[Federal Register Volume 81, Number 77 (Thursday, April 21, 2016)]
[Proposed Rules]
[Pages 23442-23445]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-09186]
DEPARTMENT OF HOMELAND SECURITY
Office of the Secretary
6 CFR Part 29
RIN 1601-AA77
Updates to Protected Critical Infrastructure Information Program
AGENCY: National Protection and Programs Directorate, DHS.
ACTION: Advance notice of proposed rulemaking.
-----------------------------------------------------------------------
SUMMARY: The Department of Homeland Security (DHS) proposes to update
its procedures for accepting Critical Infrastructure Information (CII)
as a step towards meeting the challenges of evolving technology and
identifying ways to make the PCII Program's protective measures more
effective for information-sharing partnerships between the government
and the private sector. The Critical Infrastructure Information Act of
2002 authorizes DHS to establish a program to accept information
relating to critical infrastructure voluntarily submitted from the
public, owners and operators of critical infrastructure, and State,
local, tribal, and territorial governmental entities, while limiting
public disclosure of that sensitive information under the Freedom of
Information Act and other laws, rules, and processes. To implement this
authority, DHS issued the ``Procedures for Handling Critical
Infrastructure Information'' Final Rule in 2006. This Advance Notice of
Proposed Rulemaking (ANPRM) provides an opportunity for DHS to hear and
consider, during the development of new regulations to update DHS's
PCII program, the views of the private and public sector, and other
interested members of the public on their recommendations for program
modifications, particularly subject matter areas that have developed
significantly since the issuance of the initial rule, such as automated
information sharing.
DATES: Written comments must be submitted on or before July 20, 2016.
ADDRESSES: You may submit comments, identified by one of the following
methods:
Federal eRulemaking Portal: http://www.regulations.gov.
Follow the instructions for submitting comments.
Mail: U.S. Department of Homeland Security, National
Protection and Programs Directorate, Office of Infrastructure
Protection, Infrastructure Information Collection Division, 245 Murray
Lane SW., Mail Stop 0602, Washington, DC 20528-0602.
FOR FURTHER INFORMATION CONTACT: Emily R. Hickey, Deputy Program
Manager, by phone at (703) 235-9522 or by mail at Protected Critical
Infrastructure Information Program, Office of Infrastructure
Protection, Infrastructure Information Collection Division, 245 Murray
Lane SW., Mail Stop 0602, Washington, DC 20528-0602.
SUPPLEMENTARY INFORMATION:
Abbreviations and Terms Used in This Document
ANPRM--Advance Notice of Proposed Rulemaking
CFR--Code of Federal Regulations
CII--Critical Infrastructure Information
CII Act of 2002--Critical Infrastructure Information Act of 2002
DHS--Department of Homeland Security
PCII--Protected Critical Infrastructure Information
I. Background
The Department of Homeland Security receives sensitive information
about the nation's critical infrastructure through its congressionally-
mandated PCII Program. The PCII Program provides a secure environment
for the private sector, government analysts, and other subject matter
experts to share information that is vital to addressing concerns
across all critical infrastructure sectors. The Critical Infrastructure
Information Act of 2002 (Sections 211-215, Title II, Subtitle B of the
Homeland Security Act of 2002, Pub. L. 107-296) (CII Act of 2002)
established the PCII Program, which assures owners and operators that
the information they voluntarily submit is protected from public
disclosure. Only trained PCII Authorized Users, with a specific ``need-
to-know'', can access PCII and use it only for homeland security
purposes. In accordance with the CII Act of 2002, on September 1, 2006,
DHS issued the PCII Program Final Rule (71 FR 52271, codified at 6 CFR
part 29). This rule established procedures that govern the receipt,
validation, handling, storage, marking, and use of critical
infrastructure information voluntarily submitted to DHS. The procedures
are applicable to all Federal, State, local, tribal, and territorial
government agencies and contractors that have access to, handle, use,
or store critical infrastructure information that enjoys protection
under the CII Act of 2002.
