Sensitive security information


Sensitive security information is a category of United States sensitive but unclassified information obtained or developed in the conduct of security activities, the public disclosure of which would constitute an unwarranted invasion of privacy, reveal trade secrets or privileged or confidential information, or be detrimental to the security of transportation. It is not a form of classification under Executive Order 12958 as amended. SSI is not a security classification for national security information. The safeguarding and sharing of SSI is governed by Title 49 Code of Federal Regulations parts 15 and 1520. This designation is assigned to information to limit the exposure of the information to only those individuals that "need to know" in order to participate in or oversee the protection of the nation's transportation system. Those with a need to know can include persons outside of TSA, such as airport operators, aircraft operators, railroad carriers, rail hazardous materials shippers and receivers, vessel and maritime port owners and operators, foreign vessel owners, and other persons.
SSI was created to help share transportation-related information deemed too revealing for public disclosure between Federal government agencies; State, local, tribal, and foreign governments; U.S. and foreign air carriers; and others.
Information designated as SSI cannot be shared with the general public, and it is exempt from disclosure under the Freedom of Information Act.

Background: Legislative and regulatory history

SSI got its start in the Air Transportation Security Act of 1974, which, among other things, authorized the Federal Aviation Administration to prohibit disclosure of information obtained whose disclosure would constitute an unwarranted invasion of personal privacy; reveal trade secrets or privileged or confidential commercial or financial information obtained from any person; or would reduce the safety of passengers — all notwithstanding the Freedom of Information Act. On June 28, 1976, FAA published a proposal to create Title 14 Code of Federal Regulations Part 191 entitled "Withholding Security Information from Disclosure under the Air Transportation Security Act of 1974." Part 191 created the category of sensitive but unclassified information now known as Sensitive Security Information, and described the information to be protected from disclosure, including "the security program of any airport; the security program of any air carrier; any device for the detection of any explosive or incendiary device or weapon; and, any contingency security plan."
Less than a year after the December 21, 1988, bombing of Pan Am Flight 103 over Lockerbie, Scotland, the President's Commission on Aviation Security and Terrorism recommended improvements in FAA security bulletins, leading to the creation of Security Directives and Information Circulars. In 1990, section 9121 of the Aviation Safety and Capacity Expansion Act of 1990 broadened 14 CFR Part 191 to prohibit disclosure of "any information obtained in the conduct of security or research and development activities." The Aviation Security Improvement Act of 1990 required minimizing the number of people with access to information about threats, often contained in security directives and information circulars. On March 21, 1997, FAA revised 14 CFR Part 191, and changed its title to "Protection of Sensitive Security Information." It also strengthened the existing rule to protect SSI from unauthorized disclosure, expanded its application to air carriers, airport operators, indirect air carriers, foreign air carriers, and individuals, and specified in more detail the information protected to include SDs, ICs, and inspection, incident, and enforcement-related SSI.
Following the September 11, 2001 terrorist attacks in the United States, Congress passed the Aviation and Transportation Security Act known as ATSA, which established the DOT Transportation Security Administration. The Act also transferred the responsibility for civil aviation security from FAA to TSA. On February 22, 2002, FAA and TSA published a joint final rule transferring the bulk of FAA's aviation security rules, including FAA's SSI regulation to TSA as 49 CFR Part 1520. It also specified in more detail which information is SSI, and protected vulnerability assessments for all modes of transportation. The Homeland Security Act of 2002 established the Department of Homeland Security and transferred TSA from DOT to DHS. The Act also amended Title 49 U.S.C. §40119 to retain SSI authority for the Secretary of Transportation, and added subsection to 49 U.S.C. § 114, reaffirming TSA's authority under DHS to prescribe SSI regulations. TSA and DOT expanded the SSI regulation to incorporate maritime security measures implemented by U.S. Coast Guard regulations and clarify preexisting SSI provisions in an interim final rule issued on May 18, 2004. The DOT SSI regulation is at 49 CFR Part 15, and the TSA SSI regulation remains at 49 CFR Part 1520.
The REAL ID Act of 2005 Act of 2005 required DHS to establish standards for driver's licenses that Federal agencies could accept for official identification purposes, including "boarding federally regulated commercial aircraft." Title 6 CFR Part 37 was published January 29, 2008, and requires a security plan and related vulnerability assessments that are defined as SSI and governed by 49 CFR 1520.
The Homeland Security Appropriations Act of 2006 required DHS to provide department-wide policies for designating, safeguarding, and marking documents as SSI, along with auditing and accountability procedures. The Act also required that DHS report to Congress the number of SSI Coordinators within DHS, and provide a list of documents designated as SSI in their entirety. It also required that DHS provide guidance that includes extensive examples of SSI to further define the individual categories found under 49 CFR section 1520.5 through. The Act directed that such guidance serve as the primary basis and authority for protecting, sharing, and marking information as SSI.
The Homeland Security Appropriations Act of 2007 required DHS to revise its SSI directives and mandated timely review of SSI requests. It also contained reporting requirements, mandated expanded access to SSI in litigation, and required that all SSI over three years old, and not in current SSI categories, be released upon request unless the DHS Secretary makes a written determination that the information must remain SSI.
The Rail Transportation Security Final Rule, published in the Federal Register on November 26, 2008, adds rail-related terms and covered persons to Part 1520, including railroad carriers, rail facilities, rail hazardous materials shippers and receivers, and rail transit systems that are detailed in a new Part 1580. Although rail vulnerability assessments and threat information were already SSI under Part 1520, this rail final rule specifies that information on rail security investigations and inspections, security measures, security training materials, critical rail infrastructure assets, and research and development is also SSI.

