Download Intelligence Community Standard Number 705-1 and more Lecture notes Construction in PDF only on Docsity!
INTELLIGENCE COMMUNITY STANDARD
NUMBER 705-
ICS 705- 1
PHYSICAL AND TECHNICAL SECURITY STANDARDS FOR SENSITIVE
COMPARTMENTED INFORMATION FACILITIES
(EFFK'TlVE: 17 SEPTEMBER 2010)
A. AUTHORITY: The National Security Act of 1947, as amended; Executive Order 12333, as amended; Executive Order 13526; Intelligence Community Directive (leD) 705, Sensitive Compartmented Information Facilities; and other app li cable provisions of law.
B_ PURPOSE I. This Intelligence Community Standard sets forth the physical and technical security
standards that apply to all sensitive compartmented information facilities (SelF) , including
existing and new construction, and renovation of SerFs for reciprocal use by all Intelligence Community (Ie) elements and to enalble information sharing to the greatest extent possible.
- The standards contained herein facilitate the protection of sensitive compartmented infonnation (SCI), including protection against compromising emanations, inadvertent observation or overhearing, disclosure by unauthorized persons, forced entry, and the detection of surreptitious and covert entry.
3. The Assistant Deputy Director of National Intelligence for Security (ADDNlISEC) shall,
in consultation with IC elements, develop and establish technical specifications to implement SClF standards that include descriptions of best practices. The ADDNIISEC shall, in consultation with Ie elements, review and update the Technical Specifications/or Construction and Management a/Sensitive Compartme nted Information Facilities (hereinafter "Ie Tech Spec ") on an ongoing basis.
c. ApPLICABILITY
1. This Standard applies to the Ie, as defined by the National Security Act of 1947, as
amended; and such other elements of any other department or agency as may be designated by
the President, or designated jointly by the Director of National Intelligence and the head of the
department of agency concerned, as an element of the Ie.
ICS 705·\
- Ie elements shall fully implement this Standard within 180 days of its effective date.
a. Facilities under construction or renovation as of the effective date of reD 705 shall be
required to meet these standards or request a waiver to the standards.
b. SCIFs accredited as of the effective date ofICD 705 shall continue to be operated in
accordance with the physical and teclmical security requirements applicable at the time of the
most recent accreditation or re-accreditation.
c. SerFs that have been de-accredited for less than one year but continuously controlled at
least at the Secret level (in accordance with 32 CfR Parts 2001 and 2004) may be re-accredited
one time, based upon the standards used for the previous accreditation.
D. RECIPROCAL USE
These standards are designed to ensure the protection of SCI and provide a secure
environment for infonnation sharing and reciprocal use ofSCIFs. Any SCIF that has been
accredited by one IC element head or designee shall be reciprocally accepted by all IC elements
when there are no waivers to these sumdards. Standards for reciprocal use are detailed in IC
Standard 705- 2, Standards for the Accreditation and Reciprocal Use of Sensitive Compartmented
Information Facilities. A waiver may be necessary only in extraordinary circumstances when
these standards cannot be met. Waive:rs are detailed in section H of this Standard.
E. RISK MANAGEMENT
1. Analytical risk management is the process of assessing threats against vulnerabilities and
implementing security enhancements to achieve the protection of information and resources at an
acceptable level of risk, and within acceptable cost. The Accrediting Official (AD) must ensure
the application of analytical risk management in the SelF planning, design and construction
process.
2. Security in Depth
a. Security in Depth (SID) is the acceptance of the AO of external and/or internal SelF
factors that enhance the probability of detection before actual penetration to the SelF occurs by
the existence of a layer or layers of s(xurity that offer mitigations for risks.
b. To qualify for SID, at least one layer identified in the IC Tech Spec shall be applied.
c. SID inside the United States will allow Cognizant Security Authorities (CSA) to use
less stringent construction techniques, and increase the alarm response times.
d. SID is mandatory for SClFs located outside the United States due to increased threat.
F. SelF PLANNING AND DESIGN
1. selF security begins with the planning and design phase. To ensure security oversight is
applied throughout development and accreditation, all SCIF planning shall begin with
sponsorship by an AO.
