
The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.



Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.

OCR for page 18
Even a brief text message with information about air security measures can constitute SSI.162

To the extent that information must be kept confidential, agencies need to make sure that both hard copy and electronic systems are secure.

B. Critical Infrastructure Information/Sensitive Security Information

CII is a defined term under federal law. In addition, the Department of Homeland Security (DHS) implementing regulation coined the term "PCII" to apply to specific infrastructure information that is protected under federal law.163 The information must not only relate to critical infrastructure, but as is discussed infra, must meet specific statutory criteria, including being voluntarily submitted to DHS. Thus, information about mass transit infrastructure that is critical to the community in which it is located or to the nation at large because of its interconnectedness with major economic networks (such as the transit system in New York City) is not necessarily protected CII for purposes of the federal statute. However, as the FTA notes, transit agencies "may come in contact with PCII through interaction with the Federal government."164 While CII, let alone PCII, is likely to be of limited applicability to most transit agencies, particularly in the context of competitive bidding, a basic understanding of CII requirements is relevant. Transit agencies may themselves voluntarily submit information to DHS that, providing it meets statutory requirements described infra, will be considered protected CII. Protection of such information applies to DHS, not to the submitting agency, to the extent that the submitting agency uses its own copy of the information and not the validated (and thus protected) CII.165

The term SSI has evolved based on aviation security requirements dating back to 1974,166 and has been extended by USDOT to apply to all modes of transportation.167 The authorizing legislation for the USDOT and TSA provisions,168 discussed infra, is substantially similar, as are the regulatory provisions themselves.169 TSA defines SSI as

information that is obtained or developed in the conduct of security activities, including research and development, the disclosure of which TSA has determined would--
(1) Constitute an unwarranted invasion of privacy (including, but not limited to, information contained in any personnel, medical, or similar file);
(2) Reveal trade secrets or privileged or confidential information obtained from any person; or
(3) Be detrimental to the security of transportation.170

Despite the fact that the USDOT provision refers to information the disclosure of which would be "detrimental to transportation safety" rather than "detrimental to transportation security" as under the DHS provision, the USDOT provision is interpreted as governing security issues as well as safety issues.171 Any security program or security contingency plan "issued, established, required, received, or approved by DOT or DHS" constitutes SSI. Vulnerability assessments that are "directed, created, held, funded, or approved by the DOT [or] DHS, or that will be provided to DOT or DHS in sup-

Footnotes:

(continued from the previous page) "suffered any adverse effect." Wemhoff v. District of Columbia, 887 A.2d 1004, 1013 (D.C. 2005), citing Schmidt v. Multimedia Holdings Corp., 361 F. Supp. 2d 1346, 1348, 1354 (M.D. Fla. 2004).

162 MacLean, 543 F.3d 1145.

163 6 C.F.R. 29.2.

164 KEVIN CHANDLER, PAMELA SUTHERLAND, & DONALD ELDREDGE, SENSITIVE SECURITY INFORMATION (SSI): DESIGNATION, MARKINGS, AND CONTROL, RESOURCE DOCUMENT FOR TRANSIT AGENCIES 3 (2009), http://transit-safety.fta.dot.gov/publications/security/FTA%20SSI/Final%20FTA%20SSI%20%28072009%29%20revised.pdf.

165 DEP'T OF HOMELAND SECURITY, HOW TO SUBMIT CRITICAL INFRASTRUCTURE INFORMATION (CII) FOR PCII PROTECTION, www.dhs.gov/files/programs/gc_1193091627563.shtm (accessed Sept. 2, 2009). See also PCII Program FAQ, www.dhs.gov/xlibrary/assets/pcii_faqs.pdf; PCII PROGRAM PROCEDURES MANUAL, www.dhsgov/xlibrary/assets/pcii__program_procedures_manual.pdf.

166 The Air Transportation Security Act of 1974 (Pub. L. No. 93-366 316, 88 Stat. 409 (1974)) authorized the Federal Aviation Administration (FAA) to issue regulations prohibiting disclosure of information developed during research and development that the FAA found would constitute unwarranted invasion of personal privacy, reveal trade secrets or privileged commercial information, or be detrimental to the safety of persons traveling in air transportation. See TODD B. TATELMAN, INTERSTATE TRAVEL: CONSTITUTIONAL CHALLENGES TO THE IDENTIFICATION REQUIREMENT AND OTHER TRANSPORTATION SECURITY REGULATIONS, CRS Report for Congress, RL32664 (2004), www.fas.org/sgp/crs/RL32664.pdf, for discussion of history of law governing SSI.

167 Department of Homeland Security, Transportation Security Administration, Interim Final Rule, Protection of Sensitive Security Information, Fed. Reg. 69, No. 96, 28066, May 18, 2004, http://edocket.access.gpo.gov/2004/pdf/04-11142.pdf; CHANDLER, SUTHERLAND & ELDREDGE, supra note 164, at 2, http://transit-safety.fta.dot.gov/publications/security/FTA%20SSI/Final%20FTA%20SSI%20%28072009%29%20revised.pdf, at 2.

168 49 U.S.C. 40119(b); 49 U.S.C. 114(s).

169 49 C.F.R. pt. 15; 49 C.F.R. pt. 1520.

170 49 C.F.R. 1520.5(a) Sensitive security information. The corollary DOT provision is 49 C.F.R. 15.5(a) Sensitive security information.

171 CHANDLER, SUTHERLAND & ELDREDGE, supra note 164, at 1. See also Third Party Contracting Guidance: Notice of Final Circular, 73 Fed. Reg. 56896, 56906 (Sept. 30, 2008):

FTA has determined that these laws and regulations [49 U.S.C. 40119(b), 49 C.F.R. 15; 49 U.S.C. 14(s), 49 C.F.R. 1520] do apply to public transportation agencies and other FTA recipients that have sensitive security information, such as information related to vulnerability assessments (including any information addressing vulnerabilities or corrective actions) conducted after September 11, 2001, and other information covered by the regulations.

Page 19

port of a Federal security program" are specifically included in that category.172 In addition, TSA has issued a Stakeholder Best Practices Quick Reference Guide in which the agency lists a wide range of information the agency deems to constitute SSI.173

Managing SSI is more likely to be of concern to transit agencies than is managing CII. A number of federal requirements make it likely that transit agencies will need to comply with Federal SSI requirements, including the following:

Establishing a National Strategy for Public Transportation Security,174 including use of public transportation security assessments.

Establishing a Transportation Security Information Sharing Plan.175

Preparing assessments and plans that will result in security assessments being submitted to DHS for transit agencies at a high risk of attack and for representative samples of non-high-risk transit agencies.176

Even where federal requirements are not directly applicable, for example, for vulnerability assessments that are funded locally and not shared with federal agencies and thus do not meet the SSI statutory criteria, transit agencies may have security information that should be protected. Thus, the federal requirements may nonetheless be instructive on issues for transit agencies to consider in adopting their own policies.

Issues that arise concerning SSI designation include maintaining consistency in designating SSI, avoiding the problem of over-designating information as SSI, protecting SSI, reviewing SSI over time to determine whether its confidential status remains justified, and disposing of SSI. For example, DHS has been criticized for asserting overly broad claims for withholding sensitive information.177 As noted supra, in Gordon, the federal district court judge rejected the government's assertion that requested material was SSI or otherwise exempt from FOIA, finding rather that withheld material was innocuous and in some instances publicly available.178

This section reviews the authorizing legislation for CII and SSI provisions, as well as federal programs, requirements, and guidance related to CII and SSI by relevant agency. The purpose is to clarify the meaning and applicability of these terms and their attendant requirements. This is particularly important since to the extent that information comes within the definition of CII or SSI, that information becomes exempt from state disclosure requirements.179

1. Federal Legislation

Several pieces of legislation that passed after the events of 9/11 vested the DHS, TSA, and USDOT with responsibility for administering CII and SSI requirements. The legislation is described below and included in Appendix A. Federal transit legislation that has im-

Footnotes:

172 49 C.F.R. 15.5(b)(5); 49 C.F.R. 1520.5(b)(5).

