Cover Image

Not for Sale



View/Hide Left Panel
Click for next page ( 48


The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement



Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.

OCR for page 47
47 completed NDAs and Information and Responsibility United States. Agency E administers the county's bus Request forms covering security questions. and paratransit public transportation system. Agency E requires all employees working on vulner- D. Transit Agency D472 ability assessments, security plans, and security en- Agency D is a large multimodal transit agency. As of hancement plans to execute confidentiality agreements October 2009, Agency D was in the process of develop- specifically regarding requirements for maintaining ing its own SSI policy. Departments involved in the confidentiality of material and acknowledging penalties development process include capital programs, capital for noncompliance. Agency E's Security/Safety Section program management, legal, procurement, and engi- reviews only security-related bids for CII/SSI. neering. The policy will cover procurement as well as other issues. F. Virginia Department of Transportation475 Agency D does protect information other than SSI The Virginia Department of Transportation's from disclosure based on security grounds, and controls (VDOT) Critical Infrastructure Information/Sensitive access to all information pertaining to construction pro- Security Information (CII/SSI) Policy is an internal jects. To date the agency has only had occasion to re- document. However, elements of the policy are de- view security-related projects for CII/SSI. However, as scribed in publicly available documents, such as it develops its SSI policy, Agency D intends to require VDOT's guide to identifying CII/SSI. In addition, the review of all projects to determine the need for con- VDOT's CII/SSI Guide for Vendors and Contractors is trolling access to procurement documents based on the publicly available. nature of the project. Rather than focusing on whether The guide cautions that if the information is custom- the project provides security, the policy will focus on arily public knowledge or the general public has a need whether information in the procurement is sensitive. to know the information, then it is not CII/SSI. The For example, a procurement for a project to place cam- guide is based on the criteria on the safety and security eras in a visible manner in a public area may not re- exemptions in the Virginia Freedom of Information Act, quire restricted access to procurement information, which provides that records falling under the exemp- while a procurement to do structural work on a subway tions are excluded from the mandatory disclosure provi- tunnel may require restricted access because of the sions of the act, but may be disclosed at the custodian's need to review sensitive structural information to bid discretion unless otherwise required by law. and to carry out the contract. This approach allows for The guide lists categories of information that might the prioritization of security information by the incre- be CII/SSI. These include: mental damage a threat source would gain by knowing the information. Engineering and construction drawings and plans Agency D controls contractor access to SSI and other that would reveal critical structural components or se- security information by requiring prospective vendors curity equipment and systems, if disclosure would jeop- to register with FedBizOpps,473 the federal contracting ardize the health or safety of any person or structure. Web site database. Registration on this Web site re- Documentation describing the design, function, op- quires getting cleared to receive sensitive material. eration or access control features of any security sys- Agency D is also considering carrying out some secu- tem, manual or automated, used to control access to or rity-related construction work in-house, which would use of any automated data processing or telecommuni- avoid the need to manage contractor access to security cations system. information. Plans and information to prevent or respond to Agency D does have a single point of contact in each terrorist activity, if disclosure would jeopardize the of its major groups for handling SSI. Procedurally, pro- safety of any person, including vulnerability assess- ject design managers review project information for SSI and notify procurement of the SSI classification. This 475 requires both engineers and procurement personnel to The description of VDOT's sensitive information protec- tion procedures is based on a review of several publicly avail- be trained on SSI classification and management. able documents: Location and Design Division's Instructional and Informational Memorandum on Procedures for Protecting E. Agency E474 Sensitive Information, Agency E is a transportation authority responsible www.extranet.vdot.state.va.us/locdes/electronic%20pubs/Bridg for surface transportation in a county in the western e%20Manuals/IIM/SBIIM71.pdf (accessed Apr. 1, 2009); VDOT's CII/SSI Guide for Vendors and Contractors, http://www.virginiadot.org/business/resources/const/CII_SSIGu 472 ideV6.0InterimRevisionFINAL.PDF; VDOT's Critical Infra- The description of Agency D's security/procurement prac- structure Information (CII) Sensitive Security Information tices is based on responses from the agency to questions posed (SSI) Agreement to Establish a Company Representative, by the author. Responses are maintained in the author's files. http://vdotforms.vdot.virginia.gov/SearchResults.aspx?filename 473 www.fbo.gov/. =CII%20Company%20Rep%20V5.pdf (accessed Apr. 1, 2009); 474 The description of Agency E's security/procurement prac- VDOT's Guide to identifying CII/SSI, tices is based on responses from the agency to questions posed http://vdotforms.vdot.virginia.gov/SearchResults.aspx?filename by the author. Responses are maintained in the author's files. =Guide%20to%20Identifying%20CII%20SSI.pdf.