Protection of Sensitive Security Information

Federal Register: January 7, 2005 (Volume 70, Number 5)
Rules and Regulations
Page 1379-1382

=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF TRANSPORTATION

Office of the Secretary of Transportation

49 CFR Part 15

RIN 2105-AD33

DEPARTMENT OF HOMELAND SECURITY

Transportation Security Administration

49 CFR Part 1520

[Docket No. TSA-2003-15569; Amendment No. 1520-2]
RIN 1652-AA08

Protection of Sensitive Security Information; Technical Amendment

AGENCY: Office of the Secretary of Transportation (OST), Department of
Transportation, and Transportation Security Administration (TSA),
Department of Homeland Security.

ACTION: Technical amendment.

-----------------------------------------------------------------------

SUMMARY: OST and TSA are revising their regulations governing the
protection of sensitive security information (SSI) to remove an
unintended limitation on parties that have a need to know such
information. Specifically, this rule removes the limiting words
``aviation or maritime'' from 49 CFR 15.11 and 49 CFR 1520.11 in order
to clearly permit the sharing of vulnerability assessments and other
documents properly designated as SSI with covered persons who meet the
need to know requirements regardless of mode of transportation.

DATES: Effective January 7, 2005.

FOR FURTHER INFORMATION CONTACT: For questions on 49 CFR part 15:
Astrid Lopez-Goldberg, Senior Attorney, Office of the Chief Counsel,
Research and Special Programs Administration, Department of
Transportation, Washington, DC 20590; e-mail:
[email protected], telephone: (202) 366-4400.

[[Page 1380]]

For questions on 49 CFR part 1520: David Graceson, Acting Director,
Aviation Operations Litigation Support & Special Activities Staff, TSA-
7, Transportation Security Administration, 601 South 12th Street,
Arlington, VA 22202-4220; e-mail: [email protected], telephone:
(571) 227-2277.

SUPPLEMENTARY INFORMATION:

Availability of Final Rule

You can get an electronic copy using the Internet by--
(1) Searching the Department of Transportation's electronic Docket
Management System (DMS) Web page (http://dms.dot.gov/search). Use

Docket No. TSA-2003-15569;
(2) Accessing the Government Printing Office's Web page at http://www.access.gpo.gov/su_docs/aces/aces140.html; or

(3) Visiting TSA's Law and Policy Web page at http://www.tsa.dot.gov/public/index.jsp.

In addition, copies are available by writing or calling the
individuals in the FOR FURTHER INFORMATION CONTACT section. Make sure
to identify the docket number of this rulemaking.

Background

On May 18, 2004, TSA and OST published an interim final rule (IFR)
on the protection of sensitive security information (SSI) in the
Federal Register (69 FR 28066). The preamble to that rule provided a
full description of the statutory and regulatory background for the SSI
program. As explained there, the original SSI program provided for the
protection of SSI involved in aviation programs. However, the Aviation
and Transportation Security Act (ATSA) (Pub. L. 107-71), enacted two
months after the terrorist attacks of September 11, 2001, amended the
statutory authority underlying the aviation SSI program to mandate
coverage of appropriate security information in all modes of
transportation. By deleting ``air'' as a limiting word before
``transportation,'' in ATSA, Congress enlarged its specific direction
to issue protective regulations to encompass all modes of
transportation.
While the general focus of TSA's 2002 regulation to implement ATSA
remained on aviation programs, TSA's regulation also provided for the
protection of vulnerability assessments and certain other SSI
(including information concerning threats against transportation)
regardless of mode of transportation.\1\ Later in 2002, in the Homeland
Security Act (Pub. L. 107-296) that created the Department of Homeland
Security (DHS), Congress: (1) transferred TSA's authority to issue SSI
regulations to DHS, and (2) directed the Secretary of Transportation to
also prescribe SSI regulations. Also in 2002, the Maritime
Transportation Security Act (Pub. L. 107-295), which established a new
framework for maritime security, became law and called for the
preparation of many security-related documents that would need SSI
protection.
---------------------------------------------------------------------------

\1\ 67 FR 8351, Feb. 22, 2002. The TSA SSI regulation is
codified at 49 CFR part 1520.
---------------------------------------------------------------------------

The May 2004 IFR consisted of virtually identical TSA and OST rules
to implement Congressional direction that both agencies issue SSI
regulations. The IFR expanded the 2002 regulatory framework governing
information generally related to aviation security to also cover
information related to security in maritime transportation. This
expansion was the main theme of the IFR. However, the IFR also
continued the TSA 2002 regulation's coverage for vulnerability
assessments and, with some changes, certain other SSI for all modes.
For example, the TSA 2002 regulation coverage of ``Information
concerning threats against transportation'' was not limited by mode of
transportation. The May 2004 IFR continued that coverage for ``Threat
information'' regardless of the mode of transportation.

