Secure Facilities: Lessons from the SCIFs

A framework for applying federal security standards to private-sector facilities

Secrets aren’t advertised; they are protected. The government keeps some of the biggest secrets of all—the exposure of which might pose a threat to national security—in places where the name hides nothing: a Sensitive Compartmented Information Facility (SCIF). But the buildings carrying the SCIF label are made to hide everything.

A government rule called “The Director of Central Intelligence Directive 6/9” details the physical requirements for SCIF construction: Walls, floor and ceiling must be permanently constructed and attached to each other. They should also be reinforced on the inside with steel plates, and slab-to-slab with 9-gauge expanded metal. All doors, windows, walls, floors, vents and ducts must be protected by sound masking devices, such as noise and vibration generators, bars, grills or sound baffles, in order to meet sound attenuation criteria and prevent disclosure of conversations. Entrance doors should be limited to one, which must be equipped with locks and alarms, and made of solid wood (no less than 1-and-3/4 inches thick) or clad with 16-gauge metal (no less than 1-and-3/4 inches thick). And, most important of all: The building must be nondescript enough so that you can’t tell what it is.

[Also see 19 ways to build physical security into a data center]

“The concept behind SCIFs was to create a secure area that had appropriate protections in place to ensure to the greatest extent possible that the highly sensitive information inside would not be compromised,” says Lynn Mattice, VP and CSO at Boston Scientific, a manufacturer of medical devices. Mattice is familiar with the requirements around SCIF construction: As director of corporate security at Northrop during the major defense buildup of the Reagan administration, he oversaw the completion of multiple rooms built to SCIF standards. At Whirlpool, where he was director of corporate security for a number of years, and now at Boston Scientific, Mattice says he has built soundproof rooms and does sweeps for electronic countermeasures from time to time.

While it’s unlikely that the cost-benefit calculation for a private-sector organization would lead many businesses to build a facility meeting all of the requirements of a government-mandated SCIF—such features can add hundreds of dollars per square foot of office space—there are lessons to learn about secure facilities from the people who construct them according to the federal government’s strict specifications. Most large organizations would benefit from employing some of the requirements, says Hal Walter, a classification compensation analyst at the University of North Carolina at Charlotte. “Some global organizations today are just as large as the governments that these facilities were designed for,” Walter says.

The key is to know what information is sensitive enough to require many of the same methods the government uses to guard its secrets. ASSESS WHAT YOU NEED TO PROTECT

For the past five-plus decades—think history of the Cold War—the government has maintained a hierarchy of classified information, determined by the level of threat its exposure would bring to the United States:

Top Secret owns the list: Its public knowledge would pose grave danger to national security. Weapons design specs and sensitive intelligence fall within this category. Secret (the level that most classified information in this country is assigned) means if this information was leaked, it would cause serious damage. Confidential information would harm national security if it were made public; while it’s the lowest level, it is still information that the government does not want made available.

Sensitive Compartmented Information (SCI) refers to the security wrapped around access to this classified information—not the information itself. SCI is often loosely applied to describe all sensitive materials, and that’s not correct, says Ben Shaw, facilities security officer (FSO) at advisory Morgan Franklin. “People use it as a blanket term,” he says, when in fact, it’s more like an extra layer of security, usually applied to special access programs or special government projects.

For example, the Department of Defense may want to limit access to sensitive information about a particular project so only people working on the project have access. Thus even an individual possessing a Top Secret security clearance would need specially granted access to that information (which would be maintained within a SCIF). There is no universal SCI clearance (as there is for Top Secret clearances) because an SCI access authorization is related to specific programs or information. Mattice says that before you even go through the clearance process, a contract sponsor from the government will certify that you “need to know” SCI level information. “Most SCI access authorizations require one of the most in-depth background investigations the government runs,” says Mattice. Such a clearance may also require a polygraph exam and periodic reexaminations, says Mattice.

For the purposes of this article, substitute other business-critical words for “national security” when thinking about secure facilities. Walter thinks that companies would be most driven to protect matters that could be embarrassing or costly or would give advantages to a competitor. Mergers and acquisitions are good examples. “If my company was up for a merger, or I was going to discuss a takeover, controlling leaks would be critical. A company needs an area where people in upper management can securely discuss things or look at documents,” says Walter. Data such as customer account information, health records and Social Security numbers would also be considered highly sensitive. And internal company information, such as business plans, should be protected as such.

