The Protected Critical Infrastructure Information (PCII) Program's safeguards ensure that PCII is:
- Only accessed by authorized and properly trained individuals with a need to know
- Properly marked as PCII
- Used appropriately for threat analysis, vulnerabilities, and other homeland security purposes
- Protected from disclosure under the Freedom of Information Act (FOIA) and similar state and local disclosure laws
- Not used directly in civil litigation
- Not used for regulatory action
The PCII Program Office administers an accreditation program for federal, state, and local governments to ensure that uniform PCII Program standards and requirements are consistently applied by all participating entities. The Department's oversight of the PCII Program is conducted through PCII Compliance Reviews.
PCII is made available only to those federal, state, tribal, and local government employees and their contractors who:
- Are trained in the proper handling and safeguarding of PCII.
- Have homeland security responsibility as specified in the Critical Infrastructure Information (CII) Act of 2002, the Final Rule, and the policies and procedures issued by the PCII Program.
- Have a need to know the specific information.
- Sign a Non-Disclosure Agreement (nonfederal employees).
In addition to the above requirements, government contractors must modify relevant contracts to comply with requirements of the PCII Program. The contract modification is not a prerequisite to accessing PCII; however, the contractor must contractually acknowledge its responsibilities with respect to PCII as soon as practicable. To avoid delay or interruption of access to PCII, contractors can be certified by the PCII Program Manager or a PCII Officer. For more information, please see the PCII Program Procedures Manual.
Only the PCII Program Office or the PCII Program Manager Designees may mark information as PCII and provide it with a submission identification number. Information that does not contain the requisite PCII markings and identification number is not PCII.
To ensure appropriate protections on PCII:
- All forms of PCII are marked with “Protected Critical Infrastructure Information” in the headers and footers to alert users to the information’s status and protection requirements.
- All PCII is marked with an Identification Number.
- All PCII materials are labeled with the required Protection Statement.
The PCII marking remains until the PCII Program Office determines that the information no longer qualifies for PCII protection or the submitter requests that the protection be removed.
All PCII is labeled with the Protection Statement by the PCII Program Office or the PCII Program Manager Designee to help ensure the material is safeguarded and protected as PCII. If PCII does not have the Protection Statement, please notify the PCII Program Office at PCII-Assist@cisa.dhs.gov.
All PCII materials, or the cases or containers in which they are stored, must be labeled with the following statement:
This document contains Protected Critical Infrastructure Information. In accordance with the provisions of the Critical Infrastructure Information Act, 6 U.S.C. §§ 131 et seq., it is exempt from release under the Freedom of Information Act (5 U.S.C. § 552) and similar State and local disclosure laws. Unauthorized release may result in criminal and administrative penalties. It is to be safeguarded and disseminated in accordance with the Critical Infrastructure Information Act, 6 U.S.C. §§ 131 et seq., the implementing Regulation, 6 CFR Part 29 and PCII Program requirements.
PCII Cover Sheet
The PCII Cover Sheet must be attached to all physical copies of PCII materials to alert individuals of the PCII. PCII materials should always be protected with the Cover Sheet, whether in storage, transit, or on a desk, even if that desk is in an environment where the most rigorous access controls are in place. The Cover Sheet must:
- Be positioned in such a manner that the PCII cannot be viewed by individuals in the immediate area who are not working with the information.
- Remain with PCII materials at all times.
- Be placed on top of a transmittal letter or memorandum.
Safeguarding and Storing PCII
All PCII recipients share responsibility for ensuring that PCII is properly safeguarded in accordance with the Critical Infrastructure Information Act of 2002 (CII Act) and the Final Rule: Procedures for Handling Protected Critical Infrastructure Information (Final Rule).
Federal government employees who do not follow these safeguarding procedures may be subject to disciplinary action and to the civil and criminal penalties set forth in the CII Act of 2002.
In general, safeguarding measures must ensure that:
- Precautions are taken to prevent unauthorized persons from overhearing conversations, observing PCII materials, or otherwise obtaining such information.
- PCII is accessed only by authorized users.
- To the extent feasible, submitted information is not at risk of inappropriate use.
- PCII is not disseminated inappropriately.
Recipients of PCII, including copies of PCII and derivative work products, must safeguard the PCII to ensure that PCII is:
- Accessed by authorized users who are properly trained in how to handle PCII.
- Safeguarded in accordance with all the guidance from the PCII Program Manager.
Once submitted information is validated and marked as PCII, it may reside on a partnering federal entity's system and keep the protections afforded under the PCII Program.
The PCII Program Office keeps a record of all submissions, including those made to an information-sharing partnership. All partnering entities must adhere to the strict safeguarding, handling and storing requirements detailed in the CII Act of 2002 and the Final Rule.
Change in PCII Status
In some cases, the PCII Program Manager may discover that information validated as PCII was, at the time of validation, of a type customarily in the public domain. Under such circumstances, the PCII Program Manager will review the submission’s PCII status and can remove the PCII protections.
The submitter may also, at any time after submission of critical infrastructure information (CII), request in writing that his or her submitted information no longer be protected as PCII. The PCII Program Manager or the Designee will follow the submitter's directions under the following circumstances:
- Withdrawal of Submissions: If a submitter wishes to withdraw the submission, and that information has not completed the validation process, the PCII Program Office will return all such information to the submitting person or entity or destroy the information, depending on the written request of the submitter.
- Change of Status: If the submitter requests in writing that the PCII protections be removed on a submission that has already been validated, the PCII Program Office will do so. In this case, the PCII Program Office may destroy the information or return it to the submitter, depending on the submitter’s instructions and availability. Recipients of that PCII will be notified of the final change in status.
In the event that the PCII Program Manager determines that the information should not retain its PCII status or the submitter requests that his or her submitted information no longer be protected as PCII, the PCII Program Office will:
- Notify the submitter of the change in status.
- Remove the PCII markings from the information.
- Change the designation of the information in PCII Management System.
- Notify users of the information’s change in status.
If there is no indication that the information has been used as PCII, the PCII Program Office will notify the submitter of the change in status and ask him or her to specify whether the information should be destroyed or retained without protection under the CII Act of 2002. If the PCII Program Office does not receive a response to this request within 30 calendar days of notifying the submitter of the change in status, the PCII Program Office may retain the information without protection or destroy it in a manner consistent with the appropriate National Archives and Records Administration records disposition schedule.
Oversight and Compliance
All individuals with access to PCII are responsible for safeguarding it while it is in their possession or control. Participating government entities, in partnership with the PCII Program Office, ensure individuals adhere to safeguarding and handling requirements. The PCII Program Office conducts the Department's oversight of the PCII Program through PCII Compliance Reviews.
PCII accredited government entities must designate a PCII Officer to provide oversight and manage employees with access to PCII in their organization. The PCII Program Office works in conjunction with the PCII Officer to ensure PCII is being used appropriately by reviewing the annual reports and self-inspections and conducting site visits as necessary.
The PCII Officer’s oversight of the PCII Program in his or her entity consists of:
- Monitoring ongoing compliance with PCII Program requirements
- Supervising PCII authorized users within the entity
- Performing periodic self-inspections
- Fulfilling an annual reporting requirement
- Investigating any alleged or actual misuse or compromise of PCII
- Undertaking site visits
- Conducting system audits
- Reporting any misuse or mishandling of PCII
In coordination with the Department of Homeland Security Office of Security and the Office of the General Counsel, the PCII Program Manager has established and implemented procedures for reporting and investigating the suspected loss, misplacement, or unauthorized disclosure of PCII. The Memorandum of Agreement that entities must enter into as part of the accreditation process, requires federal, state, and local entities to cooperate in these investigations.
Suspicious or inappropriate requests for information by any means (e.g., email or verbal), must be reported immediately to the relevant PCII Officer, who must then report them to the PCII Program Office.
Penalties for Mishandling PCII
All federal, state, and local government employees and contractors with access to PCII must ensure that PCII is properly safeguarded according to official program procedures.
Individuals who do not follow these procedures may be subject to disciplinary action, including criminal and civil penalties and loss of employment. State laws governing theft, conspiracy and trade secrets may apply to government employees and contractors who intentionally mishandle PCII. The penalties for mismanagement are detailed further in the Final Rule.
Download the printer-friendly Penalties for Violations of the PCII Program fact sheet.
Reporting Violations of PCII Protections
Report any suspected violation of PCII security procedures, the loss or misplacement of PCII, or any suspected unauthorized disclosure of PCII to both the PCII Program Manager and the PCII Officer.
To learn more about how the PCII Program can support your organization's homeland security efforts, please contact PCII-Assist@cisa.dhs.gov.