GAO-08-232R, Transportation Security Administration's Processes for Designating and Releasing Sensitive Security Information


This is the accessible text file for GAO report number GAO-08-232R 
entitled 'Transportation Security Administration's Processes for 
Designating and Releasing Sensitive Security Information' which was 
released on December 3, 2007.

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

GAO-08-232R: 

United States Government Accountability Office: 
GAO: 

November 30, 2007: 

The Honorable Robert C. Byrd:
Chairman:
The Honorable Thad Cochran:
Ranking Member:
Subcommittee on Homeland Security: 
Committee on Appropriations:
United States Senate: 

The Honorable David Price:
Chairman:
The Honorable Harold Rogers:
Ranking Member:
Subcommittee on Homeland Security: 
Committee on Appropriations:
House of Representatives: 

Subject: Transportation Security Administration's Processes for 
Designating and Releasing Sensitive Security Information: 

Since the September 11, 2001, terrorist attacks, federal agencies have 
faced the challenge of protecting sensitive information from terrorists 
and others without a need to know while sharing this information with 
parties who are determined to have such a need. One form of protection 
involves identifying and marking such information sensitive but 
unclassified--information that is generally restricted from public 
disclosure but not designated as classified national security 
information. 

As part of post-September 11 efforts to better share information 
critical to homeland protection, sensitive but unclassified information 
has undergone scrutiny by Congress and GAO. In March 2006, we reported 
results from our survey of 26 federal agencies, from which we found 
that most of the agencies lacked policies and procedures for 
designating and releasing sensitive but unclassified information. As a 
result, we recommended governmentwide implementation of (1) guidance 
for determining what information should be protected with sensitive but 
unclassified designations, (2) provisions for training on making 
designations and for controlling and sharing information with other 
entities, and (3) a review process to determine how well the program is 
working.[Footnote 1] 

The Department of Homeland Security's (DHS) Transportation Security 
Administration (TSA) requires that certain information be protected 
from public disclosure as part of its responsibility for securing all 
modes of transportation. TSA, through its authority to protect 
information as sensitive security information (SSI), prohibits the 
public disclosure of information obtained or developed in the conduct 
of security activities that, for example, would be detrimental to 
transportation security. According to TSA, SSI may be generated by TSA, 
other DHS agencies, airports, aircraft operators, and other regulated 
parties when they, for example, establish or implement security 
programs or create documentation to address security requirements. 

In February 2005, TSA established its SSI office to develop and 
implement TSA policies concerning the handling, training, and 
protection of such information. Through this office, TSA has 
established regulations that allow for the sharing of SSI with covered 
persons having a need to know--including airport and aircraft 
operators, foreign vessel owners, and TSA employees.[Footnote 2] If, 
however, persons who do not otherwise have a need to know request 
access to SSI, TSA may share or release such information if it 
determines the information no longer requires protection as SSI. Also, 
in the course of a civil proceeding, a requesting party or the party's 
attorney may be granted access to SSI after being cleared through a 
background check. This is permissible if the party has established that 
it has a substantial need for relevant SSI and that it is unable, 
without undue hardship, to obtain the substantial equivalent by other 
means. Furthermore, TSA or the judge in the civil proceeding must 
determine that the sensitivity of the information at issue does not 
present a risk of harm to the nation. 

Congress has had ongoing interest in whether TSA is consistently and 
appropriately designating information as SSI and balancing the trade- 
off between the need to protect SSI and the need to provide useful 
information to the public. Section 525 of the DHS Appropriations Act, 
2007 (Public Law 109-295), required the Secretary of DHS to revise 
Management Directive (MD) 11056, which establishes DHS policy regarding 
the recognition, identification, and safeguarding of SSI, to (1) review 
requests to publicly release SSI in a timely manner and establish 
criteria for the release of information that no longer requires 
safeguarding; (2) release certain SSI that is 3 years old, upon 
request, unless it is determined the information must remain SSI or is 
otherwise exempt from disclosure under applicable law; and (3) provide 
common and extensive examples of the 16 categories of SSI (see app. I 
for a list of the categories) to minimize and standardize judgment by 
persons identifying information as SSI.[Footnote 3] The law further 
prescribed steps that must be taken during the course of a civil 
proceeding in the U.S. District Courts to provide a party with access 
to relevant SSI. This provision also required us to report to the 
Committees on Appropriations of the Senate and House of Representatives 
on DHS's progress and procedures in implementing these requirements not 
later than 1 year from the date of the law's enactment (October 4, 
2006). 

In addition to answering this mandate, we are following up on a June 
2005 report in which we recommended that DHS direct the Administrator 
of TSA to establish (1) guidance and procedures for using TSA 
regulations to determine what constitutes SSI, (2) responsibility for 
the identification and determination of SSI, (3) policies and 
procedures within TSA for providing training to those making SSI 
determinations, and (4) internal controls[Footnote 4] that define 
responsibilities for monitoring compliance with SSI regulations, 
policies, and procedures and communicate these responsibilities 
throughout TSA.[Footnote 5] 

To respond to the mandate and update the status of all four of our 
recommendations, we assessed DHS's: 

* status in establishing criteria and examples for identifying SSI; 

* efforts in providing training to those that identify and designate 
SSI; 

* processes for responding to requests to release SSI, including the 
legislative mandate to review various types of requests to release SSI; 
and: 

* efforts in establishing internal controls that define 
responsibilities for monitoring SSI policies and procedures. 

