At the request of the Secretary for the Department of Homeland Security, we reviewed the events surrounding the release of Sensitive Security Information contained in the Transportation Security Administration’s Screening Management Standard Operating Procedures. The Transportation Security Administration posted the document on March 3, 2009, and reposted it on March 16, 2009, to the Federal Business Opportunities, or FedBizOpps.gov, website, as part of a solicitation to privatize seven airports in the State of Montana. The objectives of our review were to determine how and why the release occurred, and whether management controls are in place and operational to ensure that a similar event would not recur. We determined that for the two documents in question, the redactions were not applied properly, and appropriate quality control procedures were not in place to protect against inadvertent disclosure. Consequently, Sensitive Security Information was visible in a public document posted on the internet. The Transportation Security Administration is conducting an internal vulnerabilities assessment of the effect of the standard operating procedures disclosure.
Transportation Security Administration officials received email messages on December 5, 2009, advising of a potential Sensitive Security Information breach. These notifications were made by a Transportation Security Administration employee to the Office of Sensitive Security Information, several Transportation Security Administration Sensitive Security Information Coordinators, the Transportation Security Administration Contact Center, as well as an external entity, the United States Computer Emergency Readiness Team. At this time, we are unaware of what actions TSA took in response to these notifications.
On December 6, 2009, at 4:28 p.m., the Transportation Security Administration Blog Team also received an email message indicating that unredacted Sensitive Security Information in its Screening Management Standard Operating Procedures was on the internet and visible to the public. Transportation Security Administration senior leadership did not receive notification until December 6, 2009, at 8:40 p.m. After receiving notification, the Acting Administrator took immediate actions and began intermediate and long-term measures to mitigate vulnerabilities. The Transportation Security Administration requested that the General Services Administration remove the website posting at 10:30 p.m. The
TSA’s Breach of Sensitive Security Information
General Services Administration removed the solicitation, including the Screening Management Standard Operating Procedures from FedBizOpps.gov. Appendix D reflects the evolution and history of the redacted Screening Management Standard Operating Procedures.