TSA SSI designations database

Dear Transportation Security Administration:

This letter is a formal Freedom of Information Act request for the following records.

This request is by reference to DHS MD 11056.1: <https://www.dhs.gov/xlibrary/assets/foia/mgmt_directive_110561_sensitive_security_information.pdf>. Each item in part A of this request specifically refers to language in the corresponding subsection.

This request is NOT limited to records that are originated/ owned / etc by TSA. If MD 11056.1 applies, it's included, regardless of originating / owning / etc agency. See also "Forwarding; multi-agency / multi-component records" below.

A. Records mandated by MD 11056.1

I hereby request every & all:

1. "record ... of ... designation", § VI.A.3
2. "appointment record", § V.D.1 & V.E.5
3. "procedures and guidance", § V.D.4 & V.E.6
4. "guidance that significantly expands upon the descriptions for categories of information that must be marked and protected as SSI", § VI.B.2
5. "Component-specific SSI guidance", § VI.B.3
6. records marked as SSI though "not governed by a category of information under 1520.5(b)(1) through (15)", § VI.D.1
7. "report regarding this issue", § VI.D.2.c
8. "written determination that identifies a rational reason why the information must remain SSI", § VI.E.2.d
9. "policy and procedures relating to the loss of an SSI designation", § VI.E.3
10. "formal challenge", decision, "appeal to the decision", appeal decision, "further appeal to the decision", and further appeal decision, § VI.F.2
11. "policies, procedures, and guidance for the implementation and management of self-inspection programs for Components that access or generate SSI", "guidance and checklists to facilitate the conduct of selfinspections by SSI Program Manager’s and SSI Coordinators", and "means to monitor and track", § VI.G.3
12. "results of self-inspections", § VI.G.4 & VI.G.5
13. "additional guidance", § VI.I.1 & VI.I.2
14. "report", § VI.L.1
15. "report", § VI.M.1 & VI.M.2

All quoted terms have the meaning that they do in MD 11056.1 in the section(s) cited.

###
Fiat Fiendum FOIA template
Version 5.0
###

# FOIA template structure

All content after the version number line above, except for the contact details at the very end, is part of my standard FOIA request template and identical between all of my FOIA requests. The provisions below are generally applicable to all FOIA / Privacy Act requests that I make.

There is one exception: the contact details below my signature at the very bottom (provided by MuckRock) are different for each request. Please use the distinct contact details matching each request, to ensure that your responses are correctly tracked.

The template provisions specify e.g. additional requests relating to my FOIA/PA requests themselves, form and format, timing, redaction & review, rolling updates, § 508 compliance, identity, fee waiver, my identity, and the like. They apply to this request, but are not specific to it.

If anything in the request-specific section above explicitly overrides anything in this template section, the request-specific section controls. If there is any ambiguity about such an override, please ask me for clarification.

The version number above is provided to make it easier for you to process my requests. Since all content (except contact info) below identical version number lines is identical between my requests, you need track only the request-specific portions (at the top) and the latest version of my general provisions.

Please read each new version carefully, as updates generally contain substantive changes.

## Template version updates

If you receive any FOIA request from me with a newer template version number than any pending prior FOIA requests from me, please replace the template portion of all prior requests with the updated version, treat the update as a clarification of and/or extension to the prior request, and process each updated request accordingly. Do not close the original request or change its request date. If you are permitted by law to refuse to honor such an update, and you choose to exercise that refusal, please process any differences between the new version and the prior version as a new FOIA request in its own right.

# Additional FOIA requests

In addition to the records specified in the request-specific section above, I also request:

B. all records relating to the fulfillment of this request, such as FOIA logs, documentation of searches, referral emails, etc.

This part of the request is to be processed only after you have completed processing all of the above parts. This part does not request that you create any new record; rather, it requests the records that you will have created in processing the above parts, and will therefore exist before you conduct the search for this part. See McGehee v. CIA, 697 F. 2d 1095, 1100-05 (D.C. Cir. 1983) (agency must use time-of-search cut-off date, not time-of-request).

