What Are The Standards For Sensitive Compartmented Information Facilities?
A SCIF in a warehouse - there's a significant similarity to the old James Hardie control room going on here.
Q: We’ve been asked by a customer to plan a sensitive compartmented information facility to be commissioned at one of their facilities, and we’re interested in establishing whether or not there are specific standards relating to these facilities around which we can design a solution.
A: Sensitive Compartmented Information Facilities are enclosed, secure areas within a building where sensitive compartmented information may be stored, processed or discussed, depending on the operational requirements of the organisation.
Typical SCIF users are government departments, but larger private organisations wishing to ensure sensitive information is protected have a requirement for them as well. A SCIF can also be temporary or mobile, in a vehicle, a ship, an aircraft, or in the field.
The characteristics of a SCIF are that it is a secure room or suite of rooms within a secure facility, built to an elevated physical security standard and protected against electronic surveillance from any possible external source. Either there will be no unauthorised entry, or uncleared personnel must surrender all electronic devices upon entering the SCIF.
The location will be access controlled, and there will be alarms, CCTV coverage, secure storage containers, privacy from external observation of any kind and regular checks to ensure the facility is ‘clean’ and bug free. Some SCIFs are devoid of electrical cabling; others feature monitoring of all electronic services; some are layered, with services in the outer ring and none in the SCIF room.
More Specifically in Australia…
From what SEN understands, there are 5 Aust Govt security zones ranging from Zone 1 public access (e.g. Centrelink office) to Zone 5 TOP SECRET, including acoustic protected internal compartments, data centres, some Defence R&D sites, etc.
The default minimum zone for Govt offices is Zone 2, formerly Intruder Resistant Area. Zone 1 becomes Zone 2 after hours. All SCIFs (Sensitive Compartmented Information Facilities) are Zone 5, but not all Zone 5s are SCIFs.
The existence of SCIFs is not classified. Location, contents and related technology are classified. Most SCIFs are used to process and store highly classified national security information (e.g. Five Eyes AUSCANUKUSNZ) and conduct confidential discussions, are or should be within Zone 4, and are able to be inspected around the entire perimeter.
Construction is ideally 12mm plasterboard then 9mm marine grade plywood or 1mm sheet steel edge to edge on the exterior over steel studs, 50mm acoustic insulation, then 12mm plasterboard on the interior, in a smooth light painted finish to detect signs of covert intrusion or placement of surveillance devices. No untreated penetrations exceeding 150mm. Dual access authentication (e.g. card plus PIN or biometric) on solid core block timber 45mm thick doors in 1.6mm cold formed steel frames is required, with SCEC endorsed access control (electronic mortice lock) and mechanical (rectangular bolt mortice) locking, strike shield, hinge pins, heavy duty 2-stage door closer, acoustic seals, etc.
Type 1A SCEC endorsed ASIO-T4 security alarm systems, either Honeywell or Gallagher, must be used for all Zones 4 and 5, with door balanced magnetic reed switches and internal volumetric detectors, and field panels located in the zone.
Type 1A systems must be designed, commissioned and certified compliant by a SCEC endorsed consultant (87 globally as at 19 Nov 2020), who in practice often also advises upon all other aspects of zone construction including cabling, other services integration (e.g. electrical and mechanical), compliance, and cost effective cohesive asset protection.
Unescorted SCIF access is only permitted to holders of NV2 TOP SECRET security clearance and the relevant codeword and/or caveat briefings (for codeword signals, satellite, imagery, comms, ICT, human and other operational and strategic INT).
The Defence Security Principles Framework (DSPF [UNCLASS], defence.gov.au), Principle 73, page 357 and following pages, sets out the zone types and relevant certification/accreditation authorities.
SCIFs may only be certified and accredited by ASIO-T4, Aust Signals Directorate, Aust Geospatial-Intelligence Organisation, and Defence Chief Information Officer Group. If a zone is not formally certified and accredited, it cannot be used to process or store highly classified information or other official assets, or to protect classified discussions.
Failure to coordinate all aspects to achieve a fully compliant zone installation incurs significant costs. SCIFs are the highest security zone compartments and require significant experience, qualifications, and project coordination skills, including SCEC security consultants, SCEC locksmiths and asset owners (i.e. ultimate operators of the SCIF, responsible for custody and protection of the holdings).
All zones including Zone 5 SCIFs must meet the physical, electronic, personnel, information, administrative and related measures prescribed in ASIO-T4 Technical Notes and other Aust Govt policy (e.g. Protective Security Policy Framework, Protective Security Circulars, Security Equipment Guides, Security Equipment Evaluated Products List, Security Construction and Equipment Committee bulletins; see The Protective Security Policy Framework and www.scec.gov.au).
The administrative security burden involved in gaining SCIF approval is also extensive (e.g. security risk assessment, project security plan, standard operating procedures, construction security plan, acoustic and technical countersurveillance testing plan, inspection and certification coordination plan).
No SCIF (or other Zone 5) design work or assessments are started until formal sponsorship is granted, usually at MAJGEN/two star level or equivalent. Aust Govt compliant security zones cannot be constructed based on “if we build it they will come” thinking. In every instance, an official sponsor is obligatory.
In short, there are rigorous standards around SCIFs. As outlined above, in Australia you need to go through SCEC consultancy and proper channels to get a handle on local requirements – you can check out T4’s courses here.
Anyone with more info on this topic is welcome to send it to [email protected] so it can be added to this discussion.