Request For Comment
The request for comment period for this draft concluded on Tuesday, July 18, 2017. All comments were reviewed and adjudicated by working groups. Comments received after the July 18th deadline may be included in future adjudication and revision periods.
Broadening participation in voluntary information sharing is an important goal, the success of which will fuel the creation of an increasing number of Information Sharing and Analysis Organizations (ISAOs) across a wide range of corporate, institutional and governmental sectors. While information sharing had been occurring for many years, the Cybersecurity Act of 2015 (Pub. L. No. 114-113) (CISA) was intended to encourage participation by even more entities by adding certain express liability protections that apply in several certain circumstances. As such proliferation continues, it likely will be organizational general counsel who will be called upon to recommend to their superiors whether to participate in such an effort.
With the growth of the ISAO movement, it is possible that joint private-public information exchange as contemplated under CISA will result in expanded liability protection and government policy that favors cooperation over an enforcement mentality.
To aid in that decision making, we have set forth a compilation of frequently asked questions and related guidance that might shed light on evaluating the potential risks and rewards of information sharing and the development of policies and procedures to succeed in it. We do not pretend that the listing of either is exhaustive, and nothing contained therein should be considered to contain legal advice. That is the ultimate prerogative of the in-house and outside counsel of each organization. And while this memorandum is targeted at general counsels, we hope that it also might be useful to others who contribute to decisions about cyber-threat information sharing and participation in ISAOs.
Submitted Comments
The ISAO SO invited the public to provide comments on this document from June 19, 2017 – July 18, 2017. The line reference and comment fields listed below are the exact contents as submitted by the commenter.
| Line Reference | Comment | Disposition |
|---|---|---|
| 9 | Add "Information Sharing" after Cybersecurity | Approved |
| 9, 10 | Add div. N., 129 Stat. 2242, 2936 – 2956 (2015) before CISA | Approved |
| 10 | Add "public and private sector" after "encourage" | Approved |
| 10 (11) | Delete "participation by even more" after "encourage" | Approved |
| 10 (11) | Add "to share cyber threat information " after "entities" | Approved |
| 10 (11, 12) | Add "removing legal barriers and" after "entities by" | Approved |
| 11, 12 (13-19) | Add "Broadly, as explained in the legislative history, CISA provides “positive legal authori-ties for private companies to: (1) monitor their networks, or those of their customers upon authorization and written consent, for cybersecurity purposes; (2) take defensive measures to stop cyber attacks and (3) share cyber threat information with each other and with the government to further collective cybersecurity.” S.Rep. No. 114-32, at 2 (2015). CISA therefore provides an environment and potentially serves as a catalyst for increasing private sector information sharing. " after "circumstances." | Approved |
| 13 (21) | Delete "to their superiors" | Approved |
| 15-19 (23-25) | Delete "With the growth of the ISAO movement, it is possible that joint private/public information exchange as contemplated under CISA will result in expanded liability protection and government policy that favors cooperation over an enforcement mentality. " | Approved |
| 27 (33) | Remove "-" in "cyber-threat" | Approved |
| 36-38 (44-46) | Delete "and help identify victims for notification purposes where information reveals compromised customer IP addresses" | Approved |
| 41 (49-50) | Insert "vital assets, including its " before "critical infrastructure" | Approved |
| 44 (52) | Delete "• It also should be noted that most of the value of s" and capitalize "s" | Approved |
| 44 (52-53) | Replace "be accomplished " with "occur" | Approved |
| 45 (53) | Replace "the inclusion of " with "including" | Approved |
| 45 (53-54) | Replace "personal information (PII) " with "personally identifiable information (PII)," | Approved |
| 56 (65-67) | Insert "Furthermore, federal laws such as CISA provide protections that lower the risk by providing clear authority for sharing and other protections for sharing information" after "compromise" | Approved |
| 56-60 (67-71) | See Comments | Approved |
| 63 (74) | Insert "such as the Traffic Light Protocol " | Approved |
| 69 (81) | Replace "risk" with "threat" | Approved |
| 81 (93) | Change font for " etc., " | Approved |
