DHS Proposes Rules for Critical Infrastructure Reports, Data

Published: June 01, 2003, By Sheila A. Millar, Attorney-at-Law, Keller & Heckman, Washington, DC

On April 15 the Dept. of Homeland Security (DHS) issued a Notice of Proposed Rulemaking (NPRM) to establish uniform procedures implementing Section 214 of the Homeland Security Act of 2002 [the Critical Infrastructure Information Act (CIIA) of 2002]. The CIIA governs receipt, care, and storage of Critical Infrastructure Information (CII) voluntarily submitted to the federal government. The proposed rule is of interest to converters, suppliers, and their customers as it will apply to all federal agencies receiving CII, including (among others) the Dept. of Health and Human Services (HHS) and the EPA.

The CIIA reflects longstanding policies to protect critical infrastructures. A Presidential Commission on Critical Infrastructure Protection issued a report in October 1997 describing infrastructure security vulnerabilities and recommending industry cooperation, an organizational structure to address infrastructure threats, information-sharing, R&D, and education. This was followed by Presidential Decision Directive (PDD) 63 in 1998, which encouraged the creation of Information Sharing Analysis Centers (ISACs) for eight key industry sectors and established organizational bodies within the federal government to address infrastructure threats.

Two Executive Orders issued shortly after 9/11 established an Office of Homeland Security in the White House and continued PDD 63 activities. A national strategy document issued in July 2002 added four additional industry sectors to the PDD 63 list, including agriculture, food, chemicals and hazardous materials, and postal and shipping.

The HSA and CIIA elevated the federal homeland security operation to cabinet status while continuing to promote public/private partnerships and information-sharing about cyber and physical threats. To foster voluntary reporting, the CIIA exempts CII from Freedom of Information Act (FOIA) disclosure or rules on ex parte communications; limits the use federal or other agencies can make of protected CII; and limits civil actions for CII submitted voluntarily for homeland security purposes.

The NPRM establishes that “Protected CII” (including the identity of the submitter) remains protected unless the CII program manager renders a final decision that the information is not Protected CII. The Act and the proposed procedures, however, do not apply to or affect information required to be submitted to a federal agency, any government agency's obligation to disclose such information, or any agency's right to obtain information from submitters on matters within its jurisdiction.

So, otherwise reportable information is not exempt from reporting (and potentially public disclosure) by marking it CII, e.g., data required to be submitted under right-to-know laws or the Bioterrorism Act.

Under the NPRM, the DHS Information Analysis Infrastructure Protection (IAIP) Directorate is the sole entity authorized to acknowledge and validate receipt of Protected CII. To obtain Protected CII status for submitted information, documents must be marked with the following (or a similar) legend: “This information is submitted voluntarily to the federal government in expectation of protection from disclosure as provided by the provisions of The Critical Infrastructure Information Act of 2002.” A written statement bearing the legend must be submitted within 15 days of submission of an oral report.

The CII program manager is responsible for marking CII materials as “Protected Critical Infrastructure Information” and for verifying submissions meet the definition. If the program manager determines the information submitted does not meet the requirements, he must notify the submitter, request additional explanation (which must be submitted within 30 days), and ask the submitter to specify whether, in the event a final determination is made that the information is not Protected CII, the submitter prefers the information be maintained without the protections of the CIIA or be disposed of in accordance with the Federal Records Act.

It will be important for any member of the converting industry who participates in an ISAC or who otherwise may be reporting CII to understand the final requirements to protect CII.

Sheila A. Millar, a partner with Keller and Heckman LLP, counsels both corporate and association clients. Contact her at 202/434-4143; This email address is being protected from spambots. You need JavaScript enabled to view it.; PackagingLaw.com