Welcome to the Sensitive Security Information (SSI) Web Based Training for Airport Operator Employees.

This training should take about 15 minutes to complete. 

The MAA must handle Sensitive Security Information in a manner that complies with the Transportation Security Administration’s regulations.

It is important that all MAA employees, and other individuals who work within transportation security, understand how to handle SSI.

The procedures in this presentation are TSA requirements and best practices for covered persons to follow when handling SSI.

This presentation is organized to inform and explain:

1. What MAA means by SSI;
2. Who MAA considers SSI-covered employees;
3. Why it is important to properly handle SSI at MAA;
4. How SSI is to be protected, disseminated and destroyed;
5. Where is SSI to be stored for future reference;
6. When is SSI no longer considered SSI.

You will be presented with the presentation and then you will be asked a few questions to ensure retention.

By the end of this presentation, we want you to be able to:

Recognize SSI
Use the Protective Marking and Distribution Limitation Statement
Protect SSI
Share SSI
Package and Transmit SSI
Destroy SSI Properly

Introduction to Sensitive Security Information (SSI)

Definition

Sensitive Security Information is a category of information that requires protection because public disclosure would be detrimental to the security of transportation. SSI is considered Sensitive But Unclassified (SBU). SSI is used extensively by the government and private sectors. Civil penalties are assigned for unauthorized disclosure of SSI. Classified national security information is subject to more stringent handling requirements. Criminal penalties can be incurred for unauthorized release of classified national security information.

Introduction to Sensitive Security Information (SSI)

Access to SSI...

...is limited to "covered persons" listed in 49 CFR 1520.7 with a "need to know" as defined in 49 CFR 1520.11. "Need to know" is limited to persons who carry out, supervise, or are in training for transportation security activities, if necessary, for the performance of their job.

_{Source: 49 CFR 1520.7 and 49 CFR 1520.11}

16 Categories of SSI

1. Security Programs and Contingency Plans
2. Security Directives
3. Information Circulars
4. Performance Specifications
5. Vulnerability Assessments
6. Security Inspection or Investigative Information
7. Threat Information
8. Security Measures
9. Security Screening Information
10. Security Training Materials
11. Identifying Information of Certain Transportation Security Personnel
12. Critical Aviation or Maritime Infrastructure Asset Information
13. Systems Security Information
14. Confidential Business Information
15. Research and Development
16. Other Information

_{Source: 49 CFR 1520.5(b)}

Material

Material that would normally be recognized as SSI according to the regulation may no longer be considered SSI if it is readily available to the public through "open source" information.

Examples:

Statutes - Information released by TSA
Newspapers - Congressional or GAO Reports
Books & Magazines
Google
Trade Journals

Recognition of SSI

Using Reason

When analyzing information to identify SSI, ask:
"How might this information be detrimental to transportation security?"

SSI – Protective Marking and Distribution Limitation Statement

Any person who creates a record containing SSI shall include a protective marking and distribution limitation statement.

Even if there is only one sentence containing SSI in a 50-page document, the entire document must be marked accordingly.

All SSI documents shall contain the protective (header) "Sensitive Security Information". This protective marking should be stamped or typed in plain style bold text.

SSI – Protective Marking and Distribution Limitation Statement

The distribution limitation statement (footer) informs the viewer that the record must be protected from unauthorized disclosure.

"WARNING: This record contains Sensitive Security Information that is controlled under 49 CFR parts 15 and 1520. No part of this record may be disclosed to persons without a "need to know," as defined in 49 CFR parts 15 and 1520, except with the written permission of the Administrator of the Transportation Security Administration or the Secretary of Transportation. Unauthorized release may result in civil penalty or other action. For U.S. government agencies, public disclosure is governed by 5 U.S.C. 552 and 49 CFR parts 15 and 1520."

SSI – Protective Marking and Distribution Limitation Statement

What should I do if someone sends me a SSI document that is unmarked?

A person who receives an unmarked record containing SSI should apply the protective marking and distribution limitation statement, and inform the sender of the omission.

