U.S. Department of Transportation
Federal Highway Administration
Subject: GUIDANCE: Interim Policies and Procedures for 49 CFR Part 15, Protection of Sensitive Security Information
June 7, 2005
Vincent T. Taylor
Heads of Operating Administrations
This memorandum provides interim policy and procedures, pending issuance of a final U.S. Department of Transportation (DOT) order, for the designation, maintenance, safeguarding, and disclosure of records and information that DOT or the Department of Homeland Security/Transportation Security Administration (DHS/TSA) has determined to be Sensitive Security Information (SSI).
The interim policy and procedures in this memorandum are the minimum standards for designating, marking, storing, controlling, transmitting, releasing, and destroying SSI under 49 CFR Part 15, Protection of Sensitive Security Information, 69 Fed. Reg. 28066 (May 18, 2004), as amended by 70 Fed. Reg. 1379 (January 7, 2005). DOT issued Part 15 concurrently with TSA's issuance of 49 CFR Part 1520, a parallel rule. On January 18, 2005 (70 Fed. Reg. 2819), DOT amended a provision of 49 CFR § 1.45 to permit delegation of SSI authority. For further reference, a current copy of 49 CFR Part 15 and 49 CFR § 1.45 is attached to this memorandum.
The Director of the Office of Intelligence, Security, and Emergency Response (S-60) is the principal policy official for SSI within DOT. The Office of the Assistant Secretary for Administration is issuing the following policy and procedures, with the concurrence of both S-60 and the Office of the General Counsel, under its authority to establish policy for the general protection of all types of sensitive information within DOT.
"Sensitive Security Information" (SSI) is defined by 49 CFR 15.5 as sensitive but unclassified information obtained or developed in the conduct of security activities, including research and development, the unauthorized disclosure of which would be an unwarranted invasion of privacy, reveal trade secrets or privileged information, or be detrimental to transportation safety.
Designation of information as SSI is based on the categories of information and records set forth in 49 CFR 15.5. If a specific item of information falls within one or more of the listed categories, it qualifies as SSI. For example, "security programs and contingency plans," "threat information," and "vulnerability assessments" are some of the categories listed in section 15.5(b)(1)-(15). If information fits into one of these categories, it qualifies as SSI. Section 15.5(b)(1)-(15) lists all the categories of information constituting SSI.
Each DOT operating administration should examine section 15.5(b)(1)-(15) to determine which specific information created, collected, or maintained under its purview should be designated and maintained as SSI. Information identified as SSI must be marked and safeguarded in conformity with Part 15 and the policies and procedures in this memorandum. Each operating administration should implement appropriate procedures to protect SSI.
Information designated SSI requires protection against improper disclosure, and its dissemination is restricted to authorized persons, as outlined below. Limiting access to SSI is necessary to guard against persons and entities who pose a threat to transportation security, thereby diminishing their ability to circumvent security measures. The designation of information as SSI shall be balanced against the public's legitimate interest in, and right to know, information about transportation and how its government operates.
Although SSI is subject to certain disclosure limitations, it is not classified national security information ("classified information") as defined by Executive Order 12958, Classified National Security Information, as amended, and is not subject to the requirements of that order. Most notably, a person does not need a security clearance in order to have access to SSI. In addition, Part 15 does not apply to information designated Critical Infrastructure Information (CII) under section 214 of the Homeland Security Act.
Finally, note that SSI is only one type of sensitive unclassified information. In general, sensitive unclassified information is information that reasonably could be expected to cause harm to government programs or facilities or to the public if improperly disclosed. Under 49 U.S.C. 40119(b)(1), information that is SSI is exempted from disclosure by exemption 3 of the Freedom of Information Act (FOIA) (records exempted from disclosure by a statute). Other sensitive unclassified information, while not covered by exemption 3 and not the subject of this memorandum, also can and should be protected from public disclosure - in some cases by using other FOIA exemptions.
Other definitions contained in 49 CFR 15.3 that are important to the policy and procedures in this memorandum include:
"record," which is defined as any means by which information is preserved, irrespective of format, including book, paper, drawing, map, recording, tape, film, photo, machine-readable material, and information stored in electronic format, and includes drafts and proposed or recommended changes to a record; and
"covered person," which is defined as any organization, entity, individual, or person, as specified in section 15.7, subject to the requirements of 49 CFR Part 15. All DOT employees are covered persons, as are contractors, grantees, consultants, licensees, and regulated entities that require access to SSI to perform work.
