Sensitive Security Information

History

SSI got its start in the Air Transportation Security Act of 1974 (Pub. L. No. 93-366), which, among other things, authorized the Federal Aviation Administration (FAA) to prohibit disclosure of information obtained whose disclosure would constitute an unwarranted invasion of personal privacy; reveal trade secrets or privileged or confidential commercial or financial information obtained from any person; or would reduce the safety of passengers — all notwithstanding the Freedom of Information Act. On June 28, 1976, FAA published a proposal to create Title 14 Code of Federal Regulations (CFR) Part 191 entitled “Withholding Security Information from Disclosure under the Air Transportation Security Act of 1974.” Part 191 created the category of sensitive but unclassified information now known as Sensitive Security Information (SSI), and described the information to be protected from disclosure, including “the security program of any airport; the security program of any air carrier; any device for the detection of any explosive or incendiary device or weapon; and, any contingency security plan.”

Less than a year after the December 21, 1988, bombing of Pan Am Flight 103 over Lockerbie, Scotland, the President's Commission on Aviation Security and Terrorism recommended improvements in FAA security bulletins, leading to the creation of Security Directives and Information Circulars. In 1990, section 9121 of the Aviation Safety and Capacity Expansion Act of 1990 (Pub. L. 101-508) broadened 14 CFR Part 191 to prohibit disclosure of “any information obtained in the conduct of security or research and development activities.” The Aviation Security Improvement Act of 1990 (Pub. L. No. 101-604) required minimizing the number of people with access to information about threats, often contained in security directives (SDs) and information circulars (ICs). On March 21, 1997, FAA revised 14 CFR Part 191, and changed its title to “Protection of Sensitive Security Information.” It also strengthened the existing rule to protect SSI from unauthorized disclosure, expanded its application to air carriers, airport operators, indirect air carriers, foreign air carriers, and individuals, and specified in more detail the information protected to include SDs, ICs, and inspection, incident, and enforcement-related SSI.

Following the September 11, 2001, terrorist attacks in the United States, Congress passed the Aviation and Transportation Security Act (ATSA) (Pub. L. No. 107-71), which established the Transportation Security Administration (TSA) under the Department of Transportation and transferred the responsibility for civil aviation security from FAA to TSA. On February 22, 2002, FAA and TSA published 49 CFR Part 1520, which handed SSI and most other FAA aviation security duties to TSA. It also specified in more detail which information is SSI, and protected vulnerability assessments for all modes of transportation.

The Homeland Security Act of 2002 (Pub. L. No. 107-296) established the Department of Homeland Security (DHS) and transferred TSA from DOT to DHS. The Act also amended Title 49 U.S.C. §40119 to retain SSI authority for the Secretary of Transportation, and added subsection (s) to 49 U.S.C. § 114, reaffirming TSA’s authority under DHS to prescribe SSI regulations. TSA and DOT expanded the SSI regulation to incorporate maritime security measures implemented by U.S. Coast Guard regulations and clarify SSI provisions in an interim final rule (IFR) issued on May 18, 2004. The DOT SSI regulation is at 49 CFR Part 15, and the TSA SSI regulation remains at 49 CFR Part 1520.

Title 6 CFR Part 37, published January 29, 2008, requires a security plan and related vulnerability assessments that are defined as SSI and governed by 49 CFR 1520.

The Homeland Security Appropriations Act of 2006 (Pub. L. No. 109-90, codified at 6 U.S.C. § 114) required DHS to provide department-wide policies for designating, safeguarding, and marking documents as SSI, along with auditing and accountability procedures. The Act also required that DHS report to Congress the number of SSI Coordinators within DHS, and provide a list of documents designated as SSI in their entirety. It also required that DHS provide guidance that includes extensive examples of SSI to further define the categories found under 49 CFR section 1520.5(b)(1) through (16). The Act directed that such guidance serve as the primary basis and authority for protecting, sharing, and marking information as SSI.

The Homeland Security Appropriations Act of 2007 (Pub. L. No. 109-295) required DHS to revise its SSI directives and mandated timely review of SSI requests. It also contained reporting requirements, mandated expanded access to SSI in litigation, and required that all SSI over three years old, and not in current SSI categories, be released upon request unless the DHS Secretary [or designee] makes a written determination that the information must remain SSI.

