When paper records contain SSI it should be marked with the protective marking and distribution limitation statement in which of the following locations?

1.3         Sensitive Security Information

This section applies to all persons and entities that have access to information classified by the Maryland Aviation Administration as Sensitive Security Information (SSI) and provides instructions on the procedures that must be strictly adhered to when working with SSI information.

All projects designed, procured and constructed at BWI Marshall and MTN shall comply with these requirements.

SSI electronic files submitted to MDOT MAA, such as drawings, specifications, engineering reports, etc., shall be named per Volume 2, Section 3.3 Standard File Naming Convention.

A.      The provisions of this section apply to the following physical security systems at the BWI Marshall Airport and their component data:

1.       Controlled Access Security System (CASS)

2.       Closed Circuit Television (CCTV)

3.       Flex Response System

4.       Computer Aided Dispatch (CAD)

B.      Additionally, this section applies to the following groups of personnel who interface with these systems and must manage their associated SSI:

1.       MDOT MAA Office of Engineering & Construction

2.       MDOT MAA Office of Airport Security

3.       MDOT MAA Office of Procurement

4.       MDOT MAA Office of Airport Operations

5.       MDOT MAA Office of Commercial Management

6.       MDOT MAA Office of Information Technology

7.       MDOT MAA Office of the Attorney General

8.       Consultants

9.       Construction Management and Inspection Consultants

10.   Construction Contractors

11.   Construction Subcontractors

12.   Sole Source System Contractors under contract to MDOT MAA

13.   Tenants and their consultants and contractors performing facility modifications under the authority of a MDOT MAA Building Permit

Personnel within these organizations that must handle SSI pursuant to discharging their professional responsibilities are considered “covered” with a “need to know.”

1.3.1            Protected SSI Systems

1.3.1.1            Controlled Access Security System (CASS)

A.      Description - The Controlled Access Security System (CASS) provides a means of opening and closing doors to secure areas through the use of a card reader and data contained on an access card (MDOT MAA Security Badge). The system produces an automated log of all activity and interfaces with other security systems. Additionally, there are subsystems which use the same components for limited, related applications.

B.      System Components

1.       CASS Reader

2.       Power Supply

3.       Control Panel

4.       Door Security Hardware

5.       Head-end Equipment

6.       Other Peripheral Devices

C.      System Administration

1.       System Manuals

2.       System Drawings

3.       Software

4.       Training Documents

Note: Data logs, the employee database and other system data may be considered SSI but are beyond the scope of this section.

1.3.1.2            Closed Circuit Television (CCTV)

A.      Description – The Closed Circuit Television (CCTV) System provides a means of viewing activity at various locations throughout the BWI Marshall campus through the use of a series of cameras and monitors. The system includes the capability to record video of images viewed through the remote camera. The system is integrated and can be controlled remotely. Additionally, there are subsystems which use the same components for limited, related applications (such as the Exit Lane Breach Detection System).

B.      System Components

1.       Cameras

2.       Monitors

3.       Power Supply

4.       Digital Video Recorders

5.       Fiber Optic Transceivers

6.       Head-end Equipment

7.       CCTV – CASS Interface

C.      System Administration

1.       System Manuals

2.       System Drawings

3.       System Codes

4.       Software

5.       Training Documents

1.3.1.3            Flex Response

A.      Description – The Flex Response System is a stand-alone audible and visual alarm system that provides a means of alerting law enforcement and airline gate personnel of a security concern arising from personnel activity or carry-on baggage screening at pier security checkpoints. There are two alert levels: amber and red. Additionally, the system can be activated by opening a door to an Automated External Defibrillator (AED) cabinet.

B.      System Components

1.       Strobe

2.       Audio alarm

3.       Power Source

4.       Head-end Equipment

5.       Activation switches

C.      System Administration

1.       System Manuals

2.       System Drawings

3.       Training Documents

1.3.1.4            Computer Aided Dispatch System (CAD)

A.      Description – The Computer Aided Dispatch (CAD) System is an automated point of entry which provides an integrated information gathering function from multiple call, alarm, and signaling sources and distributes that information to appropriate emergency response units for public safety purposes. Basic functions provided by CAD include resource management, call taking, location verification, dispatching, unit status management, and call disposition. Interface with mobile data computers and other external safety and security systems, along with local, state and federal information systems, benefit timely and effective response to emergency situations.

