Transportation Security Administration's Processes for		 
Designating and Releasing Sensitive Security Information	 
(30-NOV-07, GAO-08-232R).					 
                                                                 
Since the September 11, 2001, terrorist attacks, federal agencies
have faced the challenge of protecting sensitive information from
terrorists and others without a need to know while sharing this  
information with parties who are determined to have such a need. 
One form of protection involves identifying and marking such	 
information sensitive but unclassified--information that is	 
generally restricted from public disclosure but not designated as
classified national security information. The Department of	 
Homeland Security's (DHS) Transportation Security Administration 
(TSA) requires that certain information be protected from public 
disclosure as part of its responsibility for securing all modes  
of transportation. TSA, through its authority to protect	 
information as sensitive security information (SSI), prohibits	 
the public disclosure of information obtained or developed in the
conduct of security activities that, for example, would be	 
detrimental to transportation security. According to TSA, SSI may
be generated by TSA, other DHS agencies, airports, aircraft	 
operators, and other regulated parties when they, for example,	 
establish or implement security programs or create documentation 
to address security requirements. Section 525 of the DHS	 
Appropriations Act, 2007 (Public Law 109-295), required the	 
Secretary of DHS to revise Management Directive (MD) 11056, which
establishes DHS policy regarding the recognition, identification,
and safeguarding of SSI, to (1) review requests to publicly	 
release SSI in a timely manner and establish criteria for the	 
release of information that no longer requires safeguarding; (2) 
release certain SSI that is 3 years old, upon request, unless it 
is determined the information must remain SSI or is otherwise	 
exempt from disclosure under applicable law; and (3) provide	 
common and extensive examples of the 16 categories of SSI to	 
minimize and standardize judgment by persons identifying	 
information as SSI. In addition to answering this mandate, we are
following up on a June 2005 report in which we recommended that  
DHS direct the Administrator of TSA to establish (1) guidance and
procedures for using TSA regulations to determine what		 
constitutes SSI, (2) responsibility for the identification and	 
determination of SSI, (3) policies and procedures within TSA for 
providing training to those making SSI determinations, and (4)	 
internal controls that define responsibilities for monitoring
compliance with SSI regulations, policies, and procedures and	 
communicate these responsibilities throughout TSA. To respond to 
the mandate and update the status of all four of our		 
recommendations, we assessed DHS's status in establishing	 
criteria and examples for identifying SSI; efforts in providing  
training to those that identify and designate SSI; processes for 
responding to requests to release SSI, including the legislative 
mandate to review various types of requests to release SSI; and  
efforts in establishing internal controls that define		 
responsibilities for monitoring SSI policies and procedures.	 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-08-232R					        
    ACCNO:   A78548						        
  TITLE:     Transportation Security Administration's Processes for   
Designating and Releasing Sensitive Security Information	 
     DATE:   11/30/2007 
  SUBJECT:   Federal regulations				 
	     Government information				 
	     Government information dissemination		 
	     Homeland security					 
	     Information classification 			 
	     Information disclosure				 
	     Information management				 
	     Information security				 
	     Information security management			 
	     Information security regulations			 
	     Policy evaluation					 
	     Security policies					 
	     Security threats					 
	     Terrorism						 
	     Policies and procedures				 


United States Government Accountability Office Washington, DC 20548

November 30, 2007

The Honorable Robert C. Byrd
Chairman
The Honorable Thad Cochran
Ranking Member
Subcommittee on Homeland Security
Committee on Appropriations
United States Senate

The Honorable David Price
Chairman
The Honorable Harold Rogers
Ranking Member
Subcommittee on Homeland Security
Committee on Appropriations
House of Representatives

Subject: Transportation Security Administration's Processes for
Designating and Releasing Sensitive Security Information

Since the September 11, 2001, terrorist attacks, federal agencies have
faced the challenge of protecting sensitive information from terrorists
and others without a need to know while sharing this information with
parties who are determined to have such a need. One form of protection
involves identifying and marking such information sensitive but
unclassified--information that is generally restricted from public
disclosure but not designated as classified national security information.

As part of post-September 11 efforts to better share information critical
to homeland protection, sensitive but unclassified information has
undergone scrutiny by Congress and GAO. In March 2006, we reported results
from our survey of 26 federal agencies, from which we found that most of
the agencies lacked policies and procedures for designating and releasing
sensitive but unclassified information. As a result, we recommended
governmentwide implementation of (1) guidance for determining what
information should be protected with sensitive but unclassified
designations, (2) provisions for training on making designations and for
controlling and sharing information with other entities, and (3) a review
process to determine how well the program is working.^1

^1 GAO, Information Sharing: The Federal Government Needs to Establish
Policies and Processes for Sharing Terrorism-related and Sensitive but
Unclassified Information, GAO-06-385 (Washington, D.C.: Mar. 17, 2006).

The Department of Homeland Security's (DHS) Transportation Security
Administration (TSA) requires that certain information be protected from
public disclosure as part of its responsibility for securing all modes of
transportation. TSA, through its authority to protect information as
sensitive security information (SSI), prohibits the public disclosure of
information obtained or developed in the conduct of security activities
that, for example, would be detrimental to transportation security.
According to TSA, SSI may be generated by TSA, other DHS agencies,
airports, aircraft operators, and other regulated parties when they, for
example, establish or implement security programs or create documentation
to address security requirements.