This policy and these procedures apply to all DOT employees and to all DOT contractors, grantees, consultants, licensees, and regulated entities that have access to or receive SSI. Such employees, individuals, persons, entities, and organizations are subject to the safeguarding and non-disclosure restrictions of 49 CFR Part 15 and the policy and procedures set out in this interim guidance. They are referred to as "covered persons," and that term includes all persons employed by, contracted to, or acting for a covered person, as well as persons formerly in such positions. Details regarding covered persons are set out in section 15.7.
Although not everyone will have access to SSI, everyone should be aware that some of the information that DOT manages may be SSI and must be afforded sufficient protection. Therefore, all DOT operating administrations, offices, and programs shall provide maximum distribution of this policy and procedures throughout their organizations and among all of their contractors, grantees, consultants, licensees, and regulated entities.
All DOT contracts, grants, and consulting agreements that will result in access to SSI shall include provisions for handling and protecting SSI as specified in this policy and procedures, and be consistent with 49 CFR Part 15.
The Secretary has delegated to the Director of the Office of Intelligence, Security, and Emergency Response (S-60) the authority to establish SSI policy that is binding on all parts of DOT. In addition, the Secretary has delegated to S-60 and to the General Counsel (C-1) the authority to make SSI determinations on any matter within the purview of DOT and to resolve disputes about SSI in any part of DOT. The Secretary has also delegated to all Administrators the authority to designate information within their agency's purview as SSI. This authority may be further delegated in writing to responsible personnel within each operating administration or organization. Administrators may designate as SSI only the types of information specified in Section 15.5 (b)(1)-(15). Requests for designating information beyond the scope of 15.5 (b)(1)-(15) as SSI shall be made in writing through the Director of Intelligence, Security, and Emergency Response. Information that is pending a possible designation as SSI shall be protected as SSI until the determination has been made.
The standard for determining access to SSI is "need to know", which means that access to SSI is limited to authorized persons with a legitimate requirement for the information in order to perform their official duties; carry out the requirements of a Federal contract, agreement, grant, or license; operate as a regulated entity; or perform transportation security tasks as directed by DOT. Section 15.11 specifies circumstances under which a person has the need to know. Each person with access to SSI under section 15.11 is a "covered person" under section 15.17, responsible for the maintenance and safeguarding of SSI.
In appropriate cases, DOT may further limit persons with a need to know by determining that only specific persons or classes of persons have a need to know a particular piece or category of SSI.
Having access to SSI invokes certain obligations, and a covered person has the duty to:
Covered persons who violate these provisions may be subject to administrative, civil, and/or criminal action for failure to properly handle or protect SSI. Section 15.9 states possible consequences of unauthorized disclosure.
DOT organizations shall ensure that the positions of all DOT employees and contractor employees having access to SSI are properly designated as to risk and sensitivity level as prescribed in DOT Order 1630.2B, Personnel Security Management. The organizations should ensure that the appropriate background investigation has been either completed or initiated before granting a DOT employee or contractor employee access to SSI. Organizations should designate as at least moderate risk those positions requiring regular SSI access.
DOT operating administrations and programs shall advise contractors, grantees, consultants, licensees, and regulated entities in writing of their obligations under Part 15 to safeguard SSI and of the penalties for unauthorized disclosure. In appropriate cases, access to SSI may be authorized subject to additional conditions, established by the Secretary of Transportation or by an Administrator.
To ensure proper handling and protection of SSI, section 15.13 requires that it be properly marked and contain a distribution limitation statement, as specified below.
Responsibilities. A person who creates a record containing SSI or who determines that an existing record contains SSI shall, in accordance with section 15.13 and this memorandum, place or cause to be placed on the record the protective marking and limited distribution statement indicated below. A person who receives a record containing SSI that is not marked in accordance with this section shall apply such marking and inform the sender of its omission.
Protective Marking. The protective marking "SENSITIVE SECURITY INFORMATION" shall be applied to all records that contain SSI. On paper records, including charts, maps, and drawings, this statement should be written or stamped in plain style bold type, such as Times New Roman, and with a font size of at least 14.
Distribution Limitation Statement. The distribution limitation statement shown below shall be applied to all records that contain SSI. On paper records, including charts, maps, and drawings, this statement should be written or stamped in plain style bold type, Times New Roman and with a font size of at least 8, or an equivalent style and font size.
WARNING: This record contains Sensitive Security Information that is controlled under 49 CFR parts 15 and 1520. No part of this record may be disclosed to persons without a "need to know," as defined in 49 CFR parts 15 and 1520, except with the written permission of the Administrator of the Transportation Security Administration or the Secretary of Transportation. Unauthorized release may result in civil penalty or other action. For U.S. Government agencies, public disclosure is governed by 5 U.S.C. 552 and 49 CFR parts 15 and 1520.
