On June 15, 2016, the U.S. Department of Homeland Security (DHS) and U.S. Department of Justice (DOJ) issued final guidance on implementation of the Cyber Security Information Sharing Act (CISA) which was signed into law in December 2015 as part of the Cyber Security Act of 2015. Among other issues, the guidance documents clarify that liability protections under CISA apply to the sharing of information between private entities (this information may be found in Annex 1 of the non-federal entity guidance).
The DHS/DOJ CISA documents include the following guidance regarding the sharing of Cyber Threat Indicators and Defensive Measures:
- Non-Federal Entities Sharing Information
- Privacy and Civil Liberties
- Federal Entities Receiving Information
Previously, on Feb. 16, 2016, the Office of the Director of National Intelligence, the Department of Defense, DHS, and DOJ issued guidance on the sharing of information under CISA by the federal government.
Private entities wishing to share cybersecurity information under CISA must utilize the federal portal housed at the DHS National Cybersecurity and Communications Information Center (NCCIC). Information may be shared in real time via Automated Indicator Sharing (AIS) or by email or web form. Congress recently conducted an oversight hearing regarding progress on implementation of CISA and it was disclosed that only 30 private entities are currently sharing information using AIS, although over 100 private entities are in the process of preparing to participate.