us-jafan-6-9, Wikileaks, Compleat Wikileaks Archive, Misc [ Pobierz całość w formacie PDF ]
Change One to Annex B incorporated on 9 December 2004
J
OINT
A
IR
F
ORCE -
A
RMY –
N
AVY
Manual
Physical Security Standards
for Special Access Program Facilities
23 March 2004
TABLE OF CONTENTS
FOREWORD............................................................................ 3
1. POLICY AND CONCEPT........................................................ 4
1.1 Policy Statement.............................................................. 4
1.2 Concept........................................................................ 4
1.3 American Disabilities Act (ADA) Review............................... 4
2. GENERAL ADMINISTRATIVE................................................. 5
2.1 SAP Facilities (SAPFs)...................................................... 5
2.2 Physical Security Preconstruction Review and Approval.............. 5
2.3 Accreditation.................................................................. 5
2.4 Co-Utilization................................................................. 6
2.5PersonnelControls........................................................... 6
2.6 Control of Combinations.................................................... 6
2.7 Entry/Exit Inspections....................................................... 6
2.8 Control of Electronic Devices and Other Items......................... 6
3. PHYSICAL SECURITY CONSTRUCTION POLICY FOR SAPFs....... 7
3.1 Construction Policy for SAP Facilities................................... 7
3.2 Temporary Secure Working Area (TSWA).............................. 8
3.3 Requirements Common To All SAPFs; Within The
US and Overseas............................................................. 9
4. CONSTRUCTION SPECIFICATIONS......................................... 10
4.1 Vault Construction Criteria................................................. 10
4.2 SAPF Criteria When Using Permanent Dry Wall Construction...... 11
4.3 SAPF Construction Criteria When Using Steel Plate.................. 11
4.4 SAPF Construction Criteria When Using Expanded Metal........... 11
4.5General......................................................................... 11
5. GLOSSARY.......................................................................... 11
ANNEX A - SAPF Accreditation Checklist........................................ 14
ANNEX B - Intrusion Detection Systems (IDS)................................... 33
ANNEX C - Acoustical Control and Sound Masking Techniques.............. 41
ANNEX D - Personnel Access Controls............................................ 43
ANNEX E - Telecommunications Systems and Equipment...................... 45
2
FOREWORD
This Manual provides enhanced Physical Security Standards for Special Access Program
Facilities (SAPFs) supporting Air Force, Army and Navy DoD SAPs and SAP-type
compartmented efforts established and approved by the Executive Branch.
The Director of Central Intelligence Directive (DCID) 6/9 of 18 November 2002 was used as the
model publication from which this Manual was crafted. The subject matter and order of
presentation closely resemble DCID 6/9. No specific security measure contained in this Manual
exceeds the requirements for physical security standards supporting Sensitive Compartmented
Information (SCI) facilities.
Throughout this Manual it is understood that whenever a security alternative is specified for a
SAP by the government Program Security Officer (PSO), his or her authority is strictly based on
the security determinations of the service component Cognizant Security Authority/Agency
(CSA). CSA is defined as Authorities/Agencies of the Department of Defense (DoD) military
departments that have been delegated the responsibility authorized by E.O. 12829 to establish an
industrial security program for the purpose of safeguarding classified information under the
jurisdiction of each military department when disclosed or released to U.S. Industry. This
authority is complemented by the National Industrial Security Program Operating Manual
(NISPOM) and the DoD Overprint to the NISPOM Supplement, and for the purposes of this
directive specifically refers to the DoD military department Special Access Program (SAP)
activities authorized by E.O. 12958 employing enhanced security measures exceeding those
normally required by DoD 5200.1-R for information at the same classification level. DoD SAP
CSAs are the DoD military department Special Access Programs Coordinators (SAPCOs).
The provisions of this Manual are applicable to all government and contractor personnel
participating in the administration of DoD SAPs. In cases of doubt over the requirements of this
Manual, users should consult the PSO prior to taking any action or expending program-related
funds. In cases of extreme emergency requiring immediate attention, the action taken should
protect the Government's interest and the security of the program from compromise.
