Federal Register: February 20, 2004 (Volume 69, Number 34)
Rules and Regulations           
Page 8073-8089


Department of Homeland Security


-----------------------------------------------------------------------


Office of the Secretary


-----------------------------------------------------------------------


6 CFR Part 29


Procedures for Handling Critical Infrastructure Information; Interim 
Rule


RIN 1601-AA14

 
AGENCY: Office of the Secretary, Department of Homeland Security.

ACTION: Interim rule with request for comments.

-----------------------------------------------------------------------

SUMMARY: This interim rule establishes procedures to implement section 
214 of the Homeland Security Act of 2002 regarding the receipt, care, 
and storage of critical infrastructure information voluntarily 
submitted to the Department of Homeland Security. The protection of 
critical infrastructure reduces the vulnerability of the United States 
to acts of terrorism. The purpose of this regulation is to encourage 
private sector entities to share information pertaining to their 
particular and unique vulnerabilities, as well as those that may be 
systemic and sector-wide. As part of its responsibilities under the 
Homeland Security Act of 2002, the Department of Homeland Security 
will analyze this information to develop a more thorough 
understanding of the critical infrastructure vulnerabilities of the 
nation. By offering an opportunity for protection from disclosure under 
the Freedom of Information Act for information that qualifies under 
section 214, the Department will assure private sector entities that 
their information will be safeguarded from abuse by competitors or the 
open market. In addition, information from individual private sector 
entities, combined with that from other entities, will create a broad 
perspective from which the Federal government, State and local 
governments, and individual entities and organizations in the private 
sector can gain a better understanding of how to design and develop 
structures and improvements to strengthen and defend those 
infrastructure vulnerabilities from future attacks.

DATES: This interim rule is effective February 20, 2004. Comments and 
related material must reach the Department of Homeland Security on or 
before May 20, 2004.

ADDRESSES: Submit written comments to Janice Pesyna, Office of the 
General Counsel, Department of Homeland Security, Washington, DC 20528. 
Electronic comments may be submitted to [email protected]

FOR FURTHER INFORMATION CONTACT: Janice Pesyna, Office of the General 
Counsel, (202) 205-4857, or Fred Herr, Information Analysis and 
Infrastructure Protection Directorate, (202) 360-3023, not a toll-free 
call.

SUPPLEMENTARY INFORMATION:

Public Participation and New Request for Comments

    The Department of Homeland Security (Department or DHS) encourages 
the public to participate in this rulemaking by submitting comments and 
related materials. All comments received will be posted, without 
change, to the DHS Web site (http://www.dhs.gov/pcii/) and will include 
any personal information provided.
    Submitting comments: To submit a comment, please include the full 
name and address of the person submitting the comment, identify the 
docket number for this rulemaking, indicate the specific section of 
this document to which each comment applies, and give the reason for 
each comment. Comments and supporting material may be submitted by 
electronic means, mail, or delivery to the Department of Homeland 
Security, Washington, DC 20328. The Department will consider all 
comments and material received during the comment period. The 
Department may change this rule in view of them.

Regulatory History

    On April 15, 2003, the Department published a notice of proposed 
rulemaking entitled ``Procedures for Handling Critical Infrastructure 
Information'' in the Federal Register (68 FR 18523), 6 CFR part 29, RIN 
1601-AA14. As stated in the notice of proposed rulemaking, the 
Department intended to implement this interim rule as soon as possible. 
The Department finds that the need to receive critical infrastructure 
information, as soon as practicable, furnishes good cause for this 
interim rule to take effect immediately under section 808 of the 
Congressional Review Act.
    For many years, private industry has indicated that its reluctance 
to share critical infrastructure information with the Federal 
government is based upon a concern that the information will not be 
adequately protected from disclosure to the public. Furthermore, 
private sector entities fear that entities intending to harm our 
nation, as well as potential business competitors, could seek to use 
the Freedom of Information Act or other disclosure processes to obtain 
sensitive or confidential business information not otherwise available 
to the public. Release of such information could facilitate the efforts 
of those persons or entities planning or attempting to cause physical 
or economic harm to our nation or to a particular company or industry.
    The responsibilities of the Department include taking action to 
prevent terrorist attacks within the United States and reducing the 
vulnerability of the United States to acts of terrorism. The reduction 
of that vulnerability includes the protection of vital physical or 
computer-based systems and assets, collectively referred to as 
``critical infrastructure,'' the incapacitation or destruction of which 
would have a debilitating impact on national security, national 
economic security, national public health or safety, or any combination 
of these matters.
    The Department recognizes the importance of receiving information 
from those with direct knowledge of the security of that critical 
infrastructure in order to help reduce our nation's vulnerability to 
acts of terrorism. The Department believes the voluntary sharing of 
critical infrastructure information (CII) has been slowed due to 
concerns that information might be released to the public.
    The Department recognizes that its receipt of information 
pertaining to the security of critical infrastructure, which is not 
customarily within the public domain, is best encouraged through the 
assurance that such information will be utilized for securing the 
United States and will not be disseminated to the general public. 
Accordingly, section 214 of the Homeland Security Act, subtitle B of 
title 2, which is referenced as the Critical Infrastructure Information 
Act of 2002 (CII Act of 2002), directly addressed this problem by 
establishing a program that protects from disclosure to the general 
public any CII that is voluntarily provided to the Department. Section 
214(f) of the statute provides for fines and imprisonment under title 
18 (Crimes and Criminal Procedure) of the United States Code for 
unauthorized disclosure of CII.
    The interim rule will provide the Department with the framework 
necessary to receive CII and protect it from disclosure to the general 
public. This interim rule provides flexibility to allow the Department 
to adapt as program operations evolve. This interim rule sets out a 
basic set of regulations that implements the Protected CII Program. The 
Department will continue to consider public comments to this interim 
rule and determine whether possible supplemental regulations are needed 
as experience is gained with implementing the CII Act of 2002.

Discussion of Comments and Changes

    The Department received 117 different sets of comments on the 
proposed rule during the initial comment period. The Department has 
considered all of these 117 sets of comments, and summaries of the 
comments and the Department's responses follow.

CII and Protected CII

    The Department received six comments suggesting the need to make 
the distinction between CII and Protected CII clearer throughout the 
rule. This regulation establishes the program for the receipt, 
handling, use, and storage of a specialized category of information 
that is voluntarily submitted to the Department and meets the criteria 
for Protected CII. Not all CII necessarily will be Protected CII. 
Recognizing that the proposed rule did not in all instances use the 
terms ``CII'' and ``Protected CII'' consistently, the interim rule has 
been modified throughout where appropriate.

Indirect Submissions

    The Department received 20 comments expressing concern regarding 
the proposed provision that would enable other Federal government 
entities to act as conduits for submissions of CII to the Department. 
Comments observed that extending the protections of the CII Act of 2002 
to information submitted to agencies other than the Department was 
outside the authority of the Department. Further, comments highlighted 
the increased potential for unauthorized use and disclosure of 
information, as well as the burden that indirect submissions might 
place on other entities. Comments requested that all references to 
indirect submissions be removed and that the rule's terms be clarified 
so that no section could be interpreted to express or imply that 
material may be submitted to another Federal government agency.
    Three comments supported allowing indirect submissions as proposed 
in the notice of proposed rulemaking; however, these comments, too, 
highlighted the need for clarification of how such a provision might be 
implemented and sought additional clarification to ensure that 
questions regarding the status of CII submitted to an entity other than 
the Department will be avoided. Support for indirect submissions 
recognized the Department's original intent, which was to further 
encourage the sharing of CII with the Federal government. Owners and 
operators of the nation's critical infrastructures have established 
relationships with other Federal agencies (e.g., agencies that are 
sector leads for a particular infrastructure) and are comfortable 
sharing information with those entities. The Department did not want to 
impede information sharing and, consequently, our ability to protect 
our nation, by limiting the ability of submitters to share CII with the 
Department using those existing relationships.
    Recognizing that, at this time, implementation of such a provision 
would present not only operational but, more importantly, also 
significant program oversight challenges, the Department has removed 
references throughout the rule to indirect submissions. Specifically, 
Sec.  29.1 has been revised to ensure that ``receive'' is not 
interpreted to mean that material may be submitted to Federal 
government entities other than the Department. Section 29.2(i) has been 
revised to clarify that only the Department and no other Federal 
government entity shall be the recipient of voluntarily submitted CII. 
Sections 29.5(a), 29.5(b), and 29.5(c) have been revised to remove 
references to indirect submissions and to clarify that submissions must 
be made directly to the Protected CII Program Manager or the Program 
Manager's designee.
    After the Protected CII Program has become operational, however, 
and pending additional legal and related analyses, the Department 
anticipates the development of appropriate mechanisms to allow for 
indirect submissions in the final rule and would welcome comments on 
appropriate procedures for the implementation of indirect submissions. 
Comments in support of, or opposed to, the proposed framework for 
indirect submission of CII to DHS should fully set forth, with relevant 
citations to the CII Act of 2002 and any other statutory, legislative, 
or case authorities that may be applicable, the basis for the position 
they advance.

