The Department of Homeland Security (DHS) and the Department of Justice (DOJ) have released Interim Guidance Documents (Guidance Documents) to implement the Cybersecurity Information Sharing Act of 2015 (CISA). The Act requires DHS and DOJ to establish a voluntary cybersecurity information sharing process that encourages public and private sector entities to share cyber threat indicators and defensive measures. Companies that choose to share such information must comply with the Guidance Documents to take advantage of the liability protections conferred by CISA.
The Guidance Documents include:
The Guidance Documents describe the requirements and mechanisms for sharing information with DHS's National Cybersecurity and Communications Integration Center (NCCIC), which serves as ''a national nexus of cyber and communications integration for the Federal Government, intelligence community, and law enforcement.''
Companies that share cyber threat indicators and defensive measures may also include personally identifiable information with any other entity permissible under the Guidance Documents as long as the information is directly related to a ''cybersecurity purpose,'' even though such information would otherwise be protected from such sharing under other applicable privacy laws. CISA broadly defines a ''cybersecurity purpose'' as any purpose related to protecting an information system or information that is stored on, processed by, or transiting an information system from a cybersecurity threat or security vulnerability.
Companies will have a number of options for sharing relevant information, including through a form on the NCCIC website, via e-mail to DHS, or by utilizing DHS's Automated Indicator Sharing (AIS) initiative, which allows for machine-to-machine real-time communication of information between federal agencies and the private sector.