| 81 (93-96) | Insert "Sharing cyber threat indicators and defensive measures helps ensure that one entity’s detection of a threat allows other entities to quickly defend against that threat, which helps quickly mitigate attacks and protects the entire ecosystem." after "provide" | Approved |
| 81 (97-105) | Make own paragraph and delete "also" | Approved |
| 94 (107-126) | Insert new paragraph " • Private entities receive liability protection and other protections and ex-emptions for sharing cyber threat indicators and defensive measures with other private entities, including ISAOs, in accordance with CISA. 6 U.S.C. § 1503, § 1505(b)(1). Such sharing is authorized “notwithstanding any other provision of law,” meaning any conflicting law is overridden when con-ducted in accordance with CISA. Furthermore, CISA provides statutory liability protection for sharing certain information. To receive liabil-ity protection or to benefit from CISA’s other protections, an entity must share cyber threat indicators or defensive measures for a cybersecurity purpose. Prior to sharing, the entity must remove information not directly related to a cybersecurity threat that the entity knows at the time of sharing to be personal information of a specific individual or information that iden-tifies a specific individual, and implement and use a security control to pro-tect against unauthorized access to or acquisition of the information. Final-ly, when receiving such information, the entity must observe lawful re-strictions placed by the sharing entity. For further information, see U.S. Department of Homeland Security and U.S. Department of Justice, Guid-ance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities under the Cybersecurity Infor-mation Sharing Act of 2015 (June 2015), available at https://us-cert.gov/ais. | Approved |
| 94 (128-148) | Insert new paragraph: "• Similarly, private entities, including ISAOs, that share cyber threat indica-tors or defensive measures with the federal government in accordance with CISA receive liability protection and other protections and exemptions. 6 U.S.C. § 1503(c); 6 U.S.C. § 1504(c)(1)(B). Again, such sharing is authorized “notwithstanding any other provision of law,” meaning any conflicting law is overridden when conducted in accordance with CISA. Further, it pro-vides liability protection. To obtain liability protection when sharing with the Federal Government, private entities must share through the DHS-operated capability and process for receiving cyber threat indicators (or under one of the exceptions to the use of that capability) concerning previously shared cyber threat indicators and sharing with federal regula-tory authorities. See 6 U.S.C. § 1504(c)(1)(B)(i) and (ii). Non-federal en-tities sharing with the federal government also receive additional protec-tions, including exemption from state and federal disclosure laws, exemp-tion from certain state and federal regulatory use, no waiver of privilege for shared material, waiver from ex parte communications, and a limitation on permitted uses the government can make of the information that is shared. For further information, see U.S. Department of Homeland Security and U.S. Department of Justice, Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Enti-ties under the Cybersecurity Information Sharing Act of 2015 (June 2015), available at https://us-cert.gov/ais | Approved |
| 91-94 (149-152) | Delete: "• If CISA’s pre-requisites are met, CISA’s liability protections apply both to cyber threat information exchanges between private sector entities includ-ing ISAOs and the government and to cyber threat information exchanges between private sector entities alone. " | Approved |
| 107 (165) | Delete "also" | Approved |
| 107 (165) | Replace "redaction" with "removal before sharing" | Approved |
| 107 (165) | Delete "certain" | Approved |
| 107-110 (166-171) | Replace "(e.g. personally identifiable information or PII) that is not directly related to a cybersecurity threat that the entity knows at the time of sharing that identifies specific individuals or information personal to them. " with "not directly related to a cybersecurity threat that the sharing entity knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual" | Approved |
| 115 (177) | Insert new paragraph "• Prior to sharing cyber threat indicators and defensive measures under CISA, private entities should have processes in place to ensure the removal of information not directly related to a cybersecurity threat that the entity knows at the time of sharing to be personal information of a specific indi-vidual or information that identifies a specific individual. The entity should also implement and use a security control to protect against unau-thorized access to or acquisition of the cyber threat information or defen-sive measures. When receiving such information, the entity should also have policies in place that require the observation of lawful restrictions placed by the sharing federal government or private entity." | Approved |
