PCII Program - Frequently Asked Questions
These are some frequently asked questions regarding the Protected Critical Infrastructure Information (PCII) Program.
What is the definition of Critical Infrastructure Information (CII)?
CII is information not customarily in the public domain and related to the security of critical infrastructure or protected systems, including documents, records, communication networks, or other information concerning:
- Actual, potential, or threatened interference with, attack on, compromise or incapacitation of critical infrastructure or protected systems by either physical or computer-based attack or other similar conduct that violates Federal, State, local, tribal, territorial laws, harms interstate commerce of the United States, or threatens public health or safety;
- The ability of any critical infrastructure or protected system to prevent such interference, compromise, or incapacitation; including any planned or past assessment, projection, or estimate of the vulnerability of critical infrastructure or a protected system, including security testing, risk evaluation thereto, risk management planning, or risk audit; and
- Any planned or past operational problem or solution regarding critical infrastructure or protected systems, including repair, recovery, reconstruction, insurance, or continuity, to the extent it is related to such interference, compromise, or incapacitation.
For further information on CII, please see the Critical Infrastructure Information Act of 2002 (codified at 6 U.S.C. § 133) and the PCII regulations (6 C.F.R. part 29) available at the PCII Program.
What is the PCII Program?
The PCII Program, part of the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security (DHS), is an information-protection program to enhance information sharing between the private sector and the government. Qualifying information voluntarily submitted to the government and validated as PCII is protected by the government from public disclosure under the Freedom of Information Act (FOIA) and similar State and local disclosure laws, from use in civil litigation, and from use for regulatory purposes.
DHS and other Federal, State and local government analysts use PCII in pursuit of a more secure homeland, focusing primarily on:
- Analyzing and securing critical infrastructure and protected systems;
- Identifying vulnerabilities and developing risk assessments; and
- Enhancing recovery preparedness measures.
What protections are offered by the PCII Program?
The PCII Program protects all information designated as PCII through its lifecycle. Safeguards ensure PCII is:
- Accessed only by authorized and properly trained individuals;
- Used for analysis of threats, vulnerabilities, and other homeland security purposes;
- Protected from disclosure under the Freedom of Information Act (FOIA) and similar State, local, tribal, or territorial disclosure laws; and
- Not used directly in civil litigation nor as the basis for regulatory action.
What are the responsibilities of the PCII Program Office?
The PCII Program Office’s responsibilities are:
- Establishing guidelines for handling, accessing and storing PCII;
- Training users and recipients on safeguarding PCII;
- Accrediting government entities to handle PCII;
- Validating submissions as PCII; and
- Facilitating access to PCII.
What are the requirements for accessing PCII?
The PCII Program shares PCII directly through the PCII Program Office or through DHS field representatives and other Federal agencies designated to receive PCII by the PCII Program Manager. Only authorized users can access PCII. To become an authorized user, you must be a Federal, State, local, tribal, or territorial government employee or government contractor trained to handle and safeguard PCII and have homeland security responsibilities as specified in the CII Act, the PCII regulations, and policies and procedures issued by the PCII Program Office. Online training is offered through the Protected Critical Infrastructure Information Management System (PCIIMS).
Upon completion of the training, you will be issued a certificate providing an Authorized User Number. Annual refresher training is required to maintain your authorization status and access to PCII. Access to PCII is granted only to Federal, State, local, tribal, and territorial government employees and their contractors who:
- Are trained in the proper handling and safeguarding of PCII;
- Have homeland security responsibilities as specified in the CII Act, PCII regulations, and policies and procedures issued by the PCII Program Office;
- Have a need to know the specific information; and
- Sign a Non-Disclosure Agreement (State, local, tribal and territorial government employees and their contractors).
In addition to the above requirements, government contractors must modify relevant contracts to comply with requirements of the PCII Program. The contract modification is not a prerequisite to accessing PCII; however, the contractor must contractually acknowledge its responsibilities with respect to PCII as soon as practicable. Contractors can be certified by the PCII Program Manager or a PCII Officer.
What are the penalties for intentionally mishandling PCII?
The PCII Program recognizes that receipt of CII from the private sector is contingent upon keeping submissions safe from unauthorized access, disclosure, and misuse. The CII Act and the PCII regulations apply criminal and civil penalties for Federal employees who intentionally mishandle PCII.
All Federal, State, local, tribal, and territorial government employees with access to PCII, including the PCII Program Office Manager, all PCII Program Office staff, PCII Officers and Deputy Officers, and all Designees of the PCII Program Manager share responsibility for ensuring that PCII is properly safeguarded in accordance with stringent procedures. Federal government employees who do not follow these safeguarding procedures may be subject to disciplinary action including criminal and civil penalties and loss of employment. State laws governing theft, conspiracy, trade secrets, or other topics may apply to other government employees and contractors who intentionally mishandle PCII.
Who can submit information to the PCII Program?
Individuals or entities who have information about critical infrastructure that is not customarily in the public domain, as defined by the PCII regulations, can provide such information to the PCII Program Office, so long as the information is submitted in good faith and is not submitted in lieu of compliance with any regulatory requirement. Individuals submitting on behalf of entities must be authorized to do so by the entity. Entities that might submit information include, but are not limited to:
- Private Sector companies;
- State, local, tribal, and territorial government entities; and
- Working groups comprised of government and private sector representatives.
