- Who Can Submit Information To The PCII Program?
- How Do I Know If A System Is Certified To Receive Or Store PCII?
- What Must Accompany A Submission So It Qualifies For Protection?
- How Do I Submit Information In An Emergency?
- Can PCII Ever Lose Its Protections?
Who Can Submit Information To The PCII Program?
Individuals or entities who have information about a critical infrastructure that is not customarily in the public domain can provide such information to the PCII Program so long as the information is submitted in good faith and is not submitted in lieu of compliance with any regulatory requirement. It is not required that a submitter own or operate the infrastructure in question, though individuals submitting on behalf of entities must be authorized to do so by that entity.
The PCII Program will accept submissions of information from any submitter who:
- Owns the information being submitted (or is an authorized representative of the owner of the information),
- Has sufficient knowledge of the information to affirm that it is being submitted voluntarily [i.e., in the absence of an exercise of legal authority by the Department of Homeland Security (DHS) to compel access to or submission of such information], and
- Has sufficient knowledge of the information to affirm in the Certification Statement that the information is not lawfully, properly, and regularly disclosed generally or broadly to the public.
Examples of potential submitters include, but are not limited to:
- State, tribal, and local government officials,
- Authorized representatives of privately or publicly owned companies,
- Industry associations (on behalf of their members),
- Individuals capable of providing an analytical observation of a critical infrastructure, and
- Working groups comprised of government and private sector representatives.
For more information, please see the PCII Program Procedures Manual.
State, tribal, and local governments can be both submitters and users of information, so they may find themselves in a situation where they are submitting information to share with the Federal Government or with other State, tribal, or local governments while simultaneously using PCII submitted by other State, tribal, and local governments or other categories of submitters.
Representatives of Federal entities may not submit information to the PCII.
Critical infrastructure information for PCII validation can be submitted in two ways:
- Through a partnering Federal Government entity, or
- Directly to the PCII Program.
In these specific partnerships, the PCII Program declares certain subject matter or types of information categorically protected as PCII and sets procedures for receiving and processing of this information.
How Do I Know If A System Is Certified To Receive Or Store PCII?
You should contact the PCII Program at firstname.lastname@example.org or 202-360-3023, which can provide you with a list of the tools, databases, software, and systems certified to receive or store PCII. Storing PCII on a system that has not been certified by the PCII Program increases the risk that the PCII may not be protected from unauthorized disclosures.
What Must Accompany A Submission So It Qualifies For Protection?
Two items must be included with information submitted for PCII protection under the Critical Infrastructure Information (CII) Act:
An Express Statement requesting the protection offered by the CII Act, and
A Certification Statement including the submitter's contact information and certifying that the information is not customarily in the public domain.
When accompanied by an Express Statement and a signed Certification Statement, the submission will be granted the presumption of protection throughout the entire process. If the Certification Statement is incomplete, the PCII Program will request that the submitter provide a complete Certification Statement within 30 calendar days of the submitter's receipt of the request. If the submitter does not remedy the deficiency within 30 days of the request, the PCII Program will either return the information to the submitter in accordance with the submitting person or entity's written preference or destroy the submission in accordance with the Federal Records Act and DHS regulations.
Submitters are encouraged to contact the PCII Program at 202-360-3023 or email@example.com prior to submitting their information to ensure that the PCII Program can accept the submission format and for any additional questions.
How Do I Submit Information In An Emergency?
If a submission is ever time-sensitive, the PCII Program will make every effort to validate it by the deadline, if possible. However, if CII is submitted during an emergency and it can't be validated by the PCII Program in time, a submitter can simply provide it to the user directly and request protection. The information will be protected as PCII during the emergency and then validated afterwards by the PCII Program. If it turns out that the CII does not qualify for protection, the submission will be destroyed or returned to the submitter. PCII can also be submitted by telephone, though it must be submitted in written format within 15 days of the telephone submission.
Can PCII Ever Lose Its Protections?
In some cases, the PCII Program Manager may discover that information validated as PCII was, at the time of validation, of a type customarily in the public domain. Under such circumstances, the PCII Program Manager will review the submission's PCII status and can remove the PCII protections. The submitter may also, either before or after the submission is validated, request in writing that their submitted information no longer be protected as PCII. Submitters should consider withdrawing out-of-date or erroneous submissions so that the information can be destroyed.
In the event that the PCII Program Manager determines that the information should not retain its PCII status or the submitter requests that his or her submitted information no longer be protected as PCII, the PCII Program will:
- Notify the submitter of the change in status and ask if the submission should be destroyed,
- Remove the PCII markings from the information, and
- Change the designation of the information in the PCII Management System.
If the PCII Program does not receive a response within 30 calendar days of notifying the submitter of the change in status, the PCII Program may retain the information without protection or destroy it.