173 TRANSP. SECURITY ADMIN., SENSITIVE STAKEHOLDER BEST PRACTICES QUICK REFERENCE GUIDE, included as App. B to Chandler, supra note 163. Information listed: security programs and contingency plans; security directives; information circulars; performance specifications; vulnerability assessments; security inspections or investigative information; threat information; security measures; security screening information; security training materials; identifying information of certain transportation security personnel; critical infrastructure asset information; systems security information; confidential business information; research and development; and other information as determined in writing by the TSA Administrator.

174 Section 1404, Implementing Recommendations of the 9/11 Commission Act of 2007, Pub. L. No. 110-53, 121 Stat. 401, Aug. 3, 2007, codified at 6 U.S.C. 1133. Section 1404 (d)(2) references already developed security and strategies: National Infrastructure Protection Plan, www.dhs.gov/xlibrary/assets/NIPP_Plan.pdf (accessed Sept. 2, 2009) required by Homeland Security Presidential Directive7; Executive Order No. 13416: Strengthening Surface Transportation Security, Dec. 5, 2006, Fed. Reg. 71, No. 235, 71033, Dec. 7, 2009, Accessed Sept. 13, 2009, at http://edocket.access.gpo.gov/2006/pdf/06-9619.pdf; the Memorandum of Understanding between DHS and the DOT on Roles and Responsibilities dated Sept. 28, 2004. The sector-specific plan for mass transit is included as Annex C., Mass Transit, in Transportation Systems Critical Infrastructure and Key Resources Sector-Specific Plan as Input to the National Infrastructure Protection Plan, May 2007, www.dhs.gov/xlibrary/assets/Transportation_Base_Plan_5_21_07.pdf (accessed Sept. 2, 2009).

175 Section 1203, Implementing Recommendations of the 9/11 Commission Act of 2007, Pub. L. No. 110-53, 121 Stat. 383, Aug. 3, 2007, codified at 49 U.S.C. 114(u).

176 Section 1405, Implementing Recommendations of the 9/11 Commission Act of 2007, Pub. L. No. 110-53, 121 Stat. 402, Aug. 3, 2007, codified at 6 U.S.C. 1134 (National Transit Systems Security Act of 2007 is Title XIV of the public law.)

177 E.g., Amicus Curiae Brief of Electronic Frontier Foundation, American Association of Law Libraries, American Library Association, Association of Research Libraries, Center for Democracy and Technology, National Security Archive, Project on Government Secrecy of the Federation of American Scientists, and Special Libraries Association on Petition for Writ of Certiorari to the Court of Appeals for the Ninth Circuit, Gilmore v. Gonzalez, www.papersplease.org/gilmore/_dl/20061113/Gilmore%20v.%20Gonzales%20EFF%20amicus.pdf (accessed Oct. 6, 2009).

178 Eric Lichtblau, Judge Scolds U.S. Officials Over Barring Jet Travelers, N.Y. TIMES, June 16, 2004, www.nytimes.com/2004/06/16/politics/16flight.html (accessed Mar. 24, 2009). The government ultimately settled, agreeing to pay attorneys fees. TSA and FBI Ordered to Pay $200,000 to Settle "No Fly" Lawsuit, Jan. 24, 2006, www.aclu.org/safefree/general/23926prs20060124.html (accessed Aug. 1, 2009).

179 See Charles Davis, More Daunting Tests Ahead Pitting "Right To Know" Against "Need To Know," FOI Columns, Jan. Feb. 2004, www.ire.org/foi/janfeb2004.html (accessed Feb. 28, 2009).

Page 20

plications is referenced in II.B.2, Federal Agencies, infra.

Aviation and Transportation Security Act of 2001 (ATSA).180--The ATSA transferred civil aviation security responsibilities from the Federal Aviation Administration (FAA) to TSA, including authority to conduct research and development activities related to security.181 Section 101(e)(3) of the ATSA-modified Section 40119(b) contains a provision requiring nondisclosure of certain safety-related information, by deleting the modifier "air" from "air transportation." DHS has interpreted this change as expanding the scope of the provision to cover all modes of transportation.182

Homeland Security Act of 2002 (HSA).183--The HSA adopted the USA PATRIOT Act's definition of critical infrastructure: "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."184 The HSA also added a provision transferring TSA's SSI authority and vesting SSI authority in the DOT Secretary.185

Critical Infrastructure Information Act of 2002.186--The CIIA was included as Title II of the HSA. Section 211(3) defines "critical infrastructure information"; subsection 214(a) of the CIIA protects CII voluntarily submitted to DHS for use regarding "the security of critical infrastructure and protected systems, analysis, warning, interdependency study, recovery, reconstitution, or other informational purpose [sic],"187 provided the information is accompanied by the express statement required under the statute. Such protected CII is exempt from disclosure under FOIA; prohibited from being used for other official purposes except under very limited circumstances; and if shared with state and local governments and agencies, exempt from disclosure under state or local open records requirements. However, the CIIA does not affect any entity's ability to lawfully obtain CII in a manner not covered by subsection (a) and to use such information in any lawful manner. Thus such information that is customarily in the public domain (lawfully, properly, and regularly disclosed generally or broadly to the public) is not protected.188 DHS may withdraw the protected status if it determines that at the time of submission the information was customarily in the public domain.189 Federal employees who knowingly disclose protected CII are subject to fine, imprisonment, and job loss.190 There is no private right of action to enforce the CIIA.191

At least one court has held that the CIIA does not apply to submitters of PCII, so that the CIIA does not preempt requests for information made to the submitting agency under state public records acts.192 The court noted that the CIIA prohibits disclosure of protected CII under state or local public records acts, but only if the protected CII is provided to a state or local government, and interpreted this statutory language as distinguishing between submission of CII and receipt of protected CII for purposes of when a state or local agency may disclose requested information: submitting CII to the federal government does not require the submitting agency to then withhold that information under the state public records law. The court also reviewed the implementing regulations, discussed infra, and found that they also support this distinction between submission and receipt of protected CII for purposes of applica-

Footnotes:

180 Pub. L. No. 107-71, 115 Stat. 597, Nov. 19, 2001.

181 49 U.S.C. 40119, Security and research and development activities. Section 40119 authorized the FAA to conduct research and development (R&D) activities aimed at protecting passengers and property against acts of criminal violence and aircraft piracy. The provision prohibited disclosure of information obtained or developed in carrying out specified security or R&D activities under specified sections of Chapters 445 (Facilities, Personnel, and Research) and 449 (Security) of title 49, provided that the FAA decides that disclosing the information would:
(A) be an unwarranted invasion of personal privacy;
(B) reveal a trade secret or privileged or confidential commercial or financial information; or
(C) be detrimental to transportation safety.

182 Department of Homeland Security, Transportation Security Administration, Interim Final Rule, Protection of Sensitive Security Information, Fed. Reg. 69, No. 96, 28066, 28068, May 18, 2004.

183 Pub. L. No. 107-296, 116 Stat. 2135, Nov. 25, 2002.

184 Section 2(4), Definitions, citing 1016(e) of Pub. L. No. 10756 (42 U.S.C. 5195c(e)).

185 Section 1601, Retention of Sensitive Security Information Authority at Department of Transportation, codified at 49 U.S.C. 114(s) and 49 U.S.C. 40119(b)(1).

186 Tit. II, subtit. B, HSA, Pub. L. No. 107-296, 116 Stat. 2135, Nov. 25, 2002, codified at 6 U.S.C. 13134. For a critique of the strategy behind the CIIA, including the fact that the FOIA exemptions hamper public oversight, see Bagley, supra note 39.

187 Section 214, Protection of voluntarily shared critical infrastructure information, codified at 6 U.S.C. 133; 6 C.F.R. 29.8. See James W. Conrad, Jr., Protecting Private Security-Related Information from Disclosure by Government Agencies, 57 ADMIN. L. REV. 715, nn. 8089 (2005); presented at ABA meeting, Protection of Facility Security Information, Dec. 10, 2004, http://meetings.abanet.org/webupload/commupload/AL316500/newsletterpubs/Info%20protection.pdf (accessed in prepublication form Mar. 4, 2009).

188 6 C.F.R. 29.2, 29.5. Part 29 introduces the term "Protected Critical Infrastructure Information, or PCII," which is not a statutorily defined term. The regulation defines PCII as CII that has been validated by DHS as meeting the statutory criteria for protection.

189 6 C.F.R. 29.6(g).

