud speech can be heard, but is hardly intelligible. Normal speech can be heard only faintly if at all.

SoundTC ofr better. Loud speech can be faintly heard but not understood. Normal speech is unintelligible.

SoundTC ofr better. Very loud sounds, such as loud singing, brass musical instrumentsadio at full volume, can be heard only faintly or not at

2.0 Sound Reduction for SCIFs;

The amount of sound energy reduction may vary according to individual facility requirements. However, Sound Croup ratings shall be used to describe the effectiveness of SCIF acoustical security measures afforded by various wall materials and other building components.

flrrflowio toR releasi

DATE;IIQVZI>IO

All SCIF perimeter walls shall meet Sound Groupunless additional protection is required for amplified sound.

If compartmentation is required within the SCIF, the dividing office walls must meet Sound Group 3.

3.0 Sound Masking and Stand-Off Distancei

hen normal construction and baffling measures have been determined to be inadequate for meeting Soundrs appropriate, sound masking shall be employed. Protection against interception of SCI discussions may include use of sound masking devices, structural enhancements, or SCIF perimeter placement.

ound masking devices may include vibration and noise generating systems located on the perimeter of the SCIF.

tructural enhancements may include the use of high density building materials. sound deadening materials) to increase the resistance of the perimeter to vibration at audio frequencies.

CIF perimeter placement may include construction designtand-off distance between the closeston-SCl indoctrinated person could be positioned and the point when SCI discussions become available for interception. Useerimeter fence or protective zone between the SCIF perimeter walls and the closest -listening place- is permitted as an alternative to other sound protection measures.

of sound which emanates from anarea is commonly doneound maskingsound masking system mayoise generator,or record playeroise source and an amplifieror transducers for distribution.

4.0 Placement of Speakers and Tranaducerst

To be effective, the masking device must produce soundigher volume on the exterior of the SCIF than the voice conversations within the SCIP. Speakers/transducers should be placed close to or mounted on any paths which would allow audio to leave the area. These paths may include doors, windows, common perimeter walls, vents/ducts, and any other means by which voice can leave the area.

4.1 Por common walls, the speakers/transducers should be placed so the sound optimizes accoustical protection.

UriOVUFORflfUASt BAILIW1HI

For doors and windows, the speakers/transducers should be close to the aperture of the window or door and the sound projectedirection facing away from conversations.

Once the speakers or transducers are optimally placed, the system volume must be set and fixed- The level for each speaker should be determined by listening to conversations occurring within the SCIF and the masking sound and adjusting the level until conversations are unintelligible from outside the SCIF.

5.0 Installation of Equipment:

sound masking system and all wires shall be located within the perimeter of the

SCIF.

sound masking system shall be subject toTSCM evaluations to ensure that the system doesa technical security hazard.

6.0 Sound Sources:

The sound source must be obtainedlayer unit located within the SCIF. Any device equippedapability to record ambient sound within the SCIF must have that capability disabled. Acceptable methods include:

amplifierecord turntable.

Audio amplifierassette, reel-to-reel. Compact Discr Digital Audio Tape (DAT) playback unit.

Integrated .amplifier and playback unit incorporating any of the above music sources.

7.0 Emergency Notification Systems:

The introduction of electronic systems that have components outside the SCIF should be avoided. Speakers or other transducers, which are partystem that is not wholly contained in the SCIF, are sometimes required to be in the SCIF by safety or fire regulations. In such instances, the system can be introduced protected as follows:

All incoming wiring shall breach the SCIF perimeter at one point. TEMPEST or TSCM concerns may require electronic isolation.

In systems that require notification only, the system shalligh gain buffer amplifier. In systems that require two-way communication, the system shall have

electronic isolation. SCIF occupants should be alerted when the system is activated. All electronic isolation components shall be installed within the SCIF as near to the point of SCIF egress as possible.

DIRECTOR OF CENTRAL INTELLIGENCE DIRECTIVE (DCID) 1

ANNEX F

PERSONNEL ACCESS CONTROLS (Approved 30 January

1.0 Access Controls:

The SCIF perimeter entrance should be under visual control at all times during duty hours to preclude entry by unauthorized personnel. This may be accomplished by several methodsmployee work station, guard,egardless of the method utilized, an access control system shall be used on the SCIF entrance. Persons not SCI-indoctrinated shall be continuously escortedCIF by an SCI-indoctrinated person who is familiar with the security procedures of that SCIF.