Relationship Between Protected CII and Other Similar Regulations

    The Department received four comments regarding the relationship 
between this rule and similar Federal agency rules such as the 
Transportation Security Administration's (TSA) Sensitive Security 
Information (SSI) rule and the Federal Energy Regulatory Commission's 
(FERC) Critical Energy Infrastructure Information (CEII) rule. The 
comments requested that the Department review and clarify the relation 
of the Department's procedures with similar procedures created by other 
Federal agencies for the same types of data.
    Under certain limited circumstances, there may be information 
designated as CII under this interim rule that may also constitute SSI 
under regulations administered by TSA. SSI is information that the 
Administrator of TSA has determined must be protected from unauthorized 
disclosure in order to ensure transportation security. The TSA 
Administrator's authority to designate information as SSI is derived 
from 49 U.S.C. 114(s).
    TSA's regulation implementing this authority, which is set forth at 
49 CFR part 1520, specifies certain categories of information that are 
subject to restrictions on disclosure, both in the hands of certain 
regulated parties and in the hands of Federal agencies. Currently, the 
SSI regulation applies primarily to security information related to the 
aviation sector such as: Security programs and procedures of airport 
and aircraft operators; procedures TSA uses to perform security 
screening of airline passengers and baggage; and information detailing 
vulnerabilities in the aviation system or a facility. SSI is created by 
airports and aircraft operators and other regulated parties, pursuant 
to regulatory requirements. TSA also creates SSI, such as screening 
procedures and certain non-public security directives it issues to 
regulated parties. The SSI regulation prohibits regulated parties from 
disseminating SSI, except to those employees, contractors, or agents 
who have a need to know the information in order to carry out security 
duties.
    Like the provisions of the Homeland Security Act governing CII, 
TSA's SSI statute and its implementing regulation trigger one of the 
statutory exemptions to the general disclosure requirements of the 
Freedom of Information Act (FOIA). See 5 U.S.C. 552(b)(3). Thus, both 
Protected CII and SSI held by the Federal government are exempt from 
public disclosure under the FOIA. In addition, TSA is currently 
considering amendments to its SSI regulation that would make it civilly 
enforceable against employees of DHS and the Department of 
Transportation, which are the Federal agencies most likely to maintain 
SSI. In contrast, unauthorized disclosure of Protected CII by a Federal 
employee is subject to criminal penalties.
    Another key difference between SSI and Protected CII is the extent 
to which a Federal employee may disclose such information. Under TSA's 
SSI regulation, TSA may disclose SSI to persons with a need to know in 
order to carry out transportation security duties. This includes 
persons both within and outside the Federal 
government. This rule proposes disclosure of Protected CII to entities 
that have entered into express written agreements with the Department 
and, in some cases, requires the written consent of the submitter 
before disclosure is permitted. Thus, in cases where information 
qualifies as both SSI and Protected CII, a Federal employee must treat 
the information according to the stricter disclosure limitations 
applicable to Protected CII.
    In practice, the situations in which information constitutes both 
SSI and Protected CII may be limited. For the most part, information 
that is SSI is created by TSA or is required to be submitted to TSA or 
to another part of the Federal government. Therefore, it ordinarily 
will not be voluntarily submitted, which is a required element for 
Protected CII designation. In addition, SSI might or might not relate 
to critical infrastructure assets. Nonetheless, DHS will work to ensure 
that TSA's SSI regulation identifies any instances in which there may 
be an overlap between the SSI and Protected CII regulatory schemes and 
clarifies the applicable requirements for the handling of such 
information.
    Other comments expressed concern regarding the relationship between 
Protected CII and the rule set forth in the Critical Energy 
Infrastructure Information program of the Federal Energy Regulatory 
Commission. These rules are not the same. They operate in a very 
different fashion with respect to the disclosure requirements of FOIA. 
On February 21, 2003, FERC promulgated final regulations establishing 
the CEII procedures, whereby persons with a demonstrated need to know 
who agree to no further dissemination can be provided with certain 
information not otherwise available through FOIA. (68 FR 9857 (March 3, 
2003)) While information that meets the FERC definition of CEII remains 
protected from disclosure under existing FOIA exemptions, an 
alternative means of sharing certain CEII is established, including 
through a CEII Coordinator charged with verification of the need of 
requesters for access and the use of non-disclosure agreements via a 
non-FOIA disclosure track. In other words, the FERC program does not 
create any exempting authority that would change FOIA disclosure 
requirements, whereas section 214 of the Homeland Security Act, which 
is the basis for the Department's CII regulations, does.

Definitions

    The Department received several comments regarding terms defined in 
Sec.  29.2. The following sections address each of the terms in greater 
detail.

Critical Infrastructure and Protected System

    The Department received two comments expressing concern that the 
terms ``critical infrastructure'' and ``protected system'' were not 
sufficiently defined. The comments suggested that examples be provided 
and that phrases such as ``debilitating impact'' be further defined. 
The Department notes that Congress in the CII Act of 2002 prescribed 
the definition of ``protected system.'' The Department believes that 
the definition provides an appropriate degree of flexibility necessary 
to ensure that information pertaining to the protection of these assets 
could potentially be shared with the Department.
    That said, the Department bases its construction of the regulatory 
definition on the CII Act of 2002 itself. The Department is mindful 
that private sector submitters, as the owners and operators of most of 
the nation's critical infrastructures, are the most well versed as to 
what information in their particular sector or industry might qualify 
as CII; therefore, the Department does not wish to unduly restrict the 
scope of what may be submitted as CII under the Act. As part of its 
evaluation process in determining whether information meets the 
criteria for Protected CII, the Department will consider the belief of 
the submitter that the information merits protection under the Act.

Critical Infrastructure Information

    The Department received 11 comments suggesting that the definition 
of CII be expanded and clarified. Several of the comments wished to 
expand the definition to include network and topology information for 
critical infrastructures. The comments also emphasized that expansion 
of the definition would provide submitters with guidance regarding the 
type of information that the Department is looking to receive and also 
ensure that other important information is afforded the protections of 
the CII Act of 2002, therefore further encouraging submissions. The 
comments requested that a detailed explanation of ``not customarily in 
the public domain'' be provided and encouraged the Department to 
develop procedures for evaluating whether information is in the public 
domain. One comment requested that the rule further describe the 
specific records or information that would be considered by the 
Department for protection under the CII Act of 2002. Further, comments 
suggested that the rule specify what information is not CII so that 
submitters know what types of information should not be submitted. The 
Department notes that Congress in the CII Act of 2002 prescribed the 
definition of CII.
    The Department believes that the definition provides the 
appropriate degree of flexibility necessary to further promote 
information sharing by providing submitters with an opportunity to 
provide the information they believe meets the definition and should be 
protected.
    The Department also received two comments noting that the proposed 
rule defined CII as both records and information. Comments suggested 
that the term ``record'' be removed from the rule while other comments 
supported defining CII as both. As a practical matter, these two terms 
are virtually interchangeable in a context such as this. Accordingly, 
Sec.  29.2 has been revised to say ``CII consists of records including 
and information concerning * * *''

Voluntary/Voluntarily

    The Department received 11 comments regarding the broad definition 
of ``voluntary.'' The rule defines information that is not voluntarily 
provided as that information which the Department has exercised legal 
authority to obtain. The comments expressed concern that this could 
permit submitters to share with the Department information that is 
involuntarily collected by other Federal entities. The rule follows the 
explicit language of the Homeland Security Act and allows for the 
voluntary submission of information to the Department that is 
involuntarily collected by other Federal agencies, subject to certain 
requirements. These restrictions are found throughout the rule, 
primarily in Sec.  29.3(a), which states that its procedures do not 
apply to or affect any obligation of any Federal agency to disclose 
mandatorily submitted information (even where it is identical to 
information voluntarily submitted pursuant to the CII Act of 2002), and 
Sec.  29.5(a)(4), which has been added to the rule to address specific 
concerns raised by commenters. Section 29.5(a)(4) requires submitters 
to certify that the particular information is being voluntarily 
provided to the Department; that the information is not being submitted 
in lieu of independent compliance with a Federal legal requirement; 
that the information is of a type not customarily in the public domain; 
and whether the information is required to be submitted to a Federal 
agency. If the information is required to be submitted to a Federal 
agency, the submitter must identify the Federal agency and the legal 
authority mandating that submission.

Good Faith

    The Department received 26 comments requesting that the rule define 
the term ``good faith'' and establish procedures for determining that 
material has been submitted in good faith. Comments also asserted that 
the proposed rule had the potential to establish a system where 
material that was not submitted in good faith, and thus does not 
qualify for protection, would never be made public. Comments suggested 
that the Protected CII Program Manager should inform submitters when a 
decision is made that information was not submitted in good faith and 
provide them with an opportunity to provide an explanation. Other 
comments recommended deleting references to ``good faith'' in their 
entirety.
    The Protected CII program is based upon a relationship of trust 
with the public that the information submitted will be carefully 
evaluated, marked, and utilized for the purposes of protecting the 
nation. As recommended by a number of these comments, Sec.  29.5 has 
been revised, deleting the requirement for the submitters to certify 
that they are submitting the information in good faith. Instead, Sec.  
29.5 now provides that the submitters are presumed to have submitted 
the information in good faith. False representations may constitute a 
violation of 18 U.S.C. 1001 and are punishable by fines and 
imprisonment. The intent of such a provision is to provide a remedy to 
prevent a party from repetitively submitting information in bad faith 
solely to consume agency resources and from submitting information in 
an attempt to shield from the public any evidence of wrongdoing.

Independently Obtained Information

    The Department received five comments regarding the definition of 
``independently obtained information.'' Comments claimed that the 
proposed definition was not consistent with the CII Act of 2002. In 
addition, one comment correctly noted that to ensure clarity the 
provision should be revised to indicate that independently obtained 
information does not include information that has been directly or 
indirectly derived from Protected CII. The Department has revised Sec.  
29.3(d) to alleviate confusion and ensure consistency with the 
legislation.

Protected CII Program Management and Administration

    Consistent with the CII Act of 2002 and this regulation, the Under 
Secretary for Information Analysis and Infrastructure Protection (IAIP) 
is the official responsible for the receipt, safeguarding, storage, 
handling, and dissemination of Protected CII. The Under Secretary 
oversees and administers the Protected CII Program. Many comments 
expressed concern regarding details of the procedural implementation of 
the Protected CII Program. In addition, other comments recommended that 
the program begin operations as soon as possible after publication of 
this interim rule.
    To implement this regulation in an efficient manner, the Department 
intends to use a phased approach that gradually expands the 
capabilities of the Program to receive submissions. Initially, 
submissions will be received only by the Protected CII Program Office 
within the Information Analysis and Infrastructure Directorate (IAIP) 
of the Department.
    Subsequent phases will expand the points of entry for information 
within the Department. During the initial phase, only paper or 
electronic submissions (e.g., floppy disks, CDs, etc.) delivered via 
U.S. Mail, commercial delivery service, courier, facsimile, or hand 
delivery will be accepted. As the Program evolves, e-mail and oral 
submissions (i.e., voice mail or person-to-person) will be accepted. 
The capabilities of the Program to share information that has been 
validated as Protected CII also will expand. The Department envisions 
that Federal, State, and local government entities that would like to 
access and use Protected CII shall enter into an express written 
agreement with the Department. Such an agreement will outline the 
responsibilities for handling, using, storing, safeguarding, and 
disseminating Protected CII; require entities to put in place similar 
procedures for investigating suspected or actual violations of 
Protected CII procedures; and establish guidelines for imposing penalty 
provisions for unauthorized disclosure similar to those identified in 
the CII Act of 2002 and this regulation. Entities that do not sign such 
an agreement with the Department will not have access to Protected CII. 
Initially, the Department intends to share Protected CII only within 
the IAIP Directorate and with other DHS components, although exceptions 
may be made on a case-by-case basis. As the Program evolves and 
agreements with additional entities are finalized, the disclosure of 
information will expand to other Federal government entities, State, 
and local government entities, and eventually to foreign governments.
    The Department received one comment suggesting that the proposed 
rule would overburden the Department by creating a situation where only 
one employee of the Department is responsible for receiving submissions 
and validating Protected CII. Other comments questioned how the 
Protected CII Program Manager would have the expertise, resources, and 
ability to handle the workload that may result from these provisions. 
The Department does not envision a situation in which only one employee 
is handling submissions and validating Protected CII. The Under 
Secretary for IAIP is responsible for directing the Protected CII 
Program and overseeing its day-to-day operations. In this capacity, the 
Under Secretary will ensure that the Program Manager or Program 
Manager's designees consult with other Department officials, as 
appropriate and necessary, to evaluate the validity of submissions. In 
addition, a staff and other resources required to perform the 
responsibilities outlined in the interim rule will support the 
Protected CII Program Manager. References throughout the rule to the 
Protected CII Program Manager have been revised to include ``or 
designees'', where appropriate, to indicate that other individuals will 
be designated to handle receipt, validation, and other duties related 
to the day-to-day operations of the Protected CII Program.
    The Department also received three comments requesting that the 
rule be clarified to specify in greater detail the selection, training, 
and support of Protected CII Officers. The Department intends to 
encourage Federal, State, and local (including tribal) government 
entities that have signed an agreement with the Department to access 
and use Protected CII to appoint a Protected CII Officer who has been 
trained and is familiar with procedures for safeguarding, handling, 
transmitting, and using Protected CII. While this is addressed in 
greater detail in Protected CII Program procedures, the role of 
Protected CII Officer may be assigned to an individual in addition to 
their other duties. The Protected CII Program Manager shall establish 
procedures outlining the responsibilities of Protected CII Officers and 
will work with Federal government, and State and local entities in the 
identification, selection, training, and oversight of Protected CII 
Officers.
    The Department received one comment recommending that 
implementing directives discussing how the Protected CII Program will 
be managed be subject to public review and comment. The Department will 
follow all provisions of the Administrative Procedure Act in 
implementing the CII Act of 2002 and this regulation; all policies, and 
changes to policies, that are required to proceed by way of public 
notice will do so. Program office development, including but not 
limited to the Protected Critical Infrastructure Information Management 
System, used for tracking information voluntarily submitted under the 
Act, will be consistent with the existing standards of the Department 
and the Federal government. The Department intends to measure and 
assess the Program's performance and conduct internal audits to ensure 
that its goals and objectives are met. The Department recognizes that 
the success of the Protected CII Program depends on submitters and 
those with whom Protected CII is shared having an understanding and 
appreciation of Protected CII Program procedures.