190 Section 214, Protection of voluntarily shared critical infrastructure information, codified at 6 U.S.C. 133; 6 C.F.R. 29.9.

191 Section 215, codified at 6 U.S.C. 134.

192 County of Santa Clara v. Superior Court of Santa Clara County, 170 Cal. App. 4th 1301, 89 Cal. Rptr. 3d 374 (Cal. Ct. App. 6th Dist. 2009).

Page 21

tion of state public records requirements. The court concluded:

Taken as a whole, this consistent and pervasive regulatory language supports our construction of the relevant provision of the CII Act, 6 United States Code section 133(a)(1)(E)(i). As we interpret that provision, it draws a distinction between the submission of CII and the receipt of PCII. In the hands of the submitter, the nature of the information remains unchanged; in the hands of the governmental recipient, it is protected from disclosure. (footnote omitted)193

The court also noted that if the contrary interpretation were correct, then the Geographic Information System (GIS) Basemap at issue in the case could no longer be used by the county for any purpose other than those enumerated under the CIIA. Accordingly, the prohibition under the CIIA against disclosure under the California Public Records Act was held not to apply.

Department of Homeland Security Appropriations Act, 2006.194--This Act requires DHS to appoint at least one SSI coordinator in each DHS office that handles SSI to ensure that documents marked as SSI meet the SSI criteria. It requires the Secretary to issue guidance that "includes common but extensive examples of SSI that further define the individual categories of information cited under 49 C.F.R. 1520(b)(1) through (16) and eliminates judgment by covered persons in the application of the SSI marking."195 The Act also required the Government Accountability Office (GAO) to report on DHS progress in implementing the law's requirements.

Department of Homeland Security Appropriations Act, 2007.196--The Act requires DHS to revise its Management Directive (MD) 11056, which establishes DHS policy regarding the recognition, identification, and safeguarding of SSI, as specified in the legislation, and it requires GAO to report on DHS' progress in implementing the law's requirements.197 The Act also extended the designation of "covered person" to a party in civil litigation who can demonstrate both a substantial need for relevant SSI in preparing the party's case and an undue hardship in obtaining equivalent information by other means, provided that the judge enters an order protecting the SSI from unauthorized disclosure, the party undergoes a threat assessment including criminal background check, and access does not present a risk of harm to the nation. GAO reports that the directive has been revised.198

Implementing Recommendations of the 9/11 Commission Act of 2007.199--The Act contains several provisions that will require generating information that could be considered to be CII or SSI because of the information being shared with DHS and USDOT for security purposes. These include grant provisions that public transportation agencies implement in part through contracts with private entities. The discussion here of this Act is limited to those provisions that require information generation that might reasonably be expected to result in procurement activity.200

As noted, supra, Section 1203 requires DHS and USDOT, along with public and private stakeholders, to establish a Transportation Security Information Sharing Plan.201 Section 1305 requires DHS, in consultation with USDOT, to establish a program to share information about transportation security technology with, inter alia, public transportation agencies.202 Title XIV of the Act, the National Transit Systems Security Act of 2007 (NTSSA), requires DHS to develop and implement the National Strategy for Public Transportation Security. In meeting that requirement, DHS is required to "use established and ongoing public transportation security assessments" and "consult with all relevant stakeholders, including public transportation agen-

Footnotes:

193 Id. at 1318.

194 Pub. L. No. 10990, 119 Stat. 2064, Oct. 18, 2005.

195 Id. Tit. V, 537, codified at 6 U.S.C. 114. The provision also required GAO to report on DHS progress in implementing the law's requirements.

196 Pub. L. No. 109295, 120 Stat. 1355, Oct. 4, 2006.

197 Id. at 525. Section 525 requires that MD 11056 be revised to provide as follows:
(1) That when a lawful request is made to publicly release a document containing information designated as sensitive security information (SSI), the document shall be reviewed in a timely manner to determine whether any information contained in the document meets the criteria for continued SSI protection under applicable law and regulation and shall further provide that all portions that no longer require SSI designation be released, subject to applicable law, including sections 552 and 552a of title 5, United States Code;
(2) That sensitive security information that is three years old and not incorporated in a current transportation security directive, security plan, contingency plan, or information circular; or does not contain current information in one of the following SSI categories: equipment or personnel performance specifications, vulnerability assessments, security inspection or investigative information, threat information, security measures, security screening information, security training materials, identifying information of designated transportation security personnel, critical aviation or maritime infrastructure asset information, systems security information, confidential business information, or research and development information shall be subject to release upon request unless:
(A) the Secretary or his designee makes a written determination that identifies a rational reason why the information must remain SSI; or
(B) such information is otherwise exempt from disclosure under applicable law.

198 U.S. GOV'T ACCOUNTABILITY OFFICE, supra note 138, at 5. Some guidance may be available to transit agencies through FTA or TSA that is not publicly available, and therefore cannot be discussed in this report.

199 Pub. L. No. 110-53, 121 Stat. 266, Aug. 3, 2007.

200 Cf., 1410, Information sharing, codified at 6 U.S.C. 1139 (requiring public transportation agencies at high risk of terrorist attack to participate in the Information Sharing and Analysis Center for Public Transportation), which does not appear likely to result in procurement activity. See V.B.3, Controls Within the Agency, infra this digest, for a discussion of the NTSSA's requirements for security background checks.

201 Codified at 49 U.S.C. 114(u).

202 Codified at 6 U.S.C. 1114.

Page 22

cies."203 The NTSSA also requires DHS to conduct certain public transportation security assessments. In addition, the Act mandates that DHS require public transportation agencies determined by DHS to be at high risk of terrorist attack to develop comprehensive security plans, with technical assistance provided by DHS. If DHS requires any other public transportation agencies to prepare security plans, DHS must provide technical assistance to those agencies as well. The statute specifies the contents of such security plans, including requiring them to be consistent with security assessments developed by DHS and with the National Strategy for Public Transportation Security. The requirement for developing security assessments or security plans may be recognized by DHS as being met by existing procedures, protocols, and standards of a public transportation agency.204 Finally, the statute addresses nondisclosure as follows: "Nothing in this section shall be construed as affecting any authority or obligation of a Federal agency to disclose any record or information that the Federal agency obtains from a public transportation agency under any other Federal law."205

The security assistance program established under the NTSSA allows both capital and operating use of funding, with all funding to be awarded solely to address items included in a security assessment or to further a security plan.206 Agencies that receive such funding must develop training programs as specified under the statute.207

The NTSSA also contains a provision covering security background checks of public transportation employees and contractors.208 The provision sets parameters for DHS guidance on background checks and requires DHS regulation on background checks to provide a redress process and prohibit specified adverse actions based on the background checks. In addition, the statute and its implementing regulation prohibit public transportation agencies from knowingly making false statements to employees concerning security background checks.209

Footnotes:

203 Section 1404, National Strategy for Public Transportation Security, codified at 6 U.S.C. 1133.

204 Section 1405, Security assessments and plans, codified at 6 U.S.C. 1134. The statute prohibits requiring security plans under 1405 from public transportation agencies not receiving grants under 1406 of the Act, although the exemption may be waived for high-risk agencies with appropriate notification to Congress.

