Understanding ICD 705 Compliance: A Complete Guide for Secure Modular Facilities
Making sure your modular SCIF meets all ICD 705 requirements is no joke—and trying to take shortcuts during fabrication will only cost time and money.
When it comes to building SCIFs (Sensitive Compartmented Information Facilities), the importance of meeting all security requirements cannot be overstated. For mobile and modular SCIFs, these requirements are spelled out in the Intelligence Community Directive (ICD) 705, a document that outlines the technical specifications for the construction, accreditation, and maintenance of SCIFs.
While the rules can be a bit looser for temporary facilities (T-SCIFs), the mobile and modular SCIFs that Universal Modular Inc. (UMI) fabricates meet the same high-level accreditation requirements as fixed facilities that handle sensitive information—with no exceptions.
The “no shortcuts” approach popularized by brands like Wendy’s is one that UMI swears by. “We’re Dave Thomas over here with the square patty,” says UMI President Zachary Stark. “We’re not cutting any corners.”
What Is ICD 705?
Before fabrication of a SCIF can begin, a client needs to obtain the ICD 705 technical requirements for their project. These requirements will depend upon several factors, including the nature of the project, where it will operate, and who will be working within or in close proximity to the SCIF.
While each SCIF’s physical and electronic security needs are different, one of the purposes of the ICD 705 is to set a standard for facilities that handle sensitive information. These requirements range from more obvious security mitigations like alarm systems to radio frequency (RF) shielding and acoustic protection levels.
A client won’t know what their ICD 705 requirements will be until their project has been issued a Department of Defense Contract Security Classification Specification (DD Form 254). They will then be assigned an accrediting official (AO), who will provide the ICD 705 requirements specific to the secure facility. Once fabrication is complete, the AO will make an accreditation decision based on whether the SCIF meets all requirements.
Follow the Process
There exists a detailed process for fabricating SCIFs safely and securely—and it’s vital to follow that process from start to finish so that the facility is completed on time and on budget.
The Design Stage
The process starts with the facility’s design plan. It’s at this early point when TEMPEST—the term used in reference to the investigation, research, and control of potentially compromising emanations from electronic devices—becomes part of the conversation. The design team will pull together a TEMPEST checklist (which will include RF shielding requirements) in addition to a Transportation Security Plan (TSP) and Construction Security Plan (CSP).
The AO and the Certified TEMPEST Technical Authority (CTTA) must review the TEMPEST checklist, TSP, and CSP before fabrication can begin. The CTTA will also, at this time, issue a TEMPEST Countermeasures Review (TCR) outlining the specific countermeasures required for your project. Additionally, if the AO or CTTA have feedback, any changes need to be worked into the design and reviewed again before the start of fabrication.
Documentation Is Essential
Once fabrication is underway, every step of the build must be documented—just as with standard construction projects. Hundreds, sometimes thousands, of photos will be taken throughout fabrication and later submitted to the AO, who will use the images to see exactly how the facility came together from its factory beginnings to its placement onsite.
The TSP comes into play once it is time for the SCIF to be moved to its designated end location—and the level of security only rises upon its arrival. In addition to closely following the CSP while mating the SCIF’s wall sections, finalizing the data communications and security systems, and addressing other lingering fabrication needs, UMI enlists the skills and expertise of U.S. citizen workers only onsite for security purposes.
Upon completion, the facility’s Final Fixed Facility Checklist (FFC) will be sent to the client, who must then forward it to their AO. The AO will then visit the site to make their accreditation decision.
Modular SCIFs vs. Fixed Facilities
Fabrication primarily occurs in a factory before a modular SCIF is transported to its designated site. This is the only real difference between a modular SCIF and a traditional construction project. Functionally speaking, modular SCIFs meet all of the same acoustic, RF shielding, control protection, and documentation requirements as fixed facilities.
When it comes to SCIFs, UMI knows that clients can’t afford to take shortcuts and jeopardize their accreditation, which is why we are meticulous in every step of the process, like installing RF foil.
Why Does Compliance Matter?
Put simply: “Compliance matters because if you don’t get accreditation, the program cannot operate,” Stark said.
Clients who don’t follow the process run the risk of winding up with a SCIF that does not meet its security requirements—and that could compromise national security. Cutting corners also has time and cost implications.
For example, if a SCIF’s wall is below its required sound transmission class (STC) level to the point where people talking inside can easily be overheard by those outside, that’s a real threat to the facility’s security. There are mitigations for everything—in this example, a costly sound masking system could be installed to address the issue. But this would delay accreditation, require approval from the AO, and likely result in a less enjoyable work environment.
To avoid costly and timely mitigations, all steps during fabrication need to be documented and completed according to the plans created during the initial design phase. Cutting a corner here or there won’t help—it’ll just delay the process and increase the cost.
Common Challenges
Ensuring that the SCIF is built properly is the most crucial part of ICD 705 compliance. The smallest details, down to things like the acoustic caulking below the bottom wall plates, are critical so that every piece of the puzzle can be installed correctly to meet all security requirements. This is where photo documentation is vital, and it creates accountability during the fabrication process. Though time-consuming, meticulous documentation is the most efficient way to reach the finish line.
Last-minute changes also pose budget and timeline challenges. If a client wants to rework part of their SCIF’s design or security plan, all changes must first be submitted to the AO for approval—and all progress halts in the meantime. Clients should be 100% sure about their SCIF’s needs from the start to avoid extra costs and delays.
Popular Shortcut Requests
“Can I just buy a SCIF and get it accredited later?”
This request is made often—typically by clients who haven’t yet secured their anticipated program or been issued a DD Form 254—but it’s not a good idea.
Clients must receive their DD Form 254 before an AO can be assigned. To stay ICD 705 compliant, the SCIF’s design and security plans must be approved by the AO before fabrication can begin. The government has no obligation to accredit a facility if its assigned AO does not first give it the green light for fabrication.
Incomplete documentation is another shortcut that can cost time and money. While it may seem like it would save time to skip taking some of the photos required during fabrication, documentation needs to be complete for the AO’s review. Missing photos indicate proof is missing of at least part of the SCIF’s build. If that occurs, the AO may request partial deconstruction to ensure the SCIF was put together properly—and that will cost time and money.
If you’re planning to build a modular SCIF, download our Modular SCIF Planning Worksheet to make sure your project is planned properly from the beginning. If you want to make sure your modular SCIF project is ICD 705-compliant the first time, contact us today.