VII

Information Sharing

Notwithstanding chapter 119, 121, or 206 of title 18, United States Code, the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.), and the Communications Act of 1934 (47 U.S.C. 151 et seq.), any private entity may—

monitor information systems of the entity and information that is stored on, processed by, or transiting the information systems for cybersecurity threats;

monitor a third party’s information systems and information that is stored on, processed by, or transiting the information systems for cybersecurity threats, if the third party lawfully authorizes the monitoring;

operate countermeasures on information systems of the entity to protect the information systems and information that is stored on, processed by, or transiting the information systems; and

operate countermeasures on a third party’s information systems to protect the third party’s information systems and information that is stored on, processed by, or transiting the information systems, if the third party lawfully authorizes the countermeasures.

Notwithstanding any other provision of law, any private entity may disclose lawfully obtained cybersecurity threat indicators to any other private entity.

shall make reasonable efforts to safeguard communications, records, system traffic, or other information that can be used to identify specific persons from unauthorized access or acquisition;

shall comply with any lawful restrictions placed on the disclosure or use of cybersecurity threat indicators by the disclosing entity, including, if requested, the removal of information that can be used to identify specific persons from such indicators;

may not use the cybersecurity threat indicators to gain an unfair competitive advantage to the detriment of the entity that authorized such sharing; and

may only use, retain, or further disclose the cybersecurity threat indicators for the purpose of protecting an information system or information that is stored on, processed by, or transiting an information system from cybersecurity threats or mitigating the threats.

The Secretary, in consultation with the Director of National Intelligence, the Attorney General, and the Secretary of Defense, shall establish—

a process for designating appropriate Federal entities (such as 1 or more Federal cybersecurity centers) and non-Federal entities as cybersecurity exchanges;

procedures to facilitate and encourage the sharing of classified and unclassified cybersecurity threat indicators with designated cybersecurity exchanges and other appropriate Federal entities and non-Federal entities; and

a process for identifying certified entities authorized to receive classified cybersecurity threat indicators in accordance with paragraph (2).

The purpose of a cybersecurity exchange is to efficiently receive and distribute cybersecurity threat indicators in accordance with this title.

The Secretary, in consultation with the Director of National Intelligence, the Attorney General, and the Secretary of Defense, shall designate a Federal entity as the lead cybersecurity exchange to serve as the focal point within the Federal Government for cybersecurity information sharing among Federal entities and with non-Federal entities.

receive and distribute cybersecurity threat indicators in accordance with this title;

international partners, in consultation with the Secretary of State; and

disseminate timely and actionable cybersecurity threat, vulnerability, mitigation, and warning information, including alerts, advisories, indicators, signatures, and mitigation and response measures, to improve the security and protection of information systems;

coordinate with other Federal and non-Federal entities, as appropriate, to integrate information from Federal and non-Federal entities, including Federal cybersecurity centers, non-Federal network or security operation centers, other cybersecurity exchanges, and non-Federal entities that disclose cybersecurity threat indicators under section 704(a) to provide situational awareness of the United States information security posture and foster information security collaboration among information system owners and operators;

conduct, in consultation with private entities and relevant Federal and other governmental entities, regular assessments of existing and proposed information sharing models to eliminate bureaucratic obstacles to information sharing and identify best practices for such information sharing; and

coordinate with other Federal entities, as appropriate, to compile and analyze information about risks and incidents that threaten information systems, including information voluntarily submitted in accordance with section 704(a) or otherwise in accordance with applicable laws.

Not later than 60 days after the date of enactment of this Act, the Secretary shall designate a lead cybersecurity exchange under paragraph (1).

The National Cybersecurity and Communications Integration Center of the Department shall serve as the interim lead cybersecurity exchange until the Secretary designates a lead cybersecurity exchange under paragraph (1).

In accordance with the process and procedures established under subsection (a), the Secretary, in consultation with the Director of National Intelligence, the Attorney General, and the Secretary of Defense, may designate additional existing Federal entities as cybersecurity exchanges, if the cybersecurity exchanges are subject to the requirements for use, retention, and disclosure of information by a cybersecurity exchange under section 704(b) and the special requirements for Federal entities under section 704(g).

