Sensitive security information

Sensitive security information (SSI) is a category of United States sensitive but unclassified information obtained or developed in the conduct of security activities, the public disclosure of which would constitute an unwarranted invasion of privacy, reveal trade secrets or privileged or confidential information, or be detrimental to the security of transportation. It is not a form of classification under Executive Order 12958 as amended. SSI is not a security classification for national security information (eg. Top Secret, Secret). The safeguarding and sharing of SSI is governed by Title 49 Code of Federal Regulations (CFR) parts 15 and 1520. This designation is assigned to information to limit the exposure of the information to only those individuals that "need to know" in order to participate in or oversee the protection of the nation's transportation system. Those with a need to know can include persons outside of TSA, such as airport operators, aircraft operators, railroad carriers, rail hazardous materials shippers and receivers, vessel and maritime port owners and operators, foreign vessel owners, and other persons.

SSI was created to help share transportation-related information deemed too revealing for public disclosure between Federal government agencies; State, local, tribal, and foreign governments; U.S. and foreign air carriers; and others.

Information designated as SSI cannot be shared with the general public, and it is exempt from disclosure under the Freedom of Information Act (FOIA).

Background: Legislative and regulatory history
SSI got its start in the Air Transportation Security Act of 1974 (Pub. L. No. 93-366), which, among other things, authorized the Federal Aviation Administration (FAA) to prohibit disclosure of information obtained whose disclosure would constitute an unwarranted invasion of personal privacy; reveal trade secrets or privileged or confidential commercial or financial information obtained from any person; or would reduce the safety of passengers &mdash; all notwithstanding the Freedom of Information Act. On June 28, 1976, FAA published a proposal to create Title 14 Code of Federal Regulations (CFR) Part 191 entitled "Withholding Security Information from Disclosure under the Air Transportation Security Act of 1974." Part 191 created the category of sensitive but unclassified information now known as Sensitive Security Information (SSI), and described the information to be protected from disclosure, including "the security program of any airport; the security program of any air carrier; any device for the detection of any explosive or incendiary device or weapon; and, any contingency security plan."

Less than a year after the December 21, 1988, bombing of Pan Am Flight 103 over Lockerbie, Scotland, the President's Commission on Aviation Security and Terrorism recommended improvements in FAA security bulletins, leading to the creation of Security Directives and Information Circulars. In 1990, section 9121 of the Aviation Safety and Capacity Expansion Act of 1990 (Pub. L. 101–508) broadened 14 CFR Part 191 to prohibit disclosure of "any information obtained in the conduct of security or research and development activities." The Aviation Security Improvement Act of 1990 (Pub. L. No. 101-604) required minimizing the number of people with access to information about threats, often contained in security directives (SDs) and information circulars (ICs). On March 21, 1997, FAA revised 14 CFR Part 191, and changed its title to "Protection of Sensitive Security Information." It also strengthened the existing rule to protect SSI from unauthorized disclosure, expanded its application to air carriers, airport operators, indirect air carriers, foreign air carriers, and individuals, and specified in more detail the information protected to include SDs, ICs, and inspection, incident, and enforcement-related SSI.

Following the September 11, 2001 terrorist attacks in the United States, Congress passed the Aviation and Transportation Security Act (Pub. L. No. 107-71) known as ATSA, which established the DOT Transportation Security Administration (TSA). The Act also transferred the responsibility for civil aviation security from FAA to TSA. On February 22, 2002, FAA and TSA published a joint final rule transferring the bulk of FAA's aviation security rules, including FAA's SSI regulation to TSA as 49 CFR Part 1520. It also specified in more detail which information is SSI, and protected vulnerability assessments for all modes of transportation. The Homeland Security Act of 2002 (Pub. L. No. 107-296) established the Department of Homeland Security (DHS) and transferred TSA from DOT to DHS. The Act also amended Title 49 U.S.C. §40119 to retain SSI authority for the Secretary of Transportation, and added subsection (s) to 49 U.S.C. § 114, reaffirming TSA's authority under DHS to prescribe SSI regulations. TSA and DOT expanded the SSI regulation to incorporate maritime security measures implemented by U.S. Coast Guard regulations and clarify preexisting SSI provisions in an interim final rule (IFR) issued on May 18, 2004. The DOT SSI regulation is at 49 CFR Part 15, and the TSA SSI regulation remains at 49 CFR Part 1520.

