Home | Information Sharing & Analysis | Prevention & Protection | Preparedness & Response | Research | Commerce & Trade | Travel Security | Immigration |
The threat level in the airline sector is High or Orange. Read more.
The Protected Critical Infrastructure Information (PCII) Program's safeguards ensure that PCII is:
PCII cannot be used as the basis for regulatory action.
The PCII Program Office administers an accreditation program for federal, state and local governments to ensure that uniform PCII Program standards and requirements are consistently applied by all participating entities.
Only the PCII Program Office or the PCII Program Manager Designees may mark information as PCII and provide it with a submission identification number. Information that does not contain the requisite PCII markings and identification number is not PCII.
To ensure appropriate protections on PCII:
The PCII marking remains until the PCII Program Office determines that the information no longer qualifies for PCII protection or the submitter requests that the protection be removed.
The PCII Cover Sheet must be attached to all physical copies of PCII materials to alert individuals of the PCII.
PCII materials should always be protected with the Cover Sheet, whether in storage, transit, or on a desk, even if that desk is in an environment where the most rigorous access controls are in place. The Cover Sheet must:
All PCII recipients share responsibility for ensuring that PCII is properly safeguarded in accordance with the Critical Infrastructure Information Act of 2002 (CII Act) (PDF, 11 pages - 53 KB) and the Final Rule: Procedures for Handling Protected Critical Infrastructure Information (Final Rule).
Federal government employees who do not follow these safeguarding procedures may be subject to disciplinary action and to the civil and criminal penalties set forth in the CII Act of 2002.
In general, safeguarding measures must ensure that:
Recipients of PCII, including copies of PCII and derivative work products, must safeguard the PCII to ensure that PCII is:
Once submitted information is validated and marked as PCII, it may reside on a partnering federal entity's system and keep the protections afforded under the PCII Program.
The PCII Program Office keeps a record of all submissions, including those made to an information-sharing partnership. All partnering entities must adhere to the strict safeguarding, handling and storing requirements detailed in the CII Act of 2002 (CII Act) (PDF, 11 pages - 53 KB) and the Final Rule.
In some cases, the PCII Program Manager may discover that information validated as PCII was at the time of validation of a type customarily in the public domain. Under such circumstances, the PCII Program Manager will review the submission’s PCII status and can remove the PCII protections.
The submitter may also, at any time after submission of critical infrastructure information (CII), request in writing that his or her submitted information no longer be protected as PCII. The PCII Program Manager or the Designee will follow the submitter's directions under the following circumstances:
In the event that the PCII Program Manager determines that the information should not retain its PCII status or the submitter requests that his or her submitted information no longer be protected as PCII, the PCII Program Office will:
If there is no indication that the information has been used as PCII, the PCII Program Office will notify the submitter of the change in status and ask him or her to specify whether the information should be destroyed or retained without protection under the CII Act of 2002 (PDF, 11 pages - 53KB). If the PCII Program Office does not receive a response to this request within 30 calendar days of notifying the submitter of the change in status, the PCII Program Office may retain the information without protection or destroy it in a manner consistent with the appropriate National Archives and Records Administration-approved records disposition schedule.
All individuals with access to PCII are responsible for safeguarding it while it is in their possession or control. Participating government entities, in partnership with the PCII Program Office, ensure individuals adhere to safeguarding and handling requirements.
PCII accredited government entities must designate a PCII Officer to provide oversight and manage employees with access to PCII in their organization. The PCII Program Office works in conjunction with the PCII Officer to ensure PCII is being used appropriately by reviewing the annual reports and self-inspections and conducting site visits as necessary.
The PCII Officer’s oversight of the PCII program in his or her entity consists of:
In coordination with the Department of Homeland Security Office of Security and the Office of the General Counsel, the PCII Program Manager has established and implemented procedures for reporting and investigating the suspected loss, misplacement, or unauthorized disclosure of PCII. The Memorandum of Agreement that entities must enter into as part of the accreditation process, requires federal, state and local entities to cooperate in these investigations.
Suspicious or inappropriate requests for information by any means (e.g., e-mail or verbal), must be reported immediately to the relevant PCII Officer, who must then report them to the PCII Program Office.
All federal, state and local government employees and contractors with access to PCII must ensure that PCII is properly safeguarded according to official program procedures.
Individuals who do not follow these procedures may be subject to disciplinary action, including criminal and civil penalties and loss of employment. State laws governing theft, conspiracy and trade secrets may apply to government employees and contractors who intentionally mishandle PCII. The penalties for mismanagement are detailed further in the Final Rule.
This page was last reviewed/modified on November 3, 2008.