The Rail Transportation Security Final Rule, published in the Federal Register on November 26, 2008, added rail-related terms and covered persons to Part 1520, including railroad carriers, rail facilities, rail hazardous materials shippers and receivers, and rail transit systems that are detailed in a new Part 1580. Although rail vulnerability assessments and threat information were already SSI under Part 1520, this rail final rule specifies that information on rail security investigations and inspections, security measures, security training materials, critical rail infrastructure assets, and research and development is also SSI.

Categories

The SSI regulation lists 16 categories of affected information, and allows the Secretary of Homeland Security and the Administrator of the Transportation Security Administration to designate other information as SSI.

The 16 SSI categories as listed in 49 CFR §1520.5(b) are:

1. Security programs and contingency plans.
2. Security Directives.
3. Information Circulars.
4. Performance specifications.
5. Vulnerability assessments.
6. Security inspection or investigative information.
7. Threat information.
8. Security measures.
9. Security screening information.
10. Security training materials.
11. Identifying information of certain transportation security personnel.
12. Critical aviation or maritime infrastructure asset information.
13. Systems security information.
14. Confidential business information.
15. Research and development.
16. Other information. (Determined in writing by DHS or DOT; rarely used.)

For example, SSI includes airport and aircraft operator security programs; the details of various aviation, maritime or rail transportation security measures including perimeter security and access control; procedures for the screening of passengers and their baggage; the results of vulnerability assessments of any mode of transportation; the technical specifications of certain screening equipment and the objects used to test such equipment; and, training materials that could be used to penetrate or circumvent security.

The SSI regulation restricts the release of SSI to people with a "need to know" (see 49 CFR §1520.11), defined generally as those who need the information to do their jobs in transportation security, for example: DHS and TSA officials, airport operators, airline personnel, railroad carriers, rail hazardous materials shippers and receivers, vessel and maritime port owners and operators, and others as noted in 49 CFR §1520.7. SSI cannot be given to the public, and is exempt from disclosure under the Freedom of Information Act.

An agency Final Order on SSI can only be challenged in the United States court of appeals.

2005 U.S. Government Accountability Office report

A June 2005 report from the U.S. Government Accountability Office (GAO) titled "Clear Policies and Oversight Needed for Designation of Sensitive Security Information (SSI)," criticized TSA's monitoring controls, saying, "TSA has not established and documented policies and internal control procedures for monitoring compliance with the regulations, policies, and procedures governing its SSI designation process, including ongoing monitoring of the process."

The GAO report cited an October 14, 2004, TSA memo that said the agency’s Internal Security Policy Board recognized that handling and identifying SSI had become a problem:

However, in a November 30, 2007, report to Congress entitled Transportation Security Administration’s Processes for Designating and Releasing Sensitive Security Information, GAO said: "DHS, primarily through TSA’s SSI Office, has addressed all of the legislative mandates from the DHS Appropriations Act, 2007, and taken actions to satisfy all of the recommendations from our June 2005 report. DHS revised its MD (i.e., Management Directive) to address the need for updating SSI guidance, and TSA has established more extensive SSI criteria and examples that respond to requirements in the DHS Appropriations Act, 2007, and our 2005 recommendation that TSA establish guidance and procedures for using TSA regulations to determine what constitutes SSI. Further, TSA has documented the criteria and examples in various publications to serve as guidance for identifying and designating SSI. TSA has also shared its documentation of the criteria and examples with other DHS agencies."

On July 28, 2008, GAO went even further, telling Congress: "The Transportation Security Administration’s (TSA) program on managing information it designates as sensitive security information could serve as a model to guide other agencies’ implementation of CUI."

Legislation to curb secrecy contracts

During the 1980s, Congress and the White House clashed over nondisclosure agreements that said employees could be penalized for disclosing "classifiable" (rather than classified) information. The primary argument against was that a whistleblower could be retaliated against by a management decision to simply retroactive decide that they disclosed classified information - though it was not classified when the disclosure took place. Ironically, the decision to mark the information as sensitive would take place only after a disclosure. Furthermore, this would hold employees who disclosed to a higher standard than the person responsible for marking information that should be marked classified. Ultimately, the "classifiable" aspect of the government nondisclosure policies was dropped.

