PCII and CVI Information

Earlier this week DHS did a complete update of their web site that deals with the Protected Critical Infrastructure Information (PCII) program. This controlled but unclassified information protection program was established in 2002 as Subtitle B of Title II of the Homeland Security Act of 2002 (PL 107-296). One of the new pages included in this re-worked site addresses information that is protected both by the PCII program and the Chemical Vulnerability Information (CVI) program under CFATS.

Differences Between PCII and CVI

Both programs provide similar degrees of protection against public disclosure of information submitted to the Federal government. There is a significant difference, however. Information submitted via the PCII program may not be used for regulatory purposes and the CFATS program is definitely a regulatory program.

This means, essentially, that the folks that work at the Infrastructure Security Compliance Division (ISCD) of NPPD do not have access to PCII. Facilities that submit documents to ISCD that have also been provided to DHS under the PCII program must ensure that there are no PCII markings on copies sent to ISCD.

Commentary

There is an interesting difference between document protection requirements in these two programs. While the CVI program sets rules for document protection at the facility that submits the documents, there are no such requirements included in the PCII program. The PCII program only sets the document protection requirements for government entities and contractors working for those entities.

If facilities are submitting the same documents under both programs it is important that the PCII marked documents are kept separate from the CVI marked documents. This is going to make keeping the documents up to date a tad bit more difficult as they will have to be maintained in separate computer files as well since electronic CVI documents are required to be saved with program markings.