To address these objectives, we reviewed applicable DHS management 
directives, policies and procedures, and other related documents, and 
interviewed TSA and DHS officials involved in, the SSI designation, 
training, document review, and oversight processes. While our review 
focused on the policies and procedures developed by TSA, we also 
interviewed officials involved in the SSI designation, training, 
document review, and oversight processes for four other DHS components 
to better understand the use of SSI throughout DHS. We compared the 
internal controls in place with the standards for internal control in 
the federal government to determine whether TSA's internal controls are 
designed to provide reasonable assurance that monitoring exists to help 
ensure compliance with SSI regulations, policies, and procedures. 
[Footnote 6] We also used as criteria GAO-developed core 
characteristics of a strategic training program to assess whether TSA 
has created and implemented the training necessary for staff to make 
SSI determinations.[Footnote 7] We determined that the data were 
sufficiently reliable for the purposes of our review. We based our 
decision on an assessment of existing documentation on program 
operations and interviews with knowledgeable officials about the source 
of the data and TSA's policies and procedures for collecting and 
maintaining the data. 

On October 4, 2007, we provided a copy of our briefing slides to your 
staff. This report conveys the information that was provided in these 
slides (see app. I). 

We conducted our work from May 2007 through October 2007 in accordance 
with generally accepted government auditing standards. 

Results: 

DHS, primarily through TSA's SSI Office, has addressed all of the 
legislative mandates from the DHS Appropriations Act, 2007, and taken 
actions to satisfy all of the recommendations from our June 2005 report. 

DHS revised its MD to address the need for updating SSI guidance, and 
TSA has established more extensive SSI criteria and examples that 
respond to requirements in the DHS Appropriations Act, 2007, and our 
2005 recommendation that TSA establish guidance and procedures for 
using TSA regulations to determine what constitutes SSI. Further, TSA 
has documented the criteria and examples in various publications to 
serve as guidance for identifying and designating SSI. TSA has also 
shared its documentation of the criteria and examples with other DHS 
agencies. For example, the U.S. Coast Guard and U.S. Customs and Border 
Protection either have developed or are in the process of developing 
their own SSI examples to correspond with the types of SSI that their 
agencies encounter. Additionally, officials we interviewed from other 
DHS components have recognized opportunities to adapt TSA's criteria to 
their offices' unique needs. Furthermore, TSA has appointed SSI 
coordinators at all program offices to, among other things, implement 
SSI determination policy. This action responds to our 2005 
recommendation that TSA establish responsibility for identifying and 
determining SSI. 

TSA's SSI Office is in the process of providing SSI training to all of 
TSA's employees and contractors in accordance with its recently 
established policies and procedures, an action that responds to our 
2005 recommendation. The office uses a "train the trainer" program in 
which it instructs SSI program managers and coordinators who are then 
expected to train appropriate staff in their respective agencies and 
programs. Several aspects of the SSI training program that we evaluated 
are consistent with GAO-identified components of a strategic training 
program. TSA has taken actions to incorporate stakeholder feedback and 
establish policies to collect data to evaluate its training program and 
foster a culture of continuous improvement. For example, the SSI Office 
assesses the accuracy of the designations made by various DHS agencies 
and contacts the agencies, when necessary, to correct any problems. 
Additionally, TSA has taken action to coordinate training activities 
within and among DHS agencies. For instance, the SSI Office shares its 
guidance with other DHS components so that program managers can create 
customized training programs that will meet the needs of their staff. 

Consistent with the legislative mandate, DHS has taken actions to 
update its processes to respond to requests to release SSI. 
Specifically, DHS revised MD 11056 in accordance with the DHS 
Appropriations Act, 2007, to incorporate a provision that all requests 
to publicly release SSI will be reviewed in a timely manner, including 
SSI that is at least 3 years old. Between February 2006 and January 
2007, the SSI Office received 490 requests to review records pertaining 
to the release of SSI, the majority of which came from government 
entities (62 percent). The SSI Office worked with the requesting 
government entity to agree upon a time frame for processing the 
request. Within the same 12-month period, 30 percent of requests were 
initiated by the public under the Freedom of Information Act 
(FOIA).[Footnote 8] The SSI Office has established a process for 
reviewing information requested through the FOIA process in 5 days, 
unless the information consists of more than 100 pages. The remaining 8 
percent of requests within the 12-month period came from individuals in 
connection with litigation, including civil proceedings within the U.S. 
District Courts. According to TSA, parties have sought SSI in nine 
civil proceedings since the enactment of the DHS Appropriations Act, 
2007, in October 2006. In one such proceeding, the litigant requested 
that TSA make a final determination on the request for access to SSI. 
TSA, in accordance with the law, made a final determination in which it 
released some of the requested SSI but withheld other SSI because of 
the sensitivity of the information or because it was not relevant to 
the litigation. TSA's SSI Office stated that all information that is at 
least 3 years old that does not warrant continued protection as SSI is 
released upon request. The SSI Office uses a controlled access database 
to document the completion of its steps in reviewing requests to 
release SSI, which serves as a quality control mechanism. 

