6 CFR § 29.5 - Requirements for protection.

§ 29.5 Requirements for protection.

(a) CII shall receive the protections of section 214 of the CII Act when:

(1) Such information is voluntarily submitted, directly or indirectly, to the PCII Program Manager or the PCII Program Manager's designee;

(2) The information is submitted for protected use regarding the security of critical infrastructure or protected systems, analysis, warning, interdependency study, recovery, reconstitution, or other appropriate purposes including, without limitation, for the identification, analysis, prevention, preemption, disruption, defense against and/or mitigation of terrorist threats to the homeland;

(3) The information is labeled with an express statement as follows:

(i) In the case of documentary submissions, written marking on the information or records substantially similar to the following: “This information is voluntarily submitted to the Federal government in expectation of protection from disclosure as provided by the provisions of the Critical Infrastructure Information Act of 2002”; or

(ii) In the case of oral information:

(A) Through an oral statement, made at the time of the oral submission or within a reasonable period thereafter, indicating an expectation of protection from disclosure as provided by the provisions of the CII Act; and

(B) Through a written statement substantially similar to the one specified above accompanied by a document that memorializes the nature of oral information initially provided received by the PCII Program Manager or the PCII Program Manager's designee within a reasonable period after using oral submission; and

(iii) In the case of electronic information:

(A) Through an electronically submitted statement within a reasonable period of the electronic submission indicating an expectation of protection from disclosure as provided by the provisions of the CII Act; and

(B) Through a non-electronically submitted written statement substantially similar to the one specified above accompanied by a document that memorializes the nature of e-mailed information initially provided, to be received by the PCII Program Manager or the PCII Program Manager's designee within a reasonable period after using e-mail submission.

(4) The submitted information additionally is accompanied by a statement, signed by the submitting person or an authorized person on behalf of an entity identifying the submitting person or entity, containing such contact information as is considered necessary by the PCII Program Manager, and certifying that the information being submitted is not customarily in the public domain;

(b) Information that is not submitted to the PCII Program Manager or the PCII Program Manager's designees will not qualify for protection under the CII Act. Only the PCII Program Manager or the PCII Program Manager's designees are authorized to acknowledge receipt of information being submitted for consideration of protection under the Act.

(c) All Federal, State and local government entities shall protect and maintain information as required by these rules or by the provisions of the CII Act when that information is provided to the entity by the PCII Program Manager or the PCII Program Manager's designee and is marked as required in 6 CFR 29.6(c).

(d) All submissions seeking PCII status shall be presumed to have been submitted in good faith until validation or a determination not to validate pursuant to these rules.