Transportation Security Administration: Clear Policies and Oversight Needed for Designation of Sensitive Security Information
Highlights
Concerns have arisen about whether the Transportation Security Administration (TSA) is applying the Sensitive Security Information (SSI) designation consistently and appropriately. SSI is one category of "sensitive but unclassified" information--information generally restricted from public disclosure but that is not classified. GAO determined (1) TSA's SSI designation and removal procedures, (2) TSA's internal control procedures in place to ensure that it consistently complies with laws and regulations governing the SSI process and oversight thereof, and (3) TSA's training to its staff that designate SSI.
TSA does not have guidance and procedures, beyond its SSI regulations, providing criteria for determining what constitutes SSI or who can make the designation. Such guidance is required under GAO's standards for internal controls. In addition, TSA has no policies on accounting for or tracking documents designated as SSI. As a result, TSA was unable to determine either the number of TSA employees actually designating information as SSI or the number of documents designated SSI. Further, apart from Freedom of Information Act (FOIA) requests or other requests for disclosure outside of TSA, there are no written policies and procedures or systematic reviews for determining if and when an SSI designation should be removed. TSA also lacks adequate internal controls to provide reasonable assurance that its SSI designation process is being consistently applied across TSA. Specifically, TSA has not established and documented policies and internal control procedures for monitoring compliance with the regulations, policies, and procedures governing its SSI designation process, including ongoing monitoring of the process. TSA officials told us that its new SSI Program Office will ultimately be responsible for ensuring that staff are consistently applying SSI designations. This office, which was established in February 2005, will also develop and implement all TSA policy concerning SSI handling, training, and protection. More detailed information on how this office's activities will be operationalized was not yet available. Specifically, TSA officials provided no written policies formalizing the office's role, responsibilities, and authority. TSA has not developed policies and procedures for providing specialized training for all of its employees making SSI designations on how information is identified and evaluated for protected status. Development of such training for SSI designations is needed to help ensure consistent implementation of the designation authority across TSA. While TSA has provided a training briefing on SSI regulations to certain staff, such as the FOIA staff, it does not have specialized training in place to instruct employees on how to consistently designate information as SSI. In addition, TSA has no written policies identifying who is responsible for ensuring that employees comply with SSI training requirements.
Recommendations
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Transportation Security Administration | To help bring clarity, structure, and accountability to TSA's SSI designation process, the Secretary of the Department of Homeland Security should direct the Administrator of the Transportation Security Administration to establish clear guidance and procedures for using the TSA regulations to determine what constitutes SSI. |
Closed – Implemented
In response to congressional concerns about whether the Transportation Security Administration (TSA) has been applying sensitive security information (SSI) designations consistently and appropriately, we completed a report in June 2005 with several recommendations. Using the designation appropriately is important to both protect sensitive information as well as to not discourage the sharing of such information by over protecting it. We reported that TSA did not have any criteria for determining what constitutes SSI nor any policies on accounting for or tracking documents designated as SSI. We recommended that TSA establish clear guidance and procedures for using the TSA regulations to determine what constitutes SSI. In February 2007, TSA reported to us that they responded to our recommendation by creating and developing a one-page summary list of citations with accompanying explanatory notes; a short guide to handling SSI; an advanced application guide with detailed descriptions of SSI; a reviewers' guide; and identification guides with examples supported by corresponding legal citations for SSI. These changes will allow TSA to better track the use of the SSI designations.
|
| Transportation Security Administration | To help bring clarity, structure, and accountability to TSA's SSI designation process, the Secretary of the Department of Homeland Security should direct the Administrator of the Transportation Security Administration to establish clear responsibility for the identification and designation of information that warrants SSI protection. |
Closed – Implemented
In June 2005, in response to growing concerns about whether TSA has been applying the sensitive security information (SSI) designation consistently and appropriately, we completed a report with several recommendations. We reported that TSA had not established policies and procedures for how it will monitor compliance with the regulations governing the SSI designation process. In an October 2004 memorandum, TSA itself recognized that the handling and identification of SSI had become problematic. Among other things, we recommended that TSA take action to establish clear responsibility for the identification and designation of information that warrants SSI protection. In February 2007, TSA officials reported to us that they responded to our recommendation by organizing and appointing SSI Coordinators with roles that align with SSI policy goals at all TSA Program and Federal Security Directors (FSD) Offices, have set SSI determination policy, and are continuously communicating updated information to SSI Coordinators.
|
| Transportation Security Administration | To help bring clarity, structure, and accountability to TSA's SSI designation process, the Secretary of the Department of Homeland Security should direct the Administrator of the Transportation Security Administration to establish internal controls that clearly define responsibility for monitoring compliance with regulations, policies, and procedures governing the SSI designation process and communicate that responsibility throughout TSA. |
Closed – Implemented
In response to a congressional request, we evaluated the Transportation Security Administration's internal controls for handling sensitive security information (SSI) and determined that TSA did not have any formally defined policies or procedures for monitoring compliance with the laws and regulations governing the process for designating information as SSI. Without clearly defined policies and procedures for assessing compliance with the regulations governing the SSI designation process, TSA lacks structure to support continuous assurance that those employees making SSI designations within TSA are designating documents properly. Therefore, we recommended in our June 2005 report to congressional requesters that TSA establish internal controls that clearly define responsibility for monitoring compliance with regulations, policies, and procedures governing the SSI designation process and communicate that responsibility throughout TSA. TSA reported to us in February 2007 that it had responded to our recommendation by designating Department of Homeland Security (DHS) SSI Program Managers and SSI Coordinators; establishing procedures for DHS-wide SSI auditing; and developing standard self-inspection and reporting methods for Program Managers to report every 18 months on audit and inspection results and for SSI Coordinators to report annually. These actions will help assure that TSA employees are making SSI designations properly.
|
| Transportation Security Administration | To help bring clarity, structure, and accountability to TSA's SSI designation process, the Secretary of the Department of Homeland Security should direct the Administrator of the Transportation Security Administration to establish policies and procedures within TSA for providing specialized training to those making SSI designations on how information is to be identified and evaluated for protected status. |
Closed – Implemented
In June 2005, we reported that Transportation Security Administration's new Sensitive Security Information Program Office, established in February 2005, had not developed policies and procedures for providing specialized training for all of its employees making SSI designations on how information is to be identified and evaluated for protected status. Specialized training designed to familiarize those who are making SSI designations on how information is to be identified and evaluated would reduce the likelihood that employees improperly exempt information from public disclosure or inappropriately disclose sensitive security information. In our report, we recommended that the Administrator of TSA establish policies and procedures for providing specialized training to those making SSI designations on how information is to be identified and evaluated for protected status. In February 2007, TSA reported to us that they responded to our recommendation by developing online SSI training that is introduced to all new TSA employees during orientation,developing a live, 60-minute presentation, and delivering training specifically tailored to individualized programs (e.g. airports, contractors, SSI Coordinators, and Freedom of Information Act staff). By taking these actions, TSA will have documentation that shows who is responsible for ensuring that employees comply with SSI training requirements and will help to ensure that employees are consistently and properly designating information as SSI.
|