Scif · Volume 10
Access Control, Alarms, and Accreditation
10.1 The box is half the job
Every previous volume has treated the SCIF as a thing that gets built: a shell of the right sound group, a door that resists the right forced-entry job, a Faraday envelope pierced only by filtered and waveguide-treated penetrations. All of that is necessary and none of it is sufficient. A perfectly constructed SCIF with no operating discipline is a very expensive room that the accrediting authority will not accredit and, if it somehow were accredited, would not stay that way. The other half of the discipline is procedural and electronic: who is allowed in and how they prove it, how the empty room is watched, who answers when the alarm trips, what paperwork demonstrates that all of the above meets the standard, and the formal act by which an authority declares the room fit to hold Sensitive Compartmented Information. This volume is about that half — the operating regime that turns a well-built box into an accredited SCIF, and the accreditation lifecycle that certifies and re-certifies it.
The organizing idea, worth stating once and holding onto, is that a SCIF has two entirely different security postures and they are governed by two entirely different systems. While the facility is occupied, it is watched by cleared people, and the security problem is controlling and accounting for who comes and goes — a duty-hours problem answered by the access control system (ACS), which can be electronic, networked, and convenient precisely because human presence backstops it. While the facility is unoccupied, no one is watching, so the room must protect itself with mechanisms that need neither power nor a network nor a monitor to hold: the GSA-approved combination lock on the door or container, and the intrusion detection system (IDS) reporting to a monitoring station that will dispatch a response force. The ACS and the GSA lock are not competitors and not redundant; they answer opposite threat models on opposite sides of the moment the last cleared person leaves and secures the space. Confusing the two — imagining that a sophisticated badge reader could stand in for the after-hours lock, or that a mechanical lock could manage daytime traffic — is the single most common category error in the whole subject, and the architecture below exists specifically to keep them separate.
10.2 Access control: the duty-hours system
The access control system is what governs entry while the SCIF is open for business. In its simplest accredited form it is a person: a cleared individual who controls the door, recognizes those entitled to enter, and admits no one else. The IC Tech Spec permits exactly this — a manually controlled door supervised by an appointed person — for facilities where it is practical. Everywhere else, the manual method is augmented or replaced by an automated access control system, and the engineering interest is in what “automated” is allowed to mean.
An automated ACS authenticates a person against one or more factors before releasing an electric strike or maglock. The factors are the familiar three: something you have (a credential — a proximity card, a smartcard, an iCLASS or PIV/CAC token), something you know (a PIN entered on a keypad), and something you are (a biometric — fingerprint, hand geometry, iris). The Tech Spec’s requirement is not that any particular factor be used but that the system reliably establish that the person at the door is on the access list and is who the credential claims — which in practice pushes higher-sensitivity entrances toward two-factor authentication, most commonly card-plus-PIN or card-plus-biometric, so that a lost or cloned card alone does not open the door.

Two properties of the ACS matter for accreditation and are easy to get wrong. First, the decision must not live in the reader. A reader on the unsecure side of the door is, physically, exposed to an adversary; if it made the grant/deny decision and simply drove the lock, defeating the reader would defeat the door. So an accredited ACS puts the reader on the outside but the controller — the device that holds the access database and makes the decision — inside the secured perimeter, with only a request-to-enter signal crossing outward and only a lock-release crossing back. The wiring between them is protected, and tamper of the reader is detected. Second, the ACS records every transaction: identifier, door, timestamp, grant or deny. That log is both an operational tool and an audit artifact; it is how the security staff reconstruct who was inside during any window, and its integrity is part of what the accreditor examines.
The ACS also has to fail correctly. On loss of power or a fire alarm it must allow egress — nobody is to be trapped by a security device — while not thereby handing an adversary free ingress. This is the perennial life-safety-versus-security tension, and it is resolved by hardware choices (fail-safe versus fail-secure locks, mechanical egress hardware that always works from the inside) reviewed against both the fire code and the security standard, which do not always want the same thing.
