This is the accessible text file for GAO report number GAO-05-677 
entitled 'Transportation Security Administration: Clear Policies and 
Oversight Needed for Designation of Sensitive Security Information' 
which was released on July 29, 2005. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to Congressional Requesters: 

United States Government Accountability Office: 

GAO: 

June 2005: 

Transportation Security Administration: 

Clear Policies and Oversight Needed for Designation of Sensitive 
Security Information: 

GAO-05-677: 

GAO Highlights: 

Highlights of GAO-05-677, a report to congressional requesters: 

Why GAO Did This Study: 

Concerns have arisen about whether the Transportation Security 
Administration (TSA) is applying the Sensitive Security Information 
(SSI) designation consistently and appropriately. SSI is one category 
of “sensitive but unclassified” information—information generally 
restricted from public disclosure but that is not classified. GAO 
determined (1) TSA’s SSI designation and removal procedures, (2) TSA’s 
internal control procedures in place to ensure that it consistently 
complies with laws and regulations governing the SSI process and 
oversight thereof, and (3) TSA’s training to its staff that designate 
SSI.

What GAO Found: 

TSA does not have guidance and procedures, beyond its SSI regulations, 
providing criteria for determining what constitutes SSI or who can make 
the designation. Such guidance is required under GAO’s standards for 
internal controls. In addition, TSA has no policies on accounting for 
or tracking documents designated as SSI. As a result, TSA was unable to 
determine either the number of TSA employees actually designating 
information as SSI or the number of documents designated SSI. Further, 
apart from Freedom of Information Act (FOIA) requests or other requests 
for disclosure outside of TSA, there are no written policies and 
procedures or systematic reviews for determining if and when an SSI 
designation should be removed. 

TSA also lacks adequate internal controls to provide reasonable 
assurance that its SSI designation process is being consistently 
applied across TSA. Specifically, TSA has not established and 
documented policies and internal control procedures for monitoring 
compliance with the regulations, policies, and procedures governing its 
SSI designation process, including ongoing monitoring of the process. 
TSA officials told us that its new SSI Program Office will ultimately 
be responsible for ensuring that staff are consistently applying SSI 
designations. This office, which was established in February 2005, will 
also develop and implement all TSA policy concerning SSI handling, 
training, and protection. More detailed information on how this 
office’s activities will be operationalized was not yet available. 
Specifically, TSA officials provided no written policies formalizing 
the office’s role, responsibilities, and authority.

TSA has not developed policies and procedures for providing specialized 
training for all of its employees making SSI designations on how 
information is identified and evaluated for protected status. 
Development of such training for SSI designations is needed to help 
ensure consistent implementation of the designation authority across 
TSA. While TSA has provided a training briefing on SSI regulations to 
certain staff, such as the FOIA staff, it does not have specialized 
training in place to instruct employees on how to consistently 
designate information as SSI. In addition, TSA has no written policies 
identifying who is responsible for ensuring that employees comply with 
SSI training requirements.

What GAO Recommends: 

GAO recommends that the Secretary of Homeland Security direct TSA to 
establish clear guidance and procedures for using the TSA regulations 
to determine what constitutes SSI; establish clear responsibility for 
the identification and designation of SSI information; establish 
internal controls monitoring compliance with its SSI regulations, 
policies, and procedures, and communicate that responsibility for 
implementing the controls throughout TSA; and provide specialized 
training to those making SSI designations on how information is to be 
identified and evaluated for SSI status. The Department of Homeland 
Security generally concurred with our recommendations.

www.gao.gov/cgi-bin/getrpt?GAO-05-677.

To view the full product, including the scope and methodology, click on 
the link above. For more information, contact Laurie E. Ekstrand at 
(202) 512-8777 or ekstrandl@gao.gov.

Contents: 

Letter: 

Background: 

Results: 

Conclusions: 

Recommendations: 

Agency Comments and Our Evaluation: 

Appendix I: Briefing Slides: 

Appendix II: Comments from the Department of Homeland Security: 

Abbreviations: 

ATSA: Aviation and Transportation Security Act: 

DHS: Department of Homeland Security: 

DOT: Department of Transportation: 

FAA: Federal Aviation Administration: 

FOIA: Freedom of Information Act: 

SBU: Sensitive But Unclassified: 

SSI: Sensitive Security Information: 

TSA: Transportation Security Administration: 

United States Government Accountability Office: 

Washington, DC 20548: 

June 29, 2005: 

The Honorable David Obey: 
Ranking Minority Member: 
Committee on Appropriations: 
House of Representatives: 

The Honorable Martin Olav Sabo: 
Ranking Minority Member: 
Subcommittee on Homeland Security: 
Committee on Appropriations: 
House of Representatives: 

The security of our transportation system is of vital importance to the 
nation. In line with keeping our transportation safe, some information 
that is related to threats to or protection of the transportation 
system must be held out of the public domain. On the other hand, the 
government must always be mindful of the public's legitimate interest 
in, and need to know, information related to threats to the 
transportation system and associated vulnerabilities. 

