In the 1960s, it would not have been a spy movie without characters avoiding “bugs” by going into the bathroom, turning on the shower and repeatedly flushing the toilet. Preventing secrets from being overheard needs more than the sound of running water, though. If you really have a secret to share, or keep safe, you need a SCIF.

SCIF stands for Sensitive Compartmented Information Facility, a room or series of rooms that have been designed and constructed to prevent outside access to the information being discussed in them. The Federal government has a set of standards spelled out in Intelligence Community Directive 705/IC Technical Specification.

The Cost of Classification

Building a SCIF is costly. Experts note that basic facility security adds a minimum of $50 per square foot to the cost. High end facilities can run $1,000 or more per square foot over the normal costs of construction.

The SCIF is built to prevent the transmission of sound through the walls, floor or ceiling and through HVAC. Common things like running electrical power and internet cabling must be dedicated to the SCIF, and not shared with uncleared facilities. The room may be enclosed in a Faraday cage or other means of preventing electronic transmissions from the space.

There should be just one entrance to the SCIF. Entrance to the area must be using two access control technologies, one for normal day-to-day use, and one for use when the SCIF is in use as a secure facility.

Perhaps the most important aspect of physical security within the SCIF is the proper training and education of those employees going in and out. What goes on in the SCIF should stay in the SCIF. Most major breaches of recent years offer clear examples of what happens when individuals fail to follow SCIF procedures and the rules of their privileged access. Just as security challenges change over time, so, too, do SCIF restrictions. In an era of FitBits and Smart Watches, SCIF users are told to leave any transmitting devices at home. And if you’re looking for a window view – don’t expect to find it inside a SCIF.

WHAT ARE TECHNICAL SECURITY AND TEMPEST SCIF REQUIREMENTS?

SCIFs aren’t just physical spaces. When it comes to protecting classified information, technology places a critical role, as well. In today’s technical environment, SCIF design isn’t just focused on locks and perimeter protections, but on how to keep the phenomena of electromagnetic waves and emanations, aka radio frequency, from leaking classified out of the SCIF. Beyond physical security denying visual, audio, and physical unauthorized access to a SCIF, there is also a technical security component. And, by the way, this vulnerability pre-dates the Civil War. The Faraday cage was invented by English scientist Michael Faraday in 1836, who built a metal foil coated room to demonstrate that electromagnetic conductivity operating on the outside of the facility would not penetrate through the walls—and vice versa.

Secure storage lockers are available to protect physical, on-site documents. SCIFs function like normal offices, with workstations and space to hold meetings. But cellphones and other unsecured devices are barred.

TEMPEST policy and countermeasures for the US Government are the domain of the U.S. National Security
Agency. In fact, they established the codeword TEMPEST – it’s not an acronym – for the phenomena
decades ago. It concerns electronic devices that emit RF and “fortuitous conductors”, such as metal pipes, monitors, power lines, copper wires, poor grounding, HVAC ducts, etc., accidentally conveying the signal beyond the SCIF’s protections. As SCIF construction mandates are for physical protection, TEMPEST countermeasures are for technical security – together with the goal of keeping our most sensitive secrets safe from prying eyes, ears, unauthorized physical access, AND technical exploitation.

The next time that you have the need to discuss classified information with colleagues, don’t head to the washroom. Instead, head to the SCIF.

Related News

Charles Simmins brings thirty years of accounting and management experience to his coverage of the news. An upstate New Yorker, he is a freelance journalist, former volunteer firefighter and EMT, and is owned by a wife and four cats.