Marking Requirements for SSI Documentation. These marking requirements apply to all records containing SSI that are created subsequent to the date of this policy memorandum, and to all existing records determined to be, in whole or in part, SSI, prior to providing access or public release.
Paper Records. The protective marking shall be placed conspicuously at the top of the outside of any front or back cover, on any title page, and on each page of the record. The distribution limitation statement shall be placed at the bottom of any cover, on any title page, and on each page.
Charts, Maps and Drawings. The protective marking and distribution limitation statement shall be affixed in a manner that makes them plainly visible.
Motion Picture Films, Video, and Audio Recordings.
1) Protective Marking and Distribution Limitation Statement. The protective marking and distribution limitation statement shall be applied at the beginning and end of the medium on each reel and affixed in such a manner that it is fully visible on the screen or monitor.
2) Motion Picture Reels. Motion picture reels that are kept in film cans or other containers shall have protective markings and distribution limitation statements applied to each side of each reel and to all sides of each can or other storage container. In addition to reproducing the protective marking and distribution limitation statement on the beginning and end portions of the film, if the motion picture film has a soundtrack, audible warnings that describe the protective marking and distribution limitation statement shall, if practicable, be included at the beginning and at the end of the film.
3) Videotape Recordings. Videotape recordings that contain SSI shall include on the recordings conspicuous visual protective markings and distribution limitation statements at both the beginning and the end, if practicable. Protective markings and the distribution limitation statement shall also be applied on the front and back and on each side of the video case and storage containers.
4) Audio Recordings. Audio recordings that contain SSI shall include on the recordings clear and conspicuous audio messages stating the protective marking and distribution limitation statement at both the beginning and the end, if practicable. Protective markings and the distribution limitation statement shall also be applied on the front and back and on each side of the audio recording case and storage containers.
Electronic and Magnetic Media.
1) Media Containing Information. SSI contained on electronic and magnetic media shall have protective markings and the distribution limitation statement applied at the beginning and end of the electronic and magnetic text. The protective marking and distribution limitation statement shall be displayed in such a manner that both are fully visible on a screen or monitor to anyone viewing the text. The protective marking and distribution limitation statement shall also be applied to each side of a disk and a disk sleeve/jacket, on the non-optical side of the CD-ROM, and both sides of a CD-ROM case. If the electronic/magnetic text has a soundtrack, audible warnings that describe the protective marking and distribution limitation statement shall, if possible, be included in the introduction and at the end of this text.
2) Printed Information Extracted from Media. The protective marking and distribution limitation statement may be automatically applied by the printing equipment itself on the face of a page containing SSI, provided that they are clearly distinguishable from the printed text. Information and records in the form of compiled lists shall have the protective marking affixed to the top and bottom of the first and last pages, to the top and bottom of any covers, to the top and bottom of each page containing SSI, and to the outside of the back page or cover. The distribution limitation statement shall appear on the bottom of each page containing SSI and to any cover page or back page.
Transmittal Documents. Documents that are used to transmit SSI but do not themselves contain SSI shall be marked with the protective marking and distribution limitation statement. In addition, the following statement shall be affixed to the front page of the transmittal document:
"The protective marking SENSITIVE SECURITY INFORMATION and/or the distribution limitation statement on this document are canceled when the attachments containing SSI are removed."
Portion Marking. In records containing both SSI and non-SSI data, DOT organizations shall mark only the specific portions of a record that are SSI in order to assist in the future review, redaction, and possible release (or partial release) of the record. "SSI" shall appear in parentheses at the front of each paragraph or other portion of a document that actually contains SSI. Pictures, tables, and figures should have "SSI" in parentheses at the beginning of the associated caption. In lieu of this specific portion marking, a clarifying statement may be added to each record that identifies the SSI. Such a statement is useful where a compilation of non-sensitive information meets the criteria for designation as SSI, even though the individual items by themselves are not SSI. Non-paper records shall contain written or oral annotations attached to the media or within the content of the media to enable a reviewer to differentiate SSI material from non-SSI material. Documents that are received from organizations outside DOT and that are not portion-marked do not need to have portion marking added.
Information that is SSI for a Limited Period of Time. In some cases organizations are able to predict a future event or time after which information designated as SSI no longer warrants that designation. In such cases DOT organizations should add an additional statement with the distribution limitation statement as to the anticipated expiration date or event when the information will no longer be SSI; e.g., "The SSI designation for this information expires on [date]," or "The SSI designation for this information expires when the facility to which it pertains is closed." As with portion marking, such statements will assist in future review of records for possible release.
