Fortinetics

SCIF and SAPF accreditation — ICD 705 compliance end to end.

A SCIF is accredited space for handling Sensitive Compartmented Information. A SAPF is the same plus Special Access Program controls. We advise defense primes and government program offices on SCIF design, SAPF construction sequencing, multi-enclave classified network architecture, TEMPEST countermeasure coordination, and the Fixed Facility Checklist documentation that Authorizing Officials actually approve. We've handled three classified network enclaves in parallel within a single SAPF envelope for a Space Force program.

  • ICD 705: primary construction standard
  • 3 enclaves: parallel in one SAPF
  • 12–24 mo: typical accreditation window

SCIF vs SAPF — the short answer

A SCIF (Sensitive Compartmented Information Facility) is accredited for processing, storing, and discussing Sensitive Compartmented Information — intelligence data derived from sensitive sources and methods. Construction and operational standards come from ICD 705 and the IC Tech Specs.

A SAPF (Special Access Program Facility) is accredited for Special Access Program material under DoD Manual 5205.07. SAPFs typically share construction standards with SCIFs (ICD 705 is the benchmark) but add SAP-specific access control, compartmentation, and program-security procedures. Every SAPF is also a SCIF; the reverse is not always true.

For a practitioner, the relevant distinction is who approves the accreditation — a Cognizant Security Authority for SCI, or a Program Security Officer + SAP Central Office for SAP — and which program's security procedures govern the day-to-day operations.

Who needs a SCIF or SAPF?

Defense primes and subcontractors supporting programs that process SCI or SAP material. The contract specifies the classification envelope; the facility follows. Many primes maintain multiple SCIFs across sites.

Government program offices bringing existing federal facilities back into service or building new ones. Our work has included direct-government advisory relationships where the program office names the network integration POC, independent of the executing prime.

Venture-backed startups with emerging classified customer work. Less common historically, but increasingly relevant as defense-tech startups win first classified contracts. Startup SCIFs require a government sponsor for the Facility Clearance; the sponsor relationship is the gating step.

The framework stack

A SCIF or SAPF accreditation pulls from several overlapping standards. Knowing which one dictates which requirement saves meaningful time during documentation drafting:

  • ICD 705 — the primary physical and technical construction standard. Wall construction, intrusion detection, acoustic attenuation, emanation protection, alarm response timing.
  • IC Tech Specs for ICD 705 — detailed technical specifications implementing ICD 705. Where wall types, door specifications, TEMPEST requirements, and cabling rules live.
  • CNSSI 1253 — Committee on National Security Systems Instruction. Security categorization and control baseline for National Security Systems (extends NIST 800-53 with NSS overlays).
  • NISPOM (32 CFR 117) — National Industrial Security Program Operating Manual. Governs how cleared contractors handle classified information and operate classified facilities.
  • DoD Manual 5205.07 — DoD SAP Security Manual, governing SAPF-specific requirements.
  • RMF / NIST 800-37 — Risk Management Framework for authorizing information systems (ATO) within the facility.

Multi-enclave SAPFs

Some programs require multiple classified network enclaves within a single facility envelope. A Space Force SAPF we advised on operated three parallel enclaves: JWICS (TS/SCI), SIPRNet (Secret), and a Space Force program network (TS/SI/SAR). Each enclave had independent crypto, dedicated circuits, and a distinct sponsor — inside one facility meeting ICD 705 construction standards.

Multi-enclave architectures are the hardest SAPF engineering problem. The network integration point-of-contact role coordinates across the program office, the prime, the FSO, and each enclave's sponsor. TEMPEST considerations multiply across enclaves. Cable-path engineering becomes three-dimensional rather than two-dimensional. The payoff is a single facility that supports multiple classified missions, but the engineering discipline must match the complexity.

Why Fortinetics for SCIF and SAPF work

Active multi-enclave experience. We operate across three classified network enclaves (JWICS, SIPRNet, Space Force) in parallel inside a single SAPF envelope — a configuration that forces the hardest SAPF engineering decisions and that we've made repeatedly.

