[Federal Register Volume 68, Number 72 (Tuesday, April 15, 2003)]
[Proposed Rules]
[Pages 18524-18529]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 03-9126]



[[Page 18523]]

-----------------------------------------------------------------------

Part V

Department of Homeland Security

-----------------------------------------------------------------------

6 CFR Part 29

Procedures for Handling Critical Infrastructure Information; Proposed 
Rule

[[Page 18524]]


-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY

6 CFR Part 29

RIN 1601-AA14


Procedures for Handling Critical Infrastructure Information

AGENCY: Office of the Secretary, Homeland Security.

ACTION: Notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: This notice of proposed rulemaking establishes for Federal 
agencies the uniform procedures to implement Section 214 of the 
Homeland Security Act of 2002 regarding the receipt, care, and storage 
of Critical Infrastructure Information (CII) voluntarily submitted to 
the Federal Government. The protection of critical infrastructure 
reduces the vulnerability of the United States to acts of terrorism.

DATES: Written comments on this notice of proposed rulemaking may be 
submitted to the Department of Homeland Security on or before June 16, 
2003.

ADDRESSES: Submit written comments (preferably an original and three 
copies) to Associate General Counsel (General Law), Department of 
Homeland Security, Washington, DC 20528. Electronic comments may be 
submitted to cii.regcomments@DHS.gov.

FOR FURTHER INFORMATION CONTACT: Frank Nolan, (202) 282-8495, not a 
toll free call.

SUPPLEMENTARY INFORMATION:

I. Background

    On November 25, 2002, the President signed into law the Homeland 
Security Act (Pub. L. 107-296), which created the new Department of 
Homeland Security (DHS) and established its responsibilities. Pursuant 
to the provisions of the Act, the Department came into existence on 
January 24, 2003.
    The responsibilities of the Department include the taking of action 
to prevent terrorist attacks within the United States and to reduce the 
vulnerability of the United States to acts of terrorism. The reduction 
of that vulnerability includes the protection of vital physical or 
computer-based systems and assets, collectively referred to as 
``critical infrastructure,'' the incapacitation or destruction of which 
would have a debilitating impact on national security, national 
economic security, national public health or safety, or any combination 
of these matters. The Department of Homeland Security recognizes the 
importance of receiving information from those with direct knowledge on 
the security of that critical infrastructure in order to reduce the 
vulnerability of this critical infrastructure to acts of terrorism.
    The Department recognizes that its receipt of information 
pertaining to the security of critical infrastructure, much of which is 
not customarily within the public domain, is best encouraged through 
the assurance that such information will be utilized for securing the 
United States and will not be disseminated to the general public. 
Accordingly, section 214 of the Homeland Security Act, subtitle B of 
Title 2, which is referenced as the Critical Infrastructure Information 
Act of 2002 (``CII Act''), provides for the establishment of a critical 
infrastructure protection program that protects from disclosure to the 
general public any critical infrastructure information which the public 
may voluntarily provide to the Department.
    Although the Homeland Security Act establishes a working definition 
of critical infrastructure information, the Department relies upon the 
discretion of the submitter as to whether the volunteered information 
meets the definition of critical infrastructure information. These 
procedures establish how critical infrastructure information 
volunteered by the public will be protected pursuant to section 214 of 
the Homeland Security Act.

II. Notice of Proposed Rulemaking

    This notice of proposed rulemaking establishes the procedures for 
protecting critical infrastructure information which are referenced in 
section 214(e) of the CII Act of 2002.
    This regulation establishes uniform procedures for the receipt, 
care, and storage of Critical Infrastructure Information (CII) 
voluntarily provided to the Federal Government by the public. These 
procedures apply to all Federal agencies that receive, care for, or 
store CII that is voluntarily submitted to the Federal Government 
pursuant to the CII Act of 2002. 6 U.S.C. 130, et seq. In addition, 
these procedures apply to United States Government contractors, to 
Foreign, State, and local governments, and to government authorities, 
pursuant to their express agreements.

III. Procedural Requirements

    In recognition of the importance of these procedures, the 
Department is providing this notice of proposed rulemaking of uniform 
procedures for the receipt, care, and storage of voluntarily submitted 
CII. As these procedures will affect Federal, State, and local 
governments and entities, the Department recognizes the importance of 
providing the opportunity for comment upon these procedures by both the 
government and private sector.

