National Academies Press: OpenBook

Reconciling Security, Disclosure, and Record-Retention Requirements in Transit Procurements (2010)

Chapter: V. APPLYING SECURITY AND CONTRACT MANAGEMENT REQUIREMENTS TO THE COMPETITIVE PROCUREMENT PROCESS

Suggested Citation:"V. APPLYING SECURITY AND CONTRACT MANAGEMENT REQUIREMENTS TO THE COMPETITIVE PROCUREMENT PROCESS." National Academies of Sciences, Engineering, and Medicine. 2010. Reconciling Security, Disclosure, and Record-Retention Requirements in Transit Procurements. Washington, DC: The National Academies Press. doi: 10.17226/14404.

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

ments or operational, procedural, transportation, and tactical planning or training manuals.
• Information revealing surveillance techniques, personnel deployments, or operational and transportation plans and protocols.
• Information concerning threats against transportation.

For reviewing records that fall into the categories that might be CII/SSI, the guide recommends considering these factors about the need to protect CII/SSI:

• What impact could the information have if it were inadvertently transferred to an unintended audience?
• Does the information provide details concerning security procedures and capabilities?
• Could someone use the information to target personnel, facilities, or operations?
• How could someone intent on causing harm misuse the information?
• Could the use of this information be dangerous if it were combined with other publicly available information?

The policy requires custodians to take reasonable steps to minimize unauthorized access to CII/SSI during working hours and to secure it after working hours in a locked desk or file cabinet or similar secure container. Each person who works with CII/SSI is personally responsible for safeguarding it. Information containing CII/SSI should only be released to persons with a legitimate VDOT-related need to know and who have signed VDOT’s NDAs. It is uncertain whether the policy itself sets forth steps for establishing the need to know.

VDOT requires contractors to sign individual NDAs before gaining access to VDOT CII/SSI. In addition, a company representative is required to sign a company agreement accepting responsibility on behalf of the company for the actions of all company employees in regard to VDOT CII/SSI in the company’s custody or control, acknowledging that all individuals involved with the project in question who will have access to VDOT CII/SSI must sign an NDA before receiving such access; and acknowledging the need-to-know nature of the CII/SSI and penalties for failing to protect the information. The agreement includes a list of responsibilities in handling CII/SSI, including protection, use and storage, reproduction, disposal, and transmission.

V. APPLYING SECURITY AND CONTRACT MANAGEMENT REQUIREMENTS TO THE COMPETITIVE PROCUREMENT PROCESS

The federal and state legal requirements discussed above clearly have an effect on how procurement personnel manage contract documents containing security information, including how those personnel respond to requests for information under state public records laws. For example, infrastructure information submitted to DHS or USDOT may become protected from disclosure by those agencies. However, it is an evolving question whether submitting such information to covered federal agencies renders the information protected from disclosure by the local agency that submits it. At least one state court has distinguished between the obligation of the federal agency receiving protected CII to maintain confidentiality and that of the local agency submitting information otherwise disclosable under state law to keep such information confidential merely because it was submitted to a federal agency.

In addition, transit agencies must distinguish between the obligation to control documents containing SSI and the obligation to disclose non-SSI information in such documents. For purposes of control, if a document contains SSI, the entire document must be secured while in agency control.
For purposes of public records requests, if a disclosure request is made for a document containing SSI, many state laws require the agency to redact the SSI and release the unredacted portion of the document, if reasonably feasible.

Finally, transit agencies should be aware of the legal distinctions between SSI and restricted security information (information that is not SSI but has been identified as potentially harmful to security if disclosed), as SSI is protected under federal law but restricted security information is not.

Moreover, the sometime conflicting public policy purposes of the various requirements demand that procurement personnel balance those purposes as they develop and manage procurement documents. This section highlights several areas where that effect comes into play. These include measures that may minimize the need to balance competing needs for security and disclosure; decisions on when security information should be disclosed; and procedures for maintaining contract records containing security information.

