The National Academies

TCRP J-05/Topic 19-03 [RFP]

Navigating the Complexities of Sensitive Security Information (SSI) and Protected Critical Infrastructure Information (PCII)
[ TCRP J-05 (Legal Aspects of Transit and Intermodal Transportation Programs) ]

Posted Date: 7/22/2019

  Project Data
Funds: $50,000
Contract Time: (12 Months)
Authorization to Begin Work: 1/7/2020 -- estimated
Staff Responsibility: Gwen Chisholm-Smith
   Phone: 202-334-3246
   Email: gsmith@nas.edu
Comments: RFP
RFP Close Date: 9/26/2019
Fiscal Year: 2018


The Transit Cooperative Research Program (TCRP) plans to award a contract for a study and report. Legal research reports sponsored by this project are published in TCRP's Legal Research Digest (LRD) series in electronic format. Publications are made available to some libraries and to approximately 4,000 transportation lawyers and officials through the TRB distribution network.
Transit agencies collect and maintain extensive information about the security, operations, facilities, critical infrastructure, and/or other assets or capital projects. Disclosure of this information could be detrimental to the security of transit operations, infrastructure, employees, or customers.
Recognizing the importance of protecting such information, the U.S. Department of Transportation (DOT) and the Department of Homeland Security (through the Transportation Security Administration [TSA]) have promulgated regulations that provide requirements for handling of sensitive security information (SSI) and protected critical infrastructure information (PCII). SSI and PCII are not subject to disclosure under the Freedom of Information Act and many state open records laws. SSI and PCII are also not available under discovery in federal litigation and is not required to be part of the record in federal rulemaking.
Sensitive Security Information (SSI)
The regulations governing SSI at 49 CFR Parts 15 (applicable to DOT) and 1520 (applicable to TSA) define SSI as information obtained or developed in the conduct of security activities, including research and development, the disclosure of which the Secretary of DOT has determined would (1) constitute an unwarranted invasion of privacy (including, but not limited to, information contained in any personnel, medical, or similar file); (2) reveal trade secrets or privileged or confidential information obtained from any person; or (3) be detrimental to transportation safety.
 Although the SSI regulations typically apply to airports and vessels, transit agencies are generally “covered persons” under 49 C.F.R. Sections 15.7 and 1520.7 because they are either (1) a grantee of DOT and/or DHS); (2) a rail transit system subject to the requirements of 49 CFR Part 1580; and/or (3) a transit agency for which a vulnerability assessment has been directed, created, held, funded, provided to or approved by the DOT.
Protected Critical Infrastructure Information
PCII is a voluntary program for this category of federal “sensitive but unclassified” information. PCII is defined by 6 U.S.C. Section 131 as “information not customarily in the public domain and related to the security of critical infrastructure or protected systems.” Under 42 U.S.C. Section 5195c(e) (Homeland Security Act) and Section 1016(e) of the U.S. Patriot Act, PCII includes “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” The definition of PCII is meant to be broad, covering a wide array of activities. The implementing regulations are at 6 CFR Part 29. In addition, certain state laws restrict access to “critical infrastructure” information. See, e.g., Colorado Rev. Stat. 24-72-204(2)(a)(VIII)(A).
Challenges Faced By Transit Agencies
Procedures for identifying, designating, and marking SSI are strictly circumscribed. PCII must be designated by TSA. While federal agencies have tried to provide advice as to what information may or may not be SSI, transit agencies sometimes have challenges in determining whether some types of information are covered and should be restricted from public disclosure. Further, determining whether to provide information to TSA to be classified as PCII may present challenges. Does a transit agency want TSA to make this determination? Does a transit agency want to turn over the information at all? Designating information as SSI or PCII gives rise to substantial protection, marking, and destruction obligations for such information, so such designations cannot be undertaken lightly.
 The objectives of this research are to:
  • Review and identify SSI and PCII regulations and requirements relevant to transit agencies, focusing on federal requirements, but also highlighting representative state laws and regulations.
  • Identify potential legal and operational consequences for improper, too broad, or too restrictive designation of SSI.
  • Produce a report that includes best practices or common industry understandings or questions regarding the designation of potential protected information.
It is expected that the research consultant will obtain guidance that has been issued by DOT or TSA, and interview representatives of transit agencies to determine how the agencies have applied the regulations. The research should also include a confidential survey of a sample of transit agencies to determine what challenges those agencies may have faced in designating various types of information as SSI—or submitting information to TSA for classification as PCII, if at all. 
The guidance provided should answer question, such as, to what extent do the federal agencies become directly involved with transit agencies regarding particular requests from the public?

This research will be conducted in four tasks pursuant to a firm fixed price agreement.
The tasks will be as follows:
Task 1. Research plan and detailed report outline. The consultant will conduct background research and collect relevant material. Based on the initial but complete review of the source material, consultant will propose a detailed report outline. The outline should be at least 8 to 12 pages, include a proposed survey if one is to be used, and contain sufficient detail to inform the TCRP project panel of what a 75- to 100-page report will contain. This outline should also contain the estimated pagination for each proposed section and/or subsection. This material will be submitted to TCRP for consideration and approval.
Task 2. After approval of the work plan, the consultant should conduct additional research, and case and statutory/regulatory analysis.
Task 3. Draft report in accordance with the approved work plan (including modifications required by TCRP).
Task 4. Revise report as necessary. The consultant should estimate that two revisions will be necessary. One revision may be required after review by the TCRP staff and members of a select subcommittee. Additional revisions may be required after the full committee has reviewed the report.
Funding: $50,000
Payment Schedule
25% paid upon submission and approval of the Task 1 Report.
50% paid upon submission and approval of the Task 3 Report.
25% paid upon submission and approval of the Final Report (following revisions as required by TCRP).
An important factor in rating proposal offers will be the proposer’s commitment to promptly undertake and complete this study.
Proposals should be submitted as a single PDF with the following information and in the following order:
  1. Summary sheet. Here is the summary sheet .
  2. A statement of interest and qualifications.
  3. Resume of key team members along with a description of responsibilities.
  4. A list of your relevant prior publications (you may enclose one or two samples).
  5. A statement of resources you will allocate to this project; any additions, deletions, or changes you may wish to suggest for undertaking the work; and your requested compensation.
  6. Proposals should not exceed a total of 25 pages (including writing samples).
  7. An executed, unaltered liability statement. Here is a printable version of the Liability Statement.
Proposals are evaluated by project panel members and TCRP staff consisting of individuals collectively knowledgeable in the problem area. Evaluations are based upon the proposers': (1) experience in the subject area; (2) understanding of the work (demonstrated by the commitment of resources); (3) prior relevant publications (including briefs); (4) schedule for completing the work; and (5) price.
Proposals should be uploaded via this link: https://www.dropbox.com/request/OIQDGVrbKIsWB5D3eUZF
by 5:00 p.m.(EST) on September 26, 2019. Proposals will not be accepted after this time.

Proposals are due not later than 5:00 p.m. on 9/26/2019.

This is a firm deadline, and extensions are not granted. In order to be considered for award, the agency's proposal accompanied by the executed, unmodified Liability Statement must be in our offices not later than the deadline shown, or the proposal will be rejected.

Liability Statement

The signature of an authorized representative of the proposing agency is required on the unaltered statement in order for TRB to accept the agency's proposal for consideration. Proposals submitted without this executed and unaltered statement by the proposal deadline will be summarily rejected. An executed, unaltered statement indicates the agency's intent and ability to execute a contract that includes the provisions in the statement.

Here is a printable version of the Liability Statement (pdf). A free copy of the Adobe Acrobat PDF reader is available at http://www.adobe.com.

General Notes

1. According to the provisions of Title 49, Code of Federal Regulations, Part 21, which relates to nondiscrimination in federally assisted programs, all parties are hereby notified that the contract entered into pursuant to this announcement will be awarded without discrimination on the grounds of race, color, religion, sex, national origin, or disability.

2. The essential features required in a proposal for research are detailed in the current brochure entitled "Information and Instructions for Preparing Proposals" (updated March 2018). Proposals must be prepared according to this document, and attention is directed specifically to Section V for mandatory requirements. Proposals that do not conform with these requirements will be rejected. This brochure is available here.

3. The total funds available are made known in the project statement, and line items of the budget are examined to determine the reasonableness of the allocation of funds to the various tasks. If the proposed total cost exceeds the funds available, the proposal is rejected.

4. All proposals become the property of the Transportation Research Board. Final disposition will be made according to the policies thereof, including the right to reject all proposals.

5. Potential proposers should understand that follow-on activities for this project may be carried out through either a contract amendment modifying the scope of work with additional time and funds, or through a new contract (via sole source, full, or restrictive competition).

To create a link to this page, use this URL: http://apps.trb.org/cmsfeed/TRBNetProjectDisplay.asp?ProjectID=4820