B.      System Components

1.       Computer Hardware and Software

2.       Audio headsets

3.       Audio visual monitors

4.       Keyboards

5.       Cable connections

6.       Workstation units

7.       Integration of communication, safety, and alarm systems:

a.       Telephone

b.       State and Regional NCIC

c.       Fire Alarm System

d.       Controlled Access Security System (CASS)

e.       Closed Circuit Television System (CCTV)

f.        Flex Response System

g.       Fire Rescue Facility Alerting and Activation

h.       Messaging System

i.         Master Time Clock

j.         Records Management System (RMS)

C.      Systems Administration

1.       Systems Manuals

2.       Systems Drawings

3.       Systems Codes

4.       Software

5.       Training Documents

6.       Maintenance and Service

1.3.2            Security System Drawings

Security System design shall be produced as separate and unique sections in the Contract Drawings. Security Systems shall be defined as the Controlled Access Security System (CASS), the Digital Video Management System (DVMS) or Close Circuit Television (CCTV) system, and the supporting communication and storage systems including the Local Area Network (LAN), the fiber-optic backbone, system servers, and the Storage Area Network (SAN). With the prior written authorization of the MDOT MAA’s Office of Information Technology, infrastructure design elements that are located in secure telecommunication rooms or other secure locations may be kept in the general Contract Documents rather than be considered to be part of the Security System design. This authorization will be made on a contract by contract basis and does not alleviate the designer from any coordination required for the design of Security Systems.

All information pertaining to the Security System design must be clearly tagged as Security Sensitive Information (SSI). All Security System submittals and Contract Documents must be labeled, bound, and transmitted separately. These documents shall be protected when being transmitted or transferred using encrypted files with passwords to prevent unauthorized access. These documents must also carry the following statement:

WARNING: This record contains Sensitive Security Information that is controlled under 49 CFR Part 15 and 49 CFR Part 1520. No part of this record may be disclosed to persons without a "need to know", as defined in 49 CFR Part 15 and 49 CFR Part 1520, except with the written permission of the Administrator of the Transportation Security Administration or the Secretary of Transportation. Unauthorized release may result in civil penalty or other action. For U.S. government agencies, public disclosure is governed by 5 U.S.C. 552 and 49 CFR Part 15 and 49 CFR Part 1520.

1.3.3            SSI General Requirements

1.3.3.1            General SSI Requirements

The Maryland Aviation Administration maintains physical security systems which are contained within, and integrated into, various facilities. Even though these systems (which are listed above in Section 1.3) are maintained and operated by sole source system contractors, they may be affected by various construction projects.

The design and construction of these projects involve the disclosure, reproduction and distribution of SSI among the owner, consultant design team and the contractor team.

1.3.3.2            Access to SSI

Access to SSI is limited to “covered persons” listed in 49 CFR 1520.7 with a “need to know,” as defined in 49 CFR 1520.11. “Need to know” is limited to persons who carry out or supervise the maintenance or improvement of designated systems in the performance of their job.

1.3.3.3            Categories of SSI

There are sixteen categories of SSI. Five of those categories pertain to this section. These are highlighted below:

1.       Security Programs and Contingency Plans

2.       Security Directives

3.       Information Circulars

4.       Performance Specifications

5.       Vulnerability Assessments

6.       Security Inspection or Investigative Information

7.       Threat Information

8.       Security Measures

9.       Security Screening Information

10.   Security Training Materials

11.   Identifying Information of Certain Transportation Security Personnel

12.   Critical Aviation or Maritime Infrastructure Asset Information

13.   Systems Security Information

14.   Confidential Business Information

15.   Research and Development

16.   Other Information

1.3.3.4            Determination of SSI

Determination of SSI designation for design and construction projects shall be made in accordance with the provisions of this section by the Maryland Aviation Administration Director of Airport Security (DOAS). At each project design kick-off meeting, it shall be the responsibility of the assigned MDOT MAA Project Manager (Design) to discuss the project scope with the DOAS and obtain a preliminary SSI determination for the project. The DOAS shall be required to provide a written document outlining what portions of the design are considered SSI subject to the provisions of this section. The MDOT MAA Project Manager (Design) shall be responsible for ensuring that this documentation is obtained and distributed only to those team members with a “need to know,” and that all portions of the design designated by the DOAS as SSI are adequately marked in accordance with the provisions of this section.

If a subordinate MDOT MAA staff member or consultant design team member believes that the SSI designation has been omitted, he shall immediately inform the MDOT MAA Project Manager (Design) for a designation determination. In the absence of the MDOT MAA Project Manager, the next highest member of the chain of command shall be notified for a designation determination.

1.3.3.5            Control and Release of SSI

SSI may be released to federal, state and municipal government officials and employees, local law enforcement officials, and regulated parties who have a “need to know” as established by regulation, authorized by procedure established by the DOAS, or authorized by the TSA Administrator.

SSI requested under the Freedom of Information Act (FOIA) is exempt from disclosure under the FOIA based on Exemption 3, 5 USC 552(b)(3). Any decision to release SSI under the FOIA must have the concurrence of the TSA Administrator. Requests for Information that are addressed to regulated parties, such as requests under state and local freedom of information or open records acts, should be referred to the DOAS, who may need to refer the request to the TSA Administrator.

If a record contains SSI but also contains non-SSI that may be disclosed, the latter will be provided in response to a FOIA request, provided the record is not otherwise exempt from disclosure under FOIA, if it is practical to redact the requested information from the record.

