What is the difference between a SCIF and a SAPF?

A SCIF (Sensitive Compartmented Information Facility) is accredited to handle Sensitive Compartmented Information — intelligence information requiring additional controls beyond collateral Top Secret. A SAPF (Special Access Program Facility) is accredited to handle Special Access Program information — specific DoD, IC, or executive-branch programs with even tighter compartmentation. SCIFs are accredited under ICD 705 by an IC element; SAPFs are accredited under DoDM 5205.07 (for DoD SAPs) by a specific program's security authority.

Can the same facility be both a SCIF and a SAPF?

Yes. Facilities that serve both purposes are accredited as both — a physical envelope that meets both ICD 705 and DoDM 5205.07 requirements, with program-specific access controls layered on top for the SAP compartment. Multi-enclave facilities (JWICS + SIPRNet + SAPF) are common in defense prime environments.

The sponsoring program tells you which. If the program is sponsored under an IC element (CIA, NSA, NGA, NRO, etc.) for SCI handling, you need a SCIF. If the program is a named DoD Special Access Program, you need a SAPF under that program's authority. If the contract covers both SCI and SAP data, you need a multi-variant facility. You do not choose — the program's security authority chooses for you.

Is a SCIF more or less restrictive than a SAPF?

A SAPF for a specific program is typically more restrictive than a SCIF, because SAPs add program-specific access controls on top of the ICD 705 baseline. But the physical construction requirements are similar — both require RF shielding, acoustic treatment, controlled access, intrusion detection, and secure storage. The operational controls differ more than the construction does.

Can I start with a SCIF and upgrade to a SAPF later?

Sometimes. If the SCIF was designed with SAP flexibility in mind — adequate acoustic isolation, compartmentable space, appropriate access control architecture — the retrofit can be manageable. If the SCIF was built minimally to ICD 705 baseline, the retrofit to SAPF is usually closer to new construction. Design with the harder case in mind if there is any chance SAP work is in the future.

Who accredits a SCIF or SAPF?

SCIFs are accredited by the Cognizant Security Authority (CSA) of the sponsoring IC element. SAPFs are accredited by the specific program's security authority — for DoD SAPs, this is typically the Special Access Program Central Office (SAPCO) of the sponsoring service or agency. Accreditation is not a contractor certification; it is a government decision based on an inspection against the applicable standards.

SCIF vs SAPF: The Difference (and What Changes)

The words “SCIF” and “SAPF” get used interchangeably in casual defense-industry conversation, but they are not the same thing. They accredit under different authorities, handle different categories of information, and apply different operational controls. Conflating them in early program planning — or building one when you needed the other — causes rework that is measured in months and millions of dollars.

This article is the practitioner’s clarification. It is aimed at the program manager, facility security officer, CTO, or contracting officer who has just been told the program requires one or the other (or both), and needs to understand what that actually means before the site selection phase starts.

For the full build sequence, see the SCIF and SAPF accreditation playbook and the playbook for first-time SCIFs at venture-backed startups. This article focuses specifically on the distinction.

What a SCIF is

A Sensitive Compartmented Information Facility is a physical space accredited to handle Sensitive Compartmented Information — a category of classified information that requires additional controls beyond collateral Top Secret. SCI typically relates to intelligence sources, methods, and processes.

Governing standards:

ICD 705 (Intelligence Community Directive 705) — Sensitive Compartmented Information Facilities
ICD 705 Technical Specifications — the detailed construction requirements (wall types, acoustic isolation, emanation security, intrusion detection, visitor control)
CNSSI 1253 — security categorization and control selection for national security systems

Accrediting authority: the Cognizant Security Authority of the sponsoring IC element. For a contractor-operated SCIF supporting CIA work, the CSA is CIA Security; for NSA work, NSA Security; for a multi-element SCIF, typically whichever element sponsored the original construction, with reciprocal acceptance possible across elements.

What gets handled in a SCIF: SCI information at collateral TS or TS/SCI classifications. Network enclaves may include JWICS (TS/SCI) and other IC networks. Data may include intelligence products, source information, analytical work, and operational coordination.

Physical construction: meets ICD 705 Technical Specifications — RF shielding appropriate to the threat environment, acoustic treatment (typically STC 50+), secure doors and hardware, alarmed perimeter, access control (typically badge + PIN or biometric), surveillance (cameras covering access points), and secure storage for classified materials.

What a SAPF is

A Special Access Program Facility is a physical space accredited to handle Special Access Program information — a category of classified information with access restrictions beyond standard “need to know.” SAPs exist within DoD, the IC, and executive-branch agencies, each with their own program-specific access controls.

Governing standards:

DoDM 5205.07 Volumes 1–4 — DoD Special Access Program Security Manual (for DoD SAPs)
ICD 705 and related directives — for IC SAPs, which are often structured as SCIFs with SAP overlays
Program-specific security classification guides and standard operating procedures — defining the program’s specific access, handling, and reporting requirements

Accrediting authority: the Special Access Program Central Office (SAPCO) of the sponsoring service or agency for DoD SAPs; the sponsoring IC element’s authority for IC SAPs. Accreditation is program-specific — a SAPF accredited for Program A is not automatically authorized to handle Program B data.

What gets handled in a SAPF: specific Special Access Program information at whatever classification the program carries. This could be TS/SCI with SAP compartments added, or unacknowledged SAP information with different access rules. Network enclaves may include program-specific SAP networks, sometimes called SAPNET or with program-specific names.

Physical construction: typically meets or exceeds ICD 705 Technical Specifications, with additional program-specific requirements layered on. Access controls are substantially tighter — read-on required for each program accessor, personnel security screening beyond collateral TS/SCI clearance, program-specific nondisclosure agreements.

