04-02-2015 10:31 PM - edited 04-03-2015 11:57 AM
When working with wireless access systems within Government bodies, additional regulations can apply outside of the standard host-country regulatory rules and regulations (FCC, ETSI, etc). Some of these are for health and safety of the personnel in the immediate area (HERP), others are more broadly meant to prevent electronic eaves dropping on sensitive communications (TEMPEST). Others are more important, involving the prevention of electromagnetic emissions from triggering detonation mechanisms on large missiles and bombs or combustible fuels vapors (HERO and HERF). Navigating some of these can be overwhelming, so having an introductory primer on some of the most common and relevant regulations regarding emissions will be valuable if/when they come up in your environment.
In this primer, we will be discussing separation distances between NIPR Wireless Networks and Classified Network areas or terminals. Future primers will cover HERO, HERP, and HERF.
Red-Black Separation per CNSSAM TEMPEST/01-13 (FOUO only)
In government parlance, there is often a ‘Black’ and ‘Red’ network. Black comprises the Non-Classified Internet Protocol Router Network (NIPR or NIPRNet) and the Red comprises the Secret Internet Protocol Router Network (SIPR or SIPRNet). Concerns about leakage, surveillance, and integrity fall outside of this primer, but in short, there are requirements about separation and proximity of Red and Black networks co-existing that allow for the protection of the data residing on and being processed within the SIPRNet.
The Committee on National Security Systems Advisory Memorandum (CNSSAM) releases guidance through it’s TEMPEST security guidelines (most of which are classified) that regulate these separation requirements between Black and Red. However, relevant to electromagnetic emissions with wireless networks is usually the question of ‘How far can an access point be located from a secured area (SCIF or SIPRNet terminal)?’ Within the CNSSAM TEMPEST/1-13 (FOUO) guidance are guidelines for separation distances between NIPR WLAN and Classified Areas.
Note: While CNSSAM TEMPEST/01-13 provides guidance for separation, ultimately any facility that processes National Security Information (NSI) is responsible for approving and validating any and all separation requirements, and may decide to increase the stated distances at their purview. This officer is the Certified TEMPEST Technical Authority (CTTA). Each NSI-processing facility should have a CTTA.
Section 3.6 identifies Transmitter Separation requirements and is built around two main classifications.
- High Power Transmitters – High powered transmitters are devices capable of exceeding 100mW (>20dBm) EIRP. These certainly include access points, even if they are configured not to exceed 20dBm EIRP. As such, the max regulatory capability is the watermark. Most access points will easily exceed 20dBm, especially when using external antennas. It may also include high-powered client devices, though most laptops, tablets, phones, and other mobile data devices are well below 20dBm and would fall under the Low-Power Transmitting category., Since the cellular radio exceeds 20dBm, cell phones are considered high-powered devices, though most all secure facilities and SCIFs forbid the presence of any mobile cell phone.
- Low-Power Transmitters – Low powered transmitters are devices that transmit less than or equal to 100mW (≤20dBm). These usually are lower powered devices like Bluetooth devices, cell phones (cellular radio disabled), and other devices that don’t require any FCC or ETSI licenses. These devices are also heavily scrutinized as many of these devices could be updated via software later that allow them to exceed the 20dBm threshold.
How the devices are installed matters as well. Typically fixed devices (access points, repeaters, etc) have larger separation distances as they are most often high powered devices. Non-Stationary devices typically have shorter distances as they are usually smaller, low-powered devices. However, ultimately the facilities and their CTTA seeking certification have the ultimate say.
Separation Distances Broken Down
The following table gives generally approved guidance (per CNSSAM TEMPEST/01-13 Table 3) pursuant to CTTA approval:
Separation From Red Equipment
Stationary (docked or permanently installed)
Stationary (docked or permanently installed)
Mobile (hand-held or not docked)
Stationary Low-powered devices
Transmitters carried through a space
RF ID, proximity badges, and other
query-response RF devices
Based on all of the above information, the general guidance for separation from NIPRNet wireless access points would be that a separation distance of at least 3 meters (or 10 feet imperial) from any Red Area or Red processing device. This means that access points should be placed at least 3 meters from any Sensitive Compartmented Information Facility (SCIF) or SIPRNet terminal within a secured area.
When working with a facility, in consult with said facility's CTTA, there are additional protections that can be afforded to add headroom to the provided guidance listed above.
- When placing APs around a SCIF or SIPRNet area, using APs with directional antennas that radiate the RF away from the ‘Red’ area will reduce both all RF received into the area, as well as decreases the ability of the AP to ‘hear’ from the ‘Red’ area.
- The SCIF should be wrapped with copper mesh to essentially build a true faraday-cage around it (most SCIFs should be RF-shielded anyway, but sometimes they are not).
- RF-Absorbing paint (such as MF-500 or ME-500 from MWT) should be used to help prevent any outside RF from getting through walls or surfaces painted. These are also handy for preventing microwave RF interference from break room areas from disrupting general RF operations for WiFi in general.
- AP power should be decreased near or around SCIFs or ‘Red’ areas.
Conclusion – Guidance plus CTTA Approval
The above information is intended to serve as a general breakdown as to the separation requirements between ‘Black’ WiFi and ‘Red’ areas. The ultimate authority falls to the NSI’s CTTA and IA bodies to approve all RF designs. However, with careful planning, using both the CNSSAM TEMPEST/01-13 guidance and the additional avoidance strategies listed above, in most cases a working solution should be attainable to provide NIPRNet WiFi in government buildings that also process NSI.
CNSSAM TEMPEST/1-13 - https://www.cnss.gov/CNSS/issuances/memoranda.cfm
RF-Shielding Paint - http://www.mwt-materials.com/Products/Coatings/coatings.html
Search the FCC for Regulatory Power Allowed - http://transition.fcc.gov/oet/ea/fccid/
Sr. Techical Marketing Engineer