USA Flag

Official website of the Department of Homeland Security

Statute and Regulation History

Sensitive Security Information (SSI)

1974Air Transportation Security Act (Summary)
(Pub. L. No. 93-366)
This law directed that U.S. airport operators establish security programs that include law enforcement personnel from State, local, and private sources. The law mandated that the Department of Transportation’s Federal Aviation Administration (DOT/FAA) prescribe regulations requiring weapons-detecting screening of all passengers and carry-on property. The law specifically authorized FAA to issue regulations that, notwithstanding the Freedom of Information Act, would prohibit disclosure of any information obtained or developed in the conduct of research and development activities if the disclosure of such information (1) would constitute an unwarranted invasion of personal privacy; (2) would reveal trade secrets or privileged or confidential commercial or financial information obtained from any person; or (3) would be detrimental to the safety of persons traveling in air transportation. Pursuant to this authority, FAA promulgated regulations that created a category of sensitive but unclassified information known as Sensitive Security Information (SSI).
1976Title 14, Code of Federal Regulations (CFR) Part 191
(Notice of Proposed Rulemaking)
On June 18, 1976, FAA published a notice of proposed rulemaking to create 14 CFR Part 191 entitled “Withholding Security Information from Disclosure under the Air Transportation Security Act of 1974.” Part 191 describes what information is protected from disclosure by the FAA. Among records prohibited from public release were “the security program of any airport; the security program of any air carrier; any device for the detection of any explosive or incendiary device or weapon; and, any contingency security plan.”
1990Aviation Security Improvement Act (Summary)
(Pub. L. No. 101-604)
The bombing of Pan Am Flight 103 over Lockerbie, Scotland on December 21, 1988, stimulated significant changes in aviation security. In 1989, the President's Commission on Aviation Security and Terrorism recommended improvements in the FAA security bulletin process. As a result, Security Directives (SDs) and Information Circulars (ICs) were created. This 1990 Act later required procedures to minimize the number of individuals having access to security threat information, such as SDs and ICs.
199714 CFR Parts 107 et al., including Part 191 (Sensitive Security Information)
(14 CFR Part 191 – Final Rule)
On March 21, 1997, FAA published the final rule on 14 CFR Part 191, changing its title to “Protection of Sensitive Security Information,” which strengthened existing rules to protect SSI from unauthorized disclosure, and expanded its application to air carriers, airport operators, indirect air carriers, foreign air carriers, and individuals, specifying in more detail the information they must protect. In specifying what information constituted SSI, the final rule at Part 191 expanded the 1976 rule to specifically protect SDs, ICs, and inspection, incident, and enforcement-related SSI.
2001Aviation and Transportation Security Act
(Pub. L. No. 107-71)
Following the 9/11 terrorist attacks in the United States, Congress passed the Aviation and Transportation Security Act (ATSA) on November 19, 2001, which established the Transportation Security Administration (TSA). The Act transferred the responsibility for civil aviation security from FAA to TSA. The statute also provided authority to TSA to designate information as SSI.
2002Civil Aviation Security Rules
(14 CFR Parts 91, et al., and 49 CFR Parts 1500, et al., including Part 1520 – Protection of Sensitive Security Information) Final Rule
On February 22, 2002, FAA and TSA published a final rule transferring the bulk of FAA's aviation security rules, including FAA's SSI regulation, to TSA. It also specified in more detail which information is SSI, and protected vulnerability assessments for all modes of transportation.
2002Homeland Security Act (HSA) of 2002
(Pub. L. No. 107-296)
The Homeland Security Act of 2002 (HSA), signed on November 25, 2002, established the Department of Homeland Security (DHS) and transferred TSA from DOT to DHS. The HSA also amended 49 U.S.C. §40119 to retain SSI authority for the Secretary of Transportation, and added subsection (s) (now (r)) to 49 U.S.C. § 114 reaffirming TSA’s authority under DHS to prescribe SSI regulations.
200449 CFR Part 1520 (Interim Final Rule)TSA and DOT expanded the SSI regulation to incorporate maritime security measures implemented by U.S. Coast Guard regulations and clarify preexisting SSI provisions in an interim final rule (IFR) issued on May 18, 2004. The DOT SSI regulation is at 49 CFR Part 15, and the TSA SSI regulation remains at 49 CFR Part 1520.
200549 CFR Part 1520 (Technical Amendment)TSA and DOT issued a technical amendment to the SSI regulation on January 7, 2005, to remove the limiting words “aviation or maritime” from 49 CFR 1520.11 (persons with a need to know) to clarify that entities in all transportation modes are persons with a need to know specific SSI, i.e., vulnerability assessments and threat information, to help forestall future attacks.
200549 CFR Part 1520 (Interim Final Rule)TSA issued an IFR on July 19, 2005, expanding the SSI regulation to protect information related to the reopening of Ronald Reagan Washington National Airport (DCA) to specified General Aviation flights.
2005Homeland Security Appropriations Act of 2006 § 537
(Pub. L. No. 109-90, codified at 6 U.S.C. § 114)
This Act, signed on October 18, 2005, required DHS to provide department-wide policies for designating, safeguarding, and marking documents as SSI, along with auditing and accountability procedures. The Act also required that DHS report to Congress the number of SSI Coordinators within DHS, and provide a list of documents designated as SSI in their entirety. It also required that DHS provide guidance that includes extensive examples of SSI to further define the individual categories found under 1520.5(b)(1) through (16). The Act directed that such guidance serve as the primary basis and authority for protecting, sharing, and marking information as SSI.
2006Air Cargo Security Requirements
(49 CFR Parts 1520, 1540, 1542, et al.) Final Rule
TSA issued a Final Rule on May 29, 2006, clarifying that Security Directives and Information Circulars issued to Indirect Air Carriers (cargo freight forwarders) were SSI, as were the performance specifications of devices used by the Federal Government or any other person pursuant to aviation or maritime transportation security requirements to detect persons.
2006Homeland Security Appropriations Act of 2007 § 525
(Pub. L. No. 109-295)
This Act, signed on October 4, 2006, required DHS to revise its SSI MD to include the Advanced SSI Application Guide and mandated timely review of SSI requests. It also contained reporting requirements, mandated expanded access to SSI in litigation, and required that all SSI over three years old, and not in current SSI categories, be released upon request unless the DHS Secretary [or designee] makes a written determination that the information must remain SSI.
2008Real ID or Minimum Standards for Driver’s Licenses and ID Cards Acceptable by Federal Agencies for Official Purposes
(6 CFR 37 – Final Rule)
The REAL ID Act of 2005 (Pub. L. No. 109–13) required DHS to establish standards for state-issued driver’s licenses that Federal agencies could accept for official identification purposes, including “boarding federally regulated commercial aircraft.” Title 6 CFR Part 37, published on January 29, 2008, implements the REAL ID Act and requires states to provide to DHS security plans and related vulnerability assessments on state facilities where cards will be produced. These security plans and assessments are SSI and must be handled in accordance with 49 CFR 1520.
2008Rail Transportation Security
(49 CFR Part 1520 and 1580 – Final Rule)
The Rail Transportation Security Final Rule, published in the Federal Register on November 26, 2008, adds rail-related terms and covered persons to Part 1520, including railroad carriers, rail facilities, rail hazardous materials shippers and receivers, and rail transit systems that are described in new Part 1580. Although rail vulnerability assessments and threat information were already SSI under Part 1520, this rail final rule specifies that information on rail security investigations and inspections, security measures, security training materials, critical rail infrastructure assets, and research and development is also SSI.
Latest revision: 16 December 2012