On February 16, 2016, the Department of Homeland Security (DHS) and Department of Justice (DOJ) issued “guidance” to assist federal agencies and non-federal entities in implementing the Cybersecurity Act of 2015. The Act was signed into law on December 18, 2015.
We recently posted about the Act; it is a long-anticipated federal law intended to encourage and facilitate confidential sharing of cyber threat information within and between the private sector and the federal government. As part of the new law, Congress directed DHS and the Attorney General to jointly create and publicly issue initial guidance to help implement key aspects of the Act.
The initial, “interim” guidance consists of four documents, as follows:
This document provides assistance in defining the sort of information that should and should not be shared with federal entities under the Cybersecurity Act. It explains what is considered to be a cyber threat indicator (CTI) as well as a defensive measure (DM) – and thus should be shared. On the other hand, it also identifies different kinds of information that are protected under otherwise applicable privacy laws and unlikely to be directly related to a cyber security threat – and thus should not be shared with the federal entities. The document also explains the mechanics of sharing CTI and DM with DHS. Finally, it briefly discusses the liability protections afforded to entities that share information with the federal government.
This document describes the processes used by federal entities for receiving, handling and disseminating information that is shared pursuant to the Act. It also states and interprets the statutory requirements for federal entities that receive CTI and DM under the Act to share them with other appropriate federal entities.
This document outlines procedures for federal entities to follow for the timely sharing of CTIs and DMs with appropriate federal entities and with non-federal entities that hold the necessary security clearances, as well as for the periodic sharing of cyber security best practices.
This document sets forth privacy and civil liberty guidelines governing a federal entity's receipt, retention, use and dissemination of cyber threat indicators obtained via Cybersecurity Act-authorized sharing activities. A “guiding principle for all federal entity activities related to the receipt, retention, use and dissemination of cyber threat indicators as authorized by CISA is the Fair Information Practice Principles (FIPPs) set forth in Appendix A of the National Strategy for Trusted Identities in Cyberspace.”
Obviously, these four documents contain a considerable amount of detailed information, processes and procedures. Any company that is considering sharing cyber threat information with the federal government under the Act will need to carefully study these documents before taking any such action. Additional analysis of this initial guidance is expected in the near future, so stay tuned.