This Manual is intended to be a living document. Users are encouraged to submit change
recommendations to service component SAPCOs via their cognizant security office.
JOHN. B. HENNESSEY MARK T. DOODY JOHN E. PIC
Director, Security and Special COL, GS Director, Special Programs
Programs Oversight Chief, Technology Management Office (CNO(N7SP))
ffie (TM)
USAF
USA
USN
3
1. POLICY AND CONCEPT
facility vice the transmission requirements of
classified material outlined in the DoD Overprint to
the NISPOMSUP.
1.1
Policy Statement
1.1.1
Physical security standards are hereby
established governing the construction and protection
of facilities for storing, processing, and discussion of
Special Access Program (SAP) information which
requires extraordinary security safeguards.
Compliance with this Joint Air Force-Army-Navy
Implementation Manual (hereafter referred to as the
"Manual") is mandatory for all Special Access
Program Facilities (SAPFs) established after the
effective date of this manual, including those that
make substantial renovations to existing SAPFs.
Those SAPFs approved prior to the effective date of
this Manual will not require modification to meet
these standards; however, documentation approved
by the PSO must be maintained on file within the
SAPF indicating that the physical security
construction of the facility occurred prior to the
effective date of this Manual.
1.2
Concept
1.2.1
SAPF design must balance threats and
vulnerabilities against appropriate security measures
in order to reach an acceptable level of risk. Each
security concept or plan must be submitted to the
PSO for approval. For the purposes of this Manual,
the PSO is defined as the accreditation authority for
the compartmented facility. Protection against
surreptitious entry, regardless of SAPF location, is
always required. Security measures must be taken to
deter technical surveillance of activities taking place
within the SAPF. TEMPEST security measures must
be considered if electronic processing of SAP
information is involved.
1.2.2
On military and civilian compounds,
security controls may exist such as identification
checks, perimeter fences, police patrols, and other
security measures which form a basis for what is
considered "security-in-depth." Security in-depth is
considered when supplemental protection is afforded
together with the SAPF location whereas internal
security systems may be sufficient to be used in lieu
of certain physical security or construction
requirements contained in this Manual.
1.1.2
The physical security safeguards set forth
in this Manual are the standards for the protection of
SAP information within the Departments of the Air
Force, Army and Navy. Only the Component Level
SAP Central Office may impose more stringent
standards if they believe extraordinary conditions and
circumstances warrant. This authority may only be
delegated by the Service Component SAPCO.
Additional cost resulting from more stringent
standards should be borne by the requiring Agency,
Department, or relevant contract.
1.2.3
Proper security planning for a SAPF is
intended to deny foreign intelligence services and
other unauthorized personnel the opportunity for
undetected entry into those facilities and exploitation
of sensitive activities. Faulty security planning and
equipment installation not only jeopardizes security
but wastes money and resources. Adding redundant
security features causes extra expense which could be
used on other needed features. When security
features are neglected during initial construction,
retrofitting of existing facilities to comply with
security requirements becomes necessary and
extremely costly.
1.1.3
In situations where conditions or
unforeseen factors render full compliance to these
standards unreasonable, security officers in the grade
of GS-14 or O-5 or above may apply commensurate
levels of protection to specific requirements within
this Manual. Commensurate levels of protection will
not be designed with the intent to reduce or lessen the
security protection of the area of consideration. Any
waivers to the specific requirements of this Manual
must be approved in writing by the Service
Component SAPCO or delegated representative.
1.3
American Disabilities Act (ADA) Review
1.1.4
All SAPFs must be formally accredited in
writing by a government PSO or designee prior to
conducting any SAP activities.
1.3.1
Nothing in this manual shall be construed
to contradict or inhibit compliance with the law or
building codes. PSOs shall work to meet appropriate
security needs according to the intent of this Manual
at acceptable cost.
