Choosing the Right Modular SCIF Vendor
Purchasing a modular SCIF has many advantages, such as expedient acquisition, low cost, and easy installation. Modular SCIFs are now more frequently the preferred solution over traditional construction, which makes it more important than ever to understand the differences between modular SCIF vendors to ensure your SCIF will be fully secure and accredited.
When evaluating vendors, there are many factors to consider. Their ability to meet specifications, deliver on time, and stay on budget are all important. However, the most critical component is their track record with successful accreditation. A vendor’s ability to deliver a modular SCIF that will achieve accreditation is dependent on one aspect that should never be overlooked by the purchaser— the security of the vendor’s manufacturing process.
While there may be a detailed Construction Security Plan (CSP) for the installation site, some modular SCIF manufacturers can have multiple construction locations. Every site where manufacturing and assembly of a modular SCIF occurs represents a potential security risk when the proper security procedures and “Security In-Depth” are not in place. It’s in the best interest of the purchaser to use a vendor who has one manufacturing location, guaranteeing the SCIF’s integrity and facilitating accreditation.
It is entirely possible for two different vendors to each deliver very similar SCIF units that are physically identical in almost every way. Yet, one may not receive accreditation, while the other does, primarily due to the Accrediting Official’s (AO’s) approval of the security that must be integrated into the manufacturing process.
A Subject Matter Expert with SPG, a company recognized as one of the foremost leaders in this field today, explains, “With modular SCIFs, choosing a manufacturer who has verified, in-depth security measures in place throughout their production process is essential for accreditation. It is almost impossible to fix or retrofit a modular SCIF that was manufactured using practices that lack this process. ICD705 clearly states, ‘Security begins when the initial requirement for a SCIF is known. To ensure the integrity of the construction and final accreditation, security plans should be coordinated with the AO before construction plans are designed, materials ordered, or contracts let.’ The smart plan is to have a collaborative conversation with your AO to ensure pre-approval of all of the requirements up front for this process.”
Before choosing a vendor for your modular SCIF, be sure to conduct in-depth research to ensure you’ve accounted for some of the following (not all inclusive):
- How many different locations will the SCIF be moved during manufacturing?
- What security measures are in place at each of these locations? (Access controls, 24/7 surveillance, gates/fences, etc.)
- Can the vendor assist you through the Accreditation Process to include the Accreditation Documentation? (Construction Security Plan (CSP), Fixed Facility Checklist (FFC), TEMPEST Worksheet, etc.)
- What security measures are in place for project documents?
- Do they meet the latest NIST requirements for cyber security?
- How do they secure the transfer of digital information?
This degree of research will help in choosing a modular SCIF vendor that is experienced, capable, and understands the importance of security at every step of the manufacturing process. It will aid in avoiding the headache and enormous expense of a failed accreditation, and ultimately result in receiving an accredited SCIF that is delivered on time, on budget and ready to deploy for the mission.