This webpage describes who can submit Critical Infrastructure Information (CII) for protection under the CII Act of 2002, what kind of information can be submitted, and how to submit that information.
PCII Submitter Awareness Video
The PCII Submitter Awareness video provides greater detail on CII, and provides additional guidance on why it should be submitted to the PCII Program, and how someone would go about submitting CII for PCII protection.
The video also explains the benefits of the PCII Program, some of the procedural safeguards and training requirements used to ensure the appropriate handling of PCII, and explains how PCII is used by DHS to improve the Federal Government’s ability to work.
Critical Infrastructure Information
Information related to the security of critical infrastructure or protected systems, including documents, records, or other information concerning threats, vulnerabilities and operational experience may be submitted for PCII protection. This information must be:
- Voluntarily submitted;
- Not customarily available in the public domain; and
- Not submitted in lieu of compliance with any regulatory requirement.
Submitted information will retain PCII protections unless the PCII Program Office determines that the information, at the time of the submission, was customarily in the public domain, or the submitter requests in writing that the protections be removed.
The PCII Program Office will accept submissions of CII for consideration of the protections of the CII Act from any submitter who:
- Owns the information being submitted (or is an authorized representative of the owner of the information);
- Has sufficient knowledge of the information to affirm that it is being submitted voluntarily (i.e., in the absence of an exercise of legal authority by the Department of Homeland Security to compel access to or submission of such information); and
- Has sufficient knowledge of the information to affirm in the Certification Statement that the information is not lawfully, properly, and regularly disclosed generally or broadly to the public.
Examples of potential submitters include, but are not limited to:
- State and local government officials
- Authorized representatives of privately or publicly owned companies
- Industry associations (on behalf of their members)
- Individuals capable of providing an analytical observation of a critical infrastructure
- Working groups comprised of government and private sector representatives
Representatives of federal government entities may not submit information to the PCII Program in consideration of the protections of the CII Act.
Express Statement and Certification Statement
All information submitted for PCII protection must include:
- An Express Statement requesting the protection offered by the CII Act; and
- A Certification Statement containing an affirmation that the individual submitting the information is authorized to submit, the submitter’s contact information, and certification that the information is not customarily in the public domain.
When accompanied by an Express Statement and a signed Certification Statement, the submission will be granted the presumption of protection throughout the entire validation process. If the Certification Statement is missing or incomplete, the information will have the presumption of protection but the PCII Program Office will request that the submitter provide a complete Certification Statement within 30 calendar days.
If the submitter does not provide both within 30 days of the request, the PCII Program Office will either return the information to the submitter in accordance with the submitting person or entity's written preference or destroy the submission in accordance with the Federal Records Act and Department of Homeland Security regulations.
Submitters should contact the PCII Program Office (PCII-Assist@cisa.dhs.gov) prior to submitting their information to ensure that the Program Office can accept the submission format and provide any additional guidance.
Critical infrastructure information can be submitted for PCII validation in two ways:
- Through a partnering federal government entity
- Directly to the PCII Program Office
Submitting CII via Partnering Federal Agency
When CII is submitted to the Department of Homeland Security through approved partnerships with federal agencies, the PCII Program Manager declares certain subject matter or types of information categorically protected as PCII and sets procedures for receiving and processing of this information.
Submitting CII Directly to the PCII Program Office
Critical infrastructure information may be submitted directly to the PCII Program Office for protection via:
- Electronic Submission
- Standard Mail:
PCII Program Office
Department of Homeland Security
245 Murray Lane, SW, Mail Stop 0602
Washington, DC 20528-0602
- Fax: 703-235-3050
- Phone: 1-866-844-8163 (Phone submissions must be followed by a similar written statement within 15 calendar days after the submission.)
The PCII Program Office or Designee will acknowledge receipt of the submission within 30 days of its receipt. Acknowledgement of receipt is not a determination of validation, but only a notification to the submitter that the PCII Program Office or Designee has received the information accompanied by an Express and Certification Statement.
When a submission is evaluated and determined to meet all prescribed qualifications, the PCII Program Office will validate it and mark the information as PCII. Once the submission is validated, the submitter will receive a validation letter or an email which will include a submission identification number.
PCII protections apply only to the information in the hands of the government and not to the copy retained by the submitter. A submitter may use their copy of the information as they see fit, but we encourage submitters to consider information access and information security as part of that decision.
Submissions that do not meet requirements are destroyed or returned to the submitter, as determined by the submitter's written preference.
State and Tribal Submissions and Records Laws
After the submitted information has been validated by DHS for PCII protection, the original information and documents may still be subject to records management and disclosure laws that vary by state or within different tribes, territories, or localities. This may lead to a situation where a submission is validated and marked as PCII, but the original records cannot be destroyed by the submitting state, tribal, or local entity due to records retention rules. Those original records could still be used not only for regulatory purposes, but they could also be requested by the public depending on the disclosure rules of the jurisdiction. A failure to understand the different status of marked and non-marked copies can lead to a mistaken belief that every copy is protected once one copy is submitted to the PCII Program.
The PCII Program works with federal government partners to integrate PCII protections into data-collection processes. Examples of successful information-sharing partnerships within the Department include:
- Infrastructure Security Division’s CISA Gateway
- National Cyber Security Division’s United States Computer Emergency Readiness Team (US-CERT) Secure Portal Submissions Capability
To learn more about how the PCII Program can support your organization's homeland security efforts, please contact PCII-Assist@cisa.dhs.gov.