Sensitive Security Information - Transportation Security Administration

SSI Session for GAO Personnel 

U.S. Department of Homeland Security 

Transportation Security Administration 

Sensitive Security Information Program 

Presents: 

SSI Training for 

Surface Transportation 

Stakeholders 

Sensitive Security Information Branch 

Know It… Mark It… Share It… Lock It… Shred It… 1 

SENSITIVE SECURITY INFORMATION TRAINING 1


Defining Surface 

Transportation Stakeholders 

For the purposes of this training, the SSI Program is 

defining surface transportation stakeholders as non-aviation, 

non-maritime and non-rail transportation entities. This 

includes both public (state or local government) and private 

sector entities. 

Examples (not all inclusive): 

● 

● 

● 

● 

Mass transit (bus service only) 

Intercity and commuter bus service 

Highway (motor carriers, bridges, tunnels, etc.) 

Pipelines (oil and gas) 



SENSITIVE SECURITY INFORMATION BRIEFING 2


Objectives 

By the end of this training, you will be able to: 

● 

● 

● 

Explain the difference between Classified National 

Security Information and Sensitive Security Information 

(SSI) 

Discuss highlights from the SSI Federal 

Regulation (49 CFR Part 1520) that apply to 

Surface Transportation Stakeholders 

Safely share and protect SSI in accordance 

with requirements in the Federal Regulation 

and “Best Practices” 





Brief History of SSI 

SSI was not developed post-9/11 

Created in response to hijackings during the early 

1970s 

The Air Transportation Security Act of 1974: 

● 

● 

Required the FAA to establish a regulation 

for sharing SSI with airlines and airports 

The FAA published the first regulation 

regarding SSI in the Federal Register in 

1976 

After 9/11, SSI expanded to apply to all 

modes of transportation 





Classified Information 

vs. 

Sensitive Security Information 

(SSI) 





Categories of Information 

All information held by the government 

falls into two categories: 

• Classified National Security Information 

(a.k.a. Classified Information) 

(Confidential, Secret, Top Secret) 

or 

• Unclassified 

(SSI, For Official Use Only (FOUO), Public, etc.) 





Classified Information 

Information of which 

“unauthorized disclosure could 

reasonably be expected to cause 

identifiable or describable damage 

to the national security”* 

Example: 

A U.S. Special Operations Team conducts a raid, driven by 

intelligence, on an al-Qa'ida compound on the Afghanistan 

border. The identity of the “source” of data and the 

information he provided would both be classified. 

* Source: Executive Order 13526, Dec 09 





Unclassified Information Falls 

into Two Categories 

● Sensitive But Unclassified (SBU) 

A broad category that includes information protected by 

Federal Regulation such as SSI and information protected by 

agency or government policy such as For Official Use Only 

(FOUO) 

● Public Information 

All other information 





Sensitive Security Information 

Information obtained or developed which, if 

released publicly, would be detrimental to 

transportation security. 

Examples: 

● 

● 

Security Plan created by Tri-County 

Metropolitan Transportation District 

of Oregon (TriMET) 

Vulnerability assessment of 

pipelines issued by DOT 





For Official Use Only (FOUO) 

Information not protected by regulation that could 

adversely affect a Federal program if publicly released 

without authorization.* 

Example: 

Federal building security plans 

* Source: DHS Management Directive 11042.1 





Law Enforcement Sensitive (LES) 

Documents marked LES are intended for official 

use only. No portion of the document should be: 

● 

● 

Released to the media or the general public 

Posted to or sent via non-secure Internet servers 

Release of LES material could adversely affect or 

jeopardize investigative activities.* 

Example: 

FBI Intelligence Bulletins 

* Source: FBI’s website 





What are the differences? 

FOUO, LES, and SSI are all categories of 

Sensitive But Unclassified information, but: 

● SSI is based on U.S. law and protected by a Federal 

regulation; FOUO and LES are not 

● SSI protects information related to transportation 

security; FOUO and LES have no subject matter 

limitations 

● Unauthorized SSI disclosure may result in a civil 

penalty; FOUO and LES breaches cannot 




What Are the 

SSI 

Differences? 

Session for GAO Personnel 

(cont.) 

● In litigation, SSI has stronger protection from 

court-ordered production requests than LES and FOUO 

● SSI is protected from public release under a Freedom of 

Information Act (FOIA) request; FOUO or LES may be either 

protected or released under FOIA 

● SSI is always SSI regardless of who holds the information – in 

other words, JFK’s security program is always SSI whether 

held by TSA or the Port Authority of New York and New 

Jersey 

● Documents that contain SSI must be marked as SSI – not as 

FOUO or LES – when information is pulled from reports 

marked LES, FOUO, and SSI, the new report must be marked 

as SSI. 





What is PCII? 

