On April 26, 2012, the U.S. House of Representatives approved the Cyber Intelligence Sharing and Protection Act (“CISPA” or H.R. 3523), which is aimed at facilitating the exchange of cyber threat intelligence information between the government and certain private entities. In addition, the House approved the Federal Information Security Amendments Act of 2012 (H.R. 4257), which modifies the Federal Information Security Management Act of 2002 to provide for automated and continuous monitoring of the security of government information systems.
Cyber Intelligence Sharing and Protection Act
Pursuant to CISPA, the Director of National Intelligence is required to establish procedures that would allow the intelligence community to share “cyber threat intelligence” with private-sector entities, and to encourage the sharing of such intelligence. In addition, “cyber security providers,” such as Internet service providers, would be allowed to share “cyber threat information” with certain private entities and the federal government. “Cyber threat information” includes information directly pertaining to a vulnerability of, or a threat to, a system or network of a government or private entity.
The House made several amendments to CISPA prior to passing it. Under the bill as introduced, there was no requirement to shield any personally identifying information that might be included in the cyber threat information. The bill's proponents said that some of the amendments were intended to address these privacy concerns.
- One amendment limits the federal government’s ability to use shared cyber threat information to one of five enumerated purposes: (1) cyber security, (2) investigation and prosecution of cyber security crimes, (3) protection of individuals from death or serious bodily harm, (4) protection of minors from sexual exploitation or physical threat, or (5) protection of national security.
- Another amendment provides that the federal government may not use shared “information that identifies a person” contained in (1) library circulation records, (2) library patron lists, (3) book sales records, (4) book customer lists, (5) firearms sales records, (6) tax return records, (7) educational records, or (8) medical records.
CISPA also includes a provision that limits the liability of private entities for sharing cyber threat information, but the adopted version does not include provisions regarding the protection of critical infrastructure systems, as proposed by the Obama Administration and recommended by military and intelligence experts.
Federal Information Security Amendments Act
The proposed amendments would require agencies to (1) ensure the sufficiency of their information security programs, (2) continuously monitor the security of federal information systems, and (3) appoint a chief information security officer or senior official to oversee information security programs and enforce compliance. Pages 2-3 of the Federal Information Security Amendments Act outline the following purposes for the amendments:
- provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets;
- recognize the highly networked nature of the current Federal computing environment and provide effective Government-wide management and oversight of the related information security risks, including coordination of information security efforts throughout the civilian, national security, and law enforcement communities;
- provide for development and maintenance of minimum controls required to protect Federal information and information infrastructure;
- provide a mechanism for improved oversight of Federal agency information security programs and systems through a focus on automated and continuous monitoring of agency information systems and regular threat assessments;
- acknowledge that commercially developed information security products offer advanced, dynamic, robust, and effective information security solutions, reflecting market solutions for the protection of critical information infrastructures important to the national defense and economic security of the Nation that are designed, built, and operated by the private sector; and
- recognize that the selection of specific technical hardware and software information security solutions should be left to individual agencies from among commercially developed products.
Both bills are now headed to the Senate for approval.