A. Minimizing Need to Balance Security and Transparency476

Good contract management procedures applied to management of SSI and restricted security information, just as applied to the handling of trade secrets and confidential financial information, will help balance the public right to know and need to know. On the other hand, poor recordkeeping, such as lacking a contract administration system or having no written record of procurement history,477 may create problems in properly managing this information. In addition, state law may require that public records be designed to facilitate segregation to the extent practicable. Such requirements may support an approach of not scattering security information throughout the documentation (assuming security information cannot be kept out of procurement documentation altogether).

476 The Florida Attorney General has provided a good analysis of the balancing issue and factors to consider in determining whether to disclose SSI in competitive bidding. Florida Attorney General Advisory Legal Opinion AGO 2002-74—Nov. 4, 2002, http://myfloridalegal.com/ago.nsf/Opinions/D4CFF22D8B492BDF85256C6700541A22 (accessed Apr. 1, 2009); Summary: http://brechner.org/reports/2002/12dec2002.pdf (accessed Apr. 1, 2009).
477 U.S. GOV’T ACCOUNTABILITY OFFICE, PUBLIC TRANSPORTATION: FTA’S TRIENNIAL REVIEW PROGRAM HAS IMPROVED, BUT ASSESSMENTS OF GRANTEES’ PERFORMANCE COULD BE ENHANCED 15 (2009) (citing deficiency codes in Triennial Reviews), www.gao.gov/new.items/d09603.pdf.

The drafting of bid specifications and other contract documents is a very good place to apply the “need to know” concept by asking: Is there a compelling need to include SSI/Restricted Security Information in the documents? For example, if bid documents related to a security project themselves only specify security parameters—which are disclosable—as opposed to detailed operations requirements,478 those bid documents can be made available for the same public inspection as bid documents that have no relation to security. This approach requires making any SSI/restricted security information needed for bid response available to bidders separately, presumably under properly controlled circumstances. However, the practicability of keeping such information entirely out of contract documents will vary, largely depending on the particular procurement at issue, and to some extent on the tracking capabilities of the agency’s procurement process. Alternatively, SSI may be included in an appendix, which can be redacted from public records requests.479

It is important that the personnel structuring procurement documents understand these security issues. The authors of the Security and Emergency Preparedness Planning Guide, supra, recommend that the agency security manager have authority in overseeing security issues in the procurement process.480

B. Deciding Whether Information Should Be Disclosed

Information that has been classified as SSI should not be disclosed to the public under state public records acts.
However, circumstances may change over time so that information originally classified as SSI may no longer merit that classification when a particular request is made. Restricted security information may or may not be exempt from disclosure, depending on state law.

When a transit agency official considers a request for information in either category, the deciding official must consider whether 1) the requested information is covered by an exemption from disclosure requirements; 2) if covered, the official has the discretion to disclose the information; and 3) if the discretion exists, whether it should be exercised. In the case of information covered solely by state law, this will depend on whether applicable exemptions are mandatory or permissive.481 The question of how to release such information to persons with a need to know, subject to limitations, is discussed below under V.C, Procedures for Maintaining Contract Records Containing CII/SSI/Restricted Security Information.

478 E.g., Blank TSA vulnerability checklist is considered disclosable. It does not become SSI until it has been completed with specific information.
479 CHANDLER, SUTHERLAND, & ELDREDGE, supra note 164, at 5.
480 BALOG, BOYD, & CATON, supra note 1, at 25–26 (2003), http://transit-safety.volpe.dot.gov/publications/security/PlanningGuide.pdf.

1. Determining When Disclosure Threatens Public Security482

The very existence of security measures is often public, while the operational details of the measures are not.483 For example, if a transit agency purchases closed circuit security cameras for buses, the existence of those cameras is likely to be readily apparent. If so, disclosing information about a contract to purchase readily discernible security cameras is not likely to threaten public security. On the other hand, details of enhancements to those cameras, not readily apparent from observing the cameras in place, may not be publicly announced.
Disclosing information about commercially available security systems, commercially available system effectiveness data, and accepted construction techniques is not likely to threaten public security, while disclosing unique information about methods to defeat those security systems could assist persons seeking to attack the systems. Even information identifying critical system elements is not likely to threaten public security if the equipment is readily observable to the public.