10.2.1 Visitor control, the access roster, and passing clearances
The ACS answers how an authorized person gets through the door; a separate apparatus answers who is authorized in the first place. Every SCIF maintains an access roster — the list of people indoctrinated for the specific compartments handled there and cleared for unescorted entry. Getting onto that roster is not a badge-office formality: it requires the appropriate clearance, a specific need-to-know for the compartmented material, and formal indoctrination (the reading and signing of the relevant nondisclosure agreements). The roster is maintained by the facility’s security officer and is the authority behind every credential the ACS honors.
Visitors — cleared people not on the local roster — are handled by visitor control, and this is where the phrase passing clearances enters. Before a visitor is admitted, the hosting security office verifies, through official channels, that the visitor holds the requisite clearance and access; the visitor’s home security office “passes” (transmits) a visit certification attesting to their clearance level, compartments, and the basis for the visit. Historically this moved by DSSCS message traffic between Special Security Offices; today it is largely carried in the personnel-security system of record (the Defense Information System for Security, DISS, and its visit-request function). Only after the certification is confirmed is the visitor admitted — escorted if not independently cleared for the compartments in play, unescorted only if the passed clearances warrant it. Uncleared visitors (maintenance, construction, inspectors without SCI access) are admitted only under continuous escort, and their presence generally triggers a sanitization of the space so that nothing classified is exposed to them.

A recurring physical measure in higher-security entrances is the access-control vestibule — the device the trade still cheerfully calls a mantrap: two doors or barriers in series such that the second will not open until the first has closed, so that exactly one authenticated person transits at a time (Figure 2). The point is to defeat tailgating and piggybacking — the unauthorized person who follows an authorized one through a held door — which no card reader on a single door can prevent by itself. Where the traffic or the sensitivity does not justify a portal, the same job is done by a staffed reception point that simply watches the door.
10.2.2 Two-person integrity where required
Certain material and certain operations are governed by the two-person integrity (TPI) rule — sometimes styled the no-lone-zone — under which no single individual may be alone with the protected asset, and two authorized people must be present and in view of each other. TPI is not a blanket SCIF requirement; it attaches to specific programs (classically nuclear command-and-control material, and some cryptographic and special-access holdings) and, where it applies, drives both procedure and hardware: the room may be configured so that it cannot be accessed by one person’s credential alone (two credentials required), and the operating procedures forbid the last two occupants from leaving separately. The engineering consequence is that the ACS must be able to enforce simultaneous dual authentication and to alarm on a lone occupant where the rule demands it — a capability the accreditor will verify against the program’s requirements rather than assume.
10.3 The GSA lock, from the security-management view
Volumes 6 and 7 treated the door and its lock as construction; here they are treated as procedure, because the hardware is only as good as the discipline around the combination. When the last cleared person leaves and secures the SCIF, the daytime ACS is no longer the barrier — the space is protected by a high-security combination lock and by the IDS. That lock meets Federal Specification FF-L-2740 (current revision B), the U.S. Government’s top specification for electromechanical combination locks, and for three decades it has been met by essentially one product family: the Kaba Mas X-0 series (now dormakaba) — the X-07 (1992, the first lock ever to meet FF-L-2740), the X-08, the X-09, and the current X-10 (2013, meeting revision B). A companion door-mounted deadbolt for pedestrian doors, the CDX series, meets the related specification FF-L-2890. These locks are electromechanical but self-powered — turning the dial spins a small generator (dormakaba’s PowerStar technology), so there is no battery to fail and no external power to cut, which is exactly the property the after-hours job demands: the secure lock cannot be defeated by pulling the building’s power because it makes its own.

From the security-management side, the hardware matters less than the combination discipline that surrounds it. A combination is not a permanent property of a lock; it is a controlled secret with a lifecycle. It is changed when the SCIF is first placed in service, whenever a person who knew it departs or loses access, whenever the combination may have been compromised, and on a periodic schedule regardless. It is set by an authorized person, known to the minimum number of people, and never written where it could be found — with one deliberate exception. The combination record is sealed on a Standard Form 700 (Security Container Information): the SF-700 carries the identity of the container/door and the responsible persons openly, while the combination itself goes on a detachable portion that is sealed in an envelope, itself marked and stored as classified information at the highest level the container protects, in another approved container. The SF-700 exists so that the combination can be recovered in an emergency (a lockout, an incapacitated custodian) without ever being written on a sticky note under the keyboard — which is precisely the failure it is designed to prevent.
