DHS Releases CII Rule

Months after receiving comments on the proposed rule, the Department of Homeland Security (DHS) finally published the interim final rule for Critical Infrastructure Information (CII) in the Feb. 20 Federal Register. Although it is an interim final rule with a public comment period open until May 20, the rule went into effect immediately. DHS hopes that by providing exemptions from public disclosure, restrictions on regulatory activities, and civil immunity, companies will be encouraged enough to voluntarily share information on the vulnerabilities of critical infrastructure. The agency published the proposed rule April 15, 2003, and received 64 substantive comments during the two-month public comment period. It is unclear why DHS needed 8 months from the close of the public comment period to publish the final rule. While the foundation of the rule, which was dictated by a congressional statute, remains the same as in the proposed rule, there were some notable changes. On several minor issues, public interest groups seem to have made some progress.
  • The program is limited to only direct submissions to DHS.
  • The rule contains strengthened statements explaining that information required by any other agencies cannot be CII.
  • Submitters must provide a fairly strong express statement attesting that the submitted information meets the criteria and is not required by any federal agency.
  • The rule allows the protection status of information to change if the information becomes available through other legal means, is now customarily in the public domain, or is required to be submitted to DHS.
  • Any disclosure that qualifies as whistleblowing under the Whistleblower Protection Act (WPA) is considered authorized and is exempt from penalties.
Unfortunately, these minor improvements do not affect many of the more serious and fundamental flaws in the CII program. In fact, several of the improvements noted above are either temporary or significantly limited.
  • DHS plans to expand the program to allow submissions through other federal agencies in the final rule.
  • The government still cannot use submitted CII for any regulatory action (e.g., inspection, violation notice, fine, etc.).
  • DHS still requires consent from the submitters (typically in writing) to share, disclose or basically use the information in any meaningful manner.
  • Submissions are now automatically presumed to be made in good faith.
  • The database tracking the submissions seems to be protected under the program.
  • While the protected status can change, the rule does not include, nor do FOIA requests trigger, any standard procedures to provide for a secondary review of submissions.