This article needs additional citations for verification .(July 2023) |
Sensitive security information (SSI) is a category of United States sensitive but unclassified information obtained or developed in the conduct of security activities, the public disclosure of which would constitute an unwarranted invasion of privacy, reveal trade secrets or privileged or confidential information, or be detrimental to the security of transportation. It is not a form of classification under Executive Order 12958 as amended. SSI is not a security classification for national security information (eg. Top Secret, Secret). The safeguarding and sharing of SSI is governed by Title 49 Code of Federal Regulations (CFR) parts 15 and 1520. This designation is assigned to information to limit the exposure of the information to only those individuals that "need to know" in order to participate in or oversee the protection of the nation's transportation system. Those with a need to know can include persons outside of TSA, such as airport operators, aircraft operators, railroad carriers, rail hazardous materials shippers and receivers, vessel and maritime port owners and operators, foreign vessel owners, and other persons. [1]
SSI was created to help share transportation-related information deemed too revealing for public disclosure between Federal government agencies; State, local, tribal, and foreign governments; U.S. and foreign air carriers; and others.
Information designated as SSI cannot be shared with the general public, and it is exempt from disclosure under the Freedom of Information Act (FOIA). [2]
SSI got its start in the Air Transportation Security Act of 1974 (Pub. L. No. 93-366), which, among other things, authorized the Federal Aviation Administration (FAA) to prohibit disclosure of information obtained whose disclosure would constitute an unwarranted invasion of personal privacy; reveal trade secrets or privileged or confidential commercial or financial information obtained from any person; or would reduce the safety of passengers — all notwithstanding the Freedom of Information Act. On June 28, 1976, FAA published a proposal to create Title 14 Code of Federal Regulations (CFR) Part 191 entitled "Withholding Security Information from Disclosure under the Air Transportation Security Act of 1974." Part 191 created the category of sensitive but unclassified information now known as Sensitive Security Information (SSI), and described the information to be protected from disclosure, including "the security program of any airport; the security program of any air carrier; any device for the detection of any explosive or incendiary device or weapon; and, any contingency security plan."
Less than a year after the December 21, 1988, bombing of Pan Am Flight 103 over Lockerbie, Scotland, the President's Commission on Aviation Security and Terrorism recommended improvements in FAA security bulletins, leading to the creation of Security Directives and Information Circulars. In 1990, section 9121 of the Aviation Safety and Capacity Expansion Act of 1990 (Pub. L. 101–508) broadened 14 CFR Part 191 to prohibit disclosure of "any information obtained in the conduct of security or research and development activities." The Aviation Security Improvement Act of 1990 (Pub. L. No. 101-604) required minimizing the number of people with access to information about threats, often contained in security directives (SDs) and information circulars (ICs). On March 21, 1997, FAA revised 14 CFR Part 191, and changed its title to "Protection of Sensitive Security Information." It also strengthened the existing rule to protect SSI from unauthorized disclosure, expanded its application to air carriers, airport operators, indirect air carriers, foreign air carriers, and individuals, and specified in more detail the information protected to include SDs, ICs, and inspection, incident, and enforcement-related SSI.
Following the September 11, 2001 terrorist attacks in the United States, Congress passed the Aviation and Transportation Security Act (Pub. L. No. 107-71) known as ATSA, which established the DOT Transportation Security Administration (TSA). The Act also transferred the responsibility for civil aviation security from FAA to TSA. On February 22, 2002, FAA and TSA published a joint final rule transferring the bulk of FAA's aviation security rules, including FAA's SSI regulation to TSA as 49 CFR Part 1520. It also specified in more detail which information is SSI, and protected vulnerability assessments for all modes of transportation. The Homeland Security Act of 2002 (Pub. L. No. 107-296) established the Department of Homeland Security (DHS) and transferred TSA from DOT to DHS. The Act also amended Title 49 U.S.C. §40119 to retain SSI authority for the Secretary of Transportation, and added subsection (s) to 49 U.S.C. § 114, reaffirming TSA's authority under DHS to prescribe SSI regulations. TSA and DOT expanded the SSI regulation to incorporate maritime security measures implemented by U.S. Coast Guard regulations and clarify preexisting SSI provisions in an interim final rule (IFR) issued on May 18, 2004. The DOT SSI regulation is at 49 CFR Part 15, and the TSA SSI regulation remains at 49 CFR Part 1520.
