Information Sharing: DHS Should Take Steps to Encourage More Widespread Use of Its Program to Protect and Share Critical Infrastructure Information

On September 1, 2006, the Department of Homeland Security issued "Procedures for Handling Critical Infrastructure Information; Final Rule" in the Federal Register.

To communicate to the private sector the Department of Homeland Security's (DHS) protected critical infrastructure information (PCII)needs and expected use, the Office of Infrastructure Protection/PCII Program has made available, through its public website, answers to frequently asked questions that defines the type of information collected and what it is used for. In addition, the public website explains how PCII will be accessed, handled, and used by Federal, state and local government employees and their contractors.

As outlined in the "Procedures for Handling Critical Infrastructure Information--Final Rule" issued September 1, 2006, DHS has taken the following steps to increase submissions: 1) Allowing the submission of Critical Infrastructure Information (CII) to other Federal agencies or indirect submissions, providing greater intake capability, and greater convenience for submitters, and 2) categorical inclusion of classes of Protected CII, allowing for presumptive validation and more certainty for submitters. The Final Rule identifies procedures for indirect submissions to DHS through DHS field representatives and other Federal Agencies. Federal agencies other than DHS may be designated to receive CII on behalf of DHS, but only the PCII Program Manager is authorized to make the decision to validate a submission as PCII. The Final Rule also invests the PCII Program Manager with the authority and flexibility to designate certain types of infrastructure information as presumptively valid PCII to accelerate the validation process. The PCII Program Manager may establish categories of information for which PCII status will automatically apply.

DHS has taken steps to encourage more users to participate by allowing State and local government officials to share PCII with other parties already authorized to receive such information by the PCII Program Manager. The PCII Program Office has developed an accreditation program as a means to share PCII with eligible government entities. The accreditation program has been designed to ensure the proper handling, use, dissemination, and safeguarding of PCII by government users. A State or local entity can become authorized to receive PCII once its accreditation process has been initiated. The PCII Program Office has already accredited Maryland, Arizona, California, and Massachusetts to receive PCII and is currently working with several other states to become accredited. Once they are fully accredited, the changes made in the Final Rule will facilitate information sharing amongst these entities, should they want to share PCII.