Two companion forms round out the routine. The SF-701 (Activity Security Checklist) is the end-of-day walkthrough — windows, containers, alarms, coffee pots — signed off as the space is secured. The SF-702 (Security Container Check Sheet) rides on each container and door, initialed each time it is opened, closed, and checked, so that the record shows the barrier was actually secured and by whom. None of this is glamorous, and all of it is exactly the sort of evidence an inspection looks for, because the failures that lose classified material are far more often procedural (a container left open, a combination never changed after a departure) than they are the movie-plot drilling of a Class 5 door.
The day gate (Volume 7) is the procedural complement to all this: the lightweight inner grille that does the duty-hours work while the heavy vault door stands open, so the multi-hundred-pound door and its combination lock are cycled only at securing time. The split is the same one that runs through the entire volume — a heavy secure barrier for the unwatched hours, a light convenient barrier for the staffed ones — and it recurs because the threat model itself changes the moment the room empties.
10.4 The intrusion detection system
While the SCIF is closed, the mechanical lock holds the door and the IDS watches everything else. Its job is not to stop an intruder — the barriers do that — but to detect one and summon a response before the intruder can reach and exploit the material, inside the time that the barrier’s forced-entry rating buys. The IDS is therefore a detection-plus-response system, and both halves are specified.
The sensor suite has a characteristic shape. Every door in the SCIF perimeter carries a balanced magnetic switch (BMS) — a door-position sensor engineered specifically to resist the classic defeat of an ordinary magnetic contact, in which an intruder holds an external magnet to the switch while easing the door open. A BMS uses a balanced, biased magnetic circuit that alarms on either an increase or a decrease in field, so a substitute magnet unbalances it and trips it rather than holding it closed. The interior volume is covered by motion detectors — passive infrared (PIR), microwave, or dual-technology units that require both physics to agree before alarming, which suppresses the false alarms that plague either alone (Figure 4). Depending on the space, the suite may add sensors on other openings, glass-break sensors, or vibration sensors on walls, but the door BMS plus interior motion coverage is the backbone, sized so that an intruder cannot cross the protected volume without being seen by something.

All of these sensors report to a premise control unit (PCU) — the panel inside the SCIF that gathers the sensor loops, holds the arming state, and communicates with the outside monitoring station. The PCU is where two disciplines central to alarm engineering live. The first is line supervision: the communication path from the PCU to the monitoring station cannot be a plain wire that an adversary could simply cut or short (which would silence the alarm without tripping it), so the link is continuously supervised — an end-of-line or, better, an encrypted/interrogated circuit whose interruption or substitution is itself an alarm condition. The standard requires the transmission line be supervised to a defined class so that cutting, shorting, or spoofing it fails loud, not silent. The second is tamper protection: every enclosure — PCU, junction boxes, sensor housings — carries a tamper switch that alarms on being opened, so an attempt to defeat the system by getting inside its own hardware is detected regardless of the system’s armed state.
The PCU has two operating states, and the discipline of moving between them is part of the accredited procedure. In access mode the SCIF is occupied and the interior motion sensors are shunted so that the occupants can move about, while the perimeter and tamper protection stay live. In secure mode the space is closed and the full suite is armed. The transition is deliberately gated by an entry/exit delay: after arming, an authorized person has a bounded interval to leave and secure the door before the interior sensors go hot, and on return, opening the door starts a bounded interval during which they must authenticate to the PCU (disarm to access mode) before the alarm reports. Those delays are kept short — long enough for a legitimate person to transit, short enough that they do not become a window an intruder could exploit — and the arm/disarm action itself is authenticated and logged, so the record shows who secured and who opened the space.
10.4.1 UL 2050 and the monitoring station
Detection is worthless without response, and the standard is specific about who does the watching. The IDS installation and its monitoring must conform to UL 2050, the Underwriters Laboratories standard for National Industrial Security Systems — the alarm standard written specifically for facilities protecting classified U.S. Government information. A UL 2050 installation is documented by a certificate issued against the standard, and it must be monitored by a station holding the relevant UL listing (the monitoring-station category the trade knows by its UL code CRZH) — either a UL-listed commercial central station or an equivalent government monitoring station. The certificate ties the specific facility, the extent of protection, the servicing company, and the monitoring arrangement together in a document the accreditor can inspect; it is the paperwork proof that the alarm system was installed and is watched to the standard rather than merely bought and bolted up.