The distinction between existence/parameters (disclosable) and details of execution (sensitive) is critical in classifying information. For example, the release of generic security criteria is not likely to threaten public security, while releasing site-specific information generated from such criteria could be harmful. Similarly, releasing information about the general location of security projects is not likely to result in harm, while revealing explicit details or capabilities could threaten public security. This is analogous to notice requirements in the Fourth Amendment context, where requirements for conducting random searches must be disclosed, but not the manner in which the government will attempt to ensure that search requirements are not violated.484

State requirements for disclosing the results of bridge inspections illustrate the possible differences in approaches to disclosure. Some states have taken the position that detailed bridge inspection reports would provide information to would-be terrorists concerning structural weaknesses; these states deny full access to such reports. Other states make such reports available to the public, although in some cases only at state offices.485

481 Maryland, for example, has both mandatory and discretionary exemptions, www.oag.state.md.us/Opengov/ChapterIII.pdf.
482 TRANSTECH MANAGEMENT, INC., supra note 1, at 3–4.
483 E.g., New Jersey purchase of buses with closed-circuit camera systems, enhancing Newark Penn Station: Jan. 23, 2007, Minutes of NJ Transit Board of Directors meeting, at 6, www.njtransit.com/pdf/Jan%2023%202007.pdf (accessed Feb. 28, 2009); Michael Fickes, Preventing Mass Transit Terror Attacks, GOVERNMENT SECURITY MAGAZINE, Oct. 1, 2005 (describing security measures taken by NYMTA), http://govtsecurity.com/transportation_security/preventing_mass_transit/ (accessed Feb. 28, 2009).
484 See, e.g., WAITE, supra note 10, at 23.

A number of reports and guidance documents suggest questions to ask in determining how to classify information and whether to release particular information.486 These questions, which should be considered in relation to each other, include:

• Can the information be used to select a target for terrorist attack?487
• Does the information make its subject a more attractive target or increase the risk of attack?
• Does the public need to know the information? If so, can the information that the public needs to know be separated from information that could increase the threat to system security?
• Is the same or similar information readily available from other sources, including first-hand observation of public areas or via the Internet?
• How does the agency normally treat this type of information? Are the number of copies and location of copies tracked?
• What is the agency’s threat environment?

2. Permissibility of Distinguishing Based on Requester’s Identity

The requester’s identity could potentially enter into the assessment of the potential threat of releasing the information. Factors to consider include:

• Some states require employees to report suspicious or unusual requests for information to legal counsel or other specified authorities on records management.488 The viability of this approach under a specific state law may depend on how the determination is made that a request is unusual or suspicious.
• Denying requests based on the requester’s identity or the purpose of the request may be illegal under state law, although some states do require identification before disclosure.489 Transit agencies are advised to analyze whether flagging requests for certain types of information for special review is consistent with state law, particularly if state law prohibits denying requests based on the requester’s identity.

485 Jeff Martin, Some States Close Bridge Inspection Data to Public, USA TODAY, July 24, 2008, www.usatoday.com/news/nation/2008-07-24-bridgereports_N.htm (accessed Feb. 28, 2009).
486 E.g., TRANSTECH MANAGEMENT, INC., supra note 1, at 7–8; VDOT’s CII/SSI Guide for Vendors and Contractors, http://www.virginiadot.org/business/resources/const/CII_SSIGuideV6.0InterimRevisionFINAL.PDF.
487 For an example of information deemed disclosable, see the drawing included in a Port Authority of New York and New Jersey prequalification document. www.panynj.info/DoingBusinessWith/contractors/pdfs/RFQDOC_WTC224545.pdf.
488 TRANSTECH MANAGEMENT, INC., supra note 1, at 7.