Government-direct advisory relationships. We've been named by a Space Force program office as the primary network integration point of contact for a salvaged federal SCIF — a direct government-to-firm relationship outside the typical prime-subcontractor flow.

Documentation fluency. The Fixed Facility Checklist, Construction Security Checklist, TEMPEST countermeasure review, and accreditation package that the Authorizing Official actually needs — not the documentation a construction firm assembles, but the documentation an AO approves.

Advisory, not construction. We advise. Construction itself is executed by cleared construction contractors. Our value is in engineering decisions made before the drywall goes up and in documentation that maps cleanly to accreditation approval.

Recent regulatory changes

What changed recently in SCIF / SAPF.

  • April 2026
    GAO Report 26-107861 — 815 cleared-contractor security violations in FY2025

    DCSA documented 815 violations across 4,600+ reviews plus 1,032 open vulnerabilities. Data spills dominate at ~60%, improper storage 11.5%, unauthorized access 6.5%. DCSA reviews only 25-30% of the cleared industrial base annually — real industry violation count is likely 2,500-3,300 per year, most never observed.
  • June 2025
    2025 ICD 705 update — first major SCIF standard overhaul since 2010

    Raised minimum RF attenuation (typically 60 dB, structurally integrated), tightened acoustic controls, and enhanced TEMPEST countermeasures. Most existing SCIFs are now architecturally non-compliant with the updated technical specifications.
  • June 2025
    AOs expect earlier documentation at project initiation

    The 2025 update shifted compliance risk toward the design phase rather than inspection. Accrediting authorities now expect earlier security coordination, earlier documentation, and stronger design-to-construction-to-accreditation alignment. Late-stage compliance discovery is being flagged as higher risk.

Frequently asked

Questions we get about SCIF / SAPF.

Can a venture-backed startup actually get a SCIF?
Yes, but not without a government sponsor. Commercial startups cannot self-sponsor a SCIF — a cleared government agency or DoD component must sponsor the facility and designate the Authorizing Official. The sponsor relationship is typically established through a contract that requires classified work, and the Facility Clearance process runs in parallel with the physical SCIF construction. Plan for 15–24 months from sponsor identification to operational accreditation.

What does ICD 705 actually require?
ICD 705 is the Intelligence Community Directive that specifies construction, acoustic, TEMPEST, access control, and documentation standards for SCIFs. It governs wall construction, door hardware, HVAC penetrations, sound attenuation performance, physical access devices, alarm systems, and the Fixed Facility Checklist documentation demonstrating compliance. Implementation details are in the ICD 705 Technical Specification, which gets revised periodically — always work from the current version.

Does Fortinetics design or construct SCIFs?
We advise. We work with the program office, the facility security officer, and the executing prime contractor on network architecture, TEMPEST countermeasure coordination, multi-enclave integration, and the accreditation documentation set. Construction itself is executed by cleared construction contractors. Our value is in the engineering decisions made before construction begins and in the documentation that the Authorizing Official actually needs to approve the facility.

What's TEMPEST and do we need it?
TEMPEST is the set of standards and techniques for preventing information leakage via unintended electromagnetic emanations from electronic equipment. TEMPEST countermeasures may be required inside SCIFs and SAPFs depending on the inspectable space available and the threat assessment. The program is managed by NSA. Whether your facility needs TEMPEST countermeasures is a determination made by the Authorizing Official based on program requirements and physical environment.

How does FCL (Facility Clearance) relate to SCIF accreditation?
FCL is a determination by DCSA that a contractor facility is eligible to handle classified information. SCIF accreditation is the specific accreditation of a physical space within that facility for SCI handling. Both are required for a contractor to operate classified work; FCL is a prerequisite or parallel process. First-time FCL typically takes 8–14 months; SCIF construction and accreditation another 12–18 months; the two tracks usually overlap rather than sequence.

Next step

Book a scoping call.

Thirty minutes. We'll walk through your specific SCIF / SAPF target, current posture, and what a realistic engagement shape looks like. NDA-first when the scoping needs sensitive detail.