Space above false ceiling only outside the United States , if required :. Space below false floor only outside the United States , if required :. Is emergency power available for the IDS?
Emergency Procedures documented? Reserve Force available? Are response procedures tested and records maintained? Is the IDS tested and records maintained? Do the CTS installers and programmer have security clearances? If no, provide make and model number of telephone equipment, explain your configuration, and attach a line drawing?
Is access to the facility housing the switch controlled? Are all lines between the SCIF and the switch in controlled spaces? Does the CTS use remote maintenance and diagnostic procedures or other remote access features? Is there a hold or mute feature?
If no, are approved push-to-operated handsets provided? Is there an automatic call answering service for the telephones in the SCIF? Do all areas of the SCIF meet acoustical requirements? Compliance with these requirements is mandatory for all SCIFs established after the effective date of this annex. The IDS complements other physical security measures.
IDS operations shall comprise four phases as described below:. The detection phase begins when a sensor reacts to the stimuli for which the sensor was designed to detect. The alarm status is immediately transmitted to the Monitoring Station. The assessment phase is the initial phase requiring human interaction. On receiving an audible or visible alarm, monitoring personnel immediately assess the situation and determine the appropriate response.
The response phase begins immediately after the operator has assessed the alarm condition. All alarms shall be immediately investigated. During the response phase, the precise nature of the alarm shall be determined and appropriate measures taken to safeguard the SCIF. An alarm is a visual and audible indication that a sensor has detected the entry or attempted entry of an unauthorized person into a SCIF.
Alarms also signify the malfunction of a sensor that normally causes such an alarm. The monitoring station is the central point for collecting alarm status from the PCUs handling the alarm zones under control of an IDS. A PCU is a device that receives changes of alarm status from IDS sensors, and transmits an alarm condition to the monitoring station.
Sensors are devices that respond to a physical stimulus as heat, light, sound, pressure, magnetism, or a particular motion and transmits a resulting impulse.
This definition does not include US-controlled installations for example, military bases, embassies, leased space located in foreign countries. Emergency exit doors shall be monitored 24 hours a day to provide quick identification and response to the appropriate door when there is an alarm indication see paragraph 6. SCIFs shall be provided with IDE and alarm zones that are independent from systems safeguarding other protected sites. If a single monitoring station supervises several alarm zones, then the audible and visible annunciation for each such zone shall be distinguishable from other zones.
Note: If an access control system is integrated into an IDS, reports from the access control system shall be subordinate in priority to reports from intrusion alarms. As an alternative, the outside SCIF perimeter shall be continuously protected by the response force or a guard force until the IDS returns to normal operation.
If neither of these alternatives is possible, a catastrophic failure plan shall be submitted in writing to the CSA for review and approval prior to implementation. See paragraph 6. System administration key variables and operational passwords shall be protected and shall be restricted to SCI-indoctrinated personnel. Details of the IDS installation plans shall be controlled and restricted on a need-to-know basis. Contractors shall comply with UL by maintaining an active UL certificate of installation and service.
Any IDE that could allow unintentional audio or other intelligence-bearing signals in any form to pass beyond the confines of the SCIF is unacceptable and prohibited for IDS installation. IDE shall not include audio or video monitoring without appropriate countermeasures and CSA approval. IDS comprised of IDE with auto-reset features shall have the auto-reset capability disabled as required in paragraph 3. Accreditation files for the SCIF shall be maintained as described in paragraph 6.
Any failed IDE sensor shall cause an immediate and continuous alarm condition until the failure is corrected or compensated. Sufficient detectors shall be installed to assure meeting the requirements of paragraph 4.
Within the US motion detection sensors are normally not required above false ceilings or below false floors; however, these detectors may be required by the CSA for such areas outside of the US.
Entrance door sensors may have an initial time delay built into the IDS to allow for change in alarm status, but shall not exceed 30 seconds. The BMS installed on e mergency exit doors shall be monitored 24 hours a day. The use of dual-technology sensors is authorized when each technology transmits alarm conditions independent from the other technology. The means of changing between access and secure modes shall be located within the SCIF. Any polling from the monitoring station to the PCU shall not exceed six minutes regardless of access state.
Alternately, if the wiring cannot be contained within the SCIF, such cabling shall meet the transmission requirements of paragraph 3. Outside of the United States , if determined by the CSA, wiring will be protected within a closed conveyance. The use of wireless communications between sensors and PCU is normally prohibited.
