ICD 705 Is About to Change More Than You Think

Why the Tech Spec Rumor Gets the Level Wrong

For months, conversations across the cleared contractor community have circulated around a single expectation: that the next meaningful change to how SCIFs are built and managed will arrive via an update to the IC Technical Specifications for Construction and Management of Sensitive Compartmented Information Facilities. That's the document most practitioners know simply as the "Tech Spec."

That expectation isn't wrong, exactly. A Tech Spec update is almost certainly coming. But treating it as the primary event misunderstands how the IC security standard architecture actually works.

The Tech Spec implements policy. It tells you how to execute standards that are set at a higher level, at the ICD and ICS tier. If the fundamental policy framework has gaps, if definitions are ambiguous, if re-accreditation triggers are inconsistently applied, if TEMPEST criteria lack measurability, a Tech Spec revision cannot fix those problems. Only a change at the ICS level can.

And there are strong reasons to believe that is exactly what is being developed.

What the Policy Landscape Is Actually Telling Us

You don't need access to any pre-decisional document to read the direction of travel. The threat environment, the evolution of technology, and the known weaknesses in how ICS 705 has been interpreted and applied over the years all point to the same set of necessary reforms.

Signal 1 — TEMPEST criteria lack measurable, testable thresholds. Current standards are largely prescriptive rather than performance-based. The IC has increasingly moved toward quantifiable, auditable requirements in other security domains — TEMPEST is overdue for the same treatment.

Signal 2 — Security In Depth is applied inconsistently. SID has existed as a concept in IC security policy for years, but its application has been discretionary in ways that create significant compliance variability across IC elements and cleared contractor facilities.

Signal 3 — SCIF taxonomy has created operational confusion. The current definitions of permanent SCIFs, SWAs, TSWAs, and T-SCIFs have been interpreted inconsistently, with some organizations maintaining "temporary" facilities indefinitely to avoid full accreditation requirements.

Signal 4 — Waiver governance lacks enterprise visibility. The current waiver process allows significant compliance gaps to remain invisible at the community level. There is increasing policy momentum toward centralized tracking and standardized waiver documentation.

Signal 5 — Supply chain and construction nationality rules need reinforcement. Post-2017 supply chain security concerns have hardened across the IC. Construction nationality requirements that exist in current standards have not always been enforced with sufficient rigor or documentation discipline.

Signal 6 — PED and wireless policy is fragmented. Current policy scatters PED and wireless requirements across multiple directives. A foundational ICS update provides the opportunity to rationalize these into a coherent, maintainable framework at the right policy tier.

What Fundamental ICD 705 Changes Are Likely Coming

Based on observable policy trends, known gaps in the current framework, and the logical direction of IC security modernization, here is an informed assessment of where a foundational ICS 705 revision is likely to land.

More quantitative, measurable TEMPEST standards

The move toward performance based standards rather than prescriptive checklists is a well established trend in security policy. For TEMPEST, this means expecting specific Radio Frequency attenuation thresholds with defined measurement methodologies, statistical pass/fail criteria rather than binary compliance determinations, and explicit testing requirements at defined points in the construction and accreditation lifecycle.

The implications are significant. Facilities that passed TEMPEST review under older, less rigorous criteria may not meet new quantified thresholds. Retrofitting TEMPEST countermeasures after construction is substantially more expensive than integrating them during the design phase — which is itself likely to become more explicitly mandated.

Security In Depth becoming mandatory in more environments

Current policy treats SID as largely discretionary for domestic facilities while requiring it overseas. Given the evolution of insider threat and physical security risk, it is reasonable to expect SID requirements to broaden, potentially with a minimum layer requirement that applies regardless of geography.

This would represent a meaningful shift from risk optional to risk baseline, removing the discretion that has allowed some facilities to operate with minimal layered security controls.

Tighter SCIF taxonomy and time limitation enforcement

Expect clearer, more enforceable definitions of facility types, particularly around temporary facilities. A time limited accreditation category with hard caps and mandatory transition planning closes a gap that has allowed indefinite "temporary" SCIFs to proliferate without full compliance requirements. This affects a non trivial number of operational facilities across the IC and cleared contractor base.

Centralized waiver visibility and reporting requirements

The current waiver process is largely bilateral between the AO and IC element head, with limited community level visibility. Policy level reform is likely to require standardized waiver documentation, residual risk statements, and reporting to a central IC repository, giving the community a true picture of where standards are being compromised and enabling better aggregate risk management.

Reinforced construction nationality and supply chain requirements

The policy direction on supply chain security has been consistently hardening across the national security enterprise for nearly a decade. SCIF construction requirements are likely to reflect this with more explicit documentation obligations, clearer oversight requirements for any use of non US personnel, and potentially new requirements around construction material provenance.

