A relative of mine used to work in this space 20 years ago. Seems policies haven’t changed at all.
Tangential story about how serious the Gov takes OpSec. When I was in Iraq, a Marine in my unit found a roll of red Classified tape. He thought it would be cool to put a strip on his personal laptop, which was confiscated almost immediately. It was very clearly a personal machine, but policy is policy, and he never got that laptop back.
Oh yeah, they take it seriously most of the time. But you do get seemingly odd outputs from those procedures. Case in point...
Many years ago, I worked part-time for a small construction cost management contractor. They did some TS work for DoD/State (usually combo projects, where NSA/CIA/Army had a wing of a consulate that State managed).
I did not have a TS (or any other clearance) at the time. One day, I'm tasked with counting the windows and doors in an old hospital in Munich. All the room numbers are Sharpied out in one half of the building.
So, it's pretty obvious "men in black pajamas" are using that wing. I just don't know the room numbers.
Seemed super weird to me that only the numbers were considered secured info. I'm sure there was an explanation.
Years later, a friend-of-a-friend was moving to Munich to do "State Department" work (he was an HVAC contractor with a TS). Offhand, I said "oh, I bet you'll be in wing X, floor Y or Z in the old hospital". He about fell over that somebody in no way associated with his agency would know that. Got a chuckle from me.
The number of SCIFs increased a ton, especially in contractors being allowed to have their own SCIF rooms. The number of clearances also went up a lot, and the cycle time on granting a clearance got much faster. Overall some things got relaxed, other things got stricter, scale increased everywhere.
IMO the biggest factor in the increase is just the ever-increasing DoD budget.
> Tangential story about how serious the Gov takes OpSec.
...and yet, Chelsea Manning walked in with nothing more than a CD player and a self labeled CD-RW and exfiltrated tons of data from a secured facility.
From a friend who worked in IT at DIA c. 2000: there were an absurd, non-zero number of researchers with clearances who surfed for porn while on [SN]IPRNet, networks they knew were monitored, and unsurprisingly were caught and lost their careers. Nonzero. I'd posit the reason it continued for so long was the real reasons for termination were kept secret to avoid organizational and political embarrassment but at the expense of not setting an example.
If individuals in this particular demographic are hired but lack self-control and are sexually frustrated, then they're potentially huge liabilities to being recruited by adversaries (MICE). It would seem that before issuing clearances, these factors should be assessed rather than going through a standard clipboard audit by the FBI. And, while holding clearances, positive socialization opportunities should be encouraged if not artfully arranged. Who's ever going to leave a job or be disloyal when your boss or some coworkers expedite the love lives of those who aren't already full in that regard? This implies fostering a layer of socially astute managers. It would be a radical departure for government culture perhaps, but a necessary one to ensure the integrity and stability of a clandestine community. Happiness isn't just recognition or sufficient autonomy, but total happiness beyond work. (Throw away the "work-life balance" cliche that is tired and paid lip-service to.)
My company infosec training actually advises you don't have voice assistants or cellphones in your work area. They even make light of it in the video: "I know it sounds crazy, but it's not".
Google and Amazon as the biggest voice assistant makers are, of course, our competitors. But they are competitors to I would say most software companies in some fashion.
We have been told that so many times at work, but I know most senior people seem to leave them and their smart watches in listen mode as they occasionally go off in video calls.
Once in a zoom call my watch said “sorry, I didn’t understand that”… and simultaneously the watch the other person on the call was wearing said the same thing!
I wouldn't be surprised if something like the Apple Vision Pro becomes common in such spaces (and for classified / company-confidential work in general) over the next few years.
I think the combination of biometric authentication with a display that is immune to cameras and shoulder-surfing is really powerful. If the device has anti-screenshot protection and automatically logs the user out when removed from their head, there's virtually no way to quickly transfer sensitive documents out of it.
How strictly are SCIF policies enforced? I'm just a civilian who's never had exposure to that world, but based on my experience with other parts of the government, I'd expect SCIF compliance to fall on a broad spectrum from "sloppy or non-existent" to "overly strict and paranoid." Is my intuition accurate? Who's accountable for the compliance of a given SCIF? Can anyone with clearance "set up a SCIF", or does it need to be registered, audited, etc.?
In my experience, they are seriously enforced, though any time you have a large number of people you'll definitely find exceptions. The threat of massive fines and long jail times tends to encourage compliance. Also, many of the people who work in SCIFs know they are dealing with information that, if released, could lead to a number of people getting killed (think intelligence sources) or a country being unable to defend itself because a US weapon system was compromised (think Ukraine). Nation-states are working to extract information from SCIFs, it's not a theoretical problem, and SCIF users know this.
I don't work in this space, but many of my friends do, as did my father.
SCIF policies are usually strictly enforced. But, that's the most secure workplace available to civilians and they aren't all that common. They also tend to be located in facilities that are higher-than-normal security. Out here in Reston, all my friends who work in SCIFs are also in fenced/gated complexes with paramilitary guards.
There are secure (but not SCIF) facilities that probably vary more. My father's little 6-person contracting office had a secure room, with a DoD-approved design and a safe inside, for contracts that required that level of security (State/DoD facilities in China and Russia required TS clearance, other projects varied).
The people that work in SCIFs also generally take it seriously. TS+poly is worth a big chunk of salary here in DC and not something to risk (and that's ignoring that flaunting those laws is a felony for anybody not named Trump). And most believe in the mission (whatever that happens to be). The work spans everything from military hardware to CIA or NSA operations. And a lot of stuff that probably doesn't really need to be TS, but that's a whole other discussion.
Internet access is via SIPRNet (for classified) or NIPRNet (non-classified, but secured). Phones are through dedicated secure switchboards.
The above is common in the DC area (lots of DoD contractors).