Sensitive Security Information (SSI) is a specific category of 
information related to transportation security that is deemed to 
require protection against public disclosure. Although it is not 
classified national security information, SSI is a category of 
sensitive but unclassified information that, along with protected 
critical infrastructure information, is specifically exempted by 
statute from release under the Freedom of Information Act (FOIA), and 
that is to be disclosed only to covered persons on a need to know 
basis. While the Transportation Security Administration (TSA), through 
its SSI authority, may share SSI with regulated entities, it generally 
prohibits the public disclosure of information obtained or developed in 
the conduct of security activities, which would constitute an 
unwarranted invasion of privacy, reveal trade secrets or privileged or 
confidential commercial or financial information, or be detrimental to 
the security of transportation. 

Questions have been raised about TSA's practices and procedures for 
determining whether information should be protected as SSI. For 
example, certain written responses to questions submitted by TSA to the 
House Appropriations Homeland Security Subcommittee were designated as 
SSI. However, 1 month earlier, the agency had not treated this same 
information as sensitive. Further, in an October 2004 memorandum, TSA 
itself recognized that the handling and identification of SSI had 
become problematic. 

In response to your request concerning TSA's handling of SSI, we are 
reporting on (1) TSA's procedures for determining whether information 
should be protected under the SSI designation, as well as procedures 
for determining if and when the designation should be removed, (2) 
internal control procedures in place to ensure that TSA consistently 
complies with laws and regulations governing the designation of 
information as SSI and how TSA oversees the procedures to ensure that 
they are consistently applied, and (3) TSA's training to its staff who 
designate SSI. 

To address our objectives, we reviewed applicable federal laws and 
regulations, Department of Homeland Security (DHS) and TSA policies and 
procedures, and other documents related to the SSI designation, and 
oversight and training processes. We also interviewed TSA and DHS 
officials involved in the SSI designation, oversight and training 
processes. GAO's Standards for Internal Control in the Federal 
Government provided benchmarks and standards against which we assessed 
TSA's SSI designation policies and procedures.[Footnote 1] Our work was 
conducted from January 2005 through April 2005 in accordance with 
generally accepted government auditing standards. 

On April 29, 2005, we provided your offices a briefing on the results 
of our work. The briefing slides are included in appendix I. 

Background: 

In the aftermath of the terrorist attacks of September 11, 2001, TSA 
was created to take responsibility for the security of all modes of 
public transportation. Included in the responsibilities of this new 
agency was the authority to designate information as SSI. Originally 
housed in the Department of Transportation, TSA was transferred to DHS 
as a result of the Homeland Security Act of 2002.[Footnote 2]

According to TSA officials, SSI designated information is created by 
TSA and by airports, aircraft operators, and other regulated parties 
when they are establishing or implementing security programs or 
documentation to address security requirements. Information that is 
designated SSI can be shared with those who have a need to know in 
order to participate in or oversee the protection of the nation's 
transportation system. Those with a need to know can include persons 
outside of TSA, such as airport operators, aircraft operators, foreign 
vessel owners, and other persons. SSI cannot be shared with the general 
public, and it is exempt from disclosure under FOIA. 

There are 16 categories of SSI. TSA has distinguished these 16 
categories into 3 types of SSI. Four categories are termed 
"categorical" and automatically designated SSI. Eleven categories 
require a judgment or analysis to determine if the SSI designation is 
warranted. One category requires a written determination by an office 
with determination authority to be deemed SSI. This category is "other 
information," which is a catchall exemption for information that TSA 
may wish to designate SSI that does not fit into the other 15 
categories.[Footnote 3] 

Additional background information on the SSI regulatory authority, 
including a list of the 16 categories, is included in appendix I. 

Results: 

TSA does not have written policies and procedures, beyond its SSI 
regulations, providing criteria for determining what constitutes SSI. 
Written guidance for decision making such as this is a key element 
included in GAO's Standards for Internal Control in the Federal 
Government. Lack of such guidance could result in errors and 
inconsistencies in determining the SSI designation. Indeed, in October 
2004, TSA's Internal Security Policy Board concluded that TSA must 
establish a framework to identify, control, and protect SSI. The board 
concluded that essential elements of the framework should include, 
among other things,

". . . exacting specificity with respect to what information is covered 
and what is not covered. This specificity could be documented in a 
classification guide type format because imprecision in this area 
causes a significant impediment to determining SSI. Experience has 
shown that employees unsure as to what constitutes SSI may err on the 
side of caution and improperly and unnecessarily restrict information, 
or may err inappropriately and potentially disastrously on the side of 
public disclosure."

In addition to lacking written guidance concerning SSI designation, TSA 
has no policies and procedures specifying clear responsibilities for 
officials who can designate SSI.[Footnote 4] TSA's regulations allow 
anyone within TSA to designate information SSI. Further, TSA has no 
policies on accounting for or tracking documents designated as SSI. 
While TSA officials told us that only a limited number of employees 
routinely make SSI designations, they were unable to provide 
documentation to confirm this. One consequence of a lack of control of 
personnel able to designate documents as SSI is that TSA is unable to 
determine the number of employees designating information as SSI or the 
volume of documents designated SSI. 

