CUI Explorer

Protected Critical Infrastructure Information

As defined by 6 USC 131-134, and 6 CFR 29, PCII relates to threats, vulnerabilities, or operational experience related to the national infrastructure. PCII offers protection to private sector infrastructure information voluntarily shared with government entities for purposes of homeland security.

Registry status: NARA & DoD
Marking: PCII
Organizational index group: Critical Infrastructure
Updated: 2026-05-15


Registry comparison

Field | NARA Registry | DoD Registry
Category description | As defined by 6 USC 131-134, and 6 CFR 29, PCII relates to threats, vulnerabilities, or operational experience related to the national infrastructure. PCII offers protection to private sector infrastructure information voluntarily shared with government entities for purposes of homeland security. | PCII relates to threats, vulnerabilities, or operational experience related to the national infrastructure. PCII offers protection to private sector infrastructure information voluntarily shared with government entities for purposes of homeland security.
Category marking | PCII | PCII
Banner marking | CUI//SP-PCII | No corresponding field
Basic or Specified | Specified | No corresponding field
Authorities | 6 CFR 29 | 6 CFR 29
DoD applicable policies | No corresponding field | DoDD 3020.40, DoDI 3020.45
Required warning statement | No corresponding field | None listed
Required dissemination control | CUI//SP-PCII | None listed
Examples | No corresponding field | Asset location, Asset listing, Mission assurance assessment reports, Commercial organizations, Building blueprints
Registry date | May 13, 2025 | 2026-05-15

Authority analysis

Authority title: Registry authority evidence compiled; primary authority text analysis pending
Authorities: 6 CFR 29
Source currency: NARA last reviewed: May 13, 2025 | DoD detail accessed: 2026-05-15
How the authority operates: NARA registry status: Specified. Per-authority NARA status values: Specified. NARA banner marking evidence: CUI//SP-PCII. The registry evidence is preserved here; detailed primary-law or regulation text analysis remains pending for this category.

Trigger conditions

  • NARA category scope: As defined by 6 USC 131-134, and 6 CFR 29, PCII relates to threats, vulnerabilities, or operational experience related to the national infrastructure. PCII offers protection to private sector infrastructure information voluntarily shared with government entities for purposes of homeland security.
  • DoD category scope: PCII relates to threats, vulnerabilities, or operational experience related to the national infrastructure. PCII offers protection to private sector infrastructure information voluntarily shared with government entities for purposes of homeland security.

Covered information

  • Asset location
  • Asset listing
  • Mission assurance assessment reports
  • Commercial organizations
  • Building blueprints
  • Registry-described information: As defined by 6 USC 131-134, and 6 CFR 29, PCII relates to threats, vulnerabilities, or operational experience related to the national infrastructure. PCII offers protection to private sector infrastructure information voluntarily shared with government entities for purposes of homeland security.
  • DoD-described information: PCII relates to threats, vulnerabilities, or operational experience related to the national infrastructure. PCII offers protection to private sector infrastructure information voluntarily shared with government entities for purposes of homeland security.

Specified controls

NARA basic or specified: Specified
NARA authority rows: 6 CFR 29 | status: Specified | banner: CUI//SP-PCII | sanctions: 6 CFR 29.9
NARA banner markings: CUI//SP-PCII
NARA sanctions: 6 CFR 29.9
DoD applicable policies: DoDD 3020.40, DoDI 3020.45

Safeguarding and dissemination controls

NARA Registry: CUI//SP-PCII
DoD Registry: None listed
Authority analysis: No DoD required dissemination control is listed on the registry page. Apply approved limited dissemination controls only when required or permitted by the designating agency or governing authority.
Basic or Specified: Use the registry assertions, NARA authority rows, DoD authorities, DoD policies, warning statements, required dissemination controls, and examples first. Where the cited authority does not specify a handling detail, apply CUI Basic safeguards and dissemination rules so long as they do not conflict with the authority or agency-specific controls.

Related authorities

Authority-by-authority detail

6 CFR 29

Listed by: NARA Registry, DoD Registry, Related authorities

Designation evidence

  • NARA authority row: 6 CFR 29 | status: Specified | banner: CUI//SP-PCII.
  • NARA sanctions field: 6 CFR 29.9.
  • DoD authority row: 6 CFR 29. DoD lists this citation for the category; this DoD detail page does not display a separate Basic/Specified field.
  • Related authority evidence: 6 CFR 29 | status: Specified | banner: CUI//SP-PCII | sanctions: 6 CFR 29.9
  • Related authority evidence: DoD lists this authority for the category; the linked authority text is extracted below when available.
  • Registry designation context: Specified, CUI//SP-PCII. The linked authority text contains category-scope or applicability language that helps determine when the information falls within this CUI category. The linked authority text contains disclosure, access, protection, release, dissemination, or distribution-control language relevant to handling. The linked authority text contains violation, penalty, sanction, or enforcement language that may affect consequences for mishandling.
  • Registry designation for this category is Specified with banner CUI//SP-PCII.

