OCR for page 18
Even a brief text message with information about air security measures can constitute SSI.162

To the extent that information must be kept confidential, agencies need to make sure that both hard copy and electronic systems are secure.

B. Critical Infrastructure Information/Sensitive Security Information

CII is a defined term under federal law. In addition, the Department of Homeland Security (DHS) implementing regulation coined the term "PCII" to apply to specific infrastructure information that is protected under federal law.163 The information must not only relate to critical infrastructure, but as is discussed infra, must meet specific statutory criteria, including being voluntarily submitted to DHS. Thus, information about mass transit infrastructure that is critical to the community in which it is located or to the nation at large because of its interconnectedness with major economic networks (such as the transit system in New York City) is not necessarily protected CII for purposes of the federal statute. However, as the FTA notes, transit agencies "may come in contact with PCII through interaction with the Federal government."164 While CII, let alone PCII, is likely to be of limited applicability to most transit agencies, particularly in the context of competitive bidding, a basic understanding of CII requirements is relevant. Transit agencies may themselves voluntarily submit information to DHS that, providing it meets statutory requirements described infra, will be considered protected CII. Protection of such information applies to DHS, not to the submitting agency, to the extent that the submitting agency uses its own copy of the information and not the validated (and thus protected) CII.165

The term SSI has evolved based on aviation security requirements dating back to 1974,166 and has been extended by USDOT to apply to all modes of transportation.167 The authorizing legislation for the USDOT and TSA provisions,168 discussed infra, is substantially similar, as are the regulatory provisions themselves.169 TSA defines SSI as information that is

obtained or developed in the conduct of security activities, including research and development, the disclosure of which TSA has determined would--
(1) Constitute an unwarranted invasion of privacy (including, but not limited to, information contained in any personnel, medical, or similar file);
(2) Reveal trade secrets or privileged or confidential information obtained from any person; or
(3) Be detrimental to the security of transportation.170

Despite the fact that the USDOT provision refers to information the disclosure of which would be "detrimental to transportation safety" rather than "detrimental to transportation security" as under the DHS provision, the USDOT provision is interpreted as governing security issues as well as safety issues.171 Any security program or security contingency plan "issued, established, required, received, or approved by DOT or DHS" constitutes SSI. Vulnerability assessments that are "directed, created, held, funded, or approved by the DOT [or] DHS, or that will be provided to DOT or DHS in sup-

"suffered any adverse effect." Wemhoff v. District of Columbia, 887 A.2d 1004, 1013 (D.C. 2005), citing Schmidt v. Multimedia Holdings Corp., 361 F. Supp. 2d 1346, 1348, 1354 (M.D. Fla. 2004).
162 MacLean, 543 F.3d 1145.
163 6 C.F.R. § 29.2.
164 KEVIN CHANDLER, PAMELA SUTHERLAND, & DONALD ELDREDGE, SENSITIVE SECURITY INFORMATION (SSI): DESIGNATION, MARKINGS, AND CONTROL, RESOURCE DOCUMENT FOR TRANSIT AGENCIES 3 (2009), http://transit-safety.fta.dot.gov/publications/security/FTA%20SSI/Final%20FTA%20SSI%20%28072009%29%20revised.pdf.
165 DEP'T OF HOMELAND SECURITY, HOW TO SUBMIT CRITICAL INFRASTRUCTURE INFORMATION (CII) FOR PCII PROTECTION, www.dhs.gov/files/programs/gc_1193091627563.shtm (accessed Sept. 2, 2009). See also PCII Program FAQ, www.dhs.gov/xlibrary/assets/pcii_faqs.pdf; PCII PROGRAM PROCEDURES MANUAL, www.dhs.gov/xlibrary/assets/pcii__program_procedures_manual.pdf.
166 The Air Transportation Security Act of 1974 (Pub. L. No. 93-366 § 316, 88 Stat. 409 (1974)) authorized the Federal Aviation Administration (FAA) to issue regulations prohibiting disclosure of information developed during research and development that the FAA found would constitute unwarranted invasion of personal privacy, reveal trade secrets or privileged commercial information, or be detrimental to the safety of persons traveling in air transportation. See TODD B. TATELMAN, INTERSTATE TRAVEL: CONSTITUTIONAL CHALLENGES TO THE IDENTIFICATION REQUIREMENT AND OTHER TRANSPORTATION SECURITY REGULATIONS, CRS Report for Congress, RL32664 (2004), www.fas.org/sgp/crs/RL32664.pdf, for discussion of history of law governing SSI.
167 Department of Homeland Security, Transportation Security Administration, Interim Final Rule, Protection of Sensitive Security Information, Fed. Reg. 69, No. 96, 28066, May 18, 2004, http://edocket.access.gpo.gov/2004/pdf/04-11142.pdf; CHANDLER, SUTHERLAND & ELDREDGE, supra note 164, at 2, http://transit-safety.fta.dot.gov/publications/security/FTA%20SSI/Final%20FTA%20SSI%20%28072009%29%20revised.pdf, at 2.
168 49 U.S.C. § 40119(b); 49 U.S.C. § 114(s).
169 49 C.F.R. pt. 15; 49 C.F.R. pt. 1520.
170 49 C.F.R. § 1520.5(a) Sensitive security information. The corollary DOT provision is 49 C.F.R. § 15.5(a) Sensitive security information.
171 CHANDLER, SUTHERLAND & ELDREDGE, supra note 164, at 1. See also Third Party Contracting Guidance: Notice of Final Circular, 73 Fed. Reg. 56896, 56906 (Sept. 30, 2008):
FTA has determined that these laws and regulations [49 U.S.C. 40119(b), 49 C.F.R. 15; 49 U.S.C. 14(s), 49 C.F.R. 1520] do apply to public transportation agencies and other FTA recipients that have sensitive security information, such as information related to vulnerability assessments (including any information addressing vulnerabilities or corrective actions) conducted after September 11, 2001, and other information covered by the regulations.
OCR for page 19
port of a Federal security program" are specifically included in that category.172 In addition, TSA has issued a Stakeholder Best Practices Quick Reference Guide in which the agency lists a wide range of information the agency deems to constitute SSI.173

Managing SSI is more likely to be of concern to transit agencies than is managing CII. A number of federal requirements make it likely that transit agencies will need to comply with Federal SSI requirements, including the following:

· Establishing a National Strategy for Public Transportation Security,174 including use of public transportation security assessments.
· Establishing a Transportation Security Information Sharing Plan.175
· Preparing assessments and plans that will result in security assessments being submitted to DHS for transit agencies at a high risk of attack and for representative samples of non-high-risk transit agencies.176

Even where federal requirements are not directly applicable, for example, for vulnerability assessments that are funded locally and not shared with federal agencies and thus do not meet the SSI statutory criteria, transit agencies may have security information that should be protected. Thus, the federal requirements may nonetheless be instructive on issues for transit agencies to consider in adopting their own policies.

Issues that arise concerning SSI designation include maintaining consistency in designating SSI, avoiding the problem of over-designating information as SSI, protecting SSI, reviewing SSI over time to determine whether its confidential status remains justified, and disposing of SSI. For example, DHS has been criticized for asserting overly broad claims for withholding sensitive information.177 As noted supra, in Gordon, the federal district court judge rejected the government's assertion that requested material was SSI or otherwise exempt from FOIA, finding rather that withheld material was innocuous and in some instances publicly available.178

This section reviews the authorizing legislation for CII and SSI provisions, as well as federal programs, requirements, and guidance related to CII and SSI by relevant agency. The purpose is to clarify the meaning and applicability of these terms and their attendant requirements. This is particularly important since to the extent that information comes within the definition of CII or SSI, that information becomes exempt from state disclosure requirements.179

1. Federal Legislation

Several pieces of legislation that passed after the events of 9/11 vested the DHS, TSA, and USDOT with responsibility for administering CII and SSI requirements. The legislation is described below and included in Appendix A. Federal transit legislation that has im-