In considering whether to designate a non-Federal entity as a cybersecurity exchange to receive cybersecurity threat indicators under section 704(a), and what entity to designate, the Secretary shall consider the following factors:

The net effect that an additional cybersecurity exchange would have on the overall cybersecurity of the United States.

Whether the designation could substantially improve the overall cybersecurity of the United States by serving as a hub for receiving and sharing cybersecurity threat indicators, including the capacity of the non-Federal entity for performing those functions.

The capacity of the non-Federal entity to safeguard cybersecurity threat indicators from unauthorized disclosure and use.

The adequacy of the policies and procedures of the non-Federal entity to protect personally identifiable information from unauthorized disclosure and use.

The ability of the non-Federal entity to sustain operations using entirely non-Federal sources of funding.

The Secretary may promulgate regulations as may be necessary to carry out this subsection.

Nothing in this section may be construed to alter the authorities of a Federal cybersecurity center, unless such cybersecurity center is acting in its capacity as a designated cybersecurity exchange.

Nothing in this section may be construed to authorize additional layers of Federal bureaucracy for the receipt and disclosure of cybersecurity threat indicators.

Not later than 90 days after the date on which the Secretary designates the initial cybersecurity exchange under this section, the Secretary, the Director of National Intelligence, the Attorney General, and the Secretary of Defense shall jointly submit to Congress a written report that—

summarizes the policies and procedures established under section 704(g); and

if the Secretary has not designated any non-Federal entities as a cybersecurity exchange, provides recommendations concerning the advisability of designating non-Federal entities as cybersecurity exchanges.

Notwithstanding any other provision of law, a non-Federal entity may disclose lawfully obtained cybersecurity threat indicators to a cybersecurity exchange.

Use, retention, and disclosure of information by a cybersecurity exchange

Except as provided in subsection (g), a cybersecurity exchange may only use, retain, or further disclose information provided under subsection (a) in order to protect information systems from cybersecurity threats or mitigate cybersecurity threats.

Use and protection of information received from a cybersecurity exchange

shall make reasonable efforts to safeguard communications, records, system traffic, and other information that can be used to identify specific persons from unauthorized access or acquisition;

shall comply with any lawful restrictions placed on the disclosure or use of cybersecurity threat indicators by the cybersecurity exchange or a third party, if the cybersecurity exchange received the information from the third party, including, if requested, the removal of information that can be used to identify specific persons from the indicators;

may not use the cybersecurity threat indicators to gain an unfair competitive advantage to the detriment of the third party that authorized the sharing; and

may only use, retain, or further disclose the cybersecurity threat indicators for the purpose of protecting an information system or information that is stored on, processed by, or transiting an information system from cybersecurity threats or mitigating such threats.

Any cybersecurity threat indicator disclosed by a non-Federal entity to a cybersecurity exchange under subsection (a) shall be—

exempt from disclosure under section 552(b)(3) of title 5, United States Code, or any comparable State law; and

treated as voluntarily shared information under section 552 of title 5, United States Code, or any comparable State law.

Any cybersecurity threat indicator disclosed by a non-Federal entity to a cybersecurity exchange under subsection (a) shall not be subject to the rules of any governmental entity or judicial doctrine regarding ex parte communications with a decision making official.

Any cybersecurity threat indicator disclosed by a non-Federal entity to a cybersecurity exchange under subsection (a) may not be construed to be a waiver of any applicable privilege or protection provided under Federal, State, tribal, or territorial law, including any trade secret protection.

Notwithstanding any other provision of law and consistent with the requirements of this subsection, a Federal entity that lawfully intercepts, acquires, or otherwise obtains or possesses any communication, record, or other information from its electronic communications system, may disclose that communication, record, or other information if—

the disclosure is made for the purpose of—

protecting the information system of a Federal entity from cybersecurity threats; or

another component, officer, employee, or agent of the Federal entity with cybersecurity responsibilities;

a private entity that is acting as a provider of electronic communication services, remote computing service, or cybersecurity services to a Federal entity; and

the recipient of the communication, record, or other information agrees to comply with the Federal entity’s lawful requirements regarding the protection and further disclosure of the information, except to the extent the requirements are inconsistent with the policies and procedures developed by the Secretary and approved by the Attorney General under paragraph (4).

A cybersecurity exchange that is a Federal entity may disclose cybersecurity threat indicators received under subsection (a) to a law enforcement entity if—

the information appears to relate to a crime which has been, is being, or is about to be committed; and

the disclosure is permitted under the procedures developed by the Secretary and approved by the Attorney General under paragraph (4).

Further disclosure and use of information by a Federal entity

A Federal entity that is not a cybersecurity exchange may receive cybersecurity threat indicators from a cybersecurity exchange under section 703, but shall only use or retain the cybersecurity threat indicators in a manner that is consistent with this subsection in order—

to protect information systems from cybersecurity threats and to mitigate cybersecurity threats; or

to disclose the cybersecurity threat indicators to a law enforcement agency under paragraph (2).

A Federal entity that is not a cybersecurity exchange shall ensure, by written agreement, that when disclosing cybersecurity threat indicators to a non-Federal entity under this section, the non-Federal entity shall use or retain the cybersecurity threat indicators in a manner that is consistent with the requirements under section 702(b) on the use and protection of information and paragraph (2) of this subsection.

In consultation with privacy and civil liberties experts, the Director of National Intelligence, and the Secretary of Defense, the Secretary shall develop and periodically review policies and procedures governing the receipt, retention, use, and disclosure of cybersecurity threat indicators by a Federal entity obtained in connection with activities authorized under this title, which shall—

minimize the impact on privacy and civil liberties, consistent with the need to protect information systems from cybersecurity threats and mitigate cybersecurity threats;

reasonably limit the receipt, retention, use and disclosure of cybersecurity threat indicators associated with specific persons consistent with the need to carry out the responsibilities of this title, including establishing a process for the timely destruction of cybersecurity threat indicators that are received under this section that do not reasonably appear to be related to protecting information systems from cybersecurity threats and mitigating cybersecurity threats, unless the indicators appear to relate to a crime which has been, is being, or is about to be committed;

include requirements to safeguard cybersecurity threat indicators that can be used to identify specific persons from unauthorized access or acquisition; and

protect the confidentiality of cybersecurity threat indicators associated with specific persons to the greatest extent practicable and require recipients to be informed that such indicators may only be used for protecting information systems against cybersecurity threats, mitigating against cybersecurity threats, or disclosed to law enforcement under paragraph (2).

The head of a Federal agency responsible for a Federal entity designated as a cybersecurity exchange under section 703 shall adopt and comply with the policies and procedures developed under this subsection.

Not later than 1 year after the date of the enactment of this Act, the Attorney General shall review and approve policies and procedures developed under this subsection.

The policies and procedures issued under this subsection and any amendments to such policies and procedures shall be provided to Congress.

The Secretary and the Attorney General shall establish a mandatory program to monitor and oversee compliance with the policies and procedures issued under this subsection.

The head of each Federal entity that receives information under this title shall—

comply with the policies and procedures developed by the Secretary and approved by the Attorney General under paragraph (4);

promptly notify the Attorney General of significant violations of the policies and procedures; and

provide the Attorney General with any information relevant to the violation that the Attorney General requires.

On an annual basis, the Chief Privacy and Civil Liberties Officer of the Department of Justice and the Department of Homeland Security, in consultation with the most senior privacy and civil liberties officer or officers of any appropriate agencies, shall jointly submit to Congress a report assessing the privacy and civil liberties impact of the activities of the Federal Government conducted under this title.

Not later than 2 years after the date of enactment of this Act, the Privacy and Civil Liberties Oversight Board shall submit to Congress and the President a report providing—

an assessment of the privacy and civil liberties impact of the activities carried out by the Federal entities under this title; and

recommendations for improvements to or modifications of the law to address privacy and civil liberties concerns.