205 Section 1405(h)(2), codified as 6 U.S.C. 1134(h)(1).

206 Section 1406, Public transportation security assistance, codified at 6 U.S.C. 1135. Subsection (b) provides that allowable uses of funds under this section are as follows:
(1) Capital uses of funds, including--
(A) tunnel protection systems;
(B) perimeter protection systems, including access control, installation of improved lighting, fencing, and barricades;
(C) redundant critical operations control systems;
(D) chemical, biological, radiological, or explosive detection systems, including the acquisition of canines used for such detection;
(E) surveillance equipment;
(F) communications equipment, including mobile service equipment to provide access to wireless Enhanced 911 (E911) emergency services in an underground fixed guideway system;
(G) emergency response equipment, including personal protective equipment;
(H) fire suppression and decontamination equipment;
(I) global positioning or tracking and recovery equipment, and other automated-vehicle-locator-type system equipment;
(J) evacuation improvements;
(K) purchase and placement of bomb-resistant trash cans throughout public transportation facilities, including subway exits, entrances, and tunnels;
(L) capital costs associated with security awareness, security preparedness, and security response training, including training under section 1408 and exercises under section 1407;
(M) security improvements for public transportation systems, including extensions thereto, in final design or under construction;
(N) security improvements for stations and other public transportation infrastructure, including stations and other public transportation infrastructure owned by State or local governments; and
(O) other capital security improvements determined appropriate by the Secretary.
(2) Operating uses of funds, including--
(A) security training, including training under section 1408 and training developed by institutions of higher education and by nonprofit employee labor organizations, for public transportation employees, including frontline employees;
(B) live or simulated exercises under section 1407;
(C) public awareness campaigns for enhanced public transportation security;
(D) canine patrols for chemical, radiological, biological, or explosives detection;
(E) development of security plans under section 1405;
(F) overtime reimbursement including reimbursement of State, local, and tribal governments, for costs for enhanced security personnel during significant national and international public events;
(G) operational costs, including reimbursement of State, local, and tribal governments for costs for personnel assigned to full-time or part-time security or counterterrorism duties related to public transportation, provided that this expense totals no more than 10 percent of the total grant funds received by a public transportation agency in any 1 year; and
(H) other operational security costs determined appropriate by the Secretary, excluding routine, ongoing personnel costs, other than those set forth in this section.

207 Section 1408, Public transportation security training program, codified at 6 U.S.C. 1137.

208 Section 1414, Security Background Checks of Covered Individuals for Public Transportation, Pub. L. No. 110-53, 121 Stat. 419, codified at 6 U.S.C. 1143.

209 6 U.S.C. 1143(e); 49 C.F.R. pt. 1570; Department of Homeland Security, Transportation Security Administration, Interim Final Rule, False Statements Regarding Security Background Check, Fed. Reg. 73, No. 148, 44665, July 31, 2008, http://edocket.access.gpo.gov/2008/pdf/E8-17515.pdf.

2. Federal Agencies

The DHS, TSA, USDOT, and FTA have issued rulemakings and guidance related to CII and SSI that are applicable, either directly or by analogy, to treatment of security information in competitive bidding. This section discusses these federal activities on an agency-by-agency basis.

DHS/TSA.--DHS has issued several rulemakings related to CII and SSI. The first was the final rule that transferred aviation security authority from FAA to TSA. The second related to the PCII Program. The third related to SSI procedures. Those aspects of the rulemakings most relevant to the arena of competitive bidding are summarized here. Nonregulatory activities that may prove helpful in developing policies for handling security information in the competitive bidding context are also addressed.

Transfer of aviation security authority:210 Under the rule, the then-Under Secretary (now TSA Administrator) has authority for determining what information is SSI and what persons are required to protect it, while the modal administrators are responsible for protecting the information. The rule expands the persons responsible for protecting SSI beyond the universe covered by 14 C.F.R. 191.5 because the rule covers each person for which a vulnerability assessment has been "authorized, approved, or funded by DOT, irrespective of mode of transportation."211

CII: DHS issued a notice of proposed rulemaking (NPRM) on establishing procedures to implement Section 214 of the HSA in April 2003. DHS issued an interim final rule (IFR) the following year. In the notice promulgating the IFR, DHS stated that in the case of information that qualified as both CII and SSI, federal employees must comply with the more stringent CII requirements. However, the department noted:

In practice, the situations in which information constitutes both SSI and Protected CII may be limited. For the most part, information that is SSI is created by TSA or is required to be submitted to TSA or to another part of the Federal government. Therefore, it ordinarily will not be voluntarily submitted, which is a required element for Protected CII designation. In addition, SSI might or might not relate to critical infrastructure assets.212

In addition, the notice made clear that while the regulation covers information that DHS did not exercise legal authority to obtain even if it was involuntarily submitted to other agencies, submission of such information to DHS does not affect the obligation of such other federal agencies to disclose the information submitted to them.213 DHS rejected comments requesting that the regulation provide for segregating submitted information so that only information absolutely necessary to protect critical infrastructure is withheld.214

The CII regulation was amended in 2006 when DHS issued a final rule amending the 2004 IFR. The final rule's procedures apply to "all Federal, State, local, and tribal government agencies and contractors that have access to, handle, use, or store critical infrastructure information that enjoys protection under the Critical Infrastructure Information Act of 2002."215 DHS noted that it had added a definition of "in the public domain" to the final rule, drawing in part on the statutory language and adding "information regarding systems, facilities, or operational security, or that is proprietary, business sensitive, or which might be used to identify a submitting person or entity."216 DHS rejected comments that called for excluding from the definition of "voluntary" information submitted to other federal agencies pursuant to their legal authority.217 Thus information that otherwise meets the definition of CII, is required to be submitted to another agency, and is voluntarily submitted to DHS must still be treated as CII by DHS and any entity to which DHS discloses the information. However, it appears that if information is submitted to another agency, that agency need not treat the information as confidential, even if the information is identical to information submitted to DHS as CII.218

DHS again rejected comments requiring what it terms "portion marking" (segregating CII and non-CII) and extended CII protection to "any information, statements or other material reasonably necessary to explain the CII, put the CII in context, or describe the importance or use of the CII."219 DHS highlighted criminal and administrative penalties for unauthorized release of information.220 In addition, DHS eliminated two criteria for allowing a loss of protected status: The fact that the information "is publicly available through legal

210 Department of Transportation, Federal Aviation Administration, Transportation Security Administration, Civil Aviation Security Rules, Fed. Reg. 67, No. 36, 8340, Feb. 22, 2002, http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=2002_register&docid=02-4081-filed.pdf.
211 Id. at 8342.
212 Department of Homeland Security, Office of the Secretary, Interim Final Rule, 6 C.F.R. pt. 29, Procedures for Handling Critical Infrastructure Information, Fed. Reg. 69, No. 34, 8074, 8076, Feb. 20, 2004, http://edocket.access.gpo.gov/2004/pdf/04-3641.pdf.
213 Id.
214 Id. at 807879.
215 Department of Homeland Security, Office of the Secretary, Final Rule, 6 C.F.R. pt. 29, Procedures for Handling Critical Infrastructure Information, Fed. Reg. 71, No. 170, 52262, Sept. 1, 2006, http://edocket.access.gpo.gov/2006/pdf/06-7378.pdf. See STEVENS & TATELMAN, supra note 34, at CRS-1819.
216 Id. at 5226263.
217 Id.
218 Nicholas Bagley, Benchmarking, Critical Infrastructure Security, and the Regulatory War on Terror, 43 HARV. J. ON LEGISLATION 47, 68 (2006), at 57 (citing 6 C.F.R. 29.3(a) (2005)).
219 Department of Homeland Security, Office of the Secretary, Final Rule, 6 C.F.R. pt. 29, Procedures for Handling Critical Infrastructure Information, Fed. Reg. 71, No. 170, 52262, 52264, Sept. 1, 2006, http://edocket.access.gpo.gov/2006/pdf/06-7378.pdf.
220 Id. at 52267.

means" was deleted because this was not a basis under the CIIA. The fact that DHS requires the information was rejected as a basis for allowing a loss of protected status because DHS interprets the definition of voluntary to be retrospective only.221 Finally, DHS clarified that contractors of state and local governments can receive CII under the same conditions as federal contractors, i.e., engaged in the performance of services in support of the purposes of the CIIA, with strict limitations on further disclosure of the information.222

SSI Interim Final Rule:223 In 2004 DHS issued an IFR on SSI, which promulgated identical regulatory standards for USDOT and TSA under 49 C.F.R. Parts 15 and 1520.224 The rule was intended to extend the protection of aviation SSI to maritime SSI generated pursuant to the Maritime Transportation Security Act of 2002.225 The Federal Register notice described the rules as requiring employees, contractors, grantees, and agents of both departments to follow the rules' SSI requirements.226 The notice stated that the rule largely incorporated the substance of the existing regulation, but streamlined and consolidated some provisions and expanded others. For example, the IFR expanded the definition of vulnerability assessment.227 Under this expanded definition, if a covered person creates a vulnerability assessment at his or her own initiative, but intends to provide the vulnerability assessment to USDOT or DHS in support of a federal security program, the vulnerability assessment is SSI.228 The interim rule also:

