On Friday the National Protection and Programs Directorate
(NPPD) at DHS published a 60-day information collection request (ICR) notice in
the Federal Register (77 FR 68795-68796)
that would allow for the establishment of a questionnaire concerning the
Protected Critical Infrastructure Information (PCII) program.
The Questionnaire
This is a different questionnaire from the one for which OMB
recently approved
a separate ICR. While the purpose of both questionnaires is to improve the
PCII program, they are apparently targeted at different audiences. The earlier
ICR was targeted at federal officials and contractors. According to this
notice:
“This questionnaire is designed to
gather information from PCII Officers that will be used by the NPPD/IP PCII
Program to assess state and local programs, their compliance with PCII rules
and requirements, and the specific needs of their accredited programs. These
assessments are designed to help the DHS PCII Program and Officers to ensure
that PCII is being properly protected and to limit the potential for
mishandling and improper disclosures.”
We won’t see the actual questionnaire until the ICR is
submitted to the Office of Management and Budget. That means that we won’t
actually know what questions are being asked to accomplish the above objective.
Protecting PCII
I am concerned about the phrase “to ensure that PCII is
being properly protected and to limit the potential for mishandling and
improper disclosures”. The whole point of the PCII program is that the private
sector voluntarily shares sensitive information about critical infrastructure
with the federal government. The only incentive that the government is able to
provide is that it will in turn provide actionable intelligence information
that the participants might be able to use to protect their facilities.
Since everyone knows that that information will come
infrequently at best (or hopes that it will be infrequent; no one wants to be
targeted by terrorists) this is not much of an incentive. This means that any
risk of governmental disclosure of the information will be enough to stop most
facility owners from sharing critical information with the government.
NPPD certainly has a responsibility to ensure that the privately
provided information shared with State and local officials continues to be
protected from disclosure. There is nothing in this ICR notice that indicates
that there are other tools being used by NPPD to ensure the adequate protection
of the PCII information at the State and local level. I certainly wouldn’t
advocate that all of the security measures be disclosed, but this notice that
proposes that actions need to be taken to ensure that PCII is properly
protected at the State and local level should include some sort of assurances
that there are other measures already in place to ensure the same thing.
Public Comments
NPPD is soliciting public comments on this ICR. Comments can
be filed using the Federal eRulemaking Portal (www.Regulations.gov; Docket # DHS-2012-0046).
Comments need to be filed by January 15, 2013.
Posts
No comments:
Post a Comment