How Is PCII Used by the Federal Government?
Information protected as PCII is a key component of DHS vulnerability assessment programs such as the Buffer Zone Protection Program, Enhanced Critical Infrastructure Protection security surveys, and Site Assistance Visits, as well as risk management tools such as the Computer-Based Assessment Tool, the Voluntary Chemical Assessment Tool, and the Automated Critical Asset Management System. PCII protections are also used by the DHS Office of Cybersecurity and Communications (CS&C) to protect information on cyberattacks, cyber mitigation efforts, and response and recovery work. PCII protections are used within the Department of Defense to protect information about the defense industrial base and within the Department of Health and Human Services to protect information about vulnerabilities in our Nation's public health infrastructure. In these areas and others, being able to protect infrastructure information as PCII has allowed the Federal Government, as well as State and local governments, to work closely with infrastructure owners and operators to share vital data
How Do I Use an Item of Information from a Protected Document?
Generally, an entire document is protected as PCII as long as it contains any items of PCII. If you want to use other pieces of information from within that document, you can either take them from an independent source which does not contain PCII or sanitize the information you wish to use of any PCII. For the purposes of the PCII Program, "sanitization" means distilling the information so it is not traceable to the submitter and does not reveal any information that:
- Is proprietary, business-sensitive, or a trade secret;
- Relates specifically to the submitting person or entity (explicitly or implicitly); or
- Is otherwise not customarily in the public domain.
The PCII Program does not currently require PCII documents to be portion marked to indicate which items of information are PCII and which are not. Some items of information from a vulnerability assessment for example, that may not appear sensitive on its own, may become sensitive in combination. Please consult the PCII Program for guidance.
How Can I Use an Item of Information That Is Available from Both a Non-PCII Source and a PCII-Protected Document?
Sometimes you will find the same information in two documents, one of which is marked and protected as PCII and one of which that is not. You may use the information as freely as the non-PCII source allows, provided that you do not reveal any additional PCII from the protected document in the process. If you are working from a PCII-protected document, you should assume that the item must be handled as PCII until you can show otherwise, and follow the instructions within the Work Products Guide, attached as an appendix to the PCII Program Procedures Manual and attached to this website.
What Can a Submitter Do with Their Own Versions of Submitted Information?
Information that is held by the submitter is not subject to the handling and dissemination restrictions of the PCII regime, even if the same information has been validated by DHS and is protected as PCII. A submitter may use their copy of the information as they see fit, but we encourage submitters to consider information access and information security as part of that decision. Generally, copies of submitted documents retained by the submitter are not available for disclosure in civil litigation
Can Private Sector Owners and Operators Receive a Copy of Their Own Information from the Automated Critical Asset Management System (ACAMS) or Another DHS System?
Anyone granted access rights to an asset within ACAMS can receive an unmarked copy of certain ACAMS reports on ACAMS on their asset. They may also be able to request a copy of their own information from other DHS systems.
Can PCII Be Used for Regulatory Purposes?
No. PCII may not be used for regulatory or rule-making purposes. There may be instances where the underlying information has been submitted both to the PCII Program for validation and to a regulatory authority in compliance with a regulatory requirement. In those cases the PCII version of the information will still not be used for regulatory purposes.
Can a Submitter Provide Information to the PCII Program to Fulfill a Regulatory Requirement?
No. Submitters may not submit information to the PCII Program to comply with a statutory or regulatory requirement.
Can PCII Be Shared with a Tribal Representative?
Yes. Tribal entities can become accredited and tribal representatives can become Authorized Users. The same procedures for dissemination and safeguarding would apply.
How Do State or Tribal Government Records Laws Affect PCII Protections from Disclosure?
Protections from disclosure apply to any information received from DHS. Information collected for submission to DHS may be subject to records management and disclosure laws that vary by State or within different tribes, territories, or localities. This may lead to a situation where a submission is validated and marked as PCII, but the original records cannot be destroyed by the submitting State, tribal, or local entity due to records retention rules. Those original records could still be used for regulatory purposes, but they would also still fall under these disclosure rules and could be requested by the public. A failure to understand the different status of marked and non-marked copies can lead to a mistaken belief that every copy is protected once one copy is submitted to the PCII Program.
How Do You Share PCII in an Emergency?
To receive PCII, a recipient must be an authorized user. In emergencies, an individual who has not yet completed the requirements for authorization can become a temporary authorized user by:
- Reading the PCII cover sheet attached to the information,
- Informally agreeing to protect the PCII by the PCII rules, and
- Informally agreeing to take the PCII Authorized User training within 30 days.
If you are sharing PCII outside of the standard process, you should inform the PCII Program in the most expedient fashion available that you are sharing PCII in an emergency. As you share the PCII, you should also track what you shared and with whom you shared it, so the PCII Program can follow up and ensure that all users are properly trained. While the PCII Program understands that first responders might be busy and distracted during an emergency, a lack of proper tracking may hinder the PCII Program's responsibility to ensure that all PCII is being disseminated responsibly and used appropriately.
Can PCII Be Shared with a Foreign Government?
No. To share PCII, DHS would either need the submitter's permission to share their information or would need to issue a sanitized (i.e. a non-PCII) warning or advisory to the concerned government. If the submitter did give permission to share their information with the foreign government, protections for the copy of the information in the foreign government's hands may vary.
How Should PCII Authorized Users Respond to Inquiries About What PCII They Hold?
In addition to protecting the information within a validated document, the CII Act also protects the submitter's identity as PCII. Authorized users should not reveal the identity of a submitting entity or facility, but may offer more general information, such as the fact that submissions exist within a particular geographic region or sector. If one could easily deduce the identity of a submitting entity or facility from those facts (e.g. there is only one electrical utility in that county) then even that information is too specific and must be withheld.