172 49 C.F.R. § 15.5(b)(5); 49 C.F.R. § 1520.5(b)(5).
173 TRANSP. SECURITY ADMIN., SENSITIVE STAKEHOLDER BEST PRACTICES QUICK REFERENCE GUIDE, included as App. B to Chandler, supra note 163. Information listed: security programs and contingency plans; security directives; information circulars; performance specifications; vulnerability assessments; security inspections or investigative information; threat information; security measures; security screening information; security training materials; identifying information of certain transportation security personnel; critical infrastructure asset information; systems security information; confidential business information; research and development; and other information as determined in writing by the TSA Administrator.
174 Section 1404, Implementing Recommendations of the 9/11 Commission Act of 2007, Pub. L. No. 110-53, 121 Stat. 401, Aug. 3, 2007, codified at 6 U.S.C. § 1133. Section 1404 (d)(2) references already developed security and strategies: National Infrastructure Protection Plan, www.dhs.gov/xlibrary/assets/NIPP_Plan.pdf (accessed Sept. 2, 2009) required by Homeland Security Presidential Directive 7; Executive Order No. 13416: Strengthening Surface Transportation Security, Dec. 5, 2006, Fed. Reg. 71, No. 235, 71033, Dec. 7, 2009, Accessed Sept. 13, 2009, at http://edocket.access.gpo.gov/2006/pdf/06-9619.pdf; the Memorandum of Understanding between DHS and the DOT on Roles and Responsibilities dated Sept. 28, 2004. The sector-specific plan for mass transit is included as Annex C., Mass Transit, in Transportation Systems Critical Infrastructure and Key Resources Sector-Specific Plan as Input to the National Infrastructure Protection Plan, May 2007, www.dhs.gov/xlibrary/assets/Transportation_Base_Plan_5_21_07.pdf (accessed Sept. 2, 2009).
175 Section 1203, Implementing Recommendations of the 9/11 Commission Act of 2007, Pub. L. No. 110-53, 121 Stat. 383, Aug. 3, 2007, codified at 49 U.S.C. § 114(u).
176 Section 1405, Implementing Recommendations of the 9/11 Commission Act of 2007, Pub. L. No. 110-53, 121 Stat. 402, Aug. 3, 2007, codified at 6 U.S.C. § 1134 (National Transit Systems Security Act of 2007 is Title XIV of the public law.)
177 E.g., Amicus Curiae Brief of Electronic Frontier Foundation, American Association of Law Libraries, American Library Association, Association of Research Libraries, Center for Democracy and Technology, National Security Archive, Project on Government Secrecy of the Federation of American Scientists, and Special Libraries Association on Petition for Writ of Certiorari to the Court of Appeals for the Ninth Circuit, Gilmore v. Gonzalez, www.papersplease.org/gilmore/_dl/20061113/Gilmore%20v.%20Gonzales%20EFF%20amicus.pdf (accessed Oct. 6, 2009).
178 Eric Lichtblau, Judge Scolds U.S. Officials Over Barring Jet Travelers, N.Y. TIMES, June 16, 2004, www.nytimes.com/2004/06/16/politics/16flight.html (accessed Mar. 24, 2009). The government ultimately settled, agreeing to pay attorneys fees. TSA and FBI Ordered to Pay $200,000 to Settle "No Fly" Lawsuit, Jan. 24, 2006, www.aclu.org/safefree/general/23926prs20060124.html (accessed Aug. 1, 2009).
179 See Charles Davis, More Daunting Tests Ahead Pitting "Right To Know" Against "Need To Know," FOI Columns, Jan.-Feb. 2004, www.ire.org/foi/janfeb2004.html (accessed Feb. 28, 2009).
OCR for page 20
plications is referenced in II.B.2, Federal Agencies, infra.

Aviation and Transportation Security Act of 2001 (ATSA).180--The ATSA transferred civil aviation security responsibilities from the Federal Aviation Administration (FAA) to TSA, including authority to conduct research and development activities related to security.181 Section 101(e)(3) of the ATSA-modified Section 40119(b) contains a provision requiring nondisclosure of certain safety-related information, by deleting the modifier "air" from "air transportation." DHS has interpreted this change as expanding the scope of the provision to cover all modes of transportation.182

Homeland Security Act of 2002 (HSA).183--The HSA adopted the USA PATRIOT Act's definition of critical infrastructure: "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."184 The HSA also added a provision transferring TSA's SSI authority and vesting SSI authority in the DOT Secretary.185

Critical Infrastructure Information Act of 2002.186--The CIIA was included as Title II of the HSA. Section 211(3) defines "critical infrastructure information"; subsection 214(a) of the CIIA protects CII voluntarily submitted to DHS for use regarding "the security of critical infrastructure and protected systems, analysis, warning, interdependency study, recovery, reconstitution, or other informational purpose [sic],"187 provided the information is accompanied by the express statement required under the statute. Such protected CII is exempt from disclosure under FOIA; prohibited from being used for other official purposes except under very limited circumstances; and if shared with state and local governments and agencies, exempt from disclosure under state or local open records requirements. However, the CIIA does not affect any entity's ability to lawfully obtain CII in a manner not covered by subsection (a) and to use such information in any lawful manner. Thus such information that is customarily in the public domain (lawfully, properly, and regularly disclosed generally or broadly to the public) is not protected.188 DHS may withdraw the protected status if it determines that at the time of submission the information was customarily in the public domain.189 Federal employees who knowingly disclose protected CII are subject to fine, imprisonment, and job loss.190 There is no private right of action to enforce the CIIA.191

At least one court has held that the CIIA does not apply to submitters of PCII, so that the CIIA does not preempt requests for information made to the submitting agency under state public records acts.192 The court noted that the CIIA prohibits disclosure of protected CII under state or local public records acts, but only if the protected CII is provided to a state or local government, and interpreted this statutory language as distinguishing between submission of CII and receipt of protected CII for purposes of when a state or local agency may disclose requested information: submitting CII to the federal government does not require the submitting agency to then withhold that information under the state public records law. The court also reviewed the implementing regulations, discussed infra, and found that they also support this distinction between submission and receipt of protected CII for purposes of applica-

180 Pub. L. No. 107-71, 115 Stat. 597, Nov. 19, 2001.
181 49 U.S.C. § 40119, Security and research and development activities. Section 40119 authorized the FAA to conduct research and development (R&D) activities aimed at protecting passengers and property against acts of criminal violence and aircraft piracy. The provision prohibited disclosure of information obtained or developed in carrying out specified security or R&D activities under specified sections of Chapters 445 (Facilities, Personnel, and Research) and 449 (Security) of title 49, provided that the FAA decides that disclosing the information would:
(A) be an unwarranted invasion of personal privacy;
(B) reveal a trade secret or privileged or confidential commercial or financial information; or
(C) be detrimental to transportation safety.
182 Department of Homeland Security, Transportation Security Administration, Interim Final Rule, Protection of Sensitive Security Information, Fed. Reg. 69, No. 96, 28066, 28068, May 18, 2004.
183 Pub. L. No. 107-296, 116 Stat. 2135, Nov. 25, 2002.
184 Section 2(4), Definitions, citing § 1016(e) of Pub. L. No. 107-56 (42 U.S.C. § 5195c(e)).
185 Section 1601, Retention of Sensitive Security Information Authority at Department of Transportation, codified at 49 U.S.C. § 114(s) and 49 U.S.C. § 40119(b)(1).
186 Tit. II, subtit. B, HSA, Pub. L. No. 107-296, 116 Stat. 2135, Nov. 25, 2002, codified at 6 U.S.C. §§ 131-34. For a critique of the strategy behind the CIIA, including the fact that the FOIA exemptions hamper public oversight, see Bagley, supra note 39.
187 Section 214, Protection of voluntarily shared critical infrastructure information, codified at 6 U.S.C. § 133; 6 C.F.R. § 29.8. See James W. Conrad, Jr., Protecting Private Security-Related Information from Disclosure by Government Agencies, 57 ADMIN. L. REV. 715, nn. 80-89 (2005); presented at ABA meeting, Protection of Facility Security Information, Dec. 10, 2004, http://meetings.abanet.org/webupload/commupload/AL316500/newsletterpubs/Info%20protection.pdf (accessed in prepublication form Mar. 4, 2009).
188 6 C.F.R. §§ 29.2, 29.5. Part 29 introduces the term "Protected Critical Infrastructure Information, or PCII," which is not a statutorily defined term. The regulation defines PCII as CII that has been validated by DHS as meeting the statutory criteria for protection.
189 6 C.F.R. § 29.6(g).
190 Section 214, Protection of voluntarily shared critical infrastructure information, codified at 6 U.S.C. § 133; 6 C.F.R. § 29.9.
191 Section 215, codified at 6 U.S.C. § 134.
192 County of Santa Clara v. Superior Court of Santa Clara County, 170 Cal. App. 4th 1301, 89 Cal. Rptr. 3d 374 (Cal. Ct. App. 6th Dist. 2009).
OCR for page 21
tion of state public records requirements. The court concluded:

Taken as a whole, this consistent and pervasive regulatory language supports our construction of the relevant provision of the CII Act, 6 United States Code section 133(a)(1)(E)(i). As we interpret that provision, it draws a distinction between the submission of CII and the receipt of PCII. In the hands of the submitter, the nature of the information remains unchanged; in the hands of the governmental recipient, it is protected from disclosure. (footnote omitted)193

The court also noted that if the contrary interpretation were correct, then the Geographic Information System (GIS) Basemap at issue in the case could no longer be used by the county for any purpose other than those enumerated under the CIIA. Accordingly, the prohibition under the CIIA against disclosure under the California Public Records Act was held not to apply.