The heads of Federal entities shall develop and enforce appropriate sanctions for officers, employees, or agents of the Federal entities who conduct activities under this title—

outside the normal course of their specified duties;

in a manner inconsistent with the discharge of the responsibilities of the Federal entities; or

in contravention of the requirements, policies and procedures required under this subsection.

The procedures established under section 703(a)(2) shall provide that classified cybersecurity threat indicators may only be—

shared in a manner that is consistent with the need to protect the national security of the United States;

shared with a person with an appropriate security clearance to receive the cybersecurity threat indicators; and

used by a certified entity in a manner that protects the cybersecurity threat indicators from unauthorized disclosure.

Not later than 60 days after the date of enactment of this Act, the Director of National Intelligence shall issue guidelines providing that appropriate Federal officials may, as the Director considers necessary to carry out this title—

grant a security clearance on a temporary or permanent basis to an employee of a certified entity;

grant a security clearance on a temporary or permanent basis to a certified entity and approval to use appropriate facilities; or

expedite the security clearance process for a certified entity or employee of a certified entity, if appropriate, in a manner consistent with the need to protect the national security of the United States.

Following the establishment of the procedures under section 703(a)(2) and the issuance of the guidelines under subsection (b), the Secretary and the Director of National Intelligence shall expeditiously distribute the procedures and guidelines to—

the Committee on Armed Services, the Committee on Commerce, Science, and Transportation, the Committee on Homeland Security and Governmental Affairs, the Committee on the Judiciary, and the Select Committee on Intelligence of the Senate; and

the Committee on Armed Services, the Committee on Energy and Commerce, the Committee on Homeland Security, the Committee on the Judiciary, and the Permanent Select Committee on Intelligence of the House of Representatives.

No civil or criminal cause of action shall lie or be maintained in any Federal or State court against any entity, and any such action shall be dismissed promptly, based on—

the cybersecurity monitoring activities authorized by paragraphs (1) and (2) of section 701; or

by a provider of cybersecurity services to a customer of the provider;

to a private entity or governmental entity that provides or manages critical infrastructure; or

to any other private entity under section 702(a), if the cybersecurity threat indicator is also disclosed within a reasonable time to a cybersecurity exchange.

If a civil or criminal cause of action is not barred under subsection (a), good faith reliance that this title permitted the conduct complained of is a complete defense against any civil or criminal action brought under this title or any other law.

Limitation on use of cybersecurity threat indicators for regulatory enforcement actions

No Federal entity may use a cybersecurity threat indicator received under this title as evidence in a regulatory enforcement action against the entity that lawfully shared the cybersecurity threat indicator with a cybersecurity exchange that is a Federal entity.

No civil or criminal cause of action shall lie or be maintained in any Federal or State court against any entity, and any such action shall be dismissed promptly, for a failure to disclose a cybersecurity threat indicator if—

the Attorney General determines that disclosure of a cybersecurity threat indicator would impede a civil or criminal investigation and submits a written request to delay notification for up to 30 days, except that the Attorney General may, by a subsequent written request, revoke such delay or extend the period of time set forth in the original request made under this paragraph if further delay is necessary; or

the Secretary, the Attorney General, or the Director of National Intelligence determines that disclosure of a cybersecurity threat indicator would threaten national or homeland security and submits a written request to delay notification, except that the Secretary, the Attorney General or the Director of National Intelligence may, by a subsequent written request, revoke such delay or extend the period of time set forth in the original request made under this paragraph if further delay is necessary.

No civil or criminal cause of action shall lie or be maintained in any Federal or State court against any private entity, or any officer, employee, or agent of such an entity, and any such action shall be dismissed promptly, for the reasonable failure to act on information received under this title.

Any person who knowingly and willfully violates restrictions under this title shall not receive the protections under this title.

Nothing in this title may be construed to limit liability for a failure to comply with the requirements of section 702(b) and section 704(c) on the use and protection of information.

Compliance with lawful restrictions placed on the disclosure or use of cybersecurity threat indicators is a complete defense to any tort or breach of contract claim originating in a failure to disclose cybersecurity threat indicators to a third party.

