Submit Critical Infrastructure Information (CII) For Protected Critical Infrastructure Information (PCII) Protection
This webpage describes who can submit Critical Infrastructure Information (CII) for protection under the CII Act of 2002, what kind of information can be submitted, and how to submit that information. If you are a first time submitter of CII, the PCII Program Office highly recommends you review the information provided below before submitting. If you are familiar with the electronic submissions process, please go directly to PCIIMS eSubmissions platform.
Critical Infrastructure Information
Information related to the security of critical infrastructure or protected systems, including documents, records, or other information concerning threats, vulnerabilities and operational experience may be submitted for PCII protection. This information must be:
- Voluntarily submitted;
- Not customarily available in the public domain; and
- Not submitted in lieu of compliance with any regulatory requirement.
Submitted information will retain PCII protections unless the PCII Program Office determines that the information, at the time of the submission, was customarily in the public domain, or the submitter requests in writing that the protections be removed.
Potential Submitters
The PCII Program Office will accept submissions of CII for consideration of the protections of the CII Act from any submitter who:
- Owns the information being submitted (or is an authorized representative of the owner of the information);
- Has sufficient knowledge of the information to affirm that it is being submitted voluntarily (i.e., in the absence of an exercise of legal authority by the Department of Homeland Security to compel access to or submission of such information); and
- Has sufficient knowledge of the information to affirm in the Certification Statement that the information is not lawfully, properly, and regularly disclosed generally or broadly to the public.
Examples of potential submitters include, but are not limited to:
- State and local government officials
- Authorized representatives of privately or publicly owned companies
- Industry associations (on behalf of their members)
- Individuals capable of providing an analytical observation of a critical infrastructure
- Working groups comprised of government and private sector representatives
Representatives of federal government entities may not submit information to the PCII Program in consideration of the protections of the CII Act.
Express Statement and Certification Statement
All information submitted for PCII protection must include:
- An Express Statement requesting the protection offered by the CII Act; and
- A Certification Statement containing an affirmation that the individual submitting the information is authorized to submit, the submitter’s contact information, and certification that the information is not customarily in the public domain.
When accompanied by an Express Statement and a signed Certification Statement, the submission will be granted the presumption of protection throughout the entire validation process. If the Certification Statement is missing or incomplete, the information will have the presumption of protection but the PCII Program Office will request that the submitter provide a complete Certification Statement within 30 calendar days.
If the submitter does not provide both within 30 days of the request, the PCII Program Office will either return the information to the submitter in accordance with the submitting person or entity's written preference or destroy the submission in accordance with the Federal Records Act and Department of Homeland Security regulations.
Submission Process
Submitters should contact the PCII Program Office (PCII-Assist@cisa.dhs.gov) prior to submitting their information to ensure that the Program Office can accept the submission format and provide any additional guidance.
Submitting CII via Partnering Federal Agency
When CII is submitted to the Department of Homeland Security through approved partnerships with federal agencies, the PCII Program Manager declares certain subject matter or types of information categorically protected as PCII and sets procedures for receiving and processing of this information.
Submitting CII Directly to the PCII Program Office via Electronic Submissions
These guidelines will help you successfully complete an electronic submission via the eSubmission platform:
- The electronic submission process MUST be completed in a single session as information cannot be saved and completed at a later date.
- All necessary information should be available prior to beginning the electronic submission process as the session will end and all information will be deleted after 20 minutes of inactivity. Submitters will be prompted before they are disconnected to give them an opportunity to continue with their submission.
- The time required to submit information will depend on the number, size, and format of the uploaded files as well as the connection speed.
- There is no limit on the number of times an individual can submit information, but each submission cannot exceed 100 files or be greater than 1 GB in total size.
- Submitters must use Microsoft Edge, Firefox, or Google Chrome as their browser.
- All file types and formats are accepted by the PCII Program.
- As a further security measure, submitters are encouraged to provide a digital signature. Although not required, a digital signature authenticates the submitter's identity, guaranteeing the original content of documents has not been altered in transmission. A Certificate Authority issues digital signatures and can be located through most online search engines.
- Identify the primary contact in case the PCII Program Office has questions about a submission. Provide the contact's name, organization name, mailing address, city, state, zip code, email address, and telephone number. A secondary point of contact may also be designated.
- Indicate the tracking number provided in the confirmation letter if the current submission is supplying additional information to support a prior submission.
- Verify that the information listed in the Certification Statement:
- Is not customarily in the public domain.
- Has the submitter's most updated contact information.
- If the information submitted is required by the federal government, specify the department or agency and identify the legal authority that mandates the submission.
- Provide a brief description of the information in each file to be submitted before attaching and uploading files.
- Selecting the "Cancel" button before uploading files will end the submission process, and all information related to the submission will be deleted.
- The submission process cannot be cancelled after files have been uploaded to the PCII Program.
Submitting CII Directly to the PCII Program Office via Other Means
- Standard Mail:
PCII Program Office
Department of Homeland Security
245 Murray Lane, SW, Mail Stop 0602
Washington, DC 20528-0602 - Phone: 866-844-8163 (Phone submissions must be followed by a similar written statement within 15 calendar days after the submission.)
The PCII Program Office or Designee will acknowledge receipt of the submission within 30 days of its receipt. Acknowledgement of receipt is not a determination of validation, but only a notification to the submitter that the PCII Program Office or Designee has received the information accompanied by an Express and Certification Statement.
Validation Process
When a submission is evaluated and determined to meet all prescribed qualifications, the PCII Program Office will validate it and mark the information as PCII. Once the submission is validated, the submitter will receive a validation letter or an email which will include a submission identification number.
PCII protections apply only to the information in the hands of the government and not to the copy retained by the submitter. A submitter may use their copy of the information as they see fit, but we encourage submitters to consider information access and information security as part of that decision.
Submissions that do not meet requirements are destroyed or returned to the submitter, as determined by the submitter's written preference.
State and Tribal Submissions and Records Laws
After the submitted information has been validated by DHS for PCII protection, the original information and documents may still be subject to records management and disclosure laws that vary by state or within different tribes, territories, or localities. This may lead to a situation where a submission is validated and marked as PCII, but the original records cannot be destroyed by the submitting state, tribal, or local entity due to records retention rules. Those original records could still be used not only for regulatory purposes, but they could also be requested by the public depending on the disclosure rules of the jurisdiction. A failure to understand the different status of marked and non-marked copies can lead to a mistaken belief that every copy is protected once one copy is submitted to the PCII Program.
Contact Information
To learn more about how the PCII Program can support your organization's homeland security efforts, please contact PCII-Assist@cisa.dhs.gov.