JAFAN 6/0 Checklist

Home / Glossary / JAFAN 6/0 Checklist
The JAFAN 6/0 checklist governs Special Access Program security requirements, including physical security, personnel vetting, and protections for classified information systems in DoD SAP environments.

JAFAN 6/0 checklist is the compliance assessment and verification tool derived from the Joint Air Force-Army-Navy (JAFAN) 6/0 Manual, a governing security standard that establishes the physical, personnel, information, and operational security requirements for protecting classified information associated with Department of Defense Special Access Programs (SAPs). The JAFAN 6/0 Manual — formally titled the DoD Manual for Special Access Program Security — provides the foundational policy framework for SAPs across the military services and defense agencies, and the associated checklist translates these requirements into a structured self-assessment and inspection tool used by SAP Security Officers and government oversight inspectors to verify program compliance.

For cybersecurity professionals and security architects supporting defense contractors, government agencies, or organizations seeking DoD SAP access, the JAFAN 6/0 checklist is the operational instrument through which SAP security compliance is demonstrated, assessed, and documented. Understanding its structure, scope, and requirements is essential for organizations managing classified program security and for security teams advising on the intersection of physical, personnel, and information security disciplines within DoD SAP environments.

Origins and Purpose of JAFAN 6/0

The JAFAN 6/0 framework emerged from the military services’ need for a unified, interoperable security standard governing Special Access Programs across DoD components. Before the JAFAN series, each military service maintained its own SAP security regulations, complicating joint program management, cross-service collaboration, and consistent oversight by DoD senior security officials.

  • JAFAN Series Context: The JAFAN 6/0 Manual is the flagship document of the JAFAN series, which includes related standards governing information systems security (JAFAN 6/3) and SAP facility construction security (JAFAN 6/4). Together, these documents form an integrated SAP security framework applicable across the Army, Navy, Air Force, and joint DoD programs, providing consistency in how classified SAP information is protected regardless of which military service sponsors a program.
  • Relationship to DAFMAN and ICD Standards: JAFAN 6/0 operates within a broader classified security policy hierarchy that includes Intelligence Community Directives (ICDs), the DoD Manual 5205.07 series, and service-specific implementing regulations. For programs sponsored by the Air Force — now operating under DAFMAN (Department of the Air Force Manual) policy frameworks — JAFAN 6/0 remains an active reference for multi-service and joint SAP environments requiring cross-component security consistency.
  • Checklist as Compliance Instrument: The JAFAN 6/0 checklist transforms the manual’s policy requirements into an actionable self-assessment and inspection framework. Program Security Officers (PSOs) and government inspection teams use the checklist to conduct structured reviews of SAP security programs, generating a documented compliance record that supports program accreditation, reaccreditation, and oversight reporting.
  • Oversight and Inspection Architecture: DoD SAP oversight authorities — including the DoD Special Access Program Central Office (SAPCO) and service-level SAP Central Offices — use JAFAN 6/0 checklist assessments during formal program inspections. These inspections occur at defined intervals and evaluate compliance across the full JAFAN 6/0 requirement set, with findings driving corrective action plans and program security enhancement requirements.

Understanding the JAFAN 6/0 framework’s policy lineage and its role in the DoD oversight architecture provides essential context for organizations preparing for SAP security inspections or building new SAP security programs.

JAFAN 6/0 Physical Security Requirements

Physical security is a cornerstone of the JAFAN 6/0 framework, recognizing that inadequate physical access controls can negate the most sophisticated technical and procedural protections. JAFAN 6/0 physical security requirements govern the facilities, access control systems, and construction standards applicable to SAP information handling environments.

  • Sensitive Compartmented Information Facility Standards: SAP information is typically handled within SCIFs or SAP Facilities (SAPFs) accredited to JAFAN 6/0 standards. These facilities must satisfy specific construction requirements — including wall, ceiling, and floor construction specifications; door and lock standards; and RF and acoustic isolation requirements — that prevent unauthorized parties from gaining physical access, observing visually, and collecting electronic emanations.
  • Access Control and Entry Management: JAFAN 6/0 mandates rigorous access control systems for SAP facilities, including two-factor authentication for facility entry, visitor control procedures with documented access logs, and escort requirements for individuals without unescorted access approval. Access rosters are strictly controlled, regularly reviewed, and updated to reflect current program participation status.
  • Intrusion Detection System Requirements: SAP facilities must maintain accredited intrusion detection systems (IDS) connected to monitored alarm monitoring centers with defined response time requirements. JAFAN 6/0 specifies IDS performance standards, testing frequencies, and false alarm management procedures to ensure that physical intrusion detection capabilities remain reliable and operationally effective.
  • Open Storage Accreditation: Programs that handle classified materials outside approved containers within a facility must obtain open storage accreditation — an enhanced physical security certification that imposes additional construction, access control, and alarm monitoring requirements beyond standard SCIF accreditation. Open storage accreditation is evaluated as part of the JAFAN 6/0 checklist assessments.

