Sensitive Security Information (SSI)
What is Sensitive Security Information?
Sensitive Security Information (SSI) is a specific category of sensitive but unclassified (SBU) information that is governed by Federal law. SSI is information obtained or developed which, if released publicly, would be detrimental to transportation security. At TSA, our goal is to release as much information as possible publicly without compromising security.
SSI is not classified national security information and is not subject to the handling requirements governing such information, but is subject to the handling procedures required by the SSI Federal Regulation (49 CFR Part 1520). Unauthorized disclosure of SSI may result in civil penalties and other enforcement or corrective actions.
When was SSI created?
In response to increasing threats against aviation security, including hijackings in the 1960s and 1970s, Congress passed the Air Transportation Act of 1974, which clarified that the airlines and airports would be responsible for aviation security. The Federal Aviation Administration’s (FAA) role was to approve the security plans provided by airlines and airports. Congress also mandated that FAA create SSI to protect the information in these security plans as well as other information related to aviation security. In 1976, FAA published the first SSI Federal regulation.
Since then, FAA, and later TSA, have updated the regulation as the mandates of these agencies have changed over time. The current SSI regulation lists sixteen categories of information that are considered SSI, including security plans, specifications for screening equipment, threat information, and details regarding security screening information.
Why was SSI created?
Certain sensitive transportation security information needs to be shared with our transportation partners, which are for the most part private companies such as airlines. The personnel associated with these companies require access to sensitive security information to properly perform their transportation security-related tasks.
If certain information were protected as “classified” information, sharing it with private stakeholders would be very difficult. For example, “classified” information may only be shared with persons who hold a security clearance, and many persons in the transportation industry do not have one. Thus, a new category of sensitive but unclassified information (SSI) was created so that the information could be both safely shared and protected as appropriate.
Where can I get a copy of the SSI Federal regulation?
The SSI Federal Regulation, 49 CFR Part 1520, is available to read and/or print.
What types of information are protected as SSI?
In order for information to be SSI it must be related to transportation security, the release of the information must be detrimental to transportation security, and it must fall under one of the sixteen categories of SSI. If the information does not meet all three criteria, then the information may not be protected as SSI.
Who has access to SSI?
The SSI regulation requires that only “covered persons with a need to know” may have access to SSI. Generally, covered persons have a need to know SSI when access to the information is necessary for the performance of their official duties. The SSI Federal regulation provides a list of covered persons.
How can I gain access to SSI?
Unless you are a covered person with a need to know, you will not be granted access to SSI. A covered person may be required to sign a non-disclosure agreement before gaining access to SSI.
Why can’t SSI be shared with persons who do not have a need-to-know?
SSI is information that would be detrimental to transportation security if publicly known. Therefore, the regulation specifically states that SSI is shared only with covered persons who have a need to know.
May I gain access to SSI through a Freedom of Information Act (FOIA) request?
At TSA, our goal is to release as much information as possible publicly without compromising security. That said, under the FOIA statute, SSI is exempt. Should a requested document contain both SSI and public information, then TSA will redact (black-out) the SSI and the remaining public information will be provided.
Who needs to comply with the SSI regulation?
All covered persons who have access to SSI must comply with the SSI regulation. Those who have access to SSI are responsible for ensuring that records containing SSI are safeguarded at all times from disclosure to unauthorized persons.
What does it mean when a document has the marking “Sensitive Security Information” at the top of each page?
The marking of “Sensitive Security Information” at the top of a document indicates that the document contains SSI. The document must also include the SSI footer which states:
WARNING: This record contains Sensitive Security Information that is controlled under 49 CFR parts 15 and 1520. No part of this record may be disclosed to persons without a “need to know,” as defined in 49 CFR parts 15 and 1520, except with the written permission of the Administrator of the Transportation Security Administration or the Secretary of Transportation. Unauthorized release may result in civil penalty or other action. For U.S. government agencies, public disclosure is governed by 5 U.S.C. 552 and 49 CFR parts 15 and 1520.