View all text of Part B [§ 671 - § 674]
§ 673. Protection of voluntarily shared critical infrastructure information
(a) Protection
(1) In generalNotwithstanding any other provision of law, critical infrastructure information (including the identity of the submitting person or entity) that is voluntarily submitted to a covered Federal agency for use by that agency regarding the security of critical infrastructure and protected systems, analysis, warning, interdependency study, recovery, reconstitution, or other informational purpose, when accompanied by an express statement specified in paragraph (2)—
(A) shall be exempt from disclosure under section 552 of title 5 (commonly referred to as the Freedom of Information Act);
(B) shall not be subject to any agency rules or judicial doctrine regarding ex parte communications with a decision making official;
(C) shall not, without the written consent of the person or entity submitting such information, be used directly by such agency, any other Federal, State, or local authority, or any third party, in any civil action arising under Federal or State law if such information is submitted in good faith;
(D) shall not, without the written consent of the person or entity submitting such information, be used or disclosed by any officer or employee of the United States for purposes other than the purposes of this part, except—
(i) in furtherance of an investigation or the prosecution of a criminal act; or
(ii) when disclosure of the information would be—(I) to either House of Congress, or to the extent of matter within its jurisdiction, any committee or subcommittee thereof, any joint committee thereof or subcommittee of any such joint committee; or(II) to the Comptroller General, or any authorized representative of the Comptroller General, in the course of the performance of the duties of the Government Accountability Office.1
1 So in original. The period probably should be a semicolon.
(E) shall not, if provided to a State or local government or government agency—
(i) be made available pursuant to any State or local law requiring disclosure of information or records;
(ii) otherwise be disclosed or distributed to any party by said State or local government or government agency without the written consent of the person or entity submitting such information; or
(iii) be used other than for the purpose of protecting critical infrastructure or protected systems, or in furtherance of an investigation or the prosecution of a criminal act; and
(F) does not constitute a waiver of any applicable privilege or protection provided under law, such as trade secret protection.
(2) Express statementFor purposes of paragraph (1), the term “express statement”, with respect to information or records, means—
(A) in the case of written information or records, a written marking on the information or records substantially similar to the following: “This information is voluntarily submitted to the Federal Government in expectation of protection from disclosure as provided by the provisions of the Critical Infrastructure Information Act of 2002.”; or
(B) in the case of oral information, a similar written statement submitted within a reasonable period following the oral communication.
(b) Limitation
(c) Independently obtained information
(d) Treatment of voluntary submittal of information
(e) Procedures
(1) In general
(2) ElementsThe procedures established under paragraph (1) shall include mechanisms regarding—
(A) the acknowledgement of receipt by Federal agencies of critical infrastructure information that is voluntarily submitted to the Government;
(B) the maintenance of the identification of such information as voluntarily submitted to the Government for purposes of and subject to the provisions of this part;
(C) the care and storage of such information; and
(D) the protection and maintenance of the confidentiality of such information so as to permit the sharing of such information within the Federal Government and with State and local governments, and the issuance of notices and warnings related to the protection of critical infrastructure and protected systems, in such manner as to protect from public disclosure the identity of the submitting person or entity, or information that is proprietary, business sensitive, relates specifically to the submitting person or entity, and is otherwise not appropriately in the public domain.
(f) Penalties
(g) Authority to issue warningsThe Federal Government may provide advisories, alerts, and warnings to relevant companies, targeted sectors, other governmental entities, or the general public regarding potential threats to critical infrastructure as appropriate. In issuing a warning, the Federal Government shall take appropriate actions to protect from disclosure—
(1) the source of any voluntarily submitted critical infrastructure information that forms the basis for the warning; or
(2) information that is proprietary, business sensitive, relates specifically to the submitting person or entity, or is otherwise not appropriately in the public domain.
(h) Authority to delegate
(Pub. L. 107–296, title XXII, § 2224, formerly title II, § 214, Nov. 25, 2002, 116 Stat. 2152; Pub. L. 108–271, § 8(b), July 7, 2004, 118 Stat. 814; Pub. L. 112–199, title I, § 111, Nov. 27, 2012, 126 Stat. 1472; renumbered title XXII, § 2224, and amended Pub. L. 115–278, § 2(g)(2)(H), (9)(B)(ii), Nov. 16, 2018, 132 Stat. 4178, 4181; Pub. L. 117–286, § 4(a)(18), Dec. 27, 2022, 136 Stat. 4307.)