Transportation Security Administration
Clear Policies and Oversight Needed for Designation of Sensitive Security Information
GAO ID: GAO-05-677 June 29, 2005
Concerns have arisen about whether the Transportation Security Administration (TSA) is applying the Sensitive Security Information (SSI) designation consistently and appropriately. SSI is one category of "sensitive but unclassified" information--information generally restricted from public disclosure but that is not classified. GAO determined (1) TSA's SSI designation and removal procedures, (2) TSA's internal control procedures in place to ensure that it consistently complies with laws and regulations governing the SSI process and oversight thereof, and (3) TSA's training to its staff that designate SSI.
TSA does not have guidance and procedures, beyond its SSI regulations, providing criteria for determining what constitutes SSI or who can make the designation. Such guidance is required under GAO's standards for internal controls. In addition, TSA has no policies on accounting for or tracking documents designated as SSI. As a result, TSA was unable to determine either the number of TSA employees actually designating information as SSI or the number of documents designated SSI. Further, apart from Freedom of Information Act (FOIA) requests or other requests for disclosure outside of TSA, there are no written policies and procedures or systematic reviews for determining if and when an SSI designation should be removed.
TSA also lacks adequate internal controls to provide reasonable assurance that its SSI designation process is being consistently applied across TSA. Specifically, TSA has not established and documented policies and internal control procedures for monitoring compliance with the regulations, policies, and procedures governing its SSI designation process, including ongoing monitoring of the process. TSA officials told us that its new SSI Program Office will ultimately be responsible for ensuring that staff are consistently applying SSI designations. This office, which was established in February 2005, will also develop and implement all TSA policy concerning SSI handling, training, and protection. More detailed information on how this office's activities will be operationalized was not yet available. Specifically, TSA officials provided no written policies formalizing the office's role, responsibilities, and authority.
TSA has not developed policies and procedures for providing specialized training for all of its employees making SSI designations on how information is identified and evaluated for protected status. Development of such training for SSI designations is needed to help ensure consistent implementation of the designation authority across TSA. While TSA has provided a training briefing on SSI regulations to certain staff, such as the FOIA staff, it does not have specialized training in place to instruct employees on how to consistently designate information as SSI. In addition, TSA has no written policies identifying who is responsible for ensuring that employees comply with SSI training requirements.
GAO-05-677, Transportation Security Administration: Clear Policies and Oversight Needed for Designation of Sensitive Security Information
This is the accessible text file for GAO report number GAO-05-677
entitled 'Transportation Security Administration: Clear Policies and
Oversight Needed for Designation of Sensitive Security Information'
which was released on July 29, 2005.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to Congressional Requesters:
United States Government Accountability Office:
June 2005:
Transportation Security Administration:
Clear Policies and Oversight Needed for Designation of Sensitive
Security Information:
GAO-05-677:
GAO Highlights:
Highlights of GAO-05-677, a report to congressional requesters:
Why GAO Did This Study:
Concerns have arisen about whether the Transportation Security
Administration (TSA) is applying the Sensitive Security Information
(SSI) designation consistently and appropriately. SSI is one category
of "sensitive but unclassified" information--information generally
restricted from public disclosure but that is not classified. GAO
determined (1) TSA's SSI designation and removal procedures, (2) TSA's
internal control procedures in place to ensure that it consistently
complies with laws and regulations governing the SSI process and
oversight thereof, and (3) TSA's training to its staff that designate
SSI.
What GAO Found:
TSA does not have guidance and procedures, beyond its SSI regulations,
providing criteria for determining what constitutes SSI or who can make
the designation. Such guidance is required under GAO's standards for
internal controls. In addition, TSA has no policies on accounting for
or tracking documents designated as SSI. As a result, TSA was unable to
determine either the number of TSA employees actually designating
information as SSI or the number of documents designated SSI. Further,
apart from Freedom of Information Act (FOIA) requests or other requests
for disclosure outside of TSA, there are no written policies and
procedures or systematic reviews for determining if and when an SSI
designation should be removed.
TSA also lacks adequate internal controls to provide reasonable
assurance that its SSI designation process is being consistently
applied across TSA. Specifically, TSA has not established and
documented policies and internal control procedures for monitoring
compliance with the regulations, policies, and procedures governing its
SSI designation process, including ongoing monitoring of the process.
TSA officials told us that its new SSI Program Office will ultimately
be responsible for ensuring that staff are consistently applying SSI
designations. This office, which was established in February 2005, will
also develop and implement all TSA policy concerning SSI handling,
training, and protection. More detailed information on how this
office's activities will be operationalized was not yet available.
Specifically, TSA officials provided no written policies formalizing
the office's role, responsibilities, and authority.
TSA has not developed policies and procedures for providing specialized
training for all of its employees making SSI designations on how
information is identified and evaluated for protected status.
Development of such training for SSI designations is needed to help
ensure consistent implementation of the designation authority across
TSA. While TSA has provided a training briefing on SSI regulations to
certain staff, such as the FOIA staff, it does not have specialized
training in place to instruct employees on how to consistently
designate information as SSI. In addition, TSA has no written policies
identifying who is responsible for ensuring that employees comply with
SSI training requirements.