• Introduced the concept of "covered person."229
• Designated contract proposals and attendant negotiations for grants and contracts to the extent that the subject matter relates to specific aviation or maritime transportation security measures.230
• Clarified that the agency may determine that information is not SSI, even though it might appear to be covered by one of the regulatory categories. Is applicable in particular when due to changes in circumstances information is no longer sensitive.231
• Added marking requirements for SSI.232
• Clarified that if information is both CII and SSI, any covered person who is a federal employee must comply with the more restrictive CII requirements.233
• Added provisions describing when federal employees and contractors have need to know SSI.234
• Added a provision permitting TSA/Coast Guard to require security background check and imposition of safeguard requirements/procedures before providing SSI.235
• Added provisions allowing the department to authorize conditional disclosure of specific records and making clear that such disclosures are not public releases of information for FOIA purposes.236
• Added a provision governing required destruction of SSI, which allows state and local government agencies to preserve information required to be preserved under state or local law.237

Although the IFR established a broad category of covered persons, TSA noted that persons who fell within the coverage but did not have possession of SSI would not have to meet the disclosure restrictions of 49 C.F.R. 1520.9.238 The notice made clear that records that contain SSI and non-SSI may be segregated, with the non-SSI disclosed, provided that the non-SSI is not

221 Id. at 52265.
222 Id. at 5226869.
223 See MITCHEL A. SOLLENBERGER, SENSITIVE SECURITY INFORMATION (SSI) AND TRANSPORTATION SECURITY: BACKGROUND AND CONTROVERSIES, CRS Report to Congress (2004), www.fas.org/sgp/crs/RS21727.pdf.
224 Department of Transportation, Office of the Secretary, Department of Homeland Security, Transportation Security Administration, Interim Final Rule, Protection of Sensitive Security Information, Fed. Reg. 69, No. 96, 28066, May 18, 2004, http://edocket.access.gpo.gov/2004/pdf/04-11142.pdf.
225 Pub. L. No. 107-295, 116 Stat. 2064, Nov. 25, 2002. See also Department of Homeland Security, Coast Guard, Final Rule, Vessel Security, Fed. Reg. 68, No. 204, 60483, Oct. 22, 2003; Department of Homeland Security, Coast Guard, Final Rule, Facility Security, Fed. Reg. 68, No. 204, 60515, Oct. 22, 2003.
226 Department of Transportation, Office of the Secretary, Department of Homeland Security, Transportation Security Administration, Interim Final Rule, Protection of Sensitive Security Information, Fed. Reg. 69, No. 96, 28066, May 18, 2004, http://edocket.access.gpo.gov/2004/pdf/04-11142.pdf.
227 Id. at 28070, 28079, 28082. Before the interim final rule, vulnerability assessment was defined as "any examination of a transportation system, vehicle, or facility to determine its vulnerability to unlawful interference." As revised under the final rule, the definition became: any review, audit, or other examination of the security of a transportation infrastructure asset; airport; maritime facility, port area, vessel, aircraft, train, commercial motor vehicle, or pipeline, or a transportation-related automated system or network, to determine its vulnerability to unlawful interference, whether during the conception, planning, design, construction, operation, or decommissioning phase. A vulnerability assessment may include proposed, recommended, or directed actions or countermeasures to address security concerns. 49 C.F.R. 15.3, 1520.3.
228 Department of Transportation, Office of the Secretary, Department of Homeland Security, Transportation Security Administration, Interim Final Rule, Protection of Sensitive Security Information, Fed. Reg. 69, No. 96, 28066, 28071, May 18, 2004, http://edocket.access.gpo.gov/2004/pdf/04-11142.pdf.
229 Id.
230 Id. at 28072.
231 Id.
232 Id. at 28074.
233 Id.
234 Id.
235 Id.
236 Id. at 28075.
237 Id.
238 Id. at 28074.

otherwise properly exempt from disclosure.239 This assertion is somewhat undercut by the statement "if it is impractical to redact the requested information from the record, the entire record is withheld."240 The IFR did not address the issue of establishing that specific material constitutes SSI, as the rule deems categories of information to be SSI.

A number of parties filed comments in response to the request for comments to the IFR. Although TSA did not respond to the comments, some of the comments illuminate issues of interest in handling SSI in competitive bidding situations.

Some commenters urged expanded coverage. For example, the Port Authority of New York and New Jersey241 asked that the definition of covered person be expanded to facilitate information sharing with other governmental entities and that modes such as rail and bus transportation be explicitly covered as well. The Massachusetts Port Authority (Massport)242 specifically requested that the regulations provide authority similar to that in Section 15.11(b)(2) for public agencies to share SSI with bidders and contractors, rather than requiring the agencies to rely on subparagraphs 15.11(a)(1) and (a)(4). Massport also recommended expanding specifications under Section 15.5(b)(4).

The Coalition of Journalists for Open Government (CJOG)243 commented that the rule would result in too much information being designated SSI. CJOG specifically raised the concern that local and state officials may be required to deny access to records that would otherwise be available under state and local open records requirements. Other CJOG points relevant to procurement include the following recommendations:

• The regulation require that limited numbers of trained individuals be assigned to designate SSI.
• The regulation provide criteria for SSI designation.
• Lists of infrastructure assets submitted by state and local government agencies not be automatically deemed SSI without some evaluation of whether the assets have some relation to security.
• Records that deal with contracts, public funding, and operational issues that implicate accountability issues be subject to special review.
• The regulation adopt the Department of Justice's (DOJ) standard of withholding nonexempt information along with exempt information only if the two are "inextricably intertwined."

CJOG cautioned that allowing the government to designate "other information" as SSI was an invitation to abuse, particularly given the potentially large number of people allowed to designate SSI. The comment also expressed concern that the requirements for marking SSI did not call for segregating non-SSI, thereby effectively sealing off entire documents regardless of security implications.

The Silha Center for the Study of Media Ethics and Law also commented on the dangers of over-designating information as SSI. Specifically the center argued that the IFR should be modified to more narrowly define SSI, reduce the scope of "covered persons" to those actually having access to SSI, and to require the review of SSI after a set time, potentially declassifying rather than destroying it. Moreover, the center took the position that to prevent over-withholding of information, information should be reviewed to determine whether its disclosure presents an actual danger to transportation security, rather than automatically conferring SSI designation on classes of information. In addition, the center argued against labeling an entire record SSI when only a portion of the record actually contains SSI. In particular, the center argued against allowing the IFR to trump state disclosure laws by requiring the withholding of information the release of which has not been shown to cause substantial harm to transportation safety.244

In 2005 DHS issued a correction to the IFR, eliminating "aviation or maritime" from 49 C.F.R. 15.11 and 49 C.F.R. 1520.11 to make clear that regardless of mode, vulnerability assessments and other documents properly designated as SSI may be shared with covered persons who meet the need to know requirements.245

Rail Security Rule:246 In December 2006, TSA issued an NPRM for Rail Transportation Security.247 Much of the notice related to security inspections, but the notice also proposed clarifications to SSI requirements. TSA noted that the proposed rule was consistent with the Memorandum of Understanding executed between DHS and USDOT248 to ensure collaboration as required under Homeland Security Presidential Directive 7.249 The no-

