Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
54 ⢠Employees may become lax in following procedures that require tracking seemingly inconsequential infor- mation. 4. Managing Contractorsâ Use of Needed Security Information ⢠The policy should clearly establish the range of op- tions that are available to maintain confidentiality of SSI and other security information in contract docu- ments and otherwise available to contractors. ⢠Confidentiality requirements, including training, NDAs, and logs, should be applied objectively rather than on the basis of personal knowledge of the contrac- tor. ⢠Even if bid/contract documents themselves are free from SSI and restricted security information, the policy should address other parts of the competitive procure- ment process that exposes security information, such as site visits or on-site examination of plans. 5. Taking Steps to Protect Security Information Internally ⢠The security protocol can be expected to include training. It is advisable that the required training cov- ers the procurement process. ⢠Security requirements such as signing NDAs should be uniformly required throughout the agency, including senior level personnel. ⢠Requirements for tracking the location of security documents should be uniformly required throughout the agency, including senior level personnel. ⢠If the transit agency expects to generate restricted security information, it may be useful to distinguish under its security policy between CII/SSI and restricted security information, particularly in terms of making clear the federal penalties for making unauthorized disclosure of CII/SSI. ⢠Protocol should make clear that careless handling of security information may affect the ability to assert state exemptions. ⢠It may be advisable to audit security procedures within the agency. 6. How to Exercise Available Discretion Concerning Public Disclosure ⢠Depending on state law, the agency may have dis- cretion as to whether to withhold restricted security information under state public records exemptions. ⢠The transit agency may consider reviewing secu- rity information to determine whether release of a spe- cific document may cause harm, as opposed to withhold- ing information based on document classification. Such a distinction may in fact be required under state law. ⢠This approach may also be possible in designating security information, including SSI. VI. CONCLUSIONS Historically, transit agencies have had to be mindful of confidentiality in the procurement process, perhaps most notably in maintaining the confidentiality of trade secrets and confidential business information. More recently, maintaining the confidentiality of security information, including SSI, has come to the fore. The new federal requirements for security-related informa- tion raise more complex disclosure and records man- agement issues than those many transit agencies have traditionally faced in the procurement process. While security information concerns are most obvi- ous when dealing with security contracts, transit agency personnel should also be aware of the potential for security information being included in competitive bidding documents for other types of contracts. There are several major stages of the procurement process at which it is important to be cognizant of security re- quirements: developing the procurement documentation (whether to include SSI or restricted security informa- tion); allowing site visits and access to ancillary docu- ments not part of the procurement documentation, ei- ther before or after contract award; responding to requests for information from parties other than bid- ders and contractors; and managing procurement documents. It is important that transit agencies provide the decisional infrastructure necessary for adequate consideration of security issues at those various stages. At the bidding stage, personnel should be aware of legal requirements governing disclosure of security in- formation to contractors, for maintaining the confiden- tiality of security information, and governing disclosure of security information to members of the public. Con- tract personnel, as well as any personnel with signifi- cant input into procurement documents, should be trained on these requirements, including the disclosure and management ramifications of including SSI/restricted security information in procurement documents. Such ramificationsâwhich may vary de- pending on state lawâinclude the possibility that the information may be disclosable under state law and the obligation to physically and electronically secure the information. Moreover, it is advisable that the need to include SSI/restricted security information in procure- ment documents be assessed by personnel knowledge- able about the ramifications of such inclusion. The obligation to safeguard security information, particularly SSI, extends to contract management, and transit agencies are advised to ensure that their records management policies, including those for procurement records, are structured accordingly. In particular, it is important to ensure that existing SSI procedures, such as those required for major capital projects, are ade- quately coordinated with the agencyâs procurement and records management procedures. Procedures should
55 ensure that personnel with the requisite expertise, such as legal counsel or records managers, review any public record requests for documents containing SSI/restricted security information. Such personnel should be familiar with state as well as federal disclosure and records management requirements.