How to Write a SCIF Transportation Security Plan
A SCIF Transportation Security Plan specifies how and when a SCIF or SAPF will be moved—and what steps must be taken to ensure its security is not compromised.
Before a container or modular SCIF is moved to their final location, the facility will need its own Transportation Security Plan to ensure security is maintained. Photo credit: Canva Photos
The Accrediting Official (AO) for a Sensitive Compartmented Information Facility (SCIF) might require you to have a Transportation Security Plan (TSP) in place before the facility moves to a new location. Though typically used for facilities that are fabricated in one place before they are transported to their final destination, like modular SCIFs or container SCIFs, a TSP is also necessary if the project that necessitated the SCIF moves—even if that move is just down the street.
SCIF requirements for transport are typically included in the Construction Security Plan (CSP), which the Intelligence Community Directive (ICD) 705 mandates. The SCIF Transportation Security Plan must be reviewed and approved by the SCIF’s assigned AO.
The main purpose of the TSP is to document “how the asset is going to get from Point A to Point B” and “how it’s going to have its security maintained while it’s out on the road,” explained Daniel Garcia, a managing partner at Precision Security Consulting who consults on SCIF design, construction, and accreditation. Any specific security or personnel requirements identified by the AO for the transportation phase of the project “would need to get documented in the Transportation Security Plan.”
Who Writes the TSP—and When?
There is no one-size-fits-all approach to TSP writing. “Every project is assessed for security vulnerabilities and evaluated with the project's own set of circumstances in mind,” Garcia said, “so there could be security requirements that are different from one project to another.” That’s why it’s essential to have an experienced Site Security Manager (SSM) at the helm of the project.
It is the SSM’s responsibility to write the TSP and communicate any revisions to the AO. The SSM may need assistance drafting the document as the company in charge of the SCIF’s transport provides information on how and when it will be moved. But because the TSP is part of the CSP, it is “under the purview of the Site Security Manager to draft, maintain, and ensure its enforcement,” Garcia said.
Exactly when the TSP is written varies, but the process typically begins when the SSM identifies which transportation company will be moving the SCIF.
“Typically, the asset is still under construction—and maybe hypothetically, it could be a month or a few weeks out from being done,” Garcia said. “Then you would start getting that information from the transportation company and then develop your TSP, and then submit that to the AO for their review and see if they have any feedback.”
In some cases, the TSP is developed in iterations, with early drafts missing large chunks of information that are filled in later. “It’s always a safe bet” to submit those drafts to the AO, Garcia said, though feedback for each version isn’t guaranteed.
“I would generally recommend communicating any of that stuff to the AO—and that’s the responsibility of the Site Security Manager,” he said.
What Information Must Be Included?
The main objective of the TSP is to outline how the SCIF will get from its starting point to its destination. But the TSP must also identify which company will be responsible for the SCIF’s transport, how long the trip will take, what security measures will be in place, and how to contact the personnel who will be involved in the move.
The transportation company will typically be required to specify what route it’ll take—and on what timeline—while moving the SCIF. The more details it can provide about the highways and exits that will be used, as well as any anticipated pauses for the driver to recharge at rest stops, the better.
In some cases, there may be restrictions regarding who can be involved in the SCIF’s transport. The SCIF requirements set out in the ICD 705 say that the parties involved in a SCIF must be U.S.-owned companies that use U.S. citizens or U.S. persons, and “some projects may have a U.S. citizens only requirement,” Garcia said. “In that case, the transportation company would need to be a U.S.-owned company using U.S. citizen personnel.”
Any personnel requirements would be ”identified at the very beginning of the project,” Garcia said. “The AO would make that determination, and that’s something that is written into the Construction Security Plan.”
As far as security during the trip goes, “‘secure’ may just mean there’s some way of identifying if it has been tampered with,” Garcia explained. In some cases, doors and other openings may have tamper seals applied so that the SSM can later determine whether anyone attempted to break in. Tarps or plastic may also be used to cover the modular or container facilities as they’re being transported. “It’s not like that’s going to keep somebody from going in it if they wanted to,” Garcia said, “but you would be able to identify if somebody did go in if it’s torn or cut open.”
What If Transport Doesn’t Go As Planned?
Once the Transportation Security Plan is approved, it must be followed to the letter—or as close to the plan as possible. Any changes must be documented and sent to the AO. Last-minute changes should be avoided but may be necessary if there are unexpected route or timeline interruptions.
“If the plan has any type of deviation, then the transportation company—or whoever’s transporting that asset—would need to make sure that they notify the Site Security Manager, who can then document the deviation and identify if that’s going to be a problem,” Garcia explained.
What Happens When the SCIF Arrives?
The final step of the TSP involves the SSM officially receiving the SCIF when it arrives at its final destination. Before the SCIF can be installed, the SSM must assess it to check for attempted security breaches.
“If there are tamper seals, they’re checking those tamper seals, walking around and just seeing if they can visually observe any penetration attempts or break-in attempts,” Garcia said. If the modular or container facility instead arrives covered in a tarp or plastic, the SSM will similarly look for signs that those materials have been torn or cut.
Once the SSM has determined that no security breach occurred, the SCIF’s installation can begin.
Are you in need of a SCIF Transportation Security Plan? Contact UMI, who takes care of the whole TSP so you don't have to.