1.1 Automated Access Control Systems1: An automated access control system may be used to control admittance to SCIFs during working hours in lieu of visual control, if it meets the criteria stated below.

The automated access control system must identify an individual and authenticate that person's authority to enter the area through the use of an identification (ID) badge or card, or by personal identity verification. Automated identification of individuals exiting the area is desirable.

1 Manufacturers of automated access control equipment or devices must essure in writing that their system will meet the following standards before CSA's may favorably consider .such systems:

Chances of an unauthorized individual gaining access through normal operation of the equipment are no more than one in ten thousand;

Chances of an authorized individual being rejected for access through normal operation of the equipment are no more than one in one thousand.

ID Badges or Cards. The ID badge or card must use embedded sensors, integrated circuits, magnetic stripes or other means of encoding data that identifies the facility and the individual to whom the card is issued.

Personal Identity Verification. Personal identity verification (Biometrics Device) identifies the individual requesting access by some unique personal characteristic, such as:

(a) Fingerprinting.

Geometry,

Handwriting,

Retina, or

Voice recognition.

In conjunctionersonal identification number (PIN) is required. The PIN must be separately entered into the system by each individualeypad device and shall consist of four or more digits, randomly selected, with no known or logical association with the individual. The PIN must be changed when it is believed to have been compromised or subjected to compromise.

Authentication of the individual's authorization to enter the area must be accomplished within the system by the inputs from the ID badge/card or the personal identity verification device or the keypad with an electronic data base of individuals authorized into therocedure must be established for removal of the individual's authorization to enter the area upon reassignment, transfer or termination, or when the individual's access is suspended, revoked, or downgradedevel lower than required.

Physical security protection must be established and continuously maintained for all

devices/equipment that constitute the system. The level of protection may vary depending upon the type of devices/equipment being protected with the basic intent of utilizing the security controls already in effect within the facility.

Locations where authorization data, card encoded data and personal identification or verification data is input, stored, or recorded must be protectedCIF or controlled by SCI indoctrinated personnel.

Card readers, keypads, communication or interface devices located .outside the entranceontrolled area shall have .tamper resistant enclosures, and be securely fastenedall or other structure. Control panels locatedontrolled area shall requireinimal degree of physical security protection sufficient to preclude unauthorized access to the mechanism.

Keypad devices shall be designed or installed inanner that an unauthorized person in the

1age 2

immediate vicinity cannot observe the selection of

Systems that utilize transmission

lines to carry access authorizations, personal identification, or verification data between devices/equipment located outside the controlled area shallunimum of class II line supervision, as described in Annex B.

Electric strikes used in access control systems shall be heavy duty industrial grade.

Access to records and information concerning encoded ID data and PlNs shall be restricted to individuals appropriately indoctrinated at the same level as the information contained within. Access to identification or authorization data, operating system software or any identifying data associated with the access control system shall be limited to the fewest number personnel as possible. Such data or software shall be kept secure when unattended.

Records shall be maintained reflectina active assignment of ID badge/card, PIN, level of access, access, and similar system-related records. Records concerning personnel removed from the system shall be retained forays. Records of entries to SCIFs shall be retained for at leastays or until investigations of system violations and incidents have been successfully resolved and recorded.

Personnel entering or leaving an area shall be required to immediately secure the entrance or exit point. Authorized personnel who permit another individual to enter the area are responsible for confirming the individual's access and need-to-know.

1.2 Electric, Mechanical, or Electromechanical Access control Devices. Electric, mechanical, or electromechanical devices which meet the criteria stated below may be used to control admittance to SCIF areas during working hours if the entrance is under visual control. These devices are also acceptable to control access to coropartmented areas within the SCIF. Access control devices must be installed in the following manner:

u '1 he electronic control panel containing the mechanical mechanism by which the combination is set will be located inside the SCIF. The control panel (located within the SCIF) will requireinimal degree of physical security designed to preclude unauthorized access to the mechanism.

The control panel shall be installed inanner, orhielding device mounted, so that an unauthorized person in the immediate vicinity cannot observe the setting or changing of the combination.

The selection and setting of the combination shall be accomplished by an individual cleared at the same level as the highest classified information continued within. The combination shall be changed as required in.

Electrical components, wiring included, or mechanical links (cables, rods and so on) should be accessible only from inside the SCZF, or if they traverse an uncontrolled area they shall be securedrotective covering to preclude surreptitious manipulation of components.

Original document.

Comment about this article or add new information about this topic:

CAPTCHA