Maryland State Government Article Section 10-611 et seq. grants the public a broad right of access to records that are in the possession of state and local government agencies. It has been a part of the Annotated Code of Maryland since its enactment as Chapter 698 of the Laws of Maryland 1970 and is similar in purpose to the FOIA, 5 USC. §552, and the public information and open records acts of other states. SSI is exempt from the provisions of PIA.

1.3.3.6            Protective Marking and Media Containing SSI

A.      General: - Any person who creates a record containing SSI shall include a protective marking and distribution limitation statement.

B.      Paper (“Hard Copy”): - All SSI documents shall contain the following protective marking in the document header:

Sensitive Security Information

This protective marking should be stamped or typed in plain style bold text.

The following distribution limitation statement shall be contained in the document footer and informs the viewer that the record must be protected from unauthorized disclosure.

WARNING: This record contains Sensitive Security Information that is controlled under 49 CFR Part 15 and 49 CFR Part 1520. No part of this record may be disclosed to persons without a "need to know", as defined in 49 CFR Part 15 and 49 CFR Part 1520, except with the written permission of the Administrator of the Transportation Security Administration or the Secretary of Transportation. Unauthorized release may result in civil penalty or other action. For U.S. government agencies, public disclosure is governed by 5 U.S.C. 552 and 49 CFR Part 15 and 49 CFR Part 1520.

The Header and Footer described above shall appear on the cover page of any document, report or specification that contains any SSI and on every page of the document containing SSI.

The distribution limitation statement described above shall be included on all project plan sheets, diagrams, shop drawings, record drawings or any other drawings that contain SSI about the affected systems or their component parts.

Charts, maps, and drawings designated as SSI must have the appropriate protective marking and the distribution limitation statement affixed in a manner that is plainly visible.

C.      Facsimile Cover Sheets: - Documents used to transmit SSI (such as facsimile cover sheets) but that do not themselves contain SSI, must be marked with the protective marking and distribution limitation statement. The following statements must be affixed to the front page of the cover sheet:

This facsimile is intended for the recipient only. If this is received by someone other than the intended recipient, the person receiving the message should immediately contact the sender for further instructions.

The protective marking SENSITIVE SECURITY INFORMATION and/or the distribution limitation statement on this page are cancelled when the attachments containing SSI are removed.

D.      Transmittal Letters: – Like facsimile cover letters, transmittal letters do not themselves contain SSI, but may cover other documents that do and must be marked with the protective marking and distribution limitation statement. The following statements must be affixed to the front page of the transmittal letter:

This transmittal letter is intended for the recipient only. If this is received by someone other than the intended recipient, the person receiving the message should immediately contact the sender for further instructions.

The protective marking SENSITIVE SECURITY INFORMATION and/or the distribution limitation statement on this page are cancelled when the attachments containing SSI are removed.

E.       Plans and Specifications containing SSI:

1.       Plans and Specifications containing SSI (hereafter also referred to as “plans and specifications”) - All project plans and specifications used in design and construction that contain SSI shall comply with the provisions of Volume 2, Section 3.1.2 Electronic documents containing Sensitive Security Information (SSI), Protective Marking of Media Containing SSI.

Plan and specification sets shall be numbered by the MDOT MAA Project Manager or his designee. Set numbers shall be recorded by the MDOT MAA Project Manager by project phase (design, procurement or construction).

In the case of plan sets or other cases in which these drawings are combined into a single bound document, the document cover page/sheet shall contain the protective marking and distribution limitation statement, and all project plans and specifications that contain SSI shall comply with the provisions of Volume 2, Section 3.1.2 Electronic documents containing Sensitive Security Information (SSI), Protective Marking of Media Containing SSI.

2.       Electronic media: - SSI contained on electronic media and magnetic media must have the protective marking and the distribution limitation statement applied at the beginning and end of the electronic and magnetic text; on each side of the disk and the disk sleeve / jacket; on the non-optical side of the CD-ROM, DVD or other format disk; and on both sides of the CD-ROM, DVD or other format disk case. Memory sticks that contain SSI shall be indelibly marked “SSI” on both sides of the device.

3.       Electronic Mail (e-mail): - SSI contained within an electronic mail message must include the protective marking within the subject line of the message and the distribution limitation statement applied at the end of the message text.

1.3.3.7            Protection and Safeguarding of SSI

All personnel possessing SSI are responsible for ensuring that such information is safeguarded at all times from disclosure to unauthorized personnel. When the information is not under the individual's direct physical control, the individual is responsible for ensuring that it is safeguarded and protected so that it is not physically or visually accessible to persons who do not have a need to know. When unattended, SSI must be secured in a locked container, office, or other restricted access area with access to the keys or combination limited to those with a “need to know.”

A person who receives an unmarked record containing SSI should apply the protective marking and distribution limitation statement and inform the sender of the omission.

Anyone possessing SSI is responsible for ensuring that the information and records containing SSI are protected at all times from disclosure to anyone who does not have a “need to know.”

