Cover Image

Not for Sale

View/Hide Left Panel
Click for next page ( 51

The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement

Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.

OCR for page 50
50 approaches to disclosure. Some states have taken the fore disclosure.489 Transit agencies are advised to ana- position that detailed bridge inspection reports would lyze whether flagging requests for certain types of in- provide information to would-be terrorists concerning formation for special review is consistent with state structural weaknesses; these states deny full access to law, particularly if state law prohibits denying requests such reports. Other states make such reports available based on the requester's identity. to the public, although in some cases only at state of- fices.485 A number of reports and guidance documents sug- C. Procedures for Maintaining Contract Records gest questions to ask in determining how to classify Containing CII/SSI/Restricted Security information and whether to release particular informa- Information490 tion.486 These questions, which should be considered in The length of time that a transit agency must comply relation to each other, include: with record disclosure and management requirements will be governed by federal, state, and local record re- Can the information be used to select a target for tention requirements, so obviously it is important to be terrorist attack?487 aware of those requirements. The length of time that a Does the information make its subject a more at- record containing security information must be man- tractive target or increase the risk of attack? aged in a controlled fashion could affect the decision to Does the public need to know the information? If include such information in procurement documenta- so, can the information that the public needs to know be tion. separated from information that could increase the There are important legal distinctions between man- threat to system security? aging federally-designated CII/SSI and managing re- Is the same or similar information readily avail- stricted security information. Federal law imposes spe- able from other sources, including first-hand observa- cific requirements for protecting CII/SSI, along with tion of public areas or via the Internet? liability for unauthorized disclosure. In addition, being How does the agency normally treat this type of in- classified as CII will arguably limit the agency's use of formation? Are the number of copies and location of the information so classified. A transit agency may, as a copies tracked? matter of policy, apply the same restrictions on disclo- What is the agency's threat environment? sure to restricted security information as those required by law for CII/SSI. However, there should be no state statutory penalty for unauthorized disclosure of re- 2. Permissibility of Distinguishing Based on Requester's stricted security information unless state law prohibits Identity the disclosure of the particular information at issue, in The requester's identity could potentially enter into which case unauthorized disclosure would violate the the assessment of the potential threat of releasing the state law containing the prohibition, with whatever information. Factors to consider include: penalty that law provides. While not required for transit agencies, GAO rec- Some states require employees to report suspicious ommendations for improving administration of SSI and or unusual requests for information to legal counsel or congressional requirements for TSA set forth some 488 other specified authorities on records management. principles to consider in managing SSI to ensure com- The viability of this approach under a specific state law pliance with federal law and regulations. Steps recom- may depend on how the determination is made that a mended by GAO include establishing guidance and pro- request is unusual or suspicious. cedures for using TSA regulations to determine what Denying requests based on the requester's identity constitutes SSI, including offering examples of SSI; es- or the purpose of the request may be illegal under state tablishing responsibility for the identification and des- law, although some states do require identification be- ignation of SSI; creating and promulgating policies and procedures within TSA for providing training to those 485 making SSI determinations; establishing internal con- Jeff Martin, Some States Close Bridge Inspection Data to trols that define responsibilities for monitoring compli- Public, USA TODAY, July 24, 2008, 489 Nevada imposes restrictions on persons who may inspect bridgereports_N.htm (accessed Feb. 28, 2009). 486 specified classes of documents that the governor has deter- E.g., TRANSTECH MANAGEMENT, INC., supra note 1, at 7 mined are likely to "create a substantial likelihood of compro- 8; VDOT's CII/SSI Guide for Vendors and Contractors, mising, jeopardizing or otherwise threatening the public health, safety or welfare" if released. NEV. REV. STAT. ideV6.0InterimRevisionFINAL.PDF. 239C.210, Confidentiality of certain documents, records, or 487 For an example of information deemed disclosable, see other items of information upon declaration of Governor; penal- the drawing included in a Port Authority of New York and New ties; NEV. REV. STAT. 239C.220, Inspection of restricted docu- Jersey prequalification document. ments, C_WTC224545.pdf. 490 See U.S. GOV'T ACCOUNTABILITY OFFICE, supra note 138, 488 TRANSTECH MANAGEMENT, INC., supra note 1, at 7. at 4.