C. Procedures for Maintaining Contract Records Containing CII/SSI/Restricted Security Information490

The length of time that a transit agency must comply with record disclosure and management requirements will be governed by federal, state, and local record retention requirements, so obviously it is important to be aware of those requirements. The length of time that a record containing security information must be managed in a controlled fashion could affect the decision to include such information in procurement documentation.

There are important legal distinctions between managing federally-designated CII/SSI and managing restricted security information. Federal law imposes specific requirements for protecting CII/SSI, along with liability for unauthorized disclosure. In addition, being classified as CII will arguably limit the agency’s use of the information so classified.
A transit agency may, as a matter of policy, apply the same restrictions on disclosure to restricted security information as those required by law for CII/SSI. However, there should be no state statutory penalty for unauthorized disclosure of restricted security information unless state law prohibits the disclosure of the particular information at issue, in which case unauthorized disclosure would violate the state law containing the prohibition, with whatever penalty that law provides.

While not required for transit agencies, GAO recommendations for improving administration of SSI and congressional requirements for TSA set forth some principles to consider in managing SSI to ensure compliance with federal law and regulations. Steps recommended by GAO include establishing guidance and procedures for using TSA regulations to determine what constitutes SSI, including offering examples of SSI; establishing responsibility for the identification and designation of SSI; creating and promulgating policies and procedures within TSA for providing training to those making SSI determinations; establishing internal controls that define responsibilities for monitoring compliance with SSI regulations, policies, and procedures; and communicating these responsibilities throughout TSA.491 As noted, supra, Congress specifically required TSA to revise its management directive to review requests to publicly release SSI in a timely manner, including SSI that is at least 3 years old. GAO has also recommended that the Office of Management and Budget work to develop a government-wide directive that provides guidance on how to control sensitive but unclassified information, including SSI. GAO recommended that the guidance cover decisions on what information to protect with sensitive but unclassified designations; provisions for training on making designations, controlling, and sharing such information with other entities; and a review process to determine how well the program is working.492

489 Nevada imposes restrictions on persons who may inspect specified classes of documents that the governor has determined are likely to “create a substantial likelihood of compromising, jeopardizing or otherwise threatening the public health, safety or welfare” if released. NEV. REV. STAT. 239C.210, Confidentiality of certain documents, records, or other items of information upon declaration of Governor; penalties; NEV. REV. STAT. 239C.220, Inspection of restricted documents, www.leg.state.nv.us/NRS/NRS-239C.html.
490 See U.S. GOV’T ACCOUNTABILITY OFFICE, supra note 138, at 4.
491 Id. GAO cited TSA’s own Internal Security Policy Board on the importance of providing specific guidance about what material is and is not covered: The board concluded that essential elements of the framework [to identify, control, and protect SSI] should include, among other things, “…exacting specificity with respect to what information is covered and what is not covered. This specificity could be documented in a classification guide type format because imprecision in this area causes a significant impediment to determining SSI. Experience has shown that employees unsure as to what constitutes SSI may err on the side of caution and improperly and unnecessarily restrict information, or may err inappropriately and potentially disastrously on the side of public disclosure.” Id. at 3–4. GAO has reported that TSA has taken actions to address those GAO recommendations and has addressed the legislative mandates from the DHS Appropriations Act, 2007. U.S. GOV’T ACCOUNTABILITY OFFICE, supra note 138, at 5.
492 U.S. GOV’T ACCOUNTABILITY OFFICE, INFORMATION SHARING: THE FEDERAL GOVERNMENT NEEDS TO ESTABLISH POLICIES AND PROCESSES FOR SHARING TERRORISM-RELATED AND SENSITIVE BUT UNCLASSIFIED INFORMATION 29 (2006), www.gao.gov/new.items/d06385.pdf (accessed Oct. 10, 2009).

To some extent approaches suggested by GAO may also apply to managing security information not covered by federal requirements. Actual application of the principles may need to be modified depending on the size and organization of the transit agency.

