On June 15, 2016, the U.S. Department of Homeland Security (“DHS”) and U.S. Department of Justice (“DOJ”) jointly issued final guidance on the Cybersecurity Information Sharing Act of 2015 (“CISA”). Enacted in December 2015, CISA includes a variety of measures designed to strengthen private and public sector cybersecurity. In particular, CISA provides protections from civil liability, regulatory action and disclosure under the Freedom of Information Act (“FOIA”) and other open government laws for “cyber threat indicators” (“CTI”) and “defensive measures” (“DM”) that are shared: (1) among businesses or (2) between businesses and the government through a DHS web portal. Congress passed CISA in order to increase the sharing of cybersecurity information among businesses and between businesses and the government, and to improve the quality and quantity of timely, actionable cybersecurity intelligence in the hands of the private sector and government information security professionals.

The guidance issued yesterday included final guidelines on privacy and civil liberties and on the receipt of CTI and DM by the government:

  • Privacy and Civil Liberties Final Guidelines: Cybersecurity Information Sharing Act of 2015. This document was developed by DHS and DOJ pursuant to Section 105(b) of CISA. It establishes privacy and civil liberties guidelines governing the receipt, retention, use and dissemination of CTI and DM by a federal entity under CISA.
  • Final Procedures Related to the Receipt of Cyber Threat Indicators and Defensive Measures by the Federal Government. Developed by DHS and DOJ as directed in Section 105(a)(1) and (3) of CISA, this document establishes procedures on how the federal government receives CTI and DM. It also interprets statutory requirements for the processes by which federal entities receive and handle CTI and DM, and disseminate them to other appropriate federal entities.

Yesterday’s guidance builds on the four implementation guidance documents that the federal government issued in February of this year. Those documents included:

  • Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities under the Cybersecurity Information Sharing Act of 2015. Developed by DHS and DOJ as directed in Section 105(a)(4) of CISA, this document provides information on how non-federal entities can share CTI and DM with the federal government under CISA, and describes the protections that non-federal entities can receive, including liability protection and other statutory protections.
  • Sharing of Cyber Threat Indicators and Defensive Measures by the Federal Government under the Cybersecurity Information Sharing Act of 2015. This document covers federal cybersecurity information sharing within the federal government and with non-federal entities. It was developed by DHS, DOJ, the Director of National Intelligence and the Department of Defense as directed by Section 103 of CISA. Much of the document outlines current programs through which federal entities share CTI and DM with non-federal entities. The document provides limited guidance on the roles of entities involved in cybersecurity information sharing.
  • Interim Procedures Related to the Receipt of Cyber Threat Indicators and Defensive Measures by the Federal Government. The final version of these procedures was issued on June 15, 2016, as required by CISA.
  • Privacy and Civil Liberties Interim Guidelines: Cybersecurity Information Sharing Act of 2015. The final version of these guidelines was issued on June 15, 2016, as required by CISA.