What is the Critical Infrastructure Partnership Advisory Council (CIPAC)?
CIPAC is an advisory council chartered by the Department of Homeland Security (DHS) that directly supports the implementation of the National Infrastructure Protection Plan (NIPP) 2013: Partnering for Critical Infrastructure Security and Resilience. Utilizing the sector partnership structure, CIPAC provides a forum that enables members of the recognized Government Coordinating Councils (GCCs) and Sector Coordinating Councils (SCCs) to engage in discussions about joint critical infrastructure planning, coordination, implementation, and operational issues, along with other relevant matters.
As appropriate, members deliberate and develop consensus policy, advice, and recommendations on critical infrastructure protection, security, and resilience matters to be provided to DHS, the Sector-Specific Agency for each sector, and the other Federal departments and agencies supporting the critical infrastructure security and resilience mission under the NIPP.
CIPAC utilizes a trusted forum and environment that will:
- Facilitate the flow of advice and information concerning critical infrastructure protection and resilience.
- Foster effective information sharing.
- Mitigate the risk of compromising vulnerabilities.
- Promote necessary communications during emergencies.
Who are the members of CIPAC?
CIPAC membership is composed of organizations which represent the 16 Critical Infrastructure Sectors identified in the NIPP, with each SCC and GCC maintaining its own membership. Each member organization selects the appropriate representative(s) to participate in CIPAC activities.
SCCs are self-formed and self-governed entities serving as the principal private sector entity working with the government to coordinate activities in a given infrastructure sector. SCC members are critical infrastructure owners and operators and/or relevant trade organizations that are representative of their respective sector.
Similarly, GCCs are formed as the government counterpart to each SCC to enable interagency and cross-jurisdictional coordination. Each GCC is co-chaired by a representative from the designated Sector-Specific Agency and DHS/Office of Infrastructure Protection (IP) or its designee. GCC members are Federal, State, local, tribal, and territorial governmental entities, including their representative organizations with responsibilities for critical infrastructure activities.
Currently, CIPAC membership consists of more than 700 government and private sector member organizations, including more than 150 trade associations representing corporations of all sizes.
If I am not a member of an SCC or GCC, are there other ways to participate in CIPAC?
Due to the sensitive nature of the material discussed, CIPAC meetings will customarily be closed to the public. Nonmembers of an SCC or GCC cannot be members of CIPAC, but may attend CIPAC meetings and working groups by invitation of an SCC or GCC as subject matter experts (SMEs). CIPAC members may also invite SMEs on a standing or ad-hoc basis.
What does it mean that CIPAC is FACA exempt?
The Department of Homeland Security (DHS) published a Federal Register Notice on March 24, 2006, announcing the establishment of CIPAC pursuant to Section 871 of the Homeland Security Act and its exemption from the Federal Advisory Committee Act (FACA).
The Federal Advisory Committee Act (FACA), Public Law 42-463, defines the requirements and regulations for how a Federal advisory committee operates. FACA applies to any committee, council, or similar group established by statute or utilized by a Federal agency for the purpose of obtaining deliberative input, advice, or recommendations from the private sector. FACA meetings are open to the public and require access to meeting materials and timely notice of each meeting to be published in the Federal Register.
However, DHS was granted a FACA exemption for CIPAC meetings. Absent this exemption, CIPAC meetings would be open to the public, automatically disclosing any sensitive information presented in the meeting. Accordingly, DHS published a Federal Register Notice on March 24, 2006, announcing the establishment of CIPAC as a FACA-exempt body, pursuant to Section 871 of the Homeland Security Act. With this FACA exemption, CIPAC meetings can be closed to the public and there is no Federal Register Notice requirement prior to holding CIPAC meetings.
This framework provides for a relatively private environment by which sensitive matters can be openly discussed to achieve recommendations or policy guidance on discrete issues.
What are the requirements and conditions for a CIPAC meeting?
Proposed agendas for CIPAC meetings are submitted to the Designated Federal Officer (DFO) for validation that the meeting’s purpose, objectives, and outcomes are related to seeking consensus with respect to critical infrastructure protection, security, and/or resilience. Upon the DFO’s signature of a Notice of CIPAC Compliance, a high-level meeting agenda is posted on the publicly accessible website unless exigent circumstances prohibit doing so.
A DHS Compliance Liaison Official (CLO) certified by the DFO is assigned and attends all CIPAC meetings to ensure compliance, including confirmation that SCC and GCC member representation is present. The CLO restricts attendance to the member representatives and invited subject matter experts identified on the meeting roster.
Pursuant to the August 13, 2014, guidance issued by the Office of Management and Budget, the 2010 presidential ban on lobbyist participation in CIPAC meetings has been lifted. The revised CIPAC Charter signed by the Secretary of Homeland Security on December 7, 2014, allows for the participation of federally registered lobbyists as long as that participation is in a representative capacity.
What are the guidelines to navigate regulatory discussions within the context of CIPAC meetings?
The CIPAC framework provides for a relatively private environment by which sensitive matters can be discussed to achieve consensus on recommendations or policy guidance on discrete issues related to the safety, security, and resiliency of our critical infrastructure.
The Administrative Procedure Act (APA), Public Law 79–404, 60 Stat. 237, enacted on June 11, 1946, is the United States Federal statute that governs the way in which administrative agencies of the Federal Government of the United States may propose and establish regulations. The APA provides, among other things, that Federal rulemaking be transparent. As CIPAC meetings are generally not open to the public, they are not necessarily the appropriate forum in which to discuss prospective rulemaking issues. However, CIPAC meetings may seek feedback from relevant participants prior to the publication of a new or modified rule in the Federal Register.
Is CIPAC a rulemaking body?
Per the CIPAC Charter, a CIPAC meeting is not a forum to create Federal policy. Rather, it is an opportunity for public and private owner/operator representatives of critical infrastructure to discuss a discrete subject and work together to provide recommendations or consensus policy guidance. Those recommendations or policy guidance are not law. The CIPAC body does not have authority to implement action. Its function is to provide recommendations which are then presented to the Federal official of the governing body responsible for that sector or issue. Only Federal officials of the relevant agency can decide whether to accept the recommendation and implement a policy as a result.
What is the Freedom of Information Act (FOIA) and how is it relevant to CIPAC?
The Freedom of Information Act of 1974 (FOIA) 5 U.S.C. § 552, provides for disclosure of Federal agency records and information to the public, unless that information is exempt from disclosure under statutory language and/or any accompanying regulatory and case law. CIPAC records produced at or for CIPAC meetings are subject to FOIA. However, all or part of those records may be exempt from public disclosure due to the applicability of one or more of the FOIA exemptions.
Although FOIA has somewhat different ramifications for private sector participants than State and local government participants, possible disclosure of either party’s information could affect information sharing within CIPAC. Thus, FOIA provides for nine exemptions from public disclosure. The most relevant to CIPAC include:
- Exemption 1 – Information that is properly classified in the interest of national security, pursuant to Executive Order 12958.
- Exemption 3 – Information exempted from release by statute.
- Exemption 4 – Trade secrets and commercial or financial information which could harm the competitive posture or business interests of a company.
- Exemption 5 – Deliberative process privileged information that is withheld to prevent injury to the quality of agency decision-making.
- Exemption 7(E) – Information pertaining to law enforcement techniques that if disclosed could be used to circumvent the law.
- Exemption 7(F) – Information that if disclosed could reasonably be used to endanger the life or physical safety of any individual.
Determining when information falls under one of the FOIA exemptions is a multistep process. However, the final determination as to which records will or will not be released rests with the FOIA Office, in accordance with the Department’s internal review process.
Just as FOIA ensures some degree of Federal Government transparency, each of the 50 States, plus Washington, D.C., has a similar law that applies to information received by State and local governments. These State laws are generally known as “open records” or “sunshine” laws and, although similar, do not completely mirror FOIA in terms of what information is protected from disclosure. State open records laws run the gamut from no explicit protection to full protection of information related to critical infrastructure. Therefore, even if information is exempt from disclosure under FOIA, it could potentially be released to the public if the information is considered a public record of a State and the State does not have any applicable exemptions to its open records law.
Generally, State, local, tribal, and territorial participants in CIPAC should contact their immediate agency’s attorney and/or their individual attorney general’s office to determine the laws in their jurisdiction.