Download:
pdf |
pdf§ 1504
TITLE 6—DOMESTIC SECURITY
vidual or information that identifies a specific individual and remove such information; or
(B) implement and utilize a technical capability configured to remove any information not directly related to a cybersecurity
threat that the non-Federal entity knows at
the time of sharing to be personal information of a specific individual or information
that identifies a specific individual.
(3) Use of cyber threat indicators and defensive measures by non-Federal entities
(A) In general
Consistent with this subchapter, a cyber
threat indicator or defensive measure shared
or received under this section may, for
cybersecurity purposes—
(i) be used by a non-Federal entity to
monitor or operate a defensive measure
that is applied to—
(I) an information system of the nonFederal entity; or
(II) an information system of another
non-Federal entity or a Federal entity
upon the written consent of that other
non-Federal entity or that Federal entity; and
(ii) be otherwise used, retained, and further shared by a non-Federal entity subject to—
(I) an otherwise lawful restriction
placed by the sharing non-Federal entity
or Federal entity on such cyber threat
indicator or defensive measure; or
(II) an otherwise applicable provision
of law.
(B) Construction
Nothing in this paragraph shall be construed to authorize the use of a cyber threat
indicator or defensive measure other than as
provided in this section.
(4) Use of cyber threat indicators by State,
tribal, or local government
(A) Law enforcement use
A State, tribal, or local government that
receives a cyber threat indicator or defensive measure under this subchapter may use
such cyber threat indicator or defensive
measure for the purposes described in section 1504(d)(5)(A) of this title.
(B) Exemption from disclosure
A cyber threat indicator or defensive
measure shared by or with a State, tribal, or
local government, including a component of
a State, tribal, or local government that is a
private entity, under this section shall be—
(i) deemed voluntarily shared information; and
(ii) exempt from disclosure under any
provision of State, tribal, or local freedom
of information law, open government law,
open meetings law, open records law, sunshine law, or similar law requiring disclosure of information or records.
(C) State, tribal, and local regulatory authority
(i) In general
Except as provided in clause (ii), a cyber
threat indicator or defensive measure
Page 318
shared with a State, tribal, or local government under this subchapter shall not be
used by any State, tribal, or local government to regulate, including an enforcement action, the lawful activity of any
non-Federal entity or any activity taken
by a non-Federal entity pursuant to mandatory standards, including an activity relating to monitoring, operating a defensive
measure, or sharing of a cyber threat indicator.
(ii) Regulatory authority specifically relating to prevention or mitigation of
cybersecurity threats
A cyber threat indicator or defensive
measure shared as described in clause (i)
may, consistent with a State, tribal, or
local government regulatory authority
specifically relating to the prevention or
mitigation of cybersecurity threats to information systems, inform the development or implementation of a regulation
relating to such information systems.
(e) Antitrust exemption
(1) In general
Except as provided in section 1507(e) of this
title, it shall not be considered a violation of
any provision of antitrust laws for 2 or more
private entities to exchange or provide a cyber
threat indicator or defensive measure, or assistance relating to the prevention, investigation, or mitigation of a cybersecurity threat,
for cybersecurity purposes under this subchapter.
(2) Applicability
Paragraph (1) shall apply only to information that is exchanged or assistance provided
in order to assist with—
(A) facilitating the prevention, investigation, or mitigation of a cybersecurity threat
to an information system or information
that is stored on, processed by, or transiting
an information system; or
(B) communicating or disclosing a cyber
threat indicator to help prevent, investigate,
or mitigate the effect of a cybersecurity
threat to an information system or information that is stored on, processed by, or transiting an information system.
(f) No right or benefit
The sharing of a cyber threat indicator or defensive measure with a non-Federal entity under
this subchapter shall not create a right or benefit to similar information by such non-Federal
entity or any other non-Federal entity.
(Pub. L. 114–113, div. N, title I, § 104, Dec. 18, 2015,
129 Stat. 2940.)
§ 1504. Sharing of cyber threat indicators and defensive measures with the Federal Government
(a) Requirement for policies and procedures
(1) Interim policies and procedures
Not later than 60 days after December 18,
2015, the Attorney General and the Secretary
of Homeland Security shall, in consultation
with the heads of the appropriate Federal enti-
Page 319
TITLE 6—DOMESTIC SECURITY
ties, jointly develop and submit to Congress
interim policies and procedures relating to the
receipt of cyber threat indicators and defensive measures by the Federal Government.
(2) Final policies and procedures
Not later than 180 days after December 18,
2015, the Attorney General and the Secretary
of Homeland Security shall, in consultation
with the heads of the appropriate Federal entities, jointly issue and make publicly available
final policies and procedures relating to the
receipt of cyber threat indicators and defensive measures by the Federal Government.
(3) Requirements concerning policies and procedures
Consistent with the guidelines required by
subsection (b), the policies and procedures developed or issued under this subsection shall—
(A) ensure that cyber threat indicators
shared with the Federal Government by any
non-Federal entity pursuant to section
1503(c) of this title through the real-time
process described in subsection (c) of this
section—
(i) are shared in an automated manner
with all of the appropriate Federal entities;
(ii) are only subject to a delay, modification, or other action due to controls established for such real-time process that
could impede real-time receipt by all of
the appropriate Federal entities when the
delay, modification, or other action is due
to controls—
(I) agreed upon unanimously by all of
the heads of the appropriate Federal entities;
(II) carried out before any of the appropriate Federal entities retains or uses
the cyber threat indicators or defensive
measures; and
(III) uniformly applied such that each
of the appropriate Federal entities is
subject to the same delay, modification,
or other action; and
(iii) may be provided to other Federal
entities;
(B) ensure that cyber threat indicators
shared with the Federal Government by any
non-Federal entity pursuant to section 1503
of this title in a manner other than the realtime process described in subsection (c) of
this section—
(i) are shared as quickly as operationally
practicable with all of the appropriate
Federal entities;
(ii) are not subject to any unnecessary
delay, interference, or any other action
that could impede receipt by all of the appropriate Federal entities; and
(iii) may be provided to other Federal
entities; and
(C) ensure there are—
(i) audit capabilities; and
(ii) appropriate sanctions in place for officers, employees, or agents of a Federal
entity who knowingly and willfully conduct activities under this subchapter in an
unauthorized manner.
§ 1504
(4) Guidelines for entities sharing cyber threat
indicators with Federal Government
(A) In general
Not later than 60 days after December 18,
2015, the Attorney General and the Secretary
of Homeland Security shall jointly develop
and make publicly available guidance to assist entities and promote sharing of cyber
threat indicators with Federal entities
under this subchapter.
(B) Contents
The guidelines developed and made publicly available under subparagraph (A) shall
include guidance on the following:
(i) Identification of types of information
that would qualify as a cyber threat indicator under this subchapter that would be
unlikely to include information that—
(I) is not directly related to a
cybersecurity threat; and
(II) is personal information of a specific individual or information that identifies a specific individual.
(ii) Identification of types of information
protected under otherwise applicable privacy laws that are unlikely to be directly
related to a cybersecurity threat.
(iii) Such other matters as the Attorney
General and the Secretary of Homeland
Security consider appropriate for entities
sharing cyber threat indicators with Federal entities under this subchapter.
(b) Privacy and civil liberties
(1) Interim guidelines
Not later than 60 days after December 18,
2015, the Attorney General and the Secretary
of Homeland Security shall, in consultation
with heads of the appropriate Federal entities
and in consultation with officers designated
under section 2000ee–1 of title 42, jointly develop, submit to Congress, and make available
to the public interim guidelines relating to
privacy and civil liberties which shall govern
the receipt, retention, use, and dissemination
of cyber threat indicators by a Federal entity
obtained in connection with activities authorized in this subchapter.
(2) Final guidelines
(A) In general
Not later than 180 days after December 18,
2015, the Attorney General and the Secretary
of Homeland Security shall, in coordination
with heads of the appropriate Federal entities and in consultation with officers designated under section 2000ee–1 of title 42 and
such private entities with industry expertise
as the Attorney General and the Secretary
consider relevant, jointly issue and make
publicly available final guidelines relating
to privacy and civil liberties which shall
govern the receipt, retention, use, and dissemination of cyber threat indicators by a
Federal entity obtained in connection with
activities authorized in this subchapter.