In February 2005, TSA established its SSI office to develop and implement
TSA policies concerning the handling, training, and protection of such
information. Through this office, TSA has established regulations that
allow for the sharing of SSI with covered persons having a need to
know--including airport and aircraft operators, foreign vessel owners, and
TSA employees.^2 If, however, persons who do not otherwise have a need to
know request access to SSI, TSA may share or release such information if
it determines the information no longer requires protection as SSI. Also,
in the course of a civil proceeding, a requesting party or the party's
attorney may be granted access to SSI after being cleared through a
background check. This is permissible if the party has established that it
has a substantial need for relevant SSI and that it is unable, without
undue hardship, to obtain the substantial equivalent by other means.
Furthermore, TSA or the judge in the civil proceeding must determine that
the sensitivity of the information at issue does not present a risk of
harm to the nation.

Congress has had ongoing interest in whether TSA is consistently and
appropriately designating information as SSI and balancing the trade-off
between the need to protect SSI and the need to provide useful information
to the public. Section 525 of the DHS Appropriations Act, 2007 (Public Law
109-295), required the Secretary of DHS to revise Management Directive
(MD) 11056, which establishes DHS policy regarding the recognition,
identification, and safeguarding of SSI, to (1) review requests to
publicly release SSI in a timely manner and establish criteria for the
release of information that no longer requires safeguarding; (2) release
certain SSI that is 3 years old, upon request, unless it is determined the
information must remain SSI or is otherwise exempt from disclosure under
applicable law; and (3) provide common and extensive examples of the 16
categories of SSI (see app. I for a list of the categories) to minimize
and standardize judgment by persons identifying information as SSI.^3 The
law further prescribed steps that must be taken during the course of a
civil proceeding in the U.S. District Courts to provide a party with
access to relevant SSI. This provision also required us to report to the
Committees on Appropriations of the Senate and House of Representatives on
DHS's progress and procedures in implementing these requirements not later
than 1 year from the date of the law's enactment (October 4, 2006).

In addition to answering this mandate, we are following up on a June 2005
report in which we recommended that DHS direct the Administrator of TSA to
establish (1) guidance and procedures for using TSA regulations to
determine what constitutes SSI, (2) responsibility for the identification
and determination of SSI, (3) policies and procedures within TSA for
providing training to those making SSI determinations, and (4) internal
controls^4 that define responsibilities for monitoring compliance with SSI
regulations, policies, and procedures and communicate these
responsibilities throughout TSA.^5

^2 "Covered person" is defined at 49 C.F.R. § 1520.7 and includes persons
permanently or temporarily assigned, attached, or detailed to, employed
by, or under contract with DHS. Section 1520.11 establishes the
circumstances under which a person has a need to know SSI, such as when a
person requires access to specific SSI to carry out transportation
security activities approved, accepted, funded, recommended, or directed
by DHS or the Department of Transportation.

^3 See Pub. L. No. 109-295, § 525, 120 Stat. 1355, 1381-82 (2006).

To respond to the mandate and update the status of all four of our
recommendations, we assessed DHS's

     o status in establishing criteria and examples for identifying SSI;
     o efforts in providing training to those that identify and designate
       SSI;
     o processes for responding to requests to release SSI, including the
       legislative mandate to review various types of requests to release
       SSI; and
     o efforts in establishing internal controls that define responsibilities
       for monitoring SSI policies and procedures.

To address these objectives, we reviewed applicable DHS management
directives, policies and procedures, and other related documents, and
interviewed TSA and DHS officials involved in the SSI designation,
training, document review, and oversight processes. While our review
focused on the policies and procedures developed by TSA, we also
interviewed officials involved in the SSI designation, training, document
review, and oversight processes for four other DHS components to better
understand the use of SSI throughout DHS. We compared the internal
controls in place with the standards for internal control in the federal
government to determine whether TSA's internal controls are designed to
provide reasonable assurance that monitoring exists to help ensure
compliance with SSI regulations, policies, and procedures.^6 We also used
as criteria GAO-developed core characteristics of a strategic training
program to assess whether TSA has created and implemented the training
necessary for staff to make SSI determinations.^7 We determined that the
data were sufficiently reliable for the purposes of our review. We based
our decision on an assessment of existing documentation on program
operations and interviews with knowledgeable officials about the source of
the data and TSA's policies and procedures for collecting and maintaining
the data.

On October 4, 2007, we provided a copy of our briefing slides to your
staff. This report conveys the information that was provided in these
slides (see app. I).

We conducted our work from May 2007 through October 2007 in accordance
with generally accepted government auditing standards.

^4 Internal control is an integral component of an organization's management
that provides reasonable assurance that the following objectives are
achieved: (1) effectiveness and efficiency of operations, (2) reliability
of financial reporting, and (3) compliance with applicable laws and
regulations.

^5 See GAO-05-677, Transportation Security Administration: Clear Policies
and Oversight Needed for Sensitive Security Information (Washington, D.C.:
June 29, 2005).

^6 GAO, Standards for Internal Control in the Federal Government,
GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999).

^7 GAO, A Guide for Assessing Strategic Training and Development Efforts in
the Federal Government, GAO-04-546G (Washington, D.C.: March 2004).

                                    Results

DHS, primarily through TSA's SSI Office, has addressed all of the
legislative mandates from the DHS Appropriations Act, 2007, and taken
actions to satisfy all of the recommendations from our June 2005 report.

DHS revised its MD to address the need for updating SSI guidance, and TSA
has established more extensive SSI criteria and examples that respond to
requirements in the DHS Appropriations Act, 2007, and our 2005
recommendation that TSA establish guidance and procedures for using TSA
regulations to determine what constitutes SSI. Further, TSA has documented
the criteria and examples in various publications to serve as guidance for
identifying and designating SSI. TSA has also shared its documentation of
the criteria and examples with other DHS agencies. For example, the U.S.
Coast Guard and U.S. Customs and Border Protection either have developed
or are in the process of developing their own SSI examples to correspond
with the types of SSI that their agencies encounter. Additionally,
officials we interviewed from other DHS components have recognized
opportunities to adapt TSA's criteria to their offices' unique needs.
Furthermore, TSA has appointed SSI coordinators at all program offices to,
among other things, implement SSI determination policy. This action
responds to our 2005 recommendation that TSA establish responsibility for
identifying and determining SSI.

TSA's SSI Office is in the process of providing SSI training to all of
TSA's employees and contractors in accordance with its recently
established policies and procedures, an action that responds to our 2005
recommendation. The office uses a "train the trainer" program in which it
instructs SSI program managers and coordinators who are then expected to
train appropriate staff in their respective agencies and programs. Several
aspects of the SSI training program that we evaluated are consistent with
GAO-identified components of a strategic training program. TSA has taken
actions to incorporate stakeholder feedback and establish policies to
collect data to evaluate its training program and foster a culture of
continuous improvement. For example, the SSI Office assesses the accuracy
of the designations made by various DHS agencies and contacts the
agencies, when necessary, to correct any problems. Additionally, TSA has
taken action to coordinate training activities within and among DHS
agencies. For instance, the SSI Office shares its guidance with other DHS
components so that program managers can create customized training
programs that will meet the needs of their staff.

Consistent with the legislative mandate, DHS has taken actions to update
its processes to respond to requests to release SSI. Specifically, DHS
revised MD 11056 in accordance with the DHS Appropriations Act, 2007, to
incorporate a provision that all requests to publicly release SSI will be
reviewed in a timely manner, including SSI that is at least 3 years old.
Between February 2006 and January 2007, the SSI Office received 490
requests to review records pertaining to the release of SSI, the majority
of which came from government entities (62 percent). The SSI Office worked
with the requesting government entity to agree upon a time frame for
processing the request. Within the same 12-month period, 30 percent of
requests were initiated by the public under the Freedom of Information Act
(FOIA).^8 The SSI Office has established a process for reviewing
information requested through the FOIA process in 5 days, unless the
information consists of more than 100 pages. The remaining 8 percent of
requests within the 12-month period came from individuals in connection
with litigation, including civil proceedings within the U.S. District
Courts. According to TSA,
parties have sought SSI in nine civil proceedings since the enactment of
the DHS Appropriations Act, 2007, in October 2006. In one such proceeding,
the litigant requested that TSA make a final determination on the request
for access to SSI. TSA, in accordance with the law, made a final
determination in which it released some of the requested SSI but withheld
other SSI because of the sensitivity of the information or because it was
not relevant to the litigation. TSA's SSI Office stated that all
information that is at least 3 years old that does not warrant continued
protection as SSI is released upon request. The SSI Office uses a
controlled access database to document the completion of its steps in
reviewing requests to release SSI, which serves as a quality control
mechanism.

^8 The Freedom of Information Act is the primary process for releasing
information to (and for withholding information from) the public, as
appropriate. See 5 U.S.C. § 552. SSI, by statute, is exempt from
disclosure under FOIA.

The internal controls that TSA designed for SSI are consistent with
governmentwide requirements and respond to our 2005 recommendation. For
example, standards for internal controls in the federal government state
that areas of authority and responsibility be clearly defined by a
supportive management structure and that controls be in place to ensure
that management's directives are carried out. The revised DHS MD 11056
outlined areas of authority for the monitoring of and compliance with SSI
policy. Further, the MD established managers and coordinators within DHS
agencies and programs, respectively, to communicate SSI responsibilities
to DHS staff. Standards for internal controls in the federal government
also call for monitoring activities to assess the quality of program
performance over time and ensure that problems raised during quality
reviews are promptly resolved. TSA program managers and coordinators are
required to periodically complete self-inspections on the use of SSI for
their respective office or agency.

                                Agency Comments

We provided a draft of this report to DHS for review and comment. DHS did
not submit any formal comments. However, TSA provided technical comments
and clarifications, which we incorporated, as appropriate.