OCR for page 50
51 ance with SSI regulations, policies, and procedures; and agencies should make sure that both hard copy and communicating these responsibilities throughout electronic systems are secure. TSA.491 As noted, supra, Congress specifically required (B) Other Controls Within the Agency.--It may be TSA to revise its management directive to review re- useful to have SSI program managers/coordinators to quests to publicly release SSI in a timely manner, in- communicate SSI responsibilities to other employees.493 cluding SSI that is at least 3 years old. GAO has also In any event, it is advisable for transit agency policy to recommended that the Office of Management and ensure that employees who may have access to security Budget work to develop a government-wide directive information, either by creating it or handling it, under- that provides guidance on how to control sensitive but stand the legal requirements associated with that in- unclassified information, including SSI. GAO recom- formation. It may be useful to ensure that such employ- mended that the guidance cover decisions on what in- ees are knowledgeable enough to recognize what might formation to protect with sensitive but unclassified des- be SSI or other security information and refer such in- ignations; provisions for training on making formation to the agency's designated SSI office(r).494 designations, controlling, and sharing such information A number of measures are available to put employ- with other entities; and a review process to determine ees on notice of security requirements and the penalties how well the program is working.492 for violating those requirements. These include requir- To some extent approaches suggested by GAO may ing NDAs and/or background checks for employees with also apply to managing security information not cov- access to security information, requiring tracking of the ered by federal requirements. Actual application of the location of security documents, restricting copying, and principles may need to be modified depending on the prohibiting removal of security documents from transit size and organization of the transit agency. agency premises or project location. Background checks must comply with federal law. NDAs often include or 1. Maintaining Contract Security Information Within incorporate by reference the security measures that the Transit Agency security information is subject to. In addition to stan- The transit agency should maintain contract security dard agreement provisions such as choice of laws, an records within the agency using safeguards appropriate NDA may also include some or all of the following ele- to the type of information involved. The need for secu- ments: recitation of the confidential nature of informa- rity applies to transit agency employees, contractors, tion to be disclosed; categories of information to be cov- and auditors. Specific federal recommendations for con- ered by confidentiality requirements; requirements for trolling SSI were discussed in II.B.2, Federal Agencies, protecting SSI and penalties for violating those re- supra. General measures to ensure confidentiality of quirements; marking requirements and how to treat contract security records are reviewed here. documents so marked; restricted uses allowed for in- (A) Physical Security.--Transit agencies should re- formation provided under the NDA; restricted access to strict access to facilities (or portions thereof) where se- information provided under the NDA; standard of care curity information is stored, as well as visual inspection for information provided under the NDA; requirements of facilities that could reveal security information. To for responding to any requests directed to recipient for the extent that information must be kept confidential, information provided under the NDA; setting forth the recipient's obligations to return information provided under the NDA; and reserving the disclosing party's 491 rights to seek injunctive relief to enforce the NDA. Id. GAO cited TSA's own Internal Security Policy Board (C) Releasing Information to Contractors.--There are on the importance of providing specific guidance about what a number of steps that transit agencies may take to material is and is not covered: maintain the confidentiality of security information, The board concluded that essential elements of the frame- including SSI. For example, the transit agency may work [to identify, control, and protect SSI] should include, among other things, "...exacting specificity with respect to what require NDAs and criminal background checks before information is covered and what is not covered. This specificity contractors receive bid documents, participate in site could be documented in a classification guide type format be- inspections, or are otherwise allowed access to agency 495 cause imprecision in this area causes a significant impediment security information. Some of these measures may to determining SSI. Experience has shown that employees un- sure as to what constitutes SSI may err on the side of caution 493 and improperly and unnecessarily restrict information, or may U.S. GOV'T ACCOUNTABILITY OFFICE, supra note 138, at err inappropriately and potentially disastrously on the side of 13. public disclosure." 494 See CHANDLER, SUTHERLAND, & ELDREDGE, supra note Id. at 34. GAO has reported that TSA has taken actions to 164, at 7. address those GAO recommendations and has addressed the 495 See, e.g., VDOT requirement for Non-Disclosure Agree- legislative mandates from the DHS Appropriations Act, 2007. ment and criminal background check before allowing tunnel U.S. GOV'T ACCOUNTABILITY OFFICE, supra note 138, at 5. site visit. Downtown Tunnel/Midtown Tunnel/MLK Freeway 492 U.S. GOV'T ACCOUNTABILITY OFFICE, INFORMATION Extension Project Site Visit No. 2, SHARING: THE FEDERAL GOVERNMENT NEEDS TO ESTABLISH POLICIES AND PROCESSES FOR SHARING TERRORISM-RELATED PPTA_SiteVisit2_Registration_rtp_080630.pdf (accessed Apr. AND SENSITIVE BUT UNCLASSIFIED INFORMATION 29 (2006), 1, 2009); VDOT requirement for fingerprint-based Criminal (accessed Oct. 10, 2009). History Background Checks for contractor employees who will