Protected CII Management System

    The Department received five comments expressing concerns about the 
Department's ability to adequately ensure the security of the Protected 
CII Management Systems (PCIIMS) database. The PCIIMS is a tracking 
system, not a storage database for the PCII itself. The PCIIMS will be 
used to track the receipt, acknowledgement, validation, storage, 
dissemination, and disposition of Protected CII. It is the Department's 
intent that Protected CII will be maintained in a manner that ensures 
that it is kept separate from information pertaining to the source of 
the submission. The Department received two comments requesting that 
the tracking number be extended to material that has been validated as 
Protected CII. In addition, one comment recommended that there be a 
mechanism to track the status of material marked as Protected CII in 
the event that the status of the information changes. The Department 
has reviewed this regulation and, consistent with this regulation and 
these comments, the tracking number assigned to the submission will 
accompany the material from the time that it is received by the 
Protected CII Program Manager. The Protected CII Program Manager will 
establish programs and procedures regarding the security of all 
Protected CII, including the data stored on the Protected CII 
Management System (PCIIMS). In addition, the Department will ensure 
compliance with all appropriate Departmental and Federal government 
information security policies.

Presumption of Protection

    The Department received five comments regarding the presumption of 
protection afforded to submissions received by the Protected CII 
Program Manager but for which a final validation determination has not 
been made. These comments asserted that material does not qualify for 
protection just because it has been submitted to and received by the 
Department. The Department also received eight comments encouraging the 
Department to consider including a time frame for making validation 
determinations. Comments expressed concern that, combined with the 
presumption of protection, the lack of a time frame for validating 
submissions could result in material that does not qualify for 
protection retaining protection for long periods of time. The 
Department also received four comments supporting the presumption of 
protection. These comments noted that absent such a provision 
submitters would be unlikely to submit CII of a sensitive nature. The 
Department agrees that in order to promote information sharing the 
presumption of protection is a necessary provision. The Department 
agrees that the validation of submitted material must be completed in a 
timely manner. Submitters, the public, and users of Protected CII 
within Federal, State, local, and foreign governments must be assured 
that decisions will be made in a timely manner that allows Protected 
CII to be used appropriately. Additional language has been added to 
Sec.  29.6(e)(1), therefore, indicating that the Protected CII Program 
Manager or designees will review and make a validation determination as 
soon as practicable following receipt of the submission. The Department 
considered identifying a more specific time frame; however, the 
Department does not believe it wise to limit the Program Manager's 
ability to determine what time frame is feasible given the constraints 
of program resources and the nature of the submissions received.
    The Department also agreed with one of the comments that suggested 
the proposed language should be revised to read ``presumed to be and 
will be treated'' (emphasis added for clarification) in Sec.  29.6(b). 
Section 29.6(b) has been revised accordingly.

Freedom of Information Act Requests

    The Department received nine comments requesting that the rule be 
clarified to explain how FOIA requests will be handled during the 
period of time in which the Protected CII Program Manager is making a 
determination regarding whether the submission is Protected CII. 
Comments further recommended that when a FOIA request is received, the 
Protected CII status should be reviewed to ensure that the designation 
remains appropriate. Further, comments requested that submitters be 
notified when the Department receives a FOIA request concerning the 
information that they submitted. FOIA requests concerning Protected CII 
will be handled in accordance with the Department's existing FOIA 
processes and Executive Order 12600. See U.S. Department of Justice, 
Office of Information and Privacy's Freedom of Information Act Guide & 
Privacy Act Overview, May 2002 Edition. The Protected CII Program 
Manager or designees will work closely with the Department's FOIA 
Officer to handle FOIA requests of Protected CII in a manner consistent 
with FOIA.

Marking of Information

    The Department received two comments highlighting a potential area 
of confusion regarding marking of materials for protection under the 
CII Act of 2002. The comments incorrectly asserted that material would 
be marked with the ``express statement'' and that the marking would 
provide direction for the material's handling. It is correct that 
submitters must include the express statement as identified in Sec.  
29.5(a)(3) when material is submitted to the Department; however, that 
statement is not used in the marking of Protected CII. When such 
information is validated and has been found to warrant protection under 
the CII Act of 2002, the Protected CII Program Manager will mark the 
material with the marking found in Sec.  29.6(c), which makes specific 
reference to this regulation.
    The Department received six comments requesting that the Department 
include provisions for segregating information so that information that 
is not protected under the CII Act of 2002 is clearly marked and only 
information that is absolutely necessary to the protection of the 
nation's critical infrastructure is kept from public view. The 
Department does not at this time intend to ``portion mark'' Protected 
CII. It is the Department's belief that requiring submitters to 
``portion mark'' material at the time of submission may impede the full 
disclosure of information. Instead, the Department will consider a 
submission to be Protected CII as long as it in substance meets all of 
the requirements for protection. In making validation determinations, 
the Department will carefully review the

[[Page 8079]]

submitted information against the certification by the submitter to 
ensure that the information is provided voluntarily, in good faith, and 
is not required by law to be submitted to DHS.

Storage of Protected CII

    The Department received seven comments regarding the storage of 
Protected CII material. Comments expressed concern that the 
requirements are not sufficient to protect against unauthorized access. 
For example, the comments noted that a ``locked desk'' is not generally 
recognized as a ``secure container.'' In addition, comments suggested 
that additional safeguards should be considered for information that is 
aggregated within one facility, area, or system.
    In response, Sec.  29.7(b) has been revised to address these 
concerns about safeguarding Protected CII. In accordance with Federal 
government requirements for protecting information and information 
systems, the Department will take proper precautions to ensure that 
Protected CII is appropriately safeguarded. Furthermore, this section 
has been revised to clarify how Protected CII should be safeguarded 
when in the physical possession of a person.

Transmission of Information

    The Department received eight comments regarding the treatment of 
U.S. first class, express, certified, or registered mail and secure 
electronic means as equivalent means of transmission in terms of the 
security they provide. Further, comments noted that Sec.  29.7(e) did 
not allow for use of commercial delivery firms or person-to-person 
delivery. The comments noted that the proposed rule's specific listing 
of modes that were acceptable for transmitting information was 
restrictive. In response, the Department has broadened the language to 
include any secure means of delivery as determined by the Protected CII 
Program Manager. This change alleviates any problem of the rule 
implicitly, but unintentionally, prohibiting other transmission modes 
that were not included in the list. As technology advances, this 
language will allow the Department to utilize new transmission modes, 
as appropriate.

Disclosure of Information

    The Department received two comments recommending that any 
advisories, alerts, and warnings issued to the public should not 
disclose the source of any voluntarily submitted CII that forms the 
basis for the warning or information that is proprietary, business 
sensitive, relates to the submitting person or entity, or is otherwise 
not appropriately within the public domain. The Department agrees with 
these comments in significant part. Section 29.8(a) has been modified 
to include language similar to that contained in the comments.
    Twelve comments were received requesting that notification be made 
to submitters prior to disclosure of their information. Some of the 
comments also went so far as to request that the prior written consent 
of the submitter be obtained before Protected CII is disclosed. The 
comments also suggested that submitters should be made aware of the 
content of any alerts, advisories, and/or warnings that are issued 
based on Protected CII. The Department envisions that it will be able 
to track the disclosure of Protected CII to other Federal government 
entities and State and local government entities. In addition, these 
entities will be asked to track further disclosure of Protected CII 
within their respective entities. The Department recognizes the desire 
of submitters to control the release of the information that they 
submitted; however, such a provision for prior notification has the 
potential to place a significant administrative burden on the 
Department. The Department does agree that further disclosure of 
information beyond those entities or individuals that have entered into 
a formal agreement with the Department may require the permission of 
the submitter.
    The Department received seven comments regarding disclosure of 
Protected CII to contractors, each of which encouraged the Department 
to require contractors to comply with the requirements of this 
regulation through express written agreements with contractors. The 
Department received one comment requesting clarification regarding 
whether State and local governments would be able to share Protected 
CII with contractors acting on behalf of the Federal government and 
managing critical infrastructure assets without the submitter 
authorizing State and local entities to do so. The Department agrees 
that contractors should be required to comply with the requirements of 
this regulation. It is the intent of the Department that the Department 
as well as other Federal, State, and local government entities that 
access Protected CII shall put in place the necessary written 
agreements to ensure that the regulations are appropriately adhered to.
    The Department received 14 comments regarding the sharing of 
Protected CII with foreign governments. The comments expressed concern 
that the CII Act of 2002 did not authorize the Department to share 
Protected CII with such entities; that express agreements to share 
Protected CII with foreign governments may be beyond the scope of the 
Act; and, if sharing information with foreign governments is not beyond 
the scope of the Act, then senior Department officials, as appropriate, 
should coordinate the agreements. Comments also questioned how the 
Department would verify that foreign governments are handling Protected 
CII appropriately and enforce criminal and administrative penalties if 
the material is not being handled in a manner consistent with the CII 
Act of 2002 and this rule. The Department believes that through the 
establishment of formal agreements with foreign governments, Protected 
CII can safely and properly be shared for important homeland security 
purposes. The comments also expressed concern that the proposed rule 
would allow release of information concerning the source of the 
Protected CII and other proprietary, business-sensitive information to 
foreign governments. Accordingly, Sec.  29.8(j) has been revised to 
address this latter concern by protecting from public disclosure the 
source of any voluntarily submitted CII that forms the basis for the 
warning, as well as any information that is proprietary or business 
sensitive, relates specifically to the submitting party or entity, or 
is otherwise not appropriate for such disclosure.