Executive Order 12866

    It has been determined that this rulemaking is a significant 
regulatory action for purposes of section 3(f)(4) of Executive Order 
12866. This rulemaking is, however, not considered an economically 
significant regulatory action for the purposes of Executive Order 
12866. This rulemaking has been reviewed and approved by the Office of 
Management and Budget.

Regulatory Flexibility Act Certification

    Because no notice of proposed rulemaking is required, the 
provisions of the Regulatory Flexibility Act (5 U.S.C. chapter 6) do 
not apply.

Paperwork Reduction Act of 1995

    OMB does not consider nonspecific or nondirective reporting--such 
as the information requested in the rule--that the respondent wishes to 
provide on a specific topic without further specification being sought 
to be subject to the Paperwork Reduction Act.

List of Subjects in 6 CFR Part 29

    Classified information, Confidential business information, 
Reporting and recordkeeping requirements.

Authority and Issuance

    For the reasons set forth above, 6 CFR is proposed to be amended by 
adding part 29 to read as follows:

PART 29--CRITICAL INFRASTRUCTURE INFORMATION

Sec.
29.1 Purpose and scope.
29.2 Definitions.
29.3 Effect of provisions.
29.4 Critical Infrastructure Information Program administration.
29.5 Authority to receive Critical Infrastructure Information.
29.6 Acknowledgment, validation, and marking of receipt.
29.7 Safeguarding of protected Critical Infrastructure Information.
29.8 Disclosure of information.
29.9 Investigation and reporting of violation of CII procedures.

    Authority: Pub. L. 107-296, 116 Stat. 2135 (6 U.S.C. 1 et seq.); 
5 U.S.C. 301.


Sec.  29.1  Purpose and Scope.

    (a) Purpose. This part implements Section 214 of Title II, Subtitle 
B, of the Homeland Security Act of 2002 through the establishment of 
uniform procedures for the receipt, care, and storage of Critical 
Infrastructure Information (CII)
voluntarily submitted to the Federal Government. Title II, Subtitle B, 
of the Homeland Security Act is referred to herein as the CII Act of 
2002. It is Department of Homeland Security (DHS) policy to encourage 
the voluntary submission of CII by protecting that information from 
unauthorized disclosure to the fullest extent permitted by law. As 
required by the CII Act of 2002, the procedures established herein 
include mechanisms regarding:
    (1) The acknowledgement of receipt by a Federal agency of critical 
infrastructure information voluntarily submitted to the Federal 
Government;
    (2) The maintenance of the identification of critical 
infrastructure information voluntarily submitted to the Federal 
Government for purposes of and subject to the provisions of the CII Act 
of 2002;
    (3) The receipt, care, storage, and proper marking of the 
information as Protected CII;
    (4) The protection and maintenance of the confidentiality of such 
information that permits the sharing of such information within the 
Federal Government and with Foreign, State, and local governments; and
    (5) The issuance of notices and warnings related to the protection 
of critical infrastructure and protected systems in such a manner to 
protect from public disclosure the identity of the submitting person or 
entity, as well as information that is proprietary, business-sensitive, 
relates specifically to the submitting person or entity, and/or is not 
appropriately in the public domain.
    (b) Scope. These procedures apply to all Federal agencies that 
receive, care for, or store CII voluntarily submitted to the Federal 
Government pursuant to the CII Act of 2002. In addition, these 
procedures apply to United States Government contractors, to Foreign, 
State, and local governments, and government authorities, pursuant to 
their express agreements.


Sec.  29.2  Definitions.

    For purposes of this part:
    (a) Critical Infrastructure has the same definition as described in 
section 2 of the Homeland Security Act of 2002, and means systems and 
assets, whether physical or virtual, so vital to the United States that 
the incapacity or destruction of such systems and assets would have a 
debilitating impact on security, national economic security, national 
public health or safety, or any combination thereof.
    (b) Critical Infrastructure Information or CII means information 
not customarily in the public domain and related to the security of 
critical infrastructure or protected systems. CII consists of records 
or information concerning:
    (1) Actual, potential, or threatened interference with, attack on, 
compromise of, or incapacitation of critical infrastructure or 
protected systems by physical or computer-based attack or other similar 
conduct (including the misuse of or unauthorized access to all types of 
communications and data transmission systems) that violates Federal, 
State, or local law, harms the interstate commerce of the United 
States, or threatens public health or safety;
    (2) The ability of any critical infrastructure or protected system 
to resist such interference, compromise, or incapacitation, including 
any planned or past assessment, projection, or estimate of the 
vulnerability of critical infrastructure or a protected system, 
including security testing, risk evaluation thereto, risk management 
planning, or risk audit; or
    (3) Any planned or past operational problem or solution regarding 
critical infrastructure or protected systems, including repair, 
recovery, reconstruction, insurance, or continuity, to the extent it is 
related to such interference, compromise, or incapacitation.
    (c) Critical Infrastructure Information Program or ``CII Program'' 
means the maintenance, management, and review of these procedures and 
of the information provided to DHS in expectation of the protections 
provided by the CII Act of 2002.
    (d) Information Sharing and Analysis Organization or ISAO means any 
formal or informal entity or collaboration created or employed by 
public or private sector organizations, for purposes of:
    (1) Gathering and analyzing critical infrastructure information in 
order to better understand security problems and interdependencies 
related to critical infrastructure and protected systems to ensure the 
availability, integrity, and reliability thereof;
    (2) Communicating or disclosing critical infrastructure information 
to help prevent, detect, mitigate, or recover from the effects of an 
interference, compromise, or an incapacitation problem related to 
critical infrastructure or protected systems; and
    (3) Voluntarily disseminating critical infrastructure information 
to its members, Federal, State, and local governments, or any other 
entities that may be of assistance in carrying out the purposes 
specified in paragraphs (d)(1) and (d)(2) of this section.
    (e) Local Government has the same meaning as established in section 
2 of the Homeland Security Act of 2002, and means:
    (1) A county, municipality, city, town, township, local public 
authority, school district, special district, intrastate district, 
council of governments (regardless of whether the council of 
governments is incorporated as a nonprofit corporation under State 
law), regional or interstate government entity, or agency or 
instrumentality of a local government;
    (2) An Indian tribe or authorized tribal organization, or in Alaska 
a Native village or Alaska Regional Native Corporation; and
    (3) A rural community, unincorporated town or village, or other 
public entity.
    (f) Protected Critical Infrastructure Information or Protected CII 
means CII (including the identity of the submitting person or entity) 
that is voluntarily submitted to DHS for its use regarding the security 
of critical infrastructure and protected systems, analysis, warning, 
interdependency study, recovery, reconstitution, or other informational 
purpose, when accompanied by an express statement as described in Sec.  
29.5 of this chapter. This information maintains its protected status 
unless the CII Program Manager renders a final decision that the 
information is not Protected CII.
    (g) Protected System means any service, physical or computer-based 
system, process, or procedure that directly or indirectly affects the 
viability of a facility of critical infrastructure and includes any 
physical or computer-based system, including a computer, computer 
system, computer or communications network, or any component hardware 
or element thereof, software program, processing instructions, or 
information or data in transmission or storage therein, irrespective of 
the medium of transmission or storage.
    (h) Purpose has the meaning as described in section 214(a)(1) of 
the CII Act of 2002, and includes the security of critical 
infrastructure and protected systems, analysis, warning, 
interdependency study, recovery, reconstitution, or other informational 
purpose.
    (i) Submission to DHS as referenced in these procedures means any 
transmittal of CII from any entity to DHS. The CII may be provided to 
DHS either directly or indirectly via another Federal agency, which, 
upon receipt of the CII, will forward it to DHS.
    (j) Voluntary or Voluntarily, when used in reference to any 
submission of
CII to DHS, means submitted in the absence of DHS's exercise of legal 
authority to compel access to or submission of such information; such 
submission may be accomplished by (i.e. come from) a single entity or 
an ISAO on behalf of itself or its members. The term does not include 
information or statements submitted or relied upon as a basis for 
making licensing or permitting determinations, or during regulatory 
proceedings. In the case of any action brought under the securities 
laws--as defined in section 3(a)(47) of the Securities Exchange Act 
of 1934 (15 U.S.C. 78c(a)(47))--the term ``voluntary'' does not include 
information or statements contained in any documents or materials 
filed, pursuant to section 12(i) of the Securities Exchange Act of 1934 
(15 U.S.C. 78l(i)) with the Securities and Exchange Commission or with 
Federal banking regulators; and with respect to the submission of CII, 
it does not include any disclosure or writing that when made 
accompanied the solicitation of an offer or a sale of securities.


