Today the Department of Homeland Security (DHS) published an
advance notice of proposed rulemaking (ANPRM) in the Federal Register (81 FR
23442-23445) for a possible update of the Protected
Critical Infrastructure Information (PCII) program as established in 6
CFR Part 29. This program protects critical infrastructure information
(CII) voluntarily submitted to DHS from public disclosure.
Information Sought
The notice provides background information
on the initial establishment of the PCII program in 2006. It then goes on to
explain that the program needs to be transitioned to a modern electronic
environment. That transition would:
• Enhance the submission and validation process for critical infrastructure information;
• Use state-of-the-art technology for an automated interface for quicker access and dissemination of PCII;
• Modify requirements for the express and certification statements;
• Expand the use of categorical inclusions;
• Require portion marking of PCII; and
• Implement specific methods to capture and deliver metadata to the PCII Program.
Specifically, DHS is requesting information and comments on
the following topics:
• Marking/Portion Marking;
and
The first topic is the one about which DHS is seeking the
most information. It is seeking comments on nine specific areas in this topic.
Those areas include:
• How to enhance the submission methods for critical infrastructure information and automate sharing via structured information expression profiles and electronic exchange protocols;
• Whether an updated PCII rule should permit multiple submissions of information under one express statement and certification statement enabling the submission of multiple documents by an organization over the course of several weeks or months;
• Whether an updated PCII rule should allow submissions in a purely electronic format that includes an electronic express statement and certification statement in order to simplify the submission of large data sets in particular;
• Whether and to what extent an automated submission process should incorporate auditing and statistical reporting requirements to increase transparency of the frequency and types of data being submitted to the program;
• Addressing any process amendments or program enhancements to effectively implement automated submission processing in order to facilitate the submitter's ability to request and receive timely audits of access to the submissions;
• What effect, if any, an updated PCII Program would have on enabling broader sharing and analysis among other trusted recipients of cyber threat and risk data;
• Which specific programmatic-submission use cases that define data collection needs should be developed and established as categorical inclusions in specific data exchange activities in order to increase the submitters' community use and ease of submission in the PCII submission process;
• The extent to which specific programmatic-submission use cases should be developed and established as categorical inclusions in order to normalize a range of permissible and impermissible uses for specific types of data shared as PCII; and
• Expanding categorical inclusions to the State governmental level to increase the range of submissions, enhance the efficiency of information sharing, and make the protection of critical infrastructure information more effective.
Public Comments
DHS is soliciting public comments on the above topics and
questions. Those comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # OOPS, there
is no docket number provided in today’s notice). I expect that we will see a
revision notice next week in the Federal Register providing a docket number.
Until then, the only other method of comment submission included in the notice
is snail mail, not my recommendation. Still, comments should be submitted by
July 20th, 2016.
Commentary
The one thing missing from this notice is mention of the
pending rule on Controlled Unclassified Information. The final
rule on CUI was submitted to OMB back in October. This rulemaking from the
National Archives and Records Administration (NARA) seeks to standardize the
administration of CUI programs like PCII.
Since the PCII program was established by statute {the CII
Act of 2002 (Sections 211-215, Title II, Subtitle B of the Homeland Security
Act of 2002, PL
107-296)} most of the NARA regulations can be overridden by the PCII
regulations. But, any areas of the NARA regulations that are not specifically
addressed in the PCII regulations will have to comply with the NARA provisions.
And there will be some areas of the NARA regulations that may not be superseded
unless specifically authorized in legislation.
Unfortunately, this ANPRM cannot attempt to address those
issues since the NARA regulations have not yet been approved. I suspect that
the most likely areas of potential conflict will deal with page and paragraph marking
requirements.
The other area of potential concern (though probably not an
actual conflict since it has never been addressed) will be the requirements for
cybersecurity
of electronic copies of documents. This will be particularly important with
this ANPRM because of the expressed intent of expanding the use of electronic
data submission and sharing. But, again, it is hard to express concerns about these
issues until the NARA rule is published.