Department of Homeland Security Appropriations Act, 2006.194--This Act requires DHS to appoint at least one SSI coordinator in each DHS office that handles SSI to ensure that documents marked as SSI meet the SSI criteria. It requires the Secretary to issue guidance that "includes common but extensive examples of SSI that further define the individual categories of information cited under 49 C.F.R. 1520(b)(1) through (16) and eliminates judgment by covered persons in the application of the SSI marking."195 The Act also required the Government Accountability Office (GAO) to report on DHS progress in implementing the law's requirements.

Department of Homeland Security Appropriations Act, 2007.196--The Act requires DHS to revise its Management Directive (MD) 11056, which establishes DHS policy regarding the recognition, identification, and safeguarding of SSI, as specified in the legislation, and it requires GAO to report on DHS' progress in implementing the law's requirements.197 The Act also extended the designation of "covered person" to a party in civil litigation who can demonstrate both a substantial need for relevant SSI in preparing the party's case and an undue hardship in obtaining equivalent information by other means, provided that the judge enters an order protecting the SSI from unauthorized disclosure, the party undergoes a threat assessment including criminal background check, and access does not present a risk of harm to the nation. GAO reports that the directive has been revised.198

Implementing Recommendations of the 9/11 Commission Act of 2007.199--The Act contains several provisions that will require generating information that could be considered to be CII or SSI because of the information being shared with DHS and USDOT for security purposes. These include grant provisions that public transportation agencies implement in part through contracts with private entities. The discussion here of this Act is limited to those provisions that require information generation that might reasonably be expected to result in procurement activity.200

As noted, supra, Section 1203 requires DHS and USDOT, along with public and private stakeholders, to establish a Transportation Security Information Sharing Plan.201 Section 1305 requires DHS, in consultation with USDOT, to establish a program to share information about transportation security technology with, inter alia, public transportation agencies.202 Title XIV of the Act, the National Transit Systems Security Act of 2007 (NTSSA), requires DHS to develop and implement the National Strategy for Public Transportation Security. In meeting that requirement, DHS is required to "use established and ongoing public transportation security assessments" and "consult with all relevant stakeholders, including public transportation agen-

193 Id. at 1318.
194 Pub. L. No. 109-90, 119 Stat. 2064, Oct. 18, 2005.
195 Id. Tit. V, § 537, codified at 6 U.S.C. § 114. The provision also required GAO to report on DHS progress in implementing the law's requirements.
196 Pub. L. No. 109-295, 120 Stat. 1355, Oct. 4, 2006.
197 Id. at § 525. Section 525 requires that MD 11056 be revised to provide as follows:
(1) That when a lawful request is made to publicly release a document containing information designated as sensitive security information (SSI), the document shall be reviewed in a timely manner to determine whether any information contained in the document meets the criteria for continued SSI protection under applicable law and regulation and shall further provide that all portions that no longer require SSI designation be released, subject to applicable law, including sections 552 and 552a of title 5, United States Code;
(2) That sensitive security information that is three years old and not incorporated in a current transportation security directive, security plan, contingency plan, or information circular; or does not contain current information in one of the following SSI categories: equipment or personnel performance specifications, vulnerability assessments, security inspection or investigative information, threat information, security measures, security screening information, security training materials, identifying information of designated transportation security personnel, critical aviation or maritime infrastructure asset information, systems security information, confidential business information, or research and development information shall be subject to release upon request unless:
(A) the Secretary or his designee makes a written determination that identifies a rational reason why the information must remain SSI; or
(B) such information is otherwise exempt from disclosure under applicable law.
198 U.S. GOV'T ACCOUNTABILITY OFFICE, supra note 138, at 5. Some guidance may be available to transit agencies through FTA or TSA that is not publicly available, and therefore cannot be discussed in this report.
199 Pub. L. No. 110-53, 121 Stat. 266, Aug. 3, 2007.
200 Cf., § 1410, Information sharing, codified at 6 U.S.C. § 1139 (requiring public transportation agencies at high risk of terrorist attack to participate in the Information Sharing and Analysis Center for Public Transportation), which does not appear likely to result in procurement activity. See V.B.3, Controls Within the Agency, infra this digest, for a discussion of the NTSSA's requirements for security background checks.
201 Codified at 49 U.S.C. § 114(u).
202 Codified at 6 U.S.C. § 1114.
OCR for page 22
cies."203 The NTSSA also requires DHS to conduct certain public transportation security assessments. In addition, the Act mandates that DHS require public transportation agencies determined by DHS to be at high risk of terrorist attack to develop comprehensive security plans, with technical assistance provided by DHS. If DHS requires any other public transportation agencies to prepare security plans, DHS must provide technical assistance to those agencies as well. The statute specifies the contents of such security plans, including requiring them to be consistent with security assessments developed by DHS and with the National Strategy for Public Transportation Security. The requirement for developing security assessments or security plans may be recognized by DHS as being met by existing procedures, protocols, and standards of a public transportation agency.204 Finally, the statute addresses nondisclosure as follows: "Nothing in this section shall be construed as affecting any authority or obligation of a Federal agency to disclose any record or information that the Federal agency obtains from a public transportation agency under any other Federal law."205

The security assistance program established under the NTSSA allows both capital and operating use of funding, with all funding to be awarded solely to address items included in a security assessment or to further a security plan.206 Agencies that receive such funding must develop training programs as specified under the statute.207

The NTSSA also contains a provision covering security background checks of public transportation employees and contractors.208 The provision sets parameters for DHS guidance on background checks and requires DHS regulation on background checks to provide a redress process and prohibit specified adverse actions based on the background checks. In addition, the statute and its implementing regulation prohibit public transportation agencies from knowingly making false statements to employees concerning security background checks.209

