The Protected Critical Infrastructure Information (PCII) Program mandates that all information validated and marked as PCII can only be accessed by certified and trained individuals in accordance with strict safeguarding and handling requirements as described in 6 Code of Federal Regulations (CFR) Part 29, Procedures for Handling Protected Critical Infrastructure Information; Final Rule. The Department of Homeland Security has oversight over the PCII Program to ensure that all authorized users and entities are in compliance with the safeguarding and handling requirements. The Department’s oversight is conducted through PCII Compliance Reviews.
What are PCII Compliance Reviews?
The overall purpose of a PCII Compliance Review is to evaluate an accredited entity’s compliance with Section 214 of the Critical Infrastructure Information Act of 2002 (CII Act of 2002) and 6 CFR Part 29, Procedures for Handling Protected Critical Infrastructure Information; Final Rule. A PCII Compliance Review identifies areas of noncompliance or deficiencies requiring corrective action and improves future entity capabilities.
What to Expect During a PCII Compliance Review
PCII Compliance Reviews are conducted by a PCII Oversight and Compliance Team through onsite and offsite visits with appropriate entity officials and employees. The PCII Oversight and Compliance Team will:
- As necessary, request copies of select records prior to a Compliance Review.
- Review and analyze the entity’s data and records, such as operational manuals and other records associated with the administration and management of the PCII Program, to gain firsthand knowledge of an entity’s operational practices and to identify any weaknesses in the entity’s procedures for administering requirements as stated in the Final Rule.
- As necessary, conduct interviews with the PCII officer, disclosure officers, contractors, and other individuals associated with the entity’s program for clarity on entity’s data, records, or management of the PCII Program.
- Frame required actions and recommendations that will strengthen the entity’s future compliance.
- If noncompliance results in unauthorized disclosure, loss, or misuse of PCII, determine the extent to which any weaknesses in the entity’s administration subjected critical infrastructure owner/operators and the critical infrastructure community to potential or actual harm.
- Recommend corrective measures the entity should take in order to rectify any infractions, violations, or systemic weaknesses that threaten the secure sharing of PCII.
To learn more about PCII Oversight and Compliance or to schedule a PCII Compliance Review, contact PCII-Assist@hq.dhs.gov.