Once a document is designated SSI, it can remain designated as SSI in 
perpetuity unless a FOIA request or other request for disclosure 
outside of TSA results in removal of its SSI status. If a FOIA request 
is received for an SSI designated document, or a document that contains 
some SSI designated material, the SSI Program Office works in 
conjunction with the FOIA Office to review its initial designation. If 
TSA officials determine that the document should no longer be 
considered SSI, it can be released to the FOIA requester. If TSA 
officials feel that the SSI designation should remain but some portions 
of the document are not SSI, the FOIA Office can determine whether it 
is appropriate to release the document without the SSI material, or not 
to release the document at all.[Footnote 5] Other than the FOIA 
process, no procedures exist for the review of allegations that a 
document has been erroneously designated as SSI. If there is no FOIA 
request for a particular document, according to TSA, documents marked 
as SSI are reviewed for continued applicability upon any request for 
disclosure outside of TSA. However, TSA officials provided us with no 
information on the number of documents released as a result of these 
requests for public disclosure. TSA's SSI regulations indicate that TSA 
may determine in writing that information should no longer be 
designated as SSI because it no longer meets SSI criteria, but TSA has 
not done this to date. 

TSA lacks adequate internal controls to provide reasonable assurance 
that its SSI designation process is being consistently applied across 
TSA and for monitoring compliance with the regulations governing the 
SSI designation process, including ongoing monitoring of the process. 
GAO's Standards for Internal Control call for (1) areas of authority 
and responsibility to be clearly defined and appropriate lines of 
reporting established, (2) transactions and other significant events to 
be documented clearly and documentation to be readily available for 
examination, and (3) controls generally to be designed to ensure that 
ongoing monitoring occurs in the course of normal operations. In 
addition, the standards also require that information be communicated 
within an organization to enable individuals to carry out their 
internal control responsibilities. However, our review of TSA's 
oversight activities noted weaknesses in each of these areas. 

First, TSA has not clearly defined responsibility for monitoring 
compliance with regulations, policies and procedures governing the SSI 
designation process and communicated that responsibility throughout 
TSA. Without clearly identifying the responsibility for monitoring 
compliance with regulations governing its SSI designation, this 
function may not receive adequate attention, leaving TSA unable to 
provide reasonable assurance that those making SSI designations within 
TSA are designating documents properly. 

In an October 14, 2004, memorandum designed to centralize the 
administration of SSI within the agency, TSA's Internal Security Policy 
Board recognized that the handling and identification of SSI had become 
problematic: 

"Lacking a central policy program office for SSI has led to confusion 
and unnecessary classification of some materials as SSI. Adherence to 
handling requirements within TSA has been inconsistent, and there have 
been instances where SSI has been mishandled outside of TSA. 
Identification of SSI has often appeared to be ad-hoc, marked by 
confusion and disagreement depending on the viewpoint, experience, and 
training of the identifier. Strictures on the release of SSI and other 
SSI policy or handling-related problems have occasionally frustrated 
industry stakeholders, Congress, the media, and our own employees 
trying to work within the confines of the restrictions. Significant 
time and effort has been devoted to SSI issues, and it is not likely 
that the current approach to addressing such issues can be sustained."

TSA officials told us that its new SSI Program Office will ultimately 
be responsible for ensuring that staff are consistently applying SSI 
designations. This office, which was established in February 2005, will 
also develop and implement all TSA policies concerning SSI handling, 
training, and protection. Officials said that TSA is also currently 
drafting a summary that provides a definition and brief overview of the 
SSI authority and is designing materials that will further educate all 
TSA employees on policies, procedures, responsibilities, and guidance 
for identifying and designating SSI. More detailed information on how 
this office's activities will be operationalized was not yet available. 
Specifically, TSA currently does not have written policies formalizing 
the office's role, responsibilities, and authority. 

Second, TSA has not yet established policies and procedures for how it 
will monitor compliance with the regulations governing the SSI 
designation process. Without written policies and procedures 
documenting how it plans to monitor compliance with the regulations 
governing the SSI designation process, TSA is unable to demonstrate 
evidence of its monitoring activities. 

Third, TSA has no formally defined policies or procedures for ongoing 
monitoring reviews to assess compliance with the laws and regulations 
governing the process for designating information as SSI. Without 
clearly defined policies and procedures for conducting periodic 
internal monitoring to assess compliance with the regulations governing 
the SSI designation process, TSA lacks structure to support continuous 
assurance that those employees making SSI designations within TSA are 
designating documents properly. 

TSA has not developed policies and procedures for providing specialized 
training for all of its employees making SSI designations on how 
information is to be identified and evaluated for protected status. 
Development of specialized training for SSI designations must be 
preceded by the establishment of guidance and associated policies and 
procedures so that an adequate training curriculum can be developed. It 
should also include written policies defining who is responsible for 
ensuring that employees comply with SSI training requirements. While 
TSA has provided a training briefing on SSI regulations to certain 
staff such as the FOIA staff and other units within TSA, it does not 
have specialized training in place to instruct employees on how to 
consistently designate information as SSI. 