The REAL ID Act of 2005 Act of 2005 (Pub. L. No. 109–13) required DHS to establish standards for driver's licenses that Federal agencies could accept for official identification purposes, including "boarding federally regulated commercial aircraft." Title 6 CFR Part 37 was published January 29, 2008, and requires a security plan and related vulnerability assessments that are defined as SSI and governed by 49 CFR 1520.
The Homeland Security Appropriations Act of 2006 (Pub. L. No. 109-90, codified at 6 U.S.C. § 114) required DHS to provide department-wide policies for designating, safeguarding, and marking documents as SSI, along with auditing and accountability procedures. The Act also required that DHS report to Congress the number of SSI Coordinators within DHS, and provide a list of documents designated as SSI in their entirety. It also required that DHS provide guidance that includes extensive examples of SSI to further define the individual categories found under 49 CFR section 1520.5(b)(1) through (16). The Act directed that such guidance serve as the primary basis and authority for protecting, sharing, and marking information as SSI.
The Homeland Security Appropriations Act of 2007 (Pub. L. No. 109-295) required DHS to revise its SSI directives and mandated timely review of SSI requests. It also contained reporting requirements, mandated expanded access to SSI in litigation, and required that all SSI over three years old, and not in current SSI categories, be released upon request unless the DHS Secretary [or designee] makes a written determination that the information must remain SSI.
The Rail Transportation Security Final Rule, published in the Federal Register on November 26, 2008, adds rail-related terms and covered persons to Part 1520, including railroad carriers, rail facilities, rail hazardous materials shippers and receivers, and rail transit systems that are detailed in a new Part 1580. Although rail vulnerability assessments and threat information were already SSI under Part 1520, this rail final rule specifies that information on rail security investigations and inspections, security measures, security training materials, critical rail infrastructure assets, and research and development is also SSI.
The SSI regulation lists 16 categories of affected information, and allows the Secretary of Homeland Security and the Administrator of the Transportation Security Administration to designate other information as SSI. [3]
The 16 SSI categories as listed in 49 CFR §1520.5(b) are:
For example, SSI includes airport and aircraft operator security programs; the details of various aviation, maritime or rail transportation security measures including perimeter security and access control; procedures for the screening of passengers and their baggage; the results of vulnerability assessments of any mode of transportation; the technical specifications of certain screening equipment and the objects used to test such equipment; and, training materials that could be used to penetrate or circumvent security.
The SSI regulation restricts the release of SSI to people with a "need to know" (see 49 CFR §1520.11), defined generally as those who need the information to do their jobs in transportation security, for example: DHS and TSA officials, airport operators, airline personnel, railroad carriers, rail hazardous materials shippers and receivers, vessel and maritime port owners and operators, and others as noted in 49 CFR §1520.7. SSI cannot be given to the public, and is exempt from disclosure under the Freedom of Information Act.
