Provide Security for Building Occupants and Assets

by the WBDG Safe Committee

Last updated: 05-01-2008

Overview

The bombings at New York City's World Trade Center, Oklahoma City's Alfred P. Murrah Federal Office Building, and Atlanta's Centennial Park, shook the nation, and made Americans aware of the need for better ways to protect occupants, assets, and buildings from human aggressors (e.g. disgruntled employees, criminals, vandals, and terrorists).

A Department of Justice study called "Vulnerability Assessment of Federal Facilities", conducted in response to a Presidential directive and issued one day after the 19 April 1995 Oklahoma City bombing, produced recommended minimum standards for security at federal facilities. It divided federal sites into five security levels ranging from Level 1 (minimum security needs) to Level 5 (maximum). The study listed recommendations for upgrading federal building security, including 52 security standards addressing such items as parking, lighting, physical barriers, and closed circuit television monitoring.

More recently, the 11 September 2001 terrorist attacks demonstrated the country's vulnerability to an even wider range of threats and reasserted heightened public concern for the safety of workers and occupants in all Building Types. Many federal agencies responding to these concerns have adopted an overarching philosophy to provide appropriate and cost-effective protection for building occupants. That is, while it may be cost prohibitive to design a facility to a worse case scenario, decision makers should strive to make smart choices and investments that will lessen the risk of mass casualties resulting from terrorist attacks.

Some federal agencies have issued their own security design standards. The most prominent of these are the DOD Unified Facilities Criteria (UFC) UFC 4-010-01 DoD Minimum Anti-Terrorism Standards for Buildings and Interagency Security Committee (ISC) Security Design Criteria. There are currently no universal codes or standards that apply to both public and private sector buildings. However, most designers agree that security issues must be addressed in concert with other design objectives and integrated into the overall building design throughout the process to ensure a quality building with effective security. This concept is known as multi-hazard design.

Depending on the building type, acceptable levels of risk, and decisions made based on recommendations from a comprehensive threat assessment, vulnerability assessment, and risk analysis, appropriate countermeasures should be implemented to protect people, assets, and mission. Types of attack and threats to consider include:

• Unauthorized entry (forced and covert)
• Insider threats
• Explosive threats: Stationary and moving vehicle-delivered, mail bombs, package bombs
• Ballistic threats: Small arms, high-powered rifles, drive-by shootings, etc.
• Weapons of mass destruction (chemical, biological, and radiological)
• Cyber and information security threats

Recommendations

Basic to realizing an effective security plan and design is the implementation of appropriate countermeasures to deter, delay, detect, and deny attacks. Oftentimes the countermeasures work on the layered defense concept or "Onion Philosophy." This concept provides for increasing levels of security from the outer areas of the site or facility towards the inner, more protected areas. Some or all of the issues outlined below need consideration for effective security design and building operations.

Unauthorized Entry (Forced and Covert)

Protecting the facility and assets from unauthorized persons is an important part of any security system. Some items to consider include:

• Compound or facility access control
  • Control perimeter: Fences, bollards, anti-ram barriers
  • Traffic control, remote controlled gates, anti-ram hydraulic drop arms, and hydraulic barriers, parking
  • Forced-Entry-Ballistic Resistant (FE-BR) doors and windows
• Perimeter intrusion detection systems
  • Clear zone
  • Video and CCTV
  • Alarms
  • Detection devices (motion, acoustic, infrared)
• Personnel identification systems
  • Access control, fingerprints, biometrics, ID cards
• Protection of information and data
  • Acoustic shielding
  • Shielding of electronic security devices from hostile electronic environment
  • Secure access to equipment, networks, and hardware, e.g. satellites and telephone systems

Insider Threats

One of the most serious threats may come from persons who have authorized access to a facility. These may include disgruntled employees or persons who have gained access through normal means (e.g., contractors, support personnel, etc). To mitigate this threat some items to consider include:

• Implement personnel reliability programs and background checks
• Limit and control access to sensitive areas of the facility

Explosive Threats: Stationary and Moving Vehicle-Delivered, Mail Bombs, Package Bombs

Explosive threats tend to be the criminal and terrorist weapon of choice. Devices may include large amounts of explosives that require delivery by a vehicle. However, smaller amounts may be introduced into a facility through mail, packages, or simply hand carried in an unsecured area. Normally the best defense is to provide defended distance between the threat location and the asset to be protected. This is typically called standoff distance. If standoff is not available or is insufficient to reduce the blast forces reaching the protected asset, structural hardening may be required. If introduced early in the design process, this may be done in an efficient and cost-effective manner. If introduced late in a design, or if retrofitting an existing facility, such a measure may prove to be economically difficult to justify. Some items to consider include:

• The design team should include qualified security and blast consulting professionals from the concept stage forward.
• Provide defended standoff with rated or certified devices such as fencing, bollards, planters, landscaping, or other measures that will stop persons, if required, and vehicle delivered threats.
• Consider structural hardening and hazard mitigation designs such as ductile framing that is capable of withstanding abnormal loads and preventing progressive collapse, protective glazing, strengthening of walls, roofs, and other facility components.
• Design the facility with redundant egress and other critical infrastructure to facilitate emergency evacuation and control during an event.

Ballistic Threats

These threats may range from random drive-by shootings to high-powered rifle attacks directed at specific targets within the facility. It is important to quantify the potential risk and to establish the appropriate level of protection. The most common ballistic protection rating systems include: Underwriters Laboratories (UL), National Institute of Justice (NIJ), H.P. White Laboratory, and ASTM International. Materials are rated based on their ability to stop specific ammunition (e.g., projectile size and velocity). Some items to consider include:

• Visual shielding, such as opaque windows or screening devices
• Ballistic resistant rated materials and products
• Locating critical assets away from direct lines of sight

Weapons of Mass Destruction: Chemical, Biological, and Radiological (CBR)

Commonly referred to as WMD, these threats generally have a low probability of occurrence but the consequences of an attack may be extremely high. While fully protecting a facility against such threats may not be feasible with the exception of very special facilities, there are several common sense and low cost measures that can improve resistance and reduce the risk from the WMD threat. Some items to consider include:

• Protect pathways into the building
  • Control access to air inlets and water systems
  • Provide detection and filtration systems for HVAC systems
  • Provide for emergency HVAC shutoff and control
  • Segregate portions of building spaces (i.e., provide separate HVAC for the lobby, loading docks, and the core of the building)
  • Consider providing positive pressurization to keep contaminates outside of the facility
• Provide an emergency notification system to facilitate orderly response and evacuation.

Cyber and Information Security Threats

In today's world, business continuity and mission function rely heavily on the transmission, storage, and access to a wide range of electronic data and communication systems. Protecting these systems from attack is critical for most users ranging from individuals, businesses, and government agencies. Some items to consider include:

• Understand and identify the information assets that you are trying to protect. These may include personal information, business information such as proprietary designs or processes, national security information, or simply the ability of your organization to communicate via email and other LAN/WAN functions.
• Protect the physical infrastructure that supports information systems. For example, if your computer system is electronically secure but is vulnerable to physical destruction you may not have achieved an adequate level of protection.
• Provide software and hardware devices to detect, monitor, and prevent unauthorized access to or the destruction of sensitive information.

Development and Training on Occupant Emergency Plans

Occupant Emergency Plans should be developed for building Operations staff and occupants to be able to respond to all forms of credible attacks and threats. Clearly defined lines of communication, responsibilities, and operational procedures are all important parts of Emergency Plans. Emergency Plans are an essential element of protecting life and property from attacks and threats by preparing for and carrying out activities to prevent or minimize personal injury and physical damage. This will be accomplished by pre-emergency planning; establishing specific functions for Operational staff and occupants; training Organization personnel in appropriate functions; instructing occupants of appropriate responses to emergency situations and evacuation procedures; and conducting actual drills.

Emerging Issues

Balancing Security and Sustainability

Providing for sustainable designs that meet all facility requirements is often a challenge to the design community. With limited resources it is not always feasible to provide for the most secure facility, the most architecturally expressive design, or energy efficient building envelope. From the concept stage through the development of construction documents, it is important that all project or design stakeholders work cooperatively to ensure a balanced design. Successful designs must consider all competing design objectives.

Designing for Fire Protection and Physical Security

Care should be taken to implement physical security measures that allow Fire Protection forces access with to sites and buildings and building occupants with adequate means of emergency egress. GSA has conducted a study and developed recommendations on design strategies that achieve both secure and fire safe designs. Specifically, the issue of emergency ingress and egress through blast resistant window systems was studied. Training was developed based on this information and is available at the GSA Public Buildings Service—Building Security Technology Web site.

Integrated Systems

In recent years, there has been a general trend towards integrating various stand-alone security systems, integrating systems across remote locations, and integrating security systems with other systems such as communications, and fire and emergency management. For example, CCTV, fire, and burglar alarm systems have been integrated to form the foundation for access control.

Relevant Codes and Standards

Highly complex security system design is still neither codified nor regulated, and no universal codes or standards apply to all public and private sector buildings. However, in many cases, government agencies, including the military services, and private sector organizations have developed specific security design criteria.

Mandates

• Executive Order 12977, "Interagency Security Committee"
• Interagency Security Committee (ISC) Security Design Criteria—Unites all Federal protective design requirements (For Official Use Only)

Federal Guidelines

• Department of Defense:
• DOD Security Engineering Manual (For Official Use Only)
• FM 3-19.30 Physical Security—Sets forth guidance for all personnel responsible for physical security
• NAVFAC MIL-HDBK-1012/3 Telecommunications Premises Distribution Planning, Design, and Estimating
• UFC 1-200-01 Design: General Building Requirements
• UFC 3-520-01 Design: Interior Electrical Systems
• UFC 4-010-01 DoD Minimum Anti-Terrorism Standards for Buildings
• UFC 4-010-02 DoD Minimum Standoff Distances for Buildings (FOUO)
• UFC 4-023-03 Design of Buildings to Resist Progressive Collapse
• USAF Installation Force Protection Guide
• General Services Administration (GSA):
• Facilities Standards for the Public Building Service, P100, Chapter 8.
• Other "official use only" documents may be obtained from the Office of the Chief Architect
• GSA Guidelines for Progressive Collapse
• Department of Veterans Affairs (VA):
• Physical Security Design Manual for VA Facilities: Mission Critical Facilities
• Physical Security Design Manual for VA Facilities: Cost Estimates for Physical Security Enhancements
• Department of State:
• Architectural Engineering Design Guideline (5 Volumes) (For Official Use Only)
• Physical Security Standards Handbook, 07 January 1998 (For Official Use Only)
• Structural Engineering Guidelines for New Embassy Office Buildings, August 1995 (For Official Use Only)
• Federal Aviation Administration (FAA):
• FAA Order 1600.69 Security Risk Management
• Federal Emergency Management Agency (FEMA):
• FEMA 386-7 Integrating Manmade Hazards into Mitigation Planning
• FEMA 426 Reference Manual to Mitigate Potential Terrorist Attacks Against Buildings
• FEMA 427 Primer for Design of Commercial Buildings to Mitigate Terrorist Attacks
• FEMA 428 Primer to Design Safe School Projects in Case of Terrorist Attacks
• FEMA 429 Insurance, Finance, and Regulation Primer for Terrorism Risk Management in Buildings
• FEMA 430 Site and Urban Design for Security
• FEMA 452 Risk Assessment - A How-To Guide to Mitigate Potential Terrorist Attacks Against Buildings
• FEMA 453 Design Guidance for Shelters and Safe Rooms

Others

• Department of Commerce Administrative Orders:
• Inspector General Investigations, DAO 207-10
• Occasional Use of Public Areas in Public Buildings, DAO 206-5
• Security Programs, DAO 207-1
• Designing for Security in the Nation's Capital by the National Capital Planning Commission (NVPC). October 2001.
• Guidelines for Protecting Building Environments from Airborne Chemical, Biological, or Radiological Attacks by the National Institute for Occupational Safety and Health (NIOSH).
• Vulnerability Assessment of Federal Facilities by Department of Justice.

Private Sector Guidelines

• Design of Blast Resistant Buildings in Petrochemical Facilities by American Society of Civil Engineers (ASCE). 1997.
• Structural Design for Physical Security, State of the Practice by Edward Conrath, et al. Alexandria, VA: Structural Engineering Institute of American Society of Civil Engineers (ASCE), 1999.

Major Resources

WBDG

Products and Systems

Fenestration Systems—Exterior Doors

Security Centers

• Anti-Terrorism Force Protection (DOD) (Limited access)
• Defense Threat Reduction Agency
• Department of Defense (DOD) Anti-terrorism body—Pentagon's J34
• Federal Emergency Management Agency (FEMA) All-Hazard Mitigation Program on Anti-terrorism
• Naval Facilities Engineering Service Center (NFESC), Security Engineering Center of Expertise ESC66 - E-mail: securityeng@nfesc.navy.mil
• USAF Electronic System Center (ESC), Hanscom AFB
• U.S. Army Corps of Engineers, Electronic Security Center
• U.S. Army Corps of Engineers, Protective Design Center
• U.S. Department of Defense
• U.S. Department of Homeland Security

Organizations and Associations

• The American Institute of Architects (AIA) Security Resource Center
• American Society of Civil Engineers (ASCE)
• American Society of Industrial Security (ASIS)
• Battelle Memorial Institute, National Security Program
• Center for Strategic and International Studies (CSIS)
• Centers for Disease Control and Prevention (CDC)
• Federal Facilities Council (FFC) Standing Committee on Physical Security and Hazard Mitigation (Sponsored by National Academies of Science)
• International CPTED Association (ICA)
• National Academy of Sciences
• National Defense Industrial Association (NDIA)
• National Institute of Standards and Technology (NIST)
• Postal Security Action Group (PSAG)
• Protective Glazing Council (PGC)
• Security Industry Association (SIA)
• Society of American Military Engineers (SAME)
• The Infrastructure Security Partnership (TISP)
• U.S. Army Soldier and Biological Chemical Command (SBCCOM)

Trade Journals/Magazines

• Architectural Design for Security and Security and Technology Design by Donald M. Rochon. June 1998.
• Designing for Crime and Terrorism, Security and Technology Design by Randall I. Atlas. June 1998.
• Government Security
• Security Magazine
• Security Solutions Online: Access Control and Security Systems
• Security through Environmental Design, Security and Technology Design by Robert Pearson. September 1997.

Training Courses

• FEMA E155—Building Design for Homeland Security

Others

• Anthrax-Contaminated Facilities: Preparations and a Standard for Remediation by the Congressional Research Service. 2005.
• Creating Defensible Space by Oscar Newman. Washington, DC: U.S. Department of Housing and Urban Development, April 1996.
• National Symposium of Comprehensive Force Protection, Society of American Military Engineers (SAME), Charleston, SC, Oct 2001. Lindbergh & Associates.
• Protecting Building Occupants from Biological Threats—Website from the Center for Biosecurity of UPMC that includes useful information about biological threats to building occupants, practical steps for reducing risk, and costs and benefits of risk reduction measures, along with a wealth of related materials and additional resources.