What GAO Recommends:
GAO recommends that the Secretary of Homeland Security direct TSA to
establish clear guidance and procedures for using the TSA regulations
to determine what constitutes SSI; establish clear responsibility for
the identification and designation of SSI information; establish
internal controls monitoring compliance with its SSI regulations,
policies, and procedures, and communicate that responsibility for
implementing the controls throughout TSA; and provide specialized
training to those making SSI designations on how information is to be
identified and evaluated for SSI status. The Department of Homeland
Security generally concurred with our recommendations.
www.gao.gov/cgi-bin/getrpt?GAO-05-677.
To view the full product, including the scope and methodology, click on
the link above. For more information, contact Laurie E. Ekstrand at
(202) 512-8777 or ekstrandl@gao.gov.
Contents:
Letter:
Background:
Results:
Conclusions:
Recommendations:
Agency Comments and Our Evaluation:
Appendix I: Briefing Slides:
Appendix II: Comments from the Department of Homeland Security:
Abbreviations:
ATSA: Aviation and Transportation Security Act:
DHS: Department of Homeland Security:
DOT: Department of Transportation:
FAA: Federal Aviation Administration:
FOIA: Freedom of Information Act:
SBU: Sensitive But Unclassified:
SSI: Sensitive Security Information:
TSA: Transportation Security Administration:
United States Government Accountability Office:
Washington, DC 20548:
June 29, 2005:
The Honorable David Obey:
Ranking Minority Member:
Committee on Appropriations:
House of Representatives:
The Honorable Martin Olav Sabo:
Ranking Minority Member:
Subcommittee on Homeland Security:
Committee on Appropriations:
House of Representatives:
The security of our transportation system is of vital importance to the
nation. In line with keeping our transportation safe, some information
that is related to threats to or protection of the transportation
system must be held out of the public domain. On the other hand, the
government must always be mindful of the public's legitimate interest
in, and need to know, information related to threats to the
transportation system and associated vulnerabilities.
Sensitive Security Information (SSI) is a specific category of
information related to transportation security that is deemed to
require protection against public disclosure. Although it is not
classified national security information, SSI is a category of
sensitive but unclassified information that, along with protected
critical infrastructure information, is specifically exempted by
statute from release under the Freedom of Information Act (FOIA), and
is to be disclosed only to covered persons on a need to know
basis. While the Transportation Security Administration (TSA), through
its SSI authority, may share SSI with regulated entities, it generally
prohibits the public disclosure of information obtained or developed in
the conduct of security activities, which would constitute an
unwarranted invasion of privacy, reveal trade secrets or privileged or
confidential commercial or financial information, or be detrimental to
the security of transportation.
Questions have been raised about TSA's practices and procedures for
determining whether information should be protected as SSI. For
example, certain written responses to questions submitted by TSA to the
House Appropriations Homeland Security Subcommittee were designated as
SSI. However, 1 month earlier, the agency had not treated this same
information as sensitive. Further, in an October 2004 memorandum, TSA
itself recognized that the handling and identification of SSI had
become problematic.
In response to your request concerning TSA's handling of SSI, we are
reporting on (1) TSA's procedures for determining whether information
should be protected under the SSI designation, as well as procedures
for determining if and when the designation should be removed, (2)
internal control procedures in place to ensure that TSA consistently
complies with laws and regulations governing the designation of
information as SSI and how TSA oversees the procedures to ensure that
they are consistently applied, and (3) TSA's training to its staff who
designate SSI.
To address our objectives, we reviewed applicable federal laws and
regulations, Department of Homeland Security (DHS) and TSA policies and
procedures, and other documents related to the SSI designation, and
oversight and training processes. We also interviewed TSA and DHS
officials involved in the SSI designation, oversight and training
processes. GAO's Standards for Internal Control in the Federal
Government provided benchmarks and standards against which we assessed
TSA's SSI designation policies and procedures.[Footnote 1] Our work was
conducted from January 2005 through April 2005 in accordance with
generally accepted government auditing standards.
On April 29, 2005, we provided your offices a briefing on the results
of our work. The briefing slides are included in appendix I.
Background:
In the aftermath of the terrorist attacks of September 11, 2001, TSA
was created to take responsibility for the security of all modes of
public transportation. Included in the responsibilities of this new
agency was the authority to designate information as SSI. Originally
housed in the Department of Transportation, TSA was transferred to DHS
as a result of the Homeland Security Act of 2002.[Footnote 2]
According to TSA officials, SSI designated information is created by
TSA and by airports, aircraft operators, and other regulated parties
when they are establishing or implementing security programs or
documentation to address security requirements. Information that is
designated SSI can be shared with those who have a need to know in
order to participate in or oversee the protection of the nation's
transportation system. Those with a need to know can include persons
outside of TSA, such as airport operators, aircraft operators, foreign
vessel owners, and other persons. SSI cannot be shared with the general
public, and it is exempt from disclosure under FOIA.
There are 16 categories of SSI. TSA has distinguished these 16
categories into 3 types of SSI. Four categories are termed
"categorical" and automatically designated SSI. Eleven categories
require a judgment or analysis to determine if the SSI designation is
warranted. One category requires a written determination by an office
with determination authority to be deemed SSI. This category is "other
information," which is a catchall exemption for information that TSA
may wish to designate SSI that does not fit into the other 15
categories.[Footnote 3]
Additional background information on the SSI regulatory authority,
including a list of the 16 categories, is included in appendix I.
