Tap any paragraph to write a margin note. Your notes collect in the Desk below the text and file under cases with @. The side-by-side margin rail opens on a larger screen.

§
Marginalia
Code · BILL · 114th Congress · S. 754 (Placed on Calendar Senate) — To improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, an... · Sec. 5

Sec. 5. Sharing of cyber threat indicators and defensive measures with the Federal Government

2,188 words·~10 min read·/bill/114/s/754/pcs/section-5

A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

Not later than 60 days after the date of the enactment of this Act, the Attorney General, in coordination with the heads of the appropriate Federal entities, shall develop and submit to Congress interim policies and procedures relating to the receipt of cyber threat indicators and defensive measures by the Federal Government. Not later than 180 days after the date of the enactment of this Act, the Attorney General shall, in coordination with the heads of the appropriate Federal entities, promulgate final policies and procedures relating to the receipt of cyber threat indicators and defensive measures by the Federal Government.
Consistent with the guidelines required by subsection (b), the policies and procedures developed and promulgated under this subsection shall— ensure that cyber threat indicators are shared with the Federal Government by any entity pursuant to section 4(c) through the real-time process described in subsection
(c)of this section— are shared in an automated manner with all of the appropriate Federal entities; are not subject to any delay, modification, or any other action that could impede real-time receipt by all of the appropriate Federal entities; and may be provided to other Federal entities; ensure that cyber threat indicators shared with the Federal Government by any entity pursuant to section 4 in a manner other than the real-time process described in subsection
(c)of this section— are shared as quickly as operationally practicable with all of the appropriate Federal entities; are not subject to any unnecessary delay, interference, or any other action that could impede receipt by all of the appropriate Federal entities; and may be provided to other Federal entities; consistent with this Act, any other applicable provisions of law, and the fair information practice principles set forth in appendix A of the document entitled National Strategy for Trusted Identities in Cyberspace and published by the President in April 2011, govern the retention, use, and dissemination by the Federal Government of cyber threat indicators shared with the Federal Government under this Act, including the extent, if any, to which such cyber threat indicators may be used by the Federal Government; and ensure there is— an audit capability; and appropriate sanctions in place for officers, employees, or agents of a Federal entity who knowingly and willfully conduct activities under this Act in an unauthorized manner. Not later than 60 days after the date of the enactment of this Act, the Attorney General shall develop and make publicly available guidance to assist entities and promote sharing of cyber threat indicators with Federal entities under this Act. The guidelines developed and made publicly available under subparagraph
(A)shall include guidance on the following: Identification of types of information that would qualify as a cyber threat indicator under this Act that would be unlikely to include personal information of or identifying a specific person not directly related to a cyber security threat. Identification of types of information protected under otherwise applicable privacy laws that are unlikely to be directly related to a cybersecurity threat. Such other matters as the Attorney General considers appropriate for entities sharing cyber threat indicators with Federal entities under this Act. Not later than 60 days after the date of the enactment of this Act, the Attorney General shall, in coordination with heads of the appropriate Federal entities and in consultation with officers designated under section 1062 of the National Security Intelligence Reform Act of 2004 ( 42 U.S.C. 2000ee–1 ), develop, submit to Congress, and make available to the public interim guidelines relating to privacy and civil liberties which shall govern the receipt, retention, use, and dissemination of cyber threat indicators by a Federal entity obtained in connection with activities authorized in this Act. Not later than 180 days after the date of the enactment of this Act, the Attorney General shall, in coordination with heads of the appropriate Federal entities and in consultation with officers designated under section 1062 of the National Security Intelligence Reform Act of 2004 ( 42 U.S.C. 2000ee–1 ) and such private entities with industry expertise as the Attorney General considers relevant, promulgate final guidelines relating to privacy and civil liberties which shall govern the receipt, retention, use, and dissemination of cyber threat indicators by a Federal entity obtained in connection with activities authorized in this Act. The Attorney General shall, in coordination with heads of the appropriate Federal entities and in consultation with officers and private entities described in subparagraph (A), periodically review the guidelines promulgated under subparagraph (A). The guidelines required by paragraphs
