Integrated IDS and Remote Terminal Access
The United States government local area network (LAN) or wide area network (WAN) requires the AO’s CIO to be consulted before connecting an IDS. The IDS hosting system must be issued an Authority to Operate (ATO) by the agency’s CIO, following the FISMA Risk Management Framework that is outlined in NIST SP 800-53.
For IDS that have been already integrated into a networked system (LAN or WAN) the following requirements must be met:
- System software must be installed on a host device that is logically and physically restricted to corporate/government elements cleared to the SCI level.
- Host devices must be located in a Physically Protected Space. Protected space is defined as a locked room with walls, floor, and ceiling that form a solid physical boundary to which only SCI-cleared personnel have access to.
- SCI-cleared personnel must escort any uncleared or personnel with less than SCI-clearance that require access to this space.
- Door will use Commercial Grade 1 hardware fitted with high security key cylinder(s) in compliance with UL 437.
- Room must be protected by UL Extent 3 burglar alarm system and access control (unless manned 24 hours).
- All transmissions of system information over the LAN/WAN must be encrypted using National institute of Standards and Technology (NIST) FIPS 140-2, VPN, or closed and sealed conveyance. FIPS-197 (AES) can be used with AO approval.
- All host system components and equipment must be isolated in a way that includes (but aren’t limited to):
- Virtual Private Networks (VPNs)
- Other Application Level security mechanisms or similar enhancements that allow secure and private data transfers only between the PCU, host computer, remote terminal and monitoring station
- Any components of the IDS are remotely programmable, continuous network monitoring is needed. Network monitoring includes auditing and reporting of all network intrusion detection and prevention systems.
- A secondary communication path may be used to augment an existing data communication link to reduce search of data communication failures of less than five minute duration.
- Supervision for a secondary communication path must be equivalent to that of a primary communication path
- Secondary communication path can be wireless only if approved by the AO after consulting with the CTTA and/or the appropriate technical authority
- A unique user ID and password is required for each individual granted access to system host computing devices or remote terminal. Passwords must be a minimum of 12 characters consisting of alpha, numeric, and special characters. The password must be changed every six months or utilize US Government Personal Identity Verification (PIV) Card or Common Access Card (CAC) with two factor certificate authentication.
- Persons with IDS admin access must immediately notify the AO or designee of any unauthorized modifications.
Remote System terminals:
Remote system terminals must utilize AO approved role-based user permissions (e.g. Super User, SO, Guard). All USG installations must prohibit non SCI cleared personnel from modifying the IDS or ACS. Remote system terminals require an independent user ID and password in addition to the host login requirements. Host systems must log and monitor failed login attempts. All remote sessions must be documented and accessible to the AO upon request.
All host systems and PCUs must be patched and maintained to implement current firmware and security updates. USG systems must be in compliance with Information Assurance Vulnerability Alert (IAVA) guidance.
Requirements for IDS Systems Software Passwords:
- Passwords must be a minimum of 12 characters consisting of alpha, numeric, and special characters
- The password must be changed every six months or utilize US Government Personal Identity Verification (PIV) Card or Common Access Card (CAC) with two-factor certificate authentication
IDS Modes of Operation
The IDS must operate in two modes: armed or disarmed. With this system there must not be any remote capability for changing the two modes by a non-SCI cleared personnel. Changing the arming or disarming status must be limited to just SCI-indoctrinated persons.
When the system is in disarmed mode, normal entry into the SCIF, following all security procedures, will not cause an alarm to sound. A record must always be maintained of who is responsible for disarming the IDS. However, tamper circuits and emergency exit door circuits must remain in armed mode. The PCU must have the ability to allow certain alarm points to remain armed while other points are in disarmed status.
The IDS is placed into armed mode when the last person leaves the SCIF. A record must also be kept identifying the person who armed the system. When in armed mode, any unauthorized entry into the SCIF will cause an alarm to be immediately transmitted to the monitoring station.
Each failure of arming or disarming the system must be reported to the SCIF Security Manager. Records of these events will be kept for two years.
Maintenance Requirements and Zone Shunting/Masking Modes
If maintenance is performed on the system, the monitoring station must be notified and a log must be kept. All maintenance periods must be archived in the system. System maintenance can only be done by an SCI cleared IDS administrator of SCIF Security Officer (SO). When a point is shunted or masked for reasons other than system maintenance, it must be displayed as such at the monitoring station throughout the period the condition exists.
Any sensor that has been shunted must be reactivated upon the next change in status from armed to disarmed. A PIN is required, for maintenance purposes, to be established and controlled by the SCI cleared IDS administrator or SCIF SO. All procedures must be documented in the SCIF SOP. PEDs (portable electronic devices) are only allowed attachment to the system equipment for the purpose of system maintenance, repair and reporting. The PED attachment can either be temporary or permanent depending on system needs. The stand-alone PED must meet the following requirements:
- Must be kept under control of SCI-cleared personnel
- PED, when not in use, must be maintained in a Physically Protected Space
- Mass storage devices containing SCIF alarm equipment details, configurations, or event data will be protected at an AO-approved appropriate level.