Conclusions: 

In order for TSA's SSI designation process to work effectively, there 
must be clarity, structure, and accountability to help ensure that 
information is not improperly and unnecessarily restricted or 
inappropriately disclosed, and that the SSI designation process is 
being applied consistently across TSA. The lack of clear and documented 
policies and procedures for determining what constitutes SSI and 
specifying who may make the designation could cause confusion and 
uncertainty for staff who must administer the SSI designation process 
without written guidance. Further, internal control policies and 
procedures for monitoring the compliance with regulations governing the 
SSI designation process, including internal controls for ongoing 
monitoring, communicated to all staff, would help ensure accountability 
and consistency in the implementation of TSA's SSI regulations. 
Specialized training designed to familiarize those who are making SSI 
designations on how information is to be identified and evaluated would 
reduce the likelihood that employees improperly exempt information from 
public disclosure or inappropriately disclose sensitive security 
information. 

Recommendations: 

To help bring clarity, structure, and accountability to TSA's SSI 
designation process, we recommend that the Secretary of the Department 
of Homeland Security direct the Administrator of the Transportation 
Security Administration to take the following four actions: 

* establish clear guidance and procedures for using the TSA regulations 
to determine what constitutes SSI,

* establish clear responsibility for the identification and designation 
of information that warrants SSI protection,

* establish internal controls that clearly define responsibility for 
monitoring compliance with regulations, policies, and procedures 
governing the SSI designation process and communicate that 
responsibility throughout TSA, and 

* establish policies and procedures within TSA for providing 
specialized training to those making SSI designations on how 
information is to be identified and evaluated for protected status. 

Agency Comments and Our Evaluation: 

We obtained written comments on a draft of this report from the 
Department of Homeland Security. We have included a copy of the 
comments in their entirety in appendix II. In addition, DHS provided 
technical comments, which we incorporated as appropriate. 

In its June 14, 2005, comments, DHS generally concurred with our 
recommendations and stated that they are consistent with ongoing TSA 
efforts to improve sensitive security information program processes. In 
its comments, DHS discussed the actions it has already taken and will 
implement in response to the recommendations, including developing 
internal controls and audit functions, which will define responsibility 
for monitoring compliance with regulations, policies, and procedures 
governing the SSI designation process, and which will be communicated 
throughout TSA. However, as discussed below, DHS took exception to the 
report's analyses and conclusions. While we disagree with the thrust of 
DHS's comments, we believe we fairly and accurately characterize the 
implementation and monitoring of SSI at DHS. We made clarifying changes 
where appropriate. 

DHS said that our report mischaracterized the nature of SSI by 
incorrectly applying concepts associated with classified information 
management to SSI information, which falls within a sensitive but 
unclassified information category. DHS said that this construct may 
lead the reader to fundamental misunderstandings regarding the issues 
surrounding SSI. Although mentioned as a basis for comparison, neither 
the GAO review nor its report was intended to apply concepts associated 
with classified information management to SSI. Rather, our analyses 
were intended to provide a factual summary of the key similarities and 
differences in the classified information and SSI processes. We compare 
the two processes only to help clarify the distinctions that exist and 
thereby avoid any misunderstandings by readers who are familiar with 
the processes for classified information. We included additional 
language in the report clarifying that SSI is a form of sensitive but 
unclassified information, rather than classified national security 
information. 

DHS also stated that SSI is the only practical means for sharing 
security information with regulated parties and that the absence of a 
robust SSI program would degrade both the prompt distribution of 
security information to persons with a need to know and the free 
exchange of ideas. We agree that SSI is a practical means for sharing 
security information with regulated parties. In fact, the findings and 
recommendations in this report should help DHS improve the SSI process. 
That is, providing specific procedures and guidelines on how individual 
employees are to identify and evaluate information for SSI protected 
status is an intrinsic part of DHS's responsibility for effectively 
managing its SSI process and should provide both DHS and the regulated 
parties with confidence that information is given the proper protective 
status. 

DHS said that if a TSA employee incorrectly designates a document as 
SSI while it remains within TSA, there is no impact on the public's 
right to access because the FOIA review process will always result in 
an independent determination regarding the SSI designation and that TSA 
and DHS are committed to releasing as much information as possible. We 
view the management improvements discussed in this report as helping to 
ensure that information that should be withheld from the public is 
protected as well as helping to ensure that other information is 
available to the public. In addition, the fact that an incorrectly 
designated SSI document remains within TSA does not obviate the fact it 
is wrongfully exempted from disclosure. The potential lack of 
visibility to the public that SSI documents exist and the time and 
expense to the public and TSA involved in seeking disclosure of an SSI 
document through FOIA could inhibit the release of information that 
could and possibly should have been in the public domain but for an 
incorrect application of SSI. 

DHS also states that we make no distinction between the obligation to 
"mark" information as SSI, held by all TSA employees, and the authority 
to "designate," held by only a very few high-level employees. It 
explains that all employees can "mark" documents that fall within 15 
categories as SSI but only the high-level employees can "designate" the 
16th category of "other information" by documenting the designation as 
SSI. As we point out in this report, the responsibility of all TSA 
employees goes beyond just marking a document as SSI and includes 
making judgments about what information should be marked as SSI. As we 
state on page 3, while TSA requires a written determination by an 
office with determination authority for information deemed SSI for 1 of 
its 16 SSI categories, according to TSA, only 4 of the remaining 15 
categories automatically become SSI because of the type of document. 
The other 11 require a judgment or analysis to be made to determine if 
the SSI designation is warranted by any TSA employee. Therefore, we 
continue to believe that appropriate guidance and controls are needed 
to effectively manage the process. 

