Earlier this week the Office of Management and Budget (OMB) announced the approval of an information collection request (ICR) submitted by DHS National Protection and Programs Directorate (NPPD) that would allow NPPD to collect information during a survey of participants of the Protected Critical Infrastructure Information (PCII) program. The ICR was approved without change.
The original Federal Register notice for this ICR (76 FR 17935-17936) notes that:
The PCII Program helps government analysts, emergency responders, and other homeland security professionals access data about facilities and systems on which the Nation depends. The PCII Program is responsible for ensuring compliance with the regulation’s uniform procedures for the handling, use, dissemination, and safeguarding of PCII. In this capacity, the PCII Program oversees a community of stakeholders, including submitters of CII, authorized users of PCII and accredited Federal, State and local entities with homeland security duties.
The purpose of the survey covered by this ICR is to “gather information to improve relationships with stakeholders and maximize the value of the PCII Program” according to the abstract provided in the ICR notice. NPPD expects to have 100 responses to this survey and expects that it will take about 13 hours for a respondent to collect the data and respond. As is typical for NPPD submitted ICRs, they don’t expect this effort to cost the respondents any money; apparently they have never heard of the adage that time is money.
Interestingly, this ICR was originally submitted in February and then was withdrawn by NPPD in July; there is no word why the ICR was withdrawn at that time. It was resubmitted in September with no new Federal Register notices (ICR submissions require a 60-day notice and a 30-day notice before being sent to OMB), so one would like to assume that there were no significant changes made in the submission documentation.
There is a link to the approved PCII Stakeholder Survey provided in the ICR document; it is actually a Word® document version of the on-line survey. The version of the survey in the original submission is actually a series of web shots of the actual planned on-line survey. The only real differences between the two are differing sets of questions 11 thru 14. There is nothing startling in the differences in those questions other than the approved version appears to be asking for slightly less detail. Perhaps this was done to increase the anonymity of the responses.
While the new question 11 does include ‘Submitter’ as one of the responses to describe the person completing the survey, the responses to question 12 does make it clear that this survey is being targeted at government users of the PCII program, not the public portion that is actually providing the information. That may be why there is no cost associated with the 13 hours per response noted in the ICR.
I think that it is fair to say that the proper sharing of PCII is an important perquisite to ensuring that intelligence and security analysts have access to the necessary information necessary for doing their jobs. As such it is important for the PCII program managers to understand those things that are making that proper sharing of information more difficult.
The Wiki Leaks fiasco has also shown us what happens when it is too easy to share critical information. It would have been nice to see at least one question in the survey that would address the issues of inadequate information sharing controls.