DHS to Consider Important Changes to Regulations Protecting Voluntarily Shared Critical Infrastructure Information
In the wake of recent congressional action to promote cybersecurity and critical infrastructure information sharing, the U.S. Department of Homeland Security (DHS) is expected soon to reevaluate its approach to a flagship program for protecting critical infrastructure information voluntarily shared with the government by the private sector. Entities that consider sharing—or that might be asked to share—information with the federal government should think about whether to engage with DHS to shape the next phase of this program.
DHS expects to release an Advance Notice of Proposed Rulemaking (ANPRM) this April to open reconsideration and revision of its Protected Critical Infrastructure Information (PCII) regulations. The PCII regulations establish procedures for the receipt, care, and storage of critical infrastructure information voluntarily submitted to DHS by private sector entities. Among other things, the regulations ensure that information submitted through the program is protected from Freedom of Information Act (FOIA) inquiries and similar disclosure requests.
The ANPRM will provide interested parties with an opportunity to provide input to DHS regarding any needed or helpful changes to its PCII regulations. DHS has not yet publicly signaled the scope of proposed revisions. According to the announcement published in the Unified Agenda of Federal Regulatory and Deregulatory Actions:
"DHS is initiating this rulemaking process to help it identify how to enhance the PCII regulation more effectively in achieving [sic] its regulatory objectives. DHS believes that after nine years of experience implementing the PCII program, DHS has gained first-hand insight on lessons learned, and that the ANPRM process provides expanded opportunities for the Department to hear and consider the views of interested members of the public on their recommendations for program modifications."
This is timely because federal agencies right now are grappling with how to collect information about cybersecurity readiness. The ANPRM is an important part of the overall discussion of cybersecurity because of the central role that DHS’s PCII program can play in protecting and promoting the sharing of critical infrastructure information.
Recent enactments by Congress, including the Cybersecurity Act of 2015 and the Cybersecurity Information Sharing Act of 2015, enshrine DHS as the hub of critical infrastructure and cybersecurity information sharing, including through entities like the National Cybersecurity and Communications Integration Center (NCCIC). Provisions in these and other enactments evidence a strong desire by Congress to promote voluntary information sharing, and to strengthen incentives for private sector participation through protections from disclosure and other potential liability. These protections also promote privacy goals by ensuring that consumer data and other information in the hands of private sector entities is not publicly disclosed. The PCII regulations, which are authorized by statute, are an important piece of that congressional agenda. PCII was not the subject of recent legislation, but is an important tool for the government and private sector. DHS can and should ensure that any revisions to its PCII regulations are consistent with the incentives for sharing that Congress has sought to create.