In addition, DHS said that its SSI designation processes are consistent 
with every sensitive but unclassified system in the federal government. 
While we did not review these other systems, we believe that the 
management principles and controls discussed in this report are 
appropriate for the TSA system and would be appropriate for similar 
systems elsewhere. 

DHS said that we made an implied suggestion to quantify and identify 
all documents that have been marked as SSI, and to identify all 
personnel who have marked such documents. We did note in our discussion 
of internal controls that TSA has no policies on accounting for or 
tracking documents designated as SSI. As DHS notes, we did not 
recommend that TSA provide an inventory of the titles or numbers of SSI 
documents. In terms of identifying staff that designate documents as 
SSI, since we are recommending training for all those who designate 
SSI, identification of all personnel who are going to be applying this 
designation would be needed to ensure that all are trained. 

Further, DHS states that we obliquely criticize TSA's ability to 
protect SSI without a date by which the document automatically loses 
its SSI status based on time duration requirements similar to those 
applicable to classified information. We did not recommend that TSA 
should implement time limits for SSI information. Our review showed 
that TSA has no written policies and procedures or systematic reviews 
for determining if and when an SSI designation should be removed. 
Moreover, other than the FOIA request process and other requests for 
disclosure outside of TSA, no procedures exist for a review to 
determine whether a document has been appropriately designated as SSI. 
Such procedures would allow TSA to periodically review SSI designations 
and identify and correct erroneously marked SSI documents while still 
protecting those with valid reasons. 

In commenting on our recommendation that DHS establish clear guidance 
and procedures for using the TSA regulations to determine what 
constitutes SSI, DHS said that TSA's SSI Program Office has already 
taken some steps in line with our recommendation by developing internal 
guidance that expands on the SSI regulation structure to provide 
examples of the types of information that should fall within each SSI 
category. It expects to publish the guidance for general use by TSA 
employees and regulated parties in identifying and handling SSI. 

In commenting on our recommendation that DHS establish clear 
responsibility for the identification and designation of information 
that warrants SSI protection, DHS stated that limiting the number of 
individuals who may designate a document as SSI would lead to 
operational bottlenecks, could lead to inappropriate release of 
security information, and would not be operationally feasible. If it is 
properly done, we do not see how establishing clear responsibility for 
performing a governmental task would lead to these effects. We wish to 
make a distinction between a set of personnel who would have 
responsibility for SSI and a potentially much larger set of employees 
who would be able to designate documents SSI. Those responsible for SSI 
would be accountable for ensuring that those in their domain of 
responsibility have appropriate training and are applying SSI 
appropriately. DHS would then be in a much better position to ensure 
that those responsible for SSI are held accountable, have appropriate 
training, and are applying SSI appropriately. 

DHS agreed with our recommendation for DHS to establish internal 
controls that clearly define responsibility for monitoring compliance 
with regulations, policies, and procedures governing the SSI 
designation process and communicate that responsibility throughout TSA. 
DHS said it had already undertaken action to develop internal controls, 
including audit functions, which will define responsibility for 
monitoring compliance with regulations, policies, and procedures 
governing the SSI designation process and will communicate that 
responsibility throughout TSA. 

In commenting on our recommendation that DHS establish policies and 
procedures within TSA for providing specialized training to those 
making SSI designations on how information is to be identified and 
evaluated for protected status, DHS said that it conducts specialized 
SSI training for the SSI Program Office and FOIA staff, and other TSA 
offices making SSI designations. In addition, it is expanding 
specialized training to those offices within the agency that create the 
majority of SSI. This is a good first step in addressing our 
recommendation, but falls short of its overall intent because SSI 
regulations extend the SSI designation authority to all TSA employees 
and do so without giving them specific procedures and guidance, 
beyond the regulations, upon which to base their judgments. Thus, 
policies and procedures for providing specialized training to all TSA 
employees authorized to make an SSI designation will still be needed. 
In this regard, in our report, we quote an October 14, 2004, TSA 
memorandum that says in part, "identification of SSI has often appeared 
to be ad-hoc, marked by confusion and disagreement depending on the 
viewpoint, experience, and training of the identifier." We believe this 
statement speaks to the need for specialized training for all those who 
designate materials as SSI. 

As agreed with your offices, unless you publicly announce the contents 
of this report earlier, we plan no further distribution until 30 days 
from the report date. At that time, we will send copies of this report 
to other interested congressional committees and to the Secretary of 
the Department of Homeland Security and the Administrator of the 
Transportation Security Administration. We will also make copies 
available to others upon request. In addition, the report will be 
available at no charge on GAO's Web site at http://www.gao.gov. 

If you or your staff have any questions about this report, please 
contact me at (202) 512-8777 or EkstrandL@gao.gov. Contact points for 
our Offices of Congressional Relations and Public Affairs may be found 
on the last page of this report. Key contributors to this report were 
Glenn G. Davis, Vickie Miller, R. Rochelle Burns, Julian King, Thomas 
Lombardi, David Hooper, David Plocher, Dolores McGhee, Nikki Clowers, 
Kim Gianopoulos, Davi D'Agostino, Ann Borseth, William Cawood, Casey 
Keplinger, David Alexander, Katherine Davis, and Larry Harrell. 