C. all records relating to any complaint(s), FOIA request(s)/appeal(s), and/or Privacy Act request(s)/appeal(s) made by me. This includes, but is not limited to:
1. all records relating to the processing my previous requests, complaints, etc;
2. all records containing the terms my name, email address(es), and other contact or identifying information, listed below my signature; and
3. all records containing any of my complaint, request or appeal identifiers.

Parts (B) and (C) must be processed only after you have processed the items above that line, i.e. such that at the time of the search, the records described will have already been created at the time you conduct the search. Part (C) must be processed after part (B) is completed.

Parts (B) and (C) may overlap with similar prior requests. However, the cut-off date is, at earliest, the date that you complete search on all of the above items. If you wish to administratively merge this request with a prior similar request, I consent on condition that you extend the cut-off date for the prior request, and provide rolling updates. Otherwise, you must treat this as a new request.

For all responsive records, I also request:

D.
1. all parts of the record (i.e. no portion of a record with some responsive portion may be considered "non-responsive");
2. all versions of the record, whether or not currently in use;
3. all record metadata, such as dates on which they were drafted, passed, went into effect, withdrawn, or similar events; person(s) / office(s) responsible; authors; IDs; revision numbers; etc.;
4. a detailed index of all claims of exemption/privilege, regardless of whether the record is claimed to be exempt in whole or in part;
access to inspect the record directly, in its native electronic format; and
5. if any classification applies, mandatory declassification review (MDR) under E.O. 13526, and the result of the MDR, including any declassified records.

"All parts of the record" means that the "record" should be considered to be the most comprehensive record with any responsive portion. For instance:
a) if any portion of an email is responsive, the entire contents of all email thread(s) to which that email belongs is also responsive (including attachments);
b) if a record is part of a larger record, such as a responsive table that is in a chapter of a report, then the entire larger record (e.g. the full report) is responsive, together with any appendices, amendments, etc.;
c) if a record is part of a book, the entire book is responsive;
d) if a record is part of a database, all related database records are responsive;
etc.

"Related database records" has the technical meaning used in relational database management systems (such as SQL). It recursively includes all directly and indirectly related records (starting with all responsive records, include as responsive the full row of each, and recursively include as responsive all rows for which any responsive record has a foreign key or is referenced by a foreign key), together with the schema for all responsive records.

Items in part (D) should be prioritized at the same level as the record they apply to.

# Timing

For all requests above, the "cut-off date" is, at the earliest, the date that you conduct the search.

The priority order listed above is only for items that may take extra time to respond to, and must not be taken as blocking response to an otherwise lower priority item that could be released more quickly than a higher priority item that is pending time-intensive search or review.

# FOIA IA notice

Please note that this request is made after the enactment of Public Law No. 114-185, S. 337 (114th), the FOIA Improvement Act of 2016 (FOIA IA). The revised statute, as specified in the FOIA IA, applies to this request. FOIA IA § 6.

In particular, please note that:
1. you must provide electronic format documents, §§ 552(a)(2) (undesignated preceding text), 552(a)(2)(E) (undesignated following text), 552(a)(3)(B), and 552(a)(3)(C);
2. you may not specify an appeal duration less than 90 days, § 552(a)(6)(C)(A)(i)(III)(aa);
3. you may not withhold any record unless "the agency reasonably foresees that disclosure would harm an interest protected by an exemption described in subsection (b), or disclosure is prohibited by law", § 552(a)(8)(A)(i);
4. you must segregate and partially release records where possible, §§ 552(a)(8)(A)(ii) and 552(b) (undesignated matter following (b)(9)); and
5. you may not claim deliberative process exemption for records more than 25 years old, § 552(b)(5).

# "Record" defined

For the purposes of this request, except as otherwise specified, "record" means any agreement, appendix, application, assessment, attachment, checklist, circular, contract, correspondence (including but not limited to email), data management plan, documentation of search parameters, email, email attachment, form, guide, handbook, index of records, information consent agreement, information sharing agreement, instruction, interpretation, kit, management instruction, manual, memorandum, memorandum of understanding, notice, notification, opinion, order, plan, policy, policy statement, processing note, publication, recording, referral, report, request certification form, request detail report, response, rule, script, standard operating procedure, submission, talking point, training document, video, or related record described, regardless of publication status.

