TSCM Inspection Brokerage: Operational Service Playbook
Deliverable EP-031. Structure per cc02-standards/SERVICE-STANDARD.md. Every watch item binds a tripwire, a cadence, and an escalation route, or it is removed.
Document Control
| Field | Value |
|---|---|
| Service Reference | [REF-YYYY-###] |
| Classification | internal |
| Version | 0.1.0 |
| Prepared By | [Operations Manager] |
| Effective Date | [YYYY-MM-DD] |
| Term | [12 Months] |
Scope, Authorities & Limitations
This is a monitoring/operational service, not an investigation, a guarantee of detection, or legal advice. Collection is limited to lawful, authorized sources within the agreed scope; no unlawful access, intrusion, pretexting, or surveillance of non-consenting third parties is performed. Alerting is best-effort within the stated SLA and does not warrant prevention of any event.
Service Definition and the Brokered Model
The firm does not self-perform technical surveillance countermeasures (TSCM). This service is a brokerage: the firm scopes the requirement, selects and qualifies an independent specialist TSCM vendor, escorts the vendor throughout every engagement, quality-controls vendor performance against this playbook, and owns intake and handling of findings. The firm acts as the client’s intelligent buyer of a technical discipline it does not itself hold; it never represents that its own personnel performed a technical sweep.
| Rationale for Brokerage | Explanation |
|---|---|
| Capability Honesty | The firm does not claim, and does not certify its personnel to, technical RF detection or counter-surveillance competence. Brokerage keeps the service’s claimed capability limited to what the firm actually performs: scoping, vendor qualification, escort, quality control, and findings handling. |
| Equipment Cost | TSCM detection equipment (RF spectrum analysis tools, nonlinear junction detection, physical/thermal inspection tools) carries acquisition, calibration, and maintenance cost that is uneconomical to hold in-house at the firm’s sweep volume. |
| Certification Currency | TSCM operator certification and technique currency depend on continuous, high-volume specialist practice. A generalist protective operations firm cannot sustain certification currency at the rate a dedicated TSCM vendor does; brokerage transfers that currency risk to a vendor whose sole business is TSCM. |
Service Definition and Scope Boundaries
States what the firm does and does not do, and where the excluded work is routed.
- Inclusions: Scoping of TSCM requirements, vendor selection from
ART-vendor-roster, vendor qualification at the deep-vetting tier viaART-vendor-due-diligence, escort of vendor personnel throughout every engagement, quality control of vendor sweep performance, and intake, containment, and routing of findings. - Exclusions: The firm does not perform RF sweeps, bug detection, or any technical inspection with firm-owned equipment; that work is always performed by a qualified vendor under this brokerage. The firm makes no independent technical determination that a space is clear beyond the vendor’s certificate. Attribution of who placed a device, and any law-enforcement function beyond evidence preservation and lawful referral, are outside this service.
- Relationship to EP-005 (Residential Security Survey): EP-005 is the firm’s own physical and site-security survey of a residence (structural, access control, lighting, camera coverage, physical vulnerabilities), performed by firm personnel. EP-031 is the brokered technical/RF inspection performed by an independent TSCM specialist. The two disciplines are distinct and use different providers, but run together operationally: EP-005’s scope boundary excludes TSCM and routes it here; a residence program typically schedules an EP-005 survey and an EP-031 baseline sweep in the same onboarding window.
Scope Catalog
Locations and triggers covered by this brokerage. Any location not listed requires a scoping addendum before tasking.
| Sweep Type | Typical Trigger | Locations Covered |
|---|---|---|
| Residence Sweep | Program baseline; periodic per threat level | Principal residence(s), interior and perimeter per Sweep Tier |
| Executive Office Sweep | Program baseline; periodic per threat level | Principal office, boardroom, adjacent conference space |
| Vehicle Sweep | Program baseline; pre-travel | Principal vehicle(s), driver compartment, cargo areas |
| Event/Meeting Venue Pre-Occupancy Sweep | Scheduled sensitive meeting or event | [VENUE], prior to principal or party occupancy |
| Gift/Electronics Inspection | Receipt of a gift or unvetted electronic device intended for principal use or a principal space | Individual item, isolated from principal spaces pending clearance |
| Post-Incident Sweep | [[EP-027-field-contact-and-suspicious-activity-report|EP-027 Field Contact and Suspicious Activity Report]] filed, or an [[OSINT-050-hostile-surveillance-vulnerability-assessment|OSINT-050 Hostile Surveillance Vulnerability Assessment]] finding delivered | Location(s) identified by the triggering report |
Sweep Tiers
All technical parameters are engagement-specific and set by the tasked vendor’s SOP; the firm does not specify RF thresholds, frequency ranges, or detection method internals.
| Tier | Description | Typical Duration | Technical Parameters |
|---|---|---|---|
| Tier 1 - Full Spectrum | Full RF spectrum sweep plus physical/visual inspection of the space | [N] hours | [FREQUENCY RANGE], [DETECTION METHOD] per vendor SOP |
| Tier 2 - Limited Pre-Meeting | Targeted RF check plus visual inspection of high-risk fixtures and furnishings ahead of a single meeting | [N] hours | [FREQUENCY RANGE], [DETECTION METHOD] per vendor SOP |
| Tier 3 - In-Conference Monitoring | Live RF monitoring by a vendor technician present for the duration of the meeting/event | [EVENT DURATION] | [MONITORING METHOD] per vendor SOP |
Vendor Qualification Gate
No vendor is tasked until every gate below is satisfied and logged. This gate exists because a TSCM vendor is given RF equipment and unsupervised-seeming access to a principal’s most private spaces; the vetting bar is the deep tier, not the standard roster floor.
| Gate | Requirement | Verification Method |
|---|---|---|
| Roster Sourcing | Vendor selected from ART-vendor-roster (Pre-Vetted Vendor Roster) | Roster status check by Operations Manager |
| Deep Due Diligence | Vendor subject to ART-vendor-due-diligence (Third-Party & Vendor Due Diligence) at the deep tier before first engagement, reflecting the extreme sensitivity of RF-equipped access to private spaces | OSINT-016 report on file, current within [N] months |
| NDA | Vendor firm and every assigned technician execute a non-disclosure agreement covering findings, methods, and principal identity | Signed NDA on file per technician |
| Counter-Intelligence Interview | Every assigned technician completes a counter-intelligence screening interview before first engagement | Interview record on file; Operations Manager sign-off |
| No-Subcontracting Clause | Vendor contract prohibits subcontracting any part of the engagement without prior written approval | Clause present in executed vendor contract |
| Equipment List Disclosure | Vendor discloses make, model, and serial of all equipment to be brought on-site before each engagement | Equipment list received and logged before site access is granted |
| Continuous Escort | A detail member escorts the vendor technician at all times within principal spaces; the vendor is never left alone in a principal space | Escort log entry covering the full duration of vendor site access |
1. Scope & Watch Criteria / Tripwires
Watch items are conditions the brokerage monitors across the vendor relationship and the sweep program, not technical RF conditions (those belong to the vendor’s own methodology).
| Watch Item | Indicator | Tripwire Threshold | Severity (L×I) | Escalation Route |
|---|---|---|---|---|
| Positive TSCM Finding | Vendor reports a suspect device, transmitter, or anomalous RF/physical indicator | Any positive finding, regardless of vendor confidence | Critical (21-25) | Verbal-only notification per Section 4 Findings Intake Protocol; no written or electronic transmission near the finding |
| Vendor Conduct Violation | Vendor technician unescorted in a principal space, or undisclosed subcontracting detected | Any occurrence | High (16-20) | Immediate notification to Operations Manager; vendor engagement suspended pending review |
| Vendor Certification Lapse | Vendor’s TSCM certification or ART-vendor-due-diligence reassessment expires | Certification or due-diligence file older than [N] months at time of tasking | Elevated (11-15) | Notification to Operations Manager; vendor held off active tasking pending renewal |
| Quiet-Room Discipline Breach | Sensitive discussion held in a space between sweeps without quiet-room protocol observed | Any observed breach | Moderate (6-10) | Notification to Detail Leader; reinforcement briefing to principal party |
2. Tasking Cadence & Sources
Baseline tasking sets the sweep program at program start; periodic tasking follows the region package threat level; event-driven tasking is trigger-based and time-bound.
