Regulations last checked for updates: Nov 22, 2024

Title 6 - Domestic Security (last revised: Nov 19, 2024)
§ 29.7 - Safeguarding of PCII.

(a) Safeguarding. All persons granted access to PCII are responsible for safeguarding such information in their possession or control. PCII must be protected at all times by appropriate storage and handling. Each person who works with PCII is personally responsible for taking proper precautions to ensure that unauthorized persons do not gain access to it.

(b) Background checks on persons with access to PCII. For those who require access to PCII, CISA will, to the extent practicable and consistent with the purposes of the CII Act, undertake appropriate background checks to ensure that individuals with access to PCII do not pose a threat to national security. These checks may also be waived in exigent circumstances.

(c) Use and storage. When PCII is in the physical possession of a person, reasonable steps must be taken, in accordance with procedures prescribed by the PCII Program Manager, to minimize the risk of access to PCII by unauthorized persons. When PCII is not in the physical possession of a person, it must be stored in a secure environment.

(d) Reproduction. Pursuant to procedures prescribed by the PCII Program Manager, a document or other material containing PCII may be reproduced to the extent necessary and consistent with the need to carry out official duties, provided that the reproduced documents or material are marked and protected in the same manner as the original documents or material.

(e) Disposal of information. Documents and material containing PCII may be disposed of by any method that prevents unauthorized retrieval, such as shredding or incineration.

(f) Transmission of information. PCII will be transmitted only by secure means of delivery as determined by the PCII Program Manager, and in conformance with appropriate federal standards.

(g) Automated Information Systems. The PCII Program Manager will establish security requirements designed to protect information to the maximum extent practicable, and consistent with the CII Act, for Automated Information Systems that contain PCII. Such security requirements will be in conformance with the information technology security requirements in the Federal Information Security Management Act and the Office of Management and Budget's implementing policies.

authority: 6 U.S.C. 671-674; Section 2222-2225 of the Homeland Security Act of 2002, Pub. L. 107-296, 116 Stat. 2135, as amended by Subtitle B of the Cybersecurity and Infrastructure Security Act of 2018, Pub. L. 115-278, 132 Stat. 4184. 5 U.S.C. 301.
source: 71 FR 52271, Sept. 1, 2006, as amended at 87 FR 77972, Dec. 21, 2022, unless otherwise noted.
cite as: 6 CFR 29.7