CISA PUBLISHES TECHNICAL RULE on PROTECTED CRITICAL INFRASTRUCTURE INFO
WASHINGTON—Today, the Department of Homeland Security (DHS) and Cybersecurity and Infrastructure Security Agency (CISA) are issuing a technical rule to improve and modernize aspects of the Protected Critical Infrastructure Information (PCII) Program, which provides legal protections for cyber and physical infrastructure information submitted to DHS. These non-substantive, technical edits amend the Protected Critical Infrastructure Information (PCII) Program regulation found at 6 CFR part 29, to help critical infrastructure owner/operators, state and local governments, and other important stakeholders more effectively use the PCII Program.
For info from CISA see these links PCII Program | CISA,
How Does PCII Protect My Information?
Authorities Governing PCII: The CII Act of 2002 and its implementing regulation, 6 CFR part 29, “Procedures for Handling Critical Infrastructure Information” ensure critical infrastructure information voluntarily shared with the government and validated as PCII by DHS/CISA is protected from:
- Disclosure from Freedom of Information Act (FOIA) requests
- Disclosure under state and local disclosure laws
- Use in regulatory proceedings
- Use in civil actions
Accessing PCII: Only authorized federal, state, and local government employees or government contracted personnel who are trained and certified in the strict safeguarding and handling requirements, have a need-to-know, have homeland security responsibilities, and sign a Non-Disclosure Agreement (non-federal employees only) may access PCII.
Marking PCII: Only the PCII Program Office or the PCII Program Manager Designees may mark information as PCII and assign a submission identification number. To ensure proper handling and safeguarding from disclosure:
- PCII documents include a PCII Program Green Cover Sheet outlining protection requirements
- PCII is marked with “PROTECTED CRITICAL INFRASTRUCTURE INFORMATION” in the headers and footers to alert users of the information’s status and protection requirements
- PCII is labeled with a unique identification number
The PCII marking remains until either the PCII Program Office determines the information no longer qualifies for PCII protection or the submitter requests the removal of protections. PCII is normally labeled with the following statement by the PCII Program Office to ensure the material is safeguarded and handled appropriately.
PCII Program Documents
- Critical Infrastructure Information Act of 2002 as Amended (pdf, 1.01MB)
- 6 CFR part 29, “Procedures for Handling Critical Infrastructure Information”; Final Rule – December 2022 (pdf, 266KB)
- PCII Program Procedures Manual (pdf, 1.69MB)
- PCII Program Fact Sheet (pdf, 175KB)
- Express and Certification Statement (pdf, 504KB)
- PCII Green Coversheet (pdf, 135KB)
- PCII Management System (PCIIMS) Fact Sheet (pdf, 135KB)
- How To Email PCII (pdf, 522KB)
- Safeguarding PCII (pdf, 1.27MB)
- Unofficial Redline of PCII Final Rule – October 2022 (pdf, 421KB)