However, under exceptional circumstances, when such cabling is not possible or feasible, the wireless communications maintain continuous connection and are impervious to jamming, manipulation, and spoofing and meets other security requirements of this annex, the CSA may authorize in writing the use of wireless communications between sensors and the PCU. Co-utilizing agencies shall be notified of any such exception.
Alarm status shall be provided at the monitoring station. The alarm-monitoring panel shall be designed and installed in a location that prevents observation by unauthorized persons. Alarm annunciations shall exist for the below listed alarm conditions. Intrusion Alarm. An intrusion or attempted intrusion shall cause an immediate and continuous alarm condition.
A failed IDE sensor shall cause an immediate and continuous alarm condition. The IDS, when in the maintenance mode, shall cause an immediate and continuous alarm or maintenance message throughout the period the IDS is in the maintenance mode.
Zones that are shunted or masked shall also cause such an alarm. See paragraph 3. The IDS, when sustaining tampering, shall cause an immediate and continuous alarm. Equipment at the monitoring station shall visibly and audibly indicate a failure in a power source, a change in power source, and the location of the failure or change. The IDS shall incorporate within the SCIF and at the monitoring station, a means for providing a historical record items specified in paragraph 6. If the IDS has no provision of automatic entry into archive, as an alternative, a manual logging system shall be maintained in accordance with paragraph 6.
All alarm activations shall be reset by SCI-indoctrinated personnel. An IDS with an auto-reset feature shall have the auto-reset feature disabled. The UL certificate shall state that line security has been employed. The following types of line security are acceptable:. Encrypted-line security is achieved by using an approved bit or greater encryption algorithm.
The algorithm shall be certified by NIST or another independent testing laboratory. If the communication technology described in 3. The communication scheme shall be adequately supervised to protect against modification and substitution of the transmitted signal.
Networked IDSs. See paragraphs 5. The IDS application software shall be installed and run on a host computer dedicated to security systems. A unique user ID and password is required for each individual granted access to the IDS host computer.
Passwords shall be a minimum of eight characters; consist of alpha, numeric, and special characters; and shall be changed a minimum of every six months. Computer auditing and network intrusion detection software NIDS shall monitor and log access attempts and all changes to IDS applications. The IDS shall have three modes of operation: access mode, secure mode, and maintenance mode as described below.
IDS modes shall meet the following requirements. During access mode, normal authorized entry into the facility in accordance with prescribed security procedures shall not cause an alarm.
Tamper and emergency exit door circuits shall remain in the secure mode of operation. In the secure mode, any unauthorized entry into the SCIF shall cause an alarm to be immediately transmitted to the monitoring station. When an alarm zone is placed in the maintenance mode, a signal for this condition shall be automatically sent to the monitoring station. This signal shall appear as an alarm or maintenance message at the monitoring station and shall continue to be displayed visibly at the monitoring station throughout the period of maintenance.
The IDS shall not be securable while in the maintenance mode. All maintenance periods shall be archived in the system. Additionally, a shunted or masked zone or sensor shall be displayed as such at the monitoring station throughout the period the condition exists. After the initial installation, the capability for remote diagnostics, maintenance, or programming of IDE shall not exist unless accomplished only by appropriately SCI-indoctrinated personnel and shall be appropriately logged or recorded in the Remote Service Mode Archive.
A self-test feature shall be limited to one second per occurrence. See paragraph 5. In the event such commercial power fails, the IDE shall automatically transfer to an emergency electrical power source without causing an alarm indication. Emergency backup electrical power for the SCIF and monitoring station shall be provided by battery, generator, or both. If batteries are provided for emergency backup power, they shall provide a minimum of 24 hours UL of backup power and they shall be maintained at full charge by automatic charging circuits.
The tamper detection shall be monitored continuously whether the IDS is in the access or secure mode of operation. This section specifies the requirements for IDS installation and testing. Additionally, IDE installation and testing shall meet the following requirements.
The IDE shall be installed in a manner that assures conformance with all requirements of sections 3. US citizens shall accomplish all IDE installation.
Motion detection equipment shall be installed in accordance with manufacturer specifications, UL, or equivalent standards. SCIF perimeter door-open BMSs shall be installed so that an alarm signal initiates before the non-hinged side of the door opens beyond the thickness of the door from the seated position.