Signed by: 

Laurie E. Ekstrand, 
Director: 
Homeland Security and Justice Issues: 

[End of section]

Appendix I: Briefing Slides: 

[See PDF for images] 

[End of slide presentation] 

[End of section]

Appendix II: Comments from the Department of Homeland Security: 

U.S. Department of Homeland Security: 
Washington, DC 20528: 

June 14, 2005: 

Ms. Laurie E. Ekstrand: 
Director, Homeland Security and Justice Issues: 
U.S. Government Accountability Office: 
441 G Street, N.W.: 
Washington, D.C. 20548: 

Dear Ms. Ekstrand: 

RE: Draft Report GAO 05-677, Transportation Security Administration: 
Clear Policies and Oversight Needed for Designation of Sensitive 
Security Information: (Job Code 440363): 

Thank you for the opportunity to review and comment on the subject 
draft report. The Department of Homeland Security (DHS) generally 
concurs with the GAO recommendations, which are consistent with 
on-going Transportation Security Administration (TSA) efforts to improve 
Sensitive Security Information (SSI) program processes. However, we 
take strong exception with the analyses and conclusions. Specifically, 
the report mischaracterizes the nature of SSI by incorrectly applying 
concepts associated with classified information management to SSI 
information, which falls within a Sensitive But Unclassified (SBU) 
information category. SBU information includes such broadly used 
categories as For Official Use Only (FOUO) and Law Enforcement 
Sensitive (LES). This construct colors the entire report and may lead 
the reader to fundamental misunderstandings regarding the issues 
surrounding SSI. The SSI designation covers such information as airport 
and seaport security plans, screening procedures, operating parameters 
of screening equipment, vulnerability assessments, and other 
information that could be exploited by terrorists to harm the public 
and the nation's transportation systems. 

The following discussion supports our position that GAO's analyses and 
conclusions are not valid because of how GAO evaluated the SSI program. 

SSI is the Only Practical Means for Sharing Security Information with 
Regulated Parties. 

SSI is primarily an information management tool that allows TSA to 
share information regarding transportation security with industry and 
foreign entities that have a need to know the information, but might 
not possess security clearances necessary for them to receive 
classified information. Sensitive information regarding transportation 
security can be shared with regulated parties without the limitations 
that would be imposed if the information were treated as a form of 
classified information. For example, TSA can distribute essential 
Security Directives and screening procedures in a timely manner to the 
multitude of airport and aircraft operators, both domestic and foreign, 
that transport the public. Detailed screening procedures can be 
provided to 45,000 TSA screeners without classified materials security 
clearances and without onerous handling limitations required for 
classified information including specifically approved safes and 
security logs. The absence of a robust SSI program would degrade both 
the prompt distribution of security information to persons with a need 
to know the information, and the free exchange of ideas among regulated 
parties to further transportation security. 

SSI is also a mechanism for protecting transportation security 
information from indiscriminate release to those individuals who may 
seek to use government transparency as a means for obtaining 
information to harm the general public and the nation's transportation 
infrastructure. It has been widely reported that public source 
information has been specifically identified as an Al-Qaeda information 
resource.[NOTE 1] Congress recognized the tension between this 
demonstrated need to protect certain information, and the mandate to 
support transparency in government operations, and concluded that SSI 
must be exempt from the Freedom of Information Act (FOIA), 5 U.S.C. 
§552. [NOTE 2] 

While the ability to protect SSI from release under FOIA is a critical 
component of SSI, it is ultimately a small part of the SSI system and 
subsumed within the overall purpose of sharing information with 
regulated parties that TSA would otherwise not be able to readily 
provide. It is through this protection under a statutory FOIA exemption 
that such information as Airport Security Plans, Security Directives, 
screening equipment limitations, vulnerability assessments, Federal Air 
Marshal deployment information, and other security information are 
protected from release to any person who files a request for documents 
under FOIA. Accordingly, TSA conducts a three-part SSI review of every 
document requested by the public to determine the appropriateness of 
any redaction that results in the withholding of SSI from the public. 
Through this process, TSA ensures that the public's right to access 
information about TSA operations is fully implemented. It is also 
through this process that TSA validates its identification of SSI 
documents, because it is only at this point that SSI restrictions most 
impact the public. If a TSA employee incorrectly marks a document as 
SSI while it remains within TSA, there is no impact on the public's 
right to access because the FOIA review process will always result in 
an independent determination regarding the SSI marking. Similar 
procedures exist for other avenues through which the public receives 
information, including Congressional, media, or litigation-related 
requests. In every case, TSA and DHS are committed to releasing as much 
information as possible. 