General Requirement. All persons with access to SSI have a duty to protect it from improper disclosure; and persons with actual custody of SSI record(s) are responsible for taking reasonable steps to safeguard them and are under an affirmative duty to report any known security breaches.
When a person is not in physical possession of SSI, he/she shall store it in a secure container, such as a locked desk or file cabinet, or in a locked room. SSI shall not be left exposed and unattended in areas where there is a possibility that it can be viewed by persons who do not have a need to know.
When an individual responsible for SSI places the material in a locked container, the individual is responsible for ensuring that positive measures are in force to restrict access to the container keys or combination to only individuals with a need to know.
When individuals store SSI on computers, including portable computing devices, they should carefully safeguard the equipment at all times when it is not stored in a locked container or room. They should use passwords to protect SSI and exercise proper care in protecting any storage medium (e.g., CD-ROM or other disk) containing it.
Packing and Transmission.
General. When assembling a package containing SSI for transmission, it is the responsibility of the individual preparing the package to ensure that all SSI has the appropriate protective markings and distribution limitation statements.
Mail. SSI may be transmitted by U.S. Postal Service first class mail or regular parcel post, or by commercial delivery services (Federal Express, UPS, etc.). SSI that is to be sent by mail or by a delivery service shall be wrapped in opaque envelopes, wrappings, or cartons. The mail should be addressed only to a person or position who the sender is reasonably sure is a covered person with a need to know. The outside of the package or envelope shall contain a notation that it is to be opened only by the addressee.
Interoffice mail. When sent by interoffice mail, SSI shall be transmitted in a sealed envelope in such a manner as to prevent inadvertent visual disclosure. The outside of the package or envelope shall contain a notation that it is to be opened only by the addressee.
Hand carrying within or between buildings. SSI that is carried by hand within or between buildings shall be protected (by a cover sheet, briefcase, protective folder, distribution pouch, etc.) to prevent inadvertent visual disclosure.
Packaging material. Envelopes or containers shall be of such strength and durability that they provide physical protection during transit and prevent items from breaking out of the containers or envelopes.
Electronic Mail (e-mail). SSI transmitted via e-mail shall be in a password-protected attachment. The password shall be communicated to the recipient by means other than the text of the e-mail.
Web Posting. DOT organizations, contractors, grantees, consultants, licensees and regulated entities should be especially careful to ensure that no SSI is available on any internet or intranet site, except for postings on secure sites where all persons with access have a need to know the SSI.
Facsimile. When sending SSI via facsimile, the sender should confirm that the fax number of the recipient is current and valid and should ensure that either the intended recipient is present to promptly receive the fax or that the receiving fax machine is in a controlled area where unauthorized persons will not have access to it. Fax transmittal sheets should be used that describe the sensitivity of the contents and provide instructions in the event the fax is received by someone other than the intended person.
Telephone. A person providing SSI via the telephone shall ensure that the person receiving the SSI is an authorized recipient. The risk of interception and monitoring of conversations is greater when using cellular telephones and when using cordless telephones, which transmit the conversation to a base unit. Individuals needing to pass SSI by telephone shall avoid these devices unless the circumstances are exigent or the transmissions are encoded or otherwise protected. Secure communications equipment is ideal for transmitting SSI.
Conversations. SSI may be discussed in offices or other locations where the parties to the conversation are reasonably sure that the conversations cannot be overheard by anyone without a need to know.
DOT organizations shall ensure that the contents of Sections 15.7, 15.9, and 15.11, including the above measures for the protection of SSI and the disclosure limitations, are communicated to all contractors, grantees, consultants, licensees, and regulated entities that employ or may employ "covered persons" before such covered persons have access to SSI.
DOT personnel may be required to retain some SSI information under Federal record retention laws. SSI not subject to such requirements may be destroyed when no longer needed to carry out agency functions or transportation safety measures.
Other covered persons, including DOT contractors, grantees, consultants, and regulated entities, are not authorized to retain SSI permanently and should destroy it when no longer required to carry out their work or project. All contracts and agreements for work that require or may require access to or custody of SSI shall specify that at the conclusion of work the other covered persons shall either destroy or return to DOT all SSI that was obtained or prepared as the result of work under the contract or agreement. However, State and local governments are not required to destroy SSI if the records must be preserved under State or local law.