(1)and
(2)shall, consistent with the need to protect information systems from cybersecurity threats and mitigate cybersecurity threats— limit the impact on privacy and civil liberties of activities by the Federal Government under this Act; limit the receipt, retention, use, and dissemination of cyber threat indicators containing personal information of or identifying specific persons, including by establishing— a process for the timely destruction of such information that is known not to be directly related to uses authorized under this Act; and specific limitations on the length of any period in which a cyber threat indicator may be retained; include requirements to safeguard cyber threat indicators containing personal information of or identifying specific persons from unauthorized access or acquisition, including appropriate sanctions for activities by officers, employees, or agents of the Federal Government in contravention of such guidelines; include procedures for notifying entities and Federal entities if information received pursuant to this section is known or determined by a Federal entity receiving such information not to constitute a cyber threat indicator; protect the confidentiality of cyber threat indicators containing personal information of or identifying specific persons to the greatest extent practicable and require recipients to be informed that such indicators may only be used for purposes authorized under this Act; and include steps that may be needed so that dissemination of cyber threat indicators is consistent with the protection of classified and other sensitive national security information. Not later than 90 days after the date of the enactment of this Act, the Secretary of Homeland Security, in coordination with the heads of the appropriate Federal entities, shall develop and implement a capability and process within the Department of Homeland Security that— shall accept from any entity in real time cyber threat indicators and defensive measures, pursuant to this section; shall, upon submittal of the certification under paragraph
(2)that such capability and process fully and effectively operates as described in such paragraph, be the process by which the Federal Government receives cyber threat indicators and defensive measures under this Act that are shared by a private entity with the Federal Government through electronic mail or media, an interactive form on an Internet website, or a real time, automated process between information systems except— communications between a Federal entity and a private entity regarding a previously shared cyber threat indicator; and communications by a regulated entity with such entity's Federal regulatory authority regarding a cybersecurity threat; ensures that all of the appropriate Federal entities receive in an automated manner such cyber threat indicators shared through the real-time process within the Department of Homeland Security; is in compliance with the policies, procedures, and guidelines required by this section; and does not limit or prohibit otherwise lawful disclosures of communications, records, or other information, including— reporting of known or suspected criminal activity, by an entity to any other entity or a Federal entity; voluntary or legally compelled participation in a Federal investigation; and providing cyber threat indicators or defensive measures as part of a statutory or authorized contractual requirement. Not later than 10 days prior to the implementation of the capability and process required by paragraph (1), the Secretary of Homeland Security shall, in consultation with the heads of the appropriate Federal entities, certify to Congress whether such capability and process fully and effectively operates— as the process by which the Federal Government receives from any entity a cyber threat indicator or defensive measure under this Act; and in accordance with the policies, procedures, and guidelines developed under this section. The Secretary of Homeland Security shall ensure there is public notice of, and access to, the capability and process developed and implemented under paragraph
(1)so that— any entity may share cyber threat indicators and defensive measures through such process with the Federal Government; and all of the appropriate Federal entities receive such cyber threat indicators and defensive measures in real time with receipt through the process within the Department of Homeland Security. The process developed and implemented under paragraph
(1)shall ensure that other Federal entities receive in a timely manner any cyber threat indicators and defensive measures shared with the Federal Government through such process. Not later than 60 days after the date of the enactment of this Act, the Secretary of Homeland Security shall submit to Congress a report on the development and implementation of the capability and process required by paragraph (1), including a description of such capability and process and the public notice of, and access to, such process. The report required by subparagraph