1. Maintaining Contract Security Information Within the Transit Agency

The transit agency should maintain contract security records within the agency using safeguards appropriate to the type of information involved. The need for security applies to transit agency employees, contractors, and auditors. Specific federal recommendations for controlling SSI were discussed in II.B.2, Federal Agencies, supra. General measures to ensure confidentiality of contract security records are reviewed here.

(A) Physical Security.—Transit agencies should restrict access to facilities (or portions thereof) where security information is stored, as well as visual inspection of facilities that could reveal security information. To the extent that information must be kept confidential, agencies should make sure that both hard copy and electronic systems are secure.

(B) Other Controls Within the Agency.—It may be useful to have SSI program managers/coordinators to communicate SSI responsibilities to other employees.493 In any event, it is advisable for transit agency policy to ensure that employees who may have access to security information, either by creating it or handling it, understand the legal requirements associated with that information.
It may be useful to ensure that such employees are knowledgeable enough to recognize what might be SSI or other security information and refer such information to the agency’s designated SSI office(r).494

A number of measures are available to put employees on notice of security requirements and the penalties for violating those requirements. These include requiring NDAs and/or background checks for employees with access to security information, requiring tracking of the location of security documents, restricting copying, and prohibiting removal of security documents from transit agency premises or project location. Background checks must comply with federal law. NDAs often include or incorporate by reference the security measures that security information is subject to. In addition to standard agreement provisions such as choice of laws, an NDA may also include some or all of the following elements: recitation of the confidential nature of information to be disclosed; categories of information to be covered by confidentiality requirements; requirements for protecting SSI and penalties for violating those requirements; marking requirements and how to treat documents so marked; restricted uses allowed for information provided under the NDA; restricted access to information provided under the NDA; standard of care for information provided under the NDA; requirements for responding to any requests directed to recipient for information provided under the NDA; setting forth the recipient’s obligations to return information provided under the NDA; and reserving the disclosing party’s rights to seek injunctive relief to enforce the NDA.

(C) Releasing Information to Contractors.—There are a number of steps that transit agencies may take to maintain the confidentiality of security information, including SSI.
For example, the transit agency may require NDAs and criminal background checks before contractors receive bid documents, participate in site inspections, or are otherwise allowed access to agency security information.495 Some of these measures may take place as part of the prequalification process before bids are submitted.496 These types of requirements are common in situations where individuals have a bona fide need to know information not commonly available outside the disclosing agency.497 The transit agency may also require that contractors adopt specific security procedures for handling the agency’s security information. Such procedures often include the requirement that the contractors designate security officers to be responsible for managing the transit agency’s security information.

Transit agencies may maintain secure Web sites for storing, sharing, and distributing security-related project documentation. If so, the agencies may require prospective contractors to designate security information managers to ensure that access is limited to contractor employees who have passed required background checks and/or signed access agreements.498

493 U.S. GOV’T ACCOUNTABILITY OFFICE, supra note 138, at 13.
494 See CHANDLER, SUTHERLAND, & ELDREDGE, supra note 164, at 7.
495 See, e.g., VDOT requirement for Non-Disclosure Agreement and criminal background check before allowing tunnel site visit. Downtown Tunnel/Midtown Tunnel/MLK Freeway Extension Project Site Visit No. 2, www.virginiadot.org/projects/resources/hampton_roads/MTCPPPTA_SiteVisit2_Registration_rtp_080630.pdf (accessed Apr. 1, 2009); VDOT requirement for fingerprint-based Criminal History Background Checks for contractor employees who will handle CII/SSI under contract. RFP for Interstate 64 Widening Route 143 (east) to Route 199 (west) NEPA and Design Services, www.virginiadot.org/business/resources/RFP_I-64_Hampton_Roads.pdf.
496 E.g., The Port Authority of New York and New Jersey, Request for Pre-Qualification Information for WTC-General Site Work Via Work Order Contract, Apr. 2009, RFQ Number 18271 (issued before issuance of project RFPs, www.panynj.gov/DoingBusinessWith/contractors/pdfs/RFQI_18271.pdf; The Port Authority of New York and New Jersey, Request for Qualification Information for Greenwich Street Corridor Construction, May 2009, Contract Number WTC-224.545, www.panynj.info/DoingBusinessWith/contractors/pdfs/RFQDOC_WTC224545.pdf.
497 For example, TSA requires a criminal background check before allowing litigants in civil proceedings with a substantial need for SSI to receive the requested SSI. U.S. GOV’T ACCOUNTABILITY OFFICE, supra note 491, at 20. The Washington Suburban Sanitary Commission (WSSC) has used background security checks before it allowed inspection of plans and drawings showing the location of water and wastewater systems and also requires background checks for applicants for new water and sewer service before the applicants are allowed access to the WSSC’s electronic records management system to access plans and specifications in order to design and construct system expansions. July 31, 2007, letter from WSSC to the Maryland Attorney General, included in GANSLER, supra note 53.
498 E.g., The Port Authority of New York and New Jersey, Request for Pre-Qualification Information for WTC-General Site Work Via Work Order Contract, Apr. 2009, RFQ Number 18271, at 5 (III: General Requirements: L. Name and Phone Number of Security Information Manager), www.panynj.gov/DoingBusinessWith/contractors/pdfs/RFQI_18271.pdf.