Sec.  29.3  Effect of provisions.

    (a) Freedom of Information Act access and mandatory submissions of 
information. The CII Act of 2002 and these procedures do not apply to 
or affect any requirement pertaining to information that must be 
submitted to a Federal agency or pertaining to the obligation of any 
Federal agency to disclose such information under the Freedom of 
Information Act. Similarly, the CII Act of 2002 and these procedures do 
not apply to any information that is submitted to a Federal agency 
pursuant to any legal requirement. The fact that a person or entity has 
voluntarily submitted information pursuant to the CII Act of 2002 does 
not constitute compliance with any requirement to submit that 
information or any other such information to a Federal agency under any 
other provision of law. Moreover, when information is required to be 
submitted to a Federal agency to satisfy a provision of law, it is not 
to be marked by the submitter, by DHS, or by any other party, as 
submitted or protected under the CII Act of 2002 or to be otherwise 
afforded the protections of the CII Act of 2002.
    (b) Freedom of Information Act disclosure exemptions. Information 
that is separately exempt from disclosure under the Freedom of 
Information Act or applicable State or local law does not lose its 
separate exemption protection due to the applicability of these 
procedures or any failure to follow them.
    (c) Restriction on use of protected CII by regulatory and other 
federal agencies. No Federal agency shall request, obtain, maintain, or 
use information protected under the CII Act of 2002 as a substitute for 
the exercise of its own legal authority to compel access to or 
submission of such information. Federal agencies shall not utilize CII 
for regulatory purposes without the written consent of the submitter.
    (d) Independently obtained information. These procedures shall not 
be construed to limit or in any way affect the ability of a Federal, 
State, or local Government entity, agency, or authority, or any third 
party, under applicable law, to obtain information by means of a 
different law, regulation, rule, or other authority.
    (e) No private rights or privileges. Nothing contained in these 
procedures is intended to confer any substantive or procedural right or 
privilege on any person or entity. Nothing in these procedures shall be 
construed to create a private right of action for enforcement of any 
provision of these procedures or a defense to noncompliance with any 
independently applicable legal obligation.


Sec.  29.4  Critical Infrastructure Information Program administration.

    (a) IAIP Directorate Program Management. The Secretary of the 
Department of Homeland Security shall designate the Under Secretary of 
the Information Analysis Infrastructure Protection (IAIP) Directorate 
as the senior DHS official responsible for the direction and 
administration of the Critical Infrastructure Information Program.
    (b) Appointment of CII Program Manager. The Under Secretary of IAIP 
shall:
    (1) Appoint a CII Program Manager within the IAIP Directorate to 
direct and administer the CII Program;
    (2) Commit necessary resources to the effective implementation of 
the CII Program; and
    (3) Promulgate implementing directives and prepare training 
materials as necessary for the proper treatment of Protected CII.
    (c) Appointment of CII Officers. The CII Program Manager shall 
establish procedures to ensure that any DHS component or other entity 
that works with Protected CII appoints one or more employees to serve 
as a CII Officer for the activity in order to provide proper management 
and oversight. Persons appointed to these positions shall be fully 
familiar with these procedures.
    (d) Responsibilities of a CII Officer. The CII Officer shall:
    (1) Oversee the storage and handling of Protected CII;
    (2) Establish and maintain an ongoing self-inspection program, to 
include periodic review and assessment of the entity's storage, 
handling, and use of Protected CII;
    (3) Establish additional procedures as necessary to prevent 
unauthorized access to Protected CII; and
    (4) Ensure prompt and appropriate coordination with the CII Program 
Manager regarding any request, appeal, challenge, complaint, or 
suggestion arising out of the implementation of these procedures.
    (e) Critical Infrastructure Information Management System (CIIMS). 
The CII Program Manager shall develop and use an electronic database, 
to be known as the ``Critical Infrastructure Information Management 
System'' (CIIMS), to record the receipt, acknowledgement, validation, 
storage, destruction, and disclosure of Protected CII. This compilation 
of CII shall be protected by the provisions of the CII Act of 2002.


