Code of Federal Regulations

Transportation Security Administration, DHS
49 U.S.C. 40119. Upon the request of another Federal agency, TSA or the Secretary of DOT may designate as SSI information not otherwise described in
this section.
(c) Loss of SSI designation. TSA or the
Coast Guard may determine in writing
that information or records described
in paragraph (b) of this section do not
constitute SSI because they no longer
meet the criteria set forth in paragraph (a) of this section.
[69 FR 28082, May 18, 2004, as amended at 70
FR 41599, July 19, 2005; 71 FR 30507, May 26,
2006; 73 FR 72172, Nov. 26, 2008; 74 FR 47695,
Sept. 16, 2009]

Lhorne on DSK30JT082PROD with CFR

§ 1520.7

Covered persons.

Persons subject to the requirements
of part 1520 are:
(a) Each airport operator, aircraft operator, and fixed base operator subject
to the requirements of subchapter C of
this chapter, and each armed security
officer under subpart B of part 1562.
(b) Each indirect air carrier (IAC), as
described in 49 CFR part 1548; and each
certified cargo screening facility and
its personnel, as described in 49 CFR
part 1549.
(c) Each owner, charterer, or operator of a vessel, including foreign vessel owners, charterers, and operators,
required to have a security plan under
Federal or International law.
(d) Each owner or operator of a maritime facility required to have a security plan under the Maritime Transportation Security Act, (Pub.L. 107–295), 46
U.S.C. 70101 et seq., 33 CFR part 6, or 33
U.S.C. 1221 et seq.
(e) Each person performing the function of a computer reservation system
or global distribution system for airline passenger information.
(f) Each person participating in a national or area security committee established under 46 U.S.C. 70112, or a
port security committee.
(g) Each industry trade association
that represents covered persons and
has entered into a non-disclosure
agreement with the DHS or DOT.
(h) DHS and DOT.
(i) Each person conducting research
and development activities that relate
to aviation or maritime transportation
security and are approved, accepted,

§ 1520.9

funded, recommended, or directed by
DHS or DOT.
(j) Each person who has access to
SSI, as specified in § 1520.11.
(k) Each person employed by, contracted to, or acting for a covered person, including a grantee of DHS or
DOT, and including a person formerly
in such position.
(l) Each person for which a vulnerability assessment has been directed,
created, held, funded, or approved by
the DOT, DHS, or that has prepared a
vulnerability assessment that will be
provided to DOT or DHS in support of
a Federal security program.
(m) Each person receiving SSI under
§ 1520.15(d) or (e).
(n) Each railroad carrier, rail hazardous materials shipper, rail hazardous materials receiver, and rail
transit system subject to the requirements of part 1580 of this chapter.
[69 FR 28082, May 18, 2004, as amended at 70
FR 41600, July 19, 2005; 73 FR 72173, Nov. 26,
2008; 74 FR 47695, Sept. 16, 2009; 76 FR 51867,
Aug. 18, 2011]

§ 1520.9 Restrictions on the disclosure
of SSI.
(a) Duty to protect information. A covered person must—
(1) Take reasonable steps to safeguard SSI in that person’s possession
or control from unauthorized disclosure. When a person is not in physical
possession of SSI, the person must
store it a secure container, such as a
locked desk or file cabinet or in a
locked room.
(2) Disclose, or otherwise provide access to, SSI only to covered persons
who have a need to know, unless otherwise authorized in writing by TSA, the
Coast Guard, or the Secretary of DOT.
(3) Refer requests by other persons
for SSI to TSA or the applicable component or agency within DOT or DHS.
(4) Mark SSI as specified in § 1520.13.
(5) Dispose of SSI as specified in
§ 1520.19.
(b) Unmarked SSI. If a covered person
receives a record containing SSI that is
not marked as specified in § 1520.13, the
covered person must—
(1) Mark the record as specified in
§ 1520.13; and

307

VerDate Sep<11>2014

09:16 Nov 17, 2016

Jkt 238233

PO 00000

Frm 00317

Fmt 8010

Sfmt 8010

Y:\SGML\238233.XXX

238233

§ 1520.11

49 CFR Ch. XII (10–1–16 Edition)

Lhorne on DSK30JT082PROD with CFR

(2) Inform the sender of the record
that the record must be marked as
specified in § 1520.13.
(c) Duty to report unauthorized disclosure. When a covered person becomes
aware that SSI has been released to unauthorized persons, the covered person
must promptly inform TSA or the applicable DOT or DHS component or
agency.
(d) Additional Requirements for Critical
Infrastructure Information. In the case
of information that is both SSI and has
been designated as critical infrastructure information under section 214 of
the Homeland Security Act, any covered person who is a Federal employee
in possession of such information must
comply with the disclosure restrictions
and other requirements applicable to
such information under section 214 and
any implementing regulations.
§ 1520.11 Persons with a need to know.
(a) In general. A person has a need to
know SSI in each of the following circumstances:
(1) When the person requires access
to specific SSI to carry out transportation security activities approved, accepted, funded, recommended, or directed by DHS or DOT.
(2) When the person is in training to
carry out transportation security activities approved, accepted, funded,
recommended, or directed by DHS or
DOT.
(3) When the information is necessary
for the person to supervise or otherwise
manage individuals carrying out transportation security activities approved,
accepted, funded, recommended, or directed by the DHS or DOT.
(4) When the person needs the information to provide technical or legal
advice to a covered person regarding
transportation security requirements
of Federal law.
(5) When the person needs the information to represent a covered person
in connection with any judicial or administrative
proceeding
regarding
those requirements.
(b) Federal, State, local, or tribal government employees, contractors, and
grantees. (1) A Federal, State, local, or
tribal government employee has a need
to know SSI if access to the information is necessary for performance of

the employee’s official duties, on behalf or in defense of the interests of the
Federal, State, local, or tribal government.
(2) A person acting in the performance of a contract with or grant from a
Federal, State, local, or tribal government agency has a need to know SSI if
access to the information is necessary
to performance of the contract or
grant.
(c) Background check. TSA or Coast
Guard may make an individual’s access
to the SSI contingent upon satisfactory completion of a security background check or other procedures and
requirements for safeguarding SSI that
are satisfactory to TSA or the Coast
Guard.
(d) Need to know further limited by the
DHS or DOT. For some specific SSI,
DHS or DOT may make a finding that
only specific persons or classes of persons have a need to know.
[69 FR 28082, May 18, 2004, as amended at 70
FR 1382, Jan. 7, 2005; 73 FR 72173, Nov. 26,
2008]

§ 1520.13

Marking SSI.