SSI Designation Processes are Appropriate and Consistent with Every SBU 
Management System in Federal Government: 

Like all SBU programs across the government, it is the obligation of 
every regulated person, whether TSA employee or employee of an entity 
covered by the SSI regulation, to mark as SSI those documents that 
clearly fall within defined SSI categories set out in the SSI 
regulation at 49 C.F.R. Part 1520, Protection of Sensitive Security 
Information. Thus, if an employee creates a vulnerability assessment of 
a transportation facility, there is no requirement for that employee to 
obtain permission from the equivalent of an original classification 
authority to mark and protect that document as SSI, because TSA has 
already designated vulnerability assessments as SSI in its published 
regulation. This marking obligation is no different from the obligation 
of any Federal employee in any Federal agency to mark as "FOUO" a 
sensitive document intended to be distributed for official use within 
the government. TSA is not aware of any examples of more effective or 
tightly tracked SBU systems within the Government. 

The power to designate documents that may not clearly fall within the 
defined categories at 49 C.F.R. §§1520.5(b)(1)-(15), however, is 
limited to only seven TSA senior-level employees. That designation must 
be accompanied by a formal memorandum explaining the basis for 
designating the document as SSI. That form of designation, beyond the 
fifteen categories established by regulation, is used by TSA for only 
four items of information. GAO's report makes no distinction between 
the obligation to mark information as SSI, held by all employees, and 
the authority to designate, held by only a very few high level 
employees. [NOTE 3] 

It is for this reason that GAO's implied suggestion to quantify and 
identify (to GAO standards) all documents that have been marked as SSI, 
and all personnel who have marked such documents, is unworkable. The 
Government requires that agencies report the numbers and classification 
levels (Top Secret, Secret, or Confidential) of classified documents, 
but does not require reporting the titles of classified documents at 
any level, including Top Secret. We note that GAO did not recommend 
that TSA provide an inventory of the titles or numbers of SSI 
documents. Performing such inventories would impose enormous 
administrative burdens that would require a vastly enlarged bureaucracy 
to implement. So long as the document falls within an SSI category 
established by regulation, it is the obligation of anyone who creates a 
document falling within that category to mark the document as SSI. In 
addition, SSI documents are created by non-TSA individuals including 
industry, Coast Guard, and the Federal Aviation Administration (FAA) 
personnel. Given that all documents that contain SSI created by any of 
these individuals must be marked and protected, developing a system to 
identify and track each potential and actual user, document, and title 
is not viable. 

Similarly, limiting the number of personnel who mark a document SSI 
would also be unworkable. In a classified information system, an 
original classification authority uses a classification guide to 
determine whether a document should be classified. Within the SSI 
system, the SSI regulation serves a function similar to a 
classification guide by providing a framework for what should or should 
not be SSI. Since security information pervades TSA's mission and daily 
operations, limiting the ability to mark documents as SSI to a few 
individuals would create an information bottleneck without appreciably 
reducing the number of documents ultimately marked as SSI. Furthermore, 
it would risk the potentially inappropriate release of security 
information that should remain protected, as unmarked SSI documents are 
more difficult to protect and handle appropriately. The GAO report does 
not contest the substance of the SSI regulation covering the categories 
under which TSA appropriately marks SSI documents. 

Finally, while the report does not recommend that TSA implement time 
limits for SSI information, GAO obliquely criticizes TSA's ability to 
protect SSI without a date by which the document automatically loses 
its SSI status. The reasons for designating information as SSI often 
remain valid for an indefinite period of time. While much classified 
information is time sensitive because it exists to protect sources of 
intelligence as much as the intelligence itself, SSI-designated 
operating procedures or screening equipment capabilities, for example, 
will remain sensitive so long as those procedures or that equipment 
remains in use, and do not become "stale" simply through the passage of 
time. Conversely, the SSI information may become obsolete much more 
rapidly than classified information if the procedures change 
substantially and could be de-designated before it would under a set 
schedule. As the GAO report acknowledges, the SSI regulation provides a 
mechanism for determining that a document should no longer be SSI. (49 
C.F.R. § 1520.5(c)). 

GAO Recommendations and TSA Response: 

GAO Recommendation: Establish clear guidance and procedures for using 
the TSA regulations to determine what constitutes SSI. 

TSA Response: TSA SSI regulations already provide a framework for 
determining what constitutes SSI. The TSA SSI Program office, created 
in February of this year within the Office of the Chief of Staff and 
assigned SSI policy and training functions, has also developed internal 
guidance that expands on the SSI regulation structure to provide 
examples of the types of information that should fall within each 
category. That guidance is an on-going effort that reflects the 
continued experience of the office with FOIA review, litigation support 
efforts, and general outreach with regulated parties. The SSI Program 
office expects to publish the guidance for general use by TSA employees 
and regulated parties in identifying and handling SSI. 

GAO Recommendation: Establish clear responsibility for the 
identification and designation of information that warrants SSI 
protection. 

TSA Response: Currently, only seven senior-level TSA employees have the 
authority to designate as SSI a document that does not fall within one 
of the fifteen categories specified in 49 C.F.R. §1520.5(b). Each 
covered person, including TSA employees, has an obligation to 
appropriately mark documents that fall within the fifteen categories. 
Those obligations are spelled out in the regulation, and in mandatory 
SSI training provided to every TSA employee. 

