CUNA Regulatory Comment Call
March 24, 2004
Procedures for Handling Critical Infrastructure Information
- The Department of Homeland Security (DHS) has issued an interim rule that requests comments on procedures for handling critical infrastructure information (CII) voluntarily submitted to the federal government through DHS by credit unions and other private sector entities. CII covers vital physical or computer-based systems and assets, the incapacitation or destruction of which would have a debilitating impact on national security, national economic security, and national public health and safety, and way of life.
- This interim rule establishes procedures to implement the provisions (Section 214) of the Homeland Security Act of 2002 regarding the establishment of uniform procedures for the receipt, care and storage of CII voluntarily submitted to DHS. Section 214 of the Homeland Security Act, commonly referred to as the Critical Infrastructure Information Act of 2002 (CII Act), established a program that protects from disclosure to the general public any CII that is voluntarily provided to DHS the Protected CII Program. This interim rule will provide DHS with the framework necessary to receive CII and protect it from disclosure to the general public. More information on the Protected CII Program, administered by the DHS Information Analysis and Infrastructure Protection (IAIP) Directorates PCII Program Office, is available on the DHS website at http://www.dhs.gov/dhspublic/display?theme=52.
- The purpose of this interim rule is to encourage the private sector entities to share information pertaining to their particular and unique vulnerabilities, as well as those that may be systemic and sector-wide. By offering an opportunity for protection from disclosure under the Freedom of Information Act (FOIA) for information that qualifies under the CII Act, DHS will assure private sector entities that their information will be safeguarded from abuse by competitors or the open market. In addition, information from individual private sector entities, combined with those from other entities, will create a broad perspective from which the federal government, state and local governments, and individual entities and organizations in the private sector can gain a better understanding of how to design and develop structures and improvements to strengthen and defend those infrastructure vulnerabilities from future attacks.
- The interim rule sets out a basic set of regulations that implements the Protected CII Program. The procedures
in this interim rule include mechanisms regarding:
- Acknowledgement of receipt by DHS of voluntarily submitted CII;
- Maintenance of the identification of CII voluntarily submitted to DHS for purposes of, and subject to the provisions of the CII Act;
- The receipt, handling, storage and proper marking of information as Protected CII;
- Safeguarding and maintenance of the confidentiality of such information that permits the sharing of such information within the federal government and with foreign, state and local government authorities, and the private sector or the general public, in the form of advisories or warnings; and
- Issuance of notices and warnings related to the protection of critical infrastructure and protected systems in such as manner as to protect from unauthorized disclosure the identity of the submitting person or entity as well as information that is proprietary, business sensitive, relates specifically to the submitting person or entity, and is not customarily available in the public domain.
- This interim rule provides flexibility to allow DHS to adapt as program operations evolve. DHS will continue to consider public comments to this interim rule and determine whether possible supplemental regulations are needed as experience is gained with implementing the CII Act.
- This interim rule is effective February 20, 2004.
- Comments are due to DHS by May 20, 2004. Please send your comments to CUNA by May 7, 2004. Please feel free to fax your responses to CUNA at 202-638-7052; e-mail them to Associate General Counsel Mary Dunn at firstname.lastname@example.org or to Senior Regulatory Counsel Catherine Orr at email@example.com; or mail them to Mary or Catherine in c/o CUNA's Regulatory Advocacy Department, 601 Pennsylvania Avenue, NW, 6th Floor - South Building, Washington, DC 20004-2601. You may also contact us if you would like a copy of the interim rule, or you may access it on CUNAs website.
DESCRIPTION OF THE INTERIM RULE
Requirements for Protection
In order for CII to receive the protections of Section 214 of the CII Act, the information must be:
- Voluntarily submitted to the Protected CII Program Manager or the Managers designee(s).
- Submitted for use by DHS for the security of critical infrastructure and protected systems, analysis, warning, interdependency study, recovery, reconstitution or other informational purposes including, without limitation, the identification, analysis, prevention, preemption and/or disruption of terrorist threats to the U.S.