When SSI is not under direct physical control, the covered person must ensure that it is protected in such a way that it is not physically or visually accessible to persons who do not have a “need to know.”

The authority to share SSI with any person or entity without a “need to know” is limited to the TSA Administrator.

Every covered person has the responsibility to safeguard SSI according to the CFR and TSA policies. If a covered person encounters a situation in which SSI has been inadvertently shared with a person without the “need to know,” immediately notify the MDOT MAA Project Manager.

1.3.3.8            Transmission of SSI

A.      Non-electronic methods:

1.       Mail – Material will be placed in a single opaque envelope or container and sufficiently sealed to prevent inadvertently opening and to show evidence of tempering. The envelope or container will bear the complete name and address of the sender and addressee. SSI materials will be mailed by US Postal Service First Class Mail or a reputable commercial delivery services such as Federal Express or UPS. The outside wrapping will NOT be marked as SSI.

2.       Interoffice mail – SSI must be sent using unmarked, opaque, sealed envelope so that SSI cannot be read through the envelope.

3.       Hand-carrying between buildings – SSI material carried by hand within or between buildings must be protected to prevent inadvertent visual disclosure.

B.      Electronic methods:

1.       Electronic mail - Prepare SSI information, marked accordingly, in a separate password protected document. Passwords should be sent separately with no subject line or shared either in person or via telephone. Use as attachment in email. SSI should not be sent to personal email accounts. Guidance for passwords:

a.       Be at least 8 characters in length

b.       Have at least one letter upper case and one letter lowercase

c.       Contain at least one special character

d.       Contain at least one number

e.       Not be a word in the dictionary

2.       Web Posting – MDOT MAA does not authorize the posting of SSI on Internet or Intranet sites, unless the site has met prescribed MDOT MAA security standards.

3.       Facsimile – Use marked coversheet, mark documents appropriately, and ensure receiver is available to retrieve information immediately. Preferable to be constant voice contact during transmission to confirm receipt.

Facsimiles sent to a controlled, secure area where unauthorized people cannot intercept the SSI material may be sent without requiring the recipient to be there.

4.       Telephone – Will be done carefully to prevent eavesdropping. Land lines in non-public locations are more secure that cellular telephones.

5.       CD’s AND DVD’s – Should be encrypted or password protected, and the SSI Header and Footer should be affixed to the CD or DVD.

6.       Electronic Presentations (e.g., PowerPoint) – Should be marked with the SSI Header on all pages and the SSI Footer on the first and last pages of the presentation.

7.       Video and Audio – Should be marked the SSI Header and the SSI Footer on the protective cover when able and the header and footer should be shown be shown and/or read at the beginning and ending of the program.

8.       When Leaving Your Desk or Computer – SSI must be secured in a locked container, office, or other restricted access area with access to the keys or combination limited to those with a need ‘to know” and the computer should be turned off.

9.       SSI Stored on Network Folders – Will either require a password to open or the network should limit the access to the folder to covered persons only.

1.3.3.9            Reproduction of SSI

The reproduction of SSI shall be kept to a minimum with only those with a “need to know” being allowed access to the subject files. Documents shall only be reproduced for the expressed use of personnel actively involved with work pertaining to the project. These electronic documents shall be shared via password protected files with the approval of the SSI coordinator. Hard copy reproduction should be avoided unless absolutely necessary and only allowed with the approval of the SSI coordinator. In the event a hard copy is approved by the SSI coordinator, only the trained person with the “need to know” shall be allowed to reproduce the document.

Documents containing SSI may be reproduced by an external organization (e.g., FedEx, Kinko’s, Staples, etc.). The individual(s) assigned to make the reproduction(s) must first sign a non-disclosure agreement (NDA) to be kept by whoever contracted for or purchases such services. A covered person* must be physically present to oversee the process and ensure that the person making the copies does not read or intentionally or unintentionally retain a copy of the SSI document.

* A covered person, as defined by 49 CFR Part 15 and 49 CFR Part 1520, may reproduce records containing SSI. Reproductions may only be shared with covered persons with a need to know.

1.3.3.10          The Project Process

A.      Project Responsibilities:

Responsibilities for SSI during the Project process are shown in the following table:

Note: * MDOT MAA Project Phase Management Staff will retain responsibility for the safeguarding and management of SSI by their respective team members from their first contact with SSI until the project is complete and all SSI is retained in archived documents or destroyed.

B.      The Pre-design Phase:

1.       General – At the project design kick-off meeting, a preliminary SSI determination will be made by the MDOT MAA Director of Airport Security (DOAS) The MDOT MAA Project Manager (Design) shall consult with the DOAS and the affected Sole Source System Contractor(s) in making this determination.

If the project is identified as containing SSI, the project management personnel (MDOT MAA and Consultant) and MDOT MAA reviewers shall obtain MDOT MAA Security (Red) Badges and successfully complete MDOT MAA SSI training prior to handling SSI throughout the project.

