What is TEMPEST?

Understanding what is TEMPEST in SCIF construction and TEMPEST mitigations

Among the special security considerations in place for dealing with Classified information, TEMPEST is a recently growing piece that requires its own set of construction mitigations. Electronic systems give off a signal that can be exploited by adversaries to gain access to information, given they use the right equipment. These signals are referred to as unintended emanations, and TEMEPST is the study, investigation and mitigation of these emanations. While TEMPEST looks like an acronym, it is actually an Unclassified short name.

In the ICD 705 Technical Specifications, or Tech Spec, the mitigations for TEMPEST concerns are laid out. Currently, TEMPEST mitigations are not a blanket requirement for all SCIFs or SAPFs. This could change in the future, with the Defense Intelligence Agency (DIA) releasing and then rescinding a memo in 2022 requiring Radio Frequency (RF) shielding in future SCIF builds. While that memo was quickly made redundant, it does show that blanket TEMPEST requirements are a possibility, especially as we wait for V 1.6 of the Tech Spec.

A TEMPEST Overview

SCIF and SAPFs are necessary when Classified information is being processed and requires a higher level of security. When a signal is picked up from these facilities, adversaries are able to mirror the screens of computers personnel are using. If they look at Classified information, suddenly that information is compromised. Equipment capable of doing this can even be purchased commercially.

Each piece of equipment that processes information has what’s known as a TEMPEST footprint. This is the distance from the piece of equipment to the furthest point the signal could be picked up. Generally, equipment that uses more power will have a larger footprint.

SCIFs must be built with these concerns in mind, which leads to unique construction requirements.

TEMPEST Mitigations

One major TEMPEST mitigation is the practice of Red/Black separation. Essentially, systems that contain national security information, or Red systems, from those that don’t, or black systems. Any Red systems or circuits must be appropriately shielded, creating a secure boundary. This boundary is going to be the SCIF perimeter.

So how is this boundary created? There are a few forms of mitigation that are often used to block signals, known as RF shielding. One of these is the inclusion of RF-shielding foil in the perimeter wall construction. This foil, added to the walls, floor and ceiling, helps prevent signals from escaping the facility. Data-bearing signals can also travel along pipes and vents, so improperly secured penetrations can carry signals outside the facility. Because of this, pipes must be properly grounded and waveguides added to vents. Both of these interrupt the signal before they’re able to escape the facility.

When it comes to TEMPEST, the mitigations you’re required to include will be determined by the Certified TEMPEST Technical Authority (CTTA). They will work with your Accrediting Official (AO) and your Site Security Manager (SSM) to determine what mitigations are necessary based on your location’s unique risks and vulnerabilities. This will be determined during the pre-construction portion of your project, as you will fill out information in the TEMPEST Checklist that will inform your requirements.

Should you need to add RF shielding to your facility, it’s important to test your wall assembly and penetrations to ensure they’re actually meeting requirements once they’re built. Professional testing services allow you to figure this out so you can move forward confidently with accreditation.

SSU’s team of experts will test your facility to ensure you meet both RF shielding and acoustic protection requirements. We use state-of-the-art equipment to give you results you can trust. Whether you need one room tested or your whole facility, we can meet your needs. Contact us today to learn more.