The practical distinction

The cleanest way to think about the distinction:

A SCIF is a facility for handling a category of information (SCI) under IC-wide standards. Who is read on to work in a SCIF is determined by SCI access rules and the individual’s need-to-know. A person cleared for SCI can work in any accredited SCIF their sponsor authorizes them to.

A SAPF is a facility for handling a specific program’s information under program-specific rules. Who is read on is determined by the program itself, typically via a formal read-on process involving program-specific briefings and program-specific NDAs. A person with TS/SCI access who is not read on to the program cannot access the SAPF, even if they work next door in a SCIF.

This distinction drives everything downstream — access controls, visitor procedures, personnel security, badging, network access, even conversation rules in shared common areas.

Why programs pick the wrong one

Three patterns cause first-time programs to build the wrong facility:

1. The contractor knows they need classified space and builds a SCIF by default. A SCIF is the more familiar variant; contractors who have built one before will build another one the same way unless told otherwise. If the program is actually a DoD SAP, the SCIF does not satisfy the SAP requirements and the facility has to be re-accredited or retrofit.

2. The program sponsor was not explicit about the variant required. “Classified space” or “secure facility” in contract language is ambiguous. The contractor assumes a SCIF; the program assumes a SAPF; construction proceeds on one basis and fails accreditation for the other.

3. The program evolves during contract execution. A program may start as SCI-only work and add a SAP compartment later. If the facility was built to minimal ICD 705 baseline, the SAP overlay requires significant retrofit. Facilities designed with SAP flexibility in mind accommodate the evolution at marginal cost.

The fix in all three cases is the same: early, explicit conversation with the program’s security authority about which variant is required, which accrediting body, and what specific standards apply.

The multi-enclave case

Large defense prime facilities commonly handle multiple classified information types in a single building envelope. A typical configuration:

SCIF enclave for IC-sponsored TS/SCI work (JWICS network, standard IC procedures)
SIPRNet enclave for DoD Secret work (separate network, DoD procedures)
SAPF enclave(s) for specific DoD SAPs (program-specific networks and procedures)

These enclaves share the building envelope but operate as separate compartments. Each accreditation is independent; a person cleared for the SCIF may not have access to the SAPF. Physical separation between enclaves is typically achieved through compartmented rooms, separate network runs, separate badge access, and sometimes separate HVAC/utility paths.

Multi-enclave facilities are harder to design, more expensive to build, and more complex to operate than single-enclave facilities. The return on investment comes from the flexibility to take on multi-program work without constructing additional facilities — common for primes running a long-duration multi-program contract book.

What changes for each variant

Three dimensions shift substantially between SCIF and SAPF:

Personnel security. SCIF access requires TS/SCI clearance eligibility and need-to-know. SAPF access requires additional program-specific read-on procedures, which may include polygraph requirements, program-specific NDAs, and program-specific background investigation elements. The read-on process for a SAP can add months to the personnel security timeline.

Access control architecture. SCIFs typically run badge+PIN or biometric access with visitor control. SAPFs add program-specific access layers — sometimes a separate badge required for the SAP compartment within a SCIF, sometimes a separate physical door with a different access control, sometimes an operations-room design where SAP discussions happen only in specific rooms inside a larger SCIF.

Operational procedures. SCIF procedures are defined by the SSO or FSO at a facility level. SAPF procedures include program-specific elements defined by the program’s security officer — how to handle program materials, how to conduct classified meetings, how to visit the facility from outside, how to transport materials. These procedures exist in parallel to the SCIF procedures if the SAPF is inside a larger SCIF.

Physical construction — where they are the same

Ironically, the hardest part of building a SCIF or SAPF — the physical construction — is substantially similar between the two. Both require:

RF shielding appropriate to the threat environment
Acoustic treatment meeting or exceeding STC 50
Secure doors, hardware, and penetration treatments
Alarmed perimeter and intrusion detection
Controlled access with two-factor or better authentication
Surveillance coverage of access points and common areas
Secure storage for classified materials
Emanation security (TEMPEST) where the threat warrants

A well-designed SCIF is typically a reasonable starting point for SAPF accreditation. The delta is primarily in access control architecture, procedures, and personnel security — not in wall construction.

This is why facilities built with SAP flexibility in mind can evolve to serve SAPs without full reconstruction, provided the program’s security authority accepts the design. Facilities built to minimal ICD 705 baseline have less retrofit flexibility.

How to decide

If you are a program manager or CTO facing this decision for the first time:

Ask the sponsoring program directly. “Is this a SCIF, SAPF, or both?” The answer should be unambiguous. If it is ambiguous, escalate until you have clarity before any site selection or design work starts.
Identify the accrediting authority. Different authorities have different interpretations of ICD 705. Getting the authority’s design preferences in writing early saves rework.
Design for the harder case. If there is any chance of SAP work during the facility’s useful life, design with SAP flexibility from the beginning. Retrofit from baseline SCIF to SAPF is more expensive than designing for SAP flexibility up front.
Budget for separate accreditation processes. Even in a multi-enclave facility, each enclave accredits under its own authority on its own timeline. Sequence the accreditations rather than expect simultaneous completion.

When to engage

The single highest-impact moment for outside advisory is before the program signs the lease or breaks ground. Early design decisions cascade through the entire program. A fifteen-minute call with a practitioner who has built both variants usually clarifies the right path faster than weeks of internal debate.

Our Classified Networks practice handles both single-variant SCIFs and SAPFs and multi-enclave facilities that combine them. For programs at the contract-award phase, a scoping conversation typically surfaces the facility variant question and lands a clear design direction before the next program milestone.

SCIF vs SAPF: the difference, and why programs pick the wrong one