Assessment of the ISC Security Design Criteria
THE ISC SECURITY DESIGN CRITERIA
The ISC Security Design Criteria document (ISC, 2001) is a mix of performance objectives, prescriptive requirements, and references to industry design standards. The design criteria are generally acceptable and full implementation of the ISC Security Design Criteria will provide some protection for building occupants against most blast-related threats and will significantly reduce injuries. However, the organization of the document makes it difficult to identify clearly the connections between specific criteria and the performance objectives they are meant to achieve.
The document is also focused on the terrorist vehicle bomb as the primary means of attack; there is little guidance on defending federal buildings and their occupants from chemical, biological, or radiological weapons.
Without overarching goals and objectives and without clearly illustrated connections between desired performance and proposed solutions, the document encourages consideration of specific aspects of building design in isolation (e.g., structure independent of fire protection). This could result in building performance not being considered comprehensively—for instance, failure to design for survivability of fire protection systems after a bomb attack could result in an otherwise avoidable post-attack fire.
There is also a lack of consistency in the document’s language, grammatical structure, and flow that makes it difficult to comprehend as a whole. This could confuse those responsible for the physical security component of building design, as well as those who must review designs and make decisions about design options. These and related issues can be addressed by continuing refinement of the ISC Security Design Criteria, clarifying and reformatting the document to provide both more complete and comprehensible design criteria and the necessary policy guidance.
The continued use of both prescriptive and performance criteria is appropriate for several reasons, including the fact that in much of the building design process using prescriptive criteria need not limit creative design. Performance analysis and design are only needed for certain portions of the process, for example, the design of glazing to satisfy a unique threat or location. Structured appropriately, prescriptive criteria can be a means of meeting performance objectives. However, the ISC Security Design Criteria do not provide guidance on the amount and completeness of information to be provided in documenting a performance-based security design. Documentation is a way of verifying that scenarios of good design practice have been analyzed and applied. It should demonstrate compliance with performance objectives, review and acceptance by trained government officials or their designees, construction inspection and testing, and issuance of the documents necessary to demonstrate that occupancy and related requirements have been met.
Responsibility for Implementing and Overseeing the ISC Criteria
Executive Order 12977 (Clinton, 1995) established the Interagency Security Committee (ISC) as “a permanent body to address continuing government-wide security.” The ISC has a broad membership of 17 federal agencies. Although the ISC has produced the security standards mandated in Section 5, items (1) and (2) of the Executive Order, it does not appear to be overseeing “the implementation of appropriate security measures”; nor has the General Services Administration (GSA) Administrator put in place the means to monitor “Federal agency compliance with policies and recommendations of the Committee [ISC],” as mandated by Section 6, paragraph (c).
By asking the committee to evaluate the ISC Security Design Criteria to determine if they were prescriptive or performance-based, it is understood that GSA desires to give as much freedom as possible to designers of its facilities by allowing them to use performance-based rather than prescriptive—and presumably more restrictive—criteria wherever possible. The committee believes that there are two organizational constraints to achieving both the intent of Executive Order 12977 and the objective of allowing designers maximum freedom to apply imaginative solutions. First, there must be a professional staff with the qualifications and authority to evaluate and approve proposed solutions. Second, that staff must be housed within an agency with the commitment and stability to see the program through.
Outsourcing Management Functions for the Acquisition of Federal Facilities (NRC, 2000) describes a “smart owner” in the commercial design, engineering, and construction industry as a business entity that has the skill base—usually a staff with professional qualifications and authority—necessary to plan, guide, and evaluate the facility acquisition process. A smart owner asks how a specific facility will contribute to the success of the organization’s mission. This has numerous implications for a performance-based regulatory approach, including increased responsibility for building owners, design professionals, and approval authorities, as well as training and education issues, qualification and competency requirements, facilities management issues, and financial implications. Whether security-related design remains a responsibility of the ISC as provided in Executive Order 12977 or devolves to a more central or security-focused entity, such as the Department of Homeland Security, the government will need to meet the definition of a smart owner if it is to implement a performance-based security design program properly.
