Sensitive Security Information (SSI) is a control designation used by the Department of Homeland Security, and particularly the Transportation Security Administration. It is applied to information about security programs, vulnerability and threat assessments, screening processes, technical specifications of certain screening equipment and objects used to test screening equipment, and equipment used for communicating security information relating to air, land, or maritime transportation. The applicable information is spelled out in greater detail in 49 CFR 1520.7.
The SSI applies to information that the government obtains from the private sector or develops on its own while carrying out certain security or research and development activities relating to any mode of transportation. It protects information that, if disclosed, would be an unwarranted invasion of personal privacy, reveal a trade secret or privileged or confidential commercial or financial information, or make it easier for hostile elements to avoid security controls.
Statutory/Regulatory Responsibilities & Obligations
The Transportation Security Administration (TSA) has oversight responsibility for protecting Sensitive Security Information.
Access to SSI
Access to SSI is based on need to know. A Federal employee has a need to know SSI when access to the information is necessary for the employee to accomplish official duties. A contractor employee has a need to know SSI when access to the information is necessary for the employee to carry out a requirement of a Federal contract relating to transportation security.
Any person who creates a document containing SSI must include a protective marking and limited distribution statement that clearly identifies the information as SSI and specifies the distribution limitation required. A person who receives a record containing SSI that is not marked accordingly must add such marking and inform the sender of its omission.
The protective marking, "SENSITIVE SECURITY INFORMATION' must be written or stamped in plan style bold type, such as Times New Roman font size 16 or an equivalent style and font size. For documents, it must be applied at the top of the outside of any front cover (including a binder or folder), on the top of any title page, on the top of the first page and each subsequent page, and on the top of the outside of any back cover (including a binder or folder). This marking should be placed in a comparable location on charts, maps, or drawings and on film, video, or electronic media
A distribution limitation statement must be applied at the bottom of the outside cover of any front cover (including a binder or folder), on the bottom of any title page, on the bottom of the first page and each subsequent page, and on the bottom of the outside of any back cover (including a binder or folder). It should be placed in a comparable location on other forms of media. The distribution limitation statement should be written or stamped in plain style bold type using Times New Roman and a font size of 8 or an equivalent style and font size. This statement must read as follows:
Documents that transmit SSI but do not themselves contain SSI must be marked with the distribution limitation statement. In addition, the following statement must be affixed to the front page of the transmittal document.
All personnel possessing SSI are responsible for ensuring that such information is safeguarded at all times from disclosure to unauthorized personnel. When the information is not under the individual's direct physical control, the individual is responsible for ensuring that it is safeguarded and protected so that it is not physically or visually accessible to persons who do not have a need to know. When unattended, SSI must be secured in a locked container, office, or other restricted access area with access to the keys or combination limited to those with a need to know.
Control and Release of SSI
SSI may be released to federal, state and municipal government officials/employees, local law enforcement officials, and regulated parties who have a need to know as established by regulation or authorized by the TSA Administrator.
SSI requested under the Freedom of Information Act is exempt from disclosure under the FOIA based on Exemption 3, 5 USC 552(b)(3). Any decision to release SSI under the FOIA must have the concurrence of the TSA Administrator.
Requests for information that are addressed to regulated parties, such as requests under State and local freedom of information or open records acts, should be referred to the TSA Administrator. TSA works with operators, carriers, and other affected entities to determine what records or portions of records should remain undisclosed and what may be released.
If a record contains SSI but also contains non-SSI that may be disclosed, the latter will be provided in response to a FOIA request, provided the record is not otherwise exempt from disclosure under FOIA, if it is practical to redact the requested information from the record.
When a contractor needs to make copies of SSI, the contractor must prior prior notification in writing, through the Contracting Office, to the originator of the SSI.
Packaging and Transmitting SSI
SSI May be transmitted by U.S. Postal Service first class mail or regular parcel post, or by other delivery services such as Federal Express or UPS. It must be enclosed in an opaque envelop or other opaque wrapping. Addressing the package with an attention line containing the name and office of the recipient helps to ensure that the SSI material is received and opened only by authorized personnel. When hand carried within or between buildings, SSI must be protected by ac over sheet, protective folder, distribution pouch, or other method to prevent visual disclosure.
When transmitted by e-mail, SSI must be in a password-protected attachment. The passwords and procedures must comply with standards set by the TSA Office of Information Security.
When sending SSI by fax, the sender must assure that the receiving fax machine is in a secure area or that an authorized recipient is at the receiving fax machine to promptly retrieve the information.
When communicating SSI by telephone, the caller must ensure that the person receiving the SSI is an authorized recipient. Cellular and cordless telephones should be avoided if at all possible, because such conversations are easier to intercept and monitor.
Posting of SSI on Internet or intranet sites is permitted only on sites approved by the TSA Office of Information Security. Such sites must meet prescribed security standards.
Destruction of SSI
SSI should be destroyed in a manner that ensures recovery of the sensitive information is difficult, if not impossible. Any means approved for the destruction of national security classified material may also be used for SSI. If no such means is available, SSI may be destroyed by tearing it into small pieces and assimilating it with other waste material. When destroying SSI by hand, it must be cut or torn into pieces measuring not more than 1/2 inch on a side and then mixed with other wastepaper.
When a contractor proposes to destroy records containing SSI, the contractor must first provide notification in writing, through the Contracting Office, to the information originator. This notification must include the following minimum information: identification of information to be destroyed, quantities of copies, date and place of destruction, method of destruction, and residual SSI remaining in custody of the contractor.
Relationship to Other Document Designations
SSI is one of a number of categories of information that are commonly referred to as "sensitive but unclassified" information. Some of these categories, such as SSI, Protected Critical Infrastructure Information (Protected CII), and Privacy Act Information are defined by legislation. One prominent category -- For Official Use Only (FOUO) -- is not defined by legislation; its usage varies from one agency to another. Because SSI is defined by legislation, rules for marking and handling SSI take precedence over agency procedures for handling FOUO. No document should ever be marked both SSI and FOUO.
It is possible, however, for the same document to be marked both SSI and Protected CII. This will happen when the SSI document also meets the requirement for Protected CCI, that is, it is provided to the government voluntarily rather than in response to a government requirement. As a general rule, SSI is either created by TSA or required to be submitted to TSA or another part of the Federal government. If a document carries both markings, it must be handled according to the more stringent Protected CII rules.
Violation is a civil offense as compared with PCII which is a criminal offense. Need more information here.
Legal & Regulatory Authorities