How to implement site security and handle common violations
SCIF and SAPF security doesn’t begin when the facility is operational—it begins with construction. Securing the construction site is a required part of any ICD 705 project, though the specific requirements will vary based on the unique risks and vulnerabilities of the location and program.
An Overview of Site Security
The Accrediting Official (AO) and accreditation team are responsible for determining the requirements for site security. These requirements will be laid out in the Construction Security Plan (CSP). The primary goal of site security is to protect the facility from adversaries during construction and ensure that only authorized persons have access to the site. The strictness of these measures can vary significantly depending on the needs of the program.
For example, a facility being constructed on a military base might require less security measures since civilian access is already restricted. In contrast, a facility being built within an existing building that houses other tenants unaffiliated with the program will require much stricter protocols.
One security measure that the Tech Spec mandates for all projects is that personnel need to either be U.S. persons or U.S. citizens, depending on AO guidance. U.S. persons are individuals legally authorized to work within the U.S. To ensure compliance, you must verify their identity and paperwork before they can work on the site. Additionally, a daily sign-in sheet is necessary to verify that everyone on-site is authorized to be there.
The objective of SCIF and SAPF construction is to maintain a low profile—essentially, to remain hidden in plain sight. Ideally, no one without a need to know will be aware that a secure facility is under construction. Sites will have some type of controlled perimeter established by a fence or the existing building in which the facility is being built. This perimeter is crucial for controlling access, with a manageable access point that can be monitored, observed or manned according to AO requirements.
Photo documentation is another vital component of site security, as well as your accreditation package. These photos serve as evidence that everything was constructed to meet the ICD 705 standards and that nothing was tampered with during construction.
Material storage is also a significant site security concern. The AO may require materials to be kept out of sight in a locked area with cameras. They may need to be locked within the perimeter of the facility itself if the facility is being built in an existing building. This is partly due to security and partly due to the unique requirements of the Tech Spec. If materials are out in the open, someone could potentially tamper with them and plant a listening device. Moreover, if non-secure construction is occurring simultaneously with secure construction, accidentally mixing up materials between the two projects could lead to non-compliance with ICD 705 standards.
Common Site Security Violations
Accidentally using the wrong materials due to poor material management is one common site security violation people make. For example, while ICD 705 construction requires 16-gauge studs on walls, that isn’t as common in other types of construction. If you end up using the wrong gauge studs, that can mean that part of construction doesn’t meet requirements and will likely need to be redone, which means tearing down walls. If there are materials for another construction project present on your site, like if the secure facility is being housed within a larger facility that’s being constructed, someone on site needs to be making sure the correct materials are used.
Another common issue is unauthorized individuals gaining access to the site without being properly vetted. For example, when an inspector needs to visit, their identity must be verified before they are allowed on site. Inspectors, members of the end-user group or contractors may be brought on site without verification of their documentation. To avoid this, maintain a list of everyone who will need to visit the site to ensure you request documentation in advance.
In most cases, cell phones and transmitting devices are not permitted on site. This is an easy rule to accidentally violate, as a worker may forget their phone in their pocket. Post reminders about this policy in visible areas and make sure all on-site workers are aware of the policy. Occasionally, this could be a deliberate security violation rather than an accidental one, in which case the issue may need to be escalated further.
Click here to download
Protocol When Site Security Rules are Violated
When a site security violation occurs, the Site Security Manager (SSM) needs to be informed. The CSP will outline the necessary steps to take in the event of a violation. The SSM will create a report for the AO detailing the violation, including the date and time it occurred, and any immediate actions taken in response.
For minor violations, such as a first-time cell phone infraction, the response would likely involve asking the individual to remove the phone from the site. Repeated violations might lead to the phone being confiscated or even destroyed.
In extreme cases of security violations, the AO will contact appropriate law enforcement for further investigation.
SSMs often wear multiple hats, and balancing site security with other responsibilities can be a daunting task. With Adamo’s SSM support services, you don’t have to manage it alone. Our ICD 705 experts can help with developing and overseeing the CSP, managing worker oversight, implementing security measures and more. Avoid costly delays and let us guide you on a smooth path to accreditation.
