Sensitive Security Information
Encyclopedia
Sensitive Security Information (SSI) is a category of sensitive but unclassified
Sensitive but unclassified
Sensitive But Unclassified is a designation of information in the United States federal government that, though unclassified, often requires strict controls over its distribution...

 information under the United States
United States
The United States of America is a federal constitutional republic comprising fifty states and a federal district...

 government's information sharing and control rules. SSI is information obtained in the conduct of security activities whose public disclosure would, in the judgement of specified government agencies, harm transportation security, be an unwarranted invasion of privacy, or reveal trade secrets or privileged or confidential information. SSI is governed by Title 49 of the Code of Federal Regulations
Code of Federal Regulations
The Code of Federal Regulations is the codification of the general and permanent rules and regulations published in the Federal Register by the executive departments and agencies of the Federal Government of the United States.The CFR is published by the Office of the Federal Register, an agency...

 (CFR), parts 15 and 1520.

SSI was created to help share transportation-related information deemed too revealing for public disclosure between Federal government agencies; State, local, tribal, and foreign governments; U.S. and foreign air carriers; and others.

SSI is not a form of classification under Executive Order 12958
Classified information in the United States
The United States government classification system is currently established under Executive Order 13526, the latest in a long series of executive orders on the topic. Issued by President Barack Obama in 2009, Executive Order 13526 replaced earlier executive orders on the topic and modified the...

 as amended; that is, it is not classified national security information in the sense of Top Secret, Secret or Confidential.

History

SSI got its start in the Air Transportation Security Act of 1974 (Pub. L. No. 93-366), which, among other things, authorized the Federal Aviation Administration
Federal Aviation Administration
The Federal Aviation Administration is the national aviation authority of the United States. An agency of the United States Department of Transportation, it has authority to regulate and oversee all aspects of civil aviation in the U.S...

 (FAA) to prohibit disclosure of information obtained whose disclosure would constitute an unwarranted invasion of personal privacy; reveal trade secrets or privileged or confidential commercial or financial information obtained from any person; or would reduce the safety of passengers — all notwithstanding the Freedom of Information Act. On June 28, 1976, FAA published a proposal to create Title 14 Code of Federal Regulations (CFR) Part 191 entitled “Withholding Security Information from Disclosure under the Air Transportation Security Act of 1974.” Part 191 created the category of sensitive but unclassified information now known as Sensitive Security Information (SSI), and described the information to be protected from disclosure, including “the security program of any airport; the security program of any air carrier; any device for the detection of any explosive or incendiary device or weapon; and, any contingency security plan.”

Less than a year after the December 21, 1988, bombing of Pan Am Flight 103
Pan Am Flight 103
Pan Am Flight 103 was Pan American World Airways' third daily scheduled transatlantic flight from London Heathrow Airport to New York's John F. Kennedy International Airport...

 over Lockerbie, Scotland, the President's Commission on Aviation Security and Terrorism recommended improvements in FAA security bulletins, leading to the creation of Security Directives and Information Circulars. In 1990, section 9121 of the Aviation Safety and Capacity Expansion Act of 1990 (Pub. L. 101-508) broadened 14 CFR Part 191 to prohibit disclosure of “any information obtained in the conduct of security or research and development activities.” The Aviation Security Improvement Act of 1990 (Pub. L. No. 101-604) required minimizing the number of people with access to information about threats, often contained in security directives (SDs) and information circulars (ICs). On March 21, 1997, FAA revised 14 CFR Part 191, and changed its title to “Protection of Sensitive Security Information.” It also strengthened the existing rule to protect SSI from unauthorized disclosure, expanded its application to air carriers, airport operators, indirect air carriers, foreign air carriers, and individuals, and specified in more detail the information protected to include SDs, ICs, and inspection, incident, and enforcement-related SSI.