203 Section 1404, National Strategy for Public Transportation Security, codified at 6 U.S.C. § 1133.
204 Section 1405, Security assessments and plans, codified at 6 U.S.C. § 1134. The statute prohibits requiring security plans under § 1405 from public transportation agencies not receiving grants under § 1406 of the Act, although the exemption may be waived for high-risk agencies with appropriate notification to Congress.
205 Section 1405(h)(2), codified as 6 U.S.C. § 1134(h)(1).
206 Section 1406, Public transportation security assistance, codified at 6 U.S.C. § 1135. Subsection (b) provides that allowable uses of funds under this section are as follows:
(1) Capital uses of funds, including--
(A) tunnel protection systems;
(B) perimeter protection systems, including access control, installation of improved lighting, fencing, and barricades;
(C) redundant critical operations control systems;
(D) chemical, biological, radiological, or explosive detection systems, including the acquisition of canines used for such detection;
(E) surveillance equipment;
(F) communications equipment, including mobile service equipment to provide access to wireless Enhanced 911 (E911) emergency services in an underground fixed guideway system;
(G) emergency response equipment, including personal protective equipment;
(H) fire suppression and decontamination equipment;
(I) global positioning or tracking and recovery equipment, and other automated-vehicle-locator-type system equipment;
(J) evacuation improvements;
(K) purchase and placement of bomb-resistant trash cans throughout public transportation facilities, including subway exits, entrances, and tunnels;
(L) capital costs associated with security awareness, security preparedness, and security response training, including training under section 1408 and exercises under section 1407;
(M) security improvements for public transportation systems, including extensions thereto, in final design or under construction;
(N) security improvements for stations and other public transportation infrastructure, including stations and other public transportation infrastructure owned by State or local governments; and
(O) other capital security improvements determined appropriate by the Secretary.
(2) Operating uses of funds, including--
(A) security training, including training under section 1408 and training developed by institutions of higher education and by nonprofit employee labor organizations, for public transportation employees, including frontline employees;
(B) live or simulated exercises under section 1407;
(C) public awareness campaigns for enhanced public transportation security;
(D) canine patrols for chemical, radiological, biological, or explosives detection;
(E) development of security plans under section 1405;
(F) overtime reimbursement including reimbursement of State, local, and tribal governments, for costs for enhanced security personnel during significant national and international public events;
(G) operational costs, including reimbursement of State, local, and tribal governments for costs for personnel assigned to full-time or part-time security or counterterrorism duties related to public transportation, provided that this expense totals no more than 10 percent of the total grant funds received by a public transportation agency in any 1 year; and
(H) other operational security costs determined appropriate by the Secretary, excluding routine, ongoing personnel costs, other than those set forth in this section.
207 Section 1408, Public transportation security training program, codified at 6 U.S.C. § 1137.
208 Section 1414, Security Background Checks of Covered Individuals for Public Transportation, Pub. L. No. 110-53, 121 Stat. 419, codified at 6 U.S.C. § 1143.
209 6 U.S.C. § 1143(e); 49 C.F.R. pt. 1570; Department of Homeland Security, Transportation Security Administration, Interim Final Rule, False Statements Regarding Security Background Check, Fed. Reg. 73, No. 148, 44665, July 31, 2008, http://edocket.access.gpo.gov/2008/pdf/E8-17515.pdf.
OCR for page 23
23
2. Federal Agencies

The DHS, TSA, USDOT, and FTA have issued rulemakings and guidance related to CII and SSI that are applicable, either directly or by analogy, to treatment of security information in competitive bidding. This section discusses these federal activities on an agency-by-agency basis.

DHS/TSA.--DHS has issued several rulemakings related to CII and SSI. The first was the final rule that transferred aviation security authority from FAA to TSA. The second related to the PCII Program. The third related to SSI procedures. Those aspects of the rulemakings most relevant to the arena of competitive bidding are summarized here. Nonregulatory activities that may prove helpful in developing policies for handling security information in the competitive bidding context are also addressed.

Transfer of aviation security authority:210 Under the rule, the then-Under Secretary (now TSA Administrator) has authority for determining what information is SSI and what persons are required to protect it, while the modal administrators are responsible for protecting the information. The rule expands the persons responsible for protecting SSI beyond the universe covered by 14 C.F.R. § 191.5 because the rule covers each person for which a vulnerability assessment has been "authorized, approved, or funded by DOT, irrespective of mode of transportation."211

CII: DHS issued a notice of proposed rulemaking (NPRM) on establishing procedures to implement Section 214 of the HSA in April 2003. DHS issued an interim final rule (IFR) the following year. In the notice promulgating the IFR, DHS stated that in the case of information that qualified as both CII and SSI, federal employees must comply with the more stringent CII requirements. However, the department noted:

In practice, the situations in which information constitutes both SSI and Protected CII may be limited. For the most part, information that is SSI is created by TSA or is required to be submitted to TSA or to another part of the Federal government. Therefore, it ordinarily will not be voluntarily submitted, which is a required element for Protected CII designation. In addition, SSI might or might not relate to critical infrastructure assets.212

In addition, the notice made clear that while the regulation covers information that DHS did not exercise legal authority to obtain even if it was involuntarily submitted to other agencies, submission of such information to DHS does not affect the obligation of such other federal agencies to disclose the information submitted to them.213 DHS rejected comments requesting that the regulation provide for segregating submitted information so that only information absolutely necessary to protect critical infrastructure is withheld.214

The CII regulation was amended in 2006 when DHS issued a final rule amending the 2004 IFR. The final rule's procedures apply to "all Federal, State, local, and tribal government agencies and contractors that have access to, handle, use, or store critical infrastructure information that enjoys protection under the Critical Infrastructure Information Act of 2002."215 DHS noted that it had added a definition of "in the public domain" to the final rule, drawing in part on the statutory language and adding "information regarding systems, facilities, or operational security, or that is proprietary, business sensitive, or which might be used to identify a submitting person or entity."216 DHS rejected comments that called for excluding from the definition of "voluntary" information submitted to other federal agencies pursuant to their legal authority.217 Thus information that otherwise meets the definition of CII, is required to be submitted to another agency, and is voluntarily submitted to DHS must still be treated as CII by DHS and any entity to which DHS discloses the information. However, it appears that if information is submitted to another agency, that agency need not treat the information as confidential, even if the information is identical to information submitted to DHS as CII.218

DHS again rejected comments requiring what it terms "portion marking" (segregating CII and non-CII) and extended CII protection to "any information, statements or other material reasonably necessary to explain the CII, put the CII in context, or describe the importance or use of the CII."219 DHS highlighted criminal and administrative penalties for unauthorized release of information.220 In addition, DHS eliminated two criteria for allowing a loss of protected status: The fact that the information "is publicly available through legal means" was deleted because this was not a basis under the CIIA. The fact that DHS requires the information was rejected as a basis for allowing a loss of protected status because DHS interprets the definition of voluntary to be retrospective only.221 Finally, DHS clarified that contractors of state and local governments can receive CII under the same conditions as federal contractors, i.e., engaged in the performance of services in support of the purposes of the CIIA, with strict limitations on further disclosure of the information.222

SSI Interim Final Rule:223 In 2004 DHS issued an IFR on SSI, which promulgated identical regulatory standards for USDOT and TSA under 49 C.F.R. Parts 15 and 1520.224 The rule was intended to extend the protection of aviation SSI to maritime SSI generated pursuant to the Maritime Transportation Security Act of 2002.225 The Federal Register notice described the rules as requiring employees, contractors, grantees, and agents of both departments to follow the rules' SSI requirements.226 The notice stated that the rule largely incorporated the substance of the existing regulation, but streamlined and consolidated some provisions and expanded others. For example, the IFR expanded the definition of vulnerability assessment.227 Under this expanded definition, if a covered person creates a vulnerability assessment at his or her own initiative, but intends to provide the vulnerability assessment to USDOT or DHS in support of a federal security program, the vulnerability assessment is SSI.228 The interim rule also:

· Introduced the concept of "covered person."229
· Designated contract proposals and attendant negotiations for grants and contracts to the extent that the subject matter relates to specific aviation or maritime transportation security measures.230
· Clarified that the agency may determine that information is not SSI, even though it might appear to be covered by one of the regulatory categories.
· Is applicable in particular when due to changes in circumstances information is no longer sensitive.231
· Added marking requirements for SSI.232
· Clarified that if information is both CII and SSI, any covered person who is a federal employee must comply with the more restrictive CII requirements.233
· Added provisions describing when federal employees and contractors have need to know SSI.234
· Added a provision permitting TSA/Coast Guard to require security background check and imposition of safeguard requirements/procedures before providing SSI.235
· Added provisions allowing the department to authorize conditional disclosure of specific records and making clear that such disclosures are not public releases of information for FOIA purposes.236
· Added a provision governing required destruction of SSI, which allows state and local government agencies to preserve information required to be preserved under state or local law.237