2.       MDOT MAA DOAS – The MDOT MAA DOAS is responsible for providing SSI training to project personnel and for issuing red security badges to project management personnel (MDOT MAA and Consultant). For MDOT MAA reviewers, the MDOT MAA DOAS is responsible for providing SSI training and for ensuring that reviewers pass a TSA Criminal History Record Check (CHRC) and a TSA Security Threat Assessment (STA).

C.      The Design Phase:

1.       MDOT MAA Project Manager (Design) – The MDOT MAA Project Manager (Design) is the responsible officer for the safeguarding of SSI generated and handled by the Design Team throughout the duration of the project. The MDOT MAA Project Manager (Design) assigned to a project that includes SSI shall be thoroughly familiar with the provisions of this section and shall ensure that the Design (Consultant) Project Manager receives a copy of this section for reference and compliance. The MDOT MAA Project Manager (Design) shall obtain signed “MDOT MAA Confidentiality and Non-Disclosure Agreement – Sensitive Security Information” forms (contained in Appendix 7A - Standard Forms) from all design team members, Design A/E’s, Construction Management and Inspection members and Sole Source System Contractor(s).

The MDOT MAA Project Manager (Design) shall also ensure that the contract documents prepared by the design team include the required SSI language in the Notice to Contractors and Specification 010007X_Sensitive Security Information (SSI) System Requirements During Construction, (contained in Appendix 7B - Standard Specifications) in the project specifications.

The MDOT MAA Project Manager (Design) shall ensure the accounting of all Plan and Specification review sets and their destruction. The MDOT MAA Project Manager (Design) shall maintain a master list of design team covered persons with “need to know” (including MDOT MAA reviewers) throughout the project and ensure that all design team project management staff comply with security badging and SSI training prior to handling SSI. The MDOT MAA Project Manager (Design) shall provide and account for final plans and specification sets provided to the affected Sole Source System Contractor(s) for use during design and the procurement phase.

2.       Design (Consultant) Project Manager – The Design (Consultant) Project Manager shall work under the direction of the MDOT MAA Project Manager (Design) and ensure compliance with all provisions of this section by all design team members.

3.       Design Review Conferences –The MDOT MAA Project Manager (Design) shall ensure that project stakeholders who have the “need to know” and participate in the design review process for projects with SSI understand and comply with SSI provisions contained herein. Plan and Specification sets used for staff review shall be numbered and accounted for by the MDOT MAA Project Manager (Design). Upon completion of all design reviews, all Plan and Specification sets shall be returned for destruction under the supervision of the MDOT MAA Project Manager (Design).

4.       Sole Source System Contractor – Affected Sole Source System Contractor(s) shall avail themselves to the MDOT MAA Project Manager (Design) for design coordination. Affected Sole Source System Contractor(s) shall attend and participate in all design review conferences.

D.      The Procurement Phase:

1.       General – Plan and Specification Sets will be sold only to Contractors and Subcontractors who meet all of the requirements listed within the Notice to Contractors (contained in Section 1.3.3 SSI General Requirements).

All advertisements for projects containing SSI shall include the language contained in Section 1.3.4 SSI Language to be included in the Notice to Contractors.

2.       MDOT MAA Project Manager (Procurement) – The MDOT MAA Project Manager (Procurement) is the responsible officer for the safeguarding of SSI generated and handled by the Procurement Team throughout the duration of the project. The MDOT MAA Project Manager (Procurement) shall maintain a master list of covered persons (including Contractors who purchase Plans and Specifications) with “need to know” during this phase of the project. The MDOT MAA Project Manager (Procurement) shall obtain signed MDOT MAA Confidentiality and Non-Disclosure Agreement – Sensitive Security Information forms (contained in Appendix 7A - Standard Forms) from all bidders and shall require a refundable deposit of $6,000 in the form of a certified check which shall be held until Plan and Specification sets are returned intact to MDOT MAA Procurement personnel. The MDOT MAA Project Manager (Procurement) shall schedule and conduct the pre-bid conference in accordance with requirements contained herein.

3.       Pre-Bid Conference – The pre-bid conference for a project that includes SSI within the Plans and Specifications shall include a briefing by the MDOT MAA Project Manager (Procurement) to all bidders on the SSI handling requirements contained herein, with special emphasis on the provisions of the MDOT MAA Confidentiality and Non-Disclosure Agreement – Sensitive Security Information, bidding, coordination with sole source system contractor(s), and control of SSI during the construction phase.

4.       Sole Source System Contractor - The bidder(s) and the SSSC will confirm task assignments and bid accordingly. Sole source system contractor(s) local representative(s) shall attend the pre-bid conference if their system is affected by the project and avail themselves to bidders to coordinate bid preparation.

