SCIF Container Series | Part 8.1: Intrusion Detection Systems


SCIFs, when not occupied, must be protected by Intrusion Detection Systems (IDS). This includes walls that are not at the SCI level. The AO will ultimately determine what security programs will be needed to protect these areas of a SCIF from unauthorized entry and movement. Doors that don’t have access control systems and/or not under visual surveillance must be monitored by the IDS. In the event of a power failure or other event that makes the IDS inoperable, SCI-indoctrinated personnel must occupy areas of the SCIF until the IDS system resumes normal operation. The SCIF emergency plan will address IDS failures.


All system plans must be approved by the AO. As a part of the SCIF accreditation package, a final system acceptance testing will be conducted.

IDS System Requirements


All IDS installation of monitoring stations and related components must comply with:

  • Underwriters Laboratories (UL) Standard for National Industrial Security Systems for the Protection of Classified Materials, UL 2050
    • Installation must comply with Extent 3 installation noted in UL 2050. This includes systems developed and used by the USG. These systems don’t need UL certification but should comply with Extent 3 installation.

Areas, as mentioned above, that do not need protection at the SCI level will be protected by IDS that includes UL 639 listed motion sensors and UL 634 listed High Security Switches (HSS) that meet UL Level II requirements and/or other AO-approved sensors. New SCIF accreditations must use UL Level II HSS. Until IDS modifications and upgrades are made, existing UL Level I HSS are authorized.


All cabling that extends beyond the SCIF perimeter must use Encrypted Line Security or be installed in a closed sealed metal conveyance (pipe, tube, or something constructed of Electrical Metallic Tubing (EMT), pipe conduit or rigid sheet metal ducting). All joints and connections on the closed metal conveyance must be permanently sealed around all surfaced by welding, epoxy, fusion, etc. Set screws cannot be used to seal the surface. This seal will provide a continuous bond between all components of the conveyance. If a service or pull box must be used, it must be approved with GSA approved combination padlock or an AO approved key lock.


SCIFs that share a common perimeter or have an established Co-Use Agreement (CUA) and support the same IC Element, may have the PCU (Premise Control Unit) programmed into multiple units or partitions. This allows each SCIF to function as individual control units for the IDS installed in several different areas or rooms that are independent of one another. Compliance conditions apply to the PCU, IDS, and partitions of the PCU equally. However, the PCU must be independent of IDS safeguarding non-UL 2050 certified areas.


For a monitoring station that is in charge of more than one IDS, there must be both audible and visible annunciation for each IDS. Fire, smoke, radon, water, and other systems must be independent of the IDS. If IDS incorporates an access control system (ACS), the ACS notifications must be subordinate in priority to IDS alarms. Without the application of specific countermeasures and the approval of the AO, systems cannot include audio or video monitoring. If monitoring systems contain auto-reset features, those features must be disabled.


All system key items and passwords must be protected and restricted to U.S. SCI-indoctrinated personnel. Alarm activations must be displayed locally until cleared by an authorized SCI-cleared individual. Determined by the AO, all IDS technical drawings, installation instructions, specifications, etc. will be restricted and documented in the CSP.

IDS False Alarms


An IDS false alarm is defined as any alarm signal transmitted in the absence of a confirmed intrusion that is caused by changes in the environment, equipment malfunction, or electrical disturbances. If false alarms exceed this requirement, a technical evaluation of the system must be conducted to determine the cause. Once evaluation is complete and the system is repaired or resolved, it must be documented. False alarms cannot exceed one alarm per 30-day period per IDS partition.

