Protected Critical Infrastructure Information (PCII) Program

An information-protection program to enhance information sharing between the private sector and the government.

Overview

Congress created the Protected Critical Infrastructure Information (PCII) Program under the Critical Infrastructure Information Act of 2002 (CII Act) to protect information voluntarily shared with the government on the security of private and state/local government critical infrastructure. Title 6 Code of Federal Regulations (CFR) part 29, Procedures for Handling Critical Infrastructure Information; Final Rule, establishes uniform procedures on the receipt, validation, handling, storage, marking, and use of critical infrastructure information (CII) voluntarily submitted to the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security (DHS).

The protections offered by the PCII Program enhance the voluntary sharing of CII between infrastructure owners and operators and the government. The PCII Program protections provide homeland security partners confidence that sharing their information with the government will not expose sensitive or proprietary data to public disclosure.

How Does the PCII Program Support Infrastructure Protection?

The PCII Program protects information from public disclosure while allowing DHS/CISA and other federal, state, and local government security analysts to:

• Analyze and secure critical infrastructure and protected systems
• Identify vulnerabilities and develop risk assessments
• Enhance preparedness, resilience, and recovery measures

The CII Act of 2002 and its implementing regulation, 6 CFR part 29, “Procedures for Handling Critical Infrastructure Information” ensure critical infrastructure information voluntarily shared with the government and validated as PCII by DHS/CISA is protected from:

• Disclosure from Freedom of Information Act (FOIA) requests
• Disclosure under state and local disclosure laws
• Use in regulatory proceedings
• Use in civil actions

Only authorized federal, state, and local government employees or government contracted personnel who are trained and certified in the strict safeguarding and handling requirements, have a need-to-know, have homeland security responsibilities, and sign a Non-Disclosure Agreement (non-federal employees only) may access PCII.

Only the PCII Program Office or the PCII Program Manager Designees may mark information as PCII and assign a submission identification number. To ensure proper handling and safeguarding from disclosure:

• PCII documents include a PCII Program Green Cover Sheet outlining protection requirements
• PCII is marked with “PROTECTED CRITICAL INFRASTRUCTURE INFORMATION” in the headers and footers to alert users of the information’s status and protection requirements
• PCII is labeled with a unique identification number

The PCII marking remains until either the PCII Program Office determines the information no longer qualifies for PCII protection or the submitter requests the removal of protections. PCII is normally labeled with the following statement by the PCII Program Office to ensure the material is safeguarded and handled appropriately:

"This document contains Protected Critical Infrastructure Information. In accordance with the provisions of the Critical Infrastructure Information Act, 6 U.S.C. §§ 131 et seq., it is exempt from release under the Freedom of Information Act (5 U.S.C. § 552) and similar state and local disclosure laws. Unauthorized release may result in criminal and administrative penalties. PCII must be safeguarded and shared in accordance with the Critical Infrastructure Information Act, 6 U.S.C. §§ 131 et seq., the implementing regulation, 6 CFR part 29 and PCII Program requirements."

In some cases, the PCII Program Manager may discover information validated as PCII was at the time of validation shared previously in the public domain (See 6 CFR part 29 for greater explanation). Under such circumstances, the PCII Program Manager will review the submission’s PCII status and can remove the PCII protections.

The submitter may also, at any time after submission of critical infrastructure information, request in writing the submitted information no longer receive PCII protections. The PCII Program Manager will follow the submitter's directions under the following circumstances:

• Withdrawal of a Submission: If a submitter requests in writing to withdraw the submission, and the information is not yet validated, the PCII Program Office will return all such information to the submitting person/entity or destroy the information, depending on the written request of the submitter.
• Change of Status: If the submitter requests in writing the removal of PCII protections on a validated submission, the PCII Program Office will comply. In this case, the PCII Program Office will return it to the submitter or destroy the information, depending on the submitter’s instructions and availability.

If the PCII Program Manager determines the information should not retain its PCII protections or the submitter requests the removal of the protections the PCII Program Office will:

• Notify the submitter of the change in status
• Remove the PCII markings from the information
• Change the designation of the information in the PCII Management System (PCIIMS)

All individuals authorized access to PCII are responsible for safeguarding the material when in their possession or control. Participating government entities, in partnership with the PCII Program Office, ensure individuals adhere to safeguarding and handling requirements. The PCII Program Office conducts oversight of the PCII Program through Technical Assistance Visits (TAVs).

PCII accredited government entities must designate a PCII Officer to provide oversight and manage employees with access to PCII in their organization. The PCII Program Office works with the PCII Officer to ensure PCII is used appropriately by reviewing the self-inspections and conducting TAVs as necessary.

The PCII Officer’s administration of the PCII Program in the entity consists of:

• Monitoring ongoing compliance with PCII Program requirements
• Supervising PCII Authorized Users within the entity
• Performing periodic self-inspections
• Investigating any alleged or actual misuse or compromise of PCII
• Reporting any misuse or mishandling of PCII

In coordination with DHS and CISA’s Office of Security, Office of the General Counsel, and Office of Chief Counsel, the PCII Program Manager establishes and implements procedures for reporting and investigating the suspected loss, misplacement, or unauthorized disclosure of PCII.