ICD 705 Facility Requirements

Physical security facility construction requirements with no direct NIST SP 800-53 equivalent

Physical security forms the foundation for all other SL5 protections [6], [7], [22], [23]. This section specifies facility construction requirements that have no direct NIST SP 800-53 equivalent. These requirements draw on an applicable subset of ICD 705 and ICS 705-1 (Physical and Technical Standards for Sensitive Compartmented Information Facilities), published by the Office of the Director of National Intelligence [6], [7], [22], [23]. The applicable subset depends on whether the prioritized threat model covers only theft of model weights and cryptographic keys, or also extends to sabotage, autonomy threats, and algorithmic IP theft. SL5-level security may generally warrant an updated version of ICD 705 plus potential additional AI-datacenter- and AI-SCIF-specific overlays. ICD 705 provides detailed specifications for perimeter construction, intrusion detection, access control, acoustic protection, and TEMPEST countermeasures; this section summarizes key requirements and SL5-specific adaptations.

Adaptation for SL5:

  • “SL5-protected information” (covered models and secrets) replaces “Classified Information” [26]
  • Chief Security Officer (CSO) or Site Security Manager serves as accreditation authority
  • SenL-5 clearance replaces government security clearances [26]

Security in Depth

Facility design implements Security in Depth (SID)—layered security controls that increase the probability of detecting unauthorized access attempts before they reach the Red Zone perimeter. Layers may include perimeter fencing, building access controls, and controlled areas surrounding Red Zones. SID considerations should inform site selection and building layout.

Zone Architecture

Red Zone: The SL5 Network operates within Red Zones—physically hardened environments constructed to ICD 705/ICS 705-1 standards. Any system with network access to SL5-protected information must be within a Red Zone. Red Zones may span multiple geographically distributed facilities.

Black Zone: Areas with no network path to SL5-protected information. Black Zones may exist within the same facility as Red Zones but are completely network-isolated.
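
The Red Zone and Black Zone rules above can be checked against a network inventory as a reachability problem. The following is an added example, not part of ICD 705 or the SL5 text; the host names, the inventory format and the assumption that every link is bidirectional and unfiltered are all constructed for illustration.

```python
from collections import deque

# Constructed inventory: host names, zones and links are hypothetical.
HOSTS = {
    "weights-store": {"zone": "red",   "protected": True},
    "train-node-1":  {"zone": "red",   "protected": False},
    "train-node-2":  {"zone": "red",   "protected": False},  # second facility
    "badge-server":  {"zone": "black", "protected": False},
    "hr-laptop":     {"zone": "black", "protected": False},
}
LINKS = [
    ("weights-store", "train-node-1"),
    ("train-node-1", "train-node-2"),
    ("train-node-1", "badge-server"),  # misconfiguration: red-to-black link
    ("badge-server", "hr-laptop"),
]

def reachable_from_protected(hosts, links):
    """Hosts with any network path to a host holding SL5-protected information."""
    adj = {h: set() for h in hosts}
    for a, b in links:  # assumption: links are bidirectional, no filtering
        adj[a].add(b)
        adj[b].add(a)
    seen = {h for h, meta in hosts.items() if meta["protected"]}
    queue = deque(seen)
    while queue:
        for nxt in adj[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def zone_violations(hosts, links):
    """Hosts that have a path to protected information but sit outside a Red Zone."""
    reach = reachable_from_protected(hosts, links)
    return sorted(h for h in reach if hosts[h]["zone"] != "red")

def boundary_links(hosts, links):
    """Links joining a Red Zone host to a non-Red host: the edges to remove."""
    return [(a, b) for a, b in links
            if (hosts[a]["zone"] == "red") != (hosts[b]["zone"] == "red")]

if __name__ == "__main__":
    print("violations:", zone_violations(HOSTS, LINKS))
    print("offending links:", boundary_links(HOSTS, LINKS))
```

A single red-to-black link makes every host behind it a violation, because the rule is about network paths rather than direct connections.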

Construction

Red Zones form complete physical enclosures per ICS 705-1—walls, floor, and ceiling create a continuous barrier with no gaps. Acoustic attenuation (Sound Group 3 or 4) prevents eavesdropping through the perimeter [7], [23]. Windows are prohibited; where required by safety codes, they must be non-opening with RF/optical shielding. All utility penetrations (HVAC, power, fire suppression) must maintain perimeter integrity.

TEMPEST

Red Zones require TEMPEST countermeasures per NSTISSAM TEMPEST/1‑92, pre-engineered into construction to the maximum extent practicable [9], [21]. RF shielding prevents electromagnetic signal egress from the perimeter, dedicated power conditioning prevents power-line analysis, and all equipment must be hardwired—no wireless devices permitted.

Intrusion Detection

Red Zones require intrusion detection systems (IDS) per ICD 705 Chapter 7, with sensors covering all perimeter entry points and motion detection within the space. Alarm response time requirements depend on storage type: 5 minutes for open storage (sensitive compartmented information (SCI) material accessible outside containers), 15 minutes for closed storage (SCI material secured in General Services Administration (GSA)-approved containers when unoccupied) [6], [7], [23].

Transmission Security

All Weight Enclave traffic leaving the Red Zone perimeter requires Protected Distribution Systems (PDS) per CNSSI 7003—including encrypted inter-building connections [8]. PDS provides physical protection through hardened conduit and alarmed carriers.