Destruction may be by shredding, burning, pulping or any other method to make the information unrecognizable and preclude its reconstruction. For paper records, tearing in half is not a sufficient means of destroying SSI. Existing strip shredders may be used, but any new shredding equipment shall employ a cross-cut feature. For large records, only portions that actually contain SSI must be destroyed in this manner. Any other pages being disposed of in a normal manner should first have the SSI annotations marked out. It is acceptable to dispose of SSI in containers that are designed to accept it and where it will be disposed of properly under controlled conditions.
In general, records containing SSI are not available for public inspection or copying, and release of SSI is limited to persons or entities with a need to know the information.
Except as provided in this memorandum, the authority to release SSI to persons who are not otherwise eligible, such as individual Members of Congress, is limited to S-60, with the concurrence of the Office of the General Counsel (C).
A covered person may disclose SSI only to another covered person with a need to know, with certain exceptions listed in Section 15.15. Unauthorized disclosures of SSI are subject to civil penalty, administrative action, or, in appropriate cases, criminal prosecution. Authorized access to SSI shall be accompanied by an explanation, which may be oral, of the restrictions that apply to the use and further dissemination of the SSI, and the penalties for improper use or dissemination. Access shall be denied if the recipient indicates an inability or unwillingness to abide by the restrictions.
Requests by non-covered persons for SSI should normally be denied or referred to the applicable component or agency within DOT or the Department of Homeland Security (DHS) if DHS originated the SSI designation.
DOT employees and all other covered persons shall promptly report in writing any instances where SSI has been released to unauthorized persons. DOT organizations shall identify a point of contact to receive and process such reports and shall ensure that all covered persons know how to report the information. The point of contact shall inform S-60 and the Director, Office of Security (M-40), in writing of all unauthorized releases of SSI information. S-60 will ensure that the originating organization is aware of the release. M-40 will be responsible for conducting and/or coordinating investigations of all such alleged instances within DOT and its contractors, grantees, consultants, licensees, and regulated entities.
Disclosure of SSI to a foreign government and/or other foreign or international entity shall be approved by S-60 upon the request of the DOT operating administration or program or the contractor, grantee, consultant, licensee, or regulated entity in possession of the SSI.
Disclosure of SSI to committees of Congress, the Government Accountability Office (GAO), and the Comptroller General is authorized without prior approval, but shall be reported to S-60. Any such release shall comply with all elements of this guidance, including the marking and distribution limitation statement requirements. In addition, any release to GAO or the Comptroller General requires concurrence by the Departmental Audit Liaison, M-1. Any other release of SSI to non-covered persons or entities shall have prior approval of S-60, with the concurrence of C. Requests may be made through the originating organization.
Freedom of Information Act (FOIA) Requests. Records and information determined to be SSI under Part 15 are exempt from public disclosure under FOIA pursuant to exemption 3 (5 U.S.C. 552(b)(3)), although reasonably segregable, non-SSI portions of the record must be disclosed.
1) Authority to deny FOIA requests. FOIA requests for SSI are processed by the appropriate DOT agency/entity (see 49 CFR Part 7), except that any decision to release SSI shall have the concurrence of the Chief Counsel of the affected operating administration and the General Counsel.
2) Information requests received by regulated parties. Requests for SSI that are addressed to regulated parties, such as under State or local freedom of information or open records acts, are addressed in 49 CFR section 15.15.
3) Release of records containing both SSI and non-SSI. If a record contains information exempt from disclosure under part 15 but also contains information that may be disclosed, the latter information will be provided in response to a FOIA request, provided the record is not otherwise exempt from disclosure under FOIA, if it is practical to redact the requested information from the record. Records from which information has been redacted will so indicate by a legible statement in the margin indicating redaction under the authority of Part 15. If it is not practical to redact SSI, the entire record will be withheld from public disclosure.
Enforcement Proceedings. Access to SSI may be provided in enforcement proceedings when, in the sole discretion of the Secretary of Transportation, access is necessary for responding to enforcement allegations or to serve the interests of justice.
Rulemaking. Information submitted to a DOT rulemaking docket that is claimed by the submitter, or determined by DOT, to be SSI shall be handled as follows:
1) A copy of the docket submission noting where the SSI information is located, but without the SSI information itself, shall be filed in the docket.
2) A copy of the docket submission noting where the SSI information is located and including the SSI information shall be filed in a sealed envelope that complies with the handling instructions above and includes on its outer surface the number of the docket to which it is being submitted and the identity of the submitter.
Critical Infrastructure Information (CII). Disclosure of information that is both SSI and CII under section 214 of the Homeland Security Act is governed solely by the requirements of section 214 and any implementing regulations.
If you have any questions, please contact Richard Thompson in the Office of Security (M-40) at 202-366-4678; or Bob Ross, Office of the General Counsel, at 202-366-9156.