This week, the Federal government took the first steps toward implementation of the Cybersecurity Information Sharing Act (CISA), enacted into law last December. CISA aims to encourage sharing of cyber threat indicators and defensive measures among private companies and between the private sector and the Federal government by providing liability protection for sharing such information in accordance with the Act. The DHS Federal Register notice was published this morning here.

As required by the Act, the government has released four pieces of guidance designed to assist companies and Federal agencies with respect to sharing, receiving and handling cyber threat information.

The DHS Automated Indicator Sharing (AIS) capability referenced in some of the releases is designed to facilitate real-time sharing of cyber threat indicators by enabling DHS’s National Cybersecurity and Communications Integration Center (NCCIC) to (1) receive indicators from the private sector and other non-federal entities; (2) remove unnecessary personally identifiable information; and (3) disseminate the indicators, as appropriate, to other federal departments and agencies and the private sector and other non-federal entities.  Key functions of this capability include:

  • Performing a series of automated analyses and technical mitigations to ensure that personally identifiable information (PII) that is not directly related to a cybersecurity threat is removed before any information is shared;
  • Incorporating limited elements of human review to ensure such information is removed in cases where automated mitigations are not feasible;
  • Anonymizing the identity of the submitter of the information, unless the submitter has consented to sharing its identity;
  • Minimizing the amount of data collected to what is directly related to a cyber threat;
  • Retaining information for a limited amount of time, consistent with the need to address cyber threats; and
  • Ensuring any information collected is explicitly used for authorized governmental purposes.
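To make the data-handling functions listed above concrete, here is an added illustration (not DHS code, and not the AIS or STIX schema) of the minimization steps an intake pipeline would apply to a submitted indicator before onward sharing: keep only an allowlist of fields that describe the threat, route free-text fields to human review, replace the submitter's identity with a salted hash unless they consented to attribution, and stamp the record with a retention expiry. The submission record, its field names, the salt and the 90-day retention window are all constructed for this example.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed sample submission (fictional data; field names are assumptions
# for this example, not the real AIS format). 203.0.113.0/24 is a
# documentation range.
SAMPLE_SUBMISSION = {
    "submitter": "Example Corp SOC",
    "submitter_consents_to_attribution": False,
    "indicator": {
        "type": "ipv4-addr",
        "value": "203.0.113.45",
        "observed": "2016-02-16T09:15:00+00:00",
        "context": "repeated failed logins against VPN gateway",  # free text
    },
    "victim_username": "jdoe",            # PII not needed to act on the indicator
    "victim_email": "jdoe@example.com",   # PII not needed to act on the indicator
}

# Allowlist: only fields that directly describe the threat survive automated
# processing. Anything not listed is dropped, which is safer than trying to
# enumerate every PII field that might appear.
INDICATOR_ALLOWLIST = {"type", "value", "observed"}
# Free-text fields cannot be cleared automatically, so they go to human review.
REVIEW_FIELDS = {"context"}

# Constructed intake timestamp used by the example and its checks.
RECEIVED_AT = datetime(2016, 2, 16, 12, 0, tzinfo=timezone.utc)
AFTER_RETENTION = RECEIVED_AT + timedelta(days=91)


def anonymize_submitter(name, consented, salt):
    """Return the submitter name only with consent; otherwise a salted hash."""
    if consented:
        return name
    digest = hashlib.sha256((salt + name).encode("utf-8")).hexdigest()
    return "submitter-" + digest[:12]


def minimize_submission(submission, salt, received_at, retention_days=90):
    """Produce the shareable record, the human-review queue and the dropped keys."""
    indicator = submission["indicator"]
    record = {
        "submitter": anonymize_submitter(
            submission["submitter"],
            submission.get("submitter_consents_to_attribution", False),
            salt,
        ),
        "indicator": {k: v for k, v in indicator.items() if k in INDICATOR_ALLOWLIST},
        # Retention limit: the record carries its own expiry.
        "expires": (received_at + timedelta(days=retention_days)).isoformat(),
        # Purpose tag so downstream consumers can enforce authorized use.
        "authorized_use": "cybersecurity-purpose",
    }
    review_queue = [(k, indicator[k]) for k in sorted(REVIEW_FIELDS) if k in indicator]
    # Everything outside the known top-level keys is discarded and reported.
    kept_top_level = {"submitter", "submitter_consents_to_attribution", "indicator"}
    dropped = sorted(k for k in submission if k not in kept_top_level)
    return record, review_queue, dropped


def is_expired(record, now):
    """True once the retention window stamped on the record has passed."""
    return now >= datetime.fromisoformat(record["expires"])


if __name__ == "__main__":
    rec, review, dropped = minimize_submission(SAMPLE_SUBMISSION, "constructed-salt", RECEIVED_AT)
    print("shareable record:", rec)
    print("needs human review:", review)
    print("dropped fields:", dropped)
    print("expired at intake?", is_expired(rec, RECEIVED_AT))
```

The allowlist is the important design choice: a denylist of PII field names silently passes anything it did not anticipate, whereas an allowlist fails closed and surfaces the discarded keys for audit. The salted hash gives consistent pseudonyms across submissions from the same source without revealing who they are.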

Non-federal entities that share cyber threat information with the federal government through one of the mechanisms described above, and in accordance with CISA's requirements, receive a variety of protections: a limited antitrust exemption, liability protection, an exemption from certain federal and state disclosure laws, an exemption from certain state and federal regulatory uses, and protection for certain privileged and proprietary information, including trade secrets.

The new guidance offers companies a road map for how to share cyber threat information with the government while staying within the bounds of the law. In the coming days, Mintz Levin's privacy attorneys will analyze each of the guidance documents in detail in this blog space.