Anticipated Impact by Stakeholder

Existing SCIFs: Reaccreditation pressure. Facilities built to older standards may face compliance gaps under new quantified TEMPEST thresholds and expanded SID requirements. The reaccreditation cycle becomes the forcing function, but planning should begin well before that clock runs out.

New Construction: Design phase integration is non negotiable. Higher TEMPEST standards and mandatory SID layers must be designed in, not retrofitted. Predesign risk assessments and CTTA engagement at the earliest planning stage will be more important than ever.

Cleared Contractors: Contract and compliance exposure increases. Tighter construction nationality rules, CSP documentation requirements, and more defined oversight ratios create both compliance obligations and potential contract risk if not addressed proactively.

Accrediting Officials: More structured accountability. Expanded waiver documentation requirements and centralized reporting mean AOs carry greater documented responsibility. Paper trail discipline becomes critical.

IC Elements: Reciprocal use implications. A waiver for any standard removes a SCIF from mandatory reciprocal use. Broader compliance requirements mean more potential waiver, and potentially less interoperability across the IC unless elements invest in upgrades.

The SAPF Angle Almost Everyone Is Missing

The broader conversation about ICD 705 changes is almost exclusively focused on SCIFs. But Special Access Program Facilities operate under different authority, primarily DoD SAP policy, while historically mirroring SCIF construction and technical standards in practice.

When foundational SCIF policy changes, SAPF policy does not automatically follow, but it typically tracks over time, and more immediately, facilities that serve dual SCIF/SAPF functions must comply with the more restrictive standard. For companies managing both facility types, a policy, level ICS 705 update creates a compliance planning problem that cannot be addressed through a single, siloed response.

Organizations that treat this as a SCIF only problem and fail to evaluate SAPF exposure are setting themselves up for a difficult and expensive correction. The smart move is unified compliance assessment across both facility types, now, while there's still planning runway.

How Companies Should Prepare — Starting Now

Waiting for the official release of updated policy before beginning to adapt is a choice that has real costs. The time between policy release and required compliance is rarely as generous as organizations expect, and the most expensive corrections, particularly in TEMPEST and physical construction, cannot be made quickly.

1. Conduct a forward looking facility audit. Audit current SCIFs and SAPFs not against where standards are today, but against where they are logically heading. Identify TEMPEST gaps, SID layer deficiencies, and re-accreditation timeline exposure now.

2. Engage your CTTA and AO early. Don't wait for formal guidance to open conversations with your Certified TEMPEST Technical Authority and Accrediting Official. Early engagement creates planning runway and avoids emergency retrofit scenarios.

3. Budget for TEMPEST upgrades. If new standards introduce quantified RF attenuation thresholds, many existing facilities will need treatment. This is the most expensive and time consuming category of remediation, budget planning should begin now.

4. Tighten your CSP documentation discipline. Construction Security Plan quality and completeness is likely to face greater scrutiny. Establish or strengthen documentation standards for all active and planned construction projects regardless of size.

5. Review construction contracts for nationality compliance. Audit current and planned construction contracts against the anticipated tightening of US citizen and US firm requirements. Document any mitigations proactively rather than reactively.

6. Align SCIF and SAPF compliance strategy. If you manage both facility types, develop a unified compliance assessment framework. Do not treat the ICS 705 update as a SCIF only issue, the SAPF exposure is real and underappreciated across the industry.

7. Track IC SCIF repository requirements. Centralized waiver reporting and SCIF data requirements are almost certainly going to expand. Ensure your internal data management and AO reporting processes can support increased documentation obligations.

8. Plan for reaccreditation backlogs. Major policy changes historically create accreditation pressure across the community simultaneously. Facilities that begin compliance preparation early will have significantly more scheduling flexibility than those that wait.

The Bottom Line

The community is watching the wrong layer of the stack. A Tech Spec update is not nothing, but it cannot address the structural gaps that exist at the policy tier. The signals pointing toward a foundational ICS 705 revision are clear to anyone looking at the right level. The organizations that will navigate this transition most effectively are those that start treating it as the significant policy event it appears to be, and begin preparing accordingly, today.

Is Your Facility Ready for What's Coming?

If the policy level changes outlined here concern you, or if you're not sure how your current SCIF or SAPF measures up against where standards are heading, now is the time to get ahead of it.

Our team works exclusively in the SCIF and SAPF space. We can help you assess your current compliance posture, identify gaps before they become problems, and develop a preparation strategy that doesn't wait for the official release.

Talk to an expert today — schedule a free consultation.

The views expressed here are informed analytical predictions based on publicly observable policy trends and professional experience. No non-public, controlled, or restricted government information is reflected in this analysis.