Federal Agencies Finalize Cybersecurity Threat-Sharing Regulations

    Jul 12, 2016

    The Departments of Justice and Homeland Security on June 15 released final rules for cybersecurity information sharing by companies, as well as three guidance documents on the sharing of cyber-threat indicators and defensive measures between and among federal and non-federal entities.

    The Cybersecurity Information Sharing Act (CISA), enacted by Congress last December, requires the federal government to share more information, including classified information under appropriate safeguards, with relevant private sector entities to further cybersecurity efforts.  And it includes legal immunity for private companies to monitor their networks for cybersecurity purposes, take defensive measures to stop cyber-attacks, and share cyber-threat information with each other and with the government.

    One of the guidance documents, entitled “Final Procedures Related to the Receipt of Cyber Threat Indicators and Defensive Measures by the Federal Government,” establishes procedures for the receipt of cyber-threat indicators and defensive measures by all federal entities under CISA. It describes the processes for receiving, handling, and disseminating information that is shared with DHS, and it outlines statutory requirements for all federal entities that receive cyber-threat indicators and defensive measures.

    A second document includes guidelines addressing privacy and civil liberties. The guidelines govern the receipt, retention, use, and dissemination of cyber-threat indicators by a federal entity obtained in connection with activities authorized in CISA, while protecting classified information, intelligence sources and methods, and privacy and civil liberties. Specifically, the guidelines require federal agencies to “review cyber threat indicators, prior to sharing them, to assess whether they contain any information not directly related to a cybersecurity threat that such federal entity knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual and remove such information.”

    The third guidance document seeks to help companies and other non-federal entities share cyber-threat indicators and defensive measures with federal agencies. Of note, the guidelines provide that non-federal entities that wish to share information must remove personally identifiable information (PII) that isn't directly related to a cybersecurity threat, and remove it before sharing it with a federal entity. The rule does not provide a definition for PII, but it does include certain types of information that should be excluded, such as protected health information, human resource information, education history, property ownership, and information protected under the Children's Online Privacy Protection Act.

    “In sum, the final guidelines provide confirmation of the powerful legal basis for companies to engage in and share information about defensive measures, as well as to engage in cybersecurity-related network monitoring, and to share information about cyberthreat indicators with both government and non-government entities, and both through the DHS automated portal and through means other than the DHS portal,” wrote Sidley and Austin attorneys Alan Charles Raul, Colleen Theresa Brown, and Frances E. Faircloth in a blog post. “As interpreted by DHS and DOJ, CISA should prove highly useful to corporate cybersecurity efforts.”

    The Washington Policy Brief is an online advisory that contains brief summaries of recent legislative and regulatory issues that may affect the records and information management profession. Further information about the issue is accessed by clicking on the link provided at the end of each summary.


    Want to sign up to receive an e-mail version of the Washington Policy Brief? It's free! Just tell us a little about yourself and you'll receive a monthly dose of the latest in legislation, regulation, and more.



    © 2017, ARMA International