Capability for remote diagnostics, maintenance, or programming of IDE must be accomplished only by SCI-cleared personnel and must be logged/recorded. In the event of a power failure, the system will automatically transfer emergency electrical power sources without causing alarm activation. 24 hours of uninterrupted backup power is required and must be provided by batteries, an UPS (uninterruptible power supply), generators, or any combination. An audible or visual indicator at the PCU shall provide an indication of the primary or backup power source in use. Equipment at the monitoring station will visibly and audibly indicate a failure in a power source or a change in power source. As directed by the AO, the individual system that failed will be indicated at the PCU or monitoring station.
In accordance with UL 2050, monitoring stations must be government-managed or one of the following:
- AO-operated monitoring station
- Government contractor monitoring station
- National industrial monitoring station
- Cleared commercial central station
All monitoring station employees must be eligible to hold a U.S. SECRET clearance. Operators must be trained in system theory and operation in order to effectively interpret certain system incidents and take appropriate actions.
Operations and Maintenance of IDS
All alarm activations must be considered an unauthorized entry until it’s resolved. Response force will take appropriate steps to protect the SCIF, as permitted by a written support agreement, until SCI-indoctrinated individual(s) arrive to take control of the situation. The SCI-indoctrinated individual(s) must arrive in 60 minutes (in accordance with UL 2050) or a response time approved by the AO.
The individual(s), upon arrival, will conduct an internal inspection of the SCIF, attempt to determine the cause of the alarm activation, and reset the IDS prior to the departure of the response force.
All maintenance and repair personnel that aren’t TOP SECRET-cleared and indoctrinated for SCIF access must be escorted during system repairs/maintenance. Repairs must be initiated by a service tech within four hours of the receipt of a request for service or trouble signal. Until repairs are completed or AO-approved alternate documented procedures are started, the SCIF will be continuously manned on a 24-hour basis by SCI-indoctrinated personnel.
Emergency-power battery maintenance should follow the manufacturer’s periodic maintenance schedule and procedures. Battery maintenance will be documented in the system’s maintenance logs and kept for two years. If a generator is used to provide emergency power, it must also be tested per the manufacturers recommended testing procedures. If the communications path is through a network, the network’s power source must also be tested.
The system administrators must maintain configuration control, make sure the latest operating security patches have been applied, and configure the system to provide a high level of security. Inside the United States, all network maintenance personnel within the SCIF shall be a U.S. person and be escorted by cleared SCIF individuals. Outside the U.S., network maintenance personnel must be U.S. TOP SECRET-cleared or U.S. SECRET-cleared and be escorted by SCIF personnel.
Installation and Testing of the IDS
All IDS installation and testing within the U.S must be performed by U.S. companies using U.S. citizens. Outside the U.S., installation and testing must be performed by personnel who are U.S. TOP-SECRET-cleared or U.S. SECRET-cleared and escorted by SCIF personnel. All IDS system components and elements must be installed in accordance with the IDS requirements listed in Part I and Part II, UL 2050, and the manufacturer’s instructions and standards.
Prior to operational use, acceptance testing must be conducted on all systems to provide assurance that they meet all requirements prior to SCIF accreditation. Semi-annual IDS testing must be conducted to ensure continued system performance. All records of testing and test performance must be maintained in accordance with documentation requirements.
All motion detection sensors must be tested to ensure proper activation of the sensor at a minimum of four steps (“trial”) at a rate of one step per second (30 inches ± 3 inches or 760 mm ± 80 mm per second). This test must be conducted by taking a four-step trial, stopping for three to five seconds and then taking another four-step trial. These trials must be repeated throughout the SCIF and from different directions. An alarm must activate at least three out of every four consecutive trials made by moving through the SCIF.
All HSS devices must also be tested to ensure that an alarm signal activates before the non-hinged side of the door opens beyond the thickness of the door. For example, a 1 ¾ inch thick door will activate an alarm signal before the door opens 1 ¾ inches. Each IDS equipment cover will be individually removed or opened to ensure there’s an alarm activation at the PCU or monitoring station in both secure and access modes. Tamper detection devices only need to be tested when installed. However, the AO may require more frequent testing of tamper circuits if needed.
Does your facility require a SCIF? KL Security offers SCIF Container Solutions with panelized modular systems for scalable modular, portable, & mobile requirements. We assist in the acquisition of modular facilities for DoD & Government Access Control and ICD705 SCIFs or SAPF facilities. We also assist with special access control planning and commercial business security.
Call 866-867-0306 or email [email protected] to see how the experts at KL Security can assist your facility in security needs.
Information has been gathered from sources deemed reliable but not guaranteed and is subject to change without notice. The information contained in this site is provided for informational purposes only.