239 Id. at 28075.
240 Id. at 28074.
241 TSA-2003-15569-0011. Accessible from www.regulations.gov/search/Regs/home.html#docketDetail?R=TSA-2003-15569.
242 Id. at 15569-0020.
243 Id. at 15569-0010.
244 Comments of the Silha Center for the Study of Media Ethics and Law on Interim Final Rule, Protection of Sensitive Security Information, July 16, 2004, TSA-2003-15569-0013, www.regulations.gov/search/Regs/home.html#documentDetail?R=0900006480313ddb (accessed Sept. 10, 2009).
245 Protection of Sensitive Security Information; Technical Amendment, 70 Fed. Reg. 1379 (Jan. 7, 2005), http://edocket.access.gpo.gov/2005/pdf/05-366.pdf.
246 49 C.F.R. pts. 1520 and 1580.
247 Department of Homeland Security, Transportation Security Administration, Proposed Rule, Rail Transportation Security, Fed. Reg. 71, No. 245, 76852, Dec. 21, 2006, http://edocket.access.gpo.gov/2006/pdf/E6-21512.pdf.
248 Memorandum of Understanding Between the Department of Homeland Security and the Department of Transportation on Roles and Responsibilities, Sept. 2004. Accessed Sept. 13, 2009, at www.dot.gov/ost/ogc/DHS-DOT.PDF.
249 Homeland Security Presidential Directive 7: Critical Infrastructure Identification, Prioritization, and Protection (HSPD7), Dec. 17, 2003,

tice made clear TSA's position that although 49 C.F.R. Part 1520 primarily relates to aviation and maritime security information, vulnerability assessments and threat assessments for all modes of transportation are considered SSI.250 TSA proposed to extend the definition of covered persons to include rail transit systems, explicitly requiring them to restrict "distribution, disclosure, and availability of SSI to persons with a need to know, and refer all requests for SSI by other persons to TSA or the applicable component or agency within DOT or DHS."251 In addition, TSA proposed to clarify that "any review, audit, or other examination of the security" of a rail transit system or facility "that is directed, created, held, funded, or approved by DOT or DHS, or that will be provided to DOT or DHS in support of a Federal security program, is SSI." TSA also proposed to extend coverage to specific details of rail transportation security measures, security training materials for those carrying out rail transportation security measures required or recommended by DHS or USDOT, and lists identifying critical rail infrastructure assets. TSA also sought comment on whether it should protect as SSI "any other information that may be created under this rule."252 TSA noted that the training materials contain descriptions of security measures that could be used by terrorists to defeat security procedures. In addition, while TSA proposed to expand the lists of critical infrastructure assets to include rail transportation, the information would only be covered if it is prepared by DHS or USDOT or prepared by a state or local government agency and submitted to DHS or USDOT.253

While most of the transit comments related to concerns about unannounced inspections and other operational requirements, a number of the comments related to SSI. The Oregon DOT commented that the expansion of the "need to know" requirement raises issues concerning the need for states to access information now required under partnership programs with the Federal Railroad Administration and FTA.254 Chicago also suggested that the rule should specify that state and local governments have access to SSI.255 New Jersey asked that rail security information be accorded "enhanced" protection status.256 The City of Cleveland suggested that the rule require employees of covered entities to undergo background investigations, using a federally-established list of disqualifying crimes in hiring.257 The Texas258 and Florida259 DOTs also raised concerns that the proposed requirements for SSI would inhibit exchange of information with state oversight agencies.

On the other hand, CJOG raised concerns that the rule would result in a vast range of information about rail and transit management and operations being shielded from public view, eliminating public oversight. In particular, CJOG questioned the fact that the proposed rule would allow the operators to determine what information is included in vulnerability assessments and automatically treated as SSI, potentially resulting in the withholding of information traditionally disclosed at the state and local level. CJOG suggested that TSA narrow the definition of SSI and review filings and identify information that does not warrant protection. Finally, CJOG advocated for sunsetting the SSI designation, subject to potentially extending the protection for specific information for which, based on subsequent review, further withholding was deemed necessary.260

In November of 2008, TSA issued the final rule.261 TSA made two changes to the NPRM provisions on SSI.262 First, TSA added rail to the categories of research and development information protected under 49 C.F.R. 1520.5(b)(15). Second, TSA added state, local,

249 (continued) www.dhs.gov/xabout/laws/gc_1214597989952.shtm#1. HSPD7 required the Secretary of DHS to coordinate protection activities for specified critical infrastructure sectors, including mass transit.
250 Department of Homeland Security, Transportation Security Administration, Proposed Rule, Rail Transportation Security, Fed. Reg. 71, No. 245, 76852, 76862, Dec. 21, 2006, http://edocket.access.gpo.gov/2006/pdf/E6-21512.pdf.
251 Id.
252 Id.
253 Id. at 76867.
254 Oregon Department of Transportation, Kelly Taylor, Rail Division Administrator, Feb. 20, 2007, at 3, TSA-2006-26514-0095, www.regulations.gov/search/Regs/home.html#documentDetail?R=09000064802aa82c.
255 Chicago Department of Transportation, Cheri Heramb, Acting Commissioner, Jan. 15, 2007, TSA-2006-26514-0038, www.regulations.gov/search/Regs/home.html#documentDetail?R=09000064802aa7e6.
256 New Jersey Office of Homeland Security & Preparedness, Richard L. Canas, Director, Feb. 20, 2007, at 2, TSA-2006-26514-0072, www.regulations.gov/search/Regs/home.html#documentDetail?R=09000064802aa810.
257 Shirley A. Tomasello, Assistant Law Director, Department of Law, City of Cleveland, Feb. 16, 2007, at 7, TSA-2006-26514-0067, www.regulations.gov/search/Regs/home.html#documentDetail?R=09000064802aa80a.
258 Texas Department of Transportation, Michael W. Behrens, P.E., Executive Director, Feb. 20, 2007, TSA-2006-26514-0078, www.regulations.gov/search/Regs/home.html#documentDetail?R=09000064802aa815.
259 Florida Department of Transportation, Mike Johnson, Administrator, Transit Operations, Feb. 1, 2007, TSA-2006-26514-0012, www.regulations.gov/search/Regs/home.html#documentDetail?R=09000064802aa7c5.
260 Coalition of Journalists for Open Government, Pete Weitzel, Feb. 20, 2007, TSA-2006-26514-0053, www.regulations.gov/search/Regs/home.html#documentDetail?R=09000064802aa7fb.
261 Department of Homeland Security, Transportation Security Administration, Final Rule, Rail Transportation Security, Fed. Reg. 73, No. 229, 72130, Nov. 26, 2008, http://edocket.access.gpo.gov/2008/pdf/E8-27287.pdf.
262 Id. at 72134.

and tribal government employees, contractors, and grantees to the list under 49 C.F.R. 1520.11(b) of persons with a potential need to know SSI. In its response to comments, TSA reiterated: "TSA does not intend to protect information as SSI that would not be detrimental to transportation security if publicly disclosed."263

Directives: TSA has issued a number of directives that provide guidance on managing SSI. These directives are not publicly available,264 and so are not summarized here. Transit agencies should be able to obtain them directly from TSA.

Guidance: DHS has issued guidance for public transportation agencies on conducting background checks.265 DHS suggests that transit agencies may use criminal background checks for employees and contract workers with unmonitored access to designated critical infrastructure. DHS suggests that in structuring those requirements, the agencies look to the federal security requirements for hazardous material drivers and port transportation workers.266 DHS also suggests that transit agencies consider using the Social Security Number Verification System and the Systematic Alien Verification for Entitlements database to determine a noncitizen's immigration status, as well as periodically reinvestigating employees and contractors, "particularly those with access to sensitive information or security critical facilities."267

Nonregulatory activity: DHS/TSA nonregulatory activity may provide models for transit authorities in controlling access to security information. Two activities may be of particular interest. First, DHS requires its employees and contractors to sign nondisclosure agreements (NDAs), prohibiting them from disclosing a wide range of sensitive but unclassified information to the public.268 The scope of those NDAs was challenged.269 Second, TSA has implemented a process for conducting SSI Access Threat Assessments.270 These threat assessments are conducted on any persons seeking access to SSI for use in a civil proceeding under Section 525(d) of the Department of Homeland Security Appropriations Act of 2007, supra. The assessments include a fingerprint-based Criminal History Records Check and a name-based check against terrorism and other databases to determine "whether the individual poses or is suspected of posing a threat to transportation or national security."271 TSA provides a Privacy Act notice to each party seeking access to SSI for civil court proceedings to obtain informed consent before TSA conducts the threat assessment. TSA notifies covered individuals if the agency determines, based on the threat assessment, that the individuals are not eligible to access particular SSI. The individuals may then appeal the decision, including making requests to correct errors in the individuals' records.

USDOT--USDOT has issued several rulemakings related to SSI. The first was the final rule that transferred aviation security authority from FAA to TSA. The second was the series of rulemaking related to SSI procedures.

Transfer of aviation security authority: See discussion under DHS/TSA, supra.

Protection of SSI regulation: The USDOT regulation, issued jointly with the TSA regulation, was virtually identical to the TSA regulation. See discussion under DHS/TSA, supra.

