Transportation Security Administration: Clear Policies and
Oversight Needed for Designation of Sensitive Security
Information (29-JUN-05, GAO-05-677).
Concerns have arisen about whether the Transportation Security
Administration (TSA) is applying the Sensitive Security
Information (SSI) designation consistently and appropriately. SSI
is one category of "sensitive but unclassified"
information--information generally restricted from public
disclosure but that is not classified. GAO determined (1) TSA's
SSI designation and removal procedures, (2) TSA's internal
control procedures in place to ensure that it consistently
complies with laws and regulations governing the SSI process and
oversight thereof, and (3) TSA's training to its staff that
designate SSI.
-------------------------Indexing Terms-------------------------
REPORTNUM: GAO-05-677
ACCNO: A28378
TITLE: Transportation Security Administration: Clear Policies
and Oversight Needed for Designation of Sensitive Security
Information
DATE: 06/29/2005
SUBJECT: Accountability
Employee training
Federal regulations
Government information
Internal controls
Policy evaluation
Security classification (government
documents)
Policies and procedures
******************************************************************
** This file contains an ASCII representation of the text of a **
** GAO Product. **
** **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced. Tables are included, but **
** may not resemble those in the printed version. **
** **
** Please see the PDF (Portable Document Format) file, when **
** available, for a complete electronic file of the printed **
** document's contents. **
** **
******************************************************************
GAO-05-677
United States Government Accountability Office
GAO
Report to Congressional Requesters
June 2005
TRANSPORTATION SECURITY ADMINISTRATION
Clear Policies and Oversight Needed for Designation of Sensitive Security
Information
GAO-05-677
[IMG]
June 2005
TRANSPORTATION SECURITY ADMINISTRATION
Clear Policies and Oversight Needed for Designation of Sensitive Security
Information
What GAO Found
TSA does not have guidance and procedures, beyond its SSI regulations,
providing criteria for determining what constitutes SSI or who can make
the designation. Such guidance is required under GAO's standards for
internal controls. In addition, TSA has no policies on accounting for or
tracking documents designated as SSI. As a result, TSA was unable to
determine either the number of TSA employees actually designating
information as SSI or the number of documents designated SSI. Further,
apart from Freedom of Information Act (FOIA) requests or other requests
for disclosure outside of TSA, there are no written policies and
procedures or systematic reviews for determining if and when an SSI
designation should be removed.
TSA also lacks adequate internal controls to provide reasonable assurance
that its SSI designation process is being consistently applied across TSA.
Specifically, TSA has not established and documented policies and internal
control procedures for monitoring compliance with the regulations,
policies, and procedures governing its SSI designation process, including
ongoing monitoring of the process. TSA officials told us that its new SSI
Program Office will ultimately be responsible for ensuring that staff are
consistently applying SSI designations. This office, which was established
in February 2005, will also develop and implement all TSA policy
concerning SSI handling, training, and protection. More detailed
information on how this office's activities will be operationalized was
not yet available. Specifically, TSA officials provided no written
policies formalizing the office's role, responsibilities, and authority.
TSA has not developed policies and procedures for providing specialized
training for all of its employees making SSI designations on how
information is identified and evaluated for protected status. Development
of such training for SSI designations is needed to help ensure consistent
implementation of the designation authority across TSA. While TSA has
provided a training briefing on SSI regulations to certain staff, such as
the FOIA staff, it does not have specialized training in place to instruct
employees on how to consistently designate information as SSI. In
addition, TSA has no written policies identifying who is responsible for
ensuring that employees comply with SSI training requirements.
United States Government Accountability Office
Contents
Letter 1
Background 2
Results 3
Conclusions 7
Recommendations 7
Agency Comments and Our Evaluation 7
Appendix I Briefing Slides
Appendix II Comments from the Department of Homeland
Security
Abbreviations
ATSA Aviation and Transportation Security Act
DHS Department of Homeland Security
DOT Department of Transportation
FAA Federal Aviation Administration
FOIA Freedom of Information Act
SBU Sensitive But Unclassified
SSI Sensitive Security Information
TSA Transportation Security Administration
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.