Categories

The SSI regulation lists 16 categories of affected information, and allows the Secretary of Homeland Security and the Administrator of the Transportation Security Administration to designate other information as SSI.
The 16 SSI categories as listed in 49 CFR §1520.5 are:
  1. Security programs and contingency plans.
  2. Security Directives.
  3. Information Circulars.
  4. Performance specifications.
  5. Vulnerability assessments.
  6. Security inspection or investigative information.
  7. Threat information.
  8. Security measures.
  9. Security screening information.
  10. Security training materials.
  11. Identifying information of certain transportation security personnel.
  12. Critical aviation or maritime infrastructure asset information.
  13. Systems security information.
  14. Confidential business information.
  15. Research and development.
  16. Other information.
For example, SSI includes airport and aircraft operator security programs; the details of various aviation, maritime or rail transportation security measures including perimeter security and access control; procedures for the screening of passengers and their baggage; the results of vulnerability assessments of any mode of transportation; the technical specifications of certain screening equipment and the objects used to test such equipment; and, training materials that could be used to penetrate or circumvent security.
The SSI regulation restricts the release of SSI to people with a "need to know", defined generally as those who need the information to do their jobs in transportation security, for example: DHS and TSA officials, airport operators, airline personnel, railroad carriers, rail hazardous materials shippers and receivers, vessel and maritime port owners and operators, and others as noted in 49 CFR §1520.7. SSI cannot be given to the public, and is exempt from disclosure under the Freedom of Information Act.

Determining Sensitive Security Information

Information receiving SSI designation includes but is not limited to:
  • Security programs and contingency plans regarding any aircraft operator, airport operator, or fixed-base operator security program.
  • Security contingency plans regarding any vessel, maritime facility, or port area.
  • National or area security plans.
  • Security incident response plans.
  • Security Directives issued by the TSA
  • Driver license security designs, descriptions of security features and private keys for encrypted machine-readable data contained therein.
  • Information pertaining to advanced methods of authenticating State issued driver licenses and identification cards.
  • State government Driver License & Identification Card Security Plans.
  • Methods of assessing vulnerabilities in government issued secure documents