TSA recently updated its guidance to the air cargo industry regarding the handling of Sensitive Security Information (SSI). The new guidance, which can be accessed here,  applies to Indirect Air Carriers (IACs) and Certified Cargo Screening Facilities (CCSFs), along with other businesses regulated by the agency.

• Background on SSI. SSI is a category of sensitive transportation security information governed by 49 C.F.R. Part 1520. In short, SSI is information that, if publicly released, would be detrimental to transportation security. Section 1520.5(b) lists 16 specific categories of SSI, including security programs, Security Directives, Information Circulars, vulnerability assessments, screening procedures, and threat information. Those who possess SSI are “covered persons” under § 1520.7 and must, among other things, appropriately mark SSI (§ 1520.13), safeguard SSI (§ 1520.9), limit access to SSI on a need-to-know basis (§ 1520.11), and destroy SSI when no longer needed (§ 1520.19). Unauthorized disclosure can trigger civil penalties under § 1520.17.
• Why this Matters to IACs and CCSFs. Much of the data and documents that IACs and CCSFs handle every day is SSI by definition. This includes the terms of the Indirect Air Carrier Standard Security Program (IACSSP), the Certified Cargo Screening Standard Security Program (CCSSSP), and the Standard Screening Procedures for Air Cargo (SSPAC). But it can also include TSA inspection and investigation correspondence, information regarding cargo intended for air transportation, Standard Operating Procedures, and even lists of individuals within an enterprise that have cargo-access rights. TSA’s guidance is a reminder that SSI status attaches based on the substance of a piece of data or a document, regardless of whether the document is marked as SSI, and that every covered person, from the Security Coordinator and Cybersecurity Coordinator down to warehouse personnel and dock workers, shares the duty to mark, protect, and properly destroy SSI in their possession.
• Practical Handling Expectations. The updated SSI materials reiterate TSA’s core compliance pillars and modernize them for today’s hybrid workforce. SSI must carry a specific TSA-provided header and footer on every page, even where only a single sentence is sensitive. Physical documents containing SSI must be locked up when not in use, encrypted when transmitted by email (with the password sent separately), and shredded when no longer needed. Personal devices, personal email accounts, public Wi-Fi, and unsecured video-conferencing tools are off-limits. The guidance further cautions against discussing SSI within earshot of ambient “virtual assistants” (e.g., Alexa) and underscores the regulatory duty under § 1520.9(c) to report any unauthorized disclosure to TSA promptly. Authorized Representatives who receive SSI to perform work for IACs or CCSFs become “covered persons” themselves and must be contractually advised of their Part 1520 obligations.
• Guidance on AI. The most notable addition to the SSI guidance is an explicit prohibition on the use of publicly available artificial intelligence tools to process SSI. TSA states categorically that uploading SSI and other sensitive information into publicly available AI on the internet is strictly prohibited and warns that commercial AI tools may ingest user inputs into their databases and surface them to other users through the AI-training process. Per TSA, any such upload “will result in an unauthorized disclosure and a violation of Part 1520 Regulations.” The position is consistent with the longstanding directive that SSI should never be posted to the internet, but now TSA has spoken directly to generative AI, AI assistants, and similar tools. For IACs and CCSFs, any operational use of AI must run on an enterprise-controlled tool with appropriate access restrictions, not on an open AI platform (e.g., ChatGPT, Google Gemini, Claude AI, etc.). Additionally, any proprietary AI systems developed by the company must be submitted to, and approved by, TSA prior to use with SSI. Companies should update acceptable-use and AI policies, training, and vendor agreements accordingly, and consider whether their existing SSI safeguards adequately address inadvertent disclosure through AI features now embedded in everyday productivity software.
• Requirements v. Recommendations. While 49 C.F.R. Part 1520 plainly carries the force of law, the same cannot be said of every document TSA publishes to the air cargo industry. The agency’s Best Practices Guides, Quick Reference materials, training decks, FAQs, and recent pronouncements—including its categorical statement that Sensitive Security Information may not be entered into publicly available AI tools—occupy a murkier space. They were not promulgated through notice-and-comment rulemaking, are not codified, and on their face read as guidance rather than binding obligations. Yet TSA often presents them as though they were extensions of the regulation itself, and regulated parties are left to guess whether a deviation invites only an enforcement conversation or an actual civil penalty under § 1520.17.

The Scopelitis Air Cargo Team is available to assist IACs, CCSFs, and others subject to the SSI regulations with compliance questions and enforcement cases.