After 9/11, the Government looked beyond aviation 

to other sectors that may be vulnerable to a terrorist 

attack. As part of Critical Infrastructure Information Act of 

2002, the Protected Critical Infrastructure Information 

(PCII) Program was created. 

PCII protections allow both private and public entities to 

submit information to the Federal government without that 

information being eligible for public release. 

For more information about PCII, please visit: 

http://www.dhs.gov/files/programs/editorial_0404.shtm 





Controlled Unclassified 

Information (CUI) 

The President signed an Executive 

Order on Controlled Unclassified 

Information (CUI) on November 4 th 

● SSI and PCII will become be a category of CUI. SSI will 

continue to exist and function in the same manner as it 

does today 

● DHS shall not implement CUI until such time as 

appropriate policies have been developed and training 

provided to DHS employees 





Focus on SSI Regulation 





16 SSI Categories 

In order for information to be SSI, the information 

must be related to transportation security, its release 

must be detrimental, and it must fall under the one 

of the 16 categories of SSI defined by 

the Federal Regulation (49 CFR Part 

1520.5(b)). 

This training will focus on the four 

categories that apply to Surface 

Transportation Stakeholders. 





Four SSI Categories 

(1) Security programs and contingency plans – 

Any security program or security contingency 

plan issued, established, required, or approved by 

DOT or DHS. 

Examples of documents protected under this category: 

● Security plan for a commuter bus 

service 

● Security plan for a company that runs 

pipelines 





Four SSI Categories (cont) 

(5) Vulnerability assessments – Reviews, audits, 

or other examinations of the security of a 

transportation system or asset to determine its 

vulnerabilities, including any countermeasures 

conducted, directed, or held by DOT or DHS 

Examples of information protected under this category: 

● Grant proposals sent to DHS that outline the vulnerabilities 

of a pipeline located near a seaport 

● Vulnerability assessment conducted by a metropolitan 

transit authority on its bridges 






(7) Threat information – Any information held 

by the Federal government concerning threats 

against transportation or transportation systems, 

and sources and methods used to gather or develop 

threat information, including threats against 

information technology 

Examples of documents protected under this category: 

Documents issued by the TSA Office of Intelligence 

that are marked as SSI and provide specific threat 

information regarding mass transit 






(16) Other Information – Any information 

not otherwise described in this section 

that TSA or the Secretary of DOT 

determines is SSI 

Explanation of this category: 

On a case-by-case basis, DOT or TSA may make a 

written determination that certain information should be 

protected as SSI under (16) 





Common Surface Transportation 

Stakeholders SSI Documents* 

● Security Plans by mass transit agencies, bus 

companies, pipelines, etc. 

● Vulnerability Assessments conducted by 

transportation asset seeking grants from the Federal 

government 

● Documents produced by TSA Office of Intelligence 

related to threats to surface transportation that are 

specifically marked as SSI 

* List not all inclusive 





Safety Information is NOT SSI* 

● 

● 

● 

● 

● 

Fire Evacuation Plans are not SSI 

Instructions on how to shut down a 

pipeline in an emergency are not SSI 

Construction plans are not SSI 

Training materials for employees on 

safety measures are not SSI 

Safety inspections of infrastructure 

are not SSI 

* List not all inclusive 





Covered Persons 

According to the SSI Federal Regulation, 

covered persons may access SSI. This includes airport 

and airline officials, maritime operators, surface 

transportation stakeholders, Federal employees, vendors, 

contractors, and grantees, among others. 





Persons with a 

“Need To Know” 

Covered persons have a need to know SSI if 

access to information is necessary for the performance 

of official duties. DHS or DOT may limit access to 

specific SSI to certain employees or covered persons. 

Example: 

A screening equipment vendor does not need to know 

which flights Federal Air Marshals are flying on. 





Media Requests for SSI 

Under the SSI regulation, 

members of the news media 

are not covered persons and do 

not have a “need to know” 

SSI. 

Requests for SSI from the 

media should be forwarded to 

TSA Public Affairs (571-227- 

2829) for review. 





Proper Marking and 

Handling of SSI 





SSI – Protective Marking 

Any person who creates a 

record containing SSI 

must include an SSI 

header and footer. 

Even if there is only one 

sentence containing SSI 

in a 50-page document, 

every page must have an 

SSI header and footer. 





Storing SSI: Lock it Up!!!! 

When not actually working with an SSI record 

(lunch break, end of the day, etc.), store the SSI 

record in a locked desk drawer or in a locked 

room to prevent unauthorized access by persons 

who do not have a “need to know.” 

ALL RECIPIENTS OF SSI ARE MANDATED TO LOCK IT UP!!! 





“Best Practices” for Non-DHS 

Employees in Protecting SSI 





Best Practices for Non-DHS 

Employees 

Other than locking SSI in a locked drawer or cabinet, 

which is a requirement, DHS stakeholders and other 

covered parties are mandated under the SSI 

regulation to take “reasonable steps” to prevent 

unauthorized disclosure of SSI. 

