CISA PUBLISHES TECHNICAL RULE on PROTECTED CRITICAL INFRASTRUCTURE INFO

WASHINGTON—Today, the Department of Homeland Security (DHS) and Cybersecurity and Infrastructure Security Agency (CISA) are issuing a technical rule to improve and modernize aspects of the Protected Critical Infrastructure Information (PCII) Program, which provides legal protections for cyber and physical infrastructure information submitted to DHS. These non-substantive, technical edits amend the Protected Critical Infrastructure Information (PCII) Program regulation found at 6 CFR part 29, to help critical infrastructure owner/operators, state and local governments, and other important stakeholders more effectively use the PCII Program.

For info from CISA see these links PCII Program | CISA,

How Does PCII Protect My Information?

Authorities Governing PCII: The CII Act of 2002 and its implementing regulation, 6 CFR part 29, “Procedures for Handling Critical Infrastructure Information” ensure critical infrastructure information voluntarily shared with the government and validated as PCII by DHS/CISA is protected from:

Disclosure from Freedom of Information Act (FOIA) requests
Disclosure under state and local disclosure laws
Use in regulatory proceedings
Use in civil actions

Accessing PCII: Only authorized federal, state, and local government employees or government contracted personnel who are trained and certified in the strict safeguarding and handling requirements, have a need-to-know, have homeland security responsibilities, and sign a Non-Disclosure Agreement (non-federal employees only) may access PCII.

Marking PCII: Only the PCII Program Office or the PCII Program Manager Designees may mark information as PCII and assign a submission identification number. To ensure proper handling and safeguarding from disclosure:

PCII documents include a PCII Program Green Cover Sheet outlining protection requirements
PCII is marked with “PROTECTED CRITICAL INFRASTRUCTURE INFORMATION” in the headers and footers to alert users of the information’s status and protection requirements
PCII is labeled with a unique identification number

The PCII marking remains until either the PCII Program Office determines the information no longer qualifies for PCII protection or the submitter requests the removal of protections. PCII is normally labeled with the following statement by the PCII Program Office to ensure the material is safeguarded and handled appropriately.