The Built World Has a Security Code Gap

Modern buildings are regulated for fire, egress, structure, energy and accessibility, but most are not required to account for deliberate attack, communications disruption, electromagnetic exposure or coordinated physical-cyber failure. This article explains why security should become a normal design discipline rather than an afterthought.

Most buildings are code-compliant and still not security-resilient. That is the central problem Certanet was created to address.

The built environment has improved dramatically in fire safety, seismic engineering, energy performance, accessibility and life-safety planning. Yet many occupied buildings, utility sites, data facilities, manufacturing plants and public-sector assets remain exposed to threats that conventional building codes barely touch: forced entry, ballistic exposure, hostile surveillance, electromagnetic disruption, vehicle impact, coordinated cyber-physical attacks and long-duration grid instability.

Compliance is not the same as protection

A code-compliant facility generally meets the minimum rules adopted by the jurisdiction. That is valuable, but it is not the same as a threat-informed protective design. Security professionals know this instinctively. A building can have a certificate of occupancy, pass inspection and still rely on weak glazing, exposed utilities, unsecured roof access, unprotected exterior walls, undocumented standoff assumptions and electronic systems with no physical protection around the rooms that keep them alive.

The gap is not incompetence. It is scope. Conventional building codes were not written to make every building a secure facility. That means owners, designers, insurers and authorities having jurisdiction must decide when minimum code is not enough.

The missing layer is security performance

Fire protection has ratings. Structural design has loads. Energy performance has measurable targets. Security too often has opinions, vendor claims and fragmented checklists. The next generation of secure construction should move toward performance language for delay, detection, denial, survivability and continuity.

That does not mean every building needs a bunker-level envelope. It means risk should be translated into design requirements early enough to affect site planning, envelope selection, room placement, mechanical layout, communications pathways, backup power, access control and maintenance.
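To show what measurable performance language for delay and detection can look like, here is an added worked example (not code from Certanet or this article): a simplified adversary-path timeline model that computes, for an assumed sequence of protective layers and a fixed response time, the probability that an intrusion is detected early enough for responders to interrupt it, and which layer is the last point where detection still helps. The layer names, detection probabilities, delay times and response times are constructed assumptions; detection is assumed to occur as the adversary begins a layer and to be independent across layers.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

@dataclass(frozen=True)
class Layer:
    """One protective layer on an adversary's path (constructed, illustrative)."""
    name: str
    p_detect: float  # probability the layer's sensors or observers detect the adversary
    delay_s: float   # time the layer delays a capable adversary, in seconds

def remaining_delay(path: Sequence[Layer], index: int) -> float:
    """Delay still ahead of the adversary when detection occurs at layer `index`.
    Assumes (simplification) that detection happens as the adversary starts that layer."""
    return sum(layer.delay_s for layer in path[index:])

def critical_detection_point(path: Sequence[Layer], response_s: float) -> Optional[str]:
    """Last layer at which detection still leaves responders enough delay to arrive.
    Detection after this point comes too late to interrupt the adversary."""
    last = None
    for i, layer in enumerate(path):
        if remaining_delay(path, i) >= response_s:
            last = layer.name
    return last

def probability_of_interruption(path: Sequence[Layer], response_s: float) -> float:
    """Probability the adversary is first detected at a layer with enough delay left.
    Detections are treated as independent; response time is a fixed value."""
    p_undetected_so_far = 1.0
    p_interrupt = 0.0
    for i, layer in enumerate(path):
        p_first_detect_here = p_undetected_so_far * layer.p_detect
        if remaining_delay(path, i) >= response_s:
            p_interrupt += p_first_detect_here
        p_undetected_so_far *= 1.0 - layer.p_detect
    return p_interrupt

# Constructed sample path from the site perimeter to the room that keeps the
# building's critical systems alive; every number here is an assumption.
EXAMPLE_PATH = (
    Layer("perimeter fence", p_detect=0.5, delay_s=10),
    Layer("exterior door", p_detect=0.9, delay_s=60),
    Layer("interior corridor", p_detect=0.3, delay_s=30),
    Layer("equipment room door", p_detect=0.9, delay_s=120),
)

if __name__ == "__main__":
    for r in (180, 215):  # two assumed response times, in seconds
        print(r, round(probability_of_interruption(EXAMPLE_PATH, r), 3), critical_detection_point(EXAMPLE_PATH, r))
```

With a 180 s response the model gives a 0.95 probability of interruption and the exterior door as the critical detection point; at 215 s only fence detection is early enough and the figure drops to 0.5, which is the kind of number a design requirement can be written against.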

Where standards already point the way

Federal and defense criteria already show a more disciplined path. The Unified Facilities Criteria program incorporates building codes, DoD requirements and statutory provisions into planning and design criteria. UFC 4-010-01 establishes minimum antiterrorism standards where no specific threat or level of protection has otherwise been determined. The Interagency Security Committee Risk Management Process provides a structured basis for facility security levels and countermeasure selection for federal facilities.

The private sector should not copy those standards blindly. It should learn from their structure: define the asset, define the threat, define the consequence, define the required level of protection, then document the accepted residual risk.

Practical starting point

Every significant project should ask five questions before schematic design is complete:

  • What would a capable adversary target first?
  • Which systems must survive for the facility to remain safe?
  • What physical pathways expose those systems?
  • What electromagnetic or communications dependencies are assumed?
  • Who owns the decision to accept residual risk?

Good security design is not paranoia. It is disciplined common sense applied before the concrete is poured and the walls are closed.

Recommended citation

Certanet, “The Built World Has a Security Code Gap,” 2026.