Summary

Since the September 11, 2001, terrorist attacks, federal agencies have faced the challenge of protecting sensitive information from terrorists and others without a need to know while sharing this information with parties who are determined to have such a need. One form of protection involves identifying and marking such information sensitive but unclassified--information that is generally restricted from public disclosure but not designated as classified national security information. The Department of Homeland Security's (DHS) Transportation Security Administration (TSA) requires that certain information be protected from public disclosure as part of its responsibility for securing all modes of transportation. TSA, through its authority to protect information as sensitive security information (SSI), prohibits the public disclosure of information obtained or developed in the conduct of security activities that, for example, would be detrimental to transportation security. According to TSA, SSI may be generated by TSA, other DHS agencies, airports, aircraft operators, and other regulated parties when they, for example, establish or implement security programs or create documentation to address security requirements. Section 525 of the DHS Appropriations Act, 2007 (Public Law 109-295), required the Secretary of DHS to revise Management Directive (MD) 11056, which establishes DHS policy regarding the recognition, identification, and safeguarding of SSI, to (1) review requests to publicly release SSI in a timely manner and establish criteria for the release of information that no longer requires safeguarding; (2) release certain SSI that is 3 years old, upon request, unless it is determined the information must remain SSI or is otherwise exempt from disclosure under applicable law; and (3) provide common and extensive examples of the 16 categories of SSI to minimize and standardize judgment by persons identifying information as SSI. In addition to answering this mandate, we are following up on a June 2005 report in which we recommended that DHS direct the Administrator of TSA to establish (1) guidance and procedures for using TSA regulations to determine what constitutes SSI, (2) responsibility for the identification and determination of SSI, (3) policies and procedures within TSA for providing training to those making SSI determinations, and (4) internal controls4 that define responsibilities for monitoring compliance with SSI regulations, policies, and procedures and communicate these responsibilities throughout TSA. To respond to the mandate and update the status of all four of our recommendations, we assessed DHS's status in establishing criteria and examples for identifying SSI; efforts in providing training to those that identify and designate SSI; processes for responding to requests to release SSI, including the legislative mandate to review various types of requests to release SSI; and efforts in establishing internal controls that define responsibilities for monitoring SSI policies and procedures.

DHS, primarily through TSA's SSI Office, has addressed all of the legislative mandates from the DHS Appropriations Act, 2007, and taken actions to satisfy all of the recommendations from our June 2005 report. DHS revised its MD to address the need for updating SSI guidance, and TSA has established more extensive SSI criteria and examples that respond to requirements in the DHS Appropriations Act, 2007, and our 2005 recommendation that TSA establish guidance and procedures for using TSA regulations to determine what constitutes SSI. TSA's SSI Office is in the process of providing SSI training to all of TSA's employees and contractors in accordance with its recently established policies and procedures, an action that responds to our 2005 recommendation. The office uses a "train the trainer" program in which it instructs SSI program managers and coordinators who are then expected to train appropriate staff in their respective agencies and programs. Several aspects of the SSI training program that we evaluated are consistent with GAO-identified components of a strategic training program. TSA has taken actions to incorporate stakeholder feedback and establish policies to collect data to evaluate its training program and foster a culture of continuous improvement. Consistent with the legislative mandate, DHS has taken actions to update its processes to respond to requests to release SSI. Specifically, DHS revised MD 11056 in accordance with the DHS Appropriations Act, 2007, to incorporate a provision that all requests to publicly release SSI will be reviewed in a timely manner, including SSI that is at least 3 years old. Between February 2006 and January 2007, the SSI Office received 490 requests to review records pertaining to the release of SSI, the majority of which came from government entities (62 percent). The SSI Office worked with the requesting government entity to agree upon a time frame for processing the request. Within the same 12-month period, 30 percent of requests were initiated by the public under the Freedom of Information Act (FOIA). The SSI Office has established a process for reviewing information requested through the FOIA process in 5 days, unless the information consists of more than 100 pages. The remaining 8 percent of requests within the 12-month period came from individuals in connection with litigation, including civil proceedings within the U.S. District Courts. The internal controls that TSA designed for SSI are consistent with governmentwide requirements and respond to our 2005 recommendation.