2. Facility Types. Detennining where the SCIF will be located and how it will be used is
necessary in determining what security enhancements may be necessary. Reciprocal use of the
SClF shall be based upon the type of facility and its current use. (For example, a facility
ICS 705·
trained, and assigned to a project for the purpose of ensuring the security integrity of a site, building, and/or material/items) may be required when the threat warrants as dctcnnined by the AO. See additional guidance in the Ie Tech Spec for overseas SeIFs built within facilities under COM authority.
d. When SelF renovations require that construction personnel enter an operational SelF,
they shall be cleared or be escorted by personnel cleared to the level of the SelF. See additional
guidance in the Ie Tech Spec for ove:rseas SerFs built within fac ilities under COM authority.
c. SCI indoctrinated escorts may not be required when a barrier has been constructed to
protect the SelF from the areas identified for construction.
f. Access control to the construction site is required and shall be addressed in the CSP.
G. PHYSICAL AND TECHNICAL SECURITY STANDARDS
I. Physical Security for SCIFs a. Perimeter (1) The perimeter of the SCIF includes a ll perimeter walls, windows and doors as well as the ceiling and floor.
(2) The perimeter of the SCIF sha ll provide a physical barrier to forced, covert and surreptitious entry.
(3) Walls, floor and ceiling shall be permanently and solidly constructed and attached to each other. Raised floors and false: ceilings shall not be used to anchor wall support materials. All construction, to include above the: false ceiling and below a raised floor, shall be constructed to provide visual evidence of unauthorized penetration.
(4) When RF shielding is required by Certified TEMPEST Technical Authority (CIT A) evaluation, it should be planned for installation during initial construction as costs are significantly higher to retrofit after construction is complete.
(5) SCIFs that require disl;:ussions of SCI shall provide acoustic protection to prevent conversations from being inadvertently overheard outside ofthe SClF.
(6) Details for the construction of the perimeter to meet standards shall be provided within the Ie Tech Spec for SCIFs.
- Technical Security Standards for SCIFs a. RF transmitters shall not be introduced into a SCIF unless evaluated and mitigated to be a low risk to classified information by a competent authority (e.g., CTTA) and approved by the AO.
b. Access Control Systems (1) Access to SerFs is restricted to authorized personnel. Access control methods shall be approved by the AO.
(2) Access control methods may include anyone of the following but are not approved for securing SelF entrances when the SelF is unoccupied:
ICS 705-
(a) Automated access control systems using at least two technologies (badge, PIN, biometric, etc.)
(b) Electromechanical, mechanical or personal recognition (in small facilities and/or where there is a single monitored entrance)
c. Intrusion Detection System (1) Intrusion Detection System (IDS) shall detect attempted or actual unauthorized
human entry into a SelF.
(2) IDS installation, relat~:d components, and monitoring stations shall comply with Underwriters Laboratories CU L) 2050 Extent 3 standards. Systems developed and used exclusively by the U.S. Government do not require UL certification but shall comply with UL 2050 Extent 3 standards for installation.
(3) Contractor SeIFs shall maintain a current UL certificate of installation and service. Any changes to the IDS after the certificate is issued shall require renewal of the certificate.
(4) SCrFs accredited prior to the effective date ofICD 705 are not required to upgrade to current IDS standards. IC elements shall ensure that upon re-accreditation the SCIF is compliant with current IDS standards, unless a waiver is granted in accordance with ICD 705..
(5) Response times for IDS shall meet 32 CFR Parts 2001 and 2004 for protecting Top Secret information.
(6) For SCIF construction. under COM authority, IDS installations shall be coordinated with the Department of State (DoS), Overseas Building Operations and the Bureau of Diplomatic Security.
d. Unclassified Telecommunkations Systems (I) Any unclassified telecommunications system introduced into the SCrF shall be evaluated by the CITA and AO for tiechnical surveillance countermeasures and TEMPEST concerns.
(2) Unclassified telephone systems introduced within the SelF shall meet National Telephone Security Working Group requirements for security. See Ie Tech Spec for details.
e. Portable Electronic Devices (1) Portable Electronic Devices pose a risk to SCI since they often include capabilities to interact with other information systems and can enable hostile attacks targeting classified infonnation in Se lFs.
