SSI Celebrates its 50th Anniversary: The Nexus of Sensitive Security Information

Thursday, August 22, 2024

TSA SSI lanyard and pins. (Collection/image courtesy of Deirdre O'Sullivan)

This month marks the 50th anniversary of the creation of the Sensitive Security Information (SSI) requirements. The SSI protocol is designed to help safeguard transportation security measures and to provide a systemic security review of operations and information to protect the traveling public from potential threats.

The genesis of SSI began after a series of hijackings in the late 1960s and terrorists using aviation security to draw attention to their causes starting in the 1970s. Congress took action in response to public outcry and increased concerns, by passing the Air Transportation Security Act of 1974 and sanctioning the FAA's universal screening rule. This new legislation required all U.S. airports to adopt metal-detection screening portals for passengers and X-ray inspection systems for carry-on bags.

Protecting our aviation system was not limited to airport screening. Along with universal screening, the Act introduced the initial version of the requirements for safeguarding information, known as a sensitive but unclassified category of information. This category would later be identified as Sensitive Security Information (SSI). Among the aviation records that would be prohibited from public release were the security program of any airport; the security program of any air carrier; any mechanism for the detection of any explosive or incendiary device or weapon; and any contingency security plan.

After the events of September 11th, legislators passed the Aviation and Transportation Security Act mandating SSI as a shared responsibility between the U.S. Department of Transportation and the then newly created Transportation Security Administration (TSA).

SSI protections pertained to only aviation until 2004 when TSA updated SSI Federal Regulation in the Federal Register, to protect vulnerability assessments for all modes of transportation. In 2008, rail-related articles and covered persons were added to SSI coverage, and the SSI Program expanded to include other modes of travel and infrastructure, e.g., pipeline.

Protecting SSI across the transportation sector is the responsibility of everyone. The SSI Federal Regulation allows TSA to share sensitive information with our transportation partners, but it also obligates each person with access to SSI, to prevent it from ending up in the public domain. The SSI Federal Regulation requires that each person "take reasonable steps to safeguard SSI." This includes:

A Lufthansa Boeing 737, similar to the aircraft involved in the 1973 hijacking at Rome Airport (Image courtesy of Ralf Manteufel)

• Do not post SSI on the internet,
• Lock SSI in a secure container such as a locked desk,
• Mark SSI with the SSI Header and SSI Footer, and
• Destroy SSI completely when no longer needed.

While the SSI Federal Regulation allows for TSA to share SSI with stakeholders, it also outlines the consequences for stakeholders failing to protect SSI entrusted to their care, which includes a civil penalty of up to $14,000 per offense.