The internal controls that TSA designed for SSI are consistent with 
governmentwide requirements and respond to our 2005 recommendation. For 
example, standards for internal controls in the federal government 
state that areas of authority and responsibility be clearly defined by 
a supportive management structure and that controls be in place to 
ensure that management's directives are carried out. The revised DHS MD 
11056 outlined areas of authority for the monitoring of and compliance 
with SSI policy. Further, the MD established managers and coordinators 
within DHS agencies and programs, respectively, to communicate SSI 
responsibilities to DHS staff. Standards for internal controls in the 
federal government also call for monitoring activities to assess the 
quality of program performance over time and ensure that problems 
raised during quality reviews are promptly resolved. TSA program 
managers and coordinators are required to periodically complete self- 
inspections on the use of SSI for their respective office or agency. 

Agency Comments: 

We provided a draft of this report to DHS for review and comment. DHS 
did not submit any formal comments. However, TSA provided technical 
comments and clarifications, which we incorporated, as appropriate. 

We are sending copies of this report to other interested congressional 
committees and to the Secretary of the Department of Homeland Security 
and the Administrator of the Transportation Security Administration. We 
will also make copies available to others upon request. In addition, 
the report will be available at no charge on GAO's Web site at 
[hyperlink, http://www.gao.gov]. 

If you or your staff have any questions concerning this report, please 
contact me at (202) 512-6510 or by e-mail at Larencee@gao.gov. Contact 
points for our Offices of Congressional Relations and Public Affairs 
may be found on the last page of this report. Key contributors to this 
report were Glenn Davis, Assistant Director; Brian Sklar; Nicole 
Harris; Thomas Lombardi; Katherine Davis; Carolyn Ikeda; and Michele 
Fejfar. 

Signed by: 

Eileen R. Larence, Director:
Homeland Security and Justice Issues: 

Enclosure: 

[End of section] 

Appendix I: Information for Congressional Committees: 

Transportation Security Administration’s (TSA) Processes for 
Designating and Releasing Sensitive Security Information (SSI): 

Briefing to the Appropriations Committees: October 4, 2007: 

Introduction: 

* After the terrorist attacks of September 11, 2001, the Aviation and 
Transportation Security Act (ATSA) was enacted on November 19, 2001, 
with the primary goal of strengthening the security of the nation’s 
aviation system; 

* ATSA created TSA as the agency responsible for the security of all 
modes of transportation and extended most civil aviation security 
responsibilities, including authority to designate Sensitive Security 
Information, from the Federal Aviation Administration (FAA) to TSA; 
and; 

* TSA’s SSI authority is codified at 49 U.S.C. § 114(s) and its SSI 
regulations are codified at 49 C.F.R. part 1520. 

* SSI constitutes one category of “Sensitive but Unclassified” (SBU) 
information – information generally restricted from public disclosure 
but that is not classified national security information.
- SSI is an SBU category specifically required by statute (other 
examples include Protected Critical Infrastructure Information and 
Privacy Act information).
- Categories of SBU information not specifically mandated by statute 
include For Official Use Only and Law Enforcement Sensitive 
Information. 

* The Freedom of Information Act (FOIA) is the primary process for 
releasing information to (and for withholding information from) the 
public, as appropriate. See 5 U.S.C. § 552. SSI, by statute, is exempt 
from disclosure under FOIA. 

* TSA, through its SSI authority, prohibits the public disclosure of 
information obtained or developed in the conduct of security activities 
that would be detrimental to transportation security. 

* According to TSA, SSI is generated by TSA, other DHS agencies, 
airports, aircraft operators, and other regulated parties, when they 
are establishing or implementing security programs or documentation to 
address security requirements. 

* SSI regulations allow for the sharing of SSI with covered persons 
having a need to know–including airport operators, aircraft operators, 
foreign vessel owners, TSA employees, and other persons.[Footnote 9] 

* According to TSA, safeguarding information as SSI allows controlled 
information sharing with covered persons to meet TSA’s mission to 
protect the nation’s transportation systems. 

TSA’s SSI Office: 

* Was established in February 2005 to develop and implement TSA 
policies concerning SSI handling, training, and protection. 

* Provides guidance and training to other DHS agencies that use SSI, 
such as U.S. Customs and Border Protection, and serves as the Chair of 
the SSI Oversight Committee, which meets monthly to share SSI guidance 
and best practices. 

* Reviews requests for SSI, including FOIA requests that might contain 
SSI. 

* Is not responsible for ensuring the appropriate use of SSI markings 
by other DHS agencies. The exception to this rule occurs when the SSI 
Office is asked by other agencies to assist in responding to a request 
to release SSI. In such cases, the SSI Office reviews the information 
and provides a determination to the other agency as to whether the 
information has been appropriately marked as SSI. 

There is ongoing congressional interest in whether TSA is applying the 
SSI criteria consistently and appropriately and balancing the trade-off 
between the need to protect SSI and the need to provide useful 
information to the public. 