210 Department of Transportation, Federal Aviation Administration, Transportation Security Administration, Civil Aviation Security Rules, Fed. Reg. 67, No. 36, 8340, Feb. 22, 2002, http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=2002_register&docid=02-4081-filed.pdf.
211 Id. at 8342.
212 Department of Homeland Security, Office of the Secretary, Interim Final Rule, 6 C.F.R. pt. 29, Procedures for Handling Critical Infrastructure Information, Fed. Reg. 69, No. 34, 8074, 8076, Feb. 20, 2004, http://edocket.access.gpo.gov/2004/pdf/04-3641.pdf.
213 Id.
214 Id. at 8078-79.
215 Department of Homeland Security, Office of the Secretary, Final Rule, 6 C.F.R. pt. 29, Procedures for Handling Critical Infrastructure Information, Fed. Reg. 71, No. 170, 52262, Sept. 1, 2006, http://edocket.access.gpo.gov/2006/pdf/06-7378.pdf. See STEVENS & TATELMAN, supra note 34, at CRS-18-19.
216 Id. at 52262-63.
217 Id.
218 Nicholas Bagley, Benchmarking, Critical Infrastructure Security, and the Regulatory War on Terror, 43 HARV. J. ON LEGISLATION 47, 68 (2006), at 57 (citing 6 C.F.R. § 29.3(a) (2005)).
219 Department of Homeland Security, Office of the Secretary, Final Rule, 6 C.F.R. pt. 29, Procedures for Handling Critical Infrastructure Information, Fed. Reg. 71, No. 170, 52262, 52264, Sept. 1, 2006, http://edocket.access.gpo.gov/2006/pdf/06-7378.pdf.
220 Id. at 52267.
221 Id. at 52265.
222 Id. at 52268-69.
223 See MITCHEL A. SOLLENBERGER, SENSITIVE SECURITY INFORMATION (SSI) AND TRANSPORTATION SECURITY: BACKGROUND AND CONTROVERSIES, CRS Report to Congress (2004), www.fas.org/sgp/crs/RS21727.pdf.
224 Department of Transportation, Office of the Secretary, Department of Homeland Security, Transportation Security Administration, Interim Final Rule, Protection of Sensitive Security Information, Fed. Reg. 69, No. 96, 28066, May 18, 2004, http://edocket.access.gpo.gov/2004/pdf/04-11142.pdf.
225 Pub. L. No. 107-295, 116 Stat. 2064, Nov. 25, 2002. See also Department of Homeland Security, Coast Guard, Final Rule, Vessel Security, Fed. Reg. 68, No. 204, 60483, Oct. 22, 2003; Department of Homeland Security, Coast Guard, Final Rule, Facility Security, Fed. Reg. 68, No. 204, 60515, Oct. 22, 2003.
226 Department of Transportation, Office of the Secretary, Department of Homeland Security, Transportation Security Administration, Interim Final Rule, Protection of Sensitive Security Information, Fed. Reg. 69, No. 96, 28066, May 18, 2004, http://edocket.access.gpo.gov/2004/pdf/04-11142.pdf.
227 Id. at 28070, 28079, 28082. Before the interim final rule, vulnerability assessment was defined as "any examination of a transportation system, vehicle, or facility to determine its vulnerability to unlawful interference." As revised under the final rule, the definition became:
any review, audit, or other examination of the security of a transportation infrastructure asset; airport; maritime facility, port area, vessel, aircraft, train, commercial motor vehicle, or pipeline, or a transportation-related automated system or network, to determine its vulnerability to unlawful interference, whether during the conception, planning, design, construction, operation, or decommissioning phase. A vulnerability assessment may include proposed, recommended, or directed actions or countermeasures to address security concerns.
49 C.F.R. §§ 15.3, 1520.3.
228 Department of Transportation, Office of the Secretary, Department of Homeland Security, Transportation Security Administration, Interim Final Rule, Protection of Sensitive Security Information, Fed. Reg. 69, No. 96, 28066, 28071, May 18, 2004, http://edocket.access.gpo.gov/2004/pdf/04-11142.pdf.
229 Id.
230 Id. at 28072.
231 Id.
232 Id. at 28074.
233 Id.
234 Id.
235 Id.
236 Id. at 28075.
237 Id.
238 Id. at 28074.

Although the IFR established a broad category of covered persons, TSA noted that persons who fell within the coverage but did not have possession of SSI would not have to meet the disclosure restrictions of 49 C.F.R. § 1520.9.238 The notice made clear that records that contain SSI and non-SSI may be segregated, with the non-SSI disclosed, provided that the non-SSI is not
otherwise properly exempt from disclosure.239 This assertion is somewhat undercut by the statement "if it is impractical to redact the requested information from the record, the entire record is withheld."240 The IFR did not address the issue of establishing that specific material constitutes SSI, as the rule deems categories of information to be SSI.

A number of parties filed comments in response to the request for comments to the IFR. Although TSA did not respond to the comments, some of the comments illuminate issues of interest in handling SSI in competitive bidding situations.

Some commenters urged expanded coverage. For example, the Port Authority of New York and New Jersey241 asked that the definition of covered person be expanded to facilitate information sharing with other governmental entities and that modes such as rail and bus transportation be explicitly covered as well. The Massachusetts Port Authority (Massport)242 specifically requested that the regulations provide authority similar to that in Section 15.11(b)(2) for public agencies to share SSI with bidders and contractors, rather than requiring the agencies to rely on subparagraphs 15.11(a)(1) and (a)(4). Massport also recommended expanding specifications under Section 15.5(b)(4).

The Coalition of Journalists for Open Government (CJOG)243 commented that the rule would result in too much information being designated SSI. CJOG specifically raised the concern that local and state officials may be required to deny access to records that would otherwise be available under state and local open records requirements. Other CJOG points relevant to procurement include the following recommendations:

· The regulation require that limited numbers of trained individuals be assigned to designate SSI.
· The regulation provide criteria for SSI designation.
· Lists of infrastructure assets submitted by state and local government agencies not be automatically deemed SSI without some evaluation of whether the assets have some relation to security.
· Records that deal with contracts, public funding, and operational issues that implicate accountability issues be subject to special review.
· The regulation adopt the Department of Justice's (DOJ) standard of withholding nonexempt information along with exempt information only if the two are "inextricably intertwined."

CJOG cautioned that allowing the government to designate "other information" as SSI was an invitation to abuse, particularly given the potentially large number of people allowed to designate SSI. The comment also expressed concern that the requirements for marking SSI did not call for segregating non-SSI, thereby effectively sealing off entire documents regardless of security implications.

The Silha Center for the Study of Media Ethics and Law also commented on the dangers of over-designating information as SSI. Specifically the center argued that the IFR should be modified to more narrowly define SSI, reduce the scope of "covered persons" to those actually having access to SSI, and to require the review of SSI after a set time, potentially declassifying rather than destroying it. Moreover, the center took the position that to prevent over-withholding of information, information should be reviewed to determine whether its disclosure presents an actual danger to transportation security, rather than automatically conferring SSI designation on classes of information. In addition, the center argued against labeling an entire record SSI when only a portion of the record actually contains SSI. In particular, the center argued against allowing the IFR to trump state disclosure laws by requiring the withholding of information the release of which has not been shown to cause substantial harm to transportation safety.244

In 2005 DHS issued a correction to the IFR, eliminating "aviation or maritime" from 49 C.F.R. § 15.11 and 49 C.F.R. § 1520.11 to make clear that regardless of mode, vulnerability assessments and other documents properly designated as SSI may be shared with covered persons who meet the need to know requirements.245

Rail Security Rule:246 In December 2006, TSA issued an NPRM for Rail Transportation Security.247 Much of the notice related to security inspections, but the notice also proposed clarifications to SSI requirements. TSA noted that the proposed rule was consistent with the Memorandum of Understanding executed between DHS and USDOT248 to ensure collaboration as required under Homeland Security Presidential Directive 7.249 The notice made clear TSA's position that although 49 C.F.R. Part 1520 primarily relates to aviation and maritime security information, vulnerability assessments and threat assessments for all modes of transportation are considered SSI.250 TSA proposed to extend the definition of covered persons to include rail transit systems, explicitly requiring them to restrict "distribution, disclosure, and availability of SSI to persons with a need to know, and refer all requests for SSI by other persons to TSA or the applicable component or agency within DOT or DHS."251 In addition, TSA proposed to clarify that "any review, audit, or other examination of the security" of a rail transit system or facility "that is directed, created, held, funded, or approved by DOT or DHS, or that will be provided to DOT or DHS in support of a Federal security program, is SSI." TSA also proposed to extend coverage to specific details of rail transportation security measures, security training materials for those carrying out rail transportation security measures required or recommended by DHS or USDOT, and lists identifying critical rail infrastructure assets. TSA also sought comment on whether it should protect as SSI "any other information that may be created under this rule."252 TSA noted that the training materials contain descriptions of security measures that could be used by terrorists to defeat security procedures. In addition, while TSA proposed to expand the lists of critical infrastructure assets to include rail transportation, the information would only be covered if it is prepared by DHS or USDOT or prepared by a state or local government agency and submitted to DHS or USDOT.253

While most of the transit comments related to concerns about unannounced inspections and other operational requirements, a number of the comments related to SSI. The Oregon DOT commented that the expansion of the "need to know" requirement raises issues concerning the need for states to access information now required under partnership programs with the Federal Railroad Administration and FTA.254 Chicago also suggested that the rule should specify that state and local governments have access to SSI.255 New Jersey asked that rail security information be accorded "enhanced" protection status.256 The City of Cleveland suggested that the rule require employees of covered entities to undergo background investigations, using a federally-established list of disqualifying crimes in hiring.257 The Texas258 and Florida259 DOTs also raised concerns that the proposed requirements for SSI would inhibit exchange of information with state oversight agencies.

