Answers to common questions regarding Protected Critical Infrastructure Information (PCII) when compared to Sensitive Security Information (SSI) and Chemical-Terrorism Vulnerability Information (CVI).
Sensitive Security Information (SSI)
Sensitive Security Information (SSI) is information that, if publicly released, would be detrimental to transportation security, as defined by Federal Regulation 49 C.F.R. Part 1520.
Can information be both PCII and SSI?
Yes, information can be both PCII and SSI. Disclosure of information that is both PCII and SSI is governed by both PCII and SSI requirements. Therefore, users handling materials that are marked as both PCII and SSI should observe all PCII handling, safeguarding, and dissemination requirements. Users should remember that PCII cannot be used for regulatory purposes, even if it is also SSI.
If a document contains both PCII and SSI, how must it be protected?
If a document is both SSI and PCII it should be protected as both PCII and SSI. If those requirements conflict, users should contact either the PCII Program (PCII-Assist@cisa.dhs.gov) or the SSI Program (SSI@tsa.dhs.gov) for further guidance.
Can a private sector submitter disclose SSI if a copy has also been validated as PCII?
The private sector entity would not have a marked copy of PCII. Therefore, the entity's copy would be SSI, but not PCII. While there are no PCII safeguarding or handling requirements for unmarked copies of validated PCII retained by a submitter, the entity is still required to comply with all SSI handling and safeguarding requirements that are applicable to the information. The private sector entity therefore can disclose the information only to a "Covered Person" as defined in the SSI Regulation.
Can a state or local government entity submit SSI for validation as PCII?
Yes. The copy of the information the entity retains, however, is SSI and is not PCII and must be handled and safeguarded in accordance with SSI requirements, including the SSI Regulation.
Can information that has been submitted for PCII protections also have SSI protections?
Yes. A submitting entity retains control over the information and products it has generated and may handle the unmarked copy of the information as it chooses. That copy is not PCII and is not subject to the PCII handling and safeguarding requirements. If the information falls within the categories of SSI, the entity will need to comply with SSI handling, safeguarding, and dissemination requirements.
For marked copies of PCII that a state or local government entity might hold, that entity may only share those copies in accordance with PCII handling and safeguarding requirements. Validated PCII will be marked as such and have a submission identification number provided by the PCII Program. If the information is marked as SSI and PCII, the information is governed by both PCII and SSI handling, safeguarding, use, and dissemination requirements.
Chemical-Terrorism Vulnerability Information (CVI)
Chemical-Terrorism Vulnerability Information (CVI) is information developed and/or submitted to DHS pursuant to the Chemical Facility Anti-Terrorism Standards program.
Would the same document ever be marked as CVI and PCII at the same time?
No. The same underlying information might be submitted to both the CFATS and PCII programs, but then that would create a set of documents marked and protected under CVI and a set of documents marked and protected under PCII. Each category of information would be used for separate purposes.
Can a facility disclose information that has been validated as PCII in order to comply with the Chemical Facility Anti-Terrorism Standards (CFATS)?
Yes. Copies of the information the facility holds may be shared by the facility with anyone, including federal regulators, even if that information has also been submitted as PCII.
However, a facility should not provide its PCII-marked and protected copies of their information to comply with CFATS, so it can avoid confusion about whether PCII is being improperly disclosed. PCII-marked and protected information is not allowed to be used for regulatory purposes, including CFATS, and sharing a marked copy may give the impression that this requirement has been violated.
At any time after their submission is validated, submitters can request an unmarked copy of their submission be returned to them. This copy is not subject to the PCII handling and safeguarding requirements.
Will federal government employees or contractors who work on CFATS have access to PCII relating to a covered facility?
To learn more about how the PCII Program can support your organization's homeland security efforts, please contact PCII-Assist@cisa.dhs.gov.