Request For Comment
The request for comment period for this draft concluded on Friday, May 5. All comments are currently under review and adjudication by working groups. Comments received after the May 5th deadline are welcomed and may be included in future adjudication and revision periods.
Broadening participation in voluntary information sharing is an important goal, the success of which will fuel the creation of an increasing number of Information Sharing and Analysis Organizations (ISAOs) across a wide range of corporate, institutional and governmental sectors. While information sharing had been occurring for many years, the Cybersecurity Act of 2015 (Pub. L. No. 114-113) (CISA) was intended to encourage participation by even more entities by adding certain express liability protections that apply in several certain circumstances. As such proliferation continues, it likely will be organizational general counsel who will be called upon to recommend to their superiors whether to participate in such an effort.
With the growth of the ISAO movement, it is possible that joint private-public information exchange as contemplated under CISA will result in expanded liability protection and government policy that favors cooperation over an enforcement mentality.
To aid in that decision making, we have set forth a compilation of frequently asked questions and related guidance that might shed light on evaluating the potential risks and rewards of information sharing and the development of policies and procedures to succeed in it. We do not pretend that the listing of either is exhaustive, and nothing contained therein should be considered to contain legal advice. That is the ultimate prerogative of the in-house and outside counsel of each organization. And while this memorandum is targeted at general counsels, we hope that it also might be useful to others who contribute to decisions about cyber-threat information sharing and participation in ISAOs.
CommentsTo provide comments, please first login and then use the comments form provided to submit feedback. If you are not a registered user, we recommend registering on our website before submitting draft comments in order to save your contact information for future use.
If you would like to submit comments without registering, please use the following link: