Critical infrastructure information (CII) protected as Protected Critical Infrastructure Information (PCII) is a key component of the homeland security effort. However, PCII must be used and shared in accordance with the Critical Infrastructure Information (CII) Act of 2002, the Final Rule, and other policies and procedures issued by the PCII Program.
PCII is made available only to those federal, state, tribal, and local government employees and their contractors who:
- Are trained in the proper handling and safeguarding of PCII.
- Have homeland security responsibility as specified in the Critical Infrastructure Information (CII) Act of 2002, the Final Rule, and the policies and procedures issued by the PCII Program.
- Have a need to know the specific information.
- Sign a Non-Disclosure Agreement (nonfederal employees).
In addition to the above requirements, government contractors must modify relevant contracts to comply with requirements of the PCII Program. The contract modification is not a prerequisite to accessing PCII; however, the contractor must contractually acknowledge its responsibilities with respect to PCII as soon as practicable. To avoid delay or interruption of access to PCII, contractors can be certified by the PCII Program Manager or a PCII Officer. For more information, please see the PCII Program Procedures Manual.
Using PCII in Analysis
The PCII Program protects information from public disclosure while allowing the Department of Homeland Security (DHS) and other federal, state, tribal, and local government security analysts to use PCII to:
- Analyze and secure critical infrastructure and protected systems.
- Identify vulnerabilities and develop risk assessments.
- Enhance recovery preparedness measures.
PCII is a critical component in the Department’s vulnerability assessments and risk management tools, such as the IP Gateway, that allow federal, state, and local government security analysts to enhance the security and resilience of the nation’s critical infrastructure by finding weaknesses and identifying risks in critical infrastructure.
Using PCII in Work Products
In the course of conducting homeland security duties, it may be necessary to create a work product that quotes or references PCII. Generally, as long as a work product contains any PCII, the entire product must be protected as PCII and is subject to the same handling, storage, and marking requirements as original PCII. If you want to use other pieces of information from within that work document that are not PCII, you can either take them from an independent source that does not contain PCII or sanitize the information you wish to use of any PCII. For the purposes of the PCII Program, "sanitization" means distilling the information so it is not traceable to the submitter and does not reveal any information that:
- Is proprietary, business-sensitive, or a trade secret.
- Relates specifically to the submitting person or entity (explicitly or implicitly).
- Is otherwise not customarily in the public domain.
The PCII Program does not currently require PCII documents to be portion marked to indicate which items of information are PCII and which are not. For example, some items of information from a vulnerability assessment that may not appear sensitive on its own may become sensitive in combination with other pieces of information. Please consult the PCII Program (PCII-Assist@hq.dhs.gov) for guidance.
Information Available from Both a Non-PCII Source and a PCII-Protected Document
Sometimes you will find the same information in two documents, one of which is marked and protected as PCII and one of which that is not. You may use the information as freely as the non-PCII source allows, provided that you do not reveal any additional PCII from the protected document in the process. If you are working from a PCII-protected document, you should assume that the item must be handled as PCII until you can show otherwise and follow the instructions within the Work Products Guide, an appendix to the PCII Program Procedures Manual.
When sharing or disseminating PCII, you must follow all applicable safeguarding, transmission, and access requirements laid out in the CII Act, Final Rule, and policies and procedures issued by the PCII Program. If you have any questions or concerns, please contact the PCII Program at PCII-Assist@hq.dhs.gov.
Sharing PCII in an Emergency
You are still encouraged to follow all the normal security procedures for PCII during an emergency. However, during an emergency, an individual who has not yet completed the requirements for authorization can become a temporary Authorized User by:
- Reading the PCII cover sheet attached to the information.
- Informally agreeing to protect the PCII by the PCII rules.
- Informally agreeing to take the PCII Authorized User training within 30 days.
If you are sharing PCII outside of the standard process, you should inform the PCII Program in the most expedient fashion available that you are sharing PCII in an emergency. As you share the PCII, you should also track what you shared and with whom you shared it so that the PCII Program can follow up and ensure that all users are properly trained. While the PCII Program understands that first responders might be busy and distracted during an emergency, a lack of proper tracking may hinder the PCII Program's responsibility to ensure that all PCII is being disseminated responsibly and used appropriately.
Sharing PCII with a Tribal Representative
Tribal entities can become accredited, and tribal representatives can become Authorized Users. The same procedures for dissemination and safeguarding apply to tribal entities and representatives.
Sharing PCII with a Foreign Government
Generally, PCII should not be shared with a foreign government. To share PCII with a foreign government, DHS would either need the submitter's permission to share their information or would need to issue a sanitized (i.e. a non-PCII) warning or advisory to the concerned government. If a submitter provides permission to share information with a foreign government, protections for the copy of the information may vary.
Responding to Inquiries About What PCII You Hold
In addition to protecting the information within a validated document, the CII Act also protects the submitter's identity as PCII. Authorized Users should not reveal the identity of a submitting entity or facility, but may offer more general information, such as the fact that submissions exist within a particular geographic region or sector. If one could easily deduce the identity of a submitting entity or facility from those facts (e.g., there is only one electrical utility in that county), then even that information is too specific and must be withheld.
Requirements to Disclose PCII
- Law enforcement agencies in furtherance of the investigation or prosecution of a criminal act
- Either House of Congress, or to the extent of matter within its jurisdiction, any committee or subcommittee thereof, any joint committee thereof, or subcommittee of any such joint committee
- Comptroller General, or any authorized representative of the Comptroller General, in the course of the performance of the duties of the Government Accountability Office (GAO)
- DHS Inspector General
The PCII Program will not release PCII under these circumstances without taking measures to ensure that the individuals who receive PCII are authorized to receive it and are properly trained in its protection and use.
Some state court opinions have discussed the PCII protections as a secondary issue, but none have overturned PCII protections or challenged the authority of the PCII Program.
Reporting Violations of PCII Protections
Report any suspected violation of PCII security procedures, the loss or misplacement of PCII, or any suspected unauthorized disclosure of PCII to both the PCII Program Manager and the PCII Officer.
To learn more about how the PCII Program can support your organization's homeland security efforts, please contact PCII-Assist@hq.dhs.gov.