SSI – Protective Marking and Distribution Limitation Statement

Placement: Charts, Maps, and Drawings

Charts, maps, and drawings designated as SSI must have the appropriate protective marking and the distribution limitation statement affixed in a manner that is plainly visible.

SSI – Protective Marking and Distribution Limitation Statement

Placement: Electronic and Magnetic Media

SSI contained on electronic media and magnetic media must have the protective marking and the distribution limitation statement applied at the beginning and end of the electronic and magnetic text; on each side of the disk and the disk sleeve/jacket; on the non-optical side of the CD-ROM, DVD or other format disk; and on both sides of the CD-ROM, DVD or other format disk case.

SSI – Protective Marking and Distribution Limitation Statement

Transmittal Documents

Documents used to transmit SSI (like fax cover sheets,) but do not themselves contain SSI, must be marked with the protective marking and distribution limitation statement. The following statements must be affixed to the front page of the cover sheet:

"This facsimile is intended for the recipient only. If this is received by someone other than the intended recipient, the person receiving the message should immediately contact the sender for further instructions."

"The protective marking SENSITIVE SECURITY INFORMATION and/or the distribution limitation statement on this page are canceled when the attachments containing SSI are removed."

Who is responsible for protecting SSI?

Anyone possessing SSI is responsible for ensuring that the information and records containing SSI are protected at all times from disclosure to anyone who does not have a "need to know."

What do I do when SSI is on the computer or desk and not under my direct physical control?

When SSI is not under your direct physical control, you must ensure that it is protected in such a way that it is not physically or visually accessible to persons who do not have a "need to know."

Sharing of SSI

SSI may be shared with "covered persons" with a "need to know."

Covered Person:
A covered person is an individual or entity with transportation security or transportation security-related responsibilities. Covered persons include State employees, contractors, as well as stakeholders and industry partners.

Persons with a "Need to Know":
An individual or entity has a need to know SSI when they require access to that specific SSI to accomplish assigned transportation security or transportation security-related tasks, as determined by an authorized holder of SSI.

Authority to Share SSI
The authority to share SSI with any person or entity without a "need to know" is limited to the TSA Administrator.

Unauthorized Sharing of SSI
Every covered party has the responsibility to safeguard SSI according to the CFR and TSA policies. If you encounter SSI that has been inadvertently shared, immediately notify the Airport Security Division.

Packaging and Transmission of SSI

Physical Transmission of SSI

The non-electronic methods of transmitting SSI materials are:

• Mail – SSI may be transmitted by First class mail, regular parcel post, or by delivery services (Federal Express, UPS, or DHL).
• Interoffice mail – SSI must be transmitted in a sealed envelope to prevent inadvertent visual disclosure.
• Hand-carrying between buildings – SSI material carried by hand within or between buildings must be protected to prevent inadvertent visual disclosure.

SSI Transmission: E-Mail

SSI information transmitted by e-mail should be password protected. Passwords used must:

• Have eight character minimum length
• Have at least one letter capitalized
• Contain at least one number

SSI Transmission

Web Posting SSI is not authorized for posting on the internet, or on industry partner intranets, except for postings on secure sites specifically authorized by TSA.

Facsimile
The sender of faxed SSI must confirm that the fax number of the recipient is current and valid and the intended recipient can promptly retrieve the information.
Facsimiles sent to a controlled, secure area where unauthorized people cannot intercept the SSI material may be sent without requiring the recipient to be there.

Telephone
For SSI communicated via telephone, the caller must ensure that the person receiving the SSI is a "covered person" with a "need to know."

People transmitting SSI via telephone should avoid cellular or cordless phones.

Destruction of SSI

When copies of records containing SSI are no longer needed, they must be promptly and completely destroyed. The objective of destruction is to preclude recognition or reconstruction of the information.

The most common methods used to destroy SSI material include:

• SSI bins
• Cross-cut shredders
• Cutting or tearing into pieces that are no longer than 1/2 inch on a side

Now, let's see what you have learned about SSI...