The Cybersecurity Information Sharing Act of 2015 (CISA) provides limited liability protection and information disclosure protections for private-to-private and private-to-government cybersecurity information sharing. On February 16, 2016, two key U.S. agencies released a set of documents describing how CISA’s provisions are expected to work in practice. The materials released by the Department of Homeland Security (DHS) and the Department of Justice (DOJ) include:
- Guidance for non-Federal (mostly private-sector) entities on the sharing of cyber threat indicators and defensive measures;
- Guidance for Federal entities on the sharing of cyber threat indicators and defensive measures;
- Interim procedures related to the receipt of such information by the federal government; and
- Privacy and civil liberties interim guidelines.
A Federal Register notice (currently available here for pre-publication review) from DHS is scheduled to be published on February 18, 2016.
Notably, the guidance, procedures, and guidelines are expected to influence the Information Sharing and Analysis Organizations (ISAO) standards development effort (more here). While that effort is not expected to recreate the DHS-DOJ documents, best practice recommendations on how ISAOs can implement and apply the newly released guidance documents, procedures, and guidelines are under consideration.