| Tasking | Cadence | Basis | Owner |
|---|---|---|---|
| Baseline Sweep | At program start, all Scope Catalog locations | Program initiation | Operations Manager |
| Periodic Sweep | Not less than [FREQUENCY] at [THREAT LEVEL], scaled to the region package threat level | Region package threat level; protective intelligence assessment | Operations Manager |
| Event-Driven Sweep | Per Event-Driven Triggers table below | Trigger event | Detail Intelligence Officer |
Event-Driven Triggers
| Trigger | Action | Lead Time |
|---|---|---|
| Sensitive meeting or event scheduled | Tier 2 pre-meeting sweep of venue | Vendor tasked no later than [N] hours before occupancy |
| Gift or unvetted electronic device received for principal use | Tier 1 item-level inspection before item enters a principal space | Vendor tasked within [N] hours of receipt |
| [[EP-027-field-contact-and-suspicious-activity-report|EP-027]] field contact / suspicious activity report filed | Post-incident sweep of affected location(s) | Vendor tasked within [N] hours of report filing |
| [[OSINT-050-hostile-surveillance-vulnerability-assessment|OSINT-050]] hostile surveillance vulnerability finding delivered | Post-incident sweep of identified vulnerability location(s) | Vendor tasked within [N] hours of finding delivery |
| Threat level escalation in the region package | Full-spectrum re-sweep of residence and office | Vendor tasked within [N] hours of escalation notice |
3. Reporting Cadence & Product Format
The sweep certificate is the routine product; a findings report only issues in writing after the verbal-first protocol in Section 4 has run its course.
| Product | Trigger/Cadence | Format | Recipient | Channel |
|---|---|---|---|---|
| Sweep Certificate | Issued at completion of every sweep, all tiers | Signed certificate, [TEMPLATE REF] | Client / Operations Manager | Secure Portal |
| Findings Report (clean) | Issued within [N] hours of a clean, no-finding sweep | Written summary | Operations Manager / Client | Secure Portal |
| Findings Report (positive) | Issued only after verbal notification and containment per Section 4; written report follows once the space is confirmed clear for written handling | CONFIDENTIAL written report | Named recipients per Need-to-Know Matrix | Secure channel confirmed clear of any remaining risk |
| EP-027 Field Report Feed | Any positive finding or vendor conduct violation | [[EP-027-field-contact-and-suspicious-activity-report|EP-027 Field Contact and Suspicious Activity Report]] | Protective Intelligence Officer, for [[OSINT-052-threat-case-assessment-and-management-tam|OSINT-052 TAM]] case intake | Secure Portal |
| Monthly Program Review | Monthly | PDF Executive Summary | Client | Secure Email |
4. Escalation & Notification Triggers (Findings Intake Protocol)
Positive findings receive a verbal-first protocol: nothing regarding a suspected device is transmitted, written, radioed, or entered into any system while the device may still be live or the space compromised. All initial notification is face-to-face, or by a pre-arranged out-of-space verbal signal, from a location confirmed clean.
Containment Decisions
- The vendor technician and escort withdraw from the immediate vicinity of the suspect device without touching, disabling, or discussing it in the space, to avoid tipping off an adversary or destroying evidence.
- The principal and party are moved to a pre-designated clean space.
- No discussion of the finding occurs within the swept space or any space suspected of compromise until that space is independently confirmed clear.