Sec.  29.5  Authority to receive Critical Infrastructure Information.

    (a) The Secretary of Homeland Security shall designate the DHS IAIP 
Directorate as the sole entity authorized to acknowledge and validate 
the receipt of Protected CII.
    (b) CII shall receive the protections of section 214 of the CII Act 
of 2002 only when:
    (1) Such information is voluntarily submitted either directly to 
the IAIP Directorate or indirectly to the DHS IAIP Directorate by 
submitting it to any Federal agency which then, pursuant to the 
submitter's express direction, forwards the information to the DHS IAIP 
Directorate;
    (2) The information is submitted for use by DHS for the security of 
critical infrastructure and protected systems, analysis, warning, 
interdependency study, recovery, reconstitution, or other informational 
purposes, as evidenced below; and
    (3) The information is accompanied by an express statement as 
follows:
    (i) In the case of written information or records, through a 
written marking on the information or records substantially similar to 
the following: ``This information is voluntarily submitted to the 
Federal Government in expectation of protection from disclosure as 
provided by the provisions of the Critical Infrastructure Information 
Act of 2002''; or
    (ii) In the case of oral information, within fifteen (15) calendar 
days of the
oral submission, through a written statement similar to the one above 
accompanied by a written or otherwise tangible version of the oral 
information initially provided.
    (c) Information that is not submitted to the CII Program Manager, 
either directly by the submitter or indirectly through another Federal 
agency by request of the submitter, will not qualify for protection 
under the CII Act of 2002. Any Federal agency or DHS component, other 
than the IAIP Directorate, that receives information with a request for 
protection under the CII Act of 2002 shall forward the information to 
the CII Program Manager. Only the CII Program Manager, or the Program 
Manager's designee, is authorized to acknowledge and validate the 
receipt of Protected CII.
    (d)(1) Federal agencies, or DHS components other than the IAIP 
Directorate, shall maintain information as protected by the provisions 
of the CII Act of 2002 only:
    (i) When that information is provided to the agency or component by 
the CII Program Manager, or his designee, and is marked ``Protected 
CII''; or
    (ii) When the information is provided to the agency or component by 
the submitter pursuant to paragraph (b) of this section, that 
information is forwarded to the CII Program Manager pursuant to 
paragraph (c) of this section, and the CII Program Manager acknowledges 
and validates the information as ``Protected CII'' and authorizes the 
agency or component to mark the information as ``Protected CII''.
    (2) The Federal agency or DHS component forwarding the information 
to the CII Program Manager may not disseminate, distribute, or make 
public the information until the CII Program Manager has notified the 
agency or component that the Program Manager has acknowledged and 
validated the information.


Sec.  29.6  Acknowledgment, validation, and marking of receipt.