# Anti-duplication exclusion

This request specifically excludes providing me with new copies of any records which have been already provided to me or published online for free (e.g. on the agency's online "reading room"), in full or identically to the form that would be provided to me under this request (i.e. with exactly the same format, redactions, and claimed exemptions).

This is only an exclusion on providing records under this request that are identical to those already provided to me or available online, and only if I am or have already been provided a link to the online version (if "available online").

This exclusion is only intended to limit unnecessary duplication or provision, not to limit what records are responsive to this request, nor to permit failure to disclose the location of a responsive record available online. If this exclusion would in any way increase the cost or duration to respond to this request, it is to be ignored to the extent it does so.

This request is to be treated as separate from all others that I have filed.

# Forwarding; multi-agency / multi-component records

Please forward this request to the FOIA office of every agency component and subcomponent that may have responsive records for independent processing, with a copy to me.

This request includes any records held jointly by your agency in conjunction with any other agency and/or department, in interagency and/or interdepartmental systems of records, or by other agencies or third parties (including contractors) acting pursuant to any agreement with your agency.

# Minimal redaction

Please note that the FOIA requires you to service the maximum extent of my request that can be done via e.g. partial redaction of exempt material. If you believe some portions of a record to be exempt because it contains Sensitive Security Information (SSI, 49 CFR 15 & 1520) or classified information (18 USC 798), please provide a version of the record redacted to the minimum extent necessary to remove exempt information (e.g. per 49 CFR 1520.15), along with adequate information to describe the reason for each specific exemption.

## Redaction of repeatedly occurring content

When redacting any content that appears more than once in the full set of responsive records, please assign a replacement identifier for each, so that your redaction does not obfuscate the commonality.

For example, suppose that responsive records include the names Alice, Bob, Charlie, and Diego, and you determine that each of those names are redactable (e.g. under (b)(7)(C)). Rather than redacting each with only the text "(b)(7)(C)", replace each instance of "Alice" with "(b)(7)(C) - Person 1", each instance of "Bob" with "(b)(7)(C) - Person 2", etc. This e.g. withholds Alice's identity while not withholding the fact of commonality between occurrences.

Please use reasonably descriptive identifiers. For instance, if Elizabeth's name is not redacted but her personal cellphone number is, and that cellphone number appears e.g. both in her email signature and elsewhere by itself, it should in both cases be redacted with the same descriptive identifier, such as "[Alice's cell #]". For documents, this can be specified in the margins. If space or file format does not permit you to do so, then please use a short code (e.g. "[#52]", and provide a table matching codes to full identifiers in your response letter.

If you make any such redactions, please keep but do not provide a table matching codes/identifiers to the redacted content, for use in case your redaction is examined or overturned on appeal or in litigation.

This is a form and format request pertaining to your process of redaction. Because it only applies in situations when you have already exercised the voluntary decision to alter the records from the original form requested, you have necessarily waived any objection to this section "creating a new record", since your act of redaction itself already "makes a new record" in that limited sense. This is only about how you do a redaction you have already decided to make.

This provision limits the scope of your redaction to the minimum possible extent, so that even if you decide to withhold some particular piece of content, you do not also withhold the fact of its being the same as the same content appearing elsewhere. That fact is itself metadata that is explicitly requested as part of this request.

If you decide that the mere fact of two pieces of content being the same is itself withholdable, then please redact it using an identifier that encodes only the reason, and provide a table matching those reason-only identifiers to justifications in your response letter.

# Estimates and rolling updates

In order to help tailor my request, please provide an upfront estimate of the time and cost it will take to complete this request, broken down any significant factors that would affect cost to service, number of records in each category, and your estimate of how many records in the category are likely to be exempt.

Please provide me with incremental updates, with updated estimates for fulfillment of the remainder, rather than having the entirety of the request be blocked until fully completed.

# No new records; electronic & original format

This request does not ask you to create new records.

If you determine that a response would require creating a new record that you do not want to create, please first contact me by email with an explanation of what records you have that would most closely match the information requested and might be acceptable substitutes, so that we can reasonably tailor the request.

In particular, I specifically request that you do not create new documents in response to this request that are modifications of a digital record, such as page-view images, print views, scans, or the like. No such creation or substitution is authorized by FOIA or the Privacy Act.