We are sending copies of this report to other interested congressional
committees and to the Secretary of the Department of Homeland Security and
the Administrator of the Transportation Security Administration. We will
also make copies available to others upon request. In addition, the report
will be available at no charge on GAO's Web site at http://www.gao.gov.

If you or your staff have any questions concerning this report, please
contact me at (202) 512-6510 or by e-mail at [email protected]. Contact
points for our Offices of Congressional Relations and Public Affairs may
be found on the last page of this report. Key contributors to this report
were Glenn Davis, Assistant Director; Brian Sklar; Nicole Harris; Thomas
Lombardi; Katherine Davis; Carolyn Ikeda; and Michele Fejfar.

Eileen R. Larence, Director
	Homeland Security and Justice Issues

Enclosure

                    Information for Congressional Committees

  Transportation Security Administration's (TSA) Processes for Designating and
                    Releasing Sensitive Security Information

                                     (SSI)

           Briefing to the Appropriations Committees October 4, 2007


                                  Introduction

     o After the terrorist attacks of September 11, 2001, the Aviation and
       Transportation Security Act (ATSA) was enacted on November 19, 2001,
       with the primary goal of strengthening the security of the nation's
       aviation system;
     o ATSA created TSA as the agency responsible for the security of all
       modes of transportation and extended most civil aviation security
       responsibilities, including authority to designate Sensitive Security
       Information, from the Federal Aviation Administration (FAA) to TSA;
       and
     o TSA's SSI authority is codified at 49 U.S.C. § 114(s) and its SSI
       regulations are codified at 49 C.F.R. part 1520.


        * SSI constitutes one category of "Sensitive but Unclassified" (SBU)
          information - information generally restricted from public
          disclosure but that is not classified national security
          information.

             o SSI is an SBU category specifically required by statute (other
               examples include Protected Critical Infrastructure Information
               and Privacy Act information).
             o Categories of SBU information not specifically mandated by
               statute include For Official Use Only and Law Enforcement
               Sensitive Information.

     o The Freedom of Information Act (FOIA) is the primary process for
       releasing information to (and for withholding information from) the
       public, as appropriate. See 5 U.S.C. § 552. SSI, by statute, is exempt
       from disclosure under FOIA.


     o TSA, through its SSI authority, prohibits the public disclosure of
       information obtained or developed in the conduct of security
       activities that would be detrimental to transportation security.
     o According to TSA, SSI is generated by TSA, other DHS agencies,
       airports, aircraft operators, and other regulated parties, when they
       are establishing or implementing security programs or documentation to
       address security requirements.
     o SSI regulations allow for the sharing of SSI with covered persons
       having a need to know--including airport operators, aircraft operators,
       foreign vessel owners, TSA employees, and other persons.^1
     o According to TSA, safeguarding information as SSI allows controlled
       information sharing with covered persons to meet TSA's mission to
       protect the nation's transportation systems.

^1 "Covered person" is defined at 49 C.F.R. § 1520.7 and includes persons
permanently or temporarily assigned, attached, or detailed to, employed
by, or under contract with DHS. Section 1520.11 establishes the
circumstances under which a person has a need to know SSI, such as when a
person requires access to specific SSI to carry out transportation
security activities approved, accepted, funded, recommended, or directed
by DHS or the Department of Transportation.

TSA's SSI Office:

     o Was established in February 2005 to develop and implement TSA policies
       concerning SSI handling, training, and protection.

          * Provides guidance and training to other DHS agencies that use
            SSI, such as U.S. Customs and Border Protection, and serves as
            the Chair of the SSI Oversight Committee, which meets monthly to
            share SSI guidance and best practices.

     o Reviews requests for SSI, including FOIA requests that might contain
       SSI.
     o Is not responsible for ensuring the appropriate use of SSI markings by
       other DHS agencies. The exception to this rule occurs when the SSI
       Office is asked by other agencies to assist in responding to a request
       to release SSI. In such cases, the SSI Office reviews the information
       and provides a determination to the other agency as to whether the
       information has been appropriately marked as SSI.

     o There is ongoing congressional interest in whether TSA is applying the
       SSI criteria consistently and appropriately and balancing the
       trade-off between the need to protect SSI and the need to provide
       useful information to the public.
     o One example is when an individual might seek SSI in
       connection with a civil proceeding in a U.S. District Court. TSA will
       make an initial determination on whether the party has a substantial
       need for any of the specific SSI to which access is sought and whether
       the sensitivity of the issue is such that any provisions of access
       would present a risk of harm to the nation.

Section 525 of the DHS Appropriations Act, 2007 (Public Law 109-295),
requires the Secretary of DHS to revise Management Directive (MD)
11056--which establishes the department's policy regarding the recognition,
identification, and safeguarding of SSI--to provide for the following:^2

     o review requests to publicly release SSI in a timely manner and release
       information that no longer requires safeguarding as SSI;
     o release certain SSI that is 3 years old upon request unless it is
       determined the information must remain SSI or is otherwise exempt
       from disclosure under applicable law; and
     o provide common and extensive examples of the 16 categories of SSI (see
       attachment 1 for a list of the categories) to minimize and
       standardize judgment by persons identifying information as SSI.

