The Protected Critical Infrastructure Information (PCII) Program was created under the Critical Infrastructure Information (CII) Act of 2002 to protect private-sector infrastructure information voluntarily shared with the government for the purposes of homeland security. The final rule: 6 Code of Federal Regulations (CFR) Part 29, Procedures for Handling Critical Infrastructure Information; Final Rule, published in the Federal Register on September 1, 2006, established uniform procedures on the receipt, validation, handling, storage, marking, and use of CII voluntarily submitted to the Department of Homeland Security.
The protections offered by the PCII Program enhance the voluntary sharing of CII between infrastructure owners/operators and the government by providing confidence that shared sensitive and/or proprietary data will not be exposed.
Federal and state agencies with regulatory oversight of energy utilities and transmission infrastructure have also developed and implemented programs to ensure CII are protected. We are profiling two agencies: Federal Energy Regulatory Commission (FERC) and the California Public Utilities Commission (CPUC) and their respective programs, which are intended to protect CII through implementation of Controlled Unclassified Information (CUI) actions to protect owner/operator assets from potential cybersecurity and/or physical terrorist threats or attacks. The following sections identify and describe CUI and Critical Energy Infrastructure Information (CEII), both of which have been adopted by FERC and CPUC.
CONTROLLED UNCLASSIFIED INFORMATION
CUI, a type of CII, is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable laws, regulations, and government-wide policies as specified in Executive Order 13556 and Rule 32 CFR Part 2002. The National Archives and Records Administration (NARA) was appointed by the President to be the Executive Agent of the CUI Program; this order designated NARA as the agency to oversee the CUI program, a task that was then delegated to the Information Security Oversight Office (ISOO). The ISOO issued 32 CFR 2002, which established policy for handling CUI. Many different organizations and federal/state agencies, including regulatory agencies such as FERC and CPUC, routinely handle, use, share, or receive CUI.
Different types of CUI are classified within organizational index groupings and specific CUI categories. Organizational index groups, including the energy sector, have a large range to encompass sensitive information across the different government agencies, and then are narrowed and defined even further. Within the Critical Infrastructure organizational index, CUI categories include chemical-terrorism vulnerability information, physical security, and water assessments; these CUI classifications define how the different types of information are handled and protected.
CRITICAL ENERGY INFRASTRUCTURE INFORMATION
CEII is another CUI category within the Critical Infrastructure organizational index. 18 CFR Section 388.113 defines CEII as design, engineering, or vulnerability information about existing and/or proposed critical infrastructure. CEII includes information about the production, transmission, or distribution of energy, and it is exempt from mandatory disclosure under the Freedom of Information Act. In addition, any information that could be useful in planning an attack on critical infrastructure is considered to be CEII. Information that only includes the location of the infrastructure is not considered to be CEII.
FEDERAL ENERGY REGULATORY COMMISSION
To promote compliance with ISOO policy that protects CUI, FERC currently accepts electronic filings and comments from the public through its eFiling system. Most filings (including public comments) are labeled as ‘public’ and are available for viewing in FERC’s eLibrary system under a specific project docket number. Documents containing CUI are filed separately from non-sensitive information, which should be marked ‘public.’
For non-public and other sensitive information, FERC has created eight CUI categories using NARA’s guidelines. First, FERC uses these categories to designate documents as either ‘public’ or ‘CUI’ by labeling the top of documents filed externally or created internally. Next, FERC protects CUI by password-protecting file folders using WinZip or password-protecting the actual files with Microsoft or Adobe products.
The September 11, 2001 terrorist attacks prompted the FERC to reconsider its treatment of certain documents that have previously been made available to the public through various means. FERC removed from the public viewing documents (such as oversized maps) that detail the specifications of energy facilities licensed or certificated under Part I of the Federal Power Act and/or Section 7(c) of the Natural Gas Act. The CEII designation was created originally to deter physical threats to any existing or proposed new infrastructure but has developed and evolved to include cybersecurity threats together under the CUI and CII umbrellas.
