Cybersecurity Information Sharing Act of 2015

On December 18, 2015, Congress passed and President Obama signed into law the Cybersecurity Information Sharing Act of 2015, which is designed to increase cybersecurity information sharing between the private sector and the Federal Government. The Act provides various protections to non-federal entities that share cyber threat indicators or defensive measures with the Federal Government. DHS’s Automated Indicator Sharing (AIS) initiative is the principal mechanism for such sharing with the Federal Government. Sharing with DHS through AIS or other DHS mechanisms that is conducted in accordance with the Act’s requirements receives liability protection.

The AIS initiative is a capability that DHS has developed to enable the timely exchange of cyber threat indicators among federal departments and agencies, the private sector, and other non-federal entities. This capability supports those participants in addressing cyber threats to public health and safety, national security, and economic security, while ensuring appropriate privacy, civil liberties, and other compliance protections.

The goal of the AIS initiative is to achieve real-time sharing of cyber threat indicators by enabling DHS’s National Cybersecurity and Communications Integration Center (NCCIC) to (1) receive indicators from the private sector and other non-federal entities; (2) remove unnecessary personally identifiable information; and (3) disseminate the indicators, as appropriate, to other federal departments and agencies and the private sector and other non-federal entities.

By design, the initiative:

  • Performs a series of automated analyses and technical mitigations to ensure that personally identifiable information (PII) that is not directly related to a cybersecurity threat is removed before any information is shared;
  • Incorporates limited elements of human review to ensure such information is removed in cases where automated mitigations are not feasible;
  • Anonymizes the identity of the submitter of the information, unless the submitter has consented to sharing its identity;
  • Minimizes the amount of data collected to what is directly related to a cyber threat;
  • Retains information for a limited amount of time, consistent with the need to address cyber threats; and
  • Ensures any information collected is explicitly used for authorized governmental purposes.

As mandated by the Cybersecurity Information Sharing Act of 2015 (Title I of the Cybersecurity Act of 2015), DHS released guidance to assist private sector and federal entities in sharing cyber threat indicators with the Federal Government. The Department also released interim policies and procedures relating to the receipt and use of cyber threat indicators by federal entities, interim guidelines relating to privacy and civil liberties in connection with the exchange of those indicators, and guidance to federal agencies on sharing information in the government’s possession.

The Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities under the Cybersecurity Information Sharing Act of 2015 also identifies the types of information that should not be shared, such as certain types of financial information.

Staff involved with the credit union’s cybersecurity should review the guidance documents, and incorporate them into the credit union’s response program, if warranted.