However, if the same or similar records are held in both electronic and paper formats, this request includes both the paper and electronic versions. The paper version and the digital version are distinct records, and each may contain distinct information such as handwritten or other markings on the paper copy and embedded metadata in the electronic version.

I specifically request both the original, electronic format record, and (if it contains any additional markings) the paper record.

To the extent that the native electronic format is proprietary or otherwise not in format accessible by widely available, open source software, I also request
1. an export of the proprietary format into a standard, open format, as described below, and
2. all proprietary software necessary to use and understand the original, proprietary format records.

# Rehab Act § 508 compliance

In accordance with 5 USC 552(a)(3)(B & C) (E-FOIA), Rehabilitation Act § 508, and FOIA IA, I demand that you respond using original, native format, electronic, machine-processable, accessible, open, and well structured records to the maximum extent possible — for both the content of your response, and any communications about the request (such as response letters).

This means, e.g.:
1. native, original format records rather than PDFs or other conversions (see note above re providing both native electronic records and scans of paper records, if both exist);
2. individual files per distinct source record (e.g. one .msg file per email), named clearly using the record's identifier, title, and date, rather than a single file containing multiple concatenated records;
3. records compliant with the Rehabilitation Act § 508, 36 CFR Part 1194, and I​SO 14289­-1;
4. fully digital text records rather than scans, rasterizations, or OCR;
5. complete electronic records, as held on any computer (including phones, servers, backup servers, mail servers, workstations, etc.), including all headers and attachments, fully expanded e-mail addresses, full addresses for address "aliases", full lists for "distribution list" aliases, all embedded and external metadata, complete bitwise digital copies of the original file, all file headers, and all other file content;
6. blackout rather than whiteout redactions, with every redaction marked with all exemption(s) claimed for that redaction;
7. digital redactions rather than black marker or rasterization;
8. lists and structured data as machine-processable spreadsheets (e.g. CSV, SQL, XSL) rather than word documents (e.g. DOC, PDF, TXT, RTF) or partial printouts (e.g. PDF),
9. open format records (e.g. PDF, AVI, MPG) rather than proprietary format records (e.g. WordPerfect, Microsoft Advanced Systems Format (ASF)) (note above re providing both original, proprietary format records and open format records);
10. scans rather than paper copies;
11. digital audio/video files rather than physical tapes;
12. upload to your Electronic Reading Room (or other publicly accessible server) rather than personal transfer (for all items other than the item requesting records related to me or my requests);
13. email or (S)FTP file transfer rather than CD;
14. email correspondence rather than physical mail; etc.

# Compression, passwords, and uploading large files

Multiple files may be sent in a combined, compressed form using standard ZIP, TAR, GZIP, BZIP2, and/or RAR formats, or sent as separate files, at your discretion.

Do not use any password on any files, including ZIP files etc., unless a password was present in the original, native format (in which case, leave it unaltered, and send me the password).

If there are any files you prefer not to transfer by email (e.g. if they are >10MB), please upload them to me via the link listed below my signature. Doing so is secure, completely free to you, and I will be notified of the upload.

# No physical "duplication"; inspection & direct access

Please note that this request does not request that you physically "duplicate" records, as I do not want you to create any paper or other physical copy for me — I only want electronic versions (or scans, for records that are not fully available in electronic form). As such, I expect there to be no duplication related costs.

Furthermore, I specifically request access for inspection of the records, including direct electronic access, in native format, to any electronic records.

# Request tracking numbers and estimated completion date

Upon receipt, and in every followup response, please state your tracking number(s) for this request, as well as your specific estimated completion date. 5 USC 552(a)(7).

# Communication about this request and method for responding

If you have any questions or updates about this request, please contact me by email, using only the MuckRock email address from which this request was sent. Please do not send responses to my personal or organizational email addresses unless I specifically request you to do so.

Please ensure that all of your responses comply with § 508 of the Rehabilitation Act, 36 CFR Part 1194, and I​SO 14289­-1.

In particular, please make all correspondence pursuant to this request — including notification and responsive records — by email, with native electronic format records, as specified in the request. I do not authorize you to send anything to me by physical mail unless I specifically state otherwise.