One example of an instance is when an individual might seek SSI in 
connection with a civil proceeding in a U.S. District Court. TSA will 
make an initial determination on whether the party has a substantial 
need for any of the specific SSI to which access is sought and whether 
the sensitivity of the issue is such that any provisions of access 
would present a risk of harm to the nation. 

Section 525 of the DHS Appropriations Act, 2007 (Public Law 109-295), 
requires the Secretary of DHS to revise Management Directive (MD) 
11056–which establishes the department’s policy regarding the 
recognition, identification, and safeguarding of SSI–to provide for the 
following:[Footnote 10] 

* review requests to publicly release SSI in a timely manner and 
release information that no longer requires safeguarding as SSI; 

* release certain SSI that is 3 years old upon request unless it is 
determined the information must remain SSI or is otherwise exempt from 
disclosure under applicable law; and; 

* provide common and extensive examples of the 16 categories of SSI 
(see attachment 1 for a list of the categories) to minimize and 
standardize judgment by persons identifying information as SSI. 

The law further prescribes steps that must be taken during the course 
of a civil proceeding in the U.S. District Courts when a party seeking 
access to SSI demonstrates a substantial need for the information and 
cannot, without undue hardship, obtain the substantial equivalent of 
the information by other means. 

This law also requires GAO to report to the Committees on 
Appropriations of the Senate and the House of Representatives on DHS 
progress and procedures in implementing these requirements not later 
than 1 year from the date of enactment of the Act (October 4, 2006). 
This briefing responds to that mandate. 

In June 2005,[Footnote 11] we recommended that DHS direct the 
Administrator of TSA to establish: 

* guidance and procedures for using TSA regulations to determine what 
constitutes SSI; 

* responsibility for the identification and determination of SSI; 

* policies and procedures within TSA for providing training to those 
making SSI determinations; and; 

* internal controls that define responsibilities for monitoring 
compliance with SSI regulations, policies, and procedures and 
communicate these responsibilities throughout TSA. 

Objectives: 

To respond to the mandate and update the status of our recommendations, 
we established four objectives. Specifically, we assessed DHS’s: 

1. status in establishing criteria and examples for the identification 
of SSI; 

2. efforts in providing training to those that identify and designate 
SSI; 

3. processes for responding to requests to release SSI, including the 
legislative mandate to review various types of requests to release SSI; 
and; 

4. efforts in establishing internal controls that define 
responsibilities for monitoring SSI policies and procedures. 

Scope and Methodology: 

To address the objectives we: 

* reviewed applicable DHS management directives, policies and 
procedures, and other documents related to SSI designation, training, 
document review, and the oversight process, and; 

* interviewed TSA and DHS officials involved in the SSI designation, 
training, document review, and oversight process. 

Our review focused on the policies and procedures developed by TSA’s 
SSI Office, but we also interviewed officials from four additional DHS 
agencies to better understand the use of SSI throughout DHS. 

We compared the internal controls in place with the standards for 
internal control in the federal government to determine whether TSA’s 
internal controls are designed to provide assurance that monitoring is 
in place and a control environment and activities have been 
established.[Footnote 12] 

We also used as criteria GAO-developed core characteristics of a 
strategic training program to assess whether TSA has created and 
implemented the training necessary for staff to make SSI 
determinations.[Footnote 13] 

We determined that the data were sufficiently reliable for the purposes 
of our review. We based our decision on an assessment of existing 
documentation on program operations, and interviews with knowledgeable 
officials about the source of the data and TSA’s policies and 
procedures for collecting and maintaining the data. 

We conducted our work from May 2007 through October 2007 in accordance 
with generally accepted government auditing standards. 

Results in Brief: 

TSA has established SSI criteria and examples, and several DHS agencies 
have recognized opportunities to adapt the SSI criteria to their unique 
needs: 

* DHS revised its MD to address the need for SSI criteria and examples 
in accordance with the law; 

* TSA has shared its documentation of SSI criteria and examples with 
other DHS agencies to help them identify and designate SSI;[Footnote 
14] 

* Officials we interviewed from DHS agencies that work with or generate 
SSI products stated that they have developed, or are in the process of 
developing, their own SSI examples to correspond with the types of SSI 
that their agencies encounter. 

TSA is providing SSI training, and aspects of the training program are 
consistent with several GAO-identified components of a high-quality 
training program: 

* The SSI Office has developed an SSI training program and has shared 
this program with DHS agencies that use and generate SSI; 

* TSA documentation from mid-September 2007 shows that 93.5 percent of 
TSA personnel (all employees and contractors) assigned to headquarters 
and 95.5 percent of TSA personnel assigned to airports have completed 
online SSI training;[Footnote 15] 

* The SSI Office uses a “train the trainer” model in which it trains 
SSI program managers and coordinators who are then expected to train 
appropriate staff in their agency; 

* Several aspects of the SSI training program are consistent with GAO-
identified components of a high-quality training program. For example, 
TSA is soliciting feedback to evaluate the quality of the SSI training 
that it is providing. 

