BACKGROUND
Transit agencies collect and maintain extensive information about the security, operations, facilities, critical infrastructure, and/or other assets or capital projects. Disclosure of this information could be detrimental to the security of transit operations, infrastructure, employees, or customers.
Recognizing the importance of protecting such information, the U.S. Department of Transportation (DOT) and the Department of Homeland Security (through the Transportation Security Administration [TSA]) have promulgated regulations that provide requirements for handling of sensitive security information (SSI) and protected critical infrastructure information (PCII). SSI and PCII are not subject to disclosure under the Freedom of Information Act and many state open records laws. SSI and PCII are also not available under discovery in federal litigation and is not required to be part of the record in federal rulemaking.
Sensitive Security Information (SSI)
The regulations governing SSI at 49 CFR Parts 15 (applicable to DOT) and 1520 (applicable to TSA) define SSI as information obtained or developed in the conduct of security activities, including research and development, the disclosure of which the Secretary of DOT has determined would (1) constitute an unwarranted invasion of privacy (including, but not limited to, information contained in any personnel, medical, or similar file); (2) reveal trade secrets or privileged or confidential information obtained from any person; or (3) be detrimental to transportation safety.
Although the SSI regulations typically apply to airports and vessels, transit agencies are generally “covered persons” under 49 C.F.R. Sections 15.7 and 1520.7 because they are either (1) a grantee of DOT and/or DHS); (2) a rail transit system subject to the requirements of 49 CFR Part 1580; and/or (3) a transit agency for which a vulnerability assessment has been directed, created, held, funded, provided to or approved by the DOT.
Protected Critical Infrastructure Information (PCII)
PCII is a voluntary program for this category of federal “sensitive but unclassified” information. PCII is defined by 6 U.S.C. Section 131 as “information not customarily in the public domain and related to the security of critical infrastructure or protected systems.” Under 42 U.S.C. Section 5195c(e) (Homeland Security Act) and Section 1016(e) of the U.S. Patriot Act, PCII includes “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” The definition of PCII is meant to be broad, covering a wide array of activities. The implementing regulations are at 6 CFR Part 29. In addition, certain state laws restrict access to “critical infrastructure” information. See, e.g., Colorado Rev. Stat. 24-72-204(2)(a)(VIII)(A).
Challenges Faced By Transit Agencies
Procedures for identifying, designating, and marking SSI are strictly circumscribed. PCII must be designated by TSA. While federal agencies have tried to provide advice as to what information may or may not be SSI, transit agencies sometimes have challenges in determining whether some types of information are covered and should be restricted from public disclosure. Further, determining whether to provide information to TSA to be classified as PCII may present challenges. Does a transit agency want TSA to make this determination? Does a transit agency want to turn over the information at all? Designating information as SSI or PCII gives rise to substantial protection, marking, and destruction obligations for such information, so such designations cannot be undertaken lightly.
OBJECTIVES
The objectives of this research are to:
-
Review and identify SSI and PCII regulations and requirements relevant to transit agencies, focusing on federal requirements, but also highlighting representative state laws and regulations.
-
Identify potential legal and operational consequences for improper, too broad, or too restrictive designation of SSI.
-
Produce a report that includes best practices or common industry understandings or questions regarding the designation of potential protected information.
It is expected that the research consultant will obtain guidance that has been issued by DOT or TSA, and interview representatives of transit agencies to determine how the agencies have applied the regulations. The research should also include a confidential survey of a sample of transit agencies to determine what challenges those agencies may have faced in designating various types of information as SSI—or submitting information to TSA for classification as PCII, if at all.
The guidance provided should answer question, such as, to what extent do the federal agencies become directly involved with transit agencies regarding particular requests from the public?
Status: Research is completed.