6 USC 1504 - Sharing of cyber threat indicators and defensive measures with the Federal Government

U.S Code last checked for updates: Nov 22, 2024

§ 1504.

Sharing of cyber threat indicators and defensive measures with the Federal Government

(a)

Requirement for policies and procedures

(1)

Interim policies and procedures

(2)

Final policies and procedures

(3)

Requirements concerning policies and procedures

Consistent with the guidelines required by subsection (b), the policies and procedures developed or issued under this subsection shall—

(A)

ensure that cyber threat indicators shared with the Federal Government by any non-Federal entity pursuant to section 1503(c) of this title through the real-time process described in subsection (c) of this section—

(i)

are shared in an automated manner with all of the appropriate Federal entities;

(ii)

are only subject to a delay, modification, or other action due to controls established for such real-time process that could impede real-time receipt by all of the appropriate Federal entities when the delay, modification, or other action is due to controls—

(I)

agreed upon unanimously by all of the heads of the appropriate Federal entities;

(II)

carried out before any of the appropriate Federal entities retains or uses the cyber threat indicators or defensive measures; and

(III)

uniformly applied such that each of the appropriate Federal entities is subject to the same delay, modification, or other action; and

(iii)

may be provided to other Federal entities;

(B)

ensure that cyber threat indicators shared with the Federal Government by any non-Federal entity pursuant to section 1503 of this title in a manner other than the real-time process described in subsection (c) of this section—

(i)

are shared as quickly as operationally practicable with all of the appropriate Federal entities;

(ii)

are not subject to any unnecessary delay, interference, or any other action that could impede receipt by all of the appropriate Federal entities; and

(iii)

may be provided to other Federal entities; and

(C)

ensure there are—

(i)

audit capabilities; and

(ii)

appropriate sanctions in place for officers, employees, or agents of a Federal entity who knowingly and willfully conduct activities under this subchapter in an unauthorized manner.

(4)

Guidelines for entities sharing cyber threat indicators with Federal Government

(A)

In general

(B)

Contents

(i)

Identification of types of information that would qualify as a cyber threat indicator under this subchapter that would be unlikely to include information that—

(I)

is not directly related to a cybersecurity threat; and

(II)

is personal information of a specific individual or information that identifies a specific individual.

(ii)

Identification of types of information protected under otherwise applicable privacy laws that are unlikely to be directly related to a cybersecurity threat.

(iii)

Such other matters as the Attorney General and the Secretary of Homeland Security consider appropriate for entities sharing cyber threat indicators with Federal entities under this subchapter.

(b)

Privacy and civil liberties

(1)

Interim guidelines

(2)

Final guidelines

(A)

In general

(B)

Periodic review

(3)

Content

The guidelines required by paragraphs (1) and (2) shall, consistent with the need to protect information systems from cybersecurity threats and mitigate cybersecurity threats—

(A)

limit the effect on privacy and civil liberties of activities by the Federal Government under this subchapter;

(B)

limit the receipt, retention, use, and dissemination of cyber threat indicators containing personal information of specific individuals or information that identifies specific individuals, including by establishing—

(i)

a process for the timely destruction of such information that is known not to be directly related to uses authorized under this subchapter; and

(ii)

specific limitations on the length of any period in which a cyber threat indicator may be retained;

(C)

include requirements to safeguard cyber threat indicators containing personal information of specific individuals or information that identifies specific individuals from unauthorized access or acquisition, including appropriate sanctions for activities by officers, employees, or agents of the Federal Government in contravention of such guidelines;

(D)

consistent with this subchapter, any other applicable provisions of law, and the fair information practice principles set forth in appendix A of the document entitled “National Strategy for Trusted Identities in Cyberspace” and published by the President in April 2011, govern the retention, use, and dissemination by the Federal Government of cyber threat indicators shared with the Federal Government under this subchapter, including the extent, if any, to which such cyber threat indicators may be used by the Federal Government;

(E)

include procedures for notifying entities and Federal entities if information received pursuant to this section is known or determined by a Federal entity receiving such information not to constitute a cyber threat indicator;

(F)

protect the confidentiality of cyber threat indicators containing personal information of specific individuals or information that identifies specific individuals to the greatest extent practicable and require recipients to be informed that such indicators may only be used for purposes authorized under this subchapter; and

(G)

include steps that may be needed so that dissemination of cyber threat indicators is consistent with the protection of classified and other sensitive national security information.

(c)

Capability and process within the Department of Homeland Security

(1)

In general

Not later than 90 days after December 18, 2015, the Secretary of Homeland Security, in coordination with the heads of the appropriate Federal entities, shall develop and implement a capability and process within the Department of Homeland Security that—

(A)

shall accept from any non-Federal entity in real time cyber threat indicators and defensive measures, pursuant to this section;

(B)

shall, upon submittal of the certification under paragraph (2) that such capability and process fully and effectively operates as described in such paragraph, be the process by which the Federal Government receives cyber threat indicators and defensive measures under this subchapter that are shared by a non-Federal entity with the Federal Government through electronic mail or media, an interactive form on an Internet website, or a real time, automated process between information systems except—

(i)

consistent with section 1503 of this title, communications between a Federal entity and a non-Federal entity regarding a previously shared cyber threat indicator to describe the relevant cybersecurity threat or develop a defensive measure based on such cyber threat indicator; and

(ii)

communications by a regulated non-Federal entity with such entity’s Federal regulatory authority regarding a cybersecurity threat;

(C)

ensures that all of the appropriate Federal entities receive in an automated manner such cyber threat indicators and defensive measures shared through the real-time process within the Department of Homeland Security;

(D)

is in compliance with the policies, procedures, and guidelines required by this section; and

(E)

does not limit or prohibit otherwise lawful disclosures of communications, records, or other information, including—

(i)

reporting of known or suspected criminal activity, by a non-Federal entity to any other non-Federal entity or a Federal entity, including cyber threat indicators or defensive measures shared with a Federal entity in furtherance of opening a Federal law enforcement investigation;

(ii)

voluntary or legally compelled participation in a Federal investigation; and

(iii)

providing cyber threat indicators or defensive measures as part of a statutory or authorized contractual requirement.