Are you required to submit directly to the PCII Program Office?
PCII regulations identify procedures for indirect submissions to DHS through DHS field representatives and other Federal agencies. The PCII Program Manager designates Federal employees to receive CII on behalf of DHS, but only the PCII Program Manager is authorized to make the decision to validate a submission as PCII. Those designated to receive CII on behalf of DHS must be Federal employees. The PCII Program Manager appoints Designees and delegates their functions on a case-by-case basis. All Designees are trained to ensure compliance with the requirements of PCII regulations. The PCII Program Office maintains a record of all indirect submissions and the associated metadata through the PCII Program Management System (PCIIMS).
What must accompany a submission to qualify for protection?
Submitters are encouraged to contact the PCII Program Office at 866-844-8163 or PCII-Assist@cisa.dhs.gov prior to submitting their information to ensure that the PCII Program Office can accept the submission format and for any additional guidance. Two items must be included with information submitted for PCII protection under the CII Act:
- An Express statement requesting protection similar to the following: “This information is voluntarily submitted to the Federal government in expectation of protection from disclosure as provided by the provisions of the Critical Infrastructure Information Act of 2002”; and
- A Certification statement that the information is not customarily in the public domain and includes the submitter’s contact information.
When accompanied by signed Express and Certification statements, the submission will be granted an initial presumption of protection. If the certification statement is incomplete, the PCII Program Office requests that the submitter provide a complete certification statement within 30 calendar days of the submitter’s receipt of the request. If the submitter does not remedy the deficiency within 30 days of the request, the PCII Program Office will either return the information to the submitter in accordance with the submitting person or entity’s written preference or destroy the submission in accordance with the Federal Records Act and Department of Homeland Security regulation.
Who can mark information as PCII?
Only the PCII Program Manager or a PCII Program Manager Designee may mark information as PCII and provide the submission with an identification number. Information that does not contain the requisite PCII markings and identification number will not be treated by the PCII Program as PCII. The PCII marking remains until the PCII Program Manager determines that the information no longer qualifies for PCII protection or the submitter requests that the protection be removed. PCII Authorized Users must ensure that products created from PCII include a PCII cover sheet, are marked with “Protected Critical Infrastructure Information” in the header and footer of the documentation, and are labeled with the protection statement:
"This document contains PCII. In accordance with the provisions of 6 CFR part 29, this document is exempt from release under the Freedom of Information Act (5 U.S.C. 552(b) (3)) and similar laws requiring public disclosure. Unauthorized release may result in criminal and administrative penalties. This document is to be safeguarded and disseminated in accordance with the CII Act and the PCII Program requirements."
If the information does not have an identification number, please contact the PCII Program Office immediately at 866-844-8163 or at PCII-Assist@cisa.dhs.gov.
How is PCII tracked?
PCII submissions are tracked through a unique identification number. The identification number is assigned when CII enters the validation process for protection under the CII Act. This unique identification number is included on all original PCII, copies of original PCII and products created from PCII.
What is a Categorical Inclusion?
The PCII Program Manager can declare certain subject matter or types of information categorically protected as PCII and set procedures for the receipt and processing of such information per 6 CFR § 29.6. The PCII Program Office then expedites the acceptance of presumptively valid critical infrastructure information. CII within a categorical inclusion is considered validated upon receipt by the PCII Program Office or any of the Designees without further review, provided that the PCII Program Office has pre-validated that type of information as PCII and the submitter includes signed Express and Certification statements. The PCII Program Manager must appoint a Designee before an entity can establish a categorical inclusion. Currently, Federal entities or programs managed and overseen by a Federal employee can collect data under a categorical inclusion. Interested partners can coordinate with the PCII Program Office to establish a categorical inclusion and to complete required documentation.
What is the Protected Critical Infrastructure Information Management System (PCIIMS)?
PCIIMS is an information technology system required by the PCII regulations (6 CFR § 29.4) to record the receipt, acknowledgement, validation, storage, dissemination, and destruction of PCII. PCIIMS supports through automation the collection of voluntarily submitted critical infrastructure information (CII) from the private sector and supports the PCII validation process to establish protection of CII. The PCII Program Office uses PCIIMS: (1) to accept CII submissions via the electronic submissions portal; (2) to train and monitor PCII Authorized Users through its distributed framework, which consists of communities within the many Federal, State, local, tribal, and territorial government organizations; and (3) to manage PCII Program Office data. Only PCII Authorized Users with a valid need-to-know may access PCIIMS. Information contained in PCIIMS is safeguarded and protected in accordance with the CII Act and regulations.
Prior to accessing PCII, individuals must register through PCIIMS to receive certification as a PCII Authorized User after meeting various vetting and training requirements.
Can information be both PCII and Sensitive Security Information (SSI)?
Yes, information can be both PCII and SSI. According to the SSI regulation at 49 CFR § 1520.15(h), disclosure of information that is both SSI and PCII is governed solely by the PCII requirements of the CII Act of 2002 and PCII regulations. Users handling materials that are marked as both PCII and SSI will observe PCII handling, safeguarding, and dissemination requirements.
To learn more about how the PCII Program can support your organization's homeland security efforts, please contact PCII-Assist@cisa.dhs.gov.