What is a SCIF?
(pronounced “skiff”)
A SCIF is a U.S. government–accredited facility where Sensitive Compartmented Information (SCI) can be stored, discussed or electronically processed. Primarily government and government-related contractors that require high security have the need for SCIFs.
There are other spaces also used to process, store and discuss classified information such as Special Access Program Facilities (SAPF) and Open Storage Areas, formally known as Closed Areas (NISPOM). To learn more about other types of specialized/secure facilities, read more below.
Specialized Standards
Physical Security
& Hardening
Acoustic
Controls
Visual
Controls
Alarms & Access
Control
Electronic &
TEMPEST Security
SCIF Requirements
1
Minimum Requirements for SCIFs
Defined in Intelligence Community Directive (ICD) 705/ IC Technical Specification
The directive describes many specialized construction requirements with the intention to ensure that high-security features are built into the facility beyond those achieved by typical commercial construction.
For example, all perimeter surfaces (walls, ceilings and floor) are to be constructed so that they will reveal evidence of unauthorized entry or tampering.
2
Individualized Solutions
Each Program Has Its Own Performance Requirements
Depending on each project’s individual performance requirements, additional materials may be required for construction, such as radiant barrier foil, physical perimeter hardening by use of expanded metal with heavier gauge metal studs, as well as additional protective acoustical features to prevent eavesdropping and collection of audio intelligence emanating from the SCIF.
Read more about the specialized standards for SCIF construction here.
3
Protective Measures
A Few Factors that Need to be Considered
While there are standard requirements for any SCIF, each project will also have protective measures that are determined by factors such as the facility’s location, security in depth (SID), inspectable space, program requirements, “Open” or “Closed” storage and TEMPEST considerations.
These are only a few of the factors that can determine what specific protective measures may be required.
Selecting a Properly Qualified Design/Build Firm is Imperative
Additionally, there are various construction methods of achieving the proper protective measures required and the various methods can have a substantial cost impact on the project. It is most beneficial in terms of both time and money to ensure that the designer of a SCIF has substantial experience with the different potential requirement scenarios and that the contractor building the facility has had enough experience to avoid common assumptions that standard commercial contractors, without a lot of SCIF experience, would typically make. The most optimum solution is to select a properly qualified design/build firm.
Other Types of Secure Facilities
SCI Facilities are not the only types of secure environments that are required to protect classified or sensitive information. Information or discussions that are classified at the SECRET level may only require a CLOSED area. If you have the need for Radio Frequency shielding, you may need to work inside of an RF Enclosure or screen room.
You may have sensitive or proprietary information that needs to be kept controlled, or your facility may need to have access control added depending on different levels of program access.
Although SCIF and SAP Facilities used to be built differently and with a different standard, they are now built using the same standard. SAPF typically refers to facilities for the Department of Defense, so facilities for the U.S. Navy, U.S. Army, U.S. Air Force, or U.S. Marine Corps. SCIFs are typically for programs run by the Intelligence Community, but both SCIFs and SAPFs are built to the same specifications.
These types of facilities, formerly called Closed Areas, fall under the National Industrial Security Program Operating Manual (NISPOM), now the 32 CFR Part 117. The construction requirements can vary, depending on the intended use of the facility. Acoustic measures may be required in physical security requirements. There may be high-security hardware and other access control measures installed. These types of facilities typically require less work than SCIF or SAPF to construct, but there are variables involved that can impact cost and feasibility. Is it always best to have an expert evaluate the site and project prior to developing conceptual budgets and timelines.
Protecting electronic data and data processing is critical, whether or not that data is classified. Even within normal day-to-day functions, sensitive information can come from many sources within any organization. Data centers not only require high levels of IT security but also controlled access to the physical equipment itself. One inherent vulnerability to these types of facilities is their dependence on power and environmental controls. The equipment that provides power and cooling becomes "mission critical" as it sustains the ability for the data center to perform. Mission critical systems have an elevated need for monitoring and control. These systems should also be protected with security measures that are in line with the security level of the data center that is supported by the mission-control systems. Enlisting the services of a professional that understands security, power management systems and electrical systems will ensure that your data center is a completely secure facility.
In today's world, there is a need for security even without the presence of classified information. Corporate proprietary information, trade secrets and information can be targeted. Adding security measures as simple as doorways and locking hardware — or more complex items such as electronic access control systems and intrusion detection systems — are different ways to limit and control access to sensitive information. Adding security measures to improve the control of restricted or sensitive information will typically involve several types of trades and professional. A key to successfully implementing these types of measures efficiently and without wasted costs is to consult with a security professional that understands all of the elements of your project.
There can be a number of factors that drive the need for Radio Frequency (RF) shielded or Electro Magnetic Pulse (EMP) shielded enclosures. Security concerns about TEMPEST emanations, the need for isolated test environments, or EMP shielding on mission-critical systems and equipment can be requirements that drive the need for these facilities. Along with a high level of technical design, these facilities will often require specialized testing to ensure that they perform properly prior to installing/operating programs within the facility's perimeter. Shielded facilities should always be designed and installed by qualified experienced professionals.