    (a) Authorized official. Only the CII Program Manager, or the 
Program Manager's designee, is authorized to acknowledge and validate 
the receipt of information as Protected CII.
    (b) Presumption of Protection. All information submitted in 
accordance with the procedures set forth herein will be presumed to be 
treated as Protected CII from the time the information is received by a 
Federal agency or DHS component. The information shall remain protected 
unless and until the CII Program Manager renders a final decision that 
the information is not Protected CII.
    (c) Marking of information. In addition to markings made by 
submitters of CII pursuant to Sec.  29.5(b), all Protected CII shall be 
clearly identified through markings made by the CII Program Manager. 
The CII Program Manager shall mark CII materials as follows: 
``Protected Critical Infrastructure Information.''
    (d) Acknowledgement of receipt of information. The CII Program 
Manager, or the Program Manager's designee, shall acknowledge receipt 
of information submitted as Protected CII, and in so doing shall:
    (1) Contact the submitter, by the means specified in Sec.  29.7(e), 
within thirty (30) days of receipt;
    (2) Maintain a database including date of receipt, name of 
submitter, description of information, and date and manner of 
acknowledgment; and
    (3) At a minimum, provide the submitter with a unique tracking 
number whenever the information is provided to the CII Program Manager 
electronically by submission through an internet-enabled DHS on-line 
incident reporting form.
    (e) Validation of information. (1) The CII Program Manager shall be 
responsible for reviewing all submissions that request protection under 
the CII Act of 2002. The Program Manager shall review the submitted 
information to validate the satisfaction of the definition of CII as 
established by law. In making this initial validation determination, 
the Program Manager shall give deference to the submitter's expectation 
that the information qualifies for protection. However, if the Program 
Manager makes an initial determination that some or all of the 
information submitted does not meet the requirements for protection 
under the CII Act of 2002, the CII Program Manager shall:
    (i) Notify the submitter of the initial determination that the 
information is not considered to be Protected CII. This notification 
also shall:
    (A) Request that the submitter further explain the nature of the 
information and the submitter's basis for believing the information 
qualifies for protection under the CII Act of 2002;
    (B) Advise the submitter that the CII Program Manager will review 
any further information provided before rendering a final 
determination;
    (C) Notify the submitter that any response to the notification must 
be received by the CII Program Manager no later than thirty (30) days 
after the date of the notification; and
    (D) Request the submitter to state whether, in the event the CII 
Program Manager makes a final determination that any such information 
is not Protected CII, the submitter prefers that the information be 
maintained without the protections of the CII Act of 2002 or be 
disposed of in accordance with the Federal Records Act.
    (ii) If the CII Program Manager makes a final determination that 
the information is not Protected CII, the Program Manager, per the 
submitter's stated preference, shall either maintain the information 
without the protections of the CII Act of 2002 or dispose of it in 
accordance with the Federal Records Act. If the submitter, however, 
cannot be notified or the submitter's response is not received within 
thirty (30) days after the submitter received the notification, the 
Program Manager shall destroy the information in accordance with the 
Federal Records Act unless the Program Manager determines that there is 
a need to retain it for law enforcement and/or national security 
reasons.
    (2) [Reserved]
    (f) In the event the CII Program Manager determines that any 
information is not submitted in good faith accordance with the CII Act 
of 2002 and these procedures, the Program Manager is not required to 
notify the submitter that the information does not qualify as Protected 
CII. This is the only exception to the notice requirement of these 
procedures.
    (g) Changing the status of CII to Non-CII. Only the CII Program 
Manager or the Program Manager's designee may change the status of 
Protected CII to non-Protected CII and remove its Protected CII 
markings.


Sec.  29.7  Safeguarding of protected Critical Infrastructure 
Information.

    (a) All persons granted access to Protected CII are responsible for 
safeguarding all such information in their possession or control. 
Protected CII shall be protected at all times either by appropriate 
storage or having it under the personal observation and control of a 
person authorized by the CII Officer to receive it. Each person who 
works with Protected CII is personally responsible for taking proper 
precautions to ensure that unauthorized persons do not gain access to 
it.
    (b) Use and storage. During working hours, reasonable steps shall 
be taken to minimize the risk of access to Protected CII by 
unauthorized personnel. After working hours, Protected CII shall be 
stored in a secure container, such as a locked desk or file cabinet, or 
in a facility where Government or Government-contract security is 
provided.
    (c) Reproduction. A document or material containing Protected CII 
may
be reproduced to the minimum extent necessary consistent with the need 
to carry out official duties, provided that the reproduced material is 
marked and protected in the same manner as the original material.
    (d) Disposal of information. Material containing Protected CII 
shall be disposed of by any method that prevents unauthorized 
retrieval.
    (e) Transmission of information. Protected CII shall be transmitted 
only by U.S. first class, express, certified, or registered mail, or 
through secure electronic means.
    (f) Automated Information Systems that contain CII shall comply 
with the requirements of the Federal Information Security Management 
Act of 2002, 44 U.S.C. 3531-3538, implementing policy, and Office of 
Management and Budget Circular No. A-130, Appendix III.


Sec.  29.8  Disclosure of information.

    (a) Authorization of access. The Under Secretary of IAIP, or his or 
her designee, may choose to provide or authorize access to Protected 
CII when it is determined that this access supports a lawful and 
authorized Government purpose as enumerated in the CII Act of 2002, 
other law, regulation, or legal authority.
    (b) Federal, State and Local Government access. The CII Program 
Manager may provide Protected CII to an employee of the Federal 
Government, or of a State or local government, provided that such 
information is shared for purposes of securing the critical 
infrastructure and protected systems, analysis, warning, 
interdependency study, recovery, reconstitution, or for another 
informational purpose relating to homeland security. Protected CII may 
be made available to a State or local government entity only pursuant 
to its express agreement with the Program Manager that acknowledges the 
understanding and responsibilities of the recipient.
    (c) Disclosure of information to Federal contractors. Disclosure of 
Protected CII to Federal contractors may be made after a CII Officer 
certifies that the contractor is performing services in support of the 
purposes of DHS. The contractor shall safeguard Protected CII in 
accordance with these procedures. Contractors shall not further 
disclose Protected CII to any of their components, employees, or other 
contractors (including subcontractors) without the prior written 
approval of a CII Officer unless such disclosure is expressly 
authorized in writing by the submitter.
    (d) Further use or disclosure of information by State and Local 
governments. (1) State and local governments receiving information 
marked ``Protected Critical Infrastructure Information'' shall not 
disclose that information to any other party, or remove any CII 
markings, without first obtaining authorization from the CII Program 
Manager, who shall be responsible for requesting and obtaining written 
consent for any such State or local government disclosure from the 
person or entity that submitted the information.
    (2) The CII Program Manager may not authorize State and local 
governments to further disclose or distribute the information to 
another party unless the Program Manager first obtains the written 
consent of the person or entity submitting the information.
    (3) State and local governments may use Protected CII only for the 
purpose of protecting critical infrastructure or protected systems, or 
in furtherance of an investigation or the prosecution of a criminal 
act.
    (e) Disclosure of information to appropriate entities and the 
general public. The IAIP Directorate may provide advisories, alerts, 
and warnings to relevant companies, targeted sectors, other government 
entities, or the general public regarding potential threats to critical 
infrastructure as appropriate. In issuing a warning, the IAIP 
Directorate shall protect from disclosure the source of any voluntarily 
submitted CII that forms the basis for the warning; and any information 
that is proprietary, business-sensitive, relates specifically to the 
submitting person or entity, or is otherwise not appropriately in the 
public domain.
    (f) Access by Congress and whistleblower protection. (1)(i) 
Pursuant to section 214(a)(1)(D) of the Homeland Security Act, 
Protected CII shall not, without the written consent of the person or 
entity submitting such information, be used or disclosed by any officer 
or employee of the United States for purposes other than the purposes 
of the CII Act of 2002, except--
    (A) In furtherance of an investigation or the prosecution of a 
criminal act; or
    (B) When disclosure of the information is made--
    (1) To either House of Congress, or to the extent of matter within 
its jurisdiction, any committee or subcommittee thereof, any joint 
committee thereof or subcommittee of any such joint committee; or
    (2) To the Comptroller General, or any authorized representative of 
the Comptroller General, in the course of the performance of the duties 
of the General Accounting Office.
    (ii) If any disclosure is made pursuant to these exceptions, prior 
written authorization must be obtained, in consultation with the DHS 
Office of the General Counsel, from the DHS Secretary, DHS Deputy 
Secretary, Under Secretary for IAIP, the DHS Inspector General, or the 
CII Program Manager.
    (2) Consistent with the authority to disclose information for any 
purpose described in Sec.  29.2(h), disclosure of Protected CII may be 
made, without the written consent of the person or entity submitting 
such information, to the DHS Inspector General, or to any other 
employee designated by the Secretary of Homeland Security. Disclosure 
may be made by any officer or employee of the United States who 
reasonably believes that such information:
    (i) Evidences an employee's or agency's conduct in violation of 
criminal law, or any other law, rule, or regulation, affecting or 
relating to the protection of the critical infrastructure and protected 
systems, analysis, warning, interdependency study, recovery, or 
reconstitution; or
    (ii) Evidences mismanagement, a gross waste of funds, an abuse of 
authority, or a substantial and specific danger to public health or 
safety affecting or relating to the protection of the critical 
infrastructure and protected systems, analysis, warning, 
interdependency study, recovery, or reconstitution.
    (3) Disclosures of the above nature are authorized by law and 
therefore are not subject to penalty under section 214(f) of the 
Homeland Security Act of 2002.
    (g) Responding to requests made under the Freedom of Information 
Act or State/local information access laws. (1) Protected CII shall be 
treated as exempt from disclosure under the Freedom of Information Act 
and, if provided by the CII Program Manager, or the Program Manager's 
designee, to a State or local government agency, entity or authority, 
or an employee or contractor thereof, shall not be made available 
pursuant to any State or local law requiring disclosure of records or 
information. Any Federal, State, or local government agency with 
questions regarding the protection of Protected CII from public 
disclosure shall contact the CII Program Manager, who may in turn 
consult with the DHS Office of the General Counsel.
    (2) These procedures do not limit or otherwise affect the ability 
of a State or local government entity, agency, or authority to obtain 
information directly from the same person or entity voluntarily 
submitting information to
DHS. Information independently obtained by a State or local government 
entity, agency, or authority is not subject to the CII Act of 2002's 
prohibition on making such information available pursuant to any State 
or local law requiring disclosure of records or information.
    (h) Ex parte communications with decision-making officials. 
Pursuant to section 214(a)(1)(B) of the Homeland Security Act of 2002, 
Protected CII is not subject to ``any agency rules or judicial doctrine 
regarding ex parte communications with a decision-making official.''
    (i) Restriction on use of Critical Infrastructure Information in 
civil actions. Protected CII shall not, without the written consent of 
the person or entity submitting such information, be used by any 
Federal, State, or local authority, or by any third party, in any civil 
action arising under Federal or State law if such information is 
submitted in good faith for homeland security purposes.
    (j) Disclosure to foreign governments. The CII Program Manager, or 
the Program Manager's designee, may provide Protected CII to a Foreign 
Government without the written consent of the person or entity 
submitting such information to the same extent it may provide 
advisories, alerts, and warnings to other governmental entities as 
described in Sec.  29.8(e) of this chapter, or in furtherance of an 
investigation or the prosecution of a criminal act.
    (k) Obtaining written consent for further disclosure from the 
person or entity submitting information. Only the CII Program Manager, 
or the Program Manager's designee, may seek and obtain written consent 
from persons or entities submitting information when such consent is 
required under the CII Act of 2002 to permit disclosure. A person or 
entity's consent to additional disclosure, if conditioned both on a 
limited release of Protected CII for DHS's purposes and in a manner 
that offers reasonable protection against disclosure to the general 
public, shall not result in the information's loss of treatment as 
Protected CII.