Information receiving SSI designation includes but is not limited to:
A June 2005 report from the U.S. Government Accountability Office (GAO) titled "Clear Policies and Oversight Needed for Designation of Sensitive Security Information (SSI)," criticized TSA's monitoring controls, saying, "TSA has not established and documented policies and internal control procedures for monitoring compliance with the regulations, policies, and procedures governing its SSI designation process, including ongoing monitoring of the process." [3]
The GAO report cited an October 14, 2004, TSA memo that said the agency's Internal Security Policy Board recognized that handling and identifying SSI had become a problem:
Lacking a central policy program office for SSI has led to confusion and unnecessary classification of some materials as SSI. Adherence to handling requirements within TSA has been inconsistent, and there have been instances where SSI has been mishandled outside of TSA. Identification of SSI has often appeared to be ad-hoc, marked by confusion and disagreement depending on the viewpoint, experience, and training of the identifier. Strictures on the release of SSI and other SSI policy or handling–related problems have occasionally frustrated industry stakeholders, Congress, the media, and our own employees trying to work within the confines of the restrictions. Significant time and effort has been devoted to SSI issues, and it is not likely that the current approach to addressing such issues can be sustained. [3]
However, in a November 30, 2007, report to Congress entitled Transportation Security Administration's Processes for Designating and Releasing Sensitive Security Information, GAO said: "DHS, primarily through TSA's SSI Office, has addressed all of the legislative mandates from the DHS Appropriations Act, 2007, and taken actions to satisfy all of the recommendations from our June 2005 report. DHS revised its MD (i.e., Management Directive) to address the need for updating SSI guidance, and TSA has established more extensive SSI criteria and examples that respond to requirements in the DHS Appropriations Act, 2007, and our 2005 recommendation that TSA establish guidance and procedures for using TSA regulations to determine what constitutes SSI. Further, TSA has documented the criteria and examples in various publications to serve as guidance for identifying and designating SSI. TSA has also shared its documentation of the criteria and examples with other DHS agencies."
On July 28, 2008, GAO went even further, telling Congress: "The Transportation Security Administration's (TSA) program on managing information it designates as sensitive security information could serve as a model to guide other agencies' implementation of CUI."
During the 1980s, Congress and the White House clashed over nondisclosure agreements that said employees could be penalized for disclosing "classifiable" (rather than classified) information. The primary argument against was that a whistleblower could be retaliated against by a management decision to simply retroactively decide that they disclosed classified information - though it was not classified when the disclosure took place. The decision to mark the information as sensitive would have taken place only after a disclosure. Furthermore, this would have held employees who disclosed to a higher standard than the person responsible for marking information that should be marked classified. Ultimately, the "classifiable" aspect of the government nondisclosure policies was dropped.
However, the same situation has reared its head in the former TSA Federal Air Marshal Robert MacLean v. Department of Homeland Security national security whistleblower termination case, which revolves around the TSA's retroactive decision to label a disclosure from MacLean as "Sensitive Security Information," three years after he made his disclosure and four months after terminating him. MacLean argues that his disclosure was protected by the Whistleblower Protection Act; the TSA counters that SSI disclosures are not protected because violations of executive agency regulations are equal to a "violation of law." [4]
According to this 1988 House report. [5] "The Administration's most recent attempt to define 'classifiable' holds employees liable for disclosers of unclassified information, without any prior notice to them of its special status. Under Executive Order 12356, classified information is marked as such. Sec. 1.5. Even information that is in the process of a classification determination is given an interim classification marking for a 30-day period. Executive Order 12356, Sections 1.1(c), 1.(e). The employee is, therefore, aware of its special status. Without the classification markings on unclassified information, however, an employee cannot be sure that the nondisclosure agreements' restrictions apply to that material. Consequently, they must check with their supervisors, thereby alerting them to the disclosure. That invites a chilling effect. As then Congresswoman (now U.S. Senator) Barbara Boxer noted at the hearings:
I am concerned this will force would-be whistleblowers to have to ask their superiors about classification determinations. This would act to stop the whistleblower.
It should be noted once again, however, that sensitive security information is governed by published regulations. If properly marked as SSI, a document clearly warns an employee to follow regulatory requirements and implementation guidance regarding disclosure.
In September 2004, two members of the House Appropriations Committee requested that auditors review how the Homeland Security Department is using its authority to withhold transportation security information from the public. The concern is that material needs to be protected, but the public also needs to be advised of information that affects their safety and security.
