Yes, covered persons may share SSI with specific vendors if the vendors have a need to know in order to perform their official duties or to provide technical advice to covered persons to meet security requirements. Accordingly, covered persons must only provide specific information that is relevant and necessary for the vendor to complete their work. Each person with access to SSI under 49 CFR §1520.11 becomes a covered person who is required to protect SSI from unauthorized disclosure and each person employed by, contracted to, or acting for a covered person likewise becomes a covered person (see 49 CFR §§ 15020.7(j), 1520.7(k) and 1520.9).
Vendors are not authorized to re-distribute SSI and must maintain the SSI markings, properly dispose of SSI, and protect SSI from unauthorized disclosure (see 49 CFR §§ 1520.9, 1520.13, 1520.19). If a covered person provides SSI to vendors, they must include the SSI protection requirements so that the vendors are formally advised of their regulatory requirements to protect the information. Unauthorized disclosure of SSI by covered persons or their vendors is grounds for enforcement action by TSA, including civil penalty actions, under 49 CFR § 1520.17.