(D) Releasing Information for Contract Reviews, Other Governmental Authorizations (including Triennial Reviews).—Contractors conducting Triennial Reviews should be familiar enough with required procedure not to ask for copies of SSI. Nonetheless, agency personnel should be aware that controlled access applies to these reviewers. Any examination of SSI should be on a need-to-know basis and conducted on site.

(E) Disposal of Security Information.—At the end of the required period for agency record retention, the transit agency should dispose of records as required by state or local law. Assuming that the transit agency has the authority to destroy the records (as opposed to being required to archive them), any documentation still deemed to be SSI/restricted security information should be destroyed securely so that the information is unusable.
Contractors should be required to return any such information to the transit agency or destroy it securely when the information is no longer required for the purposes for which it was disclosed to the contractor. Under no circumstances should SSI/restricted security information be disposed of in an unsecure manner (such as leaving it in trash cans at the project site).

2. Handling FOIA Requests

Employees responsible for responding to FOIA requests may need more detailed guidance about classifying SSI than is necessary to generally educate employees about the need to protect SSI. It may be advisable to limit employees tasked with evaluating FOIA requests for SSI/restricted security information to security officers or legal counsel, regardless of which employees were originally authorized to designate the information as security sensitive. For example, TSA requires its SSI Office to review requests to release SSI, regardless of which office originally identified the information as SSI.499

There is a distinction between control and release of information. If part of a record constitutes SSI or otherwise protected security information, the entire record should be treated as confidential in terms of maintenance and release to contractors. However, this does not mean that the entire record is exempt from disclosure. If a request is made for a record that contains SSI or otherwise protected security information, most state laws require that to the extent feasible the sensitive portion be redacted and the remainder released (assuming no other exemption requires nondisclosure).

3. Consider Instituting Review to Determine Whether Previously Designated Security Information Should Still Be Classified as Security Information

When TSA instituted a policy of reviewing SSI documents to determine their status, 282 documents determined to be SSI in their entirety (as reported to Congress in 2006) were determined to no longer warrant such continued protection.500 By making records publicly available once their disclosure no longer poses a security threat, periodic review of records categorized as SSI or otherwise protected as security sensitive furthers the public interest in maximum disclosure consistent with public security.

Alternatives for adopting such a review procedure include periodic reviews, reviews upon request for the information regardless of the age of the information, and reviews before public records are removed from active files.

499 U.S. GOV’T ACCOUNTABILITY OFFICE, supra note 138, at 21.
500 Id. at 14.

4. Auditing Records Management Procedures

Developing and implementing adequate procedures for managing security information, particularly SSI, is a necessary step. However, procedures are only useful to the extent that they are actually followed.501 Areas that may be of particular concern include maintaining a complete list of individuals authorized to access security information and being able to locate all security documents.

