Many people ask for clarification on CISA, because reading the statute on its own raises several confusing points. The following information may help.
ISAOs/ISACs: Cybersecurity Information Sharing Act (CISA) Liability Protection
On February 13, 2015, the President signed Executive Order (E.O.) 13691, referred to as the “Information Sharing and Analysis Organization E.O.” (ISAO E.O.). In December 2015, the Cybersecurity Information Sharing Act (CISA) was enacted; it provides limited liability protections for companies that share cyber threat information. Entities that share cyber threat information with a non-federal entity, such as an ISAO or ISAC, receive liability protection if the sharing is conducted in accordance with CISA’s requirements and existing law. This document explains CISA’s liability protection for private sector entities sharing information with ISAOs and Information Sharing and Analysis Centers (ISACs).
The following sections help illustrate how CISA’s liability protections apply to information shared with and between ISAOs and ISACs:
CISA Section 104(c)(1): Allows an entity to share with any other entity – private, federal, state, local – provided that the sharing is conducted for cybersecurity purposes and is consistent with existing protections of classified information.
CISA Section 106(b): Grants liability protection to private entities that share or receive cyber threat indicators or defensive measures under section 104(c), subject to two conditions:
Such sharing is conducted in accordance with CISA requirements; and
If the information is shared with the Federal Government, it is shared in accordance with section 105(c)(1)(B). (If the information is shared with a non-federal entity, only the first condition applies.)
Liability Protection for Non-Federal Information Sharing
Under the CISA legislation, information shared by private entities with non-federal entities, such as ISAOs or ISACs, must be shared in accordance with CISA’s requirements for the sharing entity to receive liability protection. Such sharing is exempt from the second condition under section 106(b).
Section 2(b)(iv) of the DHS Non-Federal Entity Guidance states that: “Non-federal entities that share a cyber threat indicator or defensive measure with an Information Sharing and Analysis Center or Information Sharing and Analysis Organization—or any other non-federal entity—in accordance with the Act’s requirements receive liability protection for such sharing under section 106(b) of the Act.”
The DHS guidance documents and the CISA legislation together outline the complete set of requirements an entity must meet to receive liability protection for information shared with a non-federal entity. Examples of these requirements include, but are not limited to:
The sharing is conducted for cybersecurity purposes
The sharing and receiving entities implement and use security controls to protect against unauthorized access to the shared information
The sharing entity reviews the information before sharing and removes personal information, or information that identifies a specific individual, that is not directly related to a cybersecurity threat
Entities sharing with federal entities must go through DHS to receive liability protection. If a federal entity stands up an ISAO, must entities sharing information with that federal ISAO go through DHS to receive liability protection? Or must the DHS Non-Federal Entity Guidance be updated to read “Non-federal entities that share … with a Non-Federal ISAO or ISAC …”?
CISA section 106(b)(1) requires that the sharing be conducted in accordance with the Act’s requirements, but no single document clearly consolidates all of those requirements.