(B) Periodic review
The Attorney General and the Secretary of
Homeland Security shall, in coordination
§ 1504
TITLE 6—DOMESTIC SECURITY
with heads of the appropriate Federal entities and in consultation with officers and
private entities described in subparagraph
(A), periodically, but not less frequently
than once every 2 years, jointly review the
guidelines issued under subparagraph (A).
(3) Content
The guidelines required by paragraphs (1)
and (2) shall, consistent with the need to protect information systems from cybersecurity
threats and mitigate cybersecurity threats—
(A) limit the effect on privacy and civil
liberties of activities by the Federal Government under this subchapter;
(B) limit the receipt, retention, use, and
dissemination of cyber threat indicators
containing personal information of specific
individuals or information that identifies
specific individuals, including by establishing—
(i) a process for the timely destruction of
such information that is known not to be
directly related to uses authorized under
this subchapter; and
(ii) specific limitations on the length of
any period in which a cyber threat indicator may be retained;
(C) include requirements to safeguard
cyber threat indicators containing personal
information of specific individuals or information that identifies specific individuals
from unauthorized access or acquisition, including appropriate sanctions for activities
by officers, employees, or agents of the Federal Government in contravention of such
guidelines;
(D) consistent with this subchapter, any
other applicable provisions of law, and the
fair information practice principles set forth
in appendix A of the document entitled ‘‘National Strategy for Trusted Identities in
Cyberspace’’ and published by the President
in April 2011, govern the retention, use, and
dissemination by the Federal Government of
cyber threat indicators shared with the Federal Government under this subchapter, including the extent, if any, to which such
cyber threat indicators may be used by the
Federal Government;
(E) include procedures for notifying entities and Federal entities if information received pursuant to this section is known or
determined by a Federal entity receiving
such information not to constitute a cyber
threat indicator;
(F) protect the confidentiality of cyber
threat indicators containing personal information of specific individuals or information
that identifies specific individuals to the
greatest extent practicable and require recipients to be informed that such indicators
may only be used for purposes authorized
under this subchapter; and
(G) include steps that may be needed so
that dissemination of cyber threat indicators is consistent with the protection of
classified and other sensitive national security information.
Page 320
(c) Capability and process within the Department of Homeland Security
(1) In general
Not later than 90 days after December 18,
2015, the Secretary of Homeland Security, in
coordination with the heads of the appropriate
Federal entities, shall develop and implement
a capability and process within the Department of Homeland Security that—
(A) shall accept from any non-Federal entity in real time cyber threat indicators and
defensive measures, pursuant to this section;
(B) shall, upon submittal of the certification under paragraph (2) that such capability and process fully and effectively operates
as described in such paragraph, be the process by which the Federal Government receives cyber threat indicators and defensive
measures under this subchapter that are
shared by a non-Federal entity with the Federal Government through electronic mail or
media, an interactive form on an Internet
website, or a real time, automated process
between information systems except—
(i) consistent with section 1503 of this
title, communications between a Federal
entity and a non-Federal entity regarding
a previously shared cyber threat indicator
to describe the relevant cybersecurity
threat or develop a defensive measure
based on such cyber threat indicator; and
(ii) communications by a regulated nonFederal entity with such entity’s Federal
regulatory
authority
regarding
a
cybersecurity threat;
(C) ensures that all of the appropriate Federal entities receive in an automated manner such cyber threat indicators and defensive measures shared through the real-time
process within the Department of Homeland
Security;
(D) is in compliance with the policies, procedures, and guidelines required by this section; and
(E) does not limit or prohibit otherwise
lawful
disclosures
of
communications,
records, or other information, including—
(i) reporting of known or suspected
criminal activity, by a non-Federal entity
to any other non-Federal entity or a Federal entity, including cyber threat indicators or defensive measures shared with a
Federal entity in furtherance of opening a
Federal law enforcement investigation;
(ii) voluntary or legally compelled participation in a Federal investigation; and
(iii) providing cyber threat indicators or
defensive measures as part of a statutory
or authorized contractual requirement.
(2) Certification and designation
(A) Certification of capability and process
Not later than 90 days after December 18,
2015, the Secretary of Homeland Security
shall, in consultation with the heads of the
appropriate Federal entities, submit to Congress a certification as to whether the capability and process required by paragraph (1)
fully and effectively operates—
(i) as the process by which the Federal
Government receives from any non-Fed-
Page 321
TITLE 6—DOMESTIC SECURITY
eral entity a cyber threat indicator or defensive measure under this subchapter; and
(ii) in accordance with the interim policies, procedures, and guidelines developed
under this subchapter.
