(a) Applicability. This section governs the maintenance, safeguarding, and disclosure of information and records that constitute Chemical-terrorism Vulnerability Information (CVI), as defined in §27.400(b). The Secretary shall administer this section consistent with section 550(c) of the Homeland Security Appropriations Act of 2007, including appropriate sharing with Federal, State and local officials.
(b) Chemical-terrorism vulnerability information. In accordance with section 550(c) of the Department of Homeland Security Appropriations Act of 2007, the following information, whether transmitted verbally, electronically, or in written form, shall constitute CVI:
(1) Security Vulnerability Assessments under §27.215;
(2) Site Security Plans under §27.225;
(3) Documents relating to the Department's review and approval of Security Vulnerability Assessments and Site Security Plans, including Letters of Authorization, Letters of Approval and responses thereto; written notices; and other documents developed pursuant to §27.240 or §27.245;
(4) Alternate Security Programs under §27.235;
(5) Documents relating to inspection or audits under §27.250;
(6) Any records required to be created or retained under §27.255;
(7) Sensitive portions of orders, notices or letters under §27.300;
(8) Information developed pursuant to §§27.200 and 27.205; and
(9) Other information developed for chemical facility security purposes that the Secretary, in his discretion, determines is similar to the information protected in §27.400(b)(1) through (8) and thus warrants protection as CVI.
(c) Covered persons. Persons subject to the requirements of this section are:
(1) Each person who has a need to know CVI, as specified in §27.400(e);
(2) Each person who otherwise receives or gains access to what they know or should reasonably know constitutes CVI.
(d) Duty to protect information. A covered person must—
(1) Take reasonable steps to safeguard CVI in that person's possession or control, including electronic data, from unauthorized disclosure. When a person is not in physical possession of CVI, the person must store it in a secure container, such as a safe, that limits access only to covered persons with a need to know;
(2) Disclose, or otherwise provide access to, CVI only to persons who have a need to know;
(3) Refer requests for CVI by persons without a need to know to the Assistant Secretary;
(4) Mark CVI as specified in §27.400(f);
(5) Dispose of CVI as specified in §27.400(k);
(6) If a covered person receives a record or verbal transmission containing CVI that is not marked as specified in §27.400(f), the covered person must—
(i) Mark the record as specified in §27.400(f) of this section; and
(ii) Inform the sender of the record that the record must be marked as specified in §27.400(f); or
(iii) If received verbally, make reasonable efforts to memorialize such information and mark the memorialized record as specified in §27.400(f) of this section, and inform the speaker of any determination that such information warrants CVI protection.
(7) When a covered person becomes aware that CVI has been released to persons without a need to know (including a covered person under §27.400(c)(2)), the covered person must promptly inform the Assistant Secretary.
(8) In the case of information that is CVI and also has been designated as critical infrastructure information under section 214 of the Homeland Security Act, any covered person in possession of such information must comply with the disclosure restrictions and other requirements applicable to such information under section 214 and any implementing regulations.
(e) Need to know.
(1) A person, including a State or local official, has a need to know CVI in each of the following circumstances:
(i) When the person requires access to specific CVI to carry out chemical facility security activities approved, accepted, funded, recommended, or directed by the Department.
(ii) When the person needs the information to receive training to carry out chemical facility security activities approved, accepted, funded, recommended, or directed by the Department.
(iii) When the information is necessary for the person to supervise or otherwise manage individuals carrying out chemical facility security activities approved, accepted, funded, recommended, or directed by the Department.
(iv) When the person needs the information to provide technical or legal advice to a covered person, who has a need to know the information, regarding chemical facility security requirements of Federal law.
(v) When the Department determines that access is required under §27.400(h) or §27.400(i) in the course of a judicial or administrative proceeding.
(2) Federal employees, contractors, and grantees.
(i) A Federal employee has a need to know CVI if access to the information is necessary for performance of the employee's official duties.
(ii) A person acting in the performance of a contract with or grant from the Department has a need to know CVI if access to the information is necessary to performance of the contract or grant. Contractors or grantees may not further disclose CVI without the consent of the Assistant Secretary.
(iii) The Department may require that non-Federal persons seeking access to CVI complete a non-disclosure agreement before such access is granted.
(3) Background check. The Department may make an individual's access to the CVI contingent upon satisfactory completion of a security background check or other procedures and requirements for safeguarding CVI that are satisfactory to the Department.
(4) Need to know further limited by the Department. For some specific CVI, the Department may make a finding that only specific persons or classes of persons have a need to know.
(5) Nothing in §27.400(e) shall prevent the Department from determining, in its discretion, that a person not otherwise listed in §27.400(e) has a need to know CVI in a particular circumstance.
(f) Marking of paper records.
(1) In the case of paper records containing CVI, a covered person must mark the record by placing the protective marking conspicuously on the top, and the distribution limitation statement on the bottom, of—
(i) The outside of any front and back cover, including a binder cover or folder, if the document has a front and back cover;
(ii) Any title page; and
(iii) Each page of the document.
(2) Protective marking. The protective marking is: CHEMICAL-TERRORISM VULNERABILITY INFORMATION.
(3) Distribution limitation statement. The distribution limitation statement is: WARNING: This record contains Chemical-terrorism Vulnerability Information controlled by 6 CFR 27.400. Do not disclose to persons without a “need to know” in accordance with 6 CFR 27.400(e). Unauthorized release may result in civil penalties or other action. In any administrative or judicial proceeding, this information shall be treated as classified information in accordance with 6 CFR 27.400(h) and (i).