United States Government Accountability Office Washington, DC 20548
June 29, 2005
The Honorable David Obey
Ranking Minority Member
Committee on Appropriations
House of Representatives
The Honorable Martin Olav Sabo
Ranking Minority Member
Subcommittee on Homeland Security
Committee on Appropriations
House of Representatives
The security of our transportation system is of vital importance to the
nation. In line with keeping our transportation safe, some information
that
is related to threats to or protection of the transportation system must
be
held out of the public domain. On the other hand, the government must
always be mindful of the public's legitimate interest in, and need to
know,
information related to threats to the transportation system and associated
vulnerabilities.
Sensitive Security Information (SSI) is a specific category of information
related to transportation security that is deemed to require protection
against public disclosure. Although it is not classified national security
information, SSI is a category of sensitive but unclassified information
that, along with protected critical infrastructure information, is
specifically
exempted by statute from release under the Freedom of Information Act
(FOIA), and that it is to be disclosed only to covered persons on a need
to
know basis. While the Transportation Security Administration (TSA),
through its SSI authority, may share SSI with regulated entities, it
generally prohibits the public disclosure of information obtained or
developed in the conduct of security activities, which would constitute an
unwarranted invasion of privacy, reveal trade secrets or privileged or
confidential commercial or financial information, or be detrimental to the
security of transportation.
Questions have been raised about TSA's practices and procedures for
determining whether information should be protected as SSI. For example,
certain written responses to questions submitted by TSA to the House
Appropriations Homeland Security Subcommittee were designated as SSI.
However, 1 month earlier, the agency had not treated this same
information as sensitive. Further, in an October 2004 memorandum, TSA
itself recognized that the handling and identification of SSI had become
problematic.
In response to your request concerning TSA's handling of SSI, we are
reporting on (1) TSA's procedures for determining whether information
should be protected under the SSI designation, as well as procedures for
determining if and when the designation should be removed, (2) internal
control procedures in place to ensure that TSA consistently complies with
laws and regulations governing the designation of information as SSI and
how TSA oversees the procedures to ensure that they are consistently
applied, and (3) TSA's training to its staff who designate SSI.
To address our objectives, we reviewed applicable federal laws and
regulations, Department of Homeland Security (DHS) and TSA policies and
procedures, and other documents related to the SSI designation, and
oversight and training processes. We also interviewed TSA and DHS
officials involved in the SSI designation, oversight and training
processes. GAO's Standards for Internal Control in the Federal Government
provided benchmarks and standards against which we assessed TSA's SSI
designation policies and procedures. 1 Our work was conducted from January
2005 through April 2005 in accordance with generally accepted government
auditing standards.
On April 29, 2005, we provided your offices a briefing on the results of
our work. The briefing slides are included in appendix I.
In the aftermath of the terrorist attacks of September 11, 2001, TSA was
created to take responsibility for the security of all modes of public
transportation. Included in the responsibilities of this new agency was
the authority to designate information as SSI. Originally housed in the
Department of Transportation, TSA was transferred to DHS as a result of
the Homeland Security Act of 2002.2
1GAO, Standards for Internal Control in the Federal Government,
GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999).
2The Homeland Security Act of 2002 established 49 U.S.C. S: 114(s) as
TSA's SSI authority. TSA codified its SSI regulations at 49 C.F.R. part
1520.
Background
According to TSA officials, SSI designated information is created by TSA
and by airports, aircraft operators, and other regulated parties when they
are establishing or implementing security programs or documentation to
address security requirements. Information that is designated SSI can be
shared with those who have a need to know in order to participate in or
oversee the protection of the nation's transportation system. Those with a
need to know can include persons outside of TSA, such as airport
operators, aircraft operators, foreign vessel owners, and other persons.
SSI cannot be shared with the general public, and it is exempt from
disclosure under FOIA.