Oral Submissions

    The Department received one comment expressing concern that oral 
submission of CII may be chilled by the lack of clarity in the rule 
concerning the status of notes regarding CII submissions. The comment 
recommended that the definition of CII be expanded to include notes of 
oral conversations. The Department intends that notes made by the 
Protected CII Program Manager or designees shall be presumed to be and 
will be treated as Protected CII until a validation determination 
regarding the oral submission and the written version of the oral 
submission is made otherwise.
    The Department received one comment requesting clarification of the 
process regarding acknowledgement of the receipt of orally submitted 
CII for protection under the CII Act of 2002. Section 29.6(d) has been 
revised to explain this process further. In addition, two comments 
correctly noted that Sec.  29.6(d) was incorrectly numbered in the 
proposed rule, and the interim rule has been revised accordingly.

[[Page 8080]]

Destruction of Information

    The Department received three comments noting that the proposed 
rule used a variety of terms (e.g., ``destroy,'' ``dispose,'' 
``disposed,'' and ``disposal of'') to deal with the treatment of 
material that has been found not to warrant protection. The comments 
recommended the consistent use of either ``destroy'' or ``destroyed'' 
throughout the rule in accordance with the Federal Records Act. The 
interim rule has been revised throughout as appropriate.

Retaining Information for Law Enforcement and/or National Security 
Reasons

    The Department received four comments requesting that the 
Department clarify what information would be retained for law 
enforcement and/or national security reasons that would not be 
Protected CII. The comments requested that language be included to 
demonstrate that the information would also be protected from 
disclosure under FOIA. Further, comments recommended that submitters be 
notified when a submission is retained for such purposes. The 
Department will retain information for law enforcement and/or national 
security reasons on a case-by-case basis. In some instances, 
information that has been found not to warrant protection under the CII 
Act of 2002 may be of significance for law enforcement and/or national 
security purposes. In that case, if the information is exempt from 
disclosure under other FOIA exemptions, the Department will consider 
such exemptions at the time that a FOIA request is received. In any 
case, the Department will handle such information in a manner 
commensurate with its nature and sensitivity.

Deference

    The Department received seven comments regarding the deference 
given to submitters in the Department's determination of what is CII. 
Comments stated that the language is ambiguous and provides too much 
discretion to the submitter. The Department will evaluate the 
submitter's claims that information meets the requirements for 
protection under the CII Act of 2002 and make the final determination 
regarding whether submitted information meets the requirements for 
protection. In response to these comments, the Department has removed 
references to deference. In addition, the Department agreed with two 
comments suggesting that submitters sign a statement attesting to the 
validity of their claims that a submission meets the requirements for 
protection. The Department has added to this interim rule (Sec.  
29.5(a)(4)) the requirement that submitters sign a statement certifying 
that the submission meets the requirements for protection (i.e., that 
the information is being provided voluntarily for the purposes of the 
CII Act of 2002; that the information is not being submitted in lieu of 
independent compliance with a Federal legal requirement; whether the 
information is required to be submitted to a Federal agency; and that 
the information is not customarily in the public domain). It is the 
intent of this provision to discourage unjustified claims for 
protection.

Change of Protected CII Status

    The Department received 15 comments regarding the change of status 
from Protected CII to non-Protected CII. The comments recommended that 
the Protected CII Program Manager notify the submitter and any other 
parties with whom Protected CII has been shared of any changes in 
status. The comments also suggested that the circumstances under which 
a change of status may take place be enumerated in the rule. In 
response to these comments, Sec.  29.6(f) has been modified to allow 
the submitter to request in writing that the status of Protected CII 
material be changed. In addition, the Department recognizes that there 
may be other circumstances that require the status of Protected CII to 
be changed. For example, changes may take place if the Program Manager 
subsequently determines that the information was customarily in the 
public domain, was required by Federal law or regulation to be 
submitted to DHS, or is now publicly available through legal means. In 
addition, Sec.  29.6(f) has been revised to ensure that submitters and 
those entities with which the Protected CII was shared are made aware 
of the change in status.

Return and Withdrawal of Material

    The Department received seven comments recommending that in 
addition to maintaining the information without protection and 
destruction of the information, submitters should be able to indicate 
that they would like submitted material returned to them in the event 
that a final validation determination is made that the submission is 
not Protected CII. Although the Department understands the desire of 
submitters to retain control over the information that they submitted, 
including such a provision has the potential to place a significant 
administrative burden on the Department.
    The Department also received one comment requesting that the 
submitter be provided with the opportunity to withdraw the submission 
prior to a final validation determination. The Department agrees with 
this comment and has added language to Sec.  29.6(e)(2)(i)(C) giving 
submitters an opportunity to withdraw submissions prior to a final 
validation determination.

Investigation of Violations

    The Department received one comment requesting that submitters be 
notified when an investigation of improper disclosure has begun and the 
outcome of that investigation, therefore allowing the submitter to take 
steps to protect information in the event that the material was 
disclosed improperly. Two additional comments requested that a specific 
time frame for notification be identified in the rule. The Department 
disagrees that submitters should be notified when an investigation has 
begun. It is the Department's belief that at such a time submitters 
will want to know specific details regarding the suspected or actual 
violation. The Department will not have specifics until such time as 
the investigation is concluded and formal findings have been 
identified.
    In addition, one comment was received regarding the requirement 
that ``all persons authorized to have access to Protected CII'' report 
suspected or actual violations. The comment suggested that all 
officers, employees, contractors, and subcontractors of the Department 
whether authorized to access Protected CII or not should report 
suspected or actual violations. The Department does not agree with this 
suggestion. The intent of Sec.  29.9(a) is to encourage those 
individuals with access to Protected CII to self-report suspected or 
actual incidents. In addition, individuals that have not been granted 
access to Protected CII are unlikely to knowingly witness any abuses of 
Protected CII procedures. Those authorized to access Protected CII will 
be uniquely qualified to detect suspected or actual incidents of 
unauthorized access or misuse.

Whistleblower Protection

    The Department received 10 comments suggesting that the application 
of the Whistleblower Protection Act is not sufficient to protect 
whistleblowers. The comments expressed concern that whistleblowers 
could be unfairly treated and subject to termination, fines, and 
imprisonment. This would discourage the accurate reporting of 
information vital to the public. The Department has modified

[[Page 8081]]

Sec.  29.8(f)(ii) to reference the Whistleblower Protection Act (WPA). 
Since the Department's intention is to afford the protections of the 
WPA, by referencing the WPA itself, the Department believes that it 
clearly ensures the full range of protections offered under the WPA.

An Appeals Process

    The Department received two comments requesting that procedures for 
appealing determinations regarding Protected CII be included in these 
regulations. One comment suggested that submitters be provided with 
additional time to justify their assertion that a submission meets the 
requirements for protection if the submitter makes such a request. The 
Department believes that the procedures outlined in Sec.  29.6(e) 
regarding validation determinations provide submitters with adequate 
time to justify their submissions. If the Department were to allow 
appeals of validation determinations or permit submitters to take 
longer than the thirty calendar days to respond, the Department would 
be contributing to situations in which information that might not be 
Protected CII remains in protected status.

No Private Right of Action

    The Department received one comment concerning the ambiguity 
introduced by the proposed rule's reference to ``no private rights or 
privileges'' in Sec.  29.3(e). The Department agreed with this comment 
and has revised the interim rule to ensure that the regulation is 
consistent with the statutory language. Section 29.3(e) is now entitled 
``No Private Right of Action.''

Restrictions on Use of Protected CII in Civil Actions

    The Department received three comments regarding the superfluous 
and potentially confusing use of the phrase ``for homeland security 
purposes'' in Sec.  29.8(i). The Department agrees with these comments 
and has replaced that phrase with ``under the CII Act of 2002.''

FOIA Access and Mandatory Submission of Information

    The Department received two comments pointing to ambiguities in 
Sec.  29.3(a) and four comments supporting Sec.  29.3(a). Comments 
sought to clarify through minor word changes that the provision was 
intended to prevent submitters from submitting material for protection 
under the CII Act of 2002 if the material already was required to be 
submitted to DHS under a Federal legal requirement. The Department 
agrees in significant part with the intent of the comments to 
distinguish between submissions of information to different agencies of 
the Federal government, consistent with the treatment of 
``independently obtained information'' under section 214(c) of the 
statute, as is discussed in greater detail above. Therefore, Sec.  
29.3(a) has been modified accordingly.

Application of Various Laws and Executive Orders to This Interim 
Rulemaking

Good Cause for Immediate Effectiveness

    DHS has determined that it is in the public interest to make this 
regulation effective upon publication in the Federal Register. DHS 
believes that information that would qualify as Protected CII and would 
assist DHS in implementing security measures is unlikely to be 
submitted to DHS before this regulation's effective date. After 
considering the likelihood that valuable information that likely is now 
being withheld because of fears that it might be handled without the 
protections that this regulation would prescribe, and the possibility 
that this information could be useful in deterring or responding to a 
security incident, DHS has concluded that the public interest is best 
served by making the regulation effective immediately.

Regulatory Evaluation

    Changes to Federal regulations must undergo several economic 
analyses. First, Executive Order 12866, Regulatory Planning and Review 
(58 FR 51735, October 4, 1993), directs each Federal agency to propose 
or adopt a regulation only upon a reasoned determination that the 
benefits of the intended regulation justify its costs. Second, the 
Regulatory Flexibility Act of 1980 (5 U.S.C. 601-612) requires agencies 
to analyze the economic impact of regulatory changes on small entities. 
Third, the Office of Management and Budget directs agencies to assess 
the effect of regulatory changes on international trade. Fourth, the 
Unfunded Mandates Reform Act of 1995 (2 U.S.C. 1531-1538) requires 
agencies to prepare a written assessment of the costs, benefits, and 
other effects of proposed or final rules that include a Federal mandate 
likely to result in the expenditure by State or local governments, in 
the aggregate, or by the private sector, of $100 million or more 
annually (adjusted for inflation).

Executive Order 12866 Assessment

    Executive Order 12866 (58 FR 51735, October 4, 1993), provides for 
making determinations whether a regulatory action is ``significant'' 
and therefore subject to Office of Management and Budget (OMB) review 
and to the requirements of the Executive Order.
    DHS has determined that this action is a significant regulatory 
action within the meaning of Executive Order 12866 because there is 
significant public interest in security issues since the events of 
September 11, 2001.
    DHS has performed an analysis of the expected costs of this interim 
rule. The interim rule affects entities in the private sector that have 
critical infrastructure information that they wish to share with DHS. 
The interim rule requires that, when DHS receives, validates, and 
shares CII, DHS and the receiving parties, whether they be other 
Federal agencies or State or local governments with whom DHS has signed 
agreements detailing the procedures on how Protected CII must be 
safeguarded, must take appropriate action to safeguard its contents and 
to destroy it when it is no longer needed. The interim rule does not 
require the use of safes or enhanced security equipment or the use of a 
crosscut shredder. Rather, the interim rule requires only that an 
affected entity or person restrict disclosure of, and access to, the 
protected information to those with a need to know, and destroy such 
information when it is no longer needed. Under the rule, a locked 
drawer or cabinet is an acceptable means of complying with the 
requirement to secure Protected CII, and a normal paper shredder or 
manual destruction are acceptable means of destroying Protected CII 
documents.

