Home » Identity & Access » Access Control

Secure Facilities: Lessons from the SCIFs

A government rule called The Director of Central Intelligence Directive 6/9 details the physical requirements for Sensitive Compartmented Information Facilities (SCIFs)

Labeling sensitive information at your company will stem from a combination of your corporate goals and the need to comply with government regulations such as the Health Insurance Portability and Accountability Act or the Trade Secrets Act.

This discussion of sensitive information ties into a risk analysis of both the data sets you want to keep secure and the intellectual property you have in your companyâ¬"s portfolio.

Organizations with government contracts donâ¬"t have much choice when it comes to the information they protect: SCIF design specifications are spelled out for them. Security executives and their business colleagues have to make these assessments themselves.

Michael Creaney, a principal and director of development at the Creaney & Smith Group, a commercial real estate developer, says that just as the level of cleanliness in a clean room, which is used by drug manufacturers, depends on what is occurring inside of it (counting, mixing or testing drugs), the level of SCIF security depends on the information within it.

Understanding what needs to be protected will start with prioritizing sensitive data. â¬SYou need to look at the information you are trying to protect, decide what the consequence would be if the information was leaked, and what you are willing to do to keep that from happening,â¬ says Walter. Some organizations find it useful to bring in outside consultants to help this evaluation process.

PROTECTION AT A PRICE

SCIFs are expensive, and for that reason, experts say companies with government contracts should follow the letter of their government specsâ¬and no more. So corporations employing SCIF-inspired standards for facility management, for heating, ventilation and cooling systems, for access control or electrical wiring, should pick and choose the requirements from the government directives that are best suited to meet their needs.

Even the lowest-level SCIF requirements come at a cost. â¬SAt the lowest level, the [facilities] are secured physically and electronically for preventing the loss of info, data and material,â¬ says Creaney, who has been building and retrofitting office space for SCIFs since 1984. This lowest levelâ¬government SCIF projects reach five or six different levels, Creaney saysâ¬is probably what would benefit most corporations, experts say. At that level, SCIFs may cost an extra $50 per square foot (above and beyond normal office space cost); toward the higher end, as much as $350,

Creaney says. Mattice cites a range from $150 to as much as $1,000 per square foot. Shaw of Morgan Franklin says that the cost of a 2,000-square-foot SCIF divided into multiple offices can run from $400,000 to $1 million.