TSA has policies and procedures to respond to all three types of SSI 
requests, and a mechanism is in place to document its processes: 

* The SSI Office has a procedure in place to respond to requests from 
government entities, FOIA-related requests, and requests stemming from 
civil proceedings; 

* TSA plans to publish a Notice of Proposed Rulemaking to articulate 
the process for providing SSI to parties in connection with civil 
proceedings in U.S. District Courts; 

* The SSI Office has a process for recording its steps when reviewing 
requests to release SSI that serves as a quality control mechanism. 

TSA has established internal controls for SSI and created mechanisms to 
communicate these controls, which are consistent with internal control 
standards for the federal government: [Footnote 16] 

* DHS revised its MD to define responsibilities for monitoring the 
compliance with SSI regulations, policies, and procedures; 

* The MD establishes SSI program managers and coordinators to 
communicate SSI responsibilities with staff in their respective offices 
and agencies; 

* Various tools are used to monitor the compliance with SSI 
regulations, policies, and procedures including self-inspections, 
agency audits, and SSI Office reviews based on requests to release SSI; 

* The internal controls TSA designed for monitoring compliance with SSI 
regulations, policies, and procedures are consistent with internal 
control standards for the federal government. 

Objective #1–Criteria and Examples for the Identification of SSI: 

DHS revised MD 11056 in accordance with section 525 of the DHS 
Appropriations Act, 2007, to address the need for common and extensive 
examples of individual categories of SSI. In response to this mandate, 
as well as GAO’s past recommendation, DHS issued a revised MD (MD 
11056.1) and the TSA SSI Office issued the following guidance: 

* Advanced Application Guide: provides SSI criteria and examples for 
each of the categories; 

* One-Page Summary List of SSI Criteria: provides SSI criteria and 
explanatory notes for each category; 

* SSI Identification Guides: provide guidance for identifying SSI 
within the context of specific DHS programs, and; 

* SSI Reviewers’ Guide: provides a more detailed version of the 
Advanced Application Guide that SSI Office analysts use to review 
requests for SSI. 

TSA has shared its SSI criteria and examples with other DHS agencies to 
help them identify and designate SSI. 

Officials we interviewed from DHS agencies that work with or generate 
SSI products stated that they have developed, or are in the process of 
developing, their own SSI examples to correspond with the types of SSI 
that their agencies encounter. For example: 

* U.S. Coast Guard worked with the SSI Office to develop an SSI 
Identification Guide that provides examples of the application of SSI 
criteria to documents generated by the Coast Guard; and; 

* U.S. Customs and Border Protection has identified the need to create 
its own SSI Identification Guide and is currently working with the SSI 
Office to create the guidance. 

Using the SSI criteria and examples provided by the SSI Office, DHS 
agencies that use SSI identify certain records as containing SSI. 
Section 537 of the DHS Appropriations Act, 2006 (Public Law 109-90), 
enacted October 2005, mandated that DHS provide an annual list of all 
DHS documents that are designated SSI in their entirety for the period 
October 1, 2005, through December 31, 2005. Beginning on January 31, 
2007 (and annually thereafter), the DHS Secretary is to provide a 
report on all documents designated SSI in their entirety for the prior 
calendar year. Therefore, the report provided to Congress in 2006 
covered a 3-month period (it was due no later than January 31, 2006), 
whereas the report provided in January 2007 covered the entire prior 
calendar year, 2006. 

There were 118 documents in the report provided by DHS in 2007. 
[Footnote 17] Below are the DHS agencies that generated documents from 
the 2006 list and their relative percentage of documents generated: 

* Coast Guard (50 percent); 
* Office of Science and Technology (37 percent), and; 
* TSA (13 percent). 

As a result of policy updates made by the SSI Office, 282 documents 
generated by TSA determined to be SSI in their entirety as reported to 
Congress in 2006 no longer met the criteria for continued SSI 
protection in their entirety. Therefore, if requested, some of the 
information contained in these documents could be publicly released. 
The removal of the 282 documents also helps to explain the smaller 
number of SSI documents DHS reported to Congress in 2007, particularly 
from TSA. 

Objective #2–Training for Those Who Generate and Use SSI: 

In response to GAO’s recommendation to provide training to staff that 
generate SSI, TSA: 

* Requires new employees to take 60-minute online SSI training within 
the first week of employment. TSA documentation from mid-September 2007 
shows that 93.5 percent of TSA personnel (all employees and 
contractors) assigned to headquarters and 95.5 percent of TSA personnel 
assigned to airports have completed the online training or completed 
the live training;[Footnote 18] 

* Provides recurring training to SSI coordinators from offices within 
DHS agencies that use SSI; 

* Provides 60-minute live training to TSA and selected DHS employees; 

* Develops specialized training for TSA contractors, SSI coordinators, 
and others as needed. 

Although the SSI Office provides training to all SSI program managers 
and coordinators from the DHS agencies that use or generate SSI, the 
program manager from each DHS agency that handles SSI is responsible 
for customizing and evaluating the sufficiency of his or her SSI 
training to meet the agency’s unique program needs. 

