Washington, DC - The Department of Homeland Security, with the Department of Justice, issued guidelines and procedures, required by the Cybersecurity Act of 2015.
First, these guidelines provide federal agencies and the private sector with a clear understanding of how to share cyber threat indicators with DHS’s National Cybersecurity and Communications Integration Center, or “NCCIC,” and how the NCCIC will share and use that information.
We know many cyber intrusions can be prevented if we share cyber threat indicators. These can include, for example, the subject line of a spear phishing email, or the IP address of the computer from which it originated. Sharing this kind of information in real-time, and swiftly applying defensive measures, will allow both the government and private sector to more effectively prevent attacks.
Before the Cybersecurity Act of 2015 was passed, we had already made significant progress in sharing information in real-time through our Automated Indicator Sharing system. This system allows automated, two-way sharing of cyber threat indicators between the government and private sector.
To address requirements of the new law, we improved our existing sharing system and added new capabilities. As a further incentive, the law provides companies with targeted liability protection for sharing cyber threat indicators with the Automated Indicator Sharing system. I encourage companies to work with DHS to set up the technical infrastructure needed to share and receive cyber threat indicators in real-time. Today’s guidelines provide the private sector with clear guidance on how to participate and what to expect.
Second, the law importantly provides two layers of privacy protections: companies are required to remove personal information before sharing cyber threat indicators, and DHS is required to implement, and has implemented, its own process to conduct a privacy review of received information. In addition to the information sharing guidance we issued today, we also issued interim guidelines to define how DHS will implement this privacy review and ensure compliance over time. We welcome feedback from privacy advocates and private sector participants in the Automated Indicator Sharing system as we continue to develop the final documents ahead of their statutory deadline in June.
Again, I am very pleased Congress passed the Cybersecurity Act of 2015. The guidelines issued today are a significant step forward in implementing this important law. For more information about the guidelines, or to participate in Automated Indicator Sharing, please visit www.us-cert.gov/ais.