"Federal Agencies Release Guidance on Cyber Sharing"
Right on the nose – “[n]ot later than 60 days after the date of the enactment of [the Cybersecurity Information Sharing Act of 2015]” – federal agencies made good on their direction in the Cybersecurity Information Sharing Act of 2015 (“CISA”), releasing guidance regarding sharing cyber threat indicators with the federal government. The Director of National Intelligence, the Secretary of Homeland Security, the Secretary of Defense, and the Attorney General, in consultation with the heads of the appropriate federal entities, were tasked with developing procedures to facilitate and promote cybersecurity information sharing under CISA, which was signed into law on December 18, 2015.
The four guidance documents are the first steps towards implementation of CISA.
- Federal Sharing. Sharing of Cyber Threat Indicators and Defensive Measures by the Federal Government under the Cybersecurity Information Sharing Act of 2015, released by the Office of the Director of National Intelligence, the Department of Homeland Security, the Department of Defense, and the Department of Justice, encourages sharing “broadly and quickly” to relevant federal and non-federal entities, including if appropriate the public. It outlines current procedures used by federal agencies to share information, stressing that these may evolve over time.
- Non-Federal to Federal Sharing. Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities under the Cybersecurity Information Sharing Act of 2015 was released by the Department of Homeland Security and the Department of Justice and provides guidance to non-federal entities that elect to share cyber-threat indicators and defensive measures with the federal government.
- Federal Receipt and Use Procedures. Interim Procedures Related to the Receipt of Cyber Threat Indicators and Defensive Measures by the Federal Government was released by the Department of Homeland Security and the Department of Justice. It establishes procedures for receipt, use, and dissemination of information submitted to the federal government.
- Interim Privacy and Civil Liberties Guidelines. Privacy and Civil Liberties Interim Guidelines: Cybersecurity Information Sharing Act of 2015 was released by the Department of Homeland Security and the Department of Justice. It explains how the federal government “shall follow procedures designed to limit the effect on privacy and civil liberties of federal activities under CISA” by identifying guidelines governing the receipt, use and dissemination of indicators by federal entities.
Companies that follow these guidelines can expect some level of liability protection. Next on this blog’s radar is the looming 90-day deadline for the Department of Health and Human Services to convene a task force to address cybersecurity issues unique to the health care industry.