Are a SCIF and a SAPF built differently?

Largely no. Both follow ICD 705 and its technical specification for construction — sound attenuation, access control, intrusion detection, perimeter protection. A SAPF may add program-specific requirements on top of that baseline, and some SAPs impose stricter or bespoke controls, but the core physical build is shared. The bigger differences are administrative and personnel-related, not structural.

Can a SCIF be used as a SAPF (or vice versa)?

Sometimes, through co-utilization — ICD 705 allows a SCIF to be approved for SAP use, or a SAPF for SCI work — but it is never automatic. It requires explicit agreement from both accrediting authorities, and the more restrictive program's requirements govern the shared space. Design to the highest standard either program demands and obtain the co-use approvals deliberately.

Who accredits a SAPF?

The program's security authority — typically a Program Security Officer under a cognizant SAP Central Office (a DoD SAPCO), working against the DoD SAP security manuals (5205.07 series) and, for information systems, JSIG. This differs from a SCIF, which is accredited by the Accrediting Official of the cognizant Intelligence Community element under ICD 705.

Do I need SCI eligibility to work in a SAPF?

Not necessarily — SAP access and SCI access are separate regimes. SAPF access turns on a Program Access Request, SAP-specific nondisclosure agreements, and billet-based need-to-know for that program. SCIF access turns on SCI eligibility plus a read-on to the specific compartment. A person can be read into a SAP without holding SCI access, and vice versa, depending on the programs involved.

← Compare · CLASSIFIED SPACES

SCIF vs SAPF: the accredited-space distinction that turns on classification regime

A SCIF (Sensitive Compartmented Information Facility) and a SAPF (Special Access Program Facility) are built to substantially the same physical standard — ICD 705 — but they serve different classification regimes and answer to different accrediting authorities. The construction overlaps; the program security framework does not.

The short answer

It's not a free choice — the material you handle decides it. SCI → SCIF; Special Access Program → SAPF. The physical construction is largely shared (both follow ICD 705), so the real divergence is the accrediting authority, the governing security manuals, and the personnel-access regime.

SCIF

You store, process, or discuss Sensitive Compartmented Information (SCI) — compartmented intelligence under the cognizance of an Intelligence Community element. The space is accredited as a SCIF by the responsible Accrediting Official under ICD 705.

SAPF

You handle Special Access Program (SAP) material. The space is accredited as a SAPF under the DoD SAP security framework (the 5205.07 manuals / JSIG), by the Program Security Officer / cognizant SAP authority — built to ICD 705 plus any program-specific requirements.

Side by side

Dimension

SCIF

SAPF

Protects

Sensitive Compartmented Information (SCI) — compartmented intelligence

Special Access Program (SAP) material

Construction standard

ICD 705 (+ the technical specification)

ICD 705 as the baseline, plus SAP program-specific requirements

Governing security framework

ICD 705 / IC directives; the AO's SCI guidance

DoD SAP security manuals (5205.07 series) / JSIG

Accrediting authority

Accrediting Official for the cognizant IC element

Program Security Officer / cognizant SAP security authority (often a DoD SAPCO)

Personnel access

SCI eligibility + read-on to the relevant compartment(s)

Program Access Request (PAR), SAP nondisclosure, billet-based access

Construction elements

Sound attenuation, access control, IDS, perimeter — per ICD 705

Same physical baseline; some programs add stricter or bespoke controls

Co-use / conversion

A SCIF may be approved for SAP use case-by-case (co-utilization)

A SAPF can often host SCI work with the right approvals; not automatic

Typical timeline

Months from design to accreditation, AO-dependent

Similar build; the SAP approval/oversight cycle can add time

Same walls, different authority

The most common misconception is that a SCIF and a SAPF are fundamentally different buildings. They are not. Both are accredited under ICD 705 — the same intelligence-community directive that governs the physical and technical security of secure facilities — and the construction elements (sound attenuation/STC ratings, access control, intrusion detection, perimeter penetration protection, RF considerations where applicable) are drawn from the same technical specification.

What differs is what the space protects and who accredits it. A SCIF protects Sensitive Compartmented Information — compartmented intelligence under an Intelligence Community element — and is accredited by that element's Accrediting Official. A SAPF protects Special Access Program material and is accredited under the DoD SAP security framework (the DoD 5205.07 manuals and, for information systems, JSIG) by the program's security authority. The walls look the same; the paperwork, the oversight chain, and the personnel-access regime do not.

