[House Hearing, 111 Congress]
[From the U.S. Government Publishing Office]


 
  HAS THE TSA BREACH JEOPARDIZED NATIONAL SECURITY? AN EXAMINATION OF 
                         WHAT HAPPENED AND WHY 

=======================================================================

                                HEARING

                               before the

                SUBCOMMITTEE ON TRANSPORTATION SECURITY
                     AND INFRASTRUCTURE PROTECTION

                                 of the

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED ELEVENTH CONGRESS

                             FIRST SESSION

                               __________

                           DECEMBER 16, 2009

                               __________

                           Serial No. 111-49

                               __________

       Printed for the use of the Committee on Homeland Security
                                     

              [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
                                     

  Available via the World Wide Web: http://www.gpoaccess.gov/congress/
                               index.html

                               __________

                       U.S. GOVERNMENT PRINTING OFFICE 

56-188 PDF                       WASHINGTON : 2010 

For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; 
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, 
Washington, DC 20402-0001 


















                     COMMITTEE ON HOMELAND SECURITY

               Bennie G. Thompson, Mississippi, Chairman
Loretta Sanchez, California          Peter T. King, New York
Jane Harman, California              Lamar Smith, Texas
Peter A. DeFazio, Oregon             Mark E. Souder, Indiana
Eleanor Holmes Norton, District of   Daniel E. Lungren, California
    Columbia                         Mike Rogers, Alabama
Zoe Lofgren, California              Michael T. McCaul, Texas
Sheila Jackson Lee, Texas            Charles W. Dent, Pennsylvania
Henry Cuellar, Texas                 Gus M. Bilirakis, Florida
Christopher P. Carney, Pennsylvania  Paul C. Broun, Georgia
Yvette D. Clarke, New York           Candice S. Miller, Michigan
Laura Richardson, California         Pete Olson, Texas
Ann Kirkpatrick, Arizona             Anh ``Joseph'' Cao, Louisiana
Ben Ray Lujan, New Mexico            Steve Austria, Ohio
William L. Owens, New York
Bill Pascrell, Jr., New Jersey
Emanuel Cleaver, Missouri
Al Green, Texas
James A. Himes, Connecticut
Mary Jo Kilroy, Ohio
Eric J.J. Massa, New York
Dina Titus, Nevada
                    I. Lanier Avant, Staff Director
                     Rosaline Cohen, Chief Counsel
                     Michael Twinchek, Chief Clerk
                Robert O'Connor, Minority Staff Director
                                 ------                                

 SUBCOMMITTEE ON TRANSPORTATION SECURITY AND INFRASTRUCTURE PROTECTION

                 Sheila Jackson Lee, Texas, Chairwoman
Peter A. DeFazio, Oregon             Charles W. Dent, Pennsylvania
Eleanor Holmes Norton, District of   Daniel E. Lungren, California
    Columbia                         Pete Olson, Texas
Ann Kirkpatrick, Arizona             Candice S. Miller, Michigan
Ben Ray Lujan, New Mexico            Steve Austria, Ohio
Emanuel Cleaver, Missouri            Peter T. King, New York (Ex 
James A. Himes, Connecticut              Officio)
Eric J.J. Massa, New York
Dina Titus, Nevada
Bennie G. Thompson, Mississippi (Ex 
    Officio)
                     Michael Beland, Staff Director
                   Natalie Nixon, Deputy Chief Clerk
              Joseph Vealencis, Minority Subcommittee Lead

















                            C O N T E N T S

                              ----------                              
                                                                   Page

                               Statements

The Honorable Sheila Jackson Lee, a Representative in Congress 
  From the State of Texas, and Chairwoman, Subcommittee on 
  Transportation Security and Infrastructure Protection..........     1
The Honorable Charles W. Dent, a Representative in Congress From 
  the State of Pennsylvania, and Ranking Member, Subcommittee on 
  Transportation Security and Infrastructure Protection..........     5
The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Chairman, Committee on 
  Homeland Security..............................................     8

                               Witnesses

Ms. Gale Rossides, Acting Administrator, Transportation Security 
  Administration, Department of Homeland Security:
  Oral Statement.................................................     9
  Prepared Statement.............................................    11

                             For the Record

The Honorable Charles W. Dent, a Representative in Congress From 
  the State of Pennsylvania, and Ranking Member, Subcommittee on 
  Transportation Security and Infrastructure Protection:
  Statement of the Federal Law Enforcement Officers Association..     5
  Letter From Honorable Charles W. Dent and Honorable Gus M. 
    Bilirakis, December 11, 2009.................................     7


  HAS THE TSA BREACH JEOPARDIZED NATIONAL SECURITY? AN EXAMINATION OF 
                         WHAT HAPPENED AND WHY

                              ----------                              


                      Wednesday, December 16, 2009

             U.S. House of Representatives,
                    Committee on Homeland Security,
Subcommittee on Transportation Security and Infrastructure 
                                                Protection,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 2:16 p.m., in 
Room 311, Cannon House Office Building, Hon. Sheila Jackson Lee 
[Chairwoman of the subcommittee] presiding.
    Present: Representatives Jackson Lee, Thompson, Cleaver, 
Himes, Dent, Lungren, and Austria.
    Also present: Representative Bilirakis.
    Ms. Jackson Lee [Presiding]. The subcommittee will come to 
order.
    Let me acknowledge the presence of the Chairman of the full 
committee, Mr. Thompson of Mississippi, and Ranking Member, Mr. 
Dent of Pennsylvania.
    Let me welcome those who are here and take a moment of 
personal privilege to acknowledge the family of Mr. Ed Kelly, 
who, in this business, is considered family.
    Many of us gathered after 9/11 in our respective positions. 
Members of this committee gathered as Members of the Select 
Committee on Homeland Security. Many of us were there from the 
start. Mr. Kelly, comfortably retired, having served as part of 
the excellence of corporate America, decided to render that, if 
you will, for another day and accepted the call to become part 
of the fighting men and women who serve in the Department of 
Homeland Security. We owe him an enormous debt of gratitude for 
his service.
    I was privileged to join my colleagues, Mr. Chairman, Mr. 
Dent, the full committee Ranking Member, Mr. King, to send a 
letter of sympathy and was additionally privileged to rise to 
the floor of the House to be able to give him the tribute that 
he deserves as an American hero.
    I would like to have, if I am indulged with unanimous 
consent, to have his family stand at this time so that they 
might be acknowledged by all of us.
    [Applause.]
    I believe that is Mrs. Kelly, Ed Kelly's sister, and niece 
who are present with us today. Thank you all so very much for 
your presence here.
    The subcommittee is meeting today to receive testimony on 
TSA's inadvertent disclosure of security information related to 
airports. Our witness will help us to assess what transpired 
and lay the groundwork for ensuring that this never happens 
again.
    Remember, the title of this hearing is, ``Has the TSA 
Breach Jeopardized National Security? An Examination of What 
Happened and Why.''
    That is our task, and that is our duty, to protect the 
homeland. The way to do that is to determine what and why and 
to say, ``Never again.''
    I now recognize myself for an opening statement. Before I 
do that, we will have aired a film that has been presented 
previously on network television.
    [Begin video clip.]
    Mr. Orr. The breach reveals some of the Government's most 
sensitive aviation security secrets. The 93-page manual 
prepared for Federal airport screeners shows samples of law 
enforcement and official credentials--Federal air marshals, CIA 
officers, and Members of Congress--IDs which criminals or 
terrorists could copy.
    The document also reveals travelers from a dozen 
countries--including Cuba, North Korea, Somalia, and Yemen--are 
always subjected to extra screening.
    The Transportation Security Administration says the 
security playbook, prepared in May of 2008, is out of date and 
the sensitive methods have been updated six times, adding in a 
statement, ``TSA is confident screening procedures currently in 
place remain strong.''
    Still, the TSA never meant for this information to be 
public. Each page of the report carries this notice, ``Warning: 
This record contains Sensitive Security Information. No part 
may be disclosed without a need to know.''
    The TSA says the whole report was improperly posted by the 
agency on a Government jobs site, with redactions.
    But Wired Magazine editor John Abell says savvy bloggers 
easily restored the blacked-out test.
    Mr. Abell. Clearly, this was a rookie mistake, so let's 
just call this a very early Christmas present to the kinds of 
people that traffic in this kind of secret information.
    Some of the compromised information is just routine common 
sense: ``An on-duty airport-assigned law enforcement officer 
may be cleared without undergoing screening.''
    But other guidance may be less intuitive. For example, 
searches for explosive residue are not required for 
wheelchairs, prosthetic devices, and orthopedic shoes.
    The TSA is investigating and says it takes the failure 
seriously. But critics say, with aviation a known terrorist 
target, it is a little late to get serious.
    Mr. Orr. Bob Orr, CBS News, Washington.
    [End video clip.]
    Ms. Jackson Lee. The only early Christmas present that 
terrorists will get will be the resolve of the men and women of 
the Department of Homeland Security, the President of the 
United States, and the men and women of the United States 
Congress. That is why we are here today, to ensure that going 
forward in this holiday season we have the opportunity to cure 
quickly the unfortunate and vast mistake that has been made.
    So I hope, as we proceed in this hearing, we will hear that 
steps are being taken to ensure the safe travel of the families 
who will be visiting their families during what I hope will be 
a very happy holiday season.
    We are here today, as well, to discuss last week's 
revelation that a TSA manual containing Sensitive Security 
Information was posted by TSA on the internet without proper 
technical safeguards. As a result, sensitive information about 
our airports and screening policies was made available for the 
world to see.
    My colleagues and I were alarmed by this development, as it 
sent shockwaves across Capitol Hill. This subcommittee takes 
its oversight of TSA very seriously; after all, TSA was 
constructed to help protect the American people from the very 
type of events that transpired on September 11, 2001.
    When events, such as last week's, are made public, it 
becomes all too clear that more must be done and that TSA must 
keep its eye on the ball. We must also be assured that 
contractors of varying types are, again, vetted, trained, 
questioned, queried, and if necessary, be part of the 
inquisition, because the security of America is paramount.
    Today, we will be evaluating how this happened, the 
security ramifications of this misstep, and how we are going to 
avoid similar lapses in the future, and as well, to ensure that 
those missteps, if they can be characterized as such, do not, 
in fact, jeopardize the National security of the American 
people.
    Before we go further, let me be clear that, although this 
was a serious breach in the management of sensitive 
information, I have been assured by TSA that additional 
personnel and procedures have been put in place at airports 
across the country to ensure the safety of the traveling 
public.
    In essence, terrorists, watch out. Any terrorist group or 
individual wishing to exploit this situation should be aware 
and beware that the United States will continue to use all 
available resources to protect the flying public. During this 
busy holiday season, the American people should know that it is 
safe to fly, along with the courtesies that we expect to be 
offered by the Transportation Security Administration officers, 
we do expect for them to do their duty.
    Last week, Chairman Thompson and I sent a letter to TSA 
urging a third-party review of this incident. I am happy to 
learn that Secretary Napolitano responded and requested that 
the inspector general investigate, take over completely, and 
provide recommendations regarding this incident. I look forward 
to a quick and immediate response.
    In addition, I commend TSA for taking steps in response to 
this incident. For example, I have been informed by TSA that 
five people have been placed on administrative leave. This 
subcommittee, however, also needs assurance that TSA is 
reviewing its processes for handling and posting of Sensitive 
Security Information and making a full inventory search of all 
of its staff around these issues and ensuring that this is not 
permeated beyond the five that were engaged in this unfortunate 
set of circumstances.
    Questions we have include: Who is in TSA's management--who 
in TSA's management is ultimately responsible for this process? 
Is there a manual for training employees on how to post such 
information? What is the role of contract employees in the 
handling and disseminating of sensitive security? What new 
steps are being put in place to vet those individuals on their 
training, their instincts, their knowledge, and as well, their 
ability to adhere to rules and safety precautions? Is there 
sufficient training for contract employees?
    I would also like to know how broadly contract employees 
are solicited, and how far is the reach, and are we using small 
and minority-owned businesses? Are we using the same ones over 
and over again, therefore, committing the same mistakes over 
and over again?
    One of the lessons made clear by this incident is that TSA 
needs permanent, effective leadership. Our witness today, 
Acting Administrator Rossides, has led TSA during a very active 
year, and we thank her for her service. But the person 
nominated by the President to lead TSA, Mr. Erroll Southers, 
has had his confirmation held up in the Senate.
    Let me be very clear: We understand the duties and the 
constitutional privileges of the Senate, advise and consent. 
But what they are engaging in, in a partisan, one-sided 
approach is jeopardizing the security of the American people. 
We need action on his nomination immediately, and I hope all 
stakeholders will also call for his swift confirmation. Our 
homeland security efforts can no longer afford delay.
    On a personal note, I have already mentioned the passing of 
a TSA family member. But, again, as I close, let me acknowledge 
that Ed Kelly managed TSA's cargo screening program and 
testified before this subcommittee just this past March. Ed was 
an incredibly dedicated individual and a consummate 
professional who left retirement, as I said, after September 11 
attacks in order to work on behalf of our Nation's homeland 
security efforts.
    Many in the industry said that he reformed the industry. He 
made leaps and bounds of change and outstanding contributions 
to the security of America.
    Again, on behalf of the subcommittee Members and staff, my 
condolences are expressed to his family and to his colleagues 
at TSA.
    Finally, I would like to point out that this subcommittee 
understands the enormity and importance of TSA's mission and 
the dedication of its employees, but after last week's 
announcement about the disclosure--and, unfortunately, other 
incidences--I think we can all agree that TSA can do better, 
and that is why we are here today. After a complete analysis of 
this incident, we will determine how to make the agency and its 
employees perform better and give the American people more 
confidence in the TSA.
    I am considering legislation that will help provide a 
firewall over the issuance and distribution of data like this, 
along with additional oversight on contractors and the 
utilization of them.
    Without objection, the Chairwoman is authorized to deem the 
subcommittee resolved into Executive Session to receive 
additional testimony, if necessary.
    Hearing no objection, it is so ordered.
    The Chairwoman now recognizes the Ranking Member, the 
gentleman from Pennsylvania, Mr. Dent, who, by the way, joined 
this in his sympathies for Mr. Kelly, but I also note that Mr. 
Kelly has come from his region, if not his particular district.
    Mr. Dent, you are now recognized for your opening 
statement.
    Mr. Dent. Thank you, Madam Chairwoman.
    I, too, want to add my condolences and sympathies to the 
Kelly family. Ed was a wonderful public servant, served the 
Department of Homeland Security so well and this Nation so 
well, and our sympathies--I know I am speaking not only on my 
behalf, but on behalf of the entire community in expressing our 
condolences to his wife, Ann, his sister, Rosemary, and I 
believe his niece, Elizabeth, is here, as well, so, again, from 
all of us, our heartfelt condolences.
    Again, thanks, Madam Chairwoman. For one thing, too, I note 
the family has a strong connection to northeastern 
Pennsylvania, Lake Ariel, and a very special place for the 
family and for many of us who know Pennsylvania well.
    Again, Madam Chairwoman, I just want to thank you for 
holding this important hearing today. I agree that the TSA's 
disclosure of this Sensitive Security Information is, indeed, 
unfortunate, and I would add that, based on my review of the 
situation, TSA's mistake has undoubtedly weakened our aviation 
security.
    While we have many layers in our aviation security 
processes, some of those layers have been exposed after having 
the aviation security screening management's standard operating 
procedures posted on a public website for the past 9 months. I 
agree with comments made last week from the Federal Law 
Enforcement Officers Association, which stated, ``Air marshals 
and TSOs proudly shoulder considerable risk by virtue of their 
jobs. Their agency should not compound this risk with flawed 
internal controls and dismissive excuses.''
    I ask unanimous consent to include their statement in the 
record. Madam Chair, I would like to ask unanimous consent to 
include their statement in the record.
    Ms. Jackson Lee. Without objection, so ordered.
    [The information follows:]
     Statement of the Federal Law Enforcement Officers Association
                            December 9, 2009
    Today, J. Adler, National President for the Federal Law Enforcement 
Officers Association (FLEOA) announced that he is asking House Homeland 
Security Chairman Bennie Thompson to hold a private hearing on TSA HQ'S 
security breech. According to Adler, ``Both TSA's posting of sensitive 
security information and their unwillingness to grasp the seriousness 
of this are unacceptable. A discreet hearing should be held so Congress 
can determine why TSA posted this information, and why TSA attempted to 
minimize the importance of the information as ``outdated.'' The so-
called ``outdated'' information should not be recklessly discounted 
like a college textbook that is last year's edition.
    Unfortunately, in response to this serious unwarranted disclosure, 
TSA HQ has offered more ``layers'' of excuses than assurances of 
protection. Contrary to their efforts to deflect their responsibility 
for making a serious security breach, they do not have sound security 
procedures in play. What they have is a dedicated workforce that is 
tasked with overcompensating for a flawed system. Air Marshals and 
TSO'S proudly shoulder considerable risk by virtue of their jobs; their 
agency shouldn't compound this risk with flawed internal controls and 
dismissive excuses. Furthermore, the careless posting of information 
pertaining to law enforcement officers flying armed only serves to 
compromise their safety.
    FLEOA takes great exception to the remarks attributed to former TSA 
Administrator Edmund ``Kip'' Hawley. His suggestion that no one should 
``hyperventilate'' over the breach is offensive and epitomizes the 
hypocrisy of his tenure at TSA. To wit, he unfortunately did not 
hyperventilate when an external hard drive containing employee 
personnel data disappeared. Instead, he condoned management's pursuit 
and termination of dedicated Air Marshals who disclosed serious officer 
safety issues to the news media. One can only conclude that TSA HQ has 
their own set of rules that exempts them from accepting responsibility 
for serious security disclosures.
    FLEOA expects Chairman Thompson and Ranking Member King will 
embrace the seriousness of the disclosure, as well TSA'S propensity for 
managing by double-standard. TSA HQ should be held accountable for this 
breach, and a discreet, closed-door hearing would be the appropriate 
forum to properly address this serious matter. FLEOA is confident that 
the committee will be able to persuade TSA HQ to conduct a 
comprehensive review of this situation, and provide them with a 
meaningful damage-control assessment.

    Mr. Dent. As terrible as this--as the very public nature on 
which TSA's mistake was disclosed, I am pleased that we know 
the mistake was actually made in the document was accidentally 
released. Now TSA has an opportunity to learn from that 
mistake. The question is, will they?
    Ms. Rossides, I am confident that TSA will.
    While I understand that people make mistakes, my review of 
this incident over the course of the past week has led me to 
one simple conclusion: This was not the failure of an 
individual, but rather that of a failure of a system.
    An individual in TSA's SSI review office failed to comply 
with the National Security Agency's processes for 
electronically redacting sensitive information. That 
individual's supervisors failed to notice it. The Office of 
Acquisition failed to review the document before posting it on 
the General Services Administration's FedBizOpps website. 
Finally, management failed to ask why it was necessary to post 
a security-related document on-line for a contract and failed 
to consider viable alternatives.
    On his second day in office, President Obama said, 
``Transparency and the rule of law will be the touchstones of 
this presidency.'' Why then, after more than a week of phone 
calls, e-mails, letters, and in-person requests does this 
committee still not have the most recent version of the 
standard operating procedures? Section 114(r)(2) of Title 49, 
United States Code, specifically states that designating a 
document as Sensitive Security Information does not authorize 
information to be withheld from a committee of Congress 
authorized to have the information. That is what the code says.
    While I appreciate that my staff was given a 1-hour meeting 
with an additional hour to review the most recent version of 
the standard operating procedures, that is not particularly 
transparent, in my view. After 4 days of asking nicely for the 
SOPs, Ranking Member Bilirakis and I authored a letter to Ms. 
Rossides insisting she provide the committee the document. 
Again, I ask unanimous consent to introduce that letter into 
the record.
    Ms. Jackson Lee. Without objection, so ordered.
    [The information follows:]
      Letter For the Record Submitted by Honorable Charles W. Dent
                                                  December 11, 2009
Ms. Gale Rossides,
Acting Administrator, Transportation Security Administration, 601 South 
        12th Street, Arlington, VA 28598
    Dear Acting Administrator Rossides: We are writing to formally 
request an immediate copy of the most current version of the 
Transportation Security Administration's (TSA's) Aviation Security 
Screening Management Standard Operating Procedures. The TSA has 
repeatedly ignored our requests for this document since Tuesday, 
December 8th. TSA's unwillingness to provide the document is 
unproductive and a violation of law,
    We would remind you that while section 114 of Title 49, United 
States Code, authorizes the Transportation Security Administration to 
issue regulations protecting sensitive security information from public 
disclosure, that same provision specifically states that it ``does not 
authorize information to be withheld from a committee of Congress 
authorized to have the information.''\1\ We would further remind you 
that pursuant to House Rule X(i) of the Rules of the House of 
Representatives, the Committee on Homeland Security oversees ``overall 
homeland security policy'' and ``transportation security.'' As such, 
the law explicitly prohibits TSA's dilatory tactics.
---------------------------------------------------------------------------
    \1\ 49 USC  114(r)(2).
---------------------------------------------------------------------------
    As you are aware, in addition to our review, the Subcommittee on 
Transportation Security and Infrastructure Protection will be holding a 
hearing on TSA's improper disclosure of sensitive airport screening 
procedures on Wednesday, December 16, 2009. The Subcommittee needs 
sufficient time to review the current version of the released document 
to gauge the real impact of TSA's security failure.
    Thank you for your immediate and personal attention to this matter.
            Sincerely,
                                           Charles W. Dent,
       Ranking Member, Subcommittee on Transportation Security and 
                                         Infrastructure Protection.
                                          Gus M. Bilirakis,
   Ranking Member, Subcommittee on Management, Investigations, and 
                                                         Oversight.

    Mr. Dent. Thank you, Madam Chairwoman.
    In the end, you know, a lot of things went wrong, but a lot 
of things are now going right. I understand TSA is taking some 
risk mitigation measures and has taken some immediate common-
sense actions to prevent any further disclosures. I would hope 
to the extent possible you could highlight some of these during 
your testimony this afternoon.
    Finally, to those who re-posted this security information 
on the internet, you should share in the blame should security 
be breached as a result of this disclosure. In the future, I 
would ask that you please, please use the whistleblower process 
Congress has created for you. Call the Department. Call the 
inspector general. Call Congress and its committees. But, 
please, do not circulate sensitive security documents. Rest 
assured, we will hold the Department to account.
    Ms. Rossides, I want you to know that I continue to believe 
that the men and women of TSA, including yourself and your 
staff, are giving your best efforts to improve the security of 
the traveling public. While the accidental disclosure was 
certainly disappointing and the lack of transparency provided 
by this administration is frustrating, I am committed to 
working with you to improve the Transportation Security 
Administration and the services it provides to our traveling 
public.
    With that, I would yield back the balance of my time.
    Ms. Jackson Lee. I thank the gentleman for yielding back.
    It is my privilege to acknowledge and recognize the 
Chairman of the full committee, the gentleman from Mississippi, 
Mr. Thompson, for an opening statement. Mr. Chairman.
    Mr. Thompson. Thank you very much. Madam Chairwoman, I 
appreciate the holding of this hearing.
    I would also like to take the opportunity to express my 
condolences to the Ed Kelly family, as well as his TSA 
colleagues who are here. Ed was a dedicated public servant, and 
his efforts in the cargo security will never be forgotten.
    There is no doubt that the events that transpired last week 
raise several questions about TSA's operational procedures and 
practices in handling sensitive information. Perhaps more 
importantly, this incident also raises concerns about the 
security of our entire transportation system.
    No actions, legislation, or press statement can undo the 
disclosure of this information. However, we can learn from this 
incident and move forward with security measures that ensure 
sensitive information will not be made available to the public.
    The events from last week serve as a reminder of how 
critical it is to have accountability at the Department of 
Homeland Security.
    I think it was the right decision for Secretary Napolitano 
to request that the DHS inspector general begin an 
investigation of this incident. The review and investigation by 
the inspector general is an important first step in learning 
the details that will be essential in helping TSA improve 
procedures for handling and posting sensitive material.
    However, as I have said before, to get TSA to improve its 
operational performance in all program areas and at all levels 
of management, it is essential that TSA have permanent, 
effective leadership. The President has nominated Erroll 
Southers to be TSA administrator, and I think we have waited 
long enough for his confirmation.
    His law enforcement background and operational experience 
will be essential in improving TSA and strengthening our 
homeland security efforts. With strong leadership is in place, 
incidents such as these are less likely to happen.
    Nevertheless, today's hearing provides us in Congress with 
an opportunity to express our concerns and to hear from TSA 
about what it plans to do. I am sure that we will need follow-
up briefings and perhaps another hearing to review the 
inspector general's report and to assess steps going forward.
    Madam Chairwoman, there are some questions that I have 
after we have heard from our witness that would more or less 
enlighten us, I think, on this situation. But I am concerned 
about it. I will express those concerns during the question-
and-answer period. I yield back.
    Ms. Jackson Lee. To the Chairman of the full committee, let 
me also express my appreciation for the astuteness and the 
detail of which the committee, with you as Chair, and the staff 
has taken to securing the homeland. I think this committee 
reflects that, and your cooperation and agreement with this 
subcommittee's intent to hold a hearing is much appreciated. 
Again, thank you very much for your leadership.
    I wish to recognize--I think both of us are going to speak 
in tandem here on the gentleman from Florida, Mr. Dent.
    Mr. Dent. Madam Chairwoman, I was going to ask unanimous 
consent that Ranking Member Bilirakis of the Management, 
Investigations and Oversight Subcommittee be authorized to join 
us on the dais and ask questions of the witnesses.
    Ms. Jackson Lee. As you ask, I am ordering that Mr. 
Bilirakis be allowed to sit on this committee and participate 
with questions through the unanimous consent.
    Any objection? So ordered.
    Let me acknowledge Mr. Bilirakis' presence, Mr. Austria's 
presence, and Mr. Cleaver's presence, and thank them for being 
here today.
    Other Members of the subcommittee remind me that under 
committee rules opening statements may be submitted for the 
record.
    Our witness today, Ms. Gale Rossides, is the acting 
administrator of TSA. As I indicated previously, we are 
grateful for her service, her long-standing service. As acting 
administrator, Ms. Rossides oversees a workforce of 50,000 
people and the security operations of 450 federalized airports 
throughout the USA, as well as the Federal security regime for 
highways, railroads, ports, and mass transit systems.
    Ms. Rossides was one of the six original Federal executives 
hand-picked in 2002 to build TSA. Let me say that deserves 
commendation, and we thank you for that longevity of service.
    Without objection, the witness's full statement will be 
inserted in the record. I now ask Ms. Rossides to summarize her 
statement for 5 minutes.
    You are recognized for 5 minutes.

     STATEMENT OF MS. GALE ROSSIDES, ACTING ADMINISTRATOR, 
TRANSPORTATION SECURITY ADMINISTRATION, DEPARTMENT OF HOMELAND 
                            SECURITY

    Ms. Rossides. Good afternoon, Chairwoman Jackson Lee, 
Ranking Member Dent, and Chairman Thompson, and distinguished 
Members of the subcommittee.
    First of all, I want to thank you for recognizing the 
services of Ed Kelly and his family. He was truly one of our 
heroes in TSA.
    I appreciate your giving me the opportunity today to speak 
with you about the recent website posting of an improperly 
redacted version of a management standard operating procedure, 
or SOP, on a Federal website. I regret this occurred and take 
full responsibility for this mistake. Our response was swift, 
decisive, and comprehensive, because our priority first and 
foremost is the safety of the traveling public.
    I want to reassure all Members of this committee and the 
traveling public that our aviation system is strong and the 
passengers will fly safely this holiday season and every day 
because of the layered security system we have in place.
    From cutting-edge new technology to retraining our entire 
workforce to the implementation of new security programs, we 
have evolved and substantially strengthened security in the 
year-and-a-half since this document was drafted.
    On Sunday, December 6, I became aware that the screening 
management SOP was posted to the Federal Business Opportunities 
website without having the Sensitive Security Information, or 
SSI, properly redacted. The document was an attachment to a 
screening partnership program contract solicitation.
    We took immediate action. I convened a teleconference with 
TSA's senior executives, and we notified DHS headquarters on 
Sunday night. Also on Sunday night, we removed the document 
from the Government website within hours, thanks to prompt work 
by the General Services Administration.
    I then directed TSA's Office of Inspection to immediately 
begin a review of what happened and how, and that review has 
since been passed on to the DHS inspector general. Our Security 
Operations Office conducted an operational assessment of any 
potential vulnerabilities that this disclosure may have caused. 
Out of an abundance of caution, we quickly put mitigation 
measures in place to close any potential gaps.
    I directed an audit of sensitive information posted both 
internally and externally to be conducted by the chief 
information officer. We consulted with our Federal and law 
enforcement partners and stakeholders throughout the aviation 
domain, and all have been tremendously supportive.
    There have been numerous and significant changes in our 
evolving security program that are not contained in the May 
2008 version of this SOP.
    As a point of reference, this document provides 
instructions on who and what needs to be screened. It does not 
include the specific procedures used by our transportation 
security officers to screen members of the traveling public.
    Today, TSA's 12 other standard operating procedures, 
including the ones that cover an officer's screening 
procedures, remain secure. The strength of our dynamic security 
system is in our own people, our technology, our stakeholder 
partnerships, and our multilayered and complex protocols.
    We take this matter very seriously and look forward to the 
inspector general's report. Our response to their 
recommendations will also be swift. We will hold individuals 
accountable as appropriate. At this time, five TSA employees 
have been placed on administrative leave, pending the outcome 
of the continued investigation.
    This has been a critical incident for TSA, and we have 
managed it as such. From an exhaustive internal review, we will 
emerge with stronger internal document control measures for all 
employees. We will strengthen the electronic processes we use 
for sharing information. Most importantly, we will continue to 
evolve our security programs in light of intelligence and our 
own testing and training regime to ensure the on-going security 
of the system.
    In closing, I want to again assure Members of this 
committee, the traveling public, and our partners that our 
Nation's aviation system is strong. We have closed any 
potential gaps, and we will continue to apply measures that 
enhance our complex security system.
    I am happy to answer your questions and can discuss any 
sensitive material in the closed session to follow. Thank you.
    [The statement of Ms. Rossides follows:]
                 Prepared Statement of Gale D. Rossides
                           December 16, 2009
    Good afternoon Chairwoman Jackson Lee, Ranking Member Dent, and 
distinguished Members of the subcommittee. Thank you for the 
opportunity to appear today to discuss the recent website posting of an 
improperly redacted version of a 2008 Transportation Security 
Administration (TSA) Screening Management Standard Operating Procedure 
(SOP). I appreciate the subcommittee's continued involvement in the 
security operations of TSA, and look forward to working closely with 
Congress in fulfilling our on-going mission to safeguard all sectors of 
transportation on behalf of the American people.
    Let me begin by assuring the Members of the subcommittee and the 
traveling public that our aviation security procedures remain strong. 
The duties performed by TSA's dedicated workforce of Transportation 
Security Officers (TSOs), Federal Air Marshals, canine teams, and 
others have not been adversely impacted by this incident. TSA will 
continue to ensure the same high standard of security during the 
upcoming holiday season that was evident throughout the Thanksgiving 
Day travel period. Our workforce is responsive, accountable, and 
dedicated to safeguarding the traveling public, and neither our 
capability nor our resolve has been diminished by this incident.
    Those who seek to infiltrate airport security will find no roadmap 
from the redacted text that was improperly released. This document, 
which was outdated, provides procedural information for managers. It is 
not the SOP used by our TSOs at airport checkpoints to screen members 
of the traveling public. Because we continually adjust our SOPs and our 
security protocols based on the receipt of intelligence information and 
the testing of our security regimen, there have been six newer versions 
since this SOP was drafted. Our TSO screening procedures have not been 
compromised, and our multi-layered transportation security system 
remains intact. Nonetheless, out of an abundance of caution, we have 
undertaken an operational assessment of any potential vulnerabilities 
that this disclosure may have caused, and have taken swift action to 
prevent the information from the SOP from being used to defeat a single 
point in our multi-layered security system.
    That being said, TSA, and I personally, take this incident very 
seriously. This was a mistake and we are very sorry it occurred. I 
would like to provide a brief summary of the events surrounding this 
incident. On Sunday, December 6, TSA's Blog Team learned that a 2008 
Screening Management SOP posted on the General Services 
Administration's (GSA) Federal Business Opportunities website contained 
redacted information that had not been properly protected. The SOP had 
been posted by TSA on the GSA contracting website for a contract 
solicitation under TSA's Screening Partnership Program. Such 
documents--when properly redacted--are used in contract solicitations 
to guarantee fairness in the procurement process. Unfortunately, the 
redaction on this particular document had been performed incorrectly, 
enabling readers to view the redacted portions as well as the headers 
and footers indicating that the document contained Sensitive Security 
Information (SSI).
    TSA takes any breach of its security programs very seriously, and 
we reacted swiftly. I convened a Sunday evening senior staff conference 
call as soon as I learned of the improperly redacted document, notified 
the Department of Homeland Security's headquarters, and ordered that 
GSA be notified and immediate steps be taken to remove the document 
from the GSA website. Although this happened promptly and GSA 
cooperated fully with our request within 2 hours, outside individuals 
had already downloaded the document and made it available on their 
websites.
    We initiated an extensive internal review through the TSA Office of 
Inspection and placed the employees who were involved with the 
redacting of the document on administrative leave pending completion of 
the review. Secretary Napolitano also asked the Department's Inspector 
General (IG) to conduct a thorough investigation of the matter, which 
we are currently engaged in now.
    Since this incident, we have also instituted even more stringent 
new safeguards for all sensitive operational documents to ensure that 
no SSI is improperly released.
    In closing, I deeply regret that this incident occurred. We have 
taken immediate actions and look forward to working with the IG on 
implementing any recommended actions in the future.
    I am confident that through an exhaustive review of the facts and 
circumstances surrounding this incident, TSA will emerge a stronger 
agency.
    Thank you for your continued assistance to TSA and for the 
opportunity to discuss this matter with you today. I would be pleased 
to respond to your questions.

    Ms. Jackson Lee. Allow me to thank you for your testimony 
and to now yield myself 5 minutes for questioning.
    Before I do that, let me acknowledge the presence of Mr. 
Himes, a Member of the committee. Other Members will be 
recognized in the order in which they have arrived.
    Ms. Rossides, thank you for the initial steps that have 
been taken. Let me just ask one pointed question, because when 
we started this unfortunate incident, and a lot of hysteria was 
created, both in terms of the media reporting it really looked 
devastating. Tell me what level of participation now is the IG? 
How comprehensive is the IG's investigation?
    Ms. Rossides. Madam Chairwoman, they are specifically 
looking at what happened, who was involved, how did it happen, 
and what measures and recommendations can they make to TSA so 
that it does not happen again. They are looking at both papers, 
and they are doing an extensive forensics on the technology, 
looking at the electronic transmission of the document.
    Ms. Jackson Lee. On the SOP, did you indicate that Members 
could have individual classified or confidential briefings on 
the new procedures?
    Ms. Rossides. Yes, Madam. We have offered and we will 
continue to offer, as we go through this process, briefings to 
any of the Members or their staff on the current SOP that is in 
place across the aviation system so that the Members can get a 
full understanding and appreciation of the fact that many 
systems improvements have been put in place since that version 
in 2008 was drafted.
    Ms. Jackson Lee. What is your best assessment of whether or 
not the lives of Americans are now presently at jeopardy or in 
jeopardy because of information that is already disseminated? 
What we are speaking of here is a pullback of what occurred and 
an investigation of why. But now that information has been 
disseminated, where are we with respect to security, as it 
relates to the traveling public?
    Ms. Rossides. Madam Chairwoman, the system is very strong, 
and I am very confident in saying that for several reasons. 
First of all, there were six versions or updates to the 
document that was released that had very significant changes to 
the way we conduct the screening procedures.
    Secondly, this was a management's standard operating 
procedure; in other words, it had a lot of checklists of what 
to do to start the day at the checkpoint. It did not have a lot 
of Sensitive Security Information on how to actually do certain 
procedures at the checkpoint.
    That being said, I appreciate the gravity and the 
significance with which people regarded this. But we knew and 
our immediate reaction was to begin to do a line-by-line review 
of that document, compare it to measures in place today, and, 
frankly, even with the confidence we had, out of an abundance 
of caution, we immediately took some additional measures which 
we do any time we get information that says, ``Let's put an 
additional set of measures in place in order to be that much 
more confident in the system.''
    Ms. Jackson Lee. Is it safe to say that you have changed 
the review procedures? Is it also--I am asking several 
questions at once, so you might want to make note. The review--
or the process that administers the SSI--meaning the document--
prior to making the document available to the general public, 
to review those procedures, is it safe to say that, as the 
public is traveling, that there are new schemes and procedures 
that no one knows about?
    Lastly, let me just hold this up. This is an example of the 
kinds of cards that were displayed. Some others dealt with law 
enforcement officers who need to have confidentiality and 
privacy. The question is, should we begin to change all of 
these IDs in order to ensure the safety of those who are in the 
service of their Government?
    Ms. Rossides. Madam Chairwoman, let me answer your 
questions and make sure that I am fully responding to your 
several questions.
    First of all, with respect to the review of the procedures, 
there were several things we did. We began our information 
protection oversight board, which is a board we established 
several years ago, to look at incidents like this. We also--I 
asked that, even though SOPs be treated in their entirety as 
SSI, I asked that we just hold and not release any other SOPs 
until we could get a complete review of what had been released 
and what the circumstances were.
    I also directed the Office of Acquisition to look at all of 
their current and recent postings for procurement solicitations 
and take down any that had any other relevant SSI or sensitive 
information in them and to make sure that they looked 
completely at those, which, to the best of my knowledge, we had 
no other.
    We put in a number of measures, mitigation measures that 
are part of the flexibilities that we have across the system. 
Federal security directors on Monday morning were directed to 
implement some of those other flexible provisions so that we 
would ensure the safety of the traveling public.
    I would like to specifically, you know, describe the ID 
that you show. Although, you know, we take full responsibility 
and we are not at all pleased that this document was released, 
those IDs in the document are photocopies. I just want to 
assure you and the traveling public and our law enforcement 
partners, there are other aspects to those identifications and 
credentials that have security features to them, and we have 
extensive procedures in place to validate the authenticity of 
persons traveling through that represent themselves as law 
enforcement officers. In fact, some of those improvements we 
have made have been at the direct urging of this committee.
    Ms. Jackson Lee. I thank you, Administrator, and now yield 
5 minutes to the Ranking Member, Mr. Dent.
    Mr. Dent. Thank you, Madam Chairwoman.
    Thanks, Ms. Rossides, for being here today. The President, 
as you know, has stated repeatedly that the administration 
would embrace the spirit of transparency. The day after his 
inauguration, the President stated, ``Transparency and rule of 
law will be the touchstones of this presidency.''
    Are you familiar with Section 114(r), which authorizes TSA 
to prescribe regulations prohibiting the disclosure of 
Sensitive Security Information?
    Ms. Rossides. Yes, sir, I am.
    Mr. Dent. Can you please explain your interpretation of the 
Congressional exemption included in Section 114(r)(2)?
    Ms. Rossides. My understanding is that, when TSA receives a 
request like this, we are required to provide it to the 
Congress when it is received from the leadership of a 
committee, and we do that when we are properly requested.
    Mr. Dent. Do you have a certain date when you will be 
transmitting to the Committee on Homeland Security a copy of 
the current document, such as today, you know, next week, you 
know, any date certain after the new year?
    Ms. Rossides. Mr. Congressman, what I will pledge to you is 
that, in the aftermath, the immediate aftermath of this, we 
wanted to exercise the absolute operational security over all 
of these SOPs. My commitment to you is, once we are through the 
traveling holiday season, I will come back and I will talk with 
you and the leadership of this committee about how to make all 
of that information available to you. In the meantime, we will 
sit and give briefings to any Members or their staff that 
requested on this document specifically.
    Mr. Dent. You know, I certainly appreciate that TSA 
provided my staff about an hour briefing on the differences 
between these two documents. Then I think there was about an 
hour to review the latest version of the document, but I want 
to make sure that I am clear that I still would like to have a 
hard copy of the document for a thorough review.
    I guess the question still is why does TSA not want to 
provide the committee with a hard copy of this document, given 
that we have asked for thousands of pages of Sensitive Security 
Information in the past and TSA has provided them? Why is this 
different?
    Ms. Rossides. The only reason this is different right now 
is in the immediate aftermath of this incident. I was very 
concerned to maintain the tightest controls over the current 
version, because it does have very significant changes to what 
was released. I just wanted to take the absolute measures to 
protect that information, and that is why a hard copy wouldn't 
be presented, but we were very, very willing to provide the 
information and actually explain the difference in the versions 
from one document to the other.
    Mr. Dent. I thank you for that answer. I keep hearing that 
the administration is reviewing our request for an unclassified 
document, and I guess the question is, where are you in that 
review? Who, if anybody, would be holding up the documents from 
being provided to our committee? Is it the TSA? Is it DHS, the 
White House?
    Ms. Rossides. Right now, sir, it is--basically, the request 
is pending and that ultimate decision would be mine or the 
Secretary's to make. Those are the--under the regulation, we 
are the two officials with the authority to make the decision 
to release it.
    Mr. Dent. Well, speaking for the Republican side of this 
committee, I just really would, again, request that we get a 
date certain for that document. As I have said, we have 
received, thousands of pages of--Sensitive Security Information 
and it has never been an issue, but this one seems to be. I 
understand the issue that you and I have talked about with the 
travel season being upon us here, but certainly it would be, I 
thought, reasonable to have a date certain, some time early in 
the new year.
    Ms. Rossides. I will get back to you, sir.
    Mr. Dent. Finally, after the TSA asked the General Services 
Administration to review the document from its website, it 
removed it in about 2 hours, but not before being captured and 
then reposted by various other websites. Do the current 
regulations provide you a mechanism to keep individuals from 
reposting this information on other websites?
    Ms. Rossides. No, sir, they do not. We do not have any 
authority to ask non-Government or non-DHS sites to take it 
down.
    Mr. Dent. What action did TSA intend to take against those 
who are reposting this sensitive document that should not be in 
the public domain?
    Ms. Rossides. Well, right now, there really isn't any 
authoritative action we can take. Honestly, persons that have 
posted it, I would, you know, hope that out of their patriotic 
sense of duty to, you know, their fellow countrymen, they would 
take it down. But, honestly, I have no authority to direct them 
and order them to take it down.
    Mr. Dent. So there is nothing in current regulations that 
provide you a mechanism to compel they remove this information?
    Ms. Rossides. No.
    Mr. Dent. I yield back.
    Ms. Jackson Lee. Thank you very much.
    Just as I yield to Chairman Thompson, let me be very clear, 
Administrator Rossides, that there is a view by the majority--
and I appreciate the comments of the Ranking Member--that we 
want to see the inspector general's work completed before any 
public distribution of these items, the SOP in particular, 
because there is concern about the impact on National security.
    I would encourage Members to take full advantage of the 
personal review of documents, but we ask you to urgently move 
forward, as our Ranking Member has indicated, and we are going 
to be following this through the holiday season and into the 
beginning of the year.
    I now am pleased to yield 5 minutes to the Chairman of the 
full committee, Mr. Thompson.
    Mr. Thompson. Thank you very much, Madam Chairwoman.
    Just for timeline purposes, Ms. Rossides, can you tell the 
committee when this particular posting went up on the web and 
when TSA found out about it?
    Ms. Rossides. Yes, sir. It went up in March 2009. It was 
part of a solicitation for the SPP program. It came to my 
attention and senior leadership's attention on Sunday, December 
6, in the early evening.
    Mr. Thompson. So this particular item was in the public 
domain from March until December?
    Ms. Rossides. Yes, sir.
    Mr. Thompson. Well, I guess one of my concerns is you said 
you took swift, decisive, and comprehensive action. That is 
after you found out.
    Ms. Rossides. Correct.
    Mr. Thompson. So before that, it was in wherever. I guess, 
what are the--can you explain to the committee the protocols 
for putting items on the web?
    Ms. Rossides. Yes, sir. At least through the acquisition 
process, there are two approaches when we post procurement 
actions. One is to--when we have any kind of sensitive 
information, one is to post it to the secure side of the GSA 
FedBizOpps site, which means that it is password-protected or 
otherwise secured. The other is solicitations get posted to 
FedBizOpps' unsecured side.
    This particular solicitation got posted on their unsecured 
side and then was not properly redacted. The--there are other 
ways that we also will give potential vendors the opportunity 
to look at SSI information and procurement actions. We might 
have a physical reading room where we invite the vendors in, 
and then they can look at that--any SSI material in a physical 
reading room.
    Mr. Thompson. Thank you. Now, was this a private contract, 
who did this, who did this posting?
    Ms. Rossides. That is within the scope of the IG's review 
right now. I can't really comment, because of the IG's due 
diligence on determining exactly who did what postings. There 
was a contractor under the SSI office at the time, a contract 
company under contract with the SSI office.
    Mr. Thompson. Why would we have a contractor in the SSI 
office?
    Ms. Rossides. Small contracts like that often just provide 
clerical support. Sometimes they provide research support. 
Sometimes they provide some technical support. They are not 
people that are making the decisions on the technical aspects 
of a job, in terms of like the redactions.
    Mr. Thompson. Are they required to have clearances?
    Ms. Rossides. Yes, sir, they are.
    Mr. Thompson. Did all these employees in question here have 
clearances?
    Ms. Rossides. That I cannot answer specifically, but during 
the scope of the IG review, we will know exactly what 
clearances everybody did have and the particular people 
involved.
    Mr. Thompson. Well, you have already suspended five people.
    Ms. Rossides. Yes, sir.
    Mr. Thompson. I would hope that part of your review would 
have looked at whether or not these clearances were in effect.
    Ms. Rossides. The five people who were put on 
administrative leave do have clearances, yes, sir.
    Mr. Thompson. Well, but the--to your knowledge, these are 
not all the people who had access to what we are talking about. 
Am I correct?
    Ms. Rossides. Exactly, sir. As part of the IG's review, 
they will determine if it was confined to just these five or 
if, in fact, there are more people who are responsible for this 
error.
    Mr. Thompson. For the committee's point of information, how 
did we find out about this--how did TSA find out about this 
posting?
    Ms. Rossides. I found out from a blogger notifying our blog 
team. We have a TSA blog team. A blogger who frequently blogs 
on TSA's blog called and sent an e-mail to one of our bloggers 
and pointed it out. That followed a chain of events of my being 
notified of it.
    Mr. Thompson. So the particular software that was used to 
do the redacting, is that a TSA-approved software?
    Ms. Rossides. Any of the software on TSA computers are 
approved by our chief information officer.
    Mr. Thompson. Did that chief information officer understand 
that it could be unredacted on the web?
    Ms. Rossides. That will be part of what we learn in the IG 
review, exactly which software, what version of the software, 
and what version was on the various computers that actually 
touched this document.
    Mr. Thompson. So we don't know?
    Ms. Rossides. I do not know yet.
    Mr. Thompson. I would take that you have talked to the 
chief information officer?
    Ms. Rossides. Yes. They are going through and looking at 
all of the versions of the software on TSA computers now, and 
they are going through that inventory right now, with the goal 
being that we will ultimately have the same software on all 
computers, and everybody will be properly trained to that 
software.
    Mr. Thompson. Is there a software presently being used by 
TSA that can't be unredacted?
    Ms. Rossides. Yes, sir, there is.
    Mr. Thompson. Have we made that software available to 
everyone who is doing posting on the web for TSA?
    Ms. Rossides. Yes, sir, we have. We are going back and 
making sure that everybody who is using that software is 
properly trained and knows, again, how to properly use that 
software. If I could add, had this software been properly used, 
it would have worked on this document, so we are making sure 
that everybody who deals with SSI information----
    Mr. Thompson. Wait a minute. You just told me you don't 
know which software--you mean, this----
    Ms. Rossides. The software in use, the software that our 
CIO uses today and authorizes, if that software was used----
    Mr. Thompson. Okay. I got you now.
    Ms. Rossides [continuing]. It would have worked.
    Mr. Thompson. But you don't know which software was used?
    Ms. Rossides. Exactly.
    Mr. Thompson. Okay. Thank you very much.
    I yield back, Madam Chairwoman.
    Ms. Jackson Lee. I thank the Chairman.
    Now I recognize Mr. Austria.
    Mr. Austria. Thank you, Madam Chairwoman and Ranking Member 
Dent. I would just like to lend my voice to those who are 
deeply troubled by this incident. It is extremely concerning to 
me that here we sit, 8 years after 9/11, and our Government, 
whether it be accidental or carelessness, can make such a 
mistake as posting sensitive information on a website.
    I am very concerned about that. I am very concerned with 
the fact that TSA posted the standard operating procedures, 
that the Federal Government with this incident may have 
inadvertently helped those that we don't want to see this 
information, terrorists, others, do their homework for them, so 
to speak. I am very concerned about that.
    So let me--if I may, I have a number of questions here. I 
am going to get right to my questions. But, Ms. Rossides, thank 
you for your testimony today.
    Let me, first of all, ask you--kind of following up on the 
Chairman's questions on redaction--how often does the TSA post 
redacted standard operating procedures on the internet? What is 
the purpose of that?
    Ms. Rossides. Sir, this was the first time that we had ever 
posted a standard operating procedure for a procurement 
solicitation, and it was done specifically for the procurement, 
for companies to compete for privatizing airports in the State 
of Montana.
    Mr. Austria. Let me follow up on that answer, because my 
next question would be, why would TSA post any of its standard 
operating procedures, sensitive or not? I understand that the 
entire document may not have been security sensitive, but there 
were parts that the general public should not have seen. Why 
would you post anything? Why would you give anyone the 
opportunity to learn anything about TSA's aviation security 
procedures?
    Ms. Rossides. In the course of that particular 
solicitation, any vendors will have to be able to prove that 
they can provide the security procedures at those airports. So 
they needed to know what kind of requirements we would have at 
checkpoints for them to be able to demonstrate their 
qualification to be a qualified vendor to be considered for 
this contract.
    Beyond that, one of the questions that the IG is asking is, 
why did we take the steps that we did? They are reviewing that 
decision in terms of, why was it posted?
    Mr. Austria. Let me follow up on this question again, but 
what is the purpose of posting this? Why does TSA post this on 
the internet? What is the purpose of that?
    Ms. Rossides. The purpose was for a procurement action. It 
is not something that we post routinely. It was for a specific 
procurement action that this particular SOP was posted.
    Mr. Austria. So going forward, will TSA continue to use the 
internet to post redacted Sensitive Security Information for 
potential contractors or vendors? Or have you changed the way 
you are doing business?
    Ms. Rossides. We have immediately--I have immediately 
directed the Office of Acquisition to not post any SOPs like 
this. What we will review with the General Services 
Administration is ensuring that if we ever do have to post 
solicitations again--say, for the technology purchases that we 
are doing--that would contain any SSI information, we will 
verify that that is in a secure environment on their secure 
website.
    We are also looking at other measures, physically inviting 
potential vendors in to look at material, as opposed to doing 
any postings at all.
    Mr. Austria. Okay. I appreciate that answer.
    Let me kind of follow up a little bit on what the Chairman 
was talking about as far as redacting the sensitive documents, 
because I think that is very important. Can you tell us, as a 
committee, what TSA's normal process and procedures are for 
redacting sensitive documents?
    Ms. Rossides. Yes, sir. The normal process is that within 
program offices that have SSI information, there is a 
designated individual who is trained to properly redact the 
materials. The chief information office puts out the 
instructions on how to properly redact information, based upon 
the technology that is on each individual's computer.
    That process now we are going back and reviewing, both as 
part of the IG review, in terms of how did this actually 
happen, and then now, what our CIO is also doing is making sure 
that the same software for redacting is on all computers, so 
that the training is consistent from office to office to 
office.
    Mr. Austria. Okay. One last question I have--I know my time 
is up, Madam Chairwoman.
    Ms. Rossides, based on what has happened here, do you 
believe that our aviation security has been compromised or 
weakened because of this incident?
    Ms. Rossides. No, sir, I do not.
    Mr. Austria. Thank you, Madam Chairwoman.
    Ms. Jackson Lee. Thank you.
    The gentleman from Missouri is recognized, Mr. Cleaver, for 
5 minutes.
    Mr. Cleaver. Ms. Rossides, thank you for being here.
    To follow with Mr. Austria's, the answer to that question 
would have been what you just said no matter what, right?
    Ms. Rossides. Yes, sir. I believe that our system is very 
strong.
    Mr. Cleaver. No, no, no. I mean, but even if it weren't, 
that that would be the answer, right?
    Ms. Rossides. I don't understand.
    Mr. Cleaver. I mean, you wouldn't have sat here in front 
of, you know, TV cameras that our system has been compromised.
    Ms. Rossides. I believe that the system is very strong and 
it was not compromised as a result of this, sir.
    Mr. Cleaver. Okay. I understand why you won't answer the 
question, which is why I asked the question. But that was 
somewhat of an answer. Has there been a--see, I don't--I am not 
sure you can answer my questions here, because I don't--
because----
    Ms. Rossides. I can--perhaps when we get into the closed 
session, I can answer and give you more examples as to why I am 
confident in our systems.
    Mr. Cleaver. Well, generally, whether it is science or 
theology or anthropology or epidemiology, we all build on what 
was. So it seems to me that any new versions were built on 
older versions. Am I right about that?
    Ms. Rossides. Yes, sir.
    Mr. Cleaver. Okay. So if I am correct, then there obviously 
is information that is out there that is in the latest 
iteration.
    Ms. Rossides. That is true. But that--the bulk of that 
information is not SSI information. It is checklists. It is 
routine standard procedures.
    Mr. Cleaver. The SSI material was posted on the fob.com on 
March 3, but it was not discovered by TSA until December 6. 
What was the--what happened differently in between time?
    Ms. Rossides. The procurement solicitation was up on the 
FedBizOpps website. In fact, the procurement went through its 
whole process. A contractor was selected for that procurement. 
Then the normal routine is, once the contract is awarded, the 
GSA keeps the procurement award posted on the FedBizOpps and 
advises the public, who actually won the contract.
    Mr. Cleaver. Okay. Unfortunately, it sounds like we have 
been called to vote. The questions that I have, based on what 
you are saying, I am not sure I want answered. I mean, I don't 
think you will answer it in front of everybody in the first 
place.
    So I don't want to ask it, because then I get frustrated, 
because you can't answer it. On top of that, I appreciate you 
not answering it--sounds clear.
    Ms. Rossides. Well, if we have the opportunity to go into 
the Executive Session, perhaps I can give you some answers that 
won't frustrate you and will be able to give you more 
information.
    Mr. Cleaver. But you understand the----
    Ms. Rossides. Yes, sir, I do. I understand.
    Mr. Cleaver. Madam Chairwoman, thank you.
    Ms. Jackson Lee. I thank the gentleman.
    The gentlelady is correct. If we are prepared to go into 
Executive Session--we are called for a vote. We are going to 
continue for a period of time.
    I do want to ask the administrator on her time 
circumstances here. I see the number of Members, but we do want 
to pose that question to you. What is your time circumstance, 
please?
    Ms. Rossides. You know, probably, Madam Chairwoman, I have 
got to be out of here by about 4:15.
    Ms. Jackson Lee. 4:15.
    Ms. Rossides. Yes, ma'am.
    Ms. Jackson Lee. Let me now recognize--and we will 
contemplate what our next step is. Let me recognize Mr. Lungren 
for 5 minutes. He is not a Member of the committee--yield to--
but we are graciously accepting him, but we are going to 
Members first.
    Mr. Himes is recognized.
    Mr. Himes. Thank you, Madam Chairwoman. A couple of quick 
questions.
    First, I share my colleagues' concern, obviously, with this 
disclosure of sensitive information. Of course, no organization 
doesn't make mistakes. The measure of an organization is how 
well you learn from your mistakes. It sounds like you have 
taken a fairly aggressive approach to that.
    Here's a slightly off-the-wall question, but one that I 
think is important. We know that, through a couple of different 
mechanisms, this information is now in the public domain. Are 
you or is anybody looking to see who has subsequently 
downloaded it?
    Ms. Rossides. I believe that is part of what the IG is 
looking at. We do know--we have in our--our CIO shop has done 
an initial review of who did download it and has it on their 
websites, the non-Government, non-DHS websites. We do know 
that.
    Mr. Himes. Thank you. Yes, no, I am just intrigued by the 
possibility that you might cross-check a list of those end-
users, not just cross-posters, but end-users who downloaded it 
perhaps with other lists that could--from which we could maybe 
make some inferences.
    When we get classified information on this committee, each 
page is usually marked with some degree of classification. 
Sometimes each paragraph has actually indicated some level of 
classification. Do you follow a similar protocol on a hard 
copy? Would SSI be always indicated as such?
    Ms. Rossides. Yes, sir. If appropriately marked, the SSI 
document would be marked and the pages would have a header and 
a footer on them that said it is SSI information.
    Mr. Himes. Not having seen the SSI that was disclosed, was 
that, in fact, appropriately marked as such?
    Ms. Rossides. No, sir, it was not, no. That was part of the 
problem.
    Mr. Himes. So the failure was one of marking.
    Ms. Rossides. And redacting.
    Mr. Himes. And redacting, okay. Do you have a sense for 
what your overall rate of compliance is with respect to marking 
appropriately your documents?
    Ms. Rossides. Well, sir, we do a number of self-assessments 
as part of our SSI program, and we do those routinely. We also 
had a very extensive review by GAO at the end of 2007 who 
actually gave very good grade to TSA for how we do--our program 
office addresses SSI.
    Mr. Himes. Thank you. I yield back the balance of my time.
    Ms. Jackson Lee. I thank the gentleman from Connecticut.
    I would like to now recognize Mr. Bilirakis for 5 minutes.
    Mr. Bilirakis. Yes, I will go ahead and ask my questions 
during the Executive Session, Madam Chairwoman. Thank you.
    Ms. Jackson Lee. Let me----
    Mr. Dent. May I ask your indulgence, Madam Chairwoman? I 
know we have a few minutes before the vote, but before we go 
into Executive Session, I am struggling a little bit with the 
underlying premise of Ms. Rossides' response.
    By refusing to give a document to this committee because 
you are concerned about public disclosure, that is implying 
that the subcommittee will disclose the document. That is what 
troubles me the most: The implication that this subcommittee is 
not taking security of these documents that seriously, and I 
think we all agree that we know that is not the case.
    For the record, I am glad the inspector general is doing 
his investigation, but that is not particularly relevant to our 
request for this document. We are a separate and equal branch 
of Government responsible for overseeing TSA's activities. I am 
frustrated by, again, a willingness to provide us a date 
certain for delivering this critical document to the 
subcommittee.
    So I feel like I have been left with no choice. I feel like 
we have given the administration every opportunity to provide 
this document. I appreciate the fact that our staff has been 
able to look at this for a few hours.
    I think, somewhat reluctantly, along with Ranking Member 
Bilirakis, Mr. Lungren and Mr. King, and others, you know, I 
will be introducing a resolution of inquiry demanding that the 
Secretary provide the House of Representatives with this 
document. I think it is only appropriate, and I would rather 
not do it. If I had a date certain, I would not ask for this 
resolution.
    Ms. Jackson Lee. The gentleman--if the gentleman's finished 
his remarks--let me ask you, Administrator Rossides, if you 
have a definitive date or whether you could submit a definitive 
date of the completion of the IG report?
    Ms. Rossides. No, Madam. I am sorry. I do not. I do not 
know when the IG will definitively be finished. I know that 
they have this on an expedited track, but I don't have a 
specific date. I couldn't speak----
    Ms. Jackson Lee. Do you have a close, proximate date?
    Ms. Rossides. All I know is when they first began the 
engagement and took it over from our office of inspection, they 
said they wanted to have it done in a matter of a couple weeks, 
so that they started that, you know, earlier, right after--they 
started it on December 9.
    Ms. Jackson Lee. Okay, well, let me just say that I am very 
moved by the sincerity of Mr. Dent's request and intent to 
offer a resolution of inquiry, but I am aware that the Chairman 
of the full committee has authority to move forward, and it 
would seem, Mr. Dent, that you would raise that question with 
the Chairman of the full committee. I think that would be the 
appropriate next step and not a resolution of inquiry.
    I might also say that part of our concern has been that, in 
disclosing the SOP, it is possible for leaks. Of course, it 
sounds maybe that it is ironic that I would use the term leaks, 
because, obviously, we have had a breach. But there have been 
many, many Members of the House and the Senate that have asked 
for this document, and there is no doubt this is a high-profile 
document, but our job is to ensure that there are no further 
leaks equally egregious.
    So I would ask that you ask the Chairman of the full 
committee as a first step, but more importantly, I would say 
that I would like Ms. Rossides to come back in the next 24 
hours, if she can be in touch with the Secretary and the IG, to 
get a more definitive time. I know answering today may be 
difficult, but I would think the inspector general would be 
open to the fact that this is urgent. Mr. Dent has indicated it 
is urgent. There is a suggestion of a resolution of inquiry, 
which I think is premature.
    But even so, that shows the urgency of the matter. We need 
to, in essence, respond to that. So I would suggest that the 
first response for Mr. Dent and his colleagues is a request to 
the Chairman of the full committee, Mr. Thompson. Then I would 
want to have the additional information for our subcommittee as 
to the time that you believe this might occur.
    Ms. Rossides. Yes, ma'am, I will do that.
    Ms. Jackson Lee. The IG's report.
    Mr. Dent. Madam Chairwoman, the only thing I would ask----
    Ms. Jackson Lee. I yield to the gentleman for a response.
    Mr. Dent. The only thing I would ask, respectfully, is that 
we be given a date certain as to when we would receive this 
document, then I would quite happily withdraw the motion for 
the resolution of inquiry. I do feel that the inspector general 
investigation is irrelevant to our request for that particular 
document. As I said previously, we have received, many 
thousands of pages of sensitive and security information, and I 
think our committee has handled them well and we certainly will 
make a request to the Chairman.
    I would just like to keep this resolution out there for 
consideration. Hopefully in the intervening time, we can get a 
date certain. If we were to get a date certain for the release 
of document, then we could at that time withdraw the 
resolution.
    Ms. Jackson Lee. I think we found some measure of 
reconciliation or a moment that we can reconsider.
    Let me quickly--I think there are one or two Members that 
are going to be here. I am continuing the hearing because of 
the time constraints of Ms. Rossides. So anyone that is 
interested in the--going forward on the Executive Session, they 
need to hurry back, because the first vote--let me just 
proceed--I assume all Members have gone forward. I will yield 
myself for a second round until we convene into the Executive 
Session.
    Do you believe that any actions taken by the individuals 
that you have put on administrative leave or have disposed of 
in another manner--and I do need to get a correct 
interpretation--were some of these individuals contract 
employees?
    Ms. Rossides. Madam Chairwoman, at the time in March 2009, 
one of the individuals was a contractor, but he is now a TSA 
employee, and he is one of the five TSA employees that is on 
administrative leave.
    Ms. Jackson Lee. Do you believe that any actions by these 
employees was intentional?
    Ms. Rossides. I would have to wait for the IG report, but 
my honest assessment is no.
    Ms. Jackson Lee. But you----
    Ms. Rossides. I think this was an accident.
    Ms. Jackson Lee. Your honest assessment is no, but you do 
not know?
    Ms. Rossides. I don't know for sure until the IG gives us 
the report.
    Ms. Jackson Lee. One of the employees was a contractor, and 
you are representing to this committee that that individual is 
now employed. But are you also representing that that 
individual went through the normal security checks?
    Ms. Rossides. Yes. If he was hired as a TSA employee, he 
would have had a background check.
    Ms. Jackson Lee. What do we learn from the idea--not the 
idea, but the actual happening of this incident occurring in 
March 2009 and this was exposed in the last 3 weeks? What do we 
learn from that?
    Ms. Rossides. I think that--
    Ms. Jackson Lee. As you answer that question, can you 
comprehend the disappointment that we have in that issue?
    Ms. Rossides. Yes, Madam Chairwoman. I think there are a 
number of things that we learned from this. Our learnings from 
this are that we definitely need better processes in place and 
tighter controls on how we handle sensitive information. In the 
size of TSA, as large of an organization it is, where this 
information is shared across the organization, we are going to 
have to make sure that we have designated personnel who are 
properly managing--and managing this information and treating 
it in the manner in which it should be. We need to make sure 
that our personnel are trained and really truly understand.
    If there is a lesson that the entire TSA organization has 
learned in this, it shows that, you know, the accident or the 
mistake of one or a few can tremendously impact the whole 
agency and our credibility with the American public. So we are 
taking it very, very seriously. I think that our front-line 
officers, our FAMs, our inspectors, our TSOs are very much 
aware of their responsibility now because a document like this 
has been put out there.
    So I think there will be a number of lessons that we will 
learn. I also think that there are technology solutions that 
hopefully will come from the IG's report about the right 
technology to use, the right versions to use when redacting 
information.
    Ms. Jackson Lee. Let me say this. I will recess this 
committee, and keeping in mind your schedule, we will return 
quickly, but my intent is to write legislation, first of all, 
with a great deal of respect for the reliance of this 
Government overall, not just Department of Homeland Security, 
on contract employees, from Blackwater employees to a number of 
others.
    It is clear that there needs to be standards utilized for 
the hiring, retaining, and utilizing of contract employees. It 
will be my thought, it will be my legislative initiative to 
insist that contract employees not be used to handle Sensitive 
Security Information, period.
    Then we are looking to craft legislation that puts a 
firewall around certain technology, because as I was listening 
to the Chairman, if this is unique technology that ultimately 
will prevent redacting from showing up again on a website, then 
I don't want random individuals having access to that, because 
then you can be exploited.
    So I will introduce legislation in the early part of the 
year to establish that criteria, and we will also have to find 
a better pathway of informing the Members of this House and 
Senate, and I would imagine the White House, on issues of 
breach of security.
    With that, this hearing remains in recess. We may start 
back in--with a brief open session, but we will then go into 
the Executive Session. Thank you. This hearing is now in 
recess.
    [Recess.]
    Ms. Jackson Lee. Committee is called to order.
    Ms. Rossides, I would like to pursue a line of questioning. 
This is not the Executive Session, which we will go into very 
shortly.
    Would you please share, again, with the explanation as to 
whether or not we had a different software in March 2009, but 
we now have a different software in December 2009, dealing with 
this particular issue?
    Ms. Rossides. Madam Chairwoman, I can't answer that 
question with any specificity, because I do not know, and that 
is what the IG's forensic team is looking at, as they are 
looking at all of the computers that were used by people in 
this action, so I cannot answer that. That will be part of the 
IG's review.
    Ms. Jackson Lee. Do you have information--and if you have 
said it before, if you could say it again--that the policies of 
dealing with SSI have now changed, is there a review process of 
several individuals that are now as we speak looking at 
Sensitive Security Information and making a paper trail 
decision, meaning that you will know who made the decision, on 
what goes onto the web?
    Ms. Rossides. Yes. That is really--I would give you a 
couple of answers to that. First of all, our procedures for how 
SSI information is handled internally is part of our review and 
our lessons learned. We will look again at those procedures.
    The SSI office maintains very detailed records of how they 
look at the documents and then how the documents are passed 
forward to other offices. The acquisition office is also 
looking at their procedures. Then most importantly, the CIO, 
our chief information officer, is looking at both the 
technology that should be used across the whole agency in 
handling redacted material. We have actually asked the NSA to 
come in and help us ensure, give us a certification that any 
tool we use for redacting material electronically will meet 
their certification standards. So we are taking that added 
measure.
    Ms. Jackson Lee. As you do that, you are going to have 
written criteria, some roadmap to go forward on the handling of 
these materials so that we can assure the American people that 
this will not happen again?
    Ms. Rossides. We will do a exhaustive review--and I commit 
to you that we will make sure we have procedures in writing 
that we train the appropriate personnel and that we raise every 
employee awareness about the importance of handling SSI 
material appropriately.
    Ms. Jackson Lee. All right. As I indicated with respect to 
contractors, is there any determination that contractors would 
be outside the realm of sensitive security materials?
    Ms. Rossides. No. Madam Chairwoman, right now, I believe 
that we do have some contractors that handle SSI material, but 
if they do, they are subject to the exact same procedures that 
any employee in handling SSI is subject to.
    Ms. Jackson Lee. Well, I, frankly, believe that we should 
leave our SSI materials to employees of Homeland Security. I 
know that this Government has become very dependent in many 
areas--and in some areas, it is very effective. I have no 
problem with who builds our highways and bridges. It may be 
very difficult for the Government to engage in construction.
    But I certainly have concern about the use of non-
Government employees in the handling of Sensitive Security 
Information. I am going to raise that with the Department. I am 
raising it with you. I would like you to raise it with your 
team. We will have to come to some resolution on that, because 
there is little reprimand, I believe, under the circumstances 
for a contract employee who is getting paid by tax dollars, but 
then is, unfortunately, in a breach such as this, which we have 
not determined whether or not it was intentional. Certainly, I 
appreciate your representation at the level that it was at.
    Then final question before we enter into this session, the 
individuals that you were dealing with that have been, I guess, 
suspended----
    Ms. Rossides. Placed on administrative----
    Ms. Jackson Lee [continuing]. Administrative leave, what 
level civil service rank would they have been at? What was 
their level?
    Ms. Rossides. I would have to get back to you and confirm. 
They are at the mid-level and one, I believe, is at a senior 
management level. But I could have--I would have to confirm 
all--all five of them. I know that--that one, the high--the 
highest level one was at a senior management level. It is the K 
band in TSA's pay system.
    Ms. Jackson Lee. Okay. With that in mind, thank you. The 
subcommittee will now resolve into Executive Session. I ask the 
clerk to prepare the room.
    [Whereupon, at 3:52 p.m., the subcommittee proceeded in 
Executive Session, and subsequently adjourned the hearing at 
4:14 p.m.]

                                 