FTA--Regulations, circulations, and guidance issued by FTA cover documentation related to various transit security plans and designs. Such documentation clearly raises FOIA/SSI issues; to the extent that contractors are involved in either preparing or executing the plans and designs, procurement security is also implicated. This section discusses guidance related, directly or indirectly, to SSI and other security documentation; security-related circulars and regulations for major capital investments and fixed rail; grant requirements and recommendations related to security procurements; and third party contracting security requirements.

General Document Control Guidance: Following the events of 9/11, FTA issued general guidance concerning document control measures that transit agencies should undertake for security critical systems and facilities. These measures included maintaining an appropriate level of security around plans and designs of operating and maintenance facilities and infrastructure (e.g., tunnels, bridges, electrical substations), and maintain-

263 Id. at 72147.
264 49 C.F.R. Part 659 Reference Guide, June 22, 2005, at 27, http://transit-safety.volpe.dot.gov/publications/sso/49CFRPart659_FinalRule/49CFR659_Reference_Guide.pdf (accessed Sept. 15, 2009).
265 Additional Guidance on Background Checks, Redress and Immigration Status, www.tsa.dhs.gov/assets/pdf/guidance_employee_background_checks.pdf.
266 Disqualifying crimes applicable to hazardous material drivers and transportation workers at ports: 49 C.F.R. 1572.103; appeal and waiver process: 49 C.F.R. pt. 1515.
267 Additional Guidance on Background Checks, Redress and Immigration Status, www.tsa.dhs.gov/assets/pdf/guidance_employee_background_checks.pdf.
268 PATRICE MCDERMOTT, WHO NEEDS TO KNOW?: THE STATE OF PUBLIC ACCESS TO FEDERAL GOVERNMENT INFORMATION 135 (2007); Spencer S. Hsu, Homeland Security Employees Required to Sign Secrecy Pledge, WASH. POST, Nov. 16, 2004, at A23, www.washingtonpost.com/wp-dyn/articles/A52977-2004Nov15.html (accessed Mar. 4, 2009); Department of Homeland Security Non-Disclosure Agreement, www.tsa.gov/assets/pdf/NDA_v2.pdf. See App. F, infra.
269 Unions Challenge Department of Homeland Security Non-Disclosure Agreement, CANADIAN DIMENSION 39.1 (Jan.Feb. 2005), at 8(2); Hsu, supra note 268.
270 Dep't of Homeland Security, Privacy Impact Assessment for Threat Assessments for Access to Sensitive Security Information for Use in Litigation, Dec. 28, 2006, www.dhs.gov/xlibrary/assets/privacy/privacy_pia_tsa_ssi.pdf (accessed Sept. 23, 2009).
271 Id. at 4.

ing an appropriate level of security around documentation for security detection systems.272

Designation, Marking, and Control of SSI:273 FTA's SSI guidance was issued with the express purpose of helping transit agencies to prevent "the unauthorized disclosure or dissemination of SSI while preserving the public's 'right to know' about transit systems and operations."274 Under this guidance document, FTA defines transit SSI as "any information or record whose disclosure may compromise the security of the traveling public, transit employees, or transit infrastructure," including "data, documents, engineering drawings and specifications, and other records whose disclosure could increase the agency's risk of harm."275 The types of records that apply to transit agencies are identified:276

• Security programs and contingency plans issued, established, required, received, or approved by USDOT or DHS.
• Vulnerability assessments that are directed, created, held, funded, or approved by USDOT or DHS, or that will be provided to either agency in support of a federal security program.
• Threat information held by the federal government concerning transportation, transportation systems, and cyber infrastructure, including sources and methods used to gather or develop the information.

Both the TSA Administrator and the Secretary of USDOT may determine that additional information constitutes SSI.

In addition to appropriately handling the SSI listed above, the transit agency is advised to review the following records for SSI:277

• Security program plans and procedures that include vulnerability records or specific tactics for security operations.
• Security contingency plans and records.
• Records that reveal system or facility vulnerabilities (e.g., maps, detailed facility drawings, detailed action items from drills and exercises).

According to the guidance, if a portion of a document is SSI, the entire document must be controlled as SSI, and can only be released if the SSI is redacted.278 If the SSI is placed in an appendix that can be separated from the rest of the document, the remainder of the document can be more widely distributed once the appendix is redacted.279 This approach clearly applies to contract documents.

The guidance suggests a two-step process under which employees who may generate SSI are knowledgeable enough to recognize potential SSI and to refer it to the employee or committee designated to make SSI determinations for the agency. Making the determination that information could be SSI requires consideration of the agency's threat environment, the public's need to know the information, the availability of similar information from other sources, and the utility of the information to someone intent on causing harm.280 For example, procurement personnel should be sufficiently knowledgeable about SSI requirements to understand when to refer material to the SSI employee/committee and how to structure contract documents that relate to SSI. The FTA's examples of SSI and non-SSI are included as Appendix F, infra.

Any information that is determined to be SSI must be marked to warn that the information is controlled and may only be distributed to persons with a need to know. The guidance provides the mandatory advisory marking, including the required language to use.281 Only a covered person with a need to know may access SSI. "Need to know" includes requiring the SSI to perform official duties pursuant to a contract or grant. "Covered person" includes the following four categories applicable to transit agencies:282

• Persons who have access to SSI.
• Persons employed by, contracted to, or acting for a covered person, including a grantee of DHS or USDOT, and persons formerly in such a position.
• Persons for whom a vulnerability assessment has been directed, created, held, funded, or approved by the USDOT or DHS, or who have prepared a vulnerability assessment that will be provided to either agency in support of a federal security program.
• Persons receiving SSI.

FTA advises that transit agencies establish rules for disseminating SSI to contractors and suggests controlling access by using prequalification, including nondisclosure forms; maintaining secure locations for review of SSI; and covering SSI handling in contracts, including "use, storage, reproduction, dissemination, and return, both on and off of transit property."283

272 TSA/FTA Security and Emergency Action Items for Transit Agencies, Document Control, Items 15 and 16, http://transit-safety.volpe.dot.gov/security/SecurityInitiatives/ActionItems/actionlist.asp#Document_Control; FED. TRANSIT ADMIN., U.S. DEP'T OF TRANSP., FY 2009 TRIENNIAL REVIEW WORKSHOPS WORKBOOK 1913, www.fta.dot.gov/documents/FY2009_TriennialReview_Workbook.pdf; TRANSTECH MANAGEMENT, INC., supra note 1, at chs. 2, 3, and Appendices.
273 CHANDLER, SUTHERLAND, & ELDREDGE, supra note 164, at 3.
274 Id. at 1.
275 Id. at 3.
276 Id. at 5.
277 Id.
278 Id. at 8.
279 Id. at 5.
280 Id. at 78.
281 Id. at 10.
282 Id. at 1112.
283 Id. at 13.

The following points concerning SSI control284 will apply to bid/contract SSI:

- SSI must be stored securely. If possible, the SSI should be stored by the owner or originator.
- When SSI is in use, the custodian, if required to suspend work temporarily, must secure the records.
- Reproduction must be kept to the minimum required for agency business, with copies protected as the originals.
- Transmission must protect against unauthorized disclosure.
- Return of SSI must be assured.
- Destruction must be by a method that precludes recognition or reconstruction.
- Employees and contractors likely to handle SSI should be trained on handling requirements.

FTA Circular 5800.1: Under 49 U.S.C. 5327(a), applicants and recipients of major capital project funding must address safety and security management as part of their project management plan. FTA has implemented this statutory mandate by issuing guidance that calls on recipients to prepare a Safety and Security Management Plan (SSMP) as part of the project management plan required by 49 U.S.C. 5327(a).285 Chapter II of FTA Circular 5800.1 includes the following provisions:

- Establishing a program that identifies and assesses security vulnerabilities throughout the project development process.
- Establishing a process for documenting and tracking actions taken to address the vulnerability assessment.
- Establishing security requirements for the project, based on applicable safety and security codes, guidelines, and standards established by government agencies and industry associations.
- Developing documentation to convey security rules and procedures for the project to employees, contractors, and oversight agencies. Documents may include security plans, as well as operating and maintenance procedures and manuals.
- Establishing qualifications and training programs for operating and maintenance personnel, which programs must address security elements.
- Identifying any security analyses contractors must perform for the construction site.

Section 2, Chapter IV, of the circular provides that the SSMP include procedures for managing SSI. Contracting out any of the activities provided for under Chapter II or the development of procedures required under Chapter IV could have ramifications for procurement security.

