Last week the new Department of Homeland Security (DHS) proposed its rule for handling Critical Infrastructure Information (CII). While it was encouraging that DHS is engaging in an open rulemaking process, complete with a public comment period, the content of the proposed rule was troubling. The CII provisions of the Homeland Security Act of 2002 were already widely criticized, resulting in proposed legislation to fix the provisions. The CII provisions requested that corporations voluntarily submit information on infrastructure vulnerabilities and would be, in return, guaranteed secrecy, civil immunity, preemption of state and local disclosure laws, and criminal penalties for government employees that reveal the information. The DHS proposed rule raises new concerns. The proposed rule broadens the scope of the Homeland Security Act's protections for CII by allowing any agency in the federal government to receive CII submissions from companies and withhold them from disclosure. The Homeland Security Act itself specifies that the provisions only apply to information submitted to DHS. In fact, during debate on the legislation in the House, an amendment to expand the scope of the information provisions to all federal agencies was proposed and voted down. However, the proposed rule attempts to skirt around this by redefining “submission to DHS” as being either directly from companies or indirectly through other agencies. This expansion could confuse the process of managing CII submissions and could lead to the withholding of more information then was originally intended. For instance, suppose a company filed a required report with a federal agency but included some additional critical infrastructure information with the report. The report would be withheld from the public while DHS figured out how to handle the mixed submission and it is very possible that portions of the required report, or possibly the entire report, could be withheld from the public under the CII protections. There are additional concerns with the proposed CII rule including the unclear validation process, a presumption of protection for all submitted information, the ability to withdraw or have the government destroy invalid submissions, and the severe limitation on the government’s ability to use the submitted information. The proposed rule has a public comment period that is open until June 16, and OMB Watch will be submitting comments.