Results:
TSA does not have written policies and procedures, beyond its SSI
regulations, providing criteria for determining what constitutes SSI.
Written guidance for decision making such as this is a key element
included in GAO's Standards for Internal Control in the Federal
Government. Lack of such guidance could result in errors and
inconsistencies in determining the SSI designation. Indeed, in October
2004, TSA's Internal Security Policy Board concluded that TSA must
establish a framework to identify, control, and protect SSI. The board
concluded that essential elements of the framework should include,
among other things,
". . . exacting specificity with respect to what information is covered
and what is not covered. This specificity could be documented in a
classification guide type format because imprecision in this area
causes a significant impediment to determining SSI. Experience has
shown that employees unsure as to what constitutes SSI may err on the
side of caution and improperly and unnecessarily restrict information,
or may err inappropriately and potentially disastrously on the side of
public disclosure."
In addition to lacking written guidance concerning SSI designation, TSA
has no policies and procedures specifying clear responsibilities for
officials who can designate SSI.[Footnote 4] TSA's regulations allow
anyone within TSA to designate information SSI. Further, TSA has no
policies on accounting for or tracking documents designated as SSI.
While TSA officials told us that only a limited number of employees
routinely make SSI designations, they were unable to provide
documentation to confirm this. One consequence of a lack of control of
personnel able to designate documents as SSI is that TSA is unable to
determine the number of employees designating information as SSI or the
volume of documents designated SSI.
Once a document is designated SSI, it can remain designated as SSI in
perpetuity unless a FOIA request or other request for disclosure
outside of TSA results in removal of its SSI status. If a FOIA request
is received for an SSI designated document, or a document that contains
some SSI designated material, the SSI Program Office works in
conjunction with the FOIA Office to review its initial designation. If
TSA officials determine that the document should no longer be
considered SSI, it can be released to the FOIA requester. If TSA
officials feel that the SSI designation should remain but some portions
of the document are not SSI, the FOIA Office can determine whether it
is appropriate to release the document without the SSI material, or not
to release the document at all.[Footnote 5] Other than the FOIA
process, no procedures exist for the review of allegations that a
document has been erroneously designated as SSI. If there is no FOIA
request for a particular document, according to TSA, documents marked
as SSI are reviewed for continued applicability upon any request for
disclosure outside of TSA. However, TSA officials provided us with no
information on the number of documents released as a result of these
requests for public disclosure. TSA's SSI regulations indicate that TSA
may determine in writing that information should no longer be
designated as SSI because it no longer meets SSI criteria, but TSA has
not done this to date.
TSA lacks adequate internal controls to provide reasonable assurance
that its SSI designation process is being consistently applied across
TSA and for monitoring compliance with the regulations governing the
SSI designation process, including ongoing monitoring of the process.
GAO's Standards for Internal Control call for (1) areas of authority
and responsibility to be clearly defined and appropriate lines of
reporting established, (2) transactions and other significant events to
be documented clearly and documentation to be readily available for
examination, and (3) controls generally to be designed to ensure that
ongoing monitoring occurs in the course of normal operations. In
addition, the standards also require that information be communicated
within an organization to enable individuals to carry out their
internal control responsibilities. However, our review of TSA's
oversight activities noted weaknesses in each of these areas.
First, TSA has not clearly defined responsibility for monitoring
compliance with regulations, policies and procedures governing the SSI
designation process and communicated that responsibility throughout
TSA. Without clearly identifying the responsibility for monitoring
compliance with regulations governing its SSI designation, this
function may not receive adequate attention, leaving TSA unable to
provide reasonable assurance that those making SSI designations within
TSA are designating documents properly.
In an October 14, 2004, memorandum designed to centralize the
administration of SSI within the agency, TSA's Internal Security Policy
Board recognized that the handling and identification of SSI had become
problematic:
"Lacking a central policy program office for SSI has led to confusion
and unnecessary classification of some materials as SSI. Adherence to
handling requirements within TSA has been inconsistent, and there have
been instances where SSI has been mishandled outside of TSA.
Identification of SSI has often appeared to be ad-hoc, marked by
confusion and disagreement depending on the viewpoint, experience, and
training of the identifier. Strictures on the release of SSI and other
SSI policy or handling-related problems have occasionally frustrated
industry stakeholders, Congress, the media, and our own employees
trying to work within the confines of the restrictions. Significant
time and effort has been devoted to SSI issues, and it is not likely
that the current approach to addressing such issues can be sustained."
TSA officials told us that its new SSI Program Office will ultimately
be responsible for ensuring that staff are consistently applying SSI
designations. This office, which was established in February 2005, will
also develop and implement all TSA policies concerning SSI handling,
training, and protection. Officials said that TSA is also currently
drafting a summary that provides a definition and brief overview of the
SSI authority and is designing materials that will further educate all
TSA employees on policies, procedures, responsibilities, and guidance
for identifying and designating SSI. More detailed information on how
this office's activities will be operationalized was not yet available.
Specifically, TSA currently does not have written policies formalizing
the office's role, responsibilities, and authority.