The REAL ID Act of 2005 Act of 2005 (Pub. L. No. 109–13) required DHS to establish standards for driver's licenses that Federal agencies could accept for official identification purposes, including "boarding federally regulated commercial aircraft." Title 6 CFR Part 37 was published January 29, 2008, and requires a security plan and related vulnerability assessments that are defined as SSI and governed by 49 CFR 1520.

The Homeland Security Appropriations Act of 2006 (Pub. L. No. 109-90, codified at 6 U.S.C. § 114) required DHS to provide department-wide policies for designating, safeguarding, and marking documents as SSI, along with auditing and accountability procedures. The Act also required that DHS report to Congress the number of SSI Coordinators within DHS, and provide a list of documents designated as SSI in their entirety. It also required that DHS provide guidance that includes extensive examples of SSI to further define the individual categories found under 49 CFR section 1520.5(b)(1) through (16). The Act directed that such guidance serve as the primary basis and authority for protecting, sharing, and marking information as SSI.

The Homeland Security Appropriations Act of 2007 (Pub. L. No. 109-295) required DHS to revise its SSI directives and mandated timely review of SSI requests. It also contained reporting requirements, mandated expanded access to SSI in litigation, and required that all SSI over three years old, and not in current SSI categories, be released upon request unless the DHS Secretary [or designee] makes a written determination that the information must remain SSI.

The Rail Transportation Security Final Rule, published in the Federal Register on November 26, 2008, adds rail-related terms and covered persons to Part 1520, including railroad carriers, rail facilities, rail hazardous materials shippers and receivers, and rail transit systems that are detailed in a new Part 1580. Although rail vulnerability assessments and threat information were already SSI under Part 1520, this rail final rule specifies that information on rail security investigations and inspections, security measures, security training materials, critical rail infrastructure assets, and research and development is also SSI.

Categories
The SSI regulation lists 16 categories of affected information, and allows the Secretary of Homeland Security and the Administrator of the Transportation Security Administration to designate other information as SSI.

The 16 SSI categories as listed in 49 CFR §1520.5(b) are:


 * 1) Security programs and contingency plans.
 * 2) Security Directives.
 * 3) Information Circulars.
 * 4) Performance specifications.
 * 5) Vulnerability assessments.
 * 6) Security inspection or investigative information.
 * 7) Threat information.
 * 8) Security measures.
 * 9) Security screening information.
 * 10) Security training materials.
 * 11) Identifying information of certain transportation security personnel.
 * 12) Critical aviation or maritime infrastructure asset information.
 * 13) Systems security information.
 * 14) Confidential business information.
 * 15) Research and development.
 * 16) Other information. (Determined in writing by DHS or DOT; rarely used.)

For example, SSI includes airport and aircraft operator security programs; the details of various aviation, maritime or rail transportation security measures including perimeter security and access control; procedures for the screening of passengers and their baggage; the results of vulnerability assessments of any mode of transportation; the technical specifications of certain screening equipment and the objects used to test such equipment; and, training materials that could be used to penetrate or circumvent security.

The SSI regulation restricts the release of SSI to people with a "need to know" (see 49 CFR §1520.11), defined generally as those who need the information to do their jobs in transportation security, for example: DHS and TSA officials, airport operators, airline personnel, railroad carriers, rail hazardous materials shippers and receivers, vessel and maritime port owners and operators, and others as noted in 49 CFR §1520.7. SSI cannot be given to the public, and is exempt from disclosure under the Freedom of Information Act.

Determining Sensitive Security Information
Information receiving SSI designation includes but is not limited to:
 * Security programs and contingency plans regarding any aircraft operator, airport operator, or fixed-base operator security program.
 * Security contingency plans regarding any vessel, maritime facility, or port area.
 * National or area security plans.
 * Security incident response plans.
 * Security Directives issued by the TSA
 * Driver license security designs, descriptions of security features and private keys for encrypted machine-readable data contained therein.
 * Information pertaining to advanced methods of authenticating State issued driver licenses and identification cards.
 * State government Driver License & Identification Card Security Plans.
 * Methods of assessing vulnerabilities in government issued secure documents

2005 U.S. Government Accountability Office report
A June 2005 report from the U.S. Government Accountability Office (GAO) titled "Clear Policies and Oversight Needed for Designation of Sensitive Security Information (SSI)," criticized TSA's monitoring controls, saying, "TSA has not established and documented policies and internal control procedures for monitoring compliance with the regulations, policies, and procedures governing its SSI designation process, including ongoing monitoring of the process."