Following the September 11, 2001, terrorist attacks in the United States, Congress passed the Aviation and Transportation Security Act (ATSA) (Pub. L. No. 107-71), which established the Transportation Security Administration
Transportation Security Administration
The Transportation Security Administration is an agency of the U.S. Department of Homeland Security that exercises authority over the safety and security of the traveling public in the United States....

 (TSA) under the Department of Transportation
Department of Transportation
The Department of Transportation is the most common name for a government agency in North America devoted to transportation. The largest is the United States Department of Transportation, which oversees interstate travel. All U.S. states, Canadian provinces, and many local agencies also have...

 and transferred the responsibility for civil aviation security from FAA to TSA. On February 22, 2002, FAA and TSA published 49 CFR Part 1520, which handed SSI and most other FAA aviation security duties to TSA. It also specified in more detail which information is SSI, and protected vulnerability assessments for all modes of transportation.

The Homeland Security Act of 2002 (Pub. L. No. 107-296) established the Department of Homeland Security (DHS) and transferred TSA from DOT to DHS. The Act also amended Title 49 U.S.C. §40119 to retain SSI authority for the Secretary of Transportation, and added subsection (s) to 49 U.S.C. § 114, reaffirming TSA’s authority under DHS to prescribe SSI regulations. TSA and DOT expanded the SSI regulation to incorporate maritime security measures implemented by U.S. Coast Guard regulations and clarify SSI provisions in an interim final rule (IFR) issued on May 18, 2004. The DOT SSI regulation is at 49 CFR Part 15, and the TSA SSI regulation remains at 49 CFR Part 1520.

Title 6 CFR Part 37, published January 29, 2008, requires a security plan and related vulnerability assessments that are defined as SSI and governed by 49 CFR 1520.

The Homeland Security Appropriations Act of 2006 (Pub. L. No. 109-90, codified at 6 U.S.C. § 114) required DHS to provide department-wide policies for designating, safeguarding, and marking documents as SSI, along with auditing and accountability procedures. The Act also required that DHS report to Congress the number of SSI Coordinators within DHS, and provide a list of documents designated as SSI in their entirety. It also required that DHS provide guidance that includes extensive examples of SSI to further define the categories found under 49 CFR section 1520.5(b)(1) through (16). The Act directed that such guidance serve as the primary basis and authority for protecting, sharing, and marking information as SSI.

The Homeland Security Appropriations Act of 2007 (Pub. L. No. 109-295) required DHS to revise its SSI directives and mandated timely review of SSI requests. It also contained reporting requirements, mandated expanded access to SSI in litigation, and required that all SSI over three years old, and not in current SSI categories, be released upon request unless the DHS Secretary [or designee] makes a written determination that the information must remain SSI.

The Rail Transportation Security Final Rule, published in the Federal Register on November 26, 2008, added rail-related terms and covered persons to Part 1520, including railroad carriers, rail facilities, rail hazardous materials shippers and receivers, and rail transit systems that are detailed in a new Part 1580. Although rail vulnerability assessments and threat information were already SSI under Part 1520, this rail final rule specifies that information on rail security investigations and inspections, security measures, security training materials, critical rail infrastructure assets, and research and development is also SSI.

Categories

The SSI regulation lists 16 categories of affected information, and allows the Secretary of Homeland Security and the Administrator of the Transportation Security Administration
Transportation Security Administration
The Transportation Security Administration is an agency of the U.S. Department of Homeland Security that exercises authority over the safety and security of the traveling public in the United States....

 to designate other information as SSI.

The 16 SSI categories as listed in 49 CFR §1520.5(b) are:
  1. Security programs and contingency plans.
  2. Security Directives.
  3. Information Circulars.
  4. Performance specifications.
  5. Vulnerability assessments.
  6. Security inspection or investigative information.
  7. Threat information.
  8. Security measures.
  9. Security screening information.
  10. Security training materials.
  11. Identifying information of certain transportation security personnel.
  12. Critical aviation or maritime infrastructure asset information.
  13. Systems security information.
  14. Confidential business information.
  15. Research and development.
  16. Other information. (Determined in writing by DHS or DOT; rarely used.)


