Congressional Research Service


                                                                                                     April 8, 2025

The Cybersecurity Information Sharing Act of 2015: Expiring Provisions


A decade ago, Congress authorized a cybersecurity
information sharing structure that allows the federal
government to collect and disseminate threat information,
and that enables private sector entities to voluntarily share
that information with the government, as well as among
themselves. Congress passed this authorization after
discussing with stakeholders the need for an information
sharing protection framework that would amplify their
collective understanding of cybersecurity threats and how
to respond to them. The provisions in this authorization are
set to expire on September 30, 2025. A number of industry
groups have advocated for its renewal.

This CRS  In Focus discusses these provisions, potential
implications for their expiration, and possible changes to
statute that Congress may choose to consider.

Background
Congress passed the Cybersecurity Information Sharing Act
of 2015 (act) as Title I of the Cybersecurity Act of 2015.
The major authorizing provisions prescribe that

    *   Agencies with cyber threat information
        shall have procedures to share that
        information in a classified and
        unclassified way with both federal and
        nonfederal entities.
    *   An entity (governmental or
        nongovernmental) can have a private
        sector entity monitor and secure its
        information technology (IT).
    *   Private entities may share information
        related to identifying and defending
        against cyberthreats with other private
        entities and with the federal government.
    *   The private sector will not be subject to
        antitrust liability for participating in the
        cybersecurity information sharing
        activities authorized by the act.
    *   Personally identifiable information (PII)
        must be removed from shared
        information. Further, the Department of
        Homeland Security (DHS) and
        Department of Justice (DOJ) shall release
        guidance on protecting civil liberties
        when sharing information.
    *   The DHS and DOJ shall issue guidance
        on federal government and nonfederal
        entity information sharing.
    *   Private entities shall be protected from
        liability when conducting certain act-
        authorized activities, including
        monitoring IT, implementing protective
        actions, and sharing cybersecurity
        information.
    *   Information shared under the act is
        exempt from federal and state disclosure
        requirements.
The Senate Select Committee on Intelligence's committee
report on the originally considered bill highlights some of
the areas of debate. In 2015, privacy protections for the
information of individuals that could potentially be
collected and shared through the program, and limitations
on the use of program information, were of primary concern.
Recent Inspector General reviews have not found that PII
has been shared in violation of the act.

Automated Indicator Sharing Program
The Automated Indicator Sharing Program (AIS)
implements the information sharing requirements
prescribed by the act. It is a voluntary program that allows
the federal government and nonfederal participants to share
certain indicators of cybersecurity threat information with
each other.

The program defines an indicator as a technical artifact or
observable that suggests an attack is imminent or is
currently underway, or that a compromise may have already
occurred. Examples of such indicators include a
malicious website, activity by a known threat actor, or the
identification of a new technique.

AIS primarily shares indicators provided by
government agencies. These indicators may come
from either an unclassified source (e.g., reported by a
regulated entity) or a classified source (e.g., collected
through a classified program or operation, even if the
information itself is unclassified). These indicators are
uploaded to an AIS server, which pushes that information
to program participants. AIS also collects indicators from
the private sector, which are voluntarily shared.

To participate in the program, an entity (federal or
nonfederal) agrees to participation in writing and
establishes an AIS client server. The entity then connects
the AIS client server to its IT and cybersecurity
equipment to enable real-time, machine-to-machine
information sharing. AIS is a technical capability, but the
information could potentially be shared in other ways (e.g.,
manual reporting) and still receive protections under the act.
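The participation procedure and the act's PII-removal requirement above, as an added example that is not part of the original report and not the AIS program's own software: a pre-share scrubber in Python that keeps the technical observable (domain, IP address, hash, technique), drops fields that identify the reporter, redacts e-mail addresses and phone numbers from analyst free text, and rejects records that carry no recognised indicator, so that only scrubbed records are handed to whatever client pushes them to the sharing server. The field names, indicator types and sample records are assumptions for illustration; the real AIS schema is not reproduced here.

```python
"""Pre-share scrubbing of cyber threat indicators (illustrative, not AIS code)."""
import re

# Patterns for PII that commonly leaks into analyst free text.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\b(?:\+?1[ -]?)?\(?\d{3}\)?[ -]?\d{3}[ -]?\d{4}\b")

# Indicator kinds this example accepts (assumed; the real AIS schema is not used here).
ALLOWED_TYPES = {"domain", "url", "ipv4", "file_hash", "technique"}
# Fields that describe the reporter rather than the threat: never forwarded (assumed names).
REPORTER_FIELDS = {"reporter_name", "reporter_email", "reporter_phone"}
# The observable itself and its metadata are the threat information and pass through unchanged.
TECHNICAL_FIELDS = {"type", "value", "first_seen", "confidence"}


def scrub_indicator(record):
    """Return (clean_record, touched_fields).

    Reporter fields are dropped, free-text fields have e-mail addresses and phone
    numbers redacted, technical fields are copied verbatim.
    """
    clean, touched = {}, []
    for key, val in record.items():
        if key in REPORTER_FIELDS:
            touched.append(key)
            continue
        if key not in TECHNICAL_FIELDS and isinstance(val, str):
            redacted = PHONE_RE.sub("[phone removed]", EMAIL_RE.sub("[email removed]", val))
            if redacted != val:
                touched.append(key)
            val = redacted
        clean[key] = val
    return clean, touched


def prepare_batch(records):
    """Scrub every record and reject those without a usable technical observable.

    Returns (shareable, rejected): rejected holds (record, reason) pairs, and each
    shareable entry carries an audit note listing the fields that were redacted.
    """
    shareable, rejected = [], []
    for rec in records:
        if rec.get("type") not in ALLOWED_TYPES or not rec.get("value"):
            rejected.append((rec, "no recognised technical indicator"))
            continue
        clean, touched = scrub_indicator(rec)
        shareable.append({"indicator": clean, "redacted_fields": touched})
    return shareable, rejected


# Constructed sample input for the demonstration; these are not real reports.
SAMPLE = [
    {
        "type": "domain",
        "value": "login-example-bank.test",
        "description": "Phishing page; victim jane.doe@example.test reported it, call 555-123-4567",
        "reporter_email": "analyst@example.test",
        "first_seen": "2025-03-30",
    },
    {
        "type": "ipv4",
        "value": "203.0.113.7",
        "description": "C2 beaconing seen on port 443",
        "confidence": "medium",
    },
    {"type": "unknown", "value": "?"},
]

if __name__ == "__main__":
    ok, bad = prepare_batch(SAMPLE)
    for item in ok:
        print("share:", item)
    for rec, why in bad:
        print("rejected:", why, rec)
```

The audit list returned alongside each record is the part a practitioner should keep: it is the evidence, per record, that reporter data was stripped before anything left the organisation, which is what an Inspector General review of the kind the report mentions would ask for.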


https://crsreports.congress.gov