The law further prescribes steps that must be taken during the course of a
civil proceeding in the U.S. District Courts when a party seeking access
to SSI demonstrates a substantial need for the information and cannot,
without undue hardship, obtain the substantial equivalent of the
information by other means.

This law also requires GAO to report to the Committees on Appropriations
of the Senate and the House of Representatives on DHS progress and
procedures in implementing these requirements not later than 1 year from
the date of enactment of the Act (October 4, 2006). This briefing responds
to that mandate.

^2 See Pub. L. No. 109-295, § 525, 120 Stat. 1355, 1381-82 (2006).

In June 2005,^3 we recommended that DHS direct the Administrator of TSA to
establish:

     o guidance and procedures for using TSA regulations to determine what
       constitutes SSI;
     o responsibility for the identification and determination of SSI;
     o policies and procedures within TSA for providing training to those
       making SSI determinations; and
     o internal controls that define responsibilities for monitoring
       compliance with SSI regulations, policies, and procedures and
       communicate these responsibilities throughout TSA.

^3 See GAO-05-677, Transportation Security Administration: Clear Policies
and Oversight Needed for Sensitive Security Information (Washington, D.C.:
June 29, 2005).

                                   Objectives

To respond to the mandate and update the status of our recommendations, we
established four objectives. Specifically, we assessed DHS's:

    1. status in establishing criteria and examples for the identification of
       SSI;
    2. efforts in providing training to those that identify and designate
       SSI;
    3. processes for responding to requests to release SSI, including the
       legislative mandate to review various types of requests to release
       SSI; and
    4. efforts in establishing internal controls that define responsibilities
       for monitoring SSI policies and procedures.

                             Scope and Methodology

To address the objectives we:

     o reviewed applicable DHS management directives, policies and
       procedures, and other documents related to SSI designation, training,
       document review, and the oversight process, and
     o interviewed TSA and DHS officials involved in the SSI designation,
       training, document review, and oversight process.
     o Our review focused on the policies and procedures developed by TSA's
       SSI Office, but we also interviewed officials from four additional DHS
       agencies to better understand the use of SSI throughout DHS.
     o We compared the internal controls in place with the standards for
       internal control in the federal government to determine whether TSA's
       internal controls are designed to provide assurance that monitoring is
       in place and a control environment and activities have been
       established.^4
     o We also used as criteria GAO-developed core characteristics of a
       strategic training program to assess whether TSA has created and
       implemented the training necessary for staff to make SSI
       determinations.^5
     o We determined that the data were sufficiently reliable for the
       purposes of our review. We based our decision on an assessment of
       existing documentation on program operations, and interviews with
       knowledgeable officials about the source of the data and TSA's
       policies and procedures for collecting and maintaining the data.
     o We conducted our work from May 2007 through October 2007 in accordance
       with generally accepted government auditing standards.

^4 GAO, Standards for Internal Control in the Federal Government,
GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999).

^5 GAO, A Guide for Assessing Strategic Training and Development Efforts in
the Federal Government, GAO-04-546G (Washington, D.C.: March 2004).

                                Results in Brief

TSA has established SSI criteria and examples, and several DHS
agencies have recognized opportunities to adapt the SSI criteria to
their unique needs:

     o DHS revised its MD to address the need for SSI criteria and examples
       in accordance with the law.
     o TSA has shared its documentation of SSI criteria and examples with
       other DHS agencies to help them identify and designate SSI.^6
     o Officials we interviewed from DHS agencies that work with or generate
       SSI products stated that they have developed, or are in the process of
       developing, their own SSI examples to correspond with the types of SSI
       that their agencies encounter.

^6 In the context of this research, we use the term "designate" to include
the identification and marking of information as SSI. It should be noted
that the SSI Office uses the term "designate" to mean an original SSI
determination in writing. See 49 C.F.R. § 1520.5(b)(9)(iii), (16). Under
the DHS MD, only the DHS Secretary, the TSA Administrator, and the
Director of the SSI Office have the authority to designate SSI.

TSA is providing SSI training, and aspects of the training program are
consistent with several GAO-identified components of a high-quality
training program:

     o The SSI Office has developed an SSI training program and has shared
       this program with DHS agencies that use and generate SSI.
     o TSA documentation from mid-September 2007 shows that 93.5 percent of
       TSA personnel (all employees and contractors) assigned to
       headquarters and 95.5 percent of TSA personnel assigned to airports
       have completed online SSI training.^7
     o The SSI Office uses a "train the trainer" model in which it trains
       SSI program managers and coordinators who are then expected to train
       appropriate staff in their agency.
     o Several aspects of the SSI training program are consistent with
       GAO-identified components of a high-quality training program. For
       example, TSA is soliciting feedback to evaluate the quality of the
       SSI training that it is providing.

^7 The SSI Office stated that all TSA employees have not completed the
online SSI training because of normal attrition, military leave, and
disability leave.

TSA has policies and procedures to respond to all three types of SSI
requests, and a mechanism is in place to document its processes:

     o The SSI Office has a procedure in place to respond to requests from
       government entities, FOIA-related requests, and requests stemming from
       civil proceedings.
     o TSA plans to publish a Notice of Proposed Rulemaking to articulate the
       process for providing SSI to parties in connection with civil
       proceedings in U.S. District Courts.
     o The SSI Office has a process for recording its steps when reviewing
       requests to release SSI that serves as a quality control mechanism.