Sec.  29.9  Investigation and reporting of violation of CII procedures.

    (a) All persons authorized to have access to Protected CII shall 
report any possible violations of security procedures, the loss or 
misplacement of Protected CII, and any unauthorized disclosure of 
Protected CII immediately to the CII Program Manager, who shall in turn 
report the incident to the IAIP Directorate Security Officer and to the 
DHS Inspector General.
    (b) Review and investigation of written report. The Inspector 
General, CII Program Manager, or IAIP Security Officer, shall 
investigate the incident and, in consultation with the Office of the 
General Counsel, determine whether a violation of procedures, loss of 
information, and/or unauthorized disclosure has occurred. If the 
investigation reveals any evidence of wrongdoing, DHS, through the 
Office of the General Counsel, shall immediately contact the Department 
of Justice, Criminal Division, for consideration of prosecution under 
the criminal penalty provisions of section 214(f) of the CII Act of 
2002.
    (c) Notification to originator of Protected CII. If the CII Program 
Manager or the IAIP Security Officer determines that an unauthorized 
disclosure occurred, or that Protected CII is missing, the CII Program 
Manager shall notify the submitter of the information in writing. The 
written notice shall contain a description of the incident and the date 
of disclosure, if known.
    (d) Criminal and administrative penalties. Pursuant to section 
214(f) of the Homeland Security Act of 2002, whoever, being an officer 
or employee of the United States or of any department or agency 
thereof, knowingly publishes, divulges, discloses, or makes known in 
any manner or to any extent not authorized by law, any CII protected 
from disclosure by the Homeland Security Act and coming to the officer 
or employee in the course of his or her employment or official duties 
or by reason of any examination or investigation made by, or return, 
report, or record made to or filed with, such department or agency or 
officer or employee thereof, shall be fined under Title 18 of the 
United States Code, imprisoned not more than one (1) year, or both, and 
shall be removed from office or employment.

    Dated: April 9, 2003.
Tom Ridge,
Secretary of Homeland Security.
[FR Doc. 03-9126 Filed 4-14-03; 8:45 am]
BILLING CODE 4410-10-P