Secure AV in Government: More Than Just AV
Date: October 2011
Working on projects for the government has always required a certain amount of discretion and attention to detail. And over time, the roles of the AV consultant and integrator have risen in profile as AV technologies have evolved into vital communications tools for government agencies. All of which means that AV professionals seeking work in the government marketplace are faced with requirements for something they may not have considered before: secure AV.
“Secure AV is all about communications,” explains Rodrigo Ordóñez, CTS-D, Senior Consultant at K2 Audio. “You customize the system to match the client’s security needs. It’s not a one-size-fits all solution.”
“Secure AV is when content is not accessible outside the organization or intended audience,” says Gordon Moore, Vice President of Sales for Lectrosonics. “It also depends on the amount of time you want the information to remain a secret. The NFL, for example, uses encrypted wireless microphones, but the information they exchange is relevant for less than one minute. Information relating to a patented cancer drug may need to be secret for decades. Government secrets may need to be secure forever.”
That said designing secure AV systems for the government is less cloak-and-dagger than one might think. In fact, designing AV systems for government or military facilities has a lot in common with designing for corporate, entertainment or medical customers. However, there are important differences that make designing secure AV systems for government a specialty.
What is Secure AV?
There is no formal definition, standard or accepted metric for secure AV. And in many ways the goal of providing secure AV can be as elusive as providing secure IT.
“There is no way to ensure 100-percent security on any AV or IT system,” says Edwin Morman, CTS-D, CTS-I and Audiovisual Design Engineer for General Dynamics IT. “When discussing secure AV, we are typically referring to a subset of government and corporate AV systems that are designed in such a way as to minimize the risk to the data that is processed or displayed.”
In government installations, these AV systems often are displaying or processing information that is classified. The systems themselves may be located in secure areas called SCIFs, or sensitive compartmented information facilities. And everything from the physical construction of the site to the electronic components installed within plays a part in reducing the risk that classified information will be inadvertently exposed.
“The range of secure rooms can go from a multi-application room that can handle a secure event to a totally secure room with no outside lines,” Ordóñez says. “That level is defined by the client.”
Ray Rayburn, AES Fellow and Principal Consultant for K2 Audio, says that secure AV even applies to acoustics. “There is acoustic isolation of the space [to consider], as well as in-room acoustics,” he says. “It’s not just the walls, but the ceiling and bypasses to the wall. You also have to review air handling systems, which can transmit audio signals.”
And while secure video conferencing and display systems are a large portion of a secure AV system design, any device with an electrical connection to any device that processes classified data must be considered. “This brings in control systems and routing and switching systems,” says Morman. “There are specific rules for the separation of systems — and even cabling — that process classified and unclassified data.”
All told, secure AV can mean a myriad of things. Understanding all the nuances of these specialized installations is important to winning business and executing good designs — even if the knowledge base for secure AV is ill-defined.
Credentials and Market Knowledge
In the same way that it’s hard to define secure AV, it’s hard to prescribe an educational track that would qualify someone to work in the specialty field. Basic AV knowledge and industry certification apply to secure AV just as they do to corporate, house of worship and other markets. But in addition to AV certifications, some government agencies require IT certifications, such as CompTIA’s A+, Network+ and Security+ credentials, in order to work on AV systems, according to Patrick DeZess, CTS-D, Director of Engineering for Audio Video Systems.
And depending on which part of the government a company wants to work in, one credential may be required above all others.
“The ability to demonstrate clear understanding of how secure facilities are built, coupled with knowledge of all the regulations goes a long way,” says Carl Maurer, CTS, EAVA, Audiovisual IPT Lead for General Dynamics IT. “But it also helps to maintain a national security clearance.”
Attaining security clearance to work in certain parts of the government is not a once-and-done exercise. It requires background checks, which need re-checking on a regular basis. Those who work in secure government situations say maintaining a security clearance means constant studying, training and education. “Clearance is an all-the-time commitment,” says Scott Sharer, a consultant at Communication Design Group, which has clients in the federal government, Defense Department, and government contractor communities.
Moreover, getting a critical mass of new clearances under your belt can take time, which is why Sharer says it’s uncommon to see new companies enter the market for secure AV systems in government, though it does happen.
“New companies will bring security experience with them,” says Larry Cowart, also with Communication Design Group. “And companies can expand into this area by hiring ex-military who have clearance and contacts.”
