Protected Critical Infrastructure Information (PCII) Program Emily R. Hickey Sr. Communications Officer PCII Program Office Briefing to the FGDC HSWG Washington,

Protected Critical Infrastructure Information (PCII) Program

Emily R. HickeySr. Communications OfficerPCII Program Office

Briefing to the FGDC HSWG

Washington, DC

September 21, 2006

2

OverviewOverview

The PCII Program Benefits of Participation Operational Processes Accreditation Program Growth and New Initiatives How to Participate in the PCII Program

3

The Protected Critical Infrastructure The Protected Critical Infrastructure Information (PCII) ProgramInformation (PCII) Program

Established under the CII Act of 2002, the PCII Program protects voluntarily submitted critical

infrastructure information from:

Freedom of Information Act (FOIA)State and local sunshine lawsCivil litigation proceedings

P

CII

Information cannot be used for regulatory purposes

The PCII Program is an important tool to encourage industry to share their sensitive critical infrastructure information

4

Examples of Critical Infrastructure Examples of Critical Infrastructure Information (CII)Information (CII)

Information defined by the CII Act includes:

Threats ― Actual, potential, or threatened interference with, attack on, compromise of, or incapacitation of a critical asset

Vulnerabilities ― Ability to resist threats, including assessments or estimates of vulnerability

Operational experience ― Any past operational problem or planned or past solution including repair, recovery, or extent of incapacitation

5

PCII Program Office MissionPCII Program Office Mission

The Program Office’s mission is to receive, validate, facilitate access to, and safeguard PCII

Receive Validate Facilitate Access

6

Benefits of ParticipationBenefits of Participation

The PCII Program can:

Facilitate new information sharing without compromising sensitive business information

Strengthen existing public/private partnerships by adding protection to private sector’s information

Enhance and increase Federal, State and local government entity access to critical infrastructure information

7

Operational ProcessesOperational ProcessesProcess for Submitting CII for PCII Protection Private sector, State or local government entities, and Information Sharing

and Analysis Organizations (ISAO) may voluntarily submit information that meets the definition of CII as defined in the Act. Information may be submitted to the Program Office by mail, fax, courier, or electronically through a secure Web portal at www.dhs.gov/pcii, and must include:

Express Statement requesting protection

Certification Statement

User Access to PCII

Once validated, PCII can be shared in various ways with authorized users:

Hand delivery

E-mail password protected file

8

Qualifications for PCII StatusQualifications for PCII Status

To qualify for protection under the PCII Program, critical infrastructure information must:

Be voluntarily submitted to and validated by the PCII Program Office

Not otherwise be required by DHS

Not be customarily in the public domain

9

Validation Process for PCIIValidation Process for PCII

PCII Program Office: Checks for Express Statement Verifies receipt of required certification Reviews submitted information Determines if information meets definition of CII

Submissions from: Private Industry Information Sharing and Analysis Organizations (ISAO) State/local governments

NOYES

Makes available to authorized users

Destroy material orreturn it to submitter

Meets criteria?

10

Standard Access PolicyStandard Access Policy To be an Authorized User, the following requirements must be met:

• PCII Training (Federal, State and local employees and their contractors)

• Contract Modification (Federal, State and local contractors)

• Non-Disclosure Agreement (non-Federal employees)

• Must be assigned homeland security duties (Federal, State and local government employees and their contractors)

• Must have a need to know the specific information (Federal, State and local government employees and their contractors)

Any Federal, State or local government Authorized User within an accredited entity may receive PCII

11

Purpose of AccreditationPurpose of Accreditation

Ensures that all participating government entities:

• Understand the handling, use, dissemination and safeguarding of PCII

• Have the necessary resources for operating a PCII Program

Promotes consistent application of uniform minimum standards and requirements by all participating entities

Ensures timely access to PCII Provides ongoing guidance to participating government

entities with respect to handling, using, disseminating and safeguarding PCII

12

PCII SafeguardsPCII Safeguards

PCII Program safeguards and Accreditation Program ensure that all submitted information is:

Accessed only by authorized and trained individuals, or those who receive submitter consent to view the PCII

Used appropriately, based on guidance set forth in the CII Act and the PCII Program Final Rule

Stored, handled, and disseminated using methods approved by the PCII Program Office

13

Program GrowthProgram GrowthAggressive outreach has led to increased program participation

The PCII Program Office has publicized the Program at various conferences to reach out to individual industry sectors

The Program Office has enlisted the support of other DHS programs to advocate the benefits of PCII Program protections

The Program Office has hosted discussions with private sector and government representatives to determine the best approach to information sharing

Over the past year, private sector submissions of critical infrastructure information have quadrupled

14

Program GrowthProgram Growth

Federal Entities States/local Entities

Food and Drug Administration’s Center for Food Safety and Applied Nutrition (Accredited)

Department of Agriculture (In Process)

Nuclear Regulatory Commission (In Process)

Department of Defense (In Process)

Maryland (Accredited)

Arizona (Accredited)

Massachusetts (Accredited)

California (Accredited)

Michigan (In Process)

New York (In Process)

Ohio (In Process)

District of Columbia (In Process)

Indianapolis, Indiana (In Process)

Seattle, Washington (In Process)

The PCII Program Office has accredited, or is in the process of accrediting, numerous Federal, State and local entities.

15

Program Initiatives within DHSProgram Initiatives within DHSIncrease in submissions through collaborative efforts with identified users of CII in DHS, including:

National Cyber Security Division’s United States Computer Emergency Readiness Team Secure Portal Submissions Capability

Risk Management Division’s (RMD) Risk Assessment Methodology for Critical Asset Protection (RAMCAP) Program

RMD’s Chemical Comprehensive Review

RMD’s Site Assistance Visits (SAVs) and Buffer Zone Plans (BZPs)

RMD’s Constellation/Automated Critical Asset Management System (ACAMS)

16

Questions to consider to determine if your entity would benefit from becoming an accredited entity of the PCII Program:

What are your entity's information needs? What private sector companies hold this information? Is there private sector information that you are not

receiving because of FOIA concerns? Do you or might you have a need to access PCII received

by the Program Office?

Contact the Program Office to discuss the process further

How to ParticipateHow to Participate

17

PCII Program OfficeDepartment of Homeland Security245 Murray Lane, SWBuilding 410Washington, DC 20528-0001

202-360-3023www.dhs.gov/[email protected]

Contact InformationContact Information