Sensitive Security Information

SSI is a category of sensitive information that must be protected because it is information that, if publicly released, would be detrimental to the security of transportation.  In other words, SSI is information that could be used by our adversaries to bypass or defeat transportation security measures.  For detailed categories of SSI, see the SSI Regulation, 49 C.F.R. § 1520.5(b)(1) - (16).

Note: Under 49 C.F.R. § 1520.5(a), the SSI Regulation also provides other reasons for protecting information as SSI.  TSA, however, primarily uses the criterion of “detrimental to the security of transportation” when determining whether information is SSI.

All covered persons have a duty to mark and safeguard SSI against unauthorized disclosure (See 49 C.F.R. § 1520.9(a)(4)).  This includes adding the SSI header and footer (See 49 C.F.R. § 1520.13).  For more information, see sample pre-marked templates.

Requests for SSI Assessments (Is it SSI?) or SSI Reviews (Where is the SSI?) can be submitted to the SSI Program at SSI@tsa.dhs.gov.

There is no required type of lock or specific way to secure SSI.  It must be reasonably secured such that only those covered persons who have a need to know the information can have access to it.  Keys should be stored in an alternate location from the SSI.

No, the SSI Federal Regulation, 49 C.F.R. § 1520.9(a)(3), requires covered persons to refer requests by other persons for SSI to TSA, or the applicable DHS component or agency.  Typically requests received from covered persons are tied to State Open Records Requests or court-order production requests due to litigation.  See the SSI training presentation slides on “Processing Record Requests” for more information on submitting these requests to the SSI Program for review and redaction.

The SSI Regulation does not have any requirements regarding covered persons and their use of passwords. We recommend, however, that they follow the SSI Best Practices Guide for Non-DHS Employees when creating passwords to protect SSI.

No. All covered persons (e.g., airlines, pipelines) must take reasonable steps to safeguard SSI in their possession or control from unauthorized disclosure (49 C.F.R. § 1520.9). Covered persons must limit access to SSI to other covered persons who have a need to know the information. Therefore, any stakeholder computer system that provides such access limitations to SSI would be acceptable. Please refer to the SSI Best Practices Guide for Non-DHS Employees for more information.

No. However, covered parties are encouraged to use official company or government email when sending SSI. For more information, see SSI Best Practices Guide for Non-DHS Employees.

Suspicious requests for SSI should be reported immediately to your primary TSA point of contact.

It is permitted to share SSI  with another covered person who has a need to know the information in performance of their duties.  The record must be marked as SSI and remains SSI.  The covered person with a need to know is now obligated by the SSI Federal Regulation to protect the SSI record entrusted to their care.  Of note, some records come with instructions that limit further distribution.  If it comes with a limitation, follow the instructions in the record for permission to share.

Requests for SSI fall into two categories, sharing and releasing. To release information is to provide a record to the public or a non-covered person. Release of SSI is prohibited and a violation of the SSI Regulation. Therefore, prior to releasing records which may contain SSI to persons who are not authorized to access SSI under the SSI Federal Regulation, the SSI language must be removed/redacted by the TSA SSI Program office.

A company, government, transportation authority, or other covered person receiving requests for SSI must submit the information to the SSI Program for a full SSI Review and redaction prior to sharing with non-covered persons. These records may be submitted through the SSI Coordinator or field counsel at your local Federal Security Director (FSD’s) office or sent directly to SSI@tsa.dhs.gov. Requests for TSA records must be referred to TSA FOIA (FOIA@tsa.dhs.gov).

Requests for TSA records must be referred to TSA FOIA (FOIA@tsa.dhs.gov).

Yes, covered persons may share SSI with specific vendors if the vendors have a need to know in order to perform their official duties or to provide technical advice to covered persons to meet security requirements. Accordingly, covered persons must only provide specific information that is relevant and necessary for the vendor to complete their work. Each person with access to SSI under 49 CFR §1520.11 becomes a covered person who is required to protect SSI from unauthorized disclosure and each person employed by, contracted to, or acting for a covered person likewise becomes a covered person (see 49 CFR §§ 15020.7(j), 1520.7(k) and 1520.9).

Vendors are not authorized to re-distribute SSI and must maintain the SSI markings, properly dispose of SSI, and protect SSI from unauthorized disclosure (see 49 CFR §§ 1520.9, 1520.13, 1520.19). If a covered person provides SSI to vendors, they must include the SSI protection requirements so that the vendors are formally advised of their regulatory requirements to protect the information. Unauthorized disclosure of SSI by covered persons or their vendors is grounds for enforcement action by TSA, including civil penalty actions, under 49 CFR § 1520.17.

The TSA SSI Program has SSI Training available on its public website. The training presentations do NOT contain SSI and may be distributed to the employees of various company, state, or transportation entities as needed along with the SSI Coversheet, SSI Best-Practices Guide, and SSI templates. Please contact us at SSI@tsa.dhs.gov for more information.