For example, SSI includes airport and aircraft operator security programs; the details of various aviation, maritime or rail transportation security measures including perimeter security and access control; procedures for the screening of passengers and their baggage; the results of vulnerability assessments of any mode of transportation; the technical specifications of certain screening equipment and the objects used to test such equipment; and, training materials that could be used to penetrate or circumvent security.

The SSI regulation restricts the release of SSI to people with a "need to know" (see 49 CFR §1520.11), defined generally as those who need the information to do their jobs in transportation security, for example: DHS and TSA officials, airport operators, airline personnel, railroad carriers, rail hazardous materials shippers and receivers, vessel and maritime port owners and operators, and others as noted in 49 CFR §1520.7. SSI cannot be given to the public, and is exempt from disclosure under the Freedom of Information Act
Freedom of Information Act (United States)
The Freedom of Information Act is a federal freedom of information law that allows for the full or partial disclosure of previously unreleased information and documents controlled by the United States government. The Act defines agency records subject to disclosure, outlines mandatory disclosure...

.

An agency Final Order on SSI can only be challenged in the United States court of appeals
United States court of appeals
The United States courts of appeals are the intermediate appellate courts of the United States federal court system...

.

2006 GAO report

A June 2005 report from the U.S. Government Accountability Office
Government Accountability Office
The Government Accountability Office is the audit, evaluation, and investigative arm of the United States Congress. It is located in the legislative branch of the United States government.-History:...

 (GAO) titled "Clear Policies and Oversight Needed for Designation of Sensitive Security Information (SSI)," criticized TSA's monitoring controls, saying, "TSA has not established and documented policies and internal control procedures for monitoring compliance with the regulations, policies, and procedures governing its SSI designation process, including ongoing monitoring of the process."

The GAO report cited an October 14, 2004, TSA memo that said the agency’s Internal Security Policy Board recognized that handling and identifying SSI had become a problem:
However, in a November 30, 2007, report to Congress entitled Transportation Security Administration’s Processes for Designating and Releasing Sensitive Security Information, GAO said: "DHS, primarily through TSA’s SSI Office, has addressed all of the legislative mandates from the DHS Appropriations Act, 2007, and taken actions to satisfy all of the recommendations from our June 2005 report. DHS revised its MD (i.e., Management Directive) to address the need for updating SSI guidance, and TSA has established more extensive SSI criteria and examples that respond to requirements in the DHS Appropriations Act, 2007, and our 2005 recommendation that TSA establish guidance and procedures for using TSA regulations to determine what constitutes SSI. Further, TSA has documented the criteria and examples in various publications to serve as guidance for identifying and designating SSI. TSA has also shared its documentation of the criteria and examples with other DHS agencies."

On July 28, 2008, GAO went even further, telling Congress: "The Transportation Security Administration’s (TSA) program on managing information it designates as sensitive security information could serve as a model to guide other agencies’ implementation of CUI."

Legislation to curb secrecy contracts

During the 1980s, Congress and the White House clashed over nondisclosure agreements that said employees could be penalized for disclosing "classifiable" (rather than classified) information. The primary argument against was that a whistleblower could be retaliated against by a management decision to simply retroactive decide that they disclosed classified information - though it was not classified when the disclosure took place. Ironically, the decision to mark the information as sensitive would take place only after a disclosure. Furthermore, this would hold employees who disclosed to a higher standard than the person responsible for marking information that should be marked classified. Ultimately, the "classifiable" aspect of the government nondisclosure policies was dropped.

However, the same situation has reared its head in the former TSA Federal Air Marshal Robert MacLean
Robert MacLean
On August 25, 2011, the United States Office of Special Counsel declared former TSA Federal Air Marshal Robert MacLean a whistleblower. On July 28, 2003, MacLean made a disclosure exposing the Transportation Security Administration's cost-cutting plan that would have violated federal law 49 USC...

 vs. Department of Homeland Security national security whistleblower termination case, which revolves around the TSA's retroactive decision to label a disclosure from MacLean as "Sensitive Security Information," three years after he made his disclosure and four months after terminating him. MacLean argues that his disclosure was protected by the Whistleblower Protection Act
Whistleblower Protection Act
-Whistleblower Protection Act of 1989:The Whistleblower Protection Act of 1989 is a United States federal law that protects federal whistleblowers who work for the government and report agency misconduct...

