John Roth, inspector general for the Department of Homeland Security (DHS), lodged an objection to the way the Transportation Security Administration (TSA) handles information it deems Sensitive Security Information (SSI) in a recent report on IT system security.
The DHS Office of Inspector General (OIG) issued a draft of the “Summary on Audits of Security Controls for TSA Information Technology Systems at Airports” to TSA on Sept. 16 so that the agency could perform a sensitivity review on the document. TSA redacted six pieces of information that it considered SSI from the report. However, this information had already been publicly released in previous OIG reports. OIG’s full report, which includes Roth’s memorandum to TSA Administrator Peter Neffenger in which he challenges TSA’s proposed redactions, was publicly released Jan. 4.
“I can only conclude that TSA is abusing its stewardship of the SSI program,” Roth said in the report. “None of these redactions will make us safer and simply highlight the inconsistent and arbitrary nature of decisions that TSA makes regarding SSI information. This episode is more evidence that TSA cannot be trusted to administer the program in a reasonable manner.”
Roth’s complaint is preceded by a House Committee on Oversight and Government Reform bipartisan report issued in 2014. According to Roth, this report stated that TSA “had engaged in a pattern of improperly designating certain information as SSI in order to avoid its public release because of agency embarrassment and hostility to congressional oversight.”
A spokesperson from TSA stated that, while the agency is committed to working with DHS OIG, its decisions to redact certain pieces of information were justified. The spokesperson mentioned that one of TSA’s guiding principles is that pieces of information can be harmful when aggregated.
“The TSA is committed to a strong and collaborative working relationship with the DHS inspector general. Still, it is vitally important to protect information that our experts deem potentially detrimental to the security of transportation if publicly released. In a letter addressed to TSA, the inspector general called into question the manner and process by which TSA protects sensitive information,” a representative from TSA said. “TSA stands by its determinations with respect to identifying sensitive information that should not be released to the public. We will work directly with the OIG to address specific concerns raised in his letter as well as the appropriate process for raising those concerns.”
DHS OIG’s audit examined three security control areas: operational controls, technical controls, and management controls. According to the report, TSA said that closed-circuit televisions and cameras at airports do not constitute IT equipment, and that the agency is therefore not responsible for maintaining these devices.
Previously, DHS OIG recommended that TSA rectify several IT systems deficiencies, such as inadequate physical security for TSA server rooms at airports, unpatched software, missing security documentation, and incomplete reporting of IT costs. Although DHS OIG stated in its recent report that TSA has addressed many of these issues, it has two new recommendations for the agency.
DHS OIG recommends that TSA assess the risk of not having redundant data communications capabilities and create a plan for nationwide security control reviews. According to the report, TSA concurred with both recommendations.
“There are plans to visit airports throughout the year to address the physical and environmental controls of the TSA Information System Restricted Access areas,” TSA said in response to the second recommendation, according to OIG’s report. “TSA will conduct reviews on a recurring basis nationwide.”