There are 16 categories of SSI. TSA has distinguished these 16 categories
into 3 types of SSI. Four categories are termed "categorical" and
automatically designated SSI. Eleven categories require a judgment or
analysis to determine if the SSI designation is warranted. One category
requires a written determination by an office with determination authority
to be deemed SSI. This category is "other information," which is a
catchall exemption for information that TSA may wish to designate SSI that
does not fit into the other 15 categories.3
Additional background information on the SSI regulatory authority,
including a list of the 16 categories, is included in appendix I.
Results
TSA does not have written policies and procedures, beyond its SSI
regulations, providing criteria for determining what constitutes SSI.
Written guidance for decision making such as this is a key element
included in GAO's Standards for Internal Control in the Federal
Government. Lack of such guidance could result in errors and
inconsistencies in determining the SSI designation. Indeed, in October
2004, TSA's Internal Security Policy Board concluded that TSA must
establish a framework to identify, control, and protect SSI. The board
concluded that essential elements of the framework should include, among
other things,
". . . exacting specificity with respect to what information is covered
and what is not covered. This specificity could be documented in a
classification guide type format because imprecision in this area causes a
significant impediment to determining SSI. Experience
3A subset of one of the judgment categories, 49 C.F.R. S: 1520.5(9)(iii),
also falls within this determination category.
has shown that employees unsure as to what constitutes SSI may err on the
side of caution and improperly and unnecessarily restrict information, or
may err inappropriately and potentially disastrously on the side of public
disclosure."
In addition to lacking written guidance concerning SSI designation, TSA
has no policies and procedures specifying clear responsibilities for
officials who can designate SSI.4 TSA's regulations allow anyone within
TSA to designate information SSI. Further, TSA has no policies on
accounting for or tracking documents designated as SSI. While TSA
officials told us that only a limited number of employees routinely make
SSI designations, they were unable to provide documentation to confirm
this. One consequence of a lack of control of personnel able to designate
documents as SSI is that TSA is unable to determine the number of
employees designating information as SSI or the volume of documents
designated SSI.
Once a document is designated SSI, it can remain designated as SSI in
perpetuity unless a FOIA request or other request for disclosure outside
of TSA results in removal of its SSI status. If a FOIA request is received
for an SSI designated document, or a document that contains some SSI
designated material, the SSI Program Office works in conjunction with the
FOIA Office to review its initial designation. If TSA officials determine
that the document should no longer be considered SSI, it can be released
to the FOIA requester. If TSA officials feel that the SSI designation
should remain but some portions of the document are not SSI, the FOIA
Office can determine whether it is appropriate to release the document
without the SSI material, or not to release the document at all.5 Other
than the FOIA process, no procedures exist for the review of allegations
that a document has been erroneously designated as SSI. If there is no
FOIA request for a particular document, according to TSA, documents marked
as SSI are reviewed for continued applicability upon any request for
disclosure outside of TSA. However, TSA officials provided us with no
information
4TSA identified two categories of information--S:S: 1520.5(b)(9)(iii) and
1520.5(b)(16)-that require a written determination by an office with
determination authority to be designated SSI.
5 According to a TSA official, TSA processed 99 FOIA requests involving or
related to SSI in 2003 and 129 requests in 2004. The TSA official said
that, of the total requests processed in 2003, no requests were granted in
whole, 63 requests were granted in part, and 36 requests were denied in
full. The official also said that, of those 129 requests processed in
2004, no requests were granted in whole, 92 requests were granted in part,
and 37 requests were denied in full.
on the number of documents released as a result of these requests for
public disclosure. TSA's SSI regulations indicate that TSA may determine
in writing that information should no longer be designated as SSI because
it no longer meets SSI criteria, but TSA has not done this to date.