Extracted authority meaning

  • PART 29—PROTECTED CRITICAL
  • Registry designation context: Specified, CUI//SP-PCII. The linked authority text contains category-scope or applicability language that helps determine when the information falls within this CUI category. The linked authority text contains disclosure, access, protection, release, dissemination, or distribution-control language relevant to handling. The linked authority text contains violation, penalty, sanction, or enforcement language that may affect consequences for mishandling.

Operating conditions

  • NARA category scope used with this authority: As defined by 6 USC 131-134, and 6 CFR 29, PCII relates to threats, vulnerabilities, or operational experience related to the national infrastructure. PCII offers protection to private sector infrastructure information voluntarily shared with government entities for purposes of homeland security.
  • DoD category scope used with this authority: PCII relates to threats, vulnerabilities, or operational experience related to the national infrastructure. PCII offers protection to private sector infrastructure information voluntarily shared with government entities for purposes of homeland security.
  • 6 CFR 29 | status: Specified | banner: CUI//SP-PCII | sanctions: 6 CFR 29.9
  • DoD lists this authority for the category; the linked authority text is extracted below when available.
  • NARA registry status: Specified. Per-authority NARA status values: Specified. NARA banner marking evidence: CUI//SP-PCII. The registry evidence is preserved here; detailed primary-law or regulation text analysis remains pending for this category.
  • Extracted authority condition: (a) CII shall receive the protections of section 214 of the CII Act when: (1) Such information is voluntarily submitted, directly or indirectly, to the PCII Program Manager or the PCII Program Manager’s designee; (2) The information is submitted for protected use regarding the security of critical infrastructure or protected systems, analysis, warning, interdependency study, recovery, reconstitution, or other appropriate purposes including, without limitation, for the identification, analysis, prevention, preemption, disruption, defense against and/or mitigation of terrorist threats to the homeland; (3) The information is labeled with an express statement as follows: (i) In the case of documentary submissions, written marking on the information or records substantially similar to the following: “This information is voluntarily submitted to the Federal government in expectation of protection from disclosure as provided by the provisions of the Critical Infrastructure Information Act of 2002”; or (ii) In the case of oral information: (A) Through an oral statement, made at the time of the oral submission or within a reasonable period thereafter, indicating an expectation of protection from disclosure as provided by the provisions of the CII Act;...
  • Extracted authority condition: (b) Critical Infrastructure Information, or CII, has the same meaning as established in section 212 of the CII Act of 2002 and means information not customarily in the public domain and related to the security of critical infrastructure or protected systems, including documents, records or other information concerning: (1) Actual, potential, or threatened interference with, attack on, compromise of, or incapacitation of critical infrastructure or protected systems by either physical or computer-based attack or other similar conduct (including the misuse of or unauthorized access to all types of communications and data transmission systems) that violates Federal, State, local, or tribal law, harms interstate commerce of the United States, or threatens public health or safety; (2) The ability of any critical infrastructure or protected system to resist such interference, compromise, or incapacitation, including any planned or
  • Extracted authority condition: (C) Advise the submitting person or entity that the submission can be withdrawn at any time before a final determination is made; (D) Notify the submitting person or entity that until a final determination is made the submission will be treated as PCII; (E) Notify the submitting person or entity that any response to the notification must be received by the PCII Program Office no later than thirty calendar days after the date of the notification; and (F) Request the submitting person or entity to state whether, in the event the PCII Program Office makes a final determination that any such information is not PCII, the submitting person or entity prefers that the information be maintained without the protections of the CII Act or returned to the submitter or destroyed.

