Sec. 3. Authorizations for preventing, detecting, analyzing, and mitigating cybersecurity threats
1,024 words·~5 min read·
/bill/114/hr/1560/rh/section-3A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
Notwithstanding any other provision of law, a private entity may, for a cybersecurity purpose, monitor— an information system of such private entity; an information system of a non-Federal entity or a Federal entity, upon the written authorization of such non-Federal entity or such Federal entity; and information that is stored on, processed by, or transiting an information system monitored by the private entity under this paragraph. Nothing in this subsection shall be construed to— authorize the monitoring of an information system, or the use of any information obtained through such monitoring, other than as provided in this Act; authorize the Federal Government to conduct surveillance of any person; or limit otherwise lawful activity.
Except as provided in paragraph
(2)and notwithstanding any other provision of law, a private entity may, for a cybersecurity purpose, operate a defensive measure that is operated on and is limited to— an information system of such private entity to protect the rights or property of the private entity; and an information system of a non-Federal entity or a Federal entity upon written authorization of such non-Federal entity or such Federal entity for operation of such defensive measure to protect the rights or property of such private entity, such non-Federal entity, or such Federal entity. The authority provided in paragraph
(1)does not include the intentional or reckless operation of any defensive measure that destroys, renders unusable or inaccessible (in whole or in part), substantially harms, or initiates a new action, process, or procedure on an information system or information stored on, processed by, or transiting such information system not owned by— the private entity operating such defensive measure; or a non-Federal entity or a Federal entity that has provided written authorization to that private entity for operation of such defensive measure on the information system or information of the entity in accordance with this subsection. Nothing in this subsection shall be construed— to authorize the use of a defensive measure other than as provided in this subsection; or to limit otherwise lawful activity. Except as provided in paragraph
(2)and notwithstanding any other provision of law, a non-Federal entity may, for a cybersecurity purpose and consistent with the requirement under subsection (d)(2) to remove personal information of or information identifying a specific person not directly related to a cybersecurity threat and the protection of classified information— share a lawfully obtained cyber threat indicator or defensive measure with any other non-Federal entity or an appropriate Federal entity (other than the Department of Defense or any component of the Department, including the National Security Agency); and receive a cyber threat indicator or defensive measure from any other non-Federal entity or an appropriate Federal entity. A non-Federal entity receiving a cyber threat indicator or defensive measure from another non-Federal entity or a Federal entity shall comply with otherwise lawful restrictions placed on the sharing or use of such cyber threat indicator or defensive measure by the sharing non-Federal entity or Federal entity. Nothing in this subsection shall be construed to— authorize the sharing or receiving of a cyber threat indicator or defensive measure other than as provided in this subsection; authorize the sharing or receiving of classified information by or with any person not authorized to access such classified information; prohibit any Federal entity from engaging in formal or informal technical discussion regarding cyber threat indicators or defensive measures with a non-Federal entity or from providing technical assistance to address vulnerabilities or mitigate threats at the request of such an entity; limit otherwise lawful activity; prohibit a non-Federal entity, if authorized by applicable law or regulation other than this Act, from sharing a cyber threat indicator or defensive measure with the Department of Defense or any component of the Department, including the National Security Agency; or authorize the Federal Government to conduct surveillance of any person. A non-Federal entity monitoring an information system, operating a defensive measure, or providing or receiving a cyber threat indicator or defensive measure under this section shall implement an appropriate security control to protect against unauthorized access to, or acquisition of, such cyber threat indicator or defensive measure. A non-Federal entity sharing a cyber threat indicator pursuant to this Act shall, prior to such sharing, take reasonable efforts to— review such cyber threat indicator to assess whether such cyber threat indicator contains any information that the non-Federal entity reasonably believes at the time of sharing to be personal information of or information identifying a specific person not directly related to a cybersecurity threat and remove such information; or implement a technical capability configured to remove any information contained within such indicator that the non-Federal entity reasonably believes at the time of sharing to be personal information of or information identifying a specific person not directly related to a cybersecurity threat. A non-Federal entity may, for a cybersecurity purpose— use a cyber threat indicator or defensive measure shared or received under this section to monitor or operate a defensive measure on— an information system of such non-Federal entity; or an information system of another non-Federal entity or a Federal entity upon the written authorization of that other non-Federal entity or that Federal entity; and otherwise use, retain, and further share such cyber threat indicator or defensive measure subject to— an otherwise lawful restriction placed by the sharing non-Federal entity or Federal entity on such cyber threat indicator or defensive measure; or an otherwise applicable provision of law. A State, tribal, or local government may use a cyber threat indicator shared with such State, tribal, or local government for the purposes described in clauses (i), (ii), and
(iii)of section 4(d)(5)(A). A cyber threat indicator shared with a State, tribal, or local government under this section shall be— deemed voluntarily shared information; and exempt from disclosure under any State, tribal, or local law requiring disclosure of information or records, except as otherwise required by applicable State, tribal, or local law requiring disclosure in any criminal prosecution. The sharing of a cyber threat indicator with a non-Federal entity under this Act shall not create a right or benefit to similar information by such non-Federal entity or any other non-Federal entity.