TSA lacks adequate internal controls to provide reasonable assurance that
its SSI designation process is being consistently applied across TSA and
for monitoring compliance with the regulations governing the SSI
designation process, including ongoing monitoring of the process. GAO's
Standards for Internal Control call for (1) areas of authority and
responsibility to be clearly defined and appropriate lines of reporting
established, (2) transactions and other significant events to be
documented clearly and documentation to be readily available for
examination, and (3) controls generally to be designed to ensure that
ongoing monitoring occurs in the course of normal operations. In addition,
the standards also require that information be communicated within an
organization to enable individuals to carry out their internal control
responsibilities. However, our review of TSA's oversight activities noted
weaknesses in each of these areas.
First, TSA has not clearly defined responsibility for monitoring
compliance with regulations, policies and procedures governing the SSI
designation process and communicated that responsibility throughout TSA.
Without clearly identifying the responsibility for monitoring compliance
with regulations governing its SSI designation, this function may not
receive adequate attention, leaving TSA unable to provide reasonable
assurance that those making SSI designations within TSA are designating
documents properly.
In an October 14, 2004, memorandum designed to centralize the
administration of SSI within the agency, TSA's Internal Security Policy
Board recognized that the handling and identification of SSI had become
problematic:
"Lacking a central policy program office for SSI has led to confusion and
unnecessary classification of some materials as SSI. Adherence to handling
requirements within TSA has been inconsistent, and there have been
instances where SSI has been mishandled outside of TSA. Identification of
SSI has often appeared to be ad-hoc, marked by confusion and disagreement
depending on the viewpoint, experience, and training of the identifier.
Strictures on the release of SSI and other SSI policy or handling-related
problems have occasionally frustrated industry stakeholders, Congress, the
media, and our own employees trying to work within the confines of the
restrictions. Significant time and effort
has been devoted to SSI issues, and it is not likely that the current
approach to addressing such issues can be sustained."
TSA officials told us that its new SSI Program Office will ultimately be
responsible for ensuring that staff are consistently applying SSI
designations. This office, which was established in February 2005, will
also develop and implement all TSA policies concerning SSI handling,
training, and protection. Officials said that TSA is also currently
drafting a summary that provides a definition and brief overview of the
SSI authority and is designing materials that will further educate all TSA
employees on policies, procedures, responsibilities, and guidance for
identifying and designating SSI. More detailed information on how this
office's activities will be operationalized was not yet available.
Specifically, TSA currently does not have written policies formalizing the
office's role, responsibilities, and authority.
Second, TSA has not yet established policies and procedures for how it
will monitor compliance with the regulations governing the SSI designation
process. Without written policies and procedures documenting how it plans
to monitor compliance with the regulations governing the SSI designation
process, TSA is unable to demonstrate evidence of its monitoring
activities.
Third, TSA has no formally defined policies or procedures for ongoing
monitoring reviews to assess compliance with the laws and regulations
governing the process for designating information as SSI. Without clearly
defined policies and procedures for conducting periodic internal
monitoring to assess compliance with the regulations governing the SSI
designation process, TSA lacks structure to support continuous assurance
that those employees making SSI designations within TSA are designating
documents properly.
TSA has not developed policies and procedures for providing specialized
training for all of its employees making SSI designations on how
information is to be identified and evaluated for protected status.
Development of specialized training for SSI designations must be preceded
by the establishment of guidance and associated policies and procedures so
that an adequate training curriculum can be developed. It should also
include written policies defining who is responsible for ensuring that
employees comply with SSI training requirements. While TSA has provided a
training briefing on SSI regulations to certain staff such as the FOIA
staff and other units within TSA, it does not have specialized training in
place to instruct employees on how to consistently designate information
as SSI.
Conclusions
Recommendations
In order for TSA's SSI designation process to work effectively, there must
be clarity, structure, and accountability to help ensure that information
is not improperly and unnecessarily restricted or inappropriately
disclosed, and that the SSI designation process is being applied
consistently across TSA. The lack of clear and documented policies and
procedures for determining what constitutes SSI and specifying who may
make the designation could cause confusion and uncertainty for staff who
must administer the SSI designation process without written guidance.
