Files moving from File cabinet to Computer

Critical Infrastructure Information Regulations Issued by DHS

After an extensive process of deliberation, and no small amount of controversy, the Department of Homeland Security (DHS) has now issued regulations that establish its "Protected Critical Infrastructure Program" in implementation of section 214 of the Homeland Security Act of 2002, 6 U.S.C.A. 133 (West Supp. 2003). A principal feature of the program, which is applicable to "critical infrastructure information" that is voluntarily submitted to DHS by private-sector industries and other nonfederal entities, is protection of those information submissions under Exemption 3 of the Freedom of Information Act, 5 U.S.C. 552(b)(3) (2000).

Section 214 of the Homeland Security Act, enacted in November 2002, contains a series of provisions aimed at promoting the flow of sensitive information about the nation's critical infrastructure (eighty-five percent of which is in the private sector) to the federal government for homeland security purposes. See FOIA Post, "Homeland Security Law Contains New Exemption 3 Statute" (posted 1/27/03). It establishes this new category of "critical infrastructure information" (referred to as "CII"), for Exemption 3 protection under the FOIA and for other safeguarding treatment as well. See id.; see also 6 U.S.C.A. 131(3) (defining CII). This new Exemption 3 statute for CII, which now applies to information held by DHS only, is one of "a growing trend [of] statutes enacted in recent years [that] contain disclosure prohibitions that are not general in nature but rather are specifically directed toward disclosure under the FOIA in particular." FOIA Post, "Agencies Rely on Wide Range of Exemption 3 Statutes" (posted 12/16/03).

These regulations implementing this part of the Homeland Security Act were issued last week in "interim final" form, which means that they became effective immediately upon issuance yet are subject to revision upon their issuance as a "final rule" at some point in the future after another round of public comments. They were the subject of considerable public comment after their issuance in proposed form last April 15, during a comment period that ended on June 17, 2003.

Most controversial has been the issue of whether this new CII program should apply to information submissions made to DHS only (i.e., "directly"), or to submissions made to other federal agencies instead (i.e., "indirectly"). On that difficult point, the proposed regulations issued last April did provide for the submission of CII to other agencies as part of the program. Significantly, these new "interim final" regulations by their revised terms do not so provide, but the preamble to them specifically states that at this time DHS "anticipates the development of appropriate mechanisms to allow for indirect submissions in the final rule." Procedures for Handling Critical Infrastructure Information; Interim Rule, 69 Fed. Reg. 8073, 8075 (Feb. 20, 2004) ("CII Regulations") (regulations to be codified at 6 C.F.R. Part 29). Under the heading of "Indirect Submissions," this regulatory preamble further states that DHS "would welcome comments" on this during its new further comment period, which extends to May 20. Id. at 8074.

Thus, while the CII program is being instituted at DHS on a "direct" basis only at this time, there remains the stated prospect of it being expanded to operate beyond DHS on an "indirect" basis at some point in the future. As was discussed at the FOIA Officers Conference held by the Office of Information and Privacy in June of last year, see FOIA Post, "FOIA Officers Conference Held on Homeland Security" (posted 7/3/03), such a development could be expected to have an impact upon the daily processes of FOIA administration at many agencies.

Another controversial aspect of section 214 and its implementation is the perception in some quarters that it somehow could be used by industry submitters to "hide" information from public view. However, the statute contains two specific provisions, subsections 214(c) and 214(d), that speak to this. The first, entitled "Independently Obtained Information," speaks to the fact that many federal regulatory agencies routinely obtain information that falls within the definition of "critical infrastructure information" as part of their everyday regulatory processes; it makes clear that "nothing in [section 214] shall be construed" to apply to such submissions. 6 U.S.C.A. 133(c). The second such provision makes clear that the voluntary submission of information under section 214 "shall not be construed to constitute compliance with any requirement to submit such information" elsewhere. 6 U.S.C.A. 133(d).

Such concerns also are addressed in section 29.3(a) of the CII Regulations, among other places, which explicitly speaks of the fact that "mandatorily submitted information" at one federal agency might be "identical to information [that is] voluntarily [and] separately submitted to DHS" under section 214, with the two submissions properly treated differently under the law. CII Regulations, 69 Fed. Reg. at 8084. What must be remembered is that the same industry information can exist in two counterpart forms, identical in whole or in part, and that any information can be submitted to multiple federal agencies on entirely different tracks. See also CII Regulations (Preamble), 69 Fed. Reg. at 8076 (indicating that section 29.3(a) was revised to address such concerns).

This new statutory protection traces back several years, even before the horrific events of September 11, 2001, to similar such proposals that were introduced in the 1990s, first in the House of Representatives and then in the Senate as well. Those early efforts quickly culminated during Congress's final crafting of the Homeland Security Act near the end of 2002, in the form of a distinct subtitle of that Act that is devoted to the subject of "critical infrastructure information" exclusively. See FOIA Post, "Homeland Security Law Contains New Exemption 3 Statute" (posted 1/27/03). Since that time, there have been some legislative efforts to modify that action, aimed at the "restoration" of section 214 to one or another of its earlier proposed forms, but they have not advanced through the legislative process.

Lastly, it may be noted that the development of these CII Regulations by DHS was the subject of a statutory report that DHS submitted to Congress on February 20, pursuant to section 893 of the Homeland Security Act, 6 U.S.C.A. 483. Also addressed in that report was the ongoing development of a new policy and procedures for the handling of "sensitive homeland security information" (referred to as "SHSI") throughout the executive branch. See also FOIA Post, "FOIA Officers Conference Held on Homeland Security" (posted 7/3/03). While that development will not directly impact the governmentwide administration of the FOIA, in that it will involve no additional authority for protecting information from public disclosure, it certainly holds the potential of significantly altering the landscape for the safeguarding of federal information. It remains to be seen whether this latter initiative as described in DHS's statutory report will be instituted prior to the finalization of its regulations on CII.  (posted 2/27/04)

Go to: Main FOIA Post Page// DOJ FOIA Page // DOJ Home Page