Can Information Be Both PCII And Sensitive Security Information (SSI)?
Yes. Information can be both PCII and SSI. Disclosure of information that is both SSI and PCII is governed both by PCII and SSI requirements. Therefore, users handling materials that are marked as both PCII and SSI should observe all PCII handling, safeguarding, and dissemination requirements. Users should remember that PCII cannot be used for regulatory purposes, even if it is also SSI.
If A Document Contains Both PCII & SSI, How Must It Be Protected?
If a document is both SSI and PCII it should be protected as both PCII and SSI. If those requirements conflict, users should contact either the PCII Program or the SSI Program for further guidance.
Can A Private Sector Submitter Disclose SSI Information If A Copy Has Also Been Validated As PCII?
The private sector entity would not have a marked copy of PCII. Therefore the entity's copy would be SSI but not PCII. While there are no PCII safeguarding or handling requirements for unmarked copies of validated PCII retained by a submitter, the entity is still required to comply with all SSI handling and safeguarding requirements that are applicable to the information. The private sector entity therefore can disclose the information only to a Covered Person as defined in the SSI Regulation.
Can A State Or Local Government Entity Submit SSI For Validation as PCII?
Yes. The copy of the information the entity retains, however, is SSI and is not PCII and must be handled and safeguarded in accordance with SSI requirements, including the SSI Regulation.
Can Information That Has Been Submitted For PCII Protections Also Have SSI Protections?
Yes. A submitting entity retains control over the information and products it has generated and may handle the unmarked copy of the information as it chooses. That copy is not PCII and is not subject to the PCII handling and safeguarding requirements. If the information falls within the categories of SSI, the entity will need to comply with SSI handling, safeguarding and dissemination requirements. For marked copies of PCII that a State or local government entity might hold, that entity may only share those copies in accordance with PCII handling and safeguarding requirement. Validated PCII will be marked as such and have a submission identification number provided by the PCII Program. If the information is SSI and marked as PCII as well, the information is governed by both PCII and SSI handling, safeguarding, use, and dissemination requirements.
Would the same document ever be marked as Chemical-Vulnerability Information (CVI) and PCII at the same time?
No. The same underlying information might be submitted to both programs, but then that would create a set of CVI-marked and protected copies and a set of PCII-marked and protected copies. Each category of information would be used for separate purposes.
Can a facility disclose information that has been validated as PCII in order to comply with the Chemical Facility Anti-Terrorism Standards (CFATS)?
Yes. Copies of the information the facility holds may be shared by the facility with anyone, including Federal regulators, even if that information has also been submitted as PCII.
However, a facility should not provide its PCII-marked and protected copies of their information to comply with CFATS, so it can avoid confusion about whether PCII information is being improperly disclosed. PCII-marked and protected information is not allowed to be used for regulatory purposes, including CFATS, and sharing a marked copy may give the impression that this requirement has been violated.
At any time after their submission is validated, submitters can request an unmarked copy of their submission be returned to them. This copy is not subject to the PCII handling and safeguarding requirements.
Will Federal government employees or contractors who work on CFATS have access to PCII relating to a covered facility?