Further, internal control policies and procedures for monitoring the
compliance with regulations governing the SSI designation process,
including internal controls for ongoing monitoring, communicated to all
staff, would help ensure accountability and consistency in the
implementation of TSA's SSI regulations. Specialized training designed to
familiarize those who are making SSI designations on how information is to
be identified and evaluated would reduce the likelihood that employees
improperly exempt information from public disclosure or inappropriately
disclose sensitive security information.
To help bring clarity, structure, and accountability to TSA's SSI
designation process, we recommend that the Secretary of the Department of
Homeland Security direct the Administrator of the Transportation Security
Administration to take the following four actions
o establish clear guidance and procedures for using the TSA regulations
to determine what constitutes SSI,
o establish clear responsibility for the identification and designation
of information that warrants SSI protection,
o establish internal controls that clearly define responsibility for
monitoring compliance with regulations, policies, and procedures governing
the SSI designation process and communicate that responsibility throughout
TSA, and
o establish policies and procedures within TSA for providing specialized
training to those making SSI designations on how information is to be
identified and evaluated for protected status.
Agency Comments We obtained written comments on a draft of this report
from the Department of Homeland Security. We have included a copy of the
and Our Evaluation
comments in their entirety in appendix II. In addition, DHS provided
technical comments, which we incorporated as appropriate.
In its June 14, 2005, comments, DHS generally concurred with our
recommendations and stated that they are consistent with ongoing TSA
efforts to improve sensitive security information program processes. In
its comments, DHS discussed the actions it has already taken and will
implement in response to the recommendations, including developing
internal controls and audit functions, which will define responsibility
for monitoring compliance with regulations, policies, and procedures
governing the SSI designation process, and which will be communicated
throughout TSA. However, as discussed below, DHS took exception to the
report's analyses and conclusions. While we disagree with the thrust of
DHS's comments, we believe we fairly and accurately characterize the
implementation and monitoring of SSI at DHS. We made clarifying changes
where appropriate.
DHS said that our report mischaracterized the nature of SSI by incorrectly
applying concepts associated with classified information management to SSI
information, which falls within a sensitive but unclassified information
category. DHS said that this construct may lead the reader to fundamental
misunderstandings regarding the issues surrounding SSI. Although mentioned
as a basis for comparison, neither the GAO review nor its report was
intended to apply concepts associated with classified information
management to SSI. Rather, our analyses were intended to provide a factual
summary of the key similarities and differences in the classified
information and SSI processes. We compare the two processes only to help
clarify the distinctions that exist and thereby avoid any
misunderstandings by readers who are familiar with the processes for
classified information. We included additional language in the report
clarifying that SSI is a form of sensitive but unclassified information,
rather than classified national security information.
DHS also stated that SSI is the only practical means for sharing security
information with regulated parties and that the absence of a robust SSI
program would degrade both the prompt distribution of security information
to persons with a need to know and the free exchange of ideas. We agree
that SSI is a practical means for sharing security information with
regulated parties. In fact, the findings and recommendations in this
report should help DHS improve the SSI process. That is, providing
specific procedures and guidelines on how individual employees are to
identify and evaluate information for SSI protected status is an intrinsic
part of DHS's responsibility for effectively managing
its SSI process and should provide both DHS and the regulated parties with
confidence that information is given the proper protective status.
DHS said that if a TSA employee incorrectly designates a document as SSI
while it remains within TSA, there is no impact on the public's right to
access because the FOIA review process will always result in an
independent determination regarding the SSI designation and that TSA and
DHS are committed to releasing as much information as possible. We view
the management improvements discussed in this report as helping to ensure
that information that should be withheld from the public is protected as
well as helping to ensure that other information is available to the
public. In addition, the fact that an incorrectly designated SSI document
remains within TSA does not obviate the fact it is wrongfully exempted
from disclosure. The potential lack of visibility to the public that SSI
documents exist and the time and expense to the public and TSA involved in
seeking disclosure of an SSI document through FOIA could inhibit the
release of information that could and possibly should have been in the
public domain but for an incorrect application of SSI.