On the other hand, CJOG raised concerns that the rule would result in a vast range of information about rail and transit management and operations being shielded from public view, eliminating public oversight. In particular, CJOG questioned the fact that the proposed rule would allow the operators to determine what information is included in vulnerability assessments and automatically treated as SSI, potentially resulting in the withholding of information traditionally disclosed at the state and local level. CJOG suggested that TSA narrow the definition of SSI and review filings and identify information that does not warrant protection. Finally, CJOG advocated for sunsetting the SSI designation, subject to potentially extending the protection for specific information for which, based on subsequent review, further withholding was deemed necessary.260

239 Id. at 28075.
240 Id. at 28074.
241 TSA-2003-15569-0011. Accessible from www.regulations.gov/search/Regs/home.html#docketDetail?R=TSA-2003-15569.
242 Id. at 15569-0020.
243 Id. at 15569-0010.
244 Comments of the Silha Center for the Study of Media Ethics and Law on Interim Final Rule, Protection of Sensitive Security Information, July 16, 2004, TSA-2003-15569-0013, www.regulations.gov/search/Regs/home.html#documentDetail?R=0900006480313ddb (accessed Sept. 10, 2009).
245 Protection of Sensitive Security Information; Technical Amendment, 70 Fed. Reg. 1379 (Jan. 7, 2005), http://edocket.access.gpo.gov/2005/pdf/05-366.pdf.
246 49 C.F.R. pts. 1520 and 1580.
247 Department of Homeland Security, Transportation Security Administration, Proposed Rule, Rail Transportation Security, Fed. Reg. 71, No. 245, 76852, Dec. 21, 2006, http://edocket.access.gpo.gov/2006/pdf/E6-21512.pdf.
248 Memorandum of Understanding Between the Department of Homeland Security and the Department of Transportation on Roles and Responsibilities, Sept. 2004. Accessed Sept. 13, 2009, at www.dot.gov/ost/ogc/DHS-DOT.PDF.
249 Homeland Security Presidential Directive 7: Critical Infrastructure Identification, Prioritization, and Protection (HSPD7), Dec. 17, 2003, www.dhs.gov/xabout/laws/gc_1214597989952.shtm#1. HSPD7 required the Secretary of DHS to coordinate protection activities for specified critical infrastructure sectors, including mass transit.
250 Department of Homeland Security, Transportation Security Administration, Proposed Rule, Rail Transportation Security, Fed. Reg. 71, No. 245, 76852, 76862, Dec. 21, 2006, http://edocket.access.gpo.gov/2006/pdf/E6-21512.pdf.
251 Id.
252 Id.
253 Id. at 76867.
254 Oregon Department of Transportation, Kelly Taylor, Rail Division Administrator, Feb. 20, 2007, at 3, TSA-2006-26514-0095, www.regulations.gov/search/Regs/home.html#documentDetail?R=09000064802aa82c.
255 Chicago Department of Transportation, Cheri Heramb, Acting Commissioner, Jan. 15, 2007, TSA-2006-26514-0038, www.regulations.gov/search/Regs/home.html#documentDetail?R=09000064802aa7e6.
256 New Jersey Office of Homeland Security & Preparedness, Richard L. Canas, Director, Feb. 20, 2007, at 2, TSA-2006-26514-0072, www.regulations.gov/search/Regs/home.html#documentDetail?R=09000064802aa810.
257 Shirley A. Tomasello, Assistant Law Director, Department of Law, City of Cleveland, Feb. 16, 2007, at 7, TSA-2006-26514-0067, www.regulations.gov/search/Regs/home.html#documentDetail?R=09000064802aa80a.
258 Texas Department of Transportation, Michael W. Behrens, P.E., Executive Director, Feb. 20, 2007, TSA-2006-26514-0078, www.regulations.gov/search/Regs/home.html#documentDetail?R=09000064802aa815.
259 Florida Department of Transportation, Mike Johnson, Administrator, Transit Operations, Feb. 1, 2007, TSA-2006-26514-0012, www.regulations.gov/search/Regs/home.html#documentDetail?R=09000064802aa7c5.
260 Coalition of Journalists for Open Government, Pete Weitzel, Feb. 20, 2007, TSA-2006-26514-0053, www.regulations.gov/search/Regs/home.html#documentDetail?R=09000064802aa7fb.
261 Department of Homeland Security, Transportation Security Administration, Final Rule, Rail Transportation Security, Fed. Reg. 73, No. 229, 72130, Nov. 26, 2008, http://edocket.access.gpo.gov/2008/pdf/E8-27287.pdf.
262 Id. at 72134.

In November of 2008, TSA issued the final rule.261 TSA made two changes to the NPRM provisions on SSI.262 First, TSA added rail to the categories of research and development information protected under 49 C.F.R. § 1520.5(b)(15). Second, TSA added state, local,
and tribal government employees, contractors, and grantees to the list under 49 C.F.R. § 1520.11(b) of persons with a potential need to know SSI. In its response to comments, TSA reiterated: "TSA does not intend to protect information as SSI that would not be detrimental to transportation security if publicly disclosed."263

Directives: TSA has issued a number of directives that provide guidance on managing SSI. These directives are not publicly available,264 and so are not summarized here. Transit agencies should be able to obtain them directly from TSA.

Guidance: DHS has issued guidance for public transportation agencies on conducting background checks.265 DHS suggests that transit agencies may use criminal background checks for employees and contract workers with unmonitored access to designated critical infrastructure. DHS suggests that in structuring those requirements, the agencies look to the federal security requirements for hazardous material drivers and port transportation workers.266 DHS also suggests that transit agencies consider using the Social Security Number Verification System and the Systematic Alien Verification for Entitlements database to determine a noncitizen's immigration status, as well as periodically reinvestigating employees and contractors, "particularly those with access to sensitive information or security critical facilities."267

Nonregulatory activity: DHS/TSA nonregulatory activity may provide models for transit authorities in controlling access to security information. Two activities may be of particular interest. First, DHS requires its employees and contractors to sign nondisclosure agreements (NDAs), prohibiting them from disclosing a wide range of sensitive but unclassified information to the public.268 The scope of those NDAs was challenged.269 Second, TSA has implemented a process for conducting SSI Access Threat Assessments.270 These threat assessments are conducted on any persons seeking access to SSI for use in a civil proceeding under Section 525(d) of the Department of Homeland Security Appropriations Act of 2007, supra. The assessments include a fingerprint-based Criminal History Records Check and a name-based check against terrorism and other databases to determine "whether the individual poses or is suspected of posing a threat to transportation or national security."271 TSA provides a Privacy Act notice to each party seeking access to SSI for civil court proceedings to obtain informed consent before TSA conducts the threat assessment. TSA notifies covered individuals if the agency determines, based on the threat assessment, that the individuals are not eligible to access particular SSI. The individuals may then appeal the decision, including making requests to correct errors in the individuals' records.

USDOT--USDOT has issued several rulemakings related to SSI. The first was the final rule that transferred aviation security authority from FAA to TSA. The second was the series of rulemaking related to SSI procedures.

Transfer of aviation security authority: See discussion under DHS/TSA, supra.

Protection of SSI regulation: The USDOT regulation, issued jointly with the TSA regulation, was virtually identical to the TSA regulation. See discussion under DHS/TSA, supra.

FTA--Regulations, circulations, and guidance issued by FTA cover documentation related to various transit security plans and designs. Such documentation clearly raises FOIA/SSI issues; to the extent that contractors are involved in either preparing or executing the plans and designs, procurement security is also implicated. This section discusses guidance related, directly or indirectly, to SSI and other security documentation; security-related circulars and regulations for major capital investments and fixed rail; grant requirements and recommendations related to security procurements; and third party contracting security requirements.