E.       The Construction Phase:

1.       General – Plans and Specifications shall be used during the construction phase on a “need to know” basis with the disclosure and acknowledgement of the Contractor and Subcontractors and the assistance of the MDOT MAA Project Manager (Construction). The Contractor shall obtain the Project SSI Management Plan template from the DOAS to complete. The Contractor shall be required to submit the SSI Management Plan after receipt of a Notice of Recommended Award (NORA). The Contractor’s SSI Management Plan must be accepted by MDOT MAA before MDOT MAA will issue a Notice to Proceed (NTP) for the project.

The SSI Management Plan is subject to an MDOT MAA review and acceptance process wherein MDOT MAA has seven (7) calendar days to review and comment on the SSI Management Plan each time it is submitted for review. The Contractor shall be allowed up to thirty-five (35) calendar days from NORA (including MDOT MAA review periods) to prepare and gain approval of the SSI Management Plan. If acceptance of the SSI Management Plan occurs after thirty-five (35) calendar days from NORA, the Contract Performance Time specified elsewhere in the contract shall be reduced by the number of days of delay in MDOT MAA acceptance of the SSI Management Plan.

The Contractor’s designated Project SSI Coordinator and the designated alternate SSI Project Coordinator shall obtain MDOT MAA Security (Red) Badges and undergo MDOT MAA SSI training prior to handling Plan and Specification sets.

2.       MDOT MAA Project Manager (Construction) – The MDOT MAA Project Manager (Construction) is the responsible officer for the safeguarding of SSI generated and handled by the Construction Team throughout the duration of the project. The MDOT MAA Project Manager (Construction) shall maintain a master list of covered persons with a “need to know” during this phase of the project to ensure that all project management staff comply with security badging and SSI training prior to handling SSI. The MDOT MAA Project Manager (Construction) shall obtain signed MDOT MAA Confidentiality and Non-Disclosure Agreement – Sensitive Security Information forms (contained in Appendix 7A - Standard Forms) from all management-level members of the construction Management team (including the CM Management Consultant/Contractor and its Subcontractors and CMI staff who handle SSI). The MDOT MAA Project Manager (Construction) shall review and approve the Contractor’s Project SSI Management Plan. The MDOT MAA Project Manager (Construction) shall account for the return of all Plan and Specification sets.

3.       Construction Manager – The Construction Manager shall work under the direction of the MDOT MAA Project Manager (Construction) and ensure compliance with all provisions of this section by all Contractor and CMI team members.

4.       Pre-Construction Conference – The pre-construction conference for a project that includes SSI within the plans and specifications shall include a briefing by the MDOT MAA Project Manager (Construction) to the prime contractor and affected subcontractor(s) on coordination with sole source system contractor(s) and control of SSI during the construction phase.

5.       Sole Source System Contractor - Sole source system contractor local representatives shall attend the pre-construction conference if their system is affected by the project.

1.3.3.11          Destruction of SSI

When copies of records containing SSI are no longer needed, they must be promptly and completely destroyed. The objective of destruction is to preclude recognition or reconstruction of the information. Destroying SSI shall be done using a cross cut shredder. The applicable MDOT MAA Project Manager (Design, Procurement and Construction) shall supervise and coordinate the destruction of SSI from their applicable project phase and will ensure destruction at the earliest appropriate time.

When a Contractor or Consultant proposes to destroy records containing SSI, the Contractor or Consultant must first provide notification in writing, to the applicable MDOT MAA Project Manager (Design, Procurement and Construction), for approval. This notification must include the following minimum information: identification of information to be destroyed, quantity of copies, date and place of destruction, method of destruction, and residual SSI remaining in the custody of the Contractor or Consultant. After destruction of the documents, the Contractor or Consultant shall submit to the MDOT MAA Project Manager a certification and register of all documents destroyed.

1.3.3.12          Maintenance of Record Drawings and Specifications for Projects Containing SSI

Record Drawings and Specifications shall be maintained for all MDOT MAA projects containing SSI in accordance with established MDOT MAA procedures for the production of project record drawings. All project Record Drawings and Specifications shall be marked in accordance with this section and consolidated for storage in a secure area. The following notation shall be included in the header of SSI record drawings in place of the protective marking:

Sensitive Security Information –Record Drawings

Other record drawing notations required per Volume 2, Section 2.4.1 Record Drawing Preparation, shall be included as well.

The following notation shall be included in the header of SSI record specifications in place of the protective marking:

Sensitive Security Information –Specifications

Other contract documents containing SSI such as shop drawings, coordination drawings, Operations and Maintenance Manuals (O&M), Request for Information (RFI’s) and construction progress photographs shall be identified accordingly.

1.3.3.13          Enforcement of SSI

Civil penalties are assigned for unauthorized disclosure of SSI.

1.3.4            SSI Language to be Included in the Notice to Contractors

All advertisements for projects containing SSI shall include the latest version of the language located on the following pages. The Design (Consultant) Project Manager shall contact the Office of Procurement to obtain the latest version of the SSI language to be included in the Notice to Contractors. The Contractor Representative Information Form (contained in Appendix 7A - Standard Forms) should also be attached to the Notice to Contractors.