Second, TSA has not yet established policies and procedures for how it
will monitor compliance with the regulations governing the SSI
designation process. Without written policies and procedures
documenting how it plans to monitor compliance with the regulations
governing the SSI designation process, TSA is unable to demonstrate
evidence of its monitoring activities.
Third, TSA has no formally defined policies or procedures for ongoing
monitoring reviews to assess compliance with the laws and regulations
governing the process for designating information as SSI. Without
clearly defined policies and procedures for conducting periodic
internal monitoring to assess compliance with the regulations governing
the SSI designation process, TSA lacks structure to support continuous
assurance that those employees making SSI designations within TSA are
designating documents properly.
TSA has not developed policies and procedures for providing specialized
training for all of its employees making SSI designations on how
information is to be identified and evaluated for protected status.
Development of specialized training for SSI designations must be
preceded by the establishment of guidance and associated policies and
procedures so that an adequate training curriculum can be developed. It
should also include written policies defining who is responsible for
ensuring that employees comply with SSI training requirements. While
TSA has provided a training briefing on SSI regulations to certain
staff such as the FOIA staff and other units within TSA, it does not
have specialized training in place to instruct employees on how to
consistently designate information as SSI.
Conclusions:
In order for TSA's SSI designation process to work effectively, there
must be clarity, structure, and accountability to help ensure that
information is not improperly and unnecessarily restricted or
inappropriately disclosed, and that the SSI designation process is
being applied consistently across TSA. The lack of clear and documented
policies and procedures for determining what constitutes SSI and
specifying who may make the designation could cause confusion and
uncertainty for staff who must administer the SSI designation process
without written guidance. Further, internal control policies and
procedures for monitoring the compliance with regulations governing the
SSI designation process, including internal controls for ongoing
monitoring, communicated to all staff, would help ensure accountability
and consistency in the implementation of TSA's SSI regulations.
Specialized training designed to familiarize those who are making SSI
designations on how information is to be identified and evaluated would
reduce the likelihood that employees improperly exempt information from
public disclosure or inappropriately disclose sensitive security
information.
Recommendations:
To help bring clarity, structure, and accountability to TSA's SSI
designation process, we recommend that the Secretary of the Department
of Homeland Security direct the Administrator of the Transportation
Security Administration to take the following four actions:
* establish clear guidance and procedures for using the TSA regulations
to determine what constitutes SSI,
* establish clear responsibility for the identification and designation
of information that warrants SSI protection,
* establish internal controls that clearly define responsibility for
monitoring compliance with regulations, policies, and procedures
governing the SSI designation process and communicate that
responsibility throughout TSA, and
* establish policies and procedures within TSA for providing
specialized training to those making SSI designations on how
information is to be identified and evaluated for protected status.
Agency Comments and Our Evaluation:
We obtained written comments on a draft of this report from the
Department of Homeland Security. We have included a copy of the
comments in their entirety in appendix II. In addition, DHS provided
technical comments, which we incorporated as appropriate.
In its June 14, 2005, comments, DHS generally concurred with our
recommendations and stated that they are consistent with ongoing TSA
efforts to improve sensitive security information program processes. In
its comments, DHS discussed the actions it has already taken and will
implement in response to the recommendations, including developing
internal controls and audit functions, which will define responsibility
for monitoring compliance with regulations, policies, and procedures
governing the SSI designation process, and which will be communicated
throughout TSA. However, as discussed below, DHS took exception to the
report's analyses and conclusions. While we disagree with the thrust of
DHS's comments, we believe we fairly and accurately characterize the
implementation and monitoring of SSI at DHS. We made clarifying changes
where appropriate.
DHS said that our report mischaracterized the nature of SSI by
incorrectly applying concepts associated with classified information
management to SSI information, which falls within a sensitive but
unclassified information category. DHS said that this construct may
lead the reader to fundamental misunderstandings regarding the issues
surrounding SSI. Although mentioned as a basis for comparison, neither
the GAO review nor its report was intended to apply concepts associated
with classified information management to SSI. Rather, our analyses
were intended to provide a factual summary of the key similarities and
differences in the classified information and SSI processes. We compare
the two processes only to help clarify the distinctions that exist and
thereby avoid any misunderstandings by readers who are familiar with
the processes for classified information. We included additional
language in the report clarifying that SSI is a form of sensitive but
unclassified information, rather than classified national security
information.
DHS also stated that SSI is the only practical means for sharing
security information with regulated parties and that the absence of a
robust SSI program would degrade both the prompt distribution of
security information to persons with a need to know and the free
exchange of ideas. We agree that SSI is a practical means for sharing
security information with regulated parties. In fact, the findings and
recommendations in this report should help DHS improve the SSI process.
That is, providing specific procedures and guidelines on how individual
employees are to identify and evaluate information for SSI protected
status is an intrinsic part of DHS's responsibility for effectively
managing its SSI process and should provide both DHS and the regulated
parties with confidence that information is given the proper protective
status.