The IDE shall be tested to provide assurances that it meets all requirements of sections 3. Records of testing and test performance shall be maintained in accordance with paragraph 6. US citizens shall accomplish all IDE testing. The test is to be conducted by taking a four-step trial, stopping for three to five seconds, taking a four-step trial, stopping for three to five seconds, repeating the process throughout the SCIF.
Whenever possible, the direction of the next trial is to be in a different direction. All BMSs shall be tested to ensure that an alarm signal initiates before the non-hinged side of the door opens beyond the thickness of the door from the seated position. Remove each IDE cover individually and ensure that there is an alarm indication on the monitoring panel in both the secure and access modes. Tamper detection devices need only be tested upon installation with the exception of the tamper detection on the PCU that is activated when it is opened.
The CSA may require more frequent testing of tamper circuits. The IDS shall be operated and maintained to assure that the requirements of sections 3. Additionally, IDE operation and maintenance shall meet the following requirements. The monitoring station shall be continuously supervised and operated by US citizens who have been subjected to a trust-worthiness determination favorable NAC with no clearance required.
Monitoring station operators shall be trained in IDE theory and operation to the extent required to effectively interpret incidents generated by the IDE and to take proper action when an alarm activates. All alarms shall be investigated and the results documented. Every alarm condition shall be considered a detected intrusion until resolved. The response force shall take appropriate steps to safeguard the SCIF as permitted by a written support agreement see paragraph 6.
An SCI-indoctrinated individual must arrive as soon as possible, but not to exceed 60 minutes, to conduct an internal inspection of the SCIF, attempt to determine the probable cause of the alarm activation and reset the IDS prior to the departure of the response force. Such personnel may include local law enforcement support or other external forces as stated in formal agreements.
Coordinated response force testing shall be conducted semi-annually. False alarm activations may be used in lieu of a response-force test provided the proper response times were met. A record of response-force personnel testing shall be maintained for a minimum of two years. Sensors that do not meet prescribed requirements shall be adjusted or replaced as needed to assure that the requirements of sections 3 and 4 of this standard are continually met.
The maintenance program for the IDS shall ensure that false-alarm incidents do not exceed one in a period of 30 days per alarm zone.
If the IDS is connected to a network, the IDS and NIDS system administrator shall maintain configuration control, ensure the latest operating system security patches have been applied, and shall configure the operating system to provide a high level of security. The IDE shall be tested semiannually every six months to provide assurances that the IDS is in conformance with the requirements of paragraphs 4.
Records of semiannual testing and test performance shall be maintained in accordance with paragraph 6. If the IDS is connected to a network, the IDS system administrator shall maintain configuration control, ensure the latest operating system security patches have been applied, and shall configure the operating system to provide a high level of security.
After initial installation, remote diagnostics, maintenance, or programming of the IDE shall not exist unless accomplished by SCI-indoctrinated personnel only and shall be appropriately recorded.
An SCI-indoctrinated individual shall arrive within 60 minutes to conduct an internal inspection of the SCIF, attempt to determine the probable cause of the alarm activation, and reset the IDS prior to the departure of the response force.
The following documentation shall be developed for the IDS. The IDS design and installation documentation shall be provided to the government sponsoring activity and maintained in the SCIF as specified in paragraph 3. If an alternative catastrophic failure plan is contemplated see paragraph 3. A written support agreement shall be established for external monitoring, response, or both.
The agreement shall include the response time for both response force and SCIF personnel, responsibilities of the response force upon arrival, maintenance of SCIF points of contact, and length of time response personnel are required to remain on-site.
The duties of the monitor operator shall be documented in a SOP. The SOP shall include procedures for observing monitor panel s for reports of alarms, changes in IDE status, assessing these reports, and in the event of an intrusion alarm, dispatching the response force or notifying the proper authority to do so and notifying the appropriate authority of the event. A written SOP shall be established to address the appropriate actions to be taken when maintenance access is indicated at the monitor-station panel.
The SOP shall require that all maintenance periods shall be archived in the system. This record shall include: testing dates, names of individuals performing the test, specific equipment tested, malfunctions detected, and corrective actions taken.