1.3.4.1            Sample SSI Language to be Included in the Notice to Contractors

Coordinate specific language with Office of Procurement.

Sample language below:

THIS PROJECT CONTAINS SENSITIVE SECURITY INFORMATION (SSI). ALL CONTRACTORS INTERESTED IN THIS SOLICITATION MUST COMPLY WITH THE FOLLOWING REQUIREMENTS PRIOR TO MDOT MAA GRANTING ACCESS TO VIEW AND/OR PURCHASE THE PROCUREMENT DOCUMENTS.

This project contains Sensitive Security Information (SSI) which shall be handled in accordance with 49 CFR Part 1520. To comply with 49 CFR Part 1520 requirements, MDOT MAA has instituted the following new procedure for bidders interested in this project.

1.3.4.2            Sample SSI Language for New Contract Document Purchase Procedures

Coordinate specific language with Office of Procurement.

Sample language below:

Interested bidders shall not be permitted to view or purchase contract documents for this project or attend the Pre-bid meeting until they have satisfactorily cleared the Transportation Security Administration (TSA) Security Background Verification process. There are two levels of security background verification as follows:

1.       To Purchase and Hold SSI Documents:

a.       Bidders who currently possess a valid Red BWI Security badge shall be required to submit to the Maryland Aviation Administration – Office of Procurement their Name, Company, Security Badge Number and Expiration date as it appears on the security badge. MDOT MAA will verify the validity of the bidders badge and Bidders will be notified of the results by email. Should notification not arrive within the specified period, bidders are urged to call Ms. Linda Marcucci, 410-859-7376 to inquire about their processing status.

b.       Bidders who do not currently possess a valid Red BWI Security badge must successfully complete a TSA Criminal History Record Check (CHRC) and a TSA Security Threat Assessment (STA). Bidders must complete the Application for Airport Identification Badge for all of their designated representatives that will be responsible for purchasing and handling SSI. Individuals who successfully complete a TSA CHRC and STA will be responsible for: protection of the SSI contained in the contract documents; return of all documents at the conclusion of the bidding process; and for any civil penalties incurred in the event that the requirements of 49 CFR Part 1520 are not complied with. Please be advised that MDOT MAA reserves the right to prohibit any bidder that does not pass the Transportation Security Administration (TSA) Security Background Verification from purchasing or holding SSI for this project.

Bidders shall submit an original signed copy of each completed Application for Airport Identification Badge to the Maryland Aviation Administration – Office of Procurement for processing. It is recommended that all bidders submit at least two individuals for processing. (Note: The MDOT MAA Office of Procurement will be the Authorized Signer for the Application, please do not place signatures in the Authorized Signer blocks.) Processing of the application will take at least fourteen (14) Calendar Days and Bidders will be notified of the results by email. Should notification not arrive within the specified period, bidders are urged to call Ms. Linda Marcucci, 410-859-7376 to inquire about their processing status.

NOTE: MDOT MAA CANNOT GUARANTEE TIMELY BIDDER APPROVAL AND/OR DOCUMENT DISTRIBUTION FOR LATE APPLICATIONS SUBMITTED. BIDDERS ARE ENCOURAGED TO SUBMIT APPLICATIONS AS EARLY AS POSSIBLE, PRIOR TO THE SCHEDULED PRE-BID DATE, TO ALLOW TIME FOR RECEIPT AND REVIEW OF DOCUMENTS PRIOR TO THE SCHEDULED BID DATE.

c.       Upon notification by MDOT MAA of successful Transportation Security Administration (TSA) Security Background Verification; or verification of the validity of the bidders red badge, the bidder’s approved representative (Contractor’s Representative hereafter) or red badge holder (Contractor’s Representative hereafter) shall be eligible to purchase the contract documents at the Maryland Aviation Administration – Office of Procurement. In addition, the Contractor’s Representative will be required to meet ALL of the following requirements to purchase a set(s) of plans and specifications:

1.       The Contractor’s representative purchasing the contract Plan and Specification Sets shall be required to provide proof of identification before being granted access to the documents. The representative shall present for MDOT MAA inspection, two forms of original identification documents (valid Driver’s License and Social Security Card, Etc.) matching the information supplied on the corresponding Application for Airport Identification Badge for the individual.

2.       The Contractor’s Representative shall provide documentation to demonstrate that his/her firm is licensed and registered to do business in the State of Maryland.

3.       The Contractor’s Representative shall provide documentation from a surety registered to do business in the State of Maryland demonstrating that his/her firm can secure a bond for the project in the amount specified in the Contract Documents.

4.       The Contractor must be registered in the eMaryland Marketplace as a vendor.

5.       The Contractor’s Representative will be required to execute an MDOT MAA Confidentiality and Non-Disclosure Agreement – Sensitive Security Information prior to purchasing project plans and specifications. (included in Appendix 7A - Standard Forms of this manual). The Contractor’s Representative shall provide a refundable deposit of $6,000/set of plans and specifications in the form of a certified check or money order made payable to the Maryland Aviation Administration. The certified check or money order shall be held by MDOT MAA until the Plan and Specification sets are returned fully intact to MDOT MAA Procurement personnel at which time the check or money order shall be returned to the Contractor.