Chapter II of Circular 5800.1 expressly addresses protection of SSI. Recipients with major capital projects covered by 49 C.F.R. Part 633 are directed to document or reference their procedures for managing SSI in the SSMP, which procedures are expected to extend to their project contractors. In addition, any SSI submitted to FTA and project management oversight contractors during the project management oversight process will be exempt from disclosure under FOIA.286 Finally the circular directs the recipient to have SSI handling procedures.287

Although SSMPs are required by law only for major capital investment projects, FTA encourages all transit systems to develop transit system security program plans. Such plans are also considered SSI. FTA's Triennial Review contractors may only examine them on site at the time of the Triennial Review.288

State Safety Oversight of Rail Fixed Guideway Systems:289 The regulation requires transit agencies to develop system security plans for rail fixed guideway systems and state oversight agencies to review those plans. The plans must contain five elements,290 which may include SSI:

- Identification of policies, goals, and objectives for the security program.
- Documentation of the rail transit agency's threat and vulnerability process.
- Identification of controls in place that address the personal security of passengers and employees.
- Documentation of the agency's process for conducting internal security reviews to evaluate compliance and measure effectiveness of the system security plan.
- Documentation of the agency's process for making its system security plan and accompanying procedures available to the oversight agency for review and approval.

284 Id. at 1517.
285 Safety and Security Management for Major Capital Projects: Notice of Final Circular, 72 Fed. Reg. 34339 (June 21, 2007), http://edocket.access.gpo.gov/2007/pdf/E7-11970.pdf; FTA Circular 5800.1, Safety and Security Management Guidance for Major Capital Projects (Aug. 1, 2007), www.transportation.org/sites/scopt/docs/FTA%20C%205800%201%20-%20FINAL%20Safety%20and%20Security%20Management%20Plan-1.pdf. See also Frequently Asked Questions, http://transit-safety.volpe.dot.gov/publications/security/Safety%20%20Security%20frequent%20questions.pdf.
286 FTA Circular 5800.1, II.4, at II-5.
287 FTA Circular 5800.1, IV.2.b., at IV-2. See also FED. TRANSIT ADMIN., supra note 272, at 19-7, noting requirement to review security and emergency management plans.
288 FED. TRANSIT ADMIN., supra note 272, at 19-7.
289 49 U.S.C. 5330; 49 C.F.R. pt. 659, Rail fixed guideway systems; State safety oversight, www.access.gpo.gov/nara/cfr/waisidx_08/49cfr659_08.html; 49 C.F.R. Part 659 Reference Guide, http://transit-safety.volpe.dot.gov/publications/sso/49CFRPart659_FinalRule/49CFR659_Reference_Guide.asp.
290 49 C.F.R 659.23, System security plan: contents.

The requirements governing state oversight of the security of rail fixed guideway systems through designated oversight agencies do raise confidentiality issues concerning the state agency's handling of security plans, for example if such plans are considered public records under state public records law. The regulation does not require public availability of the system security plan;291 does require the oversight agency to explain how it will protect the system security plan from public disclosure;292 and authorizes the oversight agency to prohibit a transit agency from publicly disclosing the system security plan.293 FTA recommends that the oversight agency only take possession of a system security plan if the agency can maintain the plan's confidentiality under state sunshine laws.294 As FTA notes in its Part 659 guidance, the review of system security plans must comply with 49 C.F.R. Part 1520.295 According to FTA guidance, the process required under Section 659.23(e) must be documented "according to procedures established to prevent public disclosure of these materials."296 These oversight requirements also raise procurement concerns if a state contracts out its oversight responsibilities or if a transit agency contracts out the development297 or review of its systems security plan.298

Procurement of Security-Related Goods and Services: There are a number of grant requirements and FTA recommendations that result in transit agencies procuring security-related goods and services and having to manage information related to those procurements. For example, recipients of Urbanized Area Formula Grants must certify annually that they are spending 1 percent of Urbanized Area Formula Grant Program funds on security projects or that those projects are not necessary.299 Eligible projects under 49 U.S.C. 5307 include increased lighting, increased camera surveillance, providing emergency telephone lines, and "any other project intended to increase the security and safety of an existing or planned public transportation system."300 FTA guidance provides the following more specific examples of appropriate security expenditures: "facility perimeter security and access control systems (e.g., fencing, lighting, gates, card reader systems, etc.), closed circuit television camera systems (at stations, platforms, bus stops and on-board vehicles), security and emergency management planning, training and drills."301 Agencies may also expend funds to purchase explosive detection equipment. For example, the New York Police Department, which conducts random passenger searches on the New York City subway system, has purchased hand-held devices that can be used "to detect and identify explosives, chemical warfare agents, and toxic industrial chemicals."302

Third Party Contracting Security Requirements: Grant recipients are generally responsible for extending federal requirements to third party contractors.303 While this alone might be sufficient to require grant recipients to require SSI protection from their contractors, SSI requirements are specifically referenced in FTA's third party contracting circular: third party contractors must protect SSI to ensure compliance with the DHS/USDOT statutes and implementing regulations discussed earlier. This requirement includes taking measures to ensure that subcontractors at each tier protect SSI in accordance with applicable law and regulation.304

Both the common grant rule and FTA's authorizing legislation305 require third party procurement procedures that require full and open competition. This requirement covers prequalification,306 a method that may

291 49 U.S.C. 659.11, Confidentiality of investigation reports and security plans.
292 49 C.F.R. 659.15(b)(9).
293 49 C.F.R. 659.21(b).
294 49 C.F.R. Part 659 Reference Guide, June 22, 2005, at 13, http://transit-safety.volpe.dot.gov/publications/sso/49CFRPart659_FinalRule/49CFR659_Reference_Guide.pdf (accessed Sept. 15, 2009).
295 49 C.F.R. Part 659 Reference Guide, June 22, 2005, at 2627, http://transit-safety.volpe.dot.gov/publications/sso/49CFRPart659_FinalRule/49CFR659_Reference_Guide.pdf (accessed Sept. 15, 2009). Compliance with 49 C.F.R. pts. 15 and 1520, to the extent applicable, are grants requirements. FTA Master Agreement MA(16), 10-1-2009, at 59, Section 37: Protection of Sensitive Security Information, www.fta.dot.gov/documents/16-Master.pdf.
296 49 C.F.R. Part 659 Reference Guide, June 22, 2005, at 28, http://transit-safety.volpe.dot.gov/publications/sso/49CFRPart659_FinalRule/49CFR659_Reference_Guide.pdf (accessed Sept. 15, 2009).
297 49 C.F.R. 659.21 System security plan: general requirements, 659.23 System security plan: contents.
298 49 C.F.R. 659.25(b)(9).
299 FTA Master Agreement MA(16), Oct. 1, 2009, at 61, 39: Special Provisions for the Urbanized Area Formula Program, e. Public Transportation Security, http://www.fta.dot.gov/documents/16-Master.pdf.
300 49 U.S.C. 5307(d)(1)(J).
301 FED. TRANSIT ADMIN., supra note 272, at 19-4.
302 New York City Police Deploy Trace Detectors From Smiths Detection, THE POLICE CHIEF, vol. 73, no. 9, Sept. 2006, http://policechiefmagazine.org/magazine/index.cfm?fuseaction=display_arch&article_id=1005&issue_id=92006 (Sept. 23, 2009).
303 FTA Master Agreement MA(16), Oct. 1, 2009, at 15, 2: Project Implementation, e. Recipient's Responsibility to Extend Federal Requirements to Other Entities, http://www.fta.dot.gov/documents/16-Master.pdf.
304 FTA Circular 4220.1F, ch. IV, The Recipient's Property and Services Needs and Federal Requirements Affecting Those Needs 2.a(7), at IV-7; Third Party Contracting Guidance: Notice of Final Circular, 73 Fed. Reg. 56896, 56906 (Sept. 30, 2008), http://edocket.access.gpo.gov/2008/pdf/E8-22914.pdf.
305 49 U.S.C. 5325(a).
306 FTA Circular 4220.1F, ch. VI, Procedural Guidance for Open Market Procurements, 1.(c), at VI-2. For a discussion of prequalification procedures in general, see Daniel D. McMillan