OCR for page 50
52 take place as part of the prequalification process before (E) Disposal of Security Information.--At the end of bids are submitted.496 These types of requirements are the required period for agency record retention, the common in situations where individuals have a bona transit agency should dispose of records as required by fide need to know information not commonly available state or local law. Assuming that the transit agency has outside the disclosing agency.497 the authority to destroy the records (as opposed to being The transit agency may also require that contractors required to archive them), any documentation still adopt specific security procedures for handling the deemed to be SSI/restricted security information should agency's security information. Such procedures often be destroyed securely so that the information is unus- include the requirement that the contractors designate able. Contractors should be required to return any such security officers to be responsible for managing the information to the transit agency or destroy it securely transit agency's security information. when the information is no longer required for the pur- Transit agencies may maintain secure Web sites for poses for which it was disclosed to the contractor. Un- storing, sharing, and distributing security-related pro- der no circumstances should SSI/restricted security ject documentation. If so, the agencies may require pro- information be disposed of in an unsecure manner (such spective contractors to designate security information as leaving it in trash cans at the project site). managers to ensure that access is limited to contractor employees who have passed required background 2. Handling FOIA Requests checks and/or signed access agreements.498 Employees responsible for responding to FOIA re- (D) Releasing Information for Contract Reviews, quests may need more detailed guidance about classify- Other Governmental Authorizations (including Trien- ing SSI than is necessary to generally educate employ- nial Reviews).--Contractors conducting Triennial Re- ees about the need to protect SSI. It may be advisable to views should be familiar enough with required proce- limit employees tasked with evaluating FOIA requests dure not to ask for copies of SSI. Nonetheless, agency for SSI/restricted security information to security offi- personnel should be aware that controlled access ap- cers or legal counsel, regardless of which employees plies to these reviewers. Any examination of SSI should were originally authorized to designate the information be on a need-to-know basis and conducted on site. as security sensitive. For example, TSA requires its SSI Office to review requests to release SSI, regardless of which office originally identified the information as handle CII/SSI under contract. RFP for Interstate 64 Widening SSI.499 Route 143 (east) to Route 199 (west) NEPA and Design Ser- There is a distinction between control and release of vices, information. If part of a record constitutes SSI or oth- 64_Hampton_Roads.pdf. erwise protected security information, the entire record 496 E.g., The Port Authority of New York and New Jersey, should be treated as confidential in terms of mainte- Request for Pre-Qualification Information for WTC-General nance and release to contractors. However, this does Site Work Via Work Order Contract, Apr. 2009, RFQ Number not mean that the entire record is exempt from disclo- 18271 (issued before issuance of project RFPs, sure. If a request is made for a record that contains SSI 271.pdf; The Port Authority of New York and New Jersey, Re- or otherwise protected security information, most state quest for Qualification Information for Greenwich Street Cor- laws require that to the extent feasible the sensitive ridor Construction, May 2009, Contract Number WTC-224.545, portion be redacted and the remainder released (assum- ing no other exemption requires nondisclosure). C_WTC224545.pdf. 497 For example, TSA requires a criminal background check 3. Consider Instituting Review to Determine Whether before allowing litigants in civil proceedings with a substantial Previously Designated Security Information Should Still need for SSI to receive the requested SSI. U.S. GOV'T Be Classified as Security Information ACCOUNTABILITY OFFICE, supra note 491, at 20. The Washing- ton Suburban Sanitary Commission (WSSC) has used back- When TSA instituted a policy of reviewing SSI ground security checks before it allowed inspection of plans documents to determine their status, 282 documents and drawings showing the location of water and wastewater determined to be SSI in their entirety (as reported to systems and also requires background checks for applicants for Congress in 2006) were determined to no longer war- 500 new water and sewer service before the applicants are allowed rant such continued protection. By making records access to the WSSC's electronic records management system to publicly available once their disclosure no longer poses access plans and specifications in order to design and construct a security threat, periodic review of records categorized system expansions. July 31, 2007, letter from WSSC to the as SSI or otherwise protected as security sensitive fur- Maryland Attorney General, included in GANSLER, supra note thers the public interest in maximum disclosure consis- 53. 498 tent with public security. E.g., The Port Authority of New York and New Jersey, Request for Pre-Qualification Information for WTC-General Alternatives for adopting such a review procedure Site Work Via Work Order Contract, Apr. 2009, RFQ Number include periodic reviews, reviews upon request for the 18271, at 5 (III: General Requirements: L. Name and Phone 499 Number of Security Information Manager), U.S. GOV'T ACCOUNTABILITY OFFICE, supra note 138, at 21. 500 271.pdf. Id. at 14.