The GAO report cited an October 14, 2004, TSA memo that said the agency's Internal Security Policy Board recognized that handling and identifying SSI had become a problem:

"Lacking a central policy program office for SSI has led to confusion and unnecessary classification of some materials as SSI. Adherence to handling requirements within TSA has been inconsistent, and there have been instances where SSI has been mishandled outside of TSA. Identification of SSI has often appeared to be ad-hoc, marked by confusion and disagreement depending on the viewpoint, experience, and training of the identifier. Strictures on the release of SSI and other SSI policy or handling–related problems have occasionally frustrated industry stakeholders, Congress, the media, and our own employees trying to work within the confines of the restrictions. Significant time and effort has been devoted to SSI issues, and it is not likely that the current approach to addressing such issues can be sustained."

However, in a November 30, 2007, report to Congress entitled Transportation Security Administration's Processes for Designating and Releasing Sensitive Security Information, GAO said: "DHS, primarily through TSA's SSI Office, has addressed all of the legislative mandates from the DHS Appropriations Act, 2007, and taken actions to satisfy all of the recommendations from our June 2005 report. DHS revised its MD (i.e., Management Directive) to address the need for updating SSI guidance, and TSA has established more extensive SSI criteria and examples that respond to requirements in the DHS Appropriations Act, 2007, and our 2005 recommendation that TSA establish guidance and procedures for using TSA regulations to determine what constitutes SSI.  Further, TSA has documented the criteria and examples in various publications to serve as guidance for identifying and designating SSI.  TSA has also shared its documentation of the criteria and examples with other DHS agencies."

On July 28, 2008, GAO went even further, telling Congress: "The Transportation Security Administration's (TSA) program on managing information it designates as sensitive security information could serve as a model to guide other agencies' implementation of CUI."

Legislation to curb secrecy contracts
During the 1980s, Congress and the White House clashed over nondisclosure agreements that said employees could be penalized for disclosing "classifiable" (rather than classified) information. The primary argument against was that a whistleblower could be retaliated against by a management decision to simply retroactively decide that they disclosed classified information - though it was not classified when the disclosure took place. The decision to mark the information as sensitive would have taken place only after a disclosure. Furthermore, this would have held employees who disclosed to a higher standard than the person responsible for marking information that should be marked classified. Ultimately, the "classifiable" aspect of the government nondisclosure policies was dropped.

However, the same situation has reared its head in the former TSA Federal Air Marshal Robert MacLean v. Department of Homeland Security national security whistleblower termination case, which revolves around the TSA's retroactive decision to label a disclosure from MacLean as "Sensitive Security Information," three years after he made his disclosure and four months after terminating him. MacLean argues that his disclosure was protected by the Whistleblower Protection Act; the TSA counters that SSI disclosures are not protected because violations of executive agency regulations are equal to a "violation of law."

According to this 1988 House report. "The Administration's most recent attempt to define 'classifiable' holds employees liable for disclosers of unclassified information, without any prior notice to them of its special status. Under Executive Order 12356, classified information is marked as such. Sec. 1.5. Even information that is in the process of a classification determination is given an interim classification marking for a 30-day period. Executive Order 12356, Sections 1.1(c), 1.(e). The employee is, therefore, aware of its special status. Without the classification markings on unclassified information, however, an employee cannot be sure that the nondisclosure agreements' restrictions apply to that material. Consequently, they must check with their supervisors, thereby alerting them to the disclosure. That invites a chilling effect.  As then Congresswoman (now U.S. Senator) Barbara Boxer noted at the hearings:

"I am concerned this will force would-be whistleblowers to have to ask their superiors about classification determinations. This would act to stop the whistleblower."

It should be noted once again, however, that sensitive security information is governed by published regulations. If properly marked as SSI, a document clearly warns an employee to follow regulatory requirements and implementation guidance regarding disclosure.

2004 House Appropriations Committee audit
In September 2004, two members of the House Appropriations Committee requested that auditors review how the Homeland Security Department is using its authority to withhold transportation security information from the public. The concern is that material needs to be protected, but the public also needs to be advised of information that affects their safety and security.

