On Friday the National Protection and Programs Directorate (NPPD) at DHS published a 60-day information collection request (ICR) notice in the Federal Register (77 FR 68795-68796) that would allow for the establishment of a questionnaire concerning the Protected Critical Infrastructure Information (PCII) program.
This is a different questionnaire from the one for which OMB recently approved a separate ICR. While the purpose of both questionnaires is to improve the PCII program, they are apparently targeted at different audiences. The earlier ICR was targeted at federal officials and contractors. According to this notice:
“This questionnaire is designed to gather information from PCII Officers that will be used by the NPPD/IP PCII Program to assess state and local programs, their compliance with PCII rules and requirements, and the specific needs of their accredited programs. These assessments are designed to help the DHS PCII Program and Officers to ensure that PCII is being properly protected and to limit the potential for mishandling and improper disclosures.”
We won’t see the actual questionnaire until the ICR is submitted to the Office of Management and Budget. That means that we won’t actually know what questions are being asked to accomplish the above objective.
I am concerned about the phrase “to ensure that PCII is being properly protected and to limit the potential for mishandling and improper disclosures”. The whole point of the PCII program is that the private sector voluntarily shares sensitive information about critical infrastructure with the federal government. The only incentive that the government is able to provide is that it will in turn provide actionable intelligence information that the participants might be able to use to protect their facilities.
Since everyone knows that that information will come infrequently at best (or hopes that it will be infrequent; no one wants to be targeted by terrorists) this is not much of an incentive. This means that any risk of governmental disclosure of the information will be enough to stop most facility owners from sharing critical information with the government.
NPPD certainly has a responsibility to ensure that the privately provided information shared with State and local officials continues to be protected from disclosure. There is nothing in this ICR notice that indicates that there are other tools being used by NPPD to ensure the adequate protection of the PCII information at the State and local level. I certainly wouldn’t advocate that all of the security measures be disclosed, but this notice that proposes that actions need to be taken to ensure that PCII is properly protected at the State and local level should include some sort of assurances that there are other measures already in place to ensure the same thing.
NPPD is soliciting public comments on this ICR. Comments can be filed using the Federal eRulemaking Portal (www.Regulations.gov; Docket # DHS-2012-0046). Comments need to be filed by January 15, 2013.