DHS said that if a TSA employee incorrectly designates a document as
SSI while it remains within TSA, there is no impact on the public's
right to access because the FOIA review process will always result in
an independent determination regarding the SSI designation and that TSA
and DHS are committed to releasing as much information as possible. We
view the management improvements discussed in this report as helping to
ensure that information that should be withheld from the public is
protected as well as helping to ensure that other information is
available to the public. In addition, the fact that an incorrectly
designated SSI document remains within TSA does not obviate the fact it
is wrongfully exempted from disclosure. The potential lack of
visibility to the public that SSI documents exist and the time and
expense to the public and TSA involved in seeking disclosure of an SSI
document through FOIA could inhibit the release of information that
could and possibly should have been in the public domain but for an
incorrect application of SSI.
DHS also states that we make no distinction between the obligation to
"mark" information as SSI, held by all TSA employees, and the authority
to "designate," held by only a very few high-level employees. It
explains that all employees can "mark" documents that fall within 15
categories as SSI but only the high-level employees can "designate" the
16th category of "other information" by documenting the designation as
SSI. As we point out in this report, the responsibility of all TSA
employees goes beyond just marking a document as SSI and includes
making judgments about what information should be marked as SSI. As we
state on page 3, while TSA requires a written determination by an
office with determination authority for information deemed SSI for 1 of
its 16 SSI categories, according to TSA, only 4 of the remaining 15
categories automatically become SSI because of the type of document.
The other 11 require a judgment or analysis to be made to determine if
the SSI designation is warranted by any TSA employee. Therefore, we
continue to believe that appropriate guidance and controls are needed
to effectively manage the process.
In addition, DHS said that its SSI designation processes are consistent
with every sensitive but unclassified system in the federal government.
While we did not review these other systems, we believe that the
management principles and controls discussed in this report are
appropriate for the TSA system and would be appropriate for similar
systems elsewhere.
DHS said that we made an implied suggestion to quantify and identify
all documents that have been marked as SSI, and to identify all
personnel who have marked such documents. We did note in our discussion
of internal controls that TSA has no policies on accounting for or
tracking documents designated as SSI. As DHS notes, we did not
recommend that TSA provide an inventory of the titles or numbers of SSI
documents. In terms of identifying staff that designate documents as
SSI, since we are recommending training for all those who designate
SSI, identification of all personnel who are going to be applying this
designation would be needed to ensure that all are trained.
Further, DHS states that we obliquely criticize TSA's ability to
protect SSI without a date by which the document automatically loses
its SSI status based on time duration requirements similar to those
applicable to classified information. We did not recommend that TSA
should implement time limits for SSI information. Our review showed
that TSA has no written policies and procedures or systematic reviews
for determining if and when an SSI designation should be removed.
Moreover, other than the FOIA request process and other requests for
disclosure outside of TSA, no procedures exist for a review to
determine whether a document has been appropriately designated as SSI.
Such procedures would allow TSA to periodically review SSI designations
and identify and correct erroneously marked SSI documents while still
protecting those with valid reasons.
In commenting on our recommendation that DHS establish clear guidance
and procedures for using the TSA regulations to determine what
constitutes SSI, DHS said that TSA's SSI Program Office has already
taken some steps in line with our recommendation by developing internal
guidance that expands on the SSI regulation structure to provide
examples of the types of information that should fall within each SSI
category. It expects to publish the guidance for general use by TSA
employees and regulated parties in identifying and handling SSI.
In commenting on our recommendation that DHS establish clear
responsibility for the identification and designation of information
that warrants SSI protection, DHS stated that limiting the number of
individuals who may designate a document as SSI would lead to
operational bottlenecks, could lead to inappropriate release of
security information, and would not be operationally feasible. If it is
properly done, we do not see how establishing clear responsibility for
performing a governmental task would lead to these effects. We wish to
make a distinction between a set of personnel who would have
responsibility for SSI and a potentially much larger set of employees
who would be able to designate documents SSI. Those responsible for SSI
would be accountable for ensuring that those in their domain of
responsibility have appropriate training and are applying SSI
appropriately. DHS would then be in a much better position to ensure
that those responsible for SSI are held accountable, have appropriate
training, and are applying SSI appropriately.
DHS agreed with our recommendation for DHS to establish internal
controls that clearly define responsibility for monitoring compliance
with regulations, policies, and procedures governing the SSI
designation process and communicate that responsibility throughout TSA.
DHS said it had already undertaken action to develop internal controls,
including audit functions, which will define responsibility for
monitoring compliance with regulations, policies, and procedures
governing the SSI designation process and will communicate that
responsibility throughout TSA.
In commenting on our recommendation that DHS establish policies and
procedures within TSA for providing specialized training to those
making SSI designations on how information is to be identified and
evaluated for protected status, DHS said that it conducts specialized
SSI training for the SSI Program Office and FOIA staff, and other TSA
offices making SSI designations. In addition, it is expanding
specialized training to those offices within the agency that create the
majority of SSI. This is a good first step in addressing our
recommendation, but falls short of its overall intent because SSI
regulations extend the SSI designation authority to all TSA employees
and do so without giving them specific procedures and guidance,
beyond the regulations, upon which to base their judgments. Thus,
policies and procedures for providing specialized training to all TSA
employees authorized to make an SSI designation will still be needed.
In this regard, in our report, we quote an October 14, 2004, TSA
memorandum that says in part, "identification of SSI has often appeared
to be ad-hoc, marked by confusion and disagreement depending on the
viewpoint, experience, and training of the identifier." We believe this
statement speaks to the need for specialized training for all those who
designate materials as SSI.