(2)

Certification and designation

(A)

Certification of capability and process

Not later than 90 days after December 18, 2015, the Secretary of Homeland Security shall, in consultation with the heads of the appropriate Federal entities, submit to Congress a certification as to whether the capability and process required by paragraph (1) fully and effectively operates—

(i)

as the process by which the Federal Government receives from any non-Federal entity a cyber threat indicator or defensive measure under this subchapter; and

(ii)

in accordance with the interim policies, procedures, and guidelines developed under this subchapter.

(B)

Designation

(i)

In general

At any time after certification is submitted under subparagraph (A), the President may designate an appropriate Federal entity, other than the Department of Defense (including the National Security Agency), to develop and implement a capability and process as described in paragraph (1) in addition to the capability and process developed under such paragraph by the Secretary of Homeland Security, if, not fewer than 30 days before making such designation, the President submits to Congress a certification and explanation that—

(I)

such designation is necessary to ensure that full, effective, and secure operation of a capability and process for the Federal Government to receive from any non-Federal entity cyber threat indicators or defensive measures under this subchapter;

(II)

the designated appropriate Federal entity will receive and share cyber threat indicators and defensive measures in accordance with the policies, procedures, and guidelines developed under this subchapter, including subsection (a)(3)(A); and

(III)

such designation is consistent with the mission of such appropriate Federal entity and improves the ability of the Federal Government to receive, share, and use cyber threat indicators and defensive measures as authorized under this subchapter.

(ii)

Application to additional capability and process

(3)

Public notice and access

The Secretary of Homeland Security shall ensure there is public notice of, and access to, the capability and process developed and implemented under paragraph (1) so that—

(A)

any non-Federal entity may share cyber threat indicators and defensive measures through such process with the Federal Government; and

(B)

all of the appropriate Federal entities receive such cyber threat indicators and defensive measures in real time with receipt through the process within the Department of Homeland Security consistent with the policies and procedures issued under subsection (a).

(4)

Other Federal entities

(d)

Information shared with or provided to the Federal Government

(1)

No waiver of privilege or protection

(2)

Proprietary information

(3)

Exemption from disclosure

A cyber threat indicator or defensive measure shared with the Federal Government under this subchapter shall be—

(A)

deemed voluntarily shared information and exempt from disclosure under section 552 of title 5 and any State, tribal, or local provision of law requiring disclosure of information or records; and

(B)

withheld, without discretion, from the public under section 552(b)(3)(B) of title 5 and any State, tribal, or local provision of law requiring disclosure of information or records.

(4)

Ex parte communications

(5)

Disclosure, retention, and use

(A)

Authorized activities

Cyber threat indicators and defensive measures provided to the Federal Government under this subchapter may be disclosed to, retained by, and used by, consistent with otherwise applicable provisions of Federal law, any Federal agency or department, component, officer, employee, or agent of the Federal Government solely for—

(i)

a cybersecurity purpose;

(ii)

the purpose of identifying—

(I)

a cybersecurity threat, including the source of such cybersecurity threat; or

(II)

a security vulnerability;

(iii)

the purpose of responding to, or otherwise preventing or mitigating, a specific threat of death, a specific threat of serious bodily harm, or a specific threat of serious economic harm, including a terrorist act or a use of a weapon of mass destruction;

(iv)

the purpose of responding to, investigating, prosecuting, or otherwise preventing or mitigating, a serious threat to a minor, including sexual exploitation and threats to physical safety; or

(v)

the purpose of preventing, investigating, disrupting, or prosecuting an offense arising out of a threat described in clause (iii) or any of the offenses listed in—

(I)

sections 1028 through 1030 of title 18 (relating to fraud and identity theft);

(II)

chapter 37 of such title (relating to espionage and censorship); and

(III)

chapter 90 of such title (relating to protection of trade secrets).

(B)

Prohibited activities

(C)

Privacy and civil liberties

Cyber threat indicators and defensive measures provided to the Federal Government under this subchapter shall be retained, used, and disseminated by the Federal Government—

(i)

in accordance with the policies, procedures, and guidelines required by subsections (a) and (b);

(ii)

in a manner that protects from unauthorized use or disclosure any cyber threat indicators that may contain—

(I)

personal information of a specific individual; or

(II)

information that identifies a specific individual; and

(iii)

in a manner that protects the confidentiality of cyber threat indicators containing—

(I)

personal information of a specific individual; or

(II)

information that identifies a specific individual.

(D)

Federal regulatory authority

(i)

In general

(ii)

Exceptions

(I)

Regulatory authority specifically relating to prevention or mitigation of cybersecurity threats

(II)

Procedures developed and implemented under this subchapter

(Pub. L. 114–113, div. N, title I, § 105, Dec. 18, 2015, 129 Stat. 2943.)

cite as: 6 USC 1504