Some examples in question were:
 * The TSA had written responses to questions that were designated as sensitive security information, but did not treat the same information as sensitive the month earlier.
 * The TSA had said certain information related to the electronic screening of checked baggage at airports was SSI where this information had already been exposed to the public domain.

It was determined that the TSA's application of the SSI regulations has resulted in some disputes over airport security procedures, employee accountability, passenger screening, and airport secrecy agreements. Some believe that too much information has been withheld from the public regarding some of these circumstances.

The resulting opinion was that sensitive material needs to be protected, but the public also needs to be informed of information that affects safety and security. "Although the release of certain sensitive information could put the nation's citizens and infrastructure at risk, the federal government should be mindful of the public's legitimate interest in, and right to know, information related to threats to the transportation system and associated vulnerabilities. Accordingly, access to this information should only be limited when it is necessary to guard against those who pose a threat and their ability to develop techniques to subvert security measures."

Obama administration
John Podesta, chief of the Presidential transition of Barack Obama team, told U.S. lawmakers on September 16, 2008, that over the previous seven years, "the Bush administration has increased secrecy and curtailed access to information through a variety of means," including:
 * An explosion in the use of "controlled unclassified" markings, most of which have never been authorized by statute, to restrict access to unclassified information.
 * Threatening journalists, whistleblowers, and other private citizens with criminal prosecution for the possession or publication of national security information; and the issuance of secret orders and legal opinions to shield illegal actions from public scrutiny.

2014 bipartisan congressional oversight committee report
On May 29, 2014, United States House Committee on Oversight and Government Reform Republican Chairman Darrell Issa and Democrat Ranking Member Elijah Cummings issued a highly critical report about SSI. It cited these findings: "TSA improperly designated certain information as SSI in order to avoid its public release. TSA repeatedly released information to the public against the advice of the SSI office and without having produced suitable documentation to explain the decision. The structure and position of the SSI office within TSA has contributed to the difficulties the office has encountered in carrying out its mission. TSA has moved the office within the agency's organizational structure several times. One official stated the office moves have effectively relegated it a 'throwaway office.'"

On Page 17 of the report, it cited in detail the pending U.S. Supreme Court case, Department of Homeland Security v. MacLean: "TSA's release of information related to [Federal Air Marshals (FAM)] is particularly ironic given the agency's treatment of whistleblower and former air marshal Robert MacLean. In 2003, MacLean blew the whistle on TSA's plans to cancel FAM coverage on flights despite the threat of an imminent Al Qaeda hijacking plot. Numerous Members of Congress raised concerns, and DHS retracted the order to cancel FAM coverage, calling it 'a mistake.' Three years later, TSA retroactively labeled the information that MacLean had disclosed as SSI and fired MacLean for his disclosure." The Committee concluded that "TSA made significant improvements to its SSI designation process following the Committee's investigation."

Challenges
In Chowdhury v. TSA, the ACLU challenged the TSA's authority to withhold SSI from civil litigants and their attorneys in a Petition for Review pending before the U.S. Second Circuit Court of Appeals in New York. The ACLU sought to establish:
 * Whether the TSA has the requisite statutory authority to withhold SSI from civil litigants and their attorneys, where TSA has determined that such disclosure would be detrimental to transportation security.
 * Whether the TSA's expert judgment to withhold SSI from civil litigants and their attorneys constitutes "actions committed to agency discretion by law"
 * Whether a TSA Final Order on SSI deprives the Plaintiff in this case of a constitutionally protected property interest without due process of law.

As of May 2005, the Second Circuit Court has yet to rule on the issue. However, the Homeland Security Appropriations Act of 2007 (Pub. L. No. 109-295), section 525(d) required: "That in civil proceedings in the United States District Courts, where a party seeking access to SSI demonstrates that the party has substantial need of relevant SSI in the preparation of the party's case and that the party is unable without undue hardship to obtain the substantial equivalent of the information by other means, the party or party's counsel shall be designated as a covered person under 49 CFR Part 1520.7 in order to have access to the SSI at issue in the case, provided that the overseeing judge enters an order that protects the SSI from unauthorized or unnecessary disclosure and specifies the terms and conditions of access ..."