As agreed with your offices, unless you publicly announce the contents
of this report earlier, we plan no further distribution until 30 days
from the report date. At that time, we will send copies of this report
to other interested congressional committees and to the Secretary of
the Department of Homeland Security and the Administrator of the
Transportation Security Administration. We will also make copies
available to others upon request. In addition, the report will be
available at no charge on GAO's Web site at http://www.gao.gov.
If you or your staff have any questions about this report, please
contact me at (202) 512-8777 or EkstrandL@gao.gov. Contact points for
our Offices of Congressional Relations and Public Affairs may be found
on the last page of this report. Key contributors to this report were
Glenn G. Davis, Vickie Miller, R. Rochelle Burns, Julian King, Thomas
Lombardi, David Hooper, David Plocher, Dolores McGhee, Nikki Clowers,
Kim Gianopoulos, Davi D'Agostino, Ann Borseth, William Cawood, Casey
Keplinger, David Alexander, Katherine Davis, and Larry Harrell.
Signed by:
Laurie E. Ekstrand,
Director:
Homeland Security and Justice Issues:
[End of section]
Appendix I: Briefing Slides:
[See PDF for images]
[End of slide presentation]
[End of section]
Appendix II: Comments from the Department of Homeland Security:
U.S. Department of Homeland Security:
Washington, DC 20528:
June 14, 2005:
Ms. Laurie E. Ekstrand:
Director, Homeland Security and Justice Issues:
U.S. Government Accountability Office:
441 G Street, N.W.:
Washington, D.C. 20548:
Dear Ms. Ekstrand:
RE: Draft Report GAO 05-677, Transportation Security Administration:
Clear Policies and Oversight Needed for Designation of Sensitive
Security Information: (Job Code 440363):
Thank you for the opportunity to review and comment on the subject
draft report. The Department of Homeland Security (DHS) generally
concurs with the GAO recommendations, which are consistent with on-going
Transportation Security Administration (TSA) efforts to improve
Sensitive Security Information (SSI) program processes. However, we
take strong exception with the analyses and conclusions. Specifically,
the report mischaracterizes the nature of SSI by incorrectly applying
concepts associated with classified information management to SSI
information, which falls within a Sensitive But Unclassified (SBU)
information category. SBU information includes such broadly used
categories as For Official Use Only (FOUO) and Law Enforcement
Sensitive (LES). This construct colors the entire report and may lead
the reader to fundamental misunderstandings regarding the issues
surrounding SSI. The SSI designation covers such information as airport
and seaport security plans, screening procedures, operating parameters
of screening equipment, vulnerability assessments, and other
information that could be exploited by terrorists to harm the public
and the nation's transportation systems.
The following discussion supports our position that GAO's analyses and
conclusions are not valid because of how GAO evaluated the SSI program.
SSI is the Only Practical Means for Sharing Security Information with
Regulated Parties.
SSI is primarily an information management tool that allows TSA to
share information regarding transportation security with industry and
foreign entities that have a need to know the information, but might
not possess security clearances necessary for them to receive
classified information. Sensitive information regarding transportation
security can be shared with regulated parties without the limitations
that would be imposed if the information were treated as a form of
classified information. For example, TSA can distribute essential
Security Directives and screening procedures in a timely manner to the
multitude of airport and aircraft operators, both domestic and foreign,
that transport the public. Detailed screening procedures can be
provided to 45,000 TSA screeners without classified materials security
clearances and without onerous handling limitations required for
classified information including specifically approved safes and
security logs. The absence of a robust SSI program would degrade both
the prompt distribution of security information to persons with a need
to know the information, and the free exchange of ideas among regulated
parties to further transportation security.
SSI is also a mechanism for protecting transportation security
information from indiscriminate release to those individuals who may
seek to use government transparency as a means for obtaining
information to harm the general public and the nation's transportation
infrastructure. It has been widely reported that public source
information has been specifically identified as an Al-Qaeda information
resource.[NOTE 1] Congress recognized the tension between this
demonstrated need to protect certain information, and the mandate to
support transparency in government operations, and concluded that SSI
must be exempt from the Freedom of Information Act (FOIA), 5 U.S.C.
§552. [NOTE 2]
While the ability to protect SSI from release under FOIA is a critical
component of SSI, it is ultimately a small part of the SSI system and
subsumed within the overall purpose of sharing information with
regulated parties that TSA would otherwise not be able to readily
provide. It is through this protection under a statutory FOIA exemption
that such information as Airport Security Plans, Security Directives,
screening equipment limitations, vulnerability assessments, Federal Air
Marshal deployment information, and other security information are
protected from release to any person who files a request for documents
under FOIA. Accordingly, TSA conducts a three-part SSI review of every
document requested by the public to determine the appropriateness of
any redaction that results in the withholding of SSI from the public.
Through this process, TSA ensures that the public's right to access
information about TSA operations is fully implemented. It is also
through this process that TSA validates its identification of SSI
documents, because it is only at this point that SSI restrictions most
impact the public. If a TSA employee incorrectly marks a document as
SSI while it remains within TSA, there is no impact on the public's
right to access because the FOIA review process will always result in
an independent determination regarding the SSI marking. Similar
procedures exist for other avenues through which the public receives
information, including Congressional, media, or litigation-related
requests. In every case, TSA and DHS are committed to releasing as much
information as possible.