A Unique Working Environment
Once a company is on the inside and engaged in secure AV installations for the government, they quickly realize the differences between government and other types of work—and they have little to do with the AV itself.
Among the biggest challenges working in a secure government facility are the differing rules and regulations among agencies. “There are few set rules that state, ‘this is allowed and this is not,’” says Morman. “Much of the process involves communicating with the persons responsible for the security of the data on the site and finding what will and won’t be allowed. It takes good engineering and consulting skills to help your clients get what they need. You have to have a good understanding of the environment where the equipment will go and the reasons for the sometimes extreme measures used to ensure the security of the data involved.”
Documents that do exist to detail the rules regarding technology systems in secure facilities are usually written with IT technologies in mind. It’s up to AV designers to understand how such rules apply to the AV systems. “In a secure environment, all AV technologies are affected in one way or another,” says Maurer. “Installation practices are affected by building standards. Any component with a processor is affected by information assurance standards.”
Sharer and Cowart say there are three key areas that an AV professional working in secure AV must understand: physical security for secure communication spaces, required signal types and transport methods, and an agency’s policies and procedures for moving electronic data. With that understanding, the AV consultant or system designer often plays a critical role based on his knowledge of the physics of AV.
When it comes to physical spaces, for example, Sharer says it is the AV consultant’s responsibility to ask questions that no one else is thinking about. “Sure, there are shaded windows, but what about the acoustics of the window?” he says. “A window can easily transmit sound. Consultants have to be up on the latest methods of defeating security and think unconventionally. For example, does the tile in the adjacent bathroom transmit sound to the toilet, on which a contact microphone can be attached to record conversations?”
Rayburn says that some secure facilities need a kill switch for all signals leaving the room. But in others, a switch isn’t good enough. “They have a physical break or physical disconnect for all wires leaving the room. At the highest levels of security, there is no external wiring and no equipment is removed from the room without authorization,” he adds.
And — AV systems and design aside — there are also many quirks in government that affect seemingly mundane day-to-day processes. “For example, you must handle files according to client requirements and not according to your own office’s requirements,” says K2 Audio’s Ordóñez. “If the client forbids the electronic transmission of AutoCAD files, then they will send someone to will bring you the files on a CD.”
Documentation and Verification
Finally, AV manufacturers also play a significant role in the design and integration of secure AV systems in government. That role is to provide detailed product documentation. As part of the AV design and installation, the consultant or integrator must hand over to the government client a packet of information that outlines physical and technical information about the installed equipment.
“The accreditation package contains all the information that pertains to the security of the data processed by the facility,” explains Morman. “One of those pieces of information is called a memory volatility statement, which lists each memory device in a manufacturer’s piece of equipment and whether it is volatile or non-volatile memory. In other words, does the memory store its data when the power is removed from the device? Manufacturers could simplify the process for AV installations by having these statements on file for each of their components when the AV integrator or consultant calls looking for it.”
Lectrosonics’ Gordon Moore agrees that the documentation provided by AV manufacturer is an important responsibility in the government market. He and his staff are often called upon by customers to provide memory volatility statements and other product specifications.
In addition, government agencies often require that technology equipment is tested and verified by the agency. This can mean an AV manufacturer must provide test equipment for an extended period of time plus any documentation requested along the way. Depending on the agency, the process can take anywhere from six months to a year.
“The manufacturers have to be willing to dedicate a portion of their staff to the process to see it through. They won’t be working on it full time, but they have to be able to act when the testing facility needs their involvement,” says Maurer. “If they wait, it only delays the schedule for approval. If the manufacturers have integrators trying to use their products on any project, it can be a challenge to get something approved in time for deployment.”
So although it seems like there are many hurdles to working on secure AV installations for the government, there are also significant opportunities for the AV consultant or integrator who is willing to take it on. Moore insists secure AV is a strong market niche for the integrator who learns it. “Advertise for and find the people who know security standards,” he suggests. “Hire in-house experts and attend national security trade shows. There is a learning curve on the first security project so be willing to invest some time.”
“Secure AV is an agile part of our industry,” says Audio Video Systems’ DeZess. “The technology and the security standards are constantly evolving.”
And as AV and IT continue to converge beyond government, what a company learns about secure AV will serve them well in other markets.