The SSI Office is utilizing a “train the trainer” model in which it 
trains SSI program managers and coordinators who are then expected to 
tailor the materials to train the appropriate staff in their agency or 
office. 

TSA’s training and development efforts reflect the following core 
characteristics that GAO has identified for a strategic training 
process:[Footnote 19] 

* Stakeholder Involvement, Accountability, and Recognition: incorporate 
stakeholder feedback throughout the training process and establish 
accountability mechanisms to hold managers and employees responsible 
for learning in new ways: 
- The SSI Office collects stakeholder feedback on its training program 
through training evaluation forms, its e-mail address, over the phone, 
and through the DHS SSI Oversight Committee; 
- In an attempt to establish accountability for whether training has 
led to accurate SSI identifications, the SSI Office requires program 
managers and coordinators to complete self-evaluations that include 
evaluations of a selection of SSI designations in their respective 
office or agency; 
- SSI coordinators are required to complete a self-inspection every 12 
months, and SSI program managers are required to complete a self-
inspection every 18 months;  

* Effective Resource Allocation and Partnerships and Learning from 
Others: provide the appropriate level of funding and resources to 
ensure that training is achieving its missions and goals, and 
coordinate within and among agencies to achieve economies of scale: 
- The creation of the DHS SSI Oversight Committee provides a mechanism 
for interagency coordination; 
- The SSI Office shares its guidance with other DHS components so that 
program managers can create customized training programs that will meet 
the needs of their staff; 
- According to TSA officials, additional funding would allow the SSI 
Office to provide more training and to create a national conference for 
SSI coordinators; 

* Data Quality Assurance and Continuous Performance Improvement: 
establish policies to collect quality data and use these data to 
evaluate the training program, and foster a culture of continuous 
improvement by assessing and refining the training program: 
- The SSI Office provides all DHS staff that complete live SSI training 
with a training evaluation form to evaluate both the content of the 
training and the quality of instruction; 
- During its process of responding to requests to release SSI, the SSI 
Office evaluates the accuracy of designations made by various DHS 
agencies. If the SSI Office finds that the information has been 
inaccurately identified as being SSI, it can contact the DHS agency 
that made the original designation to identify the error. This allows 
DHS agencies to follow up with refined training to correct the problem 
as necessary; 
- The SSI Office began conducting audits within TSA in September 2007 
to evaluate whether SSI is being appropriately marked and protected at 
various airports. The SSI Office invited other program managers to 
attend the audits so that lessons learned from the audits may be 
incorporated by other DHS agencies. 

The aspects of the SSI training program evaluated in this study are 
consistent with GAO identified components of a high-quality training 
program. 

Objective #3–Processes for Responding to Requests to Release SSI: 

Between February 2006 and January 2007, the SSI Office received 490 
requests to review records pertaining to the release of SSI. For 
January 2007 through April 2007, the SSI Office reported the percentage 
of the total requests to review records by each type of request it 
processes, as follows: 

1. requests from government entities (62 percent); 2. FOIA requests 
that may contain SSI (30 percent); and; 3. requests from individuals in 
connection with litigation, including civil proceedings, within U.S. 
District Courts (8 percent).[Footnote 20] 

On most occasions, the SSI Office is able to respond to all types of 
requests within 7-14 days. TSA documentation indicates that the SSI 
Office is able to meet this goal in 92 percent of all requests. The SSI 
Office stated that it is not able to complete all requests within its 7-
14 days due to the size and complexity of certain requests, as well as 
the client’s needs and the SSI Office’s workload. 

Objective #3–Requests for SSI by Government Entities: 

Requests for SSI from government entities can include requests from 
federal, state, local, or tribal governments. 

The SSI Office works with the requesting government entity to agree 
upon a time frame for processing the request. 

All requests for SSI, including requests from government entities, are 
reviewed by the SSI Office through a nine-step process (see attachment 
II for more details on this process). 

Objective #3–Requests for SSI through the Freedom of Information Act: 

The SSI Office has established a process for reviewing information 
requested through the FOIA process in 5 days, unless the request 
contains more than 100 pages. 

The SSI Office and FOIA Office coordinate to establish deadlines for 
FOIA requests that contain more than 100 pages. 

Officials from the TSA FOIA Office stated that the SSI Office responds 
to FOIA requests in a timely manner. 

The SSI Office has provided training to the department’s FOIA Office 
staff members so that they can make basic determinations on whether a 
FOIA request might include SSI. 

Objective #3–Process for Responding to Requests to Release SSI That Is 
at Least 3 Years Old: 

The information that should be designated as SSI, based on the 
application of the current identification (ID) guidance, may change 
over time, given changing circumstances. For example, the TSA 
Administrator may decide to publicly disclose information previously 
designated as SSI to increase public awareness of an issue or security 
program. 

At the time of a request to release SSI, all requested information is 
to be reviewed against the SSI categories and current precedents for 
applying each category. This process is to occur with all requested 
SSI, regardless of the age of the information. 

According to SSI Office officials, the content of the information being 
requested is the relevant factor to be considered, not the age of the 
information. 

All SSI that is at least 3 years old that does not warrant continued 
protection as SSI is released upon request. 

