When working with wireless access systems within Government bodies, additional regulations can apply outside of the standard host-country regulatory rules and regulations (FCC, ETSI, etc). Some of these are for health and safety of the personnel in the immediate area (HERP), others are more broadly meant to prevent electronic eaves dropping on sensitive communications (TEMPEST). Others are more important, involving the prevention of electromagnetic emissions from triggering detonation mechanisms on large missiles and bombs or combustible fuels vapors (HERO and HERF). Navigating some of these can be overwhelming, so having an introductory primer on some of the most common and relevant regulations regarding emissions will be valuable if/when they come up in your environment.
In this primer, we will be discussing separation distances between NIPR Wireless Networks and Classified Network areas or terminals. Future primers will cover HERO, HERP, and HERF.
Red-Black Separation per CNSSAM TEMPEST/01-13 (FOUO only)
In government parlance, there is often a ‘Black’ and ‘Red’ network. Black comprises the Non-Classified Internet Protocol Router Network (NIPR or NIPRNet) and the Red comprises the Secret Internet Protocol Router Network (SIPR or SIPRNet). Concerns about leakage, surveillance, and integrity fall outside of this primer, but in short, there are requirements about separation and proximity of Red and Black networks co-existing that allow for the protection of the data residing on and being processed within the SIPRNet.
The Committee on National Security Systems Advisory Memorandum (CNSSAM) releases guidance through it’s TEMPEST security guidelines (most of which are classified) that regulate these separation requirements between Black and Red. However, relevant to electromagnetic emissions with wireless networks is usually the question of ‘How far can an access point be located from a secured area (SCIF or SIPRNet terminal)?’ Within the CNSSAM TEMPEST/1-13 (FOUO) guidance are guidelines for separation distances between NIPR WLAN and Classified Areas.
Note: While CNSSAM TEMPEST/01-13 provides guidance for separation, ultimately any facility that processes National Security Information (NSI) is responsible for approving and validating any and all separation requirements, and may decide to increase the stated distances at their purview. This officer is the Certified TEMPEST Technical Authority (CTTA). Each NSI-processing facility should have a CTTA.
Section 3.6 identifies Transmitter Separation requirements and is built around two main classifications.
How the devices are installed matters as well. Typically fixed devices (access points, repeaters, etc) have larger separation distances as they are most often high powered devices. Non-Stationary devices typically have shorter distances as they are usually smaller, low-powered devices. However, ultimately the facilities and their CTTA seeking certification have the ultimate say.
Separation Distances Broken Down
The following table gives generally approved guidance (per CNSSAM TEMPEST/01-13 Table 3) pursuant to CTTA approval:
Separation From Red Equipment
Stationary (docked or permanently installed)
Mobile (hand-held or not docked)
Stationary Low-powered devices
Transmitters carried through a space
RF ID, proximity badges, and other
query-response RF devices
Based on all of the above information, the general guidance for separation from NIPRNet wireless access points would be that a separation distance of at least 3 meters (or 10 feet imperial) from any Red Area or Red processing device. This means that access points should be placed at least 3 meters from any Sensitive Compartmented Information Facility (SCIF) or SIPRNet terminal within a secured area.
When working with a facility, in consult with said facility's CTTA, there are additional protections that can be afforded to add headroom to the provided guidance listed above.
Conclusion – Guidance plus CTTA Approval
The above information is intended to serve as a general breakdown as to the separation requirements between ‘Black’ WiFi and ‘Red’ areas. The ultimate authority falls to the NSI’s CTTA and IA bodies to approve all RF designs. However, with careful planning, using both the CNSSAM TEMPEST/01-13 guidance and the additional avoidance strategies listed above, in most cases a working solution should be attainable to provide NIPRNet WiFi in government buildings that also process NSI.
CNSSAM TEMPEST/1-13 - https://www.cnss.gov/CNSS/issuances/memoranda.cfm
RF-Shielding Paint - http://www.mwt-materials.com/Products/Coatings/coatings.html
Search the FCC for Regulatory Power Allowed - http://transition.fcc.gov/oet/ea/fccid/
© Copyright 2023 Hewlett Packard Enterprise Development LPAll Rights Reserved.