DHS, CISA roll out technical rule to update PCII program, bring legal protections for cyber, physical infrastructure information


The U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) issued Wednesday a technical rule to improve and modernize aspects of the Protected Critical Infrastructure Information (PCII) program, which provides legal protections for cyber and physical infrastructure information submitted to DHS. The protections offered by the PCII program enhance the voluntary sharing of critical infrastructure information (CII) between infrastructure owners and operators and the government, while giving homeland security partners confidence that sharing their information with the government will not expose sensitive or proprietary data to public disclosure.

The latest non-substantive, technical edits amend the PCII program regulation found at 6 CFR part 29, to help critical infrastructure owners/operators, state and local governments, and other important stakeholders more effectively use the PCII Program.

The U.S. Congress created the PCII program under the Critical Infrastructure Information Act of 2002 (CII Act) to protect information voluntarily shared with the government on the security of private and state/local government critical infrastructure. Title 6 Code of Federal Regulations (CFR) part 29, ‘Procedures for Handling Critical Infrastructure Information; Final Rule,’ establishes uniform procedures for the receipt, validation, handling, storage, marking, and use of critical infrastructure information (CII) voluntarily submitted to CISA within DHS.

Established as part of major security reforms following the 9/11 terror attacks, the PCII Program has become a cornerstone of CISA’s public-private partnership to secure U.S. cybersecurity and critical infrastructure by providing legal protections for information shared with the government by the private sector for homeland security purposes. This technical rule represents the first-ever update to the PCII regulations since their initial publication in 2006. 

Since then, the implementing component within DHS underwent substantial reorganization (i.e., transitioning the National Protection and Programs Directorate into CISA). As a result of this change, several technical revisions to 6 CFR part 29 were required to reflect updates to the organization and to address typographical and other errors in the 2006 final rule. These improvements help to modernize the PCII program and further position CISA as the nation’s lead cyber defense agency. These technical, non-substantive revisions qualify for publication as a final rule without the notice and comment typically required by the Administrative Procedure Act.

In a notice published in the Federal Register, the agencies noted that the majority of the changes made throughout 6 CFR part 29 are intended to reflect that CISA is the agency responsible for operating the PCII program within DHS and to provide the public with accurate information regarding how CISA currently operates the program. “Specifically, the part is amended to accurately identify the names of offices and titles of personnel responsible for operating the PCII Program within CISA and to update legal citations and cross-references. This rule also creates several new definitions and amends existing definitions to clarify terms, titles, and acronyms used throughout the part that are specific to CISA’s operation of the PCII Program,” the notice added.

For example, some new definitions include ‘CISA,’ ‘Director,’ ‘Executive Assistant Director,’ and ‘PCII Program Manager’ and do not create substantive changes to the regulations. Other definitions such as ‘Critical Infrastructure,’ ‘Information Sharing and Analysis Organization,’ and ‘Voluntary or Voluntarily’ are amended through this rule to align the definitions with the exact statutory text of the CII Act or to update outdated legal citations.

The final rule also makes changes throughout the entirety of 6 CFR part 29 to correct typographical and grammatical errors and to clarify the regulation through stylistic wording and organizational changes. Some of these changes in the wording of the regulation are to align the regulatory text with the statutory text of the CII Act by incorporating the exact statutory language instead of cross-references to the CII Act or to add words from the statutory language of the CII Act which were initially erroneously omitted from 6 CFR part 29. 

“The PCII Program is essential to CISA’s ability to gather information about risks facing critical infrastructure,” David Mussington, executive assistant director for infrastructure security, said in a Wednesday statement. “This technical rule modernizes and clarifies important aspects of the Program, making it easier for our partners to share information with DHS. These revisions further demonstrate our commitment to ensuring that sensitive, proprietary information shared with CISA remains secure and protected. I would like to thank CISA’s PCII Program Office and Office of the Chief Counsel for their hard work in making this technical rule a reality.”

These revisions constitute non-substantive technical, organizational, and conforming amendments in various sections of 6 CFR part 29 to correct errors, change addresses, update titles, and make other non-substantive amendments that improve the clarity of the PCII Program regulations. The rule does not create or change any substantive requirements. A complete description of the revisions is in the technical Final Rule, which can be found at 87 Fed. Reg. 77971 (December 21, 2022). 

Information Sharing and Analysis Organization (ISAO) has the same meaning stated in 6 U.S.C. 671(5) and means any formal or informal entity or collaboration created or employed by public or private sector organizations to gather and analyze CII, including information related to cybersecurity risks and incidents, in order to better understand security problems and interdependencies related to critical infrastructure and protected systems, so as to ensure the availability, integrity, and reliability thereof.

Additionally, the definition covers communicating or disclosing CII, including cybersecurity risks and incidents, to help prevent, detect, mitigate, or recover from the effects of interference, compromise, or incapacitation problems related to critical infrastructure or protected systems. It also includes voluntarily disseminating CII, including cybersecurity risks and incidents, to its members, federal, state, and local governments, or any other entities.