- Accompanied by a statement substantially similar to the following: This information is voluntarily submitted to the Federal government in expectation of protection from disclosure as provided by the provisions of the Critical Infrastructure Information Act of 2002 in the case of written information. In the case of oral information, the submitter must provide a comparable written statement within 15 calendar days of the oral submission.
- Additionally accompanied by a written certification indicating the following: (1) the information is being voluntarily submitted for purposes of the CII Act; (2) the information is being submitted in place of independent compliance with a federal legal requirement; (3) whether the information is required to be submitted to a federal agency; and (4) and the information is not of a type customarily in the public domain.
Acknowledgment of Receipt
- Only the Protected Program Manager or the Managers designee(s) are authorized to acknowledge receipt of and validate information as Protected CII.
- All information submitted in accordance with the procedures in the interim rule will be presumed to be Protected CII and treated accordingly (including being clearly marked as Protected CII), unless and until such time as the Protected Program Manager or the Manager designee(s) render a final decision that the information is not Protected CII.
- The Protected CII Program Manager of the Managers designee(s) must acknowledge receipt of information submitted as CII and in doing so is required to: (1) contact the submitter within 30 calendar days of receipt; (2) maintain a database of information submitted including the name of the submitter, tracking number and validation status; and (3) provide the submitter with a tracking number.
- If the Protected CII Program Manager or the Managers designee(s) make an initial determination that the information submitted does not meet the requirements of Protected CII, they must notify the submitter. The notification must: (1) request that the submitter further explain the basis for belief that the information is Protected CII; (2) advise the submitter that any additional information submitted will be reviewed before rendering a final determination; (3) provide the submitter an opportunity to withdraw the submission; (4) advise the submitter that any response must be received no later than 30 calendar days from the date of the notification; and (5) request the submitter to state, in the event the information is finally determined to not be Protected CII, whether the information should be maintained without the protections of the CII Act or be disposed of in accordance with the Federal Records Act.
- Once the final determination is made that the information is not Protected CII, if the submitter cannot be notified or the submitters response is not received in 30 calendar days after the notification, the Protected CII Program Manager or the Managers designee(s) will destroy the information in accordance with the Federal Records Act, unless it is determined that there is a need to retain it for law enforcement and/or national security reasons.
- Once information if validated, status changes (Protected CII to non-Protected CII) may take place when the submitter requests in writing that the information no longer be protected or when the Protected CII Program Manager of the Managers designee(s) determine that the information was customarily in the public domain, is publicly available through legal means, or is required to be submitted to DHS by federal law or regulation. The submitter must be informed when a change in status is made.
Safeguarding of Protected CII
- Each person who works with Protected CII is personally responsible for taking proper precautions to ensure that unauthorized persons do not gain access to it.
- When Protected CII is not in the possession of a person, it is required to be stored in a secure environment that affords it the necessary level of protection in accordance with its vulnerability and sensitivity.
- Protected CII must be transmitted only by secure means of delivery.
- Documents and material containing Protected CII may be disposed of by any method that prevents unauthorized retrieval.
- Protected CII Program Manager or the Mangers designee(s) must establish security requirements for Automated Information Systems that contain Protected CII.
Disclosure of Protected CII
- Public advisories, alerts or warnings issued to the public regarding potential threats and vulnerabilities to critical infrastructure must protect from disclosure: (1) the source of any voluntarily submitted CII that forms the basis for such warning and (2) any information that is proprietary, business sensitive, relates specifically to the submitting person or entity and is not customarily in the public domain.
- The Protected CII Program Manager or the Managers designee(s) may share Protected CII with an employee of the federal, state or local government provided that the information is shared for purposes of securing the critical infrastructure and protected systems. Sharing of such information with a state or local government entity can only be done pursuant to an express written agreement by the state or local government entity to comply with the requirements below. State and local governments receiving information marked Protected Critical Infrastructure Information may not share that information with any party or remove those markings without first obtaining authorization from the Protected CII Program Manager or the Managers designee(s). The Manager or designee(s) is responsible for obtaining written consent from the submitter. State and local governments may use Protected CII only for the purpose of protecting critical infrastructure or protected systems, or in furtherance of an investigation or the prosecution of a criminal act.
