DHS Begins Rulemaking Proceeding on FOIA Exemption for Critical Infrastructure Information

April 15, 2003. The Department of Homeland Security (DHS) published a notice in the Federal Register regarding proposed rules for receiving and protecting critical infrastructure information (CII). The DHS is required by the Homeland Security Act to conduct this rulemaking to implement the provisions of the Act creating an exemption to the Freedom of Information Act (FOIA) for certain information about critical infrastructures, including cyber security, that is voluntarily shared with the government.

The relevant statutory provisions are at §§ 211-215 of HR 5005 (107th Congress). These sections are collectively named the "Critical Infrastructure Information Act of 2002". President Bush signed the Homeland Security Act on November 25, 2002. It then became Public Law No. 107-296. The FOIA is codified at 5 U.S.C. 552.

The CII exemption to the FOIA was enacted to incent companies to share information with the government that they would not otherwise share because of fears that their competitors or critics could obtain it under the FOIA. The government needs information from the private sector to be able to combat cyber terrorism and other threats to critical infrastructures. Technology companies and groups strongly supported creating the exemption.

During consideration of the Homeland Security Act in 2002, some other groups opposed creating the exemption, arguing that they would use the FOIA to obtain records regarding critical infrastructures, in furtherance of their watchdog functions. Also, some Democrats in Congress, responding to these arguments, opposed including the exemption in the bill.

The proposed rules contained in this notice provide further guidance on what information may be protected as CII, and how persons and entities providing CII may mark and submit CII in a manner that will allow the DHS to treat it as protected CII.

The notice contains proposed definitions of many key terms. The notice also contains proposed procedures for administering the CII program, authority to receive CII, and safeguarding of protected CII.

The deadline to submit comments is June 16, 2003. See, Federal Register, April 15, 2003, Vol. 68, No. 72, at Pages 18523 - 18529.