Nothing in this title may be construed—

information that has been determined by the Federal Government pursuant to an Executive Order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations;

any restricted data (as that term is defined in paragraph (y) of section 11 of the Atomic Energy Act of 1954 (42 U.S.C. 2014));

information that is specifically subject to a court order or a certification, directive, or other authorization by the Attorney General precluding such disclosure;

to limit or prohibit otherwise lawful disclosures of communications, records, or information by a private entity to a cybersecurity exchange or any other governmental or private entity not conducted under this title;

to limit the ability of a private entity or governmental entity to receive data about the information systems of the entity, including lawfully obtained cybersecurity threat indicators;

to authorize or prohibit any law enforcement, homeland security, or intelligence activities not otherwise authorized or prohibited under another provision of law;

to permit price-fixing, allocating a market between competitors, monopolizing or attempting to monopolize a market, boycotting, or exchanges of price or cost information, customer lists, or information regarding future competitive planning; or

to prevent a governmental entity from using information not acquired through a cybersecurity exchange for regulatory purposes.

This title supersedes any law or requirement of a State or political subdivision of a State that restricts or otherwise expressly regulates the provision of cybersecurity services or the acquisition, interception, retention, use or disclosure of communications, records, or other information by private entities to the extent such law contains requirements inconsistent with this title.

Except as expressly provided, nothing in this title shall be construed to preempt the applicability of any other State law or requirement.

No creation of a right to information

The provision of information to a non-Federal entity under this title shall not create a right or benefit to similar information by any other non-Federal entity.

Prohibition on requirement to provide information to the Federal Government

Nothing in this title, except as expressly stated, may be construed to permit a Federal entity—

to require a non-Federal entity to share information with the Federal Government; or

to condition the disclosure of unclassified or classified cybersecurity threat indicators under this title with a non-Federal entity on the provision of cybersecurity threat information to the Federal Government.

No cybersecurity threat indicators obtained under this title may be used, retained, or disclosed by a Federal entity or non-Federal entity, except as authorized under this title.

Consistent with the exemptions from public disclosure of section 704(d), the Director of National Intelligence, in consultation with the Secretary, shall facilitate the declassification and sharing of information in the possession of a Federal entity that is related to cybersecurity threats, as the Director of National Intelligence determines appropriate.

Not later than 2 years after the date of enactment of this Act, the Secretary, the Director of National Intelligence, the Attorney General, and the Secretary of Defense shall jointly submit to Congress a report that—

describes the extent to which the authorities conferred by this title have enabled the Federal Government and the private sector to mitigate cybersecurity threats;

discloses any significant acts of noncompliance by a non-Federal entity with this title, with special emphasis on privacy and civil liberties, and any measures taken by the Federal Government to uncover such noncompliance;

describes in general terms the nature and quantity of information disclosed and received by governmental entities and private entities under this title; and

proposes changes to the law, including the definitions, authorities and requirements under this title, that are necessary to ensure the law keeps pace with the threat while protecting privacy and civil liberties.

On an annual basis, the Director of National Intelligence shall provide a report to the Select Committee on Intelligence of the Senate and the Permanent Select Committee on Intelligence of the House of Representatives on the implementation of section 705. Each report under this subsection, which shall be submitted in an unclassified form, but may include a classified annex, shall include a list of private entities that receive classified cybersecurity threat indicators under this title, except that the unclassified report shall not contain information that may be used to identify specific private entities unless such private entities consent to such identification.

708.

Definitions

In this title:

(1) Certified entity The term certified entity means a protected entity, a self-protected entity, or a provider of cybersecurity services that— (A) possesses or is eligible to obtain a security clearance, as determined by the Director of National Intelligence; and (B) is able to demonstrate to the Director of National Intelligence that the provider or entity can appropriately protect and use classified cybersecurity threat indicators.