Costs

    DHS believes that affected entities will incur minimal costs from 
complying with the interim rule because, in practice, affected entities 
already have systems in place for securing sensitive commercial, trade 
secret, or personnel information, which are appropriate for 
safeguarding Protected CII. For instance, a normal filing cabinet with 
a lock may be used to safeguard Protected CII, and a normal paper 
shredder or manual destruction may be used to destroy CII. Accordingly, 
the agency estimates that there will be minimal costs associated with 
safeguarding Protected CII.
    The agency has estimated the following costs for placing the 
required protective marking and distribution

[[Page 8082]]

limitation statement on records containing Protected CII.
    For an electronic document, a person can place the required 
markings on each page with a few keystrokes. The agency estimates that 
there will be no costs associated with this action.
    For a document that is already printed, a person can use a rubber 
stamp for the required markings. Such stamps can be custom ordered and 
last several years. For the protective marking, the agency estimates 
that the cost of a rubber stamp is from $9.90 (for a stamp 4 1/4 
inches wide by 1/4 inch high) to $10.25 (for a stamp 5 inches wide by 
1/4 inch high). A typical ink pad costs approximately $15.60. A 
two-ounce bottle of ink for the ink pad costs about $3.75.
    For other types of record, such as maps, photos, DVDs, CD-ROMs, and 
diskettes, a person can use a label for the required markings. Labels 
typically cost from $7.87 (for 840 multipurpose labels) to $22.65 (for 
225 diskette inkjet labels) to $34.92 (for 30 DVD/CD-ROM labels). These 
labels can be pre-printed with the required markings, or the affected 
person can print the required markings on an as-needed basis.
    The interim rule does not require a specific method for destroying 
Protected CII. Thus, a person may use any method of destruction, so 
long as it precludes recognition or reconstruction of the Protected 
CII. DHS believes that most affected entities already have the 
capability to destroy CII in accordance with the requirements in this 
interim final rule. Thus, the agency estimates that there will be no 
costs associated with these destruction requirements.
    Accordingly, DHS believes that the costs associated with this 
interim rule are minimal; however, the Department will accept comments 
addressing the estimated costs associated with the implementation of 
this rule.

Benefits

    The primary benefit of the interim rule will be DHS's ability to 
receive information from those with direct knowledge on the security of 
the United States' critical infrastructure, in order to reduce its 
vulnerability to acts of terrorism by ensuring that information 
pertaining to the security of critical infrastructure is properly 
safeguarded and protected from public disclosure. In addition, based on 
information shared, DHS will provide threat information, security 
directives, and information circulars throughout the Federal, State, 
and local governments, to law enforcement officials, to the private 
sector, and other persons that have a need to know, and to act upon, 
information about security concerns related to the nation's critical 
infrastructure.
    Prior to providing Protected CII to entities, and to ensure that 
any information these entities produce that would be treated as 
Protected CII is safeguarded, DHS must ensure that those entities are 
under a legal obligation to protect Protected CII from disclosure.
    DHS notes that the unauthorized disclosure of Protected CII can 
have a detrimental effect not only on the ability to thwart terrorist 
and other criminal activities in the transportation sector, but also on 
the willingness of the private sector to share that information with 
DHS if that information might be publicly disclosed.
    The effectiveness of providing Protected CII to persons involved 
with the protection of this country's critical infrastructures, and of 
security measures developed by those persons, depends on strictly 
limiting access to the information to those persons who have a need to 
know. Given the minimal cost associated with this interim rule and the 
potential benefits of preventing, or mitigating the effects of, 
terrorist attacks on the United States' critical infrastructures, DHS 
believes that this interim final rule will be cost-beneficial; however, the 
Department will accept comments addressing the anticipated benefits 
associated with the implementation of this rule.

Initial Regulatory Flexibility Determination

    The Regulatory Flexibility Act of 1980, as amended (RFA), was 
enacted to ensure that small entities are not unnecessarily or 
disproportionately burdened by Federal regulations. The RFA requires 
agencies to review rules to determine if they have a ``significant 
impact on a substantial number of small entities.'' DHS has reviewed 
this rule and has determined that it will not have a significant 
economic impact on a substantial number of small entities for the 
following reasons:
    (1) In practice, affected entities already have systems in place 
for securing sensitive commercial, trade secret, or personnel 
information, which are appropriate for safeguarding Protected CII. For 
instance, a normal filing cabinet with a lock may be used to safeguard 
Protected CII, and a normal paper shredder or manual destruction may be 
used to destroy CII. Accordingly, the agency estimates that there will 
be minimal costs associated with safeguarding Protected CII.
    (2) The agency has estimated the following costs for placing the 
required protective marking and distribution limitation statement on 
records containing Protected CII.
    (a) For an electronic document, a person can place the required 
markings on each page with a few keystrokes. The agency estimates that 
there will be no costs associated with this action.
    (b) For a document that is already printed, a person can use a 
rubber stamp for the required markings. Such stamps can be custom 
ordered and last several years. For the protective marking, the agency 
estimates that the cost of a rubber stamp is from $9.90 (for a stamp 
4 1/4 inches wide by 1/4 inch high) to $10.25 (for a stamp 5 inches 
wide by 1/4 inch high). A typical ink pad costs approximately $15.60. 
A two-ounce bottle of ink for the ink pad costs about $3.75.
    (c) For other types of record, such as maps, photos, DVDs, CD-ROMs, 
and diskettes, a person can use a label for the required markings. 
Labels typically cost from $7.87 (for 840 multipurpose labels) to 
$22.65 (for 225 diskette inkjet labels) to $34.92 (for 30 DVD/CD-ROM 
labels). These labels can be pre-printed with the required markings, or 
the affected person can print the required markings on an as-needed 
basis.
    (3) The interim rule does not require a specific method for 
destroying Protected CII. Thus, a person may use any method of 
destruction, so long as it precludes recognition or reconstruction of 
the Protected CII. DHS believes that most affected entities already 
have the capability to destroy CII in accordance with the requirements 
in this interim rule. Thus, the agency estimates that there will be no 
costs associated with these destruction requirements; however, the 
Department will accept comments addressing the impact on small entities 
associated with the implementation of this rule.

Unfunded Mandates Reform Act of 1995

    This interim rule will not result in the expenditure by State and 
local governments, in the aggregate, or by the private sector, of $100 
million or more in any one year, and it will not significantly or 
uniquely affect small governments.

Executive Order 13132--Federalism

    The Department of Homeland Security does not believe this interim 
rule will have substantial direct effects on the States, on the 
relationship between the national government and the States, or on 
distribution of power and responsibilities among the various levels of 
government. States will benefit, however, from this interim rule to the 
extent that Protected CII is shared with

[[Page 8083]]

them. The Department requests comment on the federalism impact of this 
interim rule.

Paperwork Reduction Act of 1995

    Under the Paperwork Reduction Act of 1995 (PRA) (44 U.S.C. 
3501-3520), a Federal agency must obtain approval from the Office of 
Management and Budget (OMB) for each collection of information it 
conducts, sponsors, or requires through regulations. This rule does not 
contain provisions for collection of information, does not meet the 
definition of ``information collection'' as defined under 5 CFR part 
1320, and is therefore exempt from the requirements of the PRA. 
Accordingly, there is no requirement to obtain OMB approval for 
information collection.

Environmental Analysis

    DHS has analyzed this regulation for purposes of the National 
Environmental Policy Act and has concluded that this rule will not have 
any significant impact on the quality of the human environment.

List of Subjects in 6 CFR Part 29

    Confidential business information, Reporting and recordkeeping 
requirements.

Authority and Issuance

For the reasons discussed in the preamble, 6 CFR chapter I is amended 
by adding part 29 to read as follows:

PART 29--PROTECTED CRITICAL INFRASTRUCTURE INFORMATION

Sec.
29.1 Purpose and scope.
29.2 Definitions.
29.3 Effect of provisions.
29.4 Protected Critical Infrastructure Information Program 
administration.
29.5 Requirements for protection.
29.6 Acknowledgment of receipt, validation, and marking.
29.7 Safeguarding of Protected Critical Infrastructure Information.
29.8 Disclosure of Protected Critical Infrastructure Information.
29.9 Investigation and reporting of violation of Protected CII 
procedures.

    Authority: Pub. L. 107-296, 116 Stat. 2135 (6 U.S.C. 1 et seq.); 
5 U.S.C. 301.


Sec.  29.1  Purpose and scope.

    (a) Purpose of the rule. This part implements section 214 of Title 
II, Subtitle B, of the Homeland Security Act of 2002 through the 
establishment of uniform procedures for the receipt, care, and storage 
of Critical Infrastructure Information (CII) voluntarily submitted to 
the Federal government through the Department of Homeland Security. 
Title II, Subtitle B, of the Homeland Security Act is referred to 
herein as the Critical Infrastructure Information Act of 2002 (CII Act 
of 2002). Consistent with the statutory mission of the Department of 
Homeland Security (DHS) to prevent terrorist attacks within the United 
States and reduce the vulnerability of the United States to terrorism, 
it is the policy of DHS to encourage the voluntary submission of CII by 
safeguarding and protecting that information from unauthorized 
disclosure and by ensuring that such information is expeditiously and 
securely shared with appropriate authorities including Federal national 
security, homeland security, and law enforcement entities and, 
consistent with the CII Act of 2002, with State and local officials, 
where doing so may reasonably be expected to assist in preventing, 
preempting, and disrupting terrorist threats to our homeland. As 
required by the CII Act of 2002, the procedures established herein 
include mechanisms regarding:
    (1) The acknowledgement of receipt by DHS of voluntarily submitted 
CII;
    (2) The maintenance of the identification of CII voluntarily 
submitted to DHS for purposes of, and subject to the provisions of the 
CII Act of 2002;
    (3) The receipt, handling, storage, and proper marking of 
information as Protected CII;
    (4) The safeguarding and maintenance of the confidentiality of such 
information that permits the sharing of such information within the 
Federal government and with foreign, State, and local governments and 
government authorities, and the private sector or the general public, 
in the form of advisories or warnings; and
    (5) The issuance of notices and warnings related to the protection 
of critical infrastructure and protected systems in such a manner as to 
protect from unauthorized disclosure the identity of the submitting 
person or entity as well as information that is proprietary, business 
sensitive, relates specifically to the submitting person or entity, and 
is not customarily available in the public domain.
    (b) Scope. These procedures apply to all Federal agencies that 
handle, use, or store Protected CII pursuant to the CII Act of 2002. In 
addition, these procedures apply to United States Government 
contractors, to foreign, State, and local governments, and to 
government authorities, pursuant to any necessary express written 
agreements, treaties, bilateral agreements, or other statutory 
authority.


