SCIF Construction “A Different Approach” Dell Global Security James T. Baruch February 1, 2012


SCIF Construction “A Different Approach”

Dell Global Security

James T. Baruch

February 1, 2012


SCIF Pre-Construction

“Planning Phase”


Step 1. Have a Need

• Unlike in the past, “Build it and they will come” is not a viable business plan.

• Have the appropriate written authorization.

• For most of us this will be a DD254 with appropriate boxes checked.

• Classification Level

• SCI

• COMSEC

• Storage

• Processing

• Correct SCIF Address/location on DD254.


Step 2. Construction Security Plan

• For contractor facilities ICD 705 looks very similar to DCID 6/9?

– A new requirement of ICD 705 implementation is a CSP.

– Each cognizant authority will approve CSPs prior to giving an “approval to build.”

– The CSP in many cases replaces the “Discovery Meetings” that are routinely held prior to SCIF construction.

– CSP specifies who can build a SCIF

› “Construction and design of SCIFs should be performed by U.S. Companies using U.S. Citizens to reduce risk, but may be performed by U.S. companies using U.S. persons (an individual who has been lawfully admitted for permanent residence as defined in 8 U.S.C. 1101(a)(20) or who is a protected individual as defined by Title 8 U.S.C. 1324b(a)(3)). The Accreditation Official shall ensure mitigations are implemented when using non-U.S. citizens. These mitigations shall be documented in the CSP.”


U.S. Companies & U.S. Citizens.


Step 2. Construction Security Plan – Cont.

• Negotiating with Construction Contractors.

– Require that Employees and Sub-Contractors are U.S. Citizens.

› (Include this in your RFQ and contract language.)

– Ensure that the company and its subs are U.S. Owned.

– Justifications are required for any request not to use all U.S. Citizens.

› In these instances, your justification or exceptions should identify the non-U.S. Citizens, as well as your proposed mitigation strategy within the CSP.

› If you are unsure whether your contractor is U.S. owned, work with your cognizant security agency's industrial security office for assistance.

– At a minimum the Information Technology Infrastructure of your SCIF MUST be installed by U.S. citizens ONLY. (Alarms, wiring, fiber, etc.)


SCIF Building

A different approach:

Working Backwards….


What features does my SCIF need?

• Alarms

• Doors

• Strong Perimeter

• Appropriate Windows

• Appropriate Storage (Paper vs Media – it may be different.)

• Security in Depth

• Lots and lots of paperwork! (logs, inventories, audits, plans, policies, accounts, methods...)


ALARMS

• Test all alarm points (motions and tampers), including door contacts, and alarm panel tampers.

• Ensure sufficient alarm motion sensor coverage.

• Test alarm response and guard force response time. (Type and length of alarm emergency back up?)

• Primary and Secondary pathways? (ISP, POTS?)

• Obtain UL2050 Cert.

• Alarms installed by UL2050 company to UL2050 standards.

• Remove factory defaults from alarm panel.


DOORS

• Sweeps and seals around and under door. Do a light and sound test. (Sound Generators, No discussion signs, auto closers on doors).

• Check locking hardware on main SCIF door, and crash bars on emergency exits.

• BMS and annunciators on emergency exit doors.

• Proper access control (badge swipe or cipher lock) in addition to X-09.


SCIF Perimeter

• Walls are finished and painted above false ceiling?

• No holes or unfinished space above false ceiling.

• Check inspection ports and ensure man bars are properly affixed (to duct, not man-bar frame) with welds or metal epoxy over screws.

• All penetrations have non-conductive breaks or are grounded.

• All open pipes are capped or filled with foam.

• Check tempest foil (if required) extends out the proper length along ceiling.

• Recommend a labeling system for each pipe, wire, duct, etc. above false ceiling. Use reflective tags to help locate inspection ports.


Windows

• Check for Tempest Film (if required.)

• Ensure Windows have blinds or curtains with hardware removed.

• Check coverage and functionality of red lights for un-cleared visitors.

• Ensure guard response time is appropriate for your building. (This may vary based on number and height of windows from ground level.)


Storage Level / Security in Depth

• Does the SCIF have Security in Depth? If so, at what classification? (Example: SCIF is located on a Military installation where only U.S. Cleared Secret personnel can access? Or SCIF is located in a public building also occupied by a University? Fenced in? Control the parking lot?)

• Open or closed storage? Are there adequate safes and safe drawers for Open/Closed storage that allows for separation of programs?

• What is the required alarm response time based on Open/Close and Security in depth?


Paperwork

• Finalized Fixed Facility Checklist (FFC).

• Tempest Worksheet (If required… will be Classified once filled in.)

• Standard Practices and Procedures (SPP SOP).

• Alarm Response Plan & Guard Force Posting instructions.

• Alarm Company Audit Logs

• Emergency Action Plan.

• SCIF Roster / Access Log / OPEN/CLOSED logs.


Paperwork – continued

• Visitor Logs (Cleared and un-cleared/maintenance)

• Safe logs (open/closed logs and Password lists.)

• Reproductions / Destruction logs. (Approved equipment /methods?)

• Classified Document/Media Control logs, Transmittals, and courier briefs (DCS account.)

• Equipment Maintenance Logs

• COMSEC Account.

• Automated Information Systems (AIS) “SSPs.”


Questions?