Designing to Military Standards

SMMA has designed a number of highly secured spaces for Army Reserve and National Guard training facilities, including arms vaults, communications security (COMSEC) areas, and secret internet protocol router network (SIPRNet) cafés, the latter being among the most challenging and interesting, in terms of design. 

What follows is an overview of the criteria used to design a SIPRNet café. This article is acronym heavy, and every effort has been made to spell out terms used by the Army Reserve.

Per the Army Reserve IT Manual, the implementation of SIPRNet in an Army Reserve facility is based on encryption within SIPRNet cafés—these spaces are dedicated to the transmission and reception of secure information. Strict adherence to United States Army Reserve Command (USARC) requirements must be maintained during the design and construction of such spaces. 

Throughout the design process, the entire SIPRNet system is reviewed with, and approved by, a civilian division, known as the G6, contracted by the USARC. The G6 manages the USARC Enterprise Architecture Program, directs a staff of Army civilians and contractors, and ensures that the activities of the USARC Enterprise Services Activity (ESA) Divisions (Network Services, Network Applications, and Information Management Services) comply with USARC Enterprise Architecture.

Image: SCIF-in-a-Box by Trusted Systems, for an SMMA-designed SIPRNet café

Diagram of a standard SIPRNet café layout from SMMA

The SIPRNet Café

This is a diagram of a standard SIPRNet café layout, taken from the Army Reserve IT Manual, showing workstations and the General Services Administration-approved container (dashed box labeled GSA), the network equipment cabinet where sensitive data is encrypted. The contractor is responsible for providing infrastructure to connect to the Government-provided equipment.

SIPRNet Color Coding

 

BLACK System

The BLACK System, also known as the Sensitive but Unclassified (SBU) System, comprises standard telecommunications pathways, cables, devices, and equipment that are physically separated from the RED System (see next item). The BLACK System processes and carries only unclassified and/or encrypted information.

BLACK System communications lines, devices, and equipment must be installed at a minimum of 39 inches from the GSA-approved container, and a minimum of 6 inches from RED lines; BLACK voice and data outlets must be installed a minimum of 20 inches from RED outlets.

A 2-inch intermediate or rigid steel conduit is provided from the GSA-approved container to the Telecommunications Equipment Room (TER), with the BLACK backbone cables necessary to support the encryption equipment.

 

RED System

The RED System processes and carries unencrypted classified signals. It consists of telecommunications pathways, conduits, cables, devices, and equipment that are mounted exposed on the walls for daily visual inspection, to allow any tampering to be detected. As noted above, the RED System is physically separated from the BLACK System—as its name indicates, cables and jacks are specified to be red.

The GSA-approved container is located to provide a minimum 39 inches of separation from BLACK lines, except the BLACK horizontal cables that connect to the GSA-approved container, noted above. It must also be located to provide a minimum 39 inches of separation from fortuitous conductors, such as HVAC ducts, pipes, and equipment.
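The separation minimums stated above can be checked mechanically against a plan drawing. The following Python check is an added example, not taken from the Army Reserve IT Manual or from SMMA; the item kinds, the `feeds_container` flag, the 2D plan-view geometry (inches) and the sample layout are assumptions made for illustration.

```python
import math

# Minimum separations (inches) as stated in the article: (kind_a, kind_b, minimum).
RULES = [("black_line", "container", 39), ("black_line", "red_line", 6),
         ("black_outlet", "red_outlet", 20), ("container", "fortuitous", 39)]

def pt_seg_dist(p, a, b):
    """Distance from point p to segment a-b; a == b is treated as a point."""
    (ax, ay), (bx, by), (px, py) = a, b, p
    dx, dy = bx - ax, by - ay
    if dx == 0 and dy == 0:
        return math.hypot(px - ax, py - ay)
    t = max(0.0, min(1.0, ((px - ax) * dx + (py - ay) * dy) / (dx * dx + dy * dy)))
    return math.hypot(px - (ax + t * dx), py - (ay + t * dy))

def seg_seg_dist(s1, s2):
    """Minimum distance between two segments; 0.0 if they cross."""
    (a, b), (c, d) = s1, s2
    def side(p, q, r):
        return (q[0] - p[0]) * (r[1] - p[1]) - (q[1] - p[1]) * (r[0] - p[0])
    if side(a, b, c) * side(a, b, d) < 0 and side(c, d, a) * side(c, d, b) < 0:
        return 0.0
    return min(pt_seg_dist(a, c, d), pt_seg_dist(b, c, d),
               pt_seg_dist(c, a, b), pt_seg_dist(d, a, b))

def check_layout(items):
    """Return (name_a, name_b, measured_inches, required_inches) per violation."""
    violations = []
    for kind_a, kind_b, need in RULES:
        for a in (i for i in items if i["kind"] == kind_a):
            for b in (i for i in items if i["kind"] == kind_b):
                # Exception from the article: BLACK horizontal cables that
                # connect to the GSA-approved container may approach it.
                if kind_b == "container" and a.get("feeds_container"):
                    continue
                d = seg_seg_dist(a["seg"], b["seg"])
                if d < need:
                    violations.append((a["name"], b["name"], round(d, 1), need))
    return violations

# Constructed sample plan (not a real facility); outlets are zero-length segments.
SAMPLE_LAYOUT = [
    {"name": "container", "kind": "container", "seg": ((0, 0), (0, 24))},
    {"name": "black_backbone", "kind": "black_line", "seg": ((0, 24), (0, 200)), "feeds_container": True},
    {"name": "black_run_1", "kind": "black_line", "seg": ((30, 0), (30, 100))},
    {"name": "red_branch", "kind": "red_line", "seg": ((34, 50), (50, 50))},
    {"name": "black_outlet_A", "kind": "black_outlet", "seg": ((100, 0), (100, 0))},
    {"name": "red_outlet_A", "kind": "red_outlet", "seg": ((115, 0), (115, 0))},
    {"name": "hvac_duct", "kind": "fortuitous", "seg": ((-50, -10), (-50, 60))},
]
```

Calling `check_layout(SAMPLE_LAYOUT)` flags the BLACK run that passes 30 inches from the container, the same run passing 4 inches from a RED branch, and the outlet pair only 15 inches apart; the backbone feeding the container is exempt from the container rule.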

The protected distribution system is a hardened distribution system that affords significant physical protection, preventing unauthorized personnel from gaining access without being discovered.

RED cables are installed in electrical metallic tubing or steel conduit utilizing fittings of the same material. The conduit system is designed in a tree-type arrangement, beginning in the SIPRNet café with a single conduit sized to contain all of the cables, while allowing for 50% growth. Pull boxes are used to branch the carrier to workstation outlets, and a call button for personnel outside the room is located on the corridor wall adjacent to the door.

Security IDS

Intrusion-Detection System (IDS)

The SIPRNet café requires a security IDS that consists of a balanced magnetic switch for the door, complete motion detector coverage within the space, and an entry card-key reader. The Government provides the electronic devices, and the contractor is responsible for conduit and box provisions and power.

Additional Requirements

In addition to the telecommunication and security systems described above, the café must be designed and constructed to an extensive array of stringent building and mechanical system requirements, including:

  • Floors, Walls, and Roofs: The construction of the walls, floor, and roof must utilize permanent materials (e.g., plaster, gypsum wallboard, metal panels, hardboard, wood, plywood, etc.) that offer resistance to, and evidence of, unauthorized entry into the area. Walls are extended to the true ceiling and attached with permanent construction materials, using mesh or 18-gauge expanded steel screens.

  • Ceilings: These are constructed of plaster, gypsum, wallboard material, hardware, or other similar material that the command security manager deems to be of equal strength.

  • Doors: The access door to the room is substantially constructed of wood or metal. The hinge pins on out-swing doors are pinned, brazed, or spot-welded, to prevent removal. The door is equipped with a built-in, GSA-approved combination lock meeting federal specifications. Doors, other than the access door, are secured from the inside by a variety of means—examples include deadbolt locks, panic deadbolt locks, and rigid wood and metal bars that extend across the width of the door. Key-operated locks that can be accessed from the exterior side of the door are prohibited.

  • Windows: Windows that are less than 18 feet above the ground when measured from the bottom of the window, or that are easily accessible by means of objects directly beneath the windows, are constructed from or covered with materials that provide protection from forced entry. The protection provided to the windows need be no stronger than the contiguous walls.

  • Openings: Utility openings, such as ducts and vents, are designed to be smaller than a person-passable opening (96 square inches). Openings larger than 96 square inches are hardened in accordance with Military Handbook 1013/1A, which provides guidance to ensure that appropriate physical security considerations are included in the design of facilities.

 

Images not property of SMMA. Left: US Army. Middle: US Army Flickr. Right: Virginia National Guard Public Affairs

  • Two US Army servicemen looking at a laptop screen
  • A row of US Army servicemen and women typing at computers
  • US Army privates working in a SIPRNet café

SMMA’s acquired expertise in the design of highly secure spaces like the SIPRNet café carries over to the design of other facilities that may not require the same level of protection, but demand the same level of detail, to meet the specific criteria of a wide range of project types.