Objective #3–Requests for SSI during Civil Proceedings: 

According to TSA’s Office of Chief Counsel, persons who do not 
otherwise have a “need to know” sought SSI 48 times in connection with 
civil proceedings since TSA was established. Since the enactment of 
Public Law 109-295 in October 2006, 9 such requests for SSI have been 
made in connection with civil proceedings. 

Prior to the passage of Public Law 109-295, TSA did not permit SSI 
access in civil proceedings by persons who did not otherwise have a 
need to know. TSA did submit SSI to courts for in camera review. 
[Footnote 21] 

Section 525(d) of Public Law 109-295 prescribes steps that must be 
taken during the course of a civil proceeding in the U.S. District 
Courts when a party seeking access to SSI demonstrates a substantial 
need for the information and that it cannot, without undue hardship, 
obtain the substantial equivalent of the information by other means. 

Since the enactment of this provision, one litigant has requested that 
TSA make a final determination on a request for SSI access in 
connection with civil proceedings. TSA complied with this request and, 
in accordance with the law, issued a final determination releasing some 
of the requested SSI while withholding other SSI because of the 
sensitivity of the information or because it was not relevant to the 
litigation. 

According to TSA documentation: 

* If TSA or the judge decides that a party in a civil proceeding has 
demonstrated that it has a substantial need for relevant SSI and that 
it is unable without undue hardship to obtain the substantial 
equivalent of the information by other means, and if TSA or the judge 
has determined that the sensitivity of the SSI at issue does not 
present a risk of harm to the nation, TSA will begin a background check 
of the requesting party or the party’s attorney who has been designated 
to view the SSI; 

* Once TSA has received a party’s payment to conduct the background 
check, and the party has completed an SSI threat assessment 
questionnaire and been fingerprinted, it takes approximately 3 weeks to 
complete the background check; 

* If TSA determines that there is risk to the nation to provide a party 
or a party’s attorney with SSI based on the results of the background 
check, TSA will deny the applicant’s request. At that time, the party 
may designate a new attorney to access SSI on its behalf. If this 
occurs, TSA will conduct a background check on the new attorney; 

* The determination of whether SSI will be released to a party in civil 
proceedings is a joint determination made by TSA’s Office of Chief 
Counsel and the SSI Office. 

Objective #3–SSI Office Efforts to Establish Quality Controls for 
Responding to SSI Requests: 

The SSI Office’s use of a controlled access database to document the 
completion of its steps in the review of requests to release SSI serves 
as a quality control mechanism. This is achieved by: 

* incorporating controls in the database so that the previous step must 
be documented before information can be entered in the next step of the 
review process; and; 

* requiring that a senior analyst within the SSI Office approve the SSI 
review and document his or her approval in the database prior to 
releasing information formerly protected as SSI. 

TSA is also currently drafting a Notice of Proposed Rulemaking in 
anticipation of establishing its processes and procedures for 
responding to requests for SSI during civil proceedings. 

Objective #4–DHS SSI Internal Controls Are Consistent with Internal 
Control Standards for the Federal Government: 

TSA has established internal controls for SSI and created mechanisms to 
communicate these controls that are consistent with internal control 
standards for the federal government. [Footnote 22] 

Control Environment and Control Activities: areas of authority and 
responsibility to be clearly defined by a supportive management 
structure and controls in place to ensure that management’s directives 
are carried out: 

* Areas of authority for the monitoring and compliance of SSI policy 
are outlined in the revised DHS MD (MD 11056.1) and other agency and 
departmental guidance; 

* SSI program managers and coordinators have been established in the MD 
to communicate SSI responsibilities with DHS staff. 

Monitoring: information is used to assess the quality of program 
performance over time and problems raised during quality reviews are 
promptly resolved: 

* Controls are in place to provide oversight for each agency’s 
generation and designation of SSI including self-inspection reporting 
methods. The self inspection process requires SSI program managers and 
coordinators to, among other monitoring activities, evaluate a portion 
of records marked as containing SSI; 

* Agencies may also utilize audits of the identification and use of 
SSI. TSA is in the process of conducting such an audit; 

* The SSI Office reviews information in response to requests to release 
SSI, regardless of the agency that originally identified the 
information as SSI. 

The aspects of the SSI internal controls for monitoring activities that 
we evaluated are consistent with internal control standards for the 
federal government. 

Attachment #1–Categories of SSI as Established by TSA at 49 C.F.R. § 
1520.5(b): 

1. Security program and contingency plans; 2. security directives;
3. information circulars;
4. performance specifications;
5. vulnerability assessments;
6. security inspections or investigative information; 7. threat 
information;
8. security measures;
9. security screening information; 10. security training materials;
11. identifying information of certain transportation security 
personnel; 12. critical aviation or maritime infrastructure asset 
information; 13. systems security information;
14. confidential business information; 15. research and development; and
16. other information determined to be SSI in accordance with the 
statute (as designated in writing by the DHS Secretary, the TSA 
Administrator, or the Director of the SSI Office). 