Technical Amendment

SSI rules limit the disclosure of vulnerability assessments and
other SSI to persons with a ``need to know.'' The TSA 2002 regulation
contained no modal-specific limits in its need-to-know provision (49
CFR 1520.5(b) (2002)). However, consistent with the May 2004 IFR's
focus on adding provisions for the maritime industry to existing,
mostly aviation-related, provisions, the IFR added a restriction of
``aviation or maritime'' at several locations in the need-to-know
section. (Under the regulation, Federal employees and persons acting in
the performance of a contract with or grant from DHS or DOT are not
subject to this restriction.) This led to unintended situations. For
example, transportation entities in land modes that transport hazardous
materials are required by 49 CFR subpart I to perform vulnerability
assessments (see 49 CFR 172.802--assessment of possible transportation
security risks for shipments of the hazardous materials listed in Sec.
172.800 and appropriate measures to address the assessed risks), but
the SSI regulation literally provides that, unless they were acting in
the performance of a contract with or grant from DHS or DOT, they may
share these assessments only with entities in the aviation or maritime
industries, because the language of the regulation defines only these
entities as having a ``need to know.''
More than one commenter to the docket on the May 2004 IFR brought
this issue to our attention. In light of the well-justified concern
about the vulnerability of all transportation modes to terrorist
activities, and the crucial need to share information to ``connect the
dots'' to forestall future attacks, DOT and DHS believe that this is a
technical problem that must be fixed. By removing the limiting words
``aviation or maritime'' from 49 CFR 15.11 and 1520.11, we correct this
mistake and restore the original intent of this aspect of the SSI
rule--to share vulnerability assessments and threat information with
entities in all transportation modes that need the information to help
forestall future attacks.
TSA and OST received many useful, constructive comments on the May
2004 IFR. We plan to publish in the Federal Register a rulemaking
document responding to comments related to subjects other than this
need to know issue.

Regulatory Analyses and Notices

Good Cause for Immediate Adoption

TSA and OST are issuing this technical amendment without prior
notice and opportunity for comment pursuant to the authority under
section 4(a) of the Administrative Procedure Act (APA) (5 U.S.C.
553(b)). This provision allows an agency to issue a regulatory action
without notice and opportunity for comment when the agency for good
cause finds that notice and comment procedures are ``impracticable,
unnecessary or contrary to the public interest.''
As noted previously, it is essential to fix this problem in the SSI
regulation immediately, lest the unintended restriction in the
regulation inhibit the exchange of vital security-related information.
In addition, the technical amendment will relieve a restriction on
regulated parties. For these reasons, TSA and OST have determined that
prior notice and an opportunity for comment would be impracticable,
unnecessary, and contrary to the public interest. This same rationale
provides good cause to make the technical amendment effective
immediately upon publication.

[[Page 1381]]

Paperwork Reduction Act

The Paperwork Reduction Act of 1995 (44 U.S.C. 3507(d)) requires
consideration of the impact of paperwork and other information
collection burdens imposed on the public. TSA and OST have determined
that there are no new information collection requirements associated
with this technical amendment.
As protection provided by the Paperwork Reduction Act, as amended,
an agency may not conduct or sponsor, and a person is not required to
respond to, a collection of information unless it displays a currently
valid Office of Management and Budget (OMB) control number.

Executive Order 12886 and DOT Regulatory Policies and Procedures

Executive Order 12866 (58 FR 51735, October 4, 1993), provides for
making determinations whether a regulatory action is ``significant''
and therefore subject to Office of Management and Budget (OMB) review
and to the requirements of the Executive Order. This is a
nonsignificant regulatory action under Executive Order 12866. The
technical amendment will not add any requirements or burdens on any
party. It simply relieves a restriction that would prevent
transportation entities from sharing certain information with those who
need to know, regardless of mode. This will enhance security by
allowing TSA and OST to share vital security information with regulated
parties. For the same reasons, this regulatory action is nonsignificant
under the Department of Transportation's Regulatory Policies and
Procedures.

Regulatory Flexibility Act Assessment

Pursuant to the Regulatory Flexibility Act (5 U.S.C. 601 et seq.,
as amended by the Small Business Regulatory Enforcement Fairness Act
(SBREFA) of 1996), an agency is required to prepare and make available
a regulatory flexibility analysis that describes the effect of the
regulatory action on small entities (i.e., small businesses, small
organizations, and small governmental jurisdictions). Because good
cause exists for issuing this regulation as a final technical
amendment, no regulatory flexibility analysis is required. However,
because this technical amendment will not impose any costs on any
entities, including small entities, we have determined and certify that
this regulatory action does not have a significant economic impact on a
substantial number of small entities.