FERC defines CEII as information related to critical electric infrastructure that is generated by or provided to the FERC or other federal agency (other than classified national security information) or is designated as critical electric infrastructure information by FERC or the Secretary of the Department of Energy pursuant to Section 215A(d) of the Federal Power Act.
Critical energy/electric infrastructure is a system or asset of the bulk-power system (physical or virtual) that, if destroyed or incapacitated, would negatively affect national security, economic security, public health or safety, or any combination of such matters. CEII is specific engineering, vulnerability, or detailed design information about proposed or existing critical infrastructure (physical or virtual) that meets the following criteria:
- relates details about the production, generation, transmission, or distribution of energy;
- could be useful to a person planning an attack on critical infrastructure;
- is exempt from mandatory disclosure under the Freedom of Information Act; and/or
- gives strategic information beyond the location of the critical infrastructure.
CALIFORNIA PUBLIC UTILITIES COMMISSION
While the CPUC uses these federal definitions for CUI and CEII, the agency is also subject to state confidentiality regulations that make this information more difficult to safeguard. The California Public Resources Act (CPRA) requires that public agency records be open to public inspection unless they are exempt as ‘personal’ information. As records received by a state regulatory agency from regulated entities relate to the agency’s conduct of people’s regulatory business, the CPRA definition of public records includes records received and generated by the CPUC. In response to CPRA requests, the CPUC has used existing legislation to reconcile CPRA requirements and safeguard CUI and CEII that is not specifically identified as exempt by the CPRA. Most notably, Public Utilities Code Section 583 sets forth a process for dealing with claims of confidentiality and does not contain any substantive rules about what is and is not appropriate for confidentiality. The CPUC used this code and other similar codes regarding confidentiality to adopt General Order (GO) 66-C in 1974. GO 66-C identifies all CPUC records as public unless they fall within a specific exemption. In 2017, the CPUC adopted the revised GO 66-D to replace GO 66-C.
GO 66-D, as amended in 2020, establishes processes for:
- submitting information to the CPUC with a claim of confidentiality;
- the public to submit requests for information to the CPUC per the CPRA;
- the CPUC to determine whether a claim of confidentiality for a submission of information is lawful; and
- the CPUC to determine whether information, including information both submitted to and generated by the CPUC, can be released to the public (including but not limited to information provided in response to a CPRA request).
This process requires utilities to identify the information within a submission that needs to be claimed as confidential. Additionally, the utility must specify the basis for the CPUC to provide confidential treatment. If the utility claims that the submitted information is CII, this information must meet a baseline that requires the utility to show that the information is not customarily in the public domain by providing a declaration stating that the information is not related to the location of a physical structure that is visible with the naked eye available publicly online or in print; this baseline also requires that the utility prove that the information either discusses vulnerabilities of a facility providing critical utility care or could allow a bad actor to attack, compromise, or incapacitate utility service.
GO 66-D has greatly improved the CPUC’s ability to response to CPRA requests in a timely manner and safeguard information that is truly confidential while allowing the public to have access to all other records. The baseline for CII enables a better consideration of confidentiality, as the CPUC’s review is more consistent and appropriate for CUI and CEII.
In addition to these safeguards to information submitted to the CPUC by regulated utilities, there are other circumstances outside of information submittals where the CPUC must act to safeguard sensitive information. When the CPUC communicates with utility companies, the correspondence may include sensitive information that needs additional protections. In some cases, these interactions may require a non-disclosure agreement or protective order in order to continue conversations. The CPUC often uses a Model Protective Order, also commonly used by FERC and utilities, that governs the use, exchange, and discussion of CUI and CEII.
If you have questions regarding FERC’s CUI and CEII policies, please contact Alisa Lykens at 681-247-0022 or email@example.com. If you have questions regarding CPUC’s CRPA program, please contact Anne Marie McGraw and Rob Curley at 650-321-6787, or firstname.lastname@example.org and email@example.com respectively.