DHS issues final critical-infrastructure rule

It dictates how the department will handle information it receives from the private sector and state, local and tribal governments.

However, GAO also pointed out that DHS had already received about 290 submissions of information as of January.

The Homeland Security Department issued a final rule today on how it will handle information about U.S. critical infrastructure that it receives from the private sector and state, local and tribal governments. The rule follows a rulemaking process that has already lasted more than three years.

The information is deemed crucial to DHS’ ability to effectively analyze vulnerabilities in critical infrastructure, such as banking and financial institutions, telecommunications networks, and energy production and transmission facilities. About 85 percent of those are in private-sector hands.

But many organizations balked at providing information until DHS specified which information it would request and how it would share and protect that information.

The Critical Infrastructure Information Act of 2002, part of the legislation that established DHS that year, requires the department to set up procedures for the receipt, safe storage and handling of such information. An interim rule was published in February 2004.

In a report to Congress in April, the Government Accountability Office listed four main challenges it said DHS must address to overcome the private sector’s wariness over providing information. Those challenges are:

  • Defining specific government needs for critical infrastructure information.
  • Determining how the information will be used.
  • Assuring the private sector that the information will be protected and defining who will be authorized to have access to it.
  • Demonstrating to critical infrastructure owners the benefits of sharing the information.