Records of the response-force personnel testing shall also be retained. All records of testing shall be maintained for a minimum of two years. If the IDS has no provision for automatic entry into archive see paragraph 3.
The responsible security officer shall routinely review the historical record. Results of investigations and observations by the response force shall also be maintained at the monitoring station. The SCIF responsible security officer shall routinely review the historical record.
Records of alarm annunciations shall be retained for a minimum of two years and longer if needed until investigations of system violations and incidents have been successfully resolved and recorded. Shunting or masking of any zone or sensor shall be appropriately logged or recorded in an archive. All maintenance periods shall be archived into the system.
An archive shall be maintained for all remote service mode activities. The following documents shall be included in the SCIF accreditation file along with other SCIF accreditation documentation: Final acceptance tests of original installation and any modifications; catastrophic failure plan see paragraph 6. Final acceptance tests and the catastrophic failure plan shall be maintained in both the SCIF accreditation file and at the CSA location.
This annex pertains to specialized Sensitive Compartmented Information Facilities SCIFs deployed in a tactical operations or field training environment. It is divided into three parts to reflect the accepted modes of tactical operation:. This Annex prescribes the procedures for the physical security requirements for the operation of a Sensitive Compartmented Information Facility SCIF while in a field or tactical configuration, including training exercises.
Situation and time permitting, these standards will be improved upon using the security considerations and requirements for permanent secure facilities as an ultimate goal.
If available, permanent-type facilities will be used. Under field or combat conditions, a continuous hour operation is mandatory. Every effort must be made to obtain the necessary support from the host command e. The Tactical SCIF approval authority shall determine whether proposed security measures provide adequate protection based on local threat conditions. Guards shall be armed with weapons and ammunition.
The types of weapons will be prescribed by the supported commander. Exceptions to this requirement during peace may only be granted by the T-SCIF approval authority based on local threat conditions.
During a period of declared hostilities or general war, a T-SCIF may be established at any level of accreditation upon the verbal order of a General or Flag Officer Commander.
Approval authorities may require use of a local tactical deployment checklist. The message shall provide the following information:. A T-SCIF may be configured using vehicles, trailers, shelters, bunkers, tents, or available structures to suit the mission. The shelter or van shall be secured at all times when not activated as a SCIF. The combination to the lock will be protected to the level of security of the material stored therein. When situations occur where there are no SCI-indoctrinated people within the shelter, i.
Stringent security arrangements shall be employed to ensure that the quantity of SCI material is not allowed to accumulate more than is absolutely necessary. The construction material must be of such composition to show visible evidence of forced entry. Vents and air ducts must be constructed to prevent surreptitious entry.
The doors must be solid construction and plumbed so the door forms a good acoustical seal. If installed, emergency exits and escape hatches must be constructed so they can only be opened from the interior of the SPSCIF. Access control to the fenced compound must be continuous. NOTE: Just as with combinations, keys require protection equivalent to the information which they protect. Guard response time will be five minutes or less.
Electrical power supplied to T- SClFs may be furnished by commercial or locally generated systems, as follows:. The generator shall not require location within the SCIF compound perimeter. The motor generator location shall be within the SCIF compound perimeter.
This annex prescribes the physical security procedures for the operation of a Sensitive Compartmented Information Facility SCIF for aircraft, including airborne missions. This annex is applicable to all aircraft to be utilized as a SCIF. Existing or previously accredited facilities do not require modification to conform with these standards.
Approval authorities may require use of a local deployment checklist, if necessary. The letter or message will indicate the following information:. Waivers to the requirement for weapons and ammunition may be approved on a case-by-case basis by the Commander. However, compliance with directives pertaining to security of SCI material and communications is mandatory. Accredited aircraft require perimeter access controls, a guard force, and a reserve security team.
Hatches that cannot be secured from the outside will be sealed using serially numbered seals. If the facility is not accredited for the level of information to be stored, the material must be double wrapped with initialed seals and stored in a GSA-approved security container. If an aircraft landing in unfriendly territory is anticipated, all SCI material will be immediately destroyed, with the destruction process preferably taking place prior to landing.
Such emergency preparation rehearsals will be made a matter of record. Evacuation plans and destruction equipment must be approved by the CSA and tested by mission personnel This annex specifies the requirements for construction and security protection of SCIFs located on ships. The application of this annex to surface non-combatants or sub-surface vessels will be referred to the CSA. Such situations will be referred to the CSA for resolution on a case-by-case basis.