DHS also states that we make no distinction between the obligation to
"mark" information as SSI, held by all TSA employees, and the authority to
"designate," held by only a very few high-level employees. It explains
that all employees can "mark" documents that fall within 15 categories as
SSI but only the high-level employees can "designate" the 16th category of
"other information" by documenting the designation as SSI. As we point out
in this report, the responsibility of all TSA employees goes beyond just
marking a document as SSI and includes making judgments about what
information should be marked as SSI. As we state on page 3, while TSA
requires a written determination by an office with determination authority
for information deemed SSI for 1 of its 16 SSI categories, according to
TSA, only 4 of the remaining 15 categories automatically becomes SSI
because of the type of document. The other 11 require a judgment or
analysis to be made to determine if the SSI designation is warranted by
any TSA employee. Therefore, we continue to believe that appropriate
guidance and controls are needed to effectively manage the process.
In addition, DHS said that its SSI designation processes are consistent
with every sensitive but unclassified system in the federal government.
While we did not review these other systems, we believe that the
management principles and controls discussed in this report are
appropriate for the TSA system and would be appropriate for similar
systems elsewhere.
DHS said that we made an implied suggestion to quantify and identify all
documents that have been marked as SSI, and to identify all personnel who
have marked such documents. We did note in our discussion of internal
controls that TSA has no policies on accounting for or tracking documents
designated as SSI. As DHS notes, we did not recommend that TSA provide an
inventory of the titles or numbers of SSI documents. In terms of
identifying staff that designate documents as SSI, since we are
recommending training for all those who designate SSI, identification of
all personnel who are going to be applying this designation would be
needed to ensure that all are trained.
Further, DHS states that we obliquely criticize TSA's ability to protect
SSI without a date by which the document automatically loses its SSI
status based on time duration requirements similar to those applicable to
classified information. We did not recommend that TSA should implement
time limits for SSI information. Our review showed that TSA has no written
policies and procedures or systematic reviews for determining if and when
an SSI designation should be removed. Moreover, other than the FOIA
request process and other requests for disclosure outside of TSA, no
procedures exist for a review to determine whether a document has been
appropriately designated as SSI. Such procedures would allow TSA to
periodically review SSI designations and identify and correct erroneously
marked SSI documents while still protecting those with valid reasons.
In commenting on our recommendation that DHS establish clear guidance and
procedures for using the TSA regulations to determine what constitutes
SSI, DHS said that TSA's SSI Program Office has already taken some steps
in line with our recommendation by developing internal guidance that
expands on the SSI regulation structure to provide examples of the types
of information that should fall within each SSI category. It expects to
publish the guidance for general use by TSA employees and regulated
parties in identifying and handling SSI.
In commenting on our recommendation that DHS establish clear
responsibility for the identification and designation of information that
warrants SSI protection, DHS stated that limiting the number of
individuals who may designate a document as SSI would lead to operational
bottlenecks, could lead to inappropriate release of security information,
and would not be operationally feasible. If it is properly done, we do not
see how establishing clear responsibility for performing a governmental
task would lead to these effects. We wish to make a distinction between a
set of personnel who would have responsibility for SSI and a potentially
much larger set of employees who would be able to
designate documents SSI. Those responsible for SSI would be accountable
for ensuring that those in their domain of responsibility have appropriate
training and are applying SSI appropriately. DHS would then be in a much
better position to ensure that those responsible for SSI are held
accountable, have appropriate training, and are applying SSI
appropriately.
DHS agreed with our recommendation for DHS to establish internal controls
that clearly define responsibility for monitoring compliance with
regulations, policies, and procedures governing the SSI designation
process and communicate that responsibility throughout TSA. DHS said it
had already undertaken action to develop internal controls, including
audit functions, which will define responsibility for monitoring
compliance with regulations, policies, and procedures governing the SSI
designation process and will communicate that responsibility throughout
TSA.
