How to Shield Your Critical Security Reports from Public Disclosure
Your security risk analysis data contains sensitive information about your organization. A risk assessment lists your security vulnerabilities, information about your facilities, and other information you don’t want to make public knowledge.
Many organizations believe that keeping these documents internal is enough to protect them, but this is not necessarily the case. However they’re stored, your reports can be used against you in civil liability cases or accessed through requests filed under the Freedom of Information Act (FOIA).
There is a way to protect them, however: filing them with the Cybersecurity & Infrastructure Security Agency’s (CISA) Protected Critical Infrastructure Information (PCII) program.
What is the Protected Critical Infrastructure Information program?
Most people don’t know there’s a federal program designed to keep their data from being shared, but that’s exactly what the Protected Critical Infrastructure Information program is.
PCII is a designation provided by the Department of Homeland Security that allows organizations to shield critical data from the public. If your risk and vulnerability reports have a PCII designation, the reports are not subject to:
The Freedom of Information Act
State, local, tribal, and territorial disclosure laws
Use in regulatory actions
Use in civil litigation
If you’re concerned about a threat and vulnerability assessment report revealing sensitive information about your organization, PCII allows you to protect the data so that it doesn’t go out into the world and create more risk for your organization.
Do you need PCII protection?
It’s an excellent protection to have. We recommend that organizations apply for PCII immediately after completing an assessment. Even in a civil liability case, your risk increases when you expose your organization’s vulnerabilities to the world. It just doesn’t make sense to allow even the possibility of your assessments being subject to FOIA or a civil liability lawsuit.
Under PCII, not even your employees can access the report without permission. In the case of a civil liability claim, such as a slip-and-fall incident, the plaintiff can’t access the report to argue that your company knew about that crack in the sidewalk. Your primary concern is to keep sensitive security information out of the public eye to limit your vulnerabilities and exposure.
However, the purpose of PCII is not to absolve you of your responsibilities to keep people safe from accidents. It is still your responsibility to protect your employees and the public. And you can still be successfully sued if an accident occurs at your facility. PCII doesn’t protect you from lawsuits or absolve you of ethical standards—it simply protects that particular security report from being released to the public.
How can you get PCII protection?
PCII protection can be extended to any information related to critical infrastructure or protected systems, including:
Documents
Records
Other information concerning threats, vulnerabilities and operational experience
The number one factor in determining PCII eligibility is whether your organization is part of the critical infrastructure. DHS provides a list of critical infrastructure categories. In essence, your organization qualifies as critical infrastructure if the economy of the area, region, state, or country would be affected if a critical event occurred at your facility.
To get PCII protection, submit an application. (The PCII Program encourages online submissions.) The application will be acknowledged within 30 days. Validation, however, can take weeks to months. Submissions that are not validated are either destroyed or returned to the sender.
Risk assessment reports need protection
Today, 85 percent of our nation’s critical infrastructure is privately owned. If that includes your organization, there is essentially no automatic protection to ensure that your assessments stay within your company. But by applying for PCII, you can help guard your most sensitive information from the public domain.
Having that data in a digital format makes the process even easier. Security risk assessment software, like Circadian Risk, allows you to collect risk data from all your sites, creating a living document that helps you remediate your vulnerabilities quickly and easily.