Sec.  29.2  Definitions.

    For purposes of this part:
    Critical Infrastructure has the definition referenced in section 2 
of the Homeland Security Act of 2002 and means systems and assets, 
whether physical or virtual, so vital to the United States that the 
incapacity or destruction of such systems and assets would have a 
debilitating impact on security, national economic security, national 
public health or safety, or any combination of those matters.
    Critical Infrastructure Information, or CII means information not 
customarily in the public domain and related to the security of 
critical infrastructure or protected systems. CII consists of records 
and information concerning:
    (1) Actual, potential, or threatened interference with, attack on, 
compromise of, or incapacitation of critical infrastructure or 
protected systems by either physical or computer-based attack or other 
similar conduct (including the misuse of or unauthorized access to all 
types of communications and data transmission systems) that violates 
Federal, State, or local law, harms the interstate commerce of the 
United States, or threatens public health or safety;
    (2) The ability of any critical infrastructure or protected system 
to resist such interference, compromise, or incapacitation, including 
any planned or past assessment, projection, or estimate of the 
vulnerability of critical infrastructure or a protected system, 
including security testing, risk evaluation, risk-management planning, 
or risk audit; or
    (3) Any planned or past operational problem or solution regarding 
critical infrastructure or protected systems, including repair, 
recovery, reconstruction, insurance, or continuity, to the extent it is 
related to such interference, compromise, or incapacitation.
    Critical Infrastructure Information Program, or CII Program means 
the maintenance, management, and review of these procedures and of the 
information provided to DHS in furtherance of the protections provided 
by the CII Act of 2002.
    Information Sharing and Analysis Organization, or ISAO means any 
formal or informal entity or collaboration created or employed by 
public or private sector organizations for purposes of:
    (1) Gathering and analyzing CII in order to better understand 
security problems and interdependencies related to critical 
infrastructure and protected systems in order to ensure the

[[Page 8084]]

availability, integrity, and reliability thereof;
    (2) Communicating or sharing CII to help prevent, detect, mitigate, 
or recover from the effects of an interference, compromise, or 
incapacitation problem related to critical infrastructure or protected 
systems; and
    (3) Voluntarily disseminating CII to its members, Federal, State, 
and local governments, or to any other entities that may be of 
assistance in carrying out the purposes specified in this section.
    Local Government has the same meaning as is established in section 
2 of the Homeland Security Act of 2002 and means:
    (1) A county, municipality, city, town, township, local public 
authority, school district, special district, intrastate district, 
council of governments (regardless of whether the council of 
governments is incorporated as a nonprofit corporation under State 
law), regional or interstate government entity, or agency or 
instrumentality of a local government;
    (2) An Indian tribe or authorized tribal organization, or in Alaska 
a Native village or Alaska Regional Native Corporation; and
    (3) A rural community, unincorporated town or village, or other 
public entity.
    Protected Critical Infrastructure Information, or Protected CII 
means CII (including the identity of the submitting person or entity) 
that is voluntarily submitted to DHS for its use regarding the security 
of critical infrastructure and protected systems, analysis, warning, 
interdependency study, recovery, reconstitution, or other informational 
purpose, when accompanied by an express statement as described in Sec.  
29.5. This information maintains its protected status unless DHS's 
Protected CII Program Manager or the Protected CII Program Manager's 
designees render a final decision that the information is not Protected 
CII.
    Protected System means any service, physical or computer-based 
system, process, or procedure that directly or indirectly affects the 
viability of a facility of critical infrastructure and includes any 
physical or computer-based system, including a computer, computer 
system, computer or communications network, or any component hardware 
or element thereof, software program, processing instructions, or 
information or data in transmission or storage therein, irrespective of 
the medium of transmission or storage.
    Purpose of CII has the meaning set forth in section 214(a)(1) of 
the CII Act of 2002 and includes the security of critical 
infrastructure and protected systems, analysis, warning, 
interdependency study, recovery, reconstitution, or other informational 
purpose.
    Submission to DHS as referenced in these procedures means any 
transmittal of CII to the DHS Protected CII Program Manager or the 
Protected CII Program Manager's designees, as set forth in Sec.  29.5.
    Voluntary or Voluntarily, when used in reference to any submission 
of CII to DHS, means submitted in the absence of DHS's exercise of 
legal authority to compel access to or submission of such information; 
such submission may be accomplished by (i.e., come from) a single 
entity or by an ISAO acting on behalf of its members. In the case of 
any action brought under the securities laws--as is defined in section 
3(a)(47) of the Securities Exchange Act of 1934 (15 U.S.C. 
78c(a)(47))--the term ``voluntary'' does not include information or statements 
contained in any documents or materials filed, pursuant to section 
12(i) of the Securities Exchange Act of 1934 (15 U.S.C. 78l(i)), with 
the Securities and Exchange Commission or with Federal banking 
regulators; and with respect to the submission of CII, it does not 
include any disclosure or writing that when made accompanies the 
solicitation of an offer or a sale of securities. The term also 
explicitly excludes information or statements submitted during a 
regulatory proceeding or relied upon as a basis for making licensing or 
permitting determinations.


Sec.  29.3  Effect of provisions.

    (a) Mandatory submissions of information. The CII Act of 2002 and 
these procedures do not apply to or affect any requirement pertaining 
to information that must be submitted to DHS pursuant to a Federal 
legal requirement, nor do they pertain to any obligation of any Federal 
agency to disclose mandatorily submitted information (even where it is 
identical to information voluntarily submitted to DHS pursuant to the 
CII Act of 2002). The fact that a person or entity has voluntarily 
submitted information pursuant to the CII Act of 2002 does not 
constitute compliance with any requirement to submit that information 
to a Federal agency under any other provision of law. Information 
submitted to any other Federal agency pursuant to a Federal legal 
requirement is not to be marked as submitted or protected under the CII 
Act of 2002 or otherwise afforded the protection of the CII Act of 
2002, provided, however, that such information, if it is separately 
submitted to DHS pursuant to these procedures, may upon submission to 
DHS be marked as Protected CII or otherwise afforded the protections of 
the CII Act of 2002.
    (b) Freedom of Information Act disclosure exemptions. Information 
that is separately exempt from disclosure under the Freedom of 
Information Act or applicable State or local law does not lose its 
separate exemption protection due to the applicability of these 
procedures or any failure to follow them.
    (c) Restriction on use of Protected CII by regulatory and other 
Federal agencies. No Federal agency shall request, obtain, maintain, or 
use information protected under the CII Act of 2002 as a substitute for 
the exercise of its own legal authority to compel access to or 
submission of that same information. Federal agencies shall not utilize 
Protected CII for regulatory purposes without the written consent of 
the submitter or another party on the submitter's behalf.
    (d) Independently obtained information. These procedures shall not 
be construed to limit or in any way affect the ability of a Federal, 
State, or local government entity, agency, or authority, or any third 
party, under applicable law, to otherwise obtain CII by means of a 
different law, regulation, rule, or other authority, including such 
information as is lawfully and customarily disclosed to the public. 
Independently obtained information does not include any information 
derived directly or indirectly from Protected CII subsequent to its 
submission. Nothing in these procedures shall be construed to limit or 
in any way affect the ability of such entities, agencies, authorities, 
or third parties to use such information in any manner permitted by 
law.
    (e) No private right of action. Nothing contained in these 
procedures is intended to confer any substantive or procedural right or 
privilege on any person or entity. Nothing in these procedures shall be 
construed to create a private right of action for enforcement of any 
provision of these procedures or a defense to noncompliance with any 
independently applicable legal obligation.


Sec.  29.4  Protected Critical Infrastructure Information Program 
administration.

    (a) IAIP Directorate Program Management. The Secretary of the 
Department of Homeland Security hereby designates the Under Secretary 
of the Information Analysis and Infrastructure Protection (IAIP)

[[Page 8085]]

Directorate as the senior DHS official responsible for the direction 
and administration of the Protected CII Program.
    (b) Appointment of a Protected CII Program Manager. The Under 
Secretary for IAIP shall:
    (1) Appoint a Protected CII Program Manager within the IAIP 
Directorate who is responsible to the Under Secretary for the 
administration of the Protected CII Program;
    (2) Commit resources necessary to the effective implementation of 
the Protected CII Program;
    (3) Ensure that sufficient personnel, including such detailees or 
assignees from other Federal national security, homeland security, or 
law enforcement entities as the Under Secretary deems appropriate, are 
assigned to the Protected CII Program to facilitate the expeditious and 
secure sharing with appropriate authorities, including Federal national 
security, homeland security, and law enforcement entities and, 
consistent with the CII Act of 2002, with State and local officials, 
where doing so may reasonably be expected to assist in preventing, 
preempting, or disrupting terrorist threats to our homeland; and
    (4) Promulgate implementing directives and prepare training 
materials as appropriate for the proper treatment of Protected CII.
    (c) Appointment of Protected CII Officers. The Protected CII 
Program Manager shall establish procedures to ensure that any DHS 
component or other Federal, State, or local entity that works with 
Protected CII appoints one or more employees to serve as a Protected 
CII Officer for the activity in order to carry out the responsibilities 
stated in paragraph (d) of this section. Persons appointed to these 
positions shall be fully familiar with these procedures.
    (d) Responsibilities of Protected CII Officers. Protected CII 
Officers shall:
    (1) Oversee the handling, use, and storage of Protected CII;
    (2) Ensure the expeditious and secure sharing of Protected CII with 
appropriate authorities, as set forth in Sec.  29.1(a) and paragraph 
(b)(3) of this section;
    (3) Establish and maintain an ongoing self-inspection program, to 
include periodic review and assessment of the entity's handling, use, 
and storage of Protected CII;
    (4) Establish additional procedures as necessary to prevent 
unauthorized access to Protected CII; and
    (5) Ensure prompt and appropriate coordination with the Protected 
CII Program Manager regarding any request, challenge, or complaint 
arising out of the implementation of these procedures.
    (e) Protected Critical Infrastructure Information Management System 
(PCIIMS). The Protected CII Program Manager or the Protected CII 
Program Manager's designees shall develop and use an electronic 
database, to be known as the ``Protected Critical Infrastructure 
Information Management System'' (PCIIMS), to record the receipt, 
acknowledgement, validation, storage, dissemination, and destruction of 
Protected CII. This compilation of Protected CII shall be safeguarded 
and protected in accordance with the provisions of the CII Act of 2002.


Sec.  29.5  Requirements for protection.