Labeling sensitive information at your company will stem from a combination of your corporate goals and the need to comply with government regulations such as the Health Insurance Portability and Accountability Act or the Trade Secrets Act.

This discussion of sensitive information ties into a risk analysis of both the data sets you want to keep secure and the intellectual property you have in your company’s portfolio.

Organizations with government contracts don’t have much choice when it comes to the information they protect: SCIF design specifications are spelled out for them. Security executives and their business colleagues have to make these assessments themselves.

Michael Creaney, a principal and director of development at the Creaney & Smith Group, a commercial real estate developer, says that just as the level of cleanliness in a clean room, which is used by drug manufacturers, depends on what is occurring inside of it (counting, mixing or testing drugs), the level of SCIF security depends on the information within it.

Understanding what needs to be protected will start with prioritizing sensitive data. “You need to look at the information you are trying to protect, decide what the consequence would be if the information was leaked, and what you are willing to do to keep that from happening,” says Walter. Some organizations find it useful to bring in outside consultants to help this evaluation process. PROTECTION AT A PRICE SCIFs are expensive, and for that reason, experts say companies with government contracts should follow the letter of their government specs—and no more. So corporations employing SCIF-inspired standards for facility management, for heating, ventilation and cooling systems, for access control or electrical wiring, should pick and choose the requirements from the government directives that are best suited to meet their needs.

Even the lowest-level SCIF requirements come at a cost. “At the lowest level, the [facilities] are secured physically and electronically for preventing the loss of info, data and material,” says Creaney, who has been building and retrofitting office space for SCIFs since 1984. This lowest level—government SCIF projects reach five or six different levels, Creaney says—is probably what would benefit most corporations, experts say. At that level, SCIFs may cost an extra $50 per square foot (above and beyond normal office space cost); toward the higher end, as much as $350, Creaney says. Mattice cites a range from $150 to as much as $1,000 per square foot. Shaw of Morgan Franklin says that the cost of a 2,000-square-foot SCIF divided into multiple offices can run from $400,000 to $1 million.

Walter says that it is essential for companies working on buildings with SCIF-level features to work with a contractor who can see the reasons behind extra precautions: “Otherwise you may end up with a nice-looking facility that leaks like a sieve because the people building it did not understand the reasoning behind the plans.” THINK IN LAYERS Secure facilities experts like Shaw, Creaney and Tabetha Chandler, president of consultancy and SCIF builder FSO To Go, spend a lot of time studying government specifications for constructing secure facilities. The reasons for this range from the different rules that authorities have set out for what makes a secure building (see “By the Book,” this page) to the fact that they say more government programs require secure facilities since the September 11 terror attacks. They deliver a clear message from this experience as bureaucratic interpreters: Know how your facility and staff need to work so you can secure assets needing protection. And be ready to do it for a long time. “It’s unfortunate that people build things and then become complacent—when it’s time to enact that level of security they don’t posture their business or train their staff to fully understand the requirements,” says Chandler. For that reason, these experts say you should think about secure facilities as not one entity, but many. Some examples: Physical security. Chandler says that security officers need to understand their building’s surroundings and environment. “Physical security is always the center point of securing classified information,” she says. “Look at who is 200 meters around you; don’t just center on your office suite or headquarters.” At the minimum, says Walter, the facility should have one access point or door devoid of any gaps, and ductwork openings that are secure. Information security. Phones should have filters that prevent wiretapping, says Walter, and encryption is vital. “It tends to be transparent to the user, and it can be easily installed and upgraded.” Controlling electronic transmissions can be accomplished with shielding, filters, grounding and devices limiting radio frequency (RF) emissions. Shielding the walls of the SCIF with foil and other conductive materials will help ground electronic signals generated within the SCIF, says Walter. Employee security. Last but most important is the human factor. “The best security systems, even ones built by the CIA, can be and have been compromised by employees,” Walter notes. A select number of designated employees should be assigned responsibility for certain facets of security, such as inventory of data and documents, says Walter. If employees violate policies and procedures, they must be held accountable, he adds. It’s also important to have an efficient way to identify employees who don’t follow security measures and resolve the situation immediately, he says. Even if your company doesn’t require a security clearance, you should know who has access to the data. And, of course, vetting everyone on the secure site through background checks is a must.