The Critical Infrastructure Information Act of 2002, passed by the U.S. Congress, provides a mechanism for severely restricting access to proprietary critical infrastructure information voluntarily shared by network operators with the federal government. It prevents consumers and organizations from accessing this information under the Freedom of Information Act, by a regulatory agency, or as part of civil litigation. This means that a utility, telecom, or other organization can elect to submit proprietary network information, including the location of above- and below-ground facilities, to the Department of Homeland Security's Protected Critical Infrastructure Information (PCII) program, after which it is protected from access by anyone except certified Federal government employees and contractors.
Introduction
Information about infrastructure in the United States is regulated by an act of Congress and several presidential directives. The earliest federal directive is the 1998 Presidential Decision Directive/NSC-63, Critical Infrastructure Protection, which identified the need for a public-private partnership, preferably voluntary, to protect critical infrastructure. The Critical Infrastructure Information (CII) Act of 2002 followed very closely after September 11, 2001. Homeland Security Presidential Directive 7 in 2003 established a national policy for Federal departments and agencies to identify and prioritize critical infrastructure and to protect it from terrorist attacks. Presidential Policy Directive 21 (PPD-21), Critical Infrastructure Security and Resilience, of 2013 established a national policy on critical infrastructure security and resilience as a shared responsibility among the Federal, state, local, tribal, and territorial governments and public and private owners and operators of critical infrastructure. This directive also clarifies the critical infrastructure-related responsibilities across the Federal Government. The National Infrastructure Protection Plan (NIPP) 2013 is a plan resulting from Homeland Security Presidential Directive 7. The NIPP's goals are to protect critical infrastructure and key resources and ensure resiliency. The NIPP is based on the 1998 Presidential Decision Directive-63, which identified critical sectors of the economy and identified government agencies for each of them to work on sharing information and on strengthening responses to attack.
Critical Infrastructure Information Act of 2002
The U.S. Congress established standards for protecting critical infrastructure information through the Critical Infrastructure Information Act of 2002. In response, the Department of Homeland Security (DHS) created the Protected Critical Infrastructure Information (PCII) program to protect private sector infrastructure information voluntarily shared with the government for the purposes of homeland security. Title 6 of the Code of Federal Regulations (CFR) Part 29, Procedures for Handling Critical Infrastructure Information; Final Rule, published in 2006, established uniform procedures on the receipt, validation, handling, storage, marking, and use of critical infrastructure information voluntarily submitted to DHS. Information submitted by utilities, telecoms and others to the PCII program is broadly protected from disclosure. This includes disclosure under the Freedom of Information Act; State, local, tribal, or territorial disclosure laws; regulation; or civil litigation. Only trained and certified U.S. government employees or contractors may use PCII. All users of PCII must have homeland security responsibilities and duties, possess a valid need-to-know, and sign a non-disclosure agreement. Organizations that can submit proprietary information to the PCII program include privately or publicly owned companies, industry associations, and State and local government officials. Federal government agencies may not submit information to the PCII program. Information that is in the public domain cannot be submitted.
Presidential Decision Directive/NSC-63 1998 Critical Infrastructure Protection
Directive NSC-63 identified critical infrastructure whose physical and cyber-based systems were essential to the minimum operations of the economy and government. These included telecommunications, energy, banking and finance, transportation, water systems and emergency services, both governmental and private. Since most infrastructure is privately owned, the protection of critical infrastructure is necessarily a shared responsibility and partnership between owners, operators and the government. The directive specifically identified interdependence between different utility, telecom and other systems as a growing challenge. Its goal was to create a public-private partnership to enable a closely coordinated effort of both the government and the private sector to avoid increasing government regulation or putting a greater burden on the private sector. To that end it stated that it is preferable that participation by owners and operators in a national infrastructure protection system be voluntary. It also emphasized that privacy rights of consumers and operators of utility, telecom, and other networks must be protected and information handled accurately, confidentially and reliably.
Homeland Security Presidential Directive 7: Critical Infrastructure Identification, Prioritization, and Protection 2003
Homeland Security Presidential Directive 7 establishes a national policy for Federal departments and agencies to identify and prioritize critical infrastructure and to protect them from terrorist attacks. It directs that federal agencies will collaborate with the private sector to encourage the development of information sharing and analysis mechanisms. Its objective is to identify, prioritize, and coordinate the protection of critical infrastructure and key resources and to facilitate sharing of information about physical and cyber threats, vulnerabilities, incidents, protective measures, and best practices.
Presidential Policy Directive 21 (PPD-21): Critical Infrastructure Security and Resilience 2013
This directive establishes national policy on critical infrastructure security and resilience as a shared responsibility among the Federal, state, local, tribal, and territorial governments, and public and private owners and operators of critical infrastructure. Its objective is to enable information exchange among these organizations by identifying baseline data and systems requirements for the Federal Government. Federal departments and agencies are directed to ensure that all existing privacy principles, policies, and procedures are implemented consistent with applicable laws and policies. The Secretary of Homeland Security, in coordination with other Federal departments and agencies, was directed to convene a team of experts to identify baseline data and systems requirements to enable the efficient exchange of information and intelligence relevant to strengthening the security and resilience of critical infrastructure.
National Infrastructure Protection Plan 2013
The National Infrastructure Protection Plan (NIPP) 2013 was mandated by Homeland Security Presidential Directive 7. The latest version of the plan was produced in 2013. The NIPP's goal is to provide a mechanism for developing coordination between government and the private sector. As the Nation’s critical infrastructure is largely owned by the private sector, managing risk to enhance security and resilience is a shared priority for industry and government. The goal is a collaborative public-private partnership that operates as a unified national effort, as opposed to a hierarchical, command-and-control structure. The eighteen sectors identified by DHS as critical infrastructure are: chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; healthcare and public health; information technology; nuclear reactors, materials, and waste; transportation systems; and water and wastewater systems. While it lauds the investment in some critical infrastructure, it specifically refers to a National Academy of Sciences report that the Nation’s earlier heavy investment in the design, construction, and operation of critical infrastructure systems (water, wastewater, energy, transportation, and telecommunications) has not been matched with the funds necessary to keep these systems in good condition or to upgrade them to meet the demands of a growing population.
Information about critical infrastructure is vulnerable to unauthorized access that could affect its confidentiality, integrity, or availability. The distribution of such information to those entities that can use it for efficient and effective risk management remains a challenge. It is critical to maintain the availability of information and distribute it to those who can use and protect it properly. This entails being transparent about information-sharing practices; protecting sources and methods; and ensuring privacy and protecting civil liberties, while also enabling law enforcement investigations. The NIPP references the PCII program, authorized by the Critical Infrastructure Information (CII) Act of 2002 and its implementing regulations (Title 6 of the Code of Federal Regulations Part 29).
The National Plan identifies certain lifeline functions that are essential to the operation of most critical infrastructure sectors. These lifeline functions include communications, energy, transportation, and water. To manage critical infrastructure risk effectively, it directs that partners must identify the assets, systems, and networks that are essential to their continued operation including interdependencies. Interdependencies may be operational (e.g., power required to operate a water pumping station) or physical (e.g., co-located infrastructure, such as water and electric lines running under a bridge span) and include infrastructure that requires accurate and precise positioning, navigation, and timing (PNT) data. PNT services are critical to the operations of multiple critical infrastructure sectors and are vital to incident response.