The next set of slides describes “Best Practices” 

stakeholders may use in handling and 

protecting SSI. 

These “Best Practices” are based on policies 

and procedures developed for DHS personnel 

to protect SSI. 





Best Practices: 

SSI Transmission in E-Mail 

SSI information transmitted by e-mail should be in a 

separate password-protected record, and not in the body of 

an e-mail. Passwords should be sent separately, and should: 

● 

● 

● 

● 

Be at least eight characters in length 

Have at least one letter capitalized 

Contain at least one number and 

one special character 

Not be a word in the dictionary 






Web Posting SSI 

TSA does NOT post 

SSI on its public 

website (i.e., Internet) 

or on the agency-wide 

intranet portal that all 

TSA employees and 

contractors can access. 






Mailing SSI 

● 

● 

SSI should be mailed by U.S. 

First Class mail or other 

traceable delivery service using 

an opaque envelope or wrapping. 

The outside wrapping (i.e., box 

or envelope) should not be 

marked as SSI. 

Interoffice mail should be sent using an unmarked, 

opaque, sealed envelope so that the SSI cannot be read 

through the envelope. 






Storing SSI on CDs 

SSI documents saved on compact 

discs (CDs) should be password 

protected. 

The CD’s outside jacket should be 

marked with a label that contains the 

SSI footer. 

CDs should be protected same as 

documents (i.e., store the CD in a 

locked drawer). 





Best Practices: Storing SSI on 

Flash (Thumb) Drives 

Personnel should use only encrypted thumb drives or 

password-protect documents that contain SSI. 

Portable drives are convenient, small, and can store a 

large volume of information. They are also easily lost 

or misplaced. 

Be careful about: what information is 

placed on these devices; how they are 

stored; and who is walking out the door 

with them. 






Taking SSI Records out of the Office 

It is not recommended! 

However, if taking SSI out of the 

office is necessary, employees 

should have the permission of the 

supervisor and should ensure that 

SSI is locked away at night to 

prevent unauthorized access of 

persons who do not have a “need to 

know.” 






Processing 

electronic SSI 

records at home 

According to TSA’s Information Technology (IT) 

Security Policy, TSA requires that only TSA-approved 

computers may be used to process or store SSI. 

This means that the use of personal or home computers 

to process or store SSI records is prohibited for TSA 

employees. 





Destruction of SSI 





What Does the SSI 

Regulation Say? 

“A covered person must destroy SSI completely 

to preclude recognition or reconstruction of the 

information when the covered person no longer needs 

the SSI to carry out transportation security measures.”* 

In other words, throwing SSI in any garbage can is not 

acceptable under the SSI Federal Regulation! 

* 49 CFR Part 1520.19(b)(1) 






Destruction of SSI 

The most common 

methods used to destroy 

SSI material include: 

● 

● 

● 

Cross-cut shredders 

Contract with a shredding 

company 

Cutting or tearing into pieces that 

are no longer than ½ inch on a 

side 





Summary 





You are Responsible for SSI! 

Everyone is responsible for properly marking, handling, 

protecting, storing, and destroying SSI. 





Discussing SSI in Public Areas 

is Not Recommended!! 

Personnel must be very careful when discussing 

SSI in public areas. 

You never know who is listening 

and not everyone has a “need to 

know” the information. 

Remember: Terrorists do not care how they receive SSI 

as long as they get the information they need to plan an 

attack. 






DO’s – SSI Handling 

Do – Lock up material containing SSI 

Do – Turn off or lock down your computer (pressing the 

Windows Key and L at the same time) whenever you 

walk away from it 

Do – Be conscious of surroundings when discussing SSI; 

remember not everyone has a “need to know” SSI 






DON’T’s – SSI Handling 

Don’t… Leave SSI unattended 

Don’t… Discuss SSI with individuals 

who do not have a “need to 

know” 

Don’t… Put SSI in the body of an e-mail 

Don’t… Throw SSI away in any garbage can or 

recycling bin 





Consequences of Unauthorized 

Disclosure of SSI 

● 

● 

Lost lives – terrorists could use the 

information to plan an attack 

Lost jobs – for Federal employees, 

appropriate personnel action may be 

a letter of reprimand, suspension, or 

even dismissal, depending on the 

circumstances 

● 

Lost money – the government can 

impose a $10,000 civil penalty per 

offense on stakeholders 





Information on SSI available at 

www.tsa.gov/SSI 





Safely Sharing Information 

SSI Program 

Office of Security Services and Assessments 

Office of Law Enforcement/ 

Federal Air Marshal Service 

Transportation Security Administration 

601 S. 12th Street, East Tower 

Arlington, VA 20598-6031 

E-Mail: SSI@dhs.gov 

Phone: 571-227-3513 

Fax: 571-227-2945

Sensitive Security Information - Transportation Security Administration

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?