CISA Publishes Technical Rule to Update Protected Critical Infrastructure Information (PCII) Program


WASHINGTON—Today, the Department of Homeland Security (DHS) and Cybersecurity and Infrastructure Security Agency (CISA) are issuing a technical rule to improve and modernize aspects of the Protected Critical Infrastructure Information (PCII) Program, which provides legal protections for cyber and physical infrastructure information submitted to DHS. These non-substantive, technical edits amend the Protected Critical Infrastructure Information (PCII) Program regulation found at 6 CFR part 29, to help critical infrastructure owner/operators, state and local governments, and other important stakeholders more effectively use the PCII Program.

On September 1, 2006, DHS published the PCII Program regulation, 6 CFR part 29, “Procedures for Handling Critical Infrastructure Information; Final Rule.” Established as part of major security reforms following the 9/11 terror attacks, the PCII Program has become a cornerstone of CISA’s public-private partnership to secure our Nation’s cybersecurity and critical infrastructure by providing legal protections for information shared with the government by the private sector for homeland security purposes. This technical rule represents the first-ever update to the PCII regulations since their initial publication in 2006. Since then, the implementing component within DHS underwent substantial reorganization (i.e., transitioning the National Protection and Programs Directorate into CISA). As a result of this change, several technical revisions to 6 CFR part 29 were required to reflect updates to organization and to address typographical and other errors in the 2006 final rule. These improvements help to modernize the Program and further position CISA as the Nation’s lead cyber defense agency.   These technical, non-substantive revisions qualify for publication as a final rule without the notice and comment typically required by the Administrative Procedure Act.

“The PCII Program is essential to CISA’s ability to gather information about risks facing critical infrastructure,” said Dr. David Mussington, Executive Assistant Director for Infrastructure Security. “This technical rule modernizes and clarifies important aspects of the Program, making it easier for our partners to share information with DHS. These revisions further demonstrate our commitment to ensuring that sensitive, proprietary information shared with CISA remains secure and protected. I would like to thank CISA’s PCII Program Office and Office of the Chief Counsel for their hard work in making this technical rule a reality.”

These revisions constitute non-substantive technical, organizational, and conforming amendments in various sections of 6 CFR part 29 to correct errors, change addresses, update titles, and make other non-substantive amendments that improve the clarity of the PCII Program regulations. This rule does not create or change any substantive requirements. A complete description of the revisions is in the technical Final Rule, which can be found at 87 Fed. Reg. 77971 (December 21, 2022). An accompanying unofficial redline of the regulatory text, which is provided as a courtesy only, will be available at the PCII Program website for public view.