TSA has established internal controls for SSI and created
mechanisms to communicate these controls, which are consistent
with internal control standards for the federal government:^8

     o DHS revised its MD to define responsibilities for monitoring the
       compliance with SSI regulations, policies, and procedures.
     o The MD establishes SSI program managers and coordinators to
       communicate SSI responsibilities with staff in their respective
       offices and agencies.
     o Various tools are used to monitor the compliance with SSI
       regulations, policies, and procedures including self-inspections,
       agency audits, and SSI Office reviews based on requests to release
       SSI.
     o The internal controls TSA designed for monitoring compliance with SSI
       regulations, policies, and procedures are consistent with internal
       control standards for the federal government.

^8 GAO/AIMD-00-21.3.1.

DHS revised MD 11056 in accordance with section 525 of the DHS
Appropriations Act, 2007, to address the need for common and extensive
examples of individual categories of SSI. In response to this mandate, as
well as GAO's past recommendation, DHS issued a revised MD (MD 11056.1)
and the TSA SSI Office issued the following guidance:

        * Advanced Application Guide: provides SSI criteria and examples for
          each of the categories,
        * One-Page Summary List of SSI Criteria: provides SSI criteria and
          explanatory notes for each category,
        * SSI Identification Guides: provide guidance for identifying SSI
          within the context of specific DHS programs, and
        * SSI Reviewers' Guide: provides a more detailed version of the
          Advanced Application Guide that SSI Office analysts use to review
          requests for SSI.

     o TSA has shared its SSI criteria and examples with other DHS agencies
       to help them identify and designate SSI.

          * Officials we interviewed from DHS agencies that work with or
            generate SSI products stated that they have developed, or are in
            the process of developing, their own SSI examples to correspond
            with the types of SSI that their agencies encounter. For example:

               o U.S. Coast Guard worked with the SSI Office to develop an
                 SSI Identification Guide that provides examples of the
                 application of SSI criteria to documents generated by the
                 Coast Guard; and
               o U.S. Customs and Border Protection has identified the need
                 to create its own SSI Identification Guide and is currently
                 working with the SSI Office to create the guidance.

     o Using the SSI criteria and examples provided by the SSI Office, DHS
       agencies that use SSI identify certain records as containing SSI.
       Section 537 of the DHS Appropriations Act, 2006 (Public Law 109-90),
       enacted October 2005, mandated that DHS provide an annual list of all
       DHS documents that are designated SSI in their entirety for the period
       October 1, 2005, through December 31, 2005. Beginning on January 31,
       2007 (and annually thereafter), the DHS Secretary is to provide a
       report on all documents designated SSI in their entirety for the prior
       calendar year. Therefore, the report provided to Congress in 2006
       covered a 3-month period (it was due no later than January 31, 2006),
       whereas the report provided in January 2007 covered the entire prior
       calendar year, 2006.

          * There were 118 documents in the report provided by DHS in 2007.^9
            Below are the DHS agencies that generated documents from the 2006
            list and their relative percentage of documents generated:

               o Coast Guard (50 percent),
               o Office of Science and Technology (37 percent), and
               o TSA (13 percent).

     o As a result of policy updates made by the SSI Office, 282 documents
       generated by TSA determined to be SSI in their entirety as reported to
       Congress in 2006 no longer met the criteria for continued SSI
       protection in their entirety. Therefore, if requested, some of the
       information contained in these documents could be publicly released.
       The removal of the 282 documents also helps to explain the smaller
       number of SSI documents DHS reported to Congress in 2007, particularly
       from TSA.

^9 According to the report DHS provided to Congress in 2007, U.S. Customs
and Border Protection did not report any documents that it generated and
determined were SSI in their entirety.

Objective #2-Training for Those Who Generate and Use SSI

In response to GAO's recommendation to provide training to staff that
generate SSI, TSA:

     o Requires new employees to take 60-minute online SSI training within
       the first week of employment. TSA documentation from mid-September
       2007 shows that 93.5 percent of TSA personnel (all employees and
       contractors) assigned to headquarters and 95.5 percent of TSA
       personnel assigned to airports have completed the online training or
       completed the live training.^10
     o Provides recurring training to SSI coordinators from offices within
       DHS agencies that use SSI.
     o Provides 60-minute live training to TSA and selected DHS employees.
     o Develops specialized training for TSA contractors, SSI coordinators,
       and others as needed.

^10 TSA documentation shows that 3,097 out of 3,309 TSA personnel in
headquarters and 49,626 out of 51,930 personnel assigned to airports have
completed online SSI training.

     o Although the SSI Office provides training to all SSI program managers
       and coordinators from the DHS agencies that use or generate SSI, the
       program manager from each DHS agency that handles SSI is responsible
       for customizing and evaluating the sufficiency of his or her SSI
       training to meet the agency's unique program needs.
     o The SSI Office is utilizing a "train the trainer" model in which it
       trains SSI program managers and coordinators who are then expected to
       tailor the materials to train the appropriate staff in their agency or
       office.

TSA's training and development efforts reflect the following core
characteristics that GAO has identified for a strategic training
process:^11

Stakeholder Involvement, Accountability, and Recognition: incorporate
stakeholder feedback throughout the training process and establish
accountability mechanisms to hold managers and employees responsible for
learning in new ways.

     o The SSI Office collects stakeholder feedback on its training program
       through training evaluation forms, its e-mail address, over the
       phone, and through the DHS SSI Oversight Committee.
     o In an attempt to establish accountability for whether training has
       led to accurate SSI identifications, the SSI Office requires program
       managers and coordinators to complete self-evaluations that include
       evaluations of a selection of SSI designations in their respective
       office or agency.

o SSI coordinators are required to complete a self-inspection every 12
months, and SSI program managers are required to complete a self-inspection every
months.

^11 GAO-04-546G.

Effective Resource Allocation and Partnerships and Learning from Others:
provide the appropriate level of funding and resources to ensure that
training is achieving its missions and goals, and coordinate within and
among agencies to achieve economies of scale.

     o The creation of the DHS SSI Oversight Committee provides a mechanism
       for interagency coordination.
     o The SSI Office shares its guidance with other DHS components so that
       program managers can create customized training programs that will
       meet the needs of their staff.
     o According to TSA officials, additional funding would allow the SSI
       Office to provide more training and to create a national conference
       for SSI coordinators.

Data Quality Assurance and Continuous Performance Improvement: establish
policies to collect quality data and use these data to evaluate the
training program, and foster a culture of continuous improvement by
assessing and refining the training program.

     o The SSI Office provides all DHS staff that complete live SSI
       training with a training evaluation form to evaluate both the
       content of the training and the quality of instruction.
     o During its process of responding to requests to release SSI, the SSI
       Office evaluates the accuracy of designations made by various DHS
       agencies. If the SSI Office finds that the information has been
       inaccurately identified as being SSI, it can contact the DHS agency
       that made the original designation to identify the error. This
       allows DHS agencies to follow up with refined training to correct
       the problem as necessary.
     o The SSI Office began conducting audits within TSA in September 2007
       to evaluate whether SSI is being appropriately marked and protected
       at various airports. The SSI Office invited other program managers
       to attend the audits so that lessons learned from the audits may be
       incorporated by other DHS agencies.

The aspects of the SSI training program evaluated in this study are
consistent with GAO-identified components of a high-quality training
program.

Objective #3-Processes for Responding to Requests to Release SSI

Between February 2006 and January 2007, the SSI Office received 490
requests to review records pertaining to the release of SSI. For January
2007 through April 2007, the SSI Office reported the percentage of the
total requests to review records by each type of request it processes, as
follows:

    1. requests from government entities (62 percent);
    2. FOIA requests that may contain SSI (30 percent); and
    3. requests from individuals in connection with litigation, including
       civil proceedings, within U.S. District Courts (8 percent).^12

On most occasions, the SSI Office is able to respond to all types of
requests within 7-14 days. TSA documentation indicates that the SSI Office
is able to meet this goal in 92 percent of all requests. The SSI Office
stated that it is not able to complete all requests within its 7-14 day goal
due to the size and complexity of certain requests, as well as the
client's needs and the SSI Office's workload.

^12 According to TSA, additional programming to the SSI Office database
would be required to show the percentage for the three types of SSI
requests (litigation, FOIA, and other) for February 2006 - January 2007.

     o Requests for SSI from government entities can include requests from
       federal, state, local, or tribal governments.
     o The SSI Office works with the requesting government entity to agree
       upon a time frame for processing the request.
     o All requests for SSI, including requests from government entities, are
       reviewed by the SSI Office through a nine-step process (see attachment
       II for more details on this process).

Objective #3-Requests for SSI through the Freedom of Information Act

     o The SSI Office has established a process for reviewing information
       requested through the FOIA process in 5 days, unless the request
       contains more than 100 pages.
     o The SSI Office and FOIA Office coordinate to establish deadlines for
       FOIA requests that contain more than 100 pages.
     o Officials from the TSA FOIA Office stated that the SSI Office responds
       to FOIA requests in a timely manner.
     o The SSI Office has provided training to the department's FOIA Office
       staff members so that they can make basic determinations on whether a
       FOIA request might include SSI.

Objective #3-Process for Responding to Requests to Release SSI That Is at
Least 3 Years Old

     o The information that should be designated as SSI, based on the
       application of the current identification (ID) guidance, may change
       over time, given changing circumstances. For example, the TSA
       Administrator may decide to publicly disclose information previously
       designated as SSI to increase public awareness of an issue or
       security program.

          * At the time of a request to release SSI, all requested
            information is to be reviewed against the SSI categories and
            current precedents for applying each category. This process is
            to occur with all requested SSI, regardless of the age of the
            information.
          * According to SSI Office officials, the content of the
            information being requested is the relevant factor to be
            considered, not the age of the information.

     o All SSI that is at least 3 years old that does not warrant continued
       protection as SSI is released upon request.