Safeguarding and dissemination controls

  • NARA registry control evidence: status Specified; banner marking CUI//SP-PCII.
  • DoD applicable policies: DoDD 3020.40, DoDI 3020.45
  • NARA basic or specified: Specified
  • NARA authority rows: 6 CFR 29 | status: Specified | banner: CUI//SP-PCII | sanctions: 6 CFR 29.9
  • NARA banner markings: CUI//SP-PCII
  • NARA sanctions: 6 CFR 29.9
  • No DoD required dissemination control is listed on the registry page. Apply approved limited dissemination controls only when required or permitted by the designating agency or governing authority.
  • Use the registry assertions, NARA authority rows, DoD authorities, DoD policies, warning statements, required dissemination controls, and examples first. Where the cited authority does not specify a handling detail, apply CUI Basic safeguards and dissemination rules so long as they do not conflict with the authority or agency-specific controls.
  • Extracted authority control: Notice of the final change in status of PCII shall be provided to all recipients of that PCII under 6 CFR 29.8. § 29.7 Safeguarding of Protected Critical Infrastructure Information.
  • Extracted authority control: (4) The issuance of advisories, notices and warnings related to the protection of critical infrastructure or protected systems in such a manner as to protect from unauthorized disclosure the source of critical infrastructure information that forms the basis of the warning, and any information that is proprietary or business sensitive, might be used to identify the submitting person or entity, or is otherwise not appropriately in the public domain.
  • Extracted authority control: As required by the CII Act, these rules establish procedures regarding: (1) The acknowledgement of receipt by DHS of voluntarily submitted CII; (2) The receipt, validation, handling, storage, proper marking and use of information as PCII; (3) The safeguarding and maintenance of the confidentiality of such information, appropriate sharing of such information with State and local governments pursuant to section 214(a) through (g) of the HSA.
  • Extracted authority control: (a) CII shall receive the protections of section 214 of the CII Act when: (1) Such information is voluntarily submitted, directly or indirectly, to the PCII Program Manager or the PCII Program Manager’s designee; (2) The information is submitted for protected use regarding the security of critical infrastructure or protected systems, analysis, warning, interdependency study, recovery, reconstitution, or other appropriate purposes including, without limitation, for the identification, analysis, prevention, preemption, disruption, defense against and/or mitigation of terrorist threats to the homeland; (3) The information is labeled with an express statement as follows: (i) In the case of documentary submissions, written marking on the information or records substantially similar to the following: “This information is voluntarily submitted to the Federal government in expectation of protection from disclosure as provided by the provisions of the Critical Infrastructure Information Act of 2002”; or (ii) In the case of oral information: (A) Through an oral statement, made at the time of the oral submission or within a reasonable period thereafter, indicating an expectation of protection from disclosure as provided by the provisions of the CII Act;...
  • Extracted authority control: Pursuant to section 214(a)(1)(C) of the Homeland Security Act of 2002, PCII shall not, without the written consent of the person or entity submitting such information, be used directly by any Federal, State or local authority, or by any third party, in any civil action arising under Federal, State, local, or tribal law. § 29.9 Investigation and reporting of violation of PCII procedures.
  • Extracted authority control: PCII may be provided to a State or local government entity for the purpose of protecting critical infrastructure or protected systems, or in furtherance of an investigation or the prosecution of a criminal act.

Authority excerpts

Most relevant extracted authority passage

Notice of the final change in status of PCII shall be provided to all recipients of that PCII under 6 CFR 29.8. § 29.7 Safeguarding of Protected Critical Infrastructure Information.

Extracted authority passage 2

(4) The issuance of advisories, notices and warnings related to the protection of critical infrastructure or protected systems in such a manner as to protect from unauthorized disclosure the source of critical infrastructure information that forms the basis of the warning, and any information that is proprietary or business sensitive, might be used to identify the submitting person or entity, or is otherwise not appropriately in the public domain.

Extracted authority passage 4

As required by the CII Act, these rules establish procedures regarding: (1) The acknowledgement of receipt by DHS of voluntarily submitted CII; (2) The receipt, validation, handling, storage, proper marking and use of information as PCII; (3) The safeguarding and maintenance of the confidentiality of such information, appropriate sharing of such information with State and local governments pursuant to section 214(a) through (g) of the HSA.

Extracted authority passage 5

(a) CII shall receive the protections of section 214 of the CII Act when: (1) Such information is voluntarily submitted, directly or indirectly, to the PCII Program Manager or the PCII Program Manager’s designee; (2) The information is submitted for protected use regarding the security of critical infrastructure or protected systems, analysis, warning, interdependency study, recovery, reconstitution, or other appropriate purposes including, without limitation, for the identification, analysis, prevention, preemption, disruption, defense against and/or mitigation of terrorist threats to the homeland; (3) The information is labeled with an express statement as follows: (i) In the case of documentary submissions, written marking on the information or records substantially similar to the following: “This information is voluntarily submitted to the Federal government in expectation of protection from disclosure as provided by the provisions of the Critical Infrastructure Information Act of 2002”; or (ii) In the case of oral information: (A) Through an oral statement, made at the time of the oral submission or within a reasonable period thereafter, indicating an expectation of protection from disclosure as provided by the provisions of the CII Act;...

