Does your business card say NSA, DoD, CIA, or any of the other TLA’s on it? Do you handle Secret, Top Secret, or above classified information? You know you can’t talk about it anywhere but a Starbucks or a SCIF, right?  (Kidding about the Starbucks!)

SCIF? What’s a SCIF? A SCIF is a Secure Compartmentalized Information Facility, where Top Secret and above classified information can be discussed in full confidence that it will not be overheard or intercepted.

But how?

Without going into huge amounts of technical details, the problems faced range from simple to pretty complex. Simple solutions are fiberglass insulation batting to combat someone simply listening in and ventilation ducts where the air has to zigzag (baffled ducts) to combat those same nosy listeners. The walls are thick, to prevent someone from cutting through easily, with expanded metal protecting the wallboard, again to prevent a quick breakin.

Complex solution 1 is an electrically conductive shell, forming a faraday cage, or pretty similar. This makes sure that no radio frequency emissions, from a bug or a Blackberry, get out.

There are guards, locks, and a lot of other ways to make sure there aren’t any leaks.  It has to be protected with a motion detection system, could have cameras, etc.

Building one is not fun. Although the construction isn’t terribly complex, the accreditation and documentation requirements are positively byzantine.  The normal accreditation documents are a binder about 3 inches thick.

So if you need a SCIF, an accredited SCIF, and you need it in the next few days to weeks, without spending months going through the accreditation process, what do you do?

You call Kevin Beer, from MTNGS. He’ll ship you a portable SCIF. With cleared installers, and with guaranteed accreditation. Well, actually, he’ll ship you one once you pay for it.

And it’s not the cheapest thing going. An 8×10 foot SCIF, including everything, roof, walls, floor, installers, accreditation document pre-filled out, etc, is over $180,000.  Could you build one for less? Absolutely! I can double wallboard an 8×10 room, add expanded metal, put up a security system, etc, for a LOT less than that.

So why would I spend that kind of money on a portable modular SCIF from MTNGS?

The one I build isn’t portable. Nor modular. I can’t scan and wrap all the segments of mine, ship it onsite, and build it with 2 people in less than 2 to 3 days. I have to do an investigation of the downstairs tenants, to make sure they’re not going to try to listen in from below. I have to fill out the accreditation docs and go through a full accreditation procedure. Not entirely fun. I mean, have you gone through a government audit/accreditation? Not my idea of a good day. (Don’t tell the IRS I said that!)

Essentially, the RSOC, or Re-Deployable Security Operations Center, is a building built from really big Legos.  2 foot wide panels tongue and groove into each other.

The floor sits on channel iron, with sound dampening foam on top.

Each panel is 2 feet by 8 feet, by about 4 inches thick.  There’s fiberglass acoustic batting, expanded metal mesh, spray on RF dampener, and they weigh about 90 pounds each.  Heavy, but movable.  The roof and floor panels hook to the walls with a bracket.

So it’s a room (RSOC) inside whatever room you put it in.  Moving next year?  Take it with you.  Need to build a SCIF in a country of concern?  Scan, wrap, and ship the components.  If the tamper markers are still good, the components can be put together by 2-3 people in 2-5 days (depends on how big it is).  No need for local labor, or lots of tools.  Ratchet wrench, drill, screwdriver, done.

Pretty cool, and it makes sense.  But wait, there’s more!  They guarantee accreditation.  Apparently, they have 4 former accreditors on staff to make sure you don’t have problems.  They even send you the accreditation binder, pre-filled out.

I went inside the sample/demo unit they’ve got in their headquarters in Leesburg, Va.  LED lighting, plenty of A/C, and it felt very professional.  It’s not a T-SCIF (Temporary SCIF), but a full working SCIF, which 2 of them built inside of a day inside a room in a typical office building in Leesburg.

Did I mention the pink noise generators?  One of the only available options, the pink noise generator actually turns the panels into speakers broadcasting pink noise.  If you’ve never heard it, pink noise sounds a bit like conversation from a distance. So basically, from the outside, the RSOC perpetually sounds like a conference room, when you’re sweating, about to give that presentation to the three levels of bosses above you.  And they’re all talking, so you don’t know when to go in?  Yeah, that room.

If you don’t have the budget, and do have the time, expertise, and Tums for the accreditation process, build your own.  It’s cheaper, and you can build expertise in the accreditation process, as well as the building process.

If you have the budget, and need what MTNGS is selling, i.e., portability, guaranteed accreditation, and modularity, then you should definitely take a look.  They guarantee accreditation, and handle a lot of the details for you.  As far as I know, they’re the only ones building portable SCIF’s out there right now.  Have you seen any others?

Related News

Joshua Marpet is on the Board of Directors of two Infosec conferences, BSides Las Vegas, and Security BSides Delaware. He is also staff at Derbycon, Shmoocon, and as the "InfoSec Megaphone", anywhere else he goes. Joshua is an experienced Forensic, Incident Response, and mobile forensics expert and researcher. As an adjunct professor at Wilmington University, he teaches Information Security at an NSA/DHS certified Center of Academic Excellence. In his professional life, he is a managing partner at Guarded Risk, a proactive forensics and proactive incident response firm.