- Protected CII may be disclosed to federal contractors only if: (1) the contractor is performing services in support of the mission of DHS; (2) the contractor has signed corporate or individual confidentiality agreements; and (3) the contractor has agreed by contract to comply with all the requirements of the protected CII Program.
- There are several exemptions for disclosure of Protected CII, including: (1) in furtherance of an investigation or the prosecution of a criminal act and (2) to Congress.
- Protected CII will be treated as exempt from disclosure under FOIA.
- The procedures in the rule do not limit the ability of a state or local government entity to obtain under applicable state or local law information directly from the same person or entity voluntarily submitting information to DHS.
- Protected CII may be provided to foreign governments to the same extent and under the same conditions it may provide advisories, alerts and warnings to state and local governmental entities, or in furtherance of an investigation or in prosecution of a criminal act.
- The Protected CII Program Manager or the Mangers designee(s) may seek and obtain written consent from submitters when such consent is required under the CII Act to permit disclosure. The disclosure of Protected CII does not lose its treatment as Protected CII if the disclosure is conditioned on a limited release that is made for DHS purposes and is done in a manner that offers reasonable protection against disclosure to the general public.
Investigation and Reporting of Violations
- Persons authorized to have access to Protected CII are required to report any possible violation of security procedures, the loss or misplacement, and any unauthorized disclosure immediately to the Protected CII Program Manager or the Managers designee(s). The Manager or the Mangers designee(s) must, in turn, report incident to the IAIP Directorate Security Office and the DHS Inspector General.
- The Inspector General, Protected CII Program Manager, or IAIP Security Officer shall investigate the incident in consultation with the DHS General Counsel. If there is evidence of wrongdoing, DHS shall immediately contact the Department of Justices Criminal Division for consideration of criminal prosecution.
- If it is determined that a loss of information or an unauthorized disclosure has occurred, the Protected CII Program Manager or Managers designee(s) shall notify the submitter of the Protected CII in writing.
- Criminal and administrative penalties may be imposed on a federal government employee who knowingly publishes, divulges, or makes known to any extent not legally authorized any information protected from disclosure under the CII Act.
QUESTIONS REGARDING THE INTERIM RULE
- DHS received many comments on the proposal expressing concern regarding the
provision enabling indirect submissions. Indirect submission refers to the situation
where other federal government agencies act as conduits for submissions to DHS. Under
the proposal, a person or private sector entity would submit the CII to any federal
agency; the federal agency, in turn, would forward the information to the DHS IAIP
Directorate, pursuant to the submitters express direction. As a result of comments
received, all references to indirect submissions have been deleted in the interim rule.
After the Protected CII Program has become operational (and pending additional legal and
related analyses), DHS anticipates the development of appropriate mechanisms to allow for
indirect submissions in the final rule. What do you feel would constitute appropriate
procedures for the implementation of indirect submissions?
- Do the protections in this interim rule for CII go far enough to alleviate the
concerns of credit unions and other private sector entities in sharing such information with DHS?
Yes ______ No ______
If not, what additional protective measures should be included in the final rule? Or what could DHS do to further encourage credit unions and other private sector entities to share CII?
- Do you feel this interim rule is sufficiently flexible to allow DHS to adapt as
the Protected CII Program evolves?
Yes ______ No ______
If not, what provisions should be more flexible?
- Other comments?
Eric Richard General Counsel (202) 508-6742 firstname.lastname@example.org |
Mary Mitchell Dunn SVP & Associate General Counsel (202) 508-6736 email@example.com
Jeffrey Bloch Assistant General Counsel (202) 508-6732 firstname.lastname@example.org
Catherine Orr Senior Regulatory Counsel (202) 508-6743 email@example.com