However, the same situation has reared its head in the former TSA Federal Air Marshal Robert MacLean v. Department of Homeland Security national security whistleblower termination case, which revolves around the TSA's retroactive decision to label a disclosure from MacLean as "Sensitive Security Information," three years after he made his disclosure and four months after terminating him. MacLean argues that his disclosure was protected by the Whistleblower Protection Act, the TSA counters that SSI disclosures are not protected because violations of executive agency regulations are equal to a "violation of law."

According to this 1988 House report. "The Administration's most recent attempt to define 'classifiable' holds employees liable for disclosers of unclassified information, without any prior notice to them of its special status. Under Executive Order 12356, classified information is marked as such. Sec. 1.5. Even information that is in the process of a classification determination is given an interim classification marking for a 30-day period. Executive Order 12356, Sections 1.1(c), 1.(e). The employee is, therefore, aware of its special status. Without the classification markings on unclassified information, however, an employee cannot be sure that the nondisclosure agreements' restrictions apply to that material. Consequently, they must check with their supervisors, thereby alerting them to the disclosure. That invites a chilling effect. As then Congresswoman (now U.S. Senator) Barbara Boxer noted at the hearings:

It should be noted once again, however, that sensitive security information is governed by published regulations. If properly marked as SSI, a document clearly warns an employee to follow regulatory requirements and implementation guidance regarding disclosure.

Obama administration

John Podesta, chief of the Presidential transition of Barack Obama team, told U.S. lawmakers on September 16, 2008, that over the previous seven years, "the Bush administration has increased secrecy and curtailed access to information through a variety of means," including:

2014 bipartisan congressional oversight committee report

On May 29, 2014, United States House Committee on Oversight and Government Reform Republican Chairman Darrell Issa and Democrat Ranking Member Elijah Cummings issued a highly critical report about SSI. It cited these findings: "TSA improperly designated certain information as SSI in order to avoid its public release. TSA repeatedly released information to the public against the advice of the SSI office and without having produced suitable documentation to explain the decision. The structure and position of the SSI office within TSA has contributed to the difficulties the office has encountered in carrying out its mission. TSA has moved the office within the agency’s organizational structure several times. One official stated the office moves have effectively relegated it a 'throwaway office.'"

On Page 17 of the report, it cited in detail the pending U.S. Supreme Court case, Department of Homeland Security v. MacLean: "TSA’s release of information related to [Federal Air Marshals (FAM)] is particularly ironic given the agency’s treatment of whistleblower and former air marshal Robert MacLean. In 2003, MacLean blew the whistle on TSA’s plans to cancel FAM coverage on flights despite the threat of an imminent Al Qaeda hijacking plot. Numerous Members of Congress raised concerns, and DHS retracted the order to cancel FAM coverage, calling it 'a mistake.' Three years later, TSA retroactively labeled the information that MacLean had disclosed as SSI and fired MacLean for his disclosure."

The Committee concluded that "TSA made significant improvements to its SSI designation process following the Committee’s investigation."

Challenges

In Chowdhury v. TSA, the ACLU challenged the TSA's authority to withhold SSI from civil litigants and their attorneys in a Petition for Review pending before the U.S. Second Circuit Court of Appeals in New York. The ACLU sought to establish:

As of May 2005, the Second Circuit Court has yet to rule on the issue. However, the Homeland Security Appropriations Act of 2007 (Pub. L. No. 109-295), section 525(d) required: "That in civil proceedings in the United States District Courts, where a party seeking access to SSI demonstrates that the party has substantial need of relevant SSI in the preparation of the party’s case and that the party is unable without undue hardship to obtain the substantial equivalent of the information by other means, the party or party’s counsel shall be designated as a covered person under 49 CFR Part 1520.7 in order to have access to the SSI at issue in the case, provided that the overseeing judge enters an order that protects the SSI from unauthorized or unnecessary disclosure and specifies the terms and conditions of access..."