, the TSA counters that SSI disclosures are not protected because violations of executive agency regulations are equal to a "violation of law."

According to this 1988 House report.
"The Administration's most recent attempt to define 'classifiable' holds employees liable for disclosers of unclassified information, without any prior notice to them of its special status. Under Executive Order 12356, classified information is marked as such. Sec. 1.5. Even information that is in the process of a classification determination is given an interim classification marking for a 30-day period. Executive Order 12356, Sections 1.1(c), 1.(e). The employee is, therefore, aware of its special status. Without the classification markings on unclassified information, however, an employee cannot be sure that the nondisclosure agreements' restrictions apply to that material. Consequently, they must check with their supervisors, thereby alerting them to the disclosure. That invites a chilling effect. As then Congresswoman (now U.S. Senator) Barbara Boxer
Barbara Boxer
Barbara Levy Boxer is the junior United States Senator from California . A member of the Democratic Party, she previously served in the U.S. House of Representatives ....

 noted at the hearings:

It should be noted once again, however, that sensitive security information is governed by published regulations. If properly marked as SSI, a document clearly warns an employee to follow regulatory requirements and implementation guidance regarding disclosure.

Obama administration

John Podesta
John Podesta
John David Podesta was the fourth and final White House Chief of Staff under President Bill Clinton, from 1998 until 2001. He is the president of the Center for American Progress, a liberal think tank in Washington, D.C., and is also a Visiting Professor of Law at the Georgetown University Law...

, chief of the Presidential transition of Barack Obama
Presidential transition of Barack Obama
The presidential transition of Barack Obama began when he won the United States presidential election on November 4, 2008, and became the President-Elect. He was formally elected by the Electoral College on December 15, 2008...

 team, told U.S. lawmakers on September 16, 2008, that over the previous seven years, "the Bush administration has increased secrecy and curtailed access to information through a variety of means," including:
  • An explosion in the use of "controlled unclassified" markings, most of which have never been authorized by statute, to restrict access to unclassified information.
  • Threatening journalists, whistleblowers, and other private citizens with criminal prosecution for the possession or publication of national security information; and the issuance of secret orders and legal opinions to shield illegal actions from public scrutiny.

Challenges

In Chowdhury v. TSA, the ACLU challenged the TSA's authority to withhold SSI from civil litigants and their attorneys in a Petition for Review pending before the U.S. Second Circuit Court of Appeals in New York. The ACLU sought to establish:
  • Whether the TSA has the requisite statutory authority to withhold SSI from civil litigants and their attorneys, where TSA has determined that such disclosure would be detrimental to transportation security.
  • Whether the TSA's expert judgment to withhold SSI from civil litigants and their attorneys constitutes "actions committed to agency discretion by law"
  • Whether a TSA Final Order on SSI deprives the Plaintiff in this case of a constitutionally protected property interest without due process of law.


As of May 2005, the Second Circuit Court has yet to rule on the issue. However, the Homeland Security Appropriations Act of 2007 (Pub. L. No. 109-295), section 525(d) required: "That in civil proceedings in the United States District Courts, where a party seeking access to SSI demonstrates that the party has substantial need of relevant SSI in the preparation of the party’s case and that the party is unable without undue hardship to obtain the substantial equivalent of the information by other means, the party or party’s counsel shall be designated as a covered person under 49 CFR Part 1520.7 in order to have access to the SSI at issue in the case, provided that the overseeing judge enters an order that protects the SSI from unauthorized or unnecessary disclosure and specifies the terms and conditions of access..."
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 
x
OK