Following Obama’s February 13, 2015 Executive Order to promote the sharing of cybersecurity risks and incidents between the federal government and the private sector, Congress has introduced a slew of information-sharing legislation. Such legislation includes the Cybersecurity Information Sharing Act of 2015 (“CISA”), which was marked up and approved 14-1 by the Senate Intelligence Committee in a closed session on March 12.
CISA, which has been met with some criticism in the press, provides for the promulgation of policies and procedures for the voluntary sharing of “cyber threat indicators” among the federal government and the private sector. The bill defines “cyber threat indicators” as “information necessary to describe or identify –
- malicious reconnaissance . . .;
- a method of defeating a security control or exploitation of a security vulnerability;
- a security vulnerability;
- a method of causing a user with legitimate access to an information system . . . to unwittingly enable the defeat of a security control or exploitation of a security vulnerability;
- malicious cyber command and control;
- the actual or potential harm caused by an incident . . .; or
- any other attribute of a cybersecurity threat.”
As currently drafted, CISA would apply to contractors in two ways: