In response to congressional concerns about whether the Transportation Security Administration (TSA) has been applying sensitive security information (SSI) designations consistently and appropriately, we completed a report in June 2005 with several recommendations. Using the designation appropriately is important to both protect sensitive information as well as to not discourage the sharing of such information by over protecting it. We reported that TSA did not have any criteria for determining what constitutes SSI nor any policies on accounting for or tracking documents designated as SSI. We recommended that TSA establish clear guidance and procedures for using the TSA regulations to determine what constitutes SSI. In February 2007, TSA reported to us that they responded to our recommendation by creating and developing a one-page summary list of citations with accompanying explanatory notes; a short guide to handling SSI; an advanced application guide with detailed descriptions of SSI; a reviewers’ guide; and identification guides with examples supported by corresponding legal citations for SSI. These changes will allow TSA to better track the use of the SSI designations.
In June 2005, in response to growing concerns about whether TSA has been applying the sensitive security information (SSI) designation consistently and appropriately, we completed a report with several recommendations. We reported that TSA had not established policies and procedures for how it will monitor compliance with the regulations governing the SSI designation process. In an October 2004 memorandum, TSA itself recognized that the handling and identification of SSI had become problematic. Among other things, we recommended that TSA take action to establish clear responsibility for the identification and designation of information that warrants SSI protection. In February 2007, TSA officials reported to us that they responded to our recommendation by organizing and appointing SSI Coordinators with roles that align with SSI policy goals at all TSA Program and Federal Security Directors (FSD) Offices, have set SSI determination policy, and are continuously communicating updated information to SSI Coordinators.
In response to a congressional request, we evaluated the Transportation Security Administration’s internal controls for handling sensitive security information (SSI) and determined that TSA did not have any formally defined policies or procedures for monitoring compliance with the laws and regulations governing the process for designating information as SSI. Without clearly defined policies and procedures for assessing compliance with the regulations governing the SSI designation process, TSA lacks structure to support continuous assurance that those employees making SSI designations within TSA are designating documents properly. Therefore, we recommended in our June 2005 report to congressional requesters that TSA establish internal controls that clearly define responsibility for monitoring compliance with regulations, policies, and procedures governing the SSI designation process and communicate that responsibility throughout TSA. TSA reported to us in February 2007 that it had responded to our recommendation by designating Department of Homeland Security (DHS) SSI Program Managers and SSI Coordinators; establishing procedures for DHS-wide SSI auditing; and developing standard self-inspection and reporting methods for Program Managers to report every 18 months on audit and inspection results and for SSI Coordinators to report annually. These actions will help assure that TSA employees are making SSI designations properly.
In June 2005, we reported that Transportation Security Administration’s new Sensitive Security Information Program Office, established in February 2005, had not developed policies and procedures for providing specialized training for all of its employees making SSI designations on how information is to be identified and evaluated for protected status. Specialized training designed to familiarize those who are making SSI designations on how information is to be identified and evaluated would reduce the likelihood that employees improperly exempt information from public disclosure or inappropriately disclose sensitive security information. In our report, we recommended that the Administrator of TSA establish policies and procedures for providing specialized training to those making SSI designations on how information is to be identified and evaluated for protected status. In February 2007, TSA reported to us that they responded to our recommendation by developing online SSI training that is introduced to all new TSA employees during orientation,developing a live, 60-minute presentation, and delivering training specifically tailored to individualized programs (e.g. airports, contractors, SSI Coordinators, and Freedom of Information Act staff). By taking these actions, TSA will have documentation that shows who is responsible for ensuring that employees comply with SSI training requirements and will help to ensure that employees are consistently and properly designating information as SSI.