    (a) CII shall receive the protections of section 214 of the CII Act 
of 2002 only when:
    (1) Such information is voluntarily submitted to the Protected CII 
Program Manager or the Protected CII Program Manager's designees;
    (2) The information is submitted for use by DHS for the security of 
critical infrastructure and protected systems, analysis, warning, 
interdependency study, recovery, reconstitution, or other informational 
purposes including, without limitation, the identification, analysis, 
prevention, preemption, and/or disruption of terrorist threats to our 
homeland, as evidenced below;
    (3) The information is accompanied by an express statement as 
follows:
    (i) In the case of written information or records, through a 
written marking on the information or records substantially similar to 
the following: ``This information is voluntarily submitted to the 
Federal government in expectation of protection from disclosure as 
provided by the provisions of the Critical Infrastructure Information 
Act of 2002''; or
    (ii) In the case of oral information, within fifteen calendar days 
of the oral submission, through a written statement comparable to the 
one specified above, and a certification as specified below, 
accompanied by a written or otherwise tangible version of the oral 
information initially provided; and
    (4) The submitted information additionally is accompanied by a 
statement, signed by the submitting entity, certifying essentially to 
the following on behalf of the named entity:
    (i) The submitter is voluntarily providing the information for the 
purposes of the CII Act of 2002;
    (ii) The information being submitted is not being submitted in lieu 
of independent compliance with a Federal legal requirement;
    (iii) The information is or is not required to be submitted to a 
Federal agency. If the information is required to be submitted to a 
Federal agency, the submitter shall identify the Federal agency 
requiring submission and the legal authority that mandates the 
submission; and
    (iv) The information is of a type not customarily in the public 
domain.
    (b) Information that is not submitted to the Protected CII Program 
Manager or the Protected CII Program Manager's designees will not 
qualify for protection under the CII Act of 2002. Any DHS component 
other than the IAIP Directorate that receives information with a 
request for protection under the CII Act of 2002, shall immediately 
forward the information to the Protected CII Program Manager. Only the 
Protected CII Program Manager or the Protected CII Program Manager's 
designees are authorized to acknowledge receipt and validate Protected 
CII pursuant to Sec.  29.6(a).
    (c) Federal agencies and DHS components other than the IAIP 
Directorate shall maintain information as protected by the provisions 
of the CII Act of 2002 when that information is provided to the agency 
or component by the Protected CII Program Manager or the Protected CII 
Program Manager's designees and is marked as required in Sec.  29.6(c).
    (d) All submissions seeking Protected CII status shall be regarded 
as submitted with the presumption of good faith on the part of the 
submitter.
    (e) Submissions must affirm the understanding of the submitter that 
any false representations on such submissions may constitute a 
violation of 18 U.S.C. 1001 and are punishable by fine and 
imprisonment.



Sec.  29.6  Acknowledgment of receipt, validation, and marking.

    (a) Authorized officials. Only the Protected CII Program Manager or 
the Protected CII Program Manager's designees are authorized to 
acknowledge receipt of and validate information as Protected CII.
    (b) Presumption of protection. All information submitted in 
accordance with the procedures set forth herein will be presumed to be 
and will be treated as Protected CII from the time the information is 
received by DHS, either through the DHS component or the Protected CII 
Program Manager or the Protected CII Program Manager's designees. The 
information shall remain protected unless and until the Protected CII 
Program Manager or the Protected CII Program Manager's designees render

[[Page 8086]]

a final decision that the information is not Protected CII.
    (c) Marking of information. In addition to markings made pursuant 
to Sec.  29.5(a) by submitters of CII requesting review, all Protected 
CII shall be clearly identified through markings made by the Protected 
CII Program Manager or the Protected CII Program Manager's designees. 
The Protected CII Program Manager or the Protected CII Program 
Manager's designees shall mark Protected CII materials as follows: 
``This document contains Protected CII. In accordance with the 
provisions of 6 CFR part 29, it is exempt from release under the 
Freedom of Information Act (5 U.S.C. 552(b)(3)). Unauthorized release 
may result in civil penalty or other action. It is to be safeguarded 
and disseminated in accordance with Protected CII Program 
requirements.''
    (d) Acknowledgement of receipt of information. The Protected CII 
Program Manager or the Protected CII Program Manager's designees shall 
acknowledge receipt of information submitted as CII and accompanied by 
an express statement and certification, and in so doing shall:
    (1) Contact the submitter, within thirty calendar days of receipt, 
by the means of delivery prescribed in procedures developed by the 
Protected CII Program Manager or the Protected CII Program Manager. In 
the case of oral submissions, receipt will be acknowledged in writing 
within thirty calendar days after receipt by the Protected CII Program 
Manager or the Protected CII Program Manager's designees of a written 
statement, certification, and documentation of the oral submission, as 
referenced in Sec.  29.5(a)(3)(ii);
    (2) Maintain a database including date of receipt, name of 
submitter, description of information, manner of acknowledgment, 
tracking number, and validation status; and
    (3) Provide the submitter with a unique tracking number that will 
accompany the information from the time it is received by the Protected 
CII Program Manager or the Protected CII Program Manager's designees.
    (e) Validation of information.
    (1) The Protected CII Program Manager or the Protected CII Program 
Manager's designees shall be responsible for reviewing all submissions 
that request protection under the CII Act of 2002. The Protected CII 
Program Manager or the Protected CII Program Manager's designee shall 
review the submitted information as soon as practicable. If a 
determination is made that the submitted information meets the 
requirements for protection, the Protected CII Program Manager or the 
Protected CII Program Manager's designee shall mark the information as 
required in paragraph (c) of this section, and disclose it only 
pursuant to Sec.  29.8.
    (2) If the Protected CII Program Manager or the Protected CII 
Program Manager's designees make an initial determination that the 
information submitted does not meet the requirements for protection 
under the CII Act of 2002, the Protected CII Program Manager or the 
Protected CII Program Manager's designees shall:
    (i) Notify the submitter of the initial determination that the 
information is not considered to be Protected CII. This notification 
also shall:
    (A) Request that the submitter further explain the nature of the 
information and the submitter's basis for believing the information 
qualifies for protection under the CII Act of 2002;
    (B) Advise the submitter that the Protected CII Program Manager or 
the Protected CII Program Manager's designees will review any further 
information provided before rendering a final determination;
    (C) Provide the submitter with an opportunity to withdraw the 
submission;
    (D) Notify the submitter that any response to the notification must 
be received by the Protected CII Program Manager or the Protected CII 
Program Manager's designees no later than thirty calendar days after 
the date of the notification; and
    (E) Request the submitter to state whether, in the event the 
Protected CII Program Manager or the Protected CII Program Manager's 
designees make a final determination that any such information is not 
Protected CII, the submitter prefers that the information be maintained 
without the protections of the CII Act of 2002 or be disposed of in 
accordance with the Federal Records Act.
    (ii) If the Protected CII Program Manager or the Protected CII 
Program Manager's designees, after following the procedures set forth 
in paragraph (e)(2)(i) of this section, make a final determination that 
the information is not Protected CII, the Protected CII Program Manager 
or the Protected CII Program Manager's designees, in accordance with 
the submitter's written preference, shall maintain the information 
without protection or following coordination, as appropriate, with 
other Federal national security, homeland security, or law enforcement 
authorities, destroy it in accordance with the Federal Records Act 
unless the Protected CII Program Manager or the Protected CII Program 
Manager's designees, consistent with the coordination required in this 
subpart, determine there is a need to retain it for law enforcement 
and/or national security reasons. The Protected CII Program Manager or 
the Protected CII Program Manager's designees shall destroy the 
information within thirty calendar days of making a final 
determination. If the submitter, however, cannot be notified or the 
submitter's response is not received within thirty calendar days after 
the submitter received the notification, as provided in paragraph 
(e)(2)(i) of this section, the Protected CII Program Manager or the 
Protected CII Program Manager's designee will destroy the information 
in accordance with the Federal Records Act, unless the Protected CII 
Program Manager or the Protected CII Program Manager's designee, after 
coordination with other Federal national security, homeland security, 
or law enforcement authorities, as appropriate, determines that there 
is a need to retain it for law enforcement and/or national security 
reasons.
    (f) Changing the status of Protected CII to non-Protected CII. Once 
information is validated, only the Protected CII Program Manager or the 
Protected CII Program Manager's designees may change the status of 
Protected CII to that of non-Protected CII and remove its Protected CII 
markings. Status changes may take place when the submitter requests in 
writing that the information no longer be protected under the CII Act 
of 2002 or when the Protected CII Program Manager or the Protected CII 
Program Manager's designee determines that the information was 
customarily in the public domain, is publicly available through legal 
means, or is required to be submitted to DHS by Federal law or 
regulation. The Protected CII Program Manager or the Protected CII 
Program Manager's designees shall inform the submitter when a change in 
status is made. Notice of the change in status of Protected CII shall 
be provided to all recipients of that Protected CII under Sec.  29.8.


Sec.  29.7  Safeguarding of Protected Critical Infrastructure 
Information.

    (a) Safeguarding. All persons granted access to Protected CII are 
responsible for safeguarding all such information in their possession 
or control. Protected CII shall be protected at all times by 
appropriate storage and handling. Each person who works with Protected 
CII is personally responsible for taking proper precautions to ensure 
that unauthorized persons do not gain access to it.

[[Page 8087]]

    (b) Use and storage. When Protected CII is in the physical 
possession of a person, reasonable steps shall be taken to minimize the 
risk of access to Protected CII by unauthorized persons. When Protected 
CII is not in the physical possession of a person, it shall be stored 
in a secure environment that affords it the necessary level of 
protection commensurate with its vulnerability and sensitivity.
    (c) Reproduction. Pursuant to procedures prescribed by the 
Protected CII Program Manager, a document or other material containing 
PCII may be reproduced to the extent necessary consistent with the need 
to carry out official duties, provided that the reproduced documents or 
material are marked and protected in the same manner as the original 
documents or material.
    (d) Disposal of information. Documents and material containing 
Protected CII may be disposed of by any method that prevents 
unauthorized retrieval.
    (e) Transmission of information. Protected CII shall be transmitted 
only by secure means of delivery as determined by the Protected CII 
Program Manager or the Protected CII Program Manager's designees.
    (f) Automated Information Systems. The Protected CII Program 
Manager or the Protected CII Program Manager's designees shall 
establish security requirements for Automated Information Systems that 
contain Protected CII.


Sec.  29.8  Disclosure of Protected Critical Infrastructure 
Information.

