The Transit Cooperative Research Program (TCRP) plans to award a contract for a study and report. Legal research reports sponsored by this project are published in TCRP's Legal Research Digest (LRD) series in electronic format. Publications are made available to some libraries and to approximately 4,000 transportation lawyers and officials through the TRB distribution network.
Transit agencies collect and maintain extensive information about the security, operations, facilities, critical infrastructure, and/or other assets or capital projects. Disclosure of this information could be detrimental to the security of transit operations, infrastructure, employees, or customers.
Recognizing the importance of protecting such information, the U.S. Department of Transportation (DOT) and the Department of Homeland Security (through the Transportation Security Administration [TSA]) have promulgated regulations that provide requirements for handling of sensitive security information (SSI) and protected critical infrastructure information (PCII). SSI and PCII are not subject to disclosure under the Freedom of Information Act and many state open records laws. SSI and PCII are also not available under discovery in federal litigation and is not required to be part of the record in federal rulemaking.
Sensitive Security Information (SSI)
The regulations governing SSI at 49 CFR Parts 15 (applicable to DOT) and 1520 (applicable to TSA) define SSI as information obtained or developed in the conduct of security activities, including research and development, the disclosure of which the Secretary of DOT has determined would (1) constitute an unwarranted invasion of privacy (including, but not limited to, information contained in any personnel, medical, or similar file); (2) reveal trade secrets or privileged or confidential information obtained from any person; or (3) be detrimental to transportation safety.
Although the SSI regulations typically apply to airports and vessels, transit agencies are generally “covered persons” under 49 C.F.R. Sections 15.7 and 1520.7 because they are either (1) a grantee of DOT and/or DHS); (2) a rail transit system subject to the requirements of 49 CFR Part 1580; and/or (3) a transit agency for which a vulnerability assessment has been directed, created, held, funded, provided to or approved by the DOT.
Protected Critical Infrastructure Information
PCII is a voluntary program for this category of federal “sensitive but unclassified” information. PCII is defined by 6 U.S.C. Section 131 as “information not customarily in the public domain and related to the security of critical infrastructure or protected systems.” Under 42 U.S.C. Section 5195c(e) (Homeland Security Act) and Section 1016(e) of the U.S. Patriot Act, PCII includes “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” The definition of PCII is meant to be broad, covering a wide array of activities. The implementing regulations are at 6 CFR Part 29. In addition, certain state laws restrict access to “critical infrastructure” information. See, e.g., Colorado Rev. Stat. 24-72-204(2)(a)(VIII)(A).
Challenges Faced By Transit Agencies
Procedures for identifying, designating, and marking SSI are strictly circumscribed. PCII must be designated by TSA. While federal agencies have tried to provide advice as to what information may or may not be SSI, transit agencies sometimes have challenges in determining whether some types of information are covered and should be restricted from public disclosure. Further, determining whether to provide information to TSA to be classified as PCII may present challenges. Does a transit agency want TSA to make this determination? Does a transit agency want to turn over the information at all? Designating information as SSI or PCII gives rise to substantial protection, marking, and destruction obligations for such information, so such designations cannot be undertaken lightly.
The objectives of this research are to:
Review and identify SSI and PCII regulations and requirements relevant to transit agencies, focusing on federal requirements, but also highlighting representative state laws and regulations.
Identify potential legal and operational consequences for improper, too broad, or too restrictive designation of SSI.
Produce a report that includes best practices or common industry understandings or questions regarding the designation of potential protected information.
It is expected that the research consultant will obtain guidance that has been issued by DOT or TSA, and interview representatives of transit agencies to determine how the agencies have applied the regulations. The research should also include a confidential survey of a sample of transit agencies to determine what challenges those agencies may have faced in designating various types of information as SSI—or submitting information to TSA for classification as PCII, if at all.
The guidance provided should answer question, such as, to what extent do the federal agencies become directly involved with transit agencies regarding particular requests from the public?
This research will be conducted in four tasks pursuant to a firm fixed price agreement.
The tasks will be as follows:
Task 1. Research plan and detailed report outline. The consultant will conduct background research and collect relevant material. Based on the initial but complete review of the source material, consultant will propose a detailed report outline. The outline should be at least 8 to 12 pages, include a proposed survey if one is to be used, and contain sufficient detail to inform the TCRP project panel of what a 75- to 100-page report will contain. This outline should also contain the estimated pagination for each proposed section and/or subsection. This material will be submitted to TCRP for consideration and approval.
Task 2. After approval of the work plan, the consultant should conduct additional research, and case and statutory/regulatory analysis.
Task 3. Draft report in accordance with the approved work plan (including modifications required by TCRP).
Task 4. Revise report as necessary. The consultant should estimate that two revisions will be necessary. One revision may be required after review by the TCRP staff and members of a select subcommittee. Additional revisions may be required after the full committee has reviewed the report.
25% paid upon submission and approval of the Task 1 Report.
50% paid upon submission and approval of the Task 3 Report.
25% paid upon submission and approval of the Final Report (following revisions as required by TCRP).
An important factor in rating proposal offers will be the proposer’s commitment to promptly undertake and complete this study.
HOW TO PROPOSE
Proposals should be submitted as a single PDF with the following information and in the following order:
- A statement of interest and qualifications.
- Resume of key team members along with a description of responsibilities.
- A list of your relevant prior publications (you may enclose one or two samples).
- A statement of resources you will allocate to this project; any additions, deletions, or changes you may wish to suggest for undertaking the work; and your requested compensation.
- Proposals should not exceed a total of 25 pages (including writing samples).
- An executed, unaltered liability statement. Here is a printable version of the Liability Statement.
Proposals are evaluated by project panel members and TCRP staff consisting of individuals collectively knowledgeable in the problem area. Evaluations are based upon the proposers': (1) experience in the subject area; (2) understanding of the work (demonstrated by the commitment of resources); (3) prior relevant publications (including briefs); (4) schedule for completing the work; and (5) price.
by 5:00 p.m.(EST) on September 26, 2019. Proposals will not be accepted after this time.