2.       To View SSI Documents, attend Pre-bid Meeting or attend Field Site Visit:

a.       Bidders who currently possess a valid Red BWI Security badge

Interested bidders who possess a valid red badge shall be permitted to view contract documents, attend the Pre-bid Meeting or attend the Field Site Visit for this project provided they have submitted to the Maryland Aviation Administration Office of Procurement their Name, Company, Security Badge Number and Expiration date as it appears on the security badge; and received verification of the validity of the bidders badge. Bidders will be notified of the validity of their badge within ten (10) days by email. Should notification not arrive within the specified period, bidders are urged to call Ms. Linda Marcucci, 410-859-7376 o inquire about their processing status.

Interested bidders who possess a valid red badge and would like to view contract documents, attend the Pre-bid Meeting or attend the Field Site Visit shall be required to present a valid red badge before being granted access to the documents and/or meetings/site visits.

b.      Bidders who do not currently possess a valid Red BWI Security badge

Interested bidders shall not be permitted to view contract documents, attend the Pre-bid Meeting or attend the Field Site Visit for this project until they have satisfactorily cleared a TSA “No Fly List” Security Background Verification process. Bidders shall be required to complete the attached form titled Contractor Representative Information for all of their designated representatives that will be viewing the contract documents; and/or attending the pre-bid meeting and/or site inspection. Any individual submitting the Contractor Representative Information form shall be considered responsible for protection of the SSI contained in the contract documents and shall be responsible for any civil penalties incurred in the event that the requirements of 49 CFR Part 1520 are not complied with. Please be advised that MDOT MAA reserves the right to prohibit any bidder that does not pass the Transportation Security Administration (TSA) “No Fly List” Security Verification from viewing the contract documents; and/or attending the pre-bid meeting and/or site inspection for this project.

Bidders may submit the Contractor Representative Information form via email to the Office of Procurement to the attention of Ms. Linda Marcucci, . Processing of the Contractor Representative Information forms will take at least ten (10) Calendar Days and Bidders will be notified of the results by email. Should notification not arrive within the specified period, bidders are urged to call Ms. Linda Marcucci, 410-859-7376 to inquire about their processing status. It is recommended that all bidders submit at least two individuals for processing.

NOTE: MDOT MAA CANNOT GUARANTEE TIMELY BIDDER APPROVAL AND/OR DOCUMENT DISTRIBUTION FOR LATE APPLICATIONS SUBMITTED. BIDDERS ARE ENCOURAGED TO SUBMIT CONTRACTOR REPRESENTATIVE INFORMATION FORMS AS EARLY AS POSSIBLE, PRIOR TO THE SCHEDULED PRE-BID DATE, TO ALLOW TIME FOR RECEIPT AND REVIEW OF DOCUMENTS PRIOR TO THE SCHEDULED BID DATE.

Upon notification by MDOT MAA of successful Transportation Security Administration (TSA) Security “No Fly List” Background Verification, the Contractor’s representative shall be permitted to view contract documents, attend the Pre-bid Meeting or attend the Field Site Visit. In addition, the Contractor’s representative shall meet the following additional requirement:

The Contractor’s representative(s) viewing contract documents, attending the Pre-bid Meeting or attending the Field Site Visit shall be required to bring with him/her and present to MDOT MAA Office of Procurement the original signed Contractor Representative Information form and proof of identification before being granted access to the documents and/or meetings/site visits. The representative shall present for MDOT MAA inspection, original identification documents (valid Driver’s License and Social Security Card) matching the information supplied on the corresponding Contractor Representative Information form for the individual.

NOTE: PLANS AND SPECIFICATIONS FOR THIS PROJECT WILL BE NUMBERED AND ARE NOT AUTHORIZED FOR REPRODUCTION BY PROJECT BIDDERS. FAILURE TO RETURN ALL PLAN AND SPECIFICATION SETS FULLY INTACT, UNAUTHORIZED REPRODUCTION OF THE PLAN AND SPECIFICATION SETS OR FAILURE TO COMPLY WITH THE REQUIREMENTS OF THE ‘MDOT MAA CONFIDENTIALITY AND NON-DISCLOSURE AGREEMENT – SENSITIVE SECURITY INFORMATION’ SHALL RESULT IN THE FORFEITURE OF THE DEPOSIT AND MAY LEAD TO CIVIL PENALTIES.

What is the correct way to mark SSI?

Which of the following are approved methods for destroying documents containing sensitive security information SSI )?

Who is responsible for properly marking handling protecting storing and destroying SSI?

What are the consequences for unauthorized disclosure of sensitive security information SSI )? Check all that apply?