GSA Facility Standards
In its review of the ISC Security Design Criteria, the committee also considered the Facilities Standards for the Public Buildings Service (GSA, 2000). Available on the Internet and in hard copy, the Facilities Standards is GSA’s attempt to apply the ISC Security Design Criteria in its role as the federal government’s largest provider of space and facilities to federal agencies for nonmilitary users. The Facilities Standards is issued to architects and engineers who design buildings for GSA’s Public Buildings Service. However, the committee finds it troublesome that the Facilities Standards document does not include the text from Part 1 of the ISC Security Design Criteria that would connect the criteria, in a policy sense, with the Presidential Executive Order that established the Interagency Security Committee. Absent this linkage or another official promulgation, there is no evidence that GSA requires its regional offices to apply these standards.
The committee assumes that Executive Order 12977, which created the ISC and mandated enhancement of “the quality and effectiveness of security in and protection of buildings and facilities in the United States occupied by Federal employees,” continues to be the driver of the measures contained in the ISC Security Design Criteria and Chapter 8 of the Facilities Standards. Without the guidance provided by the Introduction to the ISC Security Design Criteria, users of the Facilities Standards may not be aware of the context in which the security criteria are to be applied, or of how the design criteria relate to the risk guidelines and the process of drafting project-specific criteria. The applicability statement of the Facilities Standards is also less specific than that contained in the ISC Security Design Criteria. The committee views this as a critical obstacle to implementing a performance-based process because of the need to link security design solutions to higher goals and objectives for the performance of federal buildings.
Section 5 of Executive Order 12977 requires that agencies with security responsibilities be encouraged “to share security related intelligence in a timely and cooperative manner” and that they develop and maintain “a centralized security data base of all Federal facilities.” This is a necessary step for providing feedback to the threat assessment and risk analysis process and informing decision making about protective measures. The new Physical Security and Hazard Mitigation Committee of the Federal Facilities Council partially fulfills this objective, but a more formal process is warranted.
Assessing and Managing Risk
Improvements to the ISC Security Design Criteria related to risk assessment cannot be achieved without structural changes in the way the federal government manages its general approach to building security. Risk assessment requires broad-based activity by the different disciplines affected by security: physical security, architecture, civil engineering, blast effects, biological/chemical hazard effects, fire safety, and mechanical/electrical operations, especially as related to post-event life safety and rescue efforts. At the risk assessment stage, a detailed knowledge of the assessment methods used in each of these areas is not required: practical knowledge and general rules of thumb are usually sufficient. Historical cost information is also needed for analysis of alternative risk abatement techniques.
Many if not all of the required resources are available in the federal government, but interagency cooperation is essential if these resources are to be available for every project where the ISC Security Design Criteria are used. Specifically, the effort must be made to collect actual costs related to physical security after each project, or at least for a representative number of projects. If accurate cost information is not available, budgetary constraints may mean that changes to building security features instituted late in the design process are not consistent with the risk assessment conducted to guide the design. This very real influence of budgetary realities on actual provision of security features (as opposed to whether they are merely included in preliminary designs) has enormous implications for the performance of a building in an attack, as well as for the safety of the occupants and the continuance of mission-related activities.
The committee’s recommendations are presented in two groups. The first are those that the committee believes can and should be implemented in the short term to help maximize comprehension and use of the important security concepts in the ISC Security Design Criteria with minimum effort. Unless this first set of recommendations is implemented as soon as possible, the ISC Security Design Criteria will probably continue to be underused and misinterpreted by users who do not have a strong background in blast or security analysis. The second set of recommendations addresses fundamental ways that the ISC Security Design Criteria could be improved over a longer term through their modification to take into account the greatly expanded body of knowledge on blast effects and other threats (chemical, biological, and radiological) that has emerged since the criteria were first developed. These recommendations should also improve government oversight of their implementation.
Group 1—Short-term Recommendations
The committee recommends that:
The Interagency Security Committee give immediate consideration to the changes suggested by the committee as a result of its evaluation of the ISC Security Design Criteria.
