The Care and Handling of CEII
Privacy Plus+
Privacy, Technology and Perspective
This week, let’s consider an unusual type of confidential information called “CUI,” and how one example of it is regulated in the energy industry.
What is CUI? “CUI” stands for “Controlled Unclassified Information.” CUI is information that is not strictly “classified” by the US Government (e.g. Confidential, Secret, Top Secret, etc.), but is still “regulated” by the Executive Branch. Generally, information that qualifies as CUI must be designated, handled, and decontrolled in specific ways. You can read more about CUI here:
· 32 CFR 2002.20: https://www.govinfo.gov/content/pkg/CFR-2018-title32-vol6/pdf/CFR-2018-title32-vol6-part2002.pdf
· CUI Guidance: https://www.archives.gov/guidance/cui-guidance
· Limited Dissemination Controls: https://www.archives.gov/files/cui/documents/20181116-cui-notice-2018-07-limited-dissemination-controls.pdf
Spotlight on CEII: Many industrial systems or assets play a critical role in the life of the nation, and are therefore called “critical infrastructure.” One important example of CUI associated with critical infrastructure is CEII, which encompasses sensitive information about critical electric and energy infrastructure.
Critical electric infrastructure means generally a system or asset of the bulk-power system, whether physical or virtual, whose incapacity or destruction would negatively affect national security, economic security, public health and/or safety.
Critical energy infrastructure information means specific engineering, vulnerability, or detailed design information about proposed or existing critical infrastructure that:
· Relates details about the production, generation, transportation, transmission, or distribution of energy;
· Could be useful to a person in planning an attack on critical infrastructure;
· Is exempt from mandatory disclosure under the Freedom of Information Act (“FOIA”); and
· Does not simply give the general location of the critical infrastructure.
How is CEII regulated? CEII is regulated by the Federal Energy Regulatory Commission (“FERC”), an independent agency within the U.S. Department of Energy that regulates the transmission of electricity, oil, and natural gas in interstate commerce. Generally, FERC requires entities to know what materials they have that meet the definition of CEII and to restrict access to them. FERC also restricts access to such materials when they are shared with FERC during licensing/registration and regulation.
How to handle CEII: The procedures for submitting, designating, handling, sharing, and disseminating CEII are described in 18 CFR Part 388, a link to which follows:
https://www.ecfr.gov/current/title-18/chapter-I/subchapter-X/part-388/section-388.113
Submissions and designations. To designate material as CEII, an entity must: (1) submit to FERC a written justification for CEII treatment; (2) clearly label the cover page and pages or portions to be designated CEII in bold, capital letters, indicating that it contains CEII and marked “DO NOT RELEASE;” and (3) include a proposed form of protective agreement, or identify a protective agreement that has already been filed in the proceeding that applies to the CEII.
Once submitted, FERC’s CEII Coordinator will evaluate whether the information, or portions of it, falls within the CEII definitions. Once material is designated CEII, the designation may last up to five years unless the material is re-designated.
Sharing / Accessing / Disseminating CEII: FERC facilitates voluntary sharing of CEII among appropriate public authorities and certain others, like owners/operators of a facility and their employees. See 18 C.F.R. 388.113(g).
“Receivers” of CEII must follow a three-step process outlined in 18 C.F.R. 388.113(g)(5). Summarized, a “receiver” must:
(1) Execute the appropriate non-disclosure agreement;
(2) Identify themselves to FERC (name, title, address, phone number, and the name, address, and phone number of the person/entity on whose behalf the information is requested); and
(3) Provide FERC with a Statement of Need, detailing:
· the extent to which a particular function depends upon access to the information;
· why the function cannot be achieved or performed without access to the information;
· whether other available information could facilitate the same objective;
· how long the information will be needed;
· any specific proceeding in connection with which the information is needed; and
· how quickly the information is needed.
FERC maintains an online CEII Request Form, a link to which follows:
https://www.ferc.gov/enforcement-legal/ceii/electronic-ceii-request-form
FERC also maintains a filing guide that links to templates for confidentiality/non-disclosure agreements, among other things. A link to the filing guide and template agreements follows:
https://www.ferc.gov/ceii-filing-guide
Closing thoughts for Owners/Operators and their Service Providers: Organizations that have submitted certain materials to FERC as CEII should limit who has access to that material and ensure that they are handling their own CEII in a manner consistent with FERC’s regulations. Specifically, they should observe FERC’s CEII request process, described above. Our impression is that this process may sometimes be overlooked or not fully understood by owners/operators, especially in cases where they rely on service providers to store or otherwise process CEII on their behalf. The security and confidentiality of CEII are important, so organizations handling CEII will wish to confirm that they have implemented access controls and other measures to protect that information from unauthorized access and misuse.
---
Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.