Page 405
TITLE 6—DOMESTIC SECURITY
§ 1504
with heads of the appropriate Federal entities and in consultation with officers designated under section 2000ee–1 of title 42, jointly develop, submit to Congress, and make available to the public interim guidelines relating to privacy and civil liberties which shall govern the receipt, retention, use, and dissemination of cyber threat indicators by a Federal entity obtained in connection with activities authorized in this subchapter.
(2) Final guidelines
(A) In general
Not later than 180 days after December 18, 2015, the Attorney General and the Secretary of Homeland Security shall, in coordination with heads of the appropriate Federal entities and in consultation with officers designated under section 2000ee–1 of title 42 and such private entities with industry expertise as the Attorney General and the Secretary consider relevant, jointly issue and make publicly available final guidelines relating to privacy and civil liberties which shall govern the receipt, retention, use, and dissemination of cyber threat indicators by a Federal entity obtained in connection with activities authorized in this subchapter.
(B) Periodic review
The Attorney General and the Secretary of Homeland Security shall, in coordination with heads of the appropriate Federal entities and in consultation with officers and private entities described in subparagraph (A), periodically, but not less frequently than once every 2 years, jointly review the guidelines issued under subparagraph (A).
(3) Content
The guidelines required by paragraphs (1) and (2) shall, consistent with the need to protect information systems from cybersecurity threats and mitigate cybersecurity threats—
(A) limit the effect on privacy and civil liberties of activities by the Federal Government under this subchapter;
(B) limit the receipt, retention, use, and dissemination of cyber threat indicators containing personal information of specific individuals or information that identifies specific individuals, including by establishing—
(i) a process for the timely destruction of such information that is known not to be directly related to uses authorized under this subchapter; and
(ii) specific limitations on the length of any period in which a cyber threat indicator may be retained;
(C) include requirements to safeguard cyber threat indicators containing personal information of specific individuals or information that identifies specific individuals from unauthorized access or acquisition, including appropriate sanctions for activities by officers, employees, or agents of the Federal Government in contravention of such guidelines;
(D) consistent with this subchapter, any other applicable provisions of law, and the fair information practice principles set forth in appendix A of the document entitled “National Strategy for Trusted Identities in Cyberspace” and published by the President in April 2011, govern the retention, use, and dissemination by the Federal Government of cyber threat indicators shared with the Federal Government under this subchapter, including the extent, if any, to which such cyber threat indicators may be used by the Federal Government;
(E) include procedures for notifying entities and Federal entities if information received pursuant to this section is known or determined by a Federal entity receiving such information not to constitute a cyber threat indicator;
(F) protect the confidentiality of cyber threat indicators containing personal information of specific individuals or information that identifies specific individuals to the greatest extent practicable and require recipients to be informed that such indicators may only be used for purposes authorized under this subchapter; and
(G) include steps that may be needed so that dissemination of cyber threat indicators is consistent with the protection of classified and other sensitive national security information.
(c) Capability and process within the Department of Homeland Security
(1) In general
Not later than 90 days after December 18, 2015, the Secretary of Homeland Security, in coordination with the heads of the appropriate Federal entities, shall develop and implement a capability and process within the Department of Homeland Security that—
(A) shall accept from any non-Federal entity in real time cyber threat indicators and defensive measures, pursuant to this section;
(B) shall, upon submittal of the certification under paragraph (2) that such capability and process fully and effectively operates as described in such paragraph, be the process by which the Federal Government receives cyber threat indicators and defensive measures under this subchapter that are shared by a non-Federal entity with the Federal Government through electronic mail or media, an interactive form on an Internet website, or a real time, automated process between information systems except—
(i) consistent with section 1503 of this title, communications between a Federal entity and a non-Federal entity regarding a previously shared cyber threat indicator to describe the relevant cybersecurity threat or develop a defensive measure based on such cyber threat indicator; and
(ii) communications by a regulated non-Federal entity with such entity’s Federal regulatory authority regarding a cybersecurity threat;
(C) ensures that all of the appropriate Federal entities receive in an automated manner such cyber threat indicators and defensive measures shared through the real-time process within the Department of Homeland Security;
(D) is in compliance with the policies, procedures, and guidelines required by this section; and
(E) does not limit or prohibit otherwise lawful disclosures of communications, records, or other information, including—
(i) reporting of known or suspected criminal activity, by a non-Federal entity to any other non-Federal entity or a Federal entity, including cyber threat indicators or defensive measures shared with a Federal entity in furtherance of opening a Federal law enforcement investigation;
(ii) voluntary or legally compelled participation in a Federal investigation; and
(iii) providing cyber threat indicators or defensive measures as part of a statutory or authorized contractual requirement.