After 10 years of operation, changes are needed to transition the
management of submissions, access, use, dissemination, and safeguarding
of PCII to state-of-the-art technology that operates within an
electronic environment. Throughout this ANPRM DHS discusses and seeks
comment on the economic impact of transitioning the PCII Program to a
preferred electronic environment that: (1) enhances the submission and
validation process for critical infrastructure information; (2) uses
state-of-the-art technology for an automated interface for quicker
access and dissemination of PCII; (3) modifies requirements for the
express and certification statements; (4) expands the use of
categorical inclusions; (5) requires portion marking of PCII; and (6)
implements specific methods to capture and deliver metadata to the PCII
Program.
This ANPRM also seeks comment on proposals to revise the overall
approach for: (1) Automated submissions and an expansion of categorical
inclusions, (2) marking PCII, (3) sharing PCII with foreign
governments, (4) regulatory access, (5) safeguarding, (6) oversight and
compliance, (7) alignment with other information protection programs,
and (8) the administration of PCII at the State, local, tribal, and
territorial level.
The CII Act of 2002 requires that all voluntary submissions
(physical and electronic) of CII for which protection is requested,
whether submitted to DHS directly or indirectly, include an ``express
statement'' and a ``certification statement'' with each submission. The
``express statement'' informs the PCII Program Office that the
information in question is being voluntarily submitted
to the Federal government in expectation of protection from disclosure
as provided by the provisions of the CII Act of 2002. The
``certification statement'' includes the submitter's contact
information and certifies that the information in question is not
customarily in the public domain and is not being submitted in lieu of
complying with a regulatory requirement. This ANPRM seeks comments on
automating the submission process so that the transition to a preferred
electronic environment captures the ``express statement'' and
``certification statement'' in an efficient manner.
Additionally, the ANPRM seeks comments on expanding submissions of
CII through categorical inclusions and developing a consistent method
for collecting the metadata on those categorical inclusions.
``Categorical inclusions'' are a means of creating a class of
presumptively valid information, thus expediting the process of
acceptance as PCII. The PCII Program Manager has the discretion to
declare certain subject matter or types of information categorically
protected as PCII and to set procedures for the receipt and processing
of that information. CII submitted within a categorical inclusion will
be considered validated upon receipt by the PCII Program Office or any
of the Designees without further review, provided the submitter
includes an ``express statement'' and the PCII Program Manager has pre-
validated that type of information as PCII. The PCII Program Manager
must appoint a Designee before an entity can establish a categorical
inclusion. Currently, only Federal entities or systems or programs
managed and overseen by a Federal employee can make use of the
categorical inclusion.
The regulations at 6 CFR part 29 also authorize DHS (or the PCII
Program Manager) to establish procedures to ensure that any DHS
component or other Federal, State, local, tribal, or territorial entity
that works with PCII understands and implements the policy and
procedural requirements necessary to appropriately receive, use,
disseminate, and safeguard PCII in compliance with the requirements of
the CII Act and the associated regulations. Since the publication of
the PCII Final Rule, the program has met several significant milestones
and receives ongoing nationwide participation from Federal, State,
local, tribal, and territorial partners. To date, the PCII Program has
received submissions from owners and operators across all 16 critical
infrastructure sectors whose assets, systems, and networks, whether
physical or cyber, are considered so vital to the United States that
their degradation, incapacitation or destruction would have a
debilitating effect on security, national economic security, national
public health or safety, or any combination thereof.
As the PCII Program continues to expand throughout the nation, the
PCII Program Office has to extend its efforts to perform effective
oversight and compliance, accurate identification of PCII in a variety
of materials, access and safeguarding of PCII, statistical reporting,
and the tracking of PCII shared and disseminated within the critical
infrastructure community.
II. Written Comments
A. In General
This ANPRM provides an opportunity for DHS to hear and consider the
views of owners and operators of critical infrastructure and other
interested members of the public on their recommendations for PCII
Program modifications and improvements.