The area will have a clearly defined physical perimeter barrier and continuous physical security safeguards. The area may contain one or more contiguous spaces requiring SCIF accreditation. It will be continuously manned with sufficient SCI-cleared and -indoctrinated personnel, as determined by the on-site security authority based on the local threat environment, when SCI is present within the area. Temporary shipboard SCI operations will he limited to:. Such platforms will be accredited on a temporary basis for a single deployment mission.
The platform will be manned 24 hours a day by sufficient SCI-cleared and -indoctrinated personnel as determined by the on-site security authority. At the completion of the mission, the accreditation period will end and the CSA notified that the platform is certified clear and free of all SCI materials. Ships requesting permanent accreditation status will provide to the CSA a complete inspection report and the Shipboard Inspection Checklist, certifying compliance with this Annex. Elements of the physical perimeter will be fully braced and welded in place.
Each compartment within the complex may have a separate access door from within the common physical perimeter barrier. Such interior access control doors do not need to conform with this annex. The exit will be mounted in a frame braced and welded in place in a manner commensurate with the structural characteristics of the bulkhead, deck, or overhead in which it is situated.
This requirement is not applicable to damage control fittings, such as smoke dampers, that may be operated by personnel within the space during normal manning. The padlock keys will be stored in a security container located within a space under appropriate security control.
If a grating is used, bridge center-to-center measurements will not exceed 1. Bars will be mounted on 6 inch centers. The grating or bars will be welded into place. The effective level of security may be determined by stationing personnel in adjacent spaces or passageways to determine if SCI can be overheard outside the space. The installation will consist of sensors connected at each door and alerting indicators located at the facility supervisor's position.
The normal access door alarm may have a disconnect feature. SCI spaces that are under continuous manning will be staffed with sufficient personnel, as determined by the on-site security authority based on the local threat environment, who have the continuous capability of detecting forced or surruptitious entry without the aide of an IDS.
Passing scuttles and windows will not be installed between SCI spaces and any other space on the ship. Containers will be welded in place, or otherwise secured to a foundation for safety. Cable conductors assigned to the transmission of plain language radio telephones will be connected to ground at each end of the cable.
Additionally, the front panel will have a sign warning the user that the system is not passing classified information. Pneumatic tube systems will not be installed. Existing systems will be equipped with the following security features:. Non-combatant surface ships that transit hostile waters without combatant escort will have appropriate Anti-compromise Emergency Destruction ACED equipment on board and such equipment will be prepared for use.
SCI material will not be destroyed by jettisoning overboard under any circumstances. Ships requiring temporary accreditation status will be processed for accreditation upon completion of a physical security inspection and certification of compliance with the following security requirements:. Dutch doors are not acceptable. Ships requiring TSWA accreditation for "contingency" or "part-time" usage will be processed for accreditation upon completion of a physical security inspection and certification of compliance with the following security requirements:.
Security storage containers will be welded in place, or otherwise secured to the foundation for safety and to prevent rapid removal. PSCVs are vans that are temporarily placed aboard ship and not part of the permanent structure of the ship. Ships requiring accreditation of embarked PSCVs must be annually accredited by the CSA and may be activated upon certification to the CSA of compliance with the following security requirements:.
These measures will consist of instructions promulgated by the station ashore and afloat in which the van is embarked, prohibiting loitering in the immediate vicinity of the van, and will include periodic visual security cheeks by appropriately SCI-indoctrinated personnel. The following guidance is provided concerning the control of electronic equipment. SOICs retain the authority to apply more stringent requirements as deemed appropriate.
NOTE: If equipped with data-ports, SOICs will ensure that procedures are established to prevent unauthorized connector to automated information systems that are processing classified information. Associated media will he controlled. The provisions in paragraphs 2. The Director of Central Intelligence and the Senior Officials of the Intelligence Community SOICs hereby establish the policy and procedures for the disposal of used laser toner cartridge drums cartridges. The policy established herein is based on technical research that has confirmed that the laser printer toner cartridges, removed from properly functioning printers, do not retain any residual static charge that could be associated with previously printed information.