(2) Certification and designation
(A) Certification of capability and process
Not later than 90 days after December 18, 2015, the Secretary of Homeland Security shall, in consultation with the heads of the appropriate Federal entities, submit to Congress a certification as to whether the capability and process required by paragraph (1) fully and effectively operates—
(i) as the process by which the Federal Government receives from any non-Federal entity a cyber threat indicator or defensive measure under this subchapter; and
(ii) in accordance with the interim policies, procedures, and guidelines developed under this subchapter.
(B) Designation
(i) In general
At any time after certification is submitted under subparagraph (A), the President may designate an appropriate Federal entity, other than the Department of Defense (including the National Security Agency), to develop and implement a capability and process as described in paragraph (1) in addition to the capability and process developed under such paragraph by the Secretary of Homeland Security, if, not fewer than 30 days before making such designation, the President submits to Congress a certification and explanation that—
(I) such designation is necessary to ensure that full, effective, and secure operation of a capability and process for the Federal Government to receive from any non-Federal entity cyber threat indicators or defensive measures under this subchapter;
(II) the designated appropriate Federal entity will receive and share cyber threat indicators and defensive measures in accordance with the policies, procedures, and guidelines developed under this subchapter, including subsection (a)(3)(A); and
(III) such designation is consistent with the mission of such appropriate Federal entity and improves the ability of the Federal Government to receive, share, and use cyber threat indicators and defensive measures as authorized under this subchapter.
(ii) Application to additional capability and process
If the President designates an appropriate Federal entity to develop and implement a capability and process under clause (i), the provisions of this subchapter that apply to the capability and process required by paragraph (1) shall also be construed to apply to the capability and process developed and implemented under clause (i).
(3) Public notice and access
The Secretary of Homeland Security shall ensure there is public notice of, and access to, the capability and process developed and implemented under paragraph (1) so that—
(A) any non-Federal entity may share cyber threat indicators and defensive measures through such process with the Federal Government; and
(B) all of the appropriate Federal entities receive such cyber threat indicators and defensive measures in real time with receipt through the process within the Department of Homeland Security consistent with the policies and procedures issued under subsection (a).
(4) Other Federal entities
The process developed and implemented under paragraph (1) shall ensure that other Federal entities receive in a timely manner any cyber threat indicators and defensive measures shared with the Federal Government through such process.
(d) Information shared with or provided to the Federal Government
(1) No waiver of privilege or protection
The provision of cyber threat indicators and defensive measures to the Federal Government under this subchapter shall not constitute a waiver of any applicable privilege or protection provided by law, including trade secret protection.
(2) Proprietary information
Consistent with section 1503(c)(2) of this title and any other applicable provision of law, a cyber threat indicator or defensive measure provided by a non-Federal entity to the Federal Government under this subchapter shall be considered the commercial, financial, and proprietary information of such non-Federal entity when so designated by the originating non-Federal entity or a third party acting in accordance with the written authorization of the originating non-Federal entity.
(3) Exemption from disclosure
A cyber threat indicator or defensive measure shared with the Federal Government under this subchapter shall be—
(A) deemed voluntarily shared information and exempt from disclosure under section 552 of title 5 and any State, tribal, or local provision of law requiring disclosure of information or records; and
(B) withheld, without discretion, from the public under section 552(b)(3)(B) of title 5