1.1.5
A single person is now authorized to staff
a SAPF, eliminating the requirement for the two-
person rule concept. The elimination of the two-
person concept applies only to the staffing level of a
4
2. GENERAL ADMINISTRATIVE
2.3.1
The procedures for establishment and
accreditation of a SAPF from conception through
construction must be coordinated and approved by the
PSO.
2.1
SAP Facilities (SAPFs
). A SAPF is an
accredited area, room, group of rooms, buildings, or
installation where SAP may be stored, used,
discussed, and/or electronically processed. SAPFs
will be afforded personnel access control to preclude
entry by unauthorized personnel. Non-SAP
indoctrinated personnel entering a SAPF must be
continuously escorted by an indoctrinated employee
who is familiar with the security procedures of that
SAPF. The physical security protection for a SAPF is
intended to prevent as well as detect visual,
acoustical, technical, and physical access by
unauthorized persons. Physical security criteria are
governed by whether the SAPF is in the United States
or not, according to the following conditions: closed
storage, open storage, continuous operations, secure
working area.
2.3.2
SAP information shall never be handled,
processed, discussed, or stored in any facility other
than a properly accredited SAPF unless written
authorization is granted by the PSO.
2.3.3
An inspection of the SAPF shall be
performed by the PSO or appointed representative prior
to accreditation. Periodic reinspections shall be based
on threat, physical modifications, sensitivity of
programs, and past security performance. Inspections
may occur at any time, announced or unannounced.
The completed fixed facility checklist will be reviewed
during the inspection to ensure continued compliance.
TSCM evaluations may be required at the discretion of
the PSO, as conditions warrant. Inspection reports
shall be retained within the SAPF and by the PSO. All
SAPFs shall maintain on site, current copies of the
following documents:
2.2
Physical Security Preconstruction Review and
Approval.
PSOs shall review physical security
preconstruction plans for SAPF construction,
expansion or modification. All documentation
pertaining to SAPF construction will be restricted and
released on an as-needed basis. The approval or
disapproval of a physical security preconstruction
plan shall be made a matter of record.
h
JAFAN 6/9 Fixed Facility Checklist.
h
Accreditation authorization documents (e.g.,
physical, TEMPEST, and AIS).
h
Inspection reports, including TSCM reports, for
the entire period of SAPF accreditation.
h
Operating procedures, Command/Contractor
Program Security Officer (CPSO) appointment
letters, Memoranda
of
Agreement (MOAs),
Emergency Action Plans, etc.
h
Copies of any waivers granted by the PSO.
2.2.1
The requester shall submit a Fixed Facility
Checklist (FFC, Annex A) to the respective PSO for
review and approval. The completed Fixed Facility
Checklist will be classified in accordance with
specific Program security classification guidance.
2.2.2
The Checklist submission shall include
floor plans, diagrams of electrical communications
wiring, heating, ventilation, air conditioning (HVAC)
connections, security equipment layout (to include the
location of intrusion detection equipment), etc. All
diagrams or drawings must be submitted on legible
and reproducible media.
2.3.4
Inspection: Authorized inspectors shall be
admitted to a SAPF without delay or hindrance when
inspection personnel are properly certified to have the
appropriate level of security clearance and SAP
indoctrination for the security level of the SAPF.
Short notice or emergency conditions may warrant
entry without regard to the normal SAPF duty hours.
Government owned equipment needed to conduct
SAPF inspections will be admitted into the SAPF
without delay.
2.2.3
The PSO shall be responsible for
providing construction advice and assistance and pre-
approving SAPF construction or modification.
2.3
Accreditation.
The PSO will ensure SAPFs
comply with JAFAN 6/9. The PSO is authorized to
inspect any SAPF, direct action to correct any
deficient situation, and withdraw SAPF accreditation.
The procedures for establishment and accreditation of
SAPFs are prescribed below:
2.3.5
Facilities that are presently accredited,
under construction or in the approval process at the
date of implementation of this Manual shall not
require modification to conform to these standards.
2.3.5.1
Facilities undergoing major
modification may be required to comply entirely with
the provisions of this Manual. Approval for such
modifications shall be requested through the PSO and
5
[ Pobierz całość w formacie PDF ]