(4) Other types of records. In the case of non-paper records that contain CVI, including motion picture films, videotape recordings, audio recording, and electronic and magnetic records, a covered person must clearly and conspicuously mark the records with the protective marking and the distribution limitation statement such that the viewer or listener is reasonably likely to see or hear them when obtaining access to the contents of the record.
(g) Disclosure by the Department—In general.
(1) Except as otherwise provided in this section, and notwithstanding the Freedom of Information Act (5 U.S.C. 552), the Privacy Act (5 U.S.C. 552a), and other laws, records containing CVI are not available for public inspection or copying, nor does the Department release such records to persons without a need to know.
(2) Disclosure of Segregatable Information under the Freedom of Information Act and the Privacy Act. If a record is marked to signify both CVI and information that is not CVI, the Department, on a proper Freedom of Information Act or Privacy Act request, may disclose the record with the CVI redacted, provided the record is not otherwise exempt from disclosure under the Freedom of Information Act or Privacy Act.
(h) Disclosure in administrative enforcement proceedings.
(1) The Department may provide CVI to a person governed by section 550, and his counsel, in the context of an administrative enforcement proceeding of section 550 when, in the sole discretion of the Department, as appropriate, access to the CVI is necessary for the person to prepare a response to allegations contained in a legal enforcement action document issued by the Department.
(2) Security background check. Prior to providing CVI to a person under §27.400(h)(1), the Department may require the individual or, in the case of an entity, the individuals representing the entity, and their counsel, to undergo and satisfy, in the judgment of the Department, a security background check.
(i) Disclosure in judicial proceedings.
(1) In any judicial enforcement proceeding of section 550, the Secretary, in his sole discretion, may, subject to §27.400(i)(1)(i), authorize access to CVI for persons necessary for the conduct of such proceedings, including such persons' counsel, provided that no other persons not so authorized shall have access to or be present for the disclosure of such information.
(i) Security background check. Prior to providing CVI to a person under §27.400(i)(1), the Department may require the individual to undergo and satisfy, in the judgment of the Department, a security background check.
(ii) [Reserved]
(2) In any judicial enforcement proceeding of section 550 where a person seeks to disclose CVI to a person not authorized to receive it under paragraph (i)(1) of this section, or where a person not authorized to receive CVI under paragraph (i)(1) of this section seeks to compel its disclosure through discovery, the United States may make an ex parte application in writing to the court seeking authorization to—
(i) Redact specified items of CVI from documents to be introduced into evidence or made available to the defendant through discovery under the Federal Rules of Civil Procedure;
(ii) Substitute a summary of the information for such CVI; or
(iii) Substitute a statement admitting relevant facts that the CVI would tend to prove.
(3) The court shall grant a request under paragraph (i)(2) of this section if, after in camera review, the court finds that the redacted item, stipulation, or summary is sufficient to allow the defendant to prepare a defense.
(4) If the court enters an order granting a request under paragraph (i)(2) of this section, the entire text of the documents to which the request relates shall be sealed and preserved in the records of the court to be made available to the appellate court in the event of an appeal.
(5) If the court enters an order denying a request of the United States under paragraph (i)(2) of this section, the United States may take an immediate, interlocutory appeal of the court's order in accordance with 18 U.S.C. 2339B(f)(4), (5). For purposes of such an appeal, the entire text of the documents to which the request relates, together with any transcripts of arguments made ex parte to the court in connection therewith, shall be maintained under seal and delivered to the appellate court.
(6) Except as provided otherwise at the sole discretion of the Secretary, access to CVI shall not be available in any civil or criminal litigation unrelated to the enforcement of section 550.
(7) Taking of trial testimony—
(i) Objection—During the examination of a witness in any judicial proceeding, the United States may object to any question or line of inquiry that may require the witness to disclose CVI not previously found to be admissible.
(ii) Action by court—In determining whether a response is admissible, the court shall take precautions to guard against the compromise of any CVI, including—
(A) Permitting the United States to provide the court, ex parte, with a proffer of the witness's response to the question or line of inquiry; and
(B) Requiring the defendant to provide the court with a proffer of the nature of the information that the defendant seeks to elicit.
(iii) Obligation of defendant—In any judicial enforcement proceeding, it shall be the defendant's obligation to establish the relevance and materiality of any CVI sought to be introduced.
(8) Construction. Nothing in this subsection shall prevent the United States from seeking protective orders or asserting privileges ordinarily available to the United States to protect against the disclosure of classified information, including the invocation of the military and State secrets privilege.
(j) Consequences of violation. Violation of this section is grounds for a civil penalty and other enforcement or corrective action by the Department, and appropriate personnel actions for Federal employees. Corrective action may include issuance of an order requiring retrieval of CVI to remedy unauthorized disclosure or an order to cease future unauthorized disclosure.
(k) Destruction of CVI.
(1) The Department of Homeland Security. Subject to the requirements of the Federal Records Act (5 U.S.C. 105), including the duty to preserve records containing documentation of a Federal agency's policies, decisions, and essential transactions, the Department destroys CVI when no longer needed to carry out the agency's function.
(2) Other covered persons—
(i) In general. A covered person must destroy CVI completely to preclude recognition or reconstruction of the information when the covered person no longer needs the CVI to carry out security measures under paragraph (e) of this section.
(ii) Exception. Section 27.400(k)(2) does not require a State or local government agency to destroy information that the agency is required to preserve under State or local law.