The response half is a timed requirement. When the monitoring station receives an alarm it dispatches a response force, and the standard sets a maximum allowable response time — the interval from alarm to a responder physically reaching the SCIF. The exact number depends on the storage mode and assessed risk (open-storage and higher-risk facilities get the shortest allowances, commonly cited on the order of fifteen minutes and tighter where warranted), and the whole system is engineered so that barrier delay plus alarm plus response closes before an intruder could defeat the barrier and reach the material. This is the quiet arithmetic underneath the entire physical-security case: the forced-entry rating of the door (Volume 7) buys minutes, and the alarm-plus-response must fit inside them.

10.5 Open storage, closed storage, continuous operation
How the SCIF is secured when unoccupied depends on its storage mode, and the three modes are worth distinguishing because they change what the lock and IDS are actually protecting.
Open storage means classified material may be left out — on desks, on walls, in open shelving — because the entire room is the container. The SCIF’s perimeter, door, lock, and IDS together provide the protection that a GSA security container would otherwise provide for the documents individually. Open storage is the most convenient mode to work in and the most demanding to accredit: because the material is exposed, the room’s construction, alarm coverage, and response time all have to meet the higher bar, since the whole volume is standing in for a safe.
Closed storage means the room protects itself when unoccupied, but the classified material does not stay out — at securing time it is returned to GSA-approved security containers (the Class 5 and Class 6 safes and files) inside the SCIF, each with its own FF-L-2740 lock. The room’s barriers and IDS then protect the containers rather than exposed material, and the accreditation bar for the room’s construction can be correspondingly lower because a second, certified layer (the safe) sits between the intruder and the documents. Closed storage trades daily convenience (everything must be put away) for a less demanding facility standard.
Continuous operation means the SCIF is manned around the clock and never actually goes to the unoccupied state — a 24/7 operations center, a watch floor. Here the after-hours model largely does not apply: there is always a cleared person present, so the ACS-plus-human posture never hands off to the lock-plus-IDS posture. Continuous-operation facilities still have the hardware, but their accreditation reflects that the room is never dark, which changes the alarm and response calculus (the people are the detection) and imposes its own procedures for shift handover and for the rare planned or unplanned vacancy.
10.6 The people and the procedures
None of the hardware self-administers. Behind every accredited SCIF is a security officer and a body of written procedure, and the accreditor examines the procedure as closely as the copper.
The responsible official is the Special Security Officer (SSO) or, for a contractor facility, the Contractor Special Security Officer (CSSO) / Special Security Manager (SSM) — the person accountable for the day-to-day security of the SCIF and its SCI: maintaining the access roster, controlling combinations, running visitor control, overseeing the IDS and its testing, and enforcing the operating rules. The SSO works under the Special Security Representative structure and ultimately answers, through the chain, to the Accrediting Official (AO) who granted the accreditation. The single most consequential fact about the SSO’s role is that it is continuous: accreditation is not a one-time event that the SSO administers once, but a standing condition the SSO maintains, and the great majority of what loses an accreditation is an SSO-level lapse rather than a construction failure.
The written backbone is the Standard Operating Procedures (SOP) — the SCIF’s own security operating manual, covering opening and closing, access and visitor control, the handling and destruction of classified material, alarm procedures, and the response to security incidents. Alongside it sits the Emergency Action Plan (EAP), which specifies what happens in fire, natural disaster, bomb threat, power loss, or hostile action — how the space is secured or, where necessary, its material emergency-destroyed, and how people get out safely without leaving the material exposed. Both documents are part of the accreditation package, and both are living: they are exercised, updated, and inspected, not written once and filed.