Furthermore, limiting the number of individuals that may mark a 
document as SSI would lead to operational bottlenecks and to the 
potentially inappropriate release of security information that should 
remain protected. There would be no increase in the number of documents 
released to the public, since documents falling within the SSI 
regulation would ultimately still be marked SSI. Such a limitation 
impairs the utility of SSI as a system of shared, secure information, 
and would not be operationally feasible. As noted earlier, GAO did not 
recommend that TSA provide an inventory of the titles or numbers of SSI 
documents. To reiterate, performing such inventories would impose 
enormous administrative burdens requiring a vastly enlarged 
bureaucracy. So long as the document falls within an SSI category 
established by regulation, it is the obligation of anyone who creates a 
document falling within that category to mark the document as SSI. In 
addition, SSI documents are created by non-TSA individuals including 
industry, Coast Guard, and FAA personnel. Because all documents that 
contain SSI created by any of these individuals must be marked and 
protected, developing a system to identify and track each potential and 
actual user, document, and title is not viable. The TSA SSI Program 
Office is currently designing materials that will further educate all 
TSA employees and other covered persons through clear policies, 
procedures, responsibilities, and guidance for identifying and marking 
SSI. 

GAO Recommendation: Establish internal controls that clearly define 
responsibility for monitoring compliance with regulations, policies, 
and procedures governing the SSI designation process and communicate 
that responsibility throughout TSA. 

TSA Response: TSA recognized shortcomings in SSI practices in the 
beginning of 2004 and charged the Internal Security Policy Board to 
make recommendations to improve TSA SSI practices. That Board 
recommended on October 14, 2004 that a central SSI Program Office be 
created and staffed, which has been accomplished. The SSI Program 
Office is currently developing internal controls, including audit 
functions, which will define responsibility for monitoring compliance 
with regulations, policies, and procedures governing the SSI 
designation process and will communicate that responsibility throughout 
TSA. 

GAO Recommendation: Establish policies and procedures within TSA for 
providing specialized training to those making SSI designations on how 
information is to be identified and evaluated for protected status. 

TSA Response: TSA already conducts specialized SSI training for SSI 
Program Office and FOIA staff, who review all FOIA requests prior to 
release to the public, and other TSA offices. TSA also has provided and 
is expanding specialized training to those offices within the agency 
that create the majority of SSI. TSA will continue to develop and 
provide more substantive training throughout TSA, including 
dramatically expanded guidance on identification and marking. 

Thank you again for the opportunity to comment on this draft report. We 
are providing technical comments to your office under separate cover 
and trust that they will be considered for inclusion in the final 
report. We believe that most of the comments provide added context, 
background, and support for our position. [NOTE 4] 

Sincerely,

Signed by: 

Steven J. Pecinovsky: 

Director, Departmental GAO/OIG Liaison Office: 
Office of the Chief Financial Officer: 

MMCP: 

NOTES: 

[1] On January 14, 2003, the Department of Defense reported that an Al 
Qaeda training manual recovered in Afghanistan stated that "Using 
public sources openly and without resorting to illegal means, it is 
possible to gather at least 80% of information about the enemy." 
http://www.ioss.gov/docs/rumsfeld_14jan03.html. 

[2] 49 U.S.C. §114(s). 

[3] Designation authority is currently limited to the Assistant 
Secretary for Transportation Security (TSA Administrator), Deputy 
Assistant Secretary, SSI Program Office Director, Chief Technology 
Officer, Assistant Administrator for Transportation Security 
Intelligence Service, Assistant Administrator for Intermodal Programs, 
and Assistant Administrator for Aviation Programs. 

[4] In its technical comments, TSA addresses one incident that left a 
negative perception of TSA SSI practices. The GAO draft report noted an 
incident in which TSA prepared responses to questions submitted to the 
House Appropriations Homeland Security Subcommittee that were marked 
SSI, but that one month earlier had not been so marked. The incident 
was the result of an expedited review to accommodate a House 
Appropriations Committee schedule under which the normal SSI review 
process could not be accommodated. The result was that certain 
responses out of 373 questions were marked SSI because the materials 
fell within certain categories of the SSI regulation and there was no 
time to undertake a public source review that would have shown that the 
material was in the public domain. Once a review was undertaken, it was 
determined that 7 of the responses should not have been marked SSI. 
Given the unique circumstances of this particular request, where 
judgment had to be exercised quickly, favoring the preservation of 
security seemed the most appropriate course. 

[End of section] 

FOOTNOTES

[1] GAO, Standards for Internal Control in the Federal Government, 
GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999). 

[2] The Homeland Security Act of 2002 established 49 U.S.C. § 114(s) as 
TSA's SSI authority. TSA codified its SSI regulations at 49 C.F.R. part 
1520. 

[3] A subset of one of the judgment categories, 49 C.F.R. § 
1520.5(9)(iii), also falls within this determination category. 

[4] TSA identified two categories of information--§§ 1520.5(b)(9)(iii) 
and 1520.5(b)(16)--that require a written determination by an office 
with determination authority to be designated SSI. 

[5] According to a TSA official, TSA processed 99 FOIA requests 
involving or related to SSI in 2003 and 129 requests in 2004. The TSA 
official said that, of the total requests processed in 2003, no 
requests were granted in whole, 63 requests were granted in part, and 
36 requests were denied in full. The official also said that, of those 
129 requests processed in 2004, no requests were granted in whole, 92 
requests were granted in part, and 37 requests were denied in full. 