In commenting on our recommendation that DHS establish policies and
procedures within TSA for providing specialized training to those making
SSI designations on how information is to be identified and evaluated for
protected status, DHS said that it conducts specialized SSI training for
the SSI Program Office and FOIA staff, and other TSA offices making SSI
designations. In addition, it is expanding specialized training to those
offices within the agency that create the majority of SSI. This is a good
first step in addressing our recommendation, but falls short of its
overall intent because SSI regulations extend the SSI designation
authority to all TSA employees and does so without giving them specific
procedures and guidance, beyond the regulations, upon which to base their
judgments. Thus, policies and procedures for providing specialized
training to all TSA employees authorized to make an SSI designation will
still be needed. In this regard, in our report, we quote an October 14,
2004, TSA memorandum that says in part, "identification of SSI has often
appeared to be ad-hoc, marked by confusion and disagreement depending on
the viewpoint, experience, and training of the identifier." We believe
this statement speaks to the need for specialized training for all those
who designate materials as SSI.
As agreed with your offices, unless you publicly announce the contents of
this report earlier, we plan no further distribution until 30 days from
the report date. At that time, we will send copies of this report to other
interested congressional committees and to the Secretary of the Department
of Homeland Security and the Administrator of the Transportation Security
Administration. We will also make copies
available to others upon request. In addition, the report will be
available at no charge on GAO's Web site at http://www.gao.gov.
If you or your staff have any questions about this report, please contact
me at (202) 512-8777 or [email protected] Contact points for our Offices
of Congressional Relations and Public Affairs may be found on the last
page of this report. Key contributors to this report were Glenn G. Davis,
Vickie Miller, R. Rochelle Burns, Julian King, Thomas Lombardi, David
Hooper, David Plocher, Dolores McGhee, Nikki Clowers, Kim Gianopoulos,
Davi D'Agostino, Ann Borseth, William Cawood, Casey Keplinger, David
Alexander, Katherine Davis, and Larry Harrell.
Laurie E. Ekstrand, Director Homeland Security and Justice Issues
Appendix I: Briefing Slides
Transportation Security Administration's
Designation Process and Oversight of
Sensitive Security Information
Interim Briefing to the
House Committee on Appropriations
April 29, 2005
Appendix II: Comments from the Department of Homeland Security
GAO's Mission
Obtaining Copies of GAO Reports and Testimony
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.
The fastest and easiest way to obtain copies of GAO documents at no cost
is through GAO's Web site (www.gao.gov). Each weekday, GAO posts newly
released reports, testimony, and correspondence on its Web site. To have
GAO e-mail you a list of newly posted products every afternoon, go to
www.gao.gov and select "Subscribe to Updates."
Order by Mail or Phone The first copy of each printed report is free.
Additional copies are $2 each. A check or money order should be made out
to the Superintendent of Documents. GAO also accepts VISA and Mastercard.
Orders for 100 or more copies mailed to a single address are discounted 25
percent. Orders should be sent to:
U.S. Government Accountability Office 441 G Street NW, Room LM Washington,
D.C. 20548
To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202)
512-6061
To Report Fraud, Contact:
Waste, and Abuse in Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: [email protected] Programs Automated answering system: (800)
424-5454 or (202) 512-7470
Gloria Jarmon, Managing Director, [email protected] (202)
512-4400Congressional U.S. Government Accountability Office, 441 G Street
NW, Room 7125 Relations Washington, D.C. 20548
Public Affairs Paul Anderson, Managing Director, [email protected] (202)
512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, D.C. 20548
PRINTED ON RECYCLED PAPER
*** End of document. ***
When paper records contain SSI it should be marked with the protective marking and distribution limitation statement in which of the following locations?For paper records, the protective marking must be at the top and the distribution limitation statement at the bottom of (1) the outside of any front and back cover, including a binder cover or folder, if the document has a front and back cover; (2) any title page; and (3) each page of the document.
Which of the following is an example of sensitive security information?Such information includes biometric data, medical information, personally identifiable financial information (PIFI) and unique identifiers such as passport or Social Security numbers.
|
Which of the following is the correct way to mark a sensitive security information (ssi) document?
zusammenhängende Posts
Urheberrechte © © 2024 ketiadaan Inc.