(a) Marking of paper records. In the
case of paper records containing SSI, a
covered person must mark the record
by placing the protective marking conspicuously on the top, and the distribution limitation statement on the bottom, of—
(1) The outside of any front and back
cover, including a binder cover or folder, if the document has a front and
back cover;
(2) Any title page; and
(3) Each page of the document.
(b) Protective marking. The protective
marking is: SENSITIVE SECURITY
INFORMATION.
(c) Distribution limitation statement.
The distribution limitation statement
is:
WARNING: This record contains Sensitive
Security Information that is controlled
under 49 CFR parts 15 and 1520. No part of
this record may be disclosed to persons without a ‘‘need to know’’, as defined in 49 CFR
parts 15 and 1520, except with the written
permission of the Administrator of the
Transportation Security Administration or
the Secretary of Transportation. Unauthorized release may result in civil penalty or
other action. For U.S. government agencies,

308

VerDate Sep<11>2014

09:16 Nov 17, 2016

Jkt 238233

PO 00000

Frm 00318

Fmt 8010

Sfmt 8003

Y:\SGML\238233.XXX

238233

Transportation Security Administration, DHS
public disclosure is governed by 5 U.S.C. 552
and 49 CFR parts 15 and 1520.

Lhorne on DSK30JT082PROD with CFR

(d) Other types of records. In the case
of non-paper records that contain SSI,
including motion picture films, videotape recordings, audio recording, and
electronic and magnetic records, a covered person must clearly and conspicuously mark the records with the protective marking and the distribution
limitation statement such that the
viewer or listener is reasonably likely
to see or hear them when obtaining access to the contents of the record.
§ 1520.15 SSI disclosed by TSA or the
Coast Guard.
(a) In general. Except as otherwise
provided in this section, and notwithstanding the Freedom of Information
Act (5 U.S.C. 552), the Privacy Act (5
U.S.C. 552a), and other laws, records
containing SSI are not available for
public inspection or copying, nor does
TSA or the Coast Guard release such
records to persons without a need to
know.
(b) Disclosure under the Freedom of Information Act and the Privacy Act. If a
record contains both SSI and information that is not SSI, TSA or the Coast
Guard, on a proper Freedom of Information Act or Privacy Act request,
may disclose the record with the SSI
redacted, provided the record is not
otherwise exempt from disclosure
under the Freedom of Information Act
or Privacy Act.
(c) Disclosures to committees of Congress and the General Accounting Office.
Nothing in this part precludes TSA or
the Coast Guard from disclosing SSI to
a committee of Congress authorized to
have the information or to the Comptroller General, or to any authorized
representative of the Comptroller General.
(d) Disclosure in enforcement proceedings—(1) In general. TSA or the
Coast Guard may provide SSI to a person in the context of an administrative
enforcement proceeding when, in the
sole discretion of TSA or the Coast
Guard, as appropriate, access to the
SSI is necessary for the person to prepare a response to allegations contained in a legal enforcement action
document issued by TSA or the Coast
Guard.

§ 1520.19

(2) Security background check. Prior to
providing SSI to a person under paragraph (d)(1) of this section, TSA or the
Coast Guard may require the individual or, in the case of an entity, the
individuals representing the entity,
and their counsel, to undergo and satisfy, in the judgment of TSA or the
Coast Guard, a security background
check.
(e) Other conditional disclosure. TSA
may authorize a conditional disclosure
of specific records or information that
constitute SSI upon the written determination by TSA that disclosure of
such records or information, subject to
such limitations and restrictions as
TSA may prescribe, would not be detrimental to transportation security.
(f) Obligation to protect information.
When an individual receives SSI pursuant to paragraph (d) or (e) of this section that individual becomes a covered
person under § 1520.7 and is subject to
the obligations of a covered person
under this part.
(g) No release under FOIA. When TSA
discloses SSI pursuant to paragraphs
(b) through (e) of this section, TSA
makes the disclosure for the sole purpose described in that paragraph. Such
disclosure is not a public release of information under the Freedom of Information Act.
(h) Disclosure of Critical Infrastructure
Information. Disclosure of information
that is both SSI and has been designated as critical infrastructure information under section 214 of the Homeland Security Act is governed solely by
the requirements of section 214 and any
implementing regulations.
§ 1520.17 Consequences of unauthorized disclosure of SSI.
Violation of this part is grounds for a
civil penalty and other enforcement or
corrective action by DHS, and appropriate personnel actions for Federal
employees. Corrective action may include issuance of an order requiring retrieval of SSI to remedy unauthorized
disclosure or an order to cease future
unauthorized disclosure.
§ 1520.19 Destruction of SSI.
(a) DHS. Subject to the requirements
of the Federal Records Act (5 U.S.C.
105), including the duty to preserve

309

VerDate Sep<11>2014

09:16 Nov 17, 2016

Jkt 238233

PO 00000

Frm 00319

Fmt 8010

Sfmt 8010

Y:\SGML\238233.XXX

238233