TSCM Inspection Brokerage: Operational Service Playbook

Deliverable EP-031. Structure per cc02-standards/SERVICE-STANDARD.md. Every watch item binds a tripwire, a cadence, and an escalation route, or it is removed.

Document Control

FieldValue
Service Reference[REF-YYYY-###]
Classificationinternal
Version0.1.0
Prepared By[Operations Manager]
Effective Date[YYYY-MM-DD]
Term[12 Months]

Scope, Authorities & Limitations

This is a monitoring/operational service, not an investigation, a guarantee of detection, or legal advice. Collection is limited to lawful, authorized sources within the agreed scope; no unlawful access, intrusion, pretexting, or surveillance of non-consenting third parties is performed. Alerting is best-effort within the stated SLA and does not warrant prevention of any event.

Service Definition and the Brokered Model

The firm does not self-perform technical surveillance countermeasures (TSCM). This service is a brokerage: the firm scopes the requirement, selects and qualifies an independent specialist TSCM vendor, escorts the vendor throughout every engagement, quality-controls vendor performance against this playbook, and owns intake and handling of findings. The firm acts as the client’s intelligent buyer of a technical discipline it does not itself hold; it never represents that its own personnel performed a technical sweep.

Rationale for BrokerageExplanation
Capability HonestyThe firm does not claim, and does not certify its personnel to, technical RF detection or counter-surveillance competence. Brokerage keeps the service’s claimed capability limited to what the firm actually performs: scoping, vendor qualification, escort, quality control, and findings handling.
Equipment CostTSCM detection equipment (RF spectrum analysis tools, nonlinear junction detection, physical/thermal inspection tools) carries acquisition, calibration, and maintenance cost that is uneconomical to hold in-house at the firm’s sweep volume.
Certification CurrencyTSCM operator certification and technique currency depend on continuous, high-volume specialist practice. A generalist protective operations firm cannot sustain certification currency at the rate a dedicated TSCM vendor does; brokerage transfers that currency risk to a vendor whose sole business is TSCM.

Service Definition and Scope Boundaries

States what the firm does and does not do, and where the excluded work is routed.

  • Inclusions: Scoping of TSCM requirements, vendor selection from ART-vendor-roster, vendor qualification at the deep-vetting tier via ART-vendor-due-diligence, escort of vendor personnel throughout every engagement, quality control of vendor sweep performance, and intake, containment, and routing of findings.
  • Exclusions: The firm does not perform RF sweeps, bug detection, or any technical inspection with firm-owned equipment; that work is always performed by a qualified vendor under this brokerage. The firm makes no independent technical determination that a space is clear beyond the vendor’s certificate. Attribution of who placed a device, and any law-enforcement function beyond evidence preservation and lawful referral, are outside this service.
  • Relationship to EP-005 (Residential Security Survey): EP-005 is the firm’s own physical and site-security survey of a residence (structural, access control, lighting, camera coverage, physical vulnerabilities), performed by firm personnel. EP-031 is the brokered technical/RF inspection performed by an independent TSCM specialist. The two disciplines are distinct and use different providers, but run together operationally: EP-005’s scope boundary excludes TSCM and routes it here; a residence program typically schedules an EP-005 survey and an EP-031 baseline sweep in the same onboarding window.

Scope Catalog

Locations and triggers covered by this brokerage. Any location not listed requires a scoping addendum before tasking.

Sweep TypeTypical TriggerLocations Covered
Residence SweepProgram baseline; periodic per threat levelPrincipal residence(s), interior and perimeter per Sweep Tier
Executive Office SweepProgram baseline; periodic per threat levelPrincipal office, boardroom, adjacent conference space
Vehicle SweepProgram baseline; pre-travelPrincipal vehicle(s), driver compartment, cargo areas
Event/Meeting Venue Pre-Occupancy SweepScheduled sensitive meeting or event[VENUE], prior to principal or party occupancy
Gift/Electronics InspectionReceipt of a gift or unvetted electronic device intended for principal use or a principal spaceIndividual item, isolated from principal spaces pending clearance
Post-Incident Sweep[[EP-027-field-contact-and-suspicious-activity-report|EP-027 Field Contact and Suspicious Activity Report]] filed, or an [[OSINT-050-hostile-surveillance-vulnerability-assessment|OSINT-050 Hostile Surveillance Vulnerability Assessment]] finding deliveredLocation(s) identified by the triggering report

Sweep Tiers

All technical parameters are engagement-specific and set by the tasked vendor’s SOP; the firm does not specify RF thresholds, frequency ranges, or detection method internals.