DoDD 3020.40

Listed by: Related authorities

Designation evidence

  • Related authority evidence: DoD lists this applicable policy for the category; the linked policy text is extracted below when available.
  • Registry designation context: Specified, CUI//SP-PCII. The linked authority text contains category-scope or applicability language that helps determine when the information falls within this CUI category. The linked authority text contains disclosure, access, protection, release, dissemination, or distribution-control language relevant to handling. The linked authority text contains violation, penalty, sanction, or enforcement language that may affect consequences for mishandling.
  • Registry designation for this category is Specified with banner CUI//SP-PCII.

Extracted authority meaning

  • Title: DoDD 3020.40, November 29, 2016, Incorporating Change 1 on September 11, 2018
  • Registry designation context: Specified, CUI//SP-PCII. The linked authority text contains category-scope or applicability language that helps determine when the information falls within this CUI category. The linked authority text contains disclosure, access, protection, release, dissemination, or distribution-control language relevant to handling. The linked authority text contains violation, penalty, sanction, or enforcement language that may affect consequences for mishandling.

Operating conditions

  • DoD lists this applicable policy for the category; the linked policy text is extracted below when available.
  • Extracted authority condition: (4) Provide timely information to the Secretary of Homeland Security and the national critical infrastructure centers necessary to support cross-sector analysis and inform the situational awareness capability for critical infrastructure.
  • Extracted authority condition: (5) Providing to the Secretary of Homeland Security, on an annual basis, sector-specific critical infrastructure information.
  • Extracted authority condition: A process to protect or ensure the continued function and resilience of capabilities and assets, including personnel, equipment, facilities, networks, information and information systems, infrastructure, and supply chains, critical to the execution of DoD mission-essential functions in any operating environment or condition.

Safeguarding and dissemination controls

  • Extracted authority control: Composed of personnel, physical, industrial, information, and operational security programs; special access programs security policy; critical program information protection policy; and security training.
  • Extracted authority control: DoD Components will maintain sufficient resources to meet DCI responsibilities for identifying, assessing, managing, and monitoring risk to critical infrastructure and align associated security, protection, and risk management efforts under an MA construct.
  • Extracted authority control: These existing security, protection, and risk-management programs and activities will continue to meet DoDD 3020.40, November 29, 2016 Change 1, September 11, 2018
  • Extracted authority control: Department of Homeland Security, “National Infrastructure Protection Plan 2013: Partnering for Critical Infrastructure Security and Resiliency,” 2013
  • Extracted authority control: Ensures that such information-sharing policy also conforms to DoD policy on information sharing and information safeguarding, and safeguards information from disclosure that could harm DoD operations or jeopardize information-safeguarding agreements.
  • Extracted authority control: Unit commanders or civilian managers and directors responsible for DoD elements occupying leased facility space, or space in buildings owned or operated by the U.S.
  • Extracted authority control: The framework of interdependent physical and cyber-based systems comprising identifiable industries, institutions (including people and procedures), and distribution capabilities that provide a reliable flow of products and services essential to the defense and economic security of the United States, to the smooth functioning of government at all levels, and to society as a whole.

Authority excerpts

Most relevant extracted authority passage

Composed of personnel, physical, industrial, information, and operational security programs; special access programs security policy; critical program information protection policy; and security training.

Extracted authority passage 2

DoD Components will maintain sufficient resources to meet DCI responsibilities for identifying, assessing, managing, and monitoring risk to critical infrastructure and align associated security, protection, and risk management efforts under an MA construct.

Extracted authority passage 3

These existing security, protection, and risk-management programs and activities will continue to meet DoDD 3020.40, November 29, 2016 Change 1, September 11, 2018

Extracted authority passage 4

Department of Homeland Security, “National Infrastructure Protection Plan 2013: Partnering for Critical Infrastructure Security and Resiliency,” 2013

Extracted authority passage 5

Ensures that such information-sharing policy also conforms to DoD policy on information sharing and information safeguarding, and safeguards information from disclosure that could harm DoD operations or jeopardize information-safeguarding agreements.

DoDI 3020.45

Listed by: Related authorities

Designation evidence

  • Related authority evidence: DoD lists this applicable policy for the category; the linked policy text is extracted below when available.
  • Registry designation context: Specified, CUI//SP-PCII. The linked authority text contains category-scope or applicability language that helps determine when the information falls within this CUI category. The linked authority text contains disclosure, access, protection, release, dissemination, or distribution-control language relevant to handling. The linked authority text contains violation, penalty, sanction, or enforcement language that may affect consequences for mishandling.
  • Registry designation for this category is Specified with banner CUI//SP-PCII.

