U.S. Department of Homeland Security 
Washington, DC 20472 


Grant Programs Directorate Information Bulletin 
No. 359 
April 5, 2011 
TO: All State Administrative Agency Heads 
All State Administrative Agency Points of Contact 
All Urban Areas Security Initiative Points of Contact 
All State Homeland Security Directors 
All State Emergency Management Agency Directors 
All Eligible Regional Transit Agencies 
All Private Sector Transportation Security Partners 
All Public and Private Sector Port Security Partners 
All Tribal Nation Points of Contact 
FROM: Elizabeth M. Harman 
Assistant Administrator 
Grant Programs Directorate 
SUBJECT: Sensitive Security Information Guidance 

Treatment of Sensitive Security Information (SSI) 

FEMA is issuing this bulletin to emphasize the importance of properly marking SSI in grant 
application materials and in submissions of data and information under transparency requirements or 
for reporting under the American Recovery and Reinvestment Act of 2009 (ARRA), P.L.111 - 5. 

SSI is a specific category of sensitive but unclassified information (SBU) that must be protected as 
required by 49 Code of Federal Regulations (CFR) Part 1520 and Department of Homeland Security 
(DHS) Management Directive 11056.1. This category of protection was developed to prevent 
unauthorized disclosure of information that would be detrimental to the security of transportation, 
while at the same time allowing it to be shared with individuals who have a legitimate need to know. 
It is important to note that while SSI is not classified information, there are specific policies and 
procedures for recognizing, marking, protecting, safely sharing and destroying SSI. 

Awareness of the proper handling and safeguarding SSI is required of all DHS and component 
organization employees and contractors, as well as all other stakeholders including FEMA grantees. 
Unauthorized disclosure of SSI information may be grounds for civil penalties and other 
enforcement or corrective actions including disciplinary actions and/or monetary fines. Since 
FEMA, through the Grant Programs Directorate (GPD), and its grantees develop and maintain a 
number of documents that potentially contain SSI, GPD has implemented review processes for those 
documents to ensure compliance of the requirements identified under 49 CFR Part 1520. These 

www.fema.gov 


processes will ultimately improve interactions between GPD and its stakeholders, by increasing 
security in the exchange of information while mitigating potential risks surrounding the release of 
that information. 

SSI is typically information associated with transportation security activities. The following 
information constitutes SSI in 16 SSI Categories, under 49 CFR Part 1520: 

1. 
Security Programs & Contingency Plans 
2. 
Security Directives 
3. 
Information Circulars 
4. 
Performance Specifications 
5. 
Vulnerability Assessments 
6. 
Security Inspections or Investigative Information 
7. 
Threat Information 
8. 
Security Measures 
9. 
Security Screening Information 
10. Security Training Materials 
11. Identifying Information of certain Transportation Security Personnel 
12. Critical Aviation or Maritime Infrastructure Asset Information 
13. Systems Security Information 
14. Confidential Business Information 
15. Research & Development 
16. Other information as determined in writing by the TSA Administrator 
Many of FEMA’s grantees handle information listed here as a regular part of their management and 
administration of FEMA grants. Additionally, this list may be altered as necessary, according to 49 CFR Part 
1520, by the Administrator of the Transportation Security Agency (TSA). It is important to understand that 
even though you may not consider yourself currently affected by this list, it is subject to change. Moreover, 
49 CFR Part 1520 is comprehensive in its identification and inclusion of parties potentially affected by SSI. 
For a full list of covered persons, please review 49 CFR Part 1520.7 “Covered Persons”. 

Specific Documents Related to Grant Programs 

GPD has completed a review of materials specifically related to its grant programs, and found that 
the following could either be potentially perceived as or categorically defined as containing SSI: 

1. 
Infrastructure specific grantee applications 
2. 
Infrastructure specific Investment Justifications 
3. 
Semi-Annual Program Progress Reports and Attachments 
4. 
Grant Reporting Tool (GRT) Submissions 
5. 
Non Disaster Grants System submissions 
6. 
Grants.gov submissions 
7. 
American Response and Recovery Act (ARRA) -specific reporting at 
www.federalreporting.gov 
8. 
Environmental and Historic Preservation (EHP) submissions, specifically those involving 
geospatial data 
These are examples of grantee-submitted data which may contain sensitive information covered 
under 49 CFR Part 1520. Grantees should err on the side of caution in the labelling and tracking of 
SSI materials and follow the protocols described in 49 CFR Part 1520. 


Labeling and Tracking of SSI Materials 

All SSI materials must be properly marked. Even when only a small portion of a document contains SSI, 
every page of the document must be marked with the SSI header and footer shown below. (In instances 
where SSI documents are maintained on portable digital media, the media (including but not limited to: 
compact discs, universal serial bus sticks, digital tapes) containing SSI information must also be marked with 
a label that contains the SSI Footer.) The process of labeling documents as SSI should not be restricted to 
items you intend to transmit or release to other entities with a need to know; all SSI documentation 
must be labeled as such. 

“Protective Marking (header): SENSITIVE SECURITY INFORMATION 

Distribution Limitation (footer): 

WARNING: This record contains Sensitive Security Information that is controlled under 49 CFR parts 15 and 1520. No part of 
this record may be disclosed to persons without a ‘‘need to know’’, as defined in 49 CFR parts 15 and 1520, except with the 
written permission of the Administrator of the Transportation Security Administration or the Secretary of transportation. 
Unauthorized release may result in civil penalty or other action. For U.S. government agencies, public disclosure is governed 
by 5 U.S.C. 552 and 49 CFR parts 15 and 1520.” 

GPD is committed to protection of SSI and may reject application and other documents not properly marked. 
Should you suspect any activity that may include unauthorized disclosures or poor security practices, please 
report them immediately to the GPD SSI Coordinator, Nancy Anne Baugher, at nancy.baugher@fema.gov or 
202-786-9438.