DHS invites interested persons to submit written comments, data, or
views on how the current PCII Program regulations, codified at 6 CFR
part 29, ``Procedures for Handling Critical Infrastructure
Information,'' might be improved. Comments that would be most helpful
to DHS include the questions and answers identified in Part III of this
document. Please explain the reason for any comments with available
data, and include other information or authority that supports such
comments. DHS encourages interested parties to provide specific data
that documents the potential costs of modifying the existing rule
requirements pursuant to the commenter's suggestions; the potential
quantifiable benefits including security and societal benefits of
modifying the existing regulatory requirements; and the potential
impacts on small entities of modifying the existing regulatory
requirements.
DHS requests that commenters discuss potential economic impacts,
whenever possible, in terms of quantitative benefits and costs when
providing feedback on this ANPRM. DHS also requests that commenters
provide any special circumstances related to small entities or uniquely
high costs that small entities may bear.
DHS requests that commenters discuss economic impacts in as
specific terms as possible. For example, if a policy change would
necessitate additional employee training, then helpful information
would include the following: the training courses necessary; the types
of employees or contractors who would receive the training; topics
covered; any retraining necessary; and the training costs if conducted
by a third-party vendor or in-house trainer. DHS invites comment on the
time and level of expertise required to implement commenter
suggestions, even if dollar-cost estimates are not available.
DHS requests that commenters discuss economic impacts concerning
the transition of the PCII Program to a preferred electronic
environment. In addressing the transition from the paper environment to
the electronic environment, DHS encourages interested parties to
provide specific data that documents the potential costs of
transforming the PCII Program to an electronic environment. DHS is
seeking information on potential quantifiable benefits including
security and societal benefits of the transition and cost data on the
potential impact of the transition and how a preferred electronic
environment could impact the number of voluntary submittals. In
particular, DHS is seeking comment on how many potential submitters
would not have access to the internet and any costs relating to
expenses associated with obtaining internet access for those entities
without such access. This could include internet fees and any costs for
applicable software and training that would be necessary to facilitate
electronic submission of critical infrastructure information for
protection as PCII or travel costs (time and mileage costs) needed to
acquire a location with internet access. Commenters might also address
how DHS can best obtain and consider accurate, objective information
and data about the costs, burdens, and benefits of automating the PCII
Program and whether there are lower cost alternatives that would allow
DHS to achieve its goal of automating the PCII Program.
Feedback that simply states a stakeholder feels strongly that DHS
should modify the PCII Program, without including actionable data,
including how the proposed change would impact the costs and benefits
of the PCII Program, is much less useful to DHS. To help DHS organize
and review all comments, please identify the relevant provision of 6
CFR part 29 that relates to the specific comment provided (e.g., 6 CFR
29.9 (d) Criminal and administrative penalties). Commenters may comment
on topics related to the current 6 CFR part 29 not included in this
ANPRM as well as those questions posed in this ANPRM.
Written comments may be submitted electronically or by mail, as
explained previously in the ADDRESSES section of
this ANPRM. To avoid duplication, please use only one of these methods
to submit written comments.
Except as provided below, all comments received, as well as
pertinent background documents, will be posted without change to http://www.regulations.gov, including any personal information provided.
B. Handling of Proprietary or Business Sensitive Information
Interested parties are encouraged to submit comments in a manner
that avoids discussion of trade secrets, confidential commercial or
financial information, CII or PCII, or any other category of sensitive
information that should not be disclosed to the general public. If it
is not possible to avoid such discussion, however, please specifically
identify any confidential or sensitive information contained in the
comments with appropriate warning language (e.g., any PCII must be
marked and handled in accordance with the requirements of 6 CFR 29.5
through 29.7) and submit them by mail to the PCII Program Manager
listed in the FOR FURTHER INFORMATION CONTACT section.
