National Industrial Security Systems : Protecting US government assets held by government contractors

Courtesy of the Underwriters Laboratories Fire & Security Authority
Issue 1 - 2008
by Pete Tallman

Sensitive US government material held by government contractors is subject to a wide variety of potential threats and housed in a range of settings across the US, from major metropolitan areas to isolated locations with limited communication and support resources. In the early 1990s government officials and UL recognized the need for an alarm system verification program flexible enough to be applied in multiple settings, yet consistent enough to allow confidence in the delivery of alarm services. Developing a specialized category of service, a new standard and an Alarm System Certificate became the key for coordinating the variety of features that might be used in a particular setting and the relationship of each service provider. The result of this collaboration between UL and US government officials was the creation of the National Industrial Security System Category (CRZH), which has been designed with enough flexibility to allow protection to be rational, appropriate for the identified threat and cost effective.

Two standards are maintained by UL for this category:

• UL 2050, the Standard for Safety of National Industrial Security Systems, establishes a variety of ways in which installation, monitoring, investigation and repair service can be provided.

• UL 681, the Standard for Safety of Installation and Classification of Burglar Alarm and Holdup Alarm Systems, further defines requirements for installation of equipment and devices comprising an alarm installation in a protected area.

An alarm system certificate ties them together through the Alarm System Certification process; certificates are issued by UL at the request of UL Listed alarm service companies. The use of certification for compliance with the National Industrial Security System Category has increased steadily since its establishment in 1992. Currently, the following US government manuals contain the requirement:

• The National Industrial Security Program Operating Manual, DoD 5220.22-M
• The Physical Security Standards for Sensitive Compartmented Information Facilities, DCID 6/9
• The Manual for Physical Security of Sensitive Conventional Arms, Ammunition, and Explosives, DoD 5100.76-M
• The Physical Security Standards for Special Access Program Facilities, JAFAN 6/9

The applicable manual indicates specifications and techniques that may be required in a given situation. The US government cognizant security office or agency (CSO/CSA) assesses threats (see graphic) and determines system features, but UL 2050 and UL 681 specify the details of system delivery.

For example, if a CSO/CSA stipulates that an investigator must be a private guard and respond to an alarm within 20 minutes, UL 2050 details how to assign an investigator, how to conduct an investigation, how to record activity and follow-up actions. Category CRZH allows an alarm service company to assign the delivery of monitoring and investigation services to other service providers, but keeps full responsibility for compliance of the delivery of all services with the requirements in the standards.

Collaboration allows UL to keep pace with technological changes
Alarm system technology has changed dramatically since the National Industrial Security Systems Category was created. UL staff maintains close, collaborative contact with government organizations, government contractors and alarm service companies to stay abreast of the latest technological advances. These relationships give UL staff a strong view of evolving security issues, actual performance data and the practical impact of new technology. The movement to send signals from alarm systems in the form of packets of data across public and private networks raised concerns about the security of the communication paths. The regular collaboration between all parties allowed UL to publish requirements for the use of this technology by drawing on existing Federal Information Publication Standards and an encryption algorithm certification program from the National Institute of Standards and Testing, resulting the availability of alarm equipment that provides encrypted line security.

Centralization of the monitoring stations operated by government contractors created another new challenge. Data networks enable signals to be sent across widely distributed networks, meaning that a monitoring station can be located hundreds, even thousands, of miles from an alarmed area. CSO/ CSAs and UL quickly recognized the difficulties presented by this challenge, creating the National Industrial Security Monitoring Station Service Category (CRZM). This category allows the UL Listed alarm service company to assign area monitoring to a facility that has been evaluated by UL staff and found to be in compliance with UL 2050; the facility must have an active UL Listing. This relieves the UL Listed alarm service company of the responsibility for maintaining a monitoring facility while retaining the responsibility to ensure that alarm signal processing and monitoring system staff training are in compliance with category requirements.

The National Industrial Security System and the Associated National Industrial Security Monitoring Station Categories are tributes to the value of collaboration between parties with a common interest. A constant focus on the concepts of flexibility and threat appropriate requirements, coupled with a service delivery verification process has benefited government contractors, alarm service companies and officials responsible for protecting assets of the US government.

For more technical information about UL 2050, please contact Pete Tallman in Melville, NY at +1.631.546.2415 or at Peter.H.Tallman@us.ul.com.

No comments: