Sensitive security information
Sensitive Security Information or SSI is a term used in the United States to denote sensitive but unclassified information obtained or developed in the conduct of security activities, the public disclosure of which would constitute an unwarranted invasion of privacy, reveal trade secrets or privileged or confidential information, or be detrimental to the security of transportation. It is not a form of classification under Executive Order 12958 as amended. SSI is not classified national security information in the sense of Top Secret, Secret or Confidential. The safeguarding and sharing of SSI is governed by Title 49 Code of Federal Regulations parts 15 and 1520. This designation is assigned to information to limit the exposure of the information to only those individuals that "need to know" in order to participate in or oversee the protection of the nation's transportation system. Those with a need to know can include persons outside of TSA, such as airport operators, aircraft operators, railroad carriers, rail hazardous materials shippers and receivers, vessel and maritime port owners and operators, foreign vessel owners, and other persons.
Information designated as SSI cannot be shared with the general public, and it is exempt from disclosure under the Freedom of Information Act.
Background: Legislative and Regulatory History
Following the September 11, 2001 terrorist attacks in the United States, Congress passed the Aviation and Transportation Security Act known as ATSA, which established the DOT Transportation Security Administration. The Act also transferred the responsibility for civil aviation security from FAA to TSA. On February 22, 2002, FAA and TSA published a joint final rule transferring the bulk of FAA's aviation security rules, including FAA's SSI regulation to TSA as 49 CFR Part 1520. It also specified in more detail which information is SSI, and protected vulnerability assessments for all modes of transportation. The Homeland Security Act of 2002 established the Department of Homeland Security and transferred TSA from DOT to DHS. The Act also amended Title 49 U.S.C. §40119 to retain SSI authority for the Secretary of Transportation, and added subsection to 49 U.S.C. § 114, reaffirming TSA's authority under DHS to prescribe SSI regulations. TSA and DOT expanded the SSI regulation to incorporate maritime security measures implemented by U.S. Coast Guard regulations and clarify preexisting SSI provisions in an interim final rule issued on May 18, 2004. The DOT SSI regulation is at 49 CFR Part 15, and the TSA SSI regulation remains at 49 CFR Part 1520.The REAL ID Act of 2005 required DHS to establish standards for driver's licenses that Federal agencies could accept for official identification purposes, including "boarding federally regulated commercial aircraft." Title 6 CFR Part 37 was published January 29, 2008, and requires a security plan and related vulnerability assessments that are defined as SSI and governed by 49 CFR 1520.
The Homeland Security Appropriations Act of 2006 required DHS to provide department-wide policies for designating, safeguarding, and marking documents as SSI, along with auditing and accountability procedures. The Act also required that DHS report to Congress the number of SSI Coordinators within DHS, and provide a list of documents designated as SSI in their entirety. It also required that DHS provide guidance that includes extensive examples of SSI to further define the individual categories found under 49 CFR section 1520.5 through. The Act directed that such guidance serve as the primary basis and authority for protecting, sharing, and marking information as SSI.
The Homeland Security Appropriations Act of 2007 required DHS to revise its SSI directives and mandated timely review of SSI requests. It also contained reporting requirements, mandated expanded access to SSI in litigation, and required that all SSI over three years old, and not in current SSI categories, be released upon request unless the DHS Secretary makes a written determination that the information must remain SSI.
The Rail Transportation Security Final Rule, published in the Federal Register on November 26, 2008, adds rail-related terms and covered persons to Part 1520, including railroad carriers, rail facilities, rail hazardous materials shippers and receivers, and rail transit systems that are detailed in a new Part 1580. Although rail vulnerability assessments and threat information were already SSI under Part 1520, this rail final rule specifies that information on rail security investigations and inspections, security measures, security training materials, critical rail infrastructure assets, and research and development is also SSI.
Categories
As enumerated in 49 CFR §1520.5, there are 16 categories of SSI of which there are three types. Four of the categories are termed "categorical" and are automatically designated as SSI. Eleven of the categories require a judgment or analysis to receive an SSI designation and one category is termed as 'other' and is determined by a written request from an authorized office.Determining Sensitive Security Information
Information receiving SSI designation includes but is not limited to:- Security programs and contingency plans regarding any aircraft operator, airport operator, or fixed-base operator security program.
- Security contingency plans regarding any vessel, maritime facility, or port area.
- National or area security plans.
- Security incident response plans.
- Security Directives issued by the TSA
- Driver license security designs, descriptions of security features and private keys for encrypted machine-readable data contained therein.
- Information pertaining to advanced methods of authenticating State issued driver licenses and identification cards.
- State government Driver License & Identification Card Security Plans.
- Methods of assessing vulnerabilities in government issued secure documents
Criticism and Praise of the SSI Policies
Some examples in question were:
- The TSA had written responses to questions that were designated as sensitive security information, but did not treat the same information as sensitive the month earlier.
- The TSA had said certain information related to the electronic screening of checked baggage at airports was SSI where this information had already been exposed to the public domain.
The resulting opinion was that sensitive material needs to be protected, but the public also needs to be informed of information that affects safety and security.
"Although the release of certain sensitive information could put the nation's citizens and infrastructure at risk, the federal government should be mindful of the public's legitimate interest in, and right to know, information related to threats to the transportation system and associated vulnerabilities. Accordingly, access to this information should only be limited when it is necessary to guard against those who pose a threat and their ability to develop techniques to subvert security measures."
In a November 30, 2007, report to Congress entitled Transportation Security Administration's Processes for Designating and Releasing Sensitive Security Information, the Government Accountability Office stated:
"DHS, primarily through TSA's SSI Office, has addressed all of the legislative mandates from the DHS Appropriations Act, 2007, and taken actions to satisfy all of the recommendations from our June 2005 report. DHS revised its MD to address the need for updating SSI guidance, and TSA has established more extensive SSI criteria and examples that respond to requirements in the DHS Appropriations Act, 2007, and our 2005 recommendation that TSA establish guidance and procedures for using TSA regulations to determine what constitutes SSI. Further, TSA has documented the criteria and examples in various publications to serve as guidance for identifying and designating SSI. TSA has also shared its documentation of the criteria and examples with other DHS agencies."
In Congressional testimony on information sharing for homeland security, and controlled unclassified information presented on July 28, 2008, GAO went even further when stating:
"The Transportation Security Administration's program on managing information it designates as sensitive security information could serve as a model to guide other agencies' implementation of CUI."