(B) Designation
(i) In general
At any time after certification is submitted under subparagraph (A), the President may designate an appropriate Federal
entity, other than the Department of Defense (including the National Security
Agency), to develop and implement a capability and process as described in paragraph (1) in addition to the capability and
process developed under such paragraph by
the Secretary of Homeland Security, if,
not fewer than 30 days before making such
designation, the President submits to Congress a certification and explanation
that—
(I) such designation is necessary to ensure that full, effective, and secure operation of a capability and process for the
Federal Government to receive from any
non-Federal entity cyber threat indicators or defensive measures under this
subchapter;
(II) the designated appropriate Federal
entity will receive and share cyber
threat indicators and defensive measures
in accordance with the policies, procedures, and guidelines developed under
this subchapter, including subsection
(a)(3)(A); and
(III) such designation is consistent
with the mission of such appropriate
Federal entity and improves the ability
of the Federal Government to receive,
share, and use cyber threat indicators
and defensive measures as authorized
under this subchapter.
(ii) Application to additional capability and
process
If the President designates an appropriate Federal entity to develop and implement a capability and process under clause
(i), the provisions of this subchapter that
apply to the capability and process required by paragraph (1) shall also be construed to apply to the capability and process developed and implemented under
clause (i).
(3) Public notice and access
The Secretary of Homeland Security shall
ensure there is public notice of, and access to,
the capability and process developed and implemented under paragraph (1) so that—
(A) any non-Federal entity may share
cyber threat indicators and defensive measures through such process with the Federal
Government; and
(B) all of the appropriate Federal entities
receive such cyber threat indicators and defensive measures in real time with receipt
through the process within the Department
of Homeland Security consistent with the
policies and procedures issued under subsection (a).
§ 1504
(4) Other Federal entities
The process developed and implemented
under paragraph (1) shall ensure that other
Federal entities receive in a timely manner
any cyber threat indicators and defensive
measures shared with the Federal Government
through such process.
(d) Information shared with or provided to the
Federal Government
(1) No waiver of privilege or protection
The provision of cyber threat indicators and
defensive measures to the Federal Government
under this subchapter shall not constitute a
waiver of any applicable privilege or protection provided by law, including trade secret
protection.
(2) Proprietary information
Consistent with section 1503(c)(2) of this
title and any other applicable provision of law,
a cyber threat indicator or defensive measure
provided by a non-Federal entity to the Federal Government under this subchapter shall
be considered the commercial, financial, and
proprietary information of such non-Federal
entity when so designated by the originating
non-Federal entity or a third party acting in
accordance with the written authorization of
the originating non-Federal entity.
(3) Exemption from disclosure
A cyber threat indicator or defensive measure shared with the Federal Government under
this subchapter shall be—
(A) deemed voluntarily shared information
and exempt from disclosure under section
552 of title 5 and any State, tribal, or local
provision of law requiring disclosure of information or records; and
(B) withheld, without discretion, from the
public under section 552(b)(3)(B) of title 5
and any State, tribal, or local provision of
law requiring disclosure of information or
records.
(4) Ex parte communications
The provision of a cyber threat indicator or
defensive measure to the Federal Government
under this subchapter shall not be subject to a
rule of any Federal agency or department or
any judicial doctrine regarding ex parte communications with a decision-making official.
(5) Disclosure, retention, and use
(A) Authorized activities
Cyber threat indicators and defensive
measures provided to the Federal Government under this subchapter may be disclosed
to, retained by, and used by, consistent with
otherwise applicable provisions of Federal
law, any Federal agency or department,
component, officer, employee, or agent of
the Federal Government solely for—
(i) a cybersecurity purpose;
(ii) the purpose of identifying—
(I) a cybersecurity threat, including
the source of such cybersecurity threat;
or
(II) a security vulnerability;
(iii) the purpose of responding to, or
otherwise preventing or mitigating, a spe-
§ 1505
TITLE 6—DOMESTIC SECURITY
cific threat of death, a specific threat of
serious bodily harm, or a specific threat of
serious economic harm, including a terrorist act or a use of a weapon of mass destruction;
(iv) the purpose of responding to, investigating, prosecuting, or otherwise preventing or mitigating, a serious threat to
a minor, including sexual exploitation and
threats to physical safety; or
(v) the purpose of preventing, investigating, disrupting, or prosecuting an offense
arising out of a threat described in clause
(iii) or any of the offenses listed in—
(I) sections 1028 through 1030 of title 18
(relating to fraud and identity theft);
(II) chapter 37 of such title (relating to
espionage and censorship); and
(III) chapter 90 of such title (relating
to protection of trade secrets).