The ISC Security Design Criteria be expanded to include basic information on how blasts affect buildings and people, as a technical basis for the protective strategies incorporated in the document (for suggested content, see Chapter 3 above).
A preface be added to the ISC Security Design Criteria that clearly establishes the authority and applicability of the document by citing Executive Order 12977 and all related executive or legislative actions.
The ISC Security Design Criteria be reviewed by a professional editor familiar with building codes and standards to improve its organization and ensure consistency in format, language, and style. This should improve both the readability and the utilization of the document.
Information provided in Part 3 of the ISC Security Design Criteria document be integrated with Parts 1 and 2, so that all information pertaining to a particular design component or system (e.g., structural or mechanical) is located together, thus clarifying the document and simplifying its use.
The spirit and intent of the language in the introduction to the ISC Security Design Criteria be incorporated in any document that references the criteria.
The Interagency Security Committee in concert with its member agencies begin a comprehensive review of the ISC Security Design Criteria as soon as possible. This review should include creation of risk assessment and management tools as well as policy guidance for physical protection and security to guide the development of risk reduction strategies and a performance-based design process. The review should also consider expanding the criteria to (1) include critical occupancies such as child care centers, (2) broaden the range of possible threats and countermeasures to cover chemical, biological, and radiological weapons, and (3) address the impact on protective design of such issues as emergency planning, enhanced fire protection, life-cycle costing, procurement strategy, and construction security.
Group 2—Long-term Recommendations
The committee recommends that:
The ISC security criteria be fully integrated into the Facilities Standards for the Public Buildings Service and not isolated in a single chapter of that document. This will help to ensure that security design is integrated into the overall design strategy of each facility from the very start of planning.
The Interagency Security Committee be empowered to commit resources to implement and monitor the security design guidelines for federal buildings, as established in the ISC Security Design Criteria and as mandated by Executive Order 12977, Section 5, part (a) (2) and Section 6, part (c). Although the actual monitoring may be outsourced if there are insufficient staff within ISC member agencies, the assessment of program performance in general should be a governmental function.
The Interagency Security Committee be made responsible for providing leadership and vision and crafting a strategy for instituting necessary changes to the ISC Security Design Criteria. The ISC will need to communicate its vision to those whose cooperation will be needed to achieve it, and must motivate and inspire people to “energize themselves to overcome political, bureaucratic, and resource barriers.”
The member agencies of the Interagency Security Committee employ staff with the necessary core competencies (technical, management, communications, and financial skills) to ensure that the ISC Security Design Criteria are implemented. This includes a thorough understanding of the objectives of the security criteria, the process of establishing project-specific criteria, and the consequences of failure. If aspects of implementation and monitoring are to be delegated to administrative regions, the designated agency must provide adequate training to ensure competent interpretation and implementation of the criteria and, as performance criteria permit, assessment of alternative solutions. Where in-house capabilities or resources are limited, outsourcing may be appropriate, but program objectives and implementation should remain the responsibility of the Interagency Security Committee.
The designated lead agency for implementation of the ISC Security Design Criteria create a security database, and other agencies, to the extent permitted by law and national security, be directed to share information as required by Executive Order 12977. This effort should include building a database of explosive events in order to define the probabilities of different explosive charge weights.
As experience with implementing the ISC Security Design Criteria increases, the document should be expanded to include examples of best practices in building design for each security level. This will give users practical demonstrations of how specific criteria can be met.
Clinton, William Jefferson. 1995. Executive Order 12977, Interagency Security Committee. Washington, D.C.: The White House.
GSA (General Services Administration). 2000. Facilities Standards for the Public Buildings Service. General Services Administration. Washington, D.C.: Government Printing Office.
ISC (Interagency Security Committee). 2001. ISC Security Design Criteria for New Federal Office Buildings and Major Modernization Projects. Washington, D.C.: GSA.
NRC (National Research Council). 2000. Outsourcing Management Functions for the Acquisition of Federal Facilities. National Research Council. Washington, D.C.: National Academy Press.