Objective #3-Requests for SSI during Civil Proceedings

     o According to TSA's Office of Chief Counsel, persons who do not
       otherwise have a "need to know" sought SSI 48 times in connection with
       civil proceedings since TSA was established. Since the enactment of
       Public Law 109-295 in October 2006, 9 such requests for SSI have been
       made in connection with civil proceedings.
     o Prior to the passage of Public Law 109-295, TSA did not permit SSI
       access in civil proceedings by persons who did not otherwise have a
       need to know. TSA did submit SSI to courts for in camera review.^13
     o Section 525(d) of Public Law 109-295 prescribes steps that must be
       taken during the course of a civil proceeding in the U.S. District
       Courts when a party seeking access to SSI demonstrates a substantial
       need for the information and that it cannot, without undue hardship,
       obtain the substantial equivalent of the information by other means.

     o Since the enactment of this provision, one litigant has requested that
       TSA make a final determination on a request for SSI access in
       connection with civil proceedings. TSA complied with this request and,
       in accordance with the law, issued a final determination releasing
       some of the requested SSI while withholding other SSI because of the
       sensitivity of the information or because it was not relevant to the
       litigation.

^13 In camera review means a trial judge's private consideration of
evidence.

According to TSA documentation:

     o If TSA or the judge decides that a party in a civil proceeding has
       demonstrated that it has a substantial need for relevant SSI and that
       it is unable without undue hardship to obtain the substantial
       equivalent of the information by other means, and if TSA or the judge
       has determined that the sensitivity of the SSI at issue does not
       present a risk of harm to the nation, TSA will begin a background
       check of the requesting party or the party's attorney who has been
       designated to view the SSI.
     o Once TSA has received a party's payment to conduct the background
       check, and the party has completed an SSI threat assessment
       questionnaire and been fingerprinted, it takes approximately 3 weeks
       to complete the background check.
     o If TSA determines that there is risk to the nation to provide a party
       or a party's attorney with SSI based on the results of the background
       check, TSA will deny the applicant's request. At that time, the party
       may designate a new attorney to access SSI on its behalf. If this
       occurs, TSA will conduct a background check on the new attorney.
     o The determination of whether SSI will be released to a party in civil
       proceedings is a joint determination made by TSA's Office of Chief
       Counsel and the SSI Office.

  Objective #3-SSI Office Efforts to Establish Quality Controls for Responding
  to SSI Requests

The SSI Office's use of a controlled access database to document the
completion of its steps in the review of requests to release SSI serves as
a quality control mechanism. This is achieved by:

     o incorporating controls in the database so that the previous step
       must be documented before information can be entered in the next
       step of the review process; and
     o requiring that a senior analyst within the SSI Office approve the
       SSI review and document his or her approval in the database prior
       to releasing information formerly protected as SSI.

TSA is also currently drafting a Notice of Proposed Rulemaking in
anticipation of establishing its processes and procedures for responding
to requests for SSI during civil proceedings.

  Objective #4-DHS SSI Internal Controls Are Consistent with Internal Control
  Standards for the Federal Government

TSA has established internal controls for SSI and created mechanisms to
communicate these controls that are consistent with internal control
standards for the federal government.^14

Control Environment and Control Activities: areas of authority and
responsibility to be clearly defined by a supportive management structure
and controls in place to ensure that management's directives are carried
out.

     o Areas of authority for the monitoring and compliance of SSI policy are
       outlined in the revised DHS MD (MD 11056.1) and other agency and
       departmental guidance.
     o SSI program managers and coordinators have been established in the MD
       to communicate SSI responsibilities with DHS staff.

^14 GAO/AIMD-00-21.3.1.

Monitoring: information is used to assess the quality of program
performance over time and problems raised during quality reviews are
promptly resolved.

     o Controls are in place to provide oversight for each agency's
       generation and designation of SSI including self-inspection
       reporting methods. The self-inspection process requires SSI program
       managers and coordinators to, among other monitoring activities,
       evaluate a portion of records marked as containing SSI.
     o Agencies may also utilize audits of the identification and use of
       SSI. TSA is in the process of conducting such an audit.
     o The SSI Office reviews information in response to requests to release
       SSI, regardless of the agency that originally identified the
       information as SSI.

The aspects of the SSI internal controls for monitoring activities that we
evaluated are consistent with internal control standards for the federal
government.

Attachment #1-Categories of SSI as Established by TSA at 49 C.F.R. § 1520.5(b)

    1. Security program and contingency plans;
    2. security directives;
    3. information circulars;
    4. performance specifications;
    5. vulnerability assessments;
    6. security inspections or investigative information;
    7. threat information;
    8. security measures;
    9. security screening information;
   10. security training materials;
   11. identifying information of certain transportation security personnel;
   12. critical aviation or maritime infrastructure asset information;
   13. systems security information;
   14. confidential business information;
   15. research and development; and
   16. other information determined to be SSI in accordance with the statute
       (as designated in writing by the DHS Secretary, the TSA
       Administrator, or the Director of the SSI Office)

Attachment #2-SSI Office's Nine-Step Process for Reviewing Document Requests^15

^15 GAO analysis of information provided by the TSA SSI Office.

(440627)