DHS will not place any confidential or sensitive comments in the
public docket; rather, DHS will handle them in accordance with
applicable safeguards and restrictions on access. See, e.g., 6 CFR 29.5
through 29.7. See also the DHS PCII Procedures Manual (``Protected
Critical Infrastructure Information Program,'' April 2009, located on
the DHS Web site at www.dhs.gov/protected-critical-infrastructure-information-pcii-program). DHS will hold any such comments in a
separate file to which the public does not have access, and place a
note in the public docket that DHS has received such materials from the
commenter. DHS will provide appropriate access to such comments upon
request to individuals who meet the applicable legal requirements for
access to such information.
III. Questions for Commenters
The transition from a paper-based PCII Program to a preferred
electronic PCII Program must be addressed and managed on many different
and complex levels: Administratively, financially, culturally,
technologically, and institutionally. This ANPRM seeks comments on
making the transition to a preferred electronic PCII Program that is
practicable. This ANPRM's goal is to adopt solutions that streamline
workflow performance rather than continuing existing processes that are
becoming outdated.
To help DHS identify ways, if any, to improve the manner in which
it administers PCII, DHS seeks public comments on any and all aspects
of 6 CFR part 29. This ANPRM seeks comments from all interested parties
and subject matter experts and other private and public organizations
associated within the Information Technology and cyber security fields.
Areas that DHS is most interested in receiving comments on include, but
are not limited to, the following:
a. Automated Submissions. Currently, all submitters are required to
include an ``express statement'' and a ``certification statement'' with
each CII submission (physical and electronic). This ANPRM seeks
comments on modifying this requirement to allow multiple associated CII
submissions under one ``express statement'' and ``certification
statement.'' Comments 1 through 3 concern the automated submissions of
express and certification statements, comments 4 through 5 concern
internal and external statistical reporting, and comments 6 through 9
concern the expansion of categorical inclusions. Specifically, we are
requesting:
(1) Comments on how to enhance the submission methods for critical
infrastructure information and automate sharing via structured
information expression profiles and electronic exchange protocols such
as the Structured Threat Information eXpression (STIX) and the Trusted
Automated eXchange of Indicator Information (TAXII);
(2) Comments on whether an updated PCII rule should permit multiple
submissions of information under one express statement and
certification statement enabling the submission of multiple documents
by an organization over the course of several weeks or months, all
relating to an identified incident, and whether such submission should
be treated and tracked as one submission;
(3) Comments on whether an updated PCII rule should allow
submissions in a purely electronic format that includes an electronic
express statement and certification statement in order to simplify the
submission of large data sets in particular, such as electronic
submissions with a large volume of data potentially indicating a
compromise of a critical information system;
(4) Currently, the PCII Program does not have an automated process
for collecting statistical information on each submission. For this
reason, this ANPRM seeks comments outlining whether and to what extent
an automated submission process should incorporate auditing and
statistical reporting requirements to increase transparency of the
frequency and types of data being submitted to the program;
(5) Currently, the PCII Program does not facilitate the submitter's
ability to request and receive audits or access data relating to the
submission. This ANPRM seeks comments addressing any process amendments
or program enhancements to effectively implement automated submission
processing in order to facilitate the submitter's ability to request
and receive timely audits of access to the submissions and to withdraw
the data submitted to the program via an automated process;
(6) Comments about what effect, if any, an updated PCII Program
would have on enabling broader sharing and analysis among other trusted
recipients of cyber threat and risk data, including potential concerns
related to protecting sources and methods;
(7) Comments on the extent to which specific programmatic-
submission use cases that define data collection needs should be
developed and established as categorical inclusions in specific data
exchange activities in order to increase the submitters' community use
and ease of submission in the PCII submission process, and to foster
broader use of the PCII Program;
(8) Categorical inclusions enjoy a presumption of protection for
CII relating to certain subject matters that the PCII Program Manager
declares as PCII. Additionally, the PCII Program Manager sets
procedures for receipt and processing of such information. This ANPRM
seeks comments on the extent to which specific programmatic-submission
use cases should be developed and established as categorical inclusions
in order to normalize a range of permissible and impermissible uses for
specific types of data shared as PCII; and
(9) Currently, categorical inclusions exist in Federal governmental
entities. This ANPRM seeks comments on expanding categorical inclusions
to the State governmental level to increase the range of submissions,
enhance the efficiency of information sharing, and make the protection
of critical infrastructure information more effective.
