Accreditation for Secure Facilities
There are many potential pitfalls during the programming, design and construction of secure facilities that must be overcome in order to avoid expensive change orders, schedule delays and worst of all, an inability to utilize the facility for its intended operation and mission.
By Roseana D. Richards, P.E., LEED AP, M.SAME, and Daniel Langevin
The sharing of secure information is critical to achieving mission success. Having the right classified facility to disseminate information is vital. One of the final requirements in the design and construction of a secure facility in which sensitive or classified information is discussed, handled, or stored is to obtain an accreditation. Not being able to obtain the accreditation, or having to make other arrangements in order to satisfy mission requirements can be disruptive, costly, or both.
“UFC 4-010-05, Sensitive Compartmented Information Facilities Planning, Design and Construction” was first issued in February 2013 as the flagship UFC for secure facilities. Although there are some unique and specialized design and construction requirements for a secure facility, years of experience show that it is not so much the design and construction materials that make the difference, it is the process in getting there.
The key to creating a smooth and successful process is to ensure that all of the involved stakeholders are engaged from the programming stage all the way through to the final accreditation. The accreditation process needs to be fully understood by those that are programming, planning, designing and constructing the facility.
LESSONS FOR SUCCESS
So what are the recommendations to be able to execute the design and construction of a secure facility project successfully? Here are a few best practices that have been learned along the way:
- Connect with experts early. Identify and engage the Accrediting Official (AO) and the Site Security Manager (SSM) as early in the programming and planning stages as possible. Their assessment of the potential risks based upon the activities being conducted within the secure facility is paramount to identifying what construction classifications, levels of security and security systems will be necessary in order to achieve mission requirements. Secure facilities traditionally cost more on a square foot basis than similar non-secure facilities. Therefore, it is critical to program adequate funding and plan spatial needs at the start.
- Know the stakeholders involved. A design charrette where all stakeholders are present is a great way to enable the architectural and engineering design team to closely coordinate with those who will be working within the secure facility as well as those that will be involved in the accreditation. These early introductions of all stakeholders can pay huge dividends in opening up the channels of communication so that questions and clarifications can be answered in a timely manner.
- Understand the client’s needs. During project planning and early design, the architect and engineering team need to work closely with the SSM and others, such as the Certified TEMPEST Technical Authority and the Mission Users, to fully understand their operations and functions. Since these individuals may not necessarily be experts in understanding how to interpret drawings and specifications, it is critical to create opportunities for the design team to explain the design functionality and collaborate with them on it. Periodic review and oversight by the AO is also highly recommended during the design, as the construction details and system functionality ultimately will require his/her approval.
- Assess progress throughout the project. Similar to any code official, the AO’s interpretation of the various regulations and criteria can vary from the designer’s; therefore it is important to discuss the design approach and gain their concurrence with how the criteria are being satisfied. This concurrence can make a huge difference in avoiding surprises later in the design or construction process. As an example, security-in-depth refers to mechanisms in which the probability of detection is increased before the actual penetration of the secure area occurs. If security-in-depth exists (such as fences, secured perimeters, and other security systems), the AO may approve alternative construction requirements based on analytical risk management. Using this framework, the AO balances the threat against known vulnerabilities, allowing the protection of critical assets with an acceptable level of risk.
- Be detail-oriented. The routing of various mechanical, electrical and communications systems throughout a secure facility matters. Penetrations of secure spaces potentially create vulnerabilities which require regular inspections. Knowing where the AO and SSM will allow these penetrations to be located is critical to meeting mission requirements. Not knowing where they can exist may cause re-design delays at best and re-design and construction delays and change orders at worst.
- Document and verify. The design documents not only need to provide adequate detail and information for the specialized construction and systems, they also need to stipulate the specialized documentation required to validate the construction materials and quality were provided as intended. This requires the contractor and/or the SSM to photograph or otherwise document the construction prior to enclosing systems within walls or spaces. If allowed by the AO, the governing criteria should become a part of the specifications, so the contractor is fully aware of the accreditation checklist and process.
- Allow for flexibility. If tying into existing security and controls systems requires the same manufacturer (a sole source) in order for the systems to function properly, then obtain the necessary justification and authorizations for those systems during the design phase. Allowing flexibility in equipment procurement in the construction documents may result in change orders and delays, especially if the new system cannot communicate properly with the existing.
- Develop a Construction Security Plan. Renovation of secure facilities necessitates that the SSM create a Construction Security Plan to address how the existing secure space will be protected during the construction process. It is important that the architectural and engineering design team understand what limitations this will place on the construction contractor and clearly identify any restrictions which might otherwise impede their progress. If the Construction Security Plan is not developed until construction begins, then the probability for construction delays and change orders increases.
- Utilize the design team during construction. Although many Department of Defense agencies provide a resident engineer to oversee construction, it is highly recommended that the design team be utilized as part of the construction oversight process. Their knowledge of the design and of the stipulations and requirements communicated by the users could be invaluable to keeping the project on track throughout construction. Regardless of who is on site, daily observations of the construction are highly recommended to ensure not only that the quality meets expectations, but that all appropriate documentation is provided.
Secure facilities can be successfully executed through several project delivery methods—including design-bid-build, design-build and construction manager at-risk to name a few. However, an emphasis on selecting companies that have previous experience in either the design or construction of secure facilities is highly recommended. Architects, engineers and contractors who cannot demonstrate a sophisticated quality control program are likely to struggle in understanding the importance of paying attention to detail and meeting the specialized requirements of a secure facility.
In the end, the ultimate goal is to provide the users with a facility in which their operations can be successfully executed and the AO provides approval. By having all stakeholders engaged from the beginning and keeping the finish line in mind throughout (the accreditation), there will be a greater probability for success with minimal surprises.