The DHS National Protection and Programs Directorate’s Infrastructure Information Collection Division (IICD) published a 60-Day information collection request (ICR) notice in Monday’s Federal Register (78 FR 29375-29376; available on-line today) supporting a questionnaire targeted at State and local Protected Critical Infrastructure Information (PCII) Officers. The questionnaire would help the Department “to gather information from PCII Officers that can be used to assess their programs, their compliance with PCII rules and requirements, and the specific needs of their accredited programs”.
The Importance of PCII Programs
The Department posted a 60-day ICR notice in the Federal Register back in November, 2012. In a post about that notice I expressed some concerns about the Department’s just now getting around to assessing these State and local programs with which DHS shares selected PCII information. Since the promise of limited disclosure is the only incentive that DHS can provide critical infrastructure organizations to share security information with DHS, any questions about the efficacy of State and local PCII programs will act as a disincentive to information sharing.
The new Cybersecurity Framework under development will depend on PCII programs to protect the information about critical infrastructure computer systems and networks provided to the government. This means that the PCII protections are going to have to be a critical part of the Framework. Again, this makes assessment of State and local PCII programs all that more important.
The current notice states that “DHS received no comments”. A review of the Docket (DHS-2012-0046) at www.Regulations.gov shows that there was a comment submitted on November 28th. Terry Frank from Shell Oil Company noted that it would be difficult to assess the accuracy of the collection effort since a copy of the questionnaire is not made available. This is a point I also made in my earlier blog post. This is particularly aggravating since NPPD is required to include the questionnaire when it files this ICR with OMB. It could easily be placed in the current docket.
Mr. Frank also notes a discrepancy in the description of information disclosure protections provided by the PCII program. Since that comment is not really germane to the ICR in question, I suppose that DHS was justified in ignoring that portion of the comment. Still the comment should have been noted in this ICR notice.
NPPD is soliciting public comments on this 30-day ICR notice. Comments may be filed via the Federal eRulemaking Portal (www.Regulations.gov; Docket # DHS-2012-0046). The notice does not contain the customary ‘submit comments by’ information, but this is a 30-day notice so comments should be filed within 30 days of the publishing of the notice on Monday; so June 18th, 2013.
NOTE: With the failure to acknowledge the comment filed on the 60-day notice and the failure to include a comment closure date in this notice, perhaps NPPD should consider re-submitting this 30-day ICR notice in proper form.