On February 16, 2016, the Department of Homeland Security (“DHS”), in collaboration with other federal agencies, released a series of documents outlining procedures for both federal and non-federal entities to share and disseminate cybersecurity information. These documents were released as directed by the Cybersecurity Act of 2015 (the “Act”), signed into law on December 18, 2015. The Act outlines a means by which the private sector may enjoy protection from civil liability when sharing certain cybersecurity information with the federal government and private entities. These documents represent the first steps by the executive branch to implement the Act.
- Federal to Non-Federal Sharing. Sharing of Cyber Threat Indicators and Defensive Measures by the Federal Government under the Cybersecurity Information Sharing Act of 2015. This document was developed by DHS, the Department of Justice (“DOJ”), the Director of National Intelligence and the Department of Defense (“DoD”) as directed by Section 103 of the Act. It contains procedures that outline the current mechanisms through which appropriate federal entities share information with non-federal entities, and describes the programs that currently implement these procedures.
- Non-Federal to Federal Sharing. Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities under the Cybersecurity Information Sharing Act of 2015. This document was developed by DHS and DOJ as directed by Section 105(a)(4) of the Act. It provides information on how non-federal entities can share cybersecurity threat indicators and defensive measures with the federal government under the Act, and describes the protections that non-federal entities can receive, including liability protection and other statutory protections. Notably, the document addresses the types of information that would constitute “personal information” that must be removed by non-federal entities from cybersecurity information shared with the federal government.
- Federal Receiving From Non-Federal. Interim Procedures Related to the Receipt of Cyber Threat Indicators and Defensive Measures by the Federal Government. This document was developed by DHS and DOJ as directed by Section 105(a)(1) and (3) of the Act. It establishes interim procedures on how the federal government receives cyber threat indicators and defensive measures under the Act. It also interprets statutory requirements for the processes by which federal entities receive and handle cybersecurity information and disseminate it to other appropriate federal entities. A final version of these guidelines is due by June 15, 2016.
- Privacy and Civil Liberties. Privacy and Civil Liberties Interim Guidelines: Cybersecurity Information Sharing Act of 2015. This document was developed by DHS and DOJ pursuant to Section 105(b) of the Act. It establishes interim privacy and civil liberties guidelines governing the receipt, retention, use and dissemination of cyber threat indicators by a federal entity under the Act. A final version of these guidelines is due by June 15, 2016.
The Act directs additional actions to occur throughout the spring and early summer, and into the coming years. Notably, the Act directs DHS to certify to Congress a capability within DHS to receive cybersecurity information by March 2016, which will become the primary portal through which the federal government receives cybersecurity information under the Act. According to DHS, the Department’s Automated Information Sharing initiative will be that principal mechanism. However, the Act also states that at “any time after” DHS certifies this capability, the President can designate a non-DoD agency to also receive cybersecurity information under the Act.