SSI Designation Processes are Appropriate and Consistent with Every SBU
Management System in Federal Government:
Like all SBU programs across the government, it is the obligation of
every regulated person, whether TSA employee or employee of an entity
covered by the SSI regulation, to mark as SSI those documents that
clearly fall within defined SSI categories set out in the SSI
regulation at 49 C.F.R. Part 1520, Protection of Sensitive Security
Information. Thus, if an employee creates a vulnerability assessment of
a transportation facility, there is no requirement for that employee to
obtain permission from the equivalent of an original classification
authority to mark and protect that document as SSI, because TSA has
already designated vulnerability assessments as SSI in its published
regulation. This marking obligation is no different from the obligation
of any Federal employee in any Federal agency to mark as "FOUO" a
sensitive document intended to be distributed for official use within
the government. TSA is not aware of any examples of more effective or
tightly tracked SBU systems within the Government.
The power to designate documents that may not clearly fall within the
defined categories at 49 C.F.R. §§1520.5(b)(1)-(15), however, is
limited to only seven TSA senior-level employees. That designation must
be accompanied by a formal memorandum explaining the basis for
designating the document as SSI. That form of designation, beyond the
fifteen categories established by regulation, is used by TSA for only
four items of information. GAO's report makes no distinction between
the obligation to mark information as SSI, held by all employees, and
the authority to designate, held by only a very few high level
employees. [NOTE 3]
It is for this reason that GAO's implied suggestion to quantify and
identify (to GAO standards) all documents that have been marked as SSI,
and all personnel who have marked such documents, is unworkable. The
Government requires that agencies report the numbers and classification
levels (Top Secret, Secret, or Confidential) of classified documents,
but does not require reporting the titles of classified documents at
any level, including Top Secret. We note that GAO did not recommend
that TSA provide an inventory of the titles or numbers of SSI
documents. Performing such inventories would impose enormous
administrative burdens that would require a vastly enlarged bureaucracy
to implement. So long as the document falls within an SSI category
established by regulation, it is the obligation of anyone who creates a
document falling within that category to mark the document as SSI. In
addition, SSI documents are created by non-TSA individuals including
industry, Coast Guard, and the Federal Aviation Administration (FAA)
personnel. Given that all documents that contain SSI created by any of
these individuals must be marked and protected, developing a system to
identify and track each potential and actual user, document, and title
is not viable.
Similarly, limiting the number of personnel who mark a document SSI
would also be unworkable. In a classified information system, an
original classification authority uses a classification guide to
determine whether a document should be classified. Within the SSI
system, the SSI regulation serves a function similar to a
classification guide by providing a framework for what should or should
not be SSI. Since security information pervades TSA's mission and daily
operations, limiting the ability to mark documents as SSI to a few
individuals would create an information bottleneck without appreciably
reducing the number of documents ultimately marked as SSI. Furthermore,
it would risk the potentially inappropriate release of security
information that should remain protected, as unmarked SSI documents are
more difficult to protect and handle appropriately. The GAO report does
not contest the substance of the SSI regulation covering the categories
under which TSA appropriately marks SSI documents.
Finally, while the report does not recommend that TSA implement time
limits for SSI information, GAO obliquely criticizes TSA's ability to
protect SSI without a date by which the document automatically loses
its SSI status. The reasons for designating information as SSI often
remain valid for an indefinite period of time. While much classified
information is time sensitive because it exists to protect sources of
intelligence as much as the intelligence itself, SSI-designated
operating procedures or screening equipment capabilities, for example,
will remain sensitive so long as those procedures or that equipment
remains in use, and do not become "stale" simply through the passage of
time. Conversely, the SSI information may become obsolete much more
rapidly than classified information if the procedures change
substantially and could be de-designated before it would under a set
schedule. As the GAO report acknowledges, the SSI regulation provides a
mechanism for determining that a document should no longer be SSI. (49
C.F.R. § 1520.5(c)).
GAO Recommendations and TSA Response:
GAO Recommendation: Establish clear guidance and procedures for using
the TSA regulations to determine what constitutes SSI.
TSA Response: TSA SSI regulations already provide a framework for
determining what constitutes SSI. The TSA SSI Program office, created
in February of this year within the Office of the Chief of Staff and
assigned SSI policy and training functions, has also developed internal
guidance that expands on the SSI regulation structure to provide
examples of the types of information that should fall within each
category. That guidance is an on-going effort that reflects the
continued experience of the office with FOIA review, litigation support
efforts, and general outreach with regulated parties. The SSI Program
office expects to publish the guidance for general use by TSA employees
and regulated parties in identifying and handling SSI.
GAO Recommendation: Establish clear responsibility for the
identification and designation of information that warrants SSI
protection.
TSA Response: Currently, only seven senior-level TSA employees have the
authority to designate as SSI a document that does not fall within one
of the fifteen categories specified in 49 C.F.R. §1520.5(b). Each
covered person, including TSA employees, has an obligation to
appropriately mark documents that fall within the fifteen categories.
Those obligations are spelled out in the regulation, and in mandatory
SSI training provided to every TSA employee.