General Document Control Guidance: Following the events of 9/11, FTA issued general guidance concerning document control measures that transit agencies should undertake for security critical systems and facilities. These measures included maintaining an appropriate level of security around plans and designs of operating and maintenance facilities and infrastructure (e.g., tunnels, bridges, electrical substations), and maintaining an appropriate level of security around documentation for security detection systems.272

Designation, Marking, and Control of SSI:273 FTA's SSI guidance was issued with the express purpose of helping transit agencies to prevent "the unauthorized disclosure or dissemination of SSI while preserving the public's 'right to know' about transit systems and operations."274 Under this guidance document, FTA defines transit SSI as "any information or record whose disclosure may compromise the security of the traveling public, transit employees, or transit infrastructure," including "data, documents, engineering drawings and specifications, and other records whose disclosure could increase the agency's risk of harm."275 The types of records that apply to transit agencies are identified:276

· Security programs and contingency plans issued, established, required, received, or approved by USDOT or DHS.
· Vulnerability assessments that are directed, created, held, funded, or approved by USDOT or DHS, or that will be provided to either agency in support of a federal security program.
· Threat information held by the federal government concerning transportation, transportation systems, and cyber infrastructure, including sources and methods used to gather or develop the information.

Both the TSA Administrator and the Secretary of USDOT may determine that additional information constitutes SSI.

In addition to appropriately handling the SSI listed above, the transit agency is advised to review the following records for SSI:277

· Security program plans and procedures that include vulnerability records or specific tactics for security operations.
· Security contingency plans and records.
· Records that reveal system or facility vulnerabilities (e.g., maps, detailed facility drawings, detailed action items from drills and exercises).

According to the guidance, if a portion of a document is SSI, the entire document must be controlled as SSI, and can only be released if the SSI is redacted.278 If the SSI is placed in an appendix that can be separated from the rest of the document, the remainder of the document can be more widely distributed once the appendix is redacted.279 This approach clearly applies to contract documents.

The guidance suggests a two-step process under which employees who may generate SSI are knowledgeable enough to recognize potential SSI and to refer it to the employee or committee designated to make SSI determinations for the agency. Making the determination that information could be SSI requires consideration of the agency's threat environment, the public's need to know the information, the availability of similar information from other sources, and the utility of the information to someone intent on causing harm.280 For example, procurement personnel should be sufficiently knowledgeable about SSI requirements to understand when to refer material to the SSI employee/committee and how to structure contract documents that relate to SSI. The FTA's examples of SSI and non-SSI are included as Appendix F, infra.

Any information that is determined to be SSI must be marked to warn that the information is controlled and may only be distributed to persons with a need to know. The guidance provides the mandatory advisory marking, included the required language to use.281 Only a covered person with a need to know may access SSI. "Need to know" includes requiring the SSI to perform official duties pursuant to a contract or grant. "Covered person" includes the following four categories applicable to transit agencies:282

· Persons who have access to SSI.
· Persons employed by, contracted to, or acting for a covered person, including a grantee of DHS or USDOT, and persons formerly in such a position.
· Persons for whom a vulnerability assessment has been directed, created, held, funded, or approved by the USDOT or DHS, or who have prepared a vulnerability assessment that will be provided to either agency in support of a federal security program.
· Persons receiving SSI.

263 Id. at 72147.
264 49 C.F.R. Part 659 Reference Guide, June 22, 2005, at 27, http://transit-safety.volpe.dot.gov/publications/sso/49CFRPart659_FinalRule/49CFR659_Reference_Guide.pdf (accessed Sept. 15, 2009).
265 Additional Guidance on Background Checks, Redress and Immigration Status, www.tsa.dhs.gov/assets/pdf/guidance_employee_background_checks.pdf.
266 Disqualifying crimes applicable to hazardous material drivers and transportation workers at ports: 49 C.F.R. § 1572.103; appeal and waiver process: 49 C.F.R. pt. 1515.
267 Additional Guidance on Background Checks, Redress and Immigration Status, www.tsa.dhs.gov/assets/pdf/guidance_employee_background_checks.pdf.
268 PATRICE MCDERMOTT, WHO NEEDS TO KNOW?: THE STATE OF PUBLIC ACCESS TO FEDERAL GOVERNMENT INFORMATION 135 (2007); Spencer S. Hsu, Homeland Security Employees Required to Sign Secrecy Pledge, WASH. POST, Nov. 16, 2004, at A23, www.washingtonpost.com/wp-dyn/articles/A52977-2004Nov15.html (accessed Mar. 4, 2009); Department of Homeland Security Non-Disclosure Agreement, www.tsa.gov/assets/pdf/NDA_v2.pdf. See App. F, infra.
269 Unions Challenge Department of Homeland Security Non-Disclosure Agreement, CANADIAN DIMENSION 39.1 (Jan.-Feb. 2005), at 8(2); Hsu, supra note 268.
270 Dep't of Homeland Security, Privacy Impact Assessment for Threat Assessments for Access to Sensitive Security Information for Use in Litigation, Dec. 28, 2006, www.dhs.gov/xlibrary/assets/privacy/privacy_pia_tsa_ssi.pdf (accessed Sept. 23, 2009).
271 Id. at 4.
272
TSA/FTA Security and Emergency Action Items for
Transit Agencies, Document Control, Items 15 and 16, FTA advises that transit agencies establish rules for
http://transit- disseminating SSI to contractors and suggests control-
safety.volpe.dot.gov/security/SecurityInitiatives/ActionItems/ac ling access by using prequalification, including nondis-
tionlist.asp#Document_Control; FED. TRANSIT ADMIN., U.S.
closure forms; maintaining secure locations for review
DEP'T OF TRANSP., FY 2009 TRIENNIAL REVIEW WORKSHOPS
WORKBOOK 1913,
of SSI; and covering SSI handling in contracts, includ-
www.fta.dot.gov/documents/FY2009_TriennialReview_Workboo ing "use, storage, reproduction, dissemination, and re-
k.pdf; TRANSTECH MANAGEMENT, INC., supra note 1, at chs. 2, turn, both on and off of transit property."283
3, and Appendices.
278
273
CHANDLER, SUTHERLAND, & ELDREDGE, supra note 164, Id. at 8.
279
at 3. Id. at 5.
274 280
Id. at 1. Id. at 78.
275 281
Id. at 3. Id. at 10.
276 282
Id. at 5. Id. at 1112.
277 283
Id. Id. at 13.
OCR for page 29
29
The following points concerning SSI control284 will apply to bid/contract SSI:

· SSI must be stored securely. If possible, the SSI should be stored by the owner or originator.
· When SSI is in use, the custodian, if required to suspend work temporarily, must secure the records.
· Reproduction must be kept to the minimum required for agency business, with copies protected as the originals.
· Transmission must protect against unauthorized disclosure.
· Return of SSI must be assured.
· Destruction must be by a method that precludes recognition or reconstruction.
· Employees and contractors likely to handle SSI should be trained on handling requirements.

FTA Circular 5800.1: Under 49 U.S.C. § 5327(a), applicants and recipients of major capital project funding must address safety and security management as part of their project management plan. FTA has implemented this statutory mandate by issuing guidance that calls on recipients to prepare a Safety and Security Management Plan (SSMP) as part of the project management plan required by 49 U.S.C. § 5327(a).285 Chapter II of FTA Circular 5800.1 includes the following provisions:

· Establishing a program that identifies and assesses security vulnerabilities throughout the project development process.
· Establishing a process for documenting and tracking actions taken to address the vulnerability assessment.
· Establishing security requirements for the project, based on applicable safety and security codes, guidelines, and standards established by government agencies and industry associations.
· Developing documentation to convey security rules and procedures for the project to employees, contractors, and oversight agencies. Documents may include security plans, as well as operating and maintenance procedures and manuals.
· Establishing qualifications and training programs for operating and maintenance personnel, which programs must address security elements.
· Identifying any security analyses contractors must perform for the construction site.

Section 2, Chapter IV, of the circular provides that the SSMP include procedures for managing SSI. Contracting out any of the activities provided for under Chapter II or the development of procedures required under Chapter IV could have ramifications for procurement security.