Trade Impact Assessment

The Trade Agreement Act of 1979 prohibits Federal agencies from
engaging in any standards or related activities that create unnecessary
obstacles to the foreign commerce of the United States. Legitimate
domestic objectives, such as safety and security, are not considered
unnecessary obstacles. The Act also requires consideration of
international standards and, where appropriate, that they be the basis
for U.S. standards. We have assessed the potential effect of this
regulatory action and determined that it will have no effect on any
trade-sensitive activity and will not constitute a barrier to
international trade.

Unfunded Mandates Reform Act Assessment

The Unfunded Mandates Reform Act of 1995 is intended, among other
things, to curb the practice of imposing unfunded Federal mandates on
State, local, and tribal governments. Title II of the Act requires each
Federal agency to prepare a written statement assessing the effects of
any Federal mandate in a proposed or final agency rule that may result
in a $100 million or more expenditure (adjusted annually for inflation)
in any one year by State, local, and tribal governments, in the
aggregate, or by the private sector; such a mandate is deemed to be a
``significant regulatory action.''
This regulatory action does not contain such a mandate. The
requirements of Title II of the Act, therefore, do not apply and a
statement has not been prepared under the Act.

Executive Order 13132 (Federalism)

This regulatory action has been analyzed under the principles and
criteria of Executive Order 13132, Federalism. We have determined that
it would not have a substantial direct effect on the States, on the
relationship between the National Government and the States, or on the
distribution of power and responsibilities among the various levels of
government. Therefore, this regulatory action does not have federalism
implications.

Environmental Analysis

This action has been reviewed for purposes of the National
Environmental Policy Act of 1969 (NEPA) (42 U.S.C. 4321-4347), and we
have determined that it will not have a significant effect on the human
environment.

Energy Impact

The energy impact of this technical amendment has been assessed in
accordance with the Energy Policy and Conservation Act (EPCA), Public
Law 94-163, as amended (42 U.S.C. 6362). We have determined that this
technical amendment is not a major regulatory action under the
provisions of the EPCA.

Small Entity Inquiries

The Small Business Regulatory Enforcement Fairness Act (SBREFA) of
1996 requires an agency to comply with small entity requests for
information and advice about compliance with statutes and regulations
within the agency's jurisdiction. Any small entity that has a question
regarding this document may contact the individuals listed in FOR
FURTHER INFORMATION CONTACT for information. You can get further
information regarding SBREFA on the Small Business Administration's Web
page at http://www.sba.gov/advo/laws/law_lib.html.

List of Subjects

49 CFR Part 15

Air carriers, Aircraft, Airports, Maritime carriers, Reporting and
recordkeeping requirements, Security measures, Vessels, Vulnerability
assessments.

49 CFR Part 1520

Air carriers, Aircraft, Airports, Maritime carriers, Reporting and
recordkeeping requirements, Security measures, Vessels, Vulnerability
assessments.

Department of Transportation

Office of the Secretary of Transportation

0
For the reasons stated in the preamble, the Department of
Transportation amends title 49, Code of Federal Regulations, by
amending part 15 as follows:

PART 15--PROTECTION OF SENSITIVE SECURITY INFORMATION

0
1. The authority citation for part 15 continues to read as follows:

Authority: 49 U.S.C. 40119.

Sec. 15.11 [Amended]

0
2. In Sec. 15.11(a), remove the words ``aviation or maritime''
wherever those words appear.

[[Page 1382]]

Issued in Washington, DC, on January 4, 2005.
Norman Y. Mineta,
Secretary of Transportation.

Department of Homeland Security

Transportation Security Administration

49 CFR Chapter XII

0
For the reasons stated in the preamble, the Transportation Security
Administration amends chapter XII of title 49, Code of Federal
Regulations, by amending part 1520 as follows:

PART 1520--PROTECTION OF SENSITIVE SECURITY INFORMATION

0
1. The authority citation for part 1520 continues to read as follows:

Authority: 46 U.S.C. 70102-70106, 70117; 49 U.S.C. 114, 40113,
44901-44907, 44913-44914, 44916-44918, 44935-44936, 44942, 46105.

Sec. 1520.11 [Amended]

0
2. In Sec. 1520.11(a), remove the words ``aviation or maritime''
wherever those words appear.

Issued in Arlington, Virginia, on January 4, 2005.
David M. Stone,
Assistant Secretary of Homeland Security (Transportation Security
Administration).
[FR Doc. 05-366 Filed 1-6-05; 8:45 am]

BILLING CODE 4910-62-P