Cover Image

Not for Sale



View/Hide Left Panel
Click for next page ( 49


The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement



Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.

OCR for page 48
48 ments or operational, procedural, transportation, and question whether submitting such information to cov- tactical planning or training manuals. ered federal agencies renders the information protected Information revealing surveillance techniques, from disclosure by the local agency that submits it. At personnel deployments, or operational and transporta- least one state court has distinguished between the ob- tion plans and protocols. ligation of the federal agency receiving protected CII to Information concerning threats against transpor- maintain confidentiality and that of the local agency tation. submitting information otherwise disclosable under For reviewing records that fall into the categories state law to keep such information confidential merely that might be CII/SSI, the guide recommends consider- because it was submitted to a federal agency. ing these factors about the need to protect CII/SSI: In addition, transit agencies must distinguish be- tween the obligation to control documents containing What impact could the information have if it were SSI and the obligation to disclose non-SSI information inadvertently transferred to an unintended audience? in such documents. For purposes of control, if a docu- Does the information provide details concerning ment contains SSI, the entire document must be se- security procedures and capabilities? cured while in agency control. For purposes of public Could someone use the information to target per- records requests, if a disclosure request is made for a sonnel, facilities, or operations? document containing SSI, many state laws require the How could someone intent on causing harm misuse agency to redact the SSI and release the unredacted the information? portion of the document, if reasonably feasible. Could the use of this information be dangerous if it Finally, transit agencies should be aware of the legal were combined with other publicly available informa- distinctions between SSI and restricted security infor- tion? mation (information that is not SSI but has been identi- fied as potentially harmful to security if disclosed), as The policy requires custodians to take reasonable SSI is protected under federal law but restricted secu- steps to minimize unauthorized access to CII/SSI dur- rity information is not. ing working hours and to secure it after working hours Moreover, the sometime conflicting public policy in a locked desk or file cabinet or similar secure con- purposes of the various requirements demand that pro- tainer. Each person who works with CII/SSI is person- curement personnel balance those purposes as they ally responsible for safeguarding it. Information con- develop and manage procurement documents. This sec- taining CII/SSI should only be released to persons with tion highlights several areas where that effect comes a legitimate VDOT-related need to know and who have into play. These include measures that may minimize signed VDOT's NDAs. It is uncertain whether the policy the need to balance competing needs for security and itself sets forth steps for establishing the need to know. disclosure; decisions on when security information VDOT requires contractors to sign individual NDAs should be disclosed; and procedures for maintaining before gaining access to VDOT CII/SSI. In addition, a contract records containing security information. company representative is required to sign a company agreement accepting responsibility on behalf of the A. Minimizing Need to Balance Security and company for the actions of all company employees in Transparency476 regard to VDOT CII/SSI in the company's custody or Good contract management procedures applied to control, acknowledging that all individuals involved management of SSI and restricted security information, with the project in question who will have access to just as applied to the handling of trade secrets and con- VDOT CII/SSI must sign an NDA before receiving such fidential financial information, will help balance the access; and acknowledging the need-to-know nature of public right to know and need to know. On the other the CII/SSI and penalties for failing to protect the in- hand, poor recordkeeping, such as lacking a contract formation. The agreement includes a list of responsibili- administration system or having no written record of ties in handling CII/SSI, including protection, use and procurement history,477 may create problems in properly storage, reproduction, disposal, and transmission. 476 The Florida Attorney General has provided a good analy- V. APPLYING SECURITY AND CONTRACT sis of the balancing issue and factors to consider in determin- MANAGEMENT REQUIREMENTS TO THE ing whether to disclose SSI in competitive bidding. Florida COMPETITIVE PROCUREMENT PROCESS Attorney General Advisory Legal Opinion AGO 2002-74--Nov. 4, 2002, The federal and state legal requirements discussed http://myfloridalegal.com/ago.nsf/Opinions/D4CFF22D8B492B above clearly have an effect on how procurement per- DF85256C6700541A22 (accessed Apr. 1, 2009); Summary: sonnel manage contract documents containing security http://brechner.org/reports/2002/12dec2002.pdf (accessed Apr. information, including how those personnel respond to 1, 2009). 477 requests for information under state public records U.S. GOV'T ACCOUNTABILITY OFFICE, PUBLIC laws. For example, infrastructure information submit- TRANSPORTATION: FTA'S TRIENNIAL REVIEW PROGRAM HAS ted to DHS or USDOT may become protected from dis- IMPROVED, BUT ASSESSMENTS OF GRANTEES' PERFORMANCE closure by those agencies. However, it is an evolving COULD BE ENHANCED 15 (2009) (citing deficiency codes in Tri- ennial Reviews), www.gao.gov/new.items/d09603.pdf.