Thus, countermeasures to "declassify" a cartridge before releasing it, such as printing multiple pages of unclassified information or physically destroying the cartridge drum, are unnecessary and the expense of destroying toner cartridges is not deemed to be justified. When deemed necessary and appropriate, SOICs may establish additional security measures.
This policy applies to all equipment that uses similar technology a laser printer with removable toner cartridge as part of its production process i. Laser Faxes, Printers, Copiers, etc. However, should a print cycle not be completed, there is the potential that residual toner may be left on the drum that could cause an information compromise. The following procedures should be followed for those situations where the print cycle was not successfully completed.
If residual toner is present, manually rotating the drum is sufficient to wipe off residual toner material present. Acoustical protection measures and sound masking systems are designed to protect SCI against being inadvertently overheard by the casual passerby, not to protect against deliberate interception of audio.
Loud speech can be understood fairly well. Normal speech cannot be easily understood. Loud speech can be heard, but is hardly intelligible. Normal speech can be heard only faintly if at all. Loud speech can be faintly heard but not understood. Normal speech is unintelligible. Very loud sounds, such as loud singing, brass musical instruments or a radio at full volume, can be heard only faintly or not at all. The amount of sound energy reduction may vary according to individual facility requirements.
However, Sound Group ratings shall be used to describe the effectiveness of SCIF acoustical security measures afforded by various wall materials and other building components. Protection against interception of SCI discussions may include use of sound masking devices, structural enhancements, or SCIF perimeter placement. Use of a perimeter fence or protective zone between the SCIF perimeter walls and the closest "listening place" is permitted as an alternative to other sound protection measures.
A sound masking system may utilize a noise generator, tape, disc or record player as a noise source and an amplifier and speakers or transducers for distribution. The level for each speaker should be determined by listening to conversations occurring within the SCIF and the masking sound and adjusting the level until conversations are unintelligible from outside the SCIF. The sound source must be obtained from a player unit located within the SCIF.
Any device equipped with a capability to record ambient sound within the SCIF must have that capability disabled. Acceptable methods include:. The introduction of electronic systems that have components outside the SCIF should be avoided. Speakers or other transducers, which are part of a system that is not wholly contained in the SCIF, are sometimes required to be in the SCIF by safety or fire regulations.
In such instances, the system can be introduced if protected as follows:. In systems that require two-way communication, the system shall have electronic isolation.
SCIF occupants should be alerted when the system is activated. All SCIFs shall have personnel access control systems to control access at all perimeter entrances. Placards, signs, notices, and similar items are not acceptable as personnel access control systems. If you cannot use Tor, or your submission is very large, or you have specific requirements, WikiLeaks provides several alternative methods.
This includes other media organisations. Leaks News About Partners. Our submission system works hard to preserve your anonymity, but we recommend you also take some of your own precautions. Act normal If you are a high-risk source, avoid saying anything or doing anything after submitting which might promote kafan.
What links here Related changes Special pages Printable version Permanent link. If you have any issues talk to WikiLeaks. If the computer you are uploading from could subsequently be audited in an investigation, consider using a computer that is not easily tied to you.
Personal tools Log in. Contact us to discuss how to proceed. Advanced users, if they wish, can also add a further layer of encryption to their submission using our public Jqfan key. If you can use Tor, but need to contact WikiLeaks for other reasons use our secured webchat available at http: Do not talk about your submission to others If you have any issues talk to WikiLeaks.
If a legal action is mafan against you as a result of your submission, there are organisations that jafam help you. If you are a high-risk source and the computer you prepared your submission on, or uploaded it from, could subsequently be audited in an investigation, we recommend that you format and dispose of the computer hard drive and any other storage media you used.
In our experience it is always possible to find a custom solution for even the most 33 difficult situations. Tor is an encrypted anonymising network that makes it harder to intercept internet communications, or see where communications are coming jafwn or going to.
If you do this and are a high-risk source you should make sure there are no traces of the clean-up, since such traces themselves may draw suspicion. The following is the address of our secure site where you can anonymously upload your documents to WikiLeaks editors. Technical users can also use Tails to help ensure you do not leave any records of your submission on the computer. Please jqfan these basic guidelines. If you are at high risk and you have the capacity to do so, you can also access the submission system through a secure operating system called Tails.
How to contact WikiLeaks? What computer to use If the computer you are uploading from could subsequently be audited in an investigation, consider jxfan a computer that is not easily tied to you.
0コメント