501 The New York State Comptroller audited the Metropolitan Transportation Authority’s (MTA’s) controls over the dissemination of security-sensitive information for the capital projects program and found that while the MTA’s guidelines provided a reasonable control framework, certain procedures were not being consistently followed. MTA took action in response to the Comptroller’s recommendations. Office of the New York State Comptroller, Metropolitan Transportation Authority Controls Over Security-Sensitive Information for the Capital Projects Program, Report 2006-S-6, Sept. 6, 2006, www.osc.state.ny.us/audits/allaudits/093006/06s6.htm.

D. Issues to Consider in Establishing/Reviewing Security Protocol for Procurement Process

The broader areas of concern discussed in the preceding subsections may be broken down into several issues that transit agencies may wish to consider in establishing a security protocol for handling security information in the procurement process. These issues are also relevant in reviewing an existing protocol. These issues are covered in checklist format in Appendix G.

Applicability of the points raised below will depend in part on the size and organizational structure of the transit agency. The job descriptions of personnel who appropriately carry out functions identified below will also vary according to agency size and organizational structure. Agency counsel should of course review the suitability of adopting any of these approaches.

1. Record Retention Requirements

• Federal, state, and local (whichever is most stringent) records retention requirements will affect the length of time that the protocol must be observed for specific documents.
• It may be advisable to ensure that decision-makers understand the parameters of these requirements so that they can take into account the burdens that may be incurred by including various types of security information in procurement documentation.

2. Record Disclosure Requirements

• In addition to record managers, it may be useful for any personnel with control over development of contract documentation to understand the requirements of state FOIA law, so that they are aware of what information included in the procurement documentation may be subject to disclosure.
• In particular, it would be useful to understand what exemptions applicable to contract documentation, if any, may be used to protect security information, and the standards for applying those exemptions, including the need, if any, to provide substantiation of a finding of endangerment of public safety (or statutory equivalent) to support the application of an exemption.502

3. Relationship Between General Policy for Managing Security Information and Procurement Process

• Effectiveness of the management of security information will hinge in part on the effectiveness of the process for designating security information to begin with.
• It may be advisable to have a single point of contact for designating SSI and restricted security information, either agency-wide or for each department. DHS, for example, is required to have at least one SSI coordinator in each DHS office that handles SSI.
• It may also be advisable to ensure that the agency FOIA officer coordinates with the SSI designator/personnel.
• If the agency’s legal counsel is not routinely involved in FOIA requests, it may be advisable to at least involve counsel in requests for certain types of security information.503
• Authority to designate need-to-know status is important to the effectiveness of security protocol.
• Need to know must have some limits to be meaningful. If most or all personnel working on a project need to know specified information, it is reasonable to question the sensitivity of the information. In addition, the more people who have access to information, the harder it is to track that access.
• Overclassifying information as SSI or restricted security information may lead to two problems: tracking system bloat and the “boy who cried wolf” syndrome.
• If the tracking system becomes too cluttered with information that is not truly sensitive, information that is truly sensitive becomes more difficult to track.

502 State security exemptions may set forth broad categories of documents that fall within the exemption, but require a finding of public endangerment as to a specific document. For example, Maryland’s statute only exempts vulnerability assessments and specified related documents to the extent that inspection would jeopardize facility security, facilitate planning of a terrorist attack, or endanger life or physical safety. See III.B.2, Vulnerability Assessments, supra this digest.

503 For example, as of 2002, the Texas Department of Transportation required legal counsel review before any requests for bridge design or plans could be released to the public. TRANSTECH MANAGEMENT, INC., supra note 1, at App. B.


TRB’s Transit Cooperative Research Program (TCRP) Legal Research Digest 32: Reconciling Security, Disclosure, and Record-Retention Requirements in Transit Procurements highlights the legal requirements that are relevant to the transit procurement process of balancing the competing needs of open government and public security. The report explores federal and state requirements concerning record retention and disclosure, as well as practices transit agencies have adopted to meet their responsibilities in balancing these competing public policy interests.
