6 C.F.R. § 29.2

Current through October 31, 2024
Section 29.2 - Definitions

For purposes of this part:

Critical Infrastructure has the same meaning stated in 6 U.S.C. 101(4) (which cross references the term used in 42 U.S.C. 5195c(e)) and means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

Critical Infrastructure Information or CII has the same meaning stated in 6 U.S.C. 671(1) and means information not customarily in the public domain and related to the security of critical infrastructure or protected systems, including documents, records or other information concerning:

(1) Actual, potential, or threatened interference with, attack on, compromise of, or incapacitation of critical infrastructure or protected systems by either physical or computer-based attack or other similar conduct (including the misuse of or unauthorized access to all types of communications and data transmission systems) that violates Federal, State, or Local law, harms interstate commerce of the United States, or threatens public health or safety;

(2) The ability of any critical infrastructure or protected system to resist such interference, compromise, or incapacitation, including any planned or past assessment, projection, or estimate of the vulnerability of critical infrastructure or a protected system, including security testing, risk evaluation thereto, risk-management planning, or risk audit; or

(3) Any planned or past operational problem or solution regarding critical infrastructure or protected systems, including repair, recovery, reconstruction, insurance, or continuity, to the extent it is related to such interference, compromise, or incapacitation.

CII Act means the Critical Infrastructure Information Act of 2002 in 6 U.S.C. 671-674; Sections 2222-2225 of the Homeland Security Act of 2002, Public Law 107-296, 116 Stat. 2135, as amended by Subtitle B of the Cybersecurity and Infrastructure Security Act of 2018, Public Law 115-278, 132 Stat. 4168.

CISA means the Cybersecurity and Infrastructure Security Agency.

Department or DHS means the Department of Homeland Security.

Director means the Director of the CISA, any successors to that position within the Department, or any designee.

Executive Assistant Director means the Executive Assistant Director for the Infrastructure Security Division of the CISA, any successors to that position within the Department, or any designee.

Information Sharing and Analysis Organization or ISAO has the same meaning stated in 6 U.S.C. 671(5) and means any formal or informal entity or collaboration created or employed by public or private sector organizations for purposes of:

(1) Gathering and analyzing CII, including information related to cybersecurity risks and incidents, in order to better understand security problems and interdependencies related to critical infrastructure and protected systems, so as to ensure the availability, integrity, and reliability thereof;

(2) Communicating or disclosing CII, including cybersecurity risks and incidents, to help prevent, detect, mitigate, or recover from the effects of an interference, compromise, or an incapacitation problem related to critical infrastructure or protected systems; and

(3) Voluntarily disseminating CII, including cybersecurity risks and incidents, to its members, Federal, State, and Local governments, or any other entities that may be of assistance in carrying out the purposes specified in paragraphs (h)(1) and (2) of this section.

In the public domain means information lawfully, properly, and regularly disclosed generally or broadly to the public. Information regarding system, facility, or operational security is not "in the public domain." Information submitted with CII that is proprietary or business sensitive, or which might be used to identify a submitting person or entity will not be considered "in the public domain." Information may be "business sensitive" for this purpose whether or not it is commercial in nature, and even if its release could not demonstrably cause substantial harm to the competitive position of the submitting person or entity.

Local government has the same meaning stated in 6 U.S.C. 101(13) and means:

(1) A county, municipality, city, town, township, local public authority, school district, special district, intrastate district, council of governments (regardless of whether the council of governments is incorporated as a nonprofit corporation under State law), regional or interstate government entity, or agency or instrumentality of a Local government;

(2) An Indian tribe or authorized tribal organization, or in Alaska, a Native village or Alaska Regional Native Corporation; and

(3) A rural community, unincorporated town or village, or other public entity.

Protected Critical Infrastructure Information or PCII means validated CII, including information covered by § 29.6(b) and (h), including the identity of the submitting person or entity and any person or entity on whose behalf the submitting person or entity submits the CII, that is voluntarily submitted, directly or indirectly, to CISA, for its use regarding the security of critical infrastructure and protected systems, analysis, warning, interdependency study, recovery, reconstitution, or other appropriate purpose. PCII also includes any information, statements, compilations or other materials reasonably necessary to explain the CII, put the CII in context, or describe the importance or use of the CII when accompanied by an express statement as described in § 29.5.

PCII Program Manager means the federal employee within the Infrastructure Security Division of CISA appointed as responsible for the administration of the PCII Program pursuant to this part, any successors to that position within the Department, or any designee.

PCII Program Manager's Designee means a federal employee outside of the PCII Program Office, whether employed by CISA or another federal agency, to whom certain functions of the PCII Program Office are delegated by the PCII Program Manager, as determined on a case-by-case basis.

Protected Critical Infrastructure Information Program Office or PCII Program Office means the personnel organized within the Infrastructure Security Division of CISA who carry out the operational and administrative functions of the PCII Program pursuant to the direction of the PCII Program Manager.

PCII Program Officer means a Federal, State, or Local government employee appointed by their respective agency or entity and, upon approval of the PCII Program Manager, carries out the responsibilities described in 6 CFR 29.4(d) to ensure the proper use, storage, and handling of PCII within their respective agency or entity.

Protected Critical Infrastructure Information Program or PCII Program means the program implementing the CII Act within the Infrastructure Security Division of the CISA, including the maintenance, management, and review of the information provided in furtherance of the protections provided by the CII Act.

Protected Critical Infrastructure Information Management System or PCIIMS means the electronic database and platform used to record the receipt, acknowledgement, validation, storage, dissemination, and destruction of PCII. PCIIMS also enables CISA to manage and train individuals authorized to view, handle, and access PCII.

Protected system has the same meaning stated in 6 U.S.C. 671(6) and means any service, physical or computer-based system, process, or procedure that directly or indirectly affects the viability of a facility of critical infrastructure; and includes any physical or computer-based system, including a computer, computer system, computer or communications network, or any component hardware or element thereof, software program, processing instructions, or information or data in transmission or storage therein, irrespective of the medium of transmission or storage.

Purposes of the CII Act has the meaning set forth in the CII Act and includes the security of critical infrastructure and protected systems, analysis, warning, interdependency study, recovery, reconstitution, or other informational purposes.

Regulatory proceeding, as used in 6 U.S.C. 671(7) and this part, means administrative proceedings in which DHS is the adjudicating entity, and does not include any form or type of regulatory proceeding or other matter outside of DHS.

State has the same meaning stated in 6 U.S.C. 101(17) and means any State of the United States, the District of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands, Guam, American Samoa, the Commonwealth of the Northern Mariana Islands, and any possession of the United States.

Submission as referenced in these procedures means any transmittal, either directly or indirectly, of CII to the CISA PCII Program Office or the PCII Program Manager's Designee, as set forth herein.

Submitted in good faith means any submission of information that could reasonably be defined as CII or PCII under this section. Upon validation of a submission as PCII, CISA has conclusively established the good faith of the submission. Any information qualifying as PCII by virtue of a categorical inclusion identified by the PCII Program Manager pursuant to this part is submitted in good faith.

Voluntary or voluntarily, when used in reference to any submission of CII, means the submittal thereof in the absence of an exercise of legal authority by DHS to compel access to or submission of such information. Voluntary submission of CII may be accomplished by (i.e., come from) a single State or Local governmental entity; private entity or person; or by an ISAO acting on behalf of its members or otherwise. There are two exclusions from this definition:

(1) In the case of any action brought under the securities laws - as is defined in 15 U.S.C. 78c(a)(47) - the term "voluntary" or "voluntarily" does not include:

(i) Information or statements contained in any documents or materials filed pursuant to 15 U.S.C. 78l(i) with the U.S. Securities and Exchange Commission or with federal banking regulators; or

(ii) A writing that accompanied the solicitation of an offer or a sale of securities; and

(2) Information or statements previously submitted to DHS in the course of a regulatory proceeding or a licensing or permitting determination are not "voluntarily submitted." In addition, the submission of information to DHS for purposes of seeking a federal preference or benefit, including CII submitted to support an application for a DHS grant to secure critical infrastructure will be considered a voluntary submission of information. Applications for Support Anti-terrorism by Fostering Effective Technologies Act of 2002 filed pursuant to 6 U.S.C. 441 et seq., or SAFETY Act Designation or Certification under 6 CFR part 25, will also be considered a voluntary submission.

Used directly by such agency, any other Federal, State, or Local authority, or any third party, in any civil action arising under Federal or State law in 6 U.S.C. 673(a)(1)(C) means any use in any proceeding other than a criminal prosecution before any court of the United States or of a State or otherwise, of any PCII, or any drafts or copies of PCII retained by the submitter, including the opinions, evaluations, analyses and conclusions prepared and submitted as CII, as evidence at trial or in any pretrial or other discovery, notwithstanding whether the United States, its agencies, officers, or employees is or are a party to such proceeding.

87 FR 77972, 12/21/2022