(2) Countermeasure The term countermeasure means automated or manual actions with defensive intent to modify or block data packets associated with electronic or wire communications, internet traffic, program code, or other system traffic transiting to or from or stored on an information system for the purpose of protecting the information system from cybersecurity threats, conducted on an information system owned or operated by or on behalf of the party to be protected or operated by a private entity acting as a provider of electronic communication services, remote computing services, or cybersecurity services to the party to be protected.

(3) Cybersecurity exchange The term cybersecurity exchange means any governmental entity or private entity designated by the Secretary as a cybersecurity exchange under section 703(a).

(4) Cybersecurity services The term cybersecurity services means products, goods, or services intended to detect, mitigate, or prevent cybersecurity threats.

(5) Cybersecurity threat The term cybersecurity threat means any action that may result in unauthorized access to, exfiltration of, manipulation of, or impairment to the integrity, confidentiality, or availability of an information system or information that is stored on, processed by, or transiting an information system.

(6) Cybersecurity threat indicator The term cybersecurity threat indicator means information—

(A) that may be indicative of or describe—

(i) malicious reconnaissance, including anomalous patterns of communications that reasonably appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat;

(ii) a method of defeating a technical control;

(iii) a technical vulnerability;

(iv) a method of defeating an operational control;

(v) a method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to unwittingly enable the defeat of a technical control or an operational control;

(vi) malicious cyber command and control;

(vii) the actual or potential harm caused by an incident, including information exfiltrated as a result of subverting a technical control when it is necessary in order to identify or describe a cybersecurity threat;

(viii) any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law; or

(ix) any combination thereof; and

(B) from which reasonable efforts have been made to remove information that can be used to identify specific persons unrelated to the cybersecurity threat.

(7) Federal cybersecurity center The term Federal cybersecurity center means the Department of Defense Cyber Crime Center, the Intelligence Community Incident Response Center, the United States Cyber Command Joint Operations Center, the National Cyber Investigative Joint Task Force, the National Security Agency/Central Security Service Threat Operations Center, or the United States Computer Emergency Readiness Team, or any successor to such a center.

(8) Federal entity The term Federal entity means a Federal agency, or any component, officer, employee, or agent of a Federal agency.

(9) Governmental entity The term governmental entity means any Federal entity and agency or department of a State, local, tribal, or territorial government other than an educational institution, or any component, officer, employee, or agent of such an agency or department.

(10) Information system The term information system means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information, including communications with, or commands to, specialized systems such as industrial and process control systems, telephone switching and private branch exchange, and environmental control systems.

(11) Malicious cyber command and control The term malicious cyber command and control means a method for remote identification of, access to, or use of, an information system or information that is stored on, processed by, or transiting an information system associated with a known or suspected cybersecurity threat.

(12) Malicious reconnaissance The term malicious reconnaissance means a method for actively probing or passively monitoring an information system for the purpose of discerning technical vulnerabilities of the information system, if such method is associated with a known or suspected cybersecurity threat.

(13) Monitor The term monitor means the interception, acquisition, or collection of information that is stored on, processed by, or transiting an information system for the purpose of identifying cybersecurity threats.

(14) Non-Federal entity The term non-Federal entity means a private entity or a governmental entity other than a Federal entity.

(15) Operational control The term operational control means a security control for an information system that primarily is implemented and executed by people.

(16) Private entity The term private entity has the meaning given the term person in section 1 of title 1, United States Code, and does not include a governmental entity.

(17) Protect The term protect means actions undertaken to secure, defend, or reduce the vulnerabilities of an information system, mitigate cybersecurity threats, or otherwise enhance information security or the resiliency of information systems or assets.

(18) Protected entity The term protected entity means an entity, other than an individual, that contracts with a provider of cybersecurity services for goods or services to be used for cybersecurity purposes.

(19) Self-protected entity The term self-protected entity means an entity, other than an individual, that provides cybersecurity services to itself.

(20) Technical control The term technical control means a hardware or software restriction on, or audit of, access or use of an information system or information that is stored on, processed by, or transiting an information system that is intended to ensure the confidentiality, integrity, or availability of that system.

(21) Technical vulnerability The term technical vulnerability means any attribute of hardware or software that could enable or facilitate the defeat of a technical control.