This week, the Federal government took the first steps toward implementation of the The Cybersecurity Information Sharing Act (CISA), enacted into law last December. CISA aims to encourage sharing of cyber threat indicators and defensive measures among private companies and between the private sector and the Federal government by providing liability protection for sharing such information in accordance with the Act. The DHS Federal Register notice was published this morning here.
As required by the Act, the government has released four pieces of guidance designed to assist companies and Federal agencies with respect to sharing, receiving and handling cyber threat information.
- For non-Federal (mostly private sector) entities: DHS and DOJ jointly released guidance to private companies and other non-Federal entities designed to promote sharing of cyber threat indicators and defensive measures from companies to the Federal government. This includes guidance regarding instances in which personal information would (or would not) be necessary to describe a cyber threat, as well as categories of information likely to be considered individually identifiable information unrelated to a cybersecurity threat. The document also sets forth the sharing mechanisms that private companies should use in order to obtain liability protection for providing cyber threat indicators and defensive measures to the Federal government.
- For Federal entities: The Director of National Intelligence, along with the Department of Homeland Security (DHS), the Secretary of Defense, and the Department of Justice (DOJ) released guidance outlining procedures for the sharing of classified and unclassified cyber threat indicators and defensive measures possessed by the Federal government with private companies and other levels of government. The release stressed that existing sharing mechanisms and programs are “dynamic and are expected to grow or evolve over time,” and that some programs “may be discontinued” and replaced by new mechanisms.
- Interim procedures: DHS and DOJ also set forth interim procedures related to the receipt of cyber threat indicators and defensive measures by the Federal government. This document sets forth the processes for Federal agency receipt, handling and dissemination of cyber threat indicators and defensive measures, including via the operation of the DHS Automated Indicator Sharing capability also established under the Act.
- Privacy and civil liberties interim guidelines: DHS and DOJ also released interim privacy and civil liberties guidelines governing the receipt, retention, use and dissemination of cyber threat indicators by a Federal agency. The guidance is designed to apply Fair Information Practice Principles (FIPPs) to Federal agency receipt, use and dissemination of cyber threat indicators consistent with CISA’s goal of protecting networks from cybersecurity threats.
The DHS Automated Indicator Sharing (AIS) capability referenced in some of the releases is designed to facilitate real-time sharing of cyber threat indicators by enabling DHS’s National Cybersecurity and Communications Integration Center (NCCIC) to (1) receive indicators from the private sector and other non-federal entities; (2) remove unnecessary personally identifiable information; and (3) disseminate the indicators, as appropriate, to other federal departments and agencies and the private sector and other non-federal entities. Key functions of this capability include:
- Performing a series of automated analyses and technical mitigations to ensure that personally identifiable information (PII) that is not directly related to a cybersecurity threat is removed before any information is shared;
- Incorporating limited elements of human review to ensure such information is removed in cases where automated mitigations are not feasible;
- Anonymizing the identity of the submitter of the information, unless the submitter has consented to sharing its identity;
- Minimizing the amount of data collected to what is directly related to a cyber threat;
- Retaining information for a limited amount of time, consistent with the need to address cyber threats; and
- Ensuring any information collected is explicitly used for authorized governmental purposes.
Non-federal entities that share cyber threat information with the federal government pursuant to one of the mechanisms described above and in accordance with CISA’s requirements receive a variety of protections, including a limited antitrust exemption, liability protection, an exemption from certain federal and state disclosure laws, and exemption from certain state and federal regulatory uses, and protection for certain privileged and proprietary information, including trade secrets.
The new guidance offers companies a road map for how to share cyber threat information with the government while staying within the bounds of the law. In the coming days, Mintz Levin’s privacy attorneys will analyze each of the guidance documents in detail in this blog space.