Furthermore, limiting the number of individuals that may mark a
document as SSI would lead to operational bottlenecks and to the
potentially inappropriate release of security information that should
remain protected. There would be no increase in the number of documents
released to the public, since documents falling within the SSI
regulation would ultimately still be marked SSI. Such a limitation
impairs the utility of SSI as a system of shared, secure information,
and would not be operationally feasible. As noted earlier, GAO did not
recommend that TSA provide an inventory of the titles or numbers of SSI
documents. To reiterate, performing such inventories would impose
enormous administrative burdens requiring a vastly enlarged
bureaucracy. So long as the document falls within an SSI category
established by regulation, it is the obligation of anyone who creates a
document falling within that category to mark the document as SSI. In
addition, SSI documents are created by non-TSA individuals including
industry, Coast Guard, and FAA personnel. Because all documents that
contain SSI created by any of these individuals must be marked and
protected, developing a system to identify and track each potential and
actual user, document, and title is not viable. The TSA SSI Program
Office is currently designing materials that will further educate all
TSA employees and other covered persons through clear policies,
procedures, responsibilities, and guidance for identifying and marking
SSI.
GAO Recommendation: Establish internal controls that clearly define
responsibility for monitoring compliance with regulations, policies,
and procedures governing the SSI designation process and communicate
that responsibility throughout TSA.
TSA Response: TSA recognized shortcomings in SSI practices in the
beginning of 2004 and charged the Internal Security Policy Board to
make recommendations to improve TSA SSI practices. That Board
recommended on October 14, 2004 that a central SSI Program Office be
created and staffed, which has been accomplished. The SSI Program
Office is currently developing internal controls, including audit
functions, which will define responsibility for monitoring compliance
with regulations, policies, and procedures governing the SSI
designation process and will communicate that responsibility throughout
TSA.
GAO Recommendation: Establish policies and procedures within TSA for
providing specialized training to those making SSI designations on how
information is to be identified and evaluated for protected status.
TSA Response: TSA already conducts specialized SSI training for SSI
Program Office and FOIA staff, who review all FOIA requests prior to
release to the public, and other TSA offices. TSA also has provided and
is expanding specialized training to those offices within the agency
that create the majority of SSI. TSA will continue to develop and
provide more substantive training throughout TSA, including
dramatically expanded guidance on identification and marking.
Thank you again for the opportunity to comment on this draft report. We
are providing technical comments to your office under separate cover
and trust that they will be considered for inclusion in the final
report. We believe that most of the comments provide added context,
background, and support for our position. 4:
Sincerely,
Signed by:
Steven J. Pecinovsky:
Director, Departmental GAO/OIG Liaison Office:
Office of the Chief Financial Officer:
MMCP:
NOTES:
[1] On January 14, 2003, the Department of Defense reported that an Al
Qaeda training manual recovered in Afghanistan stated that "Using
public sources openly and without resorting to illegal means, it is
possible to gather at least 80% of information about the enemy."
http://www.ioss.gov/docs/rumsfeld_14jan03.html.
[2] 49 U.S.C. §114(s).
[3] Designation authority is currently limited to the Assistant
Secretary for Transportation Security (TSA Administrator), Deputy
Assistant Secretary, SSI Program Office Director, Chief Technology
Officer, Assistant Administrator for Transportation Security
Intelligence Service, Assistant Administrator for Intermodal Programs,
and Assistant Administrator for Aviation Programs.
[4] In its technical comments, TSA addresses one incident that left a
negative perception of TSA SSI practices. The GAO draft report noted an
incident in which TSA prepared responses to questions submitted to the
House Appropriations Homeland Security Subcommittee that were marked
SSI, but that one month earlier had not been so marked. The incident
was the result of an expedited review to accommodate a House
Appropriations Committee schedule under which the normal SSI review
process could not be accommodated. The result was that certain
responses out of 373 questions were marked SSI because the materials
fell within certain categories of the SSI regulation and there was no
time to undertake a public source review that would have shown that the
material was in the public domain. Once a review was undertaken, it was
determined that 7 of the responses should not have been marked SSI.
Given the unique circumstances of this particular request, where
judgment had to be exercised quickly, favoring the preservation of
security seemed the most appropriate course.
[End of section]
FOOTNOTES
[1] GAO, Standards for Internal Control in the Federal Government,
GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999).
[2] The Homeland Security Act of 2002 established 49 U.S.C. § 114(s) as
TSA's SSI authority. TSA codified its SSI regulations at 49 C.F.R. part
1520.
[3] A subset of one of the judgment categories, 49 C.F.R. §
1520.5(9)(iii), also falls within this determination category.
[4] TSA identified two categories of information--§§ 1520.5(b)(9)(iii)
and 1520.5(b)(16)--that require a written determination by an office
with determination authority to be designated SSI.
[5] According to a TSA official, TSA processed 99 FOIA requests
involving or related to SSI in 2003 and 129 requests in 2004. The TSA
official said that, of the total requests processed in 2003, no
requests were granted in whole, 63 requests were granted in part, and
36 requests were denied in full. The official also said that, of those
129 requests processed in 2004, no requests were granted in whole, 92
requests were granted in part, and 37 requests were denied in full.