(A)shall be submitted in unclassified form, but may include a classified annex. The provision of cyber threat indicators and defensive measures to the Federal Government under this Act shall not constitute a waiver of any applicable privilege or protection provided by law, including trade secret protection. Consistent with section 4(c)(2), a cyber threat indicator or defensive measure provided by an entity to the Federal Government under this Act shall be considered the commercial, financial, and proprietary information of such entity when so designated by the originating entity or a third party acting in accordance with the written authorization of the originating entity. Cyber threat indicators and defensive measures provided to the Federal Government under this Act shall be— deemed voluntarily shared information and exempt from disclosure under section 552 of title 5, United States Code, and any State, tribal, or local law requiring disclosure of information or records; and withheld, without discretion, from the public under section 552(b)(3)(B) of title 5, United States Code, and any State, tribal, or local provision of law requiring disclosure of information or records. The provision of a cyber threat indicator or defensive measure to the Federal Government under this Act shall not be subject to a rule of any Federal agency or department or any judicial doctrine regarding ex parte communications with a decisionmaking official. Cyber threat indicators and defensive measures provided to the Federal Government under this Act may be disclosed to, retained by, and used by, consistent with otherwise applicable provisions of Federal law, any Federal agency or department, component, officer, employee, or agent of the Federal Government solely for— a cybersecurity purpose; the purpose of identifying a cybersecurity threat, including the source of such cybersecurity threat, or a security vulnerability; the purpose of identifying a cybersecurity threat involving the use of an information system by a foreign adversary or terrorist; the purpose of responding to, or otherwise preventing or mitigating, an imminent threat of death, serious bodily harm, or serious economic harm, including a terrorist act or a use of a weapon of mass destruction; the purpose of responding to, or otherwise preventing or mitigating, a serious threat to a minor, including sexual exploitation and threats to physical safety; or the purpose of preventing, investigating, disrupting, or prosecuting an offense arising out of a threat described in clause
(iv)or any of the offenses listed in— section 3559(c)(2)(F) of title 18, United States Code (relating to serious violent felonies); sections 1028 through 1030 of such title (relating to fraud and identity theft); chapter 37 of such title (relating to espionage and censorship); and chapter 90 of such title (relating to protection of trade secrets). Cyber threat indicators and defensive measures provided to the Federal Government under this Act shall not be disclosed to, retained by, or used by any Federal agency or department for any use not permitted under subparagraph (A). Cyber threat indicators and defensive measures provided to the Federal Government under this Act shall be retained, used, and disseminated by the Federal Government— in accordance with the policies, procedures, and guidelines required by subsections
(a)and (b); in a manner that protects from unauthorized use or disclosure any cyber threat indicators that may contain personal information of or identifying specific persons; and in a manner that protects the confidentiality of cyber threat indicators containing personal information of or identifying a specific person. Except as provided in clause (ii), cyber threat indicators and defensive measures provided to the Federal Government under this Act shall not be directly used by any Federal, State, tribal, or local government to regulate, including an enforcement action, the lawful activities of any entity, including activities relating to monitoring, operating defensive measures, or sharing cyber threat indicators. Cyber threat indicators and defensive measures provided to the Federal Government under this Act may, consistent with Federal or State regulatory authority specifically relating to the prevention or mitigation of cybersecurity threats to information systems, inform the development or implementation of regulations relating to such information systems. Clause
(i)shall not apply to procedures developed and implemented under this Act.
Connections1 off-index
1 reference not yet in our index
  • 42 USC 2000ee–1
Citation graph
cites case law
Sec. 5
Sharing of cyber threat indicators and defensive measures with the Federal Government
Cite42 USC 2000ee–1
Cites 1Cited by 0 across 0 sources
★   the supreme law of the land   ★
Don't Tread on Me
E Pluribus Unum — out of many, one

"If you don't know your rights, you don't have any."

Marginalia · a citizen's law index
A research desk, not legal advice. Always read the cited source before relying on a summary.
Questions or an issue? support@self-law.org
disclaimerMarginalia is a research index, not a law firm. Nothing on this site is legal, tax, or financial advice and no attorney–client relationship is formed by using it. Statutes, regulations, and case law change; summaries, search results, AI output, and member posts may be incomplete, out of date, or wrong. Any interpretation drawn from material on this site should be validated by a licensed attorney in your jurisdiction before you act on it.