    (a) Authorization of access. The Under Secretary for IAIP, or the 
Under Secretary's designee, may choose to provide or authorize access 
to Protected CII when it is determined that this access supports a 
lawful and authorized Government purpose as enumerated in the CII Act 
of 2002, other law, regulation, or legal authority. Any disclosure or 
use of Protected CII within the Federal government is limited by the 
terms of the CII Act of 2002. Accordingly, any advisories, alerts, or 
warnings issued to the public pursuant to paragraph (e) of this section 
shall protect from disclosure:
    (1) The source of any voluntarily submitted CII that forms the 
basis for the warning, and
    (2) Any information that is proprietary, business sensitive, 
relates specifically to the submitting person or entity, and is not 
customarily in the public domain.
    (b) Federal, State, and local government sharing. The Protected CII 
Program Manager or the Protected CII Program Manager's designees may 
provide Protected CII to an employee of the Federal government, or of a 
State or local government, provided that such information is shared for 
purposes of securing the critical infrastructure and protected systems, 
analysis, warning, interdependency study, recovery, reconstitution, or 
for another informational purpose including, without limitation, the 
identification, analysis, prevention, preemption, and/or disruption of 
terrorist threats to our homeland. Protected CII may be provided to a 
State or local government entity only pursuant to its express written 
agreement with the Protected CII Program Manager to comply with the 
requirements of paragraph (d) of this section and that acknowledges the 
understanding and responsibilities of the recipient.
    (c) Disclosure of information to Federal contractors. Disclosure of 
Protected CII to Federal contractors may be made only after the 
Protected CII Program Manager or a Protected CII Officer certifies that 
the contractor is performing services in support of the purposes of 
DHS, the contractor has signed corporate or individual confidentiality 
agreements as appropriate, covering an identified category of 
contractor employees where appropriate, and has agreed by contract to 
comply with all the requirements of the Protected CII Program. The 
contractor shall safeguard Protected CII in accordance with these 
procedures and shall not remove any ``Protected CII'' markings. 
Contractors shall not further disclose Protected CII to any of their 
components, additional employees, or other contractors (including 
subcontractors) without the prior written approval of the Protected CII 
Program Manager or the Protected CII Program Manager's designees, 
unless such disclosure is expressly authorized in writing by the 
submitter and is the subject of timely notification to the Protected 
CII Program Manager.
    (d) Further use or disclosure of information by State and local 
governments.
    (1) State and local governments receiving information marked 
``Protected Critical Infrastructure Information'' shall not share that 
information with any other party, or remove any Protected CII markings, 
without first obtaining authorization from the Protected CII Program 
Manager or the Protected CII Program Manager's designees who shall be 
responsible for requesting and obtaining written consent for any such 
State or local government disclosure from the person or entity that 
submitted the information or on whose behalf the information was 
submitted.
    (2) The Protected CII Program Manager or a Protected CII Program 
Manager's designee may not authorize State and local governments to 
further disclose the information to another party unless the Protected 
CII Program Manager or a Protected CII Program Manager's designee first 
obtains the written consent of the person or entity submitting the 
information.
    (3) State and local governments may use Protected CII only for the 
purpose of protecting critical infrastructure or protected systems, or 
in furtherance of an investigation or the prosecution of a criminal 
act.
    (e) Disclosure of information to appropriate entities or to the 
general public. The IAIP Directorate may provide advisories, alerts, 
and warnings to relevant companies, targeted sectors, other 
governmental entities, ISAOs or the general public regarding potential 
threats and vulnerabilities to critical infrastructure as appropriate. 
In issuing a warning, the IAIP Directorate shall protect from 
disclosure the source of any Protected CII that forms the basis for the 
warning as well as any information that is proprietary, business 
sensitive, relates specifically to the submitting person or entity, and 
is not customarily in the public domain.
    (f) Access by Congress and whistleblower protection.
    (1) Exceptions for disclosure.
    (i) Pursuant to section 214(a)(1)(D) of the CII Act of 2002, 
Protected CII shall not, without the written consent of the person or 
entity submitting such information, be used or disclosed by any officer 
or employee of the United States for purposes other than the purposes 
of the CII Act of 2002, except--
    (A) In furtherance of an investigation or the prosecution of a 
criminal act; or
    (B) When disclosure of the information is made--
    (1) To either House of Congress, or to the extent of matter within 
its jurisdiction, any committee or subcommittee thereof, any joint 
committee thereof or subcommittee of any such joint committee; or
    (2) To the Comptroller General, or any authorized representative of 
the Comptroller General, in the course of the performance of the duties 
of the General Accounting Office.
    (ii) If any officer or employee of the United States makes any 
disclosure pursuant to these exceptions, contemporaneous written 
notification must be provided to the Department through the Protected 
CII Program Manager.

[[Page 8088]]

    (2) Consistent with the authority to disclose information for any 
purpose described in Sec.  29.2, disclosure of Protected CII may be 
made, without the written consent of the person or entity submitting 
such information, to the DHS Inspector General, or to any other 
employee designated by the Secretary of Homeland Security.
    (3) Subject to the limitations of title 5 U.S.C., section 1213 (the 
``Whistleblower Protection Act''), disclosure of Protected CII may be 
made by any officer or employee of the United States who reasonably 
believes that such information:
    (i) Evidences an employee's or agency's conduct in violation of 
criminal law, or any other law, rule, or regulation, affecting or 
relating to the protection of the critical infrastructure and protected 
systems, analysis, warning, interdependency study, recovery, or 
reconstitution or
    (ii) Evidences mismanagement, a gross waste of funds, an abuse of 
authority, or a substantial and specific danger to public health or 
safety affecting or relating to the protection of the critical 
infrastructure and protected systems, analysis, warning, 
interdependency study, recovery, or reconstitution.
    (4) Disclosures of all of the information cited in paragraphs 
(f)(1) through (3) of this section, including under paragraph 
(f)(1)(i)(A), are authorized by law and therefore are not subject to 
penalty under section 214(f) of the Homeland Security Act of 2002.
    (g) Responding to requests made under the Freedom of Information 
Act or State/local information access laws.
    (1) Protected CII shall be treated as exempt from disclosure under 
the Freedom of Information Act and, if provided by the Protected CII 
Program Manager or the Protected CII Program Manager's designees to a 
State or local government agency, entity, or authority, or an employee 
or contractor thereof, shall not be made available pursuant to any 
State or local law requiring disclosure of records or information. Any 
Federal, State, or local government agency with questions regarding the 
protection of Protected CII from public disclosure shall contact the 
Protected CII Program Manager, who shall in turn consult with the DHS 
Office of the General Counsel.
    (2) These procedures do not limit or otherwise affect the ability 
of a State or local government entity, agency, or authority to obtain 
under applicable State or local law information directly from the same 
person or entity voluntarily submitting information to DHS. Information 
independently obtained by a State or local government entity, agency, 
or authority is not subject to the CII Act of 2002's prohibition on 
making such information available pursuant to any State or local law 
requiring disclosure of records or information.
    (h) Ex parte communications with decisionmaking officials. Pursuant 
to section 214(a)(1)(B) of the Homeland Security Act of 2002, Protected 
CII is not subject to any agency rules or judicial doctrine regarding 
ex parte communications with a decision making official.
    (i) Restriction on use of Protected CII in civil actions. Pursuant 
to section 214(a)(1)(C) of the Homeland Security Act of 2002, Protected 
CII shall not, without the written consent of the person or entity 
submitting such information, be used directly by any Federal, State, or 
local authority, or by any third party, in any civil action arising 
under Federal or State law if such information is submitted in good 
faith under the CII Act of 2002.
    (j) Disclosure to foreign governments. The Protected CII Program 
Manager or the Protected CII Program Manager's designees may provide 
Protected CII to a foreign Government without the written consent of 
the person or entity submitting such information to the same extent, 
and under the same conditions, it may provide advisories, alerts, and 
warnings to other governmental entities as described in paragraph (e) 
of this section, or in furtherance of an investigation or the 
prosecution of a criminal act. Before disclosing Protected CII to a 
foreign government, the Protected CII Program Manager or the Protected 
CII Program Manager's designees shall protect from disclosure the 
source of the Protected CII, any information that is proprietary or 
business sensitive, relates specifically to the submitting person or 
entity, or is otherwise not appropriate for such disclosure.
    (k) Obtaining written consent for further disclosure from the 
person or entity submitting information.
    (1) Authority to Seek and Obtain Submitter's Consent to Disclosure. 
The Protected CII Program Manager or any Protected CII Program 
Manager's designee may seek and obtain written consent from persons or 
entities submitting information when such consent is required under the 
CII Act of 2002 to permit disclosure. In exigent circumstances, and so 
long as contemporaneous notice is provided to the Protected CII Program 
Manager or the Protected CII Program Manager's designees, any Federal 
government employee may seek the consent of the submitting party to the 
disclosure of Protected CII where such consent is required under the 
CII Act of 2002.
    (2) Consequence of Consent. Whether given in response to a request 
from the Protected CII Program Manager, the Protected CII Program 
Manager's designees, or another Federal government employee pursuant to 
paragraph (k)(1) of this section, a person's or entity's consent to 
additional disclosure, if conditioned on a limited release of Protected 
CII that is made for DHS's purposes and in a manner that offers 
reasonable protection against disclosure to the general public, shall 
not result in the information's loss of treatment as Protected CII.


Sec.  29.9  Investigation and reporting of violation of protected CII 
procedures.

    (a) Reporting of possible violations. Persons authorized to have 
access to Protected CII shall report any possible violation of security 
procedures, the loss or misplacement of Protected CII, and any 
unauthorized disclosure of Protected CII immediately to the Protected 
CII Program Manager or the Protected CII Program Manager's designees 
who shall in turn report the incident to the IAIP Directorate Security 
Officer and to the DHS Inspector General.
    (b) Review and investigation of written report. The Inspector 
General, Protected CII Program Manager, or IAIP Security Officer shall 
investigate the incident and, in consultation with the DHS Office of 
the General Counsel, determine whether a violation of procedures, loss 
of information, and/or unauthorized disclosure has occurred. If the 
investigation reveals any evidence of wrongdoing, DHS, through its 
Office of the General Counsel, shall immediately contact the Department 
of Justice's Criminal Division for consideration of prosecution under 
the criminal penalty provisions of section 214(f) of the CII Act of 
2002.
    (c) Notification to originator of Protected CII. If the Protected 
CII Program Manager or the IAIP Security Officer determines that a loss 
of information or an unauthorized disclosure has occurred, the 
Protected CII Program Manager or the Protected CII Program Manager's 
designees shall notify the submitter of the information in writing, 
unless providing such notification could reasonably be expected to harm 
the investigation of that loss or any other law enforcement, national 
security, or homeland security interest. The written notice shall 
contain a description of the incident and the date of disclosure, if 
known.

[[Page 8089]]

    (d) Criminal and administrative penalties. As established in 
section 214(f) of the CII Act, whoever, being an officer or employee of 
the United States or of any department or agency thereof, knowingly 
publishes, divulges, discloses, or makes known in any manner or to any 
extent not authorized by law any information protected from disclosure 
by the CII Act of 2002 and coming to the officer or employee in the 
course of his or her employment or official duties or by reason of any 
examination or investigation made by, or return, report, or record made 
to or filed with, such department or agency or officer or employee 
thereof, shall be fined under title 18 of the United States Code, 
imprisoned not more than one year, or both, and shall be removed from 
office or employment.

    Dated: February 12, 2004.
Tom Ridge,
Secretary of Homeland Security.
[FR Doc. 04-3641 Filed 2-19-04; 8:45 am]