Some examples in question were:
It was determined that the TSA's application of the SSI regulations has resulted in some disputes over airport security procedures, employee accountability, passenger screening, and airport secrecy agreements. Some believe that too much information has been withheld from the public regarding some of these circumstances. [6]
The resulting opinion was that sensitive material needs to be protected, but the public also needs to be informed of information that affects safety and security. "Although the release of certain sensitive information could put the nation's citizens and infrastructure at risk, the federal government should be mindful of the public's legitimate interest in, and right to know, information related to threats to the transportation system and associated vulnerabilities. Accordingly, access to this information should only be limited when it is necessary to guard against those who pose a threat and their ability to develop techniques to subvert security measures." [7]
John Podesta, chief of the Presidential transition of Barack Obama team, told U.S. lawmakers on September 16, 2008, that over the previous seven years, "the Bush administration has increased secrecy and curtailed access to information through a variety of means," including:
On May 29, 2014, United States House Committee on Oversight and Government Reform Republican Chairman Darrell Issa and Democrat Ranking Member Elijah Cummings issued a highly critical report [9] about SSI. It cited these findings: "TSA improperly designated certain information as SSI in order to avoid its public release. TSA repeatedly released information to the public against the advice of the SSI office and without having produced suitable documentation to explain the decision. The structure and position of the SSI office within TSA has contributed to the difficulties the office has encountered in carrying out its mission. TSA has moved the office within the agency's organizational structure several times. One official stated the office moves have effectively relegated it a 'throwaway office.'"
On Page 17 of the report, it cited in detail the pending U.S. Supreme Court case, Department of Homeland Security v. MacLean: "TSA's release of information related to [Federal Air Marshals (FAM)] is particularly ironic given the agency's treatment of whistleblower and former air marshal Robert MacLean. In 2003, MacLean blew the whistle on TSA's plans to cancel FAM coverage on flights despite the threat of an imminent Al Qaeda hijacking plot. Numerous Members of Congress raised concerns, and DHS retracted the order to cancel FAM coverage, calling it 'a mistake.' [10] Three years later, TSA retroactively labeled the information that MacLean had disclosed as SSI and fired MacLean for his disclosure."
The Committee concluded that "TSA made significant improvements to its SSI designation process following the Committee's investigation."
In Chowdhury v. TSA, the ACLU challenged the TSA's authority to withhold SSI from civil litigants and their attorneys in a Petition for Review pending before the U.S. Second Circuit Court of Appeals in New York. The ACLU sought to establish:
As of May 2005, the Second Circuit Court has yet to rule on the issue. However, the Homeland Security Appropriations Act of 2007 (Pub. L. No. 109-295), section 525(d) required: "That in civil proceedings in the United States District Courts, where a party seeking access to SSI demonstrates that the party has substantial need of relevant SSI in the preparation of the party's case and that the party is unable without undue hardship to obtain the substantial equivalent of the information by other means, the party or party's counsel shall be designated as a covered person under 49 CFR Part 1520.7 in order to have access to the SSI at issue in the case, provided that the overseeing judge enters an order that protects the SSI from unauthorized or unnecessary disclosure and specifies the terms and conditions of access ..."
The Federal Aviation Administration (FAA) is a U.S. federal government agency within the U.S. Department of Transportation which regulates civil aviation in the United States and surrounding international waters. Its powers include air traffic control, certification of personnel and aircraft, setting standards for airports, and protection of U.S. assets during the launch or re-entry of commercial space vehicles. Powers over neighboring international waters were delegated to the FAA by authority of the International Civil Aviation Organization.
The United States Department of Transportation is one of the executive departments of the U.S. federal government. It is headed by the secretary of transportation, who reports directly to the president of the United States and is a member of the president's Cabinet.
