Following Obama’ s February 13, 2015 Executive Order to promote the sharing of cybersecurity risks and incidents between the federal government and the private sector, Congress has introduced a slew of information-sharing legislation. Such legislation includes the Cybersecurity Information Sharing Act of 2015 (“CISA”), which was marked up and approved 14-1 by the Senate Intelligence Committee in a closed session on March 12.
CISA, which has been met with some criticism in the press, provides for the promulgation of policies and procedures for the voluntary sharing of “cyber threat indicators” among the federal government and the private sector. The bill defines “cyber threat indicators” as “information necessary to describe or identify –
- malicious reconnaissance . . .;
- a method of defeating a security control or exploitation of a security vulnerability;
- a security vulnerability;
- a method of causing a user with legitimate access to an information system . . . to unwittingly enable the defeat of a security control or exploitation of a security vulnerability;
- malicious cyber command and control;
- the actual or potential harm cause by an incident . . .; or
- any other attribute of a cybersecurity threat.”
As currently drafted, CISA would apply to contractors in two ways:
First, on the positive side, the bill explicitly states that it may not be construed to allow Federal agencies to condition the award of Government contracts on a contractor’s provision of cybersecurity information. In other words, a contractor cannot be denied a Government contract for not participating in cybersecurity information-sharing with the Federal Government.
Second, the bill raises potential concerns for contractors as it would amend Section 941 of the National Defense Authorization Act (“NDAA”) of 2013, which required the Department of Defense (“DoD”) to promulgate regulations for the rapid reporting of data breaches. Section 941 would be amended to allow the Secretary of Defense to share information reported under the rapid reporting regulations if that information “consists of cyber threat indicators and countermeasures” and is shared “consistent with the policies and procedures [promulgated under CISA]”. Thus, DoD contractors subject to the forthcoming rapid reporting regulations will need to pay attention to any information policies and procedures ultimately promulgated under CISA to determine what type of information the Secretary of Defense may share with federal agencies and the private sector. If, for example, the contractor’s identity may be shared, contractors experiencing data breaches could find themselves receiving unexpected attention from federal agencies and the private sector. Moreover, it remains unclear whether this information about cyber incidents and breaches of contractor information systems could be factors in agency responsibility and/or past performance determinations.