System Components


Sensors

  • All system sensors must be located within the SCIF
    • Exception: The AO can approve external sensors on the SCIF perimeter so long as they are installed in a closed sealed metal conveyance (pipe, tube, or something constructed of Electrical Metallic Tubing (EMT), pipe conduit or rigid sheet metal ducting). All joints and connections on the closed metal conveyance must be permanently sealed around all surfaced by welding, epoxy, fusion, etc. Set screws cannot be used to seal the surface. If a service or pull box must be used, it must be approved with GSA approved combination padlock or an AO approved key lock.
  • SCIF perimeter doors must be protected by an HSS and a motion detection sensor
  • Emergency exit doors will be alarmed and monitored 24 hours per day
  • When primary entrance door has a delay to allow changing the system mode of access, this delay must not exceed 30 seconds
  • Dual technology sensors are authorized when each technology transmits alarm conditions that are independent of the other technology.
  • Areas not protected at the SCI level will have a sufficient number of motion detection sensors or be approved by the AO. Sensors will consist of UL 639 listed motion sensors and UL 634 listed HSS that meet UL Level II requirements and/or other AO-approved equivalent sensors.
    • Note: For facilities outside the U.S. and in Category I and II countries, motion detection sensors above false ceilings or below false floors may be required by the AO.
  • Failed sensors will cause immediate and continuous alarm activation until this failure is investigated and corrected following procedures documented in the SCIF SOP/Emergency Action Plan.

Premise Control Units (PCUs)


Premise control Units (PCUs) must be located within a SCIF and access modes can only be started by SCIF personnel only. The access/secure switch will be restricted by a device or procedure that confirms authorized use. Within the SCIF, the cabling between sensors and the PCU must be dedicated to the system and comply with both national and local electrical codes and Committee for National Security Systems (CNSS) standards. However if the wiring can’t be contained within the SCIF, the wiring must meet the requirements in the External Transmissions Line Security section below.


At the PCU and/or monitoring station, alarm status must be continuously displayed with an alphanumeric display. Every effort must be made to install the alarm-monitoring panel in a location that prevents observation by unauthorized personnel. The PCU/monitoring station must identify and display all activated sensors. A change in power status (AC or backup) will also be indicated locally and at the monitoring station/PCU. All auto-alarm reset features of the IDS must be disabled.


Alarm notifications must be immediate and continuous for the following situations:

  • Intrusion Detection
  • Failed Sensor
  • Tamper Detection
  • Maintenance Mode
  • IDS Sensor Points masked or shunted during maintenance mode

In the events noted above, only SCI-indoctrinated personnel can reset the PCU and only after inspection and determination for the cause of the alarm. IDS transmission lines going from the SCIF to the monitoring station must meet the National Institute of Standards and Technology, Federal Information Processing Standards (FIPS) for certified encrypted lines. The FIPS standards employed must be noted in the UL 2050/CRZH Certificate or other certificate. PCUs that are certified under UL 1610 have to meet FIPS 197 or FIPS 140-2 encryption certification and method.


For PCUs certified under UL1076, only FIPS 140-2 will be the accepted encryption certification and method. The AO can approve alternative methods but must be noted in the IDS Certificate. IDS Admin that are SCI cleared must maintain and change all default profiles, PINs, or passcodes to a unique PIN/passcode.


More IDS specifications will be explored in the next installment: Part 8.2.


Does your facility require a SCIF? KL Security offers SCIF Container Solutions with panelized modular systems for scalable modular, portable, & mobile requirements.  We assist in the acquisition of modular facilities for DoD & Government Access Control and ICD705 SCIFs or SAPF facilities. We also assist with special access control planning and commercial business security.


Call 866-867-0306 or email [email protected] to see how the experts at KL Security can assist your facility in security needs.

Technical Specifications for Construction and Management of Sensitive Compartmented Information Facilities
SCIF Container Series | Part 1: Site Evaluation
SCIF Container Series | Part 2: Design Planning Checklist
SCIF Container Series | Part 3: Perimeter Wall Construction – Wall A
SCIF Container Series | Part 4: Perimeter Wall Specifications – Wall B
SCIF Container Series | Part 5: Perimeter Wall Specifications – Wall C
SCIF Container Series | Part 6: Vents and Ducts
SCIF Container Series | Part 7: Modular SCIFs

Information has been gathered from sources deemed reliable but not guaranteed and is subject to change without notice. The information contained in this site is provided for informational purposes only.