The Federal Aviation Regulations (FARs) are rules prescribed by the Federal Aviation Administration (FAA) governing all aviation activities in the United States. The FARs comprise Title 14 of the Code of Federal Regulations. A wide variety of activities are regulated, such as aircraft design and maintenance, typical airline flights, pilot training activities, hot-air ballooning, lighter-than-air aircraft, human-made structure heights, obstruction lighting and marking, model rocket launches, commercial space operations, model aircraft operations, Unmanned Aircraft Systems (UAS) and kite flying. The rules are designed to promote safe aviation, protecting pilots, flight attendants, passengers and the general public from unnecessary risk.
The Computer-Assisted Passenger Prescreening System (CAPPS) is a counter-terrorism system in place in the United States air travel industry that matches passenger information with other data sources. The United States Transportation Security Administration (TSA) maintains a watchlist, pursuant to 49 USC § 114 (h)(2), of "individuals known to pose, or suspected of posing, a risk of air piracy or terrorism or a threat to airline or passenger safety." The list is used to pre-emptively identify terrorists attempting to buy airline tickets or board aircraft traveling in the United States, and to mitigate perceived threats.
The Federal Air Marshal Service (FAMS) is a United States federal law enforcement agency under the supervision of the Transportation Security Administration (TSA) of the United States Department of Homeland Security (DHS).
Transport Canada is the department within the Government of Canada responsible for developing regulations, policies and services of road, rail, marine and air transportation in Canada. It is part of the Transportation, Infrastructure and Communities (TIC) portfolio. The current Minister of Transport is Pablo Rodriguez. Transport Canada is headquartered in Ottawa, Ontario.
The Homeland Security Act (HSA) of 2002, was introduced in the aftermath of the September 11 attacks and subsequent mailings of anthrax spores. The HSA was cosponsored by 118 members of Congress. The act passed the U.S. Senate by a vote of 90–9, with one Senator not voting. It was signed into law by President George W. Bush in November 2002.
The United States Office of Special Counsel (OSC) is a permanent independent federal investigative and prosecutorial agency whose basic legislative authority comes from four federal statutes: the Civil Service Reform Act, the Whistleblower Protection Act, the Hatch Act, and the Uniformed Services Employment and Reemployment Rights Act (USERRA). OSC's primary mission is the safeguarding of the merit system in federal employment by protecting employees and applicants from prohibited personnel practices (PPPs), especially reprisal for "whistleblowing." The agency also operates a secure channel for federal whistleblower disclosures of violations of law, rule, or regulation; gross mismanagement; gross waste of funds; abuse of authority; and substantial and specific danger to public health and safety. In addition, OSC issues advice on the Hatch Act and enforces its restrictions on partisan political activity by government employees. Finally, OSC protects the civilian employment and reemployment rights of military service members under USERRA. OSC has around 140 staff, and the Special Counsel is an ex officio member of Council of Inspectors General on Integrity and Efficiency (CIGIE), an association of inspectors general charged with the regulation of good governance within the federal government.
The National Security Whistleblowers Coalition (NSWBC), founded in 2004 by former FBI translator Sibel Edmonds in league with over 50 former and current United States government officials from more than a dozen agencies, is an independent, nonpartisan alliance of whistleblowers who have come forward to address weaknesses of US security agencies.
Sensitive But Unclassified (SBU) is a designation of information in the United States federal government that, though unclassified, often requires strict controls over its distribution. SBU is a broad category of information that includes material covered by such designations as For Official Use Only (FOUO), Law Enforcement Sensitive (LES), Sensitive Homeland Security Information, Sensitive Security Information (SSI), Critical Infrastructure Information (CII), etc. It also includes Internal Revenue Service materials like individual tax records, systems information, and enforcement procedures. Some categories of SBU information have authority in statute or regulation while others, including FOUO, do not.
Secure Flight is an airline passenger pre-screening program, implemented from August 2009 by the United States Transportation Security Administration (TSA). Secure Flight matches passenger information against watch lists maintained by the federal government. The initial implementation phase of Secure Flight resulted in the complete transfer of responsibility for passenger watch list matching to TSA from aircraft operators whose flights operate within the United States. The second phase of Secure Flight will result in the transfer of responsibility for passenger watch list matching to TSA for flights into, out of, and over the United States.
