Best Practices Guide for Non-DHS Employees and Contractors
Sensitive Security Information
SSI Requirements
The SSI regulation mandates specific and general requirements for handling and protecting SSI.
You Must – Lock Up All SSI: Store SSI in a secure container such as a locked file cabinet or drawer (as
defined by Federal regulation 49 C.F.R. part 1520.9 (a)(1)).
You Must – When No Longer Needed, Destroy SSI: Destruction of SSI must be complete to preclude
recognition or reconstruction of the information (as defined by Federal regulation 49 C.F.R. part
1520.19).
You Must – Mark SSI: The regulation requires that even when only a small portion of a paper
document contains SSI, every page of the document must be marked with the SSI header and footer
shown at left (as dened by Federal regulation 49 C.F.R. part 1520.13). Alteration of the footer is not
authorized.
• Use an SSI cover sheet on all SSI materials.
• Electronic presentations (e.g., PowerPoint) should be marked
with the SSI header on all pages and the SSI footer on the
first and last pages of the presentation.
• Spreadsheets should be marked with the SSI header on
every page and the SSI footer on every page or at the end
of the document.
• Video and audio should be marked with the SSI header and
footer on the protective cover when able and the header
and footer should be shown and/or read at the beginning
and end of the program.
• CDs/DVDs should be encrypted or password-protected
and the header and footer should be affixed to the CD/DVD.
• Portable drives including “flash” or “thumb” drives should not
themselves be marked, but the drive itself should be
encrypted or all SSI documents stored on it should be
password protected.
• When leaving your computer or desk you must lock up all SSI
and you should lock or turn off your computer.
• Taking SSI home is not recommended. If necessary, get
permission from a supervisor and lock up all SSI at home.
• Don’t handle SSI on computers that have peer-to-peer
software installed on them or on your home computer.
What is SSI?
Sensitive Security Information (SSI) is information that, if publicly released, would be detrimental to
transportation security, as dened by Federal regulation 49 C.F.R. part 1520.
Although SSI is not classied information, there are specic procedures for recognizing, marking,
protecting, safely sharing, and destroying SSI. As persons receiving SSI in order to carry out
responsibilities related to transportation security, you are considered “covered persons” under the SSI
regulation and have special obligations to protect this information from unauthorized disclosure.
The purpose of this hand-out is to provide transportation security stakeholders and non-DHS
government employees and contractors with best practices for handling SSI. Best practices are not
to be construed as legally binding requirements of, or official implementing guidance for, the SSI
regulation.
• Transmit SSI via email only in a password protected
attachment, not in the body of the email. Send the password
without identifying information in a separate email or
by phone.
• Passwords for SSI documents should contain at least eight
characters, have at least one uppercase and one lowercase
letter, contain at least one number, one special character
and not be a word in the dictionary.
• Faxing of SSI should be done by first verifying the fax
number and that the intended recipient will be available
promptly to retrieve the SSI.
• SSI should be mailed by U.S. First Class mail or other
traceable delivery service using an opaque envelope or
wrapping. The outside wrapping (i.e. box or envelope)
should not be marked as SSI.
• Interoffice mail should be sent using an unmarked, opaque,
sealed envelope so that the SSI cannot be read through the
envelope.
• SSI stored in network folders should either require a
password to open or the network should limit access
to the folder to only those with a need to know.
• Properly destroy SSI using a cross-cut shredder or by cutting
manually into less than ½ inch squares.
• Properly destroy electronic records using any method that
will preclude recognition or reconstruction.
Best Practices Guide
Reasonable steps must be taken to safeguard SSI. While the regulation does not define reasonable steps, the TSA SSI Branch offers
these best practices as examples of reasonable steps:
SENSITIVE SECURITY
INFORMATION
Safely Sharing Information
Phone: (571) 227-3513 • Fax: (571) 227-2945
WARNING: This record contains Sensitive Security
Information that is controlled under 49 CFR parts
15 and 1520. No part of this record may be
disclosed to persons without a “need to know,”
as defined in 49 CFR parts 15 and 1520, except
with the written permission of the Administrator
of the Transportation Security Administration or
the Secretary of Transportation. Unauthorized
release may result in civil penalty or other action.
For U.S. government agencies, public disclosure
is governed by 5 USC 552 and 49 CFR parts 15
and 1520.
www.tsa.gov