Do not respond using ZixCorp "Secure Mail" or any other method that "expires" records from being available. Use only actual email and direct attachments, or upload using the link below, unless I explicitly request otherwise.

# "Reasonable description" and tailoring

Please note that a request need only be "reasonably described" in the sense that you understand what is requested and where you can find it. A request is not improper merely because of the amount of responsive records. I will not agree to a limitation premised on this request asking for voluminous records. However, I may agree to a limitation premised on the difficulty of finding particular records or categories thereof, the quality of records available, paper vs electronic format, or similar issues.

If you believe that any of the requested items are not reasonably described, that they would be overly burdensome to fulfill, or that you need any further information, please be specific about what you consider vague.

Please include in any response about "reasonably described", or any request for narrowing, specific questions I can answer that would clarify matters for you; specific descriptions of what parts of the request more or less burdensome (and why) that could serve as the basis for negotiating a narrower request; and any indexes, finding guides, record categories, record storage practices, likely places that responsive records may be located, or similar information that would allow me to understand your concerns and better tailor the request.

# No fees agreed to; non-commercial status; journalistic & public interest waiver

I am not currently willing to pay for servicing this request. I may be willing to pay if it is necessary; please send a detailed explanation of the costs and their statutory justification, and service the maximum extent of the request that can be done for free in the meantime.

This request is a qualified request for journalistic, public interest purposes. As such, I request fully waived fees, including both public interest fee waiver and journalistic fee waiver.

1. Fiat Fiendum, Inc. (FF) is a 501(c)(3) nonprofit organization, organized for charitable, educational, scientific, and/or literary purposes.

This request is a part of FF's bona fide educational and scientific purpose activities, which are public interest purposes as a matter of law.

2. FF's actions in matters such as this request are non-commercial. My personal interest in the records is also non-commercial.

3. Both Fiat Fiendum as an organization, and I as an individual, are representatives of the news media and entitled to waiver of all search fees.

4. I intend and am able to host and publish all received records online to the general public at no charge, as well to publish highlights, analyses, summaries, commentaries, and other creative, original journalistic and scientific work about responsive records through multiple online publications, as part of Fiat Fiendum's work.

5. The records requested are of significant public interest, entitled to waiver of all duplication fees, since
a. they are requested for 501(c)(3) public interest purposes;
b. as above, I both am able and intend to disseminate the files widely;
c. they would contribute greatly to the public understanding of the operations & activities of your agency, in that they are records that directly describe agency operations & activities, as well as the issues and matters described at the top of this letter;
d. they are not currently readily available; and
e. they are likely to be requested by others.

6. As mentioned above, I am explicitly not asking for any physical duplication, but rather direct server-to-server file transfer or email (or posting on your website). FOIA authorizes "duplication" fees strictly limited to your agency's actual costs, and mandates that your agency use the cheapest available requested methods. I consider the actual costs for server-to-server file transfer to be reasonably estimated by, e.g., Amazon S3's pricing (https://aws.amazon.com/s3/pricing/).

7. I request that, pending fee waiver determination or appeal, you proceed with this request as if it were in the "other non-commercial requester" category.

# Requester

This request is made on behalf of both myself, Sai (in personal capacity) and Fiat Fiendum, Inc. (in official capacity).

“Sai” is my full legal name.

Please note that I am partially blind. I use screen readers (such as VoiceOver and TalkBack). I also need to process documents using computer code (which requires machine-readable data, including metadata). These facts must be considered as part of the basis for, and right to, the form and format requests detailed above.

Sincerely,
Sai
President, Fiat Fiendum, Inc.
Fiat Fiendum is a 501(c)(3) tax-exempt corporation devoted to public interest journalism, government transparency and accountability, individuals' civil rights, and related issues.

Upload link and physical mail address are below. (Again, do not physically mail responsive records without my explicit request; send all responses electronically.)

I appeal your functional denial of my request, your abject failure to address any part of it at all, and your violation of 5 USC 552(a)(6)(i) and (a)(7) (in entirety).

The request is very specific, by reference to DHS & TSA's own policies which require centralized record keeping.

If you wish to claim that you don't understand your own policies, or that they are too vague, please do so with particularity.

I insist that this be processed as an appeal of your adverse determination.

Sincerely,
Sai