Protected Critical Infrastructure Information (PCII) is information voluntarily shared by critical infrastructure owners and operators with the government to analyze data, secure critical infrastructure, identify vulnerabilities, develop risk assessments, and enhance recovery preparedness measures. Under the Critical Infrastructure Information Act of 2002, all PCII is protected from disclosure from the Freedom of Information Act (FOIA); state, tribal, and local disclosure laws; use in regulatory actions; and use in civil litigation so that sensitive or proprietary data is not exposed.
What Are the Requirements to Access PCII?
PCII is made available only to those Federal, State, tribal, and local government employees and their contractors who:
- Are trained in the proper handling and safeguarding of PCII;
- Have homeland security responsibilities as specified in the Critical Infrastructure Information Act of 2002, the Final Rule, and the policies and procedures issued by the PCII Program;
- Have a need to know the specific information; and
- Sign a Non-Disclosure Agreement (non-Federal employees).
In addition to the above requirements, government contractors must modify relevant contracts to comply with requirements of the PCII Program. The contract modification is not a prerequisite to accessing PCII; however, the contractor must contractually acknowledge its responsibilities with respect to PCII as soon as practicable. To avoid delay or interruption of access to PCII, contractors can be certified by the PCII Program Manager or a PCII Officer.
For more information, please see the PCII Program Procedures Manual.
How Is PCII Safeguarded from Disclosure?
"In general, safeguarding measures must ensure that—
- Precautions are taken to prevent unauthorized persons from overhearing conversations, observing PCII materials, or otherwise obtaining such information,
- PCII is accessed only by authorized users,
- To the extent feasible, submitted information is not at risk of inappropriate use, and
- PCII is not disseminated inappropriately.
"Recipients of PCII, including copies of PCII and derivative work products, must safeguard the PCII to ensure that PCII is:
- Accessed by authorized users who are properly trained in how to handle PCII, and
- Safeguarded in accordance with all the guidance from the PCII Program Manager."
See the PCII Program Procedures Manual.
Once submitted information is validated and marked as PCII, it may reside on a partnering federal entity's system and keep the protections afforded under the PCII Program. The PCII Program keeps a record of all submissions, including those made to an information-sharing partnership.
Is the PCII Program Ever Required to Disclose PCII?
- "Law enforcement agencies in furtherance of the investigation or prosecution of a criminal act,
- Either House of Congress, or to the extent of matter within its jurisdiction, any committee or subcommittee thereof, any joint committee thereof, or subcommittee of any such joint committee, and
- The Comptroller General, or any authorized representative of the Comptroller General, in the course of the performance of the duties of the Government Accountability Office (GAO)."
"In addition, PCII may be provided to the DHS Inspector General.
"The PCII Program will not release PCII under these circumstances without taking measures to ensure that the individuals who receive PCII are authorized to receive it and are properly trained in its protection and use."
At What Point Does the PCII Program Protect Submissions from Disclosure?
Submissions are protected from public disclosure immediately upon receipt and throughout the validation process. If a submission meets the qualifications for protection, the submission retains protection. If a final determination is made that the submitted information does not qualify for PCII protection, the PCII Program will either return the information to the submitter in accordance with the submitting person or entity's written preference or destroy the submission in accordance with the Federal Records Act and DHS regulations.
Have the Protections of the Critical Infrastructure Information Act (CII Act) or the PCII Program Ever Been Successfully Challenged in Court?
No. Some state court opinions have discussed the PCII protections as a secondary issue, but none have overturned the protections or challenged the authority of the PCII Program.
How Is PCII Marked?
Only the PCII Program or the PCII Program Manager Designees may mark information as PCII and provide it with a submission identification number. Information that does not contain the requisite PCII markings and identification number is not PCII. All submissions are assigned an identification number that must be included on all original PCII, copies of original PCII, and products created from PCII.
To ensure appropriate protections on PCII:
- All forms of PCII are marked with "Protected Critical Infrastructure Information" in the headers and footers to alert users to the information's status and protection requirements.
- All PCII is marked with an identification number.
- The PCII Cover Sheet must be attached to all physical copies of PCII materials to alert individuals of the PCII; whether in storage, transit, or on a desk; even if that desk is in an environment where the most rigorous access controls are in place. "The Cover Sheet must—
- Be positioned in such a manner that the PCII cannot be viewed by individuals in the immediate area who are not working with the information,
- Remain with PCII materials at all times, and
- Be placed on top of a transmittal letter or memorandum."
See the PCII Program Procedures Manual for more information. The PCII markings remain until the PCII Program determines that the information no longer qualifies for PCII protection or the submitter requests that the protection be removed.
How Should I Protect the Work Products I Create with PCII?
Work products containing PCII are subject to the same handling, storage, and marking requirements as original PCII. When work products contain verbatim PCII or anything that explicitly or implicitly refers to the submitter or submitted CII, the work products must be labeled and handled as PCII; otherwise, PCII designation is not required or appropriate. The PCII must be taken from a PCII-protected source for the derivative product to be protected as well.
What Are the Penalties for Intentionally Mishandling PCII?
Federal employees who knowingly mishandle or misuse PCII are subject to loss of access, fines, and/or imprisonment and will be removed from office. Non-Federal employees who knowingly mishandle PCII may be subject to penalties including prosecution, loss of employment, and loss of access to PCII.
How Does the PCII Program Ensure Proper Procedures Are Being Followed?
All individuals with access to PCII are responsible for safeguarding it while it is in their possession or control. Participating government entities, in partnership with the PCII Program, ensure individuals adhere to safeguarding and handling requirements.
PCII accredited government entities must designate a PCII Officer to provide oversight and manage employees with access to PCII in their organization. The PCII Program works in conjunction with the PCII Officer to ensure PCII is being used appropriately by reviewing the results of self-inspection reports. Site visits and system audits might also be conducted as necessary.
In coordination with the DHS Office of Security and the Office of the General Counsel, the PCII Program Manager has established and implemented procedures for reporting and investigating the suspected loss, misplacement, or unauthorized disclosure of PCII. The Memorandum of Agreement that entities must enter into as part of the accreditation process requires Federal, State, tribal, and local entities to cooperate in these investigations.
Suspicious or inappropriate requests for information by any means (e.g., e-mail or verbal), must be reported immediately to the relevant PCII Officer, who must then report them to the PCII Program.
What Should I Do if I Receive PCII with Improper Markings or Missing a Submission Identification Number?
All PCII should be marked and accompanied by a PCII cover sheet that shows the identification number of the item. For specific marking procedures, please reference the PCII Program Procedures Manual.
If the PCII does not have a submission identification number or proper markings, please contact the PCII Program immediately at (202) 360-3023 or at email@example.com.
How Is PCII Protected in an Emergency Situation?
You are still encouraged to follow all the normal security procedures for PCII. If that is not possible, the normal protection requirements may be slightly relaxed during an emergency, allowing PCII to be shared via cell phone for example. Please contact the PCII Program if you have any questions at firstname.lastname@example.org or 202-360-3023.