Need-to-Know Matrix
| Role | Informed | Timing | Method |
|---|---|---|---|
| Detail Leader | Yes | Immediate, from a confirmed clean space | Face-to-face |
| Operations Manager | Yes | Immediate | Face-to-face or secure voice from a clean location |
| Principal | Per client disclosure policy [DISCLOSURE POLICY REF] | Within [N] hours, as directed by Operations Manager | Face-to-face |
| Client Legal Counsel | Yes, before any law enforcement contact | Within [N] hours | Secure voice from a clean location |
| Law Enforcement | Per Routing to Law Enforcement below | Per legal counsel direction | Per jurisdiction protocol |
| Broader detail staff | No; need-to-know only | N/A | N/A |
Routing to Law Enforcement
- Evidence preservation: the device is not further handled, moved, or disabled beyond the initial containment; the site is treated as a scene pending law-enforcement guidance.
- Lawful handling: contact with law enforcement is made through the jurisdiction-appropriate reporting channel identified in the region package, with chain-of-custody logged from first containment.
- No self-help attribution: the firm does not attempt to identify or accuse a responsible party; attribution determinations belong to law enforcement and, where the client directs it, counsel-directed investigation.
- Case feed: every positive finding is recorded as an [[EP-027-field-contact-and-suspicious-activity-report|EP-027 Field Contact and Suspicious Activity Report]] and routed to [[OSINT-052-threat-case-assessment-and-management-tam|OSINT-052 Threat Case Assessment & Management]] case intake for the affected principal.
Escalation Table
| Severity Tier | Trigger Condition | Notify | Method | Acknowledgement Target |
|---|---|---|---|---|
| Critical | Positive TSCM finding | Detail Leader, Operations Manager, Client Legal Counsel per Need-to-Know Matrix | Verbal, face-to-face or secure voice from a clean location only | [N] minutes |
| High | Vendor conduct violation | Operations Manager | Secure Chat | [N] hour |
| Elevated | Vendor certification or due-diligence lapse detected at tasking | Operations Manager | Secure Chat | 24 Hours |
| Moderate | Quiet-room discipline breach | Detail Leader | Shift log entry | 24 Hours |
5. Service Levels (SLA)
The SLA binds tasking and sweep-completion timing; it does not warrant technical detection outcomes, per the Section 9 limits.
Activation SLA
- Baseline Sweep: From program start, all Scope Catalog locations swept within [N] days.
- Event-Driven Tasking: Vendor tasked within the Lead Time set for each trigger in Section 2.
- Mobilization Checklist: Vendor Qualification Gate fully satisfied, escort assigned, and region package threat level confirmed before any tasking is issued.
Key Performance Indicators (KPIs)
| Metric | Target | Measurement | Reporting | Remedy/Credit |
|---|---|---|---|---|
| Baseline Sweep Completion | 100% of Scope Catalog locations swept within [N] days of program start | Sweep certificates vs. scope catalog | Monthly | Schedule remediation at no additional brokerage fee |
| Event-Driven Tasking Timeliness | 100% within Lead Time targets in Section 2 | Tasking log vs. trigger timestamp | Monthly | Vendor performance review |
| Vendor Roster Currency | 100% of tasked vendors current on ART-vendor-due-diligence | Due-diligence file audit | Monthly | Vendor suspended from active tasking pending renewal |
| Findings Report Turnaround (clean) | 95% within [N] hours of sweep completion | Report timestamp vs. sweep completion | Monthly | Staff review |
6. Review & Renewal
Reviewed against sweep-program performance and vendor qualification currency, not against any technical detection outcome.
- Service Review: Monthly review between client representative and Operations Manager, covering sweep completion, vendor conduct, and roster currency.
- Change-Control: Any change to the Scope Catalog, Sweep Tiers, or vendor assignment requires a written addendum.
- Termination: Termination requires [N] days written notice. Any outstanding vendor engagement is completed or stood down per the vendor contract’s own terms.
7. Deliverables & Records
Records exist to prove the brokerage process was followed, not to make a technical claim about a space.
- Sweep Certificate: date, location, tier, tasked vendor, technician(s), escorting detail member, result (clean/positive), and equipment-list reference.
- Findings Report Handling: classification CONFIDENTIAL, distribution limited to the Need-to-Know Matrix, transmitted only once the space or item is confirmed clear for written handling.
- Retention: sweep certificates and findings reports retained [N] years then destroyed; vendor due-diligence files, NDAs, counter-intelligence interview records, and equipment-list disclosures retained for the life of the vendor relationship plus [N] years.
- Storage: all records held on encrypted storage; positive-finding records receive restricted access controls beyond the standard CONFIDENTIAL handling floor.
8. Pricing / Engagement Model
Placeholders only; no rate is asserted.
| Element | Basis | Placeholder |
|---|---|---|
| Brokerage / Program Management Fee | Per sweep or monthly retainer | [$ AMOUNT] per [SWEEP / MONTH] |
| Vendor Pass-Through Cost | Vendor’s direct quote per engagement | [PASS-THROUGH, NO MARKUP / MARKUP %] |
| Escort Labor | Detail member hours at standard rate | [RATE] per hour |
| Emergency / Post-Incident Surcharge | Expedited tasking outside standard lead time | [%] surcharge |
9. Limits
States what this service does not warrant, beyond the mandatory caveat above.
- The firm makes no technical assurance claim beyond what the tasked vendor’s own certification and sweep certificate state; the firm’s role is procurement, escort, and quality control of the vendor process, not independent technical verification of RF conditions.
- A sweep certifies a space clean only at the time of inspection. Quiet-room behavior discipline (no sensitive discussion in an unswept or previously-swept space treated as permanently clean) is required of the client party between sweeps; this service does not mitigate risk introduced by its absence.
- This is not an investigation and does not guarantee detection of every device; alerting and findings routing are best-effort within the stated SLA.
Annex A: Source & Watch-List Register (graded)
Graded inputs feeding the watch items in Section 1.
- TSCM Vendor Roster (
ART-vendor-roster, [[BIZ-006-pre-vetted-vendor-roster|BIZ-006]]), qualification confirmed viaART-vendor-due-diligence([[OSINT-016-third-party-and-vendor-due-diligence|OSINT-016]]). Grade: [ADMIRALTY GRADE, VENDOR-SPECIFIC]. - Region Package threat level, feeding periodic sweep cadence. Grade: [GRADE].
- [[EP-027-field-contact-and-suspicious-activity-report|EP-027]] field reports and [[OSINT-050-hostile-surveillance-vulnerability-assessment|OSINT-050]] findings, feeding event-driven triggers. Grade: [GRADE].
Annex B: Onboarding / Offboarding & Data-Handling Checklist
- Onboarding Checklist:
- Confirm vendor selected from
ART-vendor-roster. - Confirm
ART-vendor-due-diligencedeep-tier vetting complete and current. - Execute NDA with vendor firm and every assigned technician.
- Complete counter-intelligence screening interview for every assigned technician.
- Confirm no-subcontracting clause is present in the executed vendor contract.
- Receive and log equipment-list disclosure before first site access.
- Brief the escorting detail member on the continuous-escort requirement.
- Pull [[EP-005-residential-security-survey|EP-005 Residential Security Survey]] and the region package threat level to set baseline tasking.
- Confirm vendor selected from
- Offboarding Checklist (vendor):
- Confirm removal of all vendor equipment from site at engagement close.
- Archive sweep certificates and findings reports per the retention schedule.
- Conduct vendor performance review and update roster status.
- Debrief the escorting detail member.
- Data-Handling: Findings reports are classified CONFIDENTIAL, distributed only per the Need-to-Know Matrix, and held on encrypted storage; retention and destruction follow Section 7. The verbal-first protocol governs handling of any positive finding until the space or device status is confirmed resolved.
END OF SERVICE PLAYBOOK
Model wiring
Generated from cell frontmatter at publish time.