What is SSI?
Sensitive Security Information is information that, if publicly released, would be detrimental to transportation security, as defined by Federal Regulation 49 C.F.R. Part 1520.
As persons receiving SSI in order to carry out responsibilities related to transportation security, TSA stakeholders and non-DHS government employees and contractors, are considered “covered persons” under the SSI regulation and have special obligations to protect this information from unauthorized disclosure.
What should I know about SSI Protections?
Read our SSI Best Practices and Quick Reference guides for a quick introduction to SSI handling, sharing, and destroying procedures.
- SSI Best Practices Guide for Non-DHS Employees and Contractors
- SSI Quick Reference Guide for DHS Employees and Contractors
- 49 C.F.R. part 1520: Protection of Sensitive Security Information (printable version of the SSI Federal Regulation)
Visit the US Government Publishing Office at GPO.gov for the latest version of the SSI Federal Regulation.
TSA Maintains SSI training for a variety of stakeholders to include: air cargo, transit bus, highway/motor carrier, maritime, pipeline, rail and mass transit, law enforcement, and fusion center, as well as expanded guidance and best practices for handling and protecting SSI.
Click on the links below for more information.
- SSI Training for Air Cargo Stakeholders
- SSI Training for Aviation Stakeholders
- SSI Training for Public Transportation –Transit Bus
- SSI Training for Fusion Centers
- SSI Training for Highway and Motor Carrier Operators
- SSI Training for Law Enforcement
- SSI Training for Maritime Stakeholders
- SSI for Rail and Mass Transit Stakeholders
- SSI Training for Pipelines Stakeholders
Marking Templates and Cover Sheets
SSI Cover Sheet DHS Form 11054 (PDF format | Image format)
SSI Coversheet - Landscape
SSI Excel Example
SSI PowerPoint Example
SSI Word Template
Best-Practices and Quick References
Brochure - Remote Work Best Practices
SSI Best Practices Guide for Non DHS Employees
SSI Quick Reference Guide for DHS Employees and Contractors
What is SSI?
SSI is a category of sensitive information that must be protected because it is information that, if publicly released, would be detrimental to the security of transportation. In other words, SSI is information that could be used by our adversaries to bypass or defeat transportation security measures. For detailed categories of SSI, see the SSI Regulation, 49 C.F.R. § 1520.5(b)(1) - (16).
Note: Under 49 C.F.R. § 1520.5(a), the SSI Regulation also provides other reasons for protecting information as SSI. TSA, however, primarily uses the criterion of “detrimental to the security of transportation” when determining whether information is SSI.
Who may mark a document as SSI?
All covered persons have a duty to mark and safeguard SSI against unauthorized disclosure (See 49 C.F.R. § 1520.9(a)(4)). This includes adding the SSI header and footer (See 49 C.F.R. § 1520.13). For more information, see sample pre-marked templates.
Where do I submit documents to identify SSI?
Requests for SSI Assessments (Is it SSI?) or SSI Reviews (Where is the SSI?) can be submitted to the SSI Program at SSI@tsa.dhs.gov.
Are there any requirements for the type of lock used when storing SSI?
There is no required type of lock or specific way to secure SSI. It must be reasonably secured such that only those covered persons who have a need to know the information can have access to it. Keys should be stored in an alternate location from the SSI.
May all covered persons redact their own SSI?
No, the SSI Federal Regulation, 49 C.F.R. § 1520.9(a)(3), requires covered persons to refer requests by other persons for SSI to TSA, or the applicable DHS component or agency. Typically requests received from covered persons are tied to State Open Records Requests or court-order production requests due to litigation. See the SSI training presentation slides on “Processing Record Requests” for more information on submitting these requests to the SSI Program for review and redaction.
What are the requirements for passwords?
The SSI Regulation does not have any requirements regarding covered persons and their use of passwords. We recommend, however, that they follow theSSI Best Practices Guide for Non-DHS Employeeswhen creating passwords to protect SSI.
Do all computers containing SSI need to be “TSA approved?”
No. All covered persons (e.g., airlines, pipelines) must take reasonable steps to safeguard SSI in their possession or control from unauthorized disclosure (49 C.F.R. § 1520.9). Covered persons must limit access to SSI to other covered persons who have a need to know the information. Therefore, any stakeholder computer system that provides such access limitations to SSI would be acceptable. Please refer to the SSI Best Practices Guide for Non-DHS Employees for more information.
Are there restrictions to specific types of email systems when sending SSI?
No. However, covered parties are encouraged to use official company or government email when sending SSI. For more information, see SSI Best Practices Guide for Non-DHS Employees.
What should I do if I receive a suspicious request for SSI?
Suspicious requests for SSI should be reported immediately to your primary TSA point of contact.
How do we handle requests for SSI information from covered persons?
It is permitted to share SSI with another covered person who has a need to know the information in performance of their duties. The record must be marked as SSI and remains SSI. The covered person with a need to know is now obligated by the SSI Federal Regulation to protectthe SSI record entrusted to their care. Of note, some records come with instructions that limit further distribution. If it comes with a limitation, follow the instructions in the record for permission to share.
What should I do when a company, government, transportation authority, or other covered person receives requests for SSI from the media or other non-covered persons?
Requests for SSI fall into two categories, sharing and releasing. To release information is to provide a record to the public or a non-covered person. Release of SSI is prohibited and a violation of the SSI Regulation. Therefore, prior to releasing records which may contain SSI to persons who are not authorized to access SSI under the SSI Federal Regulation, the SSI language must be removed/redacted by the TSA SSI Program office.
A company, government, transportation authority, or other covered person receiving requests for SSI must submit the information to the SSI Program for a full SSI Review and redaction prior to sharing with non-covered persons. These records may be submitted through the SSI Coordinator or field counsel at your local Federal Security Director (FSD’s) office or sent directly to SSI@tsa.dhs.gov. Requests for TSA records must be referred to TSA FOIA (FOIA@tsa.dhs.gov).
What should we do if we get a request for TSA records?
Requests for TSA records must be referred to TSA FOIA (FOIA@tsa.dhs.gov).
Is SSI permitted to be shared with vendor partners that need to be engaged in helping achieve required actions?
Yes, covered persons may share SSI with specific vendors if the vendors have a need to know in order to perform their official duties or to provide technical advice to covered persons to meet security requirements. Accordingly, covered persons must only provide specific information that is relevant and necessary for the vendor to complete their work. Each person with access to SSI under 49 CFR §1520.11 becomes a covered person who is required to protect SSI from unauthorized disclosure and each person employed by, contracted to, or acting for a covered person likewise becomes a covered person (see 49 CFR §§ 15020.7(j), 1520.7(k) and 1520.9).
Vendors are not authorized to re-distribute SSI and must maintain the SSI markings, properly dispose of SSI, and protect SSI from unauthorized disclosure (see 49 CFR §§ 1520.9, 1520.13, 1520.19). If a covered person provides SSI to vendors, they must include the SSI protection requirements so that the vendors are formally advised of their regulatory requirements to protect the information. Unauthorized disclosure of SSI by covered persons or their vendors is grounds for enforcement action by TSA, including civil penalty actions, under 49 CFR § 1520.17.
Where do I learn more about SSI?
The TSA SSI Program has SSI Training available on its public website. The training presentations do NOT contain SSI and may be distributed to the employees of various company, state, or transportation entities as needed along with the SSI Coversheet, SSI Best-Practices Guide, and SSI templates. Please contact us at SSI@tsa.dhs.gov for more information.
For example, SSI includes airport and aircraft operator security programs; the details of various aviation, maritime or rail transportation security measures including perimeter security and access control; procedures for the screening of passengers and their baggage; the results of vulnerability assessments of any ...What is considered sensitive security information? ›
Sensitive Security Information (SSI) is information that, if publicly released, would be detrimental to transportation security, as defined by Federal regulation 49 C.F.R. part 1520.Who are the 4 sensitive security information SSI can be shared with? ›
Further, pursuant to 49 CFR §1520.11(b)(1), SSI must be shared with members of Congress, their staffs, DHS or TSA management, the Comptroller General (Government Accountability Office), the TSA Office of Internal Affairs and Program Review, the DHS Office of Inspector General, Freedom of Information Act (FOIA) offices, ...How do I contact TSA with questions? ›
Contact us 72 hours prior to traveling with questions about screening policies, procedures and what to expect at the security checkpoint. You may call (855) 787-2227 or submit an online form.What are the four types of sensitive data? ›
Regulated, Business, Confidential, and High-Risk Data.