Physical security compliance under JAFAN 6/0 is not a one-time accreditation event but a continuous requirement maintained through ongoing security practices, periodic facility inspections, and formal reaccreditation cycles.

JAFAN 6/0 Personnel Security and Access Controls

Personnel security is equally central to the JAFAN 6/0 framework — recognizing that insider threat represents one of the most significant risks to Special Access Program integrity. JAFAN 6/0 personnel security requirements govern who may access SAP information, how access is established and maintained, and how personnel are managed throughout the SAP access lifecycle.

  • Need-to-Know Determinations: Access to SAP information is governed by a strict need-to-know principle that requires program management to affirmatively determine that a specific individual requires access to a specific portion of program information to perform their assigned duties. Need-to-know determinations are documented, reviewed periodically, and must be revalidated whenever an individual’s assignment or duties change — an ongoing administrative discipline that the JAFAN 6/0 checklist directly evaluates.
  • Special Access Program Nomination and Indoctrination: Individuals nominated for SAP access undergo enhanced background investigations that exceed standard security clearance requirements. Upon access approval, personnel are formally indoctrinated into the SAP through a briefing process that documents their acknowledgment of the program’s security requirements, classification levels, and handling restrictions.
  • Continuous Evaluation and Reporting Requirements: SAP personnel are subject to continuous evaluation programs that monitor for security-relevant life events and behavioral indicators. Personnel must self-report foreign contacts, financial distress indicators, and other reportable events to their PSO. The JAFAN 6/0 checklist evaluates the currency and completeness of personnel reporting documentation as well as PSO notification and response procedures.
  • Debriefing and Access Termination: When personnel complete their assignment to SAP or leave the program for any reason, they must be formally debriefed, acknowledging their continued obligations to protect SAP information even after access termination. Debriefing documentation is retained as a program security record and is subject to JAFAN 6/0 inspection.

For security architects and program managers, the personnel security elements of the JAFAN 6/0 checklist represent the intersection of human resources management and security compliance, requiring close coordination among PSOs, human resources functions, and program leadership.

JAFAN 6/0 Information Systems Security Requirements

The information systems security requirements within JAFAN 6/0 govern how classified SAP information is processed, stored, transmitted, and destroyed on automated information systems operating within or connected to SAP environments. These requirements significantly exceed standard classified information system requirements and align with the technical security controls detailed in JAFAN 6/3 for SAP information systems.

  • System Accreditation and ATO Requirements: Information systems processing SAP information must be separately accredited — in addition to any underlying network or infrastructure accreditation — to confirm that security controls appropriate for the SAP classification level are in place and effective. ATO packages for SAP systems include dedicated security plans, risk assessments, and control implementation documentation evaluated by the Designated Accrediting Authority.
  • Network Isolation and Connectivity Restrictions: SAP information systems are typically isolated from general-purpose classified networks, with strict controls on connectivity and data transfer procedures. Network connections between SAP systems and external networks require formal approval and technical controls — including hardware data diodes, approved media sanitization procedures, and manual transfer approval workflows — to prevent unauthorized data flows.
  • Media Control and Sanitization: JAFAN 6/0 imposes strict controls on media entering and leaving SAP information systems, including approval requirements for the introduction of removable media, logging of all media movements, and certified sanitization or physical destruction procedures for media removed from SAP systems. The JAFAN 6/0 checklist evaluates media control logs, sanitization records, and the currency of sanitization equipment certifications.
  • Audit and Monitoring Requirements: SAP information systems must maintain comprehensive audit logs of user activity, access events, and security-relevant system events. These logs are retained for defined periods, reviewed at specified intervals, and protected from modification. Security incident reporting procedures must be documented and up to date, with defined escalation paths to the appropriate oversight authorities.

The information systems security elements of JAFAN 6/0 bridge physical security and personnel security with technical control implementation — requiring integrated management across security disciplines to achieve and maintain compliant SAP information system operations.

Implementing the JAFAN 6/0 Checklist

Effective implementation of the JAFAN 6/0 checklist requires a structured approach that integrates SAP security management across physical, personnel, and information security disciplines. Organizations preparing for government SAP inspections or conducting internal compliance assessments should follow a systematic implementation methodology.

  • Compliance Baseline Establishment: Implementation begins with a comprehensive baseline assessment that maps current security practices against each JAFAN 6/0 checklist requirement. Security teams should document the current compliance status of every checklist item, identify gaps with supporting evidence, and prioritize remediation based on inspection risk and operational impact. This baseline assessment serves both as an internal compliance tool and as preparation for government inspection.
  • Security Officer Training and Qualification: Effective JAFAN 6/0 implementation depends on qualified Program Security Officers who understand both the policy requirements and the practical implementation standards that inspectors apply. Formal PSO training through DoD SAP security courses, supplemented by coordination with service-level SAP Central Offices, is essential for developing the institutional expertise required to maintain ongoing JAFAN 6/0 compliance.
  • Documentation Management Architecture: JAFAN 6/0 compliance generates a significant body of required documentation — access rosters, indoctrination records, facility inspection reports, media control logs, system audit records, and inspection findings — that must be maintained in an organized, retrievable format. Implementing a document management system designed around JAFAN 6/0 record retention requirements simplifies both ongoing program administration and inspection preparation.
  • Internal Inspection Program: Organizations should conduct formal internal JAFAN 6/0 checklist self-assessments on a schedule that precedes government inspection cycles. Internal inspections using the complete JAFAN 6/0 checklist identify compliance gaps before they become formal inspection findings, allowing remediation actions to be completed and documented before oversight reviews.

For organizations new to SAP security, engaging experienced SAP security consultants or former government SAP oversight officials during the implementation phase significantly accelerates compliance achievement. It reduces the risk of formal inspection findings.

JAFAN 6/0 and the Broader SAP Security Framework

The JAFAN 6/0 checklist operates within an integrated SAP security governance structure that connects program-level security management with DoD-level oversight, intelligence community policy, and cross-organizational security coordination requirements. Understanding this broader framework is essential for security professionals managing complex SAP programs.

  • Integration with JAFAN 6/3 and 6/4: JAFAN 6/0 addresses overall SAP security management, while JAFAN 6/3 provides detailed technical security requirements for information systems processing SAP data, and JAFAN 6/4 governs the construction standards for new SAP facilities. Security programs must implement all three documents in an integrated fashion — physical facility standards from 6/4, information system controls from 6/3, and overall security management requirements from 6/0 — to achieve comprehensive SAP security compliance.
  • DoD SAP Central Office Oversight: The DoD SAPCO provides policy authority and oversight for all DoD SAPs, with service-level SAP Central Offices exercising delegated oversight for their respective services’ programs. JAFAN 6/0 checklist findings are reported through these oversight chains, and systemic compliance deficiencies can trigger enhanced oversight, program suspension, or corrective action plan requirements from oversight authorities.
  • Intersection with Intelligence Community Directives: Programs that process Sensitive Compartmented Information in addition to SAP data must navigate the intersection of JAFAN 6/0 requirements and Intelligence Community Directives — particularly ICD 705, which governs SCIF physical and technical security standards. Where requirements from multiple frameworks apply, the most stringent standard generally prevails, requiring security architects to perform careful cross-framework requirements analysis.
  • Cyber Threat Considerations for SAP Environments: Nation-state cyber threat actors specifically target SAP information as a high-value collection objective. JAFAN 6/0 information systems security requirements are designed in part to counter these threats. Still, evolving attack techniques — including supply chain compromise, zero-day exploitation of accredited systems, and insider-facilitated exfiltration — require continuous security enhancements beyond baseline JAFAN 6/0 compliance to maintain effective protection of SAP information.

Security professionals supporting SAP programs should view JAFAN 6/0 compliance as a minimum baseline — a foundation upon which additional threat-informed security enhancements are layered to address the sophisticated, persistent adversaries who specifically target Special Access Program information.

Conclusion

The JAFAN 6/0 checklist provides the structured compliance framework through which DoD Special Access Programs demonstrate adherence to the physical, personnel, and information security requirements that govern the most sensitive classified programs in the U.S. defense establishment. For cybersecurity and security management professionals supporting defense contractors, government agencies, or organizations seeking SAP access, mastering the JAFAN 6/0 framework is essential for achieving inspection readiness, maintaining ongoing program compliance, and building the integrated security management capability needed to protect SAP information against the nation-state and insider threats that specifically target these high-value classified programs.

Deepwatch® is the pioneer of AI- and human-driven cyber resilience. By combining AI, security data, intelligence, and human expertise, the Deepwatch Platform helps organizations reduce risk through early and precise threat detection and remediation. Ready to Become Cyber Resilient? Meet with our managed security experts to discuss your use cases, technology, and pain points, and learn how Deepwatch can help.

Related Content

  • Move Beyond Detection and Response to Accelerate Cyber Resilience: This resource explores how security operations teams can evolve beyond reactive detection and response toward proactive, adaptive resilience strategies. It outlines methods to reduce dwell time, accelerate threat mitigation, and align SOC capabilities with business continuity goals.
  • The Dawn of Collaborative Agentic AI in MDR: In this whitepaper, learn about the groundbreaking collaborative agentic AI ecosystem that is redefining managed detection and response services. Discover how the Deepwatch platform’s dual focus on both security operations (SOC) enhancement and customer experience ultimately drives proactive defense strategies that align with organizational goals.
  • 2024 Deepwatch Adversary Tactics & Intelligence Annual Threat Report: The 2024 threat report offers an in-depth analysis of evolving adversary tactics, including keylogging, credential theft, and the use of remote access tools. It provides actionable intelligence, MITRE ATT&CK mapping, and insights into the behaviors of threat actors targeting enterprise networks.