Where the real work diverges

For an organization standing up an accredited space, the construction is the tractable part. The divergence shows up in three places.

Accreditation path. A SCIF accreditation runs through the cognizant IC element's AO against ICD 705. A SAPF runs through the program's security authority against the SAP manuals, which layer program-specific requirements on top of the ICD 705 baseline — and those requirements are sometimes not knowable until you are read into the program.
Personnel. SCI access turns on SCI eligibility plus a read-on to the specific compartment. SAP access turns on a Program Access Request, SAP-specific nondisclosure, and billet-based need-to-know. The vetting and the access-management mechanics are different programs.
Information systems. A SCIF's IS authorization follows the IC's process; a SAPF's follows JSIG. The control sets overlap (both descend from NIST 800-53), but the authorization authority and the specific overlays differ.

Our [SCIF/SAPF accreditation playbook](/insights/scif-sapf-accreditation-playbook/) walks the end-to-end build, and the [SCIF/SAPF framework page](/frameworks/scif-sapf/) covers how we run these engagements.

Building for both

Some organizations need to host both SCI and SAP work. ICD 705 provides for co-utilization — a SCIF can be approved for SAP use, or a SAPF for SCI work — but it is never automatic. It requires the agreement of both accrediting authorities, and the more restrictive program's requirements govern the shared space.

The pragmatic approach: design to ICD 705 to the highest standard either program will demand, document the construction security plan (CSP/FFC) to satisfy both authorities, and secure the co-use approvals explicitly rather than assuming a SCIF "counts" as a SAPF. The cost delta of building to the stricter standard up front is almost always less than retrofitting an accredited space after the fact.

Frequently asked

SCIF vs SAPF — common questions.

What is the difference between a SCIF and a SAPF?: A SCIF (Sensitive Compartmented Information Facility) protects compartmented intelligence (SCI) under an Intelligence Community element and is accredited by that element's Accrediting Official under ICD 705. A SAPF (Special Access Program Facility) protects Special Access Program material and is accredited under the DoD SAP security framework (the 5205.07 manuals / JSIG) by the program's security authority. Both are built to the same ICD 705 physical standard — the difference is the classification regime, the accrediting authority, and the personnel-access process.
Are a SCIF and a SAPF built differently?: Largely no. Both follow ICD 705 and its technical specification for construction — sound attenuation, access control, intrusion detection, perimeter protection. A SAPF may add program-specific requirements on top of that baseline, and some SAPs impose stricter or bespoke controls, but the core physical build is shared. The bigger differences are administrative and personnel-related, not structural.
Can a SCIF be used as a SAPF (or vice versa)?: Sometimes, through co-utilization — ICD 705 allows a SCIF to be approved for SAP use, or a SAPF for SCI work — but it is never automatic. It requires explicit agreement from both accrediting authorities, and the more restrictive program's requirements govern the shared space. Design to the highest standard either program demands and obtain the co-use approvals deliberately.
Who accredits a SAPF?: The program's security authority — typically a Program Security Officer under a cognizant SAP Central Office (a DoD SAPCO), working against the DoD SAP security manuals (5205.07 series) and, for information systems, JSIG. This differs from a SCIF, which is accredited by the Accrediting Official of the cognizant Intelligence Community element under ICD 705.
Do I need SCI eligibility to work in a SAPF?: Not necessarily — SAP access and SCI access are separate regimes. SAPF access turns on a Program Access Request, SAP-specific nondisclosure agreements, and billet-based need-to-know for that program. SCIF access turns on SCI eligibility plus a read-on to the specific compartment. A person can be read into a SAP without holding SCI access, and vice versa, depending on the programs involved.

Go deeper

SCIF · 9 min read

SCIF and SAPF accreditation: a practitioner's sequencing playbook

CMMC · 8 min read

Designing a CUI enclave: seven architectural mistakes that survive through implementation

Framework pages

CLASSIFIED · ICD 705

SCIF & SAPF Accreditation

Not sure which fits your situation?

Book a scoping call.

Thirty minutes. We'll walk through your target, your current posture, and which path — or which combination — actually fits. If the answer is "neither yet," we'll say so.

Book a scoping call →