b. Marking/Portion Marking--The purpose of the portion marking
process is to identify what information within a submission of critical
infrastructure information should be protected. Presently, submitters
are not required to portion mark the submitted information. The PCII
Program Office does not currently mark portions of submitted
information as PCII or non-PCII within the steps of the validation
process. If the
submitted information is validated as PCII, the entire submission is
given protection as PCII. Additionally, metadata practices are not
streamlined so that it is received in a uniform process. This ANPRM
seeks comments regarding the marking of PCII as it relates to the
Controlled Unclassified Information (CUI) framework, to include
comments on portion marking of original PCII, and the marking of PCII
metadata.
c. Sharing PCII with Foreign Governments--To date, the PCII Program
does not share PCII with foreign governments; however, it is possible
to do so through sharing agreements. This ANPRM seeks comments regarding
the sharing of PCII with trusted international partners identified
through sharing agreements to support the critical infrastructure
protection and resilience efforts of the United States and partner
governments.
d. Regulatory Purposes--Comments on whether the current information
in 6 CFR part 29 is sufficient to describe the restriction on
regulatory access to PCII. See sections 29.2(k) and 29.3 of 6 CFR part
29.
e. Safeguarding--Comments on all aspects of PCII safeguarding,
including comments on storage, violations of unauthorized disclosure,
dissemination, tracking and use of PCII, and destruction of same.
f. Oversight and Compliance--Currently, oversight and compliance
within the PCII Program ensures that all critical infrastructure
activities are in accordance with the CII Act of 2002 and 6 CFR part
29. This ANPRM seeks comments relating to broadening the oversight and
compliance of the PCII Program to enhance assessment and measure the
effectiveness of compliance with PCII Program policies, procedures and
practices.
g. Alignment with other information protection programs--Comments
regarding how DHS may be able to better align the PCII Program with
other existing information protection and sharing programs, such as the
Transportation Security Administration's Sensitive Security Information
program, the Department of Homeland Security's Chemical-Terrorism
Vulnerability Information program, and the National Archives and
Records Administration Controlled Unclassified Information Program,
including comments on any duplication or overlap that may exist between
the PCII Program and other information protection programs. When
providing comments on this topic, DHS encourages commenters to provide
the specific citations to any information protection programs that may
duplicate or overlap with the PCII requirements as well as a specific
description of the duplicative or overlapping requirement.
h. Administration of PCII Program in States--Comments on
streamlining the administration of the PCII Program within State,
local, tribal, and territorial entities by including State, local,
tribal, and territorial Homeland Security Advisors in the management of
the PCII Program so that states are accredited in their entirety and
aligned with the requirements of the PCII Program.
In each of the above cases, DHS also requests that the commenter
provide, in as much detail as possible, an explanation why the
procedures should be modified, streamlined, expanded, or removed, as
well as specific suggestions of the ways DHS can better achieve its
protective objectives for sharing information about the nation's
critical infrastructure.
In addressing these topics, DHS encourages interested parties to
provide specific data that documents the potential costs of modifying
the existing regulatory requirements pursuant to the commenter's
suggestions; the potential quantifiable benefits including security and
societal benefits of modifying the existing procedures; and the
potential impacts on small businesses of modifying the existing
regulatory requirements. Commenters might also address how DHS can best
obtain and consider accurate, objective information and data about the
costs, burdens, and benefits of the PCII Program and whether there are
lower cost alternatives that would allow DHS to continue to achieve its
goal of protecting sensitive security information on the nation's
critical infrastructure consistent with the CII Act of 2002.
Jeh Charles Johnson,
Secretary.
[FR Doc. 2016-09186 Filed 4-20-16; 8:45 am]
BILLING CODE 9110-9P-P