[Novalug] OT: SCIF Room construction

Clif Flynt CLIF@CFLYNT.COM
Sun Mar 30 17:08:15 EDT 2014


Hi,
  I was peripheral to building our SCIF room in Warrenton for DoD
Secret (not Top Secret) work.

  There wasn't much exciting in the construction aside from the obvious
things like getting the mesh in place and ordering the right doors and
locks.  In the NoVa area there are contractors who understand SCIF and
know what to do without you supervising each bolt & wirecutter.

  One trick about DoD security is that while access and protection is
important, what's *REALLY* important is traceability.  They want to
keep someone away from the military secrets, but the assumption is that
someone will get in eventually. When that happens, they want to know
exactly which secrets were compromised, not have to change the orders
for every ship, plane and private in the whole defense dept.

  Thus, all the wiring (power and network) is on the outside of the
walls, not inside, the way we'd do normal household wiring.  That's so
you can see if anyone has cut or tapped anything.

  Walls may be flimsy enough that you could punch through them, but
you can't punch through and patch it up so cleanly that it's not
obvious it was damaged.

  The inspector described it like this: a security padlock would not just
be hard to break open, but if you broke it open, it would fall apart into
a million pieces.  You couldn't smash it open, then slam it shut again
and have it look like it was still locked.

  In our case, we had an unmanned space, so we had secure file cabinets
where all documents were stored when the room was not manned.  I suspect
that these were fastened to the floor.  They are heavy enough when
empty that I never tried to move one.

  Others have mentioned procedures.  The cabinets required you
sign out what you took out of the drawers, and when it went back.
Ditto keeping a log of folks who entered the room, timestamps, etc.

  The computers in our room did not connect to the outside world. This
made my life a bit simpler.  I still needed to put in all the security
tweaks: PAM needed to enforce secure passwords and lock-outs when
people failed to log in correctly, etc., but at least I didn't need quite
so much protection at the (non-existent) perimeter.

  I joked at the time that the only computer that would pass the
security requirements was turned off and broken (both).  It's not
quite that bad, but it's worth reading the appropriate documents
for your group to see what you need.   There are some how-to type
docs now that are much better than the Orange Book guidelines.  The
DoD inspectors have check-sheets that you might be able to get before
they arrive to confirm that you have the appropriate i's dotted.

  Most places already have a security system in place, but you might
want to check that your security team has the appropriate level of 
observation for whatever agency you're dealing with.  I know ours will
call within a minute of anyone forgetting to enter their passcode.

  The guy who did the physical end of setting up our SCIF considered
having a secure area added to his house so he could work at home.  Once
he finished getting all the ducks in a row for the company, he decided
that making his own SCIF and keeping it in spec was much too much work
and he'd commute to the office instead.

  Hope this helps,
  Clif

-- 
... Clif Flynt ... http://www.cwflynt.com ... clif@cflynt.com ...
.. Tcl/Tk: A Developer's Guide (3'd edition) - Morgan Kauffman ..
....21'st Tcl/Tk Conference: Nov 10-14, 2014 Portland, OR, USA...
.............  http://www.tcl.tk/community/tcl2014/  ............
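An added example, not part of Clif's post or of any DoD document: a small POSIX shell audit of the two host-level controls he mentions, password quality and lockout after failed logins, as they appear in a Linux-PAM stack. The two PAM stacks below are constructed for the demonstration (real ones live under /etc/pam.d/); the module names and options (pam_faillock.so deny= and unlock_time=, pam_pwquality.so minlen=) are real, but the thresholds and the function names are assumptions, not the poster's settings.

```shell
#!/bin/sh
# Added example (not from the original post): check a PAM auth stack for
# a login-lockout module and a password-quality module with sane thresholds.
# Thresholds and function names are assumptions chosen for the demo.

# Constructed sample of a "system-auth"-style stack that has both controls.
SAMPLE_PAM_CONFIG='auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent deny=5 unlock_time=900
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail deny=5 unlock_time=900
account     required      pam_faillock.so
password    requisite     pam_pwquality.so retry=3 minlen=14 dcredit=-1 ucredit=-1
password    sufficient    pam_unix.so sha512 shadow use_authtok'

# Constructed sample of a stack with neither lockout nor quality checks.
WEAK_PAM_CONFIG='auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
password    sufficient    pam_unix.so sha512 shadow'

# pam_has_lockout CONFIG MAX_DENY
# Succeeds (returns 0) when an auth line loads pam_faillock or the older
# pam_tally2 with deny= at or below MAX_DENY and an explicit unlock_time=.
pam_has_lockout() {
    cfg=$1; max_deny=$2
    line=$(printf '%s\n' "$cfg" | grep -E '^auth[[:space:]].*pam_(faillock|tally2)\.so.*deny=' | head -n 1)
    if [ -z "$line" ]; then return 1; fi
    deny=$(printf '%s\n' "$line" | sed -n 's/.*deny=\([0-9][0-9]*\).*/\1/p')
    unlock=$(printf '%s\n' "$line" | sed -n 's/.*unlock_time=\([0-9][0-9]*\).*/\1/p')
    if [ -z "$deny" ] || [ "$deny" -gt "$max_deny" ] || [ -z "$unlock" ]; then return 1; fi
    return 0
}

# pam_min_password_len CONFIG MIN
# Succeeds when a password line loads pam_pwquality or pam_cracklib with
# minlen= at least MIN.
pam_min_password_len() {
    cfg=$1; want=$2
    line=$(printf '%s\n' "$cfg" | grep -E '^password[[:space:]].*pam_(pwquality|cracklib)\.so' | head -n 1)
    if [ -z "$line" ]; then return 1; fi
    minlen=$(printf '%s\n' "$line" | sed -n 's/.*minlen=\([0-9][0-9]*\).*/\1/p')
    if [ -z "$minlen" ] || [ "$minlen" -lt "$want" ]; then return 1; fi
    return 0
}

# audit_pam_stack NAME CONFIG
# Prints one line per control and succeeds only when both pass.
audit_pam_stack() {
    name=$1; cfg=$2; ok=0
    if pam_has_lockout "$cfg" 5; then echo "$name: lockout       OK"
    else echo "$name: lockout       MISSING or deny > 5"; ok=1; fi
    if pam_min_password_len "$cfg" 12; then echo "$name: pwquality     OK"
    else echo "$name: pwquality     MISSING or minlen < 12"; ok=1; fi
    return $ok
}

# Stand-alone usage: audit both constructed stacks.
audit_pam_stack sample "$SAMPLE_PAM_CONFIG" || true
audit_pam_stack weak   "$WEAK_PAM_CONFIG"   || true
```

To run it against a real host, replace the constructed strings with `$(cat /etc/pam.d/system-auth)` or the equivalent file for your distribution; the parsing is deliberately line-oriented so it works with the plain `grep` and `sed` found on a minimal install.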