Critical infrastructure data sought

The private sector can voluntarily submit critical infrastructure information to the Homeland Security Department with a new program designed to protect such information.

Starting Feb. 20, the Protected Critical Infrastructure Information (PCII) program will collect sensitive data about physical and cyber infrastructure according to regulations that will be posted online Feb. 19 and published in the Federal Register the following day. Public comment on the regulations could last up to 90 days.

Robert Liscouski, DHS' assistant secretary for infrastructure protection, said by partnering with the private sector and making the program voluntary, the federal government can find vulnerabilities and nuances that the private sector knows best.

"The partnership's important to us because the government can't afford to buy the expertise that we need to understand those vulnerabilities at the nuance level if they have access to it," he said.

Fred Herr, PCII's program manager, said the private sector isn't required to submit anything to the federal government under the program. But DHS officials cited the public good as a reason why companies and nongovernment organizations might share such information voluntarily. The information will be kept confidential, because any data that passes all program requirements will be exempt from the Freedom of Information Act and cannot be accessed by third parties or state and local governments for civil litigation, officials said.

However, if companies provided false statements or submitted information they knew to be wrong, they would be subject to federal felony statutes.

Information submitted will be available initially to DHS' Information Analysis and Infrastructure Protection Directorate, where the PCII program office resides. DHS officials plan to eventually share that data with other authorized personnel in federal, state and local agencies. Officials did not describe how or when other agencies and governments could access the data, although it probably would be accessed through existing secure networks, officials said.

Officials said that data given to DHS must meet a number of requirements:

* The submitting entity must ask for protection.

* The submitter must certify that the material is voluntarily provided.

* The submitter must certify that it's not submitted in lieu of meeting a federal requirement or regulation.

* The submitter must certify that it meets the definition of critical infrastructure information specified under the Critical Infrastructure Information Act of 2002.

"If it meets all those requirements we then will label it protected infrastructure information, PCII," Herr said. "If it doesn't meet those requirements, we'll go back to the submitting entity and ask them for additional justification