ICD-705 Frequently Asked Questions (FAq)

Different organizations have different requirements, but all SCIF/SAPF planning must start with sponsorship from an Accrediting Official (AO). The Intelligence Community Standard Number 705-1 (ICS 705-1) states in section F.1 'To ensure security oversight is applied throughout development and accreditation, all SCIF planning shall begin with sponsorship by an AO'. While a general statement, it is vital to project success as it allows the AO to establish requirements to be met for accreditation from the start, enabling proper planning, cost estimating, designing, and subsequent contracting. To receive sponsorship, the project security office needs to submit a Concept Approval Request (CAR) to the SCIF/SAPF Cognizant Security Authority (CSA) AO. 

Again, different organizations have different requirements, but before the design starts the project should have:

• AO Sponsorship
• Submitted Pre-Construction Checklist & Initial TEMPEST Checklist to AO - Submission part of the CAR process & must be approved by AO prior to design start
• Assigned Site Security Manager (SSM)
• Completed Risk Assessment
• TEMPEST Countermeasure Review (TCR) - Returned by the Certified TEMPEST Technical Authority (CTTA) 
• Construction Security Plan (CSP) Draft - Final version by 30% design mark

Yes. Every project, inside and outside of the US, must have an SSM. The SSM may be US government, US military, or US contractor and may be Full Time or Part Time, as confirmed by the AO, however, the SSM shall not work for the general construction contractor per the Pre-Construction Checklist section 3.1.2. and DoDM 5105.21.v2 section 4.b.

The need for CSTs is primarily risk driven. In overseas environments, the answer is typically yes, the project must have CSTs. For projects within the US, the answer may be yes or no, depending on the risk of the project and the mitigations necessary to address the risk. The AO, and only the AO, has the final say on if CSTs are required on a project. Just because a project is in the US does not automatically signify CSTs are not needed. The need for CSTs shall be identified following the risk assessment and outlined on the Pre-Construction Checklist (section 3.2-3.2.2), then confirmed by the AO. If CSTs are required, they shall be described in the project CSP and must be planed for early to allow for sourcing, funding, contracting, deployment, and other individual project requirements. 

The IC Tech. Spec. states in section 3.B.1. 'Prior to awarding a construction contract, a CSP for each project shall be developed by the SSM and approved by the AO.' While this statement is not incorrect, the CSP needs to be submitted and approved far in advance than just before the construction contract is awarded. The early CSP approval is critical for project planning, cost estimations, and contractural impacts. Any security requirements that will/may impact the construction contractor Cost, Scope, and/or Schedule must be identified, planned for, and included into the construction contract solicitation package to avoid contract modifications post award.  

It is critical that a security representative, usually the SSM, is deeply involved in the design and design review process of any SCIF/SAPF construction project. This inclusion ensures that security and construction accreditation requirements are included, and accurately, into the final design package to provide a streamlined final accreditation process. An SSM must have the knowledge and skillset to look at a set of blueprints and confirm the design of the SCIF/SAPF is all inclusive of accreditation requirements. The design review should not only confirm requirements are stated properly, but that they are designed to perform to the requirements, e.g. the perimeter wall may state STC 45, but the wall detail may not be designed to perform to STC 45 standards. It is critical that design issues related to construction accreditation requirements are identified and corrected throughout the design review process to avoid unnecessary, and costly, contract modifications during construction. 

The short answer to this question is No, not every SCIF/SAPF required TEMPEST countermeasures. TEMPEST countermeasures are required on a project by project basis depending upon a variety of project specific considerations and variables. The CSA CTTA, through the AO, shall review the project specifics (identified on the initial TEMPEST checklist) to determine what, if any, TEMPEST countermeasures are required. With that, two critical notes:

• If TEMPEST countermeasures are required, they must be included into the design and planned for early. TEMPEST countermeasures are expensive and the project cost estimations will be impacted greatly when required. 
• Due to a variety of changing tides related to technical risk & emerging technologies, there continues to be an increase with TEMPEST countermeasure requirements applied for new projects. Do not assume that just because a past project did not require TEMPEST countermeasures, a new project will not require them, no matter how similar the projects.