| 117 (189) | Add "sharing and handling " after "information" | Approved |
| 120 (192) | Replace "their" with "its" | Approved |
| 141 (214) | Replace "also contemplates" with "permits" | Approved |
| 147 (220) | Delete "o Moreover, as a matter of policy, the Federal government has stated that it will not turn over reported CISA information to enforcement agencies, and reported information is not made public" | Approved |
| 150-152 (224-226) | Delete "o CISA also addresses the inadvertent disclosure of personally identifiable information. In any event, counsel must be attentive to have in place measures to protect confidential information that is to be shared." | Approved |
| 155 (229-231) | Insert "CISA’s liability protection applies to monitoring information systems and the sharing or receiving of cyber threat indicators under CISA" | Approved |
| 156 (232) | Change "enforcement" to "regulatory" | Approved |
| 162 (238) | Insert "the" before SAFETY Act | Approved |
| 163 (239) | Change "legal" to "certain" | Approved |
| 163-164 (239-241) | Change "Qualified Anti-Terrorism products or Technologies approved by the Department of Homeland Security | Approved |
| 174 (251) | see comments | Approved |
| 176-178 (253-255) | Delete: "This is especially true for PHI (Protected Health Information) covered by HIPAA, which has requirements beyond CISA’s. HIPAA also offers certain additional protections if data are encrypted. " | Approved |
| 179 (256) | see comments | Approved |
| 208 (286-291) | Insert paragraph:" • Liability protections attach to sharing of cyber threat indicators and defen-sive measures regardless of whether removal of information not directly re-lated to a cybersecurity threat occurs using a manual or technical means. Similarly, sharing cyber threat indicators and defensive measures with DHS regardless of whether through the automated process and capability or through a manual means receives certain liability protections." | Approved |
| 62-66 | Related to bullet two in Section 2.2, the FS-ISAC recommends the use of a Traffic Light Protocol (TLP) approach be introduced here in this document. This is necessary to signal the sensitivity of information shared and the necessary control mechanisms. This also is important to establish and maintain trust among participants involved in information sharing processes. Finally, it would be consistent with Legal Counsel document. | Approved |
| 17 | Replaced citation with footnote | Approved |
| 27 | Change "therein" to "herein" | Approved |
| 28 | Consider changing the "." to a dash or colon after the word "advice" | Approved |
| 67-71 | Reduce complexity by putting the required action up front and/or breaking the sentence into sections. | Approved |
| 110 | Insert "for their members" between "resource" and "to gather information…" | Approved |
| 111 | Replaced citation with footnote | Approved |
| 126-127 | Changed citations to footnotes | Approved |
| 131-132 | Changed citations to footnotes | Approved |
| 145-149 | Change to footnote | Approved |
| 165 | Add reference for ISAO SP 4000 | Approved |
| 218-219 | Recommend deleting references to specific agencies. If the reference is essential, recommend adding a footnote that lists all known federal regulatory authorities. | Approved |
| 223-224 | First sentence is a fragment. Recommend deleting this. | Approved |
| 224-227 | Second sentence - One or more information sharing organizations have already established liability protection under the SAFETY Act. We should be able to articulate more clearly what the “certain liability protections” are and the require-ments to obtain them. | Approved |
| 243-245 | Rephrase this to recommend this as a best practice. As currently written, it implies that this is a pre-requisite to joining an ISAO, which will deter organizations from joining. | Approved |
| 251-252 | Change "...published about standards" to "standardized processes" | Approved |
| 254-258 | This isn't a binary question. Modify question to reflect: What are the legal impacts of automated information sharing? Should be a repeatable process, reduces, human error, and incorporates organizational policy on regarding PII. | Approved |
| 275-284 | We need to add a reference to the work the ISAO SO is doing to develop standards and guidelines with respect to information sharing generally and to automated information sharing specifically. It should be inserted prior to any other agency reference | Approved |
| 289-290 | Add "or region," between "sector" and "how it has exercised control…" | Approved |