Attachment #2–SSI Office’s Nine-Step Process for Reviewing Document 
Requests[Footnote 23]: 

1) Request: requester submits record for review; 

2) Incoming: request is logged into the SSI Office database and shared 
drive system; 

3) Assignment: request is assigned to review team; 

4) Planning: record is assessed for general content, completeness, 
legibility, etc.; 

5) Analysis: record is reviewed for SSI and working copy is created; 

6) Approval/Final Review: review findings are finalized (return to step 
five if not approved); 

7) Production: visible redaction and/or releasable copies are created 
and quality assurance is performed; 

8) Delivery And Closeout: findings provided to requester, file/document 
management completed; 

9) Re-Evaluation: as needed, additional review work is completed to 
address any requester questions or concerns (return to step five if 
needed). 

(440627): 

[End of section] 

Footnotes: 

[1] GAO, Information Sharing: The Federal Government Needs to Establish 
Policies and Processes for Sharing Terrorism-related and Sensitive but 
Unclassified Information, GAO-06-385 (Washington, D.C.: Mar. 17, 2006). 

[2] "Covered person" is defined at 49 C.F.R. § 1520.7 and includes 
persons permanently or temporarily assigned, attached, or detailed to, 
employed by, or under contract with DHS. Section 1520.11 establishes 
the circumstances under which a person has a need to know SSI, such as 
when a person requires access to specific SSI to carry out 
transportation security activities approved, accepted, funded, 
recommended, or directed by DHS or the Department of Transportation. 

[3] See Pub. L. No. 109-295, § 525, 120 Stat. 1355, 1381-82 (2006). 

[4] Internal control is an integral component of an organization's 
management that provides reasonable assurance that the following 
objectives are achieved: (1) effectiveness and efficiency of 
operations, (2) reliability of financial reporting, and (3) compliance 
with applicable laws and regulations. 

[5] See GAO-05-677, Transportation Security Administration: Clear 
Policies and Oversight Needed for Sensitive Security Information 
(Washington, D.C.: June 29, 2005). 

[6] GAO, Standards for Internal Control in the Federal Government, GAO/ 
AIMD-00-21.3.1 (Washington, D.C.: November 1999). 

[7] GAO, A Guide for Assessing Strategic Training and Development 
Efforts in the Federal Government, GAO-04-546G (Washington, D.C.: March 
2004). 

[8] The Freedom of Information Act is the primary process for releasing 
information to (and for withholding information from) information to 
the public, as appropriate. See 5 U.S.C. § 552. SSI, by statute, is 
exempt from disclosure under FOIA. 

[9] “Covered person” is defined at 49 C.F.R. § 1520.7 and includes 
persons permanently or temporarily assigned, attached, or detailed to, 
employed by, or under contract with DHS. Section 1520.11 establishes 
the circumstances under which a person has a need to know SSI, such as 
when a person requires access to specific SSI to carry out 
transportation security activities approved, accepted, funded, 
recommended, or directed by DHS or the Department of Transportation. 

[10] See Pub. L. No. 109-295, § 525, 120 Stat 1355, 1381-82 (2006). 

[11] See GAO-05-677, Transportation Security Administration: Clear 
Policies and Oversight Needed for Sensitive Security Information 
(Washington, D.C.: June 29, 2005). 

[12] GAO, Standards for Internal Control in the Federal Government, 
GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999). 

[13] GAO, A Guide for Assessing Strategic Training and Development 
Efforts in the Federal Government, GAO-04-546G (Washington, D.C.: March 
2004). 

[14] In the context of this research, we use the term “designate” to 
include the identification and marking of information as SSI. It should 
be noted that the SSI Office uses the term “designate” to mean an 
original SSI determination in writing. See 49 C.F.R. §520.5(b)(9)(iii), 
(16). Under the DHS MD, only the DHS Secretary, the TSA Administrator, 
and the Director of the SSI Office have the authority to designate SSI. 

[15] The SSI Office stated that all TSA employees have not completed 
the online SSI training because of normal attrition, military leave, 
and disability leave. 

[16] GAO/AIMD-00-21.3.1. 

[17] According to the report DHS provided to Congress in 2007, U.S. 
Customs and Border Protection did not report any documents that it 
generated and determined were SSI in their entirety. 

[18] TSA documentation shows that 3,097 out of 3,309 TSA personnel in 
headquarters and 49,626 out of 51,930 personnel assigned to airports 
have completed online SSI training. 

[19] GAO-04-546G. 

[20] According to TSA, additional programming to the SSI Office 
database would be required to show the percentage for the three types 
of SSI requests (litigation, FOIA, and other) for February 2006 – 
January 2007. 

[21] In camera review means a trial judge’s private consideration of 
evidence. 

[22] GAO/AIMD-00-21.3.1. 

[23] GAO analysis of information provided by the TSA SSI Office. 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "Subscribe to Updates." 

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to: 

U.S. Government Accountability Office: 441 G Street NW, Room LM: 
Washington, D.C. 20548: 

To order by Phone: 
Voice: (202) 512-6000: 
TDD: (202) 512-2537: 
Fax: (202) 512-6061: 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: fraudnet@gao.gov: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Gloria Jarmon, Managing Director, JarmonG@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Chuck Young, Managing Director, youngc1@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: