Private sector responds slowly to DHS info sharing program
The Homeland Security Department office set up to shield information about private sector vulnerabilities in critical infrastructure has been underwhelmed since opening.
The Homeland Security Department office set up to shield information about private sector vulnerabilities in critical infrastructure has been underwhelmed since opening for business three months ago.
Since February the Protected Critical Infrastructure Information Office has received six submissions, said program manager Frederick W. Herr.
That is not necessarily bad news, Herr said at a briefing in Washington today. The office had been concerned that it might get hit with an industry data dump on the first day of business.
"The pace at which we have received submissions has allowed us to test and adjust our processes," he said. "Most of the submissions have been in formats we didn't anticipate, in ways we didn't expect."
PCII was established under the Critical Infrastructure Information Act of 2002, part of the legislation creating DHS. It protects information voluntarily submitted under the program with exemptions from disclosure under the Freedom of Information Act and with limits on civil liability. The goal was to encourage companies to share information about threats to and vulnerabilities in privately owned critical infrastructure.
Final rules for how the program would operate were published for public comment Feb. 20. Thirty comments were received during the 90-day comment period that closed May 20. These will be reviewed before rules are finalized.
In the meantime, PCII is in the first phase of its rollout.
Submissions for protected status must be made directly to the PCII office, and the information is provided only to analysts in the DHS Information Analysis and Infrastructure Protection Directorate. Submissions must be made in a physical format.
"We're not yet prepared to receive electronic submissions," Herr said. "The problem we're trying to deal with is what constitutes an acceptable electronic signature."
Over the next year, procedures for submissions will be broadened and dissemination of protected information will be expanded, first throughout DHS and then to approved parties in federal, state and local government, as well as to qualified contractors.