
POAMs: Intelligence Community Directive 705, Compliance Requirements and Plans of Action

By Jason Phillippe



Secure facilities, while engaged in the protection of national security information, are continually evaluated against the threats, risks and vulnerabilities posed by new technological developments and by the activities of intelligence adversaries. Seismic shifts can occur when new policy standards are promulgated, or when specific deadlines are imposed to ensure uniform compliance with updated policy.

When the latter occurs, industry faces the daunting task of meeting client timelines for its facilities, so that its contracts continue to operate, while balancing this against costs that can dramatically affect annual and projected budgets. For larger organizations that are also budgeting for the construction of new facilities, upgrading existing facilities on a fixed timetable may mean modifying those facilities on a timeline that outpaces the planned new construction. These costs can run into the tens of millions of dollars, and the effects can be devastating to the overall financial health of the organization.

Faced with the prospect of losing or pausing major contracts, how can industry arrive at a suitable remedy that meets client requirements in a measured manner while addressing logistical, financial and national security requirements? In one word: POAMs (Plans of Action and Milestones).

What is a POAM? The official description given by the National Institute of Standards and Technology (NIST), where the term is most typically and widely used, is: “A Plan of Action and Milestones (POAM) is a document that identifies tasks, resources, and deadlines for addressing system weaknesses. It's a tool used primarily in the cybersecurity industry to ensure that a system is compliant with NIST security controls.” POAMs are crucial for any organization looking to enhance its cybersecurity compliance posture, and both government and industry systematically use POAMs to guide them through the correct steps in securing their systems.

In this instance, however, the construct is being reinvented by customers to determine a compliance plan for bringing grandfathered DCID 6/9 and even DCID 1/21 SCIFs/SAPFs up to current ICD 705 standards. For that reason, let’s look at the existing traits of POAM use and the common features we can carry over to secure facility upgrades.

Key components of a POAM include:

  • A description and detailed accounting of the three pillars of risk, threat and vulnerability as they impact the organization. Often, Security Officers already have assessment reports based on previous inspections or assessments they have conducted on their facilities. Many of these assessments were completed in concert with sponsors/stakeholders and can be used to help determine any updates (such as technical requirements) that should be included in bringing the facility(s) up to full ICD 705 compliance

  • An understanding of the resources required and agreed upon milestones for inspection or completion

  • An understanding of the impact to national security measured against the three pillars (risk, threat, vulnerabilities), both during the upgrades and in the form of the detrimental consequences if milestones are not met by the agreed upon dates

  • A detailed outline of contract engagement with the necessary parties for the remediations and mitigations that bring the facility into full compliance with ICD 705 standards, including identification of roles and responsibilities, key stakeholders and the process flow for achieving progress and actionable solutions in meeting the milestones. “Process flow” is further defined as the coordination and communication that needs to occur between internal and external stakeholders

  • Another element may include coordination of the organization’s budget planning with internal stakeholders and coordination on larger business objectives

  • POAMs need to have established milestone objectives, but should also layer in flexibility and adaptability to changes in the three pillars, budgets, or stakeholder requirements


Foundational level requirements to ensure compliance with POAMs:

  • Proactive acknowledgment of the need for a POAM methodology for adherence to customer requirements and objectives

  • An understanding by all internal and external stakeholders of adherence to the agreed upon plan of action, timelines and deliverables. Delays can be cumulative and create vulnerabilities in the protection of national security information.

  • Following from the previous point, regular assessment during the process of completed tasks against the established milestones and completion date


What would the process look like for POAM compliance in upgrading facilities to the ICD 705 standard? At a basic level, probably something like this…


Compliance with the recently issued Memorandum on POAMs

The recently released government memorandum on ICD 705 compliance and POAMs requires several tasks, activities and deliverables to be completed and a POAM to be submitted under hard 2025 deadlines. To meet these requirements, we recommend first conducting an inventory to identify the total number of SCIFs across the entire organization that are not compliant with ICD 705.

The next task is to conduct the required risk assessment, or to modify/upgrade any existing risk assessment data already in place. The memo provides a risk assessment framework that 'may' be used to produce a prioritized list of SCIFs for upgrade based on a composite score (the highest scored SCIFs should be upgraded first).

  • The scoring in the Risk Assessment Table in Appendix A of the memo is based on the 'Indicators of Risk' and may be a bit confusing. This is where ICD 705 and TEMPEST expertise is required to accurately score non-compliant SCIFs

  • The footnotes below the Risk Assessment Table in Appendix A of the same memo are another critical factor for compliance, again requiring in-depth ICD 705 and TEMPEST subject matter expertise

The POAM template in Appendix B of the memorandum is something stakeholders (SCIF/SAPF Owners) 'may' use to develop POAMs for their non-compliant SCIFs. As many stakeholders are likely to adhere to this template, it would be advantageous for most organizations to adopt it for the sake of consistency.

There are three areas of this POAM template where stakeholders should focus their attention:

  • Statement of Understanding: The wording here can be a bit confusing and the larger challenge is likely to be with TEMPEST compliance as there is very little published guidance on TEMPEST

  • Concept of Operations: This activity will require a 'Gap Analysis' to identify all areas of the current SCIF that are not compliant with ICD 705 and TEMPEST requirements. Once those areas are identified, a summary of how the entity will address each area of non-compliance is required; the stakeholder will need to provide the 'how' of upgrading to compliance

  • Lastly, Timeline: Although this memo states a 'good faith' estimate on start date and completion date is required, it is likely that most organizations will not be able to provide that until they understand the cost of upgrading. A cost estimate is likely to be a key component for every SCIF upgrade as part of the Gap Analysis, so entities can factor those costs into their 2026, 2027, and 2028 budgets.

In conclusion, implementing a POAM is integral to achieving ICD 705 compliance under the new customer requirements: it addresses the vulnerabilities, risks and emerging threats to the protection of national security information, and it meets the hard deadlines in the recently released government memo.




SPG is a “Design Build” General Contractor engaged solely in the consulting, design and construction of secure fixed facilities and modular platforms. Any secure facility stakeholder can utilize SPG’s “SCIF PMO as a Service” to address all of the above requirements and provide a “turnkey” solution for your organization in meeting the new ICD 705 compliance mandate. SPG has a successful track record of providing seamless integration and unparalleled expertise in SCIF/SAPF full lifecycle planning, coordination, compliance and accreditation services under a no-cost Master Service Agreement (MSA) contracting format, with a la carte task orders issued as needed to initiate projects once requirements are fully vetted and funding is available and/or approved. Feel free to reach out to Jason Phillippe at Jason@spgsecure.com or Terry DiVittorio at terrycade@spgsecure.com to discuss in greater detail.