(B) Prohibited activities
Cyber threat indicators and defensive
measures provided to the Federal Government under this subchapter shall not be disclosed to, retained by, or used by any Federal agency or department for any use not
permitted under subparagraph (A).
(C) Privacy and civil liberties
Cyber threat indicators and defensive
measures provided to the Federal Government under this subchapter shall be retained, used, and disseminated by the Federal Government—
(i) in accordance with the policies, procedures, and guidelines required by subsections (a) and (b);
(ii) in a manner that protects from unauthorized use or disclosure any cyber threat
indicators that may contain—
(I) personal information of a specific
individual; or
(II) information that identifies a specific individual; and
(iii) in a manner that protects the confidentiality of cyber threat indicators containing—
(I) personal information of a specific
individual; or
(II) information that identifies a specific individual.
(D) Federal regulatory authority
(i) In general
Except as provided in clause (ii), cyber
threat indicators and defensive measures
provided to the Federal Government under
this subchapter shall not be used by any
Federal, State, tribal, or local government
to regulate, including an enforcement action, the lawful activities of any non-Federal entity or any activities taken by a
non-Federal entity pursuant to mandatory
standards, including activities relating to
monitoring, operating defensive measures,
or sharing cyber threat indicators.
(ii) Exceptions
(I) Regulatory authority specifically relating to prevention or mitigation of
cybersecurity threats
Cyber threat indicators and defensive
measures provided to the Federal Gov-
Page 322
ernment under this subchapter may, consistent with Federal or State regulatory
authority specifically relating to the
prevention
or
mitigation
of
cybersecurity threats to information
systems, inform the development or implementation of regulations relating to
such information systems.
(II) Procedures developed and implemented under this subchapter
Clause (i) shall not apply to procedures
developed and implemented under this
subchapter.
(Pub. L. 114–113, div. N, title I, § 105, Dec. 18, 2015,
129 Stat. 2943.)
§ 1505. Protection from liability
(a) Monitoring of information systems
No cause of action shall lie or be maintained
in any court against any private entity, and
such action shall be promptly dismissed, for the
monitoring of an information system and information under section 1503(a) of this title that is
conducted in accordance with this subchapter.
(b) Sharing or receipt of cyber threat indicators
No cause of action shall lie or be maintained
in any court against any private entity, and
such action shall be promptly dismissed, for the
sharing or receipt of a cyber threat indicator or
defensive measure under section 1503(c) of this
title if—
(1) such sharing or receipt is conducted in
accordance with this subchapter; and
(2) in a case in which a cyber threat indicator or defensive measure is shared with the
Federal Government, the cyber threat indicator or defensive measure is shared in a manner
that is consistent with section 1504(c)(1)(B) of
this title and the sharing or receipt, as the
case may be, occurs after the earlier of—
(A) the date on which the interim policies
and procedures are submitted to Congress
under section 1504(a)(1) of this title and
guidelines are submitted to Congress under
section 1504(b)(1) of this title; or
(B) the date that is 60 days after December
18, 2015.
(c) Construction
Nothing in this subchapter shall be construed—
(1) to create—
(A) a duty to share a cyber threat indicator or defensive measure; or
(B) a duty to warn or act based on the receipt of a cyber threat indicator or defensive
measure; or
(2) to undermine or limit the availability of
otherwise applicable common law or statutory
defenses.
(Pub. L. 114–113, div. N, title I, § 106, Dec. 18, 2015,
129 Stat. 2950.)
§ 1506. Oversight of government activities
(a) Report on implementation
(1) In general
Not later than 1 year after December 18,
2015, the heads of the appropriate Federal enti-
File Type | application/pdf |
File Modified | 2016-08-16 |
File Created | 2016-08-16 |