UFC / ISC Security Criteria Overview and Comparison  

by Nancy A. Renfroe, PSP, J. Mikhael Erekson, PE, and Daniel R. Renfroe, PSP
Applied Research Associates, Inc.

Updated: 
05-31-2021

Introduction

For facilities located inside the United States, the federal government currently utilizes two primary security standards:

  1. The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard—November 2016

  2. The Unified Facilities Criteria (UFC) DoD Minimum Antiterrorism Standards for Buildings (UFC 4-010-01, 12 December 2018)

2016 Cover of document The Risk Management Process for Federal Faciliites: An Interagency Security Committee Standard, August 2013, first edition
2016 Cover of the document UFC 4-010-01 DoD Minimum Antiterrorism Standards for Buildings


Description

The Interagency Security Committee (ISC) Standard was developed for federal civilian government agencies and the UFC Standard was developed for Department of Defense (DoD) facilities. The following excerpts from the two standards clarify the intended application:

Pursuant to the authority of the ISC contained in Executive Order (E.O.) 12977, October 19, 1995, "Interagency Security Committee," as amended by E.O. 13286, March 5, 2003, The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard is applicable to all buildings and facilities in the United States occupied by Federal employees for nonmilitary activities. These include existing buildings, new construction, or major modernizations; facilities owned, to be purchased, or leased; stand-alone facilities, Federal campuses, and where appropriate, individual facilities on Federal campuses; and special-use facilities.

The Unified Facilities Criteria (UFC) system is prescribed by MIL-STD 3007 and provides planning, design, construction, sustainment, restoration, and modernization criteria, and applies to the Military Departments, the Defense Agencies, and the DoD Field Activities in accordance with USD (AT&L) Memorandum dated 29 May 2002. UFC will be used for all DoD projects and work for other customers where appropriate. All construction outside of the United States is also governed by Status of Forces Agreements (SOFA), Host Nation Funded Construction Agreements (HNFA), and in some instances, Bilateral Infrastructure Agreements (BIA.) Therefore, the acquisition team must ensure compliance with the most stringent of the UFC, the SOFA, the HNFA, and the BIA, as applicable.

However, in December 2012, the Deputy Secretary of Defense released a memorandum which stated the security standards established by the Department of Homeland Security's Interagency Security Committee (ISC) in The Risk Management Process for Federal Facilities shall apply to all off-installation leased space managed by DoD and all DoD occupied spaced in buildings owned or operated by the U.S. General Services Administration (GSA).

A. Overview of ISC Standard

The ISC Standard: Risk Management Process for Federal Facilities (RMP) classifies facilities with a facility security level (FSL). The FSL for each facility—and the resulting security requirements—depends upon five factors:

mission criticality, symbolism, facility population, facility size, and threat.

The ISC Standard provides examples and definitions for the various levels for each of the five factors.

The ISC associates the FSL with a level of risk and a baseline level of protection (LOP). Rating the five categories to determine the FSL and associated level of risk and protection allows ISC requirements to be a somewhat risk-based process. Further, risk-based adjustments can be made on a threat-by-threat basis.

Appendix B: Countermeasures (For Official Use Only) in the ISC Standard identifies the security measures to be applied as part of the baseline LOP. These are to be considered guidance remembering that implementation of specific countermeasures should be tied to a risk assessment for each of the undesirable events (threats) addressed in the standard to arrive at a customized LOP. The extensive list of countermeasures provided in the ISC Standard are presented in the following seven categories:

  1. Site—including the site perimeter, site access, exterior areas and assets, and parking;
  2. Structure—including structural hardening, facade, windows, and building systems;
  3. Facility Entrances—including employee and visitor pedestrian entrances and exits, loading docks, and other openings in the building envelope;
  4. Interior—including space planning and security of specific interior spaces;
  5. Security Systems—including intrusion detection, access control, and surveillance camera systems;
  6. Security Operations and Administration—including planning, security force operations, management and decision making, and mail handling and receiving;
  7. Cyber—including cyber security requirements for building access control systems.

B. Overview of UFC Standard

The latest version of UFC Standard: 4-010-01 shifts from the previous approach of applying mitigation measures tied to a specific design basis explosive threat to minimum threat-independent design requirements where "no identified threat or level of protection has been determined in accordance with UFC 4-020-01." However, the UFC 4-020-01 Planning Manual takes a risk-based approach similar to the ISC RMP to determine if the minimum requirements in UFC 4-010-01 are adequate, or if additional mitigation measures are appropriate. This evaluation process becomes a critical step in the planning and project development phases since UFC 4-010-01 no longer provides guidance for varying levels of protection. Based on a risk assessment, facilities which have identified threats must increase the level of protection to adequately mitigate the threats.

These UFC documents are part of a series of security engineering unified facilities criteria documents that cover minimum standards, planning, preliminary design, and detailed design for security and antiterrorism. The documents in this series are designed to be used sequentially by a diverse audience to facilitate development of projects throughout the design cycle.

In addition to the standards, planning, and design UFCs mentioned above, there is a series of additional UFCs providing detailed design guidance for developing final designs based on the preliminary designs developed using UFC 4-020-02. These support manuals provide specialized, discipline-specific design guidance. Some address specific tactics such as direct fire weapons, forced entry, or airborne contamination. Others address limited aspects of design such as resistance to progressive collapse or design of portions of buildings such as mail rooms. Still others address details of designs for specific protective measures such as vehicle barriers or fences. The Security Engineering Support Manuals are intended to be used by the design team during the development of final design packages.

The major design strategies associated with UFC 4-010-01 are:

  • Prevent Building Collapse
  • Minimize Hazardous Flying Debris
  • Provide Effective Building Layout
  • Limit Airborne Contamination
  • Provide Mass Notification

Application

With the most recent 2018 change to UFC 4-010-01, the risk-based design approach for the two standards are more closely aligned when UFC 4-020-01 establishes design basis threats and an appropriate level of protection. While the risk methodology guidance is slightly different, the overall goal of focusing the security design to mitigate identified risks is the same. The ISC RMP focuses on a broad range of diverse threats and the UFC is more focused on explosives and chemical, biological, and radiological threats. Previous versions of the UFC were very prescriptive with regards to structural design for explosive threat mitigation. Now the UFC approach is more like the ISC, with general guidance focused on meeting the mitigation intent, but leaving the determination of countermeasure adequacy against the identified risk up to the security professionals.

While both standards require the performance of a security risk assessment prior to mitigation design and implementation, this step is often ignored in favor of applying the baseline measures outlined in each document based on facility characteristics. This approach negates the purpose of each standard, which is to make risk-based decisions to optimize the design and allocate resources towards measures which will address the identified risks.

Relevant Codes and Standards

Additional Resources

Federal Agencies