81 FR 8214 - National Protection and Programs Directorate; Cybersecurity Information Sharing Act of 2015 Interim Guidance Documents-Notice of Availability

DEPARTMENT OF HOMELAND SECURITY

Federal Register Volume 81, Issue 32 (February 18, 2016)

Page Range: 8214-8214
FR Document: 2016-03430

[Federal Register Volume 81, Number 32 (Thursday, February 18, 2016)]
[Notices]
[Page 8214]
From the Federal Register Online  [www.thefederalregister.org]
[FR Doc No: 2016-03430]


-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY


National Protection and Programs Directorate; Cybersecurity 
Information Sharing Act of 2015 Interim Guidance Documents--Notice of 
Availability

AGENCY: National Protection and Programs Directorate, DHS.

ACTION: Notice of availability.

-----------------------------------------------------------------------

SUMMARY: DHS is announcing the availability of Cybersecurity 
Information Sharing Act of 2015 Interim Guidance Documents jointly 
issued with the Department of Justice (DOJ) in compliance with the Act 
(CISA), which authorizes the voluntary sharing and receiving of cyber 
threat indicators and defensive measures for cybersecurity purposes, 
consistent with certain protections, including privacy and civil 
liberty protections.

ADDRESSES: The CISA guidance documents may be found on www.us-cert.gov/ais.

FOR FURTHER INFORMATION CONTACT: If you have questions about this 
notice, email Matthew Shabat at matthew.shabat@hq.dhs.gov or telephone 
on (703) 235-5338. Questions may also be directed by mail to Matthew 
Shabat, 245 Murray Lane SW., Mail Stop 0610, Washington, DC 20528-0610.

SUPPLEMENTARY INFORMATION: The CISA requires the Secretary of DHS and 
the Attorney General to jointly develop and make publicly available--
     • guidance to assist non-Federal entities and promote 
sharing of cyber threat indicators with the Federal Government;
     • interim and final guidelines for the protection of privacy 
and civil liberties; and
     • interim and final procedures related to the receipt of 
cyber threat indicators and defensive measures by the Government, which 
happen principally through the real-time DHS process, the existing 
DHS-operated Automated Indicator Sharing (AIS) initiative and may also 
occur through direct submissions to Federal agencies.
    The CISA also requires the Secretary of DHS, the Attorney General, 
the Director of National Intelligence, and the Secretary of Defense, to 
jointly develop interim procedures to facilitate and promote the 
sharing of cyber threat indicators and defensive measures by the 
Federal Government.

Authority and Background

    On December 18, 2015, the President signed into law the 
Consolidated Appropriations Act, 2016, Public Law 114-113, which 
included at Division N, Title I the Cybersecurity Information Sharing 
Act of 2015 (CISA). Congress designed CISA to establish a voluntary 
cybersecurity information sharing process that encourages public and 
private sector entities to share cyber threat indicators and defensive 
measures while protecting privacy and civil liberties. The CISA 
requires various Executive Branch agencies to coordinate and create, 
within 60 days of enactment (i.e., not later than February 16, 2016), 
four guidance documents to facilitate this voluntary cybersecurity 
information sharing process. The CISA requires two of these interim 
documents to be made publicly available. See generally Public Law 
114-113, Div. N, Title I secs. 103, 105.

Overview of the 60 Day Guidance Required Under CISA

    The CISA sec. 103 requires the Director of National Intelligence, 
the Secretary of Homeland Security, the Secretary of Defense, and the 
Attorney General, in consultation with the heads of designated Federal 
entities,\1\ to jointly develop and issue procedures to facilitate and 
promote the sharing by the Federal Government of classified and 
unclassified cyber threat indicators, defensive measures, and other 
information and best practices related to mitigating cyber threats. The 
CISA sec. 103(b) requires these procedures to include a real-time 
sharing capability (namely the DHS Automated Indicator Sharing (AIS) 
initiative); incorporate existing Federal information sharing 
processes, procedures, roles, and responsibilities to the greatest 
extent possible; account for sharing done in error; and protect against 
unauthorized access to cyber threat information. Further, the 
procedures must account for the review of cyber threat indicators to 
identify personal information not related to the threat, a technical 
capability to remove such personal information, and a notification 
process to alert any U.S. person whose personal information is 
improperly shared by a Federal entity.
---------------------------------------------------------------------------

    \1\ The CISA defines Appropriate Federal Entities as the 
Departments of Commerce, Defense, Energy, Homeland Security, 
Justice, Treasury, and the Office of the Director of National 
Intelligence. See CISA sec. 102(3).
---------------------------------------------------------------------------

    The CISA sec. 105(a)(1) requires the Secretary of Homeland Security 
and the Attorney General, in consultation with the heads of designated 
Federal entities, to jointly develop and issue interim policies and 
procedures relating to the receipt of cyber threat indicators and 
defensive measures by the Federal Government. These internal 
operational procedures describe general rules applicable to DHS and 
other Federal agencies and the operative processes of the DHS AIS 
system, including the statutory requirement for Federal agencies that 
receive cyber threat indicators and defensive measures to share them 
with other appropriate agencies.
    The CISA sec. 105(a)(4) requires the Secretary of Homeland Security 
and the Attorney General to jointly develop and make publicly available 
guidance to assist non-Federal entities with sharing cyber threat 
indicators with Federal entities. This guidance includes explanations 
of how non-Federal entities can identify and share cyber threat 
indicators and defensive measures with the Federal Government in 
accordance with CISA and describes the protections non-Federal entities 
receive under CISA for sharing cyber threat indicators and defensive 
measures, including targeted liability protection and other statutory 
protections.
    Finally, CISA sec. 105(b) requires the Secretary of Homeland 
Security and the Attorney General, in consultation with the Department 
Heads and Chief Privacy and Civil Liberties Officers of the designated 
Federal entities, to jointly develop and make publicly available 
interim guidelines relating to privacy and civil liberties that govern 
the receipt, retention, use, and dissemination of cyber threat 
indicators by a Federal entity. These privacy and civil liberties 
guidelines are consistent with the Fair Information Practice Principles 
(FIPPs) set forth in Appendix A of the ``National Strategy for Trusted 
Identities in Cyberspace,'' published by the President in April 2011.

Issuance of Agency Guidance Required Under CISA

    The CISA guidance documents may be found on www.us-cert.gov/ais.

    Dated: February 11, 2016.
Andy Ozment,
Assistant Secretary, Department of Homeland Security.
[FR Doc. 2016-03430 Filed 2-17-16; 8:45 am]
 BILLING CODE 9110-9P-P




Document Created: 2016-02-18 07:46:11
Document Modified: 2016-02-18 07:46:11
Category: Regulatory Information
Collection: Federal Register
sudoc Class: AE 2.7:; GS 4.107:; AE 2.106:
Publisher: Office of the Federal Register, National Archives and Records Administration
Section: Notices
Action: Notice of availability.
Contact: If you have questions about this notice, email Matthew Shabat at matthew.shabat@hq.dhs.gov or telephone on (703) 235-5338. Questions may also be directed by mail to Matthew Shabat, 245 Murray Lane SW., Mail Stop 0610, Washington, DC 20528-0610.
FR Citation: 81 FR 8214