Two operating rules deserve their own note because they define the daily texture of working in a SCIF. The first is the open/closed indicator — the simple, unmistakable sign (often a two-sided placard, red and green) hung at the entrance to show whether the SCIF is currently in open (SCI discussion in progress, uncleared visitors must not enter) or closed status. It is a trivial piece of cardboard doing a load-bearing job: it prevents the uncleared escort or the delivery driver from blundering into an active discussion.
The second is the prohibition on personal electronic devices (PEDs). Cell phones, smartwatches, fitness trackers, wireless earbuds, laptops with radios, and anything else that transmits, records, or could be turned into a covert sensor are barred from the SCIF as a matter of standing policy — the human-procedural complement to all the RF engineering of Volume 8. A phone in a pocket is a microphone, a camera, a GPS logger, and a radio, any of which defeats the acoustic and emanation protections the facility spent a fortune to build. The rule is enforced by policy, by signage, and often by a bank of lockers or a shielded pouch station at the entrance where devices are surrendered before crossing the line.

Finally, the SCIF is periodically swept. The Technical Surveillance Countermeasures (TSCM) program is the recurring inspection for illicit technical surveillance — hidden transmitters, taps, anomalous modifications — conducted by trained TSCM personnel with instrumented searches. A TSCM evaluation is often part of the initial accreditation and is repeated on a schedule or on cause (a break-in, uncontrolled access, suspicion). It is the direct lineal descendant of the Moscow-embassy sweeps of Volume 2: the acknowledgment that a facility secure on the day it was accredited can be compromised afterward, and that verifying it stays clean is a continuing obligation, not a one-time check.
10.7 The accreditation lifecycle
Everything above converges on a single formal act: accreditation, the decision by the Accrediting Official that a specific facility meets ICD 705 and its IC Tech Spec and may be used to store, process, and discuss SCI. Accreditation is not a certificate you apply for and receive by mail; it is the end of a defined process that begins before the first wall goes up and continues, through re-inspection, for as long as the SCIF exists. The engineer reading this wants the process, so here it is end to end.
Concept approval. Before construction — before design is even finalized — the sponsoring organization brings the concept to the AO: where the SCIF will be, what it will handle, its size and general design, and the security environment around it. The AO’s concept approval (or pre-construction approval) is the gate that says “this is worth designing to the standard; proceed.” Building a SCIF and then asking whether it can be accredited is the expensive way to discover it cannot; concept approval exists precisely to catch a doomed site or design on paper. This is also where the AO’s TEMPEST authority first weighs in on whether, given the location and the material, emanation countermeasures will be required — the determination that Volume 8 hangs on.
The Construction Security Plan. With the concept approved, the project produces a Construction Security Plan (CSP) governing how the SCIF is built securely. The CSP is the answer to a threat the finished-facility standards do not address: the vulnerability of the structure while it is being built, when uncleared trades, foreign-sourced materials, and unsupervised access could allow the introduction of a technical penetration into the very fabric of the walls. The CSP specifies material control, personnel vetting and escort, secure storage of construction materials and drawings, and inspection regimes — heightened for facilities built with non-U.S. labor or overseas, where the construction-security requirements escalate sharply. It is the reason a SCIF is not simply built by the low bidder and inspected at the end.
Construction to the standard. The facility is then built to the approved design under the CSP, with the required construction-security controls, generating the evidence the accreditation package will rest on: the actual wall sections, the penetration treatments, the door and lock installations, the IDS and ACS as installed. Photographs, drawings, and test records accumulate during construction precisely because much of what must be verified — what is inside a finished wall — cannot be seen once the drywall is up.
The Fixed Facility Checklist. The accreditation package’s centerpiece is the Fixed Facility Checklist (FFC) — the standardized form (a DIA/ODNI product, the “SCIF Fixed Facility Checklist,” current version 1.5.x) on which the facility documents, section by section, how it meets each applicable requirement of the IC Tech Spec. The FFC is comprehensive: general information and responsible personnel; the physical security of the perimeter, walls, floor, and ceiling; doors and locks; the IDS and ACS; acoustic protection; TEMPEST; and the operating procedures. It is submitted with a package of supporting artifacts — floor plans and wall sections, a penetration schedule cataloging every pipe, duct, conduit, and cable crossing the perimeter and how each is treated, the TEMPEST addendum, the SOP and EAP, the IDS and ACS plans, the UL 2050 certificate, and the TSCM report. Assembling the FFC package is the point at which every earlier volume’s engineering becomes a line item to be justified.

Physical inspection and validation. The AO’s team then validates the facility against the FFC — a physical security inspection that verifies the paperwork matches the building. Inspectors check the perimeter and penetrations, exercise the door and locks, test the IDS end to end (including that alarms actually report to the monitoring station and that the response arrives inside the required time), examine the ACS and its logs, conduct or review the acoustic testing, and confirm the operating procedures and records are real. This is where a facility that looks perfect on paper meets someone whose job is to find the duct that was never baffled and the tamper switch that was never wired.
TEMPEST review by the CTTA. In parallel, where the concept-stage determination flagged emanation concerns, the Certified TEMPEST Technical Authority (CTTA) conducts the TEMPEST review — assessing the facility against the classified emanation requirements, prescribing countermeasures (shielding, RED/BLACK separation, filtering) to the degree the specific threat and location warrant, and verifying they were implemented. The CTTA’s determination is a distinct authority from the physical-security review and is the reason, as Volume 8 argued, that not every SCIF is a Faraday cage: the CTTA decides how much emanation countermeasure a given facility actually needs, and signs off that it was done.
The accreditation decision. With the FFC validated, the TEMPEST review complete, and any deficiencies corrected, the AO renders the accreditation decision. A clean facility is accredited for the specific compartments and uses documented; a facility with minor, non-security-critical shortfalls may be accredited with a waiver or on condition of correction; a facility that fails on a security-critical point is not accredited until it is fixed. The accreditation names what the SCIF is approved for — it is not a generic blessing but a specific authorization tied to the facility as documented.
Reciprocity, re-accreditation, and re-inspection. ICD 705’s governing intent is reciprocity: a SCIF accredited by one authority is, as a rule, to be accepted by others without being torn apart and re-accredited from scratch, so that a properly accredited facility can be used by another agency on the strength of the existing accreditation plus a review of the current documentation. Accreditation is not, however, permanent. SCIFs undergo periodic re-inspection (a recurring physical security review on a defined cadence) to confirm they still meet the standard, and re-accreditation when circumstances change materially — a modification to the structure, a change in the material handled, a new threat in the environment, or the correction following a compromise. The lifecycle is a loop, not a line: accredit, operate, inspect, and re-accredit, indefinitely.
Co-utilization and joint use. Where more than one organization uses a single SCIF, a co-utilization agreement (CUA) — a memorandum of agreement among the tenants and the accrediting authority — governs the shared arrangement: who is the accrediting AO of record, who runs security, how access rosters and visitor control are administered across the tenants, and how costs and responsibilities divide. Joint-use is common and sensible (SCIFs are expensive; sharing one beats building three), but it multiplies the coordination the SSO must manage and is itself a documented, accredited condition rather than an informal handshake.
De-accreditation. Finally, the thing that concentrates the mind: a SCIF can lose its accreditation. The accreditation is withdrawn for uncorrected deficiencies found at re-inspection, for unauthorized structural or configuration changes that void the validated baseline, for a security violation or compromise that breaks the trust the accreditation rested on, for failure of the IDS or the monitoring/response arrangement, for a TEMPEST or TSCM finding, or for the facility simply falling out of compliance as procedures lapse. De-accreditation is not merely administrative — a de-accredited SCIF may no longer hold or process SCI, which can halt the mission it exists to support until it is brought back into compliance and re-accredited. This is the enforcement teeth behind the whole procedural regime: the accreditation that took months to earn can be lost in an afternoon of neglect, and the SSO’s continuous job is to see that it is not.
10.8 Fifty-fifty
The through-line of this volume, and arguably of the whole series to this point, is that a SCIF is roughly half construction and half operating regime, and that the two halves are not separable. The finest shielded, sound-isolated, forced-entry-rated shell in the world is not a SCIF until an access control system governs who enters it, a GSA lock and a UL 2050 alarm protect it when it is empty, a security officer maintains the rosters and combinations and procedures, and an accrediting authority has validated all of it against the standard and agreed to keep validating it. Conversely, the most disciplined operating regime cannot rescue a shell that leaks sound or emanations or lets an intruder through faster than the response can arrive. The construction volumes built the box; this volume built the discipline around it; and only the two together produce the thing the whole enterprise is named for.
