6 CFR § 29.8 - Disclosure of PCII.

§ 29.8 Disclosure of PCII.

(a) Authorization of access. The Director, the Executive Assistant Director, or either's designee may choose to provide or authorize access to PCII under one or more of the paragraphs in this section when it is determined that access supports a lawful and authorized government purpose as enumerated in the CII Act or other law, regulation, or legal authority.

(b) Federal, State, and Local government sharing. The PCII Program Office or a PCII Program Manager's Designee may provide PCII to an employee of the federal government, provided, subject to paragraph (f) of this section, that such information is shared for purposes of securing the critical infrastructure or protected systems, analysis, warning, interdependency study, recovery, reconstitution, or for another appropriate purpose including, without limitation, the identification, analysis, prevention, preemption, and/or disruption of terrorist threats to the homeland. PCII may not be used, directly or indirectly, for any collateral regulatory purpose. PCII may be provided to a State or Local government entity for the purpose of protecting critical infrastructure or protected systems, or in furtherance of the investigation or prosecution of a criminal act. The provision of PCII to a State or Local government entity will normally be made only pursuant to an arrangement with the PCII Program Manager providing for compliance with the requirements of paragraph (d) of this section and acknowledging the understanding and responsibilities of the recipient. State and Local governments receiving such information will acknowledge in such arrangements the primacy of PCII protections under the CII Act; agree to assert all available legal defenses to disclosure of PCII under State or Local public disclosure laws, statutes, or ordinances; and will agree to treat breaches of the agreements by their employees or contractors as matters subject to the applicable criminal code or employee code of conduct for the jurisdiction.

(c) Disclosure of information to Federal, State, and Local government contractors. Disclosure of PCII to Federal, State, and Local government contractors may be made when necessary for an appropriate purpose under the CII Act, and only after the PCII Program Manager or a PCII Program Officer certifies that the contractor is performing services in support of the purposes of the CII Act. The contractor's employees who will be handling PCII must sign individual nondisclosure agreements in a form prescribed by the PCII Program Manager, and the contractor must agree by contract, whenever and to whatever extent possible, to comply with all relevant requirements of the PCII Program. The contractor must safeguard PCII in accordance with these procedures and may not remove any “PCII” markings. An employee of the contractor may, in the performance of services in support of the purposes of the CII Act and when authorized to do so by the PCII Program Manager or a PCII Program Manager's Designee, communicate with a submitting person or an authorized person of a submitting entity about a submittal of information by that person or entity. Contractors will not further disclose PCII to any other party not already authorized to receive such information by the PCII Program Manager or a PCII Program Manager's Designee, without the prior written approval of the PCII Program Manager or a PCII Program Manager's Designee.

(d) Further use or disclosure of information by State and Local governments.

(1) State and Local governments receiving information marked “Protected Critical Infrastructure Information” will not share that information with any other party not already authorized to receive such information by the PCII Program Manager or a PCII Program Manager's Designee, with the exception of their contractors after complying with the requirements of paragraph (c) of this section, or remove any PCII markings, without first obtaining authorization from the PCII Program Manager or a PCII Program Manager's Designee, who is responsible for requesting and obtaining written consent from the submitter of the information.

(2) State and Local governments may use PCII only for the purpose of protecting critical infrastructure or protected systems, or as set forth elsewhere in these rules.

(e) Disclosure of information to appropriate entities or to the general public. PCII may be used to prepare advisories, alerts, and warnings to relevant companies, targeted sectors, governmental entities, ISAOs, or the general public regarding potential threats and vulnerabilities to critical infrastructure as appropriate pursuant to the CII Act. Unless exigent circumstances require otherwise, any such warnings to the general public will be authorized by the Secretary of the Department of Homeland Security, the Director, the Executive Assistant Director for Infrastructure Security of CISA, or the Executive Assistant Director for Cybersecurity of CISA. Such exigent circumstances exist only when approval of the Secretary, the Director, the Executive Assistant Director for Infrastructure Security for CISA, or the Executive Assistant Director for Cybersecurity for CISA cannot be obtained within a reasonable time necessary to issue an effective advisory, alert, or warning. In issuing advisories, alerts, and warnings, DHS will consider the exigency of the situation, the extent of possible harm to the public or to critical infrastructure, and the necessary scope of the advisory, alert, or warning; and take appropriate actions to protect from disclosure any information that is proprietary, business sensitive, relates specifically to or might be used to identify the submitting person or entity or any persons or entities on whose behalf the CII was submitted, or is not otherwise appropriately in the public domain. Depending on the exigency of the circumstances, DHS may consult or cooperate with the submitter in making such advisories, alerts, or warnings.

(f) Disclosure for law enforcement purposes and communication with submitters; access by Congress, the Comptroller General, and the Inspector General; and whistleblower protection.

(1) Exceptions for disclosure.

(i) PCII will not, without the written consent of the person or entity submitting such information, be used or disclosed for purposes other than the purposes of the CII Act, except:

(A) In furtherance of the investigation or prosecution of a criminal act by the federal government, or by a State, Local, or foreign government, when such disclosure is coordinated by a federal law enforcement official;

(B) To communicate with a submitting person or an authorized person on behalf of a submitting entity, about a submittal of information by that person or entity when authorized to do so by the PCII Program Manager or a PCII Program Manager's Designee; or

(C) When disclosure of the information is made by any officer or employee of the United States;

(1) To either House of Congress, or to the extent of matter within its jurisdiction, any committee or subcommittee thereof, any joint committee thereof or subcommittee of any such joint committee; or

(2) To the Comptroller General, or any authorized representative of the Comptroller General, in the course of the performance of the duties of the Government Accountability Office.

(ii) If any officer or employee of the United States makes any disclosure pursuant to these exceptions, contemporaneous written notification must be provided to CISA through the PCII Program Manager.

(2) Consistent with the authority to disclose information for any of the purposes of the CII Act, disclosure of PCII may be made, without the written consent of the person or entity submitting such information, to the DHS Office of Inspector General.

(g) Responding to requests made under the Freedom of Information Act or State and Local government information access laws. PCII will be treated as exempt from disclosure under the Freedom of Information Act and any State or Local government law requiring disclosure of records or information. Any Federal, State, or Local government agency with questions regarding the protection of PCII from public disclosure must contact the PCII Program Office, who will in turn consult with the CISA Office of the Chief Counsel.

(h) Ex parte communications with decision-making officials. Pursuant to 6 U.S.C. 673(a)(1)(B), PCII is not subject to any agency rules or judicial doctrine regarding ex parte communications with a decision-making official.

(i) Restriction on use of PCII in civil actions. Pursuant to 6 U.S.C. 673(a)(1)(C), PCII will not, without the written consent of the person or entity submitting such information, be used directly by any Federal, State, or Local authority, or by any third party, in any civil action arising under Federal, State, or Local law.