Chapter II of Circular 5800.1 expressly addresses protection of SSI. Recipients with major capital projects covered by 49 C.F.R. Part 633 are directed to document or reference their procedures for managing SSI in the SSMP, which procedures are expected to extend to their project contractors. In addition, any SSI submitted to FTA and project management oversight contractors during the project management oversight process will be exempt from disclosure under FOIA.286 Finally the circular directs the recipient to have SSI handling procedures.287

Although SSMPs are required by law only for major capital investment projects, FTA encourages all transit systems to develop transit system security program plans. Such plans are also considered SSI. FTA's Triennial Review contractors may only examine them on site at the time of the Triennial Review.288

State Safety Oversight of Rail Fixed Guideway Systems:289 The regulation requires transit agencies to develop system security plans for rail fixed guideway systems and state oversight agencies to review those plans. The plans must contain five elements,290 which may include SSI:

· Identification of policies, goals, and objectives for the security program.
· Documentation of the rail transit agency's threat and vulnerability process.
· Identification of controls in place that address the personal security of passengers and employees.
· Documentation of the agency's process for conducting internal security reviews to evaluate compliance and measure effectiveness of the system security plan.
· Documentation of the agency's process for making its system security plan and accompanying procedures available to the oversight agency for review and approval.

284 Id. at 1517.
285 Safety and Security Management for Major Capital Projects: Notice of Final Circular, 72 Fed. Reg. 34339 (June 21, 2007), http://edocket.access.gpo.gov/2007/pdf/E7-11970.pdf; FTA Circular 5800.1, Safety and Security Management Guidance for Major Capital Projects (Aug. 1, 2007), www.transportation.org/sites/scopt/docs/FTA%20C%205800%201%20-%20FINAL%20Safety%20and%20Security%20Management%20Plan-1.pdf. See also Frequently Asked Questions, http://transit-safety.volpe.dot.gov/publications/security/Safety%20%20Security%20frequent%20questions.pdf.
286 FTA Circular 5800.1, II.4, at II-5.
287 FTA Circular 5800.1, IV.2.b., at IV-2. See also FED. TRANSIT ADMIN., supra note 272, at 19-7, noting requirement to review security and emergency management plans.
288 FED. TRANSIT ADMIN., supra note 272, at 19-7.
289 49 U.S.C. § 5330; 49 C.F.R. pt. 659, Rail fixed guideway systems; State safety oversight, www.access.gpo.gov/nara/cfr/waisidx_08/49cfr659_08.html; 49 C.F.R. Part 659 Reference Guide, http://transit-safety.volpe.dot.gov/publications/sso/49CFRPart659_FinalRule/49CFR659_Reference_Guide.asp.
290 49 C.F.R. § 659.23, System security plan: contents.
OCR for page 30
30
The requirements governing state oversight of the security of rail fixed guideway systems through designated oversight agencies do raise confidentiality issues concerning the state agency's handling of security plans, for example if such plans are considered public records under state public records law. The regulation does not require public availability of the system security plan;291 does require the oversight agency to explain how it will protect the system security plan from public disclosure;292 and authorizes the oversight agency to prohibit a transit agency from publicly disclosing the system security plan.293 FTA recommends that the oversight agency only take possession of a system security plan if the agency can maintain the plan's confidentiality under state sunshine laws.294 As FTA notes in its Part 659 guidance, the review of system security plans must comply with 49 C.F.R. Part 1520.295 According to FTA guidance, the process required under Section 659.23(e) must be documented "according to procedures established to prevent public disclosure of these materials."296 These oversight requirements also raise procurement concerns if a state contracts out its oversight responsibilities or if a transit agency contracts out the development or review of its systems security plan.297 298

Procurement of Security-Related Goods and Services: There are a number of grant requirements and FTA recommendations that result in transit agencies procuring security-related goods and services and having to manage information related to those procurements. For example, recipients of Urbanized Area Formula Grants must certify annually that they are spending 1 percent of Urbanized Area Formula Grant Program funds on security projects or that those projects are not necessary.299 Eligible projects under 49 U.S.C. § 5307 include increased lighting, increased camera surveillance, providing emergency telephone lines, and "any other project intended to increase the security and safety of an existing or planned public transportation system."300 FTA guidance provides the following more specific examples of appropriate security expenditures: "facility perimeter security and access control systems (e.g., fencing, lighting, gates, card reader systems, etc.), closed circuit television camera systems (at stations, platforms, bus stops and on-board vehicles), security and emergency management planning, training and drills."301 Agencies may also expend funds to purchase explosive detection equipment. For example, the New York Police Department, which conducts random passenger searches on the New York City subway system, has purchased hand-held devices that can be used "to detect and identify explosives, chemical warfare agents, and toxic industrial chemicals."302

Third Party Contracting Security Requirements: Grant recipients are generally responsible for extending federal requirements to third party contractors.303 While this alone might be sufficient to require grant recipients to require SSI protection from their contractors, SSI requirements are specifically referenced in FTA's third party contracting circular: third party contractors must protect SSI to ensure compliance with the DHS/USDOT statutes and implementing regulations discussed earlier. This requirement includes taking measures to ensure that subcontractors at each tier protect SSI in accordance with applicable law and regulation.304

Both the common grant rule and FTA's authorizing legislation305 require third party procurement procedures that require full and open competition. This requirement covers prequalification,306 a method that may

291 49 U.S.C. § 659.11, Confidentiality of investigation reports and security plans.
292 49 C.F.R. § 659.15(b)(9).
293 49 C.F.R. § 659.21(b).
294 49 C.F.R. Part 659 Reference Guide, June 22, 2005, at 13, http://transit-safety.volpe.dot.gov/publications/sso/49CFRPart659_FinalRule/49CFR659_Reference_Guide.pdf (accessed Sept. 15, 2009).
295 49 C.F.R. Part 659 Reference Guide, June 22, 2005, at 2627, http://transit-safety.volpe.dot.gov/publications/sso/49CFRPart659_FinalRule/49CFR659_Reference_Guide.pdf (accessed Sept. 15, 2009). Compliance with 49 C.F.R. pts. 15 and 1520, to the extent applicable, are grants requirements. FTA Master Agreement MA(16), 10-1-2009, at 59, Section 37: Protection of Sensitive Security Information, www.fta.dot.gov/documents/16-Master.pdf.
296 49 C.F.R. Part 659 Reference Guide, June 22, 2005, at 28, http://transit-safety.volpe.dot.gov/publications/sso/49CFRPart659_FinalRule/49CFR659_Reference_Guide.pdf (accessed Sept. 15, 2009).
297 49 C.F.R. §§ 659.21 System security plan: general requirements, 659.23 System security plan: contents.
298 49 C.F.R. § 659.25(b)(9).
299 FTA Master Agreement MA(16), Oct. 1, 2009, at 61, § 39: Special Provisions for the Urbanized Area Formula Program, e. Public Transportation Security, http://www.fta.dot.gov/documents/16-Master.pdf.
300 49 U.S.C. § 5307(d)(1)(J).
301 FED. TRANSIT ADMIN., supra note 272, at 19-4.
302 New York City Police Deploy Trace Detectors From Smiths Detection, THE POLICE CHIEF, vol. 73, no. 9, Sept. 2006, http://policechiefmagazine.org/magazine/index.cfm?fuseaction=display_arch&article_id=1005&issue_id=92006 (Sept. 23, 2009).
303 FTA Master Agreement MA(16), Oct. 1, 2009, at 15, § 2: Project Implementation, e. Recipient's Responsibility to Extend Federal Requirements to Other Entities, http://www.fta.dot.gov/documents/16-Master.pdf.
304 FTA Circular 4220.1F, ch. IV, The Recipient's Property and Services Needs and Federal Requirements Affecting Those Needs § 2.a(7), at IV-7; Third Party Contracting Guidance: Notice of Final Circular, 73 Fed. Reg. 56896, 56906 (Sept. 30, 2008), http://edocket.access.gpo.gov/2008/pdf/E8-22914.pdf.
305 49 U.S.C. § 5325(a).
306 FTA Circular 4220.1F, ch. VI, Procedural Guidance for Open Market Procurements, § 1.(c), at VI-2. For a discussion of prequalification procedures in general, see Daniel D. McMillan