Extracted authority meaning

  • Title: DoDI 3020.45, "Mission Assurance Construct," August 14, 2018, Incorporating Change 1 on May 2, 2022
  • Registry designation context: Specified, CUI//SP-PCII. The linked authority text contains category-scope or applicability language that helps determine when the information falls within this CUI category. The linked authority text contains disclosure, access, protection, release, dissemination, or distribution-control language relevant to handling. The linked authority text contains violation, penalty, sanction, or enforcement language that may affect consequences for mishandling.

Operating conditions

  • DoD lists this applicable policy for the category; the linked policy text is extracted below when available.
  • Extracted authority condition: (2) The ASD(HD&HA) will leverage the assessments by the Department of Homeland Security Protective Security Advisors, or other similar assessments, for commercial TCAs, as applicable, and post assessment results to the MA system of record while abiding by all appropriate classification, proprietary, contractual, and protected critical infrastructure information requirements.
  • Extracted authority condition: (3) CCMDs with geographic areas of responsibility will work with the Department of State and host nations, as appropriate and to the greatest extent possible, to assess foreign-owned TCAs and post assessment results to the MA system of record while abiding by all appropriate classification, proprietary, contractual, and protected critical infrastructure information requirements.
  • Extracted authority condition: Information includes but is not limited to asset lists or subsets; asset BEIs; criticality data; threat and hazard information at the global, region, area, or installation and local level; assessment reports; RMPs; operational status reports; program resource information and reports; readiness reporting; program process plans; and MACB and MACB working group information.
  • Extracted authority condition: (3) DoD personnel will be familiar with non-DoD agency classifications such as sensitive secure information, protected critical infrastructure information, and LE sensitive information before release to ensure proper handling of MA information.

Safeguarding and dissemination controls

  • Extracted authority control: (3) DoD personnel will be familiar with non-DoD agency classifications such as sensitive secure information, protected critical infrastructure information, and LE sensitive information before release to ensure proper handling of MA information.
  • Extracted authority control: (2) The ASD(HD&HA) will leverage the assessments by the Department of Homeland Security Protective Security Advisors, or other similar assessments, for commercial TCAs, as applicable, and post assessment results to the MA system of record while abiding by all appropriate classification, proprietary, contractual, and protected critical infrastructure information requirements.
  • Extracted authority control: (3) CCMDs with geographic areas of responsibility will work with the Department of State and host nations, as appropriate and to the greatest extent possible, to assess foreign-owned TCAs and post assessment results to the MA system of record while abiding by all appropriate classification, proprietary, contractual, and protected critical infrastructure information requirements.
  • Extracted authority control: (k) Fire protection and prevention, in accordance with DoDI 6055.06, enhance DoD mission capabilities by protecting the U.S. homeland and critical bases of operation through preventive risk management, education, emergency response, and risk communication as they relates to fire.
  • Extracted authority control: (a) Decomposing assigned strategic missions based upon specified or implied tasks, or based upon the universal joint task list (UJTL), to define and provide mission-essential capabilities, standards, and conditions to appropriate DoD Components for task critical asset (TCA) identification.
  • Extracted authority control: (n) LE, or suspicious activity reporting, in accordance with DoDI 2000.26, identifies persons involved in terrorism, criminal-related activities, and threats directed against DoD.

Authority excerpts

Most relevant extracted authority passage

(3) DoD personnel will be familiar with non-DoD agency classifications such as sensitive secure information, protected critical infrastructure information, and LE sensitive information before release to ensure proper handling of MA information.

Extracted authority passage 3

(2) The ASD(HD&HA) will leverage the assessments by the Department of Homeland Security Protective Security Advisors, or other similar assessments, for commercial TCAs, as applicable, and post assessment results to the MA system of record while abiding by all appropriate classification, proprietary, contractual, and protected critical infrastructure information requirements.

Extracted authority passage 4

(3) CCMDs with geographic areas of responsibility will work with the Department of State and host nations, as appropriate and to the greatest extent possible, to assess foreign-owned TCAs and post assessment results to the MA system of record while abiding by all appropriate classification, proprietary, contractual, and protected critical infrastructure information requirements.

Extracted authority passage 5

(k) Fire protection and prevention, in accordance with DoDI 6055.06, enhance DoD mission capabilities by protecting the U.S. homeland and critical bases of operation through preventive risk management, education, emergency response, and risk communication as they relates to fire.

Extracted authority passage 6

Information includes but is not limited to asset lists or subsets; asset BEIs; criticality data; threat and hazard information at the global, region, area, or installation and local level; assessment reports; RMPs; operational status reports; program resource information and reports; readiness reporting; program process plans; and MACB and MACB working group information.