Which sets up the question the series has been circling from the beginning and finally has to answer honestly. A private engineer, reading all of this, can see that the construction is, in principle, reproducible — the shielding, the acoustic detailing, the penetrations are just engineering, buyable and buildable by anyone with the budget and the patience. But the accreditation is not: there is no path by which a private citizen self-accredits a SCIF, because accreditation is an act of government authority tied to a sponsoring need and a chain of accountability that a hobbyist simply does not sit inside. The next volume takes that distinction as its subject — what a private individual realistically can build (an RF- and sound-isolated room, a genuine Faraday lab, to a real and satisfying engineering standard) and what they categorically cannot (an accredited SCIF), and how to think clearly about the difference without either overclaiming or giving up the parts that are genuinely within reach.
Sources
- Office of the Director of National Intelligence, IC Tech Spec for ICD/ICS 705 — Technical Specifications for Construction and Management of Sensitive Compartmented Information Facilities, Version 1.5.x (public release) — chapters on intrusion detection systems (IDS), access control systems (ACS), and the accreditation process. https://www.dni.gov/files/Governance/IC-Tech-Specs-for-Const-and-Mgmt-of-SCIFs-v15.pdf
- Intelligence Community Directive (ICD) 705, Sensitive Compartmented Information Facilities, and ICS 705-1 / 705-2 (accreditation, reciprocity, and the physical/technical security standards). https://www.dni.gov/files/documents/ICD/ICD_705_SCIFs.pdf
- DIA / ODNI, SCIF Fixed Facility Checklist, Version 1.5 (the FFC form and its sections; source of Figure 8). https://www.dni.gov/files/Governance/SCIF-Fixed-Facility-Checklist-V15.pdf
- UL 2050, National Industrial Security Systems — the alarm standard for facilities protecting classified U.S. Government information; the UL “CRZH” monitoring-station category and the UL 2050 certificate/extent-of-protection framework. UL Solutions product-category guidance. https://www.ul.com/
- Federal Specification FF-L-2740B, Locks, Combination (high-security electromechanical combination locks for GSA-approved containers and vault doors) — met by the dormakaba/Kaba Mas X-07/08/09/10 family. dormakaba/Kaba Mas X-10 product documentation. https://www.dormakaba.com/us-en/products/electronic-access-data/high-security-locks
- Federal Specification FF-L-2890B, Lock Extension (Pedestrian Door Deadbolt) — the pedestrian-door companion met by the Kaba Mas CDX series. GSA / dormakaba product documentation. https://www.dormakaba.com/
- U.S. General Services Administration, security container and vault-door approvals (GSA-approved Class 5 / Class 6 containers and Class 5 vault doors), and the Standard Forms SF-700 (Security Container Information), SF-701 (Activity Security Checklist), and SF-702 (Security Container Check Sheet). GSA / ISOO forms. https://www.gsa.gov/reference/forms
- Center for Development of Security Excellence (CDSE, Defense Counterintelligence and Security Agency), Fixed Facility Checklist short and SCIF physical-security student guides. https://www.cdse.edu/
- Defense Counterintelligence and Security Agency (DCSA) — visit certification / “passing clearances” via the Defense Information System for Security (DISS) and the personnel-security process; roles of the SSO/SSM/CSSO. https://www.dcsa.mil/
- Interlogix / GE Security balanced magnetic switch (BMS) and dual-technology motion-detector product literature (illustrative of the sensor types the Tech Spec requires; no defeat detail). Vendor datasheets.
- Defense Visual Information Distribution Service (DVIDS) — base defense operations center / alarm-monitor imagery (Figures 5, 6) and prohibited-electronic-device signage (Figure 7): Creech AFB (Tech. Sgt. Nadine Barclay, 2015), Kadena AB (Senior Airman Jessica H. Smith, 2018), Keesler AFB (Airman 1st Class Devyn Waits, 2023). https://www.dvidshub.net/
Comments (0)