Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that the DHS National Protection and Programs Directorate (NPPD) had withdrawn their information collection request (ICR) for a questionnaire to be used by State Protected Critical Infrastructure Information (PCII) Officers to conduct a self-assessment of the protections applied to PCII at the State level.
NPPD has been having a number of administrative problems with this ICR since it was initiated last year. I noted back in May that they ignored a public comment posted in response to their 60-day ICR. Then OIRA rejected their initial submission of the ICR in July as being ‘improperly submitted’.
The actual questionnaire being proposed for the self-assessment program (down-loadable here) seems to address the issues that one would expect that someone conducting a compliance audit of the program would be looking at. Too many of the questions, however, solicit ‘Yes’ or ‘No’ answers and the wording of the question usually indicates the ‘proper’ response. Since only an inappropriate response requires an explanation, a cursory appropriate response is encouraged when filling out the form. This is a typical problem with a self-assessment program.
As I have repeatedly noted in the earlier posts about this ICR, I have concerns about the use of a self-assessment questionnaire in evaluating the protections put in place for the State level PCII programs. Critical infrastructure organizations are relying on NPPD and the Federal Government to ensure that the critical information that they are voluntarily submitting is properly protected.
Since that PCII must, in most cases, be shared with State and local agencies to ensure that those critical infrastructure facilities are appropriately protected, NPPD has an overarching requirement to ensure that the PCII programs are being properly administered at the State and local levels. Simply requiring that a self-assessment form be completed is not adequately ensuring that the protections are in place.
I wonder, how long has it been since Congress has exercised their oversight responsibility of this important information sharing program? I don’t recall the last time any committee has held hearings on the PCII program. With Congress interested in encouraging information sharing about cybersecurity matters, may be they ought to take a look at how well the government is protecting information already being shared by the same organizations.