A Federal Flight Deck Officer (FFDO) is a Part 121 Airline Pilot who is trained and licensed to carry weapons and defend commercial aircraft against criminal activity and terrorism. The Federal Flight Deck Officer program is run by the Federal Air Marshal Service, and an officer's jurisdiction is the flight deck or cabin of a commercial airliner or a cargo aircraft while on duty. FFDOs are federal law enforcement officers sworn and deputized by the U.S. Department of Homeland Security.
The Alien Flight Student Program or Flight Training Security Program is a program operated by the United States Transportation Security Administration to screen prospective flight student candidates who are not citizens of the United States, before they are allowed to undergo pilot training. This program was created in response to the September 11, 2001 attacks, in recognition of the fact that the individuals who piloted the hijacked aircraft first learned to fly at US flight schools.
The Whistleblower Protection Act of 1989, 5 U.S.C. 2302(b)(8)-(9), Pub.L. 101-12 as amended, is a United States federal law that protects federal whistleblowers who work for the government and report the possible existence of an activity constituting a violation of law, rules, or regulations, or mismanagement, gross waste of funds, abuse of authority or a substantial and specific danger to public health and safety. A federal agency violates the Whistleblower Protection Act if agency authorities take retaliatory personnel action against any employee or applicant because of disclosure of information by that employee or applicant.
Robert J. MacLean is a former United States Federal Air Marshal and whistleblower.
Security Identification Display Area, or SIDA, is a special security area designated by an airport operator in the US to comply with Transportation Security Administration (TSA) requirements in CFR 49 1542.205. An identification system must be used in this area. Before allowing unescorted access to this area, a person must be trained and their background investigated. Normally, the flight ramp and other sensitive operational areas of a US commercial airport are designated as a SIDA.
Controlled Unclassified Information (CUI) is a category of unclassified information within the U.S. Federal government. The CUI program was created by President Obama’s Executive Order 13556 to create a streamlined method for information sharing and safeguarding. The Information Security Oversight Office (ISOO) acts as the Executive Agent (EA) of the National Archives and Records Administration (NARA), and is responsible for oversight of the CUI program. The ISOO monitors the implementation of the CUI program by executive branch agencies. CUI will replace agency specific labels such as For Official Use Only (FOUO), Sensitive But Unclassified (SBU), and Law Enforcement Sensitive (LES) on new data and some data with legacy labels will also qualify as Controlled Unclassified Information. Federal contractors who handle CUI will be required to self-assess with the Cybersecurity Maturity Model Certification (CMMC) under the Cyber AB.
A Visible Intermodal Prevention and Response team, sometimes Visible Intermodal Protection and Response (VIPR) is a Transportation Security Administration program. Various government sources have differing descriptions of VIPR's exact mission. It is specifically authorized by
which says that the program is to "augment the security of any mode of transportation at any location within the United States". Authority for the program is under the Secretary of Homeland Security. The program falls under TSA's Office of Law Enforcement/Federal Air Marshal Service. TSA OLE/FAMS shares responsibility for the program with the Office of Security Operations and Transportation Sector Network Management.The Acquisition Management System (AMS) provides policy and guidance on lifecycle acquisition management by the United States Federal Aviation Administration (FAA). The self-stated objectives of the AMS "are to increase the quality, reduce the time, manage the risk, and minimize the cost of delivering safe and secure services to the aviation community and flying public." The AMS applies to acquisitions by the FAA in place of the Federal Acquisition Regulation (FAR) and various other provisions of Federal acquisition law.
Transportation in the United States is governed by laws and regulations of the federal government. The Department of Transportation is responsible for carrying out federal transportation policy, and the Department of Homeland Security is responsible for security in transportation.
{{cite web}}
: External link in |work=
(help){{cite web}}
: External link in |work=
(help)