(2) The Ie Tech Spec provides details and guidance for PED restrictions within SCIFs.
- Temporary SelF Standards: Toempo rary SCIFs that are required for emergency, tactical or other immediate operational needs often require additional security considerations including OPSEC. These facilities are addresst!d as a separate topic in the Ie Tech Spec.
- Overseas SCIFs a. Overseas SClFs may be:
rcs 705 -
(2) The mitigation techniques considered that are not sufficient to meet the standard (3) Justification for the waiver (4) A statement of residual risk (5) Guidelines, policies andlor procedures that will be implemented to reduce risk
caused by the waiver
(6) Time expectation when the standard will be met and the waiver will no longer be required. (7) A statement of acceptance of reciprocal use.
b. A waiver request submitted when a standard will be exceeded shall include the
following: (I) The standard that will be exceeded (2) A statement of documented risk that justifies the need to exceed standards (3) Time expectation that the waiver will no longer be required (4) A statement of acceptance of reciprocal use
- Within 30 days of approval, w.aivers shall be reported to the Assistant Director of National Intelligence for Policy, Plans, and Requirements (ADNIIPPR) via the Ie selF repository.
I. OPERATIONS AND MANAGEMENT
Once accredited and operational, the operations and management of a SelF provides a continuous security posture. The Ie Tech Spec provides standards for operational and management efforts that enable continuing security.
J. ROLES AND RESPONSIBILITIES
- The ADDNI/SEC shall: a. Develop and establish teclmical specifications to implement this Ie Standard. b. Provide programmatic oversight of the implementation of this Ie Standard. c. Resolve disputes between and among selF stakeholders with this Ie Standard. d. Identify and incorporate Ie best practices into the Ie Tech Spec established pursuant to section 8.3 of this Ie Standard.
e. Develop training to ensure a common understanding of these standards and mitigations.
f. Recommend, in consultation with Ie elements, to the ADNIIPPR substantive or
technical amendments to this Ie Standard, as appropriate.
- Heads of IC Elements shall: a. Implement the provisions of this Standard. b. Approve waivers to this St.andard, as appropriate.
- CSAs shall:
lCS 705-
a. Provide oversight of the SelF construction and accreditation program under their
security purview.
b. Ensure the timely input of :required SelF data to the Ie sel F repository.
- AOs shall:
a. Provide security oversight of all aspects of SelF construction under their security
purview.
b. Review and approve the de:sign concept, esp, and final design for each construction
project prior to the start of construction. c. Depending on the magnitude of the project, detennine if the SSM perfonns duties on a
full-time, principal basis, or as an additional duty to on-site persOImcl.
d. Accredit SCIFs under their cognizance.
e. Prepare waiver requests fo J[' the Ie element head or designee.
f. Provide the timely input of all required SelF data to the Ie sel F repository.
g. Consider S[D on U.S. Government or U. S. Government sponsored contractor facilities to substitute for standards herein. SID shall be documented in the CSP and the Fixed Facility Checklist.
- SSMs shall: a. Ensure the requirements herein are implemented and advise the AO of compliance or vanances.
b. In consultation with the AO , develop a CSP regarding implementation of the standards herein. This document shall include actions required to document the project from start to finish. c. Conduct periodic security inspections for the duration of the project to ensure compliance with the CSP. d. Document security violations or deviations from the CSP and notify the AO within 3 business days.
e. Ensure procedures to control site access are implemented.
- CTTAs shall: a. Review SCIF construction or renovation plans to determine if T EMP E ST countermeasures are required and recommend solutions. To the maximum extent practicable, TEMPE ST mitigation requirements shall be incorporated into the SCIF design.
b. Provide the CSA and AO with documented results of review with recommendations.
- CSTs shall: a. Supplement site access controls, implement screening and inspection procedures, as well as monitor construction and personnel, when required by the CSP. b. In low and medium technical threat countries, begin surveillance of non-cleared workers at the start of SCIF construction or the installation of major utilities, whichever comes first.
