Home Information Sharing & Analysis Prevention & Protection Preparedness & Response Research Commerce & Trade Travel Security & Procedures Immigration
About the Department Open for Business Press Room
Current National Threat Level is elevated

The threat level in the airline sector is High or Orange. Read more.

Homeland Security 5 Year Anniversary 2003 - 2008, One Team, One Mission Securing the Homeland

How Protected Critical Infrastructure Information (PCII) Is Protected

The Protected Critical Infrastructure Information (PCII) Program's safeguards ensure that PCII is:

  • Only accessed by authorized and properly trained individuals,
  • Properly marked as PCII,
  • Used appropriately for threat analysis, vulnerabilities and other homeland security purposes,
  • Protected from disclosure under the Freedom of Information Act (FOIA) and similar state and local disclosure laws, and
  • Not used directly in civil litigation.

PCII cannot be used as the basis for regulatory action.

The PCII Program Office administers an accreditation program for federal, state and local governments to ensure that uniform PCII Program standards and requirements are consistently applied by all participating entities.

Marking PCII

Only the PCII Program Office or the PCII Program Manager Designees may mark information as PCII and provide it with a submission identification number.  Information that does not contain the requisite PCII markings and identification number is not PCII.

To ensure appropriate protections on PCII:

  • All forms of PCII are marked with “Protected Critical Infrastructure Information” in the headers and footers to alert users to the information’s status and protection requirements.
  • All PCII is marked with an Identification Number.
  • All PCII materials are labeled with the required Protection Statement.

The PCII marking remains until the PCII Program Office determines that the information no longer qualifies for PCII protection or the submitter requests that the protection be removed.

Back To Top

PCII Cover Sheet

The PCII Cover Sheet must be attached to all physical copies of PCII materials to alert individuals of the PCII.

PCII materials should always be protected with the Cover Sheet, whether in storage, transit, or on a desk, even if that desk is in an environment where the most rigorous access controls are in place. The Cover Sheet must:

  • Be positioned in such a manner that the PCII cannot be viewed by individuals in the immediate area who are not working with the information,
  • Remain with PCII materials at all times, and
  • Be placed on top of a transmittal letter or memorandum.

Back To Top

Safeguarding and Storing PCII

All PCII recipients share responsibility for ensuring that PCII is properly safeguarded in accordance with the Critical Infrastructure Information Act of 2002 (CII Act) (PDF, 11 pages - 53 KB) and the Final Rule: Procedures for Handling Protected Critical Infrastructure Information (Final Rule).

Federal government employees who do not follow these safeguarding procedures may be subject to disciplinary action and to the civil and criminal penalties set forth in the CII Act of 2002.

In general, safeguarding measures must ensure that:

  • Precautions are taken to prevent unauthorized persons from overhearing conversations, observing PCII materials, or otherwise obtaining such information,
  • PCII is accessed only by authorized users,
  • To the extent feasible, submitted information is not at risk of inappropriate use, and
  • PCII is not disseminated inappropriately.

Recipients of PCII, including copies of PCII and derivative work products, must safeguard the PCII to ensure that PCII is:

  • Accessed by authorized users who are properly trained in how to handle PCII, and
  • Safeguarded in accordance with all the guidance from the PCII Program Manager.

Once submitted information is validated and marked as PCII, it may reside on a partnering federal entity's system and keep the protections afforded under the PCII Program.

The PCII Program Office keeps a record of all submissions, including those made to an information-sharing partnership. All partnering entities must adhere to the strict safeguarding, handling and storing requirements detailed in the CII Act of 2002 (CII Act) (PDF, 11 pages - 53 KB) and the Final Rule.

Back To Top

Change in PCII Status

In some cases, the PCII Program Manager may discover that information validated as PCII did not, in fact, meet all requirements at the time of validation (i.e., was not voluntarily provided, was of a type customarily in the public domain, or was subsequently determined to be false).  Under such circumstances, the PCII Program Manager will review the submission’s PCII status.

The submitter may also, at any time after submission of critical infrastructure information (CII), request in writing that his or her submitted information no longer be protected as PCII.  The PCII Program Manager or the Designee will follow the submitter's directions under the following circumstances:

  • Withdrawal of Submissions: If a submitter wishes to withdraw the submission, and that information has not completed the validation process, the PCII Program Office will return all such information to the submitting person or entity or destroy the information, depending on the written request of the submitter.
  • Change of Status: If the submitter requests in writing that the PCII protections be removed on a submission that has already been validated, the PCII Program Office will do so. In this case, the PCII Program Office may destroy the information or return it to the submitter, depending on the submitter’s instructions and availability.  Recipients of that PCII will be notified of the final change in status.

In the event that the PCII Program Manager determines that the information should not retain its PCII status or the submitter requests that his or her submitted information no longer be protected as PCII, the PCII Program Office will:

  • Notify the submitter of the change in status,
  • Remove the  PCII markings from the information,
  • Change the designation of the information in PCII Management System, and
  • Notify users of the information’s change in status.

If there is no indication that the information has been used as PCII, the PCII Program Office will notify the submitter of the change in status and ask him or her to specify whether the information should be destroyed or retained without protection under the CII Act of 2002 (PDF, 11 pages - 53KB). If the PCII Program Office does not receive a response to this request within 30 calendar days of notifying the submitter of the change in status, the PCII Program Office may retain the information without protection or destroy it in a manner consistent with the appropriate National Archives and Records Administration-approved records disposition schedule.

Back To Top

Oversight and Compliance

All individuals with access to PCII are responsible for safeguarding it while it is in their possession or control.  Participating government entities, in  partnership with the PCII Program Office, ensure individuals adhere to safeguarding and handling requirements.

PCII accredited government entities must designate a PCII Officer to provide oversight and manage employees with access to PCII in their organization. The PCII Program Office works in conjunction with the PCII Officer to ensure PCII is being used appropriately by reviewing the annual reports and self-inspections and conducting site visits as necessary.

The PCII Officer’s oversight of the PCII program in his or her entity consists of:

  • Monitoring ongoing compliance with PCII Program requirements,
  • Supervising PCII authorized users within the entity,
  • Performing periodic self-inspections,
  • Fulfilling an annual reporting requirement,
  • Investigating any alleged or actual misuse or compromise of PCII, 
  • Undertaking site visits,
  • Conducting system audits, and
  • Reporting any misuse or mishandling of PCII.

In coordination with the Department of Homeland Security Office of Security and the Office of the General Counsel, the PCII Program Manager has established and implemented procedures for reporting and investigating the suspected loss, misplacement, or unauthorized disclosure of PCII.  The Memorandum of Agreement that entities must enter into as part of the accreditation process, requires federal, state and local entities to cooperate in these investigations.

Suspicious or inappropriate requests for information by any means (e.g., e-mail or verbal), must be reported immediately to the relevant PCII Officer, who must then report them to the PCII Program Office. 

Back To Top

Penalties for Mishandling PCII

All federal, state and local government employees and contractors with access to PCII must ensure that PCII is properly safeguarded according to official program procedures.

Individuals who do not follow these procedures may be subject to disciplinary action, including criminal and civil penalties and loss of employment. State laws governing theft, conspiracy and trade secrets may apply to government employees and contractors who intentionally mishandle PCII. The penalties for mismanagement are detailed further in the Final Rule.

Back To Top

This page was last reviewed/modified on August 1, 2008.