Transportation Security Administration's Processes for Designating and Releasing Sensitive Security Information

GAO-08-232R Published: Nov 30, 2007. Publicly Released: Nov 30, 2007.
Jump To:
Skip to Highlights

Since the September 11, 2001, terrorist attacks, federal agencies have faced the challenge of protecting sensitive information from terrorists and others without a need to know while sharing this information with parties who are determined to have such a need. One form of protection involves identifying and marking such information sensitive but unclassified--information that is generally restricted from public disclosure but not designated as classified national security information. The Department of Homeland Security's (DHS) Transportation Security Administration (TSA) requires that certain information be protected from public disclosure as part of its responsibility for securing all modes of transportation. TSA, through its authority to protect information as sensitive security information (SSI), prohibits the public disclosure of information obtained or developed in the conduct of security activities that, for example, would be detrimental to transportation security. According to TSA, SSI may be generated by TSA, other DHS agencies, airports, aircraft operators, and other regulated parties when they, for example, establish or implement security programs or create documentation to address security requirements. Section 525 of the DHS Appropriations Act, 2007 (Public Law 109-295), required the Secretary of DHS to revise Management Directive (MD) 11056, which establishes DHS policy regarding the recognition, identification, and safeguarding of SSI, to (1) review requests to publicly release SSI in a timely manner and establish criteria for the release of information that no longer requires safeguarding; (2) release certain SSI that is 3 years old, upon request, unless it is determined the information must remain SSI or is otherwise exempt from disclosure under applicable law; and (3) provide common and extensive examples of the 16 categories of SSI to minimize and standardize judgment by persons identifying information as SSI. In addition to answering this mandate, we are following up on a June 2005 report in which we recommended that DHS direct the Administrator of TSA to establish (1) guidance and procedures for using TSA regulations to determine what constitutes SSI, (2) responsibility for the identification and determination of SSI, (3) policies and procedures within TSA for providing training to those making SSI determinations, and (4) internal controls4 that define responsibilities for monitoring compliance with SSI regulations, policies, and procedures and communicate these responsibilities throughout TSA. To respond to the mandate and update the status of all four of our recommendations, we assessed DHS's status in establishing criteria and examples for identifying SSI; efforts in providing training to those that identify and designate SSI; processes for responding to requests to release SSI, including the legislative mandate to review various types of requests to release SSI; and efforts in establishing internal controls that define responsibilities for monitoring SSI policies and procedures.

Full Report