TierDescriptionTypical DurationTechnical Parameters
Tier 1 - Full SpectrumFull RF spectrum sweep plus physical/visual inspection of the space[N] hours[FREQUENCY RANGE], [DETECTION METHOD] per vendor SOP
Tier 2 - Limited Pre-MeetingTargeted RF check plus visual inspection of high-risk fixtures and furnishings ahead of a single meeting[N] hours[FREQUENCY RANGE], [DETECTION METHOD] per vendor SOP
Tier 3 - In-Conference MonitoringLive RF monitoring by a vendor technician present for the duration of the meeting/event[EVENT DURATION][MONITORING METHOD] per vendor SOP

Vendor Qualification Gate

No vendor is tasked until every gate below is satisfied and logged. This gate exists because a TSCM vendor is given RF equipment and unsupervised-seeming access to a principal’s most private spaces; the vetting bar is the deep tier, not the standard roster floor.

GateRequirementVerification Method
Roster SourcingVendor selected from ART-vendor-roster (Pre-Vetted Vendor Roster)Roster status check by Operations Manager
Deep Due DiligenceVendor subject to ART-vendor-due-diligence (Third-Party & Vendor Due Diligence) at the deep tier before first engagement, reflecting the extreme sensitivity of RF-equipped access to private spacesOSINT-016 report on file, current within [N] months
NDAVendor firm and every assigned technician execute a non-disclosure agreement covering findings, methods, and principal identitySigned NDA on file per technician
Counter-Intelligence InterviewEvery assigned technician completes a counter-intelligence screening interview before first engagementInterview record on file; Operations Manager sign-off
No-Subcontracting ClauseVendor contract prohibits subcontracting any part of the engagement without prior written approvalClause present in executed vendor contract
Equipment List DisclosureVendor discloses make, model, and serial of all equipment to be brought on-site before each engagementEquipment list received and logged before site access is granted
Continuous EscortA detail member escorts the vendor technician at all times within principal spaces; the vendor is never left alone in a principal spaceEscort log entry covering the full duration of vendor site access

1. Scope & Watch Criteria / Tripwires

Watch items are conditions the brokerage monitors across the vendor relationship and the sweep program, not technical RF conditions (those belong to the vendor’s own methodology).

Watch ItemIndicatorTripwire ThresholdSeverity (L×I)Escalation Route
Positive TSCM FindingVendor reports a suspect device, transmitter, or anomalous RF/physical indicatorAny positive finding, regardless of vendor confidenceCritical (21-25)Verbal-only notification per Section 4 Findings Intake Protocol; no written or electronic transmission near the finding
Vendor Conduct ViolationVendor technician unescorted in a principal space, or undisclosed subcontracting detectedAny occurrenceHigh (16-20)Immediate notification to Operations Manager; vendor engagement suspended pending review
Vendor Certification LapseVendor’s TSCM certification or ART-vendor-due-diligence reassessment expiresCertification or due-diligence file older than [N] months at time of taskingElevated (11-15)Notification to Operations Manager; vendor held off active tasking pending renewal
Quiet-Room Discipline BreachSensitive discussion held in a space between sweeps without quiet-room protocol observedAny observed breachModerate (6-10)Notification to Detail Leader; reinforcement briefing to principal party

2. Tasking Cadence & Sources

Baseline tasking sets the sweep program at program start; periodic tasking follows the region package threat level; event-driven tasking is trigger-based and time-bound.

TaskingCadenceBasisOwner
Baseline SweepAt program start, all Scope Catalog locationsProgram initiationOperations Manager
Periodic SweepNot less than [FREQUENCY] at [THREAT LEVEL], scaled to the region package threat levelRegion package threat level; protective intelligence assessmentOperations Manager
Event-Driven SweepPer Event-Driven Triggers table belowTrigger eventDetail Intelligence Officer

Event-Driven Triggers

TriggerActionLead Time
Sensitive meeting or event scheduledTier 2 pre-meeting sweep of venueVendor tasked no later than [N] hours before occupancy
Gift or unvetted electronic device received for principal useTier 1 item-level inspection before item enters a principal spaceVendor tasked within [N] hours of receipt
[[EP-027-field-contact-and-suspicious-activity-report|EP-027]] field contact / suspicious activity report filedPost-incident sweep of affected location(s)Vendor tasked within [N] hours of report filing
[[OSINT-050-hostile-surveillance-vulnerability-assessment|OSINT-050]] hostile surveillance vulnerability finding deliveredPost-incident sweep of identified vulnerability location(s)Vendor tasked within [N] hours of finding delivery
Threat level escalation in the region packageFull-spectrum re-sweep of residence and officeVendor tasked within [N] hours of escalation notice

3. Reporting Cadence & Product Format

The sweep certificate is the routine product; a findings report only issues in writing after the verbal-first protocol in Section 4 has run its course.

ProductTrigger/CadenceFormatRecipientChannel
Sweep CertificateIssued at completion of every sweep, all tiersSigned certificate, [TEMPLATE REF]Client / Operations ManagerSecure Portal
Findings Report (clean)Issued within [N] hours of a clean, no-finding sweepWritten summaryOperations Manager / ClientSecure Portal
Findings Report (positive)Issued only after verbal notification and containment per Section 4; written report follows once the space is confirmed clear for written handlingCONFIDENTIAL written reportNamed recipients per Need-to-Know MatrixSecure channel confirmed clear of any remaining risk
EP-027 Field Report FeedAny positive finding or vendor conduct violation[[EP-027-field-contact-and-suspicious-activity-report|EP-027 Field Contact and Suspicious Activity Report]]Protective Intelligence Officer, for [[OSINT-052-threat-case-assessment-and-management-tam|OSINT-052 TAM]] case intakeSecure Portal
Monthly Program ReviewMonthlyPDF Executive SummaryClientSecure Email

4. Escalation & Notification Triggers (Findings Intake Protocol)

Positive findings receive a verbal-first protocol: nothing regarding a suspected device is transmitted, written, radioed, or entered into any system while the device may still be live or the space compromised. All initial notification is face-to-face, or by a pre-arranged out-of-space verbal signal, from a location confirmed clean.

Containment Decisions

  • The vendor technician and escort withdraw from the immediate vicinity of the suspect device without touching, disabling, or discussing it in the space, to avoid tipping off an adversary or destroying evidence.
  • The principal and party are moved to a pre-designated clean space.
  • No discussion of the finding occurs within the swept space or any space suspected of compromise until that space is independently confirmed clear.

Need-to-Know Matrix

RoleInformedTimingMethod
Detail LeaderYesImmediate, from a confirmed clean spaceFace-to-face
Operations ManagerYesImmediateFace-to-face or secure voice from a clean location
PrincipalPer client disclosure policy [DISCLOSURE POLICY REF]Within [N] hours, as directed by Operations ManagerFace-to-face
Client Legal CounselYes, before any law enforcement contactWithin [N] hoursSecure voice from a clean location
Law EnforcementPer Routing to Law Enforcement belowPer legal counsel directionPer jurisdiction protocol
Broader detail staffNo; need-to-know onlyN/AN/A

Routing to Law Enforcement

  • Evidence preservation: the device is not further handled, moved, or disabled beyond the initial containment; the site is treated as a scene pending law-enforcement guidance.
  • Lawful handling: contact with law enforcement is made through the jurisdiction-appropriate reporting channel identified in the region package, with chain-of-custody logged from first containment.
  • No self-help attribution: the firm does not attempt to identify or accuse a responsible party; attribution determinations belong to law enforcement and, where the client directs it, counsel-directed investigation.
  • Case feed: every positive finding is recorded as an [[EP-027-field-contact-and-suspicious-activity-report|EP-027 Field Contact and Suspicious Activity Report]] and routed to [[OSINT-052-threat-case-assessment-and-management-tam|OSINT-052 Threat Case Assessment & Management]] case intake for the affected principal.

Escalation Table

Severity TierTrigger ConditionNotifyMethodAcknowledgement Target
CriticalPositive TSCM findingDetail Leader, Operations Manager, Client Legal Counsel per Need-to-Know MatrixVerbal, face-to-face or secure voice from a clean location only[N] minutes
HighVendor conduct violationOperations ManagerSecure Chat[N] hour
ElevatedVendor certification or due-diligence lapse detected at taskingOperations ManagerSecure Chat24 Hours
ModerateQuiet-room discipline breachDetail LeaderShift log entry24 Hours

5. Service Levels (SLA)

The SLA binds tasking and sweep-completion timing; it does not warrant technical detection outcomes, per the Section 9 limits.

Activation SLA

  • Baseline Sweep: From program start, all Scope Catalog locations swept within [N] days.
  • Event-Driven Tasking: Vendor tasked within the Lead Time set for each trigger in Section 2.
  • Mobilization Checklist: Vendor Qualification Gate fully satisfied, escort assigned, and region package threat level confirmed before any tasking is issued.

Key Performance Indicators (KPIs)

MetricTargetMeasurementReportingRemedy/Credit
Baseline Sweep Completion100% of Scope Catalog locations swept within [N] days of program startSweep certificates vs. scope catalogMonthlySchedule remediation at no additional brokerage fee
Event-Driven Tasking Timeliness100% within Lead Time targets in Section 2Tasking log vs. trigger timestampMonthlyVendor performance review
Vendor Roster Currency100% of tasked vendors current on ART-vendor-due-diligenceDue-diligence file auditMonthlyVendor suspended from active tasking pending renewal
Findings Report Turnaround (clean)95% within [N] hours of sweep completionReport timestamp vs. sweep completionMonthlyStaff review

6. Review & Renewal

Reviewed against sweep-program performance and vendor qualification currency, not against any technical detection outcome.

  • Service Review: Monthly review between client representative and Operations Manager, covering sweep completion, vendor conduct, and roster currency.
  • Change-Control: Any change to the Scope Catalog, Sweep Tiers, or vendor assignment requires a written addendum.
  • Termination: Termination requires [N] days written notice. Any outstanding vendor engagement is completed or stood down per the vendor contract’s own terms.

7. Deliverables & Records

Records exist to prove the brokerage process was followed, not to make a technical claim about a space.

  • Sweep Certificate: date, location, tier, tasked vendor, technician(s), escorting detail member, result (clean/positive), and equipment-list reference.
  • Findings Report Handling: classification CONFIDENTIAL, distribution limited to the Need-to-Know Matrix, transmitted only once the space or item is confirmed clear for written handling.
  • Retention: sweep certificates and findings reports retained [N] years then destroyed; vendor due-diligence files, NDAs, counter-intelligence interview records, and equipment-list disclosures retained for the life of the vendor relationship plus [N] years.
  • Storage: all records held on encrypted storage; positive-finding records receive restricted access controls beyond the standard CONFIDENTIAL handling floor.

8. Pricing / Engagement Model

Placeholders only; no rate is asserted.

ElementBasisPlaceholder
Brokerage / Program Management FeePer sweep or monthly retainer[$ AMOUNT] per [SWEEP / MONTH]
Vendor Pass-Through CostVendor’s direct quote per engagement[PASS-THROUGH, NO MARKUP / MARKUP %]
Escort LaborDetail member hours at standard rate[RATE] per hour
Emergency / Post-Incident SurchargeExpedited tasking outside standard lead time[%] surcharge

9. Limits

States what this service does not warrant, beyond the mandatory caveat above.

  • The firm makes no technical assurance claim beyond what the tasked vendor’s own certification and sweep certificate state; the firm’s role is procurement, escort, and quality control of the vendor process, not independent technical verification of RF conditions.
  • A sweep certifies a space clean only at the time of inspection. Quiet-room behavior discipline (no sensitive discussion in an unswept or previously-swept space treated as permanently clean) is required of the client party between sweeps; this service does not mitigate risk introduced by its absence.
  • This is not an investigation and does not guarantee detection of every device; alerting and findings routing are best-effort within the stated SLA.

Annex A: Source & Watch-List Register (graded)

Graded inputs feeding the watch items in Section 1.

  • TSCM Vendor Roster (ART-vendor-roster, [[BIZ-006-pre-vetted-vendor-roster|BIZ-006]]), qualification confirmed via ART-vendor-due-diligence ([[OSINT-016-third-party-and-vendor-due-diligence|OSINT-016]]). Grade: [ADMIRALTY GRADE, VENDOR-SPECIFIC].
  • Region Package threat level, feeding periodic sweep cadence. Grade: [GRADE].
  • [[EP-027-field-contact-and-suspicious-activity-report|EP-027]] field reports and [[OSINT-050-hostile-surveillance-vulnerability-assessment|OSINT-050]] findings, feeding event-driven triggers. Grade: [GRADE].

Annex B: Onboarding / Offboarding & Data-Handling Checklist

  • Onboarding Checklist:
    • Confirm vendor selected from ART-vendor-roster.
    • Confirm ART-vendor-due-diligence deep-tier vetting complete and current.
    • Execute NDA with vendor firm and every assigned technician.
    • Complete counter-intelligence screening interview for every assigned technician.
    • Confirm no-subcontracting clause is present in the executed vendor contract.
    • Receive and log equipment-list disclosure before first site access.
    • Brief the escorting detail member on the continuous-escort requirement.
    • Pull [[EP-005-residential-security-survey|EP-005 Residential Security Survey]] and the region package threat level to set baseline tasking.
  • Offboarding Checklist (vendor):
    • Confirm removal of all vendor equipment from site at engagement close.
    • Archive sweep certificates and findings reports per the retention schedule.
    • Conduct vendor performance review and update roster status.
    • Debrief the escorting detail member.
  • Data-Handling: Findings reports are classified CONFIDENTIAL, distributed only per the Need-to-Know Matrix, and held on encrypted storage; retention and destruction follow Section 7. The verbal-first protocol governs handling of any positive finding until the space or device status is confirmed resolved.

END OF SERVICE PLAYBOOK

Model wiring

Generated from cell frontmatter at publish time.