An Adamo security expert explains what the DIA RF memo says about how we’re handling TEMPEST concerns
by Phil Chance
In November 2022, seemingly out of the blue, the Defense Intelligence Agency (DIA) issued a memo declaring that all SCIFs, whether currently accredited or not, and all future SCIFs would be required to have approved radio frequency (RF) shielding on all floors, ceilings, walls, windows and doors. Four days later, the DIA rescinded the letter but said that all future SCIFs should be programmed with shielding considerations or will be impacted by future costs.
The truth is it wasn’t truly out of the blue. You see, this whiplash is signaling the government’s concern with compromising emanations carried over radio waves that can be exploited by our government’s adversaries. In the ‘80s, TEMPEST was a huge concern in the intelligence community (IC), and it was common to see extreme measures to protect against these errant waves. TEMPEST is a code word (not an acronym) which encompasses the government/industrial program for controlling the emissions from systems processing classified data. Individual equipment may be “TEMPESTED” or commercial equipment may be placed in shielded enclosures.
One reason for the focus on TEMPEST was the Cold War between the USSR and the United States. Another was that our computer networks and processing equipment drew so much power and leaked so much energy that they created a large TEMPEST footprint, which was easier to exploit. As we moved away from the Cold War and entered the technical revolution, our equipment became more powerful and efficient and left a lower TEMPEST footprint, but far more sensitive technology now exists that can sniff out more signals than ever before.
In July of 2023, the Navy released its own message requiring approved RF shielding material to be installed on all future SCIFs and added whenever a SCIF undergoes renovations. This currently applies only to Navy SCIFs and SCIFs supporting Navy missions.
The TEMPEST landscape is shifting. The SCIF construction process includes having a Certified TEMPEST Technical Authority (CTTA) apply mitigations to each potential SCIF before it is built and accredited under the ICD 705 Technical Specifications. There are many challenges with this process. First, there aren’t enough CTTAs. I have communicated directly with exactly one CTTA in all of my time consulting on hundreds of SCIF projects all over the world. Of course, some of that is by design to ensure the CTTA focuses only on what they do best—reviewing new spaces and providing guidance on mitigations to the AO—but some of it is because they can’t keep up with the demand.
What’s more, in my experience the only thing that has been consistent is that guidance from the CTTA between projects is inconsistent. In my experience, the guidance from CTTAs shows a wide range in expertise and understanding of construction and RF concepts and practical applications. In addition, all the government documents referenced for TEMPEST guidance are more than 25 years old.
In conversations with Accrediting Officials (AOs), they are increasingly concerned with TEMPEST mitigations. A year ago, I was walking in a space with the AO at a preliminary accreditation site visit, and she commended us on our quality of work and TEMPEST mitigation strategy. Then she said, “All of this is built correctly, and all of it is known to be compromised already.” She wouldn’t expound upon that conversation except to give the clear indication that changes are coming.
The future SAPF and SCIF will need clearer and more consistent guidance on TEMPEST if we want to protect government information. Part of the problem with that idea is that as soon as the requirements are published, the adversary will begin R&Ding their compromise. So publishing requirements broadly will be a challenge, and improving the concepts more rapidly will be important to continually protect government information.
So what should we do now? When you build a SCIF or SAPF, you need a contractor who understands the ICD 705 requirements for building a space and an RF expert who has a scientific understanding of radio frequencies and knows how to mitigate TEMPEST at the practical implementation level so you can meet the design standard.
If you’re looking for an ICD 705 expert to assist on your SCIF/SAPF build, Adamo can help. Our consultants will partner with your team and guide you from pre-design